summaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:06 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 16:14:06 +0000
commiteee068778cb28ecf3c14e1bf843a95547d72c42d (patch)
tree0e07b30ddc5ea579d682d5dbe57998200d1c9ab7 /doc
parentInitial commit. (diff)
downloadgnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.tar.xz
gnupg2-eee068778cb28ecf3c14e1bf843a95547d72c42d.zip
Adding upstream version 2.2.40.upstream/2.2.40upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc')
-rw-r--r--doc/ChangeLog-2011871
-rw-r--r--doc/DCO29
-rw-r--r--doc/DETAILS1617
-rw-r--r--doc/FAQ13
-rw-r--r--doc/HACKING433
-rw-r--r--doc/KEYSERVER83
-rw-r--r--doc/Makefile.am213
-rw-r--r--doc/Makefile.in1273
-rw-r--r--doc/OpenPGP116
-rw-r--r--doc/TRANSLATE61
-rw-r--r--doc/com-certs.pem67
-rw-r--r--doc/contrib.texi106
-rw-r--r--doc/debugging.texi287
-rw-r--r--doc/defsincdate1
-rw-r--r--doc/dirmngr.texi1273
-rw-r--r--doc/examples/Automatic.prf15
-rw-r--r--doc/examples/README11
-rw-r--r--doc/examples/VS-NfD.prf24
-rw-r--r--doc/examples/debug.prf29
-rw-r--r--doc/examples/gpgconf.conf62
-rw-r--r--doc/examples/gpgconf.rnames12
-rw-r--r--doc/examples/pwpattern.list48
-rwxr-xr-xdoc/examples/scd-event102
-rw-r--r--doc/examples/systemd-user/README66
-rw-r--r--doc/examples/systemd-user/dirmngr.service8
-rw-r--r--doc/examples/systemd-user/dirmngr.socket11
-rw-r--r--doc/examples/systemd-user/gpg-agent-browser.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent-extra.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent-ssh.socket13
-rw-r--r--doc/examples/systemd-user/gpg-agent.service8
-rw-r--r--doc/examples/systemd-user/gpg-agent.socket12
-rw-r--r--doc/examples/trustlist.txt66
-rw-r--r--doc/glossary.texi72
-rw-r--r--doc/gnupg-card-architecture.fig419
-rw-r--r--doc/gnupg-card-architecture.pdfbin0 -> 19415 bytes
-rw-r--r--doc/gnupg-card-architecture.pngbin0 -> 8829 bytes
-rw-r--r--doc/gnupg-logo-tr.pngbin0 -> 9415 bytes
-rw-r--r--doc/gnupg-logo.eps2704
-rw-r--r--doc/gnupg-logo.pdfbin0 -> 13838 bytes
-rw-r--r--doc/gnupg-logo.pngbin0 -> 14471 bytes
-rw-r--r--doc/gnupg-module-overview.pdf381
-rw-r--r--doc/gnupg-module-overview.pngbin0 -> 123361 bytes
-rw-r--r--doc/gnupg-module-overview.svg892
-rw-r--r--doc/gnupg.info224
-rw-r--r--doc/gnupg.info-17172
-rw-r--r--doc/gnupg.info-26144
-rw-r--r--doc/gnupg.texi241
-rw-r--r--doc/gnupg7.texi31
-rw-r--r--doc/gpg-agent.texi1672
-rw-r--r--doc/gpg.texi4436
-rw-r--r--doc/gpgsm.texi1696
-rw-r--r--doc/gpgv.texi193
-rw-r--r--doc/gpl.texi732
-rw-r--r--doc/help.be.txt286
-rw-r--r--doc/help.ca.txt286
-rw-r--r--doc/help.cs.txt286
-rw-r--r--doc/help.da.txt286
-rw-r--r--doc/help.de.txt279
-rw-r--r--doc/help.el.txt286
-rw-r--r--doc/help.eo.txt286
-rw-r--r--doc/help.es.txt251
-rw-r--r--doc/help.et.txt286
-rw-r--r--doc/help.fi.txt256
-rw-r--r--doc/help.fr.txt256
-rw-r--r--doc/help.gl.txt286
-rw-r--r--doc/help.hu.txt257
-rw-r--r--doc/help.id.txt251
-rw-r--r--doc/help.it.txt251
-rw-r--r--doc/help.ja.txt335
-rw-r--r--doc/help.nb.txt286
-rw-r--r--doc/help.pl.txt250
-rw-r--r--doc/help.pt.txt253
-rw-r--r--doc/help.pt_BR.txt253
-rw-r--r--doc/help.ro.txt251
-rw-r--r--doc/help.ru.txt369
-rw-r--r--doc/help.sk.txt254
-rw-r--r--doc/help.sv.txt286
-rw-r--r--doc/help.tr.txt242
-rw-r--r--doc/help.txt407
-rw-r--r--doc/help.zh_CN.txt233
-rw-r--r--doc/help.zh_TW.txt245
-rw-r--r--doc/howto-create-a-server-cert.texi274
-rw-r--r--doc/howtos.texi15
-rw-r--r--doc/instguide.texi77
-rw-r--r--doc/mkdefsinc.c367
-rwxr-xr-xdoc/mksamplekeys10
-rw-r--r--doc/opt-homedir.texi25
-rw-r--r--doc/qualified.txt243
-rw-r--r--doc/samplekeys.asc920
-rw-r--r--doc/scdaemon.texi777
-rw-r--r--doc/see-also-note.texi14
-rw-r--r--doc/specify-user-id.texi173
-rw-r--r--doc/sysnotes.texi58
-rw-r--r--doc/tools.texi2136
-rw-r--r--doc/trust-values.texi47
-rw-r--r--doc/whats-new-in-2.1.txt873
-rw-r--r--doc/wks.texi481
-rw-r--r--doc/yat2m.c1646
98 files changed, 49854 insertions, 0 deletions
diff --git a/doc/ChangeLog-2011 b/doc/ChangeLog-2011
new file mode 100644
index 0000000..b830c0e
--- /dev/null
+++ b/doc/ChangeLog-2011
@@ -0,0 +1,871 @@
+2011-12-01 Werner Koch <wk@g10code.com>
+
+ NB: ChangeLog files are no longer manually maintained. Starting
+ on December 1st, 2011 we put change information only in the GIT
+ commit log, and generate a top-level ChangeLog file from logs at
+ "make dist". See doc/HACKING for details.
+
+2011-10-12 Werner Koch <wk@g10code.com>
+
+ * gpg.texi: Add a bunch of opindex items.
+
+ * yat2m.c (parse_file): Add hack to allow table indentation.
+
+2011-08-12 Werner Koch <wk@g10code.com>
+
+ * texi.css: Override some elements.
+ * gnupg-log-tr.png: New.
+ * gnupg.texi: Use transparent logo.
+
+2011-03-01 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (CSR and certificate creation): New.
+ * gpg.texi (Unattended GPG key generation): New.
+
+2010-10-29 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): Clarify that show-photos
+ doesn't work with --with-colons. --personal-digest-preferences
+ does not have a default any longer.
+
+2010-10-18 Werner Koch <wk@g10code.com>
+
+ * DETAILS: Fix description of IMPORT_RES. Reported by Nicholas Cole.
+
+2010-10-11 Daniel Kahn Gillmor <dkg@fifthhorseman.net> (wk)
+
+ * gpg.texi (GPG Configuration Options) <photo-viewer>: Describe %v
+ and %V.
+
+2010-10-05 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (faq.txt faq.html, faq-online): New.
+
+2010-10-04 Werner Koch <wk@g10code.com>
+
+ * faq.org: New.
+ * FAQ: Make it a static file with a pointer to the online location.
+ * Makefile.am (EXTRA_DIST): Remove faq.raw and faq.html.
+ (FAQ, faq.html): Remove these targets
+
+2010-09-28 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (AM_MAKEINFOFLAGS): Add define gpgtwoone.
+
+2010-09-28 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (OpenPGP Options): Clarify that --force-v3-sigs
+ disables (not enables) v4 options. --force-v3-sigs defaults to
+ no.
+
+2010-08-18 Werner Koch <wk@g10code.com>
+
+ * tools.texi (watchgnupg): Add examples section.
+
+2010-06-10 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (gnupg_TEXINFOS): Add dirmngr.texi.
+ (myman_sources): Ditto.
+ (myman_pages): Add dirmngr and dirmngr-client pages.
+ (noinst_MANS): Move gnupg.7 to man_MANS.
+
+ * gnupg.texi: Include dirmngr.texi and add a menu entry.
+ * dirmngr.texi: New. Taken from the current SVN of the dirmngr
+ package and adjusted to fit into the GnuPG manual. Moved
+ dirmngr-cleint stuff to ...
+ * tools.texi (dirmngr-client): ... new.
+
+2009-11-18 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Key related Options): Describe
+ --skip-hidden-recipients.
+
+2009-10-19 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): Clarify that ca-cert-file
+ is a generic store, the details of which depend on the underlying
+ libraries.
+
+2009-08-24 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi: Suggested new ordering for --edit-key.
+
+2009-08-17 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (OpenPGP Options): Clarify that
+ personal-foo-preferences overrides recipient preferences (safely).
+
+2009-08-14 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): Document keyserver options
+ check-cert and ca-cert-file.
+
+2009-08-06 Werner Koch <wk@g10code.com>
+
+ * DETAILS: Describe the new INV_SNDR and NO_SNDR..
+
+2009-07-31 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (OpenPGP Options): Don't mention
+ --no-sk-comment (doesn't exist any longer).
+
+2009-07-23 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): LDAP uses DNS-SD to locate
+ a server before falling back to keys.{domain}.
+
+2009-07-23 Werner Koch <wk@g10code.com>
+
+ * help.txt (gpgsm.crl-problem): New.
+
+2009-07-22 Werner Koch <wk@g10code.com>
+
+ * scdaemon.texi, instguide.texi, gpgsm.texi, sysnotes.texi
+ * glossary.texi, howto-create-a-server-cert.texi, tools.texi
+ * gpg-agent.texi, gpg.texi, debugging.texi: Typo fixes. Reported
+ by Jeroen Schot. Fixes bug#1093.
+
+ * gpg.texi (GPG Configuration Options): Tell what files to backup.
+ * sysnotes.texi: Remove some warning notes for W32.
+
+2009-07-20 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (Operational GPG Commands): Add a note for --send-keys.
+ Fixes bug#1090.
+
+2009-07-06 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Common Problems): Add a note about corrupted
+ keys in --search-keys.
+
+2009-06-02 Werner Koch <wk@g10code.com>
+
+ * tools.texi (watchgnupg): Typo fix. Fixes bug#1065.
+
+ * gpg-agent.texi (Agent Commands): Update description of --daemon.
+
+2009-05-20 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration Options): Explain new meaning of
+ --enable-dsa2.
+
+2009-03-16 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): Document keyserver-options
+ debug.
+
+2009-03-04 Werner Koch <wk@g10code.com>
+
+ * help.txt (gpg.keygen.size): Add a link to web page.
+
+2009-03-03 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (Operational GPG Commands): "merge-only" is an
+ import-option. Reported by Joseph Oreste Bruni.
+
+2009-03-02 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Invoking GPG-AGENT): Modernized instructions.
+ (Agent Options): Fix spelling of option --lc-ctype.
+
+2009-01-12 Werner Koch <wk@g10code.com>
+
+ * faq.raw: Fix bug reorting address.
+
+2008-12-12 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (General GPGSM Commands): Fix --help, --version and
+ --warranty wording.
+
+2008-12-08 Werner Koch <wk@g10code.com>
+
+ * DETAILS: Clarify the use of "trust" and "validity" as suggested
+ by Daniel Kahn Gillmor. Fix some typos. Remove the outdated
+ sections on packet headers and pipemode. Point to the libgcrypt
+ manual for a description of the key generation.
+
+2008-11-12 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent Options): Use Posix $() instead of
+ backticks to avoid rendering problems.
+
+2008-10-13 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Certificate Management): Explain hot to delete the
+ secret key.
+
+2008-10-01 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Controlling gpg-connect-agent): Describe /datafile.
+
+2008-09-23 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (OpenPGP Key Management): Clarify setpref a bit.
+
+2008-08-30 Werner Koch <wk@g10code.com>
+
+ * yat2m.c (write_th): Print a note that this is generated source.
+ (VERSION): Bump up to 1.0.
+
+2008-07-30 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (GPGSM Configuration): Mention com-cert.pem.
+
+2008-06-25 Werner Koch <wk@g10code.com>
+
+ * qualified.txt: Add new BnetzA certs 12R and 13R.
+ * com-certs.pem: Ditto.
+ * examples/trustlist.txt: Ditto.
+
+2008-06-19 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Listing options): Describe new complect gpgconf type
+ "alias list".
+
+2008-06-16 Werner Koch <wk@g10code.com>
+
+ * DETAILS (group): Document %ask-passphrase.
+
+2008-05-26 Werner Koch <wk@g10code.com>
+
+ * gpgv.texi: Minor fixes. Fixes bug#918.
+
+ * opt-homedir.texi: Typo fixes. Fixes bug#917.
+
+2008-05-26 Marcus Brinkmann <marcus@g10code.de>
+
+ * tools.texi (Invoking gpgconf): Document --list-dirs.
+
+2008-05-20 Marcus Brinkmann <marcus@g10code.de>
+
+ * tools.texi (Invoking gpgconf): Add --dry-run and --check-options.
+ (Checking programs): Document --check-options.
+
+2008-05-15 Marcus Brinkmann <marcus@g10code.de>
+
+ * gpg.texi (Operational GPG Commands): Mention the way to change
+ the default signing key.
+
+2008-05-06 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (myman_pages): Add gpg-zip.1.
+
+ * tools.texi (gpg-zip): Add new section.
+
+2008-04-08 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration Options): Change subkeys.pgp.net to
+ keys.gnupg.net. Describe --auto-key-locate mechanisms local and
+ nodefault.
+
+2008-04-03 Werner Koch <wk@g10code.com>
+
+ * yat2m.c (proc_texi_cmd): Remove extra apostrophe from @samp and
+ use open and close quote to @file and @env.
+
+2008-04-02 Werner Koch <wk@g10code.com>
+
+ * opt-homedir.texi: Remove special case for Registry key.
+
+ * yat2m.c (proc_texi_cmd): Use the \(aq glyph for @samp. This is
+ bug#898.
+ (proc_texi_buffer): Handle backslashs correctly.
+
+2008-03-27 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (nobase_dist_doc_DATA, dist_html_DATA): New. Move
+ relevant files to here.
+ (install-html-local): Remove.
+
+2008-02-27 Marcus Brinkmann <marcus@g10code.de>
+
+ * tools.texi (Listing options): Document new types.
+
+2008-02-26 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration Options): Mention rfc4398.
+
+2008-02-05 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Esoteric Options): Tweak mention of Tempest font
+ to add a "claimed" in there.
+
+2008-01-29 Justin Pryzby <jpryzby+d@quoininc.com> (wk)
+
+ * gpg-agent.texi (Agent Options): Grammar fixes
+
+ * qualified.txt: Spelling fixes.
+
+2008-01-28 Justin Pryzby <jpryzby+d@quoininc.com> (wk)
+
+ * gpg-agent.texi, yat2m.c, scdaemon.texi, qualified.txt
+ * tools.texi, gpgsm.texi: Typo fixes and minor grammer fixes.
+
+2008-01-10 Werner Koch <wk@g10code.com>
+
+ * qualified.txt: Add missing country tag to the last entries.
+ Reported by Marcus Brinkmann.
+
+2008-01-10 Marcus Brinkmann <marcus@g10code.de>
+
+ * tools.texi (gpgconf): Some clarifications.
+
+2008-01-02 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Esoteric Options): Mention --log-file.
+
+2007-12-13 Werner Koch <wk@g10code.com>
+
+ * qualified.txt: Add 2 root certs from S-Trust for 2008-2012.
+ * examples/trustlist.txt: Ditto.
+ * com-certs.pem: Ditto.
+
+ * gpgsm.texi (Esoteric Options): Document --extra-digest-algo.
+
+2007-12-12 Werner Koch <wk@g10code.com>
+
+ * gpg.texi: Typo fixes. From Christer Andersson.
+
+2007-12-04 Werner Koch <wk@g10code.com>
+
+ * help.txt: New online help file.
+ * help.be.txt, help.ca.txt, help.cs.txt, help.da.txt, help.de.txt
+ * help.el.txt, help.eo.txt, help.es.txt, help.et.txt, help.fi.txt
+ * help.fr.txt, help.gl.txt, help.hu.txt, help.id.txt, help.it.txt
+ * help.ja.txt, help.nb.txt, help.pl.txt, help.pt.txt
+ * help.pt_BR.txt, help.ro.txt, help.ru.txt, help.sk.txt
+ * help.sv.txt, help.tr.txt, help.zh_CN.txt, help.zh_TW.txt: New
+ online file, generated from teh current po files.
+ * Makefile.am (dist_pkgdata_DATA): Add them.
+
+2007-11-19 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration Options): English Grammar fix.
+ Thanks to Gerg Troxel.
+
+ * gpgsm.texi (Certificate Options): Document
+ --auto-issuer-key-retrieve.
+
+2007-11-15 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration): Add PINENTRY_USER_DATA.
+
+ * gpg-agent.texi (Agent Options): Add xauthority.
+
+2007-10-31 Marcus Brinkmann <marcus@g10code.de>
+
+ * gpg-agent.texi (Agent Options): Fix typos, by Bernhard Reiter.
+
+2007-10-27 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi: Document --rfc4880 (the new --openpgp).
+
+2007-10-25 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi: Clarify --force-v3-sigs, --pgp2, and --pgp6 a bit.
+
+2007-10-23 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Listing global options): New.
+
+2007-10-19 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Controlling gpg-connect-agent): Updated.
+
+2007-08-29 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Checking programs): New.
+
+2007-08-27 Werner Koch <wk@g10code.com>
+
+ * examples/pwpattern.list: New.
+
+2007-08-24 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Common Problems): Add "A root certifciate does
+ not validate."
+
+2007-08-14 Werner Koch <wk@g10code.com>
+
+ * glossary.texi (Glossary): Add a more items.
+
+2007-08-13 Werner Koch <wk@g10code.com>
+
+ * yat2m.c (proc_texi_cmd): Do not put @samp content between two
+ newlines.
+
+ * gpg-agent.texi (Agent Configuration): Explain the CM flag for
+ trustlist.txt.
+
+2007-08-09 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Certificate Options): Describe --validation-model.
+
+2007-07-23 Werner Koch <wk@g10code.com>
+
+ * scdaemon.texi (Scdaemon Commands): Remove obsolete --print-atr.
+
+2007-07-17 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Input and Output): Document --default-key.
+
+2007-07-04 Werner Koch <wk@g10code.com>
+
+ * gpl.texi: Updated to GPLv3.
+
+2007-06-22 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (Operational GPG Commands): Describe the flags used by
+ --check-sigs.
+
+2007-06-21 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Certificate Management): Changed description of
+ --gen-key.
+
+2007-06-19 Werner Koch <wk@g10code.com>
+
+ * glossary.texi (Glossary): Describe PSE.
+
+2007-06-18 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent GETINFO): New.
+
+2007-06-06 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (yat2m): Use a plain rule to build it for the sake
+ of cross-compiling.
+
+ * yat2m.c (finish_page): Init SECT to NULL.
+
+2007-05-11 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (--export): Enhanced description.
+
+2007-05-09 Werner Koch <wk@g10code.com>
+
+ * examples/gpgconf.conf: Remove active example line.
+
+ * Makefile.am (online): Distinguish between released and svn manuals.
+
+2007-05-08 Werner Koch <wk@g10code.com>
+
+ * howtos.texi: New.
+ * howto-create-a-server-cert.texi: New.
+ * Makefile.am (gnupg_TEXINFOS): Add new files.
+
+ * gnupg.texi: Moved the logo for HTML more to the top.
+ * Makefile.am (install-html-local): New.
+ (DVIPS): Redefine to include srcdir.
+
+2007-05-04 Werner Koch <wk@g10code.com>
+
+ * gnupg.texi (Top): Fix typo and a grammar issue.
+ * Makefile.am (EXTRA_DIST): Add gnupg-logo.png. Suggested by
+ Bernard Leak.
+
+2007-04-15 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (OpenPGP Options): Update the personal-foo-preferences
+ documentation a bit.
+
+2007-04-10 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration Options): Document --batch, no-tty,
+ --yes and --no.
+
+2007-03-08 Werner Koch <wk@g10code.com>
+
+ * gnupg-logo.png, gnupg-logo.eps, gnupg-logo.pdf: New.
+ * gnupg-badge-openpgp.eps, gnupg-badge-openpgp.eps
+ * gnupg-badge-openpgp.jpg: Removed.
+ * gnupg.texi: Use new logo.
+
+2007-03-07 Werner Koch <wk@g10code.com>
+
+ * tools.texi (applygnupgdefaults): New.
+
+2007-03-06 Werner Koch <wk@g10code.com>
+
+ * examples/gpgconf.conf: New.
+
+2007-03-04 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Esoteric Options): Document
+ --allow-multiple-messages.
+
+2007-02-26 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Configuration): Document envvar LANGUAGE.
+ (GPG Configuration Options): Document show-primary-uid-only.
+
+2007-02-18 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Esoteric Options): No card reader options for gpg2.
+
+2007-02-14 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent Options): Doc --pinentry-touch-file.
+
+2007-02-05 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Common Problems): Tell how to export a private
+ key without a certificate.
+
+2007-01-30 Werner Koch <wk@g10code.com>
+
+ * com-certs.pem: Added the current root certifcates of D-Trust and
+ S-Trust.
+
+2007-01-18 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi, specify-user-id.texi: Only some of the mentions of
+ exclamation marks have an example. Give examples to the rest.
+
+2007-01-17 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Configuration Options): Make http_proxy option
+ documentation match reality.
+ (BUGS): Warn about hibernate/safe-sleep/etc writing main RAM to
+ disk, despite locking.
+
+2006-12-08 Werner Koch <wk@g10code.com>
+
+ * gnupg.texi (direntry): Rename gpg to gpg2.
+
+2006-12-04 Werner Koch <wk@g10code.com>
+
+ * gpgv.texi: New.
+ * tools.texi: Include new file.
+
+2006-12-02 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi (GPG Esoteric Options): Document --passphrase-repeat.
+
+2006-11-14 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (GPGSM EXPORT): Document changes.
+
+2006-11-11 Werner Koch <wk@g10code.com>
+
+ * gnupg.texi (Top): Move gpg-agent part before gpg.
+
+2006-11-05 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi: Reference to --s2k-count in --s2k-mode.
+
+2006-10-30 Werner Koch <wk@g10code.com>
+
+ * faq.raw: Minor corrections.
+
+2006-10-12 Werner Koch <wk@g10code.com>
+
+ * Makefile.am (man_MANS): Do not install gnupg.7 due to a conflict
+ with gpg1.
+
+2006-10-12 David Shaw <dshaw@jabberwocky.com>
+
+ * gpg.texi: Document --s2k-count.
+
+2006-09-25 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Examples): Add markup to all options. This is
+ required to have the double dashs printed correclty.
+
+2006-09-22 Werner Koch <wk@g10code.com>
+
+ * instguide.texi (Installation): New.
+ * assuan.texi (Assuan): Removed. Use the libassuan manual instead.
+ * gnupg.texi: Reflect these changes.
+
+ * gpg.texi: Make some parts depend on the "gpgone" set
+ command. This allows us to use the same source for gpg1 and gpg2.
+
+ * yat2m.c (parse_file): Better parsing of @ifset and ifclear.
+ (main): Allow definition of "-D gpgone".
+ (parse_file): Allow macro definitions.
+ (proc_texi_cmd): Expand macros.
+ (proc_texi_buffer): Process commands terminated by the closing
+ brace of the enclosing command.
+
+2006-09-20 Werner Koch <wk@g10code.com>
+
+ * texi.css: New. Note that the current vesion of makeinfo has a
+ bug while copying the @import directive. A pacth has been send to
+ upstream.
+
+2006-09-19 Werner Koch <wk@g10code.com>
+
+ * gpg.texi: Some restructuring.
+
+ * Makefile.am (online): New target.
+
+2006-09-18 Werner Koch <wk@g10code.com>
+
+ * com-certs.pem: New.
+
+2006-09-13 Werner Koch <wk@g10code.com>
+
+ * gpg.texi (GPG Esoteric Options): Fixed typo in
+ --require-cross-certification and made it the default.
+
+2006-09-11 Werner Koch <wk@g10code.com>
+
+ * HACKING: Cleaned up.
+
+2006-09-08 Werner Koch <wk@g10code.com>
+
+ * yat2m.c (parse_file): Ignore @node lines immediately.
+ (proc_texi_cmd): No special @end ifset processing anymore.
+
+ * specify-user-id.texi: New. Factored out of gpg.texi and ../README.
+
+2006-09-07 Werner Koch <wk@g10code.com>
+
+ * scdaemon.texi (Scdaemon Configuration): New.
+
+ * examples/scd-event: Event handler for sdaemon.
+ * examples/: New directory
+
+2006-08-22 Werner Koch <wk@g10code.com>
+
+ * yat2m.c (parse_file): Added code to skip a line after @mansect.
+
+ * gnupg7.texi: New.
+
+2006-08-21 Werner Koch <wk@g10code.com>
+
+ * Makefile.am: Added other doc files from gpg 1.4.
+
+2006-08-17 Werner Koch <wk@g10code.com>
+
+ * Makefile.am: Added rules to build man pages.
+
+ * yat2m.c: New.
+
+2006-02-14 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (GPGSM Configuration): New section.
+
+2005-11-14 Werner Koch <wk@g10code.com>
+
+ * qualified.txt: Added real information.
+
+2005-11-13 Werner Koch <wk@g10code.com>
+
+ * qualified.txt: New.
+ * Makefile.am (dist_pkgdata_DATA): New.
+
+2005-08-16 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent Options): Note default file name for
+ --write-env-file.
+
+2005-06-03 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Architecture Details): New section, mostly empty.
+ * gnupg-card-architecture.fig: New.
+ * Makefile.am: Rules to build png and eps versions.
+
+ * gpg-agent.texi (Agent UPDATESTARTUPTTY): New.
+
+2005-05-17 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent Options): Removed --disable-pth.
+
+2005-04-27 Werner Koch <wk@g10code.com>
+
+ * tools.texi (symcryptrun): Added.
+
+ * scdaemon.texi: Removed OpenSC specific options.
+
+2005-04-20 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Agent Configuration): New section.
+
+2005-02-24 Werner Koch <wk@g10code.com>
+
+ * tools.texi (gpg-connect-agent): New.
+
+2005-02-14 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Certificate Management): Document --import.
+
+2005-01-27 Moritz Schulte <moritz@g10code.com>
+
+ * gpg-agent.texi: Document ssh-agent emulation layer.
+
+2005-01-04 Werner Koch <wk@g10code.com>
+
+ * gnupg.texi: Updated to use @copying.
+
+2004-12-22 Werner Koch <wk@g10code.com>
+
+ * gnupg.texi: Reordered.
+ * contrib.texi: Updated.
+
+2004-12-21 Werner Koch <wk@g10code.com>
+
+ * tools.texi (gpg-preset-passphrase): New section.
+
+ * gnupg-badge-openpgp.eps, gnupg-badge-openpgp.jpg: New
+ * gnupg.texi: Add a logo.
+ * sysnotes.texi: New.
+
+2004-11-05 Werner Koch <wk@g10code.com>
+
+ * debugging.texi (Common Problems): Curses pinentry problem.
+
+2004-10-22 Werner Koch <wk@g10code.com>
+
+ * tools.texi (Helper Tools): Document gpgsm-gencert.sh.
+
+2004-10-05 Werner Koch <wk@g10code.com>
+
+ * gpg-agent.texi (Invoking GPG-AGENT): Tell that GPG_TTY needs to
+ be set in all cases.
+
+2004-09-30 Werner Koch <wk@g10code.com>
+
+ * gpg.texi: New.
+ * gnupg.texi: Include gpg.texi
+
+ * tools.texi: Add a few @command markups.
+ * gpgsm.texi: Ditto
+ * gpg-agent.texi: Ditto.
+ * scdaemon.texi: Ditto.
+
+2004-09-30 Marcus Brinkmann <marcus@g10code.de>
+
+ * tools.texi (Changing options): Add documentation for gpgconf.
+
+ * contrib.texi (Contributors): Add two missing periods.
+
+2004-09-29 Werner Koch <wk@g10code.com>
+
+ * gpgsm.texi (Configuration Options): Add --log-file.
+
+ * gpg-agent.texi (Invoking GPG-AGENT): Add a few words about the
+ expected pinentry filename.
+
+ Changed license of the manual stuff to GPL.
+
+ * gnupg.texi (Top): New menu item Helper Tools.
+
+ * tools.texi (Helper Tools): New.
+ * Makefile.am (gnupg_TEXINFOS): Add tools.texi.
+
+2004-08-05 Werner Koch <wk@g10code.de>
+
+ * scdaemon.texi (Card applications): New section.
+
+2004-06-22 Werner Koch <wk@g10code.com>
+
+ * glossary.texi: New.
+
+2004-06-18 Werner Koch <wk@gnupg.org>
+
+ * debugging.texi: New.
+ * gnupg.texi: Include it.
+
+2004-05-11 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (Esoteric Options): Add --debug-allow-core-dump.
+
+2004-05-03 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent Options): Add --allow-mark-trusted.
+
+2004-02-03 Werner Koch <wk@gnupg.org>
+
+ * contrib.texi (Contributors): Updated from the gpg 1.2.3 thanks
+ list.
+ * gpgsm.texi, gpg-agent.texi, scdaemon.texi: Language cleanups.
+
+2003-12-01 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (Certificate Options): Add --{enable,disable}-ocsp.
+
+2003-11-17 Werner Koch <wk@gnupg.org>
+
+ * scdaemon.texi (Scdaemon Options): Added --allow-admin and
+ --deny-admin.
+
+2003-10-27 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent GET_CONFIRMATION): New.
+
+2002-12-04 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent Signals): New.
+
+2002-12-03 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (Operational Commands): Add --passwd and
+ --call-protect-tool.
+ * gpg-agent.texi (Agent PASSWD): New
+
+2002-11-13 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Invoking GPG-AGENT): Tell about GPG_TTY.
+
+2002-11-12 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (Operational Commands): Add --call-dirmngr.
+
+2002-09-25 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent Options): Add --keep-tty and --keep-display.
+
+2002-09-12 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Invoking GPG-AGENT): Explained how to start only
+ one instance.
+
+2002-08-28 Werner Koch <wk@gnupg.org>
+
+ * gpg-agent.texi (Agent Options): Explained more options.
+ * scdaemon.texi (Scdaemon Options): Ditto.
+
+2002-08-09 Werner Koch <wk@gnupg.org>
+
+ * Makefile.am (gnupg_TEXINFOS): Include contrib.texi.
+
+2002-08-06 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi: Added more options.
+
+2002-07-26 Werner Koch <wk@gnupg.org>
+
+ * assuan.texi: New.
+ * gpgsm.texi, scdaemon.texi, gpg-agent.texi: Documented the Assuan
+ protocol used.
+
+2002-07-22 Werner Koch <wk@gnupg.org>
+
+ * gnupg.texi, scdaemon.texi, gpg-agent.texi: New.
+ * contrib.texi, gpl.texi, fdl.texi: New.
+ * gpgsm.texi: Made this an include file for gnupg.texi.
+ * Makefile.am: Build gnupg.info instead of gpgsm.info.
+
+2002-06-04 Werner Koch <wk@gnupg.org>
+
+ * gpgsm.texi (Invocation): Described the various debug flags.
+
+2002-05-14 Werner Koch <wk@gnupg.org>
+
+ * Makefile.am, gpgsm.texi: New.
+
+ Copyright 2002, 2004, 2005, 2006, 2007, 2008, 2010 Free Software Foundation, Inc.
+
+ This file is free software; as a special exception the author gives
+ unlimited permission to copy and/or distribute it, with or without
+ modifications, as long as this notice is preserved.
+
+ This file is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+Local Variables:
+buffer-read-only: t
+End:
diff --git a/doc/DCO b/doc/DCO
new file mode 100644
index 0000000..bae7bff
--- /dev/null
+++ b/doc/DCO
@@ -0,0 +1,29 @@
+GnuPG Developer's Certificate of Origin. Version 1.0
+=====================================================
+
+By making a contribution to the GnuPG project, I certify that:
+
+(a) The contribution was created in whole or in part by me and I
+ have the right to submit it under the free software license
+ indicated in the file; or
+
+(b) The contribution is based upon previous work that, to the
+ best of my knowledge, is covered under an appropriate free
+ software license and I have the right under that license to
+ submit that work with modifications, whether created in whole
+ or in part by me, under the same free software license
+ (unless I am permitted to submit under a different license),
+ as indicated in the file; or
+
+(c) The contribution was provided directly to me by some other
+ person who certified (a), (b) or (c) and I have not modified
+ it.
+
+(d) I understand and agree that this project and the contribution
+ are public and that a record of the contribution (including
+ all personal information I submit with it, including my
+ sign-off) is maintained indefinitely and may be redistributed
+ consistent with this project or the free software license(s)
+ involved.
+
+Signed-off-by: [Your name and mail address]
diff --git a/doc/DETAILS b/doc/DETAILS
new file mode 100644
index 0000000..420f67d
--- /dev/null
+++ b/doc/DETAILS
@@ -0,0 +1,1617 @@
+# doc/DETAILS -*- org -*-
+#+TITLE: GnuPG Details
+# Globally disable superscripts and subscripts:
+#+OPTIONS: ^:{}
+#
+
+# Note: This file uses org-mode; it should be easy to read as plain
+# text but be aware of some markup peculiarities: Verbatim code is
+# enclosed in #+begin-example, #+end-example blocks or marked by a
+# colon as the first non-white-space character, words bracketed with
+# equal signs indicate a monospace font, and the usual /italics/,
+# *bold*, and _underline_ conventions are recognized.
+
+This is the DETAILS file for GnuPG which specifies some internals and
+parts of the external API for GPG and GPGSM.
+
+* Format of the colon listings
+
+ The format is a based on colon separated record, each recods starts
+ with a tag string and extends to the end of the line. Here is an
+ example:
+#+begin_example
+$ gpg --with-colons --list-keys \
+ --with-fingerprint --with-fingerprint wk@gnupg.org
+pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
+fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
+uid:f::::::::Werner Koch <wk@g10code.com>:
+uid:f::::::::Werner Koch <wk@gnupg.org>:
+sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e:
+fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1:
+sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc:
+fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4:
+#+end_example
+
+Note that new version of GnuPG or the use of certain options may add
+new fields to the output. Parsers should not assume a limit on the
+number of fields per line. Some fields are not yet used or only used
+with certain record types; parsers should ignore fields they are not
+aware of. New versions of GnuPG or the use of certain options may add
+new types of records as well. Parsers should ignore any record whose
+type they do not recognize for forward-compatibility.
+
+The double =--with-fingerprint= prints the fingerprint for the subkeys
+too. Old versions of gpg used a slightly different format and required
+the use of the option =--fixed-list-mode= to conform to the format
+described here.
+
+
+** Description of the fields
+*** Field 1 - Type of record
+
+ - pub :: Public key
+ - crt :: X.509 certificate
+ - crs :: X.509 certificate and private key available
+ - sub :: Subkey (secondary key)
+ - sec :: Secret key
+ - ssb :: Secret subkey (secondary key)
+ - uid :: User id
+ - uat :: User attribute (same as user id except for field 10).
+ - sig :: Signature
+ - rev :: Revocation signature
+ - rvs :: Recocation signature (standalone) [since 2.2.9]
+ - fpr :: Fingerprint (fingerprint is in field 10)
+ - fp2 :: SHA-256 fingerprint (fingerprint is in field 10)
+ - pkd :: Public key data [*]
+ - grp :: Keygrip
+ - rvk :: Revocation key
+ - tfs :: TOFU statistics [*]
+ - tru :: Trust database information [*]
+ - spk :: Signature subpacket [*]
+ - cfg :: Configuration data [*]
+
+ Records marked with an asterisk are described at [[*Special%20field%20formats][*Special fields]].
+
+*** Field 2 - Validity
+
+ This is a letter describing the computed validity of a key.
+ Currently this is a single letter, but be prepared that additional
+ information may follow in some future versions. Note that GnuPG <
+ 2.1 does not set this field for secret key listings.
+
+ - o :: Unknown (this key is new to the system)
+ - i :: The key is invalid (e.g. due to a missing self-signature)
+ - d :: The key has been disabled
+ (deprecated - use the 'D' in field 12 instead)
+ - r :: The key has been revoked
+ - e :: The key has expired
+ - - :: Unknown validity (i.e. no value assigned)
+ - q :: Undefined validity. '-' and 'q' may safely be treated as
+ the same value for most purposes
+ - n :: The key is not valid
+ - m :: The key is marginal valid.
+ - f :: The key is fully valid
+ - u :: The key is ultimately valid. This often means that the
+ secret key is available, but any key may be marked as
+ ultimately valid.
+ - w :: The key has a well known private part.
+ - s :: The key has special validity. This means that it might be
+ self-signed and expected to be used in the STEED system.
+
+ If the validity information is given for a UID or UAT record, it
+ describes the validity calculated based on this user ID. If given
+ for a key record it describes the validity taken from the best
+ rated user ID.
+
+ For X.509 certificates a 'u' is used for a trusted root
+ certificate (i.e. for the trust anchor) and an 'f' for all other
+ valid certificates.
+
+ In "sig" records, this field may have one of these values as first
+ character:
+
+ - ! :: Signature is good.
+ - - :: Signature is bad.
+ - ? :: No public key to verify signature or public key is not usable.
+ - % :: Other error verifying a signature
+
+ More values may be added later. The field may also be empty if
+ gpg has been invoked in a non-checking mode (--list-sigs) or in a
+ fast checking mode. Since 2.2.7 '?' will also be printed by the
+ command --list-sigs if the key is not in the local keyring.
+
+*** Field 3 - Key length
+
+ The length of key in bits.
+
+*** Field 4 - Public key algorithm
+
+ The values here are those from the OpenPGP specs or if they are
+ greather than 255 the algorithm ids as used by Libgcrypt.
+
+*** Field 5 - KeyID
+
+ This is the 64 bit keyid as specified by OpenPGP and the last 64
+ bit of the SHA-1 fingerprint of an X.509 certifciate.
+
+*** Field 6 - Creation date
+
+ The creation date of the key is given in UTC. For UID and UAT
+ records, this is used for the self-signature date. Note that the
+ date is usually printed in seconds since epoch, however, we are
+ migrating to an ISO 8601 format (e.g. "19660205T091500"). This is
+ currently only relevant for X.509. A simple way to detect the new
+ format is to scan for the 'T'. Note that old versions of gpg
+ without using the =--fixed-list-mode= option used a "yyyy-mm-tt"
+ format.
+
+*** Field 7 - Expiration date
+
+ Key or UID/UAT expiration date or empty if it does not expire.
+
+*** Field 8 - Certificate S/N, UID hash, trust signature info
+
+ Used for serial number in crt records. For UID and UAT records,
+ this is a hash of the user ID contents used to represent that
+ exact user ID. For trust signatures, this is the trust depth
+ separated by the trust value by a space.
+
+*** Field 9 - Ownertrust
+
+ This is only used on primary keys. This is a single letter, but
+ be prepared that additional information may follow in future
+ versions. For trust signatures with a regular expression, this is
+ the regular expression value, quoted as in field 10.
+
+*** Field 10 - User-ID
+
+ The value is quoted like a C string to avoid control characters
+ (the colon is quoted =\x3a=). For a "pub" record this field is
+ not used on --fixed-list-mode. A UAT record puts the attribute
+ subpacket count here, a space, and then the total attribute
+ subpacket size. In gpgsm the issuer name comes here. The FPR and FP2
+ records store the fingerprints here. The fingerprint of a
+ revocation key is stored here.
+
+*** Field 11 - Signature class
+
+ Signature class as per RFC-4880. This is a 2 digit hexnumber
+ followed by either the letter 'x' for an exportable signature or
+ the letter 'l' for a local-only signature. The class byte of an
+ revocation key is also given here, 'x' and 'l' is used the same
+ way. This field if not used for X.509.
+
+ "rev" and "rvs" may be followed by a comma and a 2 digit hexnumber
+ with the revocation reason.
+
+*** Field 12 - Key capabilities
+
+ The defined capabilities are:
+
+ - e :: Encrypt
+ - s :: Sign
+ - c :: Certify
+ - a :: Authentication
+ - ? :: Unknown capability
+
+ A key may have any combination of them in any order. In addition
+ to these letters, the primary key has uppercase versions of the
+ letters to denote the _usable_ capabilities of the entire key, and
+ a potential letter 'D' to indicate a disabled key.
+
+*** Field 13 - Issuer certificate fingerprint or other info
+
+ Used in FPR records for S/MIME keys to store the fingerprint of
+ the issuer certificate. This is useful to build the certificate
+ path based on certificates stored in the local key database it is
+ only filled if the issuer certificate is available. The root has
+ been reached if this is the same string as the fingerprint. The
+ advantage of using this value is that it is guaranteed to have
+ been built by the same lookup algorithm as gpgsm uses.
+
+ For "uid" records this field lists the preferences in the same way
+ gpg's --edit-key menu does.
+
+ For "sig", "rev" and "rvs" records, this is the fingerprint of the
+ key that issued the signature. Note that this may only be filled
+ if the signature verified correctly. Note also that for various
+ technical reasons, this fingerprint is only available if
+ --no-sig-cache is used. Since 2.2.7 this field will also be set
+ if the key is missing but the signature carries an issuer
+ fingerprint as meta data.
+
+*** Field 14 - Flag field
+
+ Flag field used in the --edit menu output
+
+*** Field 15 - S/N of a token
+
+ Used in sec/ssb to print the serial number of a token (internal
+ protect mode 1002) or a '#' if that key is a simple stub (internal
+ protect mode 1001). If the option --with-secret is used and a
+ secret key is available for the public key, a '+' indicates this.
+
+*** Field 16 - Hash algorithm
+
+ For sig records, this is the used hash algorithm. For example:
+ 2 = SHA-1, 8 = SHA-256.
+
+*** Field 17 - Curve name
+
+ For pub, sub, sec, and ssb records this field is used for the ECC
+ curve name.
+
+*** Field 18 - Compliance flags
+
+ Space separated list of asserted compliance modes for this key.
+
+ Valid values are:
+
+ - 8 :: The key is compliant with RFC4880bis
+ - 23 :: The key is compliant with compliance mode "de-vs".
+
+*** Field 19 - Last update
+
+ The timestamp of the last update of a key or user ID. The update
+ time of a key is defined a lookup of the key via its unique
+ identifier (fingerprint); the field is empty if not known. The
+ update time of a user ID is defined by a lookup of the key using a
+ trusted mapping from mail address to key.
+
+*** Field 20 - Origin
+
+ The origin of the key or the user ID. This is an integer
+ optionally followed by a space and an URL. This goes along with
+ the previous field. The URL is quoted in C style.
+
+*** Field 21 - Comment
+
+ This is currently only used in "rev" and "rvs" records to carry
+ the the comment field of the recocation reason. The value is
+ quoted in C style.
+
+** Special fields
+
+*** PKD - Public key data
+
+ If field 1 has the tag "pkd", a listing looks like this:
+#+begin_example
+pkd:0:1024:B665B1435F4C2 .... FF26ABB:
+ ! ! !-- the value
+ ! !------ for information number of bits in the value
+ !--------- index (eg. DSA goes from 0 to 3: p,q,g,y)
+#+end_example
+
+*** TFS - TOFU statistics
+
+ This field may follows a UID record to convey information about
+ the TOFU database. The information is similar to a TOFU_STATS
+ status line.
+
+ - Field 2 :: tfs record version (must be 1)
+ - Field 3 :: validity - A number with validity code.
+ - Field 4 :: signcount - The number of signatures seen.
+ - Field 5 :: encrcount - The number of encryptions done.
+ - Field 6 :: policy - A string with the policy
+ - Field 7 :: signture-first-seen - a timestamp or 0 if not known.
+ - Field 8 :: signature-most-recent-seen - a timestamp or 0 if not known.
+ - Field 9 :: encryption-first-done - a timestamp or 0 if not known.
+ - Field 10 :: encryption-most-recent-done - a timestamp or 0 if not known.
+
+*** TRU - Trust database information
+ Example for a "tru" trust base record:
+#+begin_example
+ tru:o:0:1166697654:1:3:1:5
+#+end_example
+
+ - Field 2 :: Reason for staleness of trust. If this field is
+ empty, then the trustdb is not stale. This field may
+ have multiple flags in it:
+
+ - o :: Trustdb is old
+ - t :: Trustdb was built with a different trust model
+ than the one we are using now.
+
+ - Field 3 :: Trust model
+
+ - 0 :: Classic trust model, as used in PGP 2.x.
+ - 1 :: PGP trust model, as used in PGP 6 and later.
+ This is the same as the classic trust model,
+ except for the addition of trust signatures.
+
+ GnuPG before version 1.4 used the classic trust model
+ by default. GnuPG 1.4 and later uses the PGP trust
+ model by default.
+
+ - Field 4 :: Date trustdb was created in seconds since Epoch.
+ - Field 5 :: Date trustdb will expire in seconds since Epoch.
+ - Field 6 :: Number of marginally trusted users to introduce a new
+ key signer (gpg's option --marginals-needed).
+ - Field 7 :: Number of completely trusted users to introduce a new
+ key signer. (gpg's option --completes-needed)
+
+ - Field 8 :: Maximum depth of a certification chain. (gpg's option
+ --max-cert-depth)
+
+*** SPK - Signature subpacket records
+
+ - Field 2 :: Subpacket number as per RFC-4880 and later.
+ - Field 3 :: Flags in hex. Currently the only two bits assigned
+ are 1, to indicate that the subpacket came from the
+ hashed part of the signature, and 2, to indicate the
+ subpacket was marked critical.
+ - Field 4 :: Length of the subpacket. Note that this is the
+ length of the subpacket, and not the length of field
+ 5 below. Due to the need for %-encoding, the length
+ of field 5 may be up to 3x this value.
+ - Field 5 :: The subpacket data. Printable ASCII is shown as
+ ASCII, but other values are rendered as %XX where XX
+ is the hex value for the byte.
+
+*** CFG - Configuration data
+
+ --list-config outputs information about the GnuPG configuration
+ for the benefit of frontends or other programs that call GnuPG.
+ There are several list-config items, all colon delimited like the
+ rest of the --with-colons output. The first field is always "cfg"
+ to indicate configuration information. The second field is one of
+ (with examples):
+
+ - version :: The third field contains the version of GnuPG.
+
+ : cfg:version:1.3.5
+
+ - pubkey :: The third field contains the public key algorithms
+ this version of GnuPG supports, separated by
+ semicolons. The algorithm numbers are as specified in
+ RFC-4880. Note that in contrast to the --status-fd
+ interface these are _not_ the Libgcrypt identifiers.
+ Using =pubkeyname= prints names instead of numbers.
+
+ : cfg:pubkey:1;2;3;16;17
+
+ - cipher :: The third field contains the symmetric ciphers this
+ version of GnuPG supports, separated by semicolons.
+ The cipher numbers are as specified in RFC-4880.
+ Using =ciphername= prints names instead of numbers.
+
+ : cfg:cipher:2;3;4;7;8;9;10
+
+ - digest :: The third field contains the digest (hash) algorithms
+ this version of GnuPG supports, separated by
+ semicolons. The digest numbers are as specified in
+ RFC-4880. Using =digestname= prints names instead of
+ numbers.
+
+ : cfg:digest:1;2;3;8;9;10
+
+ - compress :: The third field contains the compression algorithms
+ this version of GnuPG supports, separated by
+ semicolons. The algorithm numbers are as specified
+ in RFC-4880.
+
+ : cfg:compress:0;1;2;3
+
+ - group :: The third field contains the name of the group, and the
+ fourth field contains the values that the group expands
+ to, separated by semicolons.
+
+ For example, a group of:
+ : group mynames = paige 0x12345678 joe patti
+ would result in:
+ : cfg:group:mynames:patti;joe;0x12345678;paige
+
+ - curve :: The third field contains the curve names this version
+ of GnuPG supports, separated by semicolons. Using
+ =curveoid= prints OIDs instead of numbers.
+
+ : cfg:curve:ed25519;nistp256;nistp384;nistp521
+
+
+* Format of the --status-fd output
+
+ Every line is prefixed with "[GNUPG:] ", followed by a keyword with
+ the type of the status line and some arguments depending on the type
+ (maybe none); an application should always be willing to ignore
+ unknown keywords that may be emitted by future versions of GnuPG.
+ Also, new versions of GnuPG may add arguments to existing keywords.
+ Any additional arguments should be ignored for forward-compatibility.
+
+** General status codes
+*** NEWSIG [<signers_uid>]
+ Is issued right before a signature verification starts. This is
+ useful to define a context for parsing ERROR status messages.
+ If SIGNERS_UID is given and is not "-" this is the percent-escaped
+ value of the OpenPGP Signer's User ID signature sub-packet.
+
+*** GOODSIG <long_keyid_or_fpr> <username>
+ The signature with the keyid is good. For each signature only one
+ of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or
+ ERRSIG will be emitted. In the past they were used as a marker
+ for a new signature; new code should use the NEWSIG status
+ instead. The username is the primary one encoded in UTF-8 and %XX
+ escaped. The fingerprint may be used instead of the long keyid if
+ it is available. This is the case with CMS and might eventually
+ also be available for OpenPGP.
+
+*** EXPSIG <long_keyid_or_fpr> <username>
+ The signature with the keyid is good, but the signature is
+ expired. The username is the primary one encoded in UTF-8 and %XX
+ escaped. The fingerprint may be used instead of the long keyid if
+ it is available. This is the case with CMS and might eventually
+ also be available for OpenPGP.
+
+*** EXPKEYSIG <long_keyid_or_fpr> <username>
+ The signature with the keyid is good, but the signature was made
+ by an expired key. The username is the primary one encoded in
+ UTF-8 and %XX escaped. The fingerprint may be used instead of the
+ long keyid if it is available. This is the case with CMS and
+ might eventually also be available for OpenPGP.
+
+*** REVKEYSIG <long_keyid_or_fpr> <username>
+ The signature with the keyid is good, but the signature was made
+ by a revoked key. The username is the primary one encoded in UTF-8
+ and %XX escaped. The fingerprint may be used instead of the long
+ keyid if it is available. This is the case with CMS and might
+ eventually also beñ available for OpenPGP.
+
+*** BADSIG <long_keyid_or_fpr> <username>
+ The signature with the keyid has not been verified okay. The
+ username is the primary one encoded in UTF-8 and %XX escaped. The
+ fingerprint may be used instead of the long keyid if it is
+ available. This is the case with CMS and might eventually also be
+ available for OpenPGP.
+
+*** ERRSIG <keyid> <pkalgo> <hashalgo> <sig_class> <time> <rc> <fpr>
+ It was not possible to check the signature. This may be caused by
+ a missing public key or an unsupported algorithm. A RC of 4
+ indicates unknown algorithm, a 9 indicates a missing public
+ key. The other fields give more information about this signature.
+ sig_class is a 2 byte hex-value. The fingerprint may be used
+ instead of the long_keyid_or_fpr if it is available. This is the
+ case with gpgsm and might eventually also be available for
+ OpenPGP. The ERRSIG line has FPR filed which is only available
+ since 2.2.7; that FPR may either be missing or - if the signature
+ has no fingerprint as meta data.
+
+ Note, that TIME may either be the number of seconds since Epoch or
+ an ISO 8601 string. The latter can be detected by the presence of
+ the letter 'T'.
+
+*** VALIDSIG <args>
+
+ The args are:
+
+ - <fingerprint_in_hex>
+ - <sig_creation_date>
+ - <sig-timestamp>
+ - <expire-timestamp>
+ - <sig-version>
+ - <reserved>
+ - <pubkey-algo>
+ - <hash-algo>
+ - <sig-class>
+ - [ <primary-key-fpr> ]
+
+ This status indicates that the signature is cryptographically
+ valid. This is similar to GOODSIG, EXPSIG, EXPKEYSIG, or REVKEYSIG
+ (depending on the date and the state of the signature and signing
+ key) but has the fingerprint as the argument. Multiple status
+ lines (VALIDSIG and the other appropriate *SIG status) are emitted
+ for a valid signature. All arguments here are on one long line.
+ sig-timestamp is the signature creation time in seconds after the
+ epoch. expire-timestamp is the signature expiration time in
+ seconds after the epoch (zero means "does not
+ expire"). sig-version, pubkey-algo, hash-algo, and sig-class (a
+ 2-byte hex value) are all straight from the signature packet.
+ PRIMARY-KEY-FPR is the fingerprint of the primary key or identical
+ to the first argument. This is useful to get back to the primary
+ key without running gpg again for this purpose.
+
+ The primary-key-fpr parameter is used for OpenPGP and not
+ available for CMS signatures. The sig-version as well as the sig
+ class is not defined for CMS and currently set to 0 and 00.
+
+ Note, that *-TIMESTAMP may either be a number of seconds since
+ Epoch or an ISO 8601 string which can be detected by the presence
+ of the letter 'T'.
+
+*** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp>
+ This is emitted only for signatures of class 0 or 1 which have
+ been verified okay. The string is a signature id and may be used
+ in applications to detect replay attacks of signed messages. Note
+ that only DLP algorithms give unique ids - others may yield
+ duplicated ones when they have been created in the same second.
+
+ Note, that SIG-TIMESTAMP may either be a number of seconds since
+ Epoch or an ISO 8601 string which can be detected by the presence
+ of the letter 'T'.
+
+*** ENC_TO <long_keyid> <keytype> <keylength>
+ The message is encrypted to this LONG_KEYID. KEYTYPE is the
+ numerical value of the public key algorithm or 0 if it is not
+ known, KEYLENGTH is the length of the key or 0 if it is not known
+ (which is currently always the case). Gpg prints this line
+ always; Gpgsm only if it knows the certificate.
+
+*** BEGIN_DECRYPTION
+ Mark the start of the actual decryption process. This is also
+ emitted when in --list-only mode.
+*** END_DECRYPTION
+ Mark the end of the actual decryption process. This are also
+ emitted when in --list-only mode.
+*** DECRYPTION_KEY <fpr> <fpr2> <otrust>
+ This line is emitted when a public key decryption succeeded in
+ providing a session key. <fpr> is the hexified fingerprint of the
+ actual key used for descryption. <fpr2> is the fingerprint of the
+ primary key. <otrust> is the letter with the ownertrust; this is
+ in general a 'u' which stands for ultimately trusted.
+*** DECRYPTION_INFO <mdc_method> <sym_algo> [<aead_algo>]
+ Print information about the symmetric encryption algorithm and the
+ MDC method. This will be emitted even if the decryption fails.
+ For an AEAD algorithm AEAD_ALGO is not 0.
+
+*** DECRYPTION_FAILED
+ The symmetric decryption failed - one reason could be a wrong
+ passphrase for a symmetrical encrypted message.
+
+*** DECRYPTION_OKAY
+ The decryption process succeeded. This means, that either the
+ correct secret key has been used or the correct passphrase for a
+ symmetric encrypted message was given. The program itself may
+ return an errorcode because it may not be possible to verify a
+ signature for some reasons.
+
+*** SESSION_KEY <algo>:<hexdigits>
+ The session key used to decrypt the message. This message will
+ only be emitted if the option --show-session-key is used. The
+ format is suitable to be passed as value for the option
+ --override-session-key. It is not an indication that the
+ decryption will or has succeeded.
+
+*** BEGIN_ENCRYPTION <mdc_method> <sym_algo>
+ Mark the start of the actual encryption process.
+
+*** END_ENCRYPTION
+ Mark the end of the actual encryption process.
+
+*** FILE_START <what> <filename>
+ Start processing a file <filename>. <what> indicates the performed
+ operation:
+ - 1 :: verify
+ - 2 :: encrypt
+ - 3 :: decrypt
+
+*** FILE_DONE
+ Marks the end of a file processing which has been started
+ by FILE_START.
+
+*** BEGIN_SIGNING
+ Mark the start of the actual signing process. This may be used as
+ an indication that all requested secret keys are ready for use.
+
+*** ALREADY_SIGNED <long-keyid>
+ Warning: This is experimental and might be removed at any time.
+
+*** SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>
+ A signature has been created using these parameters.
+ Values for type <type> are:
+ - D :: detached
+ - C :: cleartext
+ - S :: standard
+ (only the first character should be checked)
+
+ <class> are 2 hex digits with the OpenPGP signature class.
+
+ Note, that TIMESTAMP may either be a number of seconds since Epoch
+ or an ISO 8601 string which can be detected by the presence of the
+ letter 'T'.
+
+*** NOTATION_
+ There are actually three related status codes to convey notation
+ data:
+
+ - NOTATION_NAME <name>
+ - NOTATION_FLAGS <critical> <human_readable>
+ - NOTATION_DATA <string>
+
+ <name> and <string> are %XX escaped. The data may be split among
+ several NOTATION_DATA lines. NOTATION_FLAGS is emitted after
+ NOTATION_NAME and gives the critical and human readable flags;
+ the flag values are either 0 or 1.
+
+*** POLICY_URL <string>
+ Note that URL in <string> is %XX escaped.
+
+*** PLAINTEXT <format> <timestamp> <filename>
+ This indicates the format of the plaintext that is about to be
+ written. The format is a 1 byte hex code that shows the format of
+ the plaintext: 62 ('b') is binary data, 74 ('t') is text data with
+ no character set specified, and 75 ('u') is text data encoded in
+ the UTF-8 character set. The timestamp is in seconds since the
+ epoch. If a filename is available it gets printed as the third
+ argument, percent-escaped as usual.
+
+*** PLAINTEXT_LENGTH <length>
+ This indicates the length of the plaintext that is about to be
+ written. Note that if the plaintext packet has partial length
+ encoding it is not possible to know the length ahead of time. In
+ that case, this status tag does not appear. The length is only
+ exact for binary formats; other formats ('t', 'u') may do post
+ processing like line ending conversion so that the actual number
+ of bytes written may be differ.
+
+*** ATTRIBUTE <arguments>
+ The list or arguments are:
+ - <fpr>
+ - <octets>
+ - <type>
+ - <index>
+ - <count>
+ - <timestamp>
+ - <expiredate>
+ - <flags>
+
+ This is one long line issued for each attribute subpacket when an
+ attribute packet is seen during key listing. <fpr> is the
+ fingerprint of the key. <octets> is the length of the attribute
+ subpacket. <type> is the attribute type (e.g. 1 for an image).
+ <index> and <count> indicate that this is the N-th indexed
+ subpacket of count total subpackets in this attribute packet.
+ <timestamp> and <expiredate> are from the self-signature on the
+ attribute packet. If the attribute packet does not have a valid
+ self-signature, then the timestamp is 0. <flags> are a bitwise OR
+ of:
+ - 0x01 :: this attribute packet is a primary uid
+ - 0x02 :: this attribute packet is revoked
+ - 0x04 :: this attribute packet is expired
+
+*** SIG_SUBPACKET <type> <flags> <len> <data>
+ This indicates that a signature subpacket was seen. The format is
+ the same as the "spk" record above.
+
+*** ENCRYPTION_COMPLIANCE_MODE <flags>
+ Indicates that the current encryption operation was in compliance
+ with the given set of modes for all recipients. "flags" is a
+ space separated list of numerical flags, see "Field 18 -
+ Compliance flags" above.
+
+*** DECRYPTION_COMPLIANCE_MODE <flags>
+ Indicates that the current decryption operation is in compliance
+ with the given set of modes. "flags" is a space separated list of
+ numerical flags, see "Field 18 - Compliance flags" above.
+
+*** VERIFICATION_COMPLIANCE_MODE <flags>
+ Indicates that the current signature verification operation is in
+ compliance with the given set of modes. "flags" is a space
+ separated list of numerical flags, see "Field 18 - Compliance
+ flags" above.
+
+** Key related
+*** INV_RECP, INV_SGNR
+ The two similar status codes:
+
+ - INV_RECP <reason> <requested_recipient>
+ - INV_SGNR <reason> <requested_sender>
+
+ are issued for each unusable recipient/sender. The reasons codes
+ currently in use are:
+
+ - 0 :: No specific reason given
+ - 1 :: Not Found
+ - 2 :: Ambigious specification
+ - 3 :: Wrong key usage
+ - 4 :: Key revoked
+ - 5 :: Key expired
+ - 6 :: No CRL known
+ - 7 :: CRL too old
+ - 8 :: Policy mismatch
+ - 9 :: Not a secret key
+ - 10 :: Key not trusted
+ - 11 :: Missing certificate
+ - 12 :: Missing issuer certificate
+ - 13 :: Key disabled
+ - 14 :: Syntax error in specification
+
+ If no specific reason was given a previously emitted status code
+ KEY_CONSIDERED may be used to analyzed the problem.
+
+ Note that for historical reasons the INV_RECP status is also used
+ for gpgsm's SIGNER command where it relates to signer's of course.
+ Newer GnuPG versions are using INV_SGNR; applications should
+ ignore the INV_RECP during the sender's command processing once
+ they have seen an INV_SGNR. Different codes are used so that they
+ can be distinguish while doing an encrypt+sign operation.
+
+*** NO_RECP <reserved>
+ Issued if no recipients are usable.
+
+*** NO_SGNR <reserved>
+ Issued if no senders are usable.
+
+*** KEY_CONSIDERED <fpr> <flags>
+ Issued to explain the lookup of a key. FPR is the hexified
+ fingerprint of the primary key. The bit values for FLAGS are:
+
+ - 1 :: The key has not been selected.
+ - 2 :: All subkeys of the key are expired or have been revoked.
+
+*** KEYEXPIRED <expire-timestamp>
+ The key has expired. expire-timestamp is the expiration time in
+ seconds since Epoch. This status line is not very useful because
+ it will also be emitted for expired subkeys even if this subkey is
+ not used. To check whether a key used to sign a message has
+ expired, the EXPKEYSIG status line is to be used.
+
+ Note, that the TIMESTAMP may either be a number of seconds since
+ Epoch or an ISO 8601 string which can be detected by the presence
+ of the letter 'T'.
+
+*** KEYREVOKED
+ The used key has been revoked by its owner. No arguments yet.
+
+*** NO_PUBKEY <long keyid>
+ The public key is not available. Note the arg should in general
+ not be used because it is better to take it from the ERRSIG
+ status line which is printed right before this one.
+
+*** NO_SECKEY <long keyid>
+ The secret key is not available
+
+*** KEY_CREATED <type> <fingerprint> [<handle>]
+ A key has been created. Values for <type> are:
+ - B :: primary and subkey
+ - P :: primary
+ - S :: subkey
+ The fingerprint is one of the primary key for type B and P and the
+ one of the subkey for S. Handle is an arbitrary non-whitespace
+ string used to match key parameters from batch key creation run.
+
+*** KEY_NOT_CREATED [<handle>]
+ The key from batch run has not been created due to errors.
+
+*** TRUST_
+ These are several similar status codes:
+
+ - TRUST_UNDEFINED <error_token>
+ - TRUST_NEVER <error_token>
+ - TRUST_MARGINAL [0 [<validation_model>]]
+ - TRUST_FULLY [0 [<validation_model>]]
+ - TRUST_ULTIMATE [0 [<validation_model>]]
+
+ For good signatures one of these status lines are emitted to
+ indicate the validity of the key used to create the signature.
+ The error token values are currently only emitted by gpgsm.
+
+ VALIDATION_MODEL describes the algorithm used to check the
+ validity of the key. The defaults are the standard Web of Trust
+ model for gpg and the standard X.509 model for gpgsm. The
+ defined values are
+
+ - pgp :: The standard PGP WoT.
+ - shell :: The standard X.509 model.
+ - chain :: The chain model.
+ - steed :: The STEED model.
+ - tofu :: The TOFU model
+
+ Note that the term =TRUST_= in the status names is used for
+ historic reasons; we now speak of validity.
+
+*** TOFU_USER <fingerprint_in_hex> <mbox>
+
+ This status identifies the key and the userid for all following
+ Tofu information. The fingerprint is the fingerprint of the
+ primary key and the mbox is in general the addr-spec part of the
+ userid encoded in UTF-8 and percent escaped. The fingerprint is
+ identical for all TOFU_USER lines up to a NEWSIG line.
+
+*** TOFU_STATS <MANY_ARGS>
+
+ Statistics for the current user id.
+
+ The <MANY_ARGS> are the usual space delimited arguments. Here we
+ have too many of them to fit on one printed line and thus they are
+ given on 3 printed lines:
+
+ : <summary> <sign-count> <encryption-count>
+ : [<policy> [<tm1> <tm2> <tm3> <tm4>
+ : [<validity> [<sign-days> <encrypt-days>]]]]
+
+ Values for SUMMARY are:
+ - 0 :: attention, an interaction with the user is required (conflict)
+ - 1 :: key with no verification/encryption history
+ - 2 :: key with little history
+ - 3 :: key with enough history for basic trust
+ - 4 :: key with a lot of history
+
+ Values for POLICY are:
+ - none :: No Policy set
+ - auto :: Policy is "auto"
+ - good :: Policy is "good"
+ - bad :: Policy is "bad"
+ - ask :: Policy is "ask"
+ - unknown :: Policy is "unknown" (TOFU information does not
+ contribute to the key's validity)
+
+ TM1 is the time the first message was verified. TM2 is the time
+ the most recent message was verified. TM3 is the time the first
+ message was encrypted. TM4 is the most recent encryption. All may
+ either be seconds since Epoch or an ISO time string
+ (yyyymmddThhmmss).
+
+ VALIDITY is the same as SUMMARY with the exception that VALIDITY
+ doesn't reflect whether the key needs attention. That is it never
+ takes on value 0. Instead, if there is a conflict, VALIDITY still
+ reflects the key's validity (values: 1-4).
+
+ SUMMARY values use the euclidean distance (m = sqrt(a² + b²)) rather
+ then the sum of the magnitudes (m = a + b) to ensure a balance between
+ verified signatures and encrypted messages.
+
+ Values are calculated based on the number of days where a key was used
+ for verifying a signature or to encrypt to it.
+ The ranges for the values are:
+
+ - 1 :: signature_days + encryption_days == 0
+ - 2 :: 1 <= sqrt(signature_days² + encryption_days²) < 8
+ - 3 :: 8 <= sqrt(signature_days² + encryption_days²) < 42
+ - 4 :: sqrt(signature_days² + encryption_days²) >= 42
+
+ SIGN-COUNT and ENCRYPTION-COUNT are the number of messages that we
+ have seen that have been signed by this key / encryption to this
+ key.
+
+ SIGN-DAYS and ENCRYPTION-DAYS are similar, but the number of days
+ (in UTC) on which we have seen messages signed by this key /
+ encrypted to this key.
+
+*** TOFU_STATS_SHORT <long_string>
+
+ Information about the TOFU binding for the signature.
+ Example: "15 signatures verified. 10 messages encrypted"
+
+*** TOFU_STATS_LONG <long_string>
+
+ Information about the TOFU binding for the signature in verbose
+ format. The LONG_STRING is percent escaped.
+ Example: 'Verified 9 messages signed by "Werner Koch
+ (dist sig)" in the past 3 minutes, 40 seconds. The most
+ recent message was verified 4 seconds ago.'
+
+*** PKA_TRUST_
+ This is one of:
+
+ - PKA_TRUST_GOOD <addr-spec>
+ - PKA_TRUST_BAD <addr-spec>
+
+ Depending on the outcome of the PKA check one of the above status
+ codes is emitted in addition to a =TRUST_*= status.
+
+** Remote control
+*** GET_BOOL, GET_LINE, GET_HIDDEN, GOT_IT
+
+ These status line are used with --command-fd for interactive
+ control of the process.
+
+*** USERID_HINT <long main keyid> <string>
+ Give a hint about the user ID for a certain keyID.
+
+*** NEED_PASSPHRASE <long keyid> <long main keyid> <keytype> <keylength>
+ Issued whenever a passphrase is needed. KEYTYPE is the numerical
+ value of the public key algorithm or 0 if this is not applicable,
+ KEYLENGTH is the length of the key or 0 if it is not known (this
+ is currently always the case).
+
+*** NEED_PASSPHRASE_SYM <cipher_algo> <s2k_mode> <s2k_hash>
+ Issued whenever a passphrase for symmetric encryption is needed.
+
+*** NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
+ Issued whenever a PIN is requested to unlock a card.
+
+*** MISSING_PASSPHRASE
+ No passphrase was supplied. An application which encounters this
+ message may want to stop parsing immediately because the next
+ message will probably be a BAD_PASSPHRASE. However, if the
+ application is a wrapper around the key edit menu functionality it
+ might not make sense to stop parsing but simply ignoring the
+ following BAD_PASSPHRASE.
+
+*** BAD_PASSPHRASE <long keyid>
+ The supplied passphrase was wrong or not given. In the latter
+ case you may have seen a MISSING_PASSPHRASE.
+
+*** GOOD_PASSPHRASE
+ The supplied passphrase was good and the secret key material
+ is therefore usable.
+
+** Import/Export
+*** IMPORT_CHECK <long keyid> <fingerprint> <user ID>
+ This status is emitted in interactive mode right before
+ the "import.okay" prompt.
+
+*** IMPORTED <long keyid> <username>
+ The keyid and name of the signature just imported
+
+*** IMPORT_OK <reason> [<fingerprint>]
+ The key with the primary key's FINGERPRINT has been imported.
+ REASON flags are:
+
+ - 0 :: Not actually changed
+ - 1 :: Entirely new key.
+ - 2 :: New user IDs
+ - 4 :: New signatures
+ - 8 :: New subkeys
+ - 16 :: Contains private key.
+
+ The flags may be ORed.
+
+*** IMPORT_PROBLEM <reason> [<fingerprint>]
+ Issued for each import failure. Reason codes are:
+
+ - 0 :: No specific reason given.
+ - 1 :: Invalid Certificate.
+ - 2 :: Issuer Certificate missing.
+ - 3 :: Certificate Chain too long.
+ - 4 :: Error storing certificate.
+
+*** IMPORT_RES <args>
+ Final statistics on import process (this is one long line). The
+ args are a list of unsigned numbers separated by white space:
+
+ - <count>
+ - <no_user_id>
+ - <imported>
+ - always 0 (formerly used for the number of RSA keys)
+ - <unchanged>
+ - <n_uids>
+ - <n_subk>
+ - <n_sigs>
+ - <n_revoc>
+ - <sec_read>
+ - <sec_imported>
+ - <sec_dups>
+ - <skipped_new_keys>
+ - <not_imported>
+ - <skipped_v3_keys>
+
+*** EXPORTED <fingerprint>
+ The key with <fingerprint> has been exported. The fingerprint is
+ the fingerprint of the primary key even if the primary key has
+ been replaced by a stub key during secret key export.
+
+*** EXPORT_RES <args>
+
+ Final statistics on export process (this is one long line). The
+ args are a list of unsigned numbers separated by white space:
+
+ - <count>
+ - <secret_count>
+ - <exported>
+
+
+** Smartcard related
+*** CARDCTRL <what> [<serialno>]
+ This is used to control smartcard operations. Defined values for
+ WHAT are:
+
+ - 1 :: Request insertion of a card. Serialnumber may be given
+ to request a specific card. Used by gpg 1.4 w/o
+ scdaemon
+ - 2 :: Request removal of a card. Used by gpg 1.4 w/o scdaemon.
+ - 3 :: Card with serialnumber detected
+ - 4 :: No card available
+ - 5 :: No card reader available
+ - 6 :: No card support available
+ - 7 :: Card is in termination state
+
+*** SC_OP_FAILURE [<code>]
+ An operation on a smartcard definitely failed. Currently there is
+ no indication of the actual error code, but application should be
+ prepared to later accept more arguments. Defined values for
+ <code> are:
+
+ - 0 :: unspecified error (identically to a missing CODE)
+ - 1 :: canceled
+ - 2 :: bad PIN
+
+*** SC_OP_SUCCESS
+ A smart card operaion succeeded. This status is only printed for
+ certain operation and is mostly useful to check whether a PIN
+ change really worked.
+
+** Miscellaneous status codes
+*** NODATA <what>
+ No data has been found. Codes for WHAT are:
+
+ - 1 :: No armored data.
+ - 2 :: Expected a packet but did not found one.
+ - 3 :: Invalid packet found, this may indicate a non OpenPGP
+ message.
+ - 4 :: Signature expected but not found
+
+ You may see more than one of these status lines.
+
+*** UNEXPECTED <what>
+ Unexpected data has been encountered. Codes for WHAT are:
+ - 0 :: Not further specified
+ - 1 :: Corrupted message structure
+
+*** TRUNCATED <maxno>
+ The output was truncated to MAXNO items. This status code is
+ issued for certain external requests.
+
+*** ERROR <error location> <error code> [<more>]
+ This is a generic error status message, it might be followed by
+ error location specific data. <error code> and <error_location>
+ should not contain spaces. The error code is a either a string
+ commencing with a letter or such a string prefixed with a
+ numerical error code and an underscore; e.g.: "151011327_EOF".
+*** WARNING <location> <error code> [<text>]
+ This is a generic warning status message, it might be followed by
+ error location specific data. <location> and <error code> may not
+ contain spaces. The <location> may be used to indicate a class of
+ warnings. The error code is a either a string commencing with a
+ letter or such a string prefixed with a numerical error code and
+ an underscore; e.g.: "151011327_EOF".
+*** NOTE <location> <error code> [<text>]
+ This is a generic info status message the same syntax as for
+ WARNING messages is used.
+*** SUCCESS [<location>]
+ Positive confirmation that an operation succeeded. It is used
+ similar to ISO-C's EXIT_SUCCESS. <location> is optional but if
+ given should not contain spaces. Used only with a few commands.
+
+*** FAILURE <location> <error_code>
+ This is the counterpart to SUCCESS and used to indicate a program
+ failure. It is used similar to ISO-C's EXIT_FAILURE but allows
+ conveying more information, in particular a gpg-error error code.
+ That numerical error code may optionally have a suffix made of an
+ underscore and a string with an error symbol like "151011327_EOF".
+ A dash may be used instead of <location>.
+
+*** BADARMOR
+ The ASCII armor is corrupted. No arguments yet.
+
+*** DELETE_PROBLEM <reason_code>
+ Deleting a key failed. Reason codes are:
+ - 1 :: No such key
+ - 2 :: Must delete secret key first
+ - 3 :: Ambigious specification
+ - 4 :: Key is stored on a smartcard.
+
+*** PROGRESS <what> <char> <cur> <total> [<units>]
+ Used by the primegen and public key functions to indicate
+ progress. <char> is the character displayed with no --status-fd
+ enabled, with the linefeed replaced by an 'X'. <cur> is the
+ current amount done and <total> is amount to be done; a <total> of
+ 0 indicates that the total amount is not known. Both are
+ non-negative integers. The condition
+ : TOTAL && CUR == TOTAL
+ may be used to detect the end of an operation.
+
+ Well known values for <what> are:
+
+ - pk_dsa :: DSA key generation
+ - pk_elg :: Elgamal key generation
+ - primegen :: Prime generation
+ - need_entropy :: Waiting for new entropy in the RNG
+ - tick :: Generic tick without any special meaning - useful
+ for letting clients know that the server is still
+ working.
+ - starting_agent :: A gpg-agent was started because it is not
+ running as a daemon.
+ - learncard :: Send by the agent and gpgsm while learing
+ the data of a smartcard.
+ - card_busy :: A smartcard is still working
+ - scd_locked :: Waiting for other clients to unlock the scdaemon
+
+ When <what> refers to a file path, it may be truncated.
+
+ <units> is sometimes used to describe the units for <current> and
+ <total>. For example "B", "KiB", or "MiB".
+
+*** BACKUP_KEY_CREATED <fingerprint> <fname>
+ A backup of a key identified by <fingerprint> has been writte to
+ the file <fname>; <fname> is percent-escaped.
+
+*** MOUNTPOINT <name>
+ <name> is a percent-plus escaped filename describing the
+ mountpoint for the current operation (e.g. used by "g13 --mount").
+ This may either be the specified mountpoint or one randomly
+ chosen by g13.
+
+*** PINENTRY_LAUNCHED <pid>[:<extra>]
+ This status line is emitted by gpg to notify a client that a
+ Pinentry has been launched. <pid> is the PID of the Pinentry. It
+ may be used to display a hint to the user but can't be used to
+ synchronize with Pinentry. Note that there is also an Assuan
+ inquiry line with the same name used internally or, if enabled,
+ send to the client instead of this status line. Such an inquiry
+ may be used to sync with Pinentry
+
+** Obsolete status codes
+*** SIGEXPIRED
+ Removed on 2011-02-04. This is deprecated in favor of KEYEXPIRED.
+*** RSA_OR_IDEA
+ Obsolete. This status message used to be emitted for requests to
+ use the IDEA or RSA algorithms. It has been dropped from GnuPG
+ 2.1 after the respective patents expired.
+*** SHM_INFO, SHM_GET, SHM_GET_BOOL, SHM_GET_HIDDEN
+ These were used for the ancient shared memory based co-processing.
+*** BEGIN_STREAM, END_STREAM
+ Used to issued by the experimental pipemode.
+
+** Inter-component codes
+ Status codes are also used between the components of the GnuPG
+ system via the Assuan S lines. Some of them are documented here:
+
+*** PUBKEY_INFO <n> <ubid>
+ The type of the public key in the following D-lines or
+ communicated via a pipe. <n> is the value of =enum pubkey_types=
+ and <ubid> the Unique Blob ID (UBID) which is the fingerprint of
+ the primary key truncated to 20 octets and formatted in hex. Note
+ that the keyboxd SEARCH command can be used to lookup the public
+ key using the <ubid> prefixed with a caret (^).
+
+*** KEYPAIRINFO <grip> <keyref> [<usage>] [<keytime>]
+
+ This status is emitted by scdaemon and gpg-agent to convey brief
+ information about keypairs stored on tokens. <grip> is the
+ hexified keygrip of the key or, if no key is stored, an "X".
+ <keyref> is the ID of a card's key; for example "OPENPGP.2" for
+ the second key slot of an OpenPGP card. <usage> is optional and
+ returns technically possible key usages, this is a string of
+ single letters describing the usage ('c' for certify, 'e' for
+ encryption, 's' for signing, 'a' for authentication). A '-' can be
+ used to tell that usage flags are not conveyed. <keytime> is used
+ by OpenPGP cards for the stored key creation time. A '-' means no
+ info available. The format is the usual ISO string are a number
+ with the seconds since Epoch.
+*** MANUFACTURER <n> [<string>]
+
+ This status returns the Manufactorer ID as the unsigned number N.
+ For OpenPGP this is weel defined; for other cards this is 0. The
+ name of the manufacturer is also given as <string>; spaces are not
+ escaped. For PKCS#15 cards <string> is TokenInfo.manufactorerID.
+
+* Format of the --attribute-fd output
+
+ When --attribute-fd is set, during key listings (--list-keys,
+ --list-secret-keys) GnuPG dumps each attribute packet to the file
+ descriptor specified. --attribute-fd is intended for use with
+ --status-fd as part of the required information is carried on the
+ ATTRIBUTE status tag (see above).
+
+ The contents of the attribute data is specified by RFC 4880. For
+ convenience, here is the Photo ID format, as it is currently the
+ only attribute defined:
+
+ - Byte 0-1 :: The length of the image header. Due to a historical
+ accident (i.e. oops!) back in the NAI PGP days, this
+ is a little-endian number. Currently 16 (0x10 0x00).
+
+ - Byte 2 :: The image header version. Currently 0x01.
+
+ - Byte 3 :: Encoding format. 0x01 == JPEG.
+
+ - Byte 4-15 :: Reserved, and currently unused.
+
+ All other data after this header is raw image (JPEG) data.
+
+
+* Layout of the TrustDB
+
+ The TrustDB is built from fixed length records, where the first byte
+ describes the record type. All numeric values are stored in network
+ byte order. The length of each record is 40 bytes. The first
+ record of the DB is always of type 1 and this is the only record of
+ this type.
+
+ The record types: directory(2), key(3), uid(4), pref(5), sigrec(6),
+ and shadow directory(8) are not anymore used by version 2 of the
+ TrustDB.
+
+** Record type 0
+
+ Unused record or deleted, can be reused for any purpose. Such
+ records should in general not exist because deleted records are of
+ type 254 and kept in a linked list.
+
+** Version info (RECTYPE_VER, 1)
+
+ Version information for this TrustDB. This is always the first
+ record of the DB and the only one of this type.
+
+ - 1 u8 :: Record type (value: 1).
+ - 3 byte :: Magic value ("gpg")
+ - 1 u8 :: TrustDB version (value: 2).
+ - 1 u8 :: =marginals=. How many marginal trusted keys are required.
+ - 1 u8 :: =completes=. How many completely trusted keys are
+ required.
+ - 1 u8 :: =max_cert_depth=. How deep is the WoT evaluated. Along
+ with =marginals= and =completes=, this value is used to
+ check whether the cached validity value from a [FIXME
+ dir] record can be used.
+ - 1 u8 :: =trust_model=
+ - 1 u8 :: =min_cert_level=
+ - 2 byte :: Not used
+ - 1 u32 :: =created=. Timestamp of trustdb creation.
+ - 1 u32 :: =nextcheck=. Timestamp of last modification which may
+ affect the validity of keys in the trustdb. This value
+ is checked against the validity timestamp in the dir
+ records.
+ - 1 u32 :: =reserved=. Not used.
+ - 1 u32 :: =reserved2=. Not used.
+ - 1 u32 :: =firstfree=. Number of the record with the head record
+ of the RECTYPE_FREE linked list.
+ - 1 u32 :: =reserved3=. Not used.
+ - 1 u32 :: =trusthashtbl=. Record number of the trusthashtable.
+
+
+** Hash table (RECTYPE_HTBL, 10)
+
+ Due to the fact that we use fingerprints to lookup keys, we can
+ implement quick access by some simple hash methods, and avoid the
+ overhead of gdbm. A property of fingerprints is that they can be
+ used directly as hash values. What we use is a dynamic multilevel
+ architecture, which combines hash tables, record lists, and linked
+ lists.
+
+ This record is a hash table of 256 entries with the property that
+ all these records are stored consecutively to make one big
+ table. The hash value is simple the 1st, 2nd, ... byte of the
+ fingerprint (depending on the indirection level).
+
+ - 1 u8 :: Record type (value: 10).
+ - 1 u8 :: Reserved
+ - n u32 :: =recnum=. A table with the hash table items fitting into
+ this record. =n= depends on the record length:
+ $n=(reclen-2)/4$ which yields 9 for oure current record
+ length of 40 bytes.
+
+ The total number of hash table records to form the table is:
+ $m=(256+n-1)/n$. This is 29 for our record length of 40.
+
+ To look up a key we use the first byte of the fingerprint to get
+ the recnum from this hash table and then look up the addressed
+ record:
+
+ - If that record is another hash table, we use 2nd byte to index
+ that hash table and so on;
+ - if that record is a hash list, we walk all entries until we find
+ a matching one; or
+ - if that record is a key record, we compare the fingerprint to
+ decide whether it is the requested key;
+
+
+** Hash list (RECTYPE_HLST, 11)
+
+ See hash table above on how it is used. It may also be used for
+ other purposes.
+
+ - 1 u8 :: Record type (value: 11).
+ - 1 u8 :: Reserved.
+ - 1 u32 :: =next=. Record number of the next hash list record or 0
+ if none.
+ - n u32 :: =rnum=. Array with record numbers to values. With
+ $n=(reclen-5)/5$ and our record length of 40, n is 7.
+
+** Trust record (RECTYPE_TRUST, 12)
+
+ - 1 u8 :: Record type (value: 12).
+ - 1 u8 :: Reserved.
+ - 20 byte :: =fingerprint=.
+ - 1 u8 :: =ownertrust=.
+ - 1 u8 :: =depth=.
+ - 1 u8 :: =min_ownertrust=.
+ - 1 byte :: =flags=.
+ - 1 u32 :: =validlist=.
+ - 10 byte :: Not used.
+
+** Validity record (RECTYPE_VALID, 13)
+
+ - 1 u8 :: Record type (value: 13).
+ - 1 u8 :: Reserved.
+ - 20 byte :: =namehash=.
+ - 1 u8 :: =validity=
+ - 1 u32 :: =next=.
+ - 1 u8 :: =full_count=.
+ - 1 u8 :: =marginal_count=.
+ - 11 byte :: Not used.
+
+** Free record (RECTYPE_FREE, 254)
+
+ All these records form a linked list of unused records in the TrustDB.
+
+ - 1 u8 :: Record type (value: 254)
+ - 1 u8 :: Reserved.
+ - 1 u32 :: =next=. Record number of the next rcord of this type.
+ The record number to the head of this linked list is
+ stored in the version info record.
+
+
+* Database scheme for the TOFU info
+
+#+begin_src sql
+--
+-- The VERSION table holds the version of our TOFU data structures.
+--
+CREATE TABLE version (
+ version integer -- As of now this is always 1
+);
+
+--
+-- The BINDINGS table associates mail addresses with keys.
+--
+CREATE TABLE bindings (
+ oid integer primary key autoincrement,
+ fingerprint text, -- The key's fingerprint in hex
+ email text, -- The normalized mail address destilled from user_id
+ user_id text, -- The unmodified user id
+ time integer, -- The time this binding was first observed.
+ policy boolean check
+ (policy in (1, 2, 3, 4, 5)), -- The trust policy with the values:
+ -- 1 := Auto
+ -- 2 := Good
+ -- 3 := Unknown
+ -- 4 := Bad
+ -- 5 := Ask
+ conflict string, -- NULL or a hex formatted fingerprint.
+ unique (fingerprint, email)
+);
+
+CREATE INDEX bindings_fingerprint_email on bindings (fingerprint, email);
+CREATE INDEX bindings_email on bindings (email);
+
+--
+-- The SIGNATURES table records all data signatures we verified
+--
+CREATE TABLE signatures (
+ binding integer not null, -- Link to bindings table,
+ -- references bindings.oid.
+ sig_digest text, -- The digest of the signed message.
+ origin text, -- String describing who initially fed
+ -- the signature to gpg (e.g. "email:claws").
+ sig_time integer, -- Timestamp from the signature.
+ time integer, -- Time this record was created.
+ primary key (binding, sig_digest, origin)
+);
+#+end_src
+
+
+* GNU extensions to the S2K algorithm
+
+ 1 octet - S2K Usage: either 254 or 255.
+ 1 octet - S2K Cipher Algo: 0
+ 1 octet - S2K Specifier: 101
+ 3 octets - "GNU"
+ 1 octet - GNU S2K Extension Number.
+
+ If such a GNU extension is used neither an IV nor any kind of
+ checksum is used. The defined GNU S2K Extension Numbers are:
+
+ - 1 :: Do not store the secret part at all. No specific data
+ follows.
+
+ - 2 :: A stub to access smartcards. This data follows:
+ - One octet with the length of the following serial number.
+ - The serial number. Regardless of what the length octet
+ indicates no more than 16 octets are stored.
+
+ Note that gpg stores the GNU S2K Extension Number internally as an
+ S2K Specifier with an offset of 1000.
+
+
+* Format of the OpenPGP TRUST packet
+
+ According to RFC4880 (5.10), the trust packet (aka ring trust) is
+ only used within keyrings and contains data that records the user's
+ specifications of which key holds trusted introducers. The RFC also
+ states that the format of this packet is implementation defined and
+ SHOULD NOT be emitted to output streams or should be ignored on
+ import. GnuPG uses this packet in several additional ways:
+
+ - 1 octet :: Trust-Value (only used by Subtype SIG)
+ - 1 octet :: Signature-Cache (only used by Subtype SIG; value must
+ be less than 128)
+ - 3 octets :: Fixed value: "gpg"
+ - 1 octet :: Subtype
+ - 0 :: Signature cache (SIG)
+ - 1 :: Key source on the primary key (KEY)
+ - 2 :: Key source on a user id (UID)
+ - 1 octet :: Key Source; i.e. the origin of the key:
+ - 0 :: Unknown source.
+ - 1 :: Public keyserver.
+ - 2 :: Preferred keyserver.
+ - 3 :: OpenPGP DANE.
+ - 4 :: Web Key Directory.
+ - 5 :: Import from a trusted URL.
+ - 6 :: Import from a trusted file.
+ - 7 :: Self generated.
+ - 4 octets :: Time of last update. This is a four-octet scalar
+ with the seconds since Epoch.
+ - 1 octet :: Scalar with the length of the following field.
+ - N octets :: String with the URL of the source. This may be a
+ zero-length string.
+
+ If the packets contains only two octets a Subtype of 0 is assumed;
+ this is the only format recognized by GnuPG versions < 2.1.18.
+ Trust-Value and Signature-Cache must be zero for all subtypes other
+ than SIG.
+
+
+* Keyserver helper message format
+
+ *This information is obsolete*
+ (Keyserver helpers have been replaced by dirmngr)
+
+ The keyserver may be contacted by a Unix Domain socket or via TCP.
+
+ The format of a request is:
+#+begin_example
+ command-tag
+ "Content-length:" digits
+ CRLF
+#+end_example
+
+ Where command-tag is
+
+#+begin_example
+ NOOP
+ GET <user-name>
+ PUT
+ DELETE <user-name>
+#+end_example
+
+The format of a response is:
+
+#+begin_example
+ "GNUPG/1.0" status-code status-text
+ "Content-length:" digits
+ CRLF
+#+end_example
+followed by <digits> bytes of data
+
+Status codes are:
+
+ - 1xx :: Informational - Request received, continuing process
+
+ - 2xx :: Success - The action was successfully received, understood,
+ and accepted
+
+ - 4xx :: Client Error - The request contains bad syntax or cannot be
+ fulfilled
+
+ - 5xx :: Server Error - The server failed to fulfill an apparently
+ valid request
+
+
+* Object identifiers
+
+ OIDs below the GnuPG arc:
+
+#+begin_example
+ 1.3.6.1.4.1.11591.2 GnuPG
+ 1.3.6.1.4.1.11591.2.1 notation
+ 1.3.6.1.4.1.11591.2.1.1 pkaAddress
+ 1.3.6.1.4.1.11591.2.2 X.509 extensions
+ 1.3.6.1.4.1.11591.2.2.1 standaloneCertificate
+ 1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey
+ 1.3.6.1.4.1.11591.2.12242973 invalid encoded OID
+#+end_example
+
+
+
+* Debug flags
+
+This tables gives the flag values for the --debug option along with
+the alternative names used by the components.
+
+| | gpg | gpgsm | agent | scd | dirmngr | g13 | wks |
+|-------+---------+---------+---------+---------+---------+---------+---------|
+| 1 | packet | x509 | | | x509 | mount | mime |
+| 2 | mpi | mpi | mpi | mpi | | | parser |
+| 4 | crypto | crypto | crypto | crypto | crypto | crypto | crypto |
+| 8 | filter | | | | | | |
+| 16 | iobuf | | | | dns | | |
+| 32 | memory | memory | memory | memory | memory | memory | memory |
+| 64 | cache | cache | cache | cache | cache | | |
+| 128 | memstat | memstat | memstat | memstat | memstat | memstat | memstat |
+| 256 | trust | | | | | | |
+| 512 | hashing | hashing | hashing | hashing | hashing | | |
+| 1024 | ipc | ipc | ipc | ipc | ipc | ipc | ipc |
+| 2048 | | | | cardio | network | | |
+| 4096 | clock | | | reader | | | |
+| 8192 | lookup | | | | lookup | | |
+| 16384 | extprog | | | | | | extprog |
+
+Description of some debug flags:
+
+ - cardio :: Used by scdaemon to trace the APDUs exchange with the
+ card.
+ - clock :: Show execution times of certain functions.
+ - crypto :: Trace crypto operations.
+ - hashing :: Create files with the hashed data.
+ - ipc :: Trace the Assuan commands.
+ - mpi :: Show the values of the MPIs.
+ - reader :: Used by scdaemon to trace card reader related code. For
+ example: Open and close reader.
+
+
+
+* Miscellaneous notes
+
+** v3 fingerprints
+ For packet version 3 we calculate the keyids this way:
+ - RSA :: Low 64 bits of n
+ - ELGAMAL :: Build a v3 pubkey packet (with CTB 0x99) and
+ calculate a RMD160 hash value from it. This is used
+ as the fingerprint and the low 64 bits are the keyid.
+
+** Simplified revocation certificates
+ Revocation certificates consist only of the signature packet;
+ "--import" knows how to handle this. The rationale behind it is to
+ keep them small.
+
+** Documentation on HKP (the http keyserver protocol):
+
+ A minimalistic HTTP server on port 11371 recognizes a GET for
+ /pks/lookup. The standard http URL encoded query parameters are
+ this (always key=value):
+
+ - op=index (like pgp -kv), op=vindex (like pgp -kvv) and op=get (like
+ pgp -kxa)
+
+ - search=<stringlist>. This is a list of words that must occur in the key.
+ The words are delimited with space, points, @ and so on. The delimiters
+ are not searched for and the order of the words doesn't matter (but see
+ next option).
+
+ - exact=on. This switch tells the hkp server to only report exact matching
+ keys back. In this case the order and the "delimiters" are important.
+
+ - fingerprint=on. Also reports the fingerprints when used with 'index' or
+ 'vindex'
+
+ The keyserver also recognizes http-POSTs to /pks/add. Use this to upload
+ keys.
+
+
+ A better way to do this would be a request like:
+
+ /pks/lookup/<gnupg_formatierte_user_id>?op=<operation>
+
+ This can be implemented using Hurd's translator mechanism.
+ However, I think the whole keyserver stuff has to be re-thought;
+ I have some ideas and probably create a white paper.
+** Algorithm names for the "keygen.algo" prompt
+
+ When using a --command-fd controlled key generation or "addkey"
+ there is way to know the number to enter on the "keygen.algo"
+ prompt. The displayed numbers are for human reception and may
+ change with releases. To provide a stable way to enter a desired
+ algorithm choice the prompt also accepts predefined names for the
+ algorithms, which will not change.
+
+ | Name | No | Description |
+ |---------+----+---------------------------------|
+ | rsa+rsa | 1 | RSA and RSA (default) |
+ | dsa+elg | 2 | DSA and Elgamal |
+ | dsa | 3 | DSA (sign only) |
+ | rsa/s | 4 | RSA (sign only) |
+ | elg | 5 | Elgamal (encrypt only) |
+ | rsa/e | 6 | RSA (encrypt only) |
+ | dsa/* | 7 | DSA (set your own capabilities) |
+ | rsa/* | 8 | RSA (set your own capabilities) |
+ | ecc+ecc | 9 | ECC and ECC |
+ | ecc/s | 10 | ECC (sign only) |
+ | ecc/* | 11 | ECC (set your own capabilities) |
+ | ecc/e | 12 | ECC (encrypt only) |
+ | keygrip | 13 | Existing key |
+ | cardkey | 14 | Existing key from card |
+
+ If one of the "foo/*" names are used a "keygen.flags" prompt needs
+ to be answered as well. Instead of toggling the predefined flags,
+ it is also possible to set them direct: Use a "=" character
+ directly followed by a combination of "a" (for authentication), "s"
+ (for signing), or "c" (for certification).
diff --git a/doc/FAQ b/doc/FAQ
new file mode 100644
index 0000000..309788c
--- /dev/null
+++ b/doc/FAQ
@@ -0,0 +1,13 @@
+GnuPG Frequently Asked Questions
+
+A FAQ is a fast moving target and thus we don't distribute it anymore
+with GnuPG. You may retrieve the current FAQ in HTML format at
+
+ https://gnupg.org/faq/gnupg-faq.html
+
+or in plain text format at
+
+ https://gnupg.org/faq/gnupg-faq.txt
+
+
+
diff --git a/doc/HACKING b/doc/HACKING
new file mode 100644
index 0000000..bd16856
--- /dev/null
+++ b/doc/HACKING
@@ -0,0 +1,433 @@
+# HACKING -*- org -*-
+#+TITLE: A Hacker's Guide to GnuPG
+#+TEXT: Some notes on GnuPG internals
+#+STARTUP: showall
+#+OPTIONS: ^:{}
+
+* How to contribute
+
+ The following stuff explains some basic procedures you need to
+ follow if you want to contribute code or documentation.
+
+** No more ChangeLog files
+
+Do not modify any of the ChangeLog files in GnuPG. Starting on
+December 1st, 2011 we put change information only in the GIT commit
+log, and generate a top-level ChangeLog file from logs at "make dist"
+time. As such, there are strict requirements on the form of the
+commit log messages. The old ChangeLog files have all be renamed to
+ChangeLog-2011
+
+** Commit log requirements
+
+Your commit log should always start with a one-line summary, the
+second line should be blank, and the remaining lines are usually
+ChangeLog-style entries for all affected files. However, it's fine
+--- even recommended --- to write a few lines of prose describing the
+change, when the summary and ChangeLog entries don't give enough of
+the big picture. Omit the leading TABs that you are seeing in a
+"real" ChangeLog file, but keep the maximum line length at 72 or
+smaller, so that the generated ChangeLog lines, each with its leading
+TAB, will not exceed 80 columns. If you want to add text which shall
+not be copied to the ChangeLog, separate it by a line consisting of
+two dashes at the begin of a line.
+
+The one-line summary usually starts with a keyword to identify the
+mainly affected subsystem. If more than one keyword is required the
+are delimited by a comma (e.g. =scd,w32:=). Commonly found keywords
+are
+
+ - agent :: The gpg-agent component
+ - build :: Changes to the build system
+ - ccid :: The CCID driver in scdaemon
+ - common :: Code in common
+ - dirmngr :: The dirmngr component
+ - doc :: Documentation changes
+ - gpg :: The gpg or gpgv components
+ - sm :: The gpgsm component (also "gpgsm")
+ - gpgscm :: The regression test driver
+ - indent :: Indentation and similar changes
+ - iobuf :: The IOBUF system in common
+ - po :: Translations
+ - scd :: The scdaemon component
+ - speedo :: Speedo build system specific changes
+ - ssh :: The ssh-agent part of the agent
+ - tests :: The regressions tests
+ - tools :: Other code in tools
+ - w32 :: Windows related code
+ - wks :: The web key service tools
+ - yat2m :: The yat2m tool.
+
+Typo fixes and documentation updates don't need a ChangeLog entry;
+thus you would use a commit message like
+
+#+begin_example
+doc: Fix typo in a comment
+
+--
+#+end_example
+
+The marker line here is important; without it the first line would
+appear in the ChangeLog.
+
+If you exceptionally need to have longer lines in a commit log you may
+do this after this scissor line:
+#+begin_example
+# ------------------------ >8 ------------------------
+#+end_example
+(hash, blank, 24 dashes, blank, scissor, blank, 24 dashes).
+Note that such a comment will be removed if the git commit option
+=--cleanup=scissor= is used.
+
+** License policy
+
+ GnuPG is licensed under the GPLv3+ with some files under a mixed
+ LGPLv3+/GPLv2+ license. It is thus important, that all contributed
+ code allows for an update of the license; for example we can't
+ accept code under the GPLv2(only).
+
+ GnuPG used to have a strict policy of requiring copyright
+ assignments to the FSF. To avoid this major organizational overhead
+ and to allow inclusion of code, not copyrighted by the FSF, this
+ policy has been relaxed on 2013-03-29. It is now also possible to
+ contribute code by asserting that the contribution is in accordance
+ to the "Libgcrypt Developer's Certificate of Origin" as found in the
+ file "DCO". (Except for a slight wording change, this DCO is
+ identical to the one used by the Linux kernel.)
+
+ If you want to contribute code or documentation to GnuPG and you
+ didn't sign a copyright assignment with the FSF in the past, you
+ need to take these simple steps:
+
+ - Decide which mail address you want to use. Please have your real
+ name in the address and not a pseudonym. Anonymous contributions
+ can only be done if you find a proxy who certifies for you.
+
+ - If your employer or school might claim ownership of code written
+ by you; you need to talk to them to make sure that you have the
+ right to contribute under the DCO.
+
+ - Send an OpenPGP signed mail to the gnupg-devel@gnupg.org mailing
+ list from your mail address. Include a copy of the DCO as found
+ in the official master branch. Insert your name and email address
+ into the DCO in the same way you want to use it later. Example:
+
+ Signed-off-by: Joe R. Hacker <joe@example.org>
+
+ (If you really need it, you may perform simple transformations of
+ the mail address: Replacing "@" by " at " or "." by " dot ".)
+
+ - That's it. From now on you only need to add a "Signed-off-by:"
+ line with your name and mail address to the commit message. It is
+ recommended to send the patches using a PGP/MIME signed mail.
+
+** Coding standards
+
+ Please follow the GNU coding standards. If you are in doubt consult
+ the existing code as an example. Do no re-indent code without a
+ need. If you really need to do it, use a separate commit for such a
+ change.
+
+ - Only certain C99 features may be used (see below); in general
+ stick to C90.
+ - Please do not use C++ =//= style comments.
+ - Do not use comments like:
+#+begin_src
+ if (foo)
+ /* Now that we know that foo is true we can call bar. */
+ bar ();
+#+end_src
+ instead write the comment on the if line or before it. You may
+ also use a block and put the comment inside.
+ - Please use asterisks on the left of longer comments. This makes
+ it easier to read without syntax highlighting, on printouts, and
+ for blind people.
+ - Try to fit lines into 80 columns.
+ - Ignore signed/unsigned pointer mismatches
+ - No arithmetic on void pointers; cast to char* first.
+ - Do not use
+#+begin_src
+ if ( 42 == foo )
+#+end_src
+ this is harder to read and modern compilers are pretty good in
+ detecing accidential assignments. It is also suggested not to
+ compare to 0 or NULL but to test the value direct or with a '!';
+ this makes it easier to see that a boolean test is done.
+ - We use our own printf style functions like =es_printf=, and
+ =gpgrt_asprintf= (or the =es_asprintf= macro) which implement most
+ C99 features with the exception of =wchar_t= (which should anyway
+ not be used). Please use them always and do not resort to those
+ provided by libc. The rationale for using them is that we know
+ that the format specifiers work on all platforms and that we do
+ not need to chase platform dependent bugs. Note also that in
+ gnupg asprintf is a macro already evaluating to gpgrt_asprintf.
+ - It is common to have a label named "leave" for a function's
+ cleanup and return code. This helps with freeing memory and is a
+ convenient location to set a breakpoint for debugging.
+ - Always use xfree() instead of free(). If it is not easy to see
+ that the freed variable is not anymore used, explicitly set the
+ variable to NULL.
+ - New code shall in general use xtrymalloc or xtrycalloc and check
+ for an error (use gpg_error_from_syserror()).
+ - Init function local variables only if needed so that the compiler
+ can do a better job in detecting uninitialized variables which may
+ indicate a problem with the code.
+ - Never init static or file local variables to 0 to make sure they
+ end up in BSS.
+ - Put extra parenthesis around terms with binary operators to make
+ it clear that the binary operator was indeed intended.
+ - Use --enable-maintainer-mode with configure so that all suitable
+ warnings are enabled.
+
+** Variable names
+
+ Follow the GNU standards. Here are some conventions you may want to
+ stick to (do not rename existing "wrong" uses without a goog
+ reason).
+
+ - err :: This conveys an error code of type =gpg_error_t= which is
+ compatible to an =int=. To compare such a variable to a
+ GPG_ERR_ constant, it is necessary to map the value like
+ this: =gpg_err_code(err)=.
+ - ec :: This is used for a gpg-error code which has no source part
+ (=gpg_err_code_t=) and will eventually be used as input to
+ =gpg_err_make=.
+ - rc :: Used for all kind of other errors; for example system
+ calls. The value is not compatible with gpg-error.
+
+
+*** C99 language features
+
+ In GnuPG 2.x, but *not in 1.4* and not in most libraries, a limited
+ set of C99 features may be used:
+
+ - Variadic macros:
+ : #define foo(a,...) bar(a, __VA_ARGS__)
+
+ - The predefined macro =__func__=:
+ : log_debug ("%s: Problem with foo\n", __func__);
+
+ - Variable declaration inside a for():
+ : for (int i = 0; i < 5; ++)
+ : bar (i);
+
+ Although we usually make use of the =u16=, =u32=, and =u64= types,
+ it is also possible to include =<stdint.h>= and use =int16_t=,
+ =int32_t=, =int64_t=, =uint16_t=, =uint32_t=, and =uint64_t=. But do
+ not use =int8_t= or =uint8_t=.
+
+** Commit log keywords
+
+ - GnuPG-bug-id :: Values are comma or space delimited bug numbers
+ from bug.gnupg.org pertaining to this commit.
+ - Debian-bug-id :: Same as above but from the Debian bug tracker.
+ - CVE-id :: CVE id number pertaining to this commit.
+ - Regression-due-to :: Commit id of the regression fixed by this commit.
+ - Fixes-commit :: Commit id this commit fixes.
+ - Updates-commit :: Commit id this commit updates.
+ - Reported-by :: Value is a name or mail address of a bug reporte.
+ - Suggested-by :: Value is a name or mail address of someone how
+ suggested this change.
+ - Co-authored-by :: Name or mail address of a co-author
+ - Some-comments-by :: Name or mail address of the author of
+ additional comments (commit log or code).
+ - Proofread-by :: Sometimes used by translation commits.
+ - Signed-off-by :: Name or mail address of the developer
+
+* Windows
+** How to build an installer for Windows
+
+ Your best bet is to use a decent Debian System for development.
+ You need to install a long list of tools for building. This list
+ still needs to be compiled. However, the build process will stop
+ if a tool is missing. GNU make is required (on non GNU systems
+ often installed as "gmake"). The installer requires a couple of
+ extra software to be available either as tarballs or as local git
+ repositories. In case this file here is part of a gnupg-w32-2.*.xz
+ complete tarball as distributed from the same place as a binary
+ installer, all such tarballs are already included.
+
+ Cd to the GnuPG source directory and use one of one of these
+ command:
+
+ - If sources are included (gnupg-w32-*.tar.xz)
+
+ make -f build-aux/speedo.mk WHAT=this installer
+
+ - To build from tarballs
+
+ make -f build-aux/speedo.mk WHAT=release TARBALLS=TARDIR installer
+
+ - To build from local GIT repos
+
+ make -f build-aux/speedo.mk WHAT=git TARBALLS=TARDIR installer
+
+ Note that also you need to supply tarballs with supporting
+ libraries even if you build from git. The makefile expects only
+ the core GnuPG software to be available as local GIT repositories.
+ speedo.mk has the versions of the tarballs and the branch names of
+ the git repositories. In case of problems, don't hesitate to ask
+ on the gnupg-devel mailing for help.
+
+* Debug hints
+
+ See the manual for some hints.
+
+* Standards
+** RFCs
+
+1423 Privacy Enhancement for Internet Electronic Mail:
+ Part III: Algorithms, Modes, and Identifiers.
+
+1489 Registration of a Cyrillic Character Set.
+
+1750 Randomness Recommendations for Security.
+
+1991 PGP Message Exchange Formats (obsolete)
+
+2144 The CAST-128 Encryption Algorithm.
+
+2279 UTF-8, a transformation format of ISO 10646.
+
+2440 OpenPGP (obsolete).
+
+3156 MIME Security with Pretty Good Privacy (PGP).
+
+4880 Current OpenPGP specification.
+
+6337 Elliptic Curve Cryptography (ECC) in OpenPGP
+
+* Various information
+
+** Directory Layout
+
+ - ./ :: Readme, configure
+ - ./agent :: Gpg-agent and related tools
+ - ./doc :: Documentation
+ - ./g10 :: Gpg program here called gpg2
+ - ./sm :: Gpgsm program
+ - ./jnlib :: Not used (formerly used utility functions)
+ - ./common :: Utility functions
+ - ./kbx :: Keybox library
+ - ./scd :: Smartcard daemon
+ - ./scripts :: Scripts needed by configure and others
+ - ./dirmngr :: The directory manager
+
+** Detailed Roadmap
+
+ This list of files is not up to date!
+
+ - g10/gpg.c :: Main module with option parsing and all the stuff you
+ have to do on startup. Also has the exit handler and
+ some helper functions.
+
+ - g10/parse-packet.c ::
+ - g10/build-packet.c ::
+ - g10/free-packet.c :: Parsing and creating of OpenPGP message packets.
+
+ - g10/getkey.c :: Key selection code
+ - g10/pkclist.c :: Build a list of public keys
+ - g10/skclist.c :: Build a list of secret keys
+ - g10/keyring.c :: Keyring access functions
+ - g10/keydb.h ::
+
+ - g10/keyid.c :: Helper functions to get the keyid, fingerprint etc.
+
+ - g10/trustdb.c :: Web-of-Trust computations
+ - g10/trustdb.h ::
+ - g10/tdbdump.c :: Export/import/list the trustdb.gpg
+ - g10/tdbio.c :: I/O handling for the trustdb.gpg
+ - g10/tdbio.h ::
+
+ - g10/compress.c :: Filter to handle compression
+ - g10/filter.h :: Declarations for all filter functions
+ - g10/delkey.c :: Delete a key
+ - g10/kbnode.c :: Helper for the kbnode_t linked list
+ - g10/main.h :: Prototypes and some constants
+ - g10/mainproc.c :: Message processing
+ - g10/armor.c :: Ascii armor filter
+ - g10/mdfilter.c :: Filter to calculate hashs
+ - g10/textfilter.c :: Filter to handle CR/LF and trailing white space
+ - g10/cipher.c :: En-/Decryption filter
+ - g10/misc.c :: Utility functions
+ - g10/options.h :: Structure with all the command line options
+ and related constants
+ - g10/openfile.c :: Create/Open Files
+ - g10/keyserver.h :: Keyserver access dispatcher.
+ - g10/packet.h :: Definition of OpenPGP structures.
+ - g10/passphrase.c :: Passphrase handling code
+
+ - g10/pubkey-enc.c :: Process a public key encoded packet.
+ - g10/seckey-cert.c :: Not anymore used
+ - g10/seskey.c :: Make session keys etc.
+ - g10/import.c :: Import keys into our key storage.
+ - g10/export.c :: Export keys to the OpenPGP format.
+ - g10/sign.c :: Create signature and optionally encrypt.
+ - g10/plaintext.c :: Process plaintext packets.
+ - g10/decrypt-data.c :: Decrypt an encrypted data packet
+ - g10/encrypt.c :: Main encryption driver
+ - g10/revoke.c :: Create recovation certificates.
+ - g10/keylist.c :: Print information about OpenPGP keys
+ - g10/sig-check.c :: Check a signature
+ - g10/helptext.c :: Show online help texts
+ - g10/verify.c :: Verify signed data.
+ - g10/decrypt.c :: Decrypt and verify data.
+ - g10/keyedit.c :: Edit properties of a key.
+ - g10/dearmor.c :: Armor utility.
+ - g10/keygen.c :: Generate a key pair
+
+** Memory allocation
+
+Use only the functions:
+
+ - xmalloc
+ - xmalloc_secure
+ - xtrymalloc
+ - xtrymalloc_secure
+ - xcalloc
+ - xcalloc_secure
+ - xtrycalloc
+ - xtrycalloc_secure
+ - xrealloc
+ - xtryrealloc
+ - xstrdup
+ - xtrystrdup
+ - xfree
+
+
+The *secure versions allocate memory in the secure memory. That is,
+swapping out of this memory is avoided and is gets overwritten on
+free. Use this for passphrases, session keys and other sensitive
+material. This memory set aside for secure memory is linited to a few
+k. In general the function don't print a memeory message and
+terminate the process if there is not enough memory available. The
+"try" versions of the functions return NULL instead.
+
+** Logging
+
+ TODO
+
+** Option parsing
+
+GnuPG does not use getopt or GNU getopt but functions of it's own.
+See util/argparse.c for details. The advantage of these functions is
+that it is more easy to display and maintain the help texts for the
+options. The same option table is also used to parse resource files.
+
+** What is an IOBUF
+
+This is the data structure used for most I/O of gnupg. It is similar
+to System V Streams but much simpler. Because OpenPGP messages are
+nested in different ways; the use of such a system has big advantages.
+Here is an example, how it works: If the parser sees a packet header
+with a partial length, it pushes the block_filter onto the IOBUF to
+handle these partial length packets: from now on you don't have to
+worry about this. When it sees a compressed packet it pushes the
+uncompress filter and the next read byte is one which has already been
+uncompressed by this filter. Same goes for enciphered packet,
+plaintext packets and so on. The file g10/encode.c might be a good
+starting point to see how it is used - actually this is the other way:
+constructing messages using pushed filters but it may be easier to
+understand.
+
+
diff --git a/doc/KEYSERVER b/doc/KEYSERVER
new file mode 100644
index 0000000..f63200a
--- /dev/null
+++ b/doc/KEYSERVER
@@ -0,0 +1,83 @@
+Format of keyserver colon listings
+==================================
+
+David Shaw <dshaw@jabberwocky.com>
+
+The machine readable response begins with an optional information
+line:
+
+info:<version>:<count>
+
+<version> = this is the version of this protocol. Currently, this is
+ the number 1.
+
+<count> = the number of keys returned in this response. Note this is
+ the number of keys, and not the number of lines returned.
+ It should match the number of "pub:" lines returned.
+
+If this optional line is not included, or the version information is
+not supplied, the version number is assumed to be 1.
+
+The key listings are made up of several lines per key. The first line
+is for the primary key:
+
+pub:<fingerprint>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
+
+<fingerprint> = this is either the fingerprint or the keyid of the
+ key. Either the 16-digit or 8-digit keyids are
+ acceptable, but obviously the fingerprint is best.
+ Since it is not possible to calculate the keyid from a
+ V3 key fingerprint, for V3 keys this should be either
+ the 16-digit or 8-digit keyid only.
+
+<algo> = the algorithm number from RFC-2440. (i.e. 1==RSA, 17==DSA,
+ etc).
+
+<keylen> = the key length (i.e. 1024, 2048, 4096, etc.)
+
+<creationdate> = creation date of the key in standard RFC-2440 form
+ (i.e. number of seconds since 1/1/1970 UTC time)
+
+<expirationdate> = expiration date of the key in standard RFC-2440
+ form (i.e. number of seconds since 1/1/1970 UTC time)
+
+<flags> = letter codes to indicate details of the key, if any. Flags
+ may be in any order.
+
+ r == revoked
+ d == disabled
+ e == expired
+
+Following the "pub" line are one or more "uid" lines to indicate user
+IDs on the key:
+
+uid:<escaped uid string>:<creationdate>:<expirationdate>:<flags>
+
+<escaped uid string> == the user ID string, with HTTP %-escaping for
+ anything that isn't 7-bit safe as well as for
+ the ":" character. Any other characters may
+ be escaped, as desired.
+
+creationdate, expirationdate, and flags mean the same here as before.
+The information is taken from the self-sig, if any, and applies to the
+user ID in question, and not to the key as a whole.
+
+Details:
+
+* All characters except for the <escaped uid string> are
+ case-insensitive.
+
+* Obviously, on a keyserver without integrated crypto, many of the
+ items given here are not fully trustworthy until the key is
+ downloaded and signatures checked. For example, the information
+ that a key is flagged "r" for revoked should be treated as
+ untrustworthy information until the key is checked on the client
+ side.
+
+* Empty fields are allowed. For example, a key with no expiration
+ date would have the <expirationdate> field empty. Also, a keyserver
+ that does not track a particular piece of information may leave that
+ field empty as well. I expect that the creation and expiration
+ dates for user IDs will be left empty in current keyservers. Colons
+ for empty fields on the end of each line may be left off, if
+ desired.
diff --git a/doc/Makefile.am b/doc/Makefile.am
new file mode 100644
index 0000000..aba09b9
--- /dev/null
+++ b/doc/Makefile.am
@@ -0,0 +1,213 @@
+# Copyright (C) 2002, 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+## Process this file with automake to produce Makefile.in
+
+AM_CPPFLAGS =
+
+include $(top_srcdir)/am/cmacros.am
+
+examples = examples/README examples/scd-event examples/trustlist.txt \
+ examples/VS-NfD.prf examples/Automatic.prf \
+ examples/debug.prf \
+ examples/gpgconf.rnames examples/gpgconf.conf \
+ examples/systemd-user/README \
+ examples/systemd-user/dirmngr.service \
+ examples/systemd-user/dirmngr.socket \
+ examples/systemd-user/gpg-agent.service \
+ examples/systemd-user/gpg-agent.socket \
+ examples/systemd-user/gpg-agent-ssh.socket \
+ examples/systemd-user/gpg-agent-browser.socket \
+ examples/systemd-user/gpg-agent-extra.socket \
+ examples/pwpattern.list
+
+helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
+ help.da.txt help.de.txt help.el.txt help.eo.txt \
+ help.es.txt help.et.txt help.fi.txt help.fr.txt \
+ help.gl.txt help.hu.txt help.id.txt help.it.txt \
+ help.ja.txt help.nb.txt help.pl.txt help.pt.txt \
+ help.pt_BR.txt help.ro.txt help.ru.txt help.sk.txt \
+ help.sv.txt help.tr.txt help.zh_CN.txt help.zh_TW.txt
+
+profiles =
+
+EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \
+ gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \
+ gnupg-module-overview.png gnupg-module-overview.pdf \
+ gnupg-card-architecture.png gnupg-card-architecture.pdf \
+ FAQ gnupg7.texi mkdefsinc.c defsincdate \
+ opt-homedir.texi see-also-note.texi specify-user-id.texi \
+ gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt \
+ trust-values.texi
+
+BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \
+ gnupg-card-architecture.png gnupg-card-architecture.pdf \
+ defsincdate defs.inc
+
+info_TEXINFOS = gnupg.texi
+
+dist_pkgdata_DATA = $(helpfiles) $(profiles)
+
+nobase_dist_doc_DATA = FAQ DETAILS HACKING DCO TRANSLATE OpenPGP KEYSERVER \
+ $(examples)
+
+#dist_html_DATA =
+
+
+gnupg_TEXINFOS = \
+ gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \
+ tools.texi debugging.texi glossary.texi contrib.texi gpl.texi \
+ sysnotes.texi dirmngr.texi wks.texi \
+ gnupg-module-overview.svg \
+ gnupg-card-architecture.fig \
+ howtos.texi howto-create-a-server-cert.texi
+
+gnupg.texi : defs.inc
+
+# We need EPS files for "make distcheck" but we do not want to distribute
+# them due to their size. Let's build them as needed.
+gnupg.dvi : gnupg-module-overview.eps gnupg-card-architecture.eps
+
+
+DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
+
+AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css
+
+YAT2M_OPTIONS = -I $(srcdir) \
+ --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.2"
+
+myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
+ dirmngr.texi scdaemon.texi tools.texi wks.texi
+myman_pages = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 \
+ watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
+ gpg-connect-agent.1 gpgparsemail.1 gpgtar.1 \
+ gpg-check-pattern.1 \
+ applygnupgdefaults.8 gpg-wks-client.1 gpg-wks-server.1 \
+ dirmngr-client.1
+if USE_GPG2_HACK
+myman_pages += gpg2.1 gpgv2.1
+else
+myman_pages += gpg.1 gpgv.1
+endif
+
+man_MANS = $(myman_pages) gnupg.7
+
+watchgnupg_SOURCE = gnupg.texi
+
+
+CLEANFILES = yat2m mkdefsinc defs.inc
+
+DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
+ gnupg-card-architecture.eps \
+ gnupg-module-overview.eps \
+ $(myman_pages) gnupg.7
+
+if HAVE_YAT2M
+YAT2M_CMD = $(YAT2M)
+YAT2M_DEP = $(YAT2M)
+else
+YAT2M_CMD = ./yat2m
+YAT2M_DEP = yat2m
+
+yat2m: yat2m.c
+ $(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c
+endif
+
+mkdefsinc: mkdefsinc.c Makefile ../config.h
+ $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \
+ -o $@ $(srcdir)/mkdefsinc.c
+
+.svg.eps:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.svg.png:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.svg.pdf:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.png:
+ fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.jpg:
+ fig2dev -L jpeg `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.eps:
+ fig2dev -L eps `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.pdf:
+ fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+
+yat2m-stamp: $(myman_sources) defs.inc
+ @rm -f yat2m-stamp.tmp
+ @touch yat2m-stamp.tmp
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ for file in $(myman_sources) ; do \
+ $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \
+ --date "`cat $$incd 2>/dev/null`" \
+ `test -f '$$file' || echo '$(srcdir)/'`$$file ; done
+ @mv -f yat2m-stamp.tmp $@
+
+yat2m-stamp: $(YAT2M_DEP)
+
+$(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+ @if test -f $@; then :; else \
+ trap 'rm -rf yat2m-stamp yat2m-lock' 1 2 13 15; \
+ if mkdir yat2m-lock 2>/dev/null; then \
+ rm -f yat2m-stamp; \
+ $(MAKE) $(AM_MAKEFLAGS) yat2m-stamp; \
+ rmdir yat2m-lock; \
+ else \
+ while test -d yat2m-lock; do sleep 1; done; \
+ test -f yat2m-stamp; exit $$?; \
+ fi; \
+ fi
+
+dist-hook: defsincdate
+
+defsincdate: $(gnupg_TEXINFOS)
+ : >defsincdate ; \
+ if test -e $(top_srcdir)/.git; then \
+ (cd $(srcdir) && git log -1 --format='%ct' \
+ -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+ elif test x"$$SOURCE_DATE_EPOCH" != x; then \
+ echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+ fi
+
+defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
+ $(gnupg_TEXINFOS) >$@
+
+
+online: gnupg.html gnupg.pdf gnupg-module-overview.png \
+ gnupg-card-architecture.png
+ set -e; \
+ echo "Uploading current manuals to www.gnupg.org ..."; \
+ cp $(srcdir)/gnupg-logo-tr.png gnupg.html/; \
+ cp gnupg-module-overview.png gnupg.html/; \
+ cp gnupg-card-architecture.png gnupg.html/; \
+ user=werner ; webhost="ftp.gnupg.org" ; dashdevel="" ; \
+ if echo "@PACKAGE_VERSION@" | grep -- "-beta" >/dev/null; then \
+ dashdevel="-devel" ; \
+ else \
+ rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/ ; \
+ fi ; \
+ cd gnupg.html ; \
+ rsync -vr --exclude='.git' . \
+ $${user}@$${webhost}:webspace/manuals/gnupg$${dashdevel}/
diff --git a/doc/Makefile.in b/doc/Makefile.in
new file mode 100644
index 0000000..59b671f
--- /dev/null
+++ b/doc/Makefile.in
@@ -0,0 +1,1273 @@
+# Makefile.in generated by automake 1.16.3 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+@SET_MAKE@
+
+# Copyright (C) 2002, 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+# cmacros.am - C macro definitions
+# Copyright (C) 2004 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
+am__make_running_with_option = \
+ case $${target_option-} in \
+ ?) ;; \
+ *) echo "am__make_running_with_option: internal error: invalid" \
+ "target option '$${target_option-}' specified" >&2; \
+ exit 1;; \
+ esac; \
+ has_opt=no; \
+ sane_makeflags=$$MAKEFLAGS; \
+ if $(am__is_gnu_make); then \
+ sane_makeflags=$$MFLAGS; \
+ else \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ bs=\\; \
+ sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+ | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
+ esac; \
+ fi; \
+ skip_next=no; \
+ strip_trailopt () \
+ { \
+ flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+ }; \
+ for flg in $$sane_makeflags; do \
+ test $$skip_next = yes && { skip_next=no; continue; }; \
+ case $$flg in \
+ *=*|--*) continue;; \
+ -*I) strip_trailopt 'I'; skip_next=yes;; \
+ -*I?*) strip_trailopt 'I';; \
+ -*O) strip_trailopt 'O'; skip_next=yes;; \
+ -*O?*) strip_trailopt 'O';; \
+ -*l) strip_trailopt 'l'; skip_next=yes;; \
+ -*l?*) strip_trailopt 'l';; \
+ -[dEDm]) skip_next=yes;; \
+ -[JT]) skip_next=yes;; \
+ esac; \
+ case $$flg in \
+ *$$target_option*) has_opt=yes; break;; \
+ esac; \
+ done; \
+ test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+@HAVE_DOSISH_SYSTEM_FALSE@am__append_1 = -DGNUPG_BINDIR="\"$(bindir)\"" \
+@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LIBEXECDIR="\"$(libexecdir)\"" \
+@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LIBDIR="\"$(libdir)/@PACKAGE@\"" \
+@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_DATADIR="\"$(datadir)/@PACKAGE@\"" \
+@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_SYSCONFDIR="\"$(sysconfdir)/@PACKAGE@\"" \
+@HAVE_DOSISH_SYSTEM_FALSE@ -DGNUPG_LOCALSTATEDIR="\"$(localstatedir)\""
+
+
+# If a specific protect tool program has been defined, pass its name
+# to cc. Note that these macros should not be used directly but via
+# the gnupg_module_name function.
+@GNUPG_AGENT_PGM_TRUE@am__append_2 = -DGNUPG_DEFAULT_AGENT="\"@GNUPG_AGENT_PGM@\""
+@GNUPG_PINENTRY_PGM_TRUE@am__append_3 = -DGNUPG_DEFAULT_PINENTRY="\"@GNUPG_PINENTRY_PGM@\""
+@GNUPG_SCDAEMON_PGM_TRUE@am__append_4 = -DGNUPG_DEFAULT_SCDAEMON="\"@GNUPG_SCDAEMON_PGM@\""
+@GNUPG_DIRMNGR_PGM_TRUE@am__append_5 = -DGNUPG_DEFAULT_DIRMNGR="\"@GNUPG_DIRMNGR_PGM@\""
+@GNUPG_PROTECT_TOOL_PGM_TRUE@am__append_6 = -DGNUPG_DEFAULT_PROTECT_TOOL="\"@GNUPG_PROTECT_TOOL_PGM@\""
+@GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\""
+@USE_GPG2_HACK_TRUE@am__append_8 = gpg2.1 gpgv2.1
+@USE_GPG2_HACK_FALSE@am__append_9 = gpg.1 gpgv.1
+subdir = doc
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/autobuild.m4 \
+ $(top_srcdir)/m4/codeset.m4 $(top_srcdir)/m4/gettext.m4 \
+ $(top_srcdir)/m4/gpg-error.m4 $(top_srcdir)/m4/iconv.m4 \
+ $(top_srcdir)/m4/isc-posix.m4 $(top_srcdir)/m4/ksba.m4 \
+ $(top_srcdir)/m4/lcmessage.m4 $(top_srcdir)/m4/ldap.m4 \
+ $(top_srcdir)/m4/lib-ld.m4 $(top_srcdir)/m4/lib-link.m4 \
+ $(top_srcdir)/m4/lib-prefix.m4 $(top_srcdir)/m4/libassuan.m4 \
+ $(top_srcdir)/m4/libgcrypt.m4 $(top_srcdir)/m4/nls.m4 \
+ $(top_srcdir)/m4/npth.m4 $(top_srcdir)/m4/ntbtls.m4 \
+ $(top_srcdir)/m4/pkg.m4 $(top_srcdir)/m4/po.m4 \
+ $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/m4/readline.m4 \
+ $(top_srcdir)/m4/socklen.m4 $(top_srcdir)/m4/sys_socket_h.m4 \
+ $(top_srcdir)/m4/tar-ustar.m4 $(top_srcdir)/acinclude.m4 \
+ $(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+ $(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(dist_pkgdata_DATA) \
+ $(nobase_dist_doc_DATA) $(am__DIST_COMMON)
+mkinstalldirs = $(SHELL) $(top_srcdir)/build-aux/mkinstalldirs
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+AM_V_P = $(am__v_P_@AM_V@)
+am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_@AM_V@)
+am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
+am__v_GEN_0 = @echo " GEN " $@;
+am__v_GEN_1 =
+AM_V_at = $(am__v_at_@AM_V@)
+am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 =
+SOURCES =
+DIST_SOURCES =
+AM_V_DVIPS = $(am__v_DVIPS_@AM_V@)
+am__v_DVIPS_ = $(am__v_DVIPS_@AM_DEFAULT_V@)
+am__v_DVIPS_0 = @echo " DVIPS " $@;
+am__v_DVIPS_1 =
+AM_V_MAKEINFO = $(am__v_MAKEINFO_@AM_V@)
+am__v_MAKEINFO_ = $(am__v_MAKEINFO_@AM_DEFAULT_V@)
+am__v_MAKEINFO_0 = @echo " MAKEINFO" $@;
+am__v_MAKEINFO_1 =
+AM_V_INFOHTML = $(am__v_INFOHTML_@AM_V@)
+am__v_INFOHTML_ = $(am__v_INFOHTML_@AM_DEFAULT_V@)
+am__v_INFOHTML_0 = @echo " INFOHTML" $@;
+am__v_INFOHTML_1 =
+AM_V_TEXI2DVI = $(am__v_TEXI2DVI_@AM_V@)
+am__v_TEXI2DVI_ = $(am__v_TEXI2DVI_@AM_DEFAULT_V@)
+am__v_TEXI2DVI_0 = @echo " TEXI2DVI" $@;
+am__v_TEXI2DVI_1 =
+AM_V_TEXI2PDF = $(am__v_TEXI2PDF_@AM_V@)
+am__v_TEXI2PDF_ = $(am__v_TEXI2PDF_@AM_DEFAULT_V@)
+am__v_TEXI2PDF_0 = @echo " TEXI2PDF" $@;
+am__v_TEXI2PDF_1 =
+AM_V_texinfo = $(am__v_texinfo_@AM_V@)
+am__v_texinfo_ = $(am__v_texinfo_@AM_DEFAULT_V@)
+am__v_texinfo_0 = -q
+am__v_texinfo_1 =
+AM_V_texidevnull = $(am__v_texidevnull_@AM_V@)
+am__v_texidevnull_ = $(am__v_texidevnull_@AM_DEFAULT_V@)
+am__v_texidevnull_0 = > /dev/null
+am__v_texidevnull_1 =
+INFO_DEPS = $(srcdir)/gnupg.info
+TEXINFO_TEX = $(top_srcdir)/build-aux/texinfo.tex
+am__TEXINFO_TEX_DIR = $(top_srcdir)/build-aux
+DVIS = gnupg.dvi
+PDFS = gnupg.pdf
+PSS = gnupg.ps
+HTMLS = gnupg.html
+TEXINFOS = gnupg.texi
+TEXI2DVI = texi2dvi
+TEXI2PDF = $(TEXI2DVI) --pdf --batch
+MAKEINFOHTML = $(MAKEINFO) --html
+AM_MAKEINFOHTMLFLAGS = $(AM_MAKEINFOFLAGS)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
+am__installdirs = "$(DESTDIR)$(infodir)" "$(DESTDIR)$(man1dir)" \
+ "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" \
+ "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)"
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+ *) f=$$p;; \
+ esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+ test -z "$$files" \
+ || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+ || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+ $(am__cd) "$$dir" && rm -f $$files; }; \
+ }
+man1dir = $(mandir)/man1
+man7dir = $(mandir)/man7
+man8dir = $(mandir)/man8
+NROFF = nroff
+MANS = $(man_MANS)
+DATA = $(dist_pkgdata_DATA) $(nobase_dist_doc_DATA)
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+am__DIST_COMMON = $(gnupg_TEXINFOS) $(srcdir)/Makefile.in \
+ $(top_srcdir)/am/cmacros.am \
+ $(top_srcdir)/build-aux/mkinstalldirs \
+ $(top_srcdir)/build-aux/texinfo.tex
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+AWK_HEX_NUMBER_OPTION = @AWK_HEX_NUMBER_OPTION@
+BUILD_FILEVERSION = @BUILD_FILEVERSION@
+BUILD_HOSTNAME = @BUILD_HOSTNAME@
+BUILD_INCLUDED_LIBINTL = @BUILD_INCLUDED_LIBINTL@
+BUILD_REVISION = @BUILD_REVISION@
+BUILD_TIMESTAMP = @BUILD_TIMESTAMP@
+BUILD_VERSION = @BUILD_VERSION@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CC_FOR_BUILD = @CC_FOR_BUILD@
+CFLAGS = @CFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DL_LIBS = @DL_LIBS@
+DNSLIBS = @DNSLIBS@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+ENCFS = @ENCFS@
+EXEEXT = @EXEEXT@
+FUSERMOUNT = @FUSERMOUNT@
+GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
+GMSGFMT = @GMSGFMT@
+GMSGFMT_015 = @GMSGFMT_015@
+GNUPG_AGENT_PGM = @GNUPG_AGENT_PGM@
+GNUPG_DIRMNGR_LDAP_PGM = @GNUPG_DIRMNGR_LDAP_PGM@
+GNUPG_DIRMNGR_PGM = @GNUPG_DIRMNGR_PGM@
+GNUPG_PINENTRY_PGM = @GNUPG_PINENTRY_PGM@
+GNUPG_PROTECT_TOOL_PGM = @GNUPG_PROTECT_TOOL_PGM@
+GNUPG_SCDAEMON_PGM = @GNUPG_SCDAEMON_PGM@
+GPGKEYS_LDAP = @GPGKEYS_LDAP@
+GPGRT_CONFIG = @GPGRT_CONFIG@
+GPG_ERROR_CFLAGS = @GPG_ERROR_CFLAGS@
+GPG_ERROR_CONFIG = @GPG_ERROR_CONFIG@
+GPG_ERROR_LIBS = @GPG_ERROR_LIBS@
+GPG_ERROR_MT_CFLAGS = @GPG_ERROR_MT_CFLAGS@
+GPG_ERROR_MT_LIBS = @GPG_ERROR_MT_LIBS@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+INTLLIBS = @INTLLIBS@
+INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
+KSBA_CFLAGS = @KSBA_CFLAGS@
+KSBA_CONFIG = @KSBA_CONFIG@
+KSBA_LIBS = @KSBA_LIBS@
+LBER_LIBS = @LBER_LIBS@
+LDAPLIBS = @LDAPLIBS@
+LDAP_CPPFLAGS = @LDAP_CPPFLAGS@
+LDFLAGS = @LDFLAGS@
+LIBASSUAN_CFLAGS = @LIBASSUAN_CFLAGS@
+LIBASSUAN_CONFIG = @LIBASSUAN_CONFIG@
+LIBASSUAN_LIBS = @LIBASSUAN_LIBS@
+LIBGCRYPT_CFLAGS = @LIBGCRYPT_CFLAGS@
+LIBGCRYPT_CONFIG = @LIBGCRYPT_CONFIG@
+LIBGCRYPT_LIBS = @LIBGCRYPT_LIBS@
+LIBGNUTLS_CFLAGS = @LIBGNUTLS_CFLAGS@
+LIBGNUTLS_LIBS = @LIBGNUTLS_LIBS@
+LIBICONV = @LIBICONV@
+LIBINTL = @LIBINTL@
+LIBOBJS = @LIBOBJS@
+LIBREADLINE = @LIBREADLINE@
+LIBS = @LIBS@
+LIBUSB_CPPFLAGS = @LIBUSB_CPPFLAGS@
+LIBUSB_LIBS = @LIBUSB_LIBS@
+LIBUTIL_LIBS = @LIBUTIL_LIBS@
+LN_S = @LN_S@
+LTLIBICONV = @LTLIBICONV@
+LTLIBINTL = @LTLIBINTL@
+LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
+MAKEINFO = @MAKEINFO@
+MKDIR_P = @MKDIR_P@
+MSGFMT = @MSGFMT@
+MSGFMT_015 = @MSGFMT_015@
+MSGMERGE = @MSGMERGE@
+NETLIBS = @NETLIBS@
+NPTH_CFLAGS = @NPTH_CFLAGS@
+NPTH_CONFIG = @NPTH_CONFIG@
+NPTH_LIBS = @NPTH_LIBS@
+NTBTLS_CFLAGS = @NTBTLS_CFLAGS@
+NTBTLS_CONFIG = @NTBTLS_CONFIG@
+NTBTLS_LIBS = @NTBTLS_LIBS@
+OBJEXT = @OBJEXT@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_GT = @PACKAGE_GT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+POSUB = @POSUB@
+RANLIB = @RANLIB@
+SENDMAIL = @SENDMAIL@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SHRED = @SHRED@
+SQLITE3_CFLAGS = @SQLITE3_CFLAGS@
+SQLITE3_LIBS = @SQLITE3_LIBS@
+STRIP = @STRIP@
+SYSROOT = @SYSROOT@
+SYS_SOCKET_H = @SYS_SOCKET_H@
+TAR = @TAR@
+USE_C99_CFLAGS = @USE_C99_CFLAGS@
+USE_INCLUDED_LIBINTL = @USE_INCLUDED_LIBINTL@
+USE_NLS = @USE_NLS@
+VERSION = @VERSION@
+W32SOCKLIBS = @W32SOCKLIBS@
+WINDRES = @WINDRES@
+XGETTEXT = @XGETTEXT@
+XGETTEXT_015 = @XGETTEXT_015@
+XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
+YAT2M = @YAT2M@
+ZLIBS = @ZLIBS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_CC = @ac_ct_CC@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+datadir = @datadir@
+datarootdir = @datarootdir@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+libdir = @libdir@
+libexecdir = @libexecdir@
+localedir = $(datadir)/locale
+localstatedir = @localstatedir@
+mandir = @mandir@
+mkdir_p = @mkdir_p@
+oldincludedir = @oldincludedir@
+pdfdir = @pdfdir@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+runstatedir = @runstatedir@
+sbindir = @sbindir@
+sharedstatedir = @sharedstatedir@
+srcdir = @srcdir@
+sysconfdir = @sysconfdir@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+
+# NB: AM_CFLAGS may also be used by tools running on the build
+# platform to create source files.
+AM_CPPFLAGS = -DLOCALEDIR=\"$(localedir)\" $(am__append_1) \
+ $(am__append_2) $(am__append_3) $(am__append_4) \
+ $(am__append_5) $(am__append_6) $(am__append_7)
+@HAVE_W32CE_SYSTEM_FALSE@extra_sys_libs =
+
+# Under Windows we use LockFileEx. WindowsCE provides this only on
+# the WindowsMobile 6 platform and thus we need to use the coredll6
+# import library. We also want to use a stacksize of 256k instead of
+# the 2MB which is the default with cegcc. 256k is the largest stack
+# we use with pth.
+@HAVE_W32CE_SYSTEM_TRUE@extra_sys_libs = -lcoredll6
+@HAVE_W32CE_SYSTEM_FALSE@extra_bin_ldflags =
+@HAVE_W32CE_SYSTEM_TRUE@extra_bin_ldflags = -Wl,--stack=0x40000
+resource_objs =
+
+# Convenience macros
+libcommon = ../common/libcommon.a
+libcommonpth = ../common/libcommonpth.a
+libcommontls = ../common/libcommontls.a
+libcommontlsnpth = ../common/libcommontlsnpth.a
+examples = examples/README examples/scd-event examples/trustlist.txt \
+ examples/VS-NfD.prf examples/Automatic.prf \
+ examples/debug.prf \
+ examples/gpgconf.rnames examples/gpgconf.conf \
+ examples/systemd-user/README \
+ examples/systemd-user/dirmngr.service \
+ examples/systemd-user/dirmngr.socket \
+ examples/systemd-user/gpg-agent.service \
+ examples/systemd-user/gpg-agent.socket \
+ examples/systemd-user/gpg-agent-ssh.socket \
+ examples/systemd-user/gpg-agent-browser.socket \
+ examples/systemd-user/gpg-agent-extra.socket \
+ examples/pwpattern.list
+
+helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
+ help.da.txt help.de.txt help.el.txt help.eo.txt \
+ help.es.txt help.et.txt help.fi.txt help.fr.txt \
+ help.gl.txt help.hu.txt help.id.txt help.it.txt \
+ help.ja.txt help.nb.txt help.pl.txt help.pt.txt \
+ help.pt_BR.txt help.ro.txt help.ru.txt help.sk.txt \
+ help.sv.txt help.tr.txt help.zh_CN.txt help.zh_TW.txt
+
+profiles =
+EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \
+ gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \
+ gnupg-module-overview.png gnupg-module-overview.pdf \
+ gnupg-card-architecture.png gnupg-card-architecture.pdf \
+ FAQ gnupg7.texi mkdefsinc.c defsincdate \
+ opt-homedir.texi see-also-note.texi specify-user-id.texi \
+ gpgv.texi yat2m.c ChangeLog-2011 whats-new-in-2.1.txt \
+ trust-values.texi
+
+BUILT_SOURCES = gnupg-module-overview.png gnupg-module-overview.pdf \
+ gnupg-card-architecture.png gnupg-card-architecture.pdf \
+ defsincdate defs.inc
+
+info_TEXINFOS = gnupg.texi
+dist_pkgdata_DATA = $(helpfiles) $(profiles)
+nobase_dist_doc_DATA = FAQ DETAILS HACKING DCO TRANSLATE OpenPGP KEYSERVER \
+ $(examples)
+
+
+#dist_html_DATA =
+gnupg_TEXINFOS = \
+ gpg.texi gpgsm.texi gpg-agent.texi scdaemon.texi instguide.texi \
+ tools.texi debugging.texi glossary.texi contrib.texi gpl.texi \
+ sysnotes.texi dirmngr.texi wks.texi \
+ gnupg-module-overview.svg \
+ gnupg-card-architecture.fig \
+ howtos.texi howto-create-a-server-cert.texi
+
+DVIPS = TEXINPUTS="$(srcdir)$(PATH_SEPARATOR)$$TEXINPUTS" dvips
+AM_MAKEINFOFLAGS = -I $(srcdir) --css-ref=/share/site.css
+YAT2M_OPTIONS = -I $(srcdir) \
+ --release "GnuPG @PACKAGE_VERSION@" --source "GNU Privacy Guard 2.2"
+
+myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
+ dirmngr.texi scdaemon.texi tools.texi wks.texi
+
+myman_pages = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 watchgnupg.1 \
+ gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
+ gpg-connect-agent.1 gpgparsemail.1 gpgtar.1 \
+ gpg-check-pattern.1 applygnupgdefaults.8 gpg-wks-client.1 \
+ gpg-wks-server.1 dirmngr-client.1 $(am__append_8) \
+ $(am__append_9)
+man_MANS = $(myman_pages) gnupg.7
+watchgnupg_SOURCE = gnupg.texi
+CLEANFILES = yat2m mkdefsinc defs.inc
+DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
+ gnupg-card-architecture.eps \
+ gnupg-module-overview.eps \
+ $(myman_pages) gnupg.7
+
+@HAVE_YAT2M_FALSE@YAT2M_CMD = ./yat2m
+@HAVE_YAT2M_TRUE@YAT2M_CMD = $(YAT2M)
+@HAVE_YAT2M_FALSE@YAT2M_DEP = yat2m
+@HAVE_YAT2M_TRUE@YAT2M_DEP = $(YAT2M)
+all: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+
+.SUFFIXES:
+.SUFFIXES: .dvi .eps .fig .html .info .jpg .o .pdf .png .ps .rc .svg .texi
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/am/cmacros.am $(am__configure_deps)
+ @for dep in $?; do \
+ case '$(am__configure_deps)' in \
+ *$$dep*) \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
+ exit 1;; \
+ esac; \
+ done; \
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu doc/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu doc/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+ @case '$?' in \
+ *config.status*) \
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+ *) \
+ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \
+ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \
+ esac;
+$(top_srcdir)/am/cmacros.am $(am__empty):
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps)
+ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+.texi.info:
+ $(AM_V_MAKEINFO)restore=: && backupdir="$(am__leading_dot)am$$$$" && \
+ am__cwd=`pwd` && $(am__cd) $(srcdir) && \
+ rm -rf $$backupdir && mkdir $$backupdir && \
+ if ($(MAKEINFO) --version) >/dev/null 2>&1; then \
+ for f in $@ $@-[0-9] $@-[0-9][0-9] $(@:.info=).i[0-9] $(@:.info=).i[0-9][0-9]; do \
+ if test -f $$f; then mv $$f $$backupdir; restore=mv; else :; fi; \
+ done; \
+ else :; fi && \
+ cd "$$am__cwd"; \
+ if $(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \
+ -o $@ $<; \
+ then \
+ rc=0; \
+ $(am__cd) $(srcdir); \
+ else \
+ rc=$$?; \
+ $(am__cd) $(srcdir) && \
+ $$restore $$backupdir/* `echo "./$@" | sed 's|[^/]*$$||'`; \
+ fi; \
+ rm -rf $$backupdir; exit $$rc
+
+.texi.dvi:
+ $(AM_V_TEXI2DVI)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
+ MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \
+ $(TEXI2DVI) $(AM_V_texinfo) --build-dir=$(@:.dvi=.t2d) -o $@ $(AM_V_texidevnull) \
+ $<
+
+.texi.pdf:
+ $(AM_V_TEXI2PDF)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
+ MAKEINFO='$(MAKEINFO) $(AM_MAKEINFOFLAGS) $(MAKEINFOFLAGS) -I $(srcdir)' \
+ $(TEXI2PDF) $(AM_V_texinfo) --build-dir=$(@:.pdf=.t2p) -o $@ $(AM_V_texidevnull) \
+ $<
+
+.texi.html:
+ $(AM_V_MAKEINFO)rm -rf $(@:.html=.htp)
+ $(AM_V_at)if $(MAKEINFOHTML) $(AM_MAKEINFOHTMLFLAGS) $(MAKEINFOFLAGS) -I $(srcdir) \
+ -o $(@:.html=.htp) $<; \
+ then \
+ rm -rf $@ && mv $(@:.html=.htp) $@; \
+ else \
+ rm -rf $(@:.html=.htp); exit 1; \
+ fi
+$(srcdir)/gnupg.info: gnupg.texi $(gnupg_TEXINFOS)
+gnupg.pdf: gnupg.texi $(gnupg_TEXINFOS)
+gnupg.html: gnupg.texi $(gnupg_TEXINFOS)
+.dvi.ps:
+ $(AM_V_DVIPS)TEXINPUTS="$(am__TEXINFO_TEX_DIR)$(PATH_SEPARATOR)$$TEXINPUTS" \
+ $(DVIPS) $(AM_V_texinfo) -o $@ $<
+
+uninstall-dvi-am:
+ @$(NORMAL_UNINSTALL)
+ @list='$(DVIS)'; test -n "$(dvidir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(dvidir)/$$f'"; \
+ rm -f "$(DESTDIR)$(dvidir)/$$f"; \
+ done
+
+uninstall-html-am:
+ @$(NORMAL_UNINSTALL)
+ @list='$(HTMLS)'; test -n "$(htmldir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " rm -rf '$(DESTDIR)$(htmldir)/$$f'"; \
+ rm -rf "$(DESTDIR)$(htmldir)/$$f"; \
+ done
+
+uninstall-info-am:
+ @$(PRE_UNINSTALL)
+ @if test -d '$(DESTDIR)$(infodir)' && $(am__can_run_installinfo); then \
+ list='$(INFO_DEPS)'; \
+ for file in $$list; do \
+ relfile=`echo "$$file" | sed 's|^.*/||'`; \
+ echo " install-info --info-dir='$(DESTDIR)$(infodir)' --remove '$(DESTDIR)$(infodir)/$$relfile'"; \
+ if install-info --info-dir="$(DESTDIR)$(infodir)" --remove "$(DESTDIR)$(infodir)/$$relfile"; \
+ then :; else test ! -f "$(DESTDIR)$(infodir)/$$relfile" || exit 1; fi; \
+ done; \
+ else :; fi
+ @$(NORMAL_UNINSTALL)
+ @list='$(INFO_DEPS)'; \
+ for file in $$list; do \
+ relfile=`echo "$$file" | sed 's|^.*/||'`; \
+ relfile_i=`echo "$$relfile" | sed 's|\.info$$||;s|$$|.i|'`; \
+ (if test -d "$(DESTDIR)$(infodir)" && cd "$(DESTDIR)$(infodir)"; then \
+ echo " cd '$(DESTDIR)$(infodir)' && rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]"; \
+ rm -f $$relfile $$relfile-[0-9] $$relfile-[0-9][0-9] $$relfile_i[0-9] $$relfile_i[0-9][0-9]; \
+ else :; fi); \
+ done
+
+uninstall-pdf-am:
+ @$(NORMAL_UNINSTALL)
+ @list='$(PDFS)'; test -n "$(pdfdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(pdfdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(pdfdir)/$$f"; \
+ done
+
+uninstall-ps-am:
+ @$(NORMAL_UNINSTALL)
+ @list='$(PSS)'; test -n "$(psdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " rm -f '$(DESTDIR)$(psdir)/$$f'"; \
+ rm -f "$(DESTDIR)$(psdir)/$$f"; \
+ done
+
+dist-info: $(INFO_DEPS)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ list='$(INFO_DEPS)'; \
+ for base in $$list; do \
+ case $$base in \
+ $(srcdir)/*) base=`echo "$$base" | sed "s|^$$srcdirstrip/||"`;; \
+ esac; \
+ if test -f $$base; then d=.; else d=$(srcdir); fi; \
+ base_i=`echo "$$base" | sed 's|\.info$$||;s|$$|.i|'`; \
+ for file in $$d/$$base $$d/$$base-[0-9] $$d/$$base-[0-9][0-9] $$d/$$base_i[0-9] $$d/$$base_i[0-9][0-9]; do \
+ if test -f $$file; then \
+ relfile=`expr "$$file" : "$$d/\(.*\)"`; \
+ test -f "$(distdir)/$$relfile" || \
+ cp -p $$file "$(distdir)/$$relfile"; \
+ else :; fi; \
+ done; \
+ done
+
+mostlyclean-aminfo:
+ -rm -rf gnupg.t2d gnupg.t2p
+
+clean-aminfo:
+ -test -z "gnupg.dvi gnupg.pdf gnupg.ps gnupg.html" \
+ || rm -rf gnupg.dvi gnupg.pdf gnupg.ps gnupg.html
+
+maintainer-clean-aminfo:
+ @list='$(INFO_DEPS)'; for i in $$list; do \
+ i_i=`echo "$$i" | sed 's|\.info$$||;s|$$|.i|'`; \
+ echo " rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]"; \
+ rm -f $$i $$i-[0-9] $$i-[0-9][0-9] $$i_i[0-9] $$i_i[0-9][0-9]; \
+ done
+install-man1: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man1dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man1dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man1dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.1[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man1:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man1dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.1[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
+install-man7: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man7dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man7dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man7dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.7[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man7dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man7dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man7dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man7dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man7:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man7dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.7[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^7][0-9a-z]*$$,7,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man7dir)'; $(am__uninstall_files_from_dir)
+install-man8: $(man_MANS)
+ @$(NORMAL_INSTALL)
+ @list1=''; \
+ list2='$(man_MANS)'; \
+ test -n "$(man8dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.8[a-z]*$$/p'; \
+ fi; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+ fi; \
+ done; \
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+ done; }
+
+uninstall-man8:
+ @$(NORMAL_UNINSTALL)
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir)
+install-dist_pkgdataDATA: $(dist_pkgdata_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pkgdatadir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pkgdatadir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pkgdatadir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(pkgdatadir)" || exit $$?; \
+ done
+
+uninstall-dist_pkgdataDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(dist_pkgdata_DATA)'; test -n "$(pkgdatadir)" || list=; \
+ files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \
+ dir='$(DESTDIR)$(pkgdatadir)'; $(am__uninstall_files_from_dir)
+install-nobase_dist_docDATA: $(nobase_dist_doc_DATA)
+ @$(NORMAL_INSTALL)
+ @list='$(nobase_dist_doc_DATA)'; test -n "$(docdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(docdir)" || exit 1; \
+ fi; \
+ $(am__nobase_list) | while read dir files; do \
+ xfiles=; for file in $$files; do \
+ if test -f "$$file"; then xfiles="$$xfiles $$file"; \
+ else xfiles="$$xfiles $(srcdir)/$$file"; fi; done; \
+ test -z "$$xfiles" || { \
+ test "x$$dir" = x. || { \
+ echo " $(MKDIR_P) '$(DESTDIR)$(docdir)/$$dir'"; \
+ $(MKDIR_P) "$(DESTDIR)$(docdir)/$$dir"; }; \
+ echo " $(INSTALL_DATA) $$xfiles '$(DESTDIR)$(docdir)/$$dir'"; \
+ $(INSTALL_DATA) $$xfiles "$(DESTDIR)$(docdir)/$$dir" || exit $$?; }; \
+ done
+
+uninstall-nobase_dist_docDATA:
+ @$(NORMAL_UNINSTALL)
+ @list='$(nobase_dist_doc_DATA)'; test -n "$(docdir)" || list=; \
+ $(am__nobase_strip_setup); files=`$(am__nobase_strip)`; \
+ dir='$(DESTDIR)$(docdir)'; $(am__uninstall_files_from_dir)
+tags TAGS:
+
+ctags CTAGS:
+
+cscope cscopelist:
+
+
+distdir: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) distdir-am
+
+distdir-am: $(DISTFILES)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+ list='$(DISTFILES)'; \
+ dist_files=`for file in $$list; do echo $$file; done | \
+ sed -e "s|^$$srcdirstrip/||;t" \
+ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+ case $$dist_files in \
+ */*) $(MKDIR_P) `echo "$$dist_files" | \
+ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+ sort -u` ;; \
+ esac; \
+ for file in $$dist_files; do \
+ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+ if test -d $$d/$$file; then \
+ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+ else \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
+ || exit 1; \
+ fi; \
+ done
+ $(MAKE) $(AM_MAKEFLAGS) \
+ top_distdir="$(top_distdir)" distdir="$(distdir)" \
+ dist-info dist-hook
+check-am: all-am
+check: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) check-am
+all-am: Makefile $(INFO_DEPS) $(MANS) $(DATA)
+installdirs:
+ for dir in "$(DESTDIR)$(infodir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man7dir)" "$(DESTDIR)$(man8dir)" "$(DESTDIR)$(pkgdatadir)" "$(DESTDIR)$(docdir)"; do \
+ test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+ done
+install: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-am
+install-exec: $(BUILT_SOURCES)
+ $(MAKE) $(AM_MAKEFLAGS) install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+ @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+ if test -z '$(STRIP)'; then \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ install; \
+ else \
+ $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+ "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+ fi
+mostlyclean-generic:
+
+clean-generic:
+ -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+
+distclean-generic:
+ -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+ -test -z "$(DISTCLEANFILES)" || rm -f $(DISTCLEANFILES)
+
+maintainer-clean-generic:
+ @echo "This command is intended for maintainers to use"
+ @echo "it deletes files that may require special tools to rebuild."
+ -test -z "$(BUILT_SOURCES)" || rm -f $(BUILT_SOURCES)
+clean: clean-am
+
+clean-am: clean-aminfo clean-generic mostlyclean-am
+
+distclean: distclean-am
+ -rm -f Makefile
+distclean-am: clean-am distclean-generic
+
+dvi: dvi-am
+
+dvi-am: $(DVIS)
+
+html: html-am
+
+html-am: $(HTMLS)
+
+info: info-am
+
+info-am: $(INFO_DEPS)
+
+install-data-am: install-dist_pkgdataDATA install-info-am install-man \
+ install-nobase_dist_docDATA
+
+install-dvi: install-dvi-am
+
+install-dvi-am: $(DVIS)
+ @$(NORMAL_INSTALL)
+ @list='$(DVIS)'; test -n "$(dvidir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(dvidir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(dvidir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(dvidir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(dvidir)" || exit $$?; \
+ done
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am: $(HTMLS)
+ @$(NORMAL_INSTALL)
+ @list='$(HTMLS)'; list2=; test -n "$(htmldir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(htmldir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p" || test -d "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ $(am__strip_dir) \
+ d2=$$d$$p; \
+ if test -d "$$d2"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(htmldir)/$$f'"; \
+ $(MKDIR_P) "$(DESTDIR)$(htmldir)/$$f" || exit 1; \
+ echo " $(INSTALL_DATA) '$$d2'/* '$(DESTDIR)$(htmldir)/$$f'"; \
+ $(INSTALL_DATA) "$$d2"/* "$(DESTDIR)$(htmldir)/$$f" || exit $$?; \
+ else \
+ list2="$$list2 $$d2"; \
+ fi; \
+ done; \
+ test -z "$$list2" || { echo "$$list2" | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(htmldir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(htmldir)" || exit $$?; \
+ done; }
+install-info: install-info-am
+
+install-info-am: $(INFO_DEPS)
+ @$(NORMAL_INSTALL)
+ @srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; \
+ list='$(INFO_DEPS)'; test -n "$(infodir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(infodir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(infodir)" || exit 1; \
+ fi; \
+ for file in $$list; do \
+ case $$file in \
+ $(srcdir)/*) file=`echo "$$file" | sed "s|^$$srcdirstrip/||"`;; \
+ esac; \
+ if test -f $$file; then d=.; else d=$(srcdir); fi; \
+ file_i=`echo "$$file" | sed 's|\.info$$||;s|$$|.i|'`; \
+ for ifile in $$d/$$file $$d/$$file-[0-9] $$d/$$file-[0-9][0-9] \
+ $$d/$$file_i[0-9] $$d/$$file_i[0-9][0-9] ; do \
+ if test -f $$ifile; then \
+ echo "$$ifile"; \
+ else : ; fi; \
+ done; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(infodir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(infodir)" || exit $$?; done
+ @$(POST_INSTALL)
+ @if $(am__can_run_installinfo); then \
+ list='$(INFO_DEPS)'; test -n "$(infodir)" || list=; \
+ for file in $$list; do \
+ relfile=`echo "$$file" | sed 's|^.*/||'`; \
+ echo " install-info --info-dir='$(DESTDIR)$(infodir)' '$(DESTDIR)$(infodir)/$$relfile'";\
+ install-info --info-dir="$(DESTDIR)$(infodir)" "$(DESTDIR)$(infodir)/$$relfile" || :;\
+ done; \
+ else : ; fi
+install-man: install-man1 install-man7 install-man8
+
+install-pdf: install-pdf-am
+
+install-pdf-am: $(PDFS)
+ @$(NORMAL_INSTALL)
+ @list='$(PDFS)'; test -n "$(pdfdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(pdfdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(pdfdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(pdfdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(pdfdir)" || exit $$?; done
+install-ps: install-ps-am
+
+install-ps-am: $(PSS)
+ @$(NORMAL_INSTALL)
+ @list='$(PSS)'; test -n "$(psdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(psdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(psdir)" || exit 1; \
+ fi; \
+ for p in $$list; do \
+ if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; \
+ done | $(am__base_list) | \
+ while read files; do \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(psdir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(psdir)" || exit $$?; done
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+ -rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-aminfo \
+ maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-aminfo mostlyclean-generic
+
+pdf: pdf-am
+
+pdf-am: $(PDFS)
+
+ps: ps-am
+
+ps-am: $(PSS)
+
+uninstall-am: uninstall-dist_pkgdataDATA uninstall-dvi-am \
+ uninstall-html-am uninstall-info-am uninstall-man \
+ uninstall-nobase_dist_docDATA uninstall-pdf-am uninstall-ps-am
+
+uninstall-man: uninstall-man1 uninstall-man7 uninstall-man8
+
+.MAKE: all check install install-am install-exec install-strip
+
+.PHONY: all all-am check check-am clean clean-aminfo clean-generic \
+ cscopelist-am ctags-am dist-hook dist-info distclean \
+ distclean-generic distdir dvi dvi-am html html-am info info-am \
+ install install-am install-data install-data-am \
+ install-dist_pkgdataDATA install-dvi install-dvi-am \
+ install-exec install-exec-am install-html install-html-am \
+ install-info install-info-am install-man install-man1 \
+ install-man7 install-man8 install-nobase_dist_docDATA \
+ install-pdf install-pdf-am install-ps install-ps-am \
+ install-strip installcheck installcheck-am installdirs \
+ maintainer-clean maintainer-clean-aminfo \
+ maintainer-clean-generic mostlyclean mostlyclean-aminfo \
+ mostlyclean-generic pdf pdf-am ps ps-am tags-am uninstall \
+ uninstall-am uninstall-dist_pkgdataDATA uninstall-dvi-am \
+ uninstall-html-am uninstall-info-am uninstall-man \
+ uninstall-man1 uninstall-man7 uninstall-man8 \
+ uninstall-nobase_dist_docDATA uninstall-pdf-am uninstall-ps-am
+
+.PRECIOUS: Makefile
+
+
+@HAVE_W32_SYSTEM_TRUE@.rc.o:
+@HAVE_W32_SYSTEM_TRUE@ $(WINDRES) $(DEFAULT_INCLUDES) $(INCLUDES) "$<" "$@"
+
+gnupg.texi : defs.inc
+
+# We need EPS files for "make distcheck" but we do not want to distribute
+# them due to their size. Let's build them as needed.
+gnupg.dvi : gnupg-module-overview.eps gnupg-card-architecture.eps
+
+@HAVE_YAT2M_FALSE@yat2m: yat2m.c
+@HAVE_YAT2M_FALSE@ $(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c
+
+mkdefsinc: mkdefsinc.c Makefile ../config.h
+ $(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \
+ -o $@ $(srcdir)/mkdefsinc.c
+
+.svg.eps:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.svg.png:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.svg.pdf:
+ convert `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.png:
+ fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.jpg:
+ fig2dev -L jpeg `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.eps:
+ fig2dev -L eps `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+.fig.pdf:
+ fig2dev -L pdf `test -f '$<' || echo '$(srcdir)/'`$< $@
+
+yat2m-stamp: $(myman_sources) defs.inc
+ @rm -f yat2m-stamp.tmp
+ @touch yat2m-stamp.tmp
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ for file in $(myman_sources) ; do \
+ $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \
+ --date "`cat $$incd 2>/dev/null`" \
+ `test -f '$$file' || echo '$(srcdir)/'`$$file ; done
+ @mv -f yat2m-stamp.tmp $@
+
+yat2m-stamp: $(YAT2M_DEP)
+
+$(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+ @if test -f $@; then :; else \
+ trap 'rm -rf yat2m-stamp yat2m-lock' 1 2 13 15; \
+ if mkdir yat2m-lock 2>/dev/null; then \
+ rm -f yat2m-stamp; \
+ $(MAKE) $(AM_MAKEFLAGS) yat2m-stamp; \
+ rmdir yat2m-lock; \
+ else \
+ while test -d yat2m-lock; do sleep 1; done; \
+ test -f yat2m-stamp; exit $$?; \
+ fi; \
+ fi
+
+dist-hook: defsincdate
+
+defsincdate: $(gnupg_TEXINFOS)
+ : >defsincdate ; \
+ if test -e $(top_srcdir)/.git; then \
+ (cd $(srcdir) && git log -1 --format='%ct' \
+ -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+ elif test x"$$SOURCE_DATE_EPOCH" != x; then \
+ echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+ fi
+
+defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
+ $(gnupg_TEXINFOS) >$@
+
+online: gnupg.html gnupg.pdf gnupg-module-overview.png \
+ gnupg-card-architecture.png
+ set -e; \
+ echo "Uploading current manuals to www.gnupg.org ..."; \
+ cp $(srcdir)/gnupg-logo-tr.png gnupg.html/; \
+ cp gnupg-module-overview.png gnupg.html/; \
+ cp gnupg-card-architecture.png gnupg.html/; \
+ user=werner ; webhost="ftp.gnupg.org" ; dashdevel="" ; \
+ if echo "@PACKAGE_VERSION@" | grep -- "-beta" >/dev/null; then \
+ dashdevel="-devel" ; \
+ else \
+ rsync -v gnupg.pdf $${user}@$${webhost}:webspace/manuals/ ; \
+ fi ; \
+ cd gnupg.html ; \
+ rsync -vr --exclude='.git' . \
+ $${user}@$${webhost}:webspace/manuals/gnupg$${dashdevel}/
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/doc/OpenPGP b/doc/OpenPGP
new file mode 100644
index 0000000..794f669
--- /dev/null
+++ b/doc/OpenPGP
@@ -0,0 +1,116 @@
+ GnuPG and OpenPGP
+ =================
+
+ See RFC-4880 for a description of OpenPGP. These notes are older
+ than RFC-4880 and refer to the predecessor of the specs (RFC-2440).
+
+
+ Compatibility Notes
+ ===================
+ GnuPG (>=1.0.3) is in compliance with RFC2440 despite these exceptions:
+
+ * With GnuPG >= 2.1.0 all support for version 3 keys has been
+ removed. Thus there is no more compatibility with PGP-2. Users
+ who need to be able to decrypt old PGP 2 messages should use
+ GnuPG 1.4.x along with the option --allow-weak-digest-algos.
+
+ * With GnuPG >= 2.1.0 all signatures (on messages and keys) are
+ created using version 4 signatures. Support for verifying
+ version 3 signature is still available.
+
+ * (9.2) states that IDEA SHOULD be implemented. This is not done
+ due to patent problems.
+ UPDATE: Since version 1.4.13 (or GnuPG 2.x with Libgcrypt 1.6)
+ IDEA support has been added to allow decryption of old
+ PGP-2 encrypted material.
+
+ All MAY features are implemented with this exception:
+
+ * multi-part armored messages are not supported.
+ MIME (rfc2015) should be used instead.
+
+ Most of the OPTIONAL stuff is implemented.
+
+ There are a couple of options which can be used to override some
+ RFC requirements. This is always mentioned with the description
+ of that options.
+
+ A special format of partial packet length exists for v3 packets
+ which can be considered to be in compliance with RFC1991; this
+ format is only created if a special option is active.
+ UPDATE: This support has been removed with version 1.3.6.
+
+ GnuPG uses a S2K mode of 101 for GNU extensions to the secret key
+ protection algorithms. This number is not defined in OpenPGP, but
+ given that this number is in a range which is used at many other
+ places in OpenPGP for private/experimental algorithm identifiers,
+ this should be not a too bad choice. The 3 bytes "GNU" are used to
+ identify this as a GNU extension - see the file DETAILS for a
+ definition of the used data formats.
+
+
+ Some Notes on OpenPGP / PGP Compatibility:
+ ==========================================
+
+ * PGP 5.x does not accept V4 signatures for anything other than
+ key material. The GnuPG option --force-v3-sigs mimics this
+ behavior.
+
+ * PGP 5.x does not recognize the "five-octet" lengths in
+ new-format headers or in signature subpacket lengths.
+
+ * PGP 5.0 rejects an encrypted session key if the keylength
+ differs from the S2K symmetric algorithm. This is a bug in its
+ validation function.
+
+ * PGP 5.0 does not handle multiple one-pass signature headers and
+ trailers. Signing one will compress the one-pass signed literal
+ and prefix a V3 signature instead of doing a nested one-pass
+ signature.
+
+ * When exporting a private key, PGP 2.x generates the header
+ "BEGIN PGP SECRET KEY BLOCK" instead of "BEGIN PGP PRIVATE KEY
+ BLOCK". All previous versions ignore the implied data type, and
+ look directly at the packet data type.
+
+ * In a clear-signed signature, PGP 5.0 will figure out the correct
+ hash algorithm if there is no "Hash:" header, but it will reject
+ a mismatch between the header and the actual algorithm used. The
+ "standard" (i.e. Zimmermann/Finney/et al.) version of PGP 2.x
+ rejects the "Hash:" header and assumes MD5. There are a number
+ of enhanced variants of PGP 2.6.x that have been modified for
+ SHA-1 signatures.
+
+ * PGP 5.0 can read an RSA key in V4 format, but can only recognize
+ it with a V3 keyid, and can properly use only a V3 format RSA
+ key.
+
+ * Neither PGP 5.x nor PGP 6.0 recognize ElGamal Encrypt and Sign
+ keys. They only handle ElGamal Encrypt-only keys.
+
+
+ Parts of this document are taken from:
+ ======================================
+
+ OpenPGP Message Format
+ draft-ietf-openpgp-formats-07.txt
+
+
+ Copyright 1998 by The Internet Society. All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
diff --git a/doc/TRANSLATE b/doc/TRANSLATE
new file mode 100644
index 0000000..9bd9b08
--- /dev/null
+++ b/doc/TRANSLATE
@@ -0,0 +1,61 @@
+$Id$
+
+Note for translators
+--------------------
+
+Some strings in GnuPG are for matching user input against. These
+strings can accept multiple values that mean essentially the same
+thing.
+
+For example, the string "yes" in English is "sí" in Spanish. However,
+some users will type "si" (without the accent). To accommodate both
+users, you can translate the string "yes" as "sí|si". You can have
+any number of alternate matches separated by the | character like
+"sí|si|seguro".
+
+The strings that can be handled in this way are of the form "yes|yes",
+(or "no|no", etc.) There should also be a comment in the .po file
+directing you to this file.
+
+
+Help files
+----------
+
+GnuPG provides a little help feature (entering a ? on a prompt). This
+help used to be translated the usual way with gettext but it turned
+out that this is too inflexible and does for example not allow
+correcting little mistakes in the English text. For some newer features
+we require editable help files anyway and thus the existing help
+strings have been moved to plain text files names "help.LL.txt". We
+distribute these files and allow overriding them by files of that name
+in /etc/gnupg. The syntax of these files is documented in
+doc/help.txt. This is also the original we use to describe new
+possible online help keys. The source files are located in doc/ and
+need to be in encoded in UTF-8. Strings which require a translation
+are disabled like this
+
+ .#gpgsm.some.help-item
+ This string is not translated.
+
+After translation you should remove the hash mark so that the
+entry looks like.
+
+ .gpgsm.some.help-item
+ This string has been translated.
+
+The percent sign is not a special character and if there is something
+to watch out there will be a remark.
+
+
+
+Sending new or updated translations
+-----------------------------------
+
+Please note that we do not use the TP Robot but require that
+translations are to be send by mail to translations@gnupg.org. We
+also strongly advise to get subscribed to i18n@gnupg.org and request
+assistance if it is not clear on how to translate certain strings. A
+wrongly translated string may lead to a security problem.
+
+A copyright disclaimer to the FSF is not anymore required since
+December 2012.
diff --git a/doc/com-certs.pem b/doc/com-certs.pem
new file mode 100644
index 0000000..33dd40c
--- /dev/null
+++ b/doc/com-certs.pem
@@ -0,0 +1,67 @@
+# Common certificates for initial keybox creation.
+
+Issuer ...: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support@cacert.org
+Serial ...: 00
+Subject ..: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support@cacert.org
+
+-----BEGIN CERTIFICATE-----
+MIIHPTCCBSWgAwIBAgIBADANBgkqhkiG9w0BAQQFADB5MRAwDgYDVQQKEwdSb290
+IENBMR4wHAYDVQQLExVodHRwOi8vd3d3LmNhY2VydC5vcmcxIjAgBgNVBAMTGUNB
+IENlcnQgU2lnbmluZyBBdXRob3JpdHkxITAfBgkqhkiG9w0BCQEWEnN1cHBvcnRA
+Y2FjZXJ0Lm9yZzAeFw0wMzAzMzAxMjI5NDlaFw0zMzAzMjkxMjI5NDlaMHkxEDAO
+BgNVBAoTB1Jvb3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEi
+MCAGA1UEAxMZQ0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJ
+ARYSc3VwcG9ydEBjYWNlcnQub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAziLA4kZ97DYoB1CW8qAzQIxL8TtmPzHlawI229Z89vGIj053NgVBlfkJ
+8BLPRoZzYLdufujAWGSuzbCtRRcMY/pnCujW0r8+55jE8Ez64AO7NV1sId6eINm6
+zWYyN3L69wj1x81YyY7nDl7qPv4coRQKFWyGhFtkZip6qUtTefWIonvuLwphK42y
+fk1WpRPs6tqSnqxEQR5YYGUFZvjARL3LlPdCfgv3ZWiYUQXw8wWRBB0bF4LsyFe7
+w2t6iPGwcswlWyCR7BYCEo8y6RcYSNDHBS4CMEK4JZwFaz+qOqfrU0j36NK2B5jc
+G8Y0f3/JHIJ6BVgrCFvzOKKrF11myZjXnhCLotLddJr3cQxyYN/Nb5gznZY0dj4k
+epKwDpUeb+agRThHqtdB7Uq3EvbXG4OKDy7YCbZZ16oE/9KTfWgu3YtLq1i6L43q
+laegw1SJpfvbi1EinbLDvhG+LJGGi5Z4rSDTii8aP8bQUWWHIbEZAWV/RRyH9XzQ
+QUxPKZgh/TMfdQwEUfoZd9vUFBzugcMd9Zi3aQaRIt0AUMyBMawSB3s42mhb5ivU
+fslfrejrckzzAeVLIL+aplfKkQABi6F1ITe1Yw1nPkZPcCBnzsXWWdsC4PDSy826
+YreQQejdIOQpvGQpQsgi3Hia/0PsmBsJUUtaWsJx8cTLc6nloQsCAwEAAaOCAc4w
+ggHKMB0GA1UdDgQWBBQWtTIb1Mfz4OaO873SsDrusjkY0TCBowYDVR0jBIGbMIGY
+gBQWtTIb1Mfz4OaO873SsDrusjkY0aF9pHsweTEQMA4GA1UEChMHUm9vdCBDQTEe
+MBwGA1UECxMVaHR0cDovL3d3dy5jYWNlcnQub3JnMSIwIAYDVQQDExlDQSBDZXJ0
+IFNpZ25pbmcgQXV0aG9yaXR5MSEwHwYJKoZIhvcNAQkBFhJzdXBwb3J0QGNhY2Vy
+dC5vcmeCAQAwDwYDVR0TAQH/BAUwAwEB/zAyBgNVHR8EKzApMCegJaAjhiFodHRw
+czovL3d3dy5jYWNlcnQub3JnL3Jldm9rZS5jcmwwMAYJYIZIAYb4QgEEBCMWIWh0
+dHBzOi8vd3d3LmNhY2VydC5vcmcvcmV2b2tlLmNybDA0BglghkgBhvhCAQgEJxYl
+aHR0cDovL3d3dy5jYWNlcnQub3JnL2luZGV4LnBocD9pZD0xMDBWBglghkgBhvhC
+AQ0ESRZHVG8gZ2V0IHlvdXIgb3duIGNlcnRpZmljYXRlIGZvciBGUkVFIGhlYWQg
+b3ZlciB0byBodHRwOi8vd3d3LmNhY2VydC5vcmcwDQYJKoZIhvcNAQEEBQADggIB
+ACjH7pyCArpcgBLKNQodgW+JapnM8mgPf6fhjViVPr3yBsOQWqy1YPaZQwGjiHCc
+nWKdpIevZ1gNMDY75q1I08t0AoZxPuIrA2jxNGJARjtT6ij0rPtmlVOKTV39O9lg
+18p5aTuxZZKmxoGCXJzN600BiqXfEVWqFcofN8CCmHBh22p8lqOOLlQ+TyGpkO/c
+gr/c6EWtTZBzCDyUZbAEmXZ/4rzCahWqlwQ3JNgelE5tDlG+1sSPypZt90Pf6DBl
+Jzt7u0NDY8RD97LsaMzhGY4i+5jhe1o+ATc7iwiwovOVThrLm82asduycPAtStvY
+sONvRUgzEv/+PDIqVPfE94rwiCPCR/5kenHA0R6mY7AHfqQv0wGP3J8rtsYIqQ+T
+SCX8Ev2fQtzzxD72V7DX3WnRBnc0CkvSyqD/HMaMyRa+xMwyN2hzXwj7UfdJUzYF
+CpUCTPJ5GhD22Dp1nPMd8aINcGeGG7MW9S/lpOt5hvk9C8JzC6WZrG/8Z7jlLwum
+GCSNe9FINSkYQKyTYOGWhlC0elnYjyELn8+CkcY7v2vcB5G5l1YjqrZslMZIBjzk
+zk6q5PYvCdxTby78dOs6Y5nCpqyJvKeyRKANihDjbPIky/qbn3BHLt4Ui9SyIAmW
+omTxJBzcoTWcFbLUvFUufQb1nA5V9FrWk9p2rSVzTMVD
+-----END CERTIFICATE-----
+
+
+Issuer ...: /CN=The STEED Self-Signing Nonthority
+Serial ...: 01
+Subject ..: /CN=The STEED Self-Signing Nonthority
+
+-----BEGIN CERTIFICATE-----
+MIICKDCCAZGgAwIBAgIBATANBgkqhkiG9w0BAQUFADAsMSowKAYDVQQDEyFUaGUg
+U1RFRUQgU2VsZi1TaWduaW5nIE5vbnRob3JpdHkwIBcNMTExMTExMDAwMDAwWhgP
+MjEwNjAyMDYwMDAwMDBaMCwxKjAoBgNVBAMTIVRoZSBTVEVFRCBTZWxmLVNpZ25p
+bmcgTm9udGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAk2h9kqe8
+0eb8ESY7UGV6j6S5zuP5DiM4TWJ3jKG2y+D2CyA1Sl90iZ6zyN3zCB0yR1xxhpuw
+xdrwBRovRFludAbx3MeynYhzXkk0Hwn038q1oIt2YUw3Igz34s24o455ZE86JQ/6
+5dC7ppF8Z1I9KBL96NO+qZR/alVAKxYAwS8CAwEAAaNYMFYwEgYDVR0TAQH/BAgw
+BgEB/wIBATARBgorBgEEAdpHAgICBAMBAf8wHQYDVR0OBBYEFGimOJmN+rrFEOpk
+XONPloay7ffqMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQUFAAOBgQB3JwUn
+AbOdGv5ErojNSSP+yGZIy5av4wnkzK840Uj3jY6A5cuHroZGOD60hqLV2Hy0npox
+zte4phWEKWmZiXd8SCmd3MFNgZSieiixye0qxSmuqYft2j6NhEXD5xc/iTTjFT42
+SjGPLKAICuMBuGPnoozOEVlgqwaDqKOUph5sqw==
+-----END CERTIFICATE-----
diff --git a/doc/contrib.texi b/doc/contrib.texi
new file mode 100644
index 0000000..8a4fc86
--- /dev/null
+++ b/doc/contrib.texi
@@ -0,0 +1,106 @@
+@c Copyright (C) 2002 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node Contributors
+@unnumbered Contributors to GnuPG
+@cindex contributors
+
+The GnuPG project would like to thank its many contributors. Without
+them the project would not have been nearly as successful as it has
+been. Any omissions in this list are accidental. Feel free to contact
+the maintainer if you have been left out or some of your contributions
+are not listed.
+
+David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
+Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner
+Koch wrote the code. Birger Langkjer, Daniel Resare, Dokianakis
+Theofanis, Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy
+Ferenc László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz
+Aleksander Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan,
+Magda Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri,
+Nilgun Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung
+Bauermann, Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter
+Koch, Yosiaki IIDA did the official translations. Mike Ashley wrote
+and maintains the GNU Privacy Handbook. David Scribner is the current
+FAQ editor. Lorenzo Cappelletti maintains the web site.
+
+The new modularized architecture of gnupg 1.9 as well as the X.509/CMS
+part has been developed as part of the Ägypten project. Direct
+contributors to this project are: Bernhard Herzog, who did extensive
+testing and tracked down a lot of bugs. Bernhard Reiter, who made sure
+that we met the specifications and the deadlines. He did extensive
+testing and came up with a lot of suggestions. Jan-Oliver Wagner made
+sure that we met the specifications and the deadlines. He also did
+extensive testing and came up with a lot of suggestions. Karl-Heinz
+Zimmer and Marc Mutz had to struggle with all the bugs and
+misconceptions while working on KDE integration. Marcus Brinkman
+extended GPGME, cleaned up the Assuan code and fixed bugs all over the
+place. Moritz Schulte took over Libgcrypt maintenance and developed it
+into a stable an useful library. Steffen Hansen had a hard time to
+write the dirmngr due to underspecified interfaces. Thomas Koester did
+extensive testing and tracked down a lot of bugs. Werner Koch designed
+the system and wrote most of the code.
+
+The following people helped greatly by suggesting improvements,
+testing, fixing bugs, providing resources and doing other important
+tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
+Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
+Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
+Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
+Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
+Christian Kurz, Christian von Roques, Christopher Oliver, Christian
+Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave
+Dykstra, David C Niemi, David Champion, David Ellement, David
+Hallinan, David Hollenberg, David Mathog, David R. Bergstein, Detlef
+Lannert, Dimitri, Dirk Lattermann, Dirk Meyer, Disastry, Douglas
+Calvert, Ed Boraas, Edmund GRIMLEY EVANS, Edwin Woudt, Enzo
+Michelangeli, Ernst Molitor, Fabio Coatti, Felix von Leitner, fish
+stiqz, Florian Weimer, Francesco Potorti, Frank Donahoe, Frank
+Heckenbach, Frank Stajano, Frank Tobin, Gabriel Rosenkoetter, Gaël
+Quéri, Gene Carter, Geoff Keating, Georg Schwarz, Giampaolo Tomassoni,
+Gilbert Fernandes, Greg Louis, Greg Troxel, Gregory Steuck, Gregery
+Barton, Harald Denker, Holger Baust, Hendrik Buschkamp, Holger
+Schurig, Holger Smolinski, Holger Trapp, Hugh Daniel, Huy Le, Ian
+McKellar, Ivo Timmermans, Jan Krueger, Jan Niehusmann, Janusz
+A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff Long, Jeffery Von
+Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio MG, J. Michael
+Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett, John
+A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph Walton,
+Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel, Karsten
+Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin Ryde,
+Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman, M
+Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
+Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl,
+Martin Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew
+Skala, Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael
+Engels, Michael Fischer v. Mollard, Michael Roth, Michael Sobolev,
+Michael Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson
+H. F. Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye,
+Oliver Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith,
+Per Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
+Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
+Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
+Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
+Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam
+Roberts, Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge
+Munhoven, SL Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann,
+Stefan Keller, Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven
+Murdoch, Susanne Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen
+Klok, Thomas Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA
+Satoshi, Tom Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen,
+Thomas Klausner, Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko
+Lusa, Vincent P. Broman, Volker Quetschke, W Lewis, Walter Hofmann,
+Walter Koch, Wayne Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki
+IIDA, Yoshihiro Kajiki and Gerlinde Klaes.
+
+This software has been made possible by the previous work of Chris
+Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman,
+Paul Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson,
+Taher Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
+mathematicians and all the folks who have worked hard to create
+complete and free operating systems.
+
+And finally we'd like to thank everyone who uses these tools, submits
+bug reports and generally reminds us why we're doing this work in the
+first place.
diff --git a/doc/debugging.texi b/doc/debugging.texi
new file mode 100644
index 0000000..14056d6
--- /dev/null
+++ b/doc/debugging.texi
@@ -0,0 +1,287 @@
+@c Copyright (C) 2004 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node Debugging
+@chapter How to solve problems
+
+Everyone knows that software often does not do what it should do and thus
+there is a need to track down problems. We call this debugging in a
+reminiscent to the moth jamming a relay in a Mark II box back in 1947.
+
+Most of the problems a merely configuration and user problems but
+nevertheless they are the most annoying ones and responsible for many
+gray hairs. We try to give some guidelines here on how to identify and
+solve the problem at hand.
+
+
+@menu
+* Debugging Tools:: Description of some useful tools.
+* Debugging Hints:: Various hints on debugging.
+* Common Problems:: Commonly seen problems.
+* Architecture Details:: How the whole thing works internally.
+@end menu
+
+
+@node Debugging Tools
+@section Debugging Tools
+
+The GnuPG distribution comes with a couple of tools, useful to help find
+and solving problems.
+
+@menu
+* kbxutil:: Scrutinizing a keybox file.
+@end menu
+
+@node kbxutil
+@subsection Scrutinizing a keybox file
+
+A keybox is a file format used to store public keys along with meta
+information and indices. The commonly used one is the file
+@file{pubring.kbx} in the @file{.gnupg} directory. It contains all
+X.509 certificates as well as OpenPGP keys.
+
+@noindent
+When called the standard way, e.g.:
+
+@samp{kbxutil ~/.gnupg/pubring.kbx}
+
+@noindent
+it lists all records (called @acronym{blobs}) with there meta-information
+in a human readable format.
+
+@noindent
+To see statistics on the keybox in question, run it using
+
+@samp{kbxutil --stats ~/.gnupg/pubring.kbx}
+
+@noindent
+and you get an output like:
+
+@example
+Total number of blobs: 99
+ header: 1
+ empty: 0
+ openpgp: 0
+ x509: 98
+ non flagged: 81
+ secret flagged: 0
+ ephemeral flagged: 17
+@end example
+
+In this example you see that the keybox does not have any OpenPGP keys
+but contains 98 X.509 certificates and a total of 17 keys or certificates
+are flagged as ephemeral, meaning that they are only temporary stored
+(cached) in the keybox and won't get listed using the usual commands
+provided by @command{gpgsm} or @command{gpg}. 81 certificates are stored
+in a standard way and directly available from @command{gpgsm}.
+
+@noindent
+To find duplicated certificates and keyblocks in a keybox file (this
+should not occur but sometimes things go wrong), run it using
+
+@samp{kbxutil --find-dups ~/.gnupg/pubring.kbx}
+
+
+@node Debugging Hints
+@section Various hints on debugging
+
+@itemize @bullet
+
+@item How to find the IP address of a keyserver
+
+If a round robin URL of is used for a keyserver
+(e.g. subkeys.gnupg.org); it is not easy to see what server is actually
+used. Using the keyserver debug option as in
+
+@smallexample
+ gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
+@end smallexample
+
+is thus often helpful. Note that the actual output depends on the
+backend and may change from release to release.
+
+@item Logging on WindowsCE
+
+For development, the best logging method on WindowsCE is the use of
+remote debugging using a log file name of @file{tcp://<ip-addr>:<port>}.
+The command @command{watchgnupg} may be used on the remote host to listen
+on the given port (@pxref{option watchgnupg --tcp}). For in the field
+tests it is better to make use of the logging facility provided by the
+@command{gpgcedev} driver (part of libassuan); this is enabled by using
+a log file name of @file{GPG2:} (@pxref{option --log-file}).
+
+@end itemize
+
+
+@node Common Problems
+@section Commonly Seen Problems
+
+
+@itemize @bullet
+@item Error code @samp{Not supported} from Dirmngr
+
+Most likely the option @option{enable-ocsp} is active for gpgsm
+but Dirmngr's OCSP feature has not been enabled using
+@option{allow-ocsp} in @file{dirmngr.conf}.
+
+@item The Curses based Pinentry does not work
+
+The far most common reason for this is that the environment variable
+@code{GPG_TTY} has not been set correctly. Make sure that it has been
+set to a real tty device and not just to @samp{/dev/tty};
+i.e. @samp{GPG_TTY=tty} is plainly wrong; what you want is
+@samp{GPG_TTY=`tty`} --- note the back ticks. Also make sure that
+this environment variable gets exported, that is you should follow up
+the setting with an @samp{export GPG_TTY} (assuming a Bourne style
+shell). Even for GUI based Pinentries; you should have set
+@code{GPG_TTY}. See the section on installing the @command{gpg-agent}
+on how to do it.
+
+
+@item SSH hangs while a popping up pinentry was expected
+
+SSH has no way to tell the gpg-agent what terminal or X display it is
+running on. So when remotely logging into a box where a gpg-agent with
+SSH support is running, the pinentry will get popped up on whatever
+display the gpg-agent has been started. To solve this problem you may
+issue the command
+
+@smallexample
+echo UPDATESTARTUPTTY | gpg-connect-agent
+@end smallexample
+
+and the next pinentry will pop up on your display or screen. However,
+you need to kill the running pinentry first because only one pinentry
+may be running at once. If you plan to use ssh on a new display you
+should issue the above command before invoking ssh or any other service
+making use of ssh.
+
+
+@item Exporting a secret key without a certificate
+
+It may happen that you have created a certificate request using
+@command{gpgsm} but not yet received and imported the certificate from
+the CA. However, you want to export the secret key to another machine
+right now to import the certificate over there then. You can do this
+with a little trick but it requires that you know the approximate time
+you created the signing request. By running the command
+
+@smallexample
+ ls -ltr ~/.gnupg/private-keys-v1.d
+@end smallexample
+
+you get a listing of all private keys under control of @command{gpg-agent}.
+Pick the key which best matches the creation time and run the command
+
+@cartouche
+@smallexample
+ @value{LIBEXECDIR}/gpg-protect-tool --p12-export \
+ ~/.gnupg/private-keys-v1.d/@var{foo} >@var{foo}.p12
+@end smallexample
+@end cartouche
+
+(Please adjust the path to @command{gpg-protect-tool} to the appropriate
+location). @var{foo} is the name of the key file you picked (it should
+have the suffix @file{.key}). A Pinentry box will pop up and ask you
+for the current passphrase of the key and a new passphrase to protect it
+in the pkcs#12 file.
+
+To import the created file on the machine you use this command:
+
+@cartouche
+@smallexample
+ @value{LIBEXECDIR}/gpg-protect-tool --p12-import --store @var{foo}.p12
+@end smallexample
+@end cartouche
+
+You will be asked for the pkcs#12 passphrase and a new passphrase to
+protect the imported private key at its new location.
+
+Note that there is no easy way to match existing certificates with
+stored private keys because some private keys are used for Secure Shell
+or other purposes and don't have a corresponding certificate.
+
+
+@item A root certificate does not verify
+
+A common problem is that the root certificate misses the required
+basicConstraints attribute and thus @command{gpgsm} rejects this
+certificate. An error message indicating ``no value'' is a sign for
+such a certificate. You may use the @code{relax} flag in
+@file{trustlist.txt} to accept the certificate anyway. Note that the
+fingerprint and this flag may only be added manually to
+@file{trustlist.txt}.
+
+@item Error message: ``digest algorithm N has not been enabled''
+
+The signature is broken. You may try the option
+@option{--extra-digest-algo SHA256} to workaround the problem. The
+number N is the internal algorithm identifier; for example 8 refers to
+SHA-256.
+
+
+@item The Windows version does not work under Wine
+
+When running the W32 version of @command{gpg} under Wine you may get
+an error messages like:
+
+@smallexample
+gpg: fatal: WriteConsole failed: Access denied
+@end smallexample
+
+@noindent
+The solution is to use the command @command{wineconsole}.
+
+Some operations like @option{--generate-key} really want to talk to
+the console directly
+for increased security (for example to prevent the passphrase from
+appearing on the screen). So, you should use @command{wineconsole}
+instead of @command{wine}, which will launch a windows console that
+implements those additional features.
+
+
+@item Why does GPG's --search-key list weird keys?
+
+For performance reasons the keyservers do not check the keys the same
+way @command{gpg} does. It may happen that the listing of keys
+available on the keyservers shows keys with wrong user IDs or with user
+Ids from other keys. If you try to import this key, the bad keys or bad
+user ids won't get imported, though. This is a bit unfortunate but we
+can't do anything about it without actually downloading the keys.
+
+@end itemize
+
+
+@c ********************************************
+@c *** Architecture Details *****************
+@c ********************************************
+@node Architecture Details
+@section How the whole thing works internally
+
+
+@menu
+* Component interaction:: How the components work together.
+* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
+@end menu
+
+@node Component interaction
+@subsection How the components work together
+
+
+@float Figure,fig:moduleoverview
+@caption{GnuPG module overview}
+@center @image{gnupg-module-overview, 150mm,,GnuPG modules}
+@end float
+
+
+@node GnuPG-1 and GnuPG-2
+@subsection Relationship between GnuPG 1.4 and 2.x
+
+Here is a little picture showing how the different GnuPG versions make
+use of a smartcard:
+
+@float Figure,fig:cardarchitecture
+@caption{GnuPG card architecture}
+@center @image{gnupg-card-architecture, 150mm,, GnuPG card architecture}
+@end float
diff --git a/doc/defsincdate b/doc/defsincdate
new file mode 100644
index 0000000..2ed5769
--- /dev/null
+++ b/doc/defsincdate
@@ -0,0 +1 @@
+1665157484
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
new file mode 100644
index 0000000..d6ef375
--- /dev/null
+++ b/doc/dirmngr.texi
@@ -0,0 +1,1273 @@
+@c Copyright (C) 2002 Klar"alvdalens Datakonsult AB
+@c Copyright (C) 2004, 2005, 2006, 2007 g10 Code GmbH
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@include defs.inc
+
+@node Invoking DIRMNGR
+@chapter Invoking DIRMNGR
+@cindex DIRMNGR command options
+@cindex command options
+@cindex options, DIRMNGR command
+
+@manpage dirmngr.8
+@ifset manverb
+.B dirmngr
+\- GnuPG's network access daemon
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B dirmngr
+.RI [ options ]
+.I command
+.RI [ args ]
+@end ifset
+
+@mansect description
+Since version 2.1 of GnuPG, @command{dirmngr} takes care of accessing
+the OpenPGP keyservers. As with previous versions it is also used as
+a server for managing and downloading certificate revocation lists
+(CRLs) for X.509 certificates, downloading X.509 certificates, and
+providing access to OCSP providers. Dirmngr is invoked internally by
+@command{gpg}, @command{gpgsm}, or via the @command{gpg-connect-agent}
+tool.
+
+@manpause
+@noindent
+@xref{Option Index},for an index to @command{DIRMNGR}'s commands and
+options.
+@mancont
+
+@menu
+* Dirmngr Commands:: List of all commands.
+* Dirmngr Options:: List of all options.
+* Dirmngr Configuration:: Configuration files.
+* Dirmngr Signals:: Use of signals.
+* Dirmngr Examples:: Some usage examples.
+* Dirmngr Protocol:: The protocol dirmngr uses.
+@end menu
+
+
+@node Dirmngr Commands
+@section Commands
+@mansect commands
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you cannot
+abbreviate this command.
+
+@item --help, -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --dump-options
+@opindex dump-options
+Print a list of all available options and commands. Note that you cannot
+abbreviate this command.
+
+@item --server
+@opindex server
+Run in server mode and wait for commands on the @code{stdin}. The
+default mode is to create a socket and listen for commands there.
+This is only used for testing.
+
+@item --daemon
+@opindex daemon
+Run in background daemon mode and listen for commands on a socket.
+This is the way @command{dirmngr} is started on demand by the other
+GnuPG components. To force starting @command{dirmngr} it is in
+general best to use @code{gpgconf --launch dirmngr}.
+
+@item --supervised
+@opindex supervised
+Run in the foreground, sending logs to stderr, and listening on file
+descriptor 3, which must already be bound to a listening socket. This
+is useful when running under systemd or other similar process
+supervision schemes. This option is not supported on Windows.
+
+@item --list-crls
+@opindex list-crls
+List the contents of the CRL cache on @code{stdout}. This is probably
+only useful for debugging purposes.
+
+@item --load-crl @var{file}
+@opindex load-crl
+This command requires a filename as additional argument, and it will
+make Dirmngr try to import the CRL in @var{file} into it's cache.
+Note, that this is only possible if Dirmngr is able to retrieve the
+CA's certificate directly by its own means. In general it is better
+to use @code{gpgsm}'s @code{--call-dirmngr loadcrl filename} command
+so that @code{gpgsm} can help dirmngr.
+
+@item --fetch-crl @var{url}
+@opindex fetch-crl
+This command requires an URL as additional argument, and it will make
+dirmngr try to retrieve and import the CRL from that @var{url} into
+it's cache. This is mainly useful for debugging purposes. The
+@command{dirmngr-client} provides the same feature for a running dirmngr.
+
+@item --shutdown
+@opindex shutdown
+This commands shuts down an running instance of Dirmngr. This command
+has currently no effect.
+
+@item --flush
+@opindex flush
+This command removes all CRLs from Dirmngr's cache. Client requests
+will thus trigger reading of fresh CRLs.
+
+@end table
+
+
+@mansect options
+@node Dirmngr Options
+@section Option Summary
+
+Note that all long options with the exception of @option{--options}
+and @option{--homedir} may also be given in the configuration file
+after stripping off the two leading dashes.
+
+@table @gnupgtabopt
+
+@item --options @var{file}
+@opindex options
+Reads configuration from @var{file} instead of from the default
+per-user configuration file. The default configuration file is named
+@file{dirmngr.conf} and expected in the home directory.
+
+@item --homedir @var{dir}
+@opindex options
+Set the name of the home directory to @var{dir}. This option is only
+effective when used on the command line. The default is
+the directory named @file{.gnupg} directly below the home directory
+of the user unless the environment variable @code{GNUPGHOME} has been set
+in which case its value will be used. Many kinds of data are stored within
+this directory.
+
+
+@item -v
+@item --verbose
+@opindex v
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @sc{dirmngr}, such as @option{-vv}.
+
+
+@item --log-file @var{file}
+@opindex log-file
+Append all logging output to @var{file}. This is very helpful in
+seeing what the agent actually does. Use @file{socket://} to log to
+socket.
+
+@item --debug-level @var{level}
+@opindex debug-level
+Select the debug level for investigating problems. @var{level} may be a
+numeric value or by a keyword:
+
+@table @code
+@item none
+No debugging at all. A value of less than 1 may be used instead of
+the keyword.
+@item basic
+Some basic debug messages. A value between 1 and 2 may be used
+instead of the keyword.
+@item advanced
+More verbose debug messages. A value between 3 and 5 may be used
+instead of the keyword.
+@item expert
+Even more detailed messages. A value between 6 and 8 may be used
+instead of the keyword.
+@item guru
+All of the debug messages you can get. A value greater than 8 may be
+used instead of the keyword. The creation of hash tracing files is
+only enabled if the keyword is used.
+@end table
+
+How these messages are mapped to the actual debugging flags is not
+specified and may change with newer releases of this program. They are
+however carefully selected to best aid in debugging.
+
+@item --debug @var{flags}
+@opindex debug
+Set debugging flags. This option is only useful for debugging and its
+behavior may change with a new release. All flags are or-ed and may
+be given in C syntax (e.g. 0x0042) or as a comma separated list of
+flag names. To get a list of all supported flags the single word
+"help" can be used.
+
+@item --debug-all
+@opindex debug-all
+Same as @code{--debug=0xffffffff}
+
+@item --tls-debug @var{level}
+@opindex tls-debug
+Enable debugging of the TLS layer at @var{level}. The details of the
+debug level depend on the used TLS library and are not set in stone.
+
+@item --debug-wait @var{n}
+@opindex debug-wait
+When running in server mode, wait @var{n} seconds before entering the
+actual processing loop and print the pid. This gives time to attach a
+debugger.
+
+@item --disable-check-own-socket
+@opindex disable-check-own-socket
+On some platforms @command{dirmngr} is able to detect the removal of
+its socket file and shutdown itself. This option disable this
+self-test for debugging purposes.
+
+@item -s
+@itemx --sh
+@itemx -c
+@itemx --csh
+@opindex s
+@opindex sh
+@opindex c
+@opindex csh
+Format the info output in daemon mode for use with the standard Bourne
+shell respective the C-shell. The default is to guess it based on the
+environment variable @code{SHELL} which is in almost all cases
+sufficient.
+
+@item --force
+@opindex force
+Enabling this option forces loading of expired CRLs; this is only
+useful for debugging.
+
+@item --use-tor
+@itemx --no-use-tor
+@opindex use-tor
+@opindex no-use-tor
+The option @option{--use-tor} switches Dirmngr and thus GnuPG into
+``Tor mode'' to route all network access via Tor (an anonymity
+network). Certain other features are disabled in this mode. The
+effect of @option{--use-tor} cannot be overridden by any other command
+or even by reloading dirmngr. The use of @option{--no-use-tor}
+disables the use of Tor. The default is to use Tor if it is available
+on startup or after reloading dirmngr. The test on the available of
+Tor is done by trying to connects to a SOCKS proxy at either port 9050
+or 9150); if another type of proxy is listening on one of these ports,
+you should use @option{--no-use-tor}.
+
+@item --standard-resolver
+@opindex standard-resolver
+This option forces the use of the system's standard DNS resolver code.
+This is mainly used for debugging. Note that on Windows a standard
+resolver is not used and all DNS access will return the error ``Not
+Implemented'' if this option is used. Using this together with enabled
+Tor mode returns the error ``Not Enabled''.
+
+@item --recursive-resolver
+@opindex recursive-resolver
+When possible use a recursive resolver instead of a stub resolver.
+
+@item --resolver-timeout @var{n}
+@opindex resolver-timeout
+Set the timeout for the DNS resolver to N seconds. The default are 30
+seconds.
+
+@item --connect-timeout @var{n}
+@item --connect-quick-timeout @var{n}
+@opindex connect-timeout
+@opindex connect-quick-timeout
+Set the timeout for HTTP and generic TCP connection attempts to N
+seconds. The value set with the quick variant is used when the
+--quick option has been given to certain Assuan commands. The quick
+value is capped at the value of the regular connect timeout. The
+default values are 15 and 2 seconds. Note that the timeout values are
+for each connection attempt; the connection code will attempt to
+connect all addresses listed for a server.
+
+@item --listen-backlog @var{n}
+@opindex listen-backlog
+Set the size of the queue for pending connections. The default is 64.
+
+@item --allow-version-check
+@opindex allow-version-check
+Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get
+the list of current software versions. If this option is enabled
+the list is retrieved in case the local
+copy does not exist or is older than 5 to 7 days. See the option
+@option{--query-swdb} of the command @command{gpgconf} for more
+details. Note, that regardless of this option a version check can
+always be triggered using this command:
+
+@example
+ gpg-connect-agent --dirmngr 'loadswdb --force' /bye
+@end example
+
+
+@item --keyserver @var{name}
+@opindex keyserver
+Use @var{name} as your keyserver. This is the server that @command{gpg}
+communicates with to receive keys, send keys, and search for
+keys. The format of the @var{name} is a URI:
+`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
+"hkp" for the HTTP (or compatible) keyservers, "ldap" for the LDAP
+keyservers, or "mailto" for the Graff email keyserver. Note that your
+particular installation of GnuPG may have other keyserver types
+available as well. Keyserver schemes are case-insensitive. After the
+keyserver name, optional keyserver configuration options may be
+provided. These are the same as the @option{--keyserver-options} of
+@command{gpg}, but apply only to this particular keyserver.
+
+Most keyservers synchronize with each other, so there is generally no
+need to send keys to more than one server. Somes keyservers use round
+robin DNS to give a different keyserver each time you use it.
+
+If exactly two keyservers are configured and only one is a Tor hidden
+service (.onion), Dirmngr selects the keyserver to use depending on
+whether Tor is locally running or not. The check for a running Tor is
+done for each new connection.
+
+If no keyserver is explicitly configured, dirmngr will use the
+built-in default of @code{https://keyserver.ubuntu.com}.
+
+Windows users with a keyserver running on their Active Directory
+may use the short form @code{ldap:///} for @var{name} to access this directory.
+
+For accessing anonymous LDAP keyservers @var{name} is in general just
+a @code{ldaps://ldap.example.com}. A BaseDN parameter should never be
+specified. If authentication is required things are more complicated
+and two methods are available:
+
+The modern method (since version 2.2.28) is to use the very same syntax
+as used with the option @option{--ldapserver}. Please see over
+there for details; here is an example:
+
+@example
+ keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
+ dc=example,dc=com:PASSWORD::starttls
+@end example
+
+ The other method is to use a full URL for @var{name}; for example:
+
+@example
+ keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
+ %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
+@end example
+
+ Put this all on one line without any spaces and keep the '%2C'
+ as given. Replace USERNAME, PASSWORD, and the 'dc' parts
+ according to the instructions received from your LDAP
+ administrator. Note that only simple authentication
+ (i.e. cleartext passwords) is supported and thus using ldaps is
+ strongly suggested (since 2.2.28 "ldaps" defaults to port 389
+ and uses STARTTLS). On Windows authentication via AD can be
+ requested by adding @code{gpgNtds=1} after the fourth question
+ mark instead of the bindname and password parameter.
+
+
+
+@item --nameserver @var{ipaddr}
+@opindex nameserver
+In ``Tor mode'' Dirmngr uses a public resolver via Tor to resolve DNS
+names. If the default public resolver, which is @code{8.8.8.8}, shall
+not be used a different one can be given using this option. Note that
+a numerical IP address must be given (IPv6 or IPv4) and that no error
+checking is done for @var{ipaddr}.
+
+@item --disable-ipv4
+@item --disable-ipv6
+@opindex disable-ipv4
+@opindex disable-ipv6
+Disable the use of all IPv4 or IPv6 addresses.
+
+@item --disable-ldap
+@opindex disable-ldap
+Entirely disables the use of LDAP.
+
+@item --disable-http
+@opindex disable-http
+Entirely disables the use of HTTP.
+
+@item --ignore-http-dp
+@opindex ignore-http-dp
+When looking for the location of a CRL, the to be tested certificate
+usually contains so called @dfn{CRL Distribution Point} (DP) entries
+which are URLs describing the way to access the CRL. The first found DP
+entry is used. With this option all entries using the @acronym{HTTP}
+scheme are ignored when looking for a suitable DP.
+
+@item --ignore-ldap-dp
+@opindex ignore-ldap-dp
+This is similar to @option{--ignore-http-dp} but ignores entries using
+the @acronym{LDAP} scheme. Both options may be combined resulting in
+ignoring DPs entirely.
+
+@item --ignore-ocsp-service-url
+@opindex ignore-ocsp-service-url
+Ignore all OCSP URLs contained in the certificate. The effect is to
+force the use of the default responder.
+
+@item --honor-http-proxy
+@opindex honor-http-proxy
+If the environment variable @env{http_proxy} has been set, use its
+value to access HTTP servers.
+
+@item --http-proxy [http://]@var{host}[:@var{port}]
+@opindex http-proxy
+@efindex http_proxy
+Use @var{host} and @var{port} to access HTTP servers. The use of this
+option overrides the environment variable @env{http_proxy} regardless
+whether @option{--honor-http-proxy} has been set.
+
+
+@item --ldap-proxy @var{host}[:@var{port}]
+@opindex ldap-proxy
+Use @var{host} and @var{port} to connect to LDAP servers. If @var{port}
+is omitted, port 389 (standard LDAP port) is used. This overrides any
+specified host and port part in a LDAP URL and will also be used if host
+and port have been omitted from the URL.
+
+@item --only-ldap-proxy
+@opindex only-ldap-proxy
+Never use anything else but the LDAP "proxy" as configured with
+@option{--ldap-proxy}. Usually @command{dirmngr} tries to use other
+configured LDAP server if the connection using the "proxy" failed.
+
+
+@item --ldapserverlist-file @var{file}
+@opindex ldapserverlist-file
+Read the list of LDAP servers to consult for CRLs and X.509 certificates from
+file instead of the default per-user ldap server list file. The default
+value for @var{file} is @file{dirmngr_ldapservers.conf}.
+
+This server list file contains one LDAP server per line in the format
+
+@sc{hostname:port:username:password:base_dn:flags}
+
+Lines starting with a @samp{#} are comments.
+
+Note that as usual all strings entered are expected to be UTF-8 encoded.
+Obviously this will lead to problems if the password has originally been
+encoded as Latin-1. There is no other solution here than to put such a
+password in the binary encoding into the file (i.e. non-ascii characters
+won't show up readable).@footnote{The @command{gpgconf} tool might be
+helpful for frontends as it enables editing this configuration file using
+percent-escaped strings.}
+
+
+@item --ldapserver @var{spec}
+@opindex ldapserver
+This is an alternative way to specify LDAP servers for CRL and X.509
+certificate retrieval. If this option is used the servers configured
+in @file{dirmngr_ldapservers.conf} (or the file given by
+@option{--ldapserverlist-file}) are cleared. Note that
+@file{dirmngr_ldapservers.conf} is not read again by a reload
+signal. However, @option{--ldapserver} options are read again.
+
+@var{spec} is either a proper LDAP URL or a colon delimited list of
+the form
+
+@sc{hostname:port:username:password:base_dn:flags:}
+
+with an optional prefix of @code{ldap:} (but without the two slashes
+which would turn this into a proper LDAP URL). @sc{flags} is a list
+of one or more comma delimited keywords:
+@table @code
+@item plain
+The default: Do not use a TLS secured connection at all; the default
+port is 389.
+@item starttls
+Use STARTTLS to secure the connection; the default port is 389.
+@item ldaptls
+Tunnel LDAP through a TLS connection; the default port is 636.
+@item ntds
+On Windows authenticate the LDAP connection using the Active Directory
+with the current user.
+@item areconly
+On Windows use only the A or AAAA record when resolving the LDAP
+server name.
+@end table
+
+Note that in an URL style specification the scheme @code{ldaps://}
+refers to STARTTLS and _not_ to LDAP-over-TLS.
+
+
+@item --ldaptimeout @var{secs}
+@opindex ldaptimeout
+Specify the number of seconds to wait for an LDAP query before timing
+out. The default are 15 seconds. 0 will never timeout.
+
+
+@item --add-servers
+@opindex add-servers
+This option makes dirmngr add any servers it discovers when validating
+certificates against CRLs to the internal list of servers to consult for
+certificates and CRLs.
+
+This option is useful when trying to validate a certificate that has
+a CRL distribution point that points to a server that is not already
+listed in the ldapserverlist. Dirmngr will always go to this server and
+try to download the CRL, but chances are high that the certificate used
+to sign the CRL is located on the same server. So if dirmngr doesn't add
+that new server to list, it will often not be able to verify the
+signature of the CRL unless the @code{--add-servers} option is used.
+
+Note: The current version of dirmngr has this option disabled by default.
+
+
+@item --allow-ocsp
+@opindex allow-ocsp
+This option enables OCSP support if requested by the client.
+
+OCSP requests are rejected by default because they may violate the
+privacy of the user; for example it is possible to track the time when
+a user is reading a mail.
+
+
+@item --ocsp-responder @var{url}
+@opindex ocsp-responder
+Use @var{url} as the default OCSP Responder if the certificate does
+not contain information about an assigned responder. Note, that
+@code{--ocsp-signer} must also be set to a valid certificate.
+
+@item --ocsp-signer @var{fpr}|@var{file}
+@opindex ocsp-signer
+Use the certificate with the fingerprint @var{fpr} to check the
+responses of the default OCSP Responder. Alternatively a filename can be
+given in which case the response is expected to be signed by one of the
+certificates described in that file. Any argument which contains a
+slash, dot or tilde is considered a filename. Usual filename expansion
+takes place: A tilde at the start followed by a slash is replaced by the
+content of @env{HOME}, no slash at start describes a relative filename
+which will be searched at the home directory. To make sure that the
+@var{file} is searched in the home directory, either prepend the name
+with "./" or use a name which contains a dot.
+
+If a response has been signed by a certificate described by these
+fingerprints no further check upon the validity of this certificate is
+done.
+
+The format of the @var{FILE} is a list of SHA-1 fingerprint, one per
+line with optional colons between the bytes. Empty lines and lines
+prefix with a hash mark are ignored.
+
+
+@item --ocsp-max-clock-skew @var{n}
+@opindex ocsp-max-clock-skew
+The number of seconds a skew between the OCSP responder and them local
+clock is accepted. Default is 600 (10 minutes).
+
+@item --ocsp-max-period @var{n}
+@opindex ocsp-max-period
+Seconds a response is at maximum considered valid after the time given
+in the thisUpdate field. Default is 7776000 (90 days).
+
+@item --ocsp-current-period @var{n}
+@opindex ocsp-current-period
+The number of seconds an OCSP response is considered valid after the
+time given in the NEXT_UPDATE datum. Default is 10800 (3 hours).
+
+
+@item --max-replies @var{n}
+@opindex max-replies
+Do not return more that @var{n} items in one query. The default is
+10.
+
+@item --ignore-cert-extension @var{oid}
+@opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions. The
+@var{oid} is expected to be in dotted decimal form, like
+@code{2.5.29.3}. This option may be used more than once. Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+won't be rejected due to an unknown critical extension. Use this
+option with care because extensions are usually flagged as critical
+for a reason.
+
+@item --ignore-cert @var{fpr}|@var{file}
+@opindex ignore-cert
+Entirely ignore certificates with the fingerprint @var{fpr}. As an
+alternative to the fingerprint a filename can be given in which case
+all certificates described in that file are ignored. Any argument
+which contains a slash, dot or tilde is considered a filename. Usual
+filename expansion takes place: A tilde at the start followed by a
+slash is replaced by the content of @env{HOME}, no slash at start
+describes a relative filename which will be searched at the home
+directory. To make sure that the @var{file} is searched in the home
+directory, either prepend the name with "./" or use a name which
+contains a dot. The format of such a file is a list of SHA-1
+fingerprint, one per line with optional colons between the bytes.
+Empty lines and lines prefixed with a hash mark are ignored.
+
+This option is useful as a quick workaround to exclude certain
+certificates from the system store.
+
+
+@item --hkp-cacert @var{file}
+Use the root certificates in @var{file} for verification of the TLS
+certificates used with @code{hkps} (keyserver access over TLS). If
+the file is in PEM format a suffix of @code{.pem} is expected for
+@var{file}. This option may be given multiple times to add more
+root certificates. Tilde expansion is supported.
+
+If no @code{hkp-cacert} directive is present, dirmngr will use the
+system CAs.
+
+@end table
+
+
+@c
+@c Dirmngr Configuration
+@c
+@mansect files
+@node Dirmngr Configuration
+@section Configuration
+
+Dirmngr makes use of several directories when running in daemon mode:
+There are a few configuration files whih control the operation of
+dirmngr. By default they may all be found in the current home
+directory (@pxref{option --homedir}).
+
+@table @file
+
+@item dirmngr.conf
+@efindex dirmngr.conf
+This is the standard configuration file read by @command{dirmngr} on
+startup. It may contain any valid long option; the leading two dashes
+may not be entered and the option may not be abbreviated. This file
+is also read after a @code{SIGHUP} however not all options will
+actually have an effect. This default name may be changed on the
+command line (@pxref{option --options}). You should backup this file.
+
+@item /etc/gnupg/trusted-certs
+This directory should be filled with certificates of Root CAs you
+are trusting in checking the CRLs and signing OCSP Responses.
+
+Usually these are the same certificates you use with the applications
+making use of dirmngr. It is expected that each of these certificate
+files contain exactly one @acronym{DER} encoded certificate in a file
+with the suffix @file{.crt} or @file{.der}. @command{dirmngr} reads
+those certificates on startup and when given a SIGHUP. Certificates
+which are not readable or do not make up a proper X.509 certificate
+are ignored; see the log file for details.
+
+Applications using dirmngr (e.g. gpgsm) can request these
+certificates to complete a trust chain in the same way as with the
+extra-certs directory (see below).
+
+Note that for OCSP responses the certificate specified using the option
+@option{--ocsp-signer} is always considered valid to sign OCSP requests.
+
+@item /etc/gnupg/extra-certs
+This directory may contain extra certificates which are preloaded
+into the internal cache on startup. Applications using dirmngr (e.g. gpgsm)
+can request cached certificates to complete a trust chain.
+This is convenient in cases you have a couple intermediate CA certificates
+or certificates usually used to sign OCSP responses.
+These certificates are first tried before going
+out to the net to look for them. These certificates must also be
+@acronym{DER} encoded and suffixed with @file{.crt} or @file{.der}.
+
+@item ~/.gnupg/crls.d
+This directory is used to store cached CRLs. The @file{crls.d}
+part will be created by dirmngr if it does not exists but you need to
+make sure that the upper directory exists.
+
+@end table
+@manpause
+
+To be able to see what's going on you should create the configure file
+@file{~/gnupg/dirmngr.conf} with at least one line:
+
+@example
+log-file ~/dirmngr.log
+@end example
+
+To be able to perform OCSP requests you probably want to add the line:
+
+@example
+allow-ocsp
+@end example
+
+To make sure that new options are read and that after the installation
+of a new GnuPG versions the installed dirmngr is running, you may want
+to kill an existing dirmngr first:
+
+@example
+gpgconf --kill dirmngr
+@end example
+
+You may check the log file to see whether all desired root
+certificates have been loaded correctly.
+
+
+@c
+@c Dirmngr Signals
+@c
+@mansect signals
+@node Dirmngr Signals
+@section Use of signals
+
+A running @command{dirmngr} may be controlled by signals, i.e. using
+the @command{kill} command to send a signal to the process.
+
+Here is a list of supported signals:
+
+@table @gnupgtabopt
+
+@item SIGHUP
+@cpindex SIGHUP
+This signal flushes all internally cached CRLs as well as any cached
+certificates. Then the certificate cache is reinitialized as on
+startup. Options are re-read from the configuration file. Instead of
+sending this signal it is better to use
+@example
+gpgconf --reload dirmngr
+@end example
+
+@item SIGTERM
+@cpindex SIGTERM
+Shuts down the process but waits until all current requests are
+fulfilled. If the process has received 3 of these signals and requests
+are still pending, a shutdown is forced. You may also use
+@example
+gpgconf --kill dirmngr
+@end example
+instead of this signal
+
+@item SIGINT
+@cpindex SIGINT
+Shuts down the process immediately.
+
+
+@item SIGUSR1
+@cpindex SIGUSR1
+This prints some caching statistics to the log file.
+
+@end table
+
+
+
+@c
+@c Examples
+@c
+@mansect examples
+@node Dirmngr Examples
+@section Examples
+
+Here is an example on how to show dirmngr's internal table of OpenPGP
+keyserver addresses. The output is intended for debugging purposes
+and not part of a defined API.
+
+@example
+ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
+@end example
+
+To inhibit the use of a particular host you have noticed in one of the
+keyserver pools, you may use
+
+@example
+ gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
+@end example
+
+The description of the @code{keyserver} command can be printed using
+
+@example
+ gpg-connect-agent --dirmngr 'help keyserver' /bye
+@end example
+
+
+
+@c
+@c Assuan Protocol
+@c
+@manpause
+@node Dirmngr Protocol
+@section Dirmngr's Assuan Protocol
+
+Assuan is the IPC protocol used to access dirmngr. This is a
+description of the commands implemented by dirmngr.
+
+@menu
+* Dirmngr LOOKUP:: Look up a certificate via LDAP
+* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP.
+* Dirmngr CHECKCRL:: Validate a certificate using a CRL.
+* Dirmngr CHECKOCSP:: Validate a certificate using OCSP.
+* Dirmngr CACHECERT:: Put a certificate into the internal cache.
+* Dirmngr VALIDATE:: Validate a certificate for debugging.
+@end menu
+
+@node Dirmngr LOOKUP
+@subsection Return the certificate(s) found
+
+Lookup certificate. To allow multiple patterns (which are ORed)
+quoting is required: Spaces are to be translated into "+" or into
+"%20"; obviously this requires that the usual escape quoting rules
+are applied. The server responds with:
+
+@example
+ S: D <DER encoded certificate>
+ S: END
+ S: D <second DER encoded certificate>
+ S: END
+ S: OK
+@end example
+
+In this example 2 certificates are returned. The server may return
+any number of certificates; OK will also be returned when no
+certificates were found. The dirmngr might return a status line
+
+@example
+ S: S TRUNCATED <n>
+@end example
+
+
+To indicate that the output was truncated to N items due to a
+limitation of the server or by an arbitrary set limit.
+
+The option @option{--url} may be used if instead of a search pattern a
+complete URL to the certificate is known:
+
+@example
+ C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate
+@end example
+
+If the option @option{--cache-only} is given, no external lookup is done
+so that only certificates from the cache are returned.
+
+With the option @option{--single}, the first and only the first match
+will be returned. Unless option @option{--cache-only} is also used, no
+local lookup will be done in this case.
+
+
+
+@node Dirmngr ISVALID
+@subsection Validate a certificate using a CRL or OCSP
+
+@example
+ ISVALID [--only-ocsp] [--force-default-responder] @var{certid}|@var{certfpr}
+@end example
+
+Check whether the certificate described by the @var{certid} has been
+revoked. Due to caching, the Dirmngr is able to answer immediately in
+most cases.
+
+The @var{certid} is a hex encoded string consisting of two parts,
+delimited by a single dot. The first part is the SHA-1 hash of the
+issuer name and the second part the serial number.
+
+Alternatively the certificate's SHA-1 fingerprint @var{certfpr} may be
+given in which case an OCSP request is done before consulting the CRL.
+If the option @option{--only-ocsp} is given, no fallback to a CRL check
+will be used. If the option @option{--force-default-responder} is
+given, only the default OCSP responder will be used and any other
+methods of obtaining an OCSP responder URL won't be used.
+
+@noindent
+Common return values are:
+
+@table @code
+@item GPG_ERR_NO_ERROR (0)
+This is the positive answer: The certificate is not revoked and we have
+an up-to-date revocation list for that certificate. If OCSP was used
+the responder confirmed that the certificate has not been revoked.
+
+@item GPG_ERR_CERT_REVOKED
+This is the negative answer: The certificate has been revoked. Either
+it is in a CRL and that list is up to date or an OCSP responder informed
+us that it has been revoked.
+
+@item GPG_ERR_NO_CRL_KNOWN
+No CRL is known for this certificate or the CRL is not valid or out of
+date.
+
+@item GPG_ERR_NO_DATA
+The OCSP responder returned an ``unknown'' status. This means that it
+is not aware of the certificate's status.
+
+@item GPG_ERR_NOT_SUPPORTED
+This is commonly seen if OCSP support has not been enabled in the
+configuration.
+@end table
+
+If DirMngr has not enough information about the given certificate (which
+is the case for not yet cached certificates), it will inquire the
+missing data:
+
+@example
+ S: INQUIRE SENDCERT <CertID>
+ C: D <DER encoded certificate>
+ C: END
+@end example
+
+A client should be aware that DirMngr may ask for more than one
+certificate.
+
+If Dirmngr has a certificate but the signature of the certificate
+could not been validated because the root certificate is not known to
+dirmngr as trusted, it may ask back to see whether the client trusts
+this the root certificate:
+
+@example
+ S: INQUIRE ISTRUSTED <CertHexfpr>
+ C: D 1
+ C: END
+@end example
+
+Only this answer will let Dirmngr consider the certificate as valid.
+
+
+@node Dirmngr CHECKCRL
+@subsection Validate a certificate using a CRL
+
+Check whether the certificate with FINGERPRINT (SHA-1 hash of the
+entire X.509 certificate blob) is valid or not by consulting the CRL
+responsible for this certificate. If the fingerprint has not been
+given or the certificate is not known, the function inquires the
+certificate using:
+
+@example
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+@end example
+
+Thus the caller is expected to return the certificate for the request
+(which should match FINGERPRINT) as a binary blob. Processing then
+takes place without further interaction; in particular dirmngr tries
+to locate other required certificate by its own mechanism which
+includes a local certificate store as well as a list of trusted root
+certificates.
+
+@noindent
+The return code is 0 for success; i.e. the certificate has not been
+revoked or one of the usual error codes from libgpg-error.
+
+@node Dirmngr CHECKOCSP
+@subsection Validate a certificate using OCSP
+
+@example
+ CHECKOCSP [--force-default-responder] [@var{fingerprint}]
+@end example
+
+Check whether the certificate with @var{fingerprint} (the SHA-1 hash of
+the entire X.509 certificate blob) is valid by consulting the appropriate
+OCSP responder. If the fingerprint has not been given or the
+certificate is not known by Dirmngr, the function inquires the
+certificate using:
+
+@example
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+@end example
+
+Thus the caller is expected to return the certificate for the request
+(which should match @var{fingerprint}) as a binary blob. Processing
+then takes place without further interaction; in particular dirmngr
+tries to locate other required certificates by its own mechanism which
+includes a local certificate store as well as a list of trusted root
+certificates.
+
+If the option @option{--force-default-responder} is given, only the
+default OCSP responder is used. This option is the per-command variant
+of the global option @option{--ignore-ocsp-service-url}.
+
+
+@noindent
+The return code is 0 for success; i.e. the certificate has not been
+revoked or one of the usual error codes from libgpg-error.
+
+@node Dirmngr CACHECERT
+@subsection Put a certificate into the internal cache
+
+Put a certificate into the internal cache. This command might be
+useful if a client knows in advance certificates required for a test and
+wants to make sure they get added to the internal cache. It is also
+helpful for debugging. To get the actual certificate, this command
+immediately inquires it using
+
+@example
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+@end example
+
+Thus the caller is expected to return the certificate for the request
+as a binary blob.
+
+@noindent
+The return code is 0 for success; i.e. the certificate has not been
+successfully cached or one of the usual error codes from libgpg-error.
+
+@node Dirmngr VALIDATE
+@subsection Validate a certificate for debugging
+
+Validate a certificate using the certificate validation function used
+internally by dirmngr. This command is only useful for debugging. To
+get the actual certificate, this command immediately inquires it using
+
+@example
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+@end example
+
+Thus the caller is expected to return the certificate for the request
+as a binary blob.
+
+
+@mansect see also
+@ifset isman
+@command{gpgsm}(1),
+@command{dirmngr-client}(1)
+@end ifset
+@include see-also-note.texi
+
+@c
+@c !!! UNDER CONSTRUCTION !!!
+@c
+@c
+@c @section Verifying a Certificate
+@c
+@c There are several ways to request services from Dirmngr. Almost all of
+@c them are done using the Assuan protocol. What we describe here is the
+@c Assuan command CHECKCRL as used for example by the dirmnr-client tool if
+@c invoked as
+@c
+@c @example
+@c dirmngr-client foo.crt
+@c @end example
+@c
+@c This command will send an Assuan request to an already running Dirmngr
+@c instance. foo.crt is expected to be a standard X.509 certificate and
+@c dirmngr will receive the Assuan command
+@c
+@c @example
+@c CHECKCRL @var [{fingerprint}]
+@c @end example
+@c
+@c @var{fingerprint} is optional and expected to be the SHA-1 has of the
+@c DER encoding of the certificate under question. It is to be HEX
+@c encoded. The rationale for sending the fingerprint is that it allows
+@c dirmngr to reply immediately if it has already cached such a request. If
+@c this is not the case and no certificate has been found in dirmngr's
+@c internal certificate storage, dirmngr will request the certificate using
+@c the Assuan inquiry
+@c
+@c @example
+@c INQUIRE TARGETCERT
+@c @end example
+@c
+@c The caller (in our example dirmngr-client) is then expected to return
+@c the certificate for the request (which should match @var{fingerprint})
+@c as a binary blob.
+@c
+@c Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This
+@c function checks whether a CRL item exists for target certificate. These
+@c CRL items are kept in a database of already loaded and verified CRLs.
+@c This mechanism is called the CRL cache. Obviously timestamps are kept
+@c there with each item to cope with the expiration date of the CRL. The
+@c possible return values are: @code{0} to indicate that a valid CRL is
+@c available for the certificate and the certificate itself is not listed
+@c in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is
+@c listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no
+@c information is available. The first two codes are immediately returned to
+@c the caller and the processing of this request has been done.
+@c
+@c Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now
+@c calls @code{clr_cache_reload_crl} and if this succeeds calls
+@c @code{crl_cache_cert_isvald) once more. All further errors are
+@c immediately returned to the caller.
+@c
+@c @code{crl_cache_reload_crl} is the actual heart of the CRL management.
+@c It locates the corresponding CRL for the target certificate, reads and
+@c verifies this CRL and stores it in the CRL cache. It works like this:
+@c
+@c * Loop over all crlDPs in the target certificate.
+@c * If the crlDP is invalid immediately terminate the loop.
+@c * Loop over all names in the current crlDP.
+@c * If the URL scheme is unknown or not enabled
+@c (--ignore-http-dp, --ignore-ldap-dp) continues with
+@c the next name.
+@c * @code{crl_fetch} is called to actually retrieve the CRL.
+@c In case of problems this name is ignore and we continue with
+@c the next name. Note that @code{crl_fetch} does only return
+@c a descriptor for the CRL for further reading so does the CRL
+@c does not yet end up in memory.
+@c * @code{crl_cache_insert} is called with that descriptor to
+@c actually read the CRL into the cache. See below for a
+@c description of this function. If there is any error (e.g. read
+@c problem, CRL not correctly signed or verification of signature
+@c not possible), this descriptor is rejected and we continue
+@c with the next name. If the CRL has been successfully loaded,
+@c the loop is terminated.
+@c * If no crlDP has been found in the previous loop use a default CRL.
+@c Note, that if any crlDP has been found but loading of the CRL failed,
+@c this condition is not true.
+@c * Try to load a CRL from all configured servers (ldapservers.conf)
+@c in turn. The first server returning a CRL is used.
+@c * @code(crl_cache_insert) is then used to actually insert the CRL
+@c into the cache. If this failed we give up immediately without
+@c checking the rest of the servers from the first step.
+@c * Ready.
+@c
+@c
+@c The @code{crl_cache_insert} function takes care of reading the bulk of
+@c the CRL, parsing it and checking the signature. It works like this: A
+@c new database file is created using a temporary file name. The CRL
+@c parsing machinery is started and all items of the CRL are put into
+@c this database file. At the end the issuer certificate of the CRL
+@c needs to be retrieved. Three cases are to be distinguished:
+@c
+@c a) An authorityKeyIdentifier with an issuer and serialno exits: The
+@c certificate is retrieved using @code{find_cert_bysn}. If
+@c the certificate is in the certificate cache, it is directly
+@c returned. Then the requester (i.e. the client who requested the
+@c CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether
+@c he can provide this certificate. If this succeed the returned
+@c certificate gets cached and returned. Note, that dirmngr does not
+@c verify in any way whether the expected certificate is returned.
+@c It is in the interest of the client to return a useful certificate
+@c as otherwise the service request will fail due to a bad signature.
+@c The last way to get the certificate is by looking it up at
+@c external resources. This is done using the @code{ca_cert_fetch}
+@c and @code{fetch_next_ksba_cert} and comparing the returned
+@c certificate to match the requested issuer and seriano (This is
+@c needed because the LDAP layer may return several certificates as
+@c LDAP as no standard way to retrieve by serial number).
+@c
+@c b) An authorityKeyIdentifier with a key ID exists: The certificate is
+@c retrieved using @code{find_cert_bysubject}. If the certificate is
+@c in the certificate cache, it is directly returned. Then the
+@c requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether
+@c he can provide this certificate. If this succeed the returned
+@c certificate gets cached and returned. Note, that dirmngr does not
+@c verify in any way whether the expected certificate is returned.
+@c It is in the interest of the client to return a useful certificate
+@c as otherwise the service request will fail due to a bad signature.
+@c The last way to get the certificate is by looking it up at
+@c external resources. This is done using the @code{ca_cert_fetch}
+@c and @code{fetch_next_ksba_cert} and comparing the returned
+@c certificate to match the requested subject and key ID.
+@c
+@c c) No authorityKeyIdentifier exits: The certificate is retrieved
+@c using @code{find_cert_bysubject} without the key ID argument. If
+@c the certificate is in the certificate cache the first one with a
+@c matching subject is directly returned. Then the requester is
+@c asked via the Assuan inquiry ``SENDCERT'' and an exact
+@c specification of the subject whether he can
+@c provide this certificate. If this succeed the returned
+@c certificate gets cached and returned. Note, that dirmngr does not
+@c verify in any way whether the expected certificate is returned.
+@c It is in the interest of the client to return a useful certificate
+@c as otherwise the service request will fail due to a bad signature.
+@c The last way to get the certificate is by looking it up at
+@c external resources. This is done using the @code{ca_cert_fetch}
+@c and @code{fetch_next_ksba_cert} and comparing the returned
+@c certificate to match the requested subject; the first certificate
+@c with a matching subject is then returned.
+@c
+@c If no certificate was found, the function returns with the error
+@c GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails,
+@c the erro is returned. On success the @code{validate_cert_chain} is
+@c used to verify that the certificate is actually valid.
+@c
+@c Here we may encounter a recursive situation:
+@c @code{validate_cert_chain} needs to look at other certificates and
+@c also at CRLs to check whether these other certificates and well, the
+@c CRL issuer certificate itself are not revoked. FIXME: We need to make
+@c sure that @code{validate_cert_chain} does not try to lookup the CRL we
+@c are currently processing. This would be a catch-22 and may indicate a
+@c broken PKI. However, due to overlapping expiring times and imprecise
+@c clocks this may actually happen.
+@c
+@c For historical reasons the Assuan command ISVALID is a bit different
+@c to CHECKCRL but this is mainly due to different calling conventions.
+@c In the end the same fucntionality is used, albeit hidden by a couple
+@c of indirection and argument and result code mangling. It furthere
+@c ingetrages OCSP checking depending on options are the way it is
+@c called. GPGSM still uses this command but might eventuall switch over
+@c to CHECKCRL and CHECKOCSP so that ISVALID can be retired.
+@c
+@c
+@c @section Validating a certificate
+@c
+@c We describe here how the internal function @code{validate_cert_chain}
+@c works. Note that mainly testing purposes this functionality may be
+@c called directly using @cmd{dirmngr-client --validate @file{foo.crt}}.
+@c
+@c The function takes the target certificate and a mode argument as
+@c parameters and returns an error code and optionally the closes
+@c expiration time of all certificates in the chain.
+@c
+@c We first check that the certificate may be used for the requested
+@c purpose (i.e. OCSP or CRL signing). If this is not the case
+@c GPG_ERR_WRONG_KEY_USAGE is returned.
+@c
+@c The next step is to find the trust anchor (root certificate) and to
+@c assemble the chain in memory: Starting with the target certificate,
+@c the expiration time is checked against the current date, unknown
+@c critical extensions are detected and certificate policies are matched
+@c (We only allow 2.289.9.9 but I have no clue about that OID and from
+@c where I got it - it does not even seem to be assigned - debug cruft?).
+@c
+@c Now if this certificate is a self-signed one, we have reached the
+@c trust anchor. In this case we check that the signature is good, the
+@c certificate is allowed to act as a CA, that it is a trusted one (by
+@c checking whether it is has been put into the trusted-certs
+@c configuration directory) and finally prepend into to our list
+@c representing the certificate chain. This steps ends then.
+@c
+@c If it is not a self-signed certificate, we check that the chain won't
+@c get too long (current limit is 100), if this is the case we terminate
+@c with the error GPG_ERR_BAD_CERT_CHAIN.
+@c
+@c Now the issuer's certificate is looked up: If an
+@c authorityKeyIdentifier is available, this one is used to locate the
+@c certificate either using issuer and serialnumber or subject DN
+@c (i.e. the issuer's DN) and the keyID. The functions
+@c @code{find_cert_bysn) and @code{find_cert_bysubject} are used
+@c respectively. The have already been described above under the
+@c description of @code{crl_cache_insert}. If no certificate was found
+@c or with no authorityKeyIdentifier, only the cache is consulted using
+@c @code{get_cert_bysubject}. The latter is done under the assumption
+@c that a matching certificate has explicitly been put into the
+@c certificate cache. If the issuer's certificate could not be found,
+@c the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}.
+@c
+@c If the issuer's certificate has been found, the signature of the
+@c actual certificate is checked and in case this fails the error
+@c #code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the
+@c maximum chain length of the issuing certificate is checked as well as
+@c the capability of the certificate (i.e. whether he may be used for
+@c certificate signing). Then the certificate is prepended to our list
+@c representing the certificate chain. Finally the loop is continued now
+@c with the issuer's certificate as the current certificate.
+@c
+@c After the end of the loop and if no error as been encountered
+@c (i.e. the certificate chain has been assempled correctly), a check is
+@c done whether any certificate expired or a critical policy has not been
+@c met. In any of these cases the validation terminates with an
+@c appropriate error.
+@c
+@c Finally the function @code{check_revocations} is called to verify no
+@c certificate in the assempled chain has been revoked: This is an
+@c recursive process because a CRL has to be checked for each certificate
+@c in the chain except for the root certificate, of which we already know
+@c that it is trusted and we avoid checking a CRL here due to common
+@c setup problems and the assumption that a revoked root certificate has
+@c been removed from the list of trusted certificates.
+@c
+@c
+@c
+@c
+@c @section Looking up certificates through LDAP.
+@c
+@c This describes the LDAP layer to retrieve certificates.
+@c the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are
+@c used for this. The first one starts a search and the second one is
+@c used to retrieve certificate after certificate.
+@c
diff --git a/doc/examples/Automatic.prf b/doc/examples/Automatic.prf
new file mode 100644
index 0000000..41f9bea
--- /dev/null
+++ b/doc/examples/Automatic.prf
@@ -0,0 +1,15 @@
+# Automatic.prf - Configure options for a more automatic mode -*- conf -*-
+#
+# The options for each tool are configured in a section ("[TOOL]");
+# see the respective man page for a description of these options and
+# the gpgconf manpage for a description of this file's syntax.
+
+[gpg]
+auto-key-locate local,wkd,dane
+auto-key-retrieve
+trust-model tofu+pgp$\r$\n'
+
+[gpg-agent]
+default-cache-ttl 900
+max-cache-ttl 3600
+min-passphrase-nonalpha 0
diff --git a/doc/examples/README b/doc/examples/README
new file mode 100644
index 0000000..77ee807
--- /dev/null
+++ b/doc/examples/README
@@ -0,0 +1,11 @@
+Files in this directory:
+
+
+scd-event A handler script used with scdaemon
+
+trustlist.txt A list of trustworthy root certificates
+ (Please check yourself whether you actually trust them)
+
+gpgconf.conf A sample configuration file for gpgconf.
+
+systemd-user Sample files for a Linux-only init system.
diff --git a/doc/examples/VS-NfD.prf b/doc/examples/VS-NfD.prf
new file mode 100644
index 0000000..edb9e01
--- /dev/null
+++ b/doc/examples/VS-NfD.prf
@@ -0,0 +1,24 @@
+# VS-NfD.prf - Configure options for the VS-NfD mode -*- conf -*-
+#
+# The options for each tool are configured in a section ("[TOOL]");
+# see the respective man page for a description of these options and
+# the gpgconf manpage for a description of this file's syntax.
+
+[gpg]
+compliance de-vs
+
+[gpgsm]
+compliance de-vs
+enable-crl-checks
+
+[gpg-agent]
+default-cache-ttl 900
+max-cache-ttl 3600
+no-allow-mark-trusted
+no-allow-external-cache
+enforce-passphrase-constraints
+min-passphrase-len 9
+min-passphrase-nonalpha 0
+
+[dirmngr]
+allow-ocsp
diff --git a/doc/examples/debug.prf b/doc/examples/debug.prf
new file mode 100644
index 0000000..f635fc8
--- /dev/null
+++ b/doc/examples/debug.prf
@@ -0,0 +1,29 @@
+# debug.prf - Configure options for easier debugging -*- conf -*-
+#
+# Note that the actual debug options for each component need to be set
+# manually. Running the component with "--debug help" shows a list of
+# supported values. To watch the logs this command can be used:
+#
+# watchgnupg --time-only --force $(gpgconf --list-dirs socketdir)/S.log
+#
+
+[gpg]
+log-file socket://
+verbose
+#debug ipc
+
+[gpgsm]
+log-file socket://
+verbose
+#debug ipc
+
+[gpg-agent]
+log-file socket://
+verbose
+#debug ipc
+#debug-pinentry
+
+[dirmngr]
+log-file socket://
+verbose
+#debug ipc,dns
diff --git a/doc/examples/gpgconf.conf b/doc/examples/gpgconf.conf
new file mode 100644
index 0000000..a61d4d4
--- /dev/null
+++ b/doc/examples/gpgconf.conf
@@ -0,0 +1,62 @@
+# gpgconf.conf - configuration for gpgconf
+#----------------------------------------------------------------------
+# This file is read by gpgconf(1) to setup defaults for all or
+# specified users and groups. It may be used to change the hardwired
+# defaults in gpgconf and to enforce certain values for the various
+# GnuPG related configuration files.
+#
+# NOTE: This is a legacy mechanism. The modern way is to use global
+# configuration files like /etc/gnupg/gpg.conf which are more
+# flexible and better integrated into the configuration system.
+#
+# Empty lines and comment lines, indicated by a hash mark as first non
+# white space character, are ignored. The line is separated by white
+# space into fields. The first field is used to match the user or
+# group and must start at the first column, the file is processed
+# sequential until a matching rule is found. A rule may contain
+# several lines; continuation lines are indicated by a indenting them.
+#
+# Syntax of a line:
+# <key>|WS <component> <option> ["["<flag>"]"] [<value>]
+#
+# Examples for the <key> field:
+# foo - Matches the user "foo".
+# foo: - Matches the user "foo".
+# foo:staff - Matches the user "foo" or the group "staff".
+# :staff - Matches the group "staff".
+# * - Matches any user.
+# All other variants are not defined and reserved for future use.
+#
+# <component> and <option> are as specified by gpgconf.
+# <flag> may be one of:
+# default - Delete the option so that the default is used.
+# no-change - Mark the field as non changeable by gpgconf.
+# change - Mark the field as changeable by gpgconf.
+#
+# Example file:
+#==========
+# :staff gpg-agent min-passphrase-len 6 [change]
+#
+# * gpg-agent min-passphrase-len [no-change] 8
+# gpg-agent min-passphrase-nonalpha [no-change] 1
+# gpg-agent max-passphrase-days [no-change] 700
+# gpg-agent enable-passphrase-history [no-change]
+# gpg-agent enforce-passphrase-constraints [default]
+# gpg-agent enforce-passphrase-constraints [no-change]
+# gpg-agent max-cache-ttl [no-change] 10800
+# gpg-agent max-cache-ttl-ssh [no-change] 10800
+# gpgsm enable-ocsp
+# gpg compliance [no-change]
+# gpgsm compliance [no-change]
+#===========
+# All users in the group "staff" are allowed to change the value for
+# --allow-mark-trusted; gpgconf's default is not to allow a change
+# through its interface. When "gpgconf --apply-defaults" is used,
+# "allow-mark-trusted" will get enabled and "min-passphrase-len" set
+# to 6. All other users are not allowed to change
+# "min-passphrase-len" and "allow-mark-trusted". When "gpgconf
+# --apply-defaults" is used for them, "min-passphrase-len" is set to
+# 8, "allow-mark-trusted" deleted from the config file and
+# "enable-ocsp" is put into the config file of gpgsm. The latter may
+# be changed by any user.
+#-------------------------------------------------------------------
diff --git a/doc/examples/gpgconf.rnames b/doc/examples/gpgconf.rnames
new file mode 100644
index 0000000..0e83732
--- /dev/null
+++ b/doc/examples/gpgconf.rnames
@@ -0,0 +1,12 @@
+# gpgconf-rnames.lst
+# Additional registry settings to be shown by "gpgconf -X".
+#
+# Example: HKCU\Software\GNU\GnuPG:FooBar
+#
+# HKCU := The class. Other supported classes are HKLM, HKCR, HKU,
+# and HKCC. If no class is given and the string thus starts
+# with a backslash HKCU with a fallback to HKLM is used.
+# Software\GNU\GnuPG := The actual key.
+# FooBar := The name of the item. if a name is not given the default
+# value is used.
+#
diff --git a/doc/examples/pwpattern.list b/doc/examples/pwpattern.list
new file mode 100644
index 0000000..251c2d4
--- /dev/null
+++ b/doc/examples/pwpattern.list
@@ -0,0 +1,48 @@
+# pwpattern.list -*- default-generic -*-
+#
+# This is an example for a pattern file as used by gpg-check-pattern.
+# The file is line based with comment lines beginning on the *first*
+# position with a '#'. Empty lines and lines with just spaces are
+# ignored. The other lines may be verbatim patterns and match as they
+# are (trailing spaces are ignored) or extended regular expressions
+# indicated by a / in the first column and terminated by another / or
+# end of line. All comparisons are case insensitive.
+
+# Reject the usual metavariables. Usual not required because
+# gpg-agent can be used to reject all passphrases shorter than 8
+# charactes.
+foo
+bar
+baz
+
+# As well as very common passwords. Note that gpg-agent can be used
+# to reject them due to missing non-alpha characters.
+password
+passwort
+passphrase
+mantra
+test
+abc
+egal
+
+# German number plates.
+/^[A-Z]{1,3}[ ]*-[ ]*[A-Z]{1,2}[ ]*[0-9]+/
+
+# Dates (very limited, only ISO dates). */
+/^[012][0-9][0-9][0-9]-[012][0-9]-[0123][0-9]$/
+
+# Arbitrary strings
+the quick brown fox jumps over the lazy dogs back
+no-password
+no password
+
+12345678
+123456789
+1234567890
+87654321
+987654321
+0987654321
+qwertyuiop
+qwertzuiop
+asdfghjkl
+zxcvbnm
diff --git a/doc/examples/scd-event b/doc/examples/scd-event
new file mode 100755
index 0000000..938465f
--- /dev/null
+++ b/doc/examples/scd-event
@@ -0,0 +1,102 @@
+#!/bin/sh
+# Sample script for scdaemon event mechanism.
+
+#exec >>/tmp/scd-event.log
+
+PGM=scd-event
+
+reader_port=
+old_code=0x0000
+new_code=0x0000
+status=
+
+tick='`'
+prev=
+while [ $# -gt 0 ]; do
+ arg="$1"
+ case $arg in
+ -*=*) optarg=$(echo "X$arg" | sed -e '1s/^X//' -e 's/[-_a-zA-Z0-9]*=//')
+ ;;
+ *) optarg=
+ ;;
+ esac
+ if [ -n "$prev" ]; then
+ eval "$prev=\$arg"
+ prev=
+ shift
+ continue
+ fi
+ case $arg in
+ --help|-h)
+ cat <<EOF
+Usage: $PGM [options]
+$PGM is called by scdaemon on card reader status changes
+
+Options:
+ --reader-port N Reports change for port N
+ --old-code 0xNNNN Previous status code
+ --old-code 0xNNNN Current status code
+ --status USABLE|ACTIVE|PRESENT|NOCARD
+ Human readable status code
+
+Environment:
+
+GNUPGHOME=DIR Set to the active homedir
+
+EOF
+ exit 0
+ ;;
+
+ --reader-port)
+ prev=reader_port
+ ;;
+ --reader-port=*)
+ reader_port="$optarg"
+ ;;
+ --old-code)
+ prev=old_code
+ ;;
+ --old-code=*)
+ old_code="$optarg"
+ ;;
+ --new-code)
+ prev=new_code
+ ;;
+ --new-code=*)
+ new_code="$optarg"
+ ;;
+ --status)
+ prev=status
+ ;;
+ --new-code=*)
+ status="$optarg"
+ ;;
+
+ -*)
+ echo "$PGM: invalid option $tick$arg'" >&2
+ exit 1
+ ;;
+
+ *)
+ break
+ ;;
+ esac
+ shift
+done
+if [ -n "$prev" ]; then
+ echo "$PGM: argument missing for option $tick$prev'" >&2
+ exit 1
+fi
+
+cat <<EOF
+========================
+port: $reader_port
+old-code: $old_code
+new-code: $new_code
+status: $status
+EOF
+
+if [ x$status = xUSABLE ]; then
+ gpg --batch --card-status 2>&1
+fi
+
diff --git a/doc/examples/systemd-user/README b/doc/examples/systemd-user/README
new file mode 100644
index 0000000..43122f5
--- /dev/null
+++ b/doc/examples/systemd-user/README
@@ -0,0 +1,66 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout. This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+ systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+ systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+ systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them. For example, to enable socket-activated dirmngr for
+all future sessions:
+
+ systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+ systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly. For example, to set up socket-activated dirmgnr
+in the current session:
+
+ gpgconf --kill dirmngr
+ systemctl --user start dirmngr.socket
diff --git a/doc/examples/systemd-user/dirmngr.service b/doc/examples/systemd-user/dirmngr.service
new file mode 100644
index 0000000..3c060cd
--- /dev/null
+++ b/doc/examples/systemd-user/dirmngr.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git a/doc/examples/systemd-user/dirmngr.socket b/doc/examples/systemd-user/dirmngr.socket
new file mode 100644
index 0000000..ebabf89
--- /dev/null
+++ b/doc/examples/systemd-user/dirmngr.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-browser.socket b/doc/examples/systemd-user/gpg-agent-browser.socket
new file mode 100644
index 0000000..bc8d344
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-extra.socket b/doc/examples/systemd-user/gpg-agent-extra.socket
new file mode 100644
index 0000000..5b87d09
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent-ssh.socket b/doc/examples/systemd-user/gpg-agent-ssh.socket
new file mode 100644
index 0000000..798c1d9
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/systemd-user/gpg-agent.service b/doc/examples/systemd-user/gpg-agent.service
new file mode 100644
index 0000000..a050fcc
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git a/doc/examples/systemd-user/gpg-agent.socket b/doc/examples/systemd-user/gpg-agent.socket
new file mode 100644
index 0000000..4257c2c
--- /dev/null
+++ b/doc/examples/systemd-user/gpg-agent.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/doc/examples/trustlist.txt b/doc/examples/trustlist.txt
new file mode 100644
index 0000000..4d57242
--- /dev/null
+++ b/doc/examples/trustlist.txt
@@ -0,0 +1,66 @@
+# This is the global list of trusted keys. Comment lines, like this
+# one, as well as empty lines are ignored. Lines have a length limit
+# but this is not serious limitation as the format of the entries is
+# fixed and checked by gpg-agent. A non-comment line starts with
+# optional white space, followed by the SHA-1 fingerpint in hex,
+# optionally followed by a flag character which my either be 'P', 'S'
+# or '*'. This file will be read by gpg-agent if no local trustlist
+# is available or if the statement "include-default" is used in the
+# local list. You should give the gpg-agent(s) a HUP after editing
+# this file.
+
+
+#Serial number: 32D18D
+# Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60 S
+
+#Serial number: 00C48C8D
+# Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B S
+
+#Serial number: 01
+# Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5 S
+
+#Serial number: 02
+# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24 S
+
+#Serial number: 2A
+# Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
+31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD S
+
+#Serial number: 2D
+# Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
+A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D S
+
+# S/N: 0139
+# Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE
+44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de
+
+# S/N: 013C
+# Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE
+AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de
+
+
+# S/N: 00B3963E0E6C2D65125853E970665402E5
+# Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA S
+
+# S/N: 00C4216083F35C54F67B09A80C3C55FE7D
+# Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B S
+
+
+#Serial number: 00
+# Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.
+# cacert.org/O=Root CA/EMail=support@cacert.org
+13:5C:EC:36:F4:9C:B8:E9:3B:1A:B2:70:CD:80:88:46:76:CE:8F:33 S
+
+
diff --git a/doc/glossary.texi b/doc/glossary.texi
new file mode 100644
index 0000000..8c786a7
--- /dev/null
+++ b/doc/glossary.texi
@@ -0,0 +1,72 @@
+@c Copyright (C) 2004 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node Glossary
+@unnumbered Glossary
+
+
+@table @samp
+@item ARL
+ The @emph{Authority Revocation List} is technical identical to a
+@acronym{CRL} but used for @acronym{CA}s and not for end user
+certificates.
+
+@item Chain model
+ Verification model for X.509 which uses the creation date of a
+signature as the date the validation starts and in turn checks that each
+certificate has been issued within the time frame, the issuing
+certificate was valid. This allows the verification of signatures after
+the CA's certificate expired. The validation test also required an
+online check of the certificate status. The chain model is required by
+the German signature law. See also @emph{Shell model}.
+
+@item CMS
+ The @emph{Cryptographic Message Standard} describes a message
+format for encryption and digital signing. It is closely related to the
+X.509 certificate format. @acronym{CMS} was formerly known under the
+name @code{PKCS#7} and is described by @code{RFC3369}.
+
+@item CRL
+ The @emph{Certificate Revocation List} is a list containing
+certificates revoked by the issuer.
+
+@item CSR
+ The @emph{Certificate Signing Request} is a message send to a CA to
+ask them to issue a new certificate. The data format of such a signing
+request is called PCKS#10.
+
+@item OpenPGP
+ A data format used to build a PKI and to exchange encrypted or
+signed messages. In contrast to X.509, OpenPGP also includes the
+message format but does not explicitly demand a specific PKI. However
+any kind of PKI may be build upon the OpenPGP protocol.
+
+@item Keygrip
+ This term is used by GnuPG to describe a 20 byte hash value used
+to identify a certain key without referencing to a concrete protocol.
+It is used internally to access a private key. Usually it is shown and
+entered as a 40 character hexadecimal formatted string.
+
+@item OCSP
+ The @emph{Online Certificate Status Protocol} is used as an
+alternative to a @acronym{CRL}. It is described in @code{RFC 2560}.
+
+@item PSE
+ The @emph{Personal Security Environment} describes a database to
+store private keys. This is either a smartcard or a collection of files
+on a disk; the latter is often called a Soft-PSE.
+
+
+@item Shell model
+The standard model for validation of certificates under X.509. At the
+time of the verification all certificates must be valid and not expired.
+See also @emph{Chain model}.
+
+
+@item X.509
+Description of a PKI used with CMS. It is for example
+defined by @code{RFC3280}.
+
+
+@end table
diff --git a/doc/gnupg-card-architecture.fig b/doc/gnupg-card-architecture.fig
new file mode 100644
index 0000000..0efa362
--- /dev/null
+++ b/doc/gnupg-card-architecture.fig
@@ -0,0 +1,419 @@
+#FIG 3.2 Produced by xfig version 3.2.5-alpha5
+# Copyright 2005 Werner Koch
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <http://www.gnu.org/licenses/>.
+#
+Landscape
+Center
+Metric
+A4
+100.00
+Single
+-2
+1200 2
+0 32 #414541
+0 33 #808080
+0 34 #c0c0c0
+0 35 #c6b797
+0 36 #eff8ff
+0 37 #dccba6
+0 38 #e0e0e0
+0 39 #8e8f8e
+0 40 #aaaaaa
+0 41 #555555
+0 42 #404040
+0 43 #868286
+0 44 #c7c3c7
+0 45 #e7e3e7
+0 46 #8e8e8e
+0 47 #444444
+0 48 #868686
+0 49 #c7c7c7
+0 50 #666666
+0 51 #e2e2ee
+0 52 #94949a
+0 53 #dbdbdb
+0 54 #a1a1b7
+0 55 #9c0000
+0 56 #ededed
+0 57 #86acff
+0 58 #7070ff
+0 59 #bebebe
+0 60 #515151
+0 61 #000049
+0 62 #797979
+0 63 #303430
+0 64 #c7b696
+0 65 #d7d7d7
+0 66 #aeaeae
+0 67 #85807d
+0 68 #d2d2d2
+0 69 #3a3a3a
+0 70 #4573aa
+0 71 #000000
+0 72 #e7e7e7
+0 73 #f7f7f7
+0 74 #d6d7d6
+0 75 #7b79a5
+0 76 #effbff
+0 77 #9e9e9e
+0 78 #717571
+0 79 #73758c
+0 80 #414141
+0 81 #635dce
+0 82 #565151
+0 83 #dd9d93
+0 84 #f1ece0
+0 85 #c3c3c3
+0 86 #e2c8a8
+0 87 #e1e1e1
+0 88 #da7a1a
+0 89 #f1e41a
+0 90 #887dc2
+0 91 #d6d6d6
+0 92 #8c8ca5
+0 93 #4a4a4a
+0 94 #8c6b6b
+0 95 #5a5a5a
+0 96 #636363
+0 97 #b79b73
+0 98 #4193ff
+0 99 #bf703b
+0 100 #db7700
+0 101 #dab800
+0 102 #006400
+0 103 #5a6b3b
+0 104 #d3d3d3
+0 105 #8e8ea4
+0 106 #f3b95d
+0 107 #89996b
+0 108 #646464
+0 109 #b7e6ff
+0 110 #86c0ec
+0 111 #bdbdbd
+0 112 #d39552
+0 113 #98d2fe
+0 114 #8c9c6b
+0 115 #f76b00
+0 116 #5a6b39
+0 117 #8c9c6b
+0 118 #8c9c7b
+0 119 #184a18
+0 120 #adadad
+0 121 #f7bd5a
+0 122 #636b9c
+0 123 #de0000
+0 124 #adadad
+0 125 #f7bd5a
+0 126 #adadad
+0 127 #f7bd5a
+0 128 #636b9c
+0 129 #526b29
+0 130 #949494
+0 131 #006300
+0 132 #00634a
+0 133 #7b844a
+0 134 #e7bd7b
+0 135 #a5b5c6
+0 136 #6b6b94
+0 137 #846b6b
+0 138 #529c4a
+0 139 #d6e7e7
+0 140 #526363
+0 141 #186b4a
+0 142 #9ca5b5
+0 143 #ff9400
+0 144 #ff9400
+0 145 #00634a
+0 146 #7b844a
+0 147 #63737b
+0 148 #e7bd7b
+0 149 #184a18
+0 150 #f7bd5a
+0 151 #dedede
+0 152 #f3eed3
+0 153 #f5ae5d
+0 154 #95ce99
+0 155 #b5157d
+0 156 #eeeeee
+0 157 #848484
+0 158 #7b7b7b
+0 159 #005a00
+0 160 #e77373
+0 161 #ffcb31
+0 162 #29794a
+0 163 #de2821
+0 164 #2159c6
+0 165 #f8f8f8
+0 166 #e6e6e6
+0 167 #21845a
+0 168 #ff9408
+0 169 #007000
+0 170 #d00000
+0 171 #fed600
+0 172 #d82010
+0 173 #003484
+0 174 #d62010
+0 175 #389000
+0 176 #ba0000
+0 177 #003380
+0 178 #00a7bd
+0 179 #ffc500
+0 180 #087bd0
+0 181 #fbc100
+0 182 #840029
+0 183 #07399c
+0 184 #0063bd
+0 185 #39acdf
+0 186 #42c0e0
+0 187 #31ceff
+0 188 #ffde00
+0 189 #085a00
+0 190 #ff2100
+0 191 #f75e08
+0 192 #ef7b08
+0 193 #ff8200
+0 194 #007d00
+0 195 #0000be
+0 196 #757575
+0 197 #f3f3f3
+0 198 #d7d3d7
+0 199 #aeaaae
+0 200 #c2c2c2
+0 201 #303030
+0 202 #515551
+0 203 #f7f3f7
+0 204 #717171
+6 9270 1980 13230 6570
+6 9471 3906 13014 5677
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 10540 4394 10540 3936 9471 3936 9471 4394 10540 4394
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 10387 5616 10387 5158 9471 5158 9471 5616 10387 5616
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 12984 5005 12984 4547 9471 4547 9471 5005 12984 5005
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 12984 5616 12984 5158 12067 5158 12067 5616 12984 5616
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 11701 5627 11701 5168 10784 5168 10784 5627 11701 5627
+4 0 0 50 -1 16 11 0.0000 4 173 835 9623 4242 OpenPGP\001
+4 0 0 50 -1 16 11 0.0000 4 132 2770 9776 4853 APDU and ISO-7816 access code\001
+4 0 0 50 -1 16 11 0.0000 4 132 448 9623 5464 CCID\001
+4 0 0 50 -1 16 11 0.0000 4 132 601 12220 5464 CT-API\001
+4 0 0 50 -1 16 11 0.0000 4 132 560 10957 5464 PC/SC\001
+-6
+6 10693 3906 13014 4394
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 11762 4394 11762 3936 10693 3936 10693 4394 11762 4394
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 12984 4394 12984 3936 11915 3936 11915 4394 12984 4394
+4 0 0 50 -1 16 11 0.0000 4 132 377 10998 4242 NKS\001
+4 0 0 50 -1 16 11 0.0000 4 132 804 12067 4242 PKCS#15\001
+-6
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 13137 2072 9318 2072 9318 5739 13137 5739 13137 2072
+2 1 2 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 2
+ 9318 3753 13137 3753
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 11691 6360 10774 6360 10774 5901 11691 5901 11691 6360
+2 1 2 2 0 7 50 -1 -1 4.500 0 0 -1 0 0 1
+ 11762 5739
+2 1 1 2 0 7 50 -1 -1 6.000 0 0 -1 0 0 4
+ 10693 5739 10693 6502 11762 6502 11762 5739
+4 0 0 50 -1 18 15 0.0000 4 183 1293 10540 2989 SCDaemon\001
+4 0 0 50 -1 16 11 0.0000 4 133 662 10896 6176 wrapper\001
+-6
+6 90 1980 4050 5760
+6 306 3906 3849 5677
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 1375 4394 1375 3936 306 3936 306 4394 1375 4394
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 1222 5616 1222 5158 306 5158 306 5616 1222 5616
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 3819 5005 3819 4547 306 4547 306 5005 3819 5005
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 3819 5616 3819 5158 2902 5158 2902 5616 3819 5616
+2 4 0 1 0 7 50 -1 -1 0.000 0 0 5 0 0 5
+ 2536 5627 2536 5168 1619 5168 1619 5627 2536 5627
+4 0 0 50 -1 16 11 0.0000 4 173 835 458 4242 OpenPGP\001
+4 0 0 50 -1 16 11 0.0000 4 132 2770 611 4853 APDU and ISO-7816 access code\001
+4 0 0 50 -1 16 11 0.0000 4 132 448 458 5464 CCID\001
+4 0 0 50 -1 16 11 0.0000 4 132 601 3055 5464 CT-API\001
+4 0 0 50 -1 16 11 0.0000 4 132 560 1792 5464 PC/SC\001
+-6
+6 2139 3753 3208 4211
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 3208 4211 3208 3753 2139 3753 2139 4211 3208 4211
+4 0 0 50 -1 16 11 0.0000 4 132 784 2291 4058 Gluecode\001
+-6
+2 1 2 2 0 7 50 -1 -1 4.500 0 0 -1 0 0 1
+ 2597 5739
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2
+ 1 1 1.00 40.73 81.47
+ 2139 4028 1405 4150
+2 1 2 1 0 7 50 -1 -1 3.000 0 0 -1 0 0 4
+ 153 3753 1833 3753 1833 4364 3972 4364
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 3972 2072 153 2072 153 5739 3972 5739 3972 2072
+4 0 0 50 -1 18 15 0.0000 4 224 866 1375 2989 gpg 1.4\001
+-6
+6 4888 4058 5346 5433
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 5346 5433 5346 4058 4888 4058 4888 5433 5346 5433
+4 0 0 50 -1 16 11 1.5708 4 132 611 5194 5128 Assuan\001
+-6
+6 4680 1980 8640 5760
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 5346 3753 5346 2378 4888 2378 4888 3753 5346 3753
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 8554 5739 4735 5739 4735 2072 8554 2072 8554 5739
+4 0 0 50 -1 16 11 1.5708 4 173 804 5194 3447 ssh-agent\001
+-6
+6 5805 3447 7332 4975
+6 5957 3447 7179 4211
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 7179 4211 7179 3447 5957 3447 5957 4211 7179 4211
+4 0 0 50 -1 16 11 0.0000 4 173 937 6110 3753 Private Key\001
+4 0 0 50 -1 16 11 0.0000 4 173 896 6110 4058 Operations\001
+-6
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1
+ 7195 4883
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1
+ 7195 4883
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 7332 4975 7332 4517 6721 4517 6721 4975 7332 4975
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2
+ 1 1 1.00 40.73 81.47
+ 1 1 1.00 40.73 81.47
+ 6568 4211 7027 4517
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2
+ 1 1 1.00 40.73 81.47
+ 1 1 1.00 40.73 81.47
+ 6568 4211 6110 4517
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 6416 4975 6416 4517 5805 4517 5805 4975 6416 4975
+4 0 0 50 -1 16 11 0.0000 4 132 397 6874 4822 Card\001
+4 0 0 50 -1 16 11 0.0000 4 132 356 5957 4822 Disk\001
+-6
+6 7638 3600 8401 4058
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 8401 4058 8401 3600 7638 3600 7638 4058 8401 4058
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 0 0 1
+ 7638 3814
+4 0 0 50 -1 16 11 0.0000 4 132 530 7790 3905 Cache\001
+-6
+6 9471 2225 9929 3600
+2 4 0 1 0 7 50 -1 -1 4.000 0 0 5 0 0 5
+ 9929 3600 9929 2225 9471 2225 9471 3600 9929 3600
+4 0 0 50 -1 16 11 1.5708 4 132 611 9776 3294 Assuan\001
+-6
+6 6480 360 8640 1440
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 8554 1339 6568 1339 6568 423 8554 423 8554 1339
+4 0 0 50 -1 18 15 0.0000 4 234 967 7027 881 pinentry\001
+4 0 0 50 -1 16 10 0.0000 4 153 1375 6874 1187 (GTK+, Qt, Curses)\001
+-6
+6 10570 270 13137 1003
+2 1 1 1 1 2 50 -1 -1 4.000 0 0 -1 1 0 2
+ 1 1 1.00 40.73 81.47
+ 10632 331 11181 331
+2 1 0 2 1 2 50 -1 -1 6.000 0 0 -1 1 0 2
+ 1 1 2.00 81.47 162.94
+ 10632 637 11181 637
+2 1 0 1 0 2 50 -1 -1 4.000 0 0 -1 1 0 2
+ 1 1 1.00 40.73 81.47
+ 10632 942 11181 942
+4 0 0 50 -1 16 10 0.0000 4 163 1762 11365 392 Alternative access paths\001
+4 0 0 50 -1 16 10 0.0000 4 163 1426 11365 698 IPC (pipe or socket)\001
+4 0 0 50 -1 16 10 0.0000 4 122 1232 11365 1003 Internal data flow\001
+-6
+# Smartcard ID-1
+6 6840 6120 8550 7200
+6 7069 6526 7307 6746
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2
+ 7234 6691 7307 6691
+2 1 0 1 0 0 48 -1 20 0.000 0 0 -1 0 0 2
+ 7069 6636 7143 6636
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2
+ 7069 6581 7143 6581
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2
+ 7069 6691 7143 6691
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2
+ 7143 6526 7143 6746
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 3
+ 7307 6581 7234 6581 7234 6746
+2 1 0 1 0 7 48 -1 -1 0.000 0 0 -1 0 0 2
+ 7234 6636 7307 6636
+2 4 0 1 0 31 49 -1 20 0.000 0 0 1 0 0 5
+ 7069 6526 7307 6526 7307 6746 7069 6746 7069 6526
+-6
+2 4 0 1 -1 7 50 -1 20 0.000 0 0 1 0 0 5
+ 8472 7185 6904 7185 6904 6197 8472 6197 8472 7185
+-6
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2
+ 1 1 1.00 40.73 81.47
+ 5346 3142 5957 3753
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 0 2
+ 1 1 1.00 40.73 81.47
+ 5346 4669 5957 3905
+2 1 0 1 0 7 50 -1 -1 4.000 0 0 -1 1 1 2
+ 1 1 1.00 40.73 81.47
+ 1 1 1.00 40.73 81.47
+ 7179 3814 7638 3814
+2 4 0 2 0 6 60 -1 20 0.000 0 0 5 0 0 5
+ 11731 7480 10693 7480 10693 6991 11731 6991 11731 7480
+3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3
+ 1 1 2.00 81.47 162.94
+ 8022 3600 8096 2225 7513 1360
+ 0.000 -1.000 0.000
+3 2 0 2 1 2 50 -1 -1 0.000 0 1 0 3
+ 0 0 2.00 81.47 162.94
+ 7332 4730 8737 4486 9471 2897
+ 0.000 -1.000 0.000
+3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3
+ 1 1 2.00 81.47 162.94
+ 3238 3997 4216 4242 4888 4730
+ 0.000 -1.000 0.000
+3 2 0 2 1 2 50 -1 -1 6.000 0 1 0 3
+ 1 1 2.00 81.47 162.94
+ 11243 6502 11304 6747 11181 6991
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 10693 7235 9471 7174 8493 6869
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 9898 5647 9532 6380 8493 6563
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 12465 5647 11731 6624 8493 6747
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 2077 5647 3177 6502 6843 6624
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 733 5647 2444 6808 6843 6747
+ 0.000 -1.000 0.000
+3 2 1 1 1 2 50 -1 -1 4.000 0 1 0 3
+ 1 1 1.00 40.73 81.47
+ 3361 5647 4155 6319 6843 6502
+ 0.000 -1.000 0.000
+4 0 0 50 -1 18 15 0.0000 4 214 1191 5957 2989 gpg-agent\001
+4 0 0 50 -1 16 11 0.0000 4 173 387 10998 7297 pcsd\001
diff --git a/doc/gnupg-card-architecture.pdf b/doc/gnupg-card-architecture.pdf
new file mode 100644
index 0000000..8592943
--- /dev/null
+++ b/doc/gnupg-card-architecture.pdf
Binary files differ
diff --git a/doc/gnupg-card-architecture.png b/doc/gnupg-card-architecture.png
new file mode 100644
index 0000000..3740d40
--- /dev/null
+++ b/doc/gnupg-card-architecture.png
Binary files differ
diff --git a/doc/gnupg-logo-tr.png b/doc/gnupg-logo-tr.png
new file mode 100644
index 0000000..af21af9
--- /dev/null
+++ b/doc/gnupg-logo-tr.png
Binary files differ
diff --git a/doc/gnupg-logo.eps b/doc/gnupg-logo.eps
new file mode 100644
index 0000000..d428f23
--- /dev/null
+++ b/doc/gnupg-logo.eps
@@ -0,0 +1,2704 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: (ImageMagick)
+%%Title: (gnupg-logo.eps)
+%%CreationDate: (Thu Mar 8 17:48:33 2007)
+%%BoundingBox: 0 0 118 38
+%%HiResBoundingBox: 0 0 118.11 38
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 1
+%%Pages: 1
+%%EndComments
+
+%%BeginDefaults
+%%EndDefaults
+
+%%BeginProlog
+%
+% Display a color image. The image is displayed in color on
+% Postscript viewers or printers that support color, otherwise
+% it is displayed as grayscale.
+%
+/DirectClassPacket
+{
+ %
+ % Get a DirectClass packet.
+ %
+ % Parameters:
+ % red.
+ % green.
+ % blue.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile color_packet readhexstring pop pop
+ compression 0 eq
+ {
+ /number_pixels 3 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add 3 mul def
+ } ifelse
+ 0 3 number_pixels 1 sub
+ {
+ pixels exch color_packet putinterval
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/DirectClassImage
+{
+ %
+ % Display a DirectClass image.
+ %
+ systemdict /colorimage known
+ {
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { DirectClassPacket } false 3 colorimage
+ }
+ {
+ %
+ % No colorimage operator; convert to grayscale.
+ %
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { GrayDirectClassPacket } image
+ } ifelse
+} bind def
+
+/GrayDirectClassPacket
+{
+ %
+ % Get a DirectClass packet; convert to grayscale.
+ %
+ % Parameters:
+ % red
+ % green
+ % blue
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile color_packet readhexstring pop pop
+ color_packet 0 get 0.299 mul
+ color_packet 1 get 0.587 mul add
+ color_packet 2 get 0.114 mul add
+ cvi
+ /gray_packet exch def
+ compression 0 eq
+ {
+ /number_pixels 1 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add def
+ } ifelse
+ 0 1 number_pixels 1 sub
+ {
+ pixels exch gray_packet put
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/GrayPseudoClassPacket
+{
+ %
+ % Get a PseudoClass packet; convert to grayscale.
+ %
+ % Parameters:
+ % index: index into the colormap.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile byte readhexstring pop 0 get
+ /offset exch 3 mul def
+ /color_packet colormap offset 3 getinterval def
+ color_packet 0 get 0.299 mul
+ color_packet 1 get 0.587 mul add
+ color_packet 2 get 0.114 mul add
+ cvi
+ /gray_packet exch def
+ compression 0 eq
+ {
+ /number_pixels 1 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add def
+ } ifelse
+ 0 1 number_pixels 1 sub
+ {
+ pixels exch gray_packet put
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/PseudoClassPacket
+{
+ %
+ % Get a PseudoClass packet.
+ %
+ % Parameters:
+ % index: index into the colormap.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile byte readhexstring pop 0 get
+ /offset exch 3 mul def
+ /color_packet colormap offset 3 getinterval def
+ compression 0 eq
+ {
+ /number_pixels 3 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add 3 mul def
+ } ifelse
+ 0 3 number_pixels 1 sub
+ {
+ pixels exch color_packet putinterval
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/PseudoClassImage
+{
+ %
+ % Display a PseudoClass image.
+ %
+ % Parameters:
+ % class: 0-PseudoClass or 1-Grayscale.
+ %
+ currentfile buffer readline pop
+ token pop /class exch def pop
+ class 0 gt
+ {
+ currentfile buffer readline pop
+ token pop /depth exch def pop
+ /grays columns 8 add depth sub depth mul 8 idiv string def
+ columns rows depth
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { currentfile grays readhexstring pop } image
+ }
+ {
+ %
+ % Parameters:
+ % colors: number of colors in the colormap.
+ % colormap: red, green, blue color packets.
+ %
+ currentfile buffer readline pop
+ token pop /colors exch def pop
+ /colors colors 3 mul def
+ /colormap colors string def
+ currentfile colormap readhexstring pop pop
+ systemdict /colorimage known
+ {
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { PseudoClassPacket } false 3 colorimage
+ }
+ {
+ %
+ % No colorimage operator; convert to grayscale.
+ %
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { GrayPseudoClassPacket } image
+ } ifelse
+ } ifelse
+} bind def
+
+/DisplayImage
+{
+ %
+ % Display a DirectClass or PseudoClass image.
+ %
+ % Parameters:
+ % x & y translation.
+ % x & y scale.
+ % label pointsize.
+ % image label.
+ % image columns & rows.
+ % class: 0-DirectClass or 1-PseudoClass.
+ % compression: 0-none or 1-RunlengthEncoded.
+ % hex color packets.
+ %
+ gsave
+ /buffer 512 string def
+ /byte 1 string def
+ /color_packet 3 string def
+ /pixels 768 string def
+
+ currentfile buffer readline pop
+ token pop /x exch def
+ token pop /y exch def pop
+ x y translate
+ currentfile buffer readline pop
+ token pop /x exch def
+ token pop /y exch def pop
+ currentfile buffer readline pop
+ token pop /pointsize exch def pop
+ /Times-Roman findfont pointsize scalefont setfont
+ x y scale
+ currentfile buffer readline pop
+ token pop /columns exch def
+ token pop /rows exch def pop
+ currentfile buffer readline pop
+ token pop /class exch def pop
+ currentfile buffer readline pop
+ token pop /compression exch def pop
+ class 0 gt { PseudoClassImage } { DirectClassImage } ifelse
+ grestore
+} bind def
+%%EndProlog
+%%Page: 1 1
+%%PageBoundingBox: 0 0 118 38
+userdict begin
+DisplayImage
+0 0
+118.11 38.189
+12.000000
+300 97
+0
+0
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFBFE3F675C3EC33A7E30795DE008EDB008CDB
+008DDB008FDC0092DD0093DD0093DD0093DD0093DD0091DC008FDC008DDB008CDB008EDB
+0996DE38AAE47AC5EDC3E5F7FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEBF7FC91CFF031A6E30090DC008CDB008FDC0092DD0093DD0093DD
+0093DD0092DD0091DC0090DC0090DC008FDC0090DC0091DC0091DD0092DD0093DD0093DD
+0092DD008FDC008CDB0091DC35A8E397D2F1F0F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFEDF8FD81C8EE1B9DE0008CDB008FDC0093DD0093DD0093DD0091DD008FDC008DDB
+008DDB0092DD0E99DF1B9EE126A3E22AA5E320A1E11A9EE00A97DE0091DC008DDB008DDB
+008FDC0092DD0093DD0092DD008FDC008DDB229FE189CCEFF1F9FDFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+A1D7F2239FE1008CDB0090DC0093DD0093DD0092DD008EDC008DDB0C97DE37A9E474C3EC
+A4D7F3C8E7F8E6F4FCF4FAFDFCFEFFFFFFFFFEFFFFFCFEFFEBF7FCCDEAF8A5D8F370C2EC
+32A7E30895DE008DDB008FDC0093DD0093DD0090DC008CDB28A2E2ACDBF4FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEF1FB4CB2E6
+008EDB008FDC0093DD0093DD0092DD008DDB0091DC3FACE597D2F1DFF1FBFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFF7FBFEE7F4FCD5EDF9CBE9F8C4E5F7CFEAF8DDF1FAEEF8FD
+EFF8FDD6EDF995D1F140ADE50593DD008FDC0093DD0093DD008FDC008EDC56B6E8E6F5FC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB1DEF51A9CE0008CDB
+0093DD0093DD0093DD008EDB0493DD55B5E8C3E5F7FFFFFFFFFFFFFFFFFFFFFFFFF9FDFE
+CDE9F89BD4F165BDEA38AAE41F9FE10D98DF0294DD0091DC008FDC0091DC0193DD0B97DE
+1D9FE13AABE468BFEB8DCEF07AC5ED39A9E40A95DE0092DD0093DD0092DD008CDB229FE0
+BBE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ACDEF0090DC0090DC0093DD
+0093DD0091DC008DDB44AEE6C7E7F8FFFFFFFFFFFFFFFFFFFFFFFFC9E7F871C2EC2AA3E2
+0192DD008DDB008DDB008FDC0090DC0091DC0092DD0092DD0093DD0092DD0092DD0091DD
+0090DC008FDC008DDB008EDB0996DE23A2E2189DE00192DD0093DD0093DD0093DD008FDC
+0592DD96D2F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF73C3EC008DDB0091DD0093DD0093DD
+008EDB1198DF96D2F1FFFFFFFFFFFFFFFFFFF6FBFE9FD6F241ADE50092DD008CDB008FDC
+0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0092DD0091DC0092DD0093DD0093DD0093DD0093DD0093DD
+0091DC008EDC82CAEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6CC0EB008BDB0092DD0093DD0093DD008CDB
+34A7E3D3ECF9FFFFFFFFFFFFFFFFFFA4D8F22BA3E2008DDB008EDB0092DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0092DD008DDB7CC8EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF78C6ED008DDB0092DD0093DD0093DD008CDB55B6E8
+F0F9FDFFFFFFFFFFFFC9E8F842ADE5008EDB008FDC0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0092DD008DDB89CDEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF9AD4F1008EDB0092DD0093DD0093DD008CDB61BCEAFCFEFF
+FFFFFFFEFFFF87CBEF0894DD008DDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0092DD008FDCA6D9F3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFC4E6F70793DD0091DC0093DD0093DD008CDB5AB9E9FEFEFFFFFFFF
+E6F5FC4BB1E7008CDB0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0090DC0D96DED2ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFF0F9FD28A3E2008EDB0093DD0093DD008DDB40AEE5F8FCFEFFFFFFD3ECF9
+29A2E2008CDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0092DD0090DC008FDC008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD008DDB33A8E4F7FBFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF68BFEB008BDB0093DD0093DD008FDC1D9EE1E6F4FCFFFFFFC8E8F8179ADF
+008EDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008CDB
+0091DC1B9EE139ABE454B6E86AC0EB68BFEB52B6E837AAE4199DE00090DC008CDB0090DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD008CDB7EC8EEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFC5E6F70191DC0092DD0093DD0092DD0190DCB8E1F6FFFFFFC9E9F81499DF008FDB
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDC2EA6E380C8EE
+C3E5F7F0F8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF8FDBDE3F679C5ED29A3E2
+008EDB008FDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0091DC0894DED2ECF9FFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FEFFFF3FAEE5008DDB0093DD0093DD008CDB65BEEAFFFFFFD9EFFA189BDF008EDC0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0091DD008DDB2FA5E3A7D9F3F9FDFEFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFE
+A0D6F229A3E2008CDB0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB4CB4E7FFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+B3DFF5008FDB0093DD0093DD0090DC189CE0ECF7FCF0F9FD2FA6E3008EDB0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD008FDC0693DD85CBEEF5FBFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFF2FAFD79C6ED0291DD0090DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0291DCC3E6F7FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF
+3AACE5008EDB0093DD0093DD008CDB8DCFF0FFFFFF56B7E8008CDB0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008EDB1A9CE0BDE3F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFB3DFF51298DF008FDC0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB4EB4E7FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E7F8
+0191DC0092DD0093DD0090DC189DE0F9FCFEA2D8F3008DDB0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD008EDC1F9EE0D5EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFCDEAF8199CE0008FDC0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0493DDD1ECF9FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF65BEEB
+008CDB0093DD0093DD008CDB80C9EEEDF7FD1199DF0090DC0093DD0093DD0093DD0093DD
+0093DD0093DD0090DC1398DFD1ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC3E6F70B95DD0091DC0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB78C6EDFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FD179DE0
+0090DC0093DD0092DD0594DEE4F3FB60BCEA008CDB0093DD0093DD0093DD0093DD0093DD
+0093DD0092DD008FDCACDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FD7F2008EDB0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC29A5E3F9FCFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB4DFF5008FDC
+0093DD0093DD008EDB49B2E7CBE9F80492DD0092DD0093DD0093DD0093DD0093DD0093DD
+0093DD008DDB64BDEBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF51B5E8008DDB0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DCC8E8F8
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6AC0EB008CDB
+0093DD0093DD008DDB8DCFF057B8E9008DDB0093DD0093DD0093DD0093DD0093DD0093DD
+0091DC1199DFE7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDBEFFA0B96DE0091DC0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB7FC9EE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF36AAE4008FDC
+0093DD0093DD0694DD85CBEF0996DE0092DD0093DD0093DD0093DD0093DD0093DD0093DD
+008CDB75C5ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF69BFEB008CDB0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB46B0E7
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0091DC23A2E252B6E8008EDC0093DD0093DD0093DD0093DD0093DD0093DD0092DD
+0895DDD9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD0EBF90493DD0092DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC189DE0
+F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC6E7F70091DD0093DD
+0093DD0091DC1FA0E1169CE00091DC0093DD0093DD0093DD0093DD0093DD0093DD008EDB
+40AEE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF2EA7E3008FDC0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0394DD
+D2ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA5D9F3008EDB0093DD
+0093DD0093DD0294DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB
+89CDEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF72C3EC008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC
+B8E1F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8CCFF0008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC
+BAE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA8DAF3008EDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB
+9FD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF77C5ED008CDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0495DE
+D4EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E8F80092DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008DDB
+8CCFF0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6AC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC0C99DF
+E4F3FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDBF0FB0797DE0092DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE5F4FC0E99DF0092DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF7FD139BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6DC1EB008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC129BDF
+F1F8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF1F8FD129BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB
+7FC9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFF7FBFEF4FAFDF4FAFEF4FAFEF4FAFE66BEEA008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC119BDF
+E3F3FCF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFE
+F4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFE
+F4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEF4FAFEE3F3FC119BDF0091DC
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0087D9
+80C9EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF58B8E91E9BDF1EA0E11EA0E11EA0E10D98DF0092DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0294DD
+1C9FE11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E1
+1EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E1
+1EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11EA0E11C9FE10294DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD008EDB008FDC58B7E8
+E3F3FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FBB6E0F591D0F071C2EC
+53B5E841AEE637AAE436AAE436A9E43FADE554B6E872C3EC91D0F0B5DFF5DDF0FAFCFDFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFEFEFFE0F2FBDDF0FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FADDF1FA
+DDF1FADDF1FADDF1FADDF1FADDF1FADDF0FAE5F4FBEEF8FDF6FBFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FBB7E0F593D0F071C2EC53B5E8
+41AEE536AAE436AAE436A9E43EADE553B6E870C2EC90D0F0B6DFF5DEF1FBFCFDFEFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF3DADE5008BDA0090DC0090DC0090DC0092DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC
+0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC
+0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0090DC0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDB37A8E4B1DEF4FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFEFFFFC7E7F780C8EE39AAE40E98DF008FDC008DDB008CDB
+008DDB008EDB008FDC008FDC008FDC008EDB008DDB008CDB008DDB008FDC0A96DE2CA4E2
+62BCEAA2D7F2DAEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFDFEFF3FADE60993DD0997DE0997DE0997DE0997DE0997DE0997DE0997DE0997DE
+0997DE0997DE0997DE0997DE0997DE0996DE0D99DF159BE023A1E13AABE467BEEAA2D6F2
+DBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFC7E7F77FC7EE37A9E40F98DF008FDC008DDB008CDB008DDB
+008EDB008FDC008FDC008FDC008EDC008DDB008CDB008DDB008FDC0A97DE2CA4E260BBEA
+A4D7F3DAEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0092DD008EDB008DDB2EA5E3A1D6F2FCFEFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFF9FDFEA1D7F238A9E40091DC008CDB008FDC0091DC0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC
+008DDB008DDB0895DE40ACE590CFF0EBF6FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF58B8E9008BDA0092DD0092DD0092DD0092DD0092DD0092DD0092DD0092DD
+0092DD0092DD0092DD0092DD0092DD0092DD0091DC0091DC0090DC008FDC008DDB008DDB
+0995DE4CB2E7B4DFF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFF9FDFEA1D6F239A9E40091DC008CDB008FDC0091DC0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC008DDB
+008DDB0996DE3FACE591D0F0ECF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0091DC008DDB0090DC3DABE4A1D7F2F8FCFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFAFDDF434A7E3008DDB008EDC0092DD0093DD0093DD0093DD0093DD0092DD0090DC
+008EDB008DDB008CDB008DDB008DDB008CDB008DDB008EDB0090DC0092DD0093DD0093DD
+0093DD0093DD0092DD008EDB0089D99DD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF62BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0091DC008DDB
+008DDB008DDB008DDB008DDB008DDB008EDB0090DC0092DD0093DD0093DD0093DD0093DD
+0092DD008DDB008FDC4CB1E7D1ECF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+B0DDF535A7E3008DDB008EDC0092DD0093DD0093DD0093DD0093DD0092DD0090DC008EDB
+008DDB008CDB008DDB008DDB008CDB008DDB008EDB0090DC0092DD0093DD0093DD0093DD
+0093DD0092DD008EDC0089D9A8DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DC
+008DDB008DDB1A9CE061BAEAC0E4F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF8FC
+63BCEA008EDC008EDC0093DD0093DD0093DD0093DD0093DD0091DD008DDB0090DC22A1E1
+4BB3E76FC2EC86CCEF94D2F194D2F186CCEF6DC1EB4AB2E722A1E10092DD008CDB008FDC
+0093DD0093DD0093DD0093DD008EDB9DD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0091DC25A3E261BCEA
+61BCEA61BCEA61BCEA61BCEA5BBAE944AFE621A1E10090DC008DDB0092DD0093DD0093DD
+0093DD0093DD0093DD008CDB1097DEABDBF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FD63BBEA
+008FDC008EDC0093DD0093DD0093DD0093DD0093DD0091DD008DDB0091DC22A1E14AB2E7
+6EC1EB87CCEF94D2F194D2F185CBEF6CC0EB4AB2E723A1E10092DD008CDB008FDC0093DD
+0093DD0093DD0093DD008EDBA8DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC008CDB008EDB1299DF
+50B4E7A3D7F2ECF7FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD5EDF92BA4E2
+008CDB0092DD0093DD0093DD0093DD0093DD0092DD008DDB0C96DE63BCEABDE3F6F5FBFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFEC7E7F780C8EE2BA4E2
+008FDC008EDB0092DD0093DD008EDB9ED6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB66BEEBFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4FAFDBDE3F655B6E80090DC0090DC0093DD
+0093DD0093DD0093DD0093DD0090DC008FDCA0D7F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD6EEFA2DA4E2008BDB
+0092DD0093DD0093DD0093DD0093DD0093DD008DDB0B96DE63BCE9BEE3F6F5FBFEFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFEC8E7F782C9EE2CA4E2008FDC
+008EDB0092DD0093DD008EDBA9DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0092DD008FDC008DDB008DDB0494DD2AA4E268BEEAA6D9F3E6F4FB
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFE9F6FC93D1F1FEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC2E6F71A9BE0008EDB
+0093DD0093DD0093DD0093DD0093DD0091DC008FDC5CB9E9D6EEFAFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FCFE
+B1DEF549B0E60090DC008EDB008EDB9ED6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAEDCF41499DF008FDC
+0093DD0093DD0093DD0093DD0093DD0090DC0894DDC6E7F8FFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC8E8F81A9BDF008EDB0093DD
+0093DD0093DD0093DD0093DD0091DC008FDC5AB8E8D4ECF9FFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FCFEB1DEF5
+49B0E60090DC008EDB008EDBA9DAF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DC008FDC
+008DDB008DDB008FDC0996DE2DA6E35FBAE99BD4F1D3ECF9F9FCFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF4FAFD3AAAE440AEE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD0ECF91399DF008EDC0093DD
+0093DD0093DD0093DD0093DD008FDC0B95DE9ED5F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFB5DFF536A8E30087D99AD4F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC6E7F80F96DE
+0091DC0093DD0093DD0093DD0093DD0093DD008EDB2CA6E3F6FBFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEBF9169ADF008EDB0093DD0093DD
+0093DD0093DD0093DD0090DC0A95DE9FD6F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFB7E0F537A8E40087D9A5D8F3FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0092DD0091DC0090DC008FDC008EDB008DDB008DDB008EDB0394DD199DE035A9E4
+60BBE98ECEF0B8E1F6DCF0FAFCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFEEF8FD43AEE60087D951B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB209FE1008EDB0093DD0093DD
+0093DD0093DD0093DD008FDC1399DEC0E5F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF9FDFE84C9EEAADBF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF99D4F2
+008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDBA2D8F2FFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FB209FE1008EDB0093DD0093DD0093DD
+0093DD0093DD0090DC0F97DEBBE2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFAFDFE85CAEEB3DFF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0092DD0091DC008FDC008EDB008DDB008DDB008CDB008DDB008EDB
+0090DC0495DD0E99DF1E9FE131A7E34AB2E76FC2EC91D0F0B0DDF4D3ECF9F0F8FDFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFE4F4FC36A8E3008CDB008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF48B1E7008CDB0093DD0093DD0093DD
+0093DD0093DD0091DC0793DDBDE3F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFF
+2FA7E3008FDC0093DD0093DD0093DD0093DD0093DD008EDB3AACE5FEFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFEFF4AB2E7008CDB0093DD0093DD0093DD0093DD
+0093DD0091DC0692DDB9E2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC
+008EDB008CDB008EDC0294DD139BDF2CA5E342AFE659B8E969BFEB7CC7ED91D0F0ACDBF4
+C3E5F7D5EDF9E6F4FCF4FAFDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+CDEAF924A0E1008DDB0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ECFF0008CDB0093DD0093DD0093DD0093DD
+0093DD0093DD008DDB94D2F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFEE1F2FBC7E7F7BDE3F6BDE3F6
+C0E4F6D7EEF9F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+93D1F0008DDB0093DD0093DD0093DD0093DD0093DD0092DD0795DEDBF0FAFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8CCFF0008CDB0093DD0093DD0093DD0093DD0093DD
+0093DD008DDB92D1F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0090DC008CDB0090DC1C9EE0
+4AB1E778C5EDAFDCF4D2EBF9EBF6FCFCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4
+1398DF008EDB0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE0F2FB0F98DF0090DC0093DD0093DD0093DD0093DD
+0093DD008DDB4CB3E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEAF6FC9ED6F29ED6F29ED6F29ED6F29ED6F29ED6F29ED4F1D7EEFA
+FFFFFFFFFFFFFFFFFFFFFFFFF4FBFEAEDCF45DB9E928A3E20B97DE0091DC008FDC008FDC
+008FDC0695DE1A9DE044AFE691CFF0E0F2FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE7F5FC9ED5F29ED6F29ED6F2
+9ED6F29ED6F29ED6F29ED4F1B6E0F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB9E1F69ED4F19ED6F29ED6F2
+9ED6F29ED6F29ED6F29ED4F2DEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+D4EDF90594DD0092DD0093DD0093DD0093DD0093DD0093DD008EDCA9DBF3FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFE4F3FB1099DF0090DC0093DD0093DD0093DD0093DD0093DD
+008DDB49B2E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0091DC008DDB0090DC2AA3E275C4ECBDE3F6F1F9FD
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF7FC8EE0090DC
+0090DC0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6BC1EB008CDB0093DD0093DD0093DD0093DD0093DD
+0092DC0A95DDD8EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFDBF0FA0092DD008CDB008EDB008EDB008EDB008EDB0087D98FD0F0
+FFFFFFFFFFFFFFFFFFA1D7F32AA2E2008EDB008DDB0090DC0091DD0092DD0093DD0093DD
+0093DD0092DD0091DC008EDB008CDB1198DF7FC8EEF7FCFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD1EBF9008FDC008CDB008EDB
+008EDB008EDB008EDB0087D953B6E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF57B8E90087D9008EDB008EDB
+008EDB008EDB008DDB008CDBC4E6F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+F6FBFE1EA0E10090DC0093DD0093DD0093DD0093DD0093DD008CDB88CDEFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF6BC0EB008CDB0093DD0093DD0093DD0093DD0093DD0091DC
+0995DED6EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0091DC008CDB0D97DE60BAE9B8E0F5F9FCFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDDF1FA49B0E6008DDB0092DD
+0093DD0093DD0093DD0093DD008ADA4DB3E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFE1F3FB0D98DF0091DD0093DD0093DD0093DD0093DD0093DD
+008CDB66BFEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB93D2F1
+FFFFFFF6FBFE5DBAE9008DDB008FDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0091DC008BDB3BAAE4E1F2FBFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE8F5FC0F9ADF0091DC0093DD
+0093DD0093DD0093DD008DDB71C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7BC7ED008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FEFFFF33A9E4008FDC0093DD0093DD0093DD0093DD0093DD008DDB72C3ECFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFE2F2FB0C97DE0091DC0093DD0093DD0093DD0093DD0093DD008DDB
+65BEEBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0092DD008DDB0D96DE71C1ECDBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA4D8F31A9BDF008DDB0093DD0093DD
+0093DD0093DD008FDC008EDB1C9ADF6ABFEBFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF84CBEE008CDB0093DD0093DD0093DD0093DD0093DD0092DD
+0492DDCEEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB98D4F1
+FFFFFF50B4E7008BDA0092DD0093DD0093DD0093DD0092DD0092DD0092DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD008CDB2AA3E2E7F5FCFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF81C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFF37ABE4008FDC0093DD0093DD0093DD0093DD0093DD008DDB69BFEBFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF84CBEF008CDB0093DD0093DD0093DD0093DD0093DD0092DD0393DD
+CFEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0093DD0093DD
+008FDC0091DC63BCEAD9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDDF1FB57B7E8008EDB0090DC0093DD0093DD0093DD
+0090DC008DDB33A7E3A5D8F3F1F9FDACDCF4FDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFBFDFF2CA6E3008FDC0093DD0093DD0093DD0093DD0093DD008FDB
+32A8E4FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDBA1D8F2
+83CAEE008BDA0093DD0093DD008FDC008DDB008EDB0091DC0093DD0091DC008EDB008DDB
+0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD008BDA4EB4E7FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FEFFFF33A9E4008FDC0093DD0093DD0093DD0093DD0093DD008CDB73C3ECFFFFFFFFFFFF
+FFFFFFFFFFFFFEFEFF31A8E4008FDC0093DD0093DD0093DD0093DD0093DD008FDC2BA6E3
+FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0093DD0092DD008CDB
+2AA3E2B7E0F5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF6FBFE8DCEEF1499DF008CDB0092DD0093DD0093DD0091DC008CDB
+209EE097D2F1F9FCFEFFFFFFC6E7F756B7E9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFD4ECF90394DD0092DD0093DD0093DD0093DD0093DD0093DD008CDB
+6EC1ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0092DD45B0E6
+0695DE0092DD0090DC008FDC31A7E37DC7EEADDCF4C6E7F7CDEAF8C5E6F7A7D9F368BEEB
+189CE0008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD008FDCBAE2F6FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+F7FCFE21A1E20090DC0093DD0093DD0093DD0093DD0093DD008DDB8BCEEFFFFFFFFFFFFF
+FFFFFFFFFFFFD3ECF90493DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0093DD0091DC008EDB66BDEA
+F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFEFFFFA5D8F32CA3E2008DDB0091DC0093DD0093DD0092DD008CDB0B95DE78C5EC
+ECF7FCFFFFFFFFFFFFF8FCFE2BA4E245B0E6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF91D0F1008CDB0093DD0093DD0093DD0093DD0093DD0093DD008EDB
+B0DDF5FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0091DC
+0092DD008EDB1D9DE0ACDBF4FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+E8F5FC65BDEA008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB52B6E8FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+D9EFFA0695DD0092DD0093DD0093DD0093DD0093DD0093DD008EDBACDCF4FFFFFFFFFFFF
+FFFFFFFFFFFF95D2F1008DDB0093DD0093DD0093DD0093DD0093DD0093DD008EDBACDCF4
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD0093DD0090DC0793DD97D3F1FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFE
+ABDBF43BABE4008EDB008FDC0093DD0093DD0093DD008EDB0091DC54B5E7D2ECF9FFFFFF
+FFFFFFFFFFFFFFFFFF79C7ED0087D951B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF57B8E9008DDB0093DD0093DD0093DD0093DD0093DD0092DD0696DE
+DBEFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0093DD
+008FDC229FE1D8EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF66BEEA008DDB0093DD0093DD0093DD0093DD0093DD0090DC189EE0F2F9FD
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+9AD4F1008DDB0093DD0093DD0093DD0093DD0093DD0092DD0896DEDDF1FBFFFFFFFFFFFF
+FFFFFFFFFFFF56B7E8008DDB0093DD0093DD0093DD0093DD0093DD0092DD0796DEDAEFFA
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB0093DD008FDB1399DFB8E1F6FFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEAF6FC96D1F02FA5E3
+008EDB008EDC0093DD0093DD0092DD008DDB008EDB44AEE5BDE3F6FFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFA9DBF3008FDC008CDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFBFDFF2BA5E3008FDC0093DD0093DD0093DD0093DD0093DD0090DC1FA0E1
+F6FBFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD0092DC
+0894DDC8E8F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFEEF7FD189DE00090DC0093DD0093DD0093DD0093DD0092DD0495DED6EDFA
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+3BACE5008EDB0093DD0093DD0093DD0093DD0093DD008EDB3DADE5FFFFFFFFFFFFFFFFFF
+FFFFFFFCFEFF2BA6E3008FDC0093DD0093DD0093DD0093DD0093DD0090DC23A2E2F9FCFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008EDB008FDC169ADFC7E8F8FFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFEBBE2F66BBFEB189CE0008DDB008FDC
+0093DD0092DD0090DC008CDB0292DD47AFE6AEDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFCEEBF90F97DE0090DC008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFE6F4FC0D99DF0091DC0093DD0093DD0093DD0093DD0093DD008EDB42AFE6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD008DDB
+61BCEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF6BC0EC008DDB0093DD0093DD0093DD0093DD0093DD0090DCC1E5F7
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFB7E1F5
+0190DC0093DD0093DD0093DD0093DD0093DD0093DD008DDBA2D7F2FFFFFFFFFFFFFFFFFF
+FFFFFFEAF6FD129BDF0091DC0093DD0093DD0093DD0093DD0093DD008EDB3CACE5FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF42AFE6008ADA1198DECAE9F8FFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEFF8FDB7E0F571C2EC28A2E20090DC008CDB0090DC0091DC008EDB
+008DDB0091DC27A2E273C3ECCDE9F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+E0F2FB219FE1008EDC0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFD0EBF80294DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB5CBAE9
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0092DD0292DD
+CBE9F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFA7DAF3008DDB0093DD0093DD0093DD0093DD0093DD008FDCBCE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2FAFD2BA4E2
+008FDC0093DD0093DD0093DD0093DD0093DD008EDC2BA5E3F5FBFEFFFFFFFFFFFFFFFFFF
+FFFFFFCFEBF80193DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB58B9E8FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF3DADE5038EDCB9E2F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3FAFDD8EEFA
+B1DDF479C5ED44AFE6169BE0008DDB0089DA008BDA008CDB008DDB0091DC1A9DE046B0E6
+89CCEFC5E6F7F7FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE9F6FC
+31A6E3008DDB0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFC0E4F70090DC0093DD0093DD0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFEF6FBFE
+F6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF5FBFEFDFEFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD0090DC27A4E2
+FAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBEE4F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF6FBFE4FB3E7008DDB
+0093DD0093DD0093DD0093DD0093DD0090DC0592DDC2E5F7FFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFB8E1F5008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB75C4ECFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF9FDFEF6FBFEF6FBFE
+F6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF5FBFEFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF37AAE48FD0F0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFAFDFEDCF0FABEE3F6A7D9F38CCEEF72C3EC56B7E836A9E4159BE00091DC
+008DDB008CDB0090DC0796DE199DE02EA6E347B0E674C3EC9BD4F1C6E6F7EFF8FDFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE6F5FC35A8E3
+008DDB0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFAEDCF4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB7FC9EE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4229DE0
+22A1E122A1E122A1E122A1E122A1E122A0E12FA7E3EBF6FCFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB51B5E8
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB62BDEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEAF83FADE5008DDB0093DD
+0093DD0093DD0093DD0093DD0091DC008EDB95D3F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFAADCF4008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB84CBEFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDDF4229DE022A1E1
+22A1E122A1E122A1E122A1E122A0E133A9E4EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFCFEFFADDCF4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFCFEFFEFF8FDE3F3FBD4EDF9C4E6F7BAE1F6B5E0F5B2DEF5B6E0F5BAE2F6
+C5E6F7CCE9F8D7EEFAE4F4FBF1F9FDFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD8EEFA2BA3E2008DDB
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFA8D9F4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB82CAEE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC2E5F7008EDC
+008FDC0090DC0090DC0090DC0090DC008CDB23A2E2FAFDFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB63BDEA
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB5DBAE9F4FAFE
+F4FAFEF4FAFEF4FAFEF2FAFDE9F5FCCBE9F89DD5F250B4E70794DD008EDC0093DD0093DD
+0093DD0093DD0093DD008EDB0491DD98D4F1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFF9ED6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB8FD0F0FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBBE2F6008CDB0090DC
+0090DC0090DC0090DC0090DC008CDB23A2E2FAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFE4F61B9CE0008EDB0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF9CD5F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB94D2F1
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAE8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC33A9E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB6FC2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0092DD0B98DE1EA0E1
+1EA0E11EA0E11EA0E11B9FE1109ADF0093DD008DDB008EDB0092DD0093DD0093DD0093DD
+0093DD0090DC008CDB2BA3E2B8E1F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFF9ED6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB8FD0F0FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8FCFF00793DD008FDC0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFA7D9F4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB88CDEF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC
+0090DC0090DC0090DC0090DC0091DC0092DD0093DD0093DD0093DD0093DD0091DC008EDB
+008CDB1B9CE083CAEEF3FAFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFF9DD6F2008EDB0093DD0093DD0093DD0093DD0093DD0093DD008DDB90D0F0FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDEF1FB54B5E8008DDB0091DC0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFABDBF4008EDB0093DD0093DD0093DD0093DD0093DD0093DD008CDB80C9EE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0093DD0092DD0090DC
+0090DC0090DC0090DC0090DC008FDC008FDC008EDB008DDB008CDB008FDC0F98DF49B1E6
+97D2F1EBF6FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFA7DAF3008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB89CDEFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFDFFFF98D3F1179BDF008CDB0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD0093DD008DDB78C5ED
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD0092DD0D98DF22A1E1
+22A1E122A1E122A1E123A2E130A7E335A9E446B0E65EBAE981C8EEB3DEF5E3F3FBFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFB8E1F5008EDC0093DD0093DD0093DD0093DD0093DD0093DD008CDB7CC7EDFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFB7E0F53CABE5008DDB0090DC0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFCEEAF80293DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB65BEEB
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB5EBAEAF6FBFE
+F6FBFEF6FBFEF6FBFEF6FBFEFEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFCCEAF80193DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB65BEEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF
+BBE2F648B0E60090DC008EDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFE2F2FB0B98DF0091DC0093DD0093DD0093DD0093DD0093DD008DDB4DB4E7
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB62BDEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFE7F5FC0E99DF0091DD0093DD0093DD0093DD0093DD0093DD008EDB47B1E7FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FC9BD4F138A9E4
+0091DC008EDB0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFAFCFF26A3E20090DC0093DD0093DD0093DD0093DD0093DD008FDC2EA7E3
+FDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFAFDFE27A4E2008FDC0093DD0093DD0093DD0093DD0093DD008FDC2DA6E3FCFEFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFF8FDBAE1F568BEEB1A9CE0008DDB008EDC
+0092DD0093DD0093DD0093DD0093DD0093DD0090DC008DDB0091DC0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF50B5E8008DDB0093DD0093DD0093DD0093DD0093DD0091DC0F9ADF
+E7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF4DB4E7008EDB0093DD0093DD0093DD0093DD0093DD0091DC119BDFEAF6FD
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFDDF0FAA5D8F35DB9E91D9EE1008FDC008DDB0090DC0093DD0093DD
+0093DD0093DD0093DD0092DD008DDB008EDB23A1E184CBEE79C6ED0090DC0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF86CCEF008CDB0093DD0093DD0093DD0093DD0093DD0093DD0090DC
+C2E5F7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF8ACDEF008CDB0093DD0093DD0093DD0093DD0093DD0093DD0090DCBEE4F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFE8F5FCC1E5F7
+96D2F168BEEB34A8E40996DE008EDB008DDB0090DC0093DD0093DD0093DD0093DD0093DD
+0092DD008FDC008CDB0794DD4FB3E7A9DAF3F7FCFEF5FBFE34A8E40090DC0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFC8E8F80192DD0092DD0093DD0093DD0093DD0093DD0093DD008DDB
+83CAEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFC8E8F80191DC0093DD0093DD0093DD0093DD0093DD0093DD008DDB86CCEF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFCFEFFFAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FAFDFEF3FAFDEBF7FCD9EFFAC5E6F7AEDCF494D1F175C4EC4CB3E72CA5E3119ADF0091DC
+008DDB008DDB008FDC0092DD0093DD0093DD0093DD0093DD0092DD0091DC008EDC008CDB
+0090DC2BA3E27CC7EDD5EDF9FFFFFFFFFFFFF7FCFE39ABE4008DDB0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF6FBFE1FA0E10090DC0093DD0093DD0093DD0093DD0093DD008EDB
+43B0E6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF80C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFF9FCFF25A3E2008FDC0093DD0093DD0093DD0093DD0093DD008EDB3BADE5
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFE3F3FBA7D9F372C2EC53B5E83CACE533A9E427A3E224A2E2
+1D9FE1149CE00B97DE0194DD008FDC008CDB008CDB008BDB008DDB008EDB0090DC0091DC
+0091DC0091DC0090DC008FDC008EDC008DDB008CDB008DDB0091DC159BDF3EACE584CAEE
+C4E6F7F8FCFEFFFFFFFFFFFFFFFFFFF1F9FD49B1E6008DDB0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF6FC2EC008CDB0093DD0093DD0093DD0093DD0093DD0092DD
+0B97DEDEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF81C9EE008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFF6EC2EC008CDB0093DD0093DD0093DD0093DD0093DD0092DD0896DE
+DDF0FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2FAFDDAEFFAB6DFF592D0F075C4EC52B5E8
+36A9E428A4E21C9EE1129ADF0D98DF0A97DE0595DE0595DE0595DE0595DE0595DE0A97DE
+0C98DF129BDF1D9FE12BA5E33BABE555B6E87CC7ED9DD5F2C3E5F7ECF6FCFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFE8F6FC41ADE5008CDB0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFCEEAF90392DC0092DD0093DD0093DD0093DD0093DD0093DD
+008CDB82CBEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB70C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7BC7ED008CDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFCFEAF80393DD0092DD0093DD0093DD0093DD0093DD0093DD008CDB
+81CAEEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFDFEFFF5FBFEEFF8FDE6F4FCE0F2FBD6EEFAD5EDF9D5EDF9D5EDF9D5EDF9DFF1FB
+E3F3FBEDF7FDF3FAFDFBFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFCAE8F826A1E1008DDB0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4AB3E7008DDB0093DD0093DD0093DD0093DD0093DD
+0090DC1A9DE0EDF7FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD
+0093DD0093DD0093DD008DDB71C2ECFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF67BEEB008DDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFF4AB3E7008DDB0093DD0093DD0093DD0093DD0093DD0090DC
+199DE0EDF7FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFEFFFF91D0F00C95DE008EDC0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC1E5F70090DC0092DD0093DD0093DD0093DD0093DD
+0093DD008CDB7DC8EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFECF7FD119BDF0091DC0093DD
+0093DD0093DD0093DD008DDB60BBEAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF36AAE5008FDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFC4E6F70191DC0092DD0093DD0093DD0093DD0093DD0093DD
+008CDB78C6EDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+D0EBF945AEE5008DDB0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF59B9E9008CDB0093DD0093DD0093DD0093DD
+0093DD0091DC0A95DECFEBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5FAFE1EA0E10090DC0093DD
+0093DD0093DD0093DD008FDC2FA7E3FEFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEAF80392DD0092DD0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5BBAE9008BDB0093DD0093DD0093DD0093DD0093DD
+0091DD0994DDCEEAF8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE1F2FB72C2EC
+0B95DE008DDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB189CE0008FDC0093DD0093DD0093DD
+0093DD0093DD008EDC2DA5E2EDF8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3BACE5008EDC0093DD
+0093DD0093DD0093DD0092DD0392DDC9E8F8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52B6E8008EDB0093DD0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F3FB199CE00090DC0093DD0093DD0093DD0093DD
+0093DD008EDC2BA4E2EDF8FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F4FB79C5ED1499DF008CDB
+0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFADDCF4008FDB0092DD0093DD0093DD
+0093DD0093DD0093DD008DDB44AFE6F1F9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC9E8F80092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF65BEEB008CDB0093DD
+0093DD0093DD0093DD0093DD008EDB43AFE6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CCEF008DDB0093DD0093DD0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAFDDF4008FDC0092DD0093DD0093DD0093DD
+0093DD0093DD008DDB40ADE5EFF9FDFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCDEAF80093DD0092DD
+0093DD0093DD0093DD0093DD008FDC36AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCAE8F866BDEA159ADF008CDB0091DC0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CCEF008DDB0092DD0093DD
+0093DD0093DD0093DD0093DD008DDB37A9E4D8EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD1ECF90092DD
+0092DD0093DD0093DD0093DD0093DD008FDC32A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA3D8F3008DDB0093DD
+0093DD0093DD0093DD0093DD0093DD008EDB64BCEAF5FBFDFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFEFF8FD6EC0EB008FDC0092DD0092DD0093DD0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF85CBEF008DDB0092DD0093DD0093DD
+0093DD0093DD0093DD008DDB37A9E3D9EFFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD5EEF90093DD0092DD
+0093DD0093DD0093DD0093DD008FDC37AAE4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFDEF1FB93D0F03EACE50192DD008DDB0091DC0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF71C3EC008CDB0092DD
+0093DD0093DD0093DD0093DD0093DD008EDB159ADF98D3F1F7FCFEFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFEFF98D3F10091DC
+0092DD0093DD0093DD0093DD0093DD008FDC33A8E4FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEDF8FD179DE00090DC
+0093DD0093DD0093DD0093DD0093DD0093DD008DDB2FA5E39DD5F2DEF1FBF6FBFEFBFDFE
+FAFDFEF0F9FDD2ECF988CCEF25A1E1008DDB0092DD0091DC0896DE0194DD0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF75C4ED008CDB0092DD0093DD
+0093DD0093DD0093DD0093DD008EDB1599DF97D3F1F7FCFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFF9BD5F10091DD0092DD
+0093DD0093DD0093DD0093DD008FDC33A9E4FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF4FAFD
+C6E6F787CBEF3EACE50C97DE008DDB008EDC0092DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF86CBEF008FDC
+008FDC0093DD0093DD0093DD0093DD0093DD0090DC008EDB2BA4E28DCEF0D9EFFAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE2F3FB9AD3F138A9E40090DC0092DD
+0093DD0093DD0093DD0093DD0093DD0090DC20A1E1F6FBFEFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBDE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF8ECFF0008BDA
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD008FDC008EDB0A97DE21A1E12AA5E3
+29A4E3199EE00394DD008DDB0090DC0093DD008FDC21A1E187CCEF0191DC0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF88CCEF008FDC008FDC
+0093DD0093DD0093DD0093DD0093DD0090DC008EDB2CA4E28ECEF0DBEFFAFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE3F3FB99D3F138A9E40090DC0092DD0093DD
+0093DD0093DD0093DD0093DD008FDC23A2E2F8FCFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FCFEE6F4FCCDE9F8AEDCF484CAEE4DB3E71F9FE1
+0092DC008CDB008EDC0091DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAADBF4
+1C9CE0008CDB0092DD0093DD0093DD0093DD0093DD0093DD008FDC008DDB0996DE33A8E3
+5FBBEA84CBEE8FD0F08FD0F089CDEF6CC1EB3BABE50F98DF008DDB008FDC0093DD0093DD
+0093DD0093DD0093DD0093DD0092DD008DDB008FDCD5EDF9FFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEDF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB70C2EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBDE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBEE3F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFDFE47B1E6
+008BDB0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0091DD0090DC008FDC
+0090DC0090DC0092DD0093DD0093DD008FDC0B95DDC8E8F8B7E1F6008EDB0093DD0093DD
+0093DD0093DD0092DD0997DEDDF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF61BCEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB61BCEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAADBF41C9CE0
+008CDB0092DD0093DD0093DD0093DD0093DD0093DD008FDC008DDB0A96DE32A8E35DBAE9
+83CAEE8FD0F08FD0F08ACDEF6CC0EB3CABE51099DF008DDB008FDC0093DD0093DD0093DD
+0093DD0093DD0093DD0092DD008EDB0090DCD6EEFAFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE1F2FBBAE1F68DCEF0
+6BC0EB58B8E94AB2E742AEE642AFE642AFE642AFE642AEE64AB2E751B5E856B8E861BCEA
+61BCEA61BCEA57B8E94DB3E73BACE524A2E20E99DF0093DD008EDC008DDB008EDB0090DC
+0092DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+E3F3FB5FBAE90291DC008DDB0091DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC
+008DDB008CDB008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD0093DD
+0093DD0091DC008EDB008CDB0494DD35A8E484CAEEE9F6FCFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFEEF7FD129BDF0091DC0093DD0093DD0093DD0093DD008DDB6EC1EC
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFBEE3F6008FDC0093DD0093DD0093DD0093DD0093DD008FDCBAE2F6
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFF8FD
+42AEE6008ADA0091DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB0E96DEB5E0F5FFFFFFA9DAF4008EDB0093DD0093DD
+0093DD0093DD0092DD0A97DEDEF2FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF62BDEA008DDB0093DD0093DD0093DD0093DD0093DD008DDB63BDEAFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE4F4FB
+61BBE90191DC008DDB0091DD0093DD0093DD0093DD0093DD0093DD0092DD008FDC008DDB
+008CDB008DDB008DDB008DDB008DDB008FDC0091DC0093DD0093DD0093DD0093DD0093DD
+0091DC008EDB008CDB0393DD34A8E481C9EEE7F5FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCEEAF881C8EE3DACE50C97DE008FDC008DDB
+008DDB008DDB008EDB008EDB008EDB008EDB008EDB008EDB008EDB008EDB008DDB008DDB
+008DDB008DDB008DDB008EDB008EDC0090DC0091DC0092DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD008DDB51B5E8FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFC4E6F75BB7E90C97DE008CDB008DDB0090DC0092DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DC008FDC008DDB
+008EDC1199DF4BB2E78DCDF0D1EBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFE9F5FC0997DE008EDB0090DC0090DC0090DC0090DC008ADA58B8E9
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFB6E0F5008CDB0090DC0090DC0090DC0090DC0090DC008ADA9FD6F3
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+F5FBFE70C2EC0894DD008CDB0090DC0093DD0093DD0093DD0093DD0093DD0093DD0093DD
+0093DD0092DD008EDB008DDB3BAAE4CBE9F8FFFFFFFFFFFFA7D9F4008BDA0090DC0090DC
+0090DC0090DC008FDC0092DCD3EDF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFF50B5E8008ADA0090DC0090DC0090DC0090DC0090DC008ADA4DB4E8FFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFC2E5F75AB7E80D97DE008DDB008EDB0090DC0092DD0093DD0093DD0093DD0093DD
+0093DD0093DD0093DD0093DD0093DD0093DD0093DD0092DD0091DD008FDC008DDB008EDC
+1199DF4AB1E78DCEEFD1EBF9FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF1F9FDA6D9F339A9E4008CDB0086D90088DA008BDB008CDB008DDB
+008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB
+008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB
+008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB
+008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB008DDB
+008DDB008DDB008DDB008DDB0086D947B1E7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFDDF1FA93D0F050B3E71B9DE00293DD008EDC008DDB008CDB
+008CDB008DDB008DDB008DDB008CDB008CDB008DDB008EDB0091DC0D98DF35A8E36ABFEB
+AFDCF4E5F4FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFD8EEFA26A2E222A0E122A1E122A1E122A1E122A1E1229DE05AB9E9
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFA1D7F3229CE022A1E122A1E122A1E122A1E122A1E1229CE08FD0F0
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFCFEAF965BCEA1B9DE00090DC008DDB008CDB008CDB008DDB008CDB008DDB
+008EDC0B97DE44AEE5A6D8F3FBFDFEFFFFFFFFFFFFFFFFFFB4DFF5229DE022A1E122A1E1
+22A1E122A1E122A1E1219EE1BFE4F6FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFDFEFF4DB4E7229EE022A1E122A1E122A1E122A1E122A1E1229EE047B1E6FBFDFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFDFF1FB96D1F14EB3E71B9DE00293DD008EDC008DDB008CDB008CDB
+008DDB008DDB008DDB008CDB008CDB008DDB008EDB0091DC0D97DE34A8E36BBFEBAEDCF4
+E5F4FCFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFBFDFFABDCF466BCEA60BBE968BFEB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB
+6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB
+6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB
+6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB
+6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB6BC0EB
+6BC0EB6BC0EB6BC0EB6BC0EB6BBDEA9AD4F2FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FDD0EBF9B4DEF599D3F185CBEF
+73C3EC6BC0EB6BC0EB6BC0EB70C2EC82CAEE93D1F0A8DAF3C5E6F7E3F2FBFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFBFEFEF5FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFF8FCFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF8FCFE
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFEEF8FDC5E6F7A0D6F285CBEF77C5ED6DC1EC80C9EE94D1F1
+B4DEF5DEF1FBFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFEFFF6FBFEF6FBFEF6FBFE
+F6FBFEF6FBFEF6FBFEF6FBFEFAFDFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFEFFFFF5FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF6FBFEF4FBFDFDFEFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0F8FDD1EBF9B2DEF597D3F185CBEE72C3EC
+6BC0EB6BC0EB6BC0EB70C2EC81C9EE92D0F0A9DAF3C4E6F7E2F2FBFFFFFFFFFFFFFFFFFF
+FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+
+end
+%%PageTrailer
+%%Trailer
+%%EOF
diff --git a/doc/gnupg-logo.pdf b/doc/gnupg-logo.pdf
new file mode 100644
index 0000000..a2aab4a
--- /dev/null
+++ b/doc/gnupg-logo.pdf
Binary files differ
diff --git a/doc/gnupg-logo.png b/doc/gnupg-logo.png
new file mode 100644
index 0000000..a1556df
--- /dev/null
+++ b/doc/gnupg-logo.png
Binary files differ
diff --git a/doc/gnupg-module-overview.pdf b/doc/gnupg-module-overview.pdf
new file mode 100644
index 0000000..dcc5f39
--- /dev/null
+++ b/doc/gnupg-module-overview.pdf
@@ -0,0 +1,381 @@
+%PDF-1.4
+1 0 obj
+<<
+/Pages 2 0 R
+/Type /Catalog
+>>
+endobj
+2 0 obj
+<<
+/Type /Pages
+/Kids [ 3 0 R ]
+/Count 1
+>>
+endobj
+3 0 obj
+<<
+/Type /Page
+/Parent 2 0 R
+/Resources <<
+/XObject << /Im0 8 0 R >>
+/ProcSet 6 0 R >>
+/MediaBox [0 0 1052 744]
+/CropBox [0 0 1052 744]
+/Contents 4 0 R
+/Thumb 11 0 R
+>>
+endobj
+4 0 obj
+<<
+/Length 5 0 R
+>>
+stream
+q
+1052 0 0 744 0 0 cm
+/Im0 Do
+Q
+
+endstream
+endobj
+5 0 obj
+32
+endobj
+6 0 obj
+[ /PDF /Text /ImageC ]
+endobj
+7 0 obj
+<<
+>>
+endobj
+8 0 obj
+<<
+/Type /XObject
+/Subtype /Image
+/Name /Im0
+/Filter [ /RunLengthDecode ]
+/Width 1052
+/Height 744
+/ColorSpace 10 0 R
+/BitsPerComponent 8
+/SMask 15 0 R
+/Length 9 0 R
+>>
+stream
+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ©ÿ~ûúùÑŹŸ‹y‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹~vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vTb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb‹vb•€m¸§˜éãÞ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿðÿþþ~žŠx’^.Ì„@ÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜ~ŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽ]DÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÜŽDÖŠBµu9Y:I8'ßÖ΂ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿùÿ~õóñF5%¥j4ý£Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤fOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oç•HC+µ¤”‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿÿÿþþ~F5%Í„@ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤iOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý¢N\<Á²¤‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿƒÿ~ {¤j3ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤oOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oø M÷ôò‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~üûúü¢Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¸w9 {‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~Óǽ\-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸM$‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~£~Ê‚?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O% ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‰ÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+
+<<"ââÕ‚ÿðÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+oG"ÛD¹w9
+¬o5ÿ¤Oì˜I5"¤i3è•Hèj•H
+tK$ÚŒD•`.@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+¡h2ÿ¤Oÿ¤O6#”_.öžL˜b/óœKÿ¤Oÿ¤O?)ŒZ+ÿ¤Oì˜Iþ
+<'–`.ÔˆBJ0]-ÿ¤Oì˜Iþ
+yN%ßE›d0@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+X9ÙŒCÿ¤OôLþ
+ xM%œd0 ¹w9ì˜Iþ
+ {O&šc0 ½z;ì˜Iþ
+xM%@)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+
+ãä[þÿf÷øcþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf$$·¸JþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿxfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+úd¦§Cçè]þ
+||2ûüeþÿfòóa;;ÍÎR88 FFêë^þÿf99 ’“;ïð`>>ÇÈP((¡¢Aff)bb'þÿfþÿfþÿf ¦§CþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+ûd ¡¢Açè]þ
+œœ¤ððüððüððüÈÈÒþ
+e( ÞßYçè]þ
+ûüeþÿfþÿf¬­E00þÿfïð`þ
+ÿfþÿfþÿfçè]þ
+
+óôbþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ ÿfþÿfþÿfÛÜX‰‰f‚ÿöÿ~zgÚŒDÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤rOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OB+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+((*ççòððümms ððüððü||‚ððüððüããî'')mmsjjp<<?îîúííù335XX]ssy::=þ
+ÿfþÿfþÿfçè]þ
+ÿfþÿfþÿfçè]þ
+
+ ŽŽ•ððü88:NNRððüððüððüððüððüììøÀÀÊ::= ððüððüWW[ ððüððüððüððü,,.]]bððüððüððüððü\\a99<ððüððüððüððüððüððüððüääï 
+qqwððüððüããî WW[ððüððüÄÄÎþ
+
+ ZZ_ððüððüHHKHHKððüððüððüuu{ððüËËÕþ
+ÿfþÿfþÿfçè]þ
+€4þÿfþÿfïð`þ
+
+ ,,.,,. ððüððüWW[..0ððüððüððüððü
+
+ ï
+ääïððüÄÄÎþ
+xx~ððüððüððüððüððüððüððü©©²IIM!<<?ZZ_ððüððüHHKHHKððüððüððüuu{ððü®®·þ
+‰‰»»Å””›$$&þ UUYààëððüÞÞéþþ
+WW[¦¦®††Œ((*ììøððüþ2
+99<ŸŸ§••œ##% ××áððümms ððüððü||‚ððüððüÊÊÔþ==@££«¡¡©**,!!#ååð””›þ5xx~¹¹ÃŸŸ§002 779ØØãððüIIM&&(¾¾Èèèóððüuu{ððüððüˆˆŽþ
+((*~~„ÕÕß&&(ííùWW[557ððüððüððüððüððüÈÈÒGGJ@@CººÄððüððüððüððüððüððüîîú335ððüððüððüððüððüððü°°¹þ
+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿáÿ~€Éî
+þþ
+‚ÿ‚ÿ‚ÿæÿ á‚ÿ‚ÿ‚ÿ‚ÿüÿ ,¦ã
+
+??þÿfþÿfAAyy0ôõbII 
+ÞßYþÿfþÿfÃÄN oo,((þÿfþÿf\\%€344**þ
+@@îï`þÿfþÿfÆÇP oo,$$þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf
+
+ûüeûüe º»Kœ?èé]þÿf¯°Fôõbþÿfþÿf ÏÐSþÿfíî_§¨CþÿfÎÏSÏÐS×ØVþ
+((þÿfþÿf\\%ÔÕUþÿfž?õöbþÿf‡ˆ6TT"þÿfþÿfþÿf$$·¸Jþÿf£¤Bþ
+•Ù
+
+÷øcþÿfUU"CCæç\ÜÝXEEþ
+tt.ãä[¤¥BÓÔU×ØVþÿfþÿfþÿfll+tt.þÿfüýe++[[$ßàZ®¯F ++þÿfþÿf\\%||2þÿfþÿfóôbþ
+''þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf
+
+00³´HSS!þÿfþÿfll+
+
+¦§Cþÿf×ØVAA &&¨©Dþÿf×ØVþÿfþ7ÿfþÿfll+tt.þÿfþÿfÙÚWAAII“”;==þÿfþÿf\\%||2þÿfþÿfóôbþ
+ }}2üýeþÿfþÿfÛÜXCCGG–—<99þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf»¼KÛÛ‚ÿöÿ~þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿufþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿf
+õöbþÿfþÿfJJþÿfþÿf!! —˜=þÿfþÿfùúd**–—<þÿf«¬Eþ
+BBéê^þÿfäå\<<±²Gþÿfþÿfëì^þ
+š›>þÿfâã[AAþ
+
+@@ˆ‰7DD ((þÿfþÿfbb'
+zz1€3!! WW#þÿfþÿfãä[ UU":YY$ÍÎRþÿfëì^þ
+üýeþÿfüýe88((þÿfþÿfdd(³´Hþÿfþÿf¤¥B þÿfþÿfaa'XX#þÿfþÿfþÿþf )WW#þÿfëì^þ
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfðñ`UU5Ñÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoeeÂÿ~ôôê3þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ$fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ
+ÂÃNçè]ww0 âã[þÿf«¬E þÿfþÿfþÿf€3LLþÿfþÿfLLss.þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ fþÿfþÿfÑÑT””r¤ÿþ÷þŸþIþ þ=þÝþ×þ
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿféê]cdBÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¿ÿ~kk@ãä[þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ$fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÁÂM¤¤z‚ÿóÿ RR3ïï`þÿfþÿfþÿf{{1CCþÿfþÿfþÿfÂÃNþ
+aa'îï`þÿf:88þÿfþÿf÷øcþ
+
+88ÁÂNþÿfþÿf«¬E þÿfþÿfþÿf€3LLþÿfþÿfŸ @RR!þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿxfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfž?Ë˵§ÿþÎþ­ûÿþñþ.þsþ÷þþ¼ûÿþâþDþåþB 
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÂÃN§¨ˆÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¿ÿøøñþ
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþjÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfûüe
+ììäÑÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¼ÿ~ééÙWW0¯°Fö÷cþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfóóaŽ9€€T÷÷ï‚ÿíÿppMyz1÷øcþÿfõöb
+``&ßàZ¹ºJ!! þ
+ss.þÿfþÿfhh*%%ÉÊQÚÛXHH
+
+žŸ@þÿfùúd$$\\%ÞßYÇÈP‡ˆ6þÿfpp-!! ÄÅOÞßY^^& õöbþÿfëì^þ
+
+òòìÔÿ~áâÔÍÎRþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿféê^qq-ÑÒTº»K""‰Š7þÿfþÿf,,›œ>þÿfþÿfþÿfþÿfþÿfþÿfÆÇP‘:Ö×V¥¦B¹ºJþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿlfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfÊËQþ
+HHÁÂN''@@þÿfþÿf°±G00
+
+%%˜™=þÿfþÿfëì^þ
+þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþgÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfçè]CD²³•Îÿ‡ˆˆ‚ÿ‚ÿ‘ÿoeeoee¶ÿÄÄ£wwKþ
+'----))þ
+##--------------
+##-------------- þ ~  ------------------------------------------------!II\p!II------------------------~------------------------------------------------------------------------------------- ---iiGôôï‚ÿóÿþÎþX.332&& ,-----
+##-------------- þ ~  ----------------------------------!!   ----------------------------------~-------------------------------------------------------------------------------------1---------------------------------þ
+—Þƒÿ
+—Þƒÿ
+—Þ
+—Þg¿ë†ÿ
+óœKÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OŠY+š†sÂÿ
+—Þ¯Ýô‚ÿ‚ÿˆÿ~oZGÁ|<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3’}j‚ÿ‚ÿ‚ÿ‚ÿ«ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿþþ~*ë—Iÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÉ>s^J‚ÿÆÿ~ÖËÁ^<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O^=ØÍÄ‚ÿ‚ÿèÿ)¤âÂÿ~Œwc¹w9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OòœKüûúÅÿ™ß‚ÿ‚ÿˆÿ~ʽ±rI#ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OI/âÚÒ‚ÿ‚ÿ‚ÿ‚ÿ®ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿ~¼¬“_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OR4åÞׂÿÉÿ~?/ é–Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oé–HA1"‚ÿ‚ÿëÿ…Ëïœà†ÌïÈÿ~îêå0ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O«n5«˜‡Èÿ…Ëï–Þ†Ìï‚ÿ‚ÿ‹ÿ~&ð›Jÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OàEYE3‚ÿ‚ÿ‚ÿ‚ÿ®ÿ„||ˆˆ‚ÿ‚ÿ‘ÿrhhrhh¿ÿ~- òœKÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤$Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÖŠB}hT‚ÿÌÿ~ß×ÏfB ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤'Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OfA áÙÒ‚ÿ‚ÿîÿ
+ûúù‚ÿ‚ÿñÿ
+ 1 ¢h2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O«n5
+~Q'ä“Gþ
+ä“Gþ
+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ
+¨l4ÿ¤Oÿ¤Oÿ¤OÇ€> „U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N ËÿW¸é•ÞV·è‚ÿ‚ÿ‘ÿ)àØЀS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)ø
+¨l4ÿ¤Oÿ¤Oÿ¤OÇ€> „U)ÿ¤OÿU¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP3‚ÿÒÿ~óúý‡Ìï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…~Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ë~ï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëïh…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…ËïE‡ªK°…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…Ëï…ËïÀä÷‚ÿ‚ÿÓÿrhhrhhÂÿ~6'ø Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O g2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤OZ:1 À{;ã’FÀ{;8$K0ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÈ> ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O 
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ~êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÜD
+\;¼y:˃?ŠY+ e1ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O7#•U`.ý£Nÿ¤OøŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$nG"ÜDÜDÜDÜDÞEÿ¤OøŸMÿ¤Oè•Hþ
+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ
+¨l4ÿ¤Oÿ¤OÊ‚?
+„U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ.¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Èÿ ˜ß‚ÿ‚ÿŽÿ~àØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)jD!ÜDÜD΄@a>ßEÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤O$ ¸v9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O
+¨l4ÿ¤Oÿ¤OÊ‚?
+„U)ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~™Ôñ
+' ‘]-ÿ¤Oÿ¤Oÿ¤OÕ‰B<'
+G.ŠY+H.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oû¡N´t8ÿ¤Oÿ¤Oÿ¤O׊Cþ
+( ”_.ÿ¤Oÿ¤Oÿ¤OÛDD, 0³s7ÿ¤OÈ> ÿ¤Oÿ¤O„U) å“Gÿ¤Oä“GQ4 |P&ü¢Nÿ¤O5" “_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ~êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OF-^<ÿ¤Oÿ¤Oÿ¤Oÿ¤OŒZ+" ÿ¤Oÿ¤OÞEI/
+' ‘]-ÿ¤Oÿ¤OöžL8$цA:% A*æ”Gÿ¤OD,
+€R(ä“Gþ
+I/ˆW*L1ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$€R(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oä“Gþ
+›d0$ hC öžLÿ¤Oè•Hþ
+¨l4ÿ¤OÍ„@
+…V)ÿ¤Oÿ¤Oÿ¤Oä“GQ4 |P&ü¢Nÿ¤OgB b?ÿ¤Oÿ¤Oÿ¤O%  g2ÿ¤O™b/" 4!É>ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Èÿ ˜ß‚ÿ‚ÿŽÿPàØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)|P&ÿ¤Oÿ¤Oÿ¤Oû¡N Ÿf1óœK8$Í„@* šc0è•Hþ
+¨l4ÿ¤OÍ„@
+…V)ÿ¤Oÿ¤Oÿ¤OäU“GQ4 |P&ü¢Nÿ¤OgB b?ÿ¤Oÿ¤Oÿ¤O%  g2ÿ¤O–`." 6#̃?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+b?ÜD²r7 ¦k3ÿ¤OøŸM vL%ÜD‹Y+æ”GÈ> ÿ¤Oe1 ׊Cÿ¤Oü¢N+ iD!ßEÄ~=& zN&ÿ¤Oÿ¤O 
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ,êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oé–Hþ
+kE!ÿ¤Oè•Hþ
+¨l4Ï…@ †V*ÿ¤Oÿ¤Oÿ¤Oü¢N+ iD!ßEÄ~=& zN&ÿ¤O¶u8ý£Nÿ¤OцAïšJ΄@¨l4ÛD[;,ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+lE!ÛD¼y: ¤i3ÿ¤Oÿ¤O$ ¸v9ÿ¤Oü¢N+ iD!ßEÄ~=& zN&ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O
+¨l4Ï…@ †V*ÿ¤Oÿ¤Oÿ¤Oü¢N+U iD!ßEÄ~=& zN&ÿ¤O¶u8ý£Nÿ¤OцAïšJ˃?ªm5ÚŒDX90ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¿{;ú¡Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O²r7 ÷ŸMÿ¤Oÿ¤OˆW*8$ÿ¤OôLþ
+yN%̃?ÿ¤Oÿ¤Oÿ¤O¹w9 ý£Nÿ¤Oÿ¤O±r7,ÿ¤OøŸM Ç€>ÿ¤O}P'L1ÿ¤O«n5
+ðšJÿ¤Oë—I¹w9ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+yN%̃?ÿ¤Oÿ¤Oÿ¤O¹w9U ý£Nÿ¤Oÿ¤O±r7,ÿ¤OøŸM Ç€>ÿ¤O}P'L1ÿ¤O§k4 òœKÿ¤Oê–H»x:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+§k4ÿ¤Oÿ¤O’^-   
+
+ÿ¤Oÿ¤O 
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¼y:ú¡Mÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OŒZ+A*ÿ¤Oÿ¤Oÿ¤O¿{; ÿ¤OôLþ
+
+ÿ¤Oí˜I3!
+_=³s7ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OiD!ëåà‚ÿ‚ÿñÿ
+¡h2jD!( öžLÿ¤Oÿ¤O’^-   
+
+ÿ¤Oÿ¤OT6yN%ÿ¤O) £i2ÿ¤OïšJ5" ^<²r7þ£Oÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+
+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O
+¡h2jD!( öžLÿ¤Oÿ¤O’^-U   
+
+ÿ¤Oÿ¤OT6yN%ÿ¤O) £i2ÿ¤Oí˜I3!
+_=³s7ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+ÿ¤OrI#Z:ÿ¤Oÿ¤Oÿ¤O~Q'H.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oá‘F°q7ÿ¤Oÿ¤Oÿ¤Oÿ¤OцA™b/‡W*F-ÿ¤Oÿ¤Oÿ¤O½z; ÿ¤OvL%[;ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÈ>²r7R'
+÷ŸMÿ¤O g2-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O 
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿ,êäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oè•Hþ
+ÿ¤OôLþ
+†V*ÿ¤OõžL$ lE!ÿ¤Oÿ¤O g2-ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3,Õ‰Bñ›Kÿ¤Oÿ¤Oÿ¤O¿{;gB  5"÷%ŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+†V*ÿ¤OõžL$ lE!ÿ¤Oÿ¤O g2-Uÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¤i3,Õ‰Bñ›Kÿ¤Oÿ¤Oÿ¤O½z;fB  7#øŸMÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+¼y*:ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O='[;ÿ¤Oÿ¤Oÿ¤Oÿ¤O‹Y+
+ü¢N±r7 øŸMÿ¤Oÿ¤OŠY+5"ÿ¤OôLþ
+¨l4ÿ¤Oÿ¤OÇ€>¹w9ÿ¤OÉ>ñ›Kÿ¤Oÿ¤OŸf1kE!ÿ¤Oÿ¤Oî™J_=P3ÿ¤Oÿ¤O»x:e1ÿ¤Oÿ¤Oî™JÄ%~=ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+¨l4ÿ¤Oÿ¤OÇ€>¹w9ÿ¤OÉ>Uñ›Kÿ¤Oÿ¤OŸf1kE!ÿ¤Oÿ¤Oî™J_=P3ÿ¤Oÿ¤O¹w9Ÿf1ÿ¤Oÿ¤Oì˜IÈ>ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+gB â‘F·v9 ¥j3ÿ¤OòœK }P'å“G£i2Ø‹CÈ> ÿ¤Oÿ¤OŸf1 é–Hÿ¤O8$N2ÙŒCµt8 ”_.ÿ¤Oÿ¤O!
+¤i*3û¡Nÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÙŒC Y9¾z;̃?‡W*•`.ÿ¤Oú¡M" d@á‘F¹w9 ¡h2ÿ¤OôLþ
+€R(ä“G™b/ N2ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O8$€R(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oä“Gþ
+`>ÿ¤O¼y:þ
+¨l4ÿ¤Oÿ¤Oÿ¤O{O&í˜Iÿ¤O8$N2ÙŒCµt8 ”_.ÿ¤Oÿ¤Oÿ¤OB*þ
+ºx:ä“G[,è•Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+¨l4ÿ¤Oÿ¤Oÿ¤O{O&í˜Iÿ¤O8$N2ÙŒCµt8 ”_.ÿ¤Oÿ¤Oÿ¤OB*þ
+$ ]-ÿ¤Oÿ¤Oÿ¤OÇ€>4!
+\;{O&]<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oú¡MzN&1 
+V7ÖŠBÿ¤Oÿ¤OÛDF- % ’^-ÿ¤Oÿ¤Oÿ¤OÒ‡A=' 'g ¬o5ÿ¤OÈ> ÿ¤Oÿ¤Oý£N1 hC ÿ¤Oê–HR5 R'þ£Oÿ¤Oÿ¤O}P' ”_.ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÝŽDˆs_‚ÿÒÿbêäßkE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OÛDP3 3!¤i3ÿ¤Oÿ¤Oÿ¤OÝŽDG.
+$ ]-ÿ¤Oÿ¤OôLþ
+¨l4ÿ¤Oÿ¤Oÿ¤Oú¡M1 U7ÿ¤Oê–HR5 R'þ£Oÿ¤Oÿ¤Oÿ¤O]- óœKÿ¤Oÿ¤Oþ£OxM%1 µt8ÿ%¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Èÿ
+—Þ‚ÿ‚ÿŽÿAàØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O@)|P&ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJþ
+ xM%žf1
+µt8ÿ¤OS( ]-ÿ¤Oê–HR5 R'þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O
+¨l4ÿ¤Oÿ¤Oÿ¤Oú¡M1 U7ÿ¤OêU–HR5 R'þ£Oÿ¤Oÿ¤Oÿ¤O]- óœKÿ¤Oÿ¤Oþ£OuK$ 2 ·v9ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+—Þ‚ÿ‚ÿŽÿ~àØЂS(ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OvL%S5ÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+lE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N Ëÿ
+lE!ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤*Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OP4‚ÿÒÿ~˜Óñ
+‚ÿÒÿP˜Óñ
+þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJ þþ‚ÿÉÿ~¥’€¨l4ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤!Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O§l4¦“‚ÿ‚ÿëÿ
+èáÛ‚ÿÌÿD˜Óñ
+SSW<<?þþ
+èèôððüððüƒƒ‰þ
+
+ ÚÚåððüððü’’™þ
+—ÞM´çàòûøÿ;yÆí
+—Þ/§ã‚ÿºÿ
+—Þ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ³ÿ~˜Óñ
+
+îï`þÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþ~ÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿ~fþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfqþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfþÿfýþf‰‰7µµ˜‚ÿ‚ÿÙÿ~à×Ï;,~Q'è•Hÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤uOÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OßEhC ZF4ëæá‚ÿùÿ~˜Óñ
+¸v9ïšJÏ…@:%^<ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OðšJþ£Où Mÿ¤Oÿ¤O ßEþ£Où Mÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OôLÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O–`.!
+ºx:ïšJ΄@8$b?ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤EOÿ¤Oÿ¤Oÿ¤OÔˆB$ ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊŒÿ~˜Óñ
+.Ä~=ÿ¤OF-þ
+΄@ÿ¤Oÿ¤Oÿ¤OÍ„@.öžLÿ¤O™b/# /Ç€>ÿ¤Oÿ¤O®p6(  Z:ðšJÔˆB# ƒT)
+¢h2ÿ¤Oÿ¤OÄ~=3! Q4Õ‰Bÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊŒÿ~˜Óñ
+ÿ¤Oÿ¤Oÿ¤Oÿ(¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O$ ´t8ÿ¤Oÿ¤Oã’FmF"W8ÿ¤Oü¢Nþ
+è•HІ@,ÿ¤OÜD Ê~‚?í˜IL1vL%ã’FÄ~=øŸM‚T(@)ÿ¤Oÿ¤OôLí˜I ¹w9ú¡MŽ[,
+û¡Nÿ¤Oÿ¤Oÿ¤O¼y:( ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OßEÆ=÷ŸM~Q'D,ÿ¤OØ‹C ̃ ?ì˜II/zN&ÔˆBþ
+è•HІ@,ÿ¤O‚T(iD!ÿ~¤Oÿ¤OßE´t8ù Mä“Gÿ¤OöžLŠY+0ÿ¤Oÿ¤OôL›d0T6ÿ¤Oÿ¤Oÿ¤O ÜDÿ¤Oÿ¤Oÿ¤Ošc0C+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤OøŸMå“Gÿ¤OõžL‡W*4!ÿ¤O~Q'mF"ÿ¤EOÿ¤OÝŽD¶u8ÔˆB ü¢Nÿ¤OòœKÿ¤O—a/X9ÿ¤Oÿ¤Oÿ¤OàEÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊæÿþlþáÈÿþ¤þ©ìÿ~˜Óñ
+ÿ¤Oÿ¤Oÿ¤Oÿ(¤Oÿ¤O¤i3ÞEÿ¤O$ ±r7ü¢Nü¢Nñ›KS5a>ÿ¤Oü¢Nþ
+è•HІ@,ÿ¤Od@‰X*ÿ~¤Oÿ¤Oÿ¤Oÿ¤Oû¡NzN&.;&T60ÿ¤Oÿ¤OôL}P' ( ( ( ( È>ÿ¤Oÿ¤Oÿ¤Oºx:( ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O¡h2á‘Fú¡MxM%-<'S54!ÿ¤O`>[,ÿ¤EOÿ¤Oÿ¤Oÿ¤OÔˆB# ÿ¤Oÿ¤OôLÿ¤OyN% ( ( ( ( ˃?ÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊøÿþåþ¤þþÖûÿþlþáþþþÀþ˜þ¨þïûÿþÂþ˜þ þäûÿþûþ¸þ˜þ·þôþÿþ¤þ©þ¤þçûÿþ«þàþÿ˜Óñ
+ÿ¤Oÿ¤Oÿ¤OðšJІ@,ÿ¤Oÿ¤O
+è•HІ@,ÿ¤O{O&mF"ÿ¤Oÿ¤OÜD”_.¦k3* é–Hÿ¤OÄ~=0ÿ¤Oÿ¤OôL”_.O3ÿ+¤Oÿ¤Oÿ¤OÇ€>øŸMÿ¤Oÿ¤Oÿ¤Oì˜I Í„@ÿ¤Oÿ¤Oÿ¤OßEþ
+ÿ¤Oÿ¤Oÿ¤Oè•HІ@,ÿ¤Oÿ¤O
+è•HІ@,ÿ¤OÏ…@ Ñ~†AïšJT6hC ”_.9%÷ŸMóœKM2) ÿ¤Oÿ¤Oì˜Iâ‘F ¼y:ù M“_. ý£Nÿ¤Oÿ¤Oÿ¤Oÿ¤O]- 
+¹w9òœKÍ„@4!Z:ÿ¤O]-<'øŸMòœKJ0-ÿ¤Õ?ÓˆEAïšJQ4lE!ÔˆB$ ÿ¤Oÿ¤OôLÿ¤OßE ¿{;ù M\,!
+þ£Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊûÿþ þ¦ûÿþàþæþÿþlþáþVþòûÿþ‡þ¾þ½þjþÁþëûÿþèþRþ¥û¦þ[þÙþ¤þ©þéþaþýþ¦þ¤ûÿ;˜Óñ
+
+oG"ñ›Kÿ¤Oÿ¤O$ ´t8ÿ¤Oÿ¤Oÿ¤Oé–H
+
+qI#óœKÿ¤Oÿ¤Oºx:. 7#Í„@ÿ¤OÔˆB 
+ÿ¤Oÿ¤Oÿ¤OY9ºx:,ÿ¤Oÿ¤O
+è•HІ@,ÿ¤Oÿ¤O¤i3$ 
+Q4í˜Iò~œKH. 4!¯q6$ €R(ÿ¤OU7ç•H¸v9- 9%Ï…@ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O g2/
+ 
+sJ$ôLÿ¤OðšJF- 5"¯q6" ƒT)ÿ¤O¡h2# 
+S5ïšJÔˆ9B$ ÿ¤Oÿ¤OôLÿ¤Oÿ¤Oµt8+ :%Ò‡Aÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤O‰X+ÜÒÊûÿþ”þµûÿþýþüþÿþlþÞþRþýûÿþ•þ³þÿþâþ¥þxþ|þûþæþ[þÝøÞþõþ¤þ©þÿþ~þÉþbþìûÿ~˜Óñ
+ÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ~¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤~Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oÿ¤Oý£N
+$$&$$&ï
+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ¦ÿ~˜Óñ
+þÿþìþ
+þÿþìþ
+þºþäþþþèþÿþ8þNþÙþµþþ”þÿþìþ
+þþoþñûÿþ$þ´øÿþéþþÉþüò
+þþqþóûÿþºþ.þ þ7þÍþÿþÔþ øÿþYþþºþ,ûÿþþèþÐþ,ûÿþ¤þ$þþQþíþðþFþþ5þ¯þ"þƒþÿþUþþçþ¸þ-þþ9þÏþÿþòþPþþþ[þóþÿþ ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ¦ÿ~˜Óñ
+
+endstream
+endobj
+9 0 obj
+457292
+endobj
+10 0 obj
+/DeviceRGB
+endobj
+11 0 obj
+<<
+/Filter [ /RunLengthDecode ]
+/Width 106
+/Height 75
+/ColorSpace 10 0 R
+/BitsPerComponent 8
+/Length 12 0 R
+>>
+stream
+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ›ÿ
+endstream
+endobj
+12 0 obj
+9346
+endobj
+13 0 obj
+<<
+>>
+endobj
+14 0 obj
+9346
+endobj
+15 0 obj
+<<
+/Type /XObject
+/Subtype /Image
+/Name /Ma0
+/Filter [ /RunLengthDecode ]
+/Width 1052
+/Height 744
+/ColorSpace /DeviceGray
+/BitsPerComponent 8
+/Length 16 0 R
+>>
+stream
+‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿ‚ÿÿ€
+endstream
+endobj
+16 0 obj
+12327
+endobj
+17 0 obj
+<<
+/Title (þÿ
+/CreationDate (D:20221010135803)
+/ModDate (D:20221010135803)
+/Producer (https://imagemagick.org)
+>>
+endobj
+xref
+0 18
+0000000000 65535 f
+0000000010 00000 n
+0000000059 00000 n
+0000000118 00000 n
+0000000302 00000 n
+0000000387 00000 n
+0000000405 00000 n
+0000000443 00000 n
+0000000464 00000 n
+0000457957 00000 n
+0000457979 00000 n
+0000458006 00000 n
+0000467497 00000 n
+0000467518 00000 n
+0000467540 00000 n
+0000467561 00000 n
+0000480082 00000 n
+0000480104 00000 n
+trailer
+<<
+/Size 18
+/Info 17 0 R
+/Root 1 0 R
+/ID [<82dfca7e38da96118e28c32df36dd8031dbd96f4470decd5fafe68b1366d6064> <82dfca7e38da96118e28c32df36dd8031dbd96f4470decd5fafe68b1366d6064>]
+>>
+startxref
+480279
+%%EOF
diff --git a/doc/gnupg-module-overview.png b/doc/gnupg-module-overview.png
new file mode 100644
index 0000000..cae6c48
--- /dev/null
+++ b/doc/gnupg-module-overview.png
Binary files differ
diff --git a/doc/gnupg-module-overview.svg b/doc/gnupg-module-overview.svg
new file mode 100644
index 0000000..5b22f0d
--- /dev/null
+++ b/doc/gnupg-module-overview.svg
@@ -0,0 +1,892 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ width="1052.3622"
+ height="744.09448"
+ id="svg5013"
+ version="1.1"
+ inkscape:version="0.48.3.1 r9886"
+ sodipodi:docname="gnupg-module-overview.svg">
+ <sodipodi:namedview
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1"
+ objecttolerance="10"
+ gridtolerance="10"
+ guidetolerance="10"
+ inkscape:pageopacity="0"
+ inkscape:pageshadow="2"
+ inkscape:window-width="1672"
+ inkscape:window-height="978"
+ id="namedview5247"
+ showgrid="false"
+ inkscape:zoom="1.0964545"
+ inkscape:cx="549.42213"
+ inkscape:cy="371.37197"
+ inkscape:window-x="0"
+ inkscape:window-y="0"
+ inkscape:window-maximized="1"
+ inkscape:current-layer="svg5013"
+ showguides="true"
+ inkscape:guide-bbox="true">
+ <inkscape:grid
+ id="grid3097"
+ type="xygrid"
+ empspacing="5"
+ visible="true"
+ enabled="true"
+ snapvisiblegridlinesonly="true" />
+ </sodipodi:namedview>
+ <metadata
+ id="metadata5249">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ <dc:title />
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <defs
+ id="defs5015">
+ <marker
+ inkscape:stockid="Arrow2Sstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow2Sstart"
+ style="overflow:visible">
+ <path
+ id="path4021"
+ style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ transform="matrix(0.3,0,0,0.3,-0.69,0)"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow2Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow2Mend"
+ style="overflow:visible">
+ <path
+ id="path4018"
+ style="fill-rule:evenodd;stroke-width:0.625;stroke-linejoin:round"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ transform="scale(-0.6,-0.6)"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend"
+ style="overflow:visible">
+ <path
+ id="path4000"
+ d="M 0,0 5,-5 -12.5,0 5,5 0,0 z"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ orient="auto"
+ markerHeight="3"
+ markerWidth="4"
+ markerUnits="strokeWidth"
+ refY="5"
+ refX="0"
+ viewBox="0 0 10 10"
+ id="ArrowEnd">
+ <path
+ id="path5018"
+ d="M 0,0 10,5 0,10 z"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ orient="auto"
+ markerHeight="3"
+ markerWidth="4"
+ markerUnits="strokeWidth"
+ refY="5"
+ refX="10"
+ viewBox="0 0 10 10"
+ id="ArrowStart">
+ <path
+ id="path5021"
+ d="M 10,0 0,5 10,10 z"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ inkscape:stockid="ArrowEndo"
+ orient="auto"
+ markerHeight="3"
+ markerWidth="4"
+ markerUnits="strokeWidth"
+ refY="5"
+ refX="0"
+ viewBox="0 0 10 10"
+ id="ArrowEndo">
+ <path
+ id="path4964"
+ d="M 0,0 10,5 0,10 z"
+ inkscape:connector-curvature="0" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker6214"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow2Send">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.3,0,0,-0.3,0.69,0)"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1"
+ id="path6216" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker4916"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow2Send">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.3,0,0,-0.3,0.69,0)"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1"
+ id="path4918" />
+ </marker>
+ <marker
+ inkscape:isstock="true"
+ style="overflow:visible"
+ id="marker4916-9"
+ refX="0"
+ refY="0"
+ orient="auto"
+ inkscape:stockid="Arrow2Send">
+ <path
+ inkscape:connector-curvature="0"
+ transform="matrix(-0.3,0,0,-0.3,0.69,0)"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1"
+ id="path4918-0" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow2Send"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="marker4292"
+ style="overflow:visible"
+ inkscape:isstock="true"
+ inkscape:collect="always">
+ <path
+ inkscape:connector-curvature="0"
+ id="path4294"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:0.625;stroke-linejoin:round;stroke-opacity:1"
+ d="M 8.7185878,4.0337352 -2.2072895,0.01601326 8.7185884,-4.0017078 c -1.7454984,2.3720609 -1.7354408,5.6174519 -6e-7,8.035443 z"
+ transform="matrix(-0.3,0,0,-0.3,0.69,0)" />
+ </marker>
+ </defs>
+ <path
+ sodipodi:nodetypes="ccc"
+ style="fill:none;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ d="m 287.5667,471.57196 0,97.32813 125.9533,0"
+ id="path4897"
+ inkscape:connector-curvature="0" />
+ <path
+ sodipodi:nodetypes="cccc"
+ style="fill:none;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ d="m 287.5667,378.67655 312.68618,0 307.44416,0 -0.19429,-59.6196"
+ id="path4683"
+ inkscape:connector-curvature="0" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path6223"
+ d="m 287.70069,169.03486 -0.12386,102.03147"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path5608"
+ d="m 567.28751,169.03486 -0.12386,102.03147"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path6212"
+ d="M 740.82251,277.66035 740.69865,174.39089"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ <path
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none"
+ d="m 523.40929,311.79252 0,124.65874"
+ id="path6073"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ sodipodi:nodetypes="cc"
+ inkscape:connector-curvature="0"
+ id="path6047"
+ d="m 740.69179,316.07585 0,119.95752"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path3376-9"
+ d="m 287.6031,433.13662 0,-57.34608 0,-57.34607"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ sodipodi:nodetypes="ccc" />
+ <rect
+ style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect3352"
+ width="97.554695"
+ height="40.571972"
+ x="391.51746"
+ y="636.94879"
+ ry="13.673332"
+ rx="13.673332" />
+ <text
+ y="662.4939"
+ x="409.48114"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ id="text3354">
+ <tspan
+ id="tspan3356"
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Keyserver</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path3378"
+ d="m 440.28156,586.50326 0,45.86759"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)"
+ sodipodi:nodetypes="cc" />
+ <path
+ sodipodi:nodetypes="cc"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)"
+ d="m 556.46073,586.50326 0,45.86759"
+ id="path3376"
+ inkscape:connector-curvature="0" />
+ <path
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker4916)"
+ d="m 429.01048,170.98678 0,100.99292"
+ id="path6342"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ style="fill:none;stroke:#0093dd;stroke-width:2.75242877;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none"
+ d="m 907.57277,170.14422 0,113.50352"
+ id="path5123"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none"
+ d="m 673.43067,568.61382 -98.4701,0"
+ id="path6243"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path6201"
+ d="m 453.30881,317.35087 0.18784,34.85336 53.29577,-0.16228 190.29392,-0.16229 0.18785,-30.27572"
+ style="fill:none;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="ccccc" />
+ <rect
+ rx="4.3253841"
+ ry="4.3253841"
+ y="276.6272"
+ x="675.82629"
+ height="40.530724"
+ width="123.10358"
+ id="rect6187"
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ id="text5121"
+ transform="scale(1.0507543,0.95169727)"
+ style="font-size:13.02898884px;line-height:125%;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="674.47369"
+ y="315.29083"
+ sodipodi:linespacing="125%">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;writing-mode:lr-tb;text-anchor:start;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4497">gpg-agent</tspan>
+ </text>
+ <rect
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6197"
+ width="123.10358"
+ height="40.530724"
+ x="846.021"
+ y="276.6272"
+ ry="4.3253841"
+ rx="4.3253841" />
+ <rect
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6192"
+ width="123.10358"
+ height="40.530724"
+ x="675.82629"
+ y="129.8378"
+ ry="4.3253841"
+ rx="4.3253841" />
+ <path
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none"
+ d="m 498.35189,473.54808 0,75.31261"
+ id="path6069"
+ inkscape:connector-curvature="0"
+ sodipodi:nodetypes="cc" />
+ <rect
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6177"
+ width="164.51004"
+ height="40.445511"
+ x="416.09686"
+ y="548.39105"
+ ry="4.3253841"
+ rx="4.3253841" />
+ <rect
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6173"
+ width="123.10358"
+ height="40.530724"
+ x="367.47192"
+ y="276.6272"
+ ry="4.3253841"
+ rx="4.3253841" />
+ <rect
+ rx="4.3253841"
+ ry="4.3253841"
+ y="276.6272"
+ x="505.63153"
+ height="40.530724"
+ width="123.10358"
+ id="rect6168"
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <rect
+ rx="13.673332"
+ ry="13.673332"
+ y="433.47479"
+ x="691.91449"
+ height="40.571972"
+ width="97.554695"
+ id="rect6083"
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <path
+ sodipodi:nodetypes="cc"
+ inkscape:connector-curvature="0"
+ id="path6071"
+ d="m 473.29453,317.56143 0,118.88983"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" />
+ <path
+ sodipodi:nodetypes="cc"
+ inkscape:connector-curvature="0"
+ id="path6056"
+ d="m 129.94217,317.56143 0,119.95753"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" />
+ <rect
+ style="fill:#f0f0fc;fill-opacity:1;stroke:#0093dd;stroke-width:2.06634402;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect5612"
+ width="403.86743"
+ height="39.392567"
+ x="225.40582"
+ y="130.97597" />
+ <path
+ style="fill:none;stroke:#524646;stroke-width:1;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:0.5,0.5;stroke-dashoffset:0"
+ d="m 58.463573,227.2185 928.110467,0 0,382.29175 -928.110467,0 0,-382.29175 z"
+ id="path5025"
+ inkscape:connector-curvature="0" />
+ <text
+ id="text5061"
+ transform="scale(1.0507332,0.95171638)"
+ style="font-size:13.0976572px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="518.80000"
+ y="315.28461">
+ <tspan
+ style="font-size:13.76214409px"
+ id="tspan4513">gpgsm</tspan>
+ </text>
+ <text
+ id="text5073"
+ transform="scale(1.0507333,0.95171629)"
+ style="font-size:13.02924919px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="395.6857"
+ y="315.28461">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4515">gpg</tspan>
+ </text>
+ <rect
+ rx="13.673332"
+ ry="12.771004"
+ y="548.32782"
+ x="673.75952"
+ height="40.571972"
+ width="133.86456"
+ id="rect6095"
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ id="text5105"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="680.94543"
+ y="573.11676">
+ <tspan
+ style="font-size:12.38593006px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4529">CRL/Certificate Cache</tspan>
+ </text>
+ <text
+ id="text5129"
+ transform="scale(1.0507438,0.95170678)"
+ style="font-size:13.02911949px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="830.64813"
+ y="317.11887">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4509">scdaemon</tspan>
+ </text>
+ <rect
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#020202;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect5628"
+ width="67.014503"
+ height="121.84404"
+ x="103.36046"
+ y="-968.49481"
+ ry="7.6290565"
+ rx="7.6290565"
+ transform="matrix(0,1,-1,0,0,0)" />
+ <text
+ y="142.0016"
+ x="875.88068"
+ id="text5135"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica">
+ <tspan
+ id="tspan4507"
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Smartcard</tspan>
+ </text>
+ <g
+ id="g5153"
+ transform="matrix(1.3762144,0,0,1.3762144,61.101249,-38.173118)">
+ <path
+ inkscape:connector-curvature="0"
+ id="path5155"
+ d="m 19.4715,229.854 61.1008,0 c 2.6103,0 4.7291,1.919 4.7291,4.283 l 0,19.78 c 0,2.364 -2.1188,4.283 -4.7291,4.283 l -61.1008,0 c -2.6102,0 -4.729,-1.919 -4.729,-4.283 l 0,-19.78 c 0,-2.364 2.1188,-4.283 4.729,-4.283 z"
+ style="fill:#feff66;fill-rule:evenodd;stroke:#000000;stroke-width:0.283465" />
+ <text
+ id="text5157"
+ style="font-size:9.94777203px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="21.563971"
+ y="247.59825">
+ <tspan
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4517">watchgnupg</tspan>
+ </text>
+ </g>
+ <text
+ id="text5181"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="702.94672"
+ y="457.17776">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4527">Private Keys</tspan>
+ </text>
+ <text
+ id="text5199"
+ transform="scale(1.0230018,0.97751538)"
+ style="font-size:15.83039284px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="317.46622"
+ y="158.42787">
+ <tspan
+ style="font-size:16.51457214px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan5886">GPGME aware Applications</tspan>
+ </text>
+ <text
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ id="text5632"
+ x="710.88654"
+ y="153.50237">
+ <tspan
+ style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan5634">Pinentry</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path6067"
+ d="m 567.29104,317.51986 -0.12386,226.20179"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ <rect
+ rx="13.673332"
+ ry="13.673332"
+ y="433.47479"
+ x="449.57455"
+ height="40.571972"
+ width="97.554695"
+ id="rect6088"
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ id="text5175"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="463.25439"
+ y="457.33569">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4521">Public Keys</tspan>
+ </text>
+ <text
+ id="text5089"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="472.05396"
+ y="572.03088">
+ <tspan
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4523">dirmngr</tspan>
+ </text>
+ <rect
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6111"
+ width="97.554695"
+ height="40.571972"
+ x="81.164833"
+ y="433.47479"
+ ry="13.673332"
+ rx="13.673332" />
+ <text
+ y="457.33569"
+ x="96.524628"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ id="text5163">
+ <tspan
+ id="tspan4519"
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Log Socket</tspan>
+ </text>
+ <path
+ sodipodi:nodetypes="cc"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ d="m 429.1316,317.51986 -0.12386,226.20179"
+ id="path6179"
+ inkscape:connector-curvature="0" />
+ <path
+ sodipodi:nodetypes="cc"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ d="m 629.27326,296.76206 42.33457,0.0512"
+ id="path6203"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g6225"
+ transform="matrix(1.3762144,0,0,1.3762144,118.49324,-38.173118)">
+ <rect
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.40000001;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6205"
+ width="89.450874"
+ height="29.450878"
+ x="78.150215"
+ y="228.74368"
+ ry="3.1429582"
+ rx="3.1429582" />
+ <g
+ id="g6207"
+ transform="matrix(1,0,0,1.0478715,-311.25716,-12.101961)">
+ <text
+ y="258.88663"
+ x="393.02432"
+ style="font-size:9.46736145px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ transform="scale(1.0507438,0.95170677)"
+ id="text6209">
+ <tspan
+ id="tspan6211"
+ style="font-size:10px">gpgconf</tspan>
+ </text>
+ </g>
+ </g>
+ <rect
+ rx="13.673332"
+ ry="13.673332"
+ y="433.47479"
+ x="238.81912"
+ height="40.571972"
+ width="97.554695"
+ id="rect6217"
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ y="457.37265"
+ x="252.14281"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ id="text6219">
+ <tspan
+ id="tspan6221"
+ style="font-size:13.76214409px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Config Files</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path6294"
+ d="m 799.10128,296.76206 42.33458,0.0512"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.50485762, 2.75242881;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ <rect
+ rx="13.673332"
+ ry="13.673332"
+ y="636.94879"
+ x="507.69662"
+ height="40.571972"
+ width="97.554695"
+ id="rect3358"
+ style="fill:#ffffff;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ id="text3360"
+ style="font-size:13.69026756px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="509.57916"
+ y="661.91278">
+ <tspan
+ style="font-size:12.38593006px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan3362">CRLs/Certificates</tspan>
+ </text>
+ <path
+ sodipodi:nodetypes="cc"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ d="m 398.90883,378.89687 0,-59.343"
+ id="path4891"
+ inkscape:connector-curvature="0" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path4893"
+ d="m 601.00042,378.89687 0,-59.343"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ sodipodi:nodetypes="cc" />
+ <path
+ sodipodi:nodetypes="cc"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ d="m 771.49503,378.89687 0,-59.343"
+ id="path4895"
+ inkscape:connector-curvature="0" />
+ <g
+ id="g5086"
+ transform="translate(0,-6)">
+ <rect
+ style="fill:#f0f0fc;fill-opacity:1;stroke:#0093dd;stroke-width:1.99633956;stroke-linejoin:round;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect2987"
+ width="159.27866"
+ height="228.80177"
+ x="849.40546"
+ y="454.11374" />
+ <text
+ xml:space="preserve"
+ style="font-size:18.12819099px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:125%;letter-spacing:0px;word-spacing:0px;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;font-family:Liberation Sans;-inkscape-font-specification:Liberation Sans"
+ x="913.58813"
+ y="498.23856"
+ id="text3759"
+ sodipodi:linespacing="125%"><tspan
+ sodipodi:role="line"
+ id="tspan3761"
+ x="913.58813"
+ y="498.23856"
+ style="font-size:23.30767632px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-family:Roboto;-inkscape-font-specification:Roboto">GnuPG</tspan></text>
+ <g
+ id="g6169"
+ transform="matrix(0.49007212,0,0,0.49007212,836.80821,295.5608)">
+ <rect
+ y="390.43344"
+ x="58.297867"
+ height="47.099998"
+ width="70"
+ id="rect3132"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" />
+ <rect
+ y="371.00229"
+ x="63.037552"
+ height="19.485378"
+ width="15.009007"
+ id="rect4103"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" />
+ <rect
+ y="371.22836"
+ x="108.41566"
+ height="19.239996"
+ width="15.18455"
+ id="rect4105"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:nonzero;stroke:none" />
+ <path
+ id="path6045"
+ d="m 93.922866,345.53344 c -22.46905,0.16165 -30.875,20.99835 -30.875,25.56249 6.14654,0 12.81165,0.34375 14.21875,0.34375 0.33001,0 0.39884,8e-5 0.71875,0 1.67836,-6.87024 7.86511,-11.96874 15.25,-11.96874 7.352024,0 13.507864,5.05103 15.218754,11.87499 0.38707,-1.8e-4 0.56404,0 0.96875,0 12.63916,0 14.125,0.0937 14.125,0.0937 0,0 -5.04885,-26.08179 -29.625004,-25.90624 z"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <path
+ sodipodi:nodetypes="ccsc"
+ id="path7026"
+ d="m 68.567186,370.73896 c 11.42171,-23.28824 27.43165,-20.04817 36.688924,-18.61339 0,0 -12.173084,-5.82971 -23.874214,-0.082 -11.47547,5.63682 -12.81471,18.69542 -12.81471,18.69542 z"
+ style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ <path
+ sodipodi:nodetypes="cssscccccccccc"
+ id="path7997"
+ d="m 58.047866,413.78343 c 0,0 7.78901,-8.70131 14.0625,-11 8.1875,-3 18.1875,-2.0625 34.750004,-5.375 5.86257,-1.17251 7.6875,-2.625 16.625,-7.25 0.75499,-0.39069 5.375,-0.3125 5.375,-0.3125 l -0.375,6.25 c -10.1875,10.6875 -33.437504,16.65625 -35.375004,16.5625 19.667484,2.63843 30.165594,-7.55691 34.437504,-8.1875 -9.9375,21.125 -45.187504,20.0625 -45.187504,20.0625 20.437504,5.5625 37.062504,-2.75 37.062504,-2.75 -9.3125,15.40625 -43.687504,13.3125 -43.687504,13.3125 -3.59375,0.3125 -6.5,2.625 -6.5,2.625 l -11.0625,0.3125 -0.125,-24.25 z"
+ style="fill:#ffffff;fill-opacity:1;fill-rule:evenodd;stroke:none"
+ inkscape:connector-curvature="0" />
+ </g>
+ <text
+ id="text5079"
+ style="font-size:10.04583168px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Palatino-Roman"
+ x="958.4126"
+ y="672.75244">
+ <tspan
+ style="font-size:9px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4550">2016-02-16</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path5029"
+ d="m 858.59964,575.15188 0,0 0,0 0,0 0,0 z"
+ style="fill:none;stroke:#000000;stroke-width:1.37621439" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path5031"
+ d="m 850.64237,521.64467 0,0 0,0 0,0 0,0 z"
+ style="fill:none;stroke:#000000;stroke-width:1.37621439" />
+ <path
+ inkscape:connector-curvature="0"
+ id="path5081"
+ d="m 925.49559,530.74765 0,0 0,0 0,0 0,0 z"
+ style="fill:none;stroke:#000000;stroke-width:1.37621439" />
+ <text
+ id="text5219"
+ transform="scale(1.0657564,0.93830074)"
+ style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="811.75702"
+ y="581.03601">
+ <tspan
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan4544">closely linked</tspan>
+ </text>
+ <g
+ transform="translate(0,-2)"
+ id="g5069">
+ <text
+ y="611.05994"
+ x="812.3645"
+ style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ transform="scale(1.0657564,0.93830074)"
+ id="text5221">
+ <tspan
+ id="tspan4546"
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">Assuan protocol</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path5618"
+ d="m 865.13523,560.69899 80.92233,0.0512"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.5048576, 2.7524288;stroke-dashoffset:0;marker-end:url(#marker6214)"
+ sodipodi:nodetypes="cc" />
+ </g>
+ <path
+ sodipodi:nodetypes="cc"
+ inkscape:connector-curvature="0"
+ id="path4323"
+ d="m 865.13523,532.18831 84.92605,0"
+ style="fill:#0093dd;fill-opacity:1;fill-rule:evenodd;stroke:#0093dd;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;marker-end:none" />
+ <text
+ y="510.38229"
+ x="915.55554"
+ style="font-size:10.04583168px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Palatino-Roman"
+ id="text6327">
+ <tspan
+ id="tspan6329"
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">architecture</tspan>
+ </text>
+ <g
+ transform="translate(0,-2)"
+ id="g5074">
+ <text
+ y="640.84277"
+ x="811.75702"
+ style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ transform="scale(1.0657564,0.93830073)"
+ id="text5217">
+ <tspan
+ id="tspan4548"
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">execute/access</tspan>
+ </text>
+ <path
+ inkscape:connector-curvature="0"
+ id="path4912-6"
+ d="m 865.13523,587.99572 81.37511,0"
+ style="fill:#000000;fill-opacity:1;fill-rule:evenodd;stroke:#000000;stroke-width:2.75242877;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:5.5048576, 2.7524288;stroke-dashoffset:0;marker-end:url(#marker4916)"
+ sodipodi:nodetypes="cc" />
+ </g>
+ <g
+ transform="translate(0,22.156206)"
+ id="g5053">
+ <rect
+ rx="4.3253841"
+ ry="3.3909659"
+ y="612.22021"
+ x="865.13519"
+ height="18.246916"
+ width="84.926071"
+ id="rect6354"
+ style="fill:#feff66;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.55048579;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0" />
+ <text
+ id="text6350"
+ transform="scale(1.0657564,0.93830074)"
+ style="font-size:7.41257px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="832.3197"
+ y="664.93915">
+ <tspan
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan6352">process</tspan>
+ </text>
+ <rect
+ style="fill:#ffa44f;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:0.40877044;stroke-linecap:square;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0"
+ id="rect6356"
+ width="84.926071"
+ height="16.446747"
+ x="865.13519"
+ y="636.65216"
+ ry="13.673332"
+ rx="6.1170168" />
+ <text
+ y="691.21802"
+ x="837.2547"
+ style="font-size:7.41257px;fill:#000000;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ transform="scale(1.0657564,0.93830074)"
+ id="text6358">
+ <tspan
+ id="tspan6360"
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#000000;font-family:Droid Sans;-inkscape-font-specification:Droid Sans">object</tspan>
+ </text>
+ </g>
+ <g
+ transform="translate(0,-2)"
+ id="g5079">
+ <path
+ inkscape:connector-curvature="0"
+ id="path5019"
+ d="m 865.06095,613.70189 83.42501,-0.114"
+ style="fill:#707070;fill-opacity:1;fill-rule:evenodd;stroke:#707070;stroke-width:1.37621439;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-opacity:1;stroke-dasharray:none;stroke-dashoffset:0;marker-end:url(#marker4292)"
+ sodipodi:nodetypes="cc" />
+ <text
+ id="text5065"
+ transform="scale(1.0657564,0.93830073)"
+ style="font-size:7.41257px;fill:#4d4d4d;fill-rule:evenodd;stroke:none;font-family:Helvetica"
+ x="811.75702"
+ y="666.24689">
+ <tspan
+ style="font-size:11.00971508px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;fill:#4d4d4d;font-family:Droid Sans;-inkscape-font-specification:Droid Sans"
+ id="tspan5067">configure</tspan>
+ </text>
+ </g>
+ </g>
+</svg>
diff --git a/doc/gnupg.info b/doc/gnupg.info
new file mode 100644
index 0000000..d3b8fe5
--- /dev/null
+++ b/doc/gnupg.info
@@ -0,0 +1,224 @@
+This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
+
+This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3,
+October 2022).
+
+ (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
+(C) 2013, 2014, 2015 Werner Koch.
+(C) 2015, 2016, 2017 g10 Code GmbH.
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version. The text of the
+ license can be found in the section entitled "Copying".
+INFO-DIR-SECTION GNU Utilities
+START-INFO-DIR-ENTRY
+* gpg2: (gnupg). OpenPGP encryption and signing tool.
+* gpgsm: (gnupg). S/MIME encryption and signing tool.
+* gpg-agent: (gnupg). The secret key daemon.
+* dirmngr: (gnupg). X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+END-INFO-DIR-ENTRY
+
+
+Indirect:
+gnupg.info-1: 990
+gnupg.info-2: 305399
+
+Tag Table:
+(Indirect)
+Node: Top990
+Node: Installation2917
+Node: Invoking GPG-AGENT5266
+Node: Agent Commands7032
+Node: Agent Options8836
+Ref: option --options9116
+Ref: option --homedir9442
+Ref: option --log-file14860
+Ref: option --no-allow-mark-trusted15233
+Ref: option --no-user-trustlist15437
+Ref: option --allow-preset-passphrase15903
+Ref: option --no-allow-loopback-pinentry16056
+Ref: option --extra-socket24409
+Ref: option --enable-ssh-support25875
+Ref: option --ssh-fingerprint-digest28212
+Node: Agent Configuration29869
+Node: Agent Signals35359
+Node: Agent Examples36819
+Node: Agent Protocol37386
+Node: Agent PKDECRYPT39540
+Node: Agent PKSIGN41452
+Node: Agent GENKEY43756
+Node: Agent IMPORT45653
+Node: Agent EXPORT46097
+Node: Agent ISTRUSTED46312
+Node: Agent GET_PASSPHRASE48687
+Node: Agent CLEAR_PASSPHRASE51128
+Node: Agent PRESET_PASSPHRASE51519
+Node: Agent GET_CONFIRMATION52357
+Node: Agent HAVEKEY53029
+Node: Agent LEARN53661
+Node: Agent PASSWD53959
+Node: Agent UPDATESTARTUPTTY54425
+Node: Agent GETEVENTCOUNTER54903
+Node: Agent GETINFO55705
+Node: Agent OPTION56409
+Node: Invoking DIRMNGR59467
+Node: Dirmngr Commands60365
+Node: Dirmngr Options62818
+Ref: Dirmngr Options-Footnote-181071
+Node: Dirmngr Configuration81206
+Node: Dirmngr Signals84336
+Node: Dirmngr Examples85364
+Node: Dirmngr Protocol86046
+Node: Dirmngr LOOKUP86696
+Node: Dirmngr ISVALID88067
+Node: Dirmngr CHECKCRL90640
+Node: Dirmngr CHECKOCSP91697
+Node: Dirmngr CACHECERT93003
+Node: Dirmngr VALIDATE93842
+Node: Invoking GPG94410
+Node: GPG Commands95640
+Node: General GPG Commands96534
+Node: Operational GPG Commands97223
+Ref: option --export-ownertrust114524
+Node: OpenPGP Key Management116637
+Node: GPG Options138596
+Node: GPG Configuration Options139929
+Ref: gpg-option --options153467
+Ref: trust-model-tofu158035
+Node: GPG Key related Options178353
+Node: GPG Input and Output183549
+Node: OpenPGP Options197253
+Node: Compliance Options201981
+Node: GPG Esoteric Options205925
+Ref: GPG Esoteric Options-Footnote-1233647
+Node: Deprecated Options233801
+Node: GPG Configuration235304
+Node: GPG Examples241192
+Node: Unattended Usage of GPG250002
+Node: Programmatic use of GnuPG250633
+Node: Ephemeral home directories251184
+Node: The quick key manipulation interface252491
+Node: Unattended GPG key generation253078
+Node: Invoking GPGSM262397
+Node: GPGSM Commands263266
+Node: General GPGSM Commands263704
+Node: Operational GPGSM Commands264392
+Node: Certificate Management266426
+Node: GPGSM Options271402
+Node: Configuration Options271976
+Ref: gpgsm-option --options272245
+Node: Certificate Options275368
+Ref: gpgsm-option --validation-model278972
+Node: Input and Output279952
+Ref: option --p12-charset280535
+Ref: gpgsm-option --with-key-data281779
+Ref: gpgsm-option --with-validation282053
+Node: CMS Options282931
+Node: Esoteric Options283951
+Node: GPGSM Configuration291184
+Node: GPGSM Examples296852
+Node: Unattended Usage297049
+Node: Automated signature checking297640
+Node: CSR and certificate creation299463
+Node: GPGSM Protocol305399
+Node: GPGSM ENCRYPT306655
+Node: GPGSM DECRYPT309330
+Node: GPGSM SIGN310166
+Node: GPGSM VERIFY311622
+Node: GPGSM GENKEY312138
+Node: GPGSM LISTKEYS313153
+Ref: gpgsm-cmd listkeys313312
+Node: GPGSM EXPORT314065
+Node: GPGSM IMPORT315029
+Node: GPGSM DELETE315770
+Node: GPGSM GETAUDITLOG316277
+Ref: gpgsm-cmd getauditlog316446
+Node: GPGSM GETINFO316790
+Node: GPGSM OPTION317639
+Node: Invoking SCDAEMON320992
+Node: Scdaemon Commands321666
+Node: Scdaemon Options322794
+Node: Card applications332236
+Node: OpenPGP Card332901
+Node: NKS Card333374
+Node: DINSIG Card333700
+Node: PKCS#15 Card334076
+Node: Geldkarte Card334346
+Node: SmartCard-HSM334737
+Node: Undefined Card335333
+Node: Scdaemon Configuration335746
+Node: Scdaemon Examples336784
+Node: Scdaemon Protocol336967
+Node: Scdaemon SERIALNO338486
+Node: Scdaemon LEARN339332
+Node: Scdaemon READCERT340179
+Node: Scdaemon READKEY340581
+Node: Scdaemon PKSIGN340867
+Node: Scdaemon PKDECRYPT341593
+Node: Scdaemon GETATTR342343
+Node: Scdaemon SETATTR342545
+Node: Scdaemon WRITEKEY342750
+Node: Scdaemon GENKEY343452
+Node: Scdaemon RANDOM343655
+Node: Scdaemon PASSWD343878
+Node: Scdaemon CHECKPIN344269
+Node: Scdaemon RESTART345272
+Node: Scdaemon APDU345805
+Node: Specify a User ID346778
+Ref: how-to-specify-a-user-id346936
+Node: Trust Values351794
+Ref: trust-values351923
+Node: Helper Tools352528
+Node: watchgnupg353380
+Ref: option watchgnupg --tcp354202
+Node: gpgv355780
+Node: addgnupghome360979
+Node: gpgconf361675
+Ref: gpgconf-Footnote-1363862
+Node: Invoking gpgconf364160
+Node: Format conventions370852
+Node: Listing components376183
+Node: Checking programs378266
+Node: Listing options381004
+Node: Changing options388710
+Node: Listing global options390412
+Node: Querying versions392392
+Node: Files used by gpgconf395090
+Node: applygnupgdefaults395696
+Node: gpg-preset-passphrase396566
+Node: Invoking gpg-preset-passphrase397601
+Node: gpg-connect-agent399003
+Node: Invoking gpg-connect-agent399717
+Node: Controlling gpg-connect-agent403263
+Node: dirmngr-client409736
+Node: gpgparsemail413087
+Node: gpgtar413400
+Node: gpg-check-pattern418128
+Node: Web Key Service420430
+Node: gpg-wks-client420743
+Node: gpg-wks-server426549
+Node: Howtos431906
+Node: Howto Create a Server Cert432178
+Node: System Notes440591
+Node: W32 Notes441802
+Node: Debugging442224
+Node: Debugging Tools443052
+Node: kbxutil443332
+Node: Debugging Hints444863
+Node: Common Problems445994
+Node: Architecture Details451231
+Node: Component interaction451541
+Ref: fig:moduleoverview451727
+Node: GnuPG-1 and GnuPG-2451834
+Ref: fig:cardarchitecture452124
+Node: Copying452239
+Node: Contributors489763
+Node: Glossary496018
+Node: Option Index498537
+Node: Environment Index579841
+Node: Index585434
+
+End Tag Table
diff --git a/doc/gnupg.info-1 b/doc/gnupg.info-1
new file mode 100644
index 0000000..3d95d00
--- /dev/null
+++ b/doc/gnupg.info-1
@@ -0,0 +1,7172 @@
+This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
+
+This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3,
+October 2022).
+
+ (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
+(C) 2013, 2014, 2015 Werner Koch.
+(C) 2015, 2016, 2017 g10 Code GmbH.
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version. The text of the
+ license can be found in the section entitled "Copying".
+INFO-DIR-SECTION GNU Utilities
+START-INFO-DIR-ENTRY
+* gpg2: (gnupg). OpenPGP encryption and signing tool.
+* gpgsm: (gnupg). S/MIME encryption and signing tool.
+* gpg-agent: (gnupg). The secret key daemon.
+* dirmngr: (gnupg). X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+END-INFO-DIR-ENTRY
+
+
+File: gnupg.info, Node: Top, Next: Installation, Up: (dir)
+
+Using the GNU Privacy Guard
+***************************
+
+This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3,
+October 2022).
+
+ (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
+(C) 2013, 2014, 2015 Werner Koch.
+(C) 2015, 2016, 2017 g10 Code GmbH.
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version. The text of the
+ license can be found in the section entitled "Copying".
+
+ This manual documents how to use the GNU Privacy Guard system as well
+as the administration and the architecture.
+
+* Menu:
+
+* Installation:: A short installation guide.
+
+* Invoking GPG-AGENT:: How to launch the secret key daemon.
+* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
+* Invoking GPG:: Using the OpenPGP protocol.
+* Invoking GPGSM:: Using the S/MIME protocol.
+* Invoking SCDAEMON:: How to handle Smartcards.
+* Specify a User ID:: How to Specify a User Id.
+* Trust Values:: How GnuPG displays trust values.
+
+* Helper Tools:: Description of small helper tools
+* Web Key Service:: Tools for the Web Key Service
+
+* Howtos:: How to do certain things.
+* System Notes:: Notes pertaining to certain OSes.
+* Debugging:: How to solve problems
+
+* Copying:: GNU General Public License says
+ how you can copy and share GnuPG
+* Contributors:: People who have contributed to GnuPG.
+
+* Glossary:: Short description of terms used.
+* Option Index:: Index to command line options.
+* Environment Index:: Index to environment variables and files.
+* Index:: Index of concepts and symbol names.
+
+
+File: gnupg.info, Node: Installation, Next: Invoking GPG-AGENT, Prev: Top, Up: Top
+
+1 A short installation guide
+****************************
+
+Unfortunately the installation guide has not been finished in time.
+Instead of delaying the release of GnuPG 2.0 even further, I decided to
+release without that guide. The chapter on gpg-agent and gpgsm do
+include brief information on how to set up the whole thing. Please
+watch the GnuPG website for updates of the documentation. In the
+meantime you may search the GnuPG mailing list archives or ask on the
+gnupg-users mailing list for advise on how to solve problems or how to
+get that whole thing up and running.
+
+ ** Building the software
+
+ Building the software is described in the file 'INSTALL'. Given that
+you are already reading this documentation we can only give some extra
+hints.
+
+ To comply with the rules on GNU systems you should have build time
+configured 'gnupg' using:
+
+ ./configure --sysconfdir=/etc --localstatedir=/var
+
+ This is to make sure that system wide configuration files are
+searched in the directory '/etc' and variable data below '/var'; the
+default would be to also install them below '/usr/local' where the
+binaries get installed. If you selected to use the '--prefix=/' you
+obviously don't need those option as they are the default then.
+
+ ** Notes on setting a root CA key to trusted
+
+ X.509 is based on a hierarchical key infrastructure. At the root of
+the tree a trusted anchor (root certificate) is required. There are
+usually no other means of verifying whether this root certificate is
+trustworthy than looking it up in a list. GnuPG uses a file
+('trustlist.txt') to keep track of all root certificates it knows about.
+There are 3 ways to get certificates into this list:
+
+ * Use the list which comes with GnuPG. However this list only
+ contains a few root certificates. Most installations will need
+ more.
+
+ * Let 'gpgsm' ask you whether you want to insert a new root
+ certificate. This feature is enabled by default; you may disable
+ it using the option 'no-allow-mark-trusted' into 'gpg-agent.conf'.
+
+ * Manually maintain the list of trusted root certificates. For a
+ multi user installation this can be done once for all users on a
+ machine. Specific changes on a per-user base are also possible.
+
+
+File: gnupg.info, Node: Invoking GPG-AGENT, Next: Invoking DIRMNGR, Prev: Installation, Up: Top
+
+2 Invoking GPG-AGENT
+********************
+
+'gpg-agent' is a daemon to manage secret (private) keys independently
+from any protocol. It is used as a backend for 'gpg' and 'gpgsm' as
+well as for a couple of other utilities.
+
+ The agent is automatically started on demand by 'gpg', 'gpgsm',
+'gpgconf', or 'gpg-connect-agent'. Thus there is no reason to start it
+manually. In case you want to use the included Secure Shell Agent you
+may start the agent using:
+
+ gpg-connect-agent /bye
+
+If you want to manually terminate the currently-running agent, you can
+safely do so with:
+
+ gpgconf --kill gpg-agent
+
+You should always add the following lines to your '.bashrc' or whatever
+initialization file is used for all shell invocations:
+
+ GPG_TTY=$(tty)
+ export GPG_TTY
+
+It is important that this environment variable always reflects the
+output of the 'tty' command. For W32 systems this option is not
+required.
+
+ Please make sure that a proper pinentry program has been installed
+under the default filename (which is system dependent) or use the option
+'pinentry-program' to specify the full name of that program. It is
+often useful to install a symbolic link from the actual used pinentry
+(e.g. '/usr/local/bin/pinentry-gtk') to the expected one (e.g.
+'/usr/local/bin/pinentry').
+
+*Note Option Index::, for an index to 'GPG-AGENT''s commands and
+options.
+
+* Menu:
+
+* Agent Commands:: List of all commands.
+* Agent Options:: List of all options.
+* Agent Configuration:: Configuration files.
+* Agent Signals:: Use of some signals.
+* Agent Examples:: Some usage examples.
+* Agent Protocol:: The protocol the agent uses.
+
+
+File: gnupg.info, Node: Agent Commands, Next: Agent Options, Up: Invoking GPG-AGENT
+
+2.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help'
+'-h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+'--server'
+ Run in server mode and wait for commands on the 'stdin'. The
+ default mode is to create a socket and listen for commands there.
+
+'--daemon [COMMAND LINE]'
+ Start the gpg-agent as a daemon; that is, detach it from the
+ console and run it in the background.
+
+ As an alternative you may create a new process as a child of
+ gpg-agent: 'gpg-agent --daemon /bin/sh'. This way you get a new
+ shell with the environment setup properly; after you exit from this
+ shell, gpg-agent terminates within a few seconds.
+
+'--supervised'
+ Run in the foreground, sending logs by default to stderr, and
+ listening on provided file descriptors, which must already be bound
+ to listening sockets. This command is useful when running under
+ systemd or other similar process supervision schemes. This option
+ is not supported on Windows.
+
+ In -supervised mode, different file descriptors can be provided for
+ use as different socket types (e.g. ssh, extra) as long as they
+ are identified in the environment variable 'LISTEN_FDNAMES' (see
+ sd_listen_fds(3) on some Linux distributions for more information
+ on this convention).
+
+
+File: gnupg.info, Node: Agent Options, Next: Agent Configuration, Prev: Agent Commands, Up: Invoking GPG-AGENT
+
+2.2 Option Summary
+==================
+
+Options may either be used on the command line or, after stripping off
+the two leading dashes, in the configuration file.
+
+'--options FILE'
+ Reads configuration from FILE instead of from the default per-user
+ configuration file. The default configuration file is named
+ 'gpg-agent.conf' and expected in the '.gnupg' directory directly
+ below the home directory of the user. This option is ignored if
+ used in an options file.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to 'gpg-agent', such
+ as '-vv'.
+
+'-q'
+'--quiet'
+ Try to be as quiet as possible.
+
+'--batch'
+ Don't invoke a pinentry or do any other thing requiring human
+ interaction.
+
+'--faked-system-time EPOCH'
+ This option is only useful for testing; it sets the system time
+ back or forth to EPOCH which is the number of seconds elapsed since
+ the year 1970.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+'--debug FLAGS'
+ This option is only useful for debugging and the behavior may
+ change at any time without notice. FLAGS are bit encoded and may
+ be given in usual C-Syntax. The currently defined bits are:
+
+ '0 (1)'
+ X.509 or OpenPGP protocol related data
+ '1 (2)'
+ values of big number integers
+ '2 (4)'
+ low level crypto operations
+ '5 (32)'
+ memory allocation
+ '6 (64)'
+ caching
+ '7 (128)'
+ show memory statistics
+ '9 (512)'
+ write hashed data to files named 'dbgmd-000*'
+ '10 (1024)'
+ trace Assuan protocol
+ '12 (4096)'
+ bypass all certificate validation
+
+'--debug-all'
+ Same as '--debug=0xffffffff'
+
+'--debug-wait N'
+ When running in server mode, wait N seconds before entering the
+ actual processing loop and print the pid. This gives time to
+ attach a debugger.
+
+'--debug-quick-random'
+ This option inhibits the use of the very secure random quality
+ level (Libgcrypt’s 'GCRY_VERY_STRONG_RANDOM') and degrades all
+ request down to standard random quality. It is only used for
+ testing and should not be used for any production quality keys.
+ This option is only effective when given on the command line.
+
+ On GNU/Linux, another way to quickly generate insecure keys is to
+ use 'rngd' to fill the kernel's entropy pool with lower quality
+ random data. 'rngd' is typically provided by the 'rng-tools'
+ package. It can be run as follows: 'sudo rngd -f -r /dev/urandom'.
+
+'--debug-pinentry'
+ This option enables extra debug information pertaining to the
+ Pinentry. As of now it is only useful when used along with
+ '--debug 1024'.
+
+'--no-detach'
+ Don't detach the process from the console. This is mainly useful
+ for debugging.
+
+'--steal-socket'
+ In '--daemon' mode, gpg-agent detects an already running gpg-agent
+ and does not allow to start a new instance. This option can be
+ used to override this check: the new gpg-agent process will try to
+ take over the communication sockets from the already running
+ process and start anyway. This option should in general not be
+ used.
+
+'-s'
+'--sh'
+'-c'
+'--csh'
+ Format the info output in daemon mode for use with the standard
+ Bourne shell or the C-shell respectively. The default is to guess
+ it based on the environment variable 'SHELL' which is correct in
+ almost all cases.
+
+'--grab'
+'--no-grab'
+ Tell the pinentry to grab the keyboard and mouse. This option
+ should be used on X-Servers to avoid X-sniffing attacks. Any use
+ of the option '--grab' overrides an used option '--no-grab'. The
+ default is '--no-grab'.
+
+'--log-file FILE'
+ Append all logging output to FILE. This is very helpful in seeing
+ what the agent actually does. Use 'socket://' to log to socket.
+ If neither a log file nor a log file descriptor has been set on a
+ Windows platform, the Registry entry
+ 'HKCU\Software\GNU\GnuPG:DefaultLogFile', if set, is used to
+ specify the logging output.
+
+'--no-allow-mark-trusted'
+ Do not allow clients to mark keys as trusted, i.e. put them into
+ the 'trustlist.txt' file. This makes it harder for users to
+ inadvertently accept Root-CA keys.
+
+'--no-user-trustlist'
+ Entirely ignore the user trust list and consider only the global
+ trustlist ('/etc/gnupg/trustlist.txt'). This implies the *note
+ option --no-allow-mark-trusted::.
+
+'--sys-trustlist-name FILE'
+ Changes the default name for the global trustlist from
+ "trustlist.txt" to FILE. If FILE does not contain any slashes and
+ does not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg').
+
+'--allow-preset-passphrase'
+ This option allows the use of 'gpg-preset-passphrase' to seed the
+ internal cache of 'gpg-agent' with passphrases.
+
+'--no-allow-loopback-pinentry'
+'--allow-loopback-pinentry'
+ Disallow or allow clients to use the loopback pinentry features;
+ see the option 'pinentry-mode' for details. Allow is the default.
+
+ The '--force' option of the Assuan command 'DELETE_KEY' is also
+ controlled by this option: The option is ignored if a loopback
+ pinentry is disallowed.
+
+'--no-allow-external-cache'
+ Tell Pinentry not to enable features which use an external cache
+ for passphrases.
+
+ Some desktop environments prefer to unlock all credentials with one
+ master password and may have installed a Pinentry which employs an
+ additional external cache to implement such a policy. By using
+ this option the Pinentry is advised not to make use of such a cache
+ and instead always ask the user for the requested passphrase.
+
+'--allow-emacs-pinentry'
+ Tell Pinentry to allow features to divert the passphrase entry to a
+ running Emacs instance. How this is exactly handled depends on the
+ version of the used Pinentry.
+
+'--ignore-cache-for-signing'
+ This option will let 'gpg-agent' bypass the passphrase cache for
+ all signing operation. Note that there is also a per-session
+ option to control this behavior but this command line option takes
+ precedence.
+
+'--default-cache-ttl N'
+ Set the time a cache entry is valid to N seconds. The default is
+ 600 seconds. Each time a cache entry is accessed, the entry's
+ timer is reset. To set an entry's maximum lifetime, use
+ 'max-cache-ttl'. Note that a cached passphrase may not be evicted
+ immediately from memory if no client requests a cache operation.
+ This is due to an internal housekeeping function which is only run
+ every few seconds.
+
+'--default-cache-ttl-ssh N'
+ Set the time a cache entry used for SSH keys is valid to N seconds.
+ The default is 1800 seconds. Each time a cache entry is accessed,
+ the entry's timer is reset. To set an entry's maximum lifetime,
+ use 'max-cache-ttl-ssh'.
+
+'--max-cache-ttl N'
+ Set the maximum time a cache entry is valid to N seconds. After
+ this time a cache entry will be expired even if it has been
+ accessed recently or has been set using 'gpg-preset-passphrase'.
+ The default is 2 hours (7200 seconds).
+
+'--max-cache-ttl-ssh N'
+ Set the maximum time a cache entry used for SSH keys is valid to N
+ seconds. After this time a cache entry will be expired even if it
+ has been accessed recently or has been set using
+ 'gpg-preset-passphrase'. The default is 2 hours (7200 seconds).
+
+'--enforce-passphrase-constraints'
+ Enforce the passphrase constraints by not allowing the user to
+ bypass them using the "Take it anyway" button.
+
+'--min-passphrase-len N'
+ Set the minimal length of a passphrase. When entering a new
+ passphrase shorter than this value a warning will be displayed.
+ Defaults to 8.
+
+'--min-passphrase-nonalpha N'
+ Set the minimal number of digits or special characters required in
+ a passphrase. When entering a new passphrase with less than this
+ number of digits or special characters a warning will be displayed.
+ Defaults to 1.
+
+'--check-passphrase-pattern FILE'
+'--check-sym-passphrase-pattern FILE'
+ Check the passphrase against the pattern given in FILE. When
+ entering a new passphrase matching one of these pattern a warning
+ will be displayed. If FILE does not contain any slashes and does
+ not start with "~/" it is searched in the system configuration
+ directory ('/etc/gnupg'). The default is not to use any pattern
+ file. The second version of this option is only used when creating
+ a new symmetric key to allow the use of different patterns for such
+ passphrases.
+
+ Security note: It is known that checking a passphrase against a
+ list of pattern or even against a complete dictionary is not very
+ effective to enforce good passphrases. Users will soon figure up
+ ways to bypass such a policy. A better policy is to educate users
+ on good security behavior and optionally to run a passphrase
+ cracker regularly on all users passphrases to catch the very simple
+ ones.
+
+'--max-passphrase-days N'
+ Ask the user to change the passphrase if N days have passed since
+ the last change. With '--enforce-passphrase-constraints' set the
+ user may not bypass this check.
+
+'--enable-passphrase-history'
+ This option does nothing yet.
+
+'--pinentry-invisible-char CHAR'
+ This option asks the Pinentry to use CHAR for displaying hidden
+ characters. CHAR must be one character UTF-8 string. A Pinentry
+ may or may not honor this request.
+
+'--pinentry-timeout N'
+ This option asks the Pinentry to timeout after N seconds with no
+ user input. The default value of 0 does not ask the pinentry to
+ timeout, however a Pinentry may use its own default timeout value
+ in this case. A Pinentry may or may not honor this request.
+
+'--pinentry-formatted-passphrase'
+ This option asks the Pinentry to enable passphrase formatting when
+ asking the user for a new passphrase and masking of the passphrase
+ is turned off.
+
+ If passphrase formatting is enabled, then all non-breaking space
+ characters are stripped from the entered passphrase. Passphrase
+ formatting is mostly useful in combination with passphrases
+ generated with the GENPIN feature of some Pinentries. Note that
+ such a generated passphrase, if not modified by the user, skips all
+ passphrase constraints checking because such constraints would
+ actually weaken the generated passphrase.
+
+'--pinentry-program FILENAME'
+ Use program FILENAME as the PIN entry. The default is installation
+ dependent. With the default configuration the name of the default
+ pinentry is 'pinentry'; if that file does not exist but a
+ 'pinentry-basic' exist the latter is used.
+
+ On a Windows platform the default is to use the first existing
+ program from this list: 'bin\pinentry.exe',
+ '..\Gpg4win\bin\pinentry.exe', '..\Gpg4win\pinentry.exe',
+ '..\GNU\GnuPG\pinentry.exe', '..\GNU\bin\pinentry.exe',
+ 'bin\pinentry-basic.exe' where the file names are relative to the
+ GnuPG installation directory.
+
+'--pinentry-touch-file FILENAME'
+ By default the filename of the socket gpg-agent is listening for
+ requests is passed to Pinentry, so that it can touch that file
+ before exiting (it does this only in curses mode). This option
+ changes the file passed to Pinentry to FILENAME. The special name
+ '/dev/null' may be used to completely disable this feature. Note
+ that Pinentry will not create that file, it will only change the
+ modification and access time.
+
+'--scdaemon-program FILENAME'
+ Use program FILENAME as the Smartcard daemon. The default is
+ installation dependent and can be shown with the 'gpgconf' command.
+
+'--disable-scdaemon'
+ Do not make use of the scdaemon tool. This option has the effect
+ of disabling the ability to do smartcard operations. Note, that
+ enabling this option at runtime does not kill an already forked
+ scdaemon.
+
+'--disable-check-own-socket'
+ 'gpg-agent' employs a periodic self-test to detect a stolen socket.
+ This usually means a second instance of 'gpg-agent' has taken over
+ the socket and 'gpg-agent' will then terminate itself. This option
+ may be used to disable this self-test for debugging purposes.
+
+'--use-standard-socket'
+'--no-use-standard-socket'
+'--use-standard-socket-p'
+ Since GnuPG 2.1 the standard socket is always used. These options
+ have no more effect. The command 'gpg-agent
+ --use-standard-socket-p' will thus always return success.
+
+'--display STRING'
+'--ttyname STRING'
+'--ttytype STRING'
+'--lc-ctype STRING'
+'--lc-messages STRING'
+'--xauthority STRING'
+ These options are used with the server mode to pass localization
+ information.
+
+'--keep-tty'
+'--keep-display'
+ Ignore requests to change the current 'tty' or X window system's
+ 'DISPLAY' variable respectively. This is useful to lock the
+ pinentry to pop up at the 'tty' or display you started the agent.
+
+'--listen-backlog N'
+ Set the size of the queue for pending connections. The default is
+ 64.
+
+'--extra-socket NAME'
+ The extra socket is created by default, you may use this option to
+ change the name of the socket. To disable the creation of the
+ socket use "none" or "/dev/null" for NAME.
+
+ Also listen on native gpg-agent connections on the given socket.
+ The intended use for this extra socket is to setup a Unix domain
+ socket forwarding from a remote machine to this socket on the local
+ machine. A 'gpg' running on the remote machine may then connect to
+ the local gpg-agent and use its private keys. This enables
+ decrypting or signing data on a remote machine without exposing the
+ private keys to the remote machine.
+
+'--enable-extended-key-format'
+'--disable-extended-key-format'
+ Since version 2.2.22 keys are created in the extended private key
+ format by default. Changing the passphrase of a key will also
+ convert the key to that new format. This key format is supported
+ since GnuPG version 2.1.12 and thus there should be no need to
+ disable it. Anyway, the disable option still allows to revert to
+ the old behavior for new keys; be aware that keys are never
+ migrated back to the old format. If the enable option has been
+ used the disable option won't have an effect. The advantage of the
+ extended private key format is that it is text based and can carry
+ additional meta data. In extended key format the OCB mode is used
+ for key protection.
+
+'--enable-ssh-support'
+'--enable-putty-support'
+
+ The OpenSSH Agent protocol is always enabled, but 'gpg-agent' will
+ only set the 'SSH_AUTH_SOCK' variable if this flag is given.
+
+ In this mode of operation, the agent does not only implement the
+ gpg-agent protocol, but also the agent protocol used by OpenSSH
+ (through a separate socket). Consequently, it should be possible
+ to use the gpg-agent as a drop-in replacement for the well known
+ ssh-agent.
+
+ SSH Keys, which are to be used through the agent, need to be added
+ to the gpg-agent initially through the ssh-add utility. When a key
+ is added, ssh-add will ask for the password of the provided key
+ file and send the unprotected key material to the agent; this
+ causes the gpg-agent to ask for a passphrase, which is to be used
+ for encrypting the newly received key and storing it in a gpg-agent
+ specific directory.
+
+ Once a key has been added to the gpg-agent this way, the gpg-agent
+ will be ready to use the key.
+
+ Note: in case the gpg-agent receives a signature request, the user
+ might need to be prompted for a passphrase, which is necessary for
+ decrypting the stored key. Since the ssh-agent protocol does not
+ contain a mechanism for telling the agent on which display/terminal
+ it is running, gpg-agent's ssh-support will use the TTY or X
+ display where gpg-agent has been started. To switch this display
+ to the current one, the following command may be used:
+
+ gpg-connect-agent updatestartuptty /bye
+
+ Although all GnuPG components try to start the gpg-agent as needed,
+ this is not possible for the ssh support because ssh does not know
+ about it. Thus if no GnuPG tool which accesses the agent has been
+ run, there is no guarantee that ssh is able to use gpg-agent for
+ authentication. To fix this you may start gpg-agent if needed
+ using this simple command:
+
+ gpg-connect-agent /bye
+
+ Adding the '--verbose' shows the progress of starting the agent.
+
+ The '--enable-putty-support' is only available under Windows and
+ allows the use of gpg-agent with the ssh implementation 'putty'.
+ This is similar to the regular ssh-agent support but makes use of
+ Windows message queue as required by 'putty'.
+
+'--ssh-fingerprint-digest'
+
+ Select the digest algorithm used to compute ssh fingerprints that
+ are communicated to the user, e.g. in pinentry dialogs. OpenSSH
+ has transitioned from using MD5 to the more secure SHA256.
+
+'--auto-expand-secmem N'
+ Allow Libgcrypt to expand its secure memory area as required. The
+ optional value N is a non-negative integer with a suggested size in
+ bytes of each additionally allocated secure memory area. The value
+ is rounded up to the next 32 KiB; usual C style prefixes are
+ allowed. For an heavy loaded gpg-agent with many concurrent
+ connection this option avoids sign or decrypt errors due to out of
+ secure memory error returns.
+
+'--s2k-calibration MILLISECONDS'
+ Change the default calibration time to MILLISECONDS. The given
+ value is capped at 60 seconds; a value of 0 resets to the
+ compiled-in default. This option is re-read on a SIGHUP (or
+ 'gpgconf --reload gpg-agent') and the S2K count is then
+ re-calibrated.
+
+'--s2k-count N'
+ Specify the iteration count used to protect the passphrase. This
+ option can be used to override the auto-calibration done by
+ default. The auto-calibration computes a count which requires by
+ default 100ms to mangle a given passphrase. See also
+ '--s2k-calibration'.
+
+ To view the actually used iteration count and the milliseconds
+ required for an S2K operation use:
+
+ gpg-connect-agent 'GETINFO s2k_count' /bye
+ gpg-connect-agent 'GETINFO s2k_time' /bye
+
+ To view the auto-calibrated count use:
+
+ gpg-connect-agent 'GETINFO s2k_count_cal' /bye
+
+
+File: gnupg.info, Node: Agent Configuration, Next: Agent Signals, Prev: Agent Options, Up: Invoking GPG-AGENT
+
+2.3 Configuration
+=================
+
+There are a few configuration files needed for the operation of the
+agent. By default they may all be found in the current home directory
+(*note option --homedir::).
+
+'gpg-agent.conf'
+ This is the standard configuration file read by 'gpg-agent' on
+ startup. It may contain any valid long option; the leading two
+ dashes may not be entered and the option may not be abbreviated.
+ This file is also read after a 'SIGHUP' however only a few options
+ will actually have an effect. This default name may be changed on
+ the command line (*note option --options::). You should backup
+ this file.
+
+'trustlist.txt'
+ This is the list of trusted keys. You should backup this file.
+
+ Comment lines, indicated by a leading hash mark, as well as empty
+ lines are ignored. To mark a key as trusted you need to enter its
+ fingerprint followed by a space and a capital letter 'S'. Colons
+ may optionally be used to separate the bytes of a fingerprint; this
+ enables cutting and pasting the fingerprint from a key listing
+ output. If the line is prefixed with a '!' the key is explicitly
+ marked as not trusted.
+
+ Here is an example where two keys are marked as ultimately trusted
+ and one as not trusted:
+
+ # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
+ A6935DD34EF3087973C706FC311AA2CCF733765B S
+
+ # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
+ DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
+
+ # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
+ !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
+
+ Before entering a key into this file, you need to ensure its
+ authenticity. How to do this depends on your organisation; your
+ administrator might have already entered those keys which are
+ deemed trustworthy enough into this file. Places where to look for
+ the fingerprint of a root certificate are letters received from the
+ CA or the website of the CA (after making 100% sure that this is
+ indeed the website of that CA). You may want to consider
+ disallowing interactive updates of this file by using the *note
+ option --no-allow-mark-trusted::. It might even be advisable to
+ change the permissions to read-only so that this file can't be
+ changed inadvertently.
+
+ As a special feature a line 'include-default' will include a global
+ list of trusted certificates (e.g. '/etc/gnupg/trustlist.txt').
+ This global list is also used if the local list is not available;
+ the *note option --no-user-trustlist:: enforces the use of only
+ this global list.
+
+ It is possible to add further flags after the 'S' for use by the
+ caller:
+
+ 'relax'
+ Relax checking of some root certificate requirements. As of
+ now this flag allows the use of root certificates with a
+ missing basicConstraints attribute (despite that it is a MUST
+ for CA certificates) and disables CRL checking for the root
+ certificate.
+
+ 'cm'
+ If validation of a certificate finally issued by a CA with
+ this flag set fails, try again using the chain validation
+ model.
+
+'sshcontrol'
+ This file is used when support for the secure shell agent protocol
+ has been enabled (*note option --enable-ssh-support::). Only keys
+ present in this file are used in the SSH protocol. You should
+ backup this file.
+
+ The 'ssh-add' tool may be used to add new entries to this file; you
+ may also add them manually. Comment lines, indicated by a leading
+ hash mark, as well as empty lines are ignored. An entry starts
+ with optional whitespace, followed by the keygrip of the key given
+ as 40 hex digits, optionally followed by the caching TTL in seconds
+ and another optional field for arbitrary flags. A non-zero TTL
+ overrides the global default as set by '--default-cache-ttl-ssh'.
+
+ The only flag support is 'confirm'. If this flag is found for a
+ key, each use of the key will pop up a pinentry to confirm the use
+ of that key. The flag is automatically set if a new key was loaded
+ into 'gpg-agent' using the option '-c' of the 'ssh-add' command.
+
+ The keygrip may be prefixed with a '!' to disable an entry.
+
+ The following example lists exactly one key. Note that keys
+ available through a OpenPGP smartcard in the active smartcard
+ reader are implicitly added to this list; i.e. there is no need to
+ list them.
+
+ # Key added on: 2011-07-20 20:38:46
+ # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
+ 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
+
+'private-keys-v1.d/'
+
+ This is the directory where gpg-agent stores the private keys.
+ Each key is stored in a file with the name made up of the keygrip
+ and the suffix 'key'. You should backup all files in this
+ directory and take great care to keep this backup closed away.
+
+ Note that on larger installations, it is useful to put predefined
+files into the directory '/etc/skel/.gnupg' so that newly created users
+start up with a working configuration. For existing users the a small
+helper script is provided to create these files (*note addgnupghome::).
+
+
+File: gnupg.info, Node: Agent Signals, Next: Agent Examples, Prev: Agent Configuration, Up: Invoking GPG-AGENT
+
+2.4 Use of some signals
+=======================
+
+A running 'gpg-agent' may be controlled by signals, i.e. using the
+'kill' command to send a signal to the process.
+
+ Here is a list of supported signals:
+
+'SIGHUP'
+ This signal flushes all cached passphrases and if the program has
+ been started with a configuration file, the configuration file is
+ read again. Only certain options are honored: 'quiet', 'verbose',
+ 'debug', 'debug-all', 'debug-level', 'debug-pinentry', 'no-grab',
+ 'pinentry-program', 'pinentry-invisible-char', 'default-cache-ttl',
+ 'max-cache-ttl', 'ignore-cache-for-signing', 's2k-count',
+ 'no-allow-external-cache', 'allow-emacs-pinentry',
+ 'no-allow-mark-trusted', 'disable-scdaemon', and
+ 'disable-check-own-socket'. 'scdaemon-program' is also supported
+ but due to the current implementation, which calls the scdaemon
+ only once, it is not of much use unless you manually kill the
+ scdaemon.
+
+'SIGTERM'
+ Shuts down the process but waits until all current requests are
+ fulfilled. If the process has received 3 of these signals and
+ requests are still pending, a shutdown is forced.
+
+'SIGINT'
+ Shuts down the process immediately.
+
+'SIGUSR1'
+ Dump internal information to the log file.
+
+'SIGUSR2'
+ This signal is used for internal purposes.
+
+
+File: gnupg.info, Node: Agent Examples, Next: Agent Protocol, Prev: Agent Signals, Up: Invoking GPG-AGENT
+
+2.5 Examples
+============
+
+It is important to set the environment variable 'GPG_TTY' in your login
+shell, for example in the '~/.bashrc' init script:
+
+ export GPG_TTY=$(tty)
+
+ If you enabled the Ssh Agent Support, you also need to tell ssh about
+it by adding this to your init script:
+
+ unset SSH_AGENT_PID
+ if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then
+ export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+ fi
+
+
+File: gnupg.info, Node: Agent Protocol, Prev: Agent Examples, Up: Invoking GPG-AGENT
+
+2.6 Agent's Assuan Protocol
+===========================
+
+Note: this section does only document the protocol, which is used by
+GnuPG components; it does not deal with the ssh-agent protocol. To see
+the full specification of each command, use
+
+ gpg-connect-agent 'help COMMAND' /bye
+
+or just 'help' to list all available commands.
+
+The 'gpg-agent' daemon is started on demand by the GnuPG components.
+
+ To identify a key we use a thing called keygrip which is the SHA-1
+hash of an canonical encoded S-Expression of the public key as used in
+Libgcrypt. For the purpose of this interface the keygrip is given as a
+hex string. The advantage of using this and not the hash of a
+certificate is that it will be possible to use the same keypair for
+different protocols, thereby saving space on the token used to keep the
+secret keys.
+
+ The 'gpg-agent' may send status messages during a command or when
+returning from a command to inform a client about the progress or result
+of an operation. For example, the INQUIRE_MAXLEN status message may be
+sent during a server inquire to inform the client of the maximum usable
+length of the inquired data (which should not be exceeded).
+
+* Menu:
+
+* Agent PKDECRYPT:: Decrypting a session key
+* Agent PKSIGN:: Signing a Hash
+* Agent GENKEY:: Generating a Key
+* Agent IMPORT:: Importing a Secret Key
+* Agent EXPORT:: Exporting a Secret Key
+* Agent ISTRUSTED:: Importing a Root Certificate
+* Agent GET_PASSPHRASE:: Ask for a passphrase
+* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
+* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
+* Agent GET_CONFIRMATION:: Ask for confirmation
+* Agent HAVEKEY:: Check whether a key is available
+* Agent LEARN:: Register a smartcard
+* Agent PASSWD:: Change a Passphrase
+* Agent UPDATESTARTUPTTY:: Change the Standard Display
+* Agent GETEVENTCOUNTER:: Get the Event Counters
+* Agent GETINFO:: Return information about the process
+* Agent OPTION:: Set options for the session
+
+
+File: gnupg.info, Node: Agent PKDECRYPT, Next: Agent PKSIGN, Up: Agent Protocol
+
+2.6.1 Decrypting a session key
+------------------------------
+
+The client asks the server to decrypt a session key. The encrypted
+session key should have all information needed to select the appropriate
+secret key or to delegate it to a smartcard.
+
+ SETKEY <keyGrip>
+
+ Tell the server about the key to be used for decryption. If this is
+not used, 'gpg-agent' may try to figure out the key by trying to decrypt
+the message with each key available.
+
+ PKDECRYPT
+
+ The agent checks whether this command is allowed and then does an
+INQUIRY to get the ciphertext the client should then send the cipher
+text.
+
+ S: INQUIRE CIPHERTEXT
+ C: D (xxxxxx
+ C: D xxxx)
+ C: END
+
+ Please note that the server may send status info lines while reading
+the data lines from the client. The data send is a SPKI like S-Exp with
+this structure:
+
+ (enc-val
+ (<algo>
+ (<param_name1> <mpi>)
+ ...
+ (<param_namen> <mpi>)))
+
+ Where algo is a string with the name of the algorithm; see the
+libgcrypt documentation for a list of valid algorithms. The number and
+names of the parameters depend on the algorithm. The agent does return
+an error if there is an inconsistency.
+
+ If the decryption was successful the decrypted data is returned by
+means of "D" lines.
+
+ Here is an example session:
+ C: PKDECRYPT
+ S: INQUIRE CIPHERTEXT
+ C: D (enc-val elg (a 349324324)
+ C: D (b 3F444677CA)))
+ C: END
+ S: # session key follows
+ S: S PADDING 0
+ S: D (value 1234567890ABCDEF0)
+ S: OK decryption successful
+
+ The “PADDING†status line is only send if gpg-agent can tell what
+kind of padding is used. As of now only the value 0 is used to indicate
+that the padding has been removed.
+
+
+File: gnupg.info, Node: Agent PKSIGN, Next: Agent GENKEY, Prev: Agent PKDECRYPT, Up: Agent Protocol
+
+2.6.2 Signing a Hash
+--------------------
+
+The client asks the agent to sign a given hash value. A default key
+will be chosen if no key has been set. To set a key a client first
+uses:
+
+ SIGKEY <keyGrip>
+
+ This can be used multiple times to create multiple signature, the
+list of keys is reset with the next PKSIGN command or a RESET. The
+server tests whether the key is a valid key to sign something and
+responds with okay.
+
+ SETHASH --hash=<name>|<algo> <hexstring>
+
+ The client can use this command to tell the server about the data
+<hexstring> (which usually is a hash) to be signed. <algo> is the
+decimal encoded hash algorithm number as used by Libgcrypt. Either
+<algo> or -hash=<name> must be given. Valid names for <name> are:
+
+'sha1'
+ The SHA-1 hash algorithm
+'sha256'
+ The SHA-256 hash algorithm
+'rmd160'
+ The RIPE-MD160 hash algorithm
+'md5'
+ The old and broken MD5 hash algorithm
+'tls-md5sha1'
+ A combined hash algorithm as used by the TLS protocol.
+
+The actual signing is done using
+
+ PKSIGN <options>
+
+ Options are not yet defined, but may later be used to choose among
+different algorithms. The agent does then some checks, asks for the
+passphrase and as a result the server returns the signature as an SPKI
+like S-expression in "D" lines:
+
+ (sig-val
+ (<algo>
+ (<param_name1> <mpi>)
+ ...
+ (<param_namen> <mpi>)))
+
+ The operation is affected by the option
+
+ OPTION use-cache-for-signing=0|1
+
+ The default of '1' uses the cache. Setting this option to '0' will
+lead 'gpg-agent' to ignore the passphrase cache. Note, that there is
+also a global command line option for 'gpg-agent' to globally disable
+the caching.
+
+ Here is an example session:
+ C: SIGKEY <keyGrip>
+ S: OK key available
+ C: SIGKEY <keyGrip>
+ S: OK key available
+ C: PKSIGN
+ S: # I did ask the user whether he really wants to sign
+ S: # I did ask the user for the passphrase
+ S: INQUIRE HASHVAL
+ C: D ABCDEF012345678901234
+ C: END
+ S: # signature follows
+ S: D (sig-val rsa (s 45435453654612121212))
+ S: OK
+
+
+File: gnupg.info, Node: Agent GENKEY, Next: Agent IMPORT, Prev: Agent PKSIGN, Up: Agent Protocol
+
+2.6.3 Generating a Key
+----------------------
+
+This is used to create a new keypair and store the secret key inside the
+active PSE -- which is in most cases a Soft-PSE. A not-yet-defined
+option allows choosing the storage location. To get the secret key out
+of the PSE, a special export tool has to be used.
+
+ GENKEY [--no-protection] [--preset] [<cache_nonce>]
+
+ Invokes the key generation process and the server will then inquire
+on the generation parameters, like:
+
+ S: INQUIRE KEYPARM
+ C: D (genkey (rsa (nbits 1024)))
+ C: END
+
+ The format of the key parameters which depends on the algorithm is of
+the form:
+
+ (genkey
+ (algo
+ (parameter_name_1 ....)
+ ....
+ (parameter_name_n ....)))
+
+ If everything succeeds, the server returns the *public key* in a SPKI
+like S-Expression like this:
+
+ (public-key
+ (rsa
+ (n <mpi>)
+ (e <mpi>)))
+
+ Here is an example session:
+ C: GENKEY
+ S: INQUIRE KEYPARM
+ C: D (genkey (rsa (nbits 1024)))
+ C: END
+ S: D (public-key
+ S: D (rsa (n 326487324683264) (e 10001)))
+ S OK key created
+
+ The '--no-protection' option may be used to prevent prompting for a
+passphrase to protect the secret key while leaving the secret key
+unprotected. The '--preset' option may be used to add the passphrase to
+the cache using the default cache parameters.
+
+ The '--inq-passwd' option may be used to create the key with a
+supplied passphrase. When used the agent does an inquiry with the
+keyword 'NEWPASSWD' to retrieve that passphrase. This option takes
+precedence over '--no-protection'; however if the client sends a empty
+(zero-length) passphrase, this is identical to '--no-protection'.
+
+
+File: gnupg.info, Node: Agent IMPORT, Next: Agent EXPORT, Prev: Agent GENKEY, Up: Agent Protocol
+
+2.6.4 Importing a Secret Key
+----------------------------
+
+This operation is not yet supported by GpgAgent. Specialized tools are
+to be used for this.
+
+ There is no actual need because we can expect that secret keys
+created by a 3rd party are stored on a smartcard. If we have generated
+the key ourselves, we do not need to import it.
+
+
+File: gnupg.info, Node: Agent EXPORT, Next: Agent ISTRUSTED, Prev: Agent IMPORT, Up: Agent Protocol
+
+2.6.5 Export a Secret Key
+-------------------------
+
+Not implemented.
+
+ Should be done by an extra tool.
+
+
+File: gnupg.info, Node: Agent ISTRUSTED, Next: Agent GET_PASSPHRASE, Prev: Agent EXPORT, Up: Agent Protocol
+
+2.6.6 Importing a Root Certificate
+----------------------------------
+
+Actually we do not import a Root Cert but provide a way to validate any
+piece of data by storing its Hash along with a description and an
+identifier in the PSE. Here is the interface description:
+
+ ISTRUSTED <fingerprint>
+
+ Check whether the OpenPGP primary key or the X.509 certificate with
+the given fingerprint is an ultimately trusted key or a trusted Root CA
+certificate. The fingerprint should be given as a hexstring (without
+any blanks or colons or whatever in between) and may be left padded with
+00 in case of an MD5 fingerprint. GPGAgent will answer with:
+
+ OK
+
+ The key is in the table of trusted keys.
+
+ ERR 304 (Not Trusted)
+
+ The key is not in this table.
+
+ Gpg needs the entire list of trusted keys to maintain the web of
+trust; the following command is therefore quite helpful:
+
+ LISTTRUSTED
+
+ GpgAgent returns a list of trusted keys line by line:
+
+ S: D 000000001234454556565656677878AF2F1ECCFF P
+ S: D 340387563485634856435645634856438576457A P
+ S: D FEDC6532453745367FD83474357495743757435D S
+ S: OK
+
+ The first item on a line is the hexified fingerprint where MD5
+fingerprints are '00' padded to the left and the second item is a flag
+to indicate the type of key (so that gpg is able to only take care of
+PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest of
+the line, so that we can extend the format in the future.
+
+ Finally a client should be able to mark a key as trusted:
+
+ MARKTRUSTED FINGERPRINT "P"|"S"
+
+ The server will then pop up a window to ask the user whether she
+really trusts this key. For this it will probably ask for a text to be
+displayed like this:
+
+ S: INQUIRE TRUSTDESC
+ C: D Do you trust the key with the fingerprint @FPR@
+ C: D bla fasel blurb.
+ C: END
+ S: OK
+
+ Known sequences with the pattern @foo@ are replaced according to this
+table:
+
+'@FPR16@'
+ Format the fingerprint according to gpg rules for a v3 keys.
+'@FPR20@'
+ Format the fingerprint according to gpg rules for a v4 keys.
+'@FPR@'
+ Choose an appropriate format to format the fingerprint.
+'@@'
+ Replaced by a single '@'.
+
+
+File: gnupg.info, Node: Agent GET_PASSPHRASE, Next: Agent CLEAR_PASSPHRASE, Prev: Agent ISTRUSTED, Up: Agent Protocol
+
+2.6.7 Ask for a passphrase
+--------------------------
+
+This function is usually used to ask for a passphrase to be used for
+symmetric encryption, but may also be used by programs which need
+special handling of passphrases. This command uses a syntax which helps
+clients to use the agent with minimum effort.
+
+ GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \
+ [--qualitybar] CACHE_ID \
+ [ERROR_MESSAGE PROMPT DESCRIPTION]
+
+ CACHE_ID is expected to be a string used to identify a cached
+passphrase. Use a 'X' to bypass the cache. With no other arguments the
+agent returns a cached passphrase or an error. By convention either the
+hexified fingerprint of the key shall be used for CACHE_ID or an
+arbitrary string prefixed with the name of the calling application and a
+colon: Like 'gpg:somestring'.
+
+ ERROR_MESSAGE is either a single 'X' for no error message or a string
+to be shown as an error message like (e.g. "invalid passphrase").
+Blanks must be percent escaped or replaced by '+''.
+
+ PROMPT is either a single 'X' for a default prompt or the text to be
+shown as the prompt. Blanks must be percent escaped or replaced by '+'.
+
+ DESCRIPTION is a text shown above the entry field. Blanks must be
+percent escaped or replaced by '+'.
+
+ The agent either returns with an error or with a OK followed by the
+hex encoded passphrase. Note that the length of the strings is
+implicitly limited by the maximum length of a command. If the option
+'--data' is used, the passphrase is not returned on the OK line but by
+regular data lines; this is the preferred method.
+
+ If the option '--check' is used, the standard passphrase constraints
+checks are applied. A check is not done if the passphrase has been
+found in the cache.
+
+ If the option '--no-ask' is used and the passphrase is not in the
+cache the user will not be asked to enter a passphrase but the error
+code 'GPG_ERR_NO_DATA' is returned.
+
+ If the option '--qualitybar' is used and a minimum passphrase length
+has been configured, a visual indication of the entered passphrase
+quality is shown.
+
+ CLEAR_PASSPHRASE CACHE_ID
+
+ may be used to invalidate the cache entry for a passphrase. The
+function returns with OK even when there is no cached passphrase.
+
+
+File: gnupg.info, Node: Agent CLEAR_PASSPHRASE, Next: Agent PRESET_PASSPHRASE, Prev: Agent GET_PASSPHRASE, Up: Agent Protocol
+
+2.6.8 Remove a cached passphrase
+--------------------------------
+
+Use this command to remove a cached passphrase.
+
+ CLEAR_PASSPHRASE [--mode=normal] <cache_id>
+
+ The '--mode=normal' option can be used to clear a CACHE_ID that was
+set by gpg-agent.
+
+
+File: gnupg.info, Node: Agent PRESET_PASSPHRASE, Next: Agent GET_CONFIRMATION, Prev: Agent CLEAR_PASSPHRASE, Up: Agent Protocol
+
+2.6.9 Set a passphrase for a keygrip
+------------------------------------
+
+This command adds a passphrase to the cache for the specified KEYGRIP.
+
+ PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]
+
+ The passphrase is a hexadecimal string when specified. When not
+specified, the passphrase will be retrieved from the pinentry module
+unless the '--inquire' option was specified in which case the passphrase
+will be retrieved from the client.
+
+ The TIMEOUT parameter keeps the passphrase cached for the specified
+number of seconds. A value of '-1' means infinite while '0' means the
+default (currently only a timeout of -1 is allowed, which means to never
+expire it).
+
+
+File: gnupg.info, Node: Agent GET_CONFIRMATION, Next: Agent HAVEKEY, Prev: Agent PRESET_PASSPHRASE, Up: Agent Protocol
+
+2.6.10 Ask for confirmation
+---------------------------
+
+This command may be used to ask for a simple confirmation by presenting
+a text and 2 buttons: Okay and Cancel.
+
+ GET_CONFIRMATION DESCRIPTION
+
+ DESCRIPTIONis displayed along with a Okay and Cancel button. Blanks
+must be percent escaped or replaced by '+'. A 'X' may be used to
+display confirmation dialog with a default text.
+
+ The agent either returns with an error or with a OK. Note, that the
+length of DESCRIPTION is implicitly limited by the maximum length of a
+command.
+
+
+File: gnupg.info, Node: Agent HAVEKEY, Next: Agent LEARN, Prev: Agent GET_CONFIRMATION, Up: Agent Protocol
+
+2.6.11 Check whether a key is available
+---------------------------------------
+
+This can be used to see whether a secret key is available. It does not
+return any information on whether the key is somehow protected.
+
+ HAVEKEY KEYGRIPS
+
+ The agent answers either with OK or 'No_Secret_Key' (208). The
+caller may want to check for other error codes as well. More than one
+keygrip may be given. In this case the command returns success if at
+least one of the keygrips corresponds to an available secret key.
+
+
+File: gnupg.info, Node: Agent LEARN, Next: Agent PASSWD, Prev: Agent HAVEKEY, Up: Agent Protocol
+
+2.6.12 Register a smartcard
+---------------------------
+
+ LEARN [--send]
+
+ This command is used to register a smartcard. With the '--send'
+option given the certificates are sent back.
+
+
+File: gnupg.info, Node: Agent PASSWD, Next: Agent UPDATESTARTUPTTY, Prev: Agent LEARN, Up: Agent Protocol
+
+2.6.13 Change a Passphrase
+--------------------------
+
+ PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] KEYGRIP
+
+ This command is used to interactively change the passphrase of the
+key identified by the hex string KEYGRIP. The '--preset' option may be
+used to add the new passphrase to the cache using the default cache
+parameters.
+
+
+File: gnupg.info, Node: Agent UPDATESTARTUPTTY, Next: Agent GETEVENTCOUNTER, Prev: Agent PASSWD, Up: Agent Protocol
+
+2.6.14 Change the standard display
+----------------------------------
+
+ UPDATESTARTUPTTY
+
+ Set the startup TTY and X-DISPLAY variables to the values of this
+session. This command is useful to direct future pinentry invocations
+to another screen. It is only required because there is no way in the
+ssh-agent protocol to convey this information.
+
+
+File: gnupg.info, Node: Agent GETEVENTCOUNTER, Next: Agent GETINFO, Prev: Agent UPDATESTARTUPTTY, Up: Agent Protocol
+
+2.6.15 Get the Event Counters
+-----------------------------
+
+ GETEVENTCOUNTER
+
+ This function return one status line with the current values of the
+event counters. The event counters are useful to avoid polling by
+delaying a poll until something has changed. The values are decimal
+numbers in the range '0' to 'UINT_MAX' and wrapping around to 0. The
+actual values should not be relied upon; they shall only be used to
+detect a change.
+
+ The currently defined counters are:
+'ANY'
+ Incremented with any change of any of the other counters.
+'KEY'
+ Incremented for added or removed private keys.
+'CARD'
+ Incremented for changes of the card readers stati.
+
+
+File: gnupg.info, Node: Agent GETINFO, Next: Agent OPTION, Prev: Agent GETEVENTCOUNTER, Up: Agent Protocol
+
+2.6.16 Return information about the process
+-------------------------------------------
+
+This is a multipurpose function to return a variety of information.
+
+ GETINFO WHAT
+
+ The value of WHAT specifies the kind of information returned:
+'version'
+ Return the version of the program.
+'pid'
+ Return the process id of the process.
+'socket_name'
+ Return the name of the socket used to connect the agent.
+'ssh_socket_name'
+ Return the name of the socket used for SSH connections. If SSH
+ support has not been enabled the error 'GPG_ERR_NO_DATA' will be
+ returned.
+
+
+File: gnupg.info, Node: Agent OPTION, Prev: Agent GETINFO, Up: Agent Protocol
+
+2.6.17 Set options for the session
+----------------------------------
+
+Here is a list of session options which are not yet described with other
+commands. The general syntax for an Assuan option is:
+
+ OPTION KEY=VALUE
+
+Supported KEYs are:
+
+'agent-awareness'
+ This may be used to tell gpg-agent of which gpg-agent version the
+ client is aware of. gpg-agent uses this information to enable
+ features which might break older clients.
+
+'putenv'
+ Change the session's environment to be used for the Pinentry.
+ Valid values are:
+
+ 'NAME'
+ Delete envvar NAME
+ 'NAME='
+ Set envvar NAME to the empty string
+ 'NAME=VALUE'
+ Set envvar NAME to the string VALUE.
+
+'use-cache-for-signing'
+ See Assuan command 'PKSIGN'.
+
+'allow-pinentry-notify'
+ This does not need any value. It is used to enable the
+ PINENTRY_LAUNCHED inquiry.
+
+'pinentry-mode'
+ This option is used to change the operation mode of the pinentry.
+ The following values are defined:
+
+ 'ask'
+ This is the default mode which pops up a pinentry as needed.
+
+ 'cancel'
+ Instead of popping up a pinentry, return the error code
+ 'GPG_ERR_CANCELED'.
+
+ 'error'
+ Instead of popping up a pinentry, return the error code
+ 'GPG_ERR_NO_PIN_ENTRY'.
+
+ 'loopback'
+ Use a loopback pinentry. This fakes a pinentry by using
+ inquiries back to the caller to ask for a passphrase. This
+ option may only be set if the agent has been configured for
+ that. To disable this feature use *note option
+ --no-allow-loopback-pinentry::.
+
+'cache-ttl-opt-preset'
+ This option sets the cache TTL for new entries created by GENKEY
+ and PASSWD commands when using the '--preset' option. It is not
+ used a default value is used.
+
+'s2k-count'
+ Instead of using the standard S2K count (which is computed on the
+ fly), the given S2K count is used for new keys or when changing the
+ passphrase of a key. Values below 65536 are considered to be 0.
+ This option is valid for the entire session or until reset to 0.
+ This option is useful if the key is later used on boxes which are
+ either much slower or faster than the actual box.
+
+'pretend-request-origin'
+ This option switches the connection into a restricted mode which
+ handles all further commands in the same way as they would be
+ handled when originating from the extra or browser socket. Note
+ that this option is not available in the restricted mode. Valid
+ values for this option are:
+
+ 'none'
+ 'local'
+ This is a NOP and leaves the connection in the standard way.
+
+ 'remote'
+ Pretend to come from a remote origin in the same way as
+ connections from the '--extra-socket'.
+
+ 'browser'
+ Pretend to come from a local web browser in the same way as
+ connections from the '--browser-socket'.
+
+
+File: gnupg.info, Node: Invoking DIRMNGR, Next: Invoking GPG, Prev: Invoking GPG-AGENT, Up: Top
+
+3 Invoking DIRMNGR
+******************
+
+Since version 2.1 of GnuPG, 'dirmngr' takes care of accessing the
+OpenPGP keyservers. As with previous versions it is also used as a
+server for managing and downloading certificate revocation lists (CRLs)
+for X.509 certificates, downloading X.509 certificates, and providing
+access to OCSP providers. Dirmngr is invoked internally by 'gpg',
+'gpgsm', or via the 'gpg-connect-agent' tool.
+
+*Note Option Index::,for an index to 'DIRMNGR''s commands and options.
+
+* Menu:
+
+* Dirmngr Commands:: List of all commands.
+* Dirmngr Options:: List of all options.
+* Dirmngr Configuration:: Configuration files.
+* Dirmngr Signals:: Use of signals.
+* Dirmngr Examples:: Some usage examples.
+* Dirmngr Protocol:: The protocol dirmngr uses.
+
+
+File: gnupg.info, Node: Dirmngr Commands, Next: Dirmngr Options, Up: Invoking DIRMNGR
+
+3.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+'--server'
+ Run in server mode and wait for commands on the 'stdin'. The
+ default mode is to create a socket and listen for commands there.
+ This is only used for testing.
+
+'--daemon'
+ Run in background daemon mode and listen for commands on a socket.
+ This is the way 'dirmngr' is started on demand by the other GnuPG
+ components. To force starting 'dirmngr' it is in general best to
+ use 'gpgconf --launch dirmngr'.
+
+'--supervised'
+ Run in the foreground, sending logs to stderr, and listening on
+ file descriptor 3, which must already be bound to a listening
+ socket. This is useful when running under systemd or other similar
+ process supervision schemes. This option is not supported on
+ Windows.
+
+'--list-crls'
+ List the contents of the CRL cache on 'stdout'. This is probably
+ only useful for debugging purposes.
+
+'--load-crl FILE'
+ This command requires a filename as additional argument, and it
+ will make Dirmngr try to import the CRL in FILE into it's cache.
+ Note, that this is only possible if Dirmngr is able to retrieve the
+ CA's certificate directly by its own means. In general it is
+ better to use 'gpgsm''s '--call-dirmngr loadcrl filename' command
+ so that 'gpgsm' can help dirmngr.
+
+'--fetch-crl URL'
+ This command requires an URL as additional argument, and it will
+ make dirmngr try to retrieve and import the CRL from that URL into
+ it's cache. This is mainly useful for debugging purposes. The
+ 'dirmngr-client' provides the same feature for a running dirmngr.
+
+'--shutdown'
+ This commands shuts down an running instance of Dirmngr. This
+ command has currently no effect.
+
+'--flush'
+ This command removes all CRLs from Dirmngr's cache. Client
+ requests will thus trigger reading of fresh CRLs.
+
+
+File: gnupg.info, Node: Dirmngr Options, Next: Dirmngr Configuration, Prev: Dirmngr Commands, Up: Invoking DIRMNGR
+
+3.2 Option Summary
+==================
+
+Note that all long options with the exception of '--options' and
+'--homedir' may also be given in the configuration file after stripping
+off the two leading dashes.
+
+'--options FILE'
+ Reads configuration from FILE instead of from the default per-user
+ configuration file. The default configuration file is named
+ 'dirmngr.conf' and expected in the home directory.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. This option is only
+ effective when used on the command line. The default is the
+ directory named '.gnupg' directly below the home directory of the
+ user unless the environment variable 'GNUPGHOME' has been set in
+ which case its value will be used. Many kinds of data are stored
+ within this directory.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to DIRMNGR, such as
+ '-vv'.
+
+'--log-file FILE'
+ Append all logging output to FILE. This is very helpful in seeing
+ what the agent actually does. Use 'socket://' to log to socket.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or by a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+'--debug FLAGS'
+ Set debugging flags. This option is only useful for debugging and
+ its behavior may change with a new release. All flags are or-ed
+ and may be given in C syntax (e.g. 0x0042) or as a comma separated
+ list of flag names. To get a list of all supported flags the
+ single word "help" can be used.
+
+'--debug-all'
+ Same as '--debug=0xffffffff'
+
+'--tls-debug LEVEL'
+ Enable debugging of the TLS layer at LEVEL. The details of the
+ debug level depend on the used TLS library and are not set in
+ stone.
+
+'--debug-wait N'
+ When running in server mode, wait N seconds before entering the
+ actual processing loop and print the pid. This gives time to
+ attach a debugger.
+
+'--disable-check-own-socket'
+ On some platforms 'dirmngr' is able to detect the removal of its
+ socket file and shutdown itself. This option disable this
+ self-test for debugging purposes.
+
+'-s'
+'--sh'
+'-c'
+'--csh'
+ Format the info output in daemon mode for use with the standard
+ Bourne shell respective the C-shell. The default is to guess it
+ based on the environment variable 'SHELL' which is in almost all
+ cases sufficient.
+
+'--force'
+ Enabling this option forces loading of expired CRLs; this is only
+ useful for debugging.
+
+'--use-tor'
+'--no-use-tor'
+ The option '--use-tor' switches Dirmngr and thus GnuPG into "Tor
+ mode" to route all network access via Tor (an anonymity network).
+ Certain other features are disabled in this mode. The effect of
+ '--use-tor' cannot be overridden by any other command or even by
+ reloading dirmngr. The use of '--no-use-tor' disables the use of
+ Tor. The default is to use Tor if it is available on startup or
+ after reloading dirmngr. The test on the available of Tor is done
+ by trying to connects to a SOCKS proxy at either port 9050 or
+ 9150); if another type of proxy is listening on one of these ports,
+ you should use '--no-use-tor'.
+
+'--standard-resolver'
+ This option forces the use of the system's standard DNS resolver
+ code. This is mainly used for debugging. Note that on Windows a
+ standard resolver is not used and all DNS access will return the
+ error "Not Implemented" if this option is used. Using this
+ together with enabled Tor mode returns the error "Not Enabled".
+
+'--recursive-resolver'
+ When possible use a recursive resolver instead of a stub resolver.
+
+'--resolver-timeout N'
+ Set the timeout for the DNS resolver to N seconds. The default are
+ 30 seconds.
+
+'--connect-timeout N'
+'--connect-quick-timeout N'
+ Set the timeout for HTTP and generic TCP connection attempts to N
+ seconds. The value set with the quick variant is used when the
+ -quick option has been given to certain Assuan commands. The quick
+ value is capped at the value of the regular connect timeout. The
+ default values are 15 and 2 seconds. Note that the timeout values
+ are for each connection attempt; the connection code will attempt
+ to connect all addresses listed for a server.
+
+'--listen-backlog N'
+ Set the size of the queue for pending connections. The default is
+ 64.
+
+'--allow-version-check'
+ Allow Dirmngr to connect to 'https://versions.gnupg.org' to get the
+ list of current software versions. If this option is enabled the
+ list is retrieved in case the local copy does not exist or is older
+ than 5 to 7 days. See the option '--query-swdb' of the command
+ 'gpgconf' for more details. Note, that regardless of this option a
+ version check can always be triggered using this command:
+
+ gpg-connect-agent --dirmngr 'loadswdb --force' /bye
+
+'--keyserver NAME'
+ Use NAME as your keyserver. This is the server that 'gpg'
+ communicates with to receive keys, send keys, and search for keys.
+ The format of the NAME is a URI: 'scheme:[//]keyservername[:port]'
+ The scheme is the type of keyserver: "hkp" for the HTTP (or
+ compatible) keyservers, "ldap" for the LDAP keyservers, or "mailto"
+ for the Graff email keyserver. Note that your particular
+ installation of GnuPG may have other keyserver types available as
+ well. Keyserver schemes are case-insensitive. After the keyserver
+ name, optional keyserver configuration options may be provided.
+ These are the same as the '--keyserver-options' of 'gpg', but apply
+ only to this particular keyserver.
+
+ Most keyservers synchronize with each other, so there is generally
+ no need to send keys to more than one server. Somes keyservers use
+ round robin DNS to give a different keyserver each time you use it.
+
+ If exactly two keyservers are configured and only one is a Tor
+ hidden service (.onion), Dirmngr selects the keyserver to use
+ depending on whether Tor is locally running or not. The check for
+ a running Tor is done for each new connection.
+
+ If no keyserver is explicitly configured, dirmngr will use the
+ built-in default of 'https://keyserver.ubuntu.com'.
+
+ Windows users with a keyserver running on their Active Directory
+ may use the short form 'ldap:///' for NAME to access this
+ directory.
+
+ For accessing anonymous LDAP keyservers NAME is in general just a
+ 'ldaps://ldap.example.com'. A BaseDN parameter should never be
+ specified. If authentication is required things are more
+ complicated and two methods are available:
+
+ The modern method (since version 2.2.28) is to use the very same
+ syntax as used with the option '--ldapserver'. Please see over
+ there for details; here is an example:
+
+ keyserver ldap:ldap.example.com::uid=USERNAME,ou=GnuPG Users,
+ dc=example,dc=com:PASSWORD::starttls
+
+ The other method is to use a full URL for NAME; for example:
+
+ keyserver ldaps://ldap.example.com/????bindname=uid=USERNAME
+ %2Cou=GnuPG%20Users%2Cdc=example%2Cdc=com,password=PASSWORD
+
+ Put this all on one line without any spaces and keep the '%2C' as
+ given. Replace USERNAME, PASSWORD, and the 'dc' parts according to
+ the instructions received from your LDAP administrator. Note that
+ only simple authentication (i.e. cleartext passwords) is supported
+ and thus using ldaps is strongly suggested (since 2.2.28 "ldaps"
+ defaults to port 389 and uses STARTTLS). On Windows authentication
+ via AD can be requested by adding 'gpgNtds=1' after the fourth
+ question mark instead of the bindname and password parameter.
+
+'--nameserver IPADDR'
+ In "Tor mode" Dirmngr uses a public resolver via Tor to resolve DNS
+ names. If the default public resolver, which is '8.8.8.8', shall
+ not be used a different one can be given using this option. Note
+ that a numerical IP address must be given (IPv6 or IPv4) and that
+ no error checking is done for IPADDR.
+
+'--disable-ipv4'
+'--disable-ipv6'
+ Disable the use of all IPv4 or IPv6 addresses.
+
+'--disable-ldap'
+ Entirely disables the use of LDAP.
+
+'--disable-http'
+ Entirely disables the use of HTTP.
+
+'--ignore-http-dp'
+ When looking for the location of a CRL, the to be tested
+ certificate usually contains so called "CRL Distribution Point"
+ (DP) entries which are URLs describing the way to access the CRL.
+ The first found DP entry is used. With this option all entries
+ using the HTTP scheme are ignored when looking for a suitable DP.
+
+'--ignore-ldap-dp'
+ This is similar to '--ignore-http-dp' but ignores entries using the
+ LDAP scheme. Both options may be combined resulting in ignoring
+ DPs entirely.
+
+'--ignore-ocsp-service-url'
+ Ignore all OCSP URLs contained in the certificate. The effect is
+ to force the use of the default responder.
+
+'--honor-http-proxy'
+ If the environment variable 'http_proxy' has been set, use its
+ value to access HTTP servers.
+
+'--http-proxy [http://]HOST[:PORT]'
+ Use HOST and PORT to access HTTP servers. The use of this option
+ overrides the environment variable 'http_proxy' regardless whether
+ '--honor-http-proxy' has been set.
+
+'--ldap-proxy HOST[:PORT]'
+ Use HOST and PORT to connect to LDAP servers. If PORT is omitted,
+ port 389 (standard LDAP port) is used. This overrides any
+ specified host and port part in a LDAP URL and will also be used if
+ host and port have been omitted from the URL.
+
+'--only-ldap-proxy'
+ Never use anything else but the LDAP "proxy" as configured with
+ '--ldap-proxy'. Usually 'dirmngr' tries to use other configured
+ LDAP server if the connection using the "proxy" failed.
+
+'--ldapserverlist-file FILE'
+ Read the list of LDAP servers to consult for CRLs and X.509
+ certificates from file instead of the default per-user ldap server
+ list file. The default value for FILE is
+ 'dirmngr_ldapservers.conf'.
+
+ This server list file contains one LDAP server per line in the
+ format
+
+ HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS
+
+ Lines starting with a '#' are comments.
+
+ Note that as usual all strings entered are expected to be UTF-8
+ encoded. Obviously this will lead to problems if the password has
+ originally been encoded as Latin-1. There is no other solution
+ here than to put such a password in the binary encoding into the
+ file (i.e. non-ascii characters won't show up readable).(1)
+
+'--ldapserver SPEC'
+ This is an alternative way to specify LDAP servers for CRL and
+ X.509 certificate retrieval. If this option is used the servers
+ configured in 'dirmngr_ldapservers.conf' (or the file given by
+ '--ldapserverlist-file') are cleared. Note that
+ 'dirmngr_ldapservers.conf' is not read again by a reload signal.
+ However, '--ldapserver' options are read again.
+
+ SPEC is either a proper LDAP URL or a colon delimited list of the
+ form
+
+ HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN:FLAGS:
+
+ with an optional prefix of 'ldap:' (but without the two slashes
+ which would turn this into a proper LDAP URL). FLAGS is a list of
+ one or more comma delimited keywords:
+ 'plain'
+ The default: Do not use a TLS secured connection at all; the
+ default port is 389.
+ 'starttls'
+ Use STARTTLS to secure the connection; the default port is
+ 389.
+ 'ldaptls'
+ Tunnel LDAP through a TLS connection; the default port is 636.
+ 'ntds'
+ On Windows authenticate the LDAP connection using the Active
+ Directory with the current user.
+ 'areconly'
+ On Windows use only the A or AAAA record when resolving the
+ LDAP server name.
+
+ Note that in an URL style specification the scheme 'ldaps://'
+ refers to STARTTLS and _not_ to LDAP-over-TLS.
+
+'--ldaptimeout SECS'
+ Specify the number of seconds to wait for an LDAP query before
+ timing out. The default are 15 seconds. 0 will never timeout.
+
+'--add-servers'
+ This option makes dirmngr add any servers it discovers when
+ validating certificates against CRLs to the internal list of
+ servers to consult for certificates and CRLs.
+
+ This option is useful when trying to validate a certificate that
+ has a CRL distribution point that points to a server that is not
+ already listed in the ldapserverlist. Dirmngr will always go to
+ this server and try to download the CRL, but chances are high that
+ the certificate used to sign the CRL is located on the same server.
+ So if dirmngr doesn't add that new server to list, it will often
+ not be able to verify the signature of the CRL unless the
+ '--add-servers' option is used.
+
+ Note: The current version of dirmngr has this option disabled by
+ default.
+
+'--allow-ocsp'
+ This option enables OCSP support if requested by the client.
+
+ OCSP requests are rejected by default because they may violate the
+ privacy of the user; for example it is possible to track the time
+ when a user is reading a mail.
+
+'--ocsp-responder URL'
+ Use URL as the default OCSP Responder if the certificate does not
+ contain information about an assigned responder. Note, that
+ '--ocsp-signer' must also be set to a valid certificate.
+
+'--ocsp-signer FPR|FILE'
+ Use the certificate with the fingerprint FPR to check the responses
+ of the default OCSP Responder. Alternatively a filename can be
+ given in which case the response is expected to be signed by one of
+ the certificates described in that file. Any argument which
+ contains a slash, dot or tilde is considered a filename. Usual
+ filename expansion takes place: A tilde at the start followed by a
+ slash is replaced by the content of 'HOME', no slash at start
+ describes a relative filename which will be searched at the home
+ directory. To make sure that the FILE is searched in the home
+ directory, either prepend the name with "./" or use a name which
+ contains a dot.
+
+ If a response has been signed by a certificate described by these
+ fingerprints no further check upon the validity of this certificate
+ is done.
+
+ The format of the FILE is a list of SHA-1 fingerprint, one per line
+ with optional colons between the bytes. Empty lines and lines
+ prefix with a hash mark are ignored.
+
+'--ocsp-max-clock-skew N'
+ The number of seconds a skew between the OCSP responder and them
+ local clock is accepted. Default is 600 (10 minutes).
+
+'--ocsp-max-period N'
+ Seconds a response is at maximum considered valid after the time
+ given in the thisUpdate field. Default is 7776000 (90 days).
+
+'--ocsp-current-period N'
+ The number of seconds an OCSP response is considered valid after
+ the time given in the NEXT_UPDATE datum. Default is 10800 (3
+ hours).
+
+'--max-replies N'
+ Do not return more that N items in one query. The default is 10.
+
+'--ignore-cert-extension OID'
+ Add OID to the list of ignored certificate extensions. The OID is
+ expected to be in dotted decimal form, like '2.5.29.3'. This
+ option may be used more than once. Critical flagged certificate
+ extensions matching one of the OIDs in the list are treated as if
+ they are actually handled and thus the certificate won't be
+ rejected due to an unknown critical extension. Use this option
+ with care because extensions are usually flagged as critical for a
+ reason.
+
+'--ignore-cert FPR|FILE'
+ Entirely ignore certificates with the fingerprint FPR. As an
+ alternative to the fingerprint a filename can be given in which
+ case all certificates described in that file are ignored. Any
+ argument which contains a slash, dot or tilde is considered a
+ filename. Usual filename expansion takes place: A tilde at the
+ start followed by a slash is replaced by the content of 'HOME', no
+ slash at start describes a relative filename which will be searched
+ at the home directory. To make sure that the FILE is searched in
+ the home directory, either prepend the name with "./" or use a name
+ which contains a dot. The format of such a file is a list of SHA-1
+ fingerprint, one per line with optional colons between the bytes.
+ Empty lines and lines prefixed with a hash mark are ignored.
+
+ This option is useful as a quick workaround to exclude certain
+ certificates from the system store.
+
+'--hkp-cacert FILE'
+ Use the root certificates in FILE for verification of the TLS
+ certificates used with 'hkps' (keyserver access over TLS). If the
+ file is in PEM format a suffix of '.pem' is expected for FILE.
+ This option may be given multiple times to add more root
+ certificates. Tilde expansion is supported.
+
+ If no 'hkp-cacert' directive is present, dirmngr will use the
+ system CAs.
+
+ ---------- Footnotes ----------
+
+ (1) The 'gpgconf' tool might be helpful for frontends as it enables
+editing this configuration file using percent-escaped strings.
+
+
+File: gnupg.info, Node: Dirmngr Configuration, Next: Dirmngr Signals, Prev: Dirmngr Options, Up: Invoking DIRMNGR
+
+3.3 Configuration
+=================
+
+Dirmngr makes use of several directories when running in daemon mode:
+There are a few configuration files whih control the operation of
+dirmngr. By default they may all be found in the current home directory
+(*note option --homedir::).
+
+'dirmngr.conf'
+ This is the standard configuration file read by 'dirmngr' on
+ startup. It may contain any valid long option; the leading two
+ dashes may not be entered and the option may not be abbreviated.
+ This file is also read after a 'SIGHUP' however not all options
+ will actually have an effect. This default name may be changed on
+ the command line (*note option --options::). You should backup
+ this file.
+
+'/etc/gnupg/trusted-certs'
+ This directory should be filled with certificates of Root CAs you
+ are trusting in checking the CRLs and signing OCSP Responses.
+
+ Usually these are the same certificates you use with the
+ applications making use of dirmngr. It is expected that each of
+ these certificate files contain exactly one DER encoded certificate
+ in a file with the suffix '.crt' or '.der'. 'dirmngr' reads those
+ certificates on startup and when given a SIGHUP. Certificates which
+ are not readable or do not make up a proper X.509 certificate are
+ ignored; see the log file for details.
+
+ Applications using dirmngr (e.g. gpgsm) can request these
+ certificates to complete a trust chain in the same way as with the
+ extra-certs directory (see below).
+
+ Note that for OCSP responses the certificate specified using the
+ option '--ocsp-signer' is always considered valid to sign OCSP
+ requests.
+
+'/etc/gnupg/extra-certs'
+ This directory may contain extra certificates which are preloaded
+ into the internal cache on startup. Applications using dirmngr
+ (e.g. gpgsm) can request cached certificates to complete a trust
+ chain. This is convenient in cases you have a couple intermediate
+ CA certificates or certificates usually used to sign OCSP
+ responses. These certificates are first tried before going out to
+ the net to look for them. These certificates must also be DER
+ encoded and suffixed with '.crt' or '.der'.
+
+'~/.gnupg/crls.d'
+ This directory is used to store cached CRLs. The 'crls.d' part
+ will be created by dirmngr if it does not exists but you need to
+ make sure that the upper directory exists.
+
+ To be able to see what's going on you should create the configure
+file '~/gnupg/dirmngr.conf' with at least one line:
+
+ log-file ~/dirmngr.log
+
+ To be able to perform OCSP requests you probably want to add the
+line:
+
+ allow-ocsp
+
+ To make sure that new options are read and that after the
+installation of a new GnuPG versions the installed dirmngr is running,
+you may want to kill an existing dirmngr first:
+
+ gpgconf --kill dirmngr
+
+ You may check the log file to see whether all desired root
+certificates have been loaded correctly.
+
+
+File: gnupg.info, Node: Dirmngr Signals, Next: Dirmngr Examples, Prev: Dirmngr Configuration, Up: Invoking DIRMNGR
+
+3.4 Use of signals
+==================
+
+A running 'dirmngr' may be controlled by signals, i.e. using the 'kill'
+command to send a signal to the process.
+
+ Here is a list of supported signals:
+
+'SIGHUP'
+ This signal flushes all internally cached CRLs as well as any
+ cached certificates. Then the certificate cache is reinitialized
+ as on startup. Options are re-read from the configuration file.
+ Instead of sending this signal it is better to use
+ gpgconf --reload dirmngr
+
+'SIGTERM'
+ Shuts down the process but waits until all current requests are
+ fulfilled. If the process has received 3 of these signals and
+ requests are still pending, a shutdown is forced. You may also use
+ gpgconf --kill dirmngr
+ instead of this signal
+
+'SIGINT'
+ Shuts down the process immediately.
+
+'SIGUSR1'
+ This prints some caching statistics to the log file.
+
+
+File: gnupg.info, Node: Dirmngr Examples, Next: Dirmngr Protocol, Prev: Dirmngr Signals, Up: Invoking DIRMNGR
+
+3.5 Examples
+============
+
+Here is an example on how to show dirmngr's internal table of OpenPGP
+keyserver addresses. The output is intended for debugging purposes and
+not part of a defined API.
+
+ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
+
+ To inhibit the use of a particular host you have noticed in one of
+the keyserver pools, you may use
+
+ gpg-connect-agent --dirmngr 'keyserver --dead pgpkeys.bnd.de' /bye
+
+ The description of the 'keyserver' command can be printed using
+
+ gpg-connect-agent --dirmngr 'help keyserver' /bye
+
+
+File: gnupg.info, Node: Dirmngr Protocol, Prev: Dirmngr Examples, Up: Invoking DIRMNGR
+
+3.6 Dirmngr's Assuan Protocol
+=============================
+
+Assuan is the IPC protocol used to access dirmngr. This is a
+description of the commands implemented by dirmngr.
+
+* Menu:
+
+* Dirmngr LOOKUP:: Look up a certificate via LDAP
+* Dirmngr ISVALID:: Validate a certificate using a CRL or OCSP.
+* Dirmngr CHECKCRL:: Validate a certificate using a CRL.
+* Dirmngr CHECKOCSP:: Validate a certificate using OCSP.
+* Dirmngr CACHECERT:: Put a certificate into the internal cache.
+* Dirmngr VALIDATE:: Validate a certificate for debugging.
+
+
+File: gnupg.info, Node: Dirmngr LOOKUP, Next: Dirmngr ISVALID, Up: Dirmngr Protocol
+
+3.6.1 Return the certificate(s) found
+-------------------------------------
+
+Lookup certificate. To allow multiple patterns (which are ORed) quoting
+is required: Spaces are to be translated into "+" or into "%20";
+obviously this requires that the usual escape quoting rules are applied.
+The server responds with:
+
+ S: D <DER encoded certificate>
+ S: END
+ S: D <second DER encoded certificate>
+ S: END
+ S: OK
+
+ In this example 2 certificates are returned. The server may return
+any number of certificates; OK will also be returned when no
+certificates were found. The dirmngr might return a status line
+
+ S: S TRUNCATED <n>
+
+ To indicate that the output was truncated to N items due to a
+limitation of the server or by an arbitrary set limit.
+
+ The option '--url' may be used if instead of a search pattern a
+complete URL to the certificate is known:
+
+ C: LOOKUP --url CN%3DWerner%20Koch,o%3DIntevation%20GmbH,c%3DDE?userCertificate
+
+ If the option '--cache-only' is given, no external lookup is done so
+that only certificates from the cache are returned.
+
+ With the option '--single', the first and only the first match will
+be returned. Unless option '--cache-only' is also used, no local lookup
+will be done in this case.
+
+
+File: gnupg.info, Node: Dirmngr ISVALID, Next: Dirmngr CHECKCRL, Prev: Dirmngr LOOKUP, Up: Dirmngr Protocol
+
+3.6.2 Validate a certificate using a CRL or OCSP
+------------------------------------------------
+
+ ISVALID [--only-ocsp] [--force-default-responder] CERTID|CERTFPR
+
+ Check whether the certificate described by the CERTID has been
+revoked. Due to caching, the Dirmngr is able to answer immediately in
+most cases.
+
+ The CERTID is a hex encoded string consisting of two parts, delimited
+by a single dot. The first part is the SHA-1 hash of the issuer name
+and the second part the serial number.
+
+ Alternatively the certificate's SHA-1 fingerprint CERTFPR may be
+given in which case an OCSP request is done before consulting the CRL.
+If the option '--only-ocsp' is given, no fallback to a CRL check will be
+used. If the option '--force-default-responder' is given, only the
+default OCSP responder will be used and any other methods of obtaining
+an OCSP responder URL won't be used.
+
+Common return values are:
+
+'GPG_ERR_NO_ERROR (0)'
+ This is the positive answer: The certificate is not revoked and we
+ have an up-to-date revocation list for that certificate. If OCSP
+ was used the responder confirmed that the certificate has not been
+ revoked.
+
+'GPG_ERR_CERT_REVOKED'
+ This is the negative answer: The certificate has been revoked.
+ Either it is in a CRL and that list is up to date or an OCSP
+ responder informed us that it has been revoked.
+
+'GPG_ERR_NO_CRL_KNOWN'
+ No CRL is known for this certificate or the CRL is not valid or out
+ of date.
+
+'GPG_ERR_NO_DATA'
+ The OCSP responder returned an "unknown" status. This means that
+ it is not aware of the certificate's status.
+
+'GPG_ERR_NOT_SUPPORTED'
+ This is commonly seen if OCSP support has not been enabled in the
+ configuration.
+
+ If DirMngr has not enough information about the given certificate
+(which is the case for not yet cached certificates), it will inquire the
+missing data:
+
+ S: INQUIRE SENDCERT <CertID>
+ C: D <DER encoded certificate>
+ C: END
+
+ A client should be aware that DirMngr may ask for more than one
+certificate.
+
+ If Dirmngr has a certificate but the signature of the certificate
+could not been validated because the root certificate is not known to
+dirmngr as trusted, it may ask back to see whether the client trusts
+this the root certificate:
+
+ S: INQUIRE ISTRUSTED <CertHexfpr>
+ C: D 1
+ C: END
+
+ Only this answer will let Dirmngr consider the certificate as valid.
+
+
+File: gnupg.info, Node: Dirmngr CHECKCRL, Next: Dirmngr CHECKOCSP, Prev: Dirmngr ISVALID, Up: Dirmngr Protocol
+
+3.6.3 Validate a certificate using a CRL
+----------------------------------------
+
+Check whether the certificate with FINGERPRINT (SHA-1 hash of the entire
+X.509 certificate blob) is valid or not by consulting the CRL
+responsible for this certificate. If the fingerprint has not been given
+or the certificate is not known, the function inquires the certificate
+using:
+
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+
+ Thus the caller is expected to return the certificate for the request
+(which should match FINGERPRINT) as a binary blob. Processing then
+takes place without further interaction; in particular dirmngr tries to
+locate other required certificate by its own mechanism which includes a
+local certificate store as well as a list of trusted root certificates.
+
+The return code is 0 for success; i.e. the certificate has not been
+revoked or one of the usual error codes from libgpg-error.
+
+
+File: gnupg.info, Node: Dirmngr CHECKOCSP, Next: Dirmngr CACHECERT, Prev: Dirmngr CHECKCRL, Up: Dirmngr Protocol
+
+3.6.4 Validate a certificate using OCSP
+---------------------------------------
+
+ CHECKOCSP [--force-default-responder] [FINGERPRINT]
+
+ Check whether the certificate with FINGERPRINT (the SHA-1 hash of the
+entire X.509 certificate blob) is valid by consulting the appropriate
+OCSP responder. If the fingerprint has not been given or the
+certificate is not known by Dirmngr, the function inquires the
+certificate using:
+
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+
+ Thus the caller is expected to return the certificate for the request
+(which should match FINGERPRINT) as a binary blob. Processing then
+takes place without further interaction; in particular dirmngr tries to
+locate other required certificates by its own mechanism which includes a
+local certificate store as well as a list of trusted root certificates.
+
+ If the option '--force-default-responder' is given, only the default
+OCSP responder is used. This option is the per-command variant of the
+global option '--ignore-ocsp-service-url'.
+
+The return code is 0 for success; i.e. the certificate has not been
+revoked or one of the usual error codes from libgpg-error.
+
+
+File: gnupg.info, Node: Dirmngr CACHECERT, Next: Dirmngr VALIDATE, Prev: Dirmngr CHECKOCSP, Up: Dirmngr Protocol
+
+3.6.5 Put a certificate into the internal cache
+-----------------------------------------------
+
+Put a certificate into the internal cache. This command might be useful
+if a client knows in advance certificates required for a test and wants
+to make sure they get added to the internal cache. It is also helpful
+for debugging. To get the actual certificate, this command immediately
+inquires it using
+
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+
+ Thus the caller is expected to return the certificate for the request
+as a binary blob.
+
+The return code is 0 for success; i.e. the certificate has not been
+successfully cached or one of the usual error codes from libgpg-error.
+
+
+File: gnupg.info, Node: Dirmngr VALIDATE, Prev: Dirmngr CACHECERT, Up: Dirmngr Protocol
+
+3.6.6 Validate a certificate for debugging
+------------------------------------------
+
+Validate a certificate using the certificate validation function used
+internally by dirmngr. This command is only useful for debugging. To
+get the actual certificate, this command immediately inquires it using
+
+ S: INQUIRE TARGETCERT
+ C: D <DER encoded certificate>
+ C: END
+
+ Thus the caller is expected to return the certificate for the request
+as a binary blob.
+
+
+File: gnupg.info, Node: Invoking GPG, Next: Invoking GPGSM, Prev: Invoking DIRMNGR, Up: Top
+
+4 Invoking GPG
+**************
+
+'gpg' is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a tool
+to provide digital encryption and signing services using the OpenPGP
+standard. 'gpg' features complete key management and all the bells and
+whistles you would expect from a full OpenPGP implementation.
+
+ There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG
+2.x supports modern encryption algorithms and thus should be preferred
+over GnuPG 1.x. You only need to use GnuPG 1.x if your platform doesn't
+support GnuPG 2.x, or you need support for some features that GnuPG 2.x
+has deprecated, e.g., decrypting data created with PGP-2 keys.
+
+ If you are looking for version 1 of GnuPG, you may find that version
+installed under the name 'gpg1'.
+
+ *Note Option Index::, for an index to 'gpg''s commands and options.
+
+* Menu:
+
+* GPG Commands:: List of all commands.
+* GPG Options:: List of all options.
+* GPG Configuration:: Configuration files.
+* GPG Examples:: Some usage examples.
+
+Developer information:
+* Unattended Usage of GPG:: Using 'gpg' from other programs.
+
+
+File: gnupg.info, Node: GPG Commands, Next: GPG Options, Up: Invoking GPG
+
+4.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed. Generally speaking, irrelevant options are
+silently ignored, and may not be checked for correctness.
+
+ 'gpg' may be run with no commands. In this case it will print a
+warning perform a reasonable action depending on the type of file it is
+given as input (an encrypted message is decrypted, a signature is
+verified, a file containing keys is listed, etc.).
+
+ If you run into any problems, please add the option '--verbose' to
+the invocation to see more diagnostics.
+
+* Menu:
+
+* General GPG Commands:: Commands not specific to the functionality.
+* Operational GPG Commands:: Commands to select the type of operation.
+* OpenPGP Key Management:: How to manage your keys.
+
+
+File: gnupg.info, Node: General GPG Commands, Next: Operational GPG Commands, Up: GPG Commands
+
+4.1.1 Commands not specific to the function
+-------------------------------------------
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help'
+'-h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot arbitrarily abbreviate this command
+ (though you can use its short form '-h').
+
+'--warranty'
+ Print warranty information.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+
+File: gnupg.info, Node: Operational GPG Commands, Next: OpenPGP Key Management, Prev: General GPG Commands, Up: GPG Commands
+
+4.1.2 Commands to select the type of operation
+----------------------------------------------
+
+'--sign'
+'-s'
+ Sign a message. This command may be combined with '--encrypt' (to
+ sign and encrypt a message), '--symmetric' (to sign and
+ symmetrically encrypt a message), or both '--encrypt' and
+ '--symmetric' (to sign and encrypt a message that can be decrypted
+ using a secret key or a passphrase). The signing key is chosen by
+ default or can be set explicitly using the '--local-user' and
+ '--default-key' options.
+
+'--clear-sign'
+'--clearsign'
+ Make a cleartext signature. The content in a cleartext signature
+ is readable without any special software. OpenPGP software is only
+ needed to verify the signature. cleartext signatures may modify
+ end-of-line whitespace for platform independence and are not
+ intended to be reversible. The signing key is chosen by default or
+ can be set explicitly using the '--local-user' and '--default-key'
+ options.
+
+'--detach-sign'
+'-b'
+ Make a detached signature.
+
+'--encrypt'
+'-e'
+ Encrypt data to one or more public keys. This command may be
+ combined with '--sign' (to sign and encrypt a message),
+ '--symmetric' (to encrypt a message that can be decrypted using a
+ secret key or a passphrase), or '--sign' and '--symmetric' together
+ (for a signed message that can be decrypted using a secret key or a
+ passphrase). '--recipient' and related options specify which
+ public keys to use for encryption.
+
+'--symmetric'
+'-c'
+ Encrypt with a symmetric cipher using a passphrase. The default
+ symmetric cipher used is AES-128, but may be chosen with the
+ '--cipher-algo' option. This command may be combined with '--sign'
+ (for a signed and symmetrically encrypted message), '--encrypt'
+ (for a message that may be decrypted via a secret key or a
+ passphrase), or '--sign' and '--encrypt' together (for a signed
+ message that may be decrypted via a secret key or a passphrase).
+ 'gpg' caches the passphrase used for symmetric encryption so that a
+ decrypt operation may not require that the user needs to enter the
+ passphrase. The option '--no-symkey-cache' can be used to disable
+ this feature.
+
+'--store'
+ Store only (make a simple literal data packet).
+
+'--decrypt'
+'-d'
+ Decrypt the file given on the command line (or STDIN if no file is
+ specified) and write it to STDOUT (or the file specified with
+ '--output'). If the decrypted file is signed, the signature is
+ also verified. This command differs from the default operation, as
+ it never writes to the filename which is included in the file and
+ it rejects files that don't begin with an encrypted message.
+
+'--verify'
+ Assume that the first argument is a signed file and verify it
+ without generating any output. With no arguments, the signature
+ packet is read from STDIN. If only one argument is given, the
+ specified file is expected to include a complete signature.
+
+ With more than one argument, the first argument should specify a
+ file with a detached signature and the remaining files should
+ contain the signed data. To read the signed data from STDIN, use
+ '-' as the second filename. For security reasons, a detached
+ signature will not read the signed material from STDIN if not
+ explicitly specified.
+
+ Note: If the option '--batch' is not used, 'gpg' may assume that a
+ single argument is a file with a detached signature, and it will
+ try to find a matching data file by stripping certain suffixes.
+ Using this historical feature to verify a detached signature is
+ strongly discouraged; you should always specify the data file
+ explicitly.
+
+ Note: When verifying a cleartext signature, 'gpg' verifies only
+ what makes up the cleartext signed data and not any extra data
+ outside of the cleartext signature or the header lines directly
+ following the dash marker line. The option '--output' may be used
+ to write out the actual signed data, but there are other pitfalls
+ with this format as well. It is suggested to avoid cleartext
+ signatures in favor of detached signatures.
+
+ Note: Sometimes the use of the 'gpgv' tool is easier than using the
+ full-fledged 'gpg' with this option. 'gpgv' is designed to compare
+ signed data against a list of trusted keys and returns with success
+ only for a good signature. It has its own manual page.
+
+'--multifile'
+ This modifies certain other commands to accept multiple files for
+ processing on the command line or read from STDIN with each
+ filename on a separate line. This allows for many files to be
+ processed at once. '--multifile' may currently be used along with
+ '--verify', '--encrypt', and '--decrypt'. Note that '--multifile
+ --verify' may not be used with detached signatures.
+
+'--verify-files'
+ Identical to '--multifile --verify'.
+
+'--encrypt-files'
+ Identical to '--multifile --encrypt'.
+
+'--decrypt-files'
+ Identical to '--multifile --decrypt'.
+
+'--list-keys'
+'-k'
+'--list-public-keys'
+ List the specified keys. If no keys are specified, then all keys
+ from the configured public keyrings are listed.
+
+ Never use the output of this command in scripts or other programs.
+ The output is intended only for humans and its format is likely to
+ change. The '--with-colons' option emits the output in a stable,
+ machine-parseable format, which is intended for use by scripts and
+ other programs.
+
+'--list-secret-keys'
+'-K'
+ List the specified secret keys. If no keys are specified, then all
+ known secret keys are listed. A '#' after the initial tags 'sec'
+ or 'ssb' means that the secret key or subkey is currently not
+ usable. We also say that this key has been taken offline (for
+ example, a primary key can be taken offline by exporting the key
+ using the command '--export-secret-subkeys'). A '>' after these
+ tags indicate that the key is stored on a smartcard. See also
+ '--list-keys'.
+
+'--check-signatures'
+'--check-sigs'
+ Same as '--list-keys', but the key signatures are verified and
+ listed too. Note that for performance reasons the revocation
+ status of a signing key is not shown. This command has the same
+ effect as using '--list-keys' with '--with-sig-check'.
+
+ The status of the verification is indicated by a flag directly
+ following the "sig" tag (and thus before the flags described below.
+ A "!" indicates that the signature has been successfully verified,
+ a "-" denotes a bad signature and a "%" is used if an error
+ occurred while checking the signature (e.g. a non supported
+ algorithm). Signatures where the public key is not available are
+ not listed; to see their keyids the command '--list-sigs' can be
+ used.
+
+ For each signature listed, there are several flags in between the
+ signature status flag and keyid. These flags give additional
+ information about each key signature. From left to right, they are
+ the numbers 1-3 for certificate check level (see
+ '--ask-cert-level'), "L" for a local or non-exportable signature
+ (see '--lsign-key'), "R" for a nonRevocable signature (see the
+ '--edit-key' command "nrsign"), "P" for a signature that contains a
+ policy URL (see '--cert-policy-url'), "N" for a signature that
+ contains a notation (see '--cert-notation'), "X" for an eXpired
+ signature (see '--ask-cert-expire'), and the numbers 1-9 or "T" for
+ 10 and above to indicate trust signature levels (see the
+ '--edit-key' command "tsign").
+
+'--locate-keys'
+'--locate-external-keys'
+ Locate the keys given as arguments. This command basically uses
+ the same algorithm as used when locating keys for encryption and
+ may thus be used to see what keys 'gpg' might use. In particular
+ external methods as defined by '--auto-key-locate' are used to
+ locate a key if the arguments comain valid mail addresses. Only
+ public keys are listed.
+
+ The variant '--locate-external-keys' does not consider a locally
+ existing key and can thus be used to force the refresh of a key via
+ the defined external methods. If a fingerprint is given and and
+ the methods defined by -auto-key-locate define LDAP servers, the
+ key is fetched from these resources; defined non-LDAP keyservers
+ are skipped.
+
+'--show-keys'
+ This commands takes OpenPGP keys as input and prints information
+ about them in the same way the command '--list-keys' does for
+ locally stored key. In addition the list options
+ 'show-unusable-uids', 'show-unusable-subkeys', 'show-notations' and
+ 'show-policy-urls' are also enabled. As usual for automated
+ processing, this command should be combined with the option
+ '--with-colons'.
+
+'--fingerprint'
+ List all keys (or the specified ones) along with their
+ fingerprints. This is the same output as '--list-keys' but with
+ the additional output of a line with the fingerprint. May also be
+ combined with '--check-signatures'. If this command is given
+ twice, the fingerprints of all secondary keys are listed too. This
+ command also forces pretty printing of fingerprints if the keyid
+ format has been set to "none".
+
+'--list-packets'
+ List only the sequence of packets. This command is only useful for
+ debugging. When used with option '--verbose' the actual MPI values
+ are dumped and not only their lengths. Note that the output of
+ this command may change with new releases.
+
+'--edit-card'
+'--card-edit'
+ Present a menu to work with a smartcard. The subcommand "help"
+ provides an overview on available commands. For a detailed
+ description, please see the Card HOWTO at
+ https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
+
+'--card-status'
+ Show the content of the smart card.
+
+'--change-pin'
+ Present a menu to allow changing the PIN of a smartcard. This
+ functionality is also available as the subcommand "passwd" with the
+ '--edit-card' command.
+
+'--delete-keys NAME'
+ Remove key from the public keyring. In batch mode either '--yes'
+ is required or the key must be specified by fingerprint. This is a
+ safeguard against accidental deletion of multiple keys. If the
+ exclamation mark syntax is used with the fingerprint of a subkey
+ only that subkey is deleted; if the exclamation mark is used with
+ the fingerprint of the primary key the entire public key is
+ deleted.
+
+'--delete-secret-keys NAME'
+ Remove key from the secret keyring. In batch mode the key must be
+ specified by fingerprint. The option '--yes' can be used to advise
+ gpg-agent not to request a confirmation. This extra pre-caution is
+ done because 'gpg' can't be sure that the secret key (as controlled
+ by gpg-agent) is only used for the given OpenPGP public key. If
+ the exclamation mark syntax is used with the fingerprint of a
+ subkey only the secret part of that subkey is deleted; if the
+ exclamation mark is used with the fingerprint of the primary key
+ only the secret part of the primary key is deleted.
+
+'--delete-secret-and-public-key NAME'
+ Same as '--delete-key', but if a secret key exists, it will be
+ removed first. In batch mode the key must be specified by
+ fingerprint. The option '--yes' can be used to advise gpg-agent
+ not to request a confirmation.
+
+'--export'
+ Either export all keys from all keyrings (default keyring and those
+ registered via option '--keyring'), or if at least one name is
+ given, those of the given name. The exported keys are written to
+ STDOUT or to the file given with option '--output'. Use together
+ with '--armor' to mail those keys.
+
+'--send-keys KEYIDS'
+ Similar to '--export' but sends the keys to a keyserver.
+ Fingerprints may be used instead of key IDs. Don't send your
+ complete keyring to a keyserver -- select only those keys which are
+ new or changed by you. If no KEYIDS are given, 'gpg' does nothing.
+
+ Take care: Keyservers are by design write only systems and thus it
+ is not possible to ever delete keys once they have been send to a
+ keyserver.
+
+'--export-secret-keys'
+'--export-secret-subkeys'
+ Same as '--export', but exports the secret keys instead. The
+ exported keys are written to STDOUT or to the file given with
+ option '--output'. This command is often used along with the
+ option '--armor' to allow for easy printing of the key for paper
+ backup; however the external tool 'paperkey' does a better job of
+ creating backups on paper. Note that exporting a secret key can be
+ a security risk if the exported keys are sent over an insecure
+ channel.
+
+ The second form of the command has the special property to render
+ the secret part of the primary key useless; this is a GNU extension
+ to OpenPGP and other implementations can not be expected to
+ successfully import such a key. Its intended use is in generating
+ a full key with an additional signing subkey on a dedicated
+ machine. This command then exports the key without the primary key
+ to the main machine.
+
+ GnuPG may ask you to enter the passphrase for the key. This is
+ required, because the internal protection method of the secret key
+ is different from the one specified by the OpenPGP protocol.
+
+'--export-ssh-key'
+ This command is used to export a key in the OpenSSH public key
+ format. It requires the specification of one key by the usual
+ means and exports the latest valid subkey which has an
+ authentication capability to STDOUT or to the file given with
+ option '--output'. That output can directly be added to ssh's
+ 'authorized_key' file.
+
+ By specifying the key to export using a key ID or a fingerprint
+ suffixed with an exclamation mark (!), a specific subkey or the
+ primary key can be exported. This does not even require that the
+ key has the authentication capability flag set.
+
+'--import'
+'--fast-import'
+ Import/merge keys. This adds the given keys to the keyring. The
+ fast version is currently just a synonym.
+
+ There are a few other options which control how this command works.
+ Most notable here is the '--import-options merge-only' option which
+ does not insert new keys but does only the merging of new
+ signatures, user-IDs and subkeys.
+
+'--receive-keys KEYIDS'
+'--recv-keys KEYIDS'
+ Import the keys with the given KEYIDS from a keyserver.
+
+'--refresh-keys'
+ Request updates from a keyserver for keys that already exist on the
+ local keyring. This is useful for updating a key with the latest
+ signatures, user IDs, etc. Calling this with no arguments will
+ refresh the entire keyring.
+
+'--search-keys NAMES'
+ Search the keyserver for the given NAMES. Multiple names given
+ here will be joined together to create the search string for the
+ keyserver. Note that keyservers search for NAMES in a different
+ and simpler way than gpg does. The best choice is to use a mail
+ address. Due to data privacy reasons keyservers may even not even
+ allow searching by user id or mail address and thus may only return
+ results when being used with the '--recv-key' command to search by
+ key fingerprint or keyid.
+
+'--fetch-keys URIS'
+ Retrieve keys located at the specified URIS. Note that different
+ installations of GnuPG may support different protocols (HTTP, FTP,
+ LDAP, etc.). When using HTTPS the system provided root
+ certificates are used by this command.
+
+'--update-trustdb'
+ Do trust database maintenance. This command iterates over all keys
+ and builds the Web of Trust. This is an interactive command
+ because it may have to ask for the "ownertrust" values for keys.
+ The user has to give an estimation of how far she trusts the owner
+ of the displayed key to correctly certify (sign) other keys. GnuPG
+ only asks for the ownertrust value if it has not yet been assigned
+ to a key. Using the '--edit-key' menu, the assigned value can be
+ changed at any time.
+
+'--check-trustdb'
+ Do trust database maintenance without user interaction. From time
+ to time the trust database must be updated so that expired keys or
+ signatures and the resulting changes in the Web of Trust can be
+ tracked. Normally, GnuPG will calculate when this is required and
+ do it automatically unless '--no-auto-check-trustdb' is set. This
+ command can be used to force a trust database check at any time.
+ The processing is identical to that of '--update-trustdb' but it
+ skips keys with a not yet defined "ownertrust".
+
+ For use with cron jobs, this command can be used together with
+ '--batch' in which case the trust database check is done only if a
+ check is needed. To force a run even in batch mode add the option
+ '--yes'.
+
+'--export-ownertrust'
+ Send the ownertrust values to STDOUT. This is useful for backup
+ purposes as these values are the only ones which can't be
+ re-created from a corrupted trustdb. Example:
+ gpg --export-ownertrust > otrust.txt
+
+'--import-ownertrust'
+ Update the trustdb with the ownertrust values stored in 'files' (or
+ STDIN if not given); existing values will be overwritten. In case
+ of a severely damaged trustdb and if you have a recent backup of
+ the ownertrust values (e.g. in the file 'otrust.txt'), you may
+ re-create the trustdb using these commands:
+ cd ~/.gnupg
+ rm trustdb.gpg
+ gpg --import-ownertrust < otrust.txt
+
+'--rebuild-keydb-caches'
+ When updating from version 1.0.6 to 1.0.7 this command should be
+ used to create signature caches in the keyring. It might be handy
+ in other situations too.
+
+'--print-md ALGO'
+'--print-mds'
+ Print message digest of algorithm ALGO for all given files or
+ STDIN. With the second form (or a deprecated "*" for ALGO) digests
+ for all available algorithms are printed.
+
+'--gen-random 0|1|2 COUNT'
+ Emit COUNT random bytes of the given quality level 0, 1 or 2. If
+ COUNT is not given or zero, an endless sequence of random bytes
+ will be emitted. If used with '--armor' the output will be base64
+ encoded. PLEASE, don't use this command unless you know what you
+ are doing; it may remove precious entropy from the system!
+
+'--gen-prime MODE BITS'
+ Use the source, Luke :-). The output format is subject to change
+ with ant release.
+
+'--enarmor'
+'--dearmor'
+ Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
+ This is a GnuPG extension to OpenPGP and in general not very
+ useful.
+
+'--tofu-policy {auto|good|unknown|bad|ask} KEYS'
+ Set the TOFU policy for all the bindings associated with the
+ specified KEYS. For more information about the meaning of the
+ policies, *note trust-model-tofu::. The KEYS may be specified
+ either by their fingerprint (preferred) or their keyid.
+
+
+File: gnupg.info, Node: OpenPGP Key Management, Prev: Operational GPG Commands, Up: GPG Commands
+
+4.1.3 How to manage your keys
+-----------------------------
+
+This section explains the main commands for key management.
+
+'--quick-generate-key USER-ID [ALGO [USAGE [EXPIRE]]]'
+'--quick-gen-key'
+ This is a simple command to generate a standard key with one user
+ id. In contrast to '--generate-key' the key is generated directly
+ without the need to answer a bunch of prompts. Unless the option
+ '--yes' is given, the key creation will be canceled if the given
+ user id already exists in the keyring.
+
+ If invoked directly on the console without any special options an
+ answer to a "Continue?" style confirmation prompt is required. In
+ case the user id already exists in the keyring a second prompt to
+ force the creation of the key will show up.
+
+ If ALGO or USAGE are given, only the primary key is created and no
+ prompts are shown. To specify an expiration date but still create
+ a primary and subkey use "default" or "future-default" for ALGO and
+ "default" for USAGE. For a description of these optional arguments
+ see the command '--quick-add-key'. The USAGE accepts also the
+ value "cert" which can be used to create a certification only
+ primary key; the default is to a create certification and signing
+ key.
+
+ The EXPIRE argument can be used to specify an expiration date for
+ the key. Several formats are supported; commonly the ISO formats
+ "YYYY-MM-DD" or "YYYYMMDDThhmmss" are used. To make the key expire
+ in N seconds, N days, N weeks, N months, or N years use
+ "seconds=N", "Nd", "Nw", "Nm", or "Ny" respectively. Not
+ specifying a value, or using "-" results in a key expiring in a
+ reasonable default interval. The values "never", "none" can be
+ used for no expiration date.
+
+ If this command is used with '--batch', '--pinentry-mode' has been
+ set to 'loopback', and one of the passphrase options
+ ('--passphrase', '--passphrase-fd', or '--passphrase-file') is
+ used, the supplied passphrase is used for the new key and the agent
+ does not ask for it. To create a key without any protection
+ '--passphrase ''' may be used.
+
+ To create an OpenPGP key from the keys available on the currently
+ inserted smartcard, the special string "card" can be used for ALGO.
+ If the card features an encryption and a signing key, gpg will
+ figure them out and creates an OpenPGP key consisting of the usual
+ primary key and one subkey. This works only with certain
+ smartcards. Note that the interactive '--full-gen-key' command
+ allows to do the same but with greater flexibility in the selection
+ of the smartcard keys.
+
+ Note that it is possible to create a primary key and a subkey using
+ non-default algorithms by using "default" and changing the default
+ parameters using the option '--default-new-key-algo'.
+
+'--quick-set-expire FPR EXPIRE [*|SUBFPRS]'
+ With two arguments given, directly set the expiration time of the
+ primary key identified by FPR to EXPIRE. To remove the expiration
+ time '0' can be used. With three arguments and the third given as
+ an asterisk, the expiration time of all non-revoked and not yet
+ expired subkeys are set to EXPIRE. With more than two arguments
+ and a list of fingerprints given for SUBFPRS, all non-revoked
+ subkeys matching these fingerprints are set to EXPIRE.
+
+'--quick-add-key FPR [ALGO [USAGE [EXPIRE]]]'
+ Directly add a subkey to the key identified by the fingerprint FPR.
+ Without the optional arguments an encryption subkey is added. If
+ any of the arguments are given a more specific subkey is added.
+
+ ALGO may be any of the supported algorithms or curve names given in
+ the format as used by key listings. To use the default algorithm
+ the string "default" or "-" can be used. Supported algorithms are
+ "rsa", "dsa", "elg", "ed25519", "cv25519", and other ECC curves.
+ For example the string "rsa" adds an RSA key with the default key
+ length; a string "rsa4096" requests that the key length is 4096
+ bits. The string "future-default" is an alias for the algorithm
+ which will likely be used as default algorithm in future versions
+ of gpg. To list the supported ECC curves the command 'gpg
+ --with-colons --list-config curve' can be used.
+
+ Depending on the given ALGO the subkey may either be an encryption
+ subkey or a signing subkey. If an algorithm is capable of signing
+ and encryption and such a subkey is desired, a USAGE string must be
+ given. This string is either "default" or "-" to keep the default
+ or a comma delimited list (or space delimited list) of keywords:
+ "sign" for a signing subkey, "auth" for an authentication subkey,
+ and "encr" for an encryption subkey ("encrypt" can be used as alias
+ for "encr"). The valid combinations depend on the algorithm.
+
+ The EXPIRE argument can be used to specify an expiration date for
+ the key. Several formats are supported; commonly the ISO formats
+ "YYYY-MM-DD" or "YYYYMMDDThhmmss" are used. To make the key expire
+ in N seconds, N days, N weeks, N months, or N years use
+ "seconds=N", "Nd", "Nw", "Nm", or "Ny" respectively. Not
+ specifying a value, or using "-" results in a key expiring in a
+ reasonable default interval. The values "never", "none" can be
+ used for no expiration date.
+
+'--generate-key'
+'--gen-key'
+ Generate a new key pair using the current default parameters. This
+ is the standard command to create a new key. In addition to the
+ key a revocation certificate is created and stored in the
+ 'openpgp-revocs.d' directory below the GnuPG home directory.
+
+'--full-generate-key'
+'--full-gen-key'
+ Generate a new key pair with dialogs for all options. This is an
+ extended version of '--generate-key'.
+
+ There is also a feature which allows you to create keys in batch
+ mode. See the manual section "Unattended key generation" on how to
+ use this.
+
+'--generate-revocation NAME'
+'--gen-revoke NAME'
+ Generate a revocation certificate for the complete key. To only
+ revoke a subkey or a key signature, use the '--edit' command.
+
+ This command merely creates the revocation certificate so that it
+ can be used to revoke the key if that is ever needed. To actually
+ revoke a key the created revocation certificate needs to be merged
+ with the key to revoke. This is done by importing the revocation
+ certificate using the '--import' command. Then the revoked key
+ needs to be published, which is best done by sending the key to a
+ keyserver (command '--send-key') and by exporting ('--export') it
+ to a file which is then send to frequent communication partners.
+
+'--generate-designated-revocation NAME'
+'--desig-revoke NAME'
+ Generate a designated revocation certificate for a key. This
+ allows a user (with the permission of the keyholder) to revoke
+ someone else's key.
+
+'--edit-key'
+ Present a menu which enables you to do most of the key management
+ related tasks. It expects the specification of a key on the
+ command line.
+
+ uid N
+ Toggle selection of user ID or photographic user ID with index
+ N. Use '*' to select all and '0' to deselect all.
+
+ key N
+ Toggle selection of subkey with index N or key ID N. Use '*'
+ to select all and '0' to deselect all.
+
+ sign
+ Make a signature on key of user 'name'. If the key is not yet
+ signed by the default user (or the users given with '-u'), the
+ program displays the information of the key again, together
+ with its fingerprint and asks whether it should be signed.
+ This question is repeated for all users specified with '-u'.
+
+ lsign
+ Same as "sign" but the signature is marked as non-exportable
+ and will therefore never be used by others. This may be used
+ to make keys valid only in the local environment.
+
+ nrsign
+ Same as "sign" but the signature is marked as non-revocable
+ and can therefore never be revoked.
+
+ tsign
+ Make a trust signature. This is a signature that combines the
+ notions of certification (like a regular signature), and trust
+ (like the "trust" command). It is generally only useful in
+ distinct communities or groups. For more information please
+ read the sections "Trust Signature" and "Regular Expression"
+ in RFC-4880.
+
+ Note that "l" (for local / non-exportable), "nr" (for
+ non-revocable, and "t" (for trust) may be freely mixed and prefixed
+ to "sign" to create a signature of any type desired.
+
+ If the option '--only-sign-text-ids' is specified, then any
+ non-text based user ids (e.g., photo IDs) will not be selected for
+ signing.
+
+ delsig
+ Delete a signature. Note that it is not possible to retract a
+ signature, once it has been send to the public (i.e. to a
+ keyserver). In that case you better use 'revsig'.
+
+ revsig
+ Revoke a signature. For every signature which has been
+ generated by one of the secret keys, GnuPG asks whether a
+ revocation certificate should be generated.
+
+ check
+ Check the signatures on all selected user IDs. With the extra
+ option 'selfsig' only self-signatures are shown.
+
+ adduid
+ Create an additional user ID.
+
+ addphoto
+ Create a photographic user ID. This will prompt for a JPEG
+ file that will be embedded into the user ID. Note that a very
+ large JPEG will make for a very large key. Also note that
+ some programs will display your JPEG unchanged (GnuPG), and
+ some programs will scale it to fit in a dialog box (PGP).
+
+ showphoto
+ Display the selected photographic user ID.
+
+ deluid
+ Delete a user ID or photographic user ID. Note that it is not
+ possible to retract a user id, once it has been send to the
+ public (i.e. to a keyserver). In that case you better use
+ 'revuid'.
+
+ revuid
+ Revoke a user ID or photographic user ID.
+
+ primary
+ Flag the current user id as the primary one, removes the
+ primary user id flag from all other user ids and sets the
+ timestamp of all affected self-signatures one second ahead.
+ Note that setting a photo user ID as primary makes it primary
+ over other photo user IDs, and setting a regular user ID as
+ primary makes it primary over other regular user IDs.
+
+ keyserver
+ Set a preferred keyserver for the specified user ID(s). This
+ allows other users to know where you prefer they get your key
+ from. See '--keyserver-options honor-keyserver-url' for more
+ on how this works. Setting a value of "none" removes an
+ existing preferred keyserver.
+
+ notation
+ Set a name=value notation for the specified user ID(s). See
+ '--cert-notation' for more on how this works. Setting a value
+ of "none" removes all notations, setting a notation prefixed
+ with a minus sign (-) removes that notation, and setting a
+ notation name (without the =value) prefixed with a minus sign
+ removes all notations with that name.
+
+ pref
+ List preferences from the selected user ID. This shows the
+ actual preferences, without including any implied preferences.
+
+ showpref
+ More verbose preferences listing for the selected user ID.
+ This shows the preferences in effect by including the implied
+ preferences of 3DES (cipher), SHA-1 (digest), and Uncompressed
+ (compression) if they are not already included in the
+ preference list. In addition, the preferred keyserver and
+ signature notations (if any) are shown.
+
+ setpref STRING
+ Set the list of user ID preferences to STRING for all (or just
+ the selected) user IDs. Calling setpref with no arguments
+ sets the preference list to the default (either built-in or
+ set via '--default-preference-list'), and calling setpref with
+ "none" as the argument sets an empty preference list. Use
+ 'gpg --version' to get a list of available algorithms. Note
+ that while you can change the preferences on an attribute user
+ ID (aka "photo ID"), GnuPG does not select keys via attribute
+ user IDs so these preferences will not be used by GnuPG.
+
+ When setting preferences, you should list the algorithms in
+ the order which you'd like to see them used by someone else
+ when encrypting a message to your key. If you don't include
+ 3DES, it will be automatically added at the end. Note that
+ there are many factors that go into choosing an algorithm (for
+ example, your key may not be the only recipient), and so the
+ remote OpenPGP application being used to send to you may or
+ may not follow your exact chosen order for a given message.
+ It will, however, only choose an algorithm that is present on
+ the preference list of every recipient key. See also the
+ INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
+
+ addkey
+ Add a subkey to this key.
+
+ addcardkey
+ Generate a subkey on a card and add it to this key.
+
+ keytocard
+ Transfer the selected secret subkey (or the primary key if no
+ subkey has been selected) to a smartcard. The secret key in
+ the keyring will be replaced by a stub if the key could be
+ stored successfully on the card and you use the save command
+ later. Only certain key types may be transferred to the card.
+ A sub menu allows you to select on what card to store the key.
+ Note that it is not possible to get that key back from the
+ card - if the card gets broken your secret key will be lost
+ unless you have a backup somewhere.
+
+ bkuptocard FILE
+ Restore the given FILE to a card. This command may be used to
+ restore a backup key (as generated during card initialization)
+ to a new card. In almost all cases this will be the
+ encryption key. You should use this command only with the
+ corresponding public key and make sure that the file given as
+ argument is indeed the backup to restore. You should then
+ select 2 to restore as encryption key. You will first be
+ asked to enter the passphrase of the backup key and then for
+ the Admin PIN of the card.
+
+ delkey
+ Remove a subkey (secondary key). Note that it is not possible
+ to retract a subkey, once it has been send to the public (i.e.
+ to a keyserver). In that case you better use 'revkey'. Also
+ note that this only deletes the public part of a key.
+
+ revkey
+ Revoke a subkey.
+
+ expire
+ Change the key or subkey expiration time. If a subkey is
+ selected, the expiration time of this subkey will be changed.
+ With no selection, the key expiration of the primary key is
+ changed.
+
+ trust
+ Change the owner trust value for the key. This updates the
+ trust-db immediately and no save is required.
+
+ disable
+ enable
+ Disable or enable an entire key. A disabled key can not
+ normally be used for encryption.
+
+ addrevoker
+ Add a designated revoker to the key. This takes one optional
+ argument: "sensitive". If a designated revoker is marked as
+ sensitive, it will not be exported by default (see
+ export-options).
+
+ passwd
+ Change the passphrase of the secret key.
+
+ toggle
+ This is dummy command which exists only for backward
+ compatibility.
+
+ clean
+ Compact (by removing all signatures except the selfsig) any
+ user ID that is no longer usable (e.g. revoked, or expired).
+ Then, remove any signatures that are not usable by the trust
+ calculations. Specifically, this removes any signature that
+ does not validate, any signature that is superseded by a later
+ signature, revoked signatures, and signatures issued by keys
+ that are not present on the keyring.
+
+ minimize
+ Make the key as small as possible. This removes all
+ signatures from each user ID except for the most recent
+ self-signature.
+
+ change-usage
+ Change the usage flags (capabilities) of the primary key or of
+ subkeys. These usage flags (e.g. Certify, Sign,
+ Authenticate, Encrypt) are set during key creation. Sometimes
+ it is useful to have the opportunity to change them (for
+ example to add Authenticate) after they have been created.
+ Please take care when doing this; the allowed usage flags
+ depend on the key algorithm.
+
+ cross-certify
+ Add cross-certification signatures to signing subkeys that may
+ not currently have them. Cross-certification signatures
+ protect against a subtle attack against signing subkeys. See
+ '--require-cross-certification'. All new keys generated have
+ this signature by default, so this command is only useful to
+ bring older keys up to date.
+
+ save
+ Save all changes to the keyring and quit.
+
+ quit
+ Quit the program without updating the keyring.
+
+ The listing shows you the key with its secondary keys and all user
+ IDs. The primary user ID is indicated by a dot, and selected keys
+ or user IDs are indicated by an asterisk. The trust value is
+ displayed with the primary key: "trust" is the assigned owner trust
+ and "validity" is the calculated validity of the key. Validity
+ values are also displayed for all user IDs. For possible values of
+ trust, *note trust-values::.
+
+'--sign-key NAME'
+ Signs a public key with your secret key. This is a shortcut
+ version of the subcommand "sign" from '--edit'.
+
+'--lsign-key NAME'
+ Signs a public key with your secret key but marks it as
+ non-exportable. This is a shortcut version of the subcommand
+ "lsign" from '--edit-key'.
+
+'--quick-sign-key FPR [NAMES]'
+'--quick-lsign-key FPR [NAMES]'
+ Directly sign a key from the passphrase without any further user
+ interaction. The FPR must be the verified primary fingerprint of a
+ key in the local keyring. If no NAMES are given, all useful user
+ ids are signed; with given [NAMES] only useful user ids matching
+ one of theses names are signed. By default, or if a name is
+ prefixed with a '*', a case insensitive substring match is used.
+ If a name is prefixed with a '=' a case sensitive exact match is
+ done.
+
+ The command '--quick-lsign-key' marks the signatures as
+ non-exportable. If such a non-exportable signature already exists
+ the '--quick-sign-key' turns it into a exportable signature. If
+ you need to update an existing signature, for example to add or
+ change notation data, you need to use the option
+ '--force-sign-key'.
+
+ This command uses reasonable defaults and thus does not provide the
+ full flexibility of the "sign" subcommand from '--edit-key'. Its
+ intended use is to help unattended key signing by utilizing a list
+ of verified fingerprints.
+
+'--quick-add-uid USER-ID NEW-USER-ID'
+ This command adds a new user id to an existing key. In contrast to
+ the interactive sub-command 'adduid' of '--edit-key' the
+ NEW-USER-ID is added verbatim with only leading and trailing white
+ space removed, it is expected to be UTF-8 encoded, and no checks on
+ its form are applied.
+
+'--quick-revoke-uid USER-ID USER-ID-TO-REVOKE'
+ This command revokes a user ID on an existing key. It cannot be
+ used to revoke the last user ID on key (some non-revoked user ID
+ must remain), with revocation reason "User ID is no longer valid".
+ If you want to specify a different revocation reason, or to supply
+ supplementary revocation text, you should use the interactive
+ sub-command 'revuid' of '--edit-key'.
+
+'--quick-revoke-sig FPR SIGNING-FPR [NAMES]'
+ This command revokes the key signatures made by SIGNING-FPR from
+ the key specified by the fingerprint FPR. With NAMES given only
+ the signatures on user ids of the key matching any of the given
+ names are affected (see '--quick-sign-key'). If a revocation
+ already exists a notice is printed instead of creating a new
+ revocation; no error is returned in this case. Note that key
+ signature revocations may be superseded by a newer key signature
+ and in turn again revoked.
+
+'--quick-set-primary-uid USER-ID PRIMARY-USER-ID'
+ This command sets or updates the primary user ID flag on an
+ existing key. USER-ID specifies the key and PRIMARY-USER-ID the
+ user ID which shall be flagged as the primary user ID. The primary
+ user ID flag is removed from all other user ids and the timestamp
+ of all affected self-signatures is set one second ahead.
+
+'--change-passphrase USER-ID'
+'--passwd USER-ID'
+ Change the passphrase of the secret key belonging to the
+ certificate specified as USER-ID. This is a shortcut for the
+ sub-command 'passwd' of the edit key menu. When using together
+ with the option '--dry-run' this will not actually change the
+ passphrase but check that the current passphrase is correct.
+
+
+File: gnupg.info, Node: GPG Options, Next: GPG Configuration, Prev: GPG Commands, Up: Invoking GPG
+
+4.2 Option Summary
+==================
+
+'gpg' features a bunch of options to control the exact behaviour and to
+change the default configuration.
+
+* Menu:
+
+* GPG Configuration Options:: How to change the configuration.
+* GPG Key related Options:: Key related options.
+* GPG Input and Output:: Input and Output.
+* OpenPGP Options:: OpenPGP protocol specific options.
+* Compliance Options:: Compliance options.
+* GPG Esoteric Options:: Doing things one usually doesn't want to do.
+* Deprecated Options:: Deprecated options.
+
+ Long options can be put in an options file (default
+"~/.gnupg/gpg.conf"). Short option names will not work - for example,
+"armor" is a valid option for the options file, while "a" is not. Do
+not write the 2 dashes, but simply the name of the option and any
+required arguments. Lines with a hash ('#') as the first
+non-white-space character are ignored. Commands may be put in this file
+too, but that is not generally useful as the command will execute
+automatically with every execution of gpg.
+
+ Please remember that option parsing stops as soon as a non-option is
+encountered, you can explicitly stop parsing by using the special option
+'--'.
+
+
+File: gnupg.info, Node: GPG Configuration Options, Next: GPG Key related Options, Up: GPG Options
+
+4.2.1 How to change the configuration
+-------------------------------------
+
+These options are used to change the configuration and most of them are
+usually found in the option file.
+
+'--default-key NAME'
+ Use NAME as the default key to sign with. If this option is not
+ used, the default key is the first key found in the secret keyring.
+ Note that '-u' or '--local-user' overrides this option. This
+ option may be given multiple times. In this case, the last key for
+ which a secret key is available is used. If there is no secret key
+ available for any of the specified values, GnuPG will not emit an
+ error message but continue as if this option wasn't given.
+
+'--default-recipient NAME'
+ Use NAME as default recipient if option '--recipient' is not used
+ and don't ask if this is a valid one. NAME must be non-empty.
+
+'--default-recipient-self'
+ Use the default key as default recipient if option '--recipient' is
+ not used and don't ask if this is a valid one. The default key is
+ the first one from the secret keyring or the one set with
+ '--default-key'.
+
+'--no-default-recipient'
+ Reset '--default-recipient' and '--default-recipient-self'. Should
+ not be used in an option file.
+
+'-v, --verbose'
+ Give more information during processing. If used twice, the input
+ data is listed in detail.
+
+'--no-verbose'
+ Reset verbose level to 0. Should not be used in an option file.
+
+'-q, --quiet'
+ Try to be as quiet as possible. Should not be used in an option
+ file.
+
+'--batch'
+'--no-batch'
+ Use batch mode. Never ask, do not allow interactive commands.
+ '--no-batch' disables this option. Note that even with a filename
+ given on the command line, gpg might still need to read from STDIN
+ (in particular if gpg figures that the input is a detached
+ signature and no data file has been specified). Thus if you do not
+ want to feed data via STDIN, you should connect STDIN to
+ '/dev/null'.
+
+ It is highly recommended to use this option along with the options
+ '--status-fd' and '--with-colons' for any unattended use of 'gpg'.
+ Should not be used in an option file.
+
+'--no-tty'
+ Make sure that the TTY (terminal) is never used for any output.
+ This option is needed in some cases because GnuPG sometimes prints
+ warnings to the TTY even if '--batch' is used.
+
+'--yes'
+ Assume "yes" on most questions. Should not be used in an option
+ file.
+
+'--no'
+ Assume "no" on most questions. Should not be used in an option
+ file.
+
+'--list-options PARAMETERS'
+ This is a space or comma delimited string that gives options used
+ when listing keys and signatures (that is, '--list-keys',
+ '--check-signatures', '--list-public-keys', '--list-secret-keys',
+ and the '--edit-key' functions). Options can be prepended with a
+ 'no-' (after the two dashes) to give the opposite meaning. The
+ options are:
+
+ show-photos
+ Causes '--list-keys', '--check-signatures',
+ '--list-public-keys', and '--list-secret-keys' to display any
+ photo IDs attached to the key. Defaults to no. See also
+ '--photo-viewer'. Does not work with '--with-colons': see
+ '--attribute-fd' for the appropriate way to get photo data for
+ scripts and other frontends.
+
+ show-usage
+ Show usage information for keys and subkeys in the standard
+ key listing. This is a list of letters indicating the allowed
+ usage for a key ('E'=encryption, 'S'=signing,
+ 'C'=certification, 'A'=authentication). Defaults to yes.
+
+ show-policy-urls
+ Show policy URLs in the '--check-signatures' listings.
+ Defaults to no.
+
+ show-notations
+ show-std-notations
+ show-user-notations
+ Show all, IETF standard, or user-defined signature notations
+ in the '--check-signatures' listings. Defaults to no.
+
+ show-keyserver-urls
+ Show any preferred keyserver URL in the '--check-signatures'
+ listings. Defaults to no.
+
+ show-uid-validity
+ Display the calculated validity of user IDs during key
+ listings. Defaults to yes.
+
+ show-unusable-uids
+ Show revoked and expired user IDs in key listings. Defaults
+ to no.
+
+ show-unusable-subkeys
+ Show revoked and expired subkeys in key listings. Defaults to
+ no.
+
+ show-keyring
+ Display the keyring name at the head of key listings to show
+ which keyring a given key resides on. Defaults to no.
+
+ show-sig-expire
+ Show signature expiration dates (if any) during
+ '--check-signatures' listings. Defaults to no.
+
+ show-sig-subpackets
+ Include signature subpackets in the key listing. This option
+ can take an optional argument list of the subpackets to list.
+ If no argument is passed, list all subpackets. Defaults to
+ no. This option is only meaningful when using '--with-colons'
+ along with '--check-signatures'.
+
+ show-only-fpr-mbox
+ For each user-id which has a valid mail address print only the
+ fingerprint followed by the mail address.
+
+'--verify-options PARAMETERS'
+ This is a space or comma delimited string that gives options used
+ when verifying signatures. Options can be prepended with a 'no-'
+ to give the opposite meaning. The options are:
+
+ show-photos
+ Display any photo IDs present on the key that issued the
+ signature. Defaults to no. See also '--photo-viewer'.
+
+ show-policy-urls
+ Show policy URLs in the signature being verified. Defaults to
+ yes.
+
+ show-notations
+ show-std-notations
+ show-user-notations
+ Show all, IETF standard, or user-defined signature notations
+ in the signature being verified. Defaults to IETF standard.
+
+ show-keyserver-urls
+ Show any preferred keyserver URL in the signature being
+ verified. Defaults to yes.
+
+ show-uid-validity
+ Display the calculated validity of the user IDs on the key
+ that issued the signature. Defaults to yes.
+
+ show-unusable-uids
+ Show revoked and expired user IDs during signature
+ verification. Defaults to no.
+
+ show-primary-uid-only
+ Show only the primary user ID during signature verification.
+ That is all the AKA lines as well as photo Ids are not shown
+ with the signature verification status.
+
+ pka-lookups
+ Enable PKA lookups to verify sender addresses. Note that PKA
+ is based on DNS, and so enabling this option may disclose
+ information on when and what signatures are verified or to
+ whom data is encrypted. This is similar to the "web bug"
+ described for the '--auto-key-retrieve' option.
+
+ pka-trust-increase
+ Raise the trust in a signature to full if the signature passes
+ PKA validation. This option is only meaningful if pka-lookups
+ is set.
+
+'--enable-large-rsa'
+'--disable-large-rsa'
+ With -generate-key and -batch, enable the creation of RSA secret
+ keys as large as 8192 bit. Note: 8192 bit is more than is
+ generally recommended. These large keys don't significantly
+ improve security, but they are more expensive to use, and their
+ signatures and certifications are larger. This option is only
+ available if the binary was build with large-secmem support.
+
+'--enable-dsa2'
+'--disable-dsa2'
+ Enable hash truncation for all DSA keys even for old DSA Keys up to
+ 1024 bit. This is also the default with '--openpgp'. Note that
+ older versions of GnuPG also required this flag to allow the
+ generation of DSA larger than 1024 bit.
+
+'--photo-viewer STRING'
+ This is the command line that should be run to view a photo ID.
+ "%i" will be expanded to a filename containing the photo. "%I"
+ does the same, except the file will not be deleted once the viewer
+ exits. Other flags are "%k" for the key ID, "%K" for the long key
+ ID, "%f" for the key fingerprint, "%t" for the extension of the
+ image type (e.g. "jpg"), "%T" for the MIME type of the image (e.g.
+ "image/jpeg"), "%v" for the single-character calculated validity of
+ the image being viewed (e.g. "f"), "%V" for the calculated
+ validity as a string (e.g. "full"), "%U" for a base32 encoded hash
+ of the user ID, and "%%" for an actual percent sign. If neither %i
+ or %I are present, then the photo will be supplied to the viewer on
+ standard input.
+
+ On Unix the default viewer is 'xloadimage -fork -quiet -title
+ 'KeyID 0x%k' STDIN' with a fallback to 'display -title 'KeyID 0x%k'
+ %i' and finally to 'xdg-open %i'. On Windows '!ShellExecute 400
+ %i' is used; here the command is a meta command to use that API
+ call followed by a wait time in milliseconds which is used to give
+ the viewer time to read the temporary image file before gpg deletes
+ it again. Note that if your image viewer program is not secure,
+ then executing it from gpg does not make it secure.
+
+'--exec-path STRING'
+ Sets a list of directories to search for photo viewers If not
+ provided photo viewers use the 'PATH' environment variable.
+
+'--keyring FILE'
+ Add FILE to the current list of keyrings. If FILE begins with a
+ tilde and a slash, these are replaced by the $HOME directory. If
+ the filename does not contain a slash, it is assumed to be in the
+ GnuPG home directory ("~/.gnupg" unless '--homedir' or $GNUPGHOME
+ is used).
+
+ Note that this adds a keyring to the current list. If the intent
+ is to use the specified keyring alone, use '--keyring' along with
+ '--no-default-keyring'.
+
+ If the option '--no-keyring' has been used no keyrings will be used
+ at all.
+
+'--primary-keyring FILE'
+ This is a varian of '--keyring' and designates FILE as the primary
+ public keyring. This means that newly imported keys (via
+ '--import' or keyserver '--recv-from') will go to this keyring.
+
+'--secret-keyring FILE'
+ This is an obsolete option and ignored. All secret keys are stored
+ in the 'private-keys-v1.d' directory below the GnuPG home
+ directory.
+
+'--trustdb-name FILE'
+ Use FILE instead of the default trustdb. If FILE begins with a
+ tilde and a slash, these are replaced by the $HOME directory. If
+ the filename does not contain a slash, it is assumed to be in the
+ GnuPG home directory ('~/.gnupg' if '--homedir' or $GNUPGHOME is
+ not used).
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'--display-charset NAME'
+ Set the name of the native character set. This is used to convert
+ some informational strings like user IDs to the proper UTF-8
+ encoding. Note that this has nothing to do with the character set
+ of data to be encrypted or signed; GnuPG does not recode
+ user-supplied data. If this option is not used, the default
+ character set is determined from the current locale. A verbosity
+ level of 3 shows the chosen set. This option should not be used on
+ Windows. Valid values for NAME are:
+
+ iso-8859-1
+ This is the Latin 1 set.
+
+ iso-8859-2
+ The Latin 2 set.
+
+ iso-8859-15
+ This is currently an alias for the Latin 1 set.
+
+ koi8-r
+ The usual Russian set (RFC-1489).
+
+ utf-8
+ Bypass all translations and assume that the OS uses native
+ UTF-8 encoding.
+
+'--utf8-strings'
+'--no-utf8-strings'
+ Assume that command line arguments are given as UTF-8 strings. The
+ default ('--no-utf8-strings') is to assume that arguments are
+ encoded in the character set as specified by '--display-charset'.
+ These options affect all following arguments. Both options may be
+ used multiple times. This option should not be used in an option
+ file.
+
+ This option has no effect on Windows. There the internal used
+ UTF-8 encoding is translated for console input and output. The
+ command line arguments are expected as Unicode and translated to
+ UTF-8. Thus when calling this program from another, make sure to
+ use the Unicode version of CreateProcess.
+
+'--options FILE'
+ Read options from FILE and do not try to read them from the default
+ options file in the homedir (see '--homedir'). This option is
+ ignored if used in an options file.
+
+'--no-options'
+ Shortcut for '--options /dev/null'. This option is detected before
+ an attempt to open an option file. Using this option will also
+ prevent the creation of a '~/.gnupg' homedir.
+
+'-z N'
+'--compress-level N'
+'--bzip2-compress-level N'
+ Set compression level to N for the ZIP and ZLIB compression
+ algorithms. The default is to use the default compression level of
+ zlib (normally 6). '--bzip2-compress-level' sets the compression
+ level for the BZIP2 compression algorithm (defaulting to 6 as
+ well). This is a different option from '--compress-level' since
+ BZIP2 uses a significant amount of memory for each additional
+ compression level. '-z' sets both. A value of 0 for N disables
+ compression.
+
+'--bzip2-decompress-lowmem'
+ Use a different decompression method for BZIP2 compressed files.
+ This alternate method uses a bit more than half the memory, but
+ also runs at half the speed. This is useful under extreme low
+ memory circumstances when the file was originally compressed at a
+ high '--bzip2-compress-level'.
+
+'--mangle-dos-filenames'
+'--no-mangle-dos-filenames'
+ Older version of Windows cannot handle filenames with more than one
+ dot. '--mangle-dos-filenames' causes GnuPG to replace (rather than
+ add to) the extension of an output filename to avoid this problem.
+ This option is off by default and has no effect on non-Windows
+ platforms.
+
+'--ask-cert-level'
+'--no-ask-cert-level'
+ When making a key signature, prompt for a certification level. If
+ this option is not specified, the certification level used is set
+ via '--default-cert-level'. See '--default-cert-level' for
+ information on the specific levels and how they are used.
+ '--no-ask-cert-level' disables this option. This option defaults
+ to no.
+
+'--default-cert-level N'
+ The default to use for the check level when signing a key.
+
+ 0 means you make no particular claim as to how carefully you
+ verified the key.
+
+ 1 means you believe the key is owned by the person who claims to
+ own it but you could not, or did not verify the key at all. This
+ is useful for a "persona" verification, where you sign the key of a
+ pseudonymous user.
+
+ 2 means you did casual verification of the key. For example, this
+ could mean that you verified the key fingerprint and checked the
+ user ID on the key against a photo ID.
+
+ 3 means you did extensive verification of the key. For example,
+ this could mean that you verified the key fingerprint with the
+ owner of the key in person, and that you checked, by means of a
+ hard to forge document with a photo ID (such as a passport) that
+ the name of the key owner matches the name in the user ID on the
+ key, and finally that you verified (by exchange of email) that the
+ email address on the key belongs to the key owner.
+
+ Note that the examples given above for levels 2 and 3 are just
+ that: examples. In the end, it is up to you to decide just what
+ "casual" and "extensive" mean to you.
+
+ This option defaults to 0 (no particular claim).
+
+'--min-cert-level'
+ When building the trust database, treat any signatures with a
+ certification level below this as invalid. Defaults to 2, which
+ disregards level 1 signatures. Note that level 0 "no particular
+ claim" signatures are always accepted.
+
+'--trusted-key LONG KEY ID OR FINGERPRINT'
+ Assume that the specified key (which should be given as
+ fingerprint) is as trustworthy as one of your own secret keys.
+ This option is useful if you don't want to keep your secret keys
+ (or one of them) online but still want to be able to check the
+ validity of a given recipient's or signator's key. If the given
+ key is not locally available but an LDAP keyserver is configured
+ the missing key is imported from that server.
+
+'--trust-model {pgp|classic|tofu|tofu+pgp|direct|always|auto}'
+ Set what trust model GnuPG should follow. The models are:
+
+ pgp
+ This is the Web of Trust combined with trust signatures as
+ used in PGP 5.x and later. This is the default trust model
+ when creating a new trust database.
+
+ classic
+ This is the standard Web of Trust as introduced by PGP 2.
+
+ tofu
+ TOFU stands for Trust On First Use. In this trust model, the
+ first time a key is seen, it is memorized. If later another
+ key with a user id with the same email address is seen, both
+ keys are marked as suspect. In that case, the next time
+ either is used, a warning is displayed describing the
+ conflict, why it might have occurred (either the user
+ generated a new key and failed to cross sign the old and new
+ keys, the key is forgery, or a man-in-the-middle attack is
+ being attempted), and the user is prompted to manually confirm
+ the validity of the key in question.
+
+ Because a potential attacker is able to control the email
+ address and thereby circumvent the conflict detection
+ algorithm by using an email address that is similar in
+ appearance to a trusted email address, whenever a message is
+ verified, statistics about the number of messages signed with
+ the key are shown. In this way, a user can easily identify
+ attacks using fake keys for regular correspondents.
+
+ When compared with the Web of Trust, TOFU offers significantly
+ weaker security guarantees. In particular, TOFU only helps
+ ensure consistency (that is, that the binding between a key
+ and email address doesn't change). A major advantage of TOFU
+ is that it requires little maintenance to use correctly. To
+ use the web of trust properly, you need to actively sign keys
+ and mark users as trusted introducers. This is a
+ time-consuming process and anecdotal evidence suggests that
+ even security-conscious users rarely take the time to do this
+ thoroughly and instead rely on an ad-hoc TOFU process.
+
+ In the TOFU model, policies are associated with bindings
+ between keys and email addresses (which are extracted from
+ user ids and normalized). There are five policies, which can
+ be set manually using the '--tofu-policy' option. The default
+ policy can be set using the '--tofu-default-policy' option.
+
+ The TOFU policies are: 'auto', 'good', 'unknown', 'bad' and
+ 'ask'. The 'auto' policy is used by default (unless
+ overridden by '--tofu-default-policy') and marks a binding as
+ marginally trusted. The 'good', 'unknown' and 'bad' policies
+ mark a binding as fully trusted, as having unknown trust or as
+ having trust never, respectively. The 'unknown' policy is
+ useful for just using TOFU to detect conflicts, but to never
+ assign positive trust to a binding. The final policy, 'ask'
+ prompts the user to indicate the binding's trust. If batch
+ mode is enabled (or input is inappropriate in the context),
+ then the user is not prompted and the 'undefined' trust level
+ is returned.
+
+ tofu+pgp
+ This trust model combines TOFU with the Web of Trust. This is
+ done by computing the trust level for each model and then
+ taking the maximum trust level where the trust levels are
+ ordered as follows: 'unknown < undefined < marginal < fully <
+ ultimate < expired < never'.
+
+ By setting '--tofu-default-policy=unknown', this model can be
+ used to implement the web of trust with TOFU's conflict
+ detection algorithm, but without its assignment of positive
+ trust values, which some security-conscious users don't like.
+
+ direct
+ Key validity is set directly by the user and not calculated
+ via the Web of Trust. This model is solely based on the key
+ and does not distinguish user IDs. Note that when changing to
+ another trust model the trust values assigned to a key are
+ transformed into ownertrust values, which also indicate how
+ you trust the owner of the key to sign other keys.
+
+ always
+ Skip key validation and assume that used keys are always fully
+ valid. You generally won't use this unless you are using some
+ external validation scheme. This option also suppresses the
+ "[uncertain]" tag printed with signature checks when there is
+ no evidence that the user ID is bound to the key. Note that
+ this trust model still does not allow the use of expired,
+ revoked, or disabled keys.
+
+ auto
+ Select the trust model depending on whatever the internal
+ trust database says. This is the default model if such a
+ database already exists. Note that a tofu trust model is not
+ considered here and must be enabled explicitly.
+
+'--auto-key-locate MECHANISMS'
+'--no-auto-key-locate'
+ GnuPG can automatically locate and retrieve keys as needed using
+ this option. This happens when encrypting to an email address (in
+ the "user@example.com" form), and there are no "user@example.com"
+ keys on the local keyring. This option takes any number of the
+ mechanisms listed below, in the order they are to be tried.
+ Instead of listing the mechanisms as comma delimited arguments, the
+ option may also be given several times to add more mechanism. The
+ option '--no-auto-key-locate' or the mechanism "clear" resets the
+ list. The default is "local,wkd".
+
+ cert
+ Locate a key using DNS CERT, as specified in RFC-4398.
+
+ pka
+ Locate a key using DNS PKA.
+
+ dane
+ Locate a key using DANE, as specified in
+ draft-ietf-dane-openpgpkey-05.txt.
+
+ wkd
+ Locate a key using the Web Key Directory protocol.
+
+ ldap
+ Using DNS Service Discovery, check the domain in question for
+ any LDAP keyservers to use. If this fails, attempt to locate
+ the key using the PGP Universal method of checking
+ 'ldap://keys.(thedomain)'.
+
+ ntds
+ Locate the key using the Active Directory (Windows only).
+ This method also allows to search by fingerprint using the
+ command '--locate-external-key'. Note that this mechanism is
+ actually a shortcut for the mechanism 'keyserver' but using
+ "ldap:///" as the keyserver.
+
+ keyserver
+ Locate a key using a keyserver. This method also allows to
+ search by fingerprint using the command
+ '--locate-external-key' if any of the configured keyservers is
+ an LDAP server.
+
+ keyserver-URL
+ In addition, a keyserver URL as used in the 'dirmngr'
+ configuration may be used here to query that particular
+ keyserver. This method also allows to search by fingerprint
+ using the command '--locate-external-key' if the URL specifies
+ an LDAP server.
+
+ local
+ Locate the key using the local keyrings. This mechanism
+ allows the user to select the order a local key lookup is
+ done. Thus using '--auto-key-locate local' is identical to
+ '--no-auto-key-locate'.
+
+ nodefault
+ This flag disables the standard local key lookup, done before
+ any of the mechanisms defined by the '--auto-key-locate' are
+ tried. The position of this mechanism in the list does not
+ matter. It is not required if 'local' is also used.
+
+ clear
+ Clear all defined mechanisms. This is useful to override
+ mechanisms given in a config file. Note that a 'nodefault' in
+ MECHANISMS will also be cleared unless it is given after the
+ 'clear'.
+
+'--auto-key-import'
+'--no-auto-key-import'
+ This is an offline mechanism to get a missing key for signature
+ verification and for later encryption to this key. If this option
+ is enabled and a signature includes an embedded key, that key is
+ used to verify the signature and on verification success that key
+ is imported. The default is '--no-auto-key-import'.
+
+ On the sender (signing) site the option '--include-key-block' needs
+ to be used to put the public part of the signing key as “Key Block
+ subpacket†into the signature.
+
+'--auto-key-retrieve'
+'--no-auto-key-retrieve'
+ These options enable or disable the automatic retrieving of keys
+ from a keyserver when verifying signatures made by keys that are
+ not on the local keyring. The default is '--no-auto-key-retrieve'.
+
+ The order of methods tried to lookup the key is:
+
+ 1. If the option '--auto-key-import' is set and the signatures
+ includes an embedded key, that key is used to verify the signature
+ and on verification success that key is imported.
+
+ 2. If a preferred keyserver is specified in the signature and the
+ option 'honor-keyserver-url' is active (which is not the default),
+ that keyserver is tried. Note that the creator of the signature
+ uses the option '--sig-keyserver-url' to specify the preferred
+ keyserver for data signatures.
+
+ 3. If the signature has the Signer's UID set (e.g. using
+ '--sender' while creating the signature) a Web Key Directory (WKD)
+ lookup is done. This is the default configuration but can be
+ disabled by removing WKD from the auto-key-locate list or by using
+ the option '--disable-signer-uid'.
+
+ 4. If the option 'honor-pka-record' is active, the legacy PKA
+ method is used.
+
+ 5. If any keyserver is configured and the Issuer Fingerprint is
+ part of the signature (since GnuPG 2.1.16), the configured
+ keyservers are tried.
+
+ Note that this option makes a "web bug" like behavior possible.
+ Keyserver or Web Key Directory operators can see which keys you
+ request, so by sending you a message signed by a brand new key
+ (which you naturally will not have on your local keyring), the
+ operator can tell both your IP address and the time when you
+ verified the signature.
+
+'--keyid-format {none|short|0xshort|long|0xlong}'
+ Select how to display key IDs. "none" does not show the key ID at
+ all but shows the fingerprint in a separate line. "short" is the
+ traditional 8-character key ID. "long" is the more accurate (but
+ less convenient) 16-character key ID. Add an "0x" to either to
+ include an "0x" at the beginning of the key ID, as in 0x99242560.
+ Note that this option is ignored if the option '--with-colons' is
+ used.
+
+'--keyserver NAME'
+ This option is deprecated - please use the '--keyserver' in
+ 'dirmngr.conf' instead.
+
+ Use NAME as your keyserver. This is the server that
+ '--receive-keys', '--send-keys', and '--search-keys' will
+ communicate with to receive keys from, send keys to, and search for
+ keys on. The format of the NAME is a URI:
+ 'scheme:[//]keyservername[:port]' The scheme is the type of
+ keyserver: "hkp"/"hkps" for the HTTP (or compatible) keyservers or
+ "ldap"/"ldaps" for the LDAP keyservers. Note that your particular
+ installation of GnuPG may have other keyserver types available as
+ well. Keyserver schemes are case-insensitive.
+
+ Most keyservers synchronize with each other, so there is generally
+ no need to send keys to more than one server. The keyserver
+ 'hkp://keys.gnupg.net' uses round robin DNS to give a different
+ keyserver each time you use it.
+
+'--keyserver-options {NAME=VALUE}'
+ This is a space or comma delimited string that gives options for
+ the keyserver. Options can be prefixed with a 'no-' to give the
+ opposite meaning. Valid import-options or export-options may be
+ used here as well to apply to importing ('--recv-key') or exporting
+ ('--send-key') a key from a keyserver. While not all options are
+ available for all keyserver types, some common options are:
+
+ include-revoked
+ When searching for a key with '--search-keys', include keys
+ that are marked on the keyserver as revoked. Note that not
+ all keyservers differentiate between revoked and unrevoked
+ keys, and for such keyservers this option is meaningless.
+ Note also that most keyservers do not have cryptographic
+ verification of key revocations, and so turning this option
+ off may result in skipping keys that are incorrectly marked as
+ revoked.
+
+ include-disabled
+ When searching for a key with '--search-keys', include keys
+ that are marked on the keyserver as disabled. Note that this
+ option is not used with HKP keyservers.
+
+ auto-key-retrieve
+ This is an obsolete alias for the option 'auto-key-retrieve'.
+ Please do not use it; it will be removed in future versions..
+
+ honor-keyserver-url
+ When using '--refresh-keys', if the key in question has a
+ preferred keyserver URL, then use that preferred keyserver to
+ refresh the key from. In addition, if auto-key-retrieve is
+ set, and the signature being verified has a preferred
+ keyserver URL, then use that preferred keyserver to fetch the
+ key from. Note that this option introduces a "web bug": The
+ creator of the key can see when the keys is refreshed. Thus
+ this option is not enabled by default.
+
+ honor-pka-record
+ If '--auto-key-retrieve' is used, and the signature being
+ verified has a PKA record, then use the PKA information to
+ fetch the key. Defaults to "yes".
+
+ include-subkeys
+ When receiving a key, include subkeys as potential targets.
+ Note that this option is not used with HKP keyservers, as they
+ do not support retrieving keys by subkey id.
+
+ timeout
+ http-proxy=VALUE
+ verbose
+ debug
+ check-cert
+ ca-cert-file
+ These options have no more function since GnuPG 2.1. Use the
+ 'dirmngr' configuration options instead.
+
+ The default list of options is: "self-sigs-only, import-clean,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record". However, if the actual used source is an LDAP
+ server "no-self-sigs-only" is assumed unless "self-sigs-only" has
+ been explictly configured.
+
+'--completes-needed N'
+ Number of completely trusted users to introduce a new key signer
+ (defaults to 1).
+
+'--marginals-needed N'
+ Number of marginally trusted users to introduce a new key signer
+ (defaults to 3)
+
+'--tofu-default-policy {auto|good|unknown|bad|ask}'
+ The default TOFU policy (defaults to 'auto'). For more information
+ about the meaning of this option, *note trust-model-tofu::.
+
+'--max-cert-depth N'
+ Maximum depth of a certification chain (default is 5).
+
+'--no-sig-cache'
+ Do not cache the verification status of key signatures. Caching
+ gives a much better performance in key listings. However, if you
+ suspect that your public keyring is not safe against write
+ modifications, you can use this option to disable the caching. It
+ probably does not make sense to disable it because all kind of
+ damage can be done if someone else has write access to your public
+ keyring.
+
+'--auto-check-trustdb'
+'--no-auto-check-trustdb'
+ If GnuPG feels that its information about the Web of Trust has to
+ be updated, it automatically runs the '--check-trustdb' command
+ internally. This may be a time consuming process.
+ '--no-auto-check-trustdb' disables this option.
+
+'--use-agent'
+'--no-use-agent'
+ This is dummy option. 'gpg' always requires the agent.
+
+'--gpg-agent-info'
+ This is dummy option. It has no effect when used with 'gpg'.
+
+'--agent-program FILE'
+ Specify an agent program to be used for secret key operations. The
+ default value is determined by running 'gpgconf' with the option
+ '--list-dirs'. Note that the pipe symbol ('|') is used for a
+ regression test suite hack and may thus not be used in the file
+ name.
+
+'--dirmngr-program FILE'
+ Specify a dirmngr program to be used for keyserver access. The
+ default value is '/usr/local/bin/dirmngr'.
+
+'--disable-dirmngr'
+ Entirely disable the use of the Dirmngr.
+
+'--no-autostart'
+ Do not start the gpg-agent or the dirmngr if it has not yet been
+ started and its service is required. This option is mostly useful
+ on machines where the connection to gpg-agent has been redirected
+ to another machines. If dirmngr is required on the remote machine,
+ it may be started manually using 'gpgconf --launch dirmngr'.
+
+'--lock-once'
+ Lock the databases the first time a lock is requested and do not
+ release the lock until the process terminates.
+
+'--lock-multiple'
+ Release the locks every time a lock is no longer needed. Use this
+ to override a previous '--lock-once' from a config file.
+
+'--lock-never'
+ Disable locking entirely. This option should be used only in very
+ special environments, where it can be assured that only one process
+ is accessing those files. A bootable floppy with a stand-alone
+ encryption system will probably use this. Improper usage of this
+ option may lead to data and key corruption.
+
+'--exit-on-status-write-error'
+ This option will cause write errors on the status FD to immediately
+ terminate the process. That should in fact be the default but it
+ never worked this way and thus we need an option to enable this, so
+ that the change won't break applications which close their end of a
+ status fd connected pipe too early. Using this option along with
+ '--enable-progress-filter' may be used to cleanly cancel long
+ running gpg operations.
+
+'--limit-card-insert-tries N'
+ With N greater than 0 the number of prompts asking to insert a
+ smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
+ all ask to insert a card if none has been inserted at startup.
+ This option is useful in the configuration file in case an
+ application does not know about the smartcard support and waits ad
+ infinitum for an inserted card.
+
+'--no-random-seed-file'
+ GnuPG uses a file to store its internal random pool over
+ invocations. This makes random generation faster; however
+ sometimes write operations are not desired. This option can be
+ used to achieve that with the cost of slower random generation.
+
+'--no-greeting'
+ Suppress the initial copyright message.
+
+'--no-secmem-warning'
+ Suppress the warning about "using insecure memory".
+
+'--no-permission-warning'
+ Suppress the warning about unsafe file and home directory
+ ('--homedir') permissions. Note that the permission checks that
+ GnuPG performs are not intended to be authoritative, but rather
+ they simply warn about certain common permission problems. Do not
+ assume that the lack of a warning means that your system is secure.
+
+ Note that the warning for unsafe '--homedir' permissions cannot be
+ suppressed in the gpg.conf file, as this would allow an attacker to
+ place an unsafe gpg.conf file in place, and use this file to
+ suppress warnings about itself. The '--homedir' permissions
+ warning may only be suppressed on the command line.
+
+'--require-secmem'
+'--no-require-secmem'
+ Refuse to run if GnuPG cannot get secure memory. Defaults to no
+ (i.e. run, but give a warning).
+
+'--require-cross-certification'
+'--no-require-cross-certification'
+ When verifying a signature made from a subkey, ensure that the
+ cross certification "back signature" on the subkey is present and
+ valid. This protects against a subtle attack against subkeys that
+ can sign. Defaults to '--require-cross-certification' for 'gpg'.
+
+'--expert'
+'--no-expert'
+ Allow the user to do certain nonsensical or "silly" things like
+ signing an expired or revoked key, or certain potentially
+ incompatible things like generating unusual key types. This also
+ disables certain warning messages about potentially incompatible
+ actions. As the name implies, this option is for experts only. If
+ you don't fully understand the implications of what it allows you
+ to do, leave this off. '--no-expert' disables this option.
+
+
+File: gnupg.info, Node: GPG Key related Options, Next: GPG Input and Output, Prev: GPG Configuration Options, Up: GPG Options
+
+4.2.2 Key related options
+-------------------------
+
+'--recipient NAME'
+'-r'
+ Encrypt for user id NAME. If this option or '--hidden-recipient'
+ is not specified, GnuPG asks for the user-id unless
+ '--default-recipient' is given.
+
+'--hidden-recipient NAME'
+'-R'
+ Encrypt for user ID NAME, but hide the key ID of this user's key.
+ This option helps to hide the receiver of the message and is a
+ limited countermeasure against traffic analysis. If this option or
+ '--recipient' is not specified, GnuPG asks for the user ID unless
+ '--default-recipient' is given.
+
+'--recipient-file FILE'
+'-f'
+ This option is similar to '--recipient' except that it encrypts to
+ a key stored in the given file. FILE must be the name of a file
+ containing exactly one key. 'gpg' assumes that the key in this
+ file is fully valid.
+
+'--hidden-recipient-file FILE'
+'-F'
+ This option is similar to '--hidden-recipient' except that it
+ encrypts to a key stored in the given file. FILE must be the name
+ of a file containing exactly one key. 'gpg' assumes that the key
+ in this file is fully valid.
+
+'--encrypt-to NAME'
+ Same as '--recipient' but this one is intended for use in the
+ options file and may be used with your own user-id as an
+ "encrypt-to-self". These keys are only used when there are other
+ recipients given either by use of '--recipient' or by the asked
+ user id. No trust checking is performed for these user ids and
+ even disabled keys can be used.
+
+'--hidden-encrypt-to NAME'
+ Same as '--hidden-recipient' but this one is intended for use in
+ the options file and may be used with your own user-id as a hidden
+ "encrypt-to-self". These keys are only used when there are other
+ recipients given either by use of '--recipient' or by the asked
+ user id. No trust checking is performed for these user ids and
+ even disabled keys can be used.
+
+'--no-encrypt-to'
+ Disable the use of all '--encrypt-to' and '--hidden-encrypt-to'
+ keys.
+
+'--group {NAME=VALUE}'
+ Sets up a named group, which is similar to aliases in email
+ programs. Any time the group name is a recipient ('-r' or
+ '--recipient'), it will be expanded to the values specified.
+ Multiple groups with the same name are automatically merged into a
+ single group.
+
+ The values are 'key IDs' or fingerprints, but any key description
+ is accepted. Note that a value with spaces in it will be treated
+ as two different values. Note also there is only one level of
+ expansion -- you cannot make an group that points to another group.
+ When used from the command line, it may be necessary to quote the
+ argument to this option to prevent the shell from treating it as
+ multiple arguments.
+
+'--ungroup NAME'
+ Remove a given entry from the '--group' list.
+
+'--no-groups'
+ Remove all entries from the '--group' list.
+
+'--local-user NAME'
+'-u'
+ Use NAME as the key to sign with. Note that this option overrides
+ '--default-key'.
+
+'--sender MBOX'
+ This option has two purposes. MBOX must either be a complete user
+ id with a proper mail address or just a mail address. When
+ creating a signature this option tells gpg the user id of a key
+ used to make a signature if the key was not directly specified by a
+ user id. When verifying a signature the MBOX is used to restrict
+ the information printed by the TOFU code to matching user ids.
+
+'--try-secret-key NAME'
+ For hidden recipients GPG needs to know the keys to use for trial
+ decryption. The key set with '--default-key' is always tried
+ first, but this is often not sufficient. This option allows
+ setting more keys to be used for trial decryption. Although any
+ valid user-id specification may be used for NAME it makes sense to
+ use at least the long keyid to avoid ambiguities. Note that
+ gpg-agent might pop up a pinentry for a lot keys to do the trial
+ decryption. If you want to stop all further trial decryption you
+ may use close-window button instead of the cancel button.
+
+'--try-all-secrets'
+ Don't look at the key ID as stored in the message but try all
+ secret keys in turn to find the right decryption key. This option
+ forces the behaviour as used by anonymous recipients (created by
+ using '--throw-keyids' or '--hidden-recipient') and might come
+ handy in case where an encrypted message contains a bogus key ID.
+
+'--skip-hidden-recipients'
+'--no-skip-hidden-recipients'
+ During decryption skip all anonymous recipients. This option helps
+ in the case that people use the hidden recipients feature to hide
+ their own encrypt-to key from others. If one has many secret keys
+ this may lead to a major annoyance because all keys are tried in
+ turn to decrypt something which was not really intended for it.
+ The drawback of this option is that it is currently not possible to
+ decrypt a message which includes real anonymous recipients.
+
+
+File: gnupg.info, Node: GPG Input and Output, Next: OpenPGP Options, Prev: GPG Key related Options, Up: GPG Options
+
+4.2.3 Input and Output
+----------------------
+
+'--armor'
+'-a'
+ Create ASCII armored output. The default is to create the binary
+ OpenPGP format.
+
+'--no-armor'
+ Assume the input data is not in ASCII armored format.
+
+'--output FILE'
+'-o FILE'
+ Write output to FILE. To write to stdout use '-' as the filename.
+
+'--max-output N'
+ This option sets a limit on the number of bytes that will be
+ generated when processing a file. Since OpenPGP supports various
+ levels of compression, it is possible that the plaintext of a given
+ message may be significantly larger than the original OpenPGP
+ message. While GnuPG works properly with such messages, there is
+ often a desire to set a maximum file size that will be generated
+ before processing is forced to stop by the OS limits. Defaults to
+ 0, which means "no limit".
+
+'--input-size-hint N'
+ This option can be used to tell GPG the size of the input data in
+ bytes. N must be a positive base-10 number. This option is only
+ useful if the input is not taken from a file. GPG may use this
+ hint to optimize its buffer allocation strategy. It is also used
+ by the '--status-fd' line "PROGRESS" to provide a value for "total"
+ if that is not available by other means.
+
+'--key-origin STRING[,URL]'
+ gpg can track the origin of a key. Certain origins are implicitly
+ known (e.g. keyserver, web key directory) and set. For a standard
+ import the origin of the keys imported can be set with this option.
+ To list the possible values use "help" for STRING. Some origins
+ can store an optional URL argument. That URL can appended to
+ STRING after a comma.
+
+'--import-options PARAMETERS'
+ This is a space or comma delimited string that gives options for
+ importing keys. Options can be prepended with a 'no-' to give the
+ opposite meaning. The options are:
+
+ import-local-sigs
+ Allow importing key signatures marked as "local". This is not
+ generally useful unless a shared keyring scheme is being used.
+ Defaults to no.
+
+ keep-ownertrust
+ Normally possible still existing ownertrust values of a key
+ are cleared if a key is imported. This is in general
+ desirable so that a formerly deleted key does not
+ automatically gain an ownertrust values merely due to import.
+ On the other hand it is sometimes necessary to re-import a
+ trusted set of keys again but keeping already assigned
+ ownertrust values. This can be achieved by using this option.
+
+ repair-pks-subkey-bug
+ During import, attempt to repair the damage caused by the PKS
+ keyserver bug (pre version 0.9.6) that mangles keys with
+ multiple subkeys. Note that this cannot completely repair the
+ damaged key as some crucial data is removed by the keyserver,
+ but it does at least give you back one subkey. Defaults to no
+ for regular '--import' and to yes for keyserver
+ '--receive-keys'.
+
+ import-show
+ show-only
+ Show a listing of the key as imported right before it is
+ stored. This can be combined with the option '--dry-run' to
+ only look at keys; the option 'show-only' is a shortcut for
+ this combination. The command '--show-keys' is another
+ shortcut for this. Note that suffixes like '#' for "sec" and
+ "sbb" lines may or may not be printed.
+
+ import-export
+ Run the entire import code but instead of storing the key to
+ the local keyring write it to the output. The export options
+ 'export-pka' and 'export-dane' affect the output. This option
+ can be used to remove all invalid parts from a key without the
+ need to store it.
+
+ merge-only
+ During import, allow key updates to existing keys, but do not
+ allow any new keys to be imported. Defaults to no.
+
+ import-clean
+ After import, compact (remove all signatures except the
+ self-signature) any user IDs from the new key that are not
+ usable. Then, remove any signatures from the new key that are
+ not usable. This includes signatures that were issued by keys
+ that are not present on the keyring. This option is the same
+ as running the '--edit-key' command "clean" after import.
+ Defaults to no.
+
+ self-sigs-only
+ Accept only self-signatures while importing a key. All other
+ key signatures are skipped at an early import stage. This
+ option can be used with 'keyserver-options' to mitigate
+ attempts to flood a key with bogus signatures from a
+ keyserver. The drawback is that all other valid key
+ signatures, as required by the Web of Trust are also not
+ imported. Note that when using this option along with
+ import-clean it suppresses the final clean step after merging
+ the imported key into the existing key.
+
+ repair-keys
+ After import, fix various problems with the keys. For
+ example, this reorders signatures, and strips duplicate
+ signatures. Defaults to yes.
+
+ import-minimal
+ Import the smallest key possible. This removes all signatures
+ except the most recent self-signature on each user ID. This
+ option is the same as running the '--edit-key' command
+ "minimize" after import. Defaults to no.
+
+ restore
+ import-restore
+ Import in key restore mode. This imports all data which is
+ usually skipped during import; including all GnuPG specific
+ data. All other contradicting options are overridden.
+
+'--import-filter {NAME=EXPR}'
+'--export-filter {NAME=EXPR}'
+ These options define an import/export filter which are applied to
+ the imported/exported keyblock right before it will be
+ stored/written. NAME defines the type of filter to use, EXPR the
+ expression to evaluate. The option can be used several times which
+ then appends more expression to the same NAME.
+
+ The available filter types are:
+
+ keep-uid
+ This filter will keep a user id packet and its dependent
+ packets in the keyblock if the expression evaluates to true.
+
+ drop-subkey
+ This filter drops the selected subkeys. Currently only
+ implemented for -export-filter.
+
+ drop-sig
+ This filter drops the selected key signatures on user ids.
+ Self-signatures are not considered. Currently only
+ implemented for -import-filter.
+
+ For the syntax of the expression see the chapter "FILTER
+ EXPRESSIONS". The property names for the expressions depend on the
+ actual filter type and are indicated in the following table.
+
+ The available properties are:
+
+ uid
+ A string with the user id. (keep-uid)
+
+ mbox
+ The addr-spec part of a user id with mailbox or the empty
+ string. (keep-uid)
+
+ key_algo
+ A number with the public key algorithm of a key or subkey
+ packet. (drop-subkey)
+
+ key_created
+ key_created_d
+ The first is the timestamp a public key or subkey packet was
+ created. The second is the same but given as an ISO string,
+ e.g. "2016-08-17". (drop-subkey)
+
+ fpr
+ The hexified fingerprint of the current subkey or primary key.
+ (drop-subkey)
+
+ primary
+ Boolean indicating whether the user id is the primary one.
+ (keep-uid)
+
+ expired
+ Boolean indicating whether a user id (keep-uid), a key
+ (drop-subkey), or a signature (drop-sig) expired.
+
+ revoked
+ Boolean indicating whether a user id (keep-uid) or a key
+ (drop-subkey) has been revoked.
+
+ disabled
+ Boolean indicating whether a primary key is disabled. (not
+ used)
+
+ secret
+ Boolean indicating whether a key or subkey is a secret one.
+ (drop-subkey)
+
+ usage
+ A string indicating the usage flags for the subkey, from the
+ sequence "ecsa?". For example, a subkey capable of just
+ signing and authentication would be an exact match for "sa".
+ (drop-subkey)
+
+ sig_created
+ sig_created_d
+ The first is the timestamp a signature packet was created.
+ The second is the same but given as an ISO date string, e.g.
+ "2016-08-17". (drop-sig)
+
+ sig_algo
+ A number with the public key algorithm of a signature packet.
+ (drop-sig)
+
+ sig_digest_algo
+ A number with the digest algorithm of a signature packet.
+ (drop-sig)
+
+'--export-options PARAMETERS'
+ This is a space or comma delimited string that gives options for
+ exporting keys. Options can be prepended with a 'no-' to give the
+ opposite meaning. The options are:
+
+ export-local-sigs
+ Allow exporting key signatures marked as "local". This is not
+ generally useful unless a shared keyring scheme is being used.
+ Defaults to no.
+
+ export-attributes
+ Include attribute user IDs (photo IDs) while exporting. Not
+ including attribute user IDs is useful to export keys that are
+ going to be used by an OpenPGP program that does not accept
+ attribute user IDs. Defaults to yes.
+
+ export-sensitive-revkeys
+ Include designated revoker information that was marked as
+ "sensitive". Defaults to no.
+
+ backup
+ export-backup
+ Export for use as a backup. The exported data includes all
+ data which is needed to restore the key or keys later with
+ GnuPG. The format is basically the OpenPGP format but enhanced
+ with GnuPG specific data. All other contradicting options are
+ overridden.
+
+ export-clean
+ Compact (remove all signatures from) user IDs on the key being
+ exported if the user IDs are not usable. Also, do not export
+ any signatures that are not usable. This includes signatures
+ that were issued by keys that are not present on the keyring.
+ This option is the same as running the '--edit-key' command
+ "clean" before export except that the local copy of the key is
+ not modified. Defaults to no.
+
+ export-minimal
+ Export the smallest key possible. This removes all signatures
+ except the most recent self-signature on each user ID. This
+ option is the same as running the '--edit-key' command
+ "minimize" before export except that the local copy of the key
+ is not modified. Defaults to no.
+
+ export-pka
+ Instead of outputting the key material output PKA records
+ suitable to put into DNS zone files. An ORIGIN line is
+ printed before each record to allow diverting the records to
+ the corresponding zone file.
+
+ export-dane
+ Instead of outputting the key material output OpenPGP DANE
+ records suitable to put into DNS zone files. An ORIGIN line
+ is printed before each record to allow diverting the records
+ to the corresponding zone file.
+
+'--with-colons'
+ Print key listings delimited by colons. Note that the output will
+ be encoded in UTF-8 regardless of any '--display-charset' setting.
+ This format is useful when GnuPG is called from scripts and other
+ programs as it is easily machine parsed. The details of this
+ format are documented in the file 'doc/DETAILS', which is included
+ in the GnuPG source distribution.
+
+'--fixed-list-mode'
+ Do not merge primary user ID and primary key in '--with-colon'
+ listing mode and print all timestamps as seconds since 1970-01-01.
+ Since GnuPG 2.0.10, this mode is always used and thus this option
+ is obsolete; it does not harm to use it though.
+
+'--legacy-list-mode'
+ Revert to the pre-2.1 public key list mode. This only affects the
+ human readable output and not the machine interface (i.e.
+ '--with-colons'). Note that the legacy format does not convey
+ suitable information for elliptic curves.
+
+'--with-fingerprint'
+ Same as the command '--fingerprint' but changes only the format of
+ the output and may be used together with another command.
+
+'--with-subkey-fingerprint'
+ If a fingerprint is printed for the primary key, this option forces
+ printing of the fingerprint for all subkeys. This could also be
+ achieved by using the '--with-fingerprint' twice but by using this
+ option along with keyid-format "none" a compact fingerprint is
+ printed.
+
+'--with-icao-spelling'
+ Print the ICAO spelling of the fingerprint in addition to the hex
+ digits.
+
+'--with-keygrip'
+ Include the keygrip in the key listings. In '--with-colons' mode
+ this is implicitly enable for secret keys.
+
+'--with-key-origin'
+ Include the locally held information on the origin and last update
+ of a key in a key listing. In '--with-colons' mode this is always
+ printed. This data is currently experimental and shall not be
+ considered part of the stable API.
+
+'--with-wkd-hash'
+ Print a Web Key Directory identifier along with each user ID in key
+ listings. This is an experimental feature and semantics may
+ change.
+
+'--with-secret'
+ Include info about the presence of a secret key in public key
+ listings done with '--with-colons'.
+
+
+File: gnupg.info, Node: OpenPGP Options, Next: Compliance Options, Prev: GPG Input and Output, Up: GPG Options
+
+4.2.4 OpenPGP protocol specific options
+---------------------------------------
+
+'-t, --textmode'
+'--no-textmode'
+ Treat input files as text and store them in the OpenPGP canonical
+ text form with standard "CRLF" line endings. This also sets the
+ necessary flags to inform the recipient that the encrypted or
+ signed data is text and may need its line endings converted back to
+ whatever the local system uses. This option is useful when
+ communicating between two platforms that have different line ending
+ conventions (UNIX-like to Mac, Mac to Windows, etc).
+ '--no-textmode' disables this option, and is the default.
+
+'--force-v3-sigs'
+'--no-force-v3-sigs'
+'--force-v4-certs'
+'--no-force-v4-certs'
+ These options are obsolete and have no effect since GnuPG 2.1.
+
+'--force-mdc'
+'--disable-mdc'
+ These options are obsolete and have no effect since GnuPG 2.2.8.
+ The MDC is always used. But note: If the creation of a legacy
+ non-MDC message is exceptionally required, the option '--rfc2440'
+ allows for this.
+
+'--disable-signer-uid'
+ By default the user ID of the signing key is embedded in the data
+ signature. As of now this is only done if the signing key has been
+ specified with 'local-user' using a mail address, or with 'sender'.
+ This information can be helpful for verifier to locate the key; see
+ option '--auto-key-retrieve'.
+
+'--include-key-block'
+ This option is used to embed the actual signing key into a data
+ signature. The embedded key is stripped down to a single user id
+ and includes only the signing subkey used to create the signature
+ as well as as valid encryption subkeys. All other info is removed
+ from the key to keep it and thus the signature small. This option
+ is the OpenPGP counterpart to the 'gpgsm' option '--include-certs'.
+
+'--personal-cipher-preferences STRING'
+ Set the list of personal cipher preferences to STRING. Use 'gpg
+ --version' to get a list of available algorithms, and use 'none' to
+ set no preference at all. This allows the user to safely override
+ the algorithm chosen by the recipient key preferences, as GPG will
+ only select an algorithm that is usable by all recipients. The
+ most highly ranked cipher in this list is also used for the
+ '--symmetric' encryption command.
+
+'--personal-digest-preferences STRING'
+ Set the list of personal digest preferences to STRING. Use 'gpg
+ --version' to get a list of available algorithms, and use 'none' to
+ set no preference at all. This allows the user to safely override
+ the algorithm chosen by the recipient key preferences, as GPG will
+ only select an algorithm that is usable by all recipients. The
+ most highly ranked digest algorithm in this list is also used when
+ signing without encryption (e.g. '--clear-sign' or '--sign').
+
+'--personal-compress-preferences STRING'
+ Set the list of personal compression preferences to STRING. Use
+ 'gpg --version' to get a list of available algorithms, and use
+ 'none' to set no preference at all. This allows the user to safely
+ override the algorithm chosen by the recipient key preferences, as
+ GPG will only select an algorithm that is usable by all recipients.
+ The most highly ranked compression algorithm in this list is also
+ used when there are no recipient keys to consider (e.g.
+ '--symmetric').
+
+'--s2k-cipher-algo NAME'
+ Use NAME as the cipher algorithm for symmetric encryption with a
+ passphrase if '--personal-cipher-preferences' and '--cipher-algo'
+ are not given. The default is AES-128.
+
+'--s2k-digest-algo NAME'
+ Use NAME as the digest algorithm used to mangle the passphrases for
+ symmetric encryption. The default is SHA-1.
+
+'--s2k-mode N'
+ Selects how passphrases for symmetric encryption are mangled. If N
+ is 0 a plain passphrase (which is in general not recommended) will
+ be used, a 1 adds a salt (which should not be used) to the
+ passphrase and a 3 (the default) iterates the whole process a
+ number of times (see '--s2k-count').
+
+'--s2k-count N'
+ Specify how many times the passphrases mangling for symmetric
+ encryption is repeated. This value may range between 1024 and
+ 65011712 inclusive. The default is inquired from gpg-agent. Note
+ that not all values in the 1024-65011712 range are legal and if an
+ illegal value is selected, GnuPG will round up to the nearest legal
+ value. This option is only meaningful if '--s2k-mode' is set to
+ the default of 3.
+
+
+File: gnupg.info, Node: Compliance Options, Next: GPG Esoteric Options, Prev: OpenPGP Options, Up: GPG Options
+
+4.2.5 Compliance options
+------------------------
+
+These options control what GnuPG is compliant to. Only one of these
+options may be active at a time. Note that the default setting of this
+is nearly always the correct one. See the INTEROPERABILITY WITH OTHER
+OPENPGP PROGRAMS section below before using one of these options.
+
+'--gnupg'
+ Use standard GnuPG behavior. This is essentially OpenPGP behavior
+ (see '--openpgp'), but with some additional workarounds for common
+ compatibility problems in different versions of PGP. This is the
+ default option, so it is not generally needed, but it may be useful
+ to override a different compliance option in the gpg.conf file.
+
+'--openpgp'
+ Reset all packet, cipher and digest options to strict OpenPGP
+ behavior. Use this option to reset all previous options like
+ '--s2k-*', '--cipher-algo', '--digest-algo' and '--compress-algo'
+ to OpenPGP compliant values. All PGP workarounds are disabled.
+
+'--rfc4880'
+ Reset all packet, cipher and digest options to strict RFC-4880
+ behavior. Note that this is currently the same thing as
+ '--openpgp'.
+
+'--rfc4880bis'
+ Enable experimental features from proposed updates to RFC-4880.
+ This option can be used in addition to the other compliance
+ options. Warning: The behavior may change with any GnuPG release
+ and created keys or data may not be usable with future GnuPG
+ versions.
+
+'--rfc2440'
+ Reset all packet, cipher and digest options to strict RFC-2440
+ behavior. Note that by using this option encryption packets are
+ created in a legacy mode without MDC protection. This is dangerous
+ and should thus only be used for experiments. See also option
+ '--ignore-mdc-error'.
+
+'--pgp6'
+ Set up all options to be as PGP 6 compliant as possible. This
+ restricts you to the ciphers IDEA (if the IDEA plugin is
+ installed), 3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160,
+ and the compression algorithms none and ZIP. This also disables
+ '--throw-keyids', and making signatures with signing subkeys as PGP
+ 6 does not understand signatures made by signing subkeys.
+
+ This option implies '--escape-from-lines'.
+
+'--pgp7'
+ Set up all options to be as PGP 7 compliant as possible. This is
+ identical to '--pgp6' except that MDCs are not disabled, and the
+ list of allowable ciphers is expanded to add AES128, AES192,
+ AES256, and TWOFISH.
+
+'--pgp8'
+ Set up all options to be as PGP 8 compliant as possible. PGP 8 is
+ a lot closer to the OpenPGP standard than previous versions of PGP,
+ so all this does is disable '--throw-keyids' and set
+ '--escape-from-lines'. All algorithms are allowed except for the
+ SHA224, SHA384, and SHA512 digests.
+
+'--compliance STRING'
+ This option can be used instead of one of the options above. Valid
+ values for STRING are the above option names (without the double
+ dash) and possibly others as shown when using "help" for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpg user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpg process exits
+ with a failure if the compliance rules are not fulfilled. Note
+ that this option has currently an effect only in "de-vs" mode.
+
+
+File: gnupg.info, Node: GPG Esoteric Options, Next: Deprecated Options, Prev: Compliance Options, Up: GPG Options
+
+4.2.6 Doing things one usually doesn't want to do
+-------------------------------------------------
+
+'-n'
+'--dry-run'
+ Don't make any changes (this is not completely implemented).
+
+'--list-only'
+ Changes the behaviour of some commands. This is like '--dry-run'
+ but different in some cases. The semantic of this option may be
+ extended in the future. Currently it only skips the actual
+ decryption pass and therefore enables a fast listing of the
+ encryption keys.
+
+'-i'
+'--interactive'
+ Prompt before overwriting any files.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or by a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+'--debug FLAGS'
+ Set debugging flags. All flags are or-ed and FLAGS may be given in
+ C syntax (e.g. 0x0042) or as a comma separated list of flag names.
+ To get a list of all supported flags the single word "help" can be
+ used.
+
+'--debug-all'
+ Set all useful debugging flags.
+
+'--debug-iolbf'
+ Set stdout into line buffered mode. This option is only honored
+ when given on the command line.
+
+'--faked-system-time EPOCH'
+ This option is only useful for testing; it sets the system time
+ back or forth to EPOCH which is the number of seconds elapsed since
+ the year 1970. Alternatively EPOCH may be given as a full ISO time
+ string (e.g. "20070924T154812").
+
+ If you suffix EPOCH with an exclamation mark (!), the system time
+ will appear to be frozen at the specified time.
+
+'--enable-progress-filter'
+ Enable certain PROGRESS status outputs. This option allows
+ frontends to display a progress indicator while gpg is processing
+ larger files. There is a slight performance overhead using it.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. See the
+ file DETAILS in the documentation for a listing of them.
+
+'--status-file FILE'
+ Same as '--status-fd', except the status data is written to file
+ FILE.
+
+'--logger-fd N'
+ Write log output to file descriptor N and not to STDERR.
+
+'--log-file FILE'
+'--logger-file FILE'
+ Same as '--logger-fd', except the logger data is written to file
+ FILE. Use 'socket://' to log to a socket. Note that in this
+ version of gpg the option has only an effect if '--batch' is also
+ used.
+
+'--attribute-fd N'
+ Write attribute subpackets to the file descriptor N. This is most
+ useful for use with '--status-fd', since the status messages are
+ needed to separate out the various subpackets from the stream
+ delivered to the file descriptor.
+
+'--attribute-file FILE'
+ Same as '--attribute-fd', except the attribute data is written to
+ file FILE.
+
+'--comment STRING'
+'--no-comments'
+ Use STRING as a comment string in cleartext signatures and ASCII
+ armored messages or keys (see '--armor'). The default behavior is
+ not to use a comment string. '--comment' may be repeated multiple
+ times to get multiple comment strings. '--no-comments' removes all
+ comments. It is a good idea to keep the length of a single comment
+ below 60 characters to avoid problems with mail programs wrapping
+ such lines. Note that comment lines, like all other header lines,
+ are not protected by the signature.
+
+'--emit-version'
+'--no-emit-version'
+ Force inclusion of the version string in ASCII armored output. If
+ given once only the name of the program and the major number is
+ emitted, given twice the minor is also emitted, given thrice the
+ micro is added, and given four times an operating system
+ identification is also emitted. '--no-emit-version' (default)
+ disables the version line.
+
+'--sig-notation {NAME=VALUE}'
+'--cert-notation {NAME=VALUE}'
+'-N, --set-notation {NAME=VALUE}'
+ Put the name value pair into the signature as notation data. NAME
+ must consist only of printable characters or spaces, and must
+ contain a '@' character in the form keyname@domain.example.com
+ (substituting the appropriate keyname and domain name, of course).
+ This is to help prevent pollution of the IETF reserved notation
+ namespace. The '--expert' flag overrides the '@' check. VALUE may
+ be any printable string; it will be encoded in UTF-8, so you should
+ check that your '--display-charset' is set correctly. If you
+ prefix NAME with an exclamation mark (!), the notation data will be
+ flagged as critical (rfc4880:5.2.3.16). '--sig-notation' sets a
+ notation for data signatures. '--cert-notation' sets a notation
+ for key signatures (certifications). '--set-notation' sets both.
+
+ There are special codes that may be used in notation names. "%k"
+ will be expanded into the key ID of the key being signed, "%K" into
+ the long key ID of the key being signed, "%f" into the fingerprint
+ of the key being signed, "%s" into the key ID of the key making the
+ signature, "%S" into the long key ID of the key making the
+ signature, "%g" into the fingerprint of the key making the
+ signature (which might be a subkey), "%p" into the fingerprint of
+ the primary key of the key making the signature, "%c" into the
+ signature count from the OpenPGP smartcard, and "%%" results in a
+ single "%". %k, %K, and %f are only meaningful when making a key
+ signature (certification), and %c is only meaningful when using the
+ OpenPGP smartcard.
+
+'--known-notation NAME'
+ Adds NAME to a list of known critical signature notations. The
+ effect of this is that gpg will not mark a signature with a
+ critical signature notation of that name as bad. Note that gpg
+ already knows by default about a few critical signatures notation
+ names.
+
+'--sig-policy-url STRING'
+'--cert-policy-url STRING'
+'--set-policy-url STRING'
+ Use STRING as a Policy URL for signatures (rfc4880:5.2.3.20). If
+ you prefix it with an exclamation mark (!), the policy URL packet
+ will be flagged as critical. '--sig-policy-url' sets a policy url
+ for data signatures. '--cert-policy-url' sets a policy url for key
+ signatures (certifications). '--set-policy-url' sets both.
+
+ The same %-expandos used for notation data are available here as
+ well.
+
+'--sig-keyserver-url STRING'
+ Use STRING as a preferred keyserver URL for data signatures. If
+ you prefix it with an exclamation mark (!), the keyserver URL
+ packet will be flagged as critical.
+
+ The same %-expandos used for notation data are available here as
+ well.
+
+'--set-filename STRING'
+ Use STRING as the filename which is stored inside messages. This
+ overrides the default, which is to use the actual filename of the
+ file being encrypted. Using the empty string for STRING
+ effectively removes the filename from the output.
+
+'--for-your-eyes-only'
+'--no-for-your-eyes-only'
+ Set the 'for your eyes only' flag in the message. This causes
+ GnuPG to refuse to save the file unless the '--output' option is
+ given, and PGP to use a "secure viewer" with a claimed
+ Tempest-resistant font to display the message. This option
+ overrides '--set-filename'. '--no-for-your-eyes-only' disables
+ this option.
+
+'--use-embedded-filename'
+'--no-use-embedded-filename'
+ Try to create a file with a name as embedded in the data. This can
+ be a dangerous option as it enables overwriting files. Defaults to
+ no. Note that the option '--output' overrides this option.
+
+'--cipher-algo NAME'
+ Use NAME as cipher algorithm. Running the program with the command
+ '--version' yields a list of supported algorithms. If this is not
+ used the cipher algorithm is selected from the preferences stored
+ with the key. In general, you do not want to use this option as it
+ allows you to violate the OpenPGP standard.
+ '--personal-cipher-preferences' is the safe way to accomplish the
+ same thing.
+
+'--digest-algo NAME'
+ Use NAME as the message digest algorithm. Running the program with
+ the command '--version' yields a list of supported algorithms. In
+ general, you do not want to use this option as it allows you to
+ violate the OpenPGP standard. '--personal-digest-preferences' is
+ the safe way to accomplish the same thing.
+
+'--compress-algo NAME'
+ Use compression algorithm NAME. "zlib" is RFC-1950 ZLIB
+ compression. "zip" is RFC-1951 ZIP compression which is used by
+ PGP. "bzip2" is a more modern compression scheme that can compress
+ some things better than zip or zlib, but at the cost of more memory
+ used during compression and decompression. "uncompressed" or
+ "none" disables compression. If this option is not used, the
+ default behavior is to examine the recipient key preferences to see
+ which algorithms the recipient supports. If all else fails, ZIP is
+ used for maximum compatibility.
+
+ ZLIB may give better compression results than ZIP, as the
+ compression window size is not limited to 8k. BZIP2 may give even
+ better compression results than that, but will use a significantly
+ larger amount of memory while compressing and decompressing. This
+ may be significant in low memory situations. Note, however, that
+ PGP (all versions) only supports ZIP compression. Using any
+ algorithm other than ZIP or "none" will make the message unreadable
+ with PGP. In general, you do not want to use this option as it
+ allows you to violate the OpenPGP standard.
+ '--personal-compress-preferences' is the safe way to accomplish the
+ same thing.
+
+'--cert-digest-algo NAME'
+ Use NAME as the message digest algorithm used when signing a key.
+ Running the program with the command '--version' yields a list of
+ supported algorithms. Be aware that if you choose an algorithm
+ that GnuPG supports but other OpenPGP implementations do not, then
+ some users will not be able to use the key signatures you make, or
+ quite possibly your entire key.
+
+'--disable-cipher-algo NAME'
+ Never allow the use of NAME as cipher algorithm. The given name
+ will not be checked so that a later loaded algorithm will still get
+ disabled.
+
+'--disable-pubkey-algo NAME'
+ Never allow the use of NAME as public key algorithm. The given
+ name will not be checked so that a later loaded algorithm will
+ still get disabled.
+
+'--throw-keyids'
+'--no-throw-keyids'
+ Do not put the recipient key IDs into encrypted messages. This
+ helps to hide the receivers of the message and is a limited
+ countermeasure against traffic analysis.(1) On the receiving side,
+ it may slow down the decryption process because all available
+ secret keys must be tried. '--no-throw-keyids' disables this
+ option. This option is essentially the same as using
+ '--hidden-recipient' for all recipients.
+
+'--not-dash-escaped'
+ This option changes the behavior of cleartext signatures so that
+ they can be used for patch files. You should not send such an
+ armored file via email because all spaces and line endings are
+ hashed too. You can not use this option for data which has 5
+ dashes at the beginning of a line, patch files don't have this. A
+ special armor header line tells GnuPG about this cleartext
+ signature option.
+
+'--escape-from-lines'
+'--no-escape-from-lines'
+ Because some mailers change lines starting with "From " to ">From "
+ it is good to handle such lines in a special way when creating
+ cleartext signatures to prevent the mail system from breaking the
+ signature. Note that all other PGP versions do it this way too.
+ Enabled by default. '--no-escape-from-lines' disables this option.
+
+'--passphrase-repeat N'
+ Specify how many times 'gpg' will request a new passphrase be
+ repeated. This is useful for helping memorize a passphrase.
+ Defaults to 1 repetition; can be set to 0 to disable any passphrase
+ repetition. Note that a N greater than 1 will pop up the pinentry
+ window N+1 times even if a modern pinentry with two entry fields is
+ used.
+
+'--passphrase-fd N'
+ Read the passphrase from file descriptor N. Only the first line
+ will be read from file descriptor N. If you use 0 for N, the
+ passphrase will be read from STDIN. This can only be used if only
+ one passphrase is supplied.
+
+ Note that since Version 2.0 this passphrase is only used if the
+ option '--batch' has also been given. Since Version 2.1 the
+ '--pinentry-mode' also needs to be set to 'loopback'.
+
+'--passphrase-file FILE'
+ Read the passphrase from file FILE. Only the first line will be
+ read from file FILE. This can only be used if only one passphrase
+ is supplied. Obviously, a passphrase stored in a file is of
+ questionable security if other users can read this file. Don't use
+ this option if you can avoid it.
+
+ Note that since Version 2.0 this passphrase is only used if the
+ option '--batch' has also been given. Since Version 2.1 the
+ '--pinentry-mode' also needs to be set to 'loopback'.
+
+'--passphrase STRING'
+ Use STRING as the passphrase. This can only be used if only one
+ passphrase is supplied. Obviously, this is of very questionable
+ security on a multi-user system. Don't use this option if you can
+ avoid it.
+
+ Note that since Version 2.0 this passphrase is only used if the
+ option '--batch' has also been given. Since Version 2.1 the
+ '--pinentry-mode' also needs to be set to 'loopback'.
+
+'--pinentry-mode MODE'
+ Set the pinentry mode to MODE. Allowed values for MODE are:
+ default
+ Use the default of the agent, which is 'ask'.
+ ask
+ Force the use of the Pinentry.
+ cancel
+ Emulate use of Pinentry's cancel button.
+ error
+ Return a Pinentry error ("No Pinentry").
+ loopback
+ Redirect Pinentry queries to the caller. Note that in
+ contrast to Pinentry the user is not prompted again if he
+ enters a bad password.
+
+'--no-symkey-cache'
+ Disable the passphrase cache used for symmetrical en- and
+ decryption. This cache is based on the message specific salt value
+ (cf. '--s2k-mode').
+
+'--request-origin ORIGIN'
+ Tell gpg to assume that the operation ultimately originated at
+ ORIGIN. Depending on the origin certain restrictions are applied
+ and the Pinentry may include an extra note on the origin.
+ Supported values for ORIGIN are: 'local' which is the default,
+ 'remote' to indicate a remote origin or 'browser' for an operation
+ requested by a web browser.
+
+'--command-fd N'
+ This is a replacement for the deprecated shared-memory IPC mode.
+ If this option is enabled, user input on questions is not expected
+ from the TTY but from the given file descriptor. It should be used
+ together with '--status-fd'. See the file doc/DETAILS in the
+ source distribution for details on how to use it.
+
+'--command-file FILE'
+ Same as '--command-fd', except the commands are read out of file
+ FILE
+
+'--allow-non-selfsigned-uid'
+'--no-allow-non-selfsigned-uid'
+ Allow the import and use of keys with user IDs which are not
+ self-signed. This is not recommended, as a non self-signed user ID
+ is trivial to forge. '--no-allow-non-selfsigned-uid' disables.
+
+'--allow-freeform-uid'
+ Disable all checks on the form of the user ID while generating a
+ new one. This option should only be used in very special
+ environments as it does not ensure the de-facto standard format of
+ user IDs.
+
+'--ignore-time-conflict'
+ GnuPG normally checks that the timestamps associated with keys and
+ signatures have plausible values. However, sometimes a signature
+ seems to be older than the key due to clock problems. This option
+ makes these checks just a warning. See also '--ignore-valid-from'
+ for timestamp issues on subkeys.
+
+'--ignore-valid-from'
+ GnuPG normally does not select and use subkeys created in the
+ future. This option allows the use of such keys and thus exhibits
+ the pre-1.0.7 behaviour. You should not use this option unless
+ there is some clock problem. See also '--ignore-time-conflict' for
+ timestamp issues with signatures.
+
+'--ignore-crc-error'
+ The ASCII armor used by OpenPGP is protected by a CRC checksum
+ against transmission errors. Occasionally the CRC gets mangled
+ somewhere on the transmission channel but the actual content (which
+ is protected by the OpenPGP protocol anyway) is still okay. This
+ option allows GnuPG to ignore CRC errors.
+
+'--ignore-mdc-error'
+ This option changes a MDC integrity protection failure into a
+ warning. It is required to decrypt old messages which did not use
+ an MDC. It may also be useful if a message is partially garbled,
+ but it is necessary to get as much data as possible out of that
+ garbled message. Be aware that a missing or failed MDC can be an
+ indication of an attack. Use with great caution; see also option
+ '--rfc2440'.
+
+'--allow-weak-digest-algos'
+ Signatures made with known-weak digest algorithms are normally
+ rejected with an "invalid digest algorithm" message. This option
+ allows the verification of signatures made with such weak
+ algorithms. MD5 is the only digest algorithm considered weak by
+ default. See also '--weak-digest' to reject other digest
+ algorithms.
+
+'--weak-digest NAME'
+ Treat the specified digest algorithm as weak. Signatures made over
+ weak digests algorithms are normally rejected. This option can be
+ supplied multiple times if multiple algorithms should be considered
+ weak. See also '--allow-weak-digest-algos' to disable rejection of
+ weak digests. MD5 is always considered weak, and does not need to
+ be listed explicitly.
+
+'--allow-weak-key-signatures'
+ To avoid a minor risk of collision attacks on third-party key
+ signatures made using SHA-1, those key signatures are considered
+ invalid. This options allows to override this restriction.
+
+'--override-compliance-check'
+ The signature verification only allows the use of keys suitable in
+ the current compliance mode. If the compliance mode has been
+ forced by a global option, there might be no way to check certain
+ signature. This option allows to override this and prints an extra
+ warning in such a case. This option is ignored in -batch mode so
+ that no accidental unattended verification may happen.
+
+'--no-default-keyring'
+ Do not add the default keyring to the list of keyrings. Note that
+ GnuPG needs for almost all operations a keyring. Thus if you use
+ this option and do not provide alternate keyrings via '--keyring',
+ then GnuPG will still use the default keyring.
+
+'--no-keyring'
+ Do not use any keyring at all. This overrides the default and all
+ options which specify keyrings.
+
+'--skip-verify'
+ Skip the signature verification step. This may be used to make the
+ decryption faster if the signature verification is not needed.
+
+'--with-key-data'
+ Print key listings delimited by colons (like '--with-colons') and
+ print the public key data.
+
+'--list-signatures'
+'--list-sigs'
+ Same as '--list-keys', but the signatures are listed too. This
+ command has the same effect as using '--list-keys' with
+ '--with-sig-list'. Note that in contrast to '--check-signatures'
+ the key signatures are not verified. This command can be used to
+ create a list of signing keys missing in the local keyring; for
+ example:
+
+ gpg --list-sigs --with-colons USERID | \
+ awk -F: '$1=="sig" && $2=="?" {if($13){print $13}else{print $5}}'
+
+'--fast-list-mode'
+ Changes the output of the list commands to work faster; this is
+ achieved by leaving some parts empty. Some applications don't need
+ the user ID and the trust information given in the listings. By
+ using this options they can get a faster listing. The exact
+ behaviour of this option may change in future versions. If you are
+ missing some information, don't use this option.
+
+'--no-literal'
+ This is not for normal use. Use the source to see for what it
+ might be useful.
+
+'--set-filesize'
+ This is not for normal use. Use the source to see for what it
+ might be useful.
+
+'--show-session-key'
+ Display the session key used for one message. See
+ '--override-session-key' for the counterpart of this option.
+
+ We think that Key Escrow is a Bad Thing; however the user should
+ have the freedom to decide whether to go to prison or to reveal the
+ content of one specific message without compromising all messages
+ ever encrypted for one secret key.
+
+ You can also use this option if you receive an encrypted message
+ which is abusive or offensive, to prove to the administrators of
+ the messaging system that the ciphertext transmitted corresponds to
+ an inappropriate plaintext so they can take action against the
+ offending user.
+
+'--override-session-key STRING'
+'--override-session-key-fd FD'
+ Don't use the public key but the session key STRING respective the
+ session key taken from the first line read from file descriptor FD.
+ The format of this string is the same as the one printed by
+ '--show-session-key'. This option is normally not used but comes
+ handy in case someone forces you to reveal the content of an
+ encrypted message; using this option you can do this without
+ handing out the secret key. Note that using
+ '--override-session-key' may reveal the session key to all local
+ users via the global process table. Often it is useful to combine
+ this option with '--no-keyring'.
+
+'--ask-sig-expire'
+'--no-ask-sig-expire'
+ When making a data signature, prompt for an expiration time. If
+ this option is not specified, the expiration time set via
+ '--default-sig-expire' is used. '--no-ask-sig-expire' disables
+ this option.
+
+'--default-sig-expire'
+ The default expiration time to use for signature expiration. Valid
+ values are "0" for no expiration, a number followed by the letter d
+ (for days), w (for weeks), m (for months), or y (for years) (for
+ example "2m" for two months, or "5y" for five years), or an
+ absolute date in the form YYYY-MM-DD. Defaults to "0".
+
+'--ask-cert-expire'
+'--no-ask-cert-expire'
+ When making a key signature, prompt for an expiration time. If
+ this option is not specified, the expiration time set via
+ '--default-cert-expire' is used. '--no-ask-cert-expire' disables
+ this option.
+
+'--default-cert-expire'
+ The default expiration time to use for key signature expiration.
+ Valid values are "0" for no expiration, a number followed by the
+ letter d (for days), w (for weeks), m (for months), or y (for
+ years) (for example "2m" for two months, or "5y" for five years),
+ or an absolute date in the form YYYY-MM-DD. Defaults to "0".
+
+'--default-new-key-algo STRING'
+ This option can be used to change the default algorithms for key
+ generation. The STRING is similar to the arguments required for
+ the command '--quick-add-key' but slightly different. For example
+ the current default of '"rsa2048/cert,sign+rsa2048/encr"' (or
+ '"rsa3072"') can be changed to the value of what we currently call
+ future default, which is '"ed25519/cert,sign+cv25519/encr"'. You
+ need to consult the source code to learn the details. Note that
+ the advanced key generation commands can always be used to specify
+ a key algorithm directly.
+
+'--force-sign-key'
+ This option modifies the behaviour of the commands
+ '--quick-sign-key', '--quick-lsign-key', and the "sign"
+ sub-commands of '--edit-key' by forcing the creation of a key
+ signature, even if one already exists.
+
+'--forbid-gen-key'
+ This option is intended for use in the global config file to
+ disallow the use of generate key commands. Those commands will
+ then fail with the error code for Not Enabled.
+
+'--allow-secret-key-import'
+ This is an obsolete option and is not used anywhere.
+
+'--allow-multiple-messages'
+'--no-allow-multiple-messages'
+ Allow processing of multiple OpenPGP messages contained in a single
+ file or stream. Some programs that call GPG are not prepared to
+ deal with multiple messages being processed together, so this
+ option defaults to no. Note that versions of GPG prior to 1.4.7
+ always allowed multiple messages. Future versions of GnUPG will
+ remove this option.
+
+ Warning: Do not use this option unless you need it as a temporary
+ workaround!
+
+'--enable-special-filenames'
+ This option enables a mode in which filenames of the form '-&n',
+ where n is a non-negative decimal number, refer to the file
+ descriptor n and not to a file with that name.
+
+'--no-expensive-trust-checks'
+ Experimental use only.
+
+'--preserve-permissions'
+ Don't change the permissions of a secret keyring back to user
+ read/write only. Use this option only if you really know what you
+ are doing.
+
+'--default-preference-list STRING'
+ Set the list of default preferences to STRING. This preference
+ list is used for new keys and becomes the default for "setpref" in
+ the edit menu.
+
+'--default-keyserver-url NAME'
+ Set the default keyserver URL to NAME. This keyserver will be used
+ as the keyserver URL when writing a new self-signature on a key,
+ which includes key generation and changing preferences.
+
+'--list-config'
+ Display various internal configuration parameters of GnuPG. This
+ option is intended for external programs that call GnuPG to perform
+ tasks, and is thus not generally useful. See the file
+ 'doc/DETAILS' in the source distribution for the details of which
+ configuration items may be listed. '--list-config' is only usable
+ with '--with-colons' set.
+
+'--list-gcrypt-config'
+ Display various internal configuration parameters of Libgcrypt.
+
+'--gpgconf-list'
+ This command is similar to '--list-config' but in general only
+ internally used by the 'gpgconf' tool.
+
+'--gpgconf-test'
+ This is more or less dummy action. However it parses the
+ configuration file and returns with failure if the configuration
+ file would prevent 'gpg' from startup. Thus it may be used to run
+ a syntax check on the configuration file.
+
+ ---------- Footnotes ----------
+
+ (1) Using a little social engineering anyone who is able to decrypt
+the message can check whether one of the other recipients is the one he
+suspects.
+
+
+File: gnupg.info, Node: Deprecated Options, Prev: GPG Esoteric Options, Up: GPG Options
+
+4.2.7 Deprecated options
+------------------------
+
+'--show-photos'
+'--no-show-photos'
+ Causes '--list-keys', '--list-signatures', '--list-public-keys',
+ '--list-secret-keys', and verifying a signature to also display the
+ photo ID attached to the key, if any. See also '--photo-viewer'.
+ These options are deprecated. Use '--list-options
+ [no-]show-photos' and/or '--verify-options [no-]show-photos'
+ instead.
+
+'--show-keyring'
+ Display the keyring name at the head of key listings to show which
+ keyring a given key resides on. This option is deprecated: use
+ '--list-options [no-]show-keyring' instead.
+
+'--always-trust'
+ Identical to '--trust-model always'. This option is deprecated.
+
+'--show-notation'
+'--no-show-notation'
+ Show signature notations in the '--list-signatures' or
+ '--check-signatures' listings as well as when verifying a signature
+ with a notation in it. These options are deprecated. Use
+ '--list-options [no-]show-notation' and/or '--verify-options
+ [no-]show-notation' instead.
+
+'--show-policy-url'
+'--no-show-policy-url'
+ Show policy URLs in the '--list-signatures' or '--check-signatures'
+ listings as well as when verifying a signature with a policy URL in
+ it. These options are deprecated. Use '--list-options
+ [no-]show-policy-url' and/or '--verify-options
+ [no-]show-policy-url' instead.
+
+
+File: gnupg.info, Node: GPG Configuration, Next: GPG Examples, Prev: GPG Options, Up: Invoking GPG
+
+4.3 Configuration files
+=======================
+
+There are a few configuration files to control certain aspects of
+'gpg''s operation. Unless noted, they are expected in the current home
+directory (*note option --homedir::).
+
+'gpg.conf'
+ This is the standard configuration file read by 'gpg' on startup.
+ It may contain any valid long option; the leading two dashes may
+ not be entered and the option may not be abbreviated. This default
+ name may be changed on the command line (*note gpg-option
+ --options::). You should backup this file.
+
+ Note that on larger installations, it is useful to put predefined
+files into the directory '/etc/skel/.gnupg' so that newly created users
+start up with a working configuration. For existing users a small
+helper script is provided to create these files (*note addgnupghome::).
+
+ For internal purposes 'gpg' creates and maintains a few other files;
+They all live in the current home directory (*note option --homedir::).
+Only the 'gpg' program may modify these files.
+
+'~/.gnupg'
+ This is the default home directory which is used if neither the
+ environment variable 'GNUPGHOME' nor the option '--homedir' is
+ given.
+
+'~/.gnupg/pubring.gpg'
+ The public keyring using a legacy format. You should backup this
+ file.
+
+ If this file is not available, 'gpg' defaults to the new keybox
+ format and creates a file 'pubring.kbx' unless that file already
+ exists in which case that file will also be used for OpenPGP keys.
+
+ Note that in the case that both files, 'pubring.gpg' and
+ 'pubring.kbx' exists but the latter has no OpenPGP keys, the legacy
+ file 'pubring.gpg' will be used. Take care: GnuPG versions before
+ 2.1 will always use the file 'pubring.gpg' because they do not know
+ about the new keybox format. In the case that you have to use
+ GnuPG 1.4 to decrypt archived data you should keep this file.
+
+'~/.gnupg/pubring.gpg.lock'
+ The lock file for the public keyring.
+
+'~/.gnupg/pubring.kbx'
+ The public keyring using the new keybox format. This file is
+ shared with 'gpgsm'. You should backup this file. See above for
+ the relation between this file and it predecessor.
+
+ To convert an existing 'pubring.gpg' file to the keybox format, you
+ first backup the ownertrust values, then rename 'pubring.gpg' to
+ 'publickeys.backup', so it won’t be recognized by any GnuPG
+ version, run import, and finally restore the ownertrust values:
+
+ $ cd ~/.gnupg
+ $ gpg --export-ownertrust >otrust.lst
+ $ mv pubring.gpg publickeys.backup
+ $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-ownertrust otrust.lst
+
+'~/.gnupg/pubring.kbx.lock'
+ The lock file for 'pubring.kbx'.
+
+'~/.gnupg/secring.gpg'
+ The legacy secret keyring as used by GnuPG versions before 2.1. It
+ is not used by GnuPG 2.1 and later. You may want to keep it in
+ case you have to use GnuPG 1.4 to decrypt archived data.
+
+'~/.gnupg/secring.gpg.lock'
+ The lock file for the legacy secret keyring.
+
+'~/.gnupg/.gpg-v21-migrated'
+ File indicating that a migration to GnuPG 2.1 has been done.
+
+'~/.gnupg/trustdb.gpg'
+ The trust database. There is no need to backup this file; it is
+ better to backup the ownertrust values (*note option
+ --export-ownertrust::).
+
+'~/.gnupg/trustdb.gpg.lock'
+ The lock file for the trust database.
+
+'~/.gnupg/random_seed'
+ A file used to preserve the state of the internal random pool.
+
+'~/.gnupg/openpgp-revocs.d/'
+ This is the directory where gpg stores pre-generated revocation
+ certificates. The file name corresponds to the OpenPGP fingerprint
+ of the respective key. It is suggested to backup those
+ certificates and if the primary private key is not stored on the
+ disk to move them to an external storage device. Anyone who can
+ access theses files is able to revoke the corresponding key. You
+ may want to print them out. You should backup all files in this
+ directory and take care to keep this backup closed away.
+
+ Operation is further controlled by a few environment variables:
+
+HOME
+ Used to locate the default home directory.
+
+GNUPGHOME
+ If set directory used instead of "~/.gnupg".
+
+GPG_AGENT_INFO
+ This variable is obsolete; it was used by GnuPG versions before
+ 2.1.
+
+PINENTRY_USER_DATA
+ This value is passed via gpg-agent to pinentry. It is useful to
+ convey extra information to a custom pinentry.
+
+COLUMNS
+LINES
+ Used to size some displays to the full size of the screen.
+
+LANGUAGE
+ Apart from its use by GNU, it is used in the W32 version to
+ override the language selection done through the Registry. If used
+ and set to a valid and available language name (LANGID), the file
+ with the translation is loaded from 'GPGDIR/gnupg.nls/LANGID.mo'.
+ Here GPGDIR is the directory out of which the gpg binary has been
+ loaded. If it can't be loaded the Registry is tried and as last
+ resort the native Windows locale system is used.
+
+GNUPG_BUILD_ROOT
+ This variable is only used by the regression test suite as a helper
+ under operating systems without proper support to figure out the
+ name of a process' text file.
+
+GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
+ When calling the gpg-agent component 'gpg' sends a set of environment
+variables to gpg-agent. The names of these variables can be listed
+using the command:
+
+ gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" {print $2}'
+
+
+File: gnupg.info, Node: GPG Examples, Next: Unattended Usage of GPG, Prev: GPG Configuration, Up: Invoking GPG
+
+4.4 Examples
+============
+
+gpg -se -r 'Bob' 'file'
+ sign and encrypt for user Bob
+
+gpg -clear-sign 'file'
+ make a cleartext signature
+
+gpg -sb 'file'
+ make a detached signature
+
+gpg -u 0x12345678 -sb 'file'
+ make a detached signature with the key 0x12345678
+
+gpg -list-keys 'user_ID'
+ show keys
+
+gpg -fingerprint 'user_ID'
+ show fingerprint
+
+gpg -verify 'pgpfile'
+gpg -verify 'sigfile' ['datafile']
+ Verify the signature of the file but do not output the data unless
+ requested. The second form is used for detached signatures, where
+ 'sigfile' is the detached signature (either ASCII armored or
+ binary) and 'datafile' are the signed data; if this is not given,
+ the name of the file holding the signed data is constructed by
+ cutting off the extension (".asc" or ".sig") of 'sigfile' or by
+ asking the user for the filename. If the option '--output' is also
+ used the signed data is written to the file specified by that
+ option; use '-' to write the signed data to stdout.
+
+FILTER EXPRESSIONS
+******************
+
+The options '--import-filter' and '--export-filter' use expressions with
+this syntax (square brackets indicate an optional part and curly braces
+a repetition, white space between the elements are allowed):
+
+ [lc] {[{flag}] PROPNAME op VALUE [lc]}
+
+ The name of a property (PROPNAME) may only consist of letters, digits
+and underscores. The description for the filter type describes which
+properties are defined. If an undefined property is used it evaluates
+to the empty string. Unless otherwise noted, the VALUE must always be
+given and may not be the empty string. No quoting is defined for the
+value, thus the value may not contain the strings '&&' or '||', which
+are used as logical connection operators. The flag '--' can be used to
+remove this restriction.
+
+ Numerical values are computed as long int; standard C notation
+applies. LC is the logical connection operator; either '&&' for a
+conjunction or '||' for a disjunction. A conjunction is assumed at the
+begin of an expression. Conjunctions have higher precedence than
+disjunctions. If VALUE starts with one of the characters used in any OP
+a space after the OP is required.
+
+The supported operators (OP) are:
+
+=~
+ Substring must match.
+
+!~
+ Substring must not match.
+
+=
+ The full string must match.
+
+<>
+ The full string must not match.
+
+==
+ The numerical value must match.
+
+!=
+ The numerical value must not match.
+
+<=
+ The numerical value of the field must be LE than the value.
+
+<
+ The numerical value of the field must be LT than the value.
+
+>
+ The numerical value of the field must be GT than the value.
+
+>=
+ The numerical value of the field must be GE than the value.
+
+-le
+ The string value of the field must be less or equal than the value.
+
+-lt
+ The string value of the field must be less than the value.
+
+-gt
+ The string value of the field must be greater than the value.
+
+-ge
+ The string value of the field must be greater or equal than the
+ value.
+
+-n
+ True if value is not empty (no value allowed).
+
+-z
+ True if value is empty (no value allowed).
+
+-t
+ Alias for "PROPNAME != 0" (no value allowed).
+
+-f
+ Alias for "PROPNAME == 0" (no value allowed).
+
+Values for FLAG must be space separated. The supported flags are:
+
+-
+ VALUE spans to the end of the expression.
+-c
+ The string match in this part is done case-sensitive.
+-t
+ Leading and trailing spaces are not removed from VALUE. The
+ optional single space after OP is here required.
+
+ The filter options concatenate several specifications for a filter of
+the same type. For example the four options in this example:
+
+ --import-filter keep-uid="uid =~ Alfa"
+ --import-filter keep-uid="&& uid !~ Test"
+ --import-filter keep-uid="|| uid =~ Alpha"
+ --import-filter keep-uid="uid !~ Test"
+
+which is equivalent to
+
+ --import-filter \
+ keep-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test"
+
+ imports only the user ids of a key containing the strings "Alfa" or
+"Alpha" but not the string "test".
+
+RETURN VALUE
+************
+
+The program returns 0 if there are no severe errors, 1 if at least a
+signature was bad, and other error codes for fatal errors.
+
+ Note that signature verification requires exact knowledge of what has
+been signed and by whom it has beensigned. Using only the return code
+is thus not an appropriate way to verify a signature by a script.
+Either make proper use or the status codes or use the 'gpgv' tool which
+has been designed to make signature verification easy for scripts.
+
+WARNINGS
+********
+
+Use a good password for your user account and make sure that all
+security issues are always fixed on your machine. Also employ diligent
+physical protection to your machine. Consider to use a good passphrase
+as a last resort protection to your secret key in the case your machine
+gets stolen. It is important that your secret key is never leaked.
+Using an easy to carry around token or smartcard with the secret key is
+often a advisable.
+
+ If you are going to verify detached signatures, make sure that the
+program knows about it; either give both filenames on the command line
+or use '-' to specify STDIN.
+
+ For scripted or other unattended use of 'gpg' make sure to use the
+machine-parseable interface and not the default interface which is
+intended for direct use by humans. The machine-parseable interface
+provides a stable and well documented API independent of the locale or
+future changes of 'gpg'. To enable this interface use the options
+'--with-colons' and '--status-fd'. For certain operations the option
+'--command-fd' may come handy too. See this man page and the file
+'DETAILS' for the specification of the interface. Note that the GnuPG
+"info" pages as well as the PDF version of the GnuPG manual features a
+chapter on unattended use of GnuPG. As an alternative the library
+'GPGME' can be used as a high-level abstraction on top of that
+interface.
+
+INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
+********************************************
+
+GnuPG tries to be a very flexible implementation of the OpenPGP
+standard. In particular, GnuPG implements many of the optional parts of
+the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
+compression algorithms. It is important to be aware that not all
+OpenPGP programs implement these optional algorithms and that by forcing
+their use via the '--cipher-algo', '--digest-algo',
+'--cert-digest-algo', or '--compress-algo' options in GnuPG, it is
+possible to create a perfectly valid OpenPGP message, but one that
+cannot be read by the intended recipient.
+
+ There are dozens of variations of OpenPGP programs available, and
+each supports a slightly different subset of these optional algorithms.
+For example, until recently, no (unhacked) version of PGP supported the
+BLOWFISH cipher algorithm. A message using BLOWFISH simply could not be
+read by a PGP user. By default, GnuPG uses the standard OpenPGP
+preferences system that will always do the right thing and create
+messages that are usable by all recipients, regardless of which OpenPGP
+program they use. Only override this safe default if you really know
+what you are doing.
+
+ If you absolutely must override the safe default, or if the
+preferences on a given key are invalid for some reason, you are far
+better off using the '--pgp6', '--pgp7', or '--pgp8' options. These
+options are safe as they do not force any particular algorithms in
+violation of OpenPGP, but rather reduce the available algorithms to a
+"PGP-safe" list.
+
+BUGS
+****
+
+On older systems this program should be installed as setuid(root). This
+is necessary to lock memory pages. Locking memory pages prevents the
+operating system from writing memory pages (which may contain
+passphrases or other sensitive material) to disk. If you get no warning
+message about insecure memory your operating system supports locking
+without being root. The program drops root privileges as soon as locked
+memory is allocated.
+
+ Note also that some systems (especially laptops) have the ability to
+"suspend to disk" (also known as "safe sleep" or "hibernate"). This
+writes all memory to disk before going into a low power or even powered
+off mode. Unless measures are taken in the operating system to protect
+the saved memory, passphrases or other sensitive material may be
+recoverable from it later.
+
+ Before you report a bug you should first search the mailing list
+archives for similar problems and second check whether such a bug has
+already been reported to our bug tracker at <https://bugs.gnupg.org>.
+
+
+File: gnupg.info, Node: Unattended Usage of GPG, Prev: GPG Examples, Up: Invoking GPG
+
+4.5 Unattended Usage
+====================
+
+'gpg' is often used as a backend engine by other software. To help with
+this a machine interface has been defined to have an unambiguous way to
+do this. The options '--status-fd' and '--batch' are almost always
+required for this.
+
+* Menu:
+
+* Programmatic use of GnuPG:: Programmatic use of GnuPG
+* Ephemeral home directories:: Ephemeral home directories
+* The quick key manipulation interface:: The quick key manipulation interface
+* Unattended GPG key generation:: Unattended key generation
+
+
+File: gnupg.info, Node: Programmatic use of GnuPG, Next: Ephemeral home directories, Up: Unattended Usage of GPG
+
+4.5.1 Programmatic use of GnuPG
+-------------------------------
+
+Please consider using GPGME instead of calling 'gpg' directly. GPGME
+offers a stable, backend-independent interface for many cryptographic
+operations. It supports OpenPGP and S/MIME, and also allows interaction
+with various GnuPG components.
+
+ GPGME provides a C-API, and comes with bindings for C++, Qt, and
+Python. Bindings for other languages are available.
+
+
+File: gnupg.info, Node: Ephemeral home directories, Next: The quick key manipulation interface, Prev: Programmatic use of GnuPG, Up: Unattended Usage of GPG
+
+4.5.2 Ephemeral home directories
+--------------------------------
+
+Sometimes you want to contain effects of some operation, for example you
+want to import a key to inspect it, but you do not want this key to be
+added to your keyring. In earlier versions of GnuPG, it was possible to
+specify alternate keyring files for both public and secret keys. In
+modern GnuPG versions, however, we changed how secret keys are stored in
+order to better protect secret key material, and it was not possible to
+preserve this interface.
+
+ The preferred way to do this is to use ephemeral home directories.
+This technique works across all versions of GnuPG.
+
+ Create a temporary directory, create (or copy) a configuration that
+meets your needs, make 'gpg' use this directory either using the
+environment variable GNUPGHOME, or the option '--homedir'. GPGME
+supports this too on a per-context basis, by modifying the engine info
+of contexts. Now execute whatever operation you like, import and export
+key material as necessary. Once finished, you can delete the directory.
+All GnuPG backend services that were started will detect this and shut
+down.
+
+
+File: gnupg.info, Node: The quick key manipulation interface, Next: Unattended GPG key generation, Prev: Ephemeral home directories, Up: Unattended Usage of GPG
+
+4.5.3 The quick key manipulation interface
+------------------------------------------
+
+Recent versions of GnuPG have an interface to manipulate keys without
+using the interactive command '--edit-key'. This interface was added
+mainly for the benefit of GPGME (please consider using GPGME, see the
+manual subsection "Programmatic use of GnuPG"). This interface is
+described in the subsection "How to manage your keys".
+
+
+File: gnupg.info, Node: Unattended GPG key generation, Prev: The quick key manipulation interface, Up: Unattended Usage of GPG
+
+4.5.4 Unattended key generation
+-------------------------------
+
+The command '--generate-key' may be used along with the option '--batch'
+for unattended key generation. This is the most flexible way of
+generating keys, but it is also the most complex one. Consider using
+the quick key manipulation interface described in the previous
+subsection "The quick key manipulation interface".
+
+ The parameters for the key are either read from stdin or given as a
+file on the command line. The format of the parameter file is as
+follows:
+
+ * Text only, line length is limited to about 1000 characters.
+ * UTF-8 encoding must be used to specify non-ASCII characters.
+ * Empty lines are ignored.
+ * Leading and trailing white space is ignored.
+ * A hash sign as the first non white space character indicates a
+ comment line.
+ * Control statements are indicated by a leading percent sign, the
+ arguments are separated by white space from the keyword.
+ * Parameters are specified by a keyword, followed by a colon.
+ Arguments are separated by white space.
+ * The first parameter must be 'Key-Type'; control statements may be
+ placed anywhere.
+ * The order of the parameters does not matter except for 'Key-Type'
+ which must be the first parameter. The parameters are only used
+ for the generated keyblock (primary and subkeys); parameters from
+ previous sets are not used. Some syntactically checks may be
+ performed.
+ * Key generation takes place when either the end of the parameter
+ file is reached, the next 'Key-Type' parameter is encountered or at
+ the control statement '%commit' is encountered.
+
+Control statements:
+
+%echo TEXT
+ Print TEXT as diagnostic.
+
+%dry-run
+ Suppress actual key generation (useful for syntax checking).
+
+%commit
+ Perform the key generation. Note that an implicit commit is done
+ at the next Key-Type parameter.
+
+%pubring FILENAME
+ Do not write the key to the default or commandline given keyring
+ but to FILENAME. This must be given before the first commit to
+ take place, duplicate specification of the same filename is
+ ignored, the last filename before a commit is used. The filename
+ is used until a new filename is used (at commit points) and all
+ keys are written to that file. If a new filename is given, this
+ file is created (and overwrites an existing one).
+
+ See the previous subsection "Ephemeral home directories" for a more
+ robust way to contain side-effects.
+
+%secring FILENAME
+ This option is a no-op for GnuPG 2.1 and later.
+
+ See the previous subsection "Ephemeral home directories".
+
+%ask-passphrase
+%no-ask-passphrase
+ This option is a no-op for GnuPG 2.1 and later.
+
+%no-protection
+ Using this option allows the creation of keys without any
+ passphrase protection. This option is mainly intended for
+ regression tests.
+
+%transient-key
+ If given the keys are created using a faster and a somewhat less
+ secure random number generator. This option may be used for keys
+ which are only used for a short time and do not require full
+ cryptographic strength. It takes only effect if used together with
+ the control statement '%no-protection'.
+
+General Parameters:
+
+Key-Type: ALGO
+ Starts a new parameter block by giving the type of the primary key.
+ The algorithm must be capable of signing. This is a required
+ parameter. ALGO may either be an OpenPGP algorithm number or a
+ string with the algorithm name. The special value 'default' may be
+ used for ALGO to create the default key type; in this case a
+ 'Key-Usage' shall not be given and 'default' also be used for
+ 'Subkey-Type'.
+
+Key-Length: NBITS
+ The requested length of the generated key in bits. The default is
+ returned by running the command 'gpg --gpgconf-list'. For ECC keys
+ this parameter is ignored.
+
+Key-Curve: CURVE
+ The requested elliptic curve of the generated key. This is a
+ required parameter for ECC keys. It is ignored for non-ECC keys.
+
+Key-Grip: HEXSTRING
+ This is optional and used to generate a CSR or certificate for an
+ already existing key. Key-Length will be ignored when given.
+
+Key-Usage: USAGE-LIST
+ Space or comma delimited list of key usages. Allowed values are
+ 'encrypt', 'sign', and 'auth'. This is used to generate the key
+ flags. Please make sure that the algorithm is capable of this
+ usage. Note that OpenPGP requires that all primary keys are
+ capable of certification, so no matter what usage is given here,
+ the 'cert' flag will be on. If no 'Key-Usage' is specified and the
+ 'Key-Type' is not 'default', all allowed usages for that particular
+ algorithm are used; if it is not given but 'default' is used the
+ usage will be 'sign'.
+
+Subkey-Type: ALGO
+ This generates a secondary key (subkey). Currently only one subkey
+ can be handled. See also 'Key-Type' above.
+
+Subkey-Length: NBITS
+ Length of the secondary key (subkey) in bits. The default is
+ returned by running the command 'gpg --gpgconf-list'.
+
+Subkey-Curve: CURVE
+ Key curve for a subkey; similar to 'Key-Curve'.
+
+Subkey-Usage: USAGE-LIST
+ Key usage lists for a subkey; similar to 'Key-Usage'.
+
+Passphrase: STRING
+ If you want to specify a passphrase for the secret key, enter it
+ here. Default is to use the Pinentry dialog to ask for a
+ passphrase.
+
+Name-Real: NAME
+Name-Comment: COMMENT
+Name-Email: EMAIL
+ The three parts of a user name. Remember to use UTF-8 encoding
+ here. If you don't give any of them, no user ID is created.
+
+Expire-Date: ISO-DATE|(NUMBER[d|w|m|y])
+ Set the expiration date for the key (and the subkey). It may
+ either be entered in ISO date format (e.g. "20000815T145012") or
+ as number of days, weeks, month or years after the creation date.
+ The special notation "seconds=N" is also allowed to specify a
+ number of seconds since creation. Without a letter days are
+ assumed. Note that there is no check done on the overflow of the
+ type used by OpenPGP for timestamps. Thus you better make sure
+ that the given value make sense. Although OpenPGP works with time
+ intervals, GnuPG uses an absolute value internally and thus the
+ last year we can represent is 2105.
+
+Creation-Date: ISO-DATE
+ Set the creation date of the key as stored in the key information
+ and which is also part of the fingerprint calculation. Either a
+ date like "1986-04-26" or a full timestamp like "19860426T042640"
+ may be used. The time is considered to be UTC. The special
+ notation "seconds=N" may be used to directly specify a the number
+ of seconds since Epoch (Unix time). If it is not given the current
+ time is used.
+
+Preferences: STRING
+ Set the cipher, hash, and compression preference values for this
+ key. This expects the same type of string as the sub-command
+ 'setpref' in the '--edit-key' menu.
+
+Revoker: ALGO:FPR [sensitive]
+ Add a designated revoker to the generated key. Algo is the public
+ key algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
+ FPR is the fingerprint of the designated revoker. The optional
+ 'sensitive' flag marks the designated revoker as sensitive
+ information. Only v4 keys may be designated revokers.
+
+Keyserver: STRING
+ This is an optional parameter that specifies the preferred
+ keyserver URL for the key.
+
+Handle: STRING
+ This is an optional parameter only used with the status lines
+ KEY_CREATED and KEY_NOT_CREATED. STRING may be up to 100 characters
+ and should not contain spaces. It is useful for batch key
+ generation to associate a key parameter block with a status line.
+
+Here is an example on how to create a key in an ephemeral home
+directory:
+ $ export GNUPGHOME="$(mktemp -d)"
+ $ cat >foo <<EOF
+ %echo Generating a basic OpenPGP key
+ Key-Type: DSA
+ Key-Length: 1024
+ Subkey-Type: ELG-E
+ Subkey-Length: 1024
+ Name-Real: Joe Tester
+ Name-Comment: with stupid passphrase
+ Name-Email: joe@foo.bar
+ Expire-Date: 0
+ Passphrase: abc
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+ EOF
+ $ gpg --batch --generate-key foo
+ [...]
+ $ gpg --list-secret-keys
+ /tmp/tmp.0NQxB74PEf/pubring.kbx
+ -------------------------------
+ sec dsa1024 2016-12-16 [SCA]
+ 768E895903FC1C44045C8CB95EEBDB71E9E849D0
+ uid [ultimate] Joe Tester (with stupid passphrase) <joe@foo.bar>
+ ssb elg1024 2016-12-16 [E]
+
+If you want to create a key with the default algorithms you would use
+these parameters:
+ %echo Generating a default key
+ Key-Type: default
+ Subkey-Type: default
+ Name-Real: Joe Tester
+ Name-Comment: with stupid passphrase
+ Name-Email: joe@foo.bar
+ Expire-Date: 0
+ Passphrase: abc
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+
+
+File: gnupg.info, Node: Invoking GPGSM, Next: Invoking SCDAEMON, Prev: Invoking GPG, Up: Top
+
+5 Invoking GPGSM
+****************
+
+'gpgsm' is a tool similar to 'gpg' to provide digital encryption and
+signing services on X.509 certificates and the CMS protocol. It is
+mainly used as a backend for S/MIME mail processing. 'gpgsm' includes a
+full featured certificate management and complies with all rules defined
+for the German Sphinx project.
+
+ *Note Option Index::, for an index to 'GPGSM''s commands and options.
+
+* Menu:
+
+* GPGSM Commands:: List of all commands.
+* GPGSM Options:: List of all options.
+* GPGSM Configuration:: Configuration files.
+* GPGSM Examples:: Some usage examples.
+
+Developer information:
+* Unattended Usage:: Using 'gpgsm' from other programs.
+* GPGSM Protocol:: The protocol the server mode uses.
+
+
+File: gnupg.info, Node: GPGSM Commands, Next: GPGSM Options, Up: Invoking GPGSM
+
+5.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+* Menu:
+
+* General GPGSM Commands:: Commands not specific to the functionality.
+* Operational GPGSM Commands:: Commands to select the type of operation.
+* Certificate Management:: How to manage certificates.
+
+
+File: gnupg.info, Node: General GPGSM Commands, Next: Operational GPGSM Commands, Up: GPGSM Commands
+
+5.1.1 Commands not specific to the function
+-------------------------------------------
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--warranty'
+ Print warranty information. Note that you cannot abbreviate this
+ command.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+
+File: gnupg.info, Node: Operational GPGSM Commands, Next: Certificate Management, Prev: General GPGSM Commands, Up: GPGSM Commands
+
+5.1.2 Commands to select the type of operation
+----------------------------------------------
+
+'--encrypt'
+ Perform an encryption. The keys the data is encrypted to must be
+ set using the option '--recipient'.
+
+'--decrypt'
+ Perform a decryption; the type of input is automatically
+ determined. It may either be in binary form or PEM encoded;
+ automatic determination of base-64 encoding is not done.
+
+'--sign'
+ Create a digital signature. The key used is either the fist one
+ found in the keybox or those set with the '--local-user' option.
+
+'--verify'
+ Check a signature file for validity. Depending on the arguments a
+ detached signature may also be checked.
+
+'--server'
+ Run in server mode and wait for commands on the 'stdin'.
+
+'--call-dirmngr COMMAND [ARGS]'
+ Behave as a Dirmngr client issuing the request COMMAND with the
+ optional list of ARGS. The output of the Dirmngr is printed
+ stdout. Please note that file names given as arguments should have
+ an absolute file name (i.e. commencing with '/') because they are
+ passed verbatim to the Dirmngr and the working directory of the
+ Dirmngr might not be the same as the one of this client. Currently
+ it is not possible to pass data via stdin to the Dirmngr. COMMAND
+ should not contain spaces.
+
+ This is command is required for certain maintaining tasks of the
+ dirmngr where a dirmngr must be able to call back to 'gpgsm'. See
+ the Dirmngr manual for details.
+
+'--call-protect-tool ARGUMENTS'
+ Certain maintenance operations are done by an external program call
+ 'gpg-protect-tool'; this is usually not installed in a directory
+ listed in the PATH variable. This command provides a simple
+ wrapper to access this tool. ARGUMENTS are passed verbatim to this
+ command; use '--help' to get a list of supported operations.
+
+
+File: gnupg.info, Node: Certificate Management, Prev: Operational GPGSM Commands, Up: GPGSM Commands
+
+5.1.3 How to manage the certificates and keys
+---------------------------------------------
+
+'--generate-key'
+'--gen-key'
+ This command allows the creation of a certificate signing request
+ or a self-signed certificate. It is commonly used along with the
+ '--output' option to save the created CSR or certificate into a
+ file. If used with the '--batch' a parameter file is used to
+ create the CSR or certificate and it is further possible to create
+ non-self-signed certificates.
+
+'--list-keys'
+'-k'
+ List all available certificates stored in the local key database.
+ Note that the displayed data might be reformatted for better human
+ readability and illegal characters are replaced by safe
+ substitutes.
+
+'--list-secret-keys'
+'-K'
+ List all available certificates for which a corresponding a secret
+ key is available.
+
+'--list-external-keys PATTERN'
+ List certificates matching PATTERN using an external server. This
+ utilizes the 'dirmngr' service.
+
+'--list-chain'
+ Same as '--list-keys' but also prints all keys making up the chain.
+
+'--dump-cert'
+'--dump-keys'
+ List all available certificates stored in the local key database
+ using a format useful mainly for debugging.
+
+'--dump-chain'
+ Same as '--dump-keys' but also prints all keys making up the chain.
+
+'--dump-secret-keys'
+ List all available certificates for which a corresponding a secret
+ key is available using a format useful mainly for debugging.
+
+'--dump-external-keys PATTERN'
+ List certificates matching PATTERN using an external server. This
+ utilizes the 'dirmngr' service. It uses a format useful mainly for
+ debugging.
+
+'--keydb-clear-some-cert-flags'
+ This is a debugging aid to reset certain flags in the key database
+ which are used to cache certain certificate stati. It is
+ especially useful if a bad CRL or a weird running OCSP responder
+ did accidentally revoke certificate. There is no security issue
+ with this command because 'gpgsm' always make sure that the
+ validity of a certificate is checked right before it is used.
+
+'--delete-keys PATTERN'
+ Delete the keys matching PATTERN. Note that there is no command to
+ delete the secret part of the key directly. In case you need to do
+ this, you should run the command 'gpgsm --dump-secret-keys KEYID'
+ before you delete the key, copy the string of hex-digits in the
+ "keygrip" line and delete the file consisting of these hex-digits
+ and the suffix '.key' from the 'private-keys-v1.d' directory below
+ our GnuPG home directory (usually '~/.gnupg').
+
+'--export [PATTERN]'
+ Export all certificates stored in the Keybox or those specified by
+ the optional PATTERN. Those pattern consist of a list of user ids
+ (*note how-to-specify-a-user-id::). When used along with the
+ '--armor' option a few informational lines are prepended before
+ each block. There is one limitation: As there is no commonly
+ agreed upon way to pack more than one certificate into an ASN.1
+ structure, the binary export (i.e. without using 'armor') works
+ only for the export of one certificate. Thus it is required to
+ specify a PATTERN which yields exactly one certificate. Ephemeral
+ certificate are only exported if all PATTERN are given as
+ fingerprints or keygrips.
+
+'--export-secret-key-p12 KEY-ID'
+ Export the private key and the certificate identified by KEY-ID
+ using the PKCS#12 format. When used with the '--armor' option a
+ few informational lines are prepended to the output. Note, that
+ the PKCS#12 format is not very secure and proper transport security
+ should be used to convey the exported key. (*Note option
+ --p12-charset::.)
+
+'--export-secret-key-p8 KEY-ID'
+'--export-secret-key-raw KEY-ID'
+ Export the private key of the certificate identified by KEY-ID with
+ any encryption stripped. The '...-raw' command exports in PKCS#1
+ format; the '...-p8' command exports in PKCS#8 format. When used
+ with the '--armor' option a few informational lines are prepended
+ to the output. These commands are useful to prepare a key for use
+ on a TLS server.
+
+'--import [FILES]'
+ Import the certificates from the PEM or binary encoded files as
+ well as from signed-only messages. This command may also be used
+ to import a secret key from a PKCS#12 file.
+
+'--learn-card'
+ Read information about the private keys from the smartcard and
+ import the certificates from there. This command utilizes the
+ 'gpg-agent' and in turn the 'scdaemon'.
+
+'--change-passphrase USER_ID'
+'--passwd USER_ID'
+ Change the passphrase of the private key belonging to the
+ certificate specified as USER_ID. Note, that changing the
+ passphrase/PIN of a smartcard is not yet supported.
+
+
+File: gnupg.info, Node: GPGSM Options, Next: GPGSM Configuration, Prev: GPGSM Commands, Up: Invoking GPGSM
+
+5.2 Option Summary
+==================
+
+'GPGSM' features a bunch of options to control the exact behaviour and
+to change the default configuration.
+
+* Menu:
+
+* Configuration Options:: How to change the configuration.
+* Certificate Options:: Certificate related options.
+* Input and Output:: Input and Output.
+* CMS Options:: How to change how the CMS is created.
+* Esoteric Options:: Doing things one usually do not want to do.
+
+
+File: gnupg.info, Node: Configuration Options, Next: Certificate Options, Up: GPGSM Options
+
+5.2.1 How to change the configuration
+-------------------------------------
+
+These options are used to change the configuration and are usually found
+in the option file.
+
+'--options FILE'
+ Reads configuration from FILE instead of from the default per-user
+ configuration file. The default configuration file is named
+ 'gpgsm.conf' and expected in the '.gnupg' directory directly below
+ the home directory of the user.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to 'gpgsm', such as
+ '-vv'.
+
+'--keyserver STRING'
+ This is a deprecated option. It was used to add an LDAP server to
+ use for X.509 certificate and CRL lookup. The alias '--ldapserver'
+ existed from version 2.2.28 to 2.2.33 but is now entirely ignored.
+
+ LDAP servers must be given in the configuration for 'dirmngr'.
+
+'--policy-file FILENAME'
+ Change the default name of the policy file to FILENAME.
+
+'--agent-program FILE'
+ Specify an agent program to be used for secret key operations. The
+ default value is determined by running the command 'gpgconf'. Note
+ that the pipe symbol ('|') is used for a regression test suite hack
+ and may thus not be used in the file name.
+
+'--dirmngr-program FILE'
+ Specify a dirmngr program to be used for CRL checks. The default
+ value is '/usr/local/bin/dirmngr'.
+
+'--prefer-system-dirmngr'
+ This option is obsolete and ignored.
+
+'--disable-dirmngr'
+ Entirely disable the use of the Dirmngr.
+
+'--no-autostart'
+ Do not start the gpg-agent or the dirmngr if it has not yet been
+ started and its service is required. This option is mostly useful
+ on machines where the connection to gpg-agent has been redirected
+ to another machines. If dirmngr is required on the remote machine,
+ it may be started manually using 'gpgconf --launch dirmngr'.
+
+'--no-secmem-warning'
+ Do not print a warning when the so called "secure memory" cannot be
+ used.
+
+'--log-file FILE'
+ When running in server mode, append all logging output to FILE.
+ Use 'socket://' to log to socket.
+
+
+File: gnupg.info, Node: Certificate Options, Next: Input and Output, Prev: Configuration Options, Up: GPGSM Options
+
+5.2.2 Certificate related options
+---------------------------------
+
+'--enable-policy-checks'
+'--disable-policy-checks'
+ By default policy checks are enabled. These options may be used to
+ change it.
+
+'--enable-crl-checks'
+'--disable-crl-checks'
+ By default the CRL checks are enabled and the DirMngr is used to
+ check for revoked certificates. The disable option is most useful
+ with an off-line network connection to suppress this check and also
+ to avoid that new certificates introduce a web bug by including a
+ certificate specific CRL DP. The disable option also disables an
+ issuer certificate lookup via the authorityInfoAccess property of
+ the certificate; the '--enable-issuer-key-retrieve' can be used to
+ make use of that property anyway.
+
+'--enable-trusted-cert-crl-check'
+'--disable-trusted-cert-crl-check'
+ By default the CRL for trusted root certificates are checked like
+ for any other certificates. This allows a CA to revoke its own
+ certificates voluntary without the need of putting all ever issued
+ certificates into a CRL. The disable option may be used to switch
+ this extra check off. Due to the caching done by the Dirmngr,
+ there will not be any noticeable performance gain. Note, that this
+ also disables possible OCSP checks for trusted root certificates.
+ A more specific way of disabling this check is by adding the
+ "relax" keyword to the root CA line of the 'trustlist.txt'
+
+'--force-crl-refresh'
+ Tell the dirmngr to reload the CRL for each request. For better
+ performance, the dirmngr will actually optimize this by suppressing
+ the loading for short time intervals (e.g. 30 minutes). This
+ option is useful to make sure that a fresh CRL is available for
+ certificates hold in the keybox. The suggested way of doing this
+ is by using it along with the option '--with-validation' for a key
+ listing command. This option should not be used in a configuration
+ file.
+
+'--enable-issuer-based-crl-check'
+ Run a CRL check even for certificates which do not have any CRL
+ distribution point. This requires that a suitable LDAP server has
+ been configured in Dirmngr and that the CRL can be found using the
+ issuer. This option reverts to what GnuPG did up to version
+ 2.2.20. This option is in general not useful.
+
+'--enable-ocsp'
+'--disable-ocsp'
+ By default OCSP checks are disabled. The enable option may be used
+ to enable OCSP checks via Dirmngr. If CRL checks are also enabled,
+ CRLs will be used as a fallback if for some reason an OCSP request
+ will not succeed. Note, that you have to allow OCSP requests in
+ Dirmngr's configuration too (option '--allow-ocsp') and configure
+ Dirmngr properly. If you do not do so you will get the error code
+ 'Not supported'.
+
+'--auto-issuer-key-retrieve'
+ If a required certificate is missing while validating the chain of
+ certificates, try to load that certificate from an external
+ location. This usually means that Dirmngr is employed to search
+ for the certificate. Note that this option makes a "web bug" like
+ behavior possible. LDAP server operators can see which keys you
+ request, so by sending you a message signed by a brand new key
+ (which you naturally will not have on your local keybox), the
+ operator can tell both your IP address and the time when you
+ verified the signature.
+
+'--validation-model NAME'
+ This option changes the default validation model. The only
+ possible values are "shell" (which is the default), "chain" which
+ forces the use of the chain model and "steed" for a new simplified
+ model. The chain model is also used if an option in the
+ 'trustlist.txt' or an attribute of the certificate requests it.
+ However the standard model (shell) is in that case always tried
+ first.
+
+'--ignore-cert-extension OID'
+ Add OID to the list of ignored certificate extensions. The OID is
+ expected to be in dotted decimal form, like '2.5.29.3'. This
+ option may be used more than once. Critical flagged certificate
+ extensions matching one of the OIDs in the list are treated as if
+ they are actually handled and thus the certificate will not be
+ rejected due to an unknown critical extension. Use this option
+ with care because extensions are usually flagged as critical for a
+ reason.
+
+
+File: gnupg.info, Node: Input and Output, Next: CMS Options, Prev: Certificate Options, Up: GPGSM Options
+
+5.2.3 Input and Output
+----------------------
+
+'--armor'
+'-a'
+ Create PEM encoded output. Default is binary output.
+
+'--base64'
+ Create Base-64 encoded output; i.e. PEM without the header lines.
+
+'--assume-armor'
+ Assume the input data is PEM encoded. Default is to autodetect the
+ encoding but this is may fail.
+
+'--assume-base64'
+ Assume the input data is plain base-64 encoded.
+
+'--assume-binary'
+ Assume the input data is binary encoded.
+
+'--p12-charset NAME'
+ 'gpgsm' uses the UTF-8 encoding when encoding passphrases for
+ PKCS#12 files. This option may be used to force the passphrase to
+ be encoded in the specified encoding NAME. This is useful if the
+ application used to import the key uses a different encoding and
+ thus will not be able to import a file generated by 'gpgsm'.
+ Commonly used values for NAME are 'Latin1' and 'CP850'. Note that
+ 'gpgsm' itself automagically imports any file with a passphrase
+ encoded to the most commonly used encodings.
+
+'--default-key USER_ID'
+ Use USER_ID as the standard key for signing. This key is used if
+ no other key has been defined as a signing key. Note, that the
+ first '--local-users' option also sets this key if it has not yet
+ been set; however '--default-key' always overrides this.
+
+'--local-user USER_ID'
+'-u USER_ID'
+ Set the user(s) to be used for signing. The default is the first
+ secret key found in the database.
+
+'--recipient NAME'
+'-r'
+ Encrypt to the user id NAME. There are several ways a user id may
+ be given (*note how-to-specify-a-user-id::).
+
+'--output FILE'
+'-o FILE'
+ Write output to FILE. The default is to write it to stdout.
+
+'--with-key-data'
+ Displays extra information with the '--list-keys' commands.
+ Especially a line tagged 'grp' is printed which tells you the
+ keygrip of a key. This string is for example used as the file name
+ of the secret key. Implies '--with-colons'.
+
+'--with-validation'
+ When doing a key listing, do a full validation check for each key
+ and print the result. This is usually a slow operation because it
+ requires a CRL lookup and other operations.
+
+ When used along with '--import', a validation of the certificate to
+ import is done and only imported if it succeeds the test. Note
+ that this does not affect an already available certificate in the
+ DB. This option is therefore useful to simply verify a certificate.
+
+'--with-md5-fingerprint'
+ For standard key listings, also print the MD5 fingerprint of the
+ certificate.
+
+'--with-keygrip'
+ Include the keygrip in standard key listings. Note that the
+ keygrip is always listed in '--with-colons' mode.
+
+'--with-secret'
+ Include info about the presence of a secret key in public key
+ listings done with '--with-colons'.
+
+
+File: gnupg.info, Node: CMS Options, Next: Esoteric Options, Prev: Input and Output, Up: GPGSM Options
+
+5.2.4 How to change how the CMS is created
+------------------------------------------
+
+'--include-certs N'
+ Using N of -2 includes all certificate except for the root cert, -1
+ includes all certs, 0 does not include any certs, 1 includes only
+ the signers cert and all other positive values include up to N
+ certificates starting with the signer cert. The default is -2.
+
+'--cipher-algo OID'
+ Use the cipher algorithm with the ASN.1 object identifier OID for
+ encryption. For convenience the strings '3DES', 'AES' and 'AES256'
+ may be used instead of their OIDs. The default is 'AES'
+ (2.16.840.1.101.3.4.1.2).
+
+'--digest-algo name'
+ Use 'name' as the message digest algorithm. Usually this algorithm
+ is deduced from the respective signing certificate. This option
+ forces the use of the given algorithm and may lead to severe
+ interoperability problems.
+
+
+File: gnupg.info, Node: Esoteric Options, Prev: CMS Options, Up: GPGSM Options
+
+5.2.5 Doing things one usually do not want to do
+------------------------------------------------
+
+'--extra-digest-algo NAME'
+ Sometimes signatures are broken in that they announce a different
+ digest algorithm than actually used. 'gpgsm' uses a one-pass data
+ processing model and thus needs to rely on the announced digest
+ algorithms to properly hash the data. As a workaround this option
+ may be used to tell 'gpgsm' to also hash the data using the
+ algorithm NAME; this slows processing down a little bit but allows
+ verification of such broken signatures. If 'gpgsm' prints an error
+ like "digest algo 8 has not been enabled" you may want to try this
+ option, with 'SHA256' for NAME.
+
+'--compliance STRING'
+ Set the compliance mode. Valid values are shown when using "help"
+ for STRING.
+
+'--min-rsa-length N'
+ This option adjusts the compliance mode "de-vs" for stricter key
+ size requirements. For example, a value of 3000 turns rsa2048 and
+ dsa2048 keys into non-VS-NfD compliant keys.
+
+'--require-compliance'
+ To check that data has been encrypted according to the rules of the
+ current compliance mode, a gpgsm user needs to evaluate the status
+ lines. This is allows frontends to handle compliance check in a
+ more flexible way. However, for scripted use the required
+ evaluation of the status-line requires quite some effort; this
+ option can be used instead to make sure that the gpgsm process
+ exits with a failure if the compliance rules are not fulfilled.
+ Note that this option has currently an effect only in "de-vs" mode.
+
+'--ignore-cert-with-oid OID'
+ Add OID to the list of OIDs to be checked while reading
+ certificates from smartcards. The OID is expected to be in dotted
+ decimal form, like '2.5.29.3'. This option may be used more than
+ once. As of now certificates with an extended key usage matching
+ one of those OIDs are ignored during a '--learn-card' operation and
+ not imported. This option can help to keep the local key database
+ clear of unneeded certificates stored on smartcards.
+
+'--faked-system-time EPOCH'
+ This option is only useful for testing; it sets the system time
+ back or forth to EPOCH which is the number of seconds elapsed since
+ the year 1970. Alternatively EPOCH may be given as a full ISO time
+ string (e.g. "20070924T154812").
+
+'--with-ephemeral-keys'
+ Include ephemeral flagged keys in the output of key listings. Note
+ that they are included anyway if the key specification for a
+ listing is given as fingerprint or keygrip.
+
+'--compatibility-flags FLAGS'
+ Set compatibility flags to work around problems due to
+ non-compliant certificates or data. The FLAGS are given as a comma
+ separated list of flag names and are OR-ed together. The special
+ flag "none" clears the list and allows to start over with an empty
+ list. To get a list of available flags the sole word "help" can be
+ used.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or by a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+'--debug FLAGS'
+ This option is only useful for debugging and the behaviour may
+ change at any time without notice; using '--debug-levels' is the
+ preferred method to select the debug verbosity. FLAGS are bit
+ encoded and may be given in usual C-Syntax. The currently defined
+ bits are:
+
+ '0 (1)'
+ X.509 or OpenPGP protocol related data
+ '1 (2)'
+ values of big number integers
+ '2 (4)'
+ low level crypto operations
+ '5 (32)'
+ memory allocation
+ '6 (64)'
+ caching
+ '7 (128)'
+ show memory statistics
+ '9 (512)'
+ write hashed data to files named 'dbgmd-000*'
+ '10 (1024)'
+ trace Assuan protocol
+
+ Note, that all flags set using this option may get overridden by
+ '--debug-level'.
+
+'--debug-all'
+ Same as '--debug=0xffffffff'
+
+'--debug-allow-core-dump'
+ Usually 'gpgsm' tries to avoid dumping core by well written code
+ and by disabling core dumps for security reasons. However, bugs
+ are pretty durable beasts and to squash them it is sometimes useful
+ to have a core dump. This option enables core dumps unless the Bad
+ Thing happened before the option parsing.
+
+'--debug-no-chain-validation'
+ This is actually not a debugging option but only useful as such.
+ It lets 'gpgsm' bypass all certificate chain validation checks.
+
+'--debug-ignore-expiration'
+ This is actually not a debugging option but only useful as such.
+ It lets 'gpgsm' ignore all notAfter dates, this is used by the
+ regression tests.
+
+'--passphrase-fd n'
+ Read the passphrase from file descriptor 'n'. Only the first line
+ will be read from file descriptor 'n'. If you use 0 for 'n', the
+ passphrase will be read from STDIN. This can only be used if only
+ one passphrase is supplied.
+
+ Note that this passphrase is only used if the option '--batch' has
+ also been given.
+
+'--pinentry-mode mode'
+ Set the pinentry mode to 'mode'. Allowed values for 'mode' are:
+ default
+ Use the default of the agent, which is 'ask'.
+ ask
+ Force the use of the Pinentry.
+ cancel
+ Emulate use of Pinentry's cancel button.
+ error
+ Return a Pinentry error ("No Pinentry").
+ loopback
+ Redirect Pinentry queries to the caller. Note that in
+ contrast to Pinentry the user is not prompted again if he
+ enters a bad password.
+
+'--request-origin ORIGIN'
+ Tell gpgsm to assume that the operation ultimately originated at
+ ORIGIN. Depending on the origin certain restrictions are applied
+ and the Pinentry may include an extra note on the origin.
+ Supported values for ORIGIN are: 'local' which is the default,
+ 'remote' to indicate a remote origin or 'browser' for an operation
+ requested by a web browser.
+
+'--no-common-certs-import'
+ Suppress the import of common certificates on keybox creation.
+
+ All the long options may also be given in the configuration file
+after stripping off the two leading dashes.
+
+
+File: gnupg.info, Node: GPGSM Configuration, Next: GPGSM Examples, Prev: GPGSM Options, Up: Invoking GPGSM
+
+5.3 Configuration files
+=======================
+
+There are a few configuration files to control certain aspects of
+'gpgsm''s operation. Unless noted, they are expected in the current
+home directory (*note option --homedir::).
+
+'gpgsm.conf'
+ This is the standard configuration file read by 'gpgsm' on startup.
+ It may contain any valid long option; the leading two dashes may
+ not be entered and the option may not be abbreviated. This default
+ name may be changed on the command line (*note gpgsm-option
+ --options::). You should backup this file.
+
+'policies.txt'
+ This is a list of allowed CA policies. This file should list the
+ object identifiers of the policies line by line. Empty lines and
+ lines starting with a hash mark are ignored. Policies missing in
+ this file and not marked as critical in the certificate will print
+ only a warning; certificates with policies marked as critical and
+ not listed in this file will fail the signature verification. You
+ should backup this file.
+
+ For example, to allow only the policy 2.289.9.9, the file should
+ look like this:
+
+ # Allowed policies
+ 2.289.9.9
+
+'qualified.txt'
+ This is the list of root certificates used for qualified
+ certificates. They are defined as certificates capable of creating
+ legally binding signatures in the same way as handwritten
+ signatures are. Comments start with a hash mark and empty lines
+ are ignored. Lines do have a length limit but this is not a
+ serious limitation as the format of the entries is fixed and
+ checked by 'gpgsm': A non-comment line starts with optional
+ whitespace, followed by exactly 40 hex characters, white space and
+ a lowercased 2 letter country code. Additional data delimited with
+ by a white space is current ignored but might late be used for
+ other purposes.
+
+ Note that even if a certificate is listed in this file, this does
+ not mean that the certificate is trusted; in general the
+ certificates listed in this file need to be listed also in
+ 'trustlist.txt'.
+
+ This is a global file an installed in the data directory (e.g.
+ '/usr/local/share/gnupg/qualified.txt'). GnuPG installs a suitable
+ file with root certificates as used in Germany. As new Root-CA
+ certificates may be issued over time, these entries may need to be
+ updated; new distributions of this software should come with an
+ updated list but it is still the responsibility of the
+ Administrator to check that this list is correct.
+
+ Every time 'gpgsm' uses a certificate for signing or verification
+ this file will be consulted to check whether the certificate under
+ question has ultimately been issued by one of these CAs. If this
+ is the case the user will be informed that the verified signature
+ represents a legally binding ("qualified") signature. When
+ creating a signature using such a certificate an extra prompt will
+ be issued to let the user confirm that such a legally binding
+ signature shall really be created.
+
+ Because this software has not yet been approved for use with such
+ certificates, appropriate notices will be shown to indicate this
+ fact.
+
+'help.txt'
+ This is plain text file with a few help entries used with
+ 'pinentry' as well as a large list of help items for 'gpg' and
+ 'gpgsm'. The standard file has English help texts; to install
+ localized versions use filenames like 'help.LL.txt' with LL
+ denoting the locale. GnuPG comes with a set of predefined help
+ files in the data directory (e.g.
+ '/usr/local/share/gnupg/gnupg/help.de.txt') and allows overriding
+ of any help item by help files stored in the system configuration
+ directory (e.g. '/etc/gnupg/help.de.txt'). For a reference of the
+ help file's syntax, please see the installed 'help.txt' file.
+
+'com-certs.pem'
+ This file is a collection of common certificates used to populated
+ a newly created 'pubring.kbx'. An administrator may replace this
+ file with a custom one. The format is a concatenation of PEM
+ encoded X.509 certificates. This global file is installed in the
+ data directory (e.g. '/usr/local/share/gnupg/com-certs.pem').
+
+ Note that on larger installations, it is useful to put predefined
+files into the directory '/etc/skel/.gnupg/' so that newly created users
+start up with a working configuration. For existing users a small
+helper script is provided to create these files (*note addgnupghome::).
+
+ For internal purposes 'gpgsm' creates and maintains a few other
+files; they all live in the current home directory (*note option
+--homedir::). Only 'gpgsm' may modify these files.
+
+'pubring.kbx'
+ This a database file storing the certificates as well as meta
+ information. For debugging purposes the tool 'kbxutil' may be used
+ to show the internal structure of this file. You should backup
+ this file.
+
+'random_seed'
+ This content of this file is used to maintain the internal state of
+ the random number generator across invocations. The same file is
+ used by other programs of this software too.
+
+'S.gpg-agent'
+ If this file exists 'gpgsm' will first try to connect to this
+ socket for accessing 'gpg-agent' before starting a new 'gpg-agent'
+ instance. Under Windows this socket (which in reality be a plain
+ file describing a regular TCP listening port) is the standard way
+ of connecting the 'gpg-agent'.
+
+
+File: gnupg.info, Node: GPGSM Examples, Next: Unattended Usage, Prev: GPGSM Configuration, Up: Invoking GPGSM
+
+5.4 Examples
+============
+
+ $ gpgsm -er goo@bar.net <plaintext >ciphertext
+
+
+File: gnupg.info, Node: Unattended Usage, Next: GPGSM Protocol, Prev: GPGSM Examples, Up: Invoking GPGSM
+
+5.5 Unattended Usage
+====================
+
+'gpgsm' is often used as a backend engine by other software. To help
+with this a machine interface has been defined to have an unambiguous
+way to do this. This is most likely used with the '--server' command
+but may also be used in the standard operation mode by using the
+'--status-fd' option.
+
+* Menu:
+
+* Automated signature checking:: Automated signature checking.
+* CSR and certificate creation:: CSR and certificate creation.
+
+
+File: gnupg.info, Node: Automated signature checking, Next: CSR and certificate creation, Up: Unattended Usage
+
+5.5.1 Automated signature checking
+----------------------------------
+
+It is very important to understand the semantics used with signature
+verification. Checking a signature is not as simple as it may sound and
+so the operation is a bit complicated. In most cases it is required to
+look at several status lines. Here is a table of all cases a signed
+message may have:
+
+The signature is valid
+ This does mean that the signature has been successfully verified,
+ the certificates are all sane. However there are two subcases with
+ important information: One of the certificates may have expired or
+ a signature of a message itself as expired. It is a sound practise
+ to consider such a signature still as valid but additional
+ information should be displayed. Depending on the subcase 'gpgsm'
+ will issue these status codes:
+ signature valid and nothing did expire
+ 'GOODSIG', 'VALIDSIG', 'TRUST_FULLY'
+ signature valid but at least one certificate has expired
+ 'EXPKEYSIG', 'VALIDSIG', 'TRUST_FULLY'
+ signature valid but expired
+ 'EXPSIG', 'VALIDSIG', 'TRUST_FULLY' Note, that this case is
+ currently not implemented.
+
+The signature is invalid
+ This means that the signature verification failed (this is an
+ indication of a transfer error, a program error or tampering with
+ the message). 'gpgsm' issues one of these status codes sequences:
+ 'BADSIG'
+ 'GOODSIG, VALIDSIG TRUST_NEVER'
+
+Error verifying a signature
+ For some reason the signature could not be verified, i.e. it
+ cannot be decided whether the signature is valid or invalid. A
+ common reason for this is a missing certificate.
+
+
+File: gnupg.info, Node: CSR and certificate creation, Prev: Automated signature checking, Up: Unattended Usage
+
+5.5.2 CSR and certificate creation
+----------------------------------
+
+The command '--generate-key' may be used along with the option '--batch'
+to either create a certificate signing request (CSR) or an X.509
+certificate. This is controlled by a parameter file; the format of this
+file is as follows:
+
+ * Text only, line length is limited to about 1000 characters.
+ * UTF-8 encoding must be used to specify non-ASCII characters.
+ * Empty lines are ignored.
+ * Leading and trailing while space is ignored.
+ * A hash sign as the first non white space character indicates a
+ comment line.
+ * Control statements are indicated by a leading percent sign, the
+ arguments are separated by white space from the keyword.
+ * Parameters are specified by a keyword, followed by a colon.
+ Arguments are separated by white space.
+ * The first parameter must be 'Key-Type', control statements may be
+ placed anywhere.
+ * The order of the parameters does not matter except for 'Key-Type'
+ which must be the first parameter. The parameters are only used
+ for the generated CSR/certificate; parameters from previous sets
+ are not used. Some syntactically checks may be performed.
+ * Key generation takes place when either the end of the parameter
+ file is reached, the next 'Key-Type' parameter is encountered or at
+ the control statement '%commit' is encountered.
+
+Control statements:
+
+%echo TEXT
+ Print TEXT as diagnostic.
+
+%dry-run
+ Suppress actual key generation (useful for syntax checking).
+
+%commit
+ Perform the key generation. Note that an implicit commit is done
+ at the next Key-Type parameter.
+
+General Parameters:
+
+Key-Type: ALGO
+ Starts a new parameter block by giving the type of the primary key.
+ The algorithm must be capable of signing. This is a required
+ parameter. The only supported value for ALGO is 'rsa'.
+
+Key-Length: NBITS
+ The requested length of a generated key in bits. Defaults to 3072.
+
+Key-Grip: HEXSTRING
+ This is optional and used to generate a CSR or certificate for an
+ already existing key. Key-Length will be ignored when given.
+
+Key-Usage: USAGE-LIST
+ Space or comma delimited list of key usage, allowed values are
+ 'encrypt', 'sign' and 'cert'. This is used to generate the
+ keyUsage extension. Please make sure that the algorithm is capable
+ of this usage. Default is to allow encrypt and sign.
+
+Name-DN: SUBJECT-NAME
+ This is the Distinguished Name (DN) of the subject in RFC-2253
+ format.
+
+Name-Email: STRING
+ This is an email address for the altSubjectName. This parameter is
+ optional but may occur several times to add several email addresses
+ to a certificate.
+
+Name-DNS: STRING
+ The is an DNS name for the altSubjectName. This parameter is
+ optional but may occur several times to add several DNS names to a
+ certificate.
+
+Name-URI: STRING
+ This is an URI for the altSubjectName. This parameter is optional
+ but may occur several times to add several URIs to a certificate.
+
+Additional parameters used to create a certificate (in contrast to a
+certificate signing request):
+
+Serial: SN
+ If this parameter is given an X.509 certificate will be generated.
+ SN is expected to be a hex string representing an unsigned integer
+ of arbitrary length. The special value 'random' can be used to
+ create a 64 bit random serial number.
+
+Issuer-DN: ISSUER-NAME
+ This is the DN name of the issuer in RFC-2253 format. If it is not
+ set it will default to the subject DN and a special GnuPG extension
+ will be included in the certificate to mark it as a standalone
+ certificate.
+
+Creation-Date: ISO-DATE
+Not-Before: ISO-DATE
+ Set the notBefore date of the certificate. Either a date like
+ '1986-04-26' or '1986-04-26 12:00' or a standard ISO timestamp like
+ '19860426T042640' may be used. The time is considered to be UTC.
+ If it is not given the current date is used.
+
+Expire-Date: ISO-DATE
+Not-After: ISO-DATE
+ Set the notAfter date of the certificate. Either a date like
+ '2063-04-05' or '2063-04-05 17:00' or a standard ISO timestamp like
+ '20630405T170000' may be used. The time is considered to be UTC.
+ If it is not given a default value in the not too far future is
+ used.
+
+Signing-Key: KEYGRIP
+ This gives the keygrip of the key used to sign the certificate. If
+ it is not given a self-signed certificate will be created. For
+ compatibility with future versions, it is suggested to prefix the
+ keygrip with a '&'.
+
+Hash-Algo: HASH-ALGO
+ Use HASH-ALGO for this CSR or certificate. The supported hash
+ algorithms are: 'sha1', 'sha256', 'sha384' and 'sha512'; they may
+ also be specified with uppercase letters. The default is 'sha256'.
+
diff --git a/doc/gnupg.info-2 b/doc/gnupg.info-2
new file mode 100644
index 0000000..7895f56
--- /dev/null
+++ b/doc/gnupg.info-2
@@ -0,0 +1,6144 @@
+This is gnupg.info, produced by makeinfo version 6.5 from gnupg.texi.
+
+This is the 'The GNU Privacy Guard Manual' (version 2.2.40-beta3,
+October 2022).
+
+ (C) 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.
+(C) 2013, 2014, 2015 Werner Koch.
+(C) 2015, 2016, 2017 g10 Code GmbH.
+
+ Permission is granted to copy, distribute and/or modify this
+ document under the terms of the GNU General Public License as
+ published by the Free Software Foundation; either version 3 of the
+ License, or (at your option) any later version. The text of the
+ license can be found in the section entitled "Copying".
+INFO-DIR-SECTION GNU Utilities
+START-INFO-DIR-ENTRY
+* gpg2: (gnupg). OpenPGP encryption and signing tool.
+* gpgsm: (gnupg). S/MIME encryption and signing tool.
+* gpg-agent: (gnupg). The secret key daemon.
+* dirmngr: (gnupg). X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+END-INFO-DIR-ENTRY
+
+
+File: gnupg.info, Node: GPGSM Protocol, Prev: Unattended Usage, Up: Invoking GPGSM
+
+5.6 The Protocol the Server Mode Uses
+=====================================
+
+Description of the protocol used to access 'GPGSM'. 'GPGSM' does
+implement the Assuan protocol and in addition provides a regular command
+line interface which exhibits a full client to this protocol (but uses
+internal linking). To start 'gpgsm' as a server the command line the
+option '--server' must be used. Additional options are provided to
+select the communication method (i.e. the name of the socket).
+
+ We assume that the connection has already been established; see the
+Assuan manual for details.
+
+* Menu:
+
+* GPGSM ENCRYPT:: Encrypting a message.
+* GPGSM DECRYPT:: Decrypting a message.
+* GPGSM SIGN:: Signing a message.
+* GPGSM VERIFY:: Verifying a message.
+* GPGSM GENKEY:: Generating a key.
+* GPGSM LISTKEYS:: List available keys.
+* GPGSM EXPORT:: Export certificates.
+* GPGSM IMPORT:: Import certificates.
+* GPGSM DELETE:: Delete certificates.
+* GPGSM GETAUDITLOG:: Retrieve an audit log.
+* GPGSM GETINFO:: Information about the process
+* GPGSM OPTION:: Session options.
+
+
+File: gnupg.info, Node: GPGSM ENCRYPT, Next: GPGSM DECRYPT, Up: GPGSM Protocol
+
+5.6.1 Encrypting a Message
+--------------------------
+
+Before encryption can be done the recipient must be set using the
+command:
+
+ RECIPIENT USERID
+
+ Set the recipient for the encryption. USERID should be the internal
+representation of the key; the server may accept any other way of
+specification. If this is a valid and trusted recipient the server does
+respond with OK, otherwise the return is an ERR with the reason why the
+recipient cannot be used, the encryption will then not be done for this
+recipient. If the policy is not to encrypt at all if not all recipients
+are valid, the client has to take care of this. All 'RECIPIENT'
+commands are cumulative until a 'RESET' or an successful 'ENCRYPT'
+command.
+
+ INPUT FD[=N] [--armor|--base64|--binary]
+
+ Set the file descriptor for the message to be encrypted to N.
+Obviously the pipe must be open at that point, the server establishes
+its own end. If the server returns an error the client should consider
+this session failed. If N is not given, this commands uses the last
+file descriptor passed to the application. *Note the assuan_sendfd
+function: (assuan)fun-assuan_sendfd, on how to do descriptor passing.
+
+ The '--armor' option may be used to advise the server that the input
+data is in PEM format, '--base64' advises that a raw base-64 encoding is
+used, '--binary' advises of raw binary input (BER). If none of these
+options is used, the server tries to figure out the used encoding, but
+this may not always be correct.
+
+ OUTPUT FD[=N] [--armor|--base64]
+
+ Set the file descriptor to be used for the output (i.e. the
+encrypted message). Obviously the pipe must be open at that point, the
+server establishes its own end. If the server returns an error the
+client should consider this session failed.
+
+ The option '--armor' encodes the output in PEM format, the '--base64'
+option applies just a base-64 encoding. No option creates binary output
+(BER).
+
+ The actual encryption is done using the command
+
+ ENCRYPT
+
+ It takes the plaintext from the 'INPUT' command, writes to the
+ciphertext to the file descriptor set with the 'OUTPUT' command, take
+the recipients from all the recipients set so far. If this command
+fails the clients should try to delete all output currently done or
+otherwise mark it as invalid. 'GPGSM' does ensure that there will not
+be any security problem with leftover data on the output in this case.
+
+ This command should in general not fail, as all necessary checks have
+been done while setting the recipients. The input and output pipes are
+closed.
+
+
+File: gnupg.info, Node: GPGSM DECRYPT, Next: GPGSM SIGN, Prev: GPGSM ENCRYPT, Up: GPGSM Protocol
+
+5.6.2 Decrypting a message
+--------------------------
+
+Input and output FDs are set the same way as in encryption, but 'INPUT'
+refers to the ciphertext and 'OUTPUT' to the plaintext. There is no
+need to set recipients. 'GPGSM' automatically strips any S/MIME headers
+from the input, so it is valid to pass an entire MIME part to the INPUT
+pipe.
+
+ The decryption is done by using the command
+
+ DECRYPT
+
+ It performs the decrypt operation after doing some check on the
+internal state (e.g. that all needed data has been set). Because it
+utilizes the GPG-Agent for the session key decryption, there is no need
+to ask the client for a protecting passphrase - GpgAgent takes care of
+this by requesting this from the user.
+
+
+File: gnupg.info, Node: GPGSM SIGN, Next: GPGSM VERIFY, Prev: GPGSM DECRYPT, Up: GPGSM Protocol
+
+5.6.3 Signing a Message
+-----------------------
+
+Signing is usually done with these commands:
+
+ INPUT FD[=N] [--armor|--base64|--binary]
+
+ This tells 'GPGSM' to read the data to sign from file descriptor N.
+
+ OUTPUT FD[=M] [--armor|--base64]
+
+ Write the output to file descriptor M. If a detached signature is
+requested, only the signature is written.
+
+ SIGN [--detached]
+
+ Sign the data set with the 'INPUT' command and write it to the sink
+set by 'OUTPUT'. With '--detached', a detached signature is created
+(surprise).
+
+ The key used for signing is the default one or the one specified in
+the configuration file. To get finer control over the keys, it is
+possible to use the command
+
+ SIGNER USERID
+
+ to set the signer's key. USERID should be the internal
+representation of the key; the server may accept any other way of
+specification. If this is a valid and trusted recipient the server does
+respond with OK, otherwise the return is an ERR with the reason why the
+key cannot be used, the signature will then not be created using this
+key. If the policy is not to sign at all if not all keys are valid, the
+client has to take care of this. All 'SIGNER' commands are cumulative
+until a 'RESET' is done. Note that a 'SIGN' does not reset this list of
+signers which is in contrast to the 'RECIPIENT' command.
+
+
+File: gnupg.info, Node: GPGSM VERIFY, Next: GPGSM GENKEY, Prev: GPGSM SIGN, Up: GPGSM Protocol
+
+5.6.4 Verifying a Message
+-------------------------
+
+To verify a message the command:
+
+ VERIFY
+
+ is used. It does a verify operation on the message send to the input
+FD. The result is written out using status lines. If an output FD was
+given, the signed text will be written to that. If the signature is a
+detached one, the server will inquire about the signed material and the
+client must provide it.
+
+
+File: gnupg.info, Node: GPGSM GENKEY, Next: GPGSM LISTKEYS, Prev: GPGSM VERIFY, Up: GPGSM Protocol
+
+5.6.5 Generating a Key
+----------------------
+
+This is used to generate a new keypair, store the secret part in the PSE
+and the public key in the key database. We will probably add optional
+commands to allow the client to select whether a hardware token is used
+to store the key. Configuration options to 'GPGSM' can be used to
+restrict the use of this command.
+
+ GENKEY
+
+ 'GPGSM' checks whether this command is allowed and then does an
+INQUIRY to get the key parameters, the client should then send the key
+parameters in the native format:
+
+ S: INQUIRE KEY_PARAM native
+ C: D foo:fgfgfg
+ C: D bar
+ C: END
+
+ Please note that the server may send Status info lines while reading
+the data lines from the client. After this the key generation takes
+place and the server eventually does send an ERR or OK response. Status
+lines may be issued as a progress indicator.
+
+
+File: gnupg.info, Node: GPGSM LISTKEYS, Next: GPGSM EXPORT, Prev: GPGSM GENKEY, Up: GPGSM Protocol
+
+5.6.6 List available keys
+-------------------------
+
+To list the keys in the internal database or using an external key
+provider, the command:
+
+ LISTKEYS PATTERN
+
+ is used. To allow multiple patterns (which are ORed during the
+search) quoting is required: Spaces are to be translated into "+" or
+into "%20"; in turn this requires that the usual escape quoting rules
+are done.
+
+ LISTSECRETKEYS PATTERN
+
+ Lists only the keys where a secret key is available.
+
+ The list commands are affected by the option
+
+ OPTION list-mode=MODE
+
+ where mode may be:
+'0'
+ Use default (which is usually the same as 1).
+'1'
+ List only the internal keys.
+'2'
+ List only the external keys.
+'3'
+ List internal and external keys.
+
+ Note that options are valid for the entire session.
+
+
+File: gnupg.info, Node: GPGSM EXPORT, Next: GPGSM IMPORT, Prev: GPGSM LISTKEYS, Up: GPGSM Protocol
+
+5.6.7 Export certificates
+-------------------------
+
+To export certificate from the internal key database the command:
+
+ EXPORT [--data [--armor] [--base64]] [--] PATTERN
+
+ is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+ If the '--data' option has not been given, the format of the output
+depends on what was set with the 'OUTPUT' command. When using PEM
+encoding a few informational lines are prepended.
+
+ If the '--data' has been given, a target set via 'OUTPUT' is ignored
+and the data is returned inline using standard 'D'-lines. This avoids
+the need for an extra file descriptor. In this case the options
+'--armor' and '--base64' may be used in the same way as with the
+'OUTPUT' command.
+
+
+File: gnupg.info, Node: GPGSM IMPORT, Next: GPGSM DELETE, Prev: GPGSM EXPORT, Up: GPGSM Protocol
+
+5.6.8 Import certificates
+-------------------------
+
+To import certificates into the internal key database, the command
+
+ IMPORT [--re-import]
+
+ is used. The data is expected on the file descriptor set with the
+'INPUT' command. Certain checks are performed on the certificate. Note
+that the code will also handle PKCS#12 files and import private keys; a
+helper program is used for that.
+
+ With the option '--re-import' the input data is expected to a be a
+linefeed separated list of fingerprints. The command will re-import the
+corresponding certificates; that is they are made permanent by removing
+their ephemeral flag.
+
+
+File: gnupg.info, Node: GPGSM DELETE, Next: GPGSM GETAUDITLOG, Prev: GPGSM IMPORT, Up: GPGSM Protocol
+
+5.6.9 Delete certificates
+-------------------------
+
+To delete a certificate the command
+
+ DELKEYS PATTERN
+
+ is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+ The certificates must be specified unambiguously otherwise an error
+is returned.
+
+
+File: gnupg.info, Node: GPGSM GETAUDITLOG, Next: GPGSM GETINFO, Prev: GPGSM DELETE, Up: GPGSM Protocol
+
+5.6.10 Retrieve an audit log
+----------------------------
+
+This command is used to retrieve an audit log.
+
+ GETAUDITLOG [--data] [--html]
+
+ If '--data' is used, the audit log is send using D-lines instead of
+being sent to the file descriptor given by an 'OUTPUT' command. If
+'--html' is used, the output is formatted as an XHTML block. This is
+designed to be incorporated into a HTML document.
+
+
+File: gnupg.info, Node: GPGSM GETINFO, Next: GPGSM OPTION, Prev: GPGSM GETAUDITLOG, Up: GPGSM Protocol
+
+5.6.11 Return information about the process
+-------------------------------------------
+
+This is a multipurpose function to return a variety of information.
+
+ GETINFO WHAT
+
+ The value of WHAT specifies the kind of information returned:
+'version'
+ Return the version of the program.
+'pid'
+ Return the process id of the process.
+'agent-check'
+ Return OK if the agent is running.
+'cmd_has_option CMD OPT'
+ Return OK if the command CMD implements the option OPT. The
+ leading two dashes usually used with OPT shall not be given.
+'offline'
+ Return OK if the connection is in offline mode. This may be either
+ due to a 'OPTION offline=1' or due to 'gpgsm' being started with
+ option '--disable-dirmngr'.
+
+
+File: gnupg.info, Node: GPGSM OPTION, Prev: GPGSM GETINFO, Up: GPGSM Protocol
+
+5.6.12 Session options
+----------------------
+
+The standard Assuan option handler supports these options.
+
+ OPTION NAME[=VALUE]
+
+ These NAMEs are recognized:
+
+'putenv'
+ Change the session's environment to be passed via gpg-agent to
+ Pinentry. VALUE is a string of the form '<KEY>[=[<STRING>]]'. If
+ only '<KEY>' is given the environment variable '<KEY>' is removed
+ from the session environment, if '<KEY>=' is given that environment
+ variable is set to the empty string, and if '<STRING>' is given it
+ is set to that string.
+
+'display'
+ Set the session environment variable 'DISPLAY' is set to VALUE.
+'ttyname'
+ Set the session environment variable 'GPG_TTY' is set to VALUE.
+'ttytype'
+ Set the session environment variable 'TERM' is set to VALUE.
+'lc-ctype'
+ Set the session environment variable 'LC_CTYPE' is set to VALUE.
+'lc-messages'
+ Set the session environment variable 'LC_MESSAGES' is set to VALUE.
+'xauthority'
+ Set the session environment variable 'XAUTHORITY' is set to VALUE.
+'pinentry-user-data'
+ Set the session environment variable 'PINENTRY_USER_DATA' is set to
+ VALUE.
+
+'include-certs'
+ This option overrides the command line option '--include-certs'. A
+ VALUE of -2 includes all certificates except for the root
+ certificate, -1 includes all certificates, 0 does not include any
+ certificates, 1 includes only the signers certificate and all other
+ positive values include up to VALUE certificates starting with the
+ signer cert.
+
+'list-mode'
+ *Note gpgsm-cmd listkeys::.
+
+'list-to-output'
+ If VALUE is true the output of the list commands (*note gpgsm-cmd
+ listkeys::) is written to the file descriptor set with the last
+ 'OUTPUT' command. If VALUE is false the output is written via data
+ lines; this is the default.
+
+'with-validation'
+ If VALUE is true for each listed certificate the validation status
+ is printed. This may result in the download of a CRL or the user
+ being asked about the trustworthiness of a root certificate. The
+ default is given by a command line option (*note gpgsm-option
+ --with-validation::).
+
+'with-secret'
+ If VALUE is true certificates with a corresponding private key are
+ marked by the list commands.
+
+'validation-model'
+ This option overrides the command line option 'validation-model'
+ for the session. (*Note gpgsm-option --validation-model::.)
+
+'with-key-data'
+ This option globally enables the command line option
+ '--with-key-data'. (*Note gpgsm-option --with-key-data::.)
+
+'enable-audit-log'
+ If VALUE is true data to write an audit log is gathered. (*Note
+ gpgsm-cmd getauditlog::.)
+
+'allow-pinentry-notify'
+ If this option is used notifications about the launch of a Pinentry
+ are passed back to the client.
+
+'with-ephemeral-keys'
+ If VALUE is true ephemeral certificates are included in the output
+ of the list commands.
+
+'no-encrypt-to'
+ If this option is used all keys set by the command line option
+ '--encrypt-to' are ignored.
+
+'offline'
+ If VALUE is true or VALUE is not given all network access is
+ disabled for this session. This is the same as the command line
+ option '--disable-dirmngr'.
+
+
+File: gnupg.info, Node: Invoking SCDAEMON, Next: Specify a User ID, Prev: Invoking GPGSM, Up: Top
+
+6 Invoking the SCDAEMON
+***********************
+
+The 'scdaemon' is a daemon to manage smartcards. It is usually invoked
+by 'gpg-agent' and in general not used directly.
+
+ *Note Option Index::, for an index to 'scdaemon''s commands and
+options.
+
+* Menu:
+
+* Scdaemon Commands:: List of all commands.
+* Scdaemon Options:: List of all options.
+* Card applications:: Description of card applications.
+* Scdaemon Configuration:: Configuration files.
+* Scdaemon Examples:: Some usage examples.
+* Scdaemon Protocol:: The protocol the daemon uses.
+
+
+File: gnupg.info, Node: Scdaemon Commands, Next: Scdaemon Options, Up: Invoking SCDAEMON
+
+6.1 Commands
+============
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--dump-options'
+ Print a list of all available options and commands. Note that you
+ cannot abbreviate this command.
+
+'--server'
+ Run in server mode and wait for commands on the 'stdin'. The
+ default mode is to create a socket and listen for commands there.
+
+'--multi-server'
+ Run in server mode and wait for commands on the 'stdin' as well as
+ on an additional Unix Domain socket. The server command 'GETINFO'
+ may be used to get the name of that extra socket.
+
+'--daemon'
+ Run the program in the background. This option is required to
+ prevent it from being accidentally running in the background.
+
+
+File: gnupg.info, Node: Scdaemon Options, Next: Card applications, Prev: Scdaemon Commands, Up: Invoking SCDAEMON
+
+6.2 Option Summary
+==================
+
+'--options FILE'
+ Reads configuration from FILE instead of from the default per-user
+ configuration file. The default configuration file is named
+ 'scdaemon.conf' and expected in the '.gnupg' directory directly
+ below the home directory of the user.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to 'gpgsm', such as
+ '-vv'.
+
+'--debug-level LEVEL'
+ Select the debug level for investigating problems. LEVEL may be a
+ numeric value or a keyword:
+
+ 'none'
+ No debugging at all. A value of less than 1 may be used
+ instead of the keyword.
+ 'basic'
+ Some basic debug messages. A value between 1 and 2 may be
+ used instead of the keyword.
+ 'advanced'
+ More verbose debug messages. A value between 3 and 5 may be
+ used instead of the keyword.
+ 'expert'
+ Even more detailed messages. A value between 6 and 8 may be
+ used instead of the keyword.
+ 'guru'
+ All of the debug messages you can get. A value greater than 8
+ may be used instead of the keyword. The creation of hash
+ tracing files is only enabled if the keyword is used.
+
+ How these messages are mapped to the actual debugging flags is not
+ specified and may change with newer releases of this program. They
+ are however carefully selected to best aid in debugging.
+
+ Note: All debugging options are subject to change and thus
+ should not be used by any application program. As the name
+ says, they are only used as helpers to debug problems.
+
+'--debug FLAGS'
+ This option is only useful for debugging and the behavior may
+ change at any time without notice. FLAGS are bit encoded and may
+ be given in usual C-Syntax. The currently defined bits are:
+
+ '0 (1)'
+ command I/O
+ '1 (2)'
+ values of big number integers
+ '2 (4)'
+ low level crypto operations
+ '5 (32)'
+ memory allocation
+ '6 (64)'
+ caching
+ '7 (128)'
+ show memory statistics
+ '9 (512)'
+ write hashed data to files named 'dbgmd-000*'
+ '10 (1024)'
+ trace Assuan protocol. See also option
+ '--debug-assuan-log-cats'.
+ '11 (2048)'
+ trace APDU I/O to the card. This may reveal sensitive data.
+ '12 (4096)'
+ trace some card reader related function calls.
+
+'--debug-all'
+ Same as '--debug=0xffffffff'
+
+'--debug-wait N'
+ When running in server mode, wait N seconds before entering the
+ actual processing loop and print the pid. This gives time to
+ attach a debugger.
+
+'--debug-ccid-driver'
+ Enable debug output from the included CCID driver for smartcards.
+ Using this option twice will also enable some tracing of the T=1
+ protocol. Note that this option may reveal sensitive data.
+
+'--debug-disable-ticker'
+ This option disables all ticker functions like checking for card
+ insertions.
+
+'--debug-allow-core-dump'
+ For security reasons we won't create a core dump when the process
+ aborts. For debugging purposes it is sometimes better to allow
+ core dump. This option enables it and also changes the working
+ directory to '/tmp' when running in '--server' mode.
+
+'--debug-log-tid'
+ This option appends a thread ID to the PID in the log output.
+
+'--debug-assuan-log-cats CATS'
+ Changes the active Libassuan logging categories to CATS. The value
+ for CATS is an unsigned integer given in usual C-Syntax. A value
+ of 0 switches to a default category. If this option is not used
+ the categories are taken from the environment variable
+ 'ASSUAN_DEBUG'. Note that this option has only an effect if the
+ Assuan debug flag has also been with the option '--debug'. For a
+ list of categories see the Libassuan manual.
+
+'--no-detach'
+ Don't detach the process from the console. This is mainly useful
+ for debugging.
+
+'--listen-backlog N'
+ Set the size of the queue for pending connections. The default is
+ 64. This option has an effect only if '--multi-server' is also
+ used.
+
+'--log-file FILE'
+ Append all logging output to FILE. This is very helpful in seeing
+ what the agent actually does. Use 'socket://' to log to socket.
+
+'--pcsc-shared'
+ Use shared mode to access the card via PC/SC. This is a somewhat
+ dangerous option because Scdaemon assumes exclusivbe access to teh
+ card and for example caches certain information from the card. Use
+ this option only if you know what you are doing.
+
+'--pcsc-driver LIBRARY'
+ Use LIBRARY to access the smartcard reader. The current default on
+ Unix is 'libpcsclite.so' and on Windows 'winscard.dll'. Instead of
+ using this option you might also want to install a symbolic link to
+ the default file name (e.g. from 'libpcsclite.so.1'). A Unicode
+ file name may not be used on Windows.
+
+'--ctapi-driver LIBRARY'
+ Use LIBRARY to access the smartcard reader. The current default is
+ 'libtowitoko.so'. Note that the use of this interface is
+ deprecated; it may be removed in future releases.
+
+'--disable-ccid'
+ Disable the integrated support for CCID compliant readers. This
+ allows falling back to one of the other drivers even if the
+ internal CCID driver can handle the reader. Note, that CCID
+ support is only available if libusb was available at build time.
+
+'--reader-port NUMBER_OR_STRING'
+ This option may be used to specify the port of the card terminal.
+ A value of 0 refers to the first serial device; add 32768 to access
+ USB devices. The default is 32768 (first USB device). PC/SC or
+ CCID readers might need a string here; run the program in verbose
+ mode to get a list of available readers. The default is then the
+ first reader found.
+
+ To get a list of available CCID readers you may use this command:
+ echo scd getinfo reader_list \
+ | gpg-connect-agent --decode | awk '/^D/ {print $2}'
+
+'--card-timeout N'
+ If N is not 0 and no client is actively using the card, the card
+ will be powered down after N seconds. Powering down the card
+ avoids a potential risk of damaging a card when used with certain
+ cheap readers. This also allows applications that are not aware of
+ Scdaemon to access the card. The disadvantage of using a card
+ timeout is that accessing the card takes longer and that the user
+ needs to enter the PIN again after the next power up.
+
+ Note that with the current version of Scdaemon the card is powered
+ down immediately at the next timer tick for any value of N other
+ than 0.
+
+'--enable-pinpad-varlen'
+ Please specify this option when the card reader supports variable
+ length input for pinpad (default is no). For known readers (listed
+ in ccid-driver.c and apdu.c), this option is not needed. Note that
+ if your card reader doesn't supports variable length input but you
+ want to use it, you need to specify your pinpad request on your
+ card.
+
+'--disable-pinpad'
+ Even if a card reader features a pinpad, do not try to use it.
+
+'--deny-admin'
+ This option disables the use of admin class commands for card
+ applications where this is supported. Currently we support it for
+ the OpenPGP card. This option is useful to inhibit accidental
+ access to admin class command which could ultimately lock the card
+ through wrong PIN numbers. Note that GnuPG versions older than
+ 2.0.11 featured an '--allow-admin' option which was required to use
+ such admin commands. This option has no more effect today because
+ the default is now to allow admin commands.
+
+'--disable-application NAME'
+ This option disables the use of the card application named NAME.
+ This is mainly useful for debugging or if a application with lower
+ priority should be used by default.
+
+ All the long options may also be given in the configuration file
+after stripping off the two leading dashes.
+
+
+File: gnupg.info, Node: Card applications, Next: Scdaemon Configuration, Prev: Scdaemon Options, Up: Invoking SCDAEMON
+
+6.3 Description of card applications
+====================================
+
+'scdaemon' supports the card applications as described below.
+
+* Menu:
+
+* OpenPGP Card:: The OpenPGP card application
+* NKS Card:: The Telesec NetKey card application
+* DINSIG Card:: The DINSIG card application
+* PKCS#15 Card:: The PKCS#15 card application
+* Geldkarte Card:: The Geldkarte application
+* SmartCard-HSM:: The SmartCard-HSM application
+* Undefined Card:: The Undefined stub application
+
+
+File: gnupg.info, Node: OpenPGP Card, Next: NKS Card, Up: Card applications
+
+6.3.1 The OpenPGP card application "openpgp"
+--------------------------------------------
+
+This application is currently only used by 'gpg' but may in future also
+be useful with 'gpgsm'. Version 1 and version 2 of the card is
+supported.
+
+The specifications for these cards are available at
+<http://g10code.com/docs/openpgp-card-1.0.pdf> and
+<http://g10code.com/docs/openpgp-card-2.0.pdf>.
+
+
+File: gnupg.info, Node: NKS Card, Next: DINSIG Card, Prev: OpenPGP Card, Up: Card applications
+
+6.3.2 The Telesec NetKey card "nks"
+-----------------------------------
+
+This is the main application of the Telesec cards as available in
+Germany. It is a superset of the German DINSIG card. The card is used
+by 'gpgsm'.
+
+
+File: gnupg.info, Node: DINSIG Card, Next: PKCS#15 Card, Prev: NKS Card, Up: Card applications
+
+6.3.3 The DINSIG card application "dinsig"
+------------------------------------------
+
+This is an application as described in the German draft standard _DIN V
+66291-1_. It is intended to be used by cards supporting the German
+signature law and its bylaws (SigG and SigV).
+
+
+File: gnupg.info, Node: PKCS#15 Card, Next: Geldkarte Card, Prev: DINSIG Card, Up: Card applications
+
+6.3.4 The PKCS#15 card application "p15"
+----------------------------------------
+
+This is common framework for smart card applications. It is used by
+'gpgsm'.
+
+
+File: gnupg.info, Node: Geldkarte Card, Next: SmartCard-HSM, Prev: PKCS#15 Card, Up: Card applications
+
+6.3.5 The Geldkarte card application "geldkarte"
+------------------------------------------------
+
+This is a simple application to display information of a German
+Geldkarte. The Geldkarte is a small amount debit card application which
+comes with almost all German banking cards.
+
+
+File: gnupg.info, Node: SmartCard-HSM, Next: Undefined Card, Prev: Geldkarte Card, Up: Card applications
+
+6.3.6 The SmartCard-HSM card application "sc-hsm"
+-------------------------------------------------
+
+This application adds read-only support for keys and certificates stored
+on a SmartCard-HSM (http://www.smartcard-hsm.com).
+
+ To generate keys and store certificates you may use OpenSC
+(https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM) or the tools from
+OpenSCDP (http://www.openscdp.org).
+
+ The SmartCard-HSM cards requires a card reader that supports Extended
+Length APDUs.
+
+
+File: gnupg.info, Node: Undefined Card, Prev: SmartCard-HSM, Up: Card applications
+
+6.3.7 The Undefined card application "undefined"
+------------------------------------------------
+
+This is a stub application to allow the use of the APDU command even if
+no supported application is found on the card. This application is not
+used automatically but must be explicitly requested using the SERIALNO
+command.
+
+
+File: gnupg.info, Node: Scdaemon Configuration, Next: Scdaemon Examples, Prev: Card applications, Up: Invoking SCDAEMON
+
+6.4 Configuration files
+=======================
+
+There are a few configuration files to control certain aspects of
+'scdaemons''s operation. Unless noted, they are expected in the current
+home directory (*note option --homedir::).
+
+'scdaemon.conf'
+ This is the standard configuration file read by 'scdaemon' on
+ startup. It may contain any valid long option; the leading two
+ dashes may not be entered and the option may not be abbreviated.
+ This default name may be changed on the command line (*note option
+ --options::).
+
+'scd-event'
+ If this file is present and executable, it will be called on every
+ card reader's status change. An example of this script is provided
+ with the distribution
+
+'reader_N.status'
+ This file is created by 'scdaemon' to let other applications now
+ about reader status changes. Its use is now deprecated in favor of
+ 'scd-event'.
+
+
+File: gnupg.info, Node: Scdaemon Examples, Next: Scdaemon Protocol, Prev: Scdaemon Configuration, Up: Invoking SCDAEMON
+
+6.5 Examples
+============
+
+ $ scdaemon --server -v
+
+
+File: gnupg.info, Node: Scdaemon Protocol, Prev: Scdaemon Examples, Up: Invoking SCDAEMON
+
+6.6 Scdaemon's Assuan Protocol
+==============================
+
+The SC-Daemon should be started by the system to provide access to
+external tokens. Using Smartcards on a multi-user system does not make
+much sense except for system services, but in this case no regular user
+accounts are hosted on the machine.
+
+ A client connects to the SC-Daemon by connecting to the socket named
+'/usr/local/var/run/gnupg/scdaemon/socket', configuration information is
+read from /ETC/GNUPG/SCDAEMON.CONF
+
+ Each connection acts as one session, SC-Daemon takes care of
+synchronizing access to a token between sessions.
+
+* Menu:
+
+* Scdaemon SERIALNO:: Return the serial number.
+* Scdaemon LEARN:: Read all useful information from the card.
+* Scdaemon READCERT:: Return a certificate.
+* Scdaemon READKEY:: Return a public key.
+* Scdaemon PKSIGN:: Signing data with a Smartcard.
+* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
+* Scdaemon GETATTR:: Read an attribute's value.
+* Scdaemon SETATTR:: Update an attribute's value.
+* Scdaemon WRITEKEY:: Write a key to a card.
+* Scdaemon GENKEY:: Generate a new key on-card.
+* Scdaemon RANDOM:: Return random bytes generated on-card.
+* Scdaemon PASSWD:: Change PINs.
+* Scdaemon CHECKPIN:: Perform a VERIFY operation.
+* Scdaemon RESTART:: Restart connection
+* Scdaemon APDU:: Send a verbatim APDU to the card
+
+
+File: gnupg.info, Node: Scdaemon SERIALNO, Next: Scdaemon LEARN, Up: Scdaemon Protocol
+
+6.6.1 Return the serial number
+------------------------------
+
+This command should be used to check for the presence of a card. It is
+special in that it can be used to reset the card. Most other commands
+will return an error when a card change has been detected and the use of
+this function is therefore required.
+
+ Background: We want to keep the client clear of handling card changes
+between operations; i.e. the client can assume that all operations are
+done on the same card unless he call this function.
+
+ SERIALNO
+
+ Return the serial number of the card using a status response like:
+
+ S SERIALNO D27600000000000000000000
+
+ The serial number is the hex encoded value identified by the '0x5A'
+tag in the GDO file (FIX=0x2F02).
+
+
+File: gnupg.info, Node: Scdaemon LEARN, Next: Scdaemon READCERT, Prev: Scdaemon SERIALNO, Up: Scdaemon Protocol
+
+6.6.2 Read all useful information from the card
+-----------------------------------------------
+
+ LEARN [--force]
+
+ Learn all useful information of the currently inserted card. When
+used without the '--force' option, the command might do an INQUIRE like
+this:
+
+ INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
+
+ The client should just send an 'END' if the processing should go on
+or a 'CANCEL' to force the function to terminate with a cancel error
+message. The response of this command is a list of status lines
+formatted as this:
+
+ S KEYPAIRINFO HEXSTRING_WITH_KEYGRIP HEXSTRING_WITH_ID
+
+ If there is no certificate yet stored on the card a single "X" is
+returned in HEXSTRING_WITH_KEYGRIP.
+
+
+File: gnupg.info, Node: Scdaemon READCERT, Next: Scdaemon READKEY, Prev: Scdaemon LEARN, Up: Scdaemon Protocol
+
+6.6.3 Return a certificate
+--------------------------
+
+ READCERT HEXIFIED_CERTID|KEYID
+
+ This function is used to read a certificate identified by
+HEXIFIED_CERTID from the card. With OpenPGP cards the keyid 'OpenPGP.3'
+may be used to read the certificate of version 2 cards.
+
+
+File: gnupg.info, Node: Scdaemon READKEY, Next: Scdaemon PKSIGN, Prev: Scdaemon READCERT, Up: Scdaemon Protocol
+
+6.6.4 Return a public key
+-------------------------
+
+ READKEY HEXIFIED_CERTID
+
+ Return the public key for the given cert or key ID as an standard
+S-Expression.
+
+
+File: gnupg.info, Node: Scdaemon PKSIGN, Next: Scdaemon PKDECRYPT, Prev: Scdaemon READKEY, Up: Scdaemon Protocol
+
+6.6.5 Signing data with a Smartcard
+-----------------------------------
+
+To sign some data the caller should use the command
+
+ SETDATA HEXSTRING
+
+ to tell 'scdaemon' about the data to be signed. The data must be
+given in hex notation. The actual signing is done using the command
+
+ PKSIGN KEYID
+
+ where KEYID is the hexified ID of the key to be used. The key id may
+have been retrieved using the command 'LEARN'. If another hash
+algorithm than SHA-1 is used, that algorithm may be given like:
+
+ PKSIGN --hash=ALGONAME KEYID
+
+ With ALGONAME are one of 'sha1', 'rmd160' or 'md5'.
+
+
+File: gnupg.info, Node: Scdaemon PKDECRYPT, Next: Scdaemon GETATTR, Prev: Scdaemon PKSIGN, Up: Scdaemon Protocol
+
+6.6.6 Decrypting data with a Smartcard
+--------------------------------------
+
+To decrypt some data the caller should use the command
+
+ SETDATA HEXSTRING
+
+ to tell 'scdaemon' about the data to be decrypted. The data must be
+given in hex notation. The actual decryption is then done using the
+command
+
+ PKDECRYPT KEYID
+
+ where KEYID is the hexified ID of the key to be used.
+
+ If the card is aware of the apdding format a status line with padding
+information is send before the plaintext data. The key for this status
+line is 'PADDING' with the only defined value being 0 and meaning
+padding has been removed.
+
+
+File: gnupg.info, Node: Scdaemon GETATTR, Next: Scdaemon SETATTR, Prev: Scdaemon PKDECRYPT, Up: Scdaemon Protocol
+
+6.6.7 Read an attribute's value
+-------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon SETATTR, Next: Scdaemon WRITEKEY, Prev: Scdaemon GETATTR, Up: Scdaemon Protocol
+
+6.6.8 Update an attribute's value
+---------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon WRITEKEY, Next: Scdaemon GENKEY, Prev: Scdaemon SETATTR, Up: Scdaemon Protocol
+
+6.6.9 Write a key to a card
+---------------------------
+
+ WRITEKEY [--force] KEYID
+
+ This command is used to store a secret key on a smartcard. The
+allowed keyids depend on the currently selected smartcard application.
+The actual keydata is requested using the inquiry 'KEYDATA' and need to
+be provided without any protection. With '--force' set an existing key
+under this KEYID will get overwritten. The key data is expected to be
+the usual canonical encoded S-expression.
+
+ A PIN will be requested in most cases. This however depends on the
+actual card application.
+
+
+File: gnupg.info, Node: Scdaemon GENKEY, Next: Scdaemon RANDOM, Prev: Scdaemon WRITEKEY, Up: Scdaemon Protocol
+
+6.6.10 Generate a new key on-card
+---------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon RANDOM, Next: Scdaemon PASSWD, Prev: Scdaemon GENKEY, Up: Scdaemon Protocol
+
+6.6.11 Return random bytes generated on-card
+--------------------------------------------
+
+TO BE WRITTEN.
+
+
+File: gnupg.info, Node: Scdaemon PASSWD, Next: Scdaemon CHECKPIN, Prev: Scdaemon RANDOM, Up: Scdaemon Protocol
+
+6.6.12 Change PINs
+------------------
+
+ PASSWD [--reset] [--nullpin] CHVNO
+
+ Change the PIN or reset the retry counter of the card holder
+verification vector number CHVNO. The option '--nullpin' is used to
+initialize the PIN of TCOS cards (6 byte NullPIN only).
+
+
+File: gnupg.info, Node: Scdaemon CHECKPIN, Next: Scdaemon RESTART, Prev: Scdaemon PASSWD, Up: Scdaemon Protocol
+
+6.6.13 Perform a VERIFY operation
+---------------------------------
+
+ CHECKPIN IDSTR
+
+ Perform a VERIFY operation without doing anything else. This may be
+used to initialize a the PIN cache earlier to long lasting operations.
+Its use is highly application dependent:
+
+*OpenPGP*
+
+ Perform a simple verify operation for CHV1 and CHV2, so that
+ further operations won't ask for CHV2 and it is possible to do a
+ cheap check on the PIN: If there is something wrong with the PIN
+ entry system, only the regular CHV will get blocked and not the
+ dangerous CHV3. IDSTR is the usual card's serial number in hex
+ notation; an optional fingerprint part will get ignored.
+
+ There is however a special mode if IDSTR is suffixed with the
+ literal string '[CHV3]': In this case the Admin PIN is checked if
+ and only if the retry counter is still at 3.
+
+
+File: gnupg.info, Node: Scdaemon RESTART, Next: Scdaemon APDU, Prev: Scdaemon CHECKPIN, Up: Scdaemon Protocol
+
+6.6.14 Perform a RESTART operation
+----------------------------------
+
+ RESTART
+
+ Restart the current connection; this is a kind of warm reset. It
+deletes the context used by this connection but does not actually reset
+the card.
+
+ This is used by gpg-agent to reuse a primary pipe connection and may
+be used by clients to backup from a conflict in the serial command; i.e.
+to select another application.
+
+
+File: gnupg.info, Node: Scdaemon APDU, Prev: Scdaemon RESTART, Up: Scdaemon Protocol
+
+6.6.15 Send a verbatim APDU to the card
+---------------------------------------
+
+ APDU [--atr] [--more] [--exlen[=N]] [HEXSTRING]
+
+ Send an APDU to the current reader. This command bypasses the high
+level functions and sends the data directly to the card. HEXSTRING is
+expected to be a proper APDU. If HEXSTRING is not given no commands are
+send to the card; However the command will implicitly check whether the
+card is ready for use.
+
+ Using the option '--atr' returns the ATR of the card as a status
+message before any data like this:
+ S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
+
+ Using the option '--more' handles the card status word MORE_DATA
+(61xx) and concatenate all responses to one block.
+
+ Using the option '--exlen' the returned APDU may use extended length
+up to N bytes. If N is not given a default value is used (currently
+4096).
+
+
+File: gnupg.info, Node: Specify a User ID, Next: Trust Values, Prev: Invoking SCDAEMON, Up: Top
+
+7 How to Specify a User Id
+**************************
+
+There are different ways to specify a user ID to GnuPG. Some of them are
+only valid for 'gpg' others are only good for 'gpgsm'. Here is the
+entire list of ways to specify a key:
+
+ * By key Id. This format is deduced from the length of the string
+ and its content or '0x' prefix. The key Id of an X.509 certificate
+ are the low 64 bits of its SHA-1 fingerprint. The use of key Ids
+ is just a shortcut, for all automated processing the fingerprint
+ should be used.
+
+ When using 'gpg' an exclamation mark (!) may be appended to force
+ using the specified primary or secondary key and not to try and
+ calculate which primary or secondary key to use.
+
+ The last four lines of the example give the key ID in their long
+ form as internally used by the OpenPGP protocol. You can see the
+ long key ID using the option '--with-colons'.
+
+ 234567C4
+ 0F34E556E
+ 01347A56A
+ 0xAB123456
+
+ 234AABBCC34567C4
+ 0F323456784E56EAB
+ 01AB3FED1347A5612
+ 0x234AABBCC34567C4
+
+ * By fingerprint. This format is deduced from the length of the
+ string and its content or the '0x' prefix. Note, that only the 20
+ byte version fingerprint is available with 'gpgsm' (i.e. the SHA-1
+ hash of the certificate).
+
+ When using 'gpg' an exclamation mark (!) may be appended to force
+ using the specified primary or secondary key and not to try and
+ calculate which primary or secondary key to use.
+
+ The best way to specify a key Id is by using the fingerprint. This
+ avoids any ambiguities in case that there are duplicated key IDs.
+
+ 1234343434343434C434343434343434
+ 123434343434343C3434343434343734349A3434
+ 0E12343434343434343434EAB3484343434343434
+ 0xE12343434343434343434EAB3484343434343434
+
+ 'gpgsm' also accepts colons between each pair of hexadecimal digits
+ because this is the de-facto standard on how to present X.509
+ fingerprints. 'gpg' also allows the use of the space separated
+ SHA-1 fingerprint as printed by the key listing commands.
+
+ * By exact match on OpenPGP user ID. This is denoted by a leading
+ equal sign. It does not make sense for X.509 certificates.
+
+ =Heinrich Heine <heinrichh@uni-duesseldorf.de>
+
+ * By exact match on an email address. This is indicated by enclosing
+ the email address in the usual way with left and right angles.
+
+ <heinrichh@uni-duesseldorf.de>
+
+ * By partial match on an email address. This is indicated by
+ prefixing the search string with an '@'. This uses a substring
+ search but considers only the mail address (i.e. inside the angle
+ brackets).
+
+ @heinrichh
+
+ * By exact match on the subject's DN. This is indicated by a leading
+ slash, directly followed by the RFC-2253 encoded DN of the subject.
+ Note that you can't use the string printed by 'gpgsm --list-keys'
+ because that one has been reordered and modified for better
+ readability; use '--with-colons' to print the raw (but standard
+ escaped) RFC-2253 string.
+
+ /CN=Heinrich Heine,O=Poets,L=Paris,C=FR
+
+ * By exact match on the issuer's DN. This is indicated by a leading
+ hash mark, directly followed by a slash and then directly followed
+ by the RFC-2253 encoded DN of the issuer. This should return the
+ Root cert of the issuer. See note above.
+
+ #/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * By exact match on serial number and issuer's DN. This is indicated
+ by a hash mark, followed by the hexadecimal representation of the
+ serial number, then followed by a slash and the RFC-2253 encoded DN
+ of the issuer. See note above.
+
+ #4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
+
+ * By keygrip. This is indicated by an ampersand followed by the 40
+ hex digits of a keygrip. 'gpgsm' prints the keygrip when using the
+ command '--dump-cert'.
+
+ &D75F22C3F86E355877348498CDC92BD21010A480
+
+ * By substring match. This is the default mode but applications may
+ want to explicitly indicate this by putting the asterisk in front.
+ Match is not case sensitive.
+
+ Heine
+ *Heine
+
+ * . and + prefixes These prefixes are reserved for looking up mails
+ anchored at the end and for a word search mode. They are not yet
+ implemented and using them is undefined.
+
+ Please note that we have reused the hash mark identifier which was
+used in old GnuPG versions to indicate the so called local-id. It is
+not anymore used and there should be no conflict when used with X.509
+stuff.
+
+ Using the RFC-2253 format of DNs has the drawback that it is not
+possible to map them back to the original encoding, however we don't
+have to do this because our key database stores this encoding as meta
+data.
+
+
+File: gnupg.info, Node: Trust Values, Next: Helper Tools, Prev: Specify a User ID, Up: Top
+
+8 Trust Values
+**************
+
+Trust values are used to indicate ownertrust and validity of keys and
+user IDs. They are displayed with letters or strings:
+
+-
+unknown
+ No ownertrust assigned / not yet calculated.
+
+e
+expired
+
+ Trust calculation has failed; probably due to an expired key.
+
+q
+undefined, undef
+ Not enough information for calculation.
+
+n
+never
+ Never trust this key.
+
+m
+marginal
+ Marginally trusted.
+
+f
+full
+ Fully trusted.
+
+u
+ultimate
+ Ultimately trusted.
+
+r
+revoked
+ For validity only: the key or the user ID has been revoked.
+
+?
+err
+ The program encountered an unknown trust value.
+
+
+File: gnupg.info, Node: Helper Tools, Next: Web Key Service, Prev: Trust Values, Up: Top
+
+9 Helper Tools
+**************
+
+GnuPG comes with a couple of smaller tools:
+
+* Menu:
+
+* watchgnupg:: Read logs from a socket.
+* gpgv:: Verify OpenPGP signatures.
+* addgnupghome:: Create .gnupg home directories.
+* gpgconf:: Modify .gnupg home directories.
+* applygnupgdefaults:: Run gpgconf for all users.
+* gpg-preset-passphrase:: Put a passphrase into the cache.
+* gpg-connect-agent:: Communicate with a running agent.
+* dirmngr-client:: How to use the Dirmngr client tool.
+* gpgparsemail:: Parse a mail message into an annotated format
+* gpgtar:: Encrypt or sign files into an archive.
+* gpg-check-pattern:: Check a passphrase on stdin against the patternfile.
+
+
+File: gnupg.info, Node: watchgnupg, Next: gpgv, Up: Helper Tools
+
+9.1 Read logs from a socket
+===========================
+
+Most of the main utilities are able to write their log files to a Unix
+Domain socket if configured that way. 'watchgnupg' is a simple listener
+for such a socket. It ameliorates the output with a time stamp and
+makes sure that long lines are not interspersed with log output from
+other utilities. This tool is not available for Windows.
+
+'watchgnupg' is commonly invoked as
+
+ watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
+
+This starts it on the current terminal for listening on the standard
+logging socket (which is either '~/.gnupg/S.log' or
+'/var/run/user/UID/gnupg/S.log').
+
+'watchgnupg' understands these options:
+
+'--force'
+ Delete an already existing socket file.
+
+'--tcp N'
+ Instead of reading from a local socket, listen for connects on TCP
+ port N.
+
+'--time-only'
+ Do not print the date part of the timestamp.
+
+'--verbose'
+ Enable extra informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+Examples
+********
+
+ $ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
+
+ This waits for connections on the local socket (e.g.
+'/home/foo/.gnupg/S.log') and shows all log entries. To make this work
+the option 'log-file' needs to be used with all modules which logs are
+to be shown. The suggested entry for the configuration files is:
+
+ log-file socket://
+
+ If the default socket as given above and returned by "echo $(gpgconf
+-list-dirs socketdir)/S.log" is not desired an arbitrary socket name can
+be specified, for example 'socket:///home/foo/bar/mysocket'. For
+debugging purposes it is also possible to do remote logging. Take care
+if you use this feature because the information is send in the clear
+over the network. Use this syntax in the conf files:
+
+ log-file tcp://192.168.1.1:4711
+
+ You may use any port and not just 4711 as shown above; only IP
+addresses are supported (v4 and v6) and no host names. You need to
+start 'watchgnupg' with the 'tcp' option. Note that under Windows the
+registry entry HKCU\SOFTWARE\GNU\GNUPG:DEFAULTLOGFILE can be used to
+change the default log output from 'stderr' to whatever is given by that
+entry. However the only useful entry is a TCP name for remote
+debugging.
+
+
+File: gnupg.info, Node: gpgv, Next: addgnupghome, Prev: watchgnupg, Up: Helper Tools
+
+9.2 Verify OpenPGP signatures
+=============================
+
+'gpgv' is an OpenPGP signature verification tool.
+
+ This program is actually a stripped-down version of 'gpg' which is
+only able to check signatures. It is somewhat smaller than the
+fully-blown 'gpg' and uses a different (and simpler) way to check that
+the public keys used to make the signature are valid. There are no
+configuration files and only a few options are implemented.
+
+ 'gpgv' assumes that all keys in the keyring are trustworthy. That
+does also mean that it does not check for expired or revoked keys.
+
+ If no '--keyring' option is given, 'gpgv' looks for a "default"
+keyring named 'trustedkeys.kbx' (preferred) or 'trustedkeys.gpg' in the
+home directory of GnuPG, either the default home directory or the one
+set by the '--homedir' option or the 'GNUPGHOME' environment variable.
+If any '--keyring' option is used, 'gpgv' will not look for the default
+keyring. The '--keyring' option may be used multiple times and all
+specified keyrings will be used together.
+
+
+ 'gpgv' recognizes these options:
+
+'--verbose'
+'-v'
+ Gives more information during processing. If used twice, the input
+ data is listed in detail.
+
+'--quiet'
+'-q'
+ Try to be as quiet as possible.
+
+'--keyring FILE'
+ Add FILE to the list of keyrings. If FILE begins with a tilde and
+ a slash, these are replaced by the HOME directory. If the filename
+ does not contain a slash, it is assumed to be in the home-directory
+ ("~/.gnupg" if -homedir is not used).
+
+'--output FILE'
+'-o FILE'
+ Write output to FILE; to write to stdout use '-'. This option can
+ be used to get the signed text from a cleartext or binary
+ signature; it also works for detached signatures, but in that case
+ this option is in general not useful. Note that an existing file
+ will be overwritten.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. See the
+ file DETAILS in the documentation for a listing of them.
+
+'--logger-fd n'
+ Write log output to file descriptor 'n' and not to stderr.
+
+'--log-file file'
+ Same as '--logger-fd', except the logger data is written to file
+ 'file'. Use 'socket://' to log to socket.
+
+'--ignore-time-conflict'
+ GnuPG normally checks that the timestamps associated with keys and
+ signatures have plausible values. However, sometimes a signature
+ seems to be older than the key due to clock problems. This option
+ turns these checks into warnings.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'--weak-digest name'
+ Treat the specified digest algorithm as weak. Signatures made over
+ weak digests algorithms are normally rejected. This option can be
+ supplied multiple times if multiple algorithms should be considered
+ weak. MD5 is always considered weak, and does not need to be
+ listed explicitly.
+
+'--enable-special-filenames'
+ This option enables a mode in which filenames of the form '-&n',
+ where n is a non-negative decimal number, refer to the file
+ descriptor n and not to a file with that name.
+
+ The program returns 0 if everything is fine, 1 if at least one
+signature was bad, and other error codes for fatal errors.
+
+9.2.1 Examples
+--------------
+
+gpgv 'pgpfile'
+gpgv 'sigfile' ['datafile']
+ Verify the signature of the file. The second form is used for
+ detached signatures, where 'sigfile' is the detached signature
+ (either ASCII-armored or binary) and 'datafile' contains the signed
+ data; if 'datafile' is "-" the signed data is expected on 'stdin';
+ if 'datafile' is not given the name of the file holding the signed
+ data is constructed by cutting off the extension (".asc", ".sig" or
+ ".sign") from 'sigfile'.
+
+9.2.2 Environment
+-----------------
+
+HOME
+ Used to locate the default home directory.
+
+GNUPGHOME
+ If set directory used instead of "~/.gnupg".
+
+9.2.3 FILES
+-----------
+
+~/.gnupg/trustedkeys.gpg
+ The default keyring with the allowed keys.
+
+ 'gpg'(1)
+
+
+File: gnupg.info, Node: addgnupghome, Next: gpgconf, Prev: gpgv, Up: Helper Tools
+
+9.3 Create .gnupg home directories
+==================================
+
+If GnuPG is installed on a system with existing user accounts, it is
+sometimes required to populate the GnuPG home directory with existing
+files. Especially a 'trustlist.txt' and a keybox with some initial
+certificates are often desired. This script helps to do this by copying
+all files from '/etc/skel/.gnupg' to the home directories of the
+accounts given on the command line. It takes care not to overwrite
+existing GnuPG home directories.
+
+'addgnupghome' is invoked by root as:
+
+ addgnupghome account1 account2 ... accountn
+
+
+File: gnupg.info, Node: gpgconf, Next: applygnupgdefaults, Prev: addgnupghome, Up: Helper Tools
+
+9.4 Modify .gnupg home directories
+==================================
+
+The 'gpgconf' is a utility to automatically and reasonable safely query
+and modify configuration files in the '.gnupg' home directory. It is
+designed not to be invoked manually by the user, but automatically by
+graphical user interfaces (GUI).(1)
+
+ 'gpgconf' provides access to the configuration of one or more
+components of the GnuPG system. These components correspond more or
+less to the programs that exist in the GnuPG framework, like GPG, GPGSM,
+DirMngr, etc. But this is not a strict one-to-one relationship. Not
+all configuration options are available through 'gpgconf'. 'gpgconf'
+provides a generic and abstract method to access the most important
+configuration options that can feasibly be controlled via such a
+mechanism.
+
+ 'gpgconf' can be used to gather and change the options available in
+each component, and can also provide their default values. 'gpgconf'
+will give detailed type information that can be used to restrict the
+user's input without making an attempt to commit the changes.
+
+ 'gpgconf' provides the backend of a configuration editor. The
+configuration editor would usually be a graphical user interface program
+that displays the current options, their default values, and allows the
+user to make changes to the options. These changes can then be made
+active with 'gpgconf' again. Such a program that uses 'gpgconf' in this
+way will be called GUI throughout this section.
+
+* Menu:
+
+* Invoking gpgconf:: List of all commands and options.
+* Format conventions:: Formatting conventions relevant for all commands.
+* Listing components:: List all gpgconf components.
+* Checking programs:: Check all programs known to gpgconf.
+* Listing options:: List all options of a component.
+* Changing options:: Changing options of a component.
+* Listing global options:: List all global options.
+* Querying versions:: Get and compare software versions.
+* Files used by gpgconf:: What files are used by gpgconf.
+
+ ---------- Footnotes ----------
+
+ (1) Please note that currently no locking is done, so concurrent
+access should be avoided. There are some precautions to avoid
+corruption with concurrent usage, but results may be inconsistent and
+some changes may get lost. The stateless design makes it difficult to
+provide more guarantees.
+
+
+File: gnupg.info, Node: Invoking gpgconf, Next: Format conventions, Up: gpgconf
+
+9.4.1 Invoking gpgconf
+----------------------
+
+One of the following commands must be given:
+
+'--list-components'
+ List all components. This is the default command used if none is
+ specified.
+
+'--check-programs'
+ List all available backend programs and test whether they are
+ runnable.
+
+'--list-options COMPONENT'
+ List all options of the component COMPONENT.
+
+'--change-options COMPONENT'
+ Change the options of the component COMPONENT.
+
+'--check-options COMPONENT'
+ Check the options for the component COMPONENT.
+
+'--apply-profile FILE'
+ Apply the configuration settings listed in FILE to the
+ configuration files. If FILE has no suffix and no slashes the
+ command first tries to read a file with the suffix '.prf' from the
+ data directory ('gpgconf --list-dirs datadir') before it reads the
+ file verbatim. A profile is divided into sections using the
+ bracketed component name. Each section then lists the option which
+ shall go into the respective configuration file.
+
+'--apply-defaults'
+ Update all configuration files with values taken from the global
+ configuration file (usually '/etc/gnupg/gpgconf.conf'). Note: This
+ is a legacy mechanism. Please use global configuraion files
+ instead.
+
+'--list-dirs [NAMES]'
+'-L'
+ Lists the directories used by 'gpgconf'. One directory is listed
+ per line, and each line consists of a colon-separated list where
+ the first field names the directory type (for example 'sysconfdir')
+ and the second field contains the percent-escaped directory.
+ Although they are not directories, the socket file names used by
+ 'gpg-agent' and 'dirmngr' are printed as well. Note that the
+ socket file names and the 'homedir' lines are the default names and
+ they may be overridden by command line switches. If NAMES are
+ given only the directories or file names specified by the list
+ names are printed without any escaping.
+
+'--list-config [FILENAME]'
+ List the global configuration file in a colon separated format. If
+ FILENAME is given, check that file instead.
+
+'--check-config [FILENAME]'
+ Run a syntax check on the global configuration file. If FILENAME
+ is given, check that file instead.
+
+'--query-swdb PACKAGE_NAME [VERSION_STRING]'
+ Returns the current version for PACKAGE_NAME and if VERSION_STRING
+ is given also an indicator on whether an update is available. The
+ actual file with the software version is automatically downloaded
+ and checked by 'dirmngr'. 'dirmngr' uses a thresholds to avoid
+ download the file too often and it does this by default only if it
+ can be done via Tor. To force an update of that file this command
+ can be used:
+
+ gpg-connect-agent --dirmngr 'loadswdb --force' /bye
+
+'--reload [COMPONENT]'
+'-R'
+ Reload all or the given component. This is basically the same as
+ sending a SIGHUP to the component. Components which don't support
+ reloading are ignored. Without COMPONENT or by using "all" for
+ COMPONENT all components which are daemons are reloaded.
+
+'--launch [COMPONENT]'
+ If the COMPONENT is not already running, start it. 'component'
+ must be a daemon. This is in general not required because the
+ system starts these daemons as needed. However, external software
+ making direct use of 'gpg-agent' or 'dirmngr' may use this command
+ to ensure that they are started. Using "all" for COMPONENT
+ launches all components which are daemons.
+
+'--kill [COMPONENT]'
+'-K'
+ Kill the given component that runs as a daemon, including
+ 'gpg-agent', 'dirmngr', and 'scdaemon'. A 'component' which does
+ not run as a daemon will be ignored. Using "all" for COMPONENT
+ kills all components running as daemons. Note that as of now
+ reload and kill have the same effect for 'scdaemon'.
+
+'--create-socketdir'
+ Create a directory for sockets below /run/user or /var/run/user.
+ This is command is only required if a non default home directory is
+ used and the /run based sockets shall be used. For the default
+ home directory GnUPG creates a directory on the fly.
+
+'--remove-socketdir'
+ Remove a directory created with command '--create-socketdir'.
+
+ The following options may be used:
+
+'-o FILE'
+'--output FILE'
+ Write output to FILE. Default is to write to stdout.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. Specifically, this
+ extends numerical field values by human-readable descriptions.
+
+'-q'
+'--quiet'
+ Try to be as quiet as possible.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'-n'
+'--dry-run'
+ Do not actually change anything. This is currently only
+ implemented for '--change-options' and can be used for testing
+ purposes.
+
+'-r'
+'--runtime'
+ Only used together with '--change-options'. If one of the modified
+ options can be changed in a running daemon process, signal the
+ running daemon to ask it to reparse its configuration file after
+ changing.
+
+ This means that the changes will take effect at run-time, as far as
+ this is possible. Otherwise, they will take effect at the next
+ start of the respective backend programs.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. This
+ program returns the status messages SUCCESS or FAILURE which are
+ helpful when the caller uses a double fork approach and can't
+ easily get the return code of the process.
+
+
+File: gnupg.info, Node: Format conventions, Next: Listing components, Prev: Invoking gpgconf, Up: gpgconf
+
+9.4.2 Format conventions
+------------------------
+
+Some lines in the output of 'gpgconf' contain a list of colon-separated
+fields. The following conventions apply:
+
+ * The GUI program is required to strip off trailing newline and/or
+ carriage return characters from the output.
+
+ * 'gpgconf' will never leave out fields. If a certain version
+ provides a certain field, this field will always be present in all
+ 'gpgconf' versions from that time on.
+
+ * Future versions of 'gpgconf' might append fields to the list. New
+ fields will always be separated from the previously last field by a
+ colon separator. The GUI should be prepared to parse the last
+ field it knows about up until a colon or end of line.
+
+ * Not all fields are defined under all conditions. You are required
+ to ignore the content of undefined fields.
+
+ There are several standard types for the content of a field:
+
+verbatim
+ Some fields contain strings that are not escaped in any way. Such
+ fields are described to be used _verbatim_. These fields will
+ never contain a colon character (for obvious reasons). No
+ de-escaping or other formatting is required to use the field
+ content. This is for easy parsing of the output, when it is known
+ that the content can never contain any special characters.
+
+percent-escaped
+ Some fields contain strings that are described to be
+ _percent-escaped_. Such strings need to be de-escaped before their
+ content can be presented to the user. A percent-escaped string is
+ de-escaped by replacing all occurrences of '%XY' by the byte that
+ has the hexadecimal value 'XY'. 'X' and 'Y' are from the set
+ '0-9a-f'.
+
+localized
+ Some fields contain strings that are described to be _localized_.
+ Such strings are translated to the active language and formatted in
+ the active character set.
+
+unsigned number
+ Some fields contain an _unsigned number_. This number will always
+ fit into a 32-bit unsigned integer variable. The number may be
+ followed by a space, followed by a human readable description of
+ that value (if the verbose option is used). You should ignore
+ everything in the field that follows the number.
+
+signed number
+ Some fields contain a _signed number_. This number will always fit
+ into a 32-bit signed integer variable. The number may be followed
+ by a space, followed by a human readable description of that value
+ (if the verbose option is used). You should ignore everything in
+ the field that follows the number.
+
+boolean value
+ Some fields contain a _boolean value_. This is a number with
+ either the value 0 or 1. The number may be followed by a space,
+ followed by a human readable description of that value (if the
+ verbose option is used). You should ignore everything in the field
+ that follows the number; checking just the first character is
+ sufficient in this case.
+
+option
+ Some fields contain an _option_ argument. The format of an option
+ argument depends on the type of the option and on some flags:
+
+ no argument
+ The simplest case is that the option does not take an argument
+ at all (TYPE '0'). Then the option argument is an unsigned
+ number that specifies how often the option occurs. If the
+ 'list' flag is not set, then the only valid number is '1'.
+ Options that do not take an argument never have the 'default'
+ or 'optional arg' flag set.
+
+ number
+ If the option takes a number argument (ALT-TYPE is '2' or
+ '3'), and it can only occur once ('list' flag is not set),
+ then the option argument is either empty (only allowed if the
+ argument is optional), or it is a number. A number is a
+ string that begins with an optional minus character, followed
+ by one or more digits. The number must fit into an integer
+ variable (unsigned or signed, depending on ALT-TYPE).
+
+ number list
+ If the option takes a number argument and it can occur more
+ than once, then the option argument is either empty, or it is
+ a comma-separated list of numbers as described above.
+
+ string
+ If the option takes a string argument (ALT-TYPE is 1), and it
+ can only occur once ('list' flag is not set) then the option
+ argument is either empty (only allowed if the argument is
+ optional), or it starts with a double quote character ('"')
+ followed by a percent-escaped string that is the argument
+ value. Note that there is only a leading double quote
+ character, no trailing one. The double quote character is
+ only needed to be able to differentiate between no value and
+ the empty string as value.
+
+ string list
+ If the option takes a string argument and it can occur more
+ than once, then the option argument is either empty, or it is
+ a comma-separated list of string arguments as described above.
+
+ The active language and character set are currently determined from
+the locale environment of the 'gpgconf' program.
+
+
+File: gnupg.info, Node: Listing components, Next: Checking programs, Prev: Format conventions, Up: gpgconf
+
+9.4.3 Listing components
+------------------------
+
+The command '--list-components' will list all components that can be
+configured with 'gpgconf'. Usually, one component will correspond to
+one GnuPG-related program and contain the options of that program's
+configuration file that can be modified using 'gpgconf'. However, this
+is not necessarily the case. A component might also be a group of
+selected options from several programs, or contain entirely virtual
+options that have a special effect rather than changing exactly one
+option in one configuration file.
+
+ A component is a set of configuration options that semantically
+belong together. Furthermore, several changes to a component can be
+made in an atomic way with a single operation. The GUI could for
+example provide a menu with one entry for each component, or a window
+with one tabulator sheet per component.
+
+ The command '--list-components' lists all available components, one
+per line. The format of each line is:
+
+ 'NAME:DESCRIPTION:PGMNAME:'
+
+NAME
+ This field contains a name tag of the component. The name tag is
+ used to specify the component in all communication with 'gpgconf'.
+ The name tag is to be used _verbatim_. It is thus not in any
+ escaped format.
+
+DESCRIPTION
+ The _string_ in this field contains a human-readable description of
+ the component. It can be displayed to the user of the GUI for
+ informational purposes. It is _percent-escaped_ and _localized_.
+
+PGMNAME
+ The _string_ in this field contains the absolute name of the
+ program's file. It can be used to unambiguously invoke that
+ program. It is _percent-escaped_.
+
+ Example:
+ $ gpgconf --list-components
+ gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
+ gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
+ scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
+ gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
+ dirmngr:Directory Manager:/usr/local/bin/dirmngr:
+
+
+File: gnupg.info, Node: Checking programs, Next: Listing options, Prev: Listing components, Up: gpgconf
+
+9.4.4 Checking programs
+-----------------------
+
+The command '--check-programs' is similar to '--list-components' but
+works on backend programs and not on components. It runs each program
+to test whether it is installed and runnable. This also includes a
+syntax check of all config file options of the program.
+
+ The command '--check-programs' lists all available programs, one per
+line. The format of each line is:
+
+ 'NAME:DESCRIPTION:PGMNAME:AVAIL:OKAY:CFGFILE:LINE:ERROR:'
+
+NAME
+ This field contains a name tag of the program which is identical to
+ the name of the component. The name tag is to be used _verbatim_.
+ It is thus not in any escaped format. This field may be empty to
+ indicate a continuation of error descriptions for the last name.
+ The description and pgmname fields are then also empty.
+
+DESCRIPTION
+ The _string_ in this field contains a human-readable description of
+ the component. It can be displayed to the user of the GUI for
+ informational purposes. It is _percent-escaped_ and _localized_.
+
+PGMNAME
+ The _string_ in this field contains the absolute name of the
+ program's file. It can be used to unambiguously invoke that
+ program. It is _percent-escaped_.
+
+AVAIL
+ The _boolean value_ in this field indicates whether the program is
+ installed and runnable.
+
+OKAY
+ The _boolean value_ in this field indicates whether the program's
+ config file is syntactically okay.
+
+CFGFILE
+ If an error occurred in the configuration file (as indicated by a
+ false value in the field 'okay'), this field has the name of the
+ failing configuration file. It is _percent-escaped_.
+
+LINE
+ If an error occurred in the configuration file, this field has the
+ line number of the failing statement in the configuration file. It
+ is an _unsigned number_.
+
+ERROR
+ If an error occurred in the configuration file, this field has the
+ error text of the failing statement in the configuration file. It
+ is _percent-escaped_ and _localized_.
+
+In the following example the 'dirmngr' is not runnable and the
+configuration file of 'scdaemon' is not okay.
+
+ $ gpgconf --check-programs
+ gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
+ gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
+ scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
+ gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
+ dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
+
+The command '--check-options COMPONENT' will verify the configuration
+file in the same manner as '--check-programs', but only for the
+component COMPONENT.
+
+
+File: gnupg.info, Node: Listing options, Next: Changing options, Prev: Checking programs, Up: gpgconf
+
+9.4.5 Listing options
+---------------------
+
+Every component contains one or more options. Options may be gathered
+into option groups to allow the GUI to give visual hints to the user
+about which options are related.
+
+ The command '--list-options COMPONENT' lists all options (and the
+groups they belong to) in the component COMPONENT, one per line.
+COMPONENT must be the string in the field NAME in the output of the
+'--list-components' command.
+
+ Take care if system-wide options are used: gpgconf may not be able to
+properly show the options and the listed options may have no actual
+effect in case the system-wide options enforced their own settings.
+
+ There is one line for each option and each group. First come all
+options that are not in any group. Then comes a line describing a
+group. Then come all options that belong into each group. Then comes
+the next group and so on. There does not need to be any group (and in
+this case the output will stop after the last non-grouped option).
+
+ The format of each line is:
+
+ 'NAME:FLAGS:LEVEL:DESCRIPTION:TYPE:ALT-TYPE:ARGNAME:DEFAULT:ARGDEF:VALUE'
+
+NAME
+ This field contains a name tag for the group or option. The name
+ tag is used to specify the group or option in all communication
+ with 'gpgconf'. The name tag is to be used _verbatim_. It is thus
+ not in any escaped format.
+
+FLAGS
+ The flags field contains an _unsigned number_. Its value is the
+ OR-wise combination of the following flag values:
+
+ 'group (1)'
+ If this flag is set, this is a line describing a group and not
+ an option.
+
+ The following flag values are only defined for options (that is, if
+ the 'group' flag is not used).
+
+ 'optional arg (2)'
+ If this flag is set, the argument is optional. This is never
+ set for TYPE '0' (none) options.
+
+ 'list (4)'
+ If this flag is set, the option can be given multiple times.
+
+ 'runtime (8)'
+ If this flag is set, the option can be changed at runtime.
+
+ 'default (16)'
+ If this flag is set, a default value is available.
+
+ 'default desc (32)'
+ If this flag is set, a (runtime) default is available. This
+ and the 'default' flag are mutually exclusive.
+
+ 'no arg desc (64)'
+ If this flag is set, and the 'optional arg' flag is set, then
+ the option has a special meaning if no argument is given.
+
+ 'no change (128)'
+ If this flag is set, 'gpgconf' ignores requests to change the
+ value. GUI frontends should grey out this option. Note, that
+ manual changes of the configuration files are still possible.
+
+LEVEL
+ This field is defined for options and for groups. It contains an
+ _unsigned number_ that specifies the expert level under which this
+ group or option should be displayed. The following expert levels
+ are defined for options (they have analogous meaning for groups):
+
+ 'basic (0)'
+ This option should always be offered to the user.
+
+ 'advanced (1)'
+ This option may be offered to advanced users.
+
+ 'expert (2)'
+ This option should only be offered to expert users.
+
+ 'invisible (3)'
+ This option should normally never be displayed, not even to
+ expert users.
+
+ 'internal (4)'
+ This option is for internal use only. Ignore it.
+
+ The level of a group will always be the lowest level of all options
+ it contains.
+
+DESCRIPTION
+ This field is defined for options and groups. The _string_ in this
+ field contains a human-readable description of the option or group.
+ It can be displayed to the user of the GUI for informational
+ purposes. It is _percent-escaped_ and _localized_.
+
+TYPE
+ This field is only defined for options. It contains an _unsigned
+ number_ that specifies the type of the option's argument, if any.
+ The following types are defined:
+
+ Basic types:
+
+ 'none (0)'
+ No argument allowed.
+
+ 'string (1)'
+ An _unformatted string_.
+
+ 'int32 (2)'
+ A _signed number_.
+
+ 'uint32 (3)'
+ An _unsigned number_.
+
+ Complex types:
+
+ 'pathname (32)'
+ A _string_ that describes the pathname of a file. The file
+ does not necessarily need to exist.
+
+ 'ldap server (33)'
+ A _string_ that describes an LDAP server in the format:
+
+ 'HOSTNAME:PORT:USERNAME:PASSWORD:BASE_DN'
+
+ 'key fingerprint (34)'
+ A _string_ with a 40 digit fingerprint specifying a
+ certificate.
+
+ 'pub key (35)'
+ A _string_ that describes a certificate by user ID, key ID or
+ fingerprint.
+
+ 'sec key (36)'
+ A _string_ that describes a certificate with a key by user ID,
+ key ID or fingerprint.
+
+ 'alias list (37)'
+ A _string_ that describes an alias list, like the one used
+ with gpg's group option. The list consists of a key, an equal
+ sign and space separated values.
+
+ More types will be added in the future. Please see the ALT-TYPE
+ field for information on how to cope with unknown types.
+
+ALT-TYPE
+ This field is identical to TYPE, except that only the types '0' to
+ '31' are allowed. The GUI is expected to present the user the
+ option in the format specified by TYPE. But if the argument type
+ TYPE is not supported by the GUI, it can still display the option
+ in the more generic basic type ALT-TYPE. The GUI must support all
+ the defined basic types to be able to display all options. More
+ basic types may be added in future versions. If the GUI encounters
+ a basic type it doesn't support, it should report an error and
+ abort the operation.
+
+ARGNAME
+ This field is only defined for options with an argument type TYPE
+ that is not '0'. In this case it may contain a _percent-escaped_
+ and _localized string_ that gives a short name for the argument.
+ The field may also be empty, though, in which case a short name is
+ not known.
+
+DEFAULT
+ This field is defined only for options for which the 'default' or
+ 'default desc' flag is set. If the 'default' flag is set, its
+ format is that of an _option argument_ (*note Format conventions::,
+ for details). If the default value is empty, then no default is
+ known. Otherwise, the value specifies the default value for this
+ option. If the 'default desc' flag is set, the field is either
+ empty or contains a description of the effect if the option is not
+ given.
+
+ARGDEF
+ This field is defined only for options for which the 'optional arg'
+ flag is set. If the 'no arg desc' flag is not set, its format is
+ that of an _option argument_ (*note Format conventions::, for
+ details). If the default value is empty, then no default is known.
+ Otherwise, the value specifies the default argument for this
+ option. If the 'no arg desc' flag is set, the field is either
+ empty or contains a description of the effect of this option if no
+ argument is given.
+
+VALUE
+ This field is defined only for options. Its format is that of an
+ _option argument_. If it is empty, then the option is not
+ explicitly set in the current configuration, and the default
+ applies (if any). Otherwise, it contains the current value of the
+ option. Note that this field is also meaningful if the option
+ itself does not take a real argument (in this case, it contains the
+ number of times the option appears).
+
+
+File: gnupg.info, Node: Changing options, Next: Listing global options, Prev: Listing options, Up: gpgconf
+
+9.4.6 Changing options
+----------------------
+
+The command '--change-options COMPONENT' will attempt to change the
+options of the component COMPONENT to the specified values. COMPONENT
+must be the string in the field NAME in the output of the
+'--list-components' command. You have to provide the options that shall
+be changed in the following format on standard input:
+
+ 'NAME:FLAGS:NEW-VALUE'
+
+NAME
+ This is the name of the option to change. NAME must be the string
+ in the field NAME in the output of the '--list-options' command.
+
+FLAGS
+ The flags field contains an _unsigned number_. Its value is the
+ OR-wise combination of the following flag values:
+
+ 'default (16)'
+ If this flag is set, the option is deleted and the default
+ value is used instead (if applicable).
+
+NEW-VALUE
+ The new value for the option. This field is only defined if the
+ 'default' flag is not set. The format is that of an _option
+ argument_. If it is empty (or the field is omitted), the default
+ argument is used (only allowed if the argument is optional for this
+ option). Otherwise, the option will be set to the specified value.
+
+The output of the command is the same as that of '--check-options' for
+the modified configuration file.
+
+ Examples:
+
+ To set the force option, which is of basic type 'none (0)':
+
+ $ echo 'force:0:1' | gpgconf --change-options dirmngr
+
+ To delete the force option:
+
+ $ echo 'force:16:' | gpgconf --change-options dirmngr
+
+ The '--runtime' option can influence when the changes take effect.
+
+
+File: gnupg.info, Node: Listing global options, Next: Querying versions, Prev: Changing options, Up: gpgconf
+
+9.4.7 Listing global options
+----------------------------
+
+Some legacy applications look at the global configuration file for the
+gpgconf tool itself; this is the file 'gpgconf.conf'. Modern
+applications should not use it but use per component global
+configuration files which are more flexible than the 'gpgconf.conf'.
+Using both files is not suggested.
+
+ The colon separated listing format is record oriented and uses the
+first field to identify the record type:
+
+'k'
+ This describes a key record to start the definition of a new
+ ruleset for a user/group. The format of a key record is:
+
+ 'k:USER:GROUP:'
+
+ USER
+ This is the user field of the key. It is percent escaped.
+ See the definition of the gpgconf.conf format for details.
+
+ GROUP
+ This is the group field of the key. It is percent escaped.
+
+'r'
+ This describes a rule record. All rule records up to the next key
+ record make up a rule set for that key. The format of a rule
+ record is:
+
+ 'r:::COMPONENT:OPTION:FLAG:VALUE:'
+
+ COMPONENT
+ This is the component part of a rule. It is a plain string.
+
+ OPTION
+ This is the option part of a rule. It is a plain string.
+
+ FLAG
+ This is the flags part of a rule. There may be only one flag
+ per rule but by using the same component and option, several
+ flags may be assigned to an option. It is a plain string.
+
+ VALUE
+ This is the optional value for the option. It is a percent
+ escaped string with a single quotation mark to indicate a
+ string. The quotation mark is only required to distinguish
+ between no value specified and an empty string.
+
+Unknown record types should be ignored. Note that there is
+intentionally no feature to change the global option file through
+'gpgconf'.
+
+
+File: gnupg.info, Node: Querying versions, Next: Files used by gpgconf, Prev: Listing global options, Up: gpgconf
+
+9.4.8 Get and compare software versions.
+----------------------------------------
+
+The GnuPG Project operates a server to query the current versions of
+software packages related to GnuPG. 'gpgconf' can be used to access this
+online database. To allow for offline operations, this feature works by
+having 'dirmngr' download a file from 'https://versions.gnupg.org',
+checking the signature of that file and storing the file in the GnuPG
+home directory. If 'gpgconf' is used and 'dirmngr' is running, it may
+ask 'dirmngr' to refresh that file before itself uses the file.
+
+ The command '--query-swdb' returns information for the given package
+in a colon delimited format:
+
+NAME
+ This is the name of the package as requested. Note that "gnupg" is
+ a special name which is replaced by the actual package implementing
+ this version of GnuPG. For this name it is also not required to
+ specify a version because 'gpgconf' takes its own version in this
+ case.
+
+IVERSION
+ The currently installed version or an empty string. The value is
+ taken from the command line argument but may be provided by gpg if
+ not given.
+
+STATUS
+ The status of the software package according to this table:
+ '-'
+ No information available. This is either because no current
+ version has been specified or due to an error.
+ '?'
+ The given name is not known in the online database.
+ 'u'
+ An update of the software is available.
+ 'c'
+ The installed version of the software is current.
+ 'n'
+ The installed version is already newer than the released
+ version.
+
+URGENCY
+ If the value (the empty string should be considered as zero) is
+ greater than zero an important update is available.
+
+ERROR
+ This returns an 'gpg-error' error code to distinguish between
+ various failure modes.
+
+FILEDATE
+ This gives the date of the file with the version numbers in
+ standard ISO format ('yyyymmddThhmmss'). The date has been
+ extracted by 'dirmngr' from the signature of the file.
+
+VERIFIED
+ This gives the date in ISO format the file was downloaded. This
+ value can be used to evaluate the freshness of the information.
+
+VERSION
+ This returns the version string for the requested software from the
+ file.
+
+RELDATE
+ This returns the release date in ISO format.
+
+SIZE
+ This returns the size of the package as decimal number of bytes.
+
+HASH
+ This returns a hexified SHA-2 hash of the package.
+
+More fields may be added in future to the output.
+
+
+File: gnupg.info, Node: Files used by gpgconf, Prev: Querying versions, Up: gpgconf
+
+9.4.9 Files used by gpgconf
+---------------------------
+
+'/etc/gnupg/gpgconf.conf'
+ If this file exists, it is processed as a global configuration
+ file. This is a legacy mechanism which should not be used tigether
+ with the modern global per component configuration files. A
+ commented example can be found in the 'examples' directory of the
+ distribution.
+
+'GNUPGHOME/swdb.lst'
+ A file with current software versions. 'dirmngr' creates this file
+ on demand from an online resource.
+
+
+File: gnupg.info, Node: applygnupgdefaults, Next: gpg-preset-passphrase, Prev: gpgconf, Up: Helper Tools
+
+9.5 Run gpgconf for all users
+=============================
+
+This is a legacy script. Modern application should use the per
+component global configuration files under '/etc/gnupg/'.
+
+ This script is a wrapper around 'gpgconf' to run it with the command
+'--apply-defaults' for all real users with an existing GnuPG home
+directory. Admins might want to use this script to update he GnuPG
+configuration files for all users after '/etc/gnupg/gpgconf.conf' has
+been changed. This allows enforcing certain policies for all users.
+Note, that this is not a bulletproof way to force a user to use certain
+options. A user may always directly edit the configuration files and
+bypass gpgconf.
+
+'applygnupgdefaults' is invoked by root as:
+
+ applygnupgdefaults
+
+
+File: gnupg.info, Node: gpg-preset-passphrase, Next: gpg-connect-agent, Prev: applygnupgdefaults, Up: Helper Tools
+
+9.6 Put a passphrase into the cache
+===================================
+
+The 'gpg-preset-passphrase' is a utility to seed the internal cache of a
+running 'gpg-agent' with passphrases. It is mainly useful for
+unattended machines, where the usual 'pinentry' tool may not be used and
+the passphrases for the to be used keys are given at machine startup.
+
+ This program works with GnuPG 2 and later. GnuPG 1.x is not
+supported.
+
+ Passphrases set with this utility don't expire unless the '--forget'
+option is used to explicitly clear them from the cache -- or 'gpg-agent'
+is either restarted or reloaded (by sending a SIGHUP to it). Note that
+the maximum cache time as set with '--max-cache-ttl' is still honored.
+It is necessary to allow this passphrase presetting by starting
+'gpg-agent' with the '--allow-preset-passphrase'.
+
+* Menu:
+
+* Invoking gpg-preset-passphrase:: List of all commands and options.
+
+
+File: gnupg.info, Node: Invoking gpg-preset-passphrase, Up: gpg-preset-passphrase
+
+9.6.1 List of all commands and options
+--------------------------------------
+
+'gpg-preset-passphrase' is invoked this way:
+
+ gpg-preset-passphrase [options] [command] CACHEID
+
+ CACHEID is either a 40 character keygrip of hexadecimal characters
+identifying the key for which the passphrase should be set or cleared.
+The keygrip is listed along with the key when running the command:
+'gpgsm --with-keygrip --list-secret-keys'. Alternatively an arbitrary
+string may be used to identify a passphrase; it is suggested that such a
+string is prefixed with the name of the application (e.g 'foo:12346').
+Scripts should always use the option '--with-colons', which provides the
+keygrip in a "grp" line (cf. 'doc/DETAILS')/
+
+One of the following command options must be given:
+
+'--preset'
+ Preset a passphrase. This is what you usually will use.
+ 'gpg-preset-passphrase' will then read the passphrase from 'stdin'.
+
+'--forget'
+ Flush the passphrase for the given cache ID from the cache.
+
+The following additional options may be used:
+
+'-v'
+'--verbose'
+ Output additional information while running.
+
+'-P STRING'
+'--passphrase STRING'
+ Instead of reading the passphrase from 'stdin', use the supplied
+ STRING as passphrase. Note that this makes the passphrase visible
+ for other users.
+
+
+File: gnupg.info, Node: gpg-connect-agent, Next: dirmngr-client, Prev: gpg-preset-passphrase, Up: Helper Tools
+
+9.7 Communicate with a running agent
+====================================
+
+The 'gpg-connect-agent' is a utility to communicate with a running
+'gpg-agent'. It is useful to check out the commands 'gpg-agent'
+provides using the Assuan interface. It might also be useful for
+scripting simple applications. Input is expected at stdin and output
+gets printed to stdout.
+
+ It is very similar to running 'gpg-agent' in server mode; but here we
+connect to a running instance.
+
+* Menu:
+
+* Invoking gpg-connect-agent:: List of all options.
+* Controlling gpg-connect-agent:: Control commands.
+
+
+File: gnupg.info, Node: Invoking gpg-connect-agent, Next: Controlling gpg-connect-agent, Up: gpg-connect-agent
+
+9.7.1 List of all options
+-------------------------
+
+'gpg-connect-agent' is invoked this way:
+
+ gpg-connect-agent [options] [commands]
+
+The following options may be used:
+
+'-v'
+'--verbose'
+ Output additional information while running.
+
+'-q'
+'--quiet'
+ Try to be as quiet as possible.
+
+'--homedir DIR'
+ Set the name of the home directory to DIR. If this option is not
+ used, the home directory defaults to '~/.gnupg'. It is only
+ recognized when given on the command line. It also overrides any
+ home directory stated through the environment variable 'GNUPGHOME'
+ or (on Windows systems) by means of the Registry entry
+ HKCU\SOFTWARE\GNU\GNUPG:HOMEDIR.
+
+ On Windows systems it is possible to install GnuPG as a portable
+ application. In this case only this command line option is
+ considered, all other ways to set a home directory are ignored.
+
+ To install GnuPG as a portable application under Windows, create an
+ empty file named 'gpgconf.ctl' in the same directory as the tool
+ 'gpgconf.exe'. The root of the installation is then that
+ directory; or, if 'gpgconf.exe' has been installed directly below a
+ directory named 'bin', its parent directory. You also need to make
+ sure that the following directories exist and are writable:
+ 'ROOT/home' for the GnuPG home and 'ROOT/usr/local/var/cache/gnupg'
+ for internal cache files.
+
+'--agent-program FILE'
+ Specify the agent program to be started if none is running. The
+ default value is determined by running 'gpgconf' with the option
+ '--list-dirs'. Note that the pipe symbol ('|') is used for a
+ regression test suite hack and may thus not be used in the file
+ name.
+
+'--dirmngr-program FILE'
+ Specify the directory manager (keyserver client) program to be
+ started if none is running. This has only an effect if used
+ together with the option '--dirmngr'.
+
+'--dirmngr'
+ Connect to a running directory manager (keyserver client) instead
+ of to the gpg-agent. If a dirmngr is not running, start it.
+
+'-S'
+'--raw-socket NAME'
+ Connect to socket NAME assuming this is an Assuan style server. Do
+ not run any special initializations or environment checks. This
+ may be used to directly connect to any Assuan style socket server.
+
+'-E'
+'--exec'
+ Take the rest of the command line as a program and it's arguments
+ and execute it as an Assuan server. Here is how you would run
+ 'gpgsm':
+ gpg-connect-agent --exec gpgsm --server
+ Note that you may not use options on the command line in this case.
+
+'--no-ext-connect'
+ When using '-S' or '--exec', 'gpg-connect-agent' connects to the
+ Assuan server in extended mode to allow descriptor passing. This
+ option makes it use the old mode.
+
+'--no-autostart'
+ Do not start the gpg-agent or the dirmngr if it has not yet been
+ started.
+
+'-r FILE'
+'--run FILE'
+ Run the commands from FILE at startup and then continue with the
+ regular input method. Note, that commands given on the command
+ line are executed after this file.
+
+'-s'
+'--subst'
+ Run the command '/subst' at startup.
+
+'--hex'
+ Print data lines in a hex format and the ASCII representation of
+ non-control characters.
+
+'--decode'
+ Decode data lines. That is to remove percent escapes but make sure
+ that a new line always starts with a D and a space.
+
+
+File: gnupg.info, Node: Controlling gpg-connect-agent, Prev: Invoking gpg-connect-agent, Up: gpg-connect-agent
+
+9.7.2 Control commands
+----------------------
+
+While reading Assuan commands, gpg-agent also allows a few special
+commands to control its operation. These control commands all start
+with a slash ('/').
+
+'/echo ARGS'
+ Just print ARGS.
+
+'/let NAME VALUE'
+ Set the variable NAME to VALUE. Variables are only substituted on
+ the input if the '/subst' has been used. Variables are referenced
+ by prefixing the name with a dollar sign and optionally include the
+ name in curly braces. The rules for a valid name are identically
+ to those of the standard bourne shell. This is not yet enforced
+ but may be in the future. When used with curly braces no leading
+ or trailing white space is allowed.
+
+ If a variable is not found, it is searched in the environment and
+ if found copied to the table of variables.
+
+ Variable functions are available: The name of the function must be
+ followed by at least one space and the at least one argument. The
+ following functions are available:
+
+ 'get'
+ Return a value described by the argument. Available arguments
+ are:
+
+ 'cwd'
+ The current working directory.
+ 'homedir'
+ The gnupg homedir.
+ 'sysconfdir'
+ GnuPG's system configuration directory.
+ 'bindir'
+ GnuPG's binary directory.
+ 'libdir'
+ GnuPG's library directory.
+ 'libexecdir'
+ GnuPG's library directory for executable files.
+ 'datadir'
+ GnuPG's data directory.
+ 'serverpid'
+ The PID of the current server. Command '/serverpid' must
+ have been given to return a useful value.
+
+ 'unescape ARGS'
+ Remove C-style escapes from ARGS. Note that '\0' and '\x00'
+ terminate the returned string implicitly. The string to be
+ converted are the entire arguments right behind the delimiting
+ space of the function name.
+
+ 'unpercent ARGS'
+ 'unpercent+ ARGS'
+ Remove percent style escaping from ARGS. Note that '%00'
+ terminates the string implicitly. The string to be converted
+ are the entire arguments right behind the delimiting space of
+ the function name. 'unpercent+' also maps plus signs to a
+ spaces.
+
+ 'percent ARGS'
+ 'percent+ ARGS'
+ Escape the ARGS using percent style escaping. Tabs,
+ formfeeds, linefeeds, carriage returns and colons are escaped.
+ 'percent+' also maps spaces to plus signs.
+
+ 'errcode ARG'
+ 'errsource ARG'
+ 'errstring ARG'
+ Assume ARG is an integer and evaluate it using 'strtol'.
+ Return the gpg-error error code, error source or a formatted
+ string with the error code and error source.
+
+ '+'
+ '-'
+ '*'
+ '/'
+ '%'
+ Evaluate all arguments as long integers using 'strtol' and
+ apply this operator. A division by zero yields an empty
+ string.
+
+ '!'
+ '|'
+ '&'
+ Evaluate all arguments as long integers using 'strtol' and
+ apply the logical operators NOT, OR or AND. The NOT operator
+ works on the last argument only.
+
+'/definq NAME VAR'
+ Use content of the variable VAR for inquiries with NAME. NAME may
+ be an asterisk ('*') to match any inquiry.
+
+'/definqfile NAME FILE'
+ Use content of FILE for inquiries with NAME. NAME may be an
+ asterisk ('*') to match any inquiry.
+
+'/definqprog NAME PROG'
+ Run PROG for inquiries matching NAME and pass the entire line to it
+ as command line arguments.
+
+'/datafile NAME'
+ Write all data lines from the server to the file NAME. The file is
+ opened for writing and created if it does not exists. An existing
+ file is first truncated to 0. The data written to the file fully
+ decoded. Using a single dash for NAME writes to stdout. The file
+ is kept open until a new file is set using this command or this
+ command is used without an argument.
+
+'/showdef'
+ Print all definitions
+
+'/cleardef'
+ Delete all definitions
+
+'/sendfd FILE MODE'
+ Open FILE in MODE (which needs to be a valid 'fopen' mode string)
+ and send the file descriptor to the server. This is usually
+ followed by a command like 'INPUT FD' to set the input source for
+ other commands.
+
+'/recvfd'
+ Not yet implemented.
+
+'/open VAR FILE [MODE]'
+ Open FILE and assign the file descriptor to VAR. Warning: This
+ command is experimental and might change in future versions.
+
+'/close FD'
+ Close the file descriptor FD. Warning: This command is
+ experimental and might change in future versions.
+
+'/showopen'
+ Show a list of open files.
+
+'/serverpid'
+ Send the Assuan command 'GETINFO pid' to the server and store the
+ returned PID for internal purposes.
+
+'/sleep'
+ Sleep for a second.
+
+'/hex'
+'/nohex'
+ Same as the command line option '--hex'.
+
+'/decode'
+'/nodecode'
+ Same as the command line option '--decode'.
+
+'/subst'
+'/nosubst'
+ Enable and disable variable substitution. It defaults to disabled
+ unless the command line option '--subst' has been used. If /subst
+ as been enabled once, leading whitespace is removed from input
+ lines which makes scripts easier to read.
+
+'/while CONDITION'
+'/end'
+ These commands provide a way for executing loops. All lines
+ between the 'while' and the corresponding 'end' are executed as
+ long as the evaluation of CONDITION yields a non-zero value or is
+ the string 'true' or 'yes'. The evaluation is done by passing
+ CONDITION to the 'strtol' function. Example:
+
+ /subst
+ /let i 3
+ /while $i
+ /echo loop counter is $i
+ /let i ${- $i 1}
+ /end
+
+'/if CONDITION'
+'/end'
+ These commands provide a way for conditional execution. All lines
+ between the 'if' and the corresponding 'end' are executed only if
+ the evaluation of CONDITION yields a non-zero value or is the
+ string 'true' or 'yes'. The evaluation is done by passing
+ CONDITION to the 'strtol' function.
+
+'/run FILE'
+ Run commands from FILE.
+
+'/bye'
+ Terminate the connection and the program.
+
+'/help'
+ Print a list of available control commands.
+
+
+File: gnupg.info, Node: dirmngr-client, Next: gpgparsemail, Prev: gpg-connect-agent, Up: Helper Tools
+
+9.8 The Dirmngr Client Tool
+===========================
+
+The 'dirmngr-client' is a simple tool to contact a running dirmngr and
+test whether a certificate has been revoked -- either by being listed in
+the corresponding CRL or by running the OCSP protocol. If no dirmngr is
+running, a new instances will be started but this is in general not a
+good idea due to the huge performance overhead.
+
+The usual way to run this tool is either:
+
+ dirmngr-client ACERT
+
+or
+
+ dirmngr-client <ACERT
+
+ Where ACERT is one DER encoded (binary) X.509 certificates to be
+tested. The return value of this command is
+
+'0'
+ The certificate under question is valid; i.e. there is a valid CRL
+ available and it is not listed there or the OCSP request returned
+ that that certificate is valid.
+
+'1'
+ The certificate has been revoked
+
+'2 (and other values)'
+ There was a problem checking the revocation state of the
+ certificate. A message to stderr has given more detailed
+ information. Most likely this is due to a missing or expired CRL
+ or due to a network problem.
+
+'dirmngr-client' may be called with the following options:
+
+'--version'
+ Print the program version and licensing information. Note that you
+ cannot abbreviate this command.
+
+'--help, -h'
+ Print a usage message summarizing the most useful command-line
+ options. Note that you cannot abbreviate this command.
+
+'--quiet, -q'
+ Make the output extra brief by suppressing any informational
+ messages.
+
+'-v'
+'--verbose'
+ Outputs additional information while running. You can increase the
+ verbosity by giving several verbose commands to DIRMNGR, such as
+ '-vv'.
+
+'--pem'
+ Assume that the given certificate is in PEM (armored) format.
+
+'--ocsp'
+ Do the check using the OCSP protocol and ignore any CRLs.
+
+'--force-default-responder'
+ When checking using the OCSP protocol, force the use of the default
+ OCSP responder. That is not to use the Reponder as given by the
+ certificate.
+
+'--ping'
+ Check whether the dirmngr daemon is up and running.
+
+'--cache-cert'
+ Put the given certificate into the cache of a running dirmngr.
+ This is mainly useful for debugging.
+
+'--validate'
+ Validate the given certificate using dirmngr's internal validation
+ code. This is mainly useful for debugging.
+
+'--load-crl'
+ This command expects a list of filenames with DER encoded CRL
+ files. With the option '--url' URLs are expected in place of
+ filenames and they are loaded directly from the given location.
+ All CRLs will be validated and then loaded into dirmngr's cache.
+
+'--lookup'
+ Take the remaining arguments and run a lookup command on each of
+ them. The results are Base-64 encoded outputs (without header
+ lines). This may be used to retrieve certificates from a server.
+ However the output format is not very well suited if more than one
+ certificate is returned.
+
+'--url'
+'-u'
+ Modify the 'lookup' and 'load-crl' commands to take an URL.
+
+'--local'
+'-l'
+ Let the 'lookup' command only search the local cache.
+
+'--squid-mode'
+ Run DIRMNGR-CLIENT in a mode suitable as a helper program for
+ Squid's 'external_acl_type' option.
+
+
+File: gnupg.info, Node: gpgparsemail, Next: gpgtar, Prev: dirmngr-client, Up: Helper Tools
+
+9.9 Parse a mail message into an annotated format
+=================================================
+
+The 'gpgparsemail' is a utility currently only useful for debugging.
+Run it with '--help' for usage information.
+
+
+File: gnupg.info, Node: gpgtar, Next: gpg-check-pattern, Prev: gpgparsemail, Up: Helper Tools
+
+9.10 Encrypt or sign files into an archive
+==========================================
+
+'gpgtar' encrypts or signs files into an archive. It is an gpg-ized tar
+using the same format as used by PGP's PGP Zip.
+
+'gpgtar' is invoked this way:
+
+ gpgtar [options] FILENAME1 [FILENAME2, ...] DIRECTORY [DIRECTORY2, ...]
+
+'gpgtar' understands these options:
+
+'--create'
+ Put given files and directories into a vanilla "ustar" archive.
+
+'--extract'
+ Extract all files from a vanilla "ustar" archive.
+
+'--encrypt'
+'-e'
+ Encrypt given files and directories into an archive. This option
+ may be combined with option '--symmetric' for an archive that may
+ be decrypted via a secret key or a passphrase.
+
+'--decrypt'
+'-d'
+ Extract all files from an encrypted archive.
+
+'--sign'
+'-s'
+ Make a signed archive from the given files and directories. This
+ can be combined with option '--encrypt' to create a signed and then
+ encrypted archive.
+
+'--list-archive'
+'-t'
+ List the contents of the specified archive.
+
+'--symmetric'
+'-c'
+ Encrypt with a symmetric cipher using a passphrase. The default
+ symmetric cipher used is AES-128, but may be chosen with the
+ '--cipher-algo' option to 'gpg'.
+
+'--recipient USER'
+'-r USER'
+ Encrypt for user id USER. For details see 'gpg'.
+
+'--local-user USER'
+'-u USER'
+ Use USER as the key to sign with. For details see 'gpg'.
+
+'--output FILE'
+'-o FILE'
+ Write the archive to the specified file FILE.
+
+'--verbose'
+'-v'
+ Enable extra informational output.
+
+'--quiet'
+'-q'
+ Try to be as quiet as possible.
+
+'--skip-crypto'
+ Skip all crypto operations and create or extract vanilla "ustar"
+ archives.
+
+'--dry-run'
+ Do not actually output the extracted files.
+
+'--directory DIR'
+'-C DIR'
+ Extract the files into the directory DIR. The default is to take
+ the directory name from the input filename. If no input filename
+ is known a directory named 'GPGARCH' is used. For tarball
+ creation, switch to directory DIR before performing any operations.
+
+'--files-from FILE'
+'-T FILE'
+ Take the file names to work from the file FILE; one file per line.
+
+'--null'
+ Modify option '--files-from' to use a binary nul instead of a
+ linefeed to separate file names.
+
+'--utf8-strings'
+ Assume that the file names read by '--files-from' are UTF-8
+ encoded. This option has an effect only on Windows where the
+ active code page is otherwise assumed.
+
+'--openpgp'
+ This option has no effect because OpenPGP encryption and signing is
+ the default.
+
+'--cms'
+ This option is reserved and shall not be used. It will eventually
+ be used to encrypt or sign using the CMS protocol; but that is not
+ yet implemented.
+
+'--batch'
+ Use batch mode. Never ask but use the default action. This option
+ is passed directly to 'gpg'.
+
+'--yes'
+ Assume "yes" on most questions. Often used together with '--batch'
+ to overwrite existing files. This option is passed directly to
+ 'gpg'.
+
+'--no'
+ Assume "no" on most questions. This option is passed directly to
+ 'gpg'.
+
+'--require-compliance'
+ This option is passed directly to 'gpg'.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. See the
+ file DETAILS in the documentation for a listing of them.
+
+'--with-log'
+ When extracting an encrypted tarball also write a log file with the
+ gpg output to a file named after the extraction directory with the
+ suffix ".log".
+
+'--set-filename FILE'
+ Use the last component of FILE as the output directory. The
+ default is to take the directory name from the input filename. If
+ no input filename is known a directory named 'GPGARCH' is used.
+ This option is deprecated in favor of option '--directory'.
+
+'--gpg GPGCMD'
+ Use the specified command GPGCMD instead of 'gpg'.
+
+'--gpg-args ARGS'
+ Pass the specified extra options to 'gpg'.
+
+'--tar-args ARGS'
+ Assume ARGS are standard options of the command 'tar' and parse
+ them. The only supported tar options are "-directory",
+ "-files-from", and "-null" This is an obsolete options because
+ those supported tar options can also be given directly.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+The program returns 0 if everything was fine, 1 otherwise.
+
+Some examples:
+
+Encrypt the contents of directory 'mydocs' for user Bob to file 'test1':
+
+ gpgtar --encrypt --output test1 -r Bob mydocs
+
+List the contents of archive 'test1':
+
+ gpgtar --list-archive test1
+
+
+File: gnupg.info, Node: gpg-check-pattern, Prev: gpgtar, Up: Helper Tools
+
+9.11 Check a passphrase on stdin against the patternfile
+========================================================
+
+'gpg-check-pattern' checks a passphrase given on stdin against a
+specified pattern file.
+
+ The pattern file is line based with comment lines beginning on the
+_first_ position with a '#'. Empty lines and lines with only white
+spaces are ignored. The actual pattern lines may either be verbatim
+string pattern and match as they are (trailing spaces are ignored) or
+extended regular expressions indicated by a '/' or '!/' in the first
+column and terminated by another '/' or end of line. If a regular
+expression starts with '!/' the match result is reversed. By default
+all comparisons are case insensitive.
+
+ Tag lines may be used to further control the operation of this tool.
+The currently defined tags are:
+
+'[icase]'
+ Switch to case insensitive comparison for all further patterns.
+ This is the default.
+
+'[case]'
+ Switch to case sensitive comparison for all further patterns.
+
+'[reject]'
+ Switch to reject mode. This is the default mode.
+
+'[accept]'
+ Switch to accept mode.
+
+ In the future more tags may be introduced and thus it is advisable
+not to start a plain pattern string with an open bracket. The tags must
+be given verbatim on the line with no spaces to the left or any non
+white space characters to the right.
+
+ In reject mode the program exits on the first match with an exit code
+of 1 (failure). If at the end of the pattern list the reject mode is
+still active the program exits with code 0 (success).
+
+ In accept mode blocks of patterns are used. A block starts at the
+next pattern after an "accept" tag and ends with the last pattern before
+the next "accept" or "reject" tag or at the end of the pattern list. If
+all patterns in a block match the program exits with an exit code of 0
+(success). If any pattern in a block do not match the next pattern
+block is evaluated. If at the end of the pattern list the accept mode
+is still active the program exits with code 1 (failure).
+
+
+'--verbose'
+ Enable extra informational output.
+
+'--check'
+ Run only a syntax check on the patternfile.
+
+'--null'
+ Input is expected to be null delimited.
+
+
+File: gnupg.info, Node: Web Key Service, Next: Howtos, Prev: Helper Tools, Up: Top
+
+10 Web Key Service
+******************
+
+GnuPG comes with tools used to maintain and access a Web Key Directory.
+
+* Menu:
+
+* gpg-wks-client:: Send requests via WKS
+* gpg-wks-server:: Server to provide the WKS.
+
+
+File: gnupg.info, Node: gpg-wks-client, Next: gpg-wks-server, Up: Web Key Service
+
+10.1 Send requests via WKS
+==========================
+
+The 'gpg-wks-client' is used to send requests to a Web Key Service
+provider. This is usually done to upload a key into a Web Key
+Directory.
+
+ With the '--supported' command the caller can test whether a site
+supports the Web Key Service. The argument is an arbitrary address in
+the to be tested domain. For example 'foo@example.net'. The command
+returns success if the Web Key Service is supported. The operation is
+silent; to get diagnostic output use the option '--verbose'. See option
+'--with-colons' for a variant of this command.
+
+ With the '--check' command the caller can test whether a key exists
+for a supplied mail address. The command returns success if a key is
+available.
+
+ The '--create' command is used to send a request for publication in
+the Web Key Directory. The arguments are the fingerprint of the key and
+the user id to publish. The output from the command is a properly
+formatted mail with all standard headers. This mail can be fed to
+'sendmail(8)' or any other tool to actually send that mail. If
+'sendmail(8)' is installed the option '--send' can be used to directly
+send the created request. If the provider request a 'mailbox-only' user
+id and no such user id is found, 'gpg-wks-client' will try an additional
+user id.
+
+ The '--receive' and '--read' commands are used to process
+confirmation mails as send from the service provider. The former
+expects an encrypted MIME messages, the latter an already decrypted MIME
+message. The result of these commands are another mail which can be
+send in the same way as the mail created with '--create'.
+
+ The command '--install-key' manually installs a key into a local
+directory (see option '-C') reflecting the structure of a WKD. The
+arguments are a file with the keyblock and the user-id to install. If
+the first argument resembles a fingerprint the key is taken from the
+current keyring; to force the use of a file, prefix the first argument
+with "./". If no arguments are given the parameters are read from
+stdin; the expected format are lines with the fingerprint and the
+mailbox separated by a space. The command '--remove-key' removes a key
+from that directory, its only argument is a user-id.
+
+ The command '--mirror' is similar to '--install-key' but takes the
+keys from the the LDAP server configured for Dirmngr. If no arguments
+are given all keys and user ids are installed. If arguments are given
+they are taken as domain names to limit the to be installed keys. The
+option '--blacklist' may be used to further limit the to be installed
+keys.
+
+ The command '--print-wkd-hash' prints the WKD user-id identifiers and
+the corresponding mailboxes from the user-ids given on the command line
+or via stdin (one user-id per line).
+
+ The command '--print-wkd-url' prints the URLs used to fetch the key
+for the given user-ids from WKD. The meanwhile preferred format with
+sub-domains is used here.
+
+ 'gpg-wks-client' is not commonly invoked directly and thus it is not
+installed in the bin directory. Here is an example how it can be
+invoked manually to check for a Web Key Directory entry for
+'foo@example.org':
+
+ $(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@example.net
+
+'gpg-wks-client' understands these options:
+
+'--send'
+ Directly send created mails using the 'sendmail' command. Requires
+ installation of that command.
+
+'--with-colons'
+ This option has currently only an effect on the '--supported'
+ command. If it is used all arguments on the command line are taken
+ as domain names and tested for WKD support. The output format is
+ one line per domain with colon delimited fields. The currently
+ specified fields are (future versions may specify additional
+ fields):
+
+ 1 - domain
+ This is the domain name. Although quoting is not required for
+ valid domain names this field is specified to be quoted in
+ standard C manner.
+
+ 2 - WKD
+ If the value is true the domain supports the Web Key
+ Directory.
+
+ 3 - WKS
+ If the value is true the domain supports the Web Key Service
+ protocol to upload keys to the directory.
+
+ 4 - error-code
+ This may contain an gpg-error code to describe certain
+ failures. Use 'gpg-error CODE' to explain the code.
+
+ 5 - protocol-version
+ The minimum protocol version supported by the server.
+
+ 6 - auth-submit
+ The auth-submit flag from the policy file of the server.
+
+ 7 - mailbox-only
+ The mailbox-only flag from the policy file of the server.
+
+'--output FILE'
+'-o'
+ Write the created mail to FILE instead of stdout. Note that the
+ value '-' for FILE is the same as writing to stdout.
+
+'--status-fd N'
+ Write special status strings to the file descriptor N. This
+ program returns only the status messages SUCCESS or FAILURE which
+ are helpful when the caller uses a double fork approach and can't
+ easily get the return code of the process.
+
+'-C DIR'
+'--directory DIR'
+ Use DIR as top level directory for the commands '--mirror',
+ '--install-key' and '--remove-key'. The default is 'openpgpkey'.
+
+'--blacklist FILE'
+ This option is used to exclude certain mail addresses from a mirror
+ operation. The format of FILE is one mail address (just the
+ addrspec, e.g. "postel@isi.edu") per line. Empty lines and lines
+ starting with a '#' are ignored.
+
+'--verbose'
+ Enable extra informational output.
+
+'--quiet'
+ Disable almost all informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+File: gnupg.info, Node: gpg-wks-server, Prev: gpg-wks-client, Up: Web Key Service
+
+10.2 Provide the Web Key Service
+================================
+
+The 'gpg-wks-server' is a server site implementation of the Web Key
+Service. It receives requests for publication, sends confirmation
+requests, receives confirmations, and published the key. It also has
+features to ease the setup and maintenance of a Web Key Directory.
+
+ When used with the command '--receive' a single Web Key Service mail
+is processed. Commonly this command is used with the option '--send' to
+directly send the crerated mails back. See below for an installation
+example.
+
+ The command '--cron' is used for regualr cleanup tasks. For example
+non-confirmed requested should be removed after their expire time. It
+is best to run this command once a day from a cronjob.
+
+ The command '--list-domains' prints all configured domains. Further
+it creates missing directories for the configuration and prints warnings
+pertaining to problems in the configuration.
+
+ The command '--check-key' (or just '--check') checks whether a key
+with the given user-id is installed. The process returns success in
+this case; to also print a diagnostic use the option '-v'. If the key
+is not installed a diagnostic is printed and the process returns
+failure; to suppress the diagnostic, use option '-q'. More than one
+user-id can be given; see also option 'with-file'.
+
+ The command '--install-key' manually installs a key into the WKD. The
+arguments are a file with the keyblock and the user-id to install. If
+the first argument resembles a fingerprint the key is taken from the
+current keyring; to force the use of a file, prefix the first argument
+with "./". If no arguments are given the parameters are read from
+stdin; the expected format are lines with the fingerprint and the
+mailbox separated by a space.
+
+ The command '--remove-key' uninstalls a key from the WKD. The process
+returns success in this case; to also print a diagnostic, use option
+'-v'. If the key is not installed a diagnostic is printed and the
+process returns failure; to suppress the diagnostic, use option '-q'.
+
+ The command '--revoke-key' is not yet functional.
+
+'gpg-wks-server' understands these options:
+
+'-C DIR'
+'--directory DIR'
+ Use DIR as top level directory for domains. The default is
+ '/var/lib/gnupg/wks'.
+
+'--from MAILADDR'
+ Use MAILADDR as the default sender address.
+
+'--header NAME=VALUE'
+ Add the mail header "NAME: VALUE" to all outgoing mails.
+
+'--send'
+ Directly send created mails using the 'sendmail' command. Requires
+ installation of that command.
+
+'-o FILE'
+'--output FILE'
+ Write the created mail also to FILE. Note that the value '-' for
+ FILE would write it to stdout.
+
+'--with-dir'
+ When used with the command '--list-domains' print for each
+ installed domain the domain name and its directory name.
+
+'--with-file'
+ When used with the command '--check-key' print for each user-id,
+ the address, 'i' for installed key or 'n' for not installed key,
+ and the filename.
+
+'--verbose'
+ Enable extra informational output.
+
+'--quiet'
+ Disable almost all informational output.
+
+'--version'
+ Print version of the program and exit.
+
+'--help'
+ Display a brief help page and exit.
+
+
+Examples
+********
+
+The Web Key Service requires a working directory to store keys pending
+for publication. As root create a working directory:
+
+ # mkdir /var/lib/gnupg/wks
+ # chown webkey:webkey /var/lib/gnupg/wks
+ # chmod 2750 /var/lib/gnupg/wks
+
+ Then under your webkey account create directories for all your
+domains. Here we do it for "example.net":
+
+ $ mkdir /var/lib/gnupg/wks/example.net
+
+ Finally run
+
+ $ gpg-wks-server --list-domains
+
+ to create the required sub-directories with the permissions set
+correctly. For each domain a submission address needs to be configured.
+All service mails are directed to that address. It can be the same
+address for all configured domains, for example:
+
+ $ cd /var/lib/gnupg/wks/example.net
+ $ echo key-submission@example.net >submission-address
+
+ The protocol requires that the key to be published is send with an
+encrypted mail to the service. Thus you need to create a key for the
+submission address:
+
+ $ gpg --batch --passphrase '' --quick-gen-key key-submission@example.net
+ $ gpg -K key-submission@example.net
+
+ The output of the last command looks similar to this:
+
+ sec rsa2048 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@example.net
+ ssb rsa2048 2016-08-30 [E]
+
+ Take the fingerprint from that output and manually publish the key:
+
+ $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
+ > key-submission@example.net
+
+ Finally that submission address needs to be redirected to a script
+running 'gpg-wks-server'. The 'procmail' command can be used for this:
+Redirect the submission address to the user "webkey" and put this into
+webkey's '.procmailrc':
+
+ :0
+ * !^From: webkey@example.net
+ * !^X-WKS-Loop: webkey.example.net
+ |gpg-wks-server -v --receive \
+ --header X-WKS-Loop=webkey.example.net \
+ --from webkey@example.net --send
+
+
+File: gnupg.info, Node: Howtos, Next: System Notes, Prev: Web Key Service, Up: Top
+
+11 How to do certain things
+***************************
+
+This is a collection of small howto documents.
+
+* Menu:
+
+* Howto Create a Server Cert:: Creating a TLS server certificate.
+
+
+File: gnupg.info, Node: Howto Create a Server Cert, Up: Howtos
+
+11.1 Creating a TLS server certificate
+======================================
+
+Here is a brief run up on how to create a server certificate. It has
+actually been done this way to get a certificate from CAcert to be used
+on a real server. It has only been tested with this CA, but there
+shouldn't be any problem to run this against any other CA.
+
+ We start by generating an X.509 certificate signing request. As
+there is no need for a configuration file, you may simply enter:
+
+ $ gpgsm --generate-key >example.com.cert-req.pem
+ Please select what kind of key you want:
+ (1) RSA
+ (2) Existing key
+ (3) Existing key from card
+ Your selection? 1
+
+ I opted for creating a new RSA key. The other option is to use an
+already existing key, by selecting '2' and entering the so-called
+keygrip. Running the command 'gpgsm --dump-secret-key USERID' shows you
+this keygrip. Using '3' offers another menu to create a certificate
+directly from a smart card based key.
+
+ Let's continue:
+
+ What keysize do you want? (3072)
+ Requested keysize is 3072 bits
+
+ Hitting enter chooses the default RSA key size of 3072 bits. Keys
+smaller than 2048 bits are too weak on the modern Internet. If you
+choose a larger (stronger) key, your server will need to do more work.
+
+ Possible actions for a RSA key:
+ (1) sign, encrypt
+ (2) sign
+ (3) encrypt
+ Your selection? 1
+
+ Selecting "sign" enables use of the key for Diffie-Hellman key
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred because
+they offer forward secrecy. Selecting "encrypt" enables RSA key
+exchange mechanisms, which are still common in some places. Selecting
+both enables both key exchange mechanisms.
+
+ Now for some real data:
+
+ Enter the X.509 subject name: CN=example.com
+
+ This is the most important value for a server certificate. Enter
+here the canonical name of your server machine. You may add other
+virtual server names later.
+
+ E-Mail addresses (end with an empty line):
+ >
+
+ We don't need email addresses in a TLS server certificate and CAcert
+would anyway ignore such a request. Thus just hit enter.
+
+ If you want to create a client certificate for email encryption, this
+would be the place to enter your mail address (e.g. <joe@example.org>).
+You may enter as many addresses as you like, however the CA may not
+accept them all or reject the entire request.
+
+ Enter DNS names (optional; end with an empty line):
+ > example.com
+ > www.example.com
+ >
+
+ Here I entered the names of the services which the machine actually
+provides. You almost always want to include the canonical name here
+too. The browser will accept a certificate for any of these names. As
+usual the CA must approve all of these names.
+
+ URIs (optional; end with an empty line):
+ >
+
+ It is possible to insert arbitrary URIs into a certificate; for a
+server certificate this does not make sense.
+
+ Create self-signed certificate? (y/N)
+
+ Since we are creating a certificate signing request, and not a full
+certificate, we answer no here, or just hit enter for the default.
+
+ We have now entered all required information and 'gpgsm' will display
+what it has gathered and ask whether to create the certificate request:
+
+ These parameters are used:
+ Key-Type: RSA
+ Key-Length: 3072
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+ Name-DNS: www.example.com
+
+ Proceed with creation? (y/N) y
+
+ 'gpgsm' will now start working on creating the request. As this
+includes the creation of an RSA key it may take a while. During this
+time you will be asked 3 times for a passphrase to protect the created
+private key on your system. A pop up window will appear to ask for it.
+The first two prompts are for the new passphrase and for re-entering it;
+the third one is required to actually create the certificate signing
+request.
+
+ When it is ready, you should see the final notice:
+
+ Ready. You should now send this request to your CA.
+
+ Now, you may look at the created request:
+
+ $ cat example.com.cert-req.pem
+ -----BEGIN CERTIFICATE REQUEST-----
+ MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
+ h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
+ Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
+ GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
+ DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
+ xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
+ hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
+ ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
+ b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
+ hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
+ bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
+ VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
+ k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
+ -----END CERTIFICATE REQUEST-----
+ $
+
+ You may now proceed by logging into your account at the CAcert
+website, choose 'Server Certificates - New', check 'sign by class 3 root
+certificate', paste the above request block into the text field and
+click on 'Submit'.
+
+ If everything works out fine, a certificate will be shown. Now run
+
+ $ gpgsm --import
+
+ and paste the certificate from the CAcert page into your terminal
+followed by a Ctrl-D
+
+ -----BEGIN CERTIFICATE-----
+ MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
+ [...]
+ rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
+ Rtct3tIX
+ -----END CERTIFICATE-----
+ gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
+ gpgsm: certificate imported
+
+ gpgsm: total number processed: 1
+ gpgsm: imported: 1
+
+ 'gpgsm' tells you that it has imported the certificate. It is now
+associated with the key you used when creating the request. The root
+certificate has not been found, so you may want to import it from the
+CACert website.
+
+ To see the content of your certificate, you may now enter:
+
+ $ gpgsm -K example.com
+ /home/foo/.gnupg/pubring.kbx
+ ---------------------------
+ Serial number: 4C
+ Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
+ Subject: /CN=example.com
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+ key type: 3072 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+
+ I used '-K' above because this will only list certificates for which
+a private key is available. To see more details, you may use
+'--dump-secret-keys' instead of '-K'.
+
+ To make actual use of the certificate you need to install it on your
+server. Server software usually expects a PKCS\#12 file with key and
+certificate. To create such a file, run:
+
+ $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
+
+ You will be asked for the passphrase as well as for a new passphrase
+to be used to protect the PKCS\#12 file. The file now contains the
+certificate as well as the private key:
+
+ $ cat example-cert.pem
+ Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
+ Serial ...: 4C
+ Subject ..: /CN=example.com
+ aka ..: (dns-name example.com)
+ aka ..: (dns-name www.example.com)
+
+ -----BEGIN PKCS12-----
+ MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
+ [...many more lines...]
+ -----END PKCS12-----
+ $
+
+ Copy this file in a secure way to the server, install it there and
+delete the file then. You may export the file again at any time as long
+as it is available in GnuPG's private key database.
+
+
+File: gnupg.info, Node: System Notes, Next: Debugging, Prev: Howtos, Up: Top
+
+12 Notes pertaining to certain OSes
+***********************************
+
+GnuPG has been developed on GNU/Linux systems and is know to work on
+almost all Free OSes. All modern POSIX systems should be supported
+right now, however there are probably a lot of smaller glitches we need
+to fix first. The major problem areas are:
+
+ * We are planning to use file descriptor passing for interprocess
+ communication. This will allow us save a lot of resources and
+ improve performance of certain operations a lot. Systems not
+ supporting this won't gain these benefits but we try to keep them
+ working the standard way as it is done today.
+
+ * We require more or less full POSIX compatibility. This has been
+ around for 15 years now and thus we don't believe it makes sense to
+ support non POSIX systems anymore. Well, we of course the usual
+ workarounds for near POSIX systems well be applied.
+
+ There is one exception of this rule: Systems based the Microsoft
+ Windows API (called here _W32_) will be supported to some extend.
+
+* Menu:
+
+* W32 Notes:: Microsoft Windows Notes
+
+
+File: gnupg.info, Node: W32 Notes, Up: System Notes
+
+12.1 Microsoft Windows Notes
+============================
+
+Current limitations are:
+
+ * 'gpgconf' does not create backup files, so in case of trouble your
+ configuration file might get lost.
+
+ * 'watchgnupg' is not available. Logging to sockets is not possible.
+
+ * The periodical smartcard status checking done by 'scdaemon' is not
+ yet supported.
+
+
+File: gnupg.info, Node: Debugging, Next: Copying, Prev: System Notes, Up: Top
+
+13 How to solve problems
+************************
+
+Everyone knows that software often does not do what it should do and
+thus there is a need to track down problems. We call this debugging in
+a reminiscent to the moth jamming a relay in a Mark II box back in 1947.
+
+ Most of the problems a merely configuration and user problems but
+nevertheless they are the most annoying ones and responsible for many
+gray hairs. We try to give some guidelines here on how to identify and
+solve the problem at hand.
+
+* Menu:
+
+* Debugging Tools:: Description of some useful tools.
+* Debugging Hints:: Various hints on debugging.
+* Common Problems:: Commonly seen problems.
+* Architecture Details:: How the whole thing works internally.
+
+
+File: gnupg.info, Node: Debugging Tools, Next: Debugging Hints, Up: Debugging
+
+13.1 Debugging Tools
+====================
+
+The GnuPG distribution comes with a couple of tools, useful to help find
+and solving problems.
+
+* Menu:
+
+* kbxutil:: Scrutinizing a keybox file.
+
+
+File: gnupg.info, Node: kbxutil, Up: Debugging Tools
+
+13.1.1 Scrutinizing a keybox file
+---------------------------------
+
+A keybox is a file format used to store public keys along with meta
+information and indices. The commonly used one is the file
+'pubring.kbx' in the '.gnupg' directory. It contains all X.509
+certificates as well as OpenPGP keys.
+
+When called the standard way, e.g.:
+
+ 'kbxutil ~/.gnupg/pubring.kbx'
+
+it lists all records (called blobs) with there meta-information in a
+human readable format.
+
+To see statistics on the keybox in question, run it using
+
+ 'kbxutil --stats ~/.gnupg/pubring.kbx'
+
+and you get an output like:
+
+ Total number of blobs: 99
+ header: 1
+ empty: 0
+ openpgp: 0
+ x509: 98
+ non flagged: 81
+ secret flagged: 0
+ ephemeral flagged: 17
+
+ In this example you see that the keybox does not have any OpenPGP
+keys but contains 98 X.509 certificates and a total of 17 keys or
+certificates are flagged as ephemeral, meaning that they are only
+temporary stored (cached) in the keybox and won't get listed using the
+usual commands provided by 'gpgsm' or 'gpg'. 81 certificates are stored
+in a standard way and directly available from 'gpgsm'.
+
+To find duplicated certificates and keyblocks in a keybox file (this
+should not occur but sometimes things go wrong), run it using
+
+ 'kbxutil --find-dups ~/.gnupg/pubring.kbx'
+
+
+File: gnupg.info, Node: Debugging Hints, Next: Common Problems, Prev: Debugging Tools, Up: Debugging
+
+13.2 Various hints on debugging
+===============================
+
+ * How to find the IP address of a keyserver
+
+ If a round robin URL of is used for a keyserver (e.g.
+ subkeys.gnupg.org); it is not easy to see what server is actually
+ used. Using the keyserver debug option as in
+
+ gpg --keyserver-options debug=1 -v --refresh-key 1E42B367
+
+ is thus often helpful. Note that the actual output depends on the
+ backend and may change from release to release.
+
+ * Logging on WindowsCE
+
+ For development, the best logging method on WindowsCE is the use of
+ remote debugging using a log file name of 'tcp://<ip-addr>:<port>'.
+ The command 'watchgnupg' may be used on the remote host to listen
+ on the given port (*note option watchgnupg --tcp::). For in the
+ field tests it is better to make use of the logging facility
+ provided by the 'gpgcedev' driver (part of libassuan); this is
+ enabled by using a log file name of 'GPG2:' (*note option
+ --log-file::).
+
+
+File: gnupg.info, Node: Common Problems, Next: Architecture Details, Prev: Debugging Hints, Up: Debugging
+
+13.3 Commonly Seen Problems
+===========================
+
+ * Error code 'Not supported' from Dirmngr
+
+ Most likely the option 'enable-ocsp' is active for gpgsm but
+ Dirmngr's OCSP feature has not been enabled using 'allow-ocsp' in
+ 'dirmngr.conf'.
+
+ * The Curses based Pinentry does not work
+
+ The far most common reason for this is that the environment
+ variable 'GPG_TTY' has not been set correctly. Make sure that it
+ has been set to a real tty device and not just to '/dev/tty'; i.e.
+ 'GPG_TTY=tty' is plainly wrong; what you want is 'GPG_TTY=`tty`' --
+ note the back ticks. Also make sure that this environment variable
+ gets exported, that is you should follow up the setting with an
+ 'export GPG_TTY' (assuming a Bourne style shell). Even for GUI
+ based Pinentries; you should have set 'GPG_TTY'. See the section
+ on installing the 'gpg-agent' on how to do it.
+
+ * SSH hangs while a popping up pinentry was expected
+
+ SSH has no way to tell the gpg-agent what terminal or X display it
+ is running on. So when remotely logging into a box where a
+ gpg-agent with SSH support is running, the pinentry will get popped
+ up on whatever display the gpg-agent has been started. To solve
+ this problem you may issue the command
+
+ echo UPDATESTARTUPTTY | gpg-connect-agent
+
+ and the next pinentry will pop up on your display or screen.
+ However, you need to kill the running pinentry first because only
+ one pinentry may be running at once. If you plan to use ssh on a
+ new display you should issue the above command before invoking ssh
+ or any other service making use of ssh.
+
+ * Exporting a secret key without a certificate
+
+ It may happen that you have created a certificate request using
+ 'gpgsm' but not yet received and imported the certificate from the
+ CA. However, you want to export the secret key to another machine
+ right now to import the certificate over there then. You can do
+ this with a little trick but it requires that you know the
+ approximate time you created the signing request. By running the
+ command
+
+ ls -ltr ~/.gnupg/private-keys-v1.d
+
+ you get a listing of all private keys under control of 'gpg-agent'.
+ Pick the key which best matches the creation time and run the
+ command
+
+ /usr/local/libexec/gpg-protect-tool --p12-export \
+ ~/.gnupg/private-keys-v1.d/FOO >FOO.p12
+
+ (Please adjust the path to 'gpg-protect-tool' to the appropriate
+ location). FOO is the name of the key file you picked (it should
+ have the suffix '.key'). A Pinentry box will pop up and ask you
+ for the current passphrase of the key and a new passphrase to
+ protect it in the pkcs#12 file.
+
+ To import the created file on the machine you use this command:
+
+ /usr/local/libexec/gpg-protect-tool --p12-import --store FOO.p12
+
+ You will be asked for the pkcs#12 passphrase and a new passphrase
+ to protect the imported private key at its new location.
+
+ Note that there is no easy way to match existing certificates with
+ stored private keys because some private keys are used for Secure
+ Shell or other purposes and don't have a corresponding certificate.
+
+ * A root certificate does not verify
+
+ A common problem is that the root certificate misses the required
+ basicConstraints attribute and thus 'gpgsm' rejects this
+ certificate. An error message indicating "no value" is a sign for
+ such a certificate. You may use the 'relax' flag in
+ 'trustlist.txt' to accept the certificate anyway. Note that the
+ fingerprint and this flag may only be added manually to
+ 'trustlist.txt'.
+
+ * Error message: "digest algorithm N has not been enabled"
+
+ The signature is broken. You may try the option
+ '--extra-digest-algo SHA256' to workaround the problem. The number
+ N is the internal algorithm identifier; for example 8 refers to
+ SHA-256.
+
+ * The Windows version does not work under Wine
+
+ When running the W32 version of 'gpg' under Wine you may get an
+ error messages like:
+
+ gpg: fatal: WriteConsole failed: Access denied
+
+ The solution is to use the command 'wineconsole'.
+
+ Some operations like '--generate-key' really want to talk to the
+ console directly for increased security (for example to prevent the
+ passphrase from appearing on the screen). So, you should use
+ 'wineconsole' instead of 'wine', which will launch a windows
+ console that implements those additional features.
+
+ * Why does GPG's -search-key list weird keys?
+
+ For performance reasons the keyservers do not check the keys the
+ same way 'gpg' does. It may happen that the listing of keys
+ available on the keyservers shows keys with wrong user IDs or with
+ user Ids from other keys. If you try to import this key, the bad
+ keys or bad user ids won't get imported, though. This is a bit
+ unfortunate but we can't do anything about it without actually
+ downloading the keys.
+
+
+File: gnupg.info, Node: Architecture Details, Prev: Common Problems, Up: Debugging
+
+13.4 How the whole thing works internally
+=========================================
+
+* Menu:
+
+* Component interaction:: How the components work together.
+* GnuPG-1 and GnuPG-2:: Relationship between GnuPG 1.4 and 2.x.
+
+
+File: gnupg.info, Node: Component interaction, Next: GnuPG-1 and GnuPG-2, Up: Architecture Details
+
+13.4.1 How the components work together
+---------------------------------------
+
+
+
+Figure 13.1: GnuPG module overview
+
+
+File: gnupg.info, Node: GnuPG-1 and GnuPG-2, Prev: Component interaction, Up: Architecture Details
+
+13.4.2 Relationship between GnuPG 1.4 and 2.x
+---------------------------------------------
+
+Here is a little picture showing how the different GnuPG versions make
+use of a smartcard:
+
+
+
+Figure 13.2: GnuPG card architecture
+
+
+File: gnupg.info, Node: Copying, Next: Contributors, Prev: Debugging, Up: Top
+
+GNU General Public License
+**************************
+
+ Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
+ Everyone is permitted to copy and distribute verbatim copies of this
+ license document, but changing it is not allowed.
+
+Preamble
+========
+
+The GNU General Public License is a free, copyleft license for software
+and other kinds of works.
+
+ The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program-to make sure it remains free
+software for all its users. We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors. You can apply it to
+your programs, too.
+
+ When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+ To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+ For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+ Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+ For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+ Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so. This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software. The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable. Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products. If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+ Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary. To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+ The precise terms and conditions for copying, distribution and
+modification follow.
+
+ TERMS AND CONDITIONS
+
+ 0. Definitions.
+
+ "This License" refers to version 3 of the GNU General Public
+ License.
+
+ "Copyright" also means copyright-like laws that apply to other
+ kinds of works, such as semiconductor masks.
+
+ "The Program" refers to any copyrightable work licensed under this
+ License. Each licensee is addressed as "you". "Licensees" and
+ "recipients" may be individuals or organizations.
+
+ To "modify" a work means to copy from or adapt all or part of the
+ work in a fashion requiring copyright permission, other than the
+ making of an exact copy. The resulting work is called a "modified
+ version" of the earlier work or a work "based on" the earlier work.
+
+ A "covered work" means either the unmodified Program or a work
+ based on the Program.
+
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on
+ a computer or modifying a private copy. Propagation includes
+ copying, distribution (with or without modification), making
+ available to the public, and in some countries other activities as
+ well.
+
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies. Mere interaction with a user
+ through a computer network, with no transfer of a copy, is not
+ conveying.
+
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to
+ the extent that warranties are provided), that licensees may convey
+ the work under this License, and how to view a copy of this
+ License. If the interface presents a list of user commands or
+ options, such as a menu, a prominent item in the list meets this
+ criterion.
+
+ 1. Source Code.
+
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it. "Object code" means any non-source
+ form of a work.
+
+ A "Standard Interface" means an interface that either is an
+ official standard defined by a recognized standards body, or, in
+ the case of interfaces specified for a particular programming
+ language, one that is widely used among developers working in that
+ language.
+
+ The "System Libraries" of an executable work include anything,
+ other than the work as a whole, that (a) is included in the normal
+ form of packaging a Major Component, but which is not part of that
+ Major Component, and (b) serves only to enable use of the work with
+ that Major Component, or to implement a Standard Interface for
+ which an implementation is available to the public in source code
+ form. A "Major Component", in this context, means a major
+ essential component (kernel, window system, and so on) of the
+ specific operating system (if any) on which the executable work
+ runs, or a compiler used to produce the work, or an object code
+ interpreter used to run it.
+
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts
+ to control those activities. However, it does not include the
+ work's System Libraries, or general-purpose tools or generally
+ available free programs which are used unmodified in performing
+ those activities but which are not part of the work. For example,
+ Corresponding Source includes interface definition files associated
+ with source files for the work, and the source code for shared
+ libraries and dynamically linked subprograms that the work is
+ specifically designed to require, such as by intimate data
+ communication or control flow between those subprograms and other
+ parts of the work.
+
+ The Corresponding Source need not include anything that users can
+ regenerate automatically from other parts of the Corresponding
+ Source.
+
+ The Corresponding Source for a work in source code form is that
+ same work.
+
+ 2. Basic Permissions.
+
+ All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met. This License explicitly affirms your unlimited
+ permission to run the unmodified Program. The output from running
+ a covered work is covered by this License only if the output, given
+ its content, constitutes a covered work. This License acknowledges
+ your rights of fair use or other equivalent, as provided by
+ copyright law.
+
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise
+ remains in force. You may convey covered works to others for the
+ sole purpose of having them make modifications exclusively for you,
+ or provide you with facilities for running those works, provided
+ that you comply with the terms of this License in conveying all
+ material for which you do not control copyright. Those thus making
+ or running the covered works for you must do so exclusively on your
+ behalf, under your direction and control, on terms that prohibit
+ them from making any copies of your copyrighted material outside
+ their relationship with you.
+
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below. Sublicensing is not allowed; section
+ 10 makes it unnecessary.
+
+ 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under
+ article 11 of the WIPO copyright treaty adopted on 20 December
+ 1996, or similar laws prohibiting or restricting circumvention of
+ such measures.
+
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such
+ circumvention is effected by exercising rights under this License
+ with respect to the covered work, and you disclaim any intention to
+ limit operation or modification of the work as a means of
+ enforcing, against the work's users, your or third parties' legal
+ rights to forbid circumvention of technological measures.
+
+ 4. Conveying Verbatim Copies.
+
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the
+ code; keep intact all notices of the absence of any warranty; and
+ give all recipients a copy of this License along with the Program.
+
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+
+ 5. Conveying Modified Source Versions.
+
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these
+ conditions:
+
+ a. The work must carry prominent notices stating that you
+ modified it, and giving a relevant date.
+
+ b. The work must carry prominent notices stating that it is
+ released under this License and any conditions added under
+ section 7. This requirement modifies the requirement in
+ section 4 to "keep intact all notices".
+
+ c. You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable
+ section 7 additional terms, to the whole of the work, and all
+ its parts, regardless of how they are packaged. This License
+ gives no permission to license the work in any other way, but
+ it does not invalidate such permission if you have separately
+ received it.
+
+ d. If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has
+ interactive interfaces that do not display Appropriate Legal
+ Notices, your work need not make them do so.
+
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered
+ work, and which are not combined with it such as to form a larger
+ program, in or on a volume of a storage or distribution medium, is
+ called an "aggregate" if the compilation and its resulting
+ copyright are not used to limit the access or legal rights of the
+ compilation's users beyond what the individual works permit.
+ Inclusion of a covered work in an aggregate does not cause this
+ License to apply to the other parts of the aggregate.
+
+ 6. Conveying Non-Source Forms.
+
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this
+ License, in one of these ways:
+
+ a. Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+
+ b. Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that
+ product model, to give anyone who possesses the object code
+ either (1) a copy of the Corresponding Source for all the
+ software in the product that is covered by this License, on a
+ durable physical medium customarily used for software
+ interchange, for a price no more than your reasonable cost of
+ physically performing this conveying of source, or (2) access
+ to copy the Corresponding Source from a network server at no
+ charge.
+
+ c. Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially,
+ and only if you received the object code with such an offer,
+ in accord with subsection 6b.
+
+ d. Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to
+ the Corresponding Source in the same way through the same
+ place at no further charge. You need not require recipients
+ to copy the Corresponding Source along with the object code.
+ If the place to copy the object code is a network server, the
+ Corresponding Source may be on a different server (operated by
+ you or a third party) that supports equivalent copying
+ facilities, provided you maintain clear directions next to the
+ object code saying where to find the Corresponding Source.
+ Regardless of what server hosts the Corresponding Source, you
+ remain obligated to ensure that it is available for as long as
+ needed to satisfy these requirements.
+
+ e. Convey the object code using peer-to-peer transmission,
+ provided you inform other peers where the object code and
+ Corresponding Source of the work are being offered to the
+ general public at no charge under subsection 6d.
+
+ A separable portion of the object code, whose source code is
+ excluded from the Corresponding Source as a System Library, need
+ not be included in conveying the object code work.
+
+ A "User Product" is either (1) a "consumer product", which means
+ any tangible personal property which is normally used for personal,
+ family, or household purposes, or (2) anything designed or sold for
+ incorporation into a dwelling. In determining whether a product is
+ a consumer product, doubtful cases shall be resolved in favor of
+ coverage. For a particular product received by a particular user,
+ "normally used" refers to a typical or common use of that class of
+ product, regardless of the status of the particular user or of the
+ way in which the particular user actually uses, or expects or is
+ expected to use, the product. A product is a consumer product
+ regardless of whether the product has substantial commercial,
+ industrial or non-consumer uses, unless such uses represent the
+ only significant mode of use of the product.
+
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to
+ install and execute modified versions of a covered work in that
+ User Product from a modified version of its Corresponding Source.
+ The information must suffice to ensure that the continued
+ functioning of the modified object code is in no case prevented or
+ interfered with solely because modification has been made.
+
+ If you convey an object code work under this section in, or with,
+ or specifically for use in, a User Product, and the conveying
+ occurs as part of a transaction in which the right of possession
+ and use of the User Product is transferred to the recipient in
+ perpetuity or for a fixed term (regardless of how the transaction
+ is characterized), the Corresponding Source conveyed under this
+ section must be accompanied by the Installation Information. But
+ this requirement does not apply if neither you nor any third party
+ retains the ability to install modified object code on the User
+ Product (for example, the work has been installed in ROM).
+
+ The requirement to provide Installation Information does not
+ include a requirement to continue to provide support service,
+ warranty, or updates for a work that has been modified or installed
+ by the recipient, or for the User Product in which it has been
+ modified or installed. Access to a network may be denied when the
+ modification itself materially and adversely affects the operation
+ of the network or violates the rules and protocols for
+ communication across the network.
+
+ Corresponding Source conveyed, and Installation Information
+ provided, in accord with this section must be in a format that is
+ publicly documented (and with an implementation available to the
+ public in source code form), and must require no special password
+ or key for unpacking, reading or copying.
+
+ 7. Additional Terms.
+
+ "Additional permissions" are terms that supplement the terms of
+ this License by making exceptions from one or more of its
+ conditions. Additional permissions that are applicable to the
+ entire Program shall be treated as though they were included in
+ this License, to the extent that they are valid under applicable
+ law. If additional permissions apply only to part of the Program,
+ that part may be used separately under those permissions, but the
+ entire Program remains governed by this License without regard to
+ the additional permissions.
+
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part
+ of it. (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.) You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+
+ Notwithstanding any other provision of this License, for material
+ you add to a covered work, you may (if authorized by the copyright
+ holders of that material) supplement the terms of this License with
+ terms:
+
+ a. Disclaiming warranty or limiting liability differently from
+ the terms of sections 15 and 16 of this License; or
+
+ b. Requiring preservation of specified reasonable legal notices
+ or author attributions in that material or in the Appropriate
+ Legal Notices displayed by works containing it; or
+
+ c. Prohibiting misrepresentation of the origin of that material,
+ or requiring that modified versions of such material be marked
+ in reasonable ways as different from the original version; or
+
+ d. Limiting the use for publicity purposes of names of licensors
+ or authors of the material; or
+
+ e. Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+
+ f. Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified
+ versions of it) with contractual assumptions of liability to
+ the recipient, for any liability that these contractual
+ assumptions directly impose on those licensors and authors.
+
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10. If the Program as
+ you received it, or any part of it, contains a notice stating that
+ it is governed by this License along with a term that is a further
+ restriction, you may remove that term. If a license document
+ contains a further restriction but permits relicensing or conveying
+ under this License, you may add to a covered work material governed
+ by the terms of that license document, provided that the further
+ restriction does not survive such relicensing or conveying.
+
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+
+ Additional terms, permissive or non-permissive, may be stated in
+ the form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+
+ 8. Termination.
+
+ You may not propagate or modify a covered work except as expressly
+ provided under this License. Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights
+ under this License (including any patent licenses granted under the
+ third paragraph of section 11).
+
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the
+ copyright holder fails to notify you of the violation by some
+ reasonable means prior to 60 days after the cessation.
+
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from
+ that copyright holder, and you cure the violation prior to 30 days
+ after your receipt of the notice.
+
+ Termination of your rights under this section does not terminate
+ the licenses of parties who have received copies or rights from you
+ under this License. If your rights have been terminated and not
+ permanently reinstated, you do not qualify to receive new licenses
+ for the same material under section 10.
+
+ 9. Acceptance Not Required for Having Copies.
+
+ You are not required to accept this License in order to receive or
+ run a copy of the Program. Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer
+ transmission to receive a copy likewise does not require
+ acceptance. However, nothing other than this License grants you
+ permission to propagate or modify any covered work. These actions
+ infringe copyright if you do not accept this License. Therefore,
+ by modifying or propagating a covered work, you indicate your
+ acceptance of this License to do so.
+
+ 10. Automatic Licensing of Downstream Recipients.
+
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License. You are not
+ responsible for enforcing compliance by third parties with this
+ License.
+
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations. If propagation of a
+ covered work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or
+ could give under the previous paragraph, plus a right to possession
+ of the Corresponding Source of the work from the predecessor in
+ interest, if the predecessor has it or can get it with reasonable
+ efforts.
+
+ You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License. For example, you
+ may not impose a license fee, royalty, or other charge for exercise
+ of rights granted under this License, and you may not initiate
+ litigation (including a cross-claim or counterclaim in a lawsuit)
+ alleging that any patent claim is infringed by making, using,
+ selling, offering for sale, or importing the Program or any portion
+ of it.
+
+ 11. Patents.
+
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.
+ The work thus licensed is called the contributor's "contributor
+ version".
+
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner,
+ permitted by this License, of making, using, or selling its
+ contributor version, but do not include claims that would be
+ infringed only as a consequence of further modification of the
+ contributor version. For purposes of this definition, "control"
+ includes the right to grant patent sublicenses in a manner
+ consistent with the requirements of this License.
+
+ Each contributor grants you a non-exclusive, worldwide,
+ royalty-free patent license under the contributor's essential
+ patent claims, to make, use, sell, offer for sale, import and
+ otherwise run, modify and propagate the contents of its contributor
+ version.
+
+ In the following three paragraphs, a "patent license" is any
+ express agreement or commitment, however denominated, not to
+ enforce a patent (such as an express permission to practice a
+ patent or covenant not to sue for patent infringement). To "grant"
+ such a patent license to a party means to make such an agreement or
+ commitment not to enforce a patent against the party.
+
+ If you convey a covered work, knowingly relying on a patent
+ license, and the Corresponding Source of the work is not available
+ for anyone to copy, free of charge and under the terms of this
+ License, through a publicly available network server or other
+ readily accessible means, then you must either (1) cause the
+ Corresponding Source to be so available, or (2) arrange to deprive
+ yourself of the benefit of the patent license for this particular
+ work, or (3) arrange, in a manner consistent with the requirements
+ of this License, to extend the patent license to downstream
+ recipients. "Knowingly relying" means you have actual knowledge
+ that, but for the patent license, your conveying the covered work
+ in a country, or your recipient's use of the covered work in a
+ country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate,
+ modify or convey a specific copy of the covered work, then the
+ patent license you grant is automatically extended to all
+ recipients of the covered work and works based on it.
+
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that
+ are specifically granted under this License. You may not convey a
+ covered work if you are a party to an arrangement with a third
+ party that is in the business of distributing software, under which
+ you make payment to the third party based on the extent of your
+ activity of conveying the work, and under which the third party
+ grants, to any of the parties who would receive the covered work
+ from you, a discriminatory patent license (a) in connection with
+ copies of the covered work conveyed by you (or copies made from
+ those copies), or (b) primarily for and in connection with specific
+ products or compilations that contain the covered work, unless you
+ entered into that arrangement, or that patent license was granted,
+ prior to 28 March 2007.
+
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+
+ 12. No Surrender of Others' Freedom.
+
+ If conditions are imposed on you (whether by court order, agreement
+ or otherwise) that contradict the conditions of this License, they
+ do not excuse you from the conditions of this License. If you
+ cannot convey a covered work so as to satisfy simultaneously your
+ obligations under this License and any other pertinent obligations,
+ then as a consequence you may not convey it at all. For example,
+ if you agree to terms that obligate you to collect a royalty for
+ further conveying from those to whom you convey the Program, the
+ only way you could satisfy both those terms and this License would
+ be to refrain entirely from conveying the Program.
+
+ 13. Use with the GNU Affero General Public License.
+
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU Affero General Public License into a
+ single combined work, and to convey the resulting work. The terms
+ of this License will continue to apply to the part which is the
+ covered work, but the special requirements of the GNU Affero
+ General Public License, section 13, concerning interaction through
+ a network will apply to the combination as such.
+
+ 14. Revised Versions of this License.
+
+ The Free Software Foundation may publish revised and/or new
+ versions of the GNU General Public License from time to time. Such
+ new versions will be similar in spirit to the present version, but
+ may differ in detail to address new problems or concerns.
+
+ Each version is given a distinguishing version number. If the
+ Program specifies that a certain numbered version of the GNU
+ General Public License "or any later version" applies to it, you
+ have the option of following the terms and conditions either of
+ that numbered version or of any later version published by the Free
+ Software Foundation. If the Program does not specify a version
+ number of the GNU General Public License, you may choose any
+ version ever published by the Free Software Foundation.
+
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU General Public License can be used, that
+ proxy's public statement of acceptance of a version permanently
+ authorizes you to choose that version for the Program.
+
+ Later license versions may give you additional or different
+ permissions. However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+
+ 15. Disclaimer of Warranty.
+
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE
+ COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS"
+ WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED,
+ INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE
+ RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.
+ SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL
+ NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+ 16. Limitation of Liability.
+
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+ WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES
+ AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR
+ DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+ CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE
+ THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA
+ BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF
+ THE POSSIBILITY OF SUCH DAMAGES.
+
+ 17. Interpretation of Sections 15 and 16.
+
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely
+ approximates an absolute waiver of all civil liability in
+ connection with the Program, unless a warranty or assumption of
+ liability accompanies a copy of the Program in return for a fee.
+
+ END OF TERMS AND CONDITIONS
+
+How to Apply These Terms to Your New Programs
+=============================================
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+ To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+ ONE LINE TO GIVE THE PROGRAM'S NAME AND A BRIEF IDEA OF WHAT IT DOES.
+ Copyright (C) YEAR NAME OF AUTHOR
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or (at
+ your option) any later version.
+
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program does terminal interaction, make it output a short notice
+like this when it starts in an interactive mode:
+
+ PROGRAM Copyright (C) YEAR NAME OF AUTHOR
+ This program comes with ABSOLUTELY NO WARRANTY; for details
+ type 'show w'. This is free software, and you are
+ welcome to redistribute it under certain conditions;
+ type 'show c' for details.
+
+ The hypothetical commands 'show w' and 'show c' should show the
+appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an "about box".
+
+ You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU GPL, see <https://www.gnu.org/licenses/>.
+
+ The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use the
+GNU Lesser General Public License instead of this License. But first,
+please read <https://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+
+File: gnupg.info, Node: Contributors, Next: Glossary, Prev: Copying, Up: Top
+
+Contributors to GnuPG
+*********************
+
+The GnuPG project would like to thank its many contributors. Without
+them the project would not have been nearly as successful as it has
+been. Any omissions in this list are accidental. Feel free to contact
+the maintainer if you have been left out or some of your contributions
+are not listed.
+
+ David Shaw, Matthew Skala, Michael Roth, Niklas Hernaeus, Nils
+Ellmenreich, Rémi Guyomarch, Stefan Bellon, Timo Schulz and Werner Koch
+wrote the code. Birger Langkjer, Daniel Resare, Dokianakis Theofanis,
+Edmund GRIMLEY EVANS, Gaël Quéri, Gregory Steuck, Nagy Ferenc
+László, Ivo Timmermans, Jacobo Tarri'o Barreiro, Janusz Aleksander
+Urbanowicz, Jedi Lin, Jouni Hiltunen, Laurentiu Buzdugan, Magda
+Procha'zkova', Michael Anckaert, Michal Majer, Marco d'Itri, Nilgun
+Belma Buguner, Pedro Morais, Tedi Heriyanto, Thiago Jung Bauermann,
+Rafael Caetano dos Santos, Toomas Soome, Urko Lusa, Walter Koch, Yosiaki
+IIDA did the official translations. Mike Ashley wrote and maintains the
+GNU Privacy Handbook. David Scribner is the current FAQ editor.
+Lorenzo Cappelletti maintains the web site.
+
+ The new modularized architecture of gnupg 1.9 as well as the
+X.509/CMS part has been developed as part of the Ägypten project.
+Direct contributors to this project are: Bernhard Herzog, who did
+extensive testing and tracked down a lot of bugs. Bernhard Reiter, who
+made sure that we met the specifications and the deadlines. He did
+extensive testing and came up with a lot of suggestions. Jan-Oliver
+Wagner made sure that we met the specifications and the deadlines. He
+also did extensive testing and came up with a lot of suggestions.
+Karl-Heinz Zimmer and Marc Mutz had to struggle with all the bugs and
+misconceptions while working on KDE integration. Marcus Brinkman
+extended GPGME, cleaned up the Assuan code and fixed bugs all over the
+place. Moritz Schulte took over Libgcrypt maintenance and developed it
+into a stable an useful library. Steffen Hansen had a hard time to
+write the dirmngr due to underspecified interfaces. Thomas Koester did
+extensive testing and tracked down a lot of bugs. Werner Koch designed
+the system and wrote most of the code.
+
+ The following people helped greatly by suggesting improvements,
+testing, fixing bugs, providing resources and doing other important
+tasks: Adam Mitchell, Albert Chin, Alec Habig, Allan Clark, Anand
+Kumria, Andreas Haumer, Anthony Mulcahy, Ariel T Glenn, Bob Mathews,
+Bodo Moeller, Brendan O'Dea, Brenno de Winter, Brian M. Carlson, Brian
+Moore, Brian Warner, Bryan Fullerton, Caskey L. Dickson, Cees van de
+Griend, Charles Levert, Chip Salzenberg, Chris Adams, Christian Biere,
+Christian Kurz, Christian von Roques, Christopher Oliver, Christian
+Recktenwald, Dan Winship, Daniel Eisenbud, Daniel Koening, Dave Dykstra,
+David C Niemi, David Champion, David Ellement, David Hallinan, David
+Hollenberg, David Mathog, David R. Bergstein, Detlef Lannert, Dimitri,
+Dirk Lattermann, Dirk Meyer, Disastry, Douglas Calvert, Ed Boraas,
+Edmund GRIMLEY EVANS, Edwin Woudt, Enzo Michelangeli, Ernst Molitor,
+Fabio Coatti, Felix von Leitner, fish stiqz, Florian Weimer, Francesco
+Potorti, Frank Donahoe, Frank Heckenbach, Frank Stajano, Frank Tobin,
+Gabriel Rosenkoetter, Gaël Quéri, Gene Carter, Geoff Keating, Georg
+Schwarz, Giampaolo Tomassoni, Gilbert Fernandes, Greg Louis, Greg
+Troxel, Gregory Steuck, Gregery Barton, Harald Denker, Holger Baust,
+Hendrik Buschkamp, Holger Schurig, Holger Smolinski, Holger Trapp, Hugh
+Daniel, Huy Le, Ian McKellar, Ivo Timmermans, Jan Krueger, Jan
+Niehusmann, Janusz A. Urbanowicz, James Troup, Jean-loup Gailly, Jeff
+Long, Jeffery Von Ronne, Jens Bachem, Jeroen C. van Gelderen, J Horacio
+MG, J. Michael Ashley, Jim Bauer, Jim Small, Joachim Backes, Joe Rhett,
+John A. Martin, Johnny Teveßen, Jörg Schilling, Jos Backus, Joseph
+Walton, Juan F. Codagnone, Jun Kuriyama, Kahil D. Jallad, Karl Fogel,
+Karsten Thygesen, Katsuhiro Kondou, Kazu Yamamoto, Keith Clayton, Kevin
+Ryde, Klaus Singvogel, Kurt Garloff, Lars Kellogg-Stedman, L. Sassaman,
+M Taylor, Marcel Waldvogel, Marco d'Itri, Marco Parrone, Marcus
+Brinkmann, Mark Adler, Mark Elbrecht, Mark Pettit, Markus Friedl, Martin
+Kahlert, Martin Hamilton, Martin Schulte, Matt Kraai, Matthew Skala,
+Matthew Wilcox, Matthias Urlichs, Max Valianskiy, Michael Engels,
+Michael Fischer v. Mollard, Michael Roth, Michael Sobolev, Michael
+Tokarev, Nicolas Graner, Mike McEwan, Neal H Walfield, Nelson H. F.
+Beebe, NIIBE Yutaka, Niklas Hernaeus, Nimrod Zimerman, N J Doye, Oliver
+Haakert, Oskari Jääskeläinen, Pascal Scheffers, Paul D. Smith, Per
+Cederqvist, Phil Blundell, Philippe Laliberte, Peter Fales, Peter
+Gutmann, Peter Marschall, Peter Valchev, Piotr Krukowiecki, QingLong,
+Ralph Gillen, Rat, Reinhard Wobst, Rémi Guyomarch, Reuben Sumner,
+Richard Outerbridge, Robert Joop, Roddy Strachan, Roger Sondermann,
+Roland Rosenfeld, Roman Pavlik, Ross Golder, Ryan Malayter, Sam Roberts,
+Sami Tolvanen, Sean MacLennan, Sebastian Klemke, Serge Munhoven, SL
+Baur, Stefan Bellon, Dr.Stefan.Dalibor, Stefan Karrmann, Stefan Keller,
+Steffen Ullrich, Steffen Zahn, Steven Bakker, Steven Murdoch, Susanne
+Schultz, Ted Cabeen, Thiago Jung Bauermann, Thijmen Klok, Thomas
+Roessler, Tim Mooney, Timo Schulz, Todd Vierling, TOGAWA Satoshi, Tom
+Spindler, Tom Zerucha, Tomas Fasth, Tommi Komulainen, Thomas Klausner,
+Tomasz Kozlowski, Thomas Mikkelsen, Ulf Möller, Urko Lusa, Vincent P.
+Broman, Volker Quetschke, W Lewis, Walter Hofmann, Walter Koch, Wayne
+Chapeskie, Wim Vandeputte, Winona Brown, Yosiaki IIDA, Yoshihiro Kajiki
+and Gerlinde Klaes.
+
+ This software has been made possible by the previous work of Chris
+Wedgwood, Jean-loup Gailly, Jon Callas, Mark Adler, Martin Hellman, Paul
+Kendall, Philip R. Zimmermann, Peter Gutmann, Philip A. Nelson, Taher
+Elgamal, Torbjorn Granlund, Whitfield Diffie, some unknown NSA
+mathematicians and all the folks who have worked hard to create complete
+and free operating systems.
+
+ And finally we'd like to thank everyone who uses these tools, submits
+bug reports and generally reminds us why we're doing this work in the
+first place.
+
+
+File: gnupg.info, Node: Glossary, Next: Option Index, Prev: Contributors, Up: Top
+
+Glossary
+********
+
+'ARL'
+ The _Authority Revocation List_ is technical identical to a CRL but
+ used for CAs and not for end user certificates.
+
+'Chain model'
+ Verification model for X.509 which uses the creation date of a
+ signature as the date the validation starts and in turn checks that
+ each certificate has been issued within the time frame, the issuing
+ certificate was valid. This allows the verification of signatures
+ after the CA's certificate expired. The validation test also
+ required an online check of the certificate status. The chain
+ model is required by the German signature law. See also _Shell
+ model_.
+
+'CMS'
+ The _Cryptographic Message Standard_ describes a message format for
+ encryption and digital signing. It is closely related to the X.509
+ certificate format. CMS was formerly known under the name 'PKCS#7'
+ and is described by 'RFC3369'.
+
+'CRL'
+ The _Certificate Revocation List_ is a list containing certificates
+ revoked by the issuer.
+
+'CSR'
+ The _Certificate Signing Request_ is a message send to a CA to ask
+ them to issue a new certificate. The data format of such a signing
+ request is called PCKS#10.
+
+'OpenPGP'
+ A data format used to build a PKI and to exchange encrypted or
+ signed messages. In contrast to X.509, OpenPGP also includes the
+ message format but does not explicitly demand a specific PKI.
+ However any kind of PKI may be build upon the OpenPGP protocol.
+
+'Keygrip'
+ This term is used by GnuPG to describe a 20 byte hash value used to
+ identify a certain key without referencing to a concrete protocol.
+ It is used internally to access a private key. Usually it is shown
+ and entered as a 40 character hexadecimal formatted string.
+
+'OCSP'
+ The _Online Certificate Status Protocol_ is used as an alternative
+ to a CRL. It is described in 'RFC 2560'.
+
+'PSE'
+ The _Personal Security Environment_ describes a database to store
+ private keys. This is either a smartcard or a collection of files
+ on a disk; the latter is often called a Soft-PSE.
+
+'Shell model'
+ The standard model for validation of certificates under X.509. At
+ the time of the verification all certificates must be valid and not
+ expired. See also _Chain model_.
+
+'X.509'
+ Description of a PKI used with CMS. It is for example defined by
+ 'RFC3280'.
+
+
+File: gnupg.info, Node: Option Index, Next: Environment Index, Prev: Glossary, Up: Top
+
+Option Index
+************
+
+
+* Menu:
+
+* --override-compliance-check: GPG Esoteric Options.
+ (line 424)
+* add-servers: Dirmngr Options. (line 313)
+* agent-program: GPG Configuration Options.
+ (line 755)
+* agent-program <1>: Configuration Options.
+ (line 53)
+* agent-program <2>: Invoking gpg-connect-agent.
+ (line 42)
+* allow-admin: Scdaemon Options. (line 204)
+* allow-emacs-pinentry: Agent Options. (line 206)
+* allow-freeform-uid: GPG Esoteric Options.
+ (line 367)
+* allow-loopback-pinentry: Agent Options. (line 188)
+* allow-multiple-messages: GPG Esoteric Options.
+ (line 560)
+* allow-non-selfsigned-uid: GPG Esoteric Options.
+ (line 362)
+* allow-ocsp: Dirmngr Options. (line 330)
+* allow-preset-passphrase: Agent Options. (line 183)
+* allow-secret-key-import: GPG Esoteric Options.
+ (line 556)
+* allow-version-check: Dirmngr Options. (line 138)
+* allow-weak-digest-algos: GPG Esoteric Options.
+ (line 403)
+* allow-weak-key-signatures: GPG Esoteric Options.
+ (line 419)
+* always-trust: Deprecated Options. (line 21)
+* armor: GPG Input and Output.
+ (line 8)
+* armor <1>: Input and Output. (line 8)
+* ask-cert-expire: GPG Esoteric Options.
+ (line 521)
+* ask-cert-level: GPG Configuration Options.
+ (line 360)
+* ask-sig-expire: GPG Esoteric Options.
+ (line 507)
+* assume-armor: Input and Output. (line 14)
+* assume-base64: Input and Output. (line 18)
+* assume-binary: Input and Output. (line 21)
+* attribute-fd: GPG Esoteric Options.
+ (line 92)
+* attribute-file: GPG Esoteric Options.
+ (line 98)
+* auto-check-trustdb: GPG Configuration Options.
+ (line 742)
+* auto-expand-secmem: Agent Options. (line 456)
+* auto-issuer-key-retrieve: Certificate Options. (line 62)
+* auto-key-import: GPG Configuration Options.
+ (line 578)
+* auto-key-locate: GPG Configuration Options.
+ (line 509)
+* auto-key-retrieve: GPG Configuration Options.
+ (line 590)
+* base64: Input and Output. (line 11)
+* batch: Agent Options. (line 48)
+* batch <1>: GPG Configuration Options.
+ (line 45)
+* batch <2>: gpgtar. (line 104)
+* blacklist: gpg-wks-client. (line 126)
+* bzip2-compress-level: GPG Configuration Options.
+ (line 334)
+* bzip2-decompress-lowmem: GPG Configuration Options.
+ (line 344)
+* c: Dirmngr Options. (line 87)
+* cache-cert: dirmngr-client. (line 72)
+* call-dirmngr: Operational GPGSM Commands.
+ (line 27)
+* call-protect-tool: Operational GPGSM Commands.
+ (line 41)
+* card-edit: Operational GPG Commands.
+ (line 210)
+* card-status: Operational GPG Commands.
+ (line 216)
+* card-timeout: Scdaemon Options. (line 180)
+* cert-digest-algo: GPG Esoteric Options.
+ (line 238)
+* cert-notation: GPG Esoteric Options.
+ (line 124)
+* cert-policy-url: GPG Esoteric Options.
+ (line 160)
+* change-passphrase: OpenPGP Key Management.
+ (line 452)
+* change-passphrase <1>: Certificate Management.
+ (line 109)
+* change-pin: Operational GPG Commands.
+ (line 219)
+* check: gpg-check-pattern. (line 56)
+* check-passphrase-pattern: Agent Options. (line 260)
+* check-signatures: Operational GPG Commands.
+ (line 140)
+* check-sigs: Operational GPG Commands.
+ (line 141)
+* check-sym-passphrase-pattern: Agent Options. (line 260)
+* check-trustdb: Operational GPG Commands.
+ (line 349)
+* cipher-algo: GPG Esoteric Options.
+ (line 199)
+* cipher-algo <1>: CMS Options. (line 13)
+* clear-sign: Operational GPG Commands.
+ (line 17)
+* clearsign: Operational GPG Commands.
+ (line 18)
+* cms: gpgtar. (line 99)
+* command-fd: GPG Esoteric Options.
+ (line 350)
+* command-file: GPG Esoteric Options.
+ (line 357)
+* comment: GPG Esoteric Options.
+ (line 103)
+* compatibility-flags: Esoteric Options. (line 57)
+* compliance: Compliance Options. (line 67)
+* compliance <1>: Esoteric Options. (line 18)
+* compliant-needed: GPG Configuration Options.
+ (line 717)
+* compress-algo: GPG Esoteric Options.
+ (line 215)
+* compress-level: GPG Configuration Options.
+ (line 334)
+* connect-quick-timeout: Dirmngr Options. (line 125)
+* connect-timeout: Dirmngr Options. (line 125)
+* create: gpgtar. (line 16)
+* create-socketdir: Invoking gpgconf. (line 96)
+* csh: Agent Options. (line 146)
+* csh <1>: Dirmngr Options. (line 87)
+* ctapi-driver: Scdaemon Options. (line 157)
+* daemon: Agent Commands. (line 27)
+* daemon <1>: Dirmngr Commands. (line 27)
+* daemon <2>: Scdaemon Commands. (line 31)
+* dearmor: Operational GPG Commands.
+ (line 403)
+* debug: Agent Options. (line 82)
+* debug <1>: Dirmngr Options. (line 59)
+* debug <2>: GPG Esoteric Options.
+ (line 47)
+* debug <3>: Esoteric Options. (line 90)
+* debug <4>: Scdaemon Options. (line 69)
+* debug-all: Agent Options. (line 106)
+* debug-all <1>: Dirmngr Options. (line 66)
+* debug-all <2>: GPG Esoteric Options.
+ (line 53)
+* debug-all <3>: Esoteric Options. (line 117)
+* debug-all <4>: Scdaemon Options. (line 96)
+* debug-allow-core-dump: Esoteric Options. (line 120)
+* debug-allow-core-dump <1>: Scdaemon Options. (line 113)
+* debug-assuan-log-cats: Scdaemon Options. (line 122)
+* debug-disable-ticker: Scdaemon Options. (line 109)
+* debug-ignore-expiration: Esoteric Options. (line 131)
+* debug-iolbf: GPG Esoteric Options.
+ (line 56)
+* debug-level: Agent Options. (line 57)
+* debug-level <1>: Dirmngr Options. (line 34)
+* debug-level <2>: GPG Esoteric Options.
+ (line 22)
+* debug-level <3>: Esoteric Options. (line 65)
+* debug-level <4>: Scdaemon Options. (line 40)
+* debug-log-tid: Scdaemon Options. (line 119)
+* debug-no-chain-validation: Esoteric Options. (line 127)
+* debug-pinentry: Agent Options. (line 126)
+* debug-quick-random: Agent Options. (line 114)
+* debug-wait: Agent Options. (line 109)
+* debug-wait <1>: Dirmngr Options. (line 74)
+* debug-wait <2>: Scdaemon Options. (line 99)
+* debug-wait <3>: Scdaemon Options. (line 104)
+* decode: Invoking gpg-connect-agent.
+ (line 95)
+* decrypt: Operational GPG Commands.
+ (line 59)
+* decrypt <1>: Operational GPGSM Commands.
+ (line 11)
+* decrypt <2>: gpgtar. (line 29)
+* decrypt-files: Operational GPG Commands.
+ (line 114)
+* default-cache-ttl: Agent Options. (line 217)
+* default-cache-ttl <1>: Agent Options. (line 226)
+* default-cert-expire: GPG Esoteric Options.
+ (line 527)
+* default-cert-level: GPG Configuration Options.
+ (line 368)
+* default-key: GPG Configuration Options.
+ (line 10)
+* default-key <1>: Input and Output. (line 34)
+* default-keyserver-url: GPG Esoteric Options.
+ (line 589)
+* default-new-key-algo STRING: GPG Esoteric Options.
+ (line 534)
+* default-preference-list: GPG Esoteric Options.
+ (line 584)
+* default-recipient: GPG Configuration Options.
+ (line 19)
+* default-recipient-self: GPG Configuration Options.
+ (line 23)
+* default-sig-expire: GPG Esoteric Options.
+ (line 513)
+* delete-keys: Operational GPG Commands.
+ (line 224)
+* delete-keys <1>: Certificate Management.
+ (line 60)
+* delete-secret-and-public-key: Operational GPG Commands.
+ (line 244)
+* delete-secret-keys: Operational GPG Commands.
+ (line 233)
+* deny-admin: Scdaemon Options. (line 204)
+* desig-revoke: OpenPGP Key Management.
+ (line 134)
+* detach-sign: Operational GPG Commands.
+ (line 28)
+* digest-algo: GPG Esoteric Options.
+ (line 208)
+* directory: gpgtar. (line 76)
+* directory <1>: gpg-wks-client. (line 122)
+* directory <2>: gpg-wks-server. (line 50)
+* dirmngr: Invoking gpg-connect-agent.
+ (line 54)
+* dirmngr-program: GPG Configuration Options.
+ (line 762)
+* dirmngr-program <1>: Configuration Options.
+ (line 59)
+* dirmngr-program <2>: Invoking gpg-connect-agent.
+ (line 49)
+* disable-application: Scdaemon Options. (line 214)
+* disable-ccid: Scdaemon Options. (line 162)
+* disable-check-own-socket: Agent Options. (line 342)
+* disable-check-own-socket <1>: Dirmngr Options. (line 79)
+* disable-cipher-algo: GPG Esoteric Options.
+ (line 246)
+* disable-crl-checks: Certificate Options. (line 13)
+* disable-dsa2: GPG Configuration Options.
+ (line 196)
+* disable-extended-key-format: Agent Options. (line 388)
+* disable-http: Dirmngr Options. (line 217)
+* disable-ipv4: Dirmngr Options. (line 211)
+* disable-ipv6: Dirmngr Options. (line 211)
+* disable-large-rsa: GPG Configuration Options.
+ (line 187)
+* disable-ldap: Dirmngr Options. (line 214)
+* disable-mdc: OpenPGP Options. (line 25)
+* disable-ocsp: Certificate Options. (line 53)
+* disable-pinpad: Scdaemon Options. (line 201)
+* disable-policy-checks: Certificate Options. (line 8)
+* disable-pubkey-algo: GPG Esoteric Options.
+ (line 251)
+* disable-scdaemon: Agent Options. (line 336)
+* disable-signer-uid: OpenPGP Options. (line 31)
+* disable-trusted-cert-crl-check: Certificate Options. (line 24)
+* display: Agent Options. (line 360)
+* display-charset: GPG Configuration Options.
+ (line 281)
+* display-charset:iso-8859-1: GPG Configuration Options.
+ (line 291)
+* display-charset:iso-8859-15: GPG Configuration Options.
+ (line 297)
+* display-charset:iso-8859-2: GPG Configuration Options.
+ (line 294)
+* display-charset:koi8-r: GPG Configuration Options.
+ (line 300)
+* display-charset:utf-8: GPG Configuration Options.
+ (line 303)
+* dry-run: GPG Esoteric Options.
+ (line 8)
+* dry-run <1>: gpgtar. (line 72)
+* dump-cert: Certificate Management.
+ (line 36)
+* dump-chain: Certificate Management.
+ (line 40)
+* dump-external-keys: Certificate Management.
+ (line 47)
+* dump-keys: Certificate Management.
+ (line 36)
+* dump-options: Agent Commands. (line 19)
+* dump-options <1>: Dirmngr Commands. (line 18)
+* dump-options <2>: General GPG Commands.
+ (line 20)
+* dump-options <3>: General GPGSM Commands.
+ (line 19)
+* dump-options <4>: Scdaemon Commands. (line 18)
+* dump-secret-keys: Certificate Management.
+ (line 43)
+* edit-card: Operational GPG Commands.
+ (line 209)
+* edit-key: OpenPGP Key Management.
+ (line 139)
+* emit-version: GPG Esoteric Options.
+ (line 114)
+* enable-crl-checks: Certificate Options. (line 13)
+* enable-dsa2: GPG Configuration Options.
+ (line 196)
+* enable-extended-key-format: Agent Options. (line 388)
+* enable-issuer-based-crl-check: Certificate Options. (line 45)
+* enable-large-rsa: GPG Configuration Options.
+ (line 187)
+* enable-ocsp: Certificate Options. (line 53)
+* enable-passphrase-history: Agent Options. (line 283)
+* enable-pinpad-varlen: Scdaemon Options. (line 193)
+* enable-policy-checks: Certificate Options. (line 8)
+* enable-progress-filter: GPG Esoteric Options.
+ (line 69)
+* enable-putty-support: Agent Options. (line 402)
+* enable-special-filenames: GPG Esoteric Options.
+ (line 571)
+* enable-special-filenames <1>: gpgv. (line 97)
+* enable-ssh-support: Agent Options. (line 402)
+* enable-trusted-cert-crl-check: Certificate Options. (line 24)
+* enarmor: Operational GPG Commands.
+ (line 403)
+* encrypt: Operational GPG Commands.
+ (line 32)
+* encrypt <1>: Operational GPGSM Commands.
+ (line 7)
+* encrypt <2>: gpgtar. (line 23)
+* encrypt-files: Operational GPG Commands.
+ (line 111)
+* encrypt-to: GPG Key related Options.
+ (line 35)
+* enforce-passphrase-constraints: Agent Options. (line 244)
+* escape-from-lines: GPG Esoteric Options.
+ (line 276)
+* exec: Invoking gpg-connect-agent.
+ (line 65)
+* exec-path: GPG Configuration Options.
+ (line 225)
+* exit-on-status-write-error: GPG Configuration Options.
+ (line 791)
+* expert: GPG Configuration Options.
+ (line 846)
+* export: Operational GPG Commands.
+ (line 250)
+* export <1>: Certificate Management.
+ (line 69)
+* export-filter: GPG Input and Output.
+ (line 131)
+* export-options: GPG Input and Output.
+ (line 220)
+* export-ownertrust: Operational GPG Commands.
+ (line 364)
+* export-secret-key-p12: Certificate Management.
+ (line 82)
+* export-secret-key-p8: Certificate Management.
+ (line 91)
+* export-secret-key-raw: Certificate Management.
+ (line 91)
+* export-secret-keys: Operational GPG Commands.
+ (line 268)
+* export-secret-subkeys: Operational GPG Commands.
+ (line 268)
+* export-ssh-key: Operational GPG Commands.
+ (line 290)
+* extra-digest-algo: Esoteric Options. (line 7)
+* extra-socket: Agent Options. (line 374)
+* extract: gpgtar. (line 19)
+* faked-system-time: Agent Options. (line 52)
+* faked-system-time <1>: GPG Esoteric Options.
+ (line 60)
+* faked-system-time <2>: Esoteric Options. (line 46)
+* fast-list-mode: GPG Esoteric Options.
+ (line 462)
+* fetch-crl: Dirmngr Commands. (line 52)
+* fetch-keys: Operational GPG Commands.
+ (line 333)
+* fingerprint: Operational GPG Commands.
+ (line 194)
+* fixed-list-mode: GPG Input and Output.
+ (line 284)
+* flush: Dirmngr Commands. (line 62)
+* for-your-eyes-only: GPG Esoteric Options.
+ (line 185)
+* forbid-gen-key: GPG Esoteric Options.
+ (line 551)
+* force: Dirmngr Options. (line 93)
+* force <1>: watchgnupg. (line 23)
+* force-crl-refresh: Certificate Options. (line 35)
+* force-default-responder: dirmngr-client. (line 64)
+* force-mdc: OpenPGP Options. (line 25)
+* force-sign-key: GPG Esoteric Options.
+ (line 545)
+* forget: Invoking gpg-preset-passphrase.
+ (line 26)
+* from: gpg-wks-server. (line 54)
+* full-gen-key: OpenPGP Key Management.
+ (line 111)
+* full-generate-key: OpenPGP Key Management.
+ (line 110)
+* gen-key: OpenPGP Key Management.
+ (line 104)
+* gen-key <1>: Certificate Management.
+ (line 8)
+* gen-prime: Operational GPG Commands.
+ (line 398)
+* gen-random: Operational GPG Commands.
+ (line 391)
+* gen-revoke: OpenPGP Key Management.
+ (line 120)
+* generate-designated-revocation: OpenPGP Key Management.
+ (line 133)
+* generate-key: OpenPGP Key Management.
+ (line 103)
+* generate-key <1>: Certificate Management.
+ (line 7)
+* generate-revocation: OpenPGP Key Management.
+ (line 119)
+* gnupg: Compliance Options. (line 12)
+* gpg: gpgtar. (line 135)
+* gpg-agent-info: GPG Configuration Options.
+ (line 752)
+* gpg-args: gpgtar. (line 138)
+* gpgconf-list: GPG Esoteric Options.
+ (line 605)
+* gpgconf-test: GPG Esoteric Options.
+ (line 609)
+* grab: Agent Options. (line 153)
+* group: GPG Key related Options.
+ (line 55)
+* header: gpg-wks-server. (line 57)
+* help: Agent Commands. (line 15)
+* help <1>: Dirmngr Commands. (line 14)
+* help <2>: General GPG Commands.
+ (line 12)
+* help <3>: General GPGSM Commands.
+ (line 11)
+* help <4>: Scdaemon Commands. (line 14)
+* help <5>: watchgnupg. (line 39)
+* help <6>: dirmngr-client. (line 44)
+* help <7>: gpgtar. (line 150)
+* help <8>: gpg-wks-client. (line 141)
+* help <9>: gpg-wks-server. (line 87)
+* hex: Invoking gpg-connect-agent.
+ (line 91)
+* hidden-encrypt-to: GPG Key related Options.
+ (line 43)
+* hidden-recipient: GPG Key related Options.
+ (line 14)
+* hidden-recipient-file: GPG Key related Options.
+ (line 29)
+* homedir: Agent Options. (line 17)
+* homedir <1>: GPG Configuration Options.
+ (line 260)
+* homedir <2>: Configuration Options.
+ (line 16)
+* homedir <3>: Scdaemon Options. (line 13)
+* homedir <4>: gpgv. (line 69)
+* homedir <5>: Invoking gpgconf. (line 120)
+* homedir <6>: Invoking gpg-connect-agent.
+ (line 21)
+* honor-http-proxy: Dirmngr Options. (line 236)
+* http-proxy: Dirmngr Options. (line 240)
+* ignore-cache-for-signing: Agent Options. (line 211)
+* ignore-cert: Dirmngr Options. (line 389)
+* ignore-cert-extension: Dirmngr Options. (line 379)
+* ignore-cert-extension <1>: Certificate Options. (line 82)
+* ignore-cert-with-oid: Esoteric Options. (line 37)
+* ignore-crc-error: GPG Esoteric Options.
+ (line 387)
+* ignore-http-dp: Dirmngr Options. (line 220)
+* ignore-ldap-dp: Dirmngr Options. (line 227)
+* ignore-mdc-error: GPG Esoteric Options.
+ (line 394)
+* ignore-ocsp-service-url: Dirmngr Options. (line 232)
+* ignore-time-conflict: GPG Esoteric Options.
+ (line 373)
+* ignore-time-conflict <1>: gpgv. (line 63)
+* ignore-valid-from: GPG Esoteric Options.
+ (line 380)
+* import: Operational GPG Commands.
+ (line 304)
+* import <1>: Certificate Management.
+ (line 99)
+* import-filter: GPG Input and Output.
+ (line 131)
+* import-options: GPG Input and Output.
+ (line 45)
+* import-ownertrust: Operational GPG Commands.
+ (line 370)
+* include-certs: CMS Options. (line 7)
+* include-key-block: OpenPGP Options. (line 38)
+* input-size-hint: GPG Input and Output.
+ (line 29)
+* interactive: GPG Esoteric Options.
+ (line 19)
+* keep-display: Agent Options. (line 365)
+* keep-tty: Agent Options. (line 365)
+* key-origin: GPG Input and Output.
+ (line 37)
+* keydb-clear-some-cert-flags: Certificate Management.
+ (line 52)
+* keyedit:addcardkey: OpenPGP Key Management.
+ (line 281)
+* keyedit:addkey: OpenPGP Key Management.
+ (line 278)
+* keyedit:addphoto: OpenPGP Key Management.
+ (line 201)
+* keyedit:addrevoker: OpenPGP Key Management.
+ (line 330)
+* keyedit:adduid: OpenPGP Key Management.
+ (line 198)
+* keyedit:bkuptocard: OpenPGP Key Management.
+ (line 295)
+* keyedit:change-usage: OpenPGP Key Management.
+ (line 357)
+* keyedit:check: OpenPGP Key Management.
+ (line 194)
+* keyedit:clean: OpenPGP Key Management.
+ (line 343)
+* keyedit:cross-certify: OpenPGP Key Management.
+ (line 366)
+* keyedit:delkey: OpenPGP Key Management.
+ (line 306)
+* keyedit:delsig: OpenPGP Key Management.
+ (line 184)
+* keyedit:deluid: OpenPGP Key Management.
+ (line 211)
+* keyedit:disable: OpenPGP Key Management.
+ (line 326)
+* keyedit:enable: OpenPGP Key Management.
+ (line 326)
+* keyedit:expire: OpenPGP Key Management.
+ (line 315)
+* keyedit:key: OpenPGP Key Management.
+ (line 148)
+* keyedit:keyserver: OpenPGP Key Management.
+ (line 228)
+* keyedit:keytocard: OpenPGP Key Management.
+ (line 284)
+* keyedit:lsign: OpenPGP Key Management.
+ (line 159)
+* keyedit:minimize: OpenPGP Key Management.
+ (line 352)
+* keyedit:notation: OpenPGP Key Management.
+ (line 235)
+* keyedit:nrsign: OpenPGP Key Management.
+ (line 164)
+* keyedit:passwd: OpenPGP Key Management.
+ (line 336)
+* keyedit:pref: OpenPGP Key Management.
+ (line 243)
+* keyedit:primary: OpenPGP Key Management.
+ (line 220)
+* keyedit:quit: OpenPGP Key Management.
+ (line 377)
+* keyedit:revkey: OpenPGP Key Management.
+ (line 312)
+* keyedit:revsig: OpenPGP Key Management.
+ (line 189)
+* keyedit:revuid: OpenPGP Key Management.
+ (line 217)
+* keyedit:save: OpenPGP Key Management.
+ (line 374)
+* keyedit:setpref: OpenPGP Key Management.
+ (line 255)
+* keyedit:showphoto: OpenPGP Key Management.
+ (line 208)
+* keyedit:showpref: OpenPGP Key Management.
+ (line 247)
+* keyedit:sign: OpenPGP Key Management.
+ (line 152)
+* keyedit:toggle: OpenPGP Key Management.
+ (line 339)
+* keyedit:trust: OpenPGP Key Management.
+ (line 321)
+* keyedit:tsign: OpenPGP Key Management.
+ (line 168)
+* keyedit:uid: OpenPGP Key Management.
+ (line 144)
+* keyid-format: GPG Configuration Options.
+ (line 627)
+* keyring: GPG Configuration Options.
+ (line 229)
+* keyring <1>: gpgv. (line 38)
+* keyserver: Dirmngr Options. (line 148)
+* keyserver <1>: GPG Configuration Options.
+ (line 636)
+* keyserver <2>: Configuration Options.
+ (line 43)
+* keyserver-options: GPG Configuration Options.
+ (line 655)
+* kill: Invoking gpgconf. (line 89)
+* known-notation: GPG Esoteric Options.
+ (line 151)
+* launch: Invoking gpgconf. (line 80)
+* lc-ctype: Agent Options. (line 360)
+* lc-messages: Agent Options. (line 360)
+* ldap-proxy: Dirmngr Options. (line 245)
+* ldapserver: Dirmngr Options. (line 275)
+* ldapserverlist-file: Dirmngr Options. (line 256)
+* ldaptimeout: Dirmngr Options. (line 309)
+* learn-card: Certificate Management.
+ (line 104)
+* legacy-list-mode: GPG Input and Output.
+ (line 290)
+* limit-card-insert-tries: GPG Configuration Options.
+ (line 800)
+* list-archive: gpgtar. (line 39)
+* list-chain: Certificate Management.
+ (line 32)
+* list-config: GPG Esoteric Options.
+ (line 594)
+* list-crls: Dirmngr Commands. (line 40)
+* list-gcrypt-config: GPG Esoteric Options.
+ (line 602)
+* list-keys: Operational GPG Commands.
+ (line 119)
+* list-keys <1>: Certificate Management.
+ (line 17)
+* list-keys <2>: Certificate Management.
+ (line 28)
+* list-only: GPG Esoteric Options.
+ (line 11)
+* list-options: GPG Configuration Options.
+ (line 71)
+* list-options:show-keyring: GPG Configuration Options.
+ (line 119)
+* list-options:show-keyserver-urls: GPG Configuration Options.
+ (line 103)
+* list-options:show-notations: GPG Configuration Options.
+ (line 99)
+* list-options:show-only-fpr-mbox: GPG Configuration Options.
+ (line 134)
+* list-options:show-photos: GPG Configuration Options.
+ (line 79)
+* list-options:show-policy-urls: GPG Configuration Options.
+ (line 93)
+* list-options:show-sig-expire: GPG Configuration Options.
+ (line 123)
+* list-options:show-sig-subpackets: GPG Configuration Options.
+ (line 127)
+* list-options:show-std-notations: GPG Configuration Options.
+ (line 99)
+* list-options:show-uid-validity: GPG Configuration Options.
+ (line 107)
+* list-options:show-unusable-subkeys: GPG Configuration Options.
+ (line 115)
+* list-options:show-unusable-uids: GPG Configuration Options.
+ (line 111)
+* list-options:show-usage: GPG Configuration Options.
+ (line 87)
+* list-options:show-user-notations: GPG Configuration Options.
+ (line 99)
+* list-packets: Operational GPG Commands.
+ (line 203)
+* list-secret-keys: Operational GPG Commands.
+ (line 130)
+* list-secret-keys <1>: Certificate Management.
+ (line 24)
+* list-signatures: GPG Esoteric Options.
+ (line 450)
+* list-sigs: GPG Esoteric Options.
+ (line 451)
+* listen-backlog: Agent Options. (line 370)
+* listen-backlog <1>: Dirmngr Options. (line 134)
+* listen-backlog <2>: Scdaemon Options. (line 135)
+* load-crl: Dirmngr Commands. (line 44)
+* load-crl <1>: dirmngr-client. (line 80)
+* local-user: GPG Key related Options.
+ (line 77)
+* local-user <1>: Input and Output. (line 41)
+* local-user <2>: gpgtar. (line 53)
+* locate-external-keys: Operational GPG Commands.
+ (line 170)
+* locate-keys: Operational GPG Commands.
+ (line 170)
+* lock-multiple: GPG Configuration Options.
+ (line 780)
+* lock-never: GPG Configuration Options.
+ (line 784)
+* lock-once: GPG Configuration Options.
+ (line 776)
+* log-file: Agent Options. (line 159)
+* log-file <1>: Dirmngr Options. (line 30)
+* log-file <2>: GPG Esoteric Options.
+ (line 86)
+* log-file <3>: Configuration Options.
+ (line 80)
+* log-file <4>: Scdaemon Options. (line 140)
+* log-file <5>: gpgv. (line 59)
+* logger-fd: GPG Esoteric Options.
+ (line 82)
+* logger-fd <1>: gpgv. (line 56)
+* lookup: dirmngr-client. (line 86)
+* lsign-key: OpenPGP Key Management.
+ (line 392)
+* mangle-dos-filenames: GPG Configuration Options.
+ (line 352)
+* marginals-needed: GPG Configuration Options.
+ (line 721)
+* max-cache-ttl: Agent Options. (line 232)
+* max-cache-ttl-ssh: Agent Options. (line 238)
+* max-cert-depth: GPG Configuration Options.
+ (line 729)
+* max-output: GPG Input and Output.
+ (line 19)
+* max-passphrase-days: Agent Options. (line 278)
+* max-replies: Dirmngr Options. (line 376)
+* min-cert-level: GPG Configuration Options.
+ (line 397)
+* min-passphrase-len: Agent Options. (line 248)
+* min-passphrase-nonalpha: Agent Options. (line 253)
+* min-rsa-length: Compliance Options. (line 72)
+* min-rsa-length <1>: Esoteric Options. (line 22)
+* multi-server: Scdaemon Commands. (line 26)
+* multifile: Operational GPG Commands.
+ (line 100)
+* nameserver: Dirmngr Options. (line 203)
+* no: GPG Configuration Options.
+ (line 67)
+* no <1>: gpgtar. (line 113)
+* no-allow-external-cache: Agent Options. (line 196)
+* no-allow-loopback-pinentry: Agent Options. (line 188)
+* no-allow-mark-trusted: Agent Options. (line 167)
+* no-armor: GPG Input and Output.
+ (line 12)
+* no-auto-key-import: GPG Configuration Options.
+ (line 578)
+* no-auto-key-retrieve: GPG Configuration Options.
+ (line 590)
+* no-autostart: GPG Configuration Options.
+ (line 769)
+* no-autostart <1>: Configuration Options.
+ (line 69)
+* no-autostart <2>: Invoking gpg-connect-agent.
+ (line 77)
+* no-batch: GPG Configuration Options.
+ (line 45)
+* no-common-certs-import: Esoteric Options. (line 168)
+* no-default-keyring: GPG Esoteric Options.
+ (line 432)
+* no-default-recipient: GPG Configuration Options.
+ (line 29)
+* no-detach: Agent Options. (line 131)
+* no-detach <1>: Scdaemon Options. (line 131)
+* no-encrypt-to: GPG Key related Options.
+ (line 51)
+* no-expensive-trust-checks: GPG Esoteric Options.
+ (line 576)
+* no-ext-connect: Invoking gpg-connect-agent.
+ (line 72)
+* no-grab: Agent Options. (line 153)
+* no-greeting: GPG Configuration Options.
+ (line 814)
+* no-groups: GPG Key related Options.
+ (line 73)
+* no-keyring: GPG Esoteric Options.
+ (line 438)
+* no-literal: GPG Esoteric Options.
+ (line 470)
+* no-mangle-dos-filenames: GPG Configuration Options.
+ (line 352)
+* no-options: GPG Configuration Options.
+ (line 327)
+* no-random-seed-file: GPG Configuration Options.
+ (line 808)
+* no-secmem-warning: GPG Configuration Options.
+ (line 817)
+* no-secmem-warning <1>: Configuration Options.
+ (line 76)
+* no-sig-cache: GPG Configuration Options.
+ (line 732)
+* no-skip-hidden-recipients: GPG Key related Options.
+ (line 108)
+* no-symkey-cache: GPG Esoteric Options.
+ (line 337)
+* no-tty: GPG Configuration Options.
+ (line 58)
+* no-use-standard-socket: Agent Options. (line 350)
+* no-use-tor: Dirmngr Options. (line 98)
+* no-user-trustlist: Agent Options. (line 172)
+* no-verbose: GPG Configuration Options.
+ (line 37)
+* not-dash-escaped: GPG Esoteric Options.
+ (line 266)
+* null: gpgtar. (line 86)
+* null <1>: gpg-check-pattern. (line 59)
+* ocsp: dirmngr-client. (line 61)
+* ocsp-current-period: Dirmngr Options. (line 371)
+* ocsp-max-clock-skew: Dirmngr Options. (line 363)
+* ocsp-max-period: Dirmngr Options. (line 367)
+* ocsp-responder: Dirmngr Options. (line 337)
+* ocsp-signer: Dirmngr Options. (line 342)
+* only-ldap-proxy: Dirmngr Options. (line 251)
+* openpgp: Compliance Options. (line 19)
+* openpgp <1>: gpgtar. (line 95)
+* options: Agent Options. (line 10)
+* options <1>: Dirmngr Options. (line 11)
+* options <2>: Dirmngr Options. (line 16)
+* options <3>: GPG Configuration Options.
+ (line 322)
+* options <4>: Configuration Options.
+ (line 10)
+* options <5>: Scdaemon Options. (line 7)
+* output: GPG Input and Output.
+ (line 16)
+* output <1>: Input and Output. (line 51)
+* output <2>: gpgv. (line 45)
+* output <3>: gpgtar. (line 57)
+* output <4>: gpg-wks-client. (line 111)
+* output <5>: gpg-wks-server. (line 65)
+* override-session-key: GPG Esoteric Options.
+ (line 494)
+* p12-charset: Input and Output. (line 24)
+* passphrase: GPG Esoteric Options.
+ (line 312)
+* passphrase <1>: Invoking gpg-preset-passphrase.
+ (line 36)
+* passphrase-fd: GPG Esoteric Options.
+ (line 291)
+* passphrase-fd <1>: Esoteric Options. (line 136)
+* passphrase-file: GPG Esoteric Options.
+ (line 301)
+* passphrase-repeat: GPG Esoteric Options.
+ (line 283)
+* passwd: OpenPGP Key Management.
+ (line 453)
+* passwd <1>: Certificate Management.
+ (line 110)
+* pcsc-driver: Scdaemon Options. (line 150)
+* pcsc-shared: Scdaemon Options. (line 144)
+* pem: dirmngr-client. (line 58)
+* permission-warning: GPG Configuration Options.
+ (line 820)
+* personal-cipher-preferences: OpenPGP Options. (line 46)
+* personal-compress-preferences: OpenPGP Options. (line 64)
+* personal-digest-preferences: OpenPGP Options. (line 55)
+* pgp6: Compliance Options. (line 44)
+* pgp7: Compliance Options. (line 54)
+* pgp8: Compliance Options. (line 60)
+* photo-viewer: GPG Configuration Options.
+ (line 202)
+* pinentry-formatted-passphrase: Agent Options. (line 297)
+* pinentry-invisible-char: Agent Options. (line 286)
+* pinentry-mode: GPG Esoteric Options.
+ (line 322)
+* pinentry-mode <1>: Esoteric Options. (line 145)
+* pinentry-program: Agent Options. (line 310)
+* pinentry-timeout: Agent Options. (line 291)
+* pinentry-touch-file: Agent Options. (line 323)
+* ping: dirmngr-client. (line 69)
+* policy-file: Configuration Options.
+ (line 50)
+* prefer-system-dirmngr: Configuration Options.
+ (line 63)
+* preserve-permissions: GPG Esoteric Options.
+ (line 579)
+* preset: Invoking gpg-preset-passphrase.
+ (line 22)
+* primary-keyring: GPG Configuration Options.
+ (line 243)
+* print-md: Operational GPG Commands.
+ (line 386)
+* q: Invoking gpg-connect-agent.
+ (line 18)
+* quick-add-key: OpenPGP Key Management.
+ (line 69)
+* quick-add-uid: OpenPGP Key Management.
+ (line 420)
+* quick-gen-key: OpenPGP Key Management.
+ (line 10)
+* quick-generate-key: OpenPGP Key Management.
+ (line 10)
+* quick-lsign-key: OpenPGP Key Management.
+ (line 398)
+* quick-revoke-sig: OpenPGP Key Management.
+ (line 435)
+* quick-revoke-uid: OpenPGP Key Management.
+ (line 427)
+* quick-set-expire: OpenPGP Key Management.
+ (line 60)
+* quick-set-primary-uid: OpenPGP Key Management.
+ (line 445)
+* quick-sign-key: OpenPGP Key Management.
+ (line 398)
+* quiet: Agent Options. (line 45)
+* quiet <1>: GPG Configuration Options.
+ (line 40)
+* quiet <2>: gpgv. (line 35)
+* quiet <3>: Invoking gpgconf. (line 117)
+* quiet <4>: Invoking gpg-connect-agent.
+ (line 18)
+* quiet <5>: dirmngr-client. (line 48)
+* quiet <6>: gpgtar. (line 65)
+* quiet <7>: gpg-wks-client. (line 135)
+* quiet <8>: gpg-wks-server. (line 81)
+* raw-socket: Invoking gpg-connect-agent.
+ (line 59)
+* reader-port: Scdaemon Options. (line 168)
+* rebuild-keydb-caches: Operational GPG Commands.
+ (line 380)
+* receive-keys: Operational GPG Commands.
+ (line 313)
+* recipient: GPG Key related Options.
+ (line 8)
+* recipient <1>: Input and Output. (line 46)
+* recipient <2>: gpgtar. (line 49)
+* recipient-file: GPG Key related Options.
+ (line 22)
+* recursive-resolver: Dirmngr Options. (line 117)
+* recv-keys: Operational GPG Commands.
+ (line 314)
+* refresh-keys: Operational GPG Commands.
+ (line 317)
+* reload: Invoking gpgconf. (line 74)
+* remove-socketdir: Invoking gpgconf. (line 102)
+* request-origin: GPG Esoteric Options.
+ (line 342)
+* request-origin <1>: Esoteric Options. (line 160)
+* require-compliance: Compliance Options. (line 77)
+* require-compliance <1>: Esoteric Options. (line 27)
+* require-compliance <2>: gpgtar. (line 117)
+* require-cross-certification: GPG Configuration Options.
+ (line 839)
+* require-secmem: GPG Configuration Options.
+ (line 834)
+* resolver-timeout: Dirmngr Options. (line 120)
+* rfc2440: Compliance Options. (line 37)
+* rfc4880: Compliance Options. (line 25)
+* rfc4880bis: Compliance Options. (line 30)
+* run: Invoking gpg-connect-agent.
+ (line 82)
+* s: Dirmngr Options. (line 87)
+* s2k-calibration: Agent Options. (line 465)
+* s2k-cipher-algo: OpenPGP Options. (line 74)
+* s2k-count: Agent Options. (line 472)
+* s2k-count <1>: OpenPGP Options. (line 90)
+* s2k-digest-algo: OpenPGP Options. (line 79)
+* s2k-mode: OpenPGP Options. (line 83)
+* scdaemon-program: Agent Options. (line 332)
+* search-keys: Operational GPG Commands.
+ (line 323)
+* secret-keyring: GPG Configuration Options.
+ (line 248)
+* send: gpg-wks-client. (line 72)
+* send <1>: gpg-wks-server. (line 60)
+* send-keys: Operational GPG Commands.
+ (line 257)
+* sender: GPG Key related Options.
+ (line 81)
+* server: Agent Commands. (line 23)
+* server <1>: Dirmngr Commands. (line 22)
+* server <2>: Operational GPGSM Commands.
+ (line 24)
+* server <3>: Scdaemon Commands. (line 22)
+* set-filename: GPG Esoteric Options.
+ (line 178)
+* set-filename <1>: gpgtar. (line 129)
+* set-filesize: GPG Esoteric Options.
+ (line 474)
+* set-notation: GPG Esoteric Options.
+ (line 124)
+* set-policy-url: GPG Esoteric Options.
+ (line 160)
+* sh: Agent Options. (line 146)
+* sh <1>: Dirmngr Options. (line 87)
+* show-keyring: Deprecated Options. (line 16)
+* show-keys: Operational GPG Commands.
+ (line 185)
+* show-notation: Deprecated Options. (line 25)
+* show-photos: Deprecated Options. (line 8)
+* show-policy-url: Deprecated Options. (line 33)
+* show-session-key: GPG Esoteric Options.
+ (line 478)
+* shutdown: Dirmngr Commands. (line 58)
+* sig-keyserver-url: GPG Esoteric Options.
+ (line 170)
+* sig-notation: GPG Esoteric Options.
+ (line 124)
+* sig-policy-url: GPG Esoteric Options.
+ (line 160)
+* sign: Operational GPG Commands.
+ (line 8)
+* sign <1>: Operational GPGSM Commands.
+ (line 16)
+* sign-key: OpenPGP Key Management.
+ (line 388)
+* skip-crypto: gpgtar. (line 68)
+* skip-hidden-recipients: GPG Key related Options.
+ (line 108)
+* skip-verify: GPG Esoteric Options.
+ (line 442)
+* squid-mode: dirmngr-client. (line 101)
+* ssh-fingerprint-digest: Agent Options. (line 450)
+* standard-resolver: Dirmngr Options. (line 110)
+* status-fd: GPG Esoteric Options.
+ (line 74)
+* status-fd <1>: gpgv. (line 52)
+* status-fd <2>: Invoking gpgconf. (line 158)
+* status-fd <3>: gpgtar. (line 120)
+* status-fd <4>: gpg-wks-client. (line 115)
+* status-file: GPG Esoteric Options.
+ (line 78)
+* steal-socket: Agent Options. (line 135)
+* store: Operational GPG Commands.
+ (line 55)
+* subst: Invoking gpg-connect-agent.
+ (line 88)
+* supervised: Agent Commands. (line 36)
+* supervised <1>: Dirmngr Commands. (line 33)
+* symmetric: Operational GPG Commands.
+ (line 42)
+* sys-trustlist-name: Agent Options. (line 177)
+* tar-args: gpgtar. (line 141)
+* textmode: OpenPGP Options. (line 8)
+* throw-keyids: GPG Esoteric Options.
+ (line 257)
+* time-only: watchgnupg. (line 30)
+* tls-debug: Dirmngr Options. (line 69)
+* tofu-default-policy: GPG Configuration Options.
+ (line 725)
+* tofu-policy: Operational GPG Commands.
+ (line 408)
+* trust-model: GPG Configuration Options.
+ (line 412)
+* trust-model:always: GPG Configuration Options.
+ (line 493)
+* trust-model:auto: GPG Configuration Options.
+ (line 502)
+* trust-model:classic: GPG Configuration Options.
+ (line 420)
+* trust-model:direct: GPG Configuration Options.
+ (line 485)
+* trust-model:pgp: GPG Configuration Options.
+ (line 415)
+* trust-model:tofu: GPG Configuration Options.
+ (line 423)
+* trust-model:tofu+pgp: GPG Configuration Options.
+ (line 473)
+* trustdb-name: GPG Configuration Options.
+ (line 253)
+* trusted-key: GPG Configuration Options.
+ (line 403)
+* try-all-secrets: GPG Key related Options.
+ (line 100)
+* try-secret-key: GPG Key related Options.
+ (line 89)
+* ttyname: Agent Options. (line 360)
+* ttytype: Agent Options. (line 360)
+* ungroup: GPG Key related Options.
+ (line 70)
+* update-trustdb: Operational GPG Commands.
+ (line 339)
+* url: dirmngr-client. (line 94)
+* url <1>: dirmngr-client. (line 98)
+* use-agent: GPG Configuration Options.
+ (line 749)
+* use-embedded-filename: GPG Esoteric Options.
+ (line 194)
+* use-standard-socket: Agent Options. (line 350)
+* use-standard-socket-p: Agent Options. (line 350)
+* use-tor: Dirmngr Options. (line 98)
+* utf8-strings: GPG Configuration Options.
+ (line 308)
+* utf8-strings <1>: gpgtar. (line 90)
+* v: Dirmngr Options. (line 25)
+* v <1>: Configuration Options.
+ (line 38)
+* v <2>: Scdaemon Options. (line 35)
+* v <3>: dirmngr-client. (line 53)
+* validate: dirmngr-client. (line 76)
+* validation-model: Certificate Options. (line 73)
+* verbose: Agent Options. (line 39)
+* verbose <1>: Dirmngr Options. (line 25)
+* verbose <2>: GPG Configuration Options.
+ (line 33)
+* verbose <3>: Configuration Options.
+ (line 38)
+* verbose <4>: Scdaemon Options. (line 35)
+* verbose <5>: watchgnupg. (line 33)
+* verbose <6>: gpgv. (line 30)
+* verbose <7>: Invoking gpg-preset-passphrase.
+ (line 32)
+* verbose <8>: Invoking gpg-connect-agent.
+ (line 14)
+* verbose <9>: dirmngr-client. (line 53)
+* verbose <10>: gpgtar. (line 61)
+* verbose <11>: gpg-check-pattern. (line 53)
+* verbose <12>: gpg-wks-client. (line 132)
+* verbose <13>: gpg-wks-server. (line 78)
+* verify: Operational GPG Commands.
+ (line 67)
+* verify <1>: Operational GPGSM Commands.
+ (line 20)
+* verify-files: Operational GPG Commands.
+ (line 108)
+* verify-options: GPG Configuration Options.
+ (line 138)
+* verify-options:pka-lookups: GPG Configuration Options.
+ (line 174)
+* verify-options:pka-trust-increase: GPG Configuration Options.
+ (line 181)
+* verify-options:show-keyserver-urls: GPG Configuration Options.
+ (line 157)
+* verify-options:show-notations: GPG Configuration Options.
+ (line 153)
+* verify-options:show-photos: GPG Configuration Options.
+ (line 143)
+* verify-options:show-policy-urls: GPG Configuration Options.
+ (line 147)
+* verify-options:show-primary-uid-only: GPG Configuration Options.
+ (line 169)
+* verify-options:show-std-notations: GPG Configuration Options.
+ (line 153)
+* verify-options:show-uid-validity: GPG Configuration Options.
+ (line 161)
+* verify-options:show-unusable-uids: GPG Configuration Options.
+ (line 165)
+* verify-options:show-user-notations: GPG Configuration Options.
+ (line 153)
+* version: Agent Commands. (line 10)
+* version <1>: Dirmngr Commands. (line 10)
+* version <2>: General GPG Commands.
+ (line 7)
+* version <3>: General GPGSM Commands.
+ (line 7)
+* version <4>: Scdaemon Commands. (line 10)
+* version <5>: watchgnupg. (line 36)
+* version <6>: dirmngr-client. (line 40)
+* version <7>: gpgtar. (line 147)
+* version <8>: gpg-wks-client. (line 138)
+* version <9>: gpg-wks-server. (line 84)
+* warranty: General GPG Commands.
+ (line 17)
+* warranty <1>: General GPGSM Commands.
+ (line 15)
+* weak-digest: GPG Esoteric Options.
+ (line 411)
+* weak-digest <1>: gpgv. (line 90)
+* with-colons: GPG Input and Output.
+ (line 276)
+* with-colons <1>: gpg-wks-client. (line 76)
+* with-dir: gpg-wks-server. (line 69)
+* with-ephemeral-keys: Esoteric Options. (line 52)
+* with-file: gpg-wks-server. (line 73)
+* with-fingerprint: GPG Input and Output.
+ (line 296)
+* with-icao-spelling: GPG Input and Output.
+ (line 307)
+* with-key-data: GPG Esoteric Options.
+ (line 446)
+* with-key-data <1>: Input and Output. (line 54)
+* with-key-origin: GPG Input and Output.
+ (line 315)
+* with-keygrip: GPG Input and Output.
+ (line 311)
+* with-log: gpgtar. (line 124)
+* with-secret: GPG Input and Output.
+ (line 326)
+* with-secret <1>: Input and Output. (line 78)
+* with-subkey-fingerprint: GPG Input and Output.
+ (line 300)
+* with-validation: Input and Output. (line 60)
+* with-wkd-hash: GPG Input and Output.
+ (line 321)
+* xauthority: Agent Options. (line 360)
+* yes: GPG Configuration Options.
+ (line 63)
+* yes <1>: gpgtar. (line 108)
+
+
+File: gnupg.info, Node: Environment Index, Next: Index, Prev: Option Index, Up: Top
+
+Environment Variable and File Index
+***********************************
+
+
+* Menu:
+
+* .gpg-v21-migrated: GPG Configuration. (line 77)
+* ~/.gnupg: GPG Configuration. (line 27)
+* ASSUAN_DEBUG: Scdaemon Options. (line 122)
+* COLUMNS: GPG Configuration. (line 118)
+* com-certs.pem: GPGSM Configuration. (line 84)
+* dirmngr.conf: Dirmngr Configuration.
+ (line 12)
+* DISPLAY: GPGSM OPTION. (line 21)
+* GNUPGHOME: Agent Options. (line 17)
+* GNUPGHOME <1>: GPG Configuration Options.
+ (line 260)
+* GNUPGHOME <2>: GPG Configuration. (line 106)
+* GNUPGHOME <3>: Configuration Options.
+ (line 16)
+* GNUPGHOME <4>: Scdaemon Options. (line 13)
+* GNUPGHOME <5>: gpgv. (line 69)
+* GNUPGHOME <6>: Invoking gpgconf. (line 120)
+* GNUPGHOME <7>: Invoking gpg-connect-agent.
+ (line 21)
+* GNUPG_BUILD_ROOT: GPG Configuration. (line 130)
+* GNUPG_EXEC_DEBUG_FLAGS: GPG Configuration. (line 135)
+* gpg-agent.conf: Agent Configuration. (line 11)
+* gpg.conf: GPG Configuration. (line 11)
+* gpgconf.ctl: Agent Options. (line 28)
+* gpgconf.ctl <1>: GPG Configuration Options.
+ (line 271)
+* gpgconf.ctl <2>: Configuration Options.
+ (line 27)
+* gpgconf.ctl <3>: Scdaemon Options. (line 24)
+* gpgconf.ctl <4>: gpgv. (line 80)
+* gpgconf.ctl <5>: Invoking gpgconf. (line 131)
+* gpgconf.ctl <6>: Invoking gpg-connect-agent.
+ (line 32)
+* gpgsm.conf: GPGSM Configuration. (line 11)
+* GPG_TTY: Invoking GPG-AGENT. (line 22)
+* GPG_TTY <1>: GPGSM OPTION. (line 23)
+* help.txt: GPGSM Configuration. (line 72)
+* HKCU\Software\GNU\GnuPG:DefaultLogFile: Agent Options. (line 159)
+* HKCU\Software\GNU\GnuPG:HomeDir: Agent Options. (line 17)
+* HKCU\Software\GNU\GnuPG:HomeDir <1>: GPG Configuration Options.
+ (line 260)
+* HKCU\Software\GNU\GnuPG:HomeDir <2>: Configuration Options.
+ (line 16)
+* HKCU\Software\GNU\GnuPG:HomeDir <3>: Scdaemon Options. (line 13)
+* HKCU\Software\GNU\GnuPG:HomeDir <4>: gpgv. (line 69)
+* HKCU\Software\GNU\GnuPG:HomeDir <5>: Invoking gpgconf. (line 120)
+* HKCU\Software\GNU\GnuPG:HomeDir <6>: Invoking gpg-connect-agent.
+ (line 21)
+* HOME: GPG Configuration. (line 103)
+* http_proxy: Dirmngr Options. (line 240)
+* LANGUAGE: GPG Configuration. (line 121)
+* LC_CTYPE: GPGSM OPTION. (line 27)
+* LC_MESSAGES: GPGSM OPTION. (line 29)
+* LINES: GPG Configuration. (line 118)
+* openpgp-revocs.d: GPG Configuration. (line 91)
+* PATH: GPG Configuration Options.
+ (line 225)
+* PINENTRY_USER_DATA: GPG Configuration. (line 113)
+* PINENTRY_USER_DATA <1>: GPGSM OPTION. (line 33)
+* policies.txt: GPGSM Configuration. (line 18)
+* private-keys-v1.d: Agent Configuration. (line 106)
+* pubring.gpg: GPG Configuration. (line 32)
+* pubring.kbx: GPG Configuration. (line 50)
+* pubring.kbx <1>: GPGSM Configuration. (line 100)
+* qualified.txt: GPGSM Configuration. (line 33)
+* random_seed: GPG Configuration. (line 88)
+* random_seed <1>: GPGSM Configuration. (line 106)
+* S.gpg-agent: GPGSM Configuration. (line 111)
+* secring.gpg: GPG Configuration. (line 69)
+* SHELL: Agent Options. (line 146)
+* sshcontrol: Agent Configuration. (line 76)
+* TERM: GPGSM OPTION. (line 25)
+* trustdb.gpg: GPG Configuration. (line 80)
+* trustlist.txt: Agent Configuration. (line 20)
+* XAUTHORITY: GPGSM OPTION. (line 31)
+
+
+File: gnupg.info, Node: Index, Prev: Environment Index, Up: Top
+
+Index
+*****
+
+
+* Menu:
+
+* command options: Invoking GPG-AGENT. (line 6)
+* command options <1>: Invoking DIRMNGR. (line 6)
+* command options <2>: Invoking GPG. (line 6)
+* command options <3>: Invoking GPGSM. (line 6)
+* command options <4>: Invoking SCDAEMON. (line 6)
+* contributors: Contributors. (line 6)
+* DIRMNGR command options: Invoking DIRMNGR. (line 6)
+* GPG command options: Invoking GPG. (line 6)
+* GPG-AGENT command options: Invoking GPG-AGENT. (line 6)
+* gpgconf.conf: Files used by gpgconf.
+ (line 7)
+* GPGSM command options: Invoking GPGSM. (line 6)
+* options, DIRMNGR command: Invoking DIRMNGR. (line 6)
+* options, GPG command: Invoking GPG. (line 6)
+* options, GPG-AGENT command: Invoking GPG-AGENT. (line 6)
+* options, GPGSM command: Invoking GPGSM. (line 6)
+* options, SCDAEMON command: Invoking SCDAEMON. (line 6)
+* relax: Agent Configuration. (line 64)
+* scd-event: Scdaemon Configuration.
+ (line 18)
+* SCDAEMON command options: Invoking SCDAEMON. (line 6)
+* scdaemon.conf: Scdaemon Configuration.
+ (line 11)
+* SIGHUP: Agent Signals. (line 12)
+* SIGHUP <1>: Dirmngr Signals. (line 12)
+* SIGINT: Agent Signals. (line 31)
+* SIGINT <1>: Dirmngr Signals. (line 26)
+* SIGTERM: Agent Signals. (line 26)
+* SIGTERM <1>: Dirmngr Signals. (line 19)
+* SIGUSR1: Agent Signals. (line 34)
+* SIGUSR1 <1>: Dirmngr Signals. (line 29)
+* SIGUSR2: Agent Signals. (line 37)
+* swdb.lst: Files used by gpgconf.
+ (line 14)
+* trust values: Trust Values. (line 6)
+
diff --git a/doc/gnupg.texi b/doc/gnupg.texi
new file mode 100644
index 0000000..3364148
--- /dev/null
+++ b/doc/gnupg.texi
@@ -0,0 +1,241 @@
+\input texinfo @c -*-texinfo-*-
+@c %**start of header
+@setfilename gnupg.info
+@include defs.inc
+@settitle Using the GNU Privacy Guard
+
+@c A couple of macros with no effect on texinfo
+@c but used by the yat2m processor.
+@macro manpage {a}
+@end macro
+@macro mansect {a}
+@end macro
+@macro manpause
+@end macro
+@macro mancont
+@end macro
+
+
+
+@c Create a separate index for command line options.
+@defcodeindex op
+@c Create an index vor environment variables and files.
+@defcodeindex ef
+
+@c Merge the function index into the concept index.
+@syncodeindex fn cp
+@c Merge the variable index into the concept index.
+@syncodeindex vr cp
+@c Merge the keystroke index into the concept index.
+@syncodeindex ky cp
+@c Merge the program index into the concept index.
+@syncodeindex pg cp
+@c Merge the data type index into the concept index.
+@syncodeindex tp cp
+@c %**end of header
+@copying
+This is the @cite{The GNU Privacy Guard Manual} (version
+@value{VERSION}, @value{UPDATED-MONTH}).
+
+@iftex
+Published by The GnuPG Project@*
+@url{https://gnupg.org}@*
+(or @url{http://ic6au7wa3f6naxjq.onion})
+@end iftex
+
+@copyright{} 2002, 2004, 2005, 2006, 2007, 2010 Free Software Foundation, Inc.@*
+@copyright{} 2013, 2014, 2015 Werner Koch.@*
+@copyright{} 2015, 2016, 2017 g10 Code GmbH.
+
+@quotation
+Permission is granted to copy, distribute and/or modify this document
+under the terms of the GNU General Public License as published by the
+Free Software Foundation; either version 3 of the License, or (at your
+option) any later version. The text of the license can be found in the
+section entitled ``Copying''.
+@end quotation
+@end copying
+
+
+@dircategory GNU Utilities
+@direntry
+* gpg2: (gnupg). OpenPGP encryption and signing tool.
+* gpgsm: (gnupg). S/MIME encryption and signing tool.
+* gpg-agent: (gnupg). The secret key daemon.
+* dirmngr: (gnupg). X.509 CRL and OCSP server.
+* dirmngr-client: (gnupg). X.509 CRL and OCSP client.
+@end direntry
+
+
+@c
+@c Printing stuff taken from gcc.
+@c
+@macro gnupgtabopt{body}
+@code{\body\}
+@end macro
+@macro gnupgoptlist{body}
+@smallexample
+\body\
+@end smallexample
+@end macro
+@c Makeinfo handles the above macro OK, TeX needs manual line breaks;
+@c they get lost at some point in handling the macro. But if @macro is
+@c used here rather than @alias, it produces double line breaks.
+@iftex
+@alias gol = *
+@end iftex
+@ifnottex
+@macro gol
+@end macro
+@end ifnottex
+
+
+@c
+@c Titlepage
+@c
+@setchapternewpage odd
+@titlepage
+@title Using the GNU Privacy Guard
+@subtitle Version @value{VERSION}
+@subtitle @value{UPDATED-MONTH}
+
+@sp 3
+
+@image{gnupg-logo,,,The GnuPG Logo}
+
+@sp 3
+
+@author The GnuPG Project (@url{https://gnupg.org})
+
+@page
+@vskip 0pt plus 1filll
+@insertcopying
+@end titlepage
+
+@ifnothtml
+@summarycontents
+@contents
+@page
+@end ifnothtml
+
+@ifhtml
+@center @image{gnupg-logo-tr,6cm,,The GnuPG Logo}
+@end ifhtml
+
+@ifnottex
+@node Top
+@top
+@insertcopying
+
+This manual documents how to use the GNU Privacy Guard system as well as
+the administration and the architecture.
+@end ifnottex
+
+@menu
+* Installation:: A short installation guide.
+
+* Invoking GPG-AGENT:: How to launch the secret key daemon.
+* Invoking DIRMNGR:: How to launch the CRL and OCSP daemon.
+* Invoking GPG:: Using the OpenPGP protocol.
+* Invoking GPGSM:: Using the S/MIME protocol.
+* Invoking SCDAEMON:: How to handle Smartcards.
+* Specify a User ID:: How to Specify a User Id.
+* Trust Values:: How GnuPG displays trust values.
+
+* Helper Tools:: Description of small helper tools
+* Web Key Service:: Tools for the Web Key Service
+
+* Howtos:: How to do certain things.
+* System Notes:: Notes pertaining to certain OSes.
+* Debugging:: How to solve problems
+
+* Copying:: GNU General Public License says
+ how you can copy and share GnuPG
+* Contributors:: People who have contributed to GnuPG.
+
+* Glossary:: Short description of terms used.
+* Option Index:: Index to command line options.
+* Environment Index:: Index to environment variables and files.
+* Index:: Index of concepts and symbol names.
+@end menu
+
+
+@ifhtml
+@page
+@summarycontents
+@contents
+@end ifhtml
+
+
+@include instguide.texi
+
+@include gpg-agent.texi
+@include dirmngr.texi
+@include gpg.texi
+@include gpgsm.texi
+@include scdaemon.texi
+
+@node Specify a User ID
+@chapter How to Specify a User Id
+@anchor{how-to-specify-a-user-id}
+@include specify-user-id.texi
+
+@node Trust Values
+@chapter Trust Values
+@anchor{trust-values}
+@cindex trust values
+@include trust-values.texi
+
+@include tools.texi
+@include wks.texi
+
+@include howtos.texi
+
+@include sysnotes.texi
+
+@include debugging.texi
+
+@include gpl.texi
+
+@include contrib.texi
+
+@c ---------------------------------------------------------------------
+@c Indexes
+@c ---------------------------------------------------------------------
+
+@include glossary.texi
+
+@node Option Index
+@unnumbered Option Index
+
+@printindex op
+
+@node Environment Index
+@unnumbered Environment Variable and File Index
+
+@printindex ef
+
+@node Index
+@unnumbered Index
+
+@printindex cp
+
+@c ---------------------------------------------------------------------
+@c Epilogue
+@c ---------------------------------------------------------------------
+
+@c @node History
+@c @unnumbered History
+@c
+@c Here are the notices from the old dirmngr manual:
+@c
+@c @itemize
+@c @item Using DirMngr, 2002, Steffen Hansen, Klar"alvdalens Datakonsult AB.
+@c @item Using DirMngr, 2004, 2005, 2006, 2008 Werner Koch, g10 Code GmbH.
+@c @end itemize
+@c
+
+
+@bye
+
+
diff --git a/doc/gnupg7.texi b/doc/gnupg7.texi
new file mode 100644
index 0000000..c48dca9
--- /dev/null
+++ b/doc/gnupg7.texi
@@ -0,0 +1,31 @@
+@c @c -*-texinfo-*-
+@c This is only used to create a man page, thus we don't need to care
+@c about actual texinfo stuff.
+
+@manpage gnupg.7
+@ifset manverb
+.B GnuPG
+\- The GNU Privacy Guard suite of programs
+@end ifset
+@mansect description
+@ifset isman
+GnuPG is a set of programs for public key encryption and digital
+signatures. The program most users will want to use is the OpenPGP
+command line tool, named @command{gpg2}. @command{gpgv}is a stripped
+down version of @command{gpg2} with no encryption functionality, used
+only to verify signatures against a trusted keyring. @command{gpgsm} is
+the X.509/CMS (for S/MIME) counterpart of
+@command{gpg2}. @command{gpg-agent} is a passphrase and private key
+daemon which may also emulate the @command{ssh-agent}.
+@mansect see also
+@command{gpg}(1),
+@command{gpg2}(1),
+@command{gpgv}(1),
+@command{gpgsm}(1),
+@command{gpg-agent}(1),
+@command{dirmngr}(8),
+@command{scdaemon}(1)
+@include see-also-note.texi
+@end ifset
+
+@bye
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
new file mode 100644
index 0000000..8766250
--- /dev/null
+++ b/doc/gpg-agent.texi
@@ -0,0 +1,1672 @@
+@c Copyright (C) 2002 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@include defs.inc
+
+@node Invoking GPG-AGENT
+@chapter Invoking GPG-AGENT
+@cindex GPG-AGENT command options
+@cindex command options
+@cindex options, GPG-AGENT command
+
+@manpage gpg-agent.1
+@ifset manverb
+.B gpg-agent
+\- Secret key management for GnuPG
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg-agent
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.br
+.B gpg-agent
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.B \-\-server
+.br
+.B gpg-agent
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.B \-\-daemon
+.RI [ command_line ]
+@end ifset
+
+@mansect description
+@command{gpg-agent} is a daemon to manage secret (private) keys
+independently from any protocol. It is used as a backend for
+@command{gpg} and @command{gpgsm} as well as for a couple of other
+utilities.
+
+The agent is automatically started on demand by @command{gpg},
+@command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}.
+Thus there is no reason to start it manually. In case you want to use
+the included Secure Shell Agent you may start the agent using:
+
+@c From dkg on gnupg-devel on 2016-04-21:
+@c
+@c Here's an attempt at writing a short description of the goals of an
+@c isolated cryptographic agent:
+@c
+@c A cryptographic agent should control access to secret key material.
+@c The agent permits use of the secret key material by a supplicant
+@c without providing a copy of the secret key material to the supplicant.
+@c
+@c An isolated cryptographic agent separates the request for use of
+@c secret key material from permission for use of secret key material.
+@c That is, the system or process requesting use of the key (the
+@c "supplicant") can be denied use of the key by the owner/operator of
+@c the agent (the "owner"), which the supplicant has no control over.
+@c
+@c One way of enforcing this split is a per-key or per-session
+@c passphrase, known only by the owner, which must be supplied to the
+@c agent to permit the use of the secret key material. Another way is
+@c with an out-of-band permission mechanism (e.g. a button or GUI
+@c interface that the owner has access to, but the supplicant does not).
+@c
+@c The rationale for this separation is that it allows access to the
+@c secret key to be tightly controlled and audited, and it doesn't permit
+@c the supplicant to either copy the key or to override the owner's
+@c intentions.
+
+@example
+gpg-connect-agent /bye
+@end example
+
+@noindent
+If you want to manually terminate the currently-running agent, you can
+safely do so with:
+
+@example
+gpgconf --kill gpg-agent
+@end example
+
+@noindent
+@efindex GPG_TTY
+You should always add the following lines to your @code{.bashrc} or
+whatever initialization file is used for all shell invocations:
+
+@smallexample
+GPG_TTY=$(tty)
+export GPG_TTY
+@end smallexample
+
+@noindent
+It is important that this environment variable always reflects the
+output of the @code{tty} command. For W32 systems this option is not
+required.
+
+Please make sure that a proper pinentry program has been installed
+under the default filename (which is system dependent) or use the
+option @option{pinentry-program} to specify the full name of that program.
+It is often useful to install a symbolic link from the actual used
+pinentry (e.g. @file{@value{BINDIR}/pinentry-gtk}) to the expected
+one (e.g. @file{@value{BINDIR}/pinentry}).
+
+@manpause
+@noindent
+@xref{Option Index}, for an index to @command{GPG-AGENT}'s commands and options.
+@mancont
+
+@menu
+* Agent Commands:: List of all commands.
+* Agent Options:: List of all options.
+* Agent Configuration:: Configuration files.
+* Agent Signals:: Use of some signals.
+* Agent Examples:: Some usage examples.
+* Agent Protocol:: The protocol the agent uses.
+@end menu
+
+@mansect commands
+@node Agent Commands
+@section Commands
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you cannot
+abbreviate this command.
+
+@item --help
+@itemx -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --dump-options
+@opindex dump-options
+Print a list of all available options and commands. Note that you cannot
+abbreviate this command.
+
+@item --server
+@opindex server
+Run in server mode and wait for commands on the @code{stdin}. The
+default mode is to create a socket and listen for commands there.
+
+@item --daemon [@var{command line}]
+@opindex daemon
+Start the gpg-agent as a daemon; that is, detach it from the console
+and run it in the background.
+
+As an alternative you may create a new process as a child of
+gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new
+shell with the environment setup properly; after you exit from this
+shell, gpg-agent terminates within a few seconds.
+
+@item --supervised
+@opindex supervised
+Run in the foreground, sending logs by default to stderr, and
+listening on provided file descriptors, which must already be bound to
+listening sockets. This command is useful when running under systemd
+or other similar process supervision schemes. This option is not
+supported on Windows.
+
+In --supervised mode, different file descriptors can be provided for
+use as different socket types (e.g. ssh, extra) as long as they are
+identified in the environment variable @code{LISTEN_FDNAMES} (see
+sd_listen_fds(3) on some Linux distributions for more information on
+this convention).
+@end table
+
+@mansect options
+@node Agent Options
+@section Option Summary
+
+Options may either be used on the command line or, after stripping off
+the two leading dashes, in the configuration file.
+
+@table @gnupgtabopt
+
+@anchor{option --options}
+@item --options @var{file}
+@opindex options
+Reads configuration from @var{file} instead of from the default
+per-user configuration file. The default configuration file is named
+@file{gpg-agent.conf} and expected in the @file{.gnupg} directory
+directly below the home directory of the user. This option is ignored
+if used in an options file.
+
+@anchor{option --homedir}
+@include opt-homedir.texi
+
+
+@item -v
+@itemx --verbose
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @command{gpg-agent}, such as @samp{-vv}.
+
+@item -q
+@itemx --quiet
+@opindex quiet
+Try to be as quiet as possible.
+
+@item --batch
+@opindex batch
+Don't invoke a pinentry or do any other thing requiring human interaction.
+
+@item --faked-system-time @var{epoch}
+@opindex faked-system-time
+This option is only useful for testing; it sets the system time back or
+forth to @var{epoch} which is the number of seconds elapsed since the year
+1970.
+
+@item --debug-level @var{level}
+@opindex debug-level
+Select the debug level for investigating problems. @var{level} may be
+a numeric value or a keyword:
+
+@table @code
+@item none
+No debugging at all. A value of less than 1 may be used instead of
+the keyword.
+@item basic
+Some basic debug messages. A value between 1 and 2 may be used
+instead of the keyword.
+@item advanced
+More verbose debug messages. A value between 3 and 5 may be used
+instead of the keyword.
+@item expert
+Even more detailed messages. A value between 6 and 8 may be used
+instead of the keyword.
+@item guru
+All of the debug messages you can get. A value greater than 8 may be
+used instead of the keyword. The creation of hash tracing files is
+only enabled if the keyword is used.
+@end table
+
+How these messages are mapped to the actual debugging flags is not
+specified and may change with newer releases of this program. They are
+however carefully selected to best aid in debugging.
+
+@item --debug @var{flags}
+@opindex debug
+This option is only useful for debugging and the behavior may change at
+any time without notice. FLAGS are bit encoded and may be given in
+usual C-Syntax. The currently defined bits are:
+
+@table @code
+@item 0 (1)
+X.509 or OpenPGP protocol related data
+@item 1 (2)
+values of big number integers
+@item 2 (4)
+low level crypto operations
+@item 5 (32)
+memory allocation
+@item 6 (64)
+caching
+@item 7 (128)
+show memory statistics
+@item 9 (512)
+write hashed data to files named @code{dbgmd-000*}
+@item 10 (1024)
+trace Assuan protocol
+@item 12 (4096)
+bypass all certificate validation
+@end table
+
+@item --debug-all
+@opindex debug-all
+Same as @code{--debug=0xffffffff}
+
+@item --debug-wait @var{n}
+@opindex debug-wait
+When running in server mode, wait @var{n} seconds before entering the
+actual processing loop and print the pid. This gives time to attach a
+debugger.
+
+@item --debug-quick-random
+@opindex debug-quick-random
+This option inhibits the use of the very secure random quality level
+(Libgcrypt’s @code{GCRY_VERY_STRONG_RANDOM}) and degrades all request
+down to standard random quality. It is only used for testing and
+should not be used for any production quality keys. This option is
+only effective when given on the command line.
+
+On GNU/Linux, another way to quickly generate insecure keys is to use
+@command{rngd} to fill the kernel's entropy pool with lower quality
+random data. @command{rngd} is typically provided by the
+@command{rng-tools} package. It can be run as follows: @samp{sudo
+rngd -f -r /dev/urandom}.
+
+@item --debug-pinentry
+@opindex debug-pinentry
+This option enables extra debug information pertaining to the
+Pinentry. As of now it is only useful when used along with
+@code{--debug 1024}.
+
+@item --no-detach
+@opindex no-detach
+Don't detach the process from the console. This is mainly useful for
+debugging.
+
+@item --steal-socket
+@opindex steal-socket
+In @option{--daemon} mode, gpg-agent detects an already running
+gpg-agent and does not allow to start a new instance. This option can
+be used to override this check: the new gpg-agent process will try to
+take over the communication sockets from the already running process
+and start anyway. This option should in general not be used.
+
+
+@item -s
+@itemx --sh
+@itemx -c
+@itemx --csh
+@opindex sh
+@opindex csh
+@efindex SHELL
+Format the info output in daemon mode for use with the standard Bourne
+shell or the C-shell respectively. The default is to guess it based on
+the environment variable @code{SHELL} which is correct in almost all
+cases.
+
+
+@item --grab
+@itemx --no-grab
+@opindex grab
+@opindex no-grab
+Tell the pinentry to grab the keyboard and mouse. This option should
+be used on X-Servers to avoid X-sniffing attacks. Any use of the
+option @option{--grab} overrides an used option @option{--no-grab}.
+The default is @option{--no-grab}.
+
+@anchor{option --log-file}
+@item --log-file @var{file}
+@opindex log-file
+@efindex HKCU\Software\GNU\GnuPG:DefaultLogFile
+Append all logging output to @var{file}. This is very helpful in
+seeing what the agent actually does. Use @file{socket://} to log to
+socket. If neither a log file nor a log file descriptor has been set
+on a Windows platform, the Registry entry
+@code{HKCU\Software\GNU\GnuPG:DefaultLogFile}, if set, is used to
+specify the logging output.
+
+
+@anchor{option --no-allow-mark-trusted}
+@item --no-allow-mark-trusted
+@opindex no-allow-mark-trusted
+Do not allow clients to mark keys as trusted, i.e. put them into the
+@file{trustlist.txt} file. This makes it harder for users to inadvertently
+accept Root-CA keys.
+
+
+@anchor{option --no-user-trustlist}
+@item --no-user-trustlist
+@opindex no-user-trustlist
+Entirely ignore the user trust list and consider only the global
+trustlist (@file{@value{SYSCONFDIR}/trustlist.txt}). This
+implies the @ref{option --no-allow-mark-trusted}.
+
+@item --sys-trustlist-name @var{file}
+@opindex sys-trustlist-name
+Changes the default name for the global trustlist from "trustlist.txt"
+to @var{file}. If @var{file} does not contain any slashes and does
+not start with "~/" it is searched in the system configuration
+directory (@file{@value{SYSCONFDIR}}).
+
+@anchor{option --allow-preset-passphrase}
+@item --allow-preset-passphrase
+@opindex allow-preset-passphrase
+This option allows the use of @command{gpg-preset-passphrase} to seed the
+internal cache of @command{gpg-agent} with passphrases.
+
+@anchor{option --no-allow-loopback-pinentry}
+@item --no-allow-loopback-pinentry
+@item --allow-loopback-pinentry
+@opindex no-allow-loopback-pinentry
+@opindex allow-loopback-pinentry
+Disallow or allow clients to use the loopback pinentry features; see
+the option @option{pinentry-mode} for details. Allow is the default.
+
+The @option{--force} option of the Assuan command @command{DELETE_KEY}
+is also controlled by this option: The option is ignored if a loopback
+pinentry is disallowed.
+
+@item --no-allow-external-cache
+@opindex no-allow-external-cache
+Tell Pinentry not to enable features which use an external cache for
+passphrases.
+
+Some desktop environments prefer to unlock all
+credentials with one master password and may have installed a Pinentry
+which employs an additional external cache to implement such a policy.
+By using this option the Pinentry is advised not to make use of such a
+cache and instead always ask the user for the requested passphrase.
+
+@item --allow-emacs-pinentry
+@opindex allow-emacs-pinentry
+Tell Pinentry to allow features to divert the passphrase entry to a
+running Emacs instance. How this is exactly handled depends on the
+version of the used Pinentry.
+
+@item --ignore-cache-for-signing
+@opindex ignore-cache-for-signing
+This option will let @command{gpg-agent} bypass the passphrase cache for all
+signing operation. Note that there is also a per-session option to
+control this behavior but this command line option takes precedence.
+
+@item --default-cache-ttl @var{n}
+@opindex default-cache-ttl
+Set the time a cache entry is valid to @var{n} seconds. The default
+is 600 seconds. Each time a cache entry is accessed, the entry's
+timer is reset. To set an entry's maximum lifetime, use
+@command{max-cache-ttl}. Note that a cached passphrase may not be
+evicted immediately from memory if no client requests a cache
+operation. This is due to an internal housekeeping function which is
+only run every few seconds.
+
+@item --default-cache-ttl-ssh @var{n}
+@opindex default-cache-ttl
+Set the time a cache entry used for SSH keys is valid to @var{n}
+seconds. The default is 1800 seconds. Each time a cache entry is
+accessed, the entry's timer is reset. To set an entry's maximum
+lifetime, use @command{max-cache-ttl-ssh}.
+
+@item --max-cache-ttl @var{n}
+@opindex max-cache-ttl
+Set the maximum time a cache entry is valid to @var{n} seconds. After
+this time a cache entry will be expired even if it has been accessed
+recently or has been set using @command{gpg-preset-passphrase}. The
+default is 2 hours (7200 seconds).
+
+@item --max-cache-ttl-ssh @var{n}
+@opindex max-cache-ttl-ssh
+Set the maximum time a cache entry used for SSH keys is valid to
+@var{n} seconds. After this time a cache entry will be expired even
+if it has been accessed recently or has been set using
+@command{gpg-preset-passphrase}. The default is 2 hours (7200
+seconds).
+
+@item --enforce-passphrase-constraints
+@opindex enforce-passphrase-constraints
+Enforce the passphrase constraints by not allowing the user to bypass
+them using the ``Take it anyway'' button.
+
+@item --min-passphrase-len @var{n}
+@opindex min-passphrase-len
+Set the minimal length of a passphrase. When entering a new passphrase
+shorter than this value a warning will be displayed. Defaults to 8.
+
+@item --min-passphrase-nonalpha @var{n}
+@opindex min-passphrase-nonalpha
+Set the minimal number of digits or special characters required in a
+passphrase. When entering a new passphrase with less than this number
+of digits or special characters a warning will be displayed. Defaults
+to 1.
+
+@item --check-passphrase-pattern @var{file}
+@itemx --check-sym-passphrase-pattern @var{file}
+@opindex check-passphrase-pattern
+@opindex check-sym-passphrase-pattern
+Check the passphrase against the pattern given in @var{file}. When
+entering a new passphrase matching one of these pattern a warning will
+be displayed. If @var{file} does not contain any slashes and does not
+start with "~/" it is searched in the system configuration directory
+(@file{@value{SYSCONFDIR}}). The default is not to use any
+pattern file. The second version of this option is only used when
+creating a new symmetric key to allow the use of different patterns
+for such passphrases.
+
+Security note: It is known that checking a passphrase against a list of
+pattern or even against a complete dictionary is not very effective to
+enforce good passphrases. Users will soon figure up ways to bypass such
+a policy. A better policy is to educate users on good security
+behavior and optionally to run a passphrase cracker regularly on all
+users passphrases to catch the very simple ones.
+
+@item --max-passphrase-days @var{n}
+@opindex max-passphrase-days
+Ask the user to change the passphrase if @var{n} days have passed since
+the last change. With @option{--enforce-passphrase-constraints} set the
+user may not bypass this check.
+
+@item --enable-passphrase-history
+@opindex enable-passphrase-history
+This option does nothing yet.
+
+@item --pinentry-invisible-char @var{char}
+@opindex pinentry-invisible-char
+This option asks the Pinentry to use @var{char} for displaying hidden
+characters. @var{char} must be one character UTF-8 string. A
+Pinentry may or may not honor this request.
+
+@item --pinentry-timeout @var{n}
+@opindex pinentry-timeout
+This option asks the Pinentry to timeout after @var{n} seconds with no
+user input. The default value of 0 does not ask the pinentry to
+timeout, however a Pinentry may use its own default timeout value in
+this case. A Pinentry may or may not honor this request.
+
+@item --pinentry-formatted-passphrase
+@opindex pinentry-formatted-passphrase
+This option asks the Pinentry to enable passphrase formatting when asking the
+user for a new passphrase and masking of the passphrase is turned off.
+
+If passphrase formatting is enabled, then all non-breaking space characters
+are stripped from the entered passphrase. Passphrase formatting is mostly
+useful in combination with passphrases generated with the GENPIN
+feature of some Pinentries. Note that such a generated
+passphrase, if not modified by the user, skips all passphrase
+constraints checking because such constraints would actually weaken
+the generated passphrase.
+
+@item --pinentry-program @var{filename}
+@opindex pinentry-program
+Use program @var{filename} as the PIN entry. The default is
+installation dependent. With the default configuration the name of
+the default pinentry is @file{pinentry}; if that file does not exist
+but a @file{pinentry-basic} exist the latter is used.
+
+On a Windows platform the default is to use the first existing program
+from this list:
+@file{bin\pinentry.exe},
+@file{..\Gpg4win\bin\pinentry.exe},
+@file{..\Gpg4win\pinentry.exe},
+@file{..\GNU\GnuPG\pinentry.exe},
+@file{..\GNU\bin\pinentry.exe},
+@file{bin\pinentry-basic.exe}
+where the file names are relative to the GnuPG installation directory.
+
+
+@item --pinentry-touch-file @var{filename}
+@opindex pinentry-touch-file
+By default the filename of the socket gpg-agent is listening for
+requests is passed to Pinentry, so that it can touch that file before
+exiting (it does this only in curses mode). This option changes the
+file passed to Pinentry to @var{filename}. The special name
+@code{/dev/null} may be used to completely disable this feature. Note
+that Pinentry will not create that file, it will only change the
+modification and access time.
+
+
+@item --scdaemon-program @var{filename}
+@opindex scdaemon-program
+Use program @var{filename} as the Smartcard daemon. The default is
+installation dependent and can be shown with the @command{gpgconf}
+command.
+
+@item --disable-scdaemon
+@opindex disable-scdaemon
+Do not make use of the scdaemon tool. This option has the effect of
+disabling the ability to do smartcard operations. Note, that enabling
+this option at runtime does not kill an already forked scdaemon.
+
+@item --disable-check-own-socket
+@opindex disable-check-own-socket
+@command{gpg-agent} employs a periodic self-test to detect a stolen
+socket. This usually means a second instance of @command{gpg-agent}
+has taken over the socket and @command{gpg-agent} will then terminate
+itself. This option may be used to disable this self-test for
+debugging purposes.
+
+@item --use-standard-socket
+@itemx --no-use-standard-socket
+@itemx --use-standard-socket-p
+@opindex use-standard-socket
+@opindex no-use-standard-socket
+@opindex use-standard-socket-p
+Since GnuPG 2.1 the standard socket is always used. These options
+have no more effect. The command @code{gpg-agent
+--use-standard-socket-p} will thus always return success.
+
+@item --display @var{string}
+@itemx --ttyname @var{string}
+@itemx --ttytype @var{string}
+@itemx --lc-ctype @var{string}
+@itemx --lc-messages @var{string}
+@itemx --xauthority @var{string}
+@opindex display
+@opindex ttyname
+@opindex ttytype
+@opindex lc-ctype
+@opindex lc-messages
+@opindex xauthority
+These options are used with the server mode to pass localization
+information.
+
+@item --keep-tty
+@itemx --keep-display
+@opindex keep-tty
+@opindex keep-display
+Ignore requests to change the current @code{tty} or X window system's
+@code{DISPLAY} variable respectively. This is useful to lock the
+pinentry to pop up at the @code{tty} or display you started the agent.
+
+@item --listen-backlog @var{n}
+@opindex listen-backlog
+Set the size of the queue for pending connections. The default is 64.
+
+@anchor{option --extra-socket}
+@item --extra-socket @var{name}
+@opindex extra-socket
+The extra socket is created by default, you may use this option to
+change the name of the socket. To disable the creation of the socket
+use ``none'' or ``/dev/null'' for @var{name}.
+
+Also listen on native gpg-agent connections on the given socket. The
+intended use for this extra socket is to setup a Unix domain socket
+forwarding from a remote machine to this socket on the local machine.
+A @command{gpg} running on the remote machine may then connect to the
+local gpg-agent and use its private keys. This enables decrypting or
+signing data on a remote machine without exposing the private keys to the
+remote machine.
+
+@item --enable-extended-key-format
+@itemx --disable-extended-key-format
+@opindex enable-extended-key-format
+@opindex disable-extended-key-format
+Since version 2.2.22 keys are created in the extended private key
+format by default. Changing the passphrase of a key will also convert
+the key to that new format. This key format is supported since GnuPG
+version 2.1.12 and thus there should be no need to disable it.
+Anyway, the disable option still allows to revert to the old behavior
+for new keys; be aware that keys are never migrated back to the old
+format. If the enable option has been used the disable option won't
+have an effect. The advantage of the extended private key format is
+that it is text based and can carry additional meta data. In extended
+key format the OCB mode is used for key protection.
+
+@anchor{option --enable-ssh-support}
+@item --enable-ssh-support
+@itemx --enable-putty-support
+@opindex enable-ssh-support
+@opindex enable-putty-support
+
+The OpenSSH Agent protocol is always enabled, but @command{gpg-agent}
+will only set the @code{SSH_AUTH_SOCK} variable if this flag is given.
+
+In this mode of operation, the agent does not only implement the
+gpg-agent protocol, but also the agent protocol used by OpenSSH
+(through a separate socket). Consequently, it should be possible to use
+the gpg-agent as a drop-in replacement for the well known ssh-agent.
+
+SSH Keys, which are to be used through the agent, need to be added to
+the gpg-agent initially through the ssh-add utility. When a key is
+added, ssh-add will ask for the password of the provided key file and
+send the unprotected key material to the agent; this causes the
+gpg-agent to ask for a passphrase, which is to be used for encrypting
+the newly received key and storing it in a gpg-agent specific
+directory.
+
+Once a key has been added to the gpg-agent this way, the gpg-agent
+will be ready to use the key.
+
+Note: in case the gpg-agent receives a signature request, the user might
+need to be prompted for a passphrase, which is necessary for decrypting
+the stored key. Since the ssh-agent protocol does not contain a
+mechanism for telling the agent on which display/terminal it is running,
+gpg-agent's ssh-support will use the TTY or X display where gpg-agent
+has been started. To switch this display to the current one, the
+following command may be used:
+
+@smallexample
+gpg-connect-agent updatestartuptty /bye
+@end smallexample
+
+Although all GnuPG components try to start the gpg-agent as needed, this
+is not possible for the ssh support because ssh does not know about it.
+Thus if no GnuPG tool which accesses the agent has been run, there is no
+guarantee that ssh is able to use gpg-agent for authentication. To fix
+this you may start gpg-agent if needed using this simple command:
+
+@smallexample
+gpg-connect-agent /bye
+@end smallexample
+
+Adding the @option{--verbose} shows the progress of starting the agent.
+
+The @option{--enable-putty-support} is only available under Windows
+and allows the use of gpg-agent with the ssh implementation
+@command{putty}. This is similar to the regular ssh-agent support but
+makes use of Windows message queue as required by @command{putty}.
+
+@anchor{option --ssh-fingerprint-digest}
+@item --ssh-fingerprint-digest
+@opindex ssh-fingerprint-digest
+
+Select the digest algorithm used to compute ssh fingerprints that are
+communicated to the user, e.g. in pinentry dialogs. OpenSSH has
+transitioned from using MD5 to the more secure SHA256.
+
+
+@item --auto-expand-secmem @var{n}
+@opindex auto-expand-secmem
+Allow Libgcrypt to expand its secure memory area as required. The
+optional value @var{n} is a non-negative integer with a suggested size
+in bytes of each additionally allocated secure memory area. The value
+is rounded up to the next 32 KiB; usual C style prefixes are allowed.
+For an heavy loaded gpg-agent with many concurrent connection this
+option avoids sign or decrypt errors due to out of secure memory error
+returns.
+
+@item --s2k-calibration @var{milliseconds}
+@opindex s2k-calibration
+Change the default calibration time to @var{milliseconds}. The given
+value is capped at 60 seconds; a value of 0 resets to the compiled-in
+default. This option is re-read on a SIGHUP (or @code{gpgconf
+--reload gpg-agent}) and the S2K count is then re-calibrated.
+
+@item --s2k-count @var{n}
+@opindex s2k-count
+Specify the iteration count used to protect the passphrase. This
+option can be used to override the auto-calibration done by default.
+The auto-calibration computes a count which requires by default 100ms
+to mangle a given passphrase. See also @option{--s2k-calibration}.
+
+To view the actually used iteration count and the milliseconds
+required for an S2K operation use:
+
+@example
+gpg-connect-agent 'GETINFO s2k_count' /bye
+gpg-connect-agent 'GETINFO s2k_time' /bye
+@end example
+
+To view the auto-calibrated count use:
+
+@example
+gpg-connect-agent 'GETINFO s2k_count_cal' /bye
+@end example
+
+
+@end table
+
+
+@mansect files
+@node Agent Configuration
+@section Configuration
+
+There are a few configuration files needed for the operation of the
+agent. By default they may all be found in the current home directory
+(@pxref{option --homedir}).
+
+@table @file
+
+@item gpg-agent.conf
+@efindex gpg-agent.conf
+ This is the standard configuration file read by @command{gpg-agent} on
+ startup. It may contain any valid long option; the leading
+ two dashes may not be entered and the option may not be abbreviated.
+ This file is also read after a @code{SIGHUP} however only a few
+ options will actually have an effect. This default name may be
+ changed on the command line (@pxref{option --options}).
+ You should backup this file.
+
+@item trustlist.txt
+@efindex trustlist.txt
+ This is the list of trusted keys. You should backup this file.
+
+ Comment lines, indicated by a leading hash mark, as well as empty
+ lines are ignored. To mark a key as trusted you need to enter its
+ fingerprint followed by a space and a capital letter @code{S}. Colons
+ may optionally be used to separate the bytes of a fingerprint; this
+ enables cutting and pasting the fingerprint from a key listing output. If
+ the line is prefixed with a @code{!} the key is explicitly marked as
+ not trusted.
+
+ Here is an example where two keys are marked as ultimately trusted
+ and one as not trusted:
+
+ @cartouche
+ @smallexample
+ # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE
+ A6935DD34EF3087973C706FC311AA2CCF733765B S
+
+ # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE
+ DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S
+
+ # CN=Root-CA/O=Schlapphuete/L=Pullach/C=DE
+ !14:56:98:D3:FE:9C:CA:5A:31:6E:BC:81:D3:11:4E:00:90:A3:44:C2 S
+ @end smallexample
+ @end cartouche
+
+Before entering a key into this file, you need to ensure its
+authenticity. How to do this depends on your organisation; your
+administrator might have already entered those keys which are deemed
+trustworthy enough into this file. Places where to look for the
+fingerprint of a root certificate are letters received from the CA or
+the website of the CA (after making 100% sure that this is indeed the
+website of that CA). You may want to consider disallowing interactive
+updates of this file by using the @ref{option --no-allow-mark-trusted}.
+It might even be advisable to change the permissions to read-only so
+that this file can't be changed inadvertently.
+
+As a special feature a line @code{include-default} will include a global
+list of trusted certificates (e.g. @file{@value{SYSCONFDIR}/trustlist.txt}).
+This global list is also used if the local list is not available;
+the @ref{option --no-user-trustlist} enforces the use of only
+this global list.
+
+It is possible to add further flags after the @code{S} for use by the
+caller:
+
+@table @code
+
+@item relax
+@cindex relax
+Relax checking of some root certificate requirements. As of now this
+flag allows the use of root certificates with a missing basicConstraints
+attribute (despite that it is a MUST for CA certificates) and disables
+CRL checking for the root certificate.
+
+@item cm
+If validation of a certificate finally issued by a CA with this flag set
+fails, try again using the chain validation model.
+
+@end table
+
+
+@item sshcontrol
+@efindex sshcontrol
+This file is used when support for the secure shell agent protocol has
+been enabled (@pxref{option --enable-ssh-support}). Only keys present in
+this file are used in the SSH protocol. You should backup this file.
+
+The @command{ssh-add} tool may be used to add new entries to this file;
+you may also add them manually. Comment lines, indicated by a leading
+hash mark, as well as empty lines are ignored. An entry starts with
+optional whitespace, followed by the keygrip of the key given as 40 hex
+digits, optionally followed by the caching TTL in seconds and another
+optional field for arbitrary flags. A non-zero TTL overrides the global
+default as set by @option{--default-cache-ttl-ssh}.
+
+The only flag support is @code{confirm}. If this flag is found for a
+key, each use of the key will pop up a pinentry to confirm the use of
+that key. The flag is automatically set if a new key was loaded into
+@code{gpg-agent} using the option @option{-c} of the @code{ssh-add}
+command.
+
+The keygrip may be prefixed with a @code{!} to disable an entry.
+
+The following example lists exactly one key. Note that keys available
+through a OpenPGP smartcard in the active smartcard reader are
+implicitly added to this list; i.e. there is no need to list them.
+
+@cartouche
+@smallexample
+ # Key added on: 2011-07-20 20:38:46
+ # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81
+ 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm
+@end smallexample
+@end cartouche
+
+@item private-keys-v1.d/
+@efindex private-keys-v1.d
+
+ This is the directory where gpg-agent stores the private keys. Each
+ key is stored in a file with the name made up of the keygrip and the
+ suffix @file{key}. You should backup all files in this directory
+ and take great care to keep this backup closed away.
+
+
+@end table
+
+Note that on larger installations, it is useful to put predefined
+files into the directory @file{@value{SYSCONFSKELDIR}} so that newly created
+users start up with a working configuration. For existing users the
+a small helper script is provided to create these files (@pxref{addgnupghome}).
+
+
+
+@c
+@c Agent Signals
+@c
+@mansect signals
+@node Agent Signals
+@section Use of some signals
+A running @command{gpg-agent} may be controlled by signals, i.e. using
+the @command{kill} command to send a signal to the process.
+
+Here is a list of supported signals:
+
+@table @gnupgtabopt
+
+@item SIGHUP
+@cpindex SIGHUP
+This signal flushes all cached passphrases and if the program has been
+started with a configuration file, the configuration file is read
+again. Only certain options are honored: @code{quiet},
+@code{verbose}, @code{debug}, @code{debug-all}, @code{debug-level},
+@code{debug-pinentry},
+@code{no-grab},
+@code{pinentry-program},
+@code{pinentry-invisible-char},
+@code{default-cache-ttl},
+@code{max-cache-ttl}, @code{ignore-cache-for-signing},
+@code{s2k-count},
+@code{no-allow-external-cache}, @code{allow-emacs-pinentry},
+@code{no-allow-mark-trusted}, @code{disable-scdaemon}, and
+@code{disable-check-own-socket}. @code{scdaemon-program} is also
+supported but due to the current implementation, which calls the
+scdaemon only once, it is not of much use unless you manually kill the
+scdaemon.
+
+
+@item SIGTERM
+@cpindex SIGTERM
+Shuts down the process but waits until all current requests are
+fulfilled. If the process has received 3 of these signals and requests
+are still pending, a shutdown is forced.
+
+@item SIGINT
+@cpindex SIGINT
+Shuts down the process immediately.
+
+@item SIGUSR1
+@cpindex SIGUSR1
+Dump internal information to the log file.
+
+@item SIGUSR2
+@cpindex SIGUSR2
+This signal is used for internal purposes.
+
+@end table
+
+@c
+@c Examples
+@c
+@mansect examples
+@node Agent Examples
+@section Examples
+
+It is important to set the environment variable @code{GPG_TTY} in
+your login shell, for example in the @file{~/.bashrc} init script:
+
+@cartouche
+@example
+ export GPG_TTY=$(tty)
+@end example
+@end cartouche
+
+If you enabled the Ssh Agent Support, you also need to tell ssh about
+it by adding this to your init script:
+
+@cartouche
+@example
+unset SSH_AGENT_PID
+if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then
+ export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
+fi
+@end example
+@end cartouche
+
+
+@c
+@c Assuan Protocol
+@c
+@manpause
+@node Agent Protocol
+@section Agent's Assuan Protocol
+
+Note: this section does only document the protocol, which is used by
+GnuPG components; it does not deal with the ssh-agent protocol. To
+see the full specification of each command, use
+
+@example
+ gpg-connect-agent 'help COMMAND' /bye
+@end example
+
+@noindent
+or just 'help' to list all available commands.
+
+@noindent
+The @command{gpg-agent} daemon is started on demand by the GnuPG
+components.
+
+To identify a key we use a thing called keygrip which is the SHA-1 hash
+of an canonical encoded S-Expression of the public key as used in
+Libgcrypt. For the purpose of this interface the keygrip is given as a
+hex string. The advantage of using this and not the hash of a
+certificate is that it will be possible to use the same keypair for
+different protocols, thereby saving space on the token used to keep the
+secret keys.
+
+The @command{gpg-agent} may send status messages during a command or when
+returning from a command to inform a client about the progress or result of an
+operation. For example, the @var{INQUIRE_MAXLEN} status message may be sent
+during a server inquire to inform the client of the maximum usable length of
+the inquired data (which should not be exceeded).
+
+@menu
+* Agent PKDECRYPT:: Decrypting a session key
+* Agent PKSIGN:: Signing a Hash
+* Agent GENKEY:: Generating a Key
+* Agent IMPORT:: Importing a Secret Key
+* Agent EXPORT:: Exporting a Secret Key
+* Agent ISTRUSTED:: Importing a Root Certificate
+* Agent GET_PASSPHRASE:: Ask for a passphrase
+* Agent CLEAR_PASSPHRASE:: Expire a cached passphrase
+* Agent PRESET_PASSPHRASE:: Set a passphrase for a keygrip
+* Agent GET_CONFIRMATION:: Ask for confirmation
+* Agent HAVEKEY:: Check whether a key is available
+* Agent LEARN:: Register a smartcard
+* Agent PASSWD:: Change a Passphrase
+* Agent UPDATESTARTUPTTY:: Change the Standard Display
+* Agent GETEVENTCOUNTER:: Get the Event Counters
+* Agent GETINFO:: Return information about the process
+* Agent OPTION:: Set options for the session
+@end menu
+
+@node Agent PKDECRYPT
+@subsection Decrypting a session key
+
+The client asks the server to decrypt a session key. The encrypted
+session key should have all information needed to select the
+appropriate secret key or to delegate it to a smartcard.
+
+@example
+ SETKEY <keyGrip>
+@end example
+
+Tell the server about the key to be used for decryption. If this is
+not used, @command{gpg-agent} may try to figure out the key by trying to
+decrypt the message with each key available.
+
+@example
+ PKDECRYPT
+@end example
+
+The agent checks whether this command is allowed and then does an
+INQUIRY to get the ciphertext the client should then send the cipher
+text.
+
+@example
+ S: INQUIRE CIPHERTEXT
+ C: D (xxxxxx
+ C: D xxxx)
+ C: END
+@end example
+
+Please note that the server may send status info lines while reading the
+data lines from the client. The data send is a SPKI like S-Exp with
+this structure:
+
+@example
+ (enc-val
+ (<algo>
+ (<param_name1> <mpi>)
+ ...
+ (<param_namen> <mpi>)))
+@end example
+
+Where algo is a string with the name of the algorithm; see the libgcrypt
+documentation for a list of valid algorithms. The number and names of
+the parameters depend on the algorithm. The agent does return an error
+if there is an inconsistency.
+
+If the decryption was successful the decrypted data is returned by
+means of "D" lines.
+
+Here is an example session:
+@cartouche
+@smallexample
+ C: PKDECRYPT
+ S: INQUIRE CIPHERTEXT
+ C: D (enc-val elg (a 349324324)
+ C: D (b 3F444677CA)))
+ C: END
+ S: # session key follows
+ S: S PADDING 0
+ S: D (value 1234567890ABCDEF0)
+ S: OK decryption successful
+@end smallexample
+@end cartouche
+
+The “PADDING†status line is only send if gpg-agent can tell what kind
+of padding is used. As of now only the value 0 is used to indicate
+that the padding has been removed.
+
+
+@node Agent PKSIGN
+@subsection Signing a Hash
+
+The client asks the agent to sign a given hash value. A default key
+will be chosen if no key has been set. To set a key a client first
+uses:
+
+@example
+ SIGKEY <keyGrip>
+@end example
+
+This can be used multiple times to create multiple signature, the list
+of keys is reset with the next PKSIGN command or a RESET. The server
+tests whether the key is a valid key to sign something and responds with
+okay.
+
+@example
+ SETHASH --hash=<name>|<algo> <hexstring>
+@end example
+
+The client can use this command to tell the server about the data <hexstring>
+(which usually is a hash) to be signed. <algo> is the decimal encoded hash
+algorithm number as used by Libgcrypt. Either <algo> or --hash=<name>
+must be given. Valid names for <name> are:
+
+@table @code
+@item sha1
+The SHA-1 hash algorithm
+@item sha256
+The SHA-256 hash algorithm
+@item rmd160
+The RIPE-MD160 hash algorithm
+@item md5
+The old and broken MD5 hash algorithm
+@item tls-md5sha1
+A combined hash algorithm as used by the TLS protocol.
+@end table
+
+@noindent
+The actual signing is done using
+
+@example
+ PKSIGN <options>
+@end example
+
+Options are not yet defined, but may later be used to choose among
+different algorithms. The agent does then some checks, asks for the
+passphrase and as a result the server returns the signature as an SPKI
+like S-expression in "D" lines:
+
+@example
+ (sig-val
+ (<algo>
+ (<param_name1> <mpi>)
+ ...
+ (<param_namen> <mpi>)))
+@end example
+
+
+The operation is affected by the option
+
+@example
+ OPTION use-cache-for-signing=0|1
+@end example
+
+The default of @code{1} uses the cache. Setting this option to @code{0}
+will lead @command{gpg-agent} to ignore the passphrase cache. Note, that there is
+also a global command line option for @command{gpg-agent} to globally disable the
+caching.
+
+
+Here is an example session:
+@cartouche
+@smallexample
+ C: SIGKEY <keyGrip>
+ S: OK key available
+ C: SIGKEY <keyGrip>
+ S: OK key available
+ C: PKSIGN
+ S: # I did ask the user whether he really wants to sign
+ S: # I did ask the user for the passphrase
+ S: INQUIRE HASHVAL
+ C: D ABCDEF012345678901234
+ C: END
+ S: # signature follows
+ S: D (sig-val rsa (s 45435453654612121212))
+ S: OK
+@end smallexample
+@end cartouche
+
+@node Agent GENKEY
+@subsection Generating a Key
+
+This is used to create a new keypair and store the secret key inside the
+active PSE --- which is in most cases a Soft-PSE. A not-yet-defined
+option allows choosing the storage location. To get the secret key out
+of the PSE, a special export tool has to be used.
+
+@example
+ GENKEY [--no-protection] [--preset] [<cache_nonce>]
+@end example
+
+Invokes the key generation process and the server will then inquire
+on the generation parameters, like:
+
+@example
+ S: INQUIRE KEYPARM
+ C: D (genkey (rsa (nbits 1024)))
+ C: END
+@end example
+
+The format of the key parameters which depends on the algorithm is of
+the form:
+
+@example
+ (genkey
+ (algo
+ (parameter_name_1 ....)
+ ....
+ (parameter_name_n ....)))
+@end example
+
+If everything succeeds, the server returns the *public key* in a SPKI
+like S-Expression like this:
+
+@example
+ (public-key
+ (rsa
+ (n <mpi>)
+ (e <mpi>)))
+@end example
+
+Here is an example session:
+@cartouche
+@smallexample
+ C: GENKEY
+ S: INQUIRE KEYPARM
+ C: D (genkey (rsa (nbits 1024)))
+ C: END
+ S: D (public-key
+ S: D (rsa (n 326487324683264) (e 10001)))
+ S OK key created
+@end smallexample
+@end cartouche
+
+The @option{--no-protection} option may be used to prevent prompting for a
+passphrase to protect the secret key while leaving the secret key unprotected.
+The @option{--preset} option may be used to add the passphrase to the cache
+using the default cache parameters.
+
+The @option{--inq-passwd} option may be used to create the key with a
+supplied passphrase. When used the agent does an inquiry with the
+keyword @code{NEWPASSWD} to retrieve that passphrase. This option
+takes precedence over @option{--no-protection}; however if the client
+sends a empty (zero-length) passphrase, this is identical to
+@option{--no-protection}.
+
+@node Agent IMPORT
+@subsection Importing a Secret Key
+
+This operation is not yet supported by GpgAgent. Specialized tools
+are to be used for this.
+
+There is no actual need because we can expect that secret keys
+created by a 3rd party are stored on a smartcard. If we have
+generated the key ourselves, we do not need to import it.
+
+@node Agent EXPORT
+@subsection Export a Secret Key
+
+Not implemented.
+
+Should be done by an extra tool.
+
+@node Agent ISTRUSTED
+@subsection Importing a Root Certificate
+
+Actually we do not import a Root Cert but provide a way to validate
+any piece of data by storing its Hash along with a description and
+an identifier in the PSE. Here is the interface description:
+
+@example
+ ISTRUSTED <fingerprint>
+@end example
+
+Check whether the OpenPGP primary key or the X.509 certificate with the
+given fingerprint is an ultimately trusted key or a trusted Root CA
+certificate. The fingerprint should be given as a hexstring (without
+any blanks or colons or whatever in between) and may be left padded with
+00 in case of an MD5 fingerprint. GPGAgent will answer with:
+
+@example
+ OK
+@end example
+
+The key is in the table of trusted keys.
+
+@example
+ ERR 304 (Not Trusted)
+@end example
+
+The key is not in this table.
+
+Gpg needs the entire list of trusted keys to maintain the web of
+trust; the following command is therefore quite helpful:
+
+@example
+ LISTTRUSTED
+@end example
+
+GpgAgent returns a list of trusted keys line by line:
+
+@example
+ S: D 000000001234454556565656677878AF2F1ECCFF P
+ S: D 340387563485634856435645634856438576457A P
+ S: D FEDC6532453745367FD83474357495743757435D S
+ S: OK
+@end example
+
+The first item on a line is the hexified fingerprint where MD5
+fingerprints are @code{00} padded to the left and the second item is a
+flag to indicate the type of key (so that gpg is able to only take care
+of PGP keys). P = OpenPGP, S = S/MIME. A client should ignore the rest
+of the line, so that we can extend the format in the future.
+
+Finally a client should be able to mark a key as trusted:
+
+@example
+ MARKTRUSTED @var{fingerprint} "P"|"S"
+@end example
+
+The server will then pop up a window to ask the user whether she
+really trusts this key. For this it will probably ask for a text to
+be displayed like this:
+
+@example
+ S: INQUIRE TRUSTDESC
+ C: D Do you trust the key with the fingerprint @@FPR@@
+ C: D bla fasel blurb.
+ C: END
+ S: OK
+@end example
+
+Known sequences with the pattern @@foo@@ are replaced according to this
+table:
+
+@table @code
+@item @@FPR16@@
+Format the fingerprint according to gpg rules for a v3 keys.
+@item @@FPR20@@
+Format the fingerprint according to gpg rules for a v4 keys.
+@item @@FPR@@
+Choose an appropriate format to format the fingerprint.
+@item @@@@
+Replaced by a single @code{@@}.
+@end table
+
+@node Agent GET_PASSPHRASE
+@subsection Ask for a passphrase
+
+This function is usually used to ask for a passphrase to be used for
+symmetric encryption, but may also be used by programs which need
+special handling of passphrases. This command uses a syntax which helps
+clients to use the agent with minimum effort.
+
+@example
+ GET_PASSPHRASE [--data] [--check] [--no-ask] [--repeat[=N]] \
+ [--qualitybar] @var{cache_id} \
+ [@var{error_message} @var{prompt} @var{description}]
+@end example
+
+@var{cache_id} is expected to be a string used to identify a cached
+passphrase. Use a @code{X} to bypass the cache. With no other
+arguments the agent returns a cached passphrase or an error. By
+convention either the hexified fingerprint of the key shall be used for
+@var{cache_id} or an arbitrary string prefixed with the name of the
+calling application and a colon: Like @code{gpg:somestring}.
+
+@var{error_message} is either a single @code{X} for no error message or
+a string to be shown as an error message like (e.g. "invalid
+passphrase"). Blanks must be percent escaped or replaced by @code{+}'.
+
+@var{prompt} is either a single @code{X} for a default prompt or the
+text to be shown as the prompt. Blanks must be percent escaped or
+replaced by @code{+}.
+
+@var{description} is a text shown above the entry field. Blanks must be
+percent escaped or replaced by @code{+}.
+
+The agent either returns with an error or with a OK followed by the hex
+encoded passphrase. Note that the length of the strings is implicitly
+limited by the maximum length of a command. If the option
+@option{--data} is used, the passphrase is not returned on the OK line
+but by regular data lines; this is the preferred method.
+
+If the option @option{--check} is used, the standard passphrase
+constraints checks are applied. A check is not done if the passphrase
+has been found in the cache.
+
+If the option @option{--no-ask} is used and the passphrase is not in the
+cache the user will not be asked to enter a passphrase but the error
+code @code{GPG_ERR_NO_DATA} is returned.
+
+If the option @option{--qualitybar} is used and a minimum passphrase
+length has been configured, a visual indication of the entered
+passphrase quality is shown.
+
+@example
+ CLEAR_PASSPHRASE @var{cache_id}
+@end example
+
+may be used to invalidate the cache entry for a passphrase. The
+function returns with OK even when there is no cached passphrase.
+
+
+
+@node Agent CLEAR_PASSPHRASE
+@subsection Remove a cached passphrase
+
+Use this command to remove a cached passphrase.
+
+@example
+ CLEAR_PASSPHRASE [--mode=normal] <cache_id>
+@end example
+
+The @option{--mode=normal} option can be used to clear a @var{cache_id} that
+was set by gpg-agent.
+
+
+@node Agent PRESET_PASSPHRASE
+@subsection Set a passphrase for a keygrip
+
+This command adds a passphrase to the cache for the specified @var{keygrip}.
+
+@example
+ PRESET_PASSPHRASE [--inquire] <string_or_keygrip> <timeout> [<hexstring>]
+@end example
+
+The passphrase is a hexadecimal string when specified. When not specified, the
+passphrase will be retrieved from the pinentry module unless the
+@option{--inquire} option was specified in which case the passphrase will be
+retrieved from the client.
+
+The @var{timeout} parameter keeps the passphrase cached for the specified
+number of seconds. A value of @code{-1} means infinite while @code{0} means
+the default (currently only a timeout of -1 is allowed, which means to never
+expire it).
+
+
+@node Agent GET_CONFIRMATION
+@subsection Ask for confirmation
+
+This command may be used to ask for a simple confirmation by
+presenting a text and 2 buttons: Okay and Cancel.
+
+@example
+ GET_CONFIRMATION @var{description}
+@end example
+
+@var{description}is displayed along with a Okay and Cancel
+button. Blanks must be percent escaped or replaced by @code{+}. A
+@code{X} may be used to display confirmation dialog with a default
+text.
+
+The agent either returns with an error or with a OK. Note, that the
+length of @var{description} is implicitly limited by the maximum
+length of a command.
+
+
+
+@node Agent HAVEKEY
+@subsection Check whether a key is available
+
+This can be used to see whether a secret key is available. It does
+not return any information on whether the key is somehow protected.
+
+@example
+ HAVEKEY @var{keygrips}
+@end example
+
+The agent answers either with OK or @code{No_Secret_Key} (208). The
+caller may want to check for other error codes as well. More than one
+keygrip may be given. In this case the command returns success if at
+least one of the keygrips corresponds to an available secret key.
+
+
+@node Agent LEARN
+@subsection Register a smartcard
+
+@example
+ LEARN [--send]
+@end example
+
+This command is used to register a smartcard. With the @option{--send}
+option given the certificates are sent back.
+
+
+@node Agent PASSWD
+@subsection Change a Passphrase
+
+@example
+ PASSWD [--cache-nonce=<c>] [--passwd-nonce=<s>] [--preset] @var{keygrip}
+@end example
+
+This command is used to interactively change the passphrase of the key
+identified by the hex string @var{keygrip}. The @option{--preset}
+option may be used to add the new passphrase to the cache using the
+default cache parameters.
+
+
+@node Agent UPDATESTARTUPTTY
+@subsection Change the standard display
+
+@example
+ UPDATESTARTUPTTY
+@end example
+
+Set the startup TTY and X-DISPLAY variables to the values of this
+session. This command is useful to direct future pinentry invocations
+to another screen. It is only required because there is no way in the
+ssh-agent protocol to convey this information.
+
+
+@node Agent GETEVENTCOUNTER
+@subsection Get the Event Counters
+
+@example
+ GETEVENTCOUNTER
+@end example
+
+This function return one status line with the current values of the
+event counters. The event counters are useful to avoid polling by
+delaying a poll until something has changed. The values are decimal
+numbers in the range @code{0} to @code{UINT_MAX} and wrapping around to
+0. The actual values should not be relied upon; they shall only be used
+to detect a change.
+
+The currently defined counters are:
+@table @code
+@item ANY
+Incremented with any change of any of the other counters.
+@item KEY
+Incremented for added or removed private keys.
+@item CARD
+Incremented for changes of the card readers stati.
+@end table
+
+@node Agent GETINFO
+@subsection Return information about the process
+
+This is a multipurpose function to return a variety of information.
+
+@example
+GETINFO @var{what}
+@end example
+
+The value of @var{what} specifies the kind of information returned:
+@table @code
+@item version
+Return the version of the program.
+@item pid
+Return the process id of the process.
+@item socket_name
+Return the name of the socket used to connect the agent.
+@item ssh_socket_name
+Return the name of the socket used for SSH connections. If SSH support
+has not been enabled the error @code{GPG_ERR_NO_DATA} will be returned.
+@end table
+
+@node Agent OPTION
+@subsection Set options for the session
+
+Here is a list of session options which are not yet described with
+other commands. The general syntax for an Assuan option is:
+
+@smallexample
+OPTION @var{key}=@var{value}
+@end smallexample
+
+@noindent
+Supported @var{key}s are:
+
+@table @code
+@item agent-awareness
+This may be used to tell gpg-agent of which gpg-agent version the
+client is aware of. gpg-agent uses this information to enable
+features which might break older clients.
+
+@item putenv
+Change the session's environment to be used for the
+Pinentry. Valid values are:
+
+ @table @code
+ @item @var{name}
+ Delete envvar @var{name}
+ @item @var{name}=
+ Set envvar @var{name} to the empty string
+ @item @var{name}=@var{value}
+ Set envvar @var{name} to the string @var{value}.
+ @end table
+
+@item use-cache-for-signing
+See Assuan command @code{PKSIGN}.
+
+@item allow-pinentry-notify
+This does not need any value. It is used to enable the
+PINENTRY_LAUNCHED inquiry.
+
+@item pinentry-mode
+This option is used to change the operation mode of the pinentry. The
+following values are defined:
+
+ @table @code
+ @item ask
+ This is the default mode which pops up a pinentry as needed.
+
+ @item cancel
+ Instead of popping up a pinentry, return the error code
+ @code{GPG_ERR_CANCELED}.
+
+ @item error
+ Instead of popping up a pinentry, return the error code
+ @code{GPG_ERR_NO_PIN_ENTRY}.
+
+ @item loopback
+ Use a loopback pinentry. This fakes a pinentry by using inquiries
+ back to the caller to ask for a passphrase. This option may only be
+ set if the agent has been configured for that.
+ To disable this feature use @ref{option --no-allow-loopback-pinentry}.
+ @end table
+
+@item cache-ttl-opt-preset
+This option sets the cache TTL for new entries created by GENKEY and
+PASSWD commands when using the @option{--preset} option. It is not
+used a default value is used.
+
+@item s2k-count
+Instead of using the standard S2K count (which is computed on the
+fly), the given S2K count is used for new keys or when changing the
+passphrase of a key. Values below 65536 are considered to be 0. This
+option is valid for the entire session or until reset to 0. This
+option is useful if the key is later used on boxes which are either
+much slower or faster than the actual box.
+
+@item pretend-request-origin
+This option switches the connection into a restricted mode which
+handles all further commands in the same way as they would be handled
+when originating from the extra or browser socket. Note that this
+option is not available in the restricted mode. Valid values for this
+option are:
+
+ @table @code
+ @item none
+ @itemx local
+ This is a NOP and leaves the connection in the standard way.
+
+ @item remote
+ Pretend to come from a remote origin in the same way as connections
+ from the @option{--extra-socket}.
+
+ @item browser
+ Pretend to come from a local web browser in the same way as connections
+ from the @option{--browser-socket}.
+ @end table
+
+@end table
+
+
+@mansect see also
+@ifset isman
+@command{@gpgname}(1),
+@command{gpgsm}(1),
+@command{gpgconf}(1),
+@command{gpg-connect-agent}(1),
+@command{scdaemon}(1)
+@end ifset
+@include see-also-note.texi
diff --git a/doc/gpg.texi b/doc/gpg.texi
new file mode 100644
index 0000000..39c996b
--- /dev/null
+++ b/doc/gpg.texi
@@ -0,0 +1,4436 @@
+@c Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
+@c 2008, 2009, 2010 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@include defs.inc
+
+@node Invoking GPG
+@chapter Invoking GPG
+@cindex GPG command options
+@cindex command options
+@cindex options, GPG command
+
+
+@c Begin standard stuff
+@ifclear gpgtwohack
+@manpage gpg.1
+@ifset manverb
+.B gpg
+\- OpenPGP encryption and signing tool
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.I command
+.RI [ args ]
+@end ifset
+@end ifclear
+@c End standard stuff
+
+@c Begin gpg2 hack stuff
+@ifset gpgtwohack
+@manpage gpg2.1
+@ifset manverb
+.B gpg2
+\- OpenPGP encryption and signing tool
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg2
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.I command
+.RI [ args ]
+@end ifset
+@end ifset
+@c End gpg2 hack stuff
+
+
+@mansect description
+@command{@gpgname} is the OpenPGP part of the GNU Privacy Guard (GnuPG). It
+is a tool to provide digital encryption and signing services using the
+OpenPGP standard. @command{@gpgname} features complete key management and
+all the bells and whistles you would expect from a full OpenPGP
+implementation.
+
+There are two main versions of GnuPG: GnuPG 1.x and GnuPG 2.x. GnuPG
+2.x supports modern encryption algorithms and thus should be preferred
+over GnuPG 1.x. You only need to use GnuPG 1.x if your platform
+doesn't support GnuPG 2.x, or you need support for some features that
+GnuPG 2.x has deprecated, e.g., decrypting data created with PGP-2
+keys.
+
+@ifclear gpgtwohack
+If you are looking for version 1 of GnuPG, you may find that version
+installed under the name @command{gpg1}.
+@end ifclear
+@ifset gpgtwohack
+In contrast to the standalone command @command{gpg} from GnuPG 1.x,
+the 2.x version is commonly installed under the name
+@command{@gpgname}.
+@end ifset
+
+@manpause
+
+@xref{Option Index}, for an index to @command{@gpgname}'s commands and options.
+@mancont
+
+@menu
+* GPG Commands:: List of all commands.
+* GPG Options:: List of all options.
+* GPG Configuration:: Configuration files.
+* GPG Examples:: Some usage examples.
+
+Developer information:
+* Unattended Usage of GPG:: Using @command{gpg} from other programs.
+@end menu
+
+@c * GPG Protocol:: The protocol the server mode uses.
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** COMMANDS ****************
+@c *************** ****************
+@c *******************************************
+@mansect commands
+@node GPG Commands
+@section Commands
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed. Generally speaking, irrelevant options
+are silently ignored, and may not be checked for correctness.
+
+@command{@gpgname} may be run with no commands. In this case it will
+print a warning perform a reasonable action depending on the type of
+file it is given as input (an encrypted message is decrypted, a
+signature is verified, a file containing keys is listed, etc.).
+
+If you run into any problems, please add the option @option{--verbose}
+to the invocation to see more diagnostics.
+
+
+@menu
+* General GPG Commands:: Commands not specific to the functionality.
+* Operational GPG Commands:: Commands to select the type of operation.
+* OpenPGP Key Management:: How to manage your keys.
+@end menu
+
+
+@c *******************************************
+@c ********** GENERAL COMMANDS *************
+@c *******************************************
+@node General GPG Commands
+@subsection Commands not specific to the function
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you
+cannot abbreviate this command.
+
+@item --help
+@itemx -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot arbitrarily abbreviate this command
+(though you can use its short form @option{-h}).
+
+@item --warranty
+@opindex warranty
+Print warranty information.
+
+@item --dump-options
+@opindex dump-options
+Print a list of all available options and commands. Note that you cannot
+abbreviate this command.
+@end table
+
+
+@c *******************************************
+@c ******** OPERATIONAL COMMANDS ***********
+@c *******************************************
+@node Operational GPG Commands
+@subsection Commands to select the type of operation
+
+
+@table @gnupgtabopt
+
+@item --sign
+@itemx -s
+@opindex sign
+Sign a message. This command may be combined with @option{--encrypt}
+(to sign and encrypt a message), @option{--symmetric} (to sign and
+symmetrically encrypt a message), or both @option{--encrypt} and
+@option{--symmetric} (to sign and encrypt a message that can be
+decrypted using a secret key or a passphrase). The signing key is
+chosen by default or can be set explicitly using the
+@option{--local-user} and @option{--default-key} options.
+
+@item --clear-sign
+@opindex clear-sign
+@itemx --clearsign
+@opindex clearsign
+Make a cleartext signature. The content in a cleartext signature is
+readable without any special software. OpenPGP software is only needed
+to verify the signature. cleartext signatures may modify end-of-line
+whitespace for platform independence and are not intended to be
+reversible. The signing key is chosen by default or can be set
+explicitly using the @option{--local-user} and @option{--default-key}
+options.
+
+
+@item --detach-sign
+@itemx -b
+@opindex detach-sign
+Make a detached signature.
+
+@item --encrypt
+@itemx -e
+@opindex encrypt
+Encrypt data to one or more public keys. This command may be combined
+with @option{--sign} (to sign and encrypt a message),
+@option{--symmetric} (to encrypt a message that can be decrypted using a
+secret key or a passphrase), or @option{--sign} and
+@option{--symmetric} together (for a signed message that can be
+decrypted using a secret key or a passphrase). @option{--recipient}
+and related options specify which public keys to use for encryption.
+
+@item --symmetric
+@itemx -c
+@opindex symmetric
+Encrypt with a symmetric cipher using a passphrase. The default
+symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
+@option{--cipher-algo} option. This command may be combined with
+@option{--sign} (for a signed and symmetrically encrypted message),
+@option{--encrypt} (for a message that may be decrypted via a secret key
+or a passphrase), or @option{--sign} and @option{--encrypt} together
+(for a signed message that may be decrypted via a secret key or a
+passphrase). @command{@gpgname} caches the passphrase used for
+symmetric encryption so that a decrypt operation may not require that
+the user needs to enter the passphrase. The option
+@option{--no-symkey-cache} can be used to disable this feature.
+
+@item --store
+@opindex store
+Store only (make a simple literal data packet).
+
+@item --decrypt
+@itemx -d
+@opindex decrypt
+Decrypt the file given on the command line (or STDIN if no file
+is specified) and write it to STDOUT (or the file specified with
+@option{--output}). If the decrypted file is signed, the signature is also
+verified. This command differs from the default operation, as it never
+writes to the filename which is included in the file and it rejects
+files that don't begin with an encrypted message.
+
+@item --verify
+@opindex verify
+Assume that the first argument is a signed file and verify it without
+generating any output. With no arguments, the signature packet is
+read from STDIN. If only one argument is given, the specified file is
+expected to include a complete signature.
+
+With more than one argument, the first argument should specify a file
+with a detached signature and the remaining files should contain the
+signed data. To read the signed data from STDIN, use @samp{-} as the
+second filename. For security reasons, a detached signature will not
+read the signed material from STDIN if not explicitly specified.
+
+Note: If the option @option{--batch} is not used, @command{@gpgname}
+may assume that a single argument is a file with a detached signature,
+and it will try to find a matching data file by stripping certain
+suffixes. Using this historical feature to verify a detached
+signature is strongly discouraged; you should always specify the data file
+explicitly.
+
+Note: When verifying a cleartext signature, @command{@gpgname} verifies
+only what makes up the cleartext signed data and not any extra data
+outside of the cleartext signature or the header lines directly following
+the dash marker line. The option @code{--output} may be used to write
+out the actual signed data, but there are other pitfalls with this
+format as well. It is suggested to avoid cleartext signatures in
+favor of detached signatures.
+
+Note: Sometimes the use of the @command{gpgv} tool is easier than
+using the full-fledged @command{gpg} with this option. @command{gpgv}
+is designed to compare signed data against a list of trusted keys and
+returns with success only for a good signature. It has its own manual
+page.
+
+
+@item --multifile
+@opindex multifile
+This modifies certain other commands to accept multiple files for
+processing on the command line or read from STDIN with each filename on
+a separate line. This allows for many files to be processed at
+once. @option{--multifile} may currently be used along with
+@option{--verify}, @option{--encrypt}, and @option{--decrypt}. Note that
+@option{--multifile --verify} may not be used with detached signatures.
+
+@item --verify-files
+@opindex verify-files
+Identical to @option{--multifile --verify}.
+
+@item --encrypt-files
+@opindex encrypt-files
+Identical to @option{--multifile --encrypt}.
+
+@item --decrypt-files
+@opindex decrypt-files
+Identical to @option{--multifile --decrypt}.
+
+@item --list-keys
+@itemx -k
+@itemx --list-public-keys
+@opindex list-keys
+List the specified keys. If no keys are specified, then all keys from
+the configured public keyrings are listed.
+
+Never use the output of this command in scripts or other programs.
+The output is intended only for humans and its format is likely to
+change. The @option{--with-colons} option emits the output in a
+stable, machine-parseable format, which is intended for use by scripts
+and other programs.
+
+@item --list-secret-keys
+@itemx -K
+@opindex list-secret-keys
+List the specified secret keys. If no keys are specified, then all
+known secret keys are listed. A @code{#} after the initial tags
+@code{sec} or @code{ssb} means that the secret key or subkey is
+currently not usable. We also say that this key has been taken
+offline (for example, a primary key can be taken offline by exporting
+the key using the command @option{--export-secret-subkeys}). A
+@code{>} after these tags indicate that the key is stored on a
+smartcard. See also @option{--list-keys}.
+
+@item --check-signatures
+@opindex check-signatures
+@itemx --check-sigs
+@opindex check-sigs
+Same as @option{--list-keys}, but the key signatures are verified and
+listed too. Note that for performance reasons the revocation status
+of a signing key is not shown. This command has the same effect as
+using @option{--list-keys} with @option{--with-sig-check}.
+
+The status of the verification is indicated by a flag directly
+following the "sig" tag (and thus before the flags described below. A
+"!" indicates that the signature has been successfully verified, a "-"
+denotes a bad signature and a "%" is used if an error occurred while
+checking the signature (e.g. a non supported algorithm). Signatures
+where the public key is not available are not listed; to see their
+keyids the command @option{--list-sigs} can be used.
+
+For each signature listed, there are several flags in between the
+signature status flag and keyid. These flags give additional
+information about each key signature. From left to right, they are
+the numbers 1-3 for certificate check level (see
+@option{--ask-cert-level}), "L" for a local or non-exportable
+signature (see @option{--lsign-key}), "R" for a nonRevocable signature
+(see the @option{--edit-key} command "nrsign"), "P" for a signature
+that contains a policy URL (see @option{--cert-policy-url}), "N" for a
+signature that contains a notation (see @option{--cert-notation}), "X"
+for an eXpired signature (see @option{--ask-cert-expire}), and the
+numbers 1-9 or "T" for 10 and above to indicate trust signature levels
+(see the @option{--edit-key} command "tsign").
+
+
+@item --locate-keys
+@itemx --locate-external-keys
+@opindex locate-keys
+@opindex locate-external-keys
+Locate the keys given as arguments. This command basically uses the
+same algorithm as used when locating keys for encryption and may thus
+be used to see what keys @command{@gpgname} might use. In particular
+external methods as defined by @option{--auto-key-locate} are used to
+locate a key if the arguments comain valid mail addresses. Only
+public keys are listed.
+
+The variant @option{--locate-external-keys} does not consider a
+locally existing key and can thus be used to force the refresh of a
+key via the defined external methods. If a fingerprint is given and
+and the methods defined by --auto-key-locate define LDAP servers, the
+key is fetched from these resources; defined non-LDAP keyservers are
+skipped.
+
+@item --show-keys
+@opindex show-keys
+This commands takes OpenPGP keys as input and prints information about
+them in the same way the command @option{--list-keys} does for locally
+stored key. In addition the list options @code{show-unusable-uids},
+@code{show-unusable-subkeys}, @code{show-notations} and
+@code{show-policy-urls} are also enabled. As usual for automated
+processing, this command should be combined with the option
+@option{--with-colons}.
+
+@item --fingerprint
+@opindex fingerprint
+List all keys (or the specified ones) along with their
+fingerprints. This is the same output as @option{--list-keys} but with
+the additional output of a line with the fingerprint. May also be
+combined with @option{--check-signatures}. If this
+command is given twice, the fingerprints of all secondary keys are
+listed too. This command also forces pretty printing of fingerprints
+if the keyid format has been set to "none".
+
+@item --list-packets
+@opindex list-packets
+List only the sequence of packets. This command is only useful for
+debugging. When used with option @option{--verbose} the actual MPI
+values are dumped and not only their lengths. Note that the output of
+this command may change with new releases.
+
+
+@item --edit-card
+@opindex edit-card
+@itemx --card-edit
+@opindex card-edit
+Present a menu to work with a smartcard. The subcommand "help" provides
+an overview on available commands. For a detailed description, please
+see the Card HOWTO at
+https://gnupg.org/documentation/howtos.html#GnuPG-cardHOWTO .
+
+@item --card-status
+@opindex card-status
+Show the content of the smart card.
+
+@item --change-pin
+@opindex change-pin
+Present a menu to allow changing the PIN of a smartcard. This
+functionality is also available as the subcommand "passwd" with the
+@option{--edit-card} command.
+
+@item --delete-keys @var{name}
+@opindex delete-keys
+Remove key from the public keyring. In batch mode either @option{--yes} is
+required or the key must be specified by fingerprint. This is a
+safeguard against accidental deletion of multiple keys. If the
+exclamation mark syntax is used with the fingerprint of a subkey only
+that subkey is deleted; if the exclamation mark is used with the
+fingerprint of the primary key the entire public key is deleted.
+
+@item --delete-secret-keys @var{name}
+@opindex delete-secret-keys
+Remove key from the secret keyring. In batch mode the key must be
+specified by fingerprint. The option @option{--yes} can be used to
+advise gpg-agent not to request a confirmation. This extra
+pre-caution is done because @command{@gpgname} can't be sure that the
+secret key (as controlled by gpg-agent) is only used for the given
+OpenPGP public key. If the exclamation mark syntax is used with the
+fingerprint of a subkey only the secret part of that subkey is
+deleted; if the exclamation mark is used with the fingerprint of the
+primary key only the secret part of the primary key is deleted.
+
+
+@item --delete-secret-and-public-key @var{name}
+@opindex delete-secret-and-public-key
+Same as @option{--delete-key}, but if a secret key exists, it will be
+removed first. In batch mode the key must be specified by fingerprint.
+The option @option{--yes} can be used to advise gpg-agent not to
+request a confirmation.
+
+@item --export
+@opindex export
+Either export all keys from all keyrings (default keyring and those
+registered via option @option{--keyring}), or if at least one name is given,
+those of the given name. The exported keys are written to STDOUT or to the
+file given with option @option{--output}. Use together with
+@option{--armor} to mail those keys.
+
+@item --send-keys @var{keyIDs}
+@opindex send-keys
+Similar to @option{--export} but sends the keys to a keyserver.
+Fingerprints may be used instead of key IDs.
+Don't send your complete keyring to a keyserver --- select
+only those keys which are new or changed by you. If no @var{keyIDs}
+are given, @command{@gpgname} does nothing.
+
+Take care: Keyservers are by design write only systems and thus it is
+not possible to ever delete keys once they have been send to a
+keyserver.
+
+
+@item --export-secret-keys
+@itemx --export-secret-subkeys
+@opindex export-secret-keys
+@opindex export-secret-subkeys
+Same as @option{--export}, but exports the secret keys instead. The
+exported keys are written to STDOUT or to the file given with option
+@option{--output}. This command is often used along with the option
+@option{--armor} to allow for easy printing of the key for paper backup;
+however the external tool @command{paperkey} does a better job of
+creating backups on paper. Note that exporting a secret key can be a
+security risk if the exported keys are sent over an insecure channel.
+
+The second form of the command has the special property to render the
+secret part of the primary key useless; this is a GNU extension to
+OpenPGP and other implementations can not be expected to successfully
+import such a key. Its intended use is in generating a full key with
+an additional signing subkey on a dedicated machine. This command
+then exports the key without the primary key to the main machine.
+
+GnuPG may ask you to enter the passphrase for the key. This is
+required, because the internal protection method of the secret key is
+different from the one specified by the OpenPGP protocol.
+
+@item --export-ssh-key
+@opindex export-ssh-key
+This command is used to export a key in the OpenSSH public key format.
+It requires the specification of one key by the usual means and
+exports the latest valid subkey which has an authentication capability
+to STDOUT or to the file given with option @option{--output}. That
+output can directly be added to ssh's @file{authorized_key} file.
+
+By specifying the key to export using a key ID or a fingerprint
+suffixed with an exclamation mark (!), a specific subkey or the
+primary key can be exported. This does not even require that the key
+has the authentication capability flag set.
+
+@item --import
+@itemx --fast-import
+@opindex import
+Import/merge keys. This adds the given keys to the
+keyring. The fast version is currently just a synonym.
+
+There are a few other options which control how this command works.
+Most notable here is the @option{--import-options merge-only} option
+which does not insert new keys but does only the merging of new
+signatures, user-IDs and subkeys.
+
+@item --receive-keys @var{keyIDs}
+@opindex receive-keys
+@itemx --recv-keys @var{keyIDs}
+@opindex recv-keys
+Import the keys with the given @var{keyIDs} from a keyserver.
+
+@item --refresh-keys
+@opindex refresh-keys
+Request updates from a keyserver for keys that already exist on the
+local keyring. This is useful for updating a key with the latest
+signatures, user IDs, etc. Calling this with no arguments will refresh
+the entire keyring.
+
+@item --search-keys @var{names}
+@opindex search-keys
+Search the keyserver for the given @var{names}. Multiple names given
+here will be joined together to create the search string for the
+keyserver. Note that keyservers search for @var{names} in a different
+and simpler way than gpg does. The best choice is to use a mail
+address. Due to data privacy reasons keyservers may even not even
+allow searching by user id or mail address and thus may only return
+results when being used with the @option{--recv-key} command to
+search by key fingerprint or keyid.
+
+@item --fetch-keys @var{URIs}
+@opindex fetch-keys
+Retrieve keys located at the specified @var{URIs}. Note that different
+installations of GnuPG may support different protocols (HTTP, FTP,
+LDAP, etc.). When using HTTPS the system provided root certificates
+are used by this command.
+
+@item --update-trustdb
+@opindex update-trustdb
+Do trust database maintenance. This command iterates over all keys and
+builds the Web of Trust. This is an interactive command because it may
+have to ask for the "ownertrust" values for keys. The user has to give
+an estimation of how far she trusts the owner of the displayed key to
+correctly certify (sign) other keys. GnuPG only asks for the ownertrust
+value if it has not yet been assigned to a key. Using the
+@option{--edit-key} menu, the assigned value can be changed at any time.
+
+@item --check-trustdb
+@opindex check-trustdb
+Do trust database maintenance without user interaction. From time to
+time the trust database must be updated so that expired keys or
+signatures and the resulting changes in the Web of Trust can be
+tracked. Normally, GnuPG will calculate when this is required and do it
+automatically unless @option{--no-auto-check-trustdb} is set. This
+command can be used to force a trust database check at any time. The
+processing is identical to that of @option{--update-trustdb} but it
+skips keys with a not yet defined "ownertrust".
+
+For use with cron jobs, this command can be used together with
+@option{--batch} in which case the trust database check is done only if
+a check is needed. To force a run even in batch mode add the option
+@option{--yes}.
+
+@anchor{option --export-ownertrust}
+@item --export-ownertrust
+@opindex export-ownertrust
+Send the ownertrust values to STDOUT. This is useful for backup purposes
+as these values are the only ones which can't be re-created from a
+corrupted trustdb. Example:
+@c man:.RS
+@example
+ @gpgname{} --export-ownertrust > otrust.txt
+@end example
+@c man:.RE
+
+
+@item --import-ownertrust
+@opindex import-ownertrust
+Update the trustdb with the ownertrust values stored in @code{files} (or
+STDIN if not given); existing values will be overwritten. In case of a
+severely damaged trustdb and if you have a recent backup of the
+ownertrust values (e.g. in the file @file{otrust.txt}), you may re-create
+the trustdb using these commands:
+@c man:.RS
+@example
+ cd ~/.gnupg
+ rm trustdb.gpg
+ @gpgname{} --import-ownertrust < otrust.txt
+@end example
+@c man:.RE
+
+
+@item --rebuild-keydb-caches
+@opindex rebuild-keydb-caches
+When updating from version 1.0.6 to 1.0.7 this command should be used
+to create signature caches in the keyring. It might be handy in other
+situations too.
+
+@item --print-md @var{algo}
+@itemx --print-mds
+@opindex print-md
+Print message digest of algorithm @var{algo} for all given files or STDIN.
+With the second form (or a deprecated "*" for @var{algo}) digests for all
+available algorithms are printed.
+
+@item --gen-random @var{0|1|2} @var{count}
+@opindex gen-random
+Emit @var{count} random bytes of the given quality level 0, 1 or 2. If
+@var{count} is not given or zero, an endless sequence of random bytes
+will be emitted. If used with @option{--armor} the output will be
+base64 encoded. PLEASE, don't use this command unless you know what
+you are doing; it may remove precious entropy from the system!
+
+@item --gen-prime @var{mode} @var{bits}
+@opindex gen-prime
+Use the source, Luke :-). The output format is subject to change
+with ant release.
+
+
+@item --enarmor
+@itemx --dearmor
+@opindex enarmor
+@opindex dearmor
+Pack or unpack an arbitrary input into/from an OpenPGP ASCII armor.
+This is a GnuPG extension to OpenPGP and in general not very useful.
+
+@item --tofu-policy @{auto|good|unknown|bad|ask@} @var{keys}
+@opindex tofu-policy
+Set the TOFU policy for all the bindings associated with the specified
+@var{keys}. For more information about the meaning of the policies,
+@pxref{trust-model-tofu}. The @var{keys} may be specified either by their
+fingerprint (preferred) or their keyid.
+
+@c @item --server
+@c @opindex server
+@c Run gpg in server mode. This feature is not yet ready for use and
+@c thus not documented.
+
+@end table
+
+
+@c *******************************************
+@c ******* KEY MANGEMENT COMMANDS **********
+@c *******************************************
+@node OpenPGP Key Management
+@subsection How to manage your keys
+
+This section explains the main commands for key management.
+
+@table @gnupgtabopt
+
+@item --quick-generate-key @var{user-id} [@var{algo} [@var{usage} [@var{expire}]]]
+@itemx --quick-gen-key
+@opindex quick-generate-key
+@opindex quick-gen-key
+This is a simple command to generate a standard key with one user id.
+In contrast to @option{--generate-key} the key is generated directly
+without the need to answer a bunch of prompts. Unless the option
+@option{--yes} is given, the key creation will be canceled if the
+given user id already exists in the keyring.
+
+If invoked directly on the console without any special options an
+answer to a ``Continue?'' style confirmation prompt is required. In
+case the user id already exists in the keyring a second prompt to
+force the creation of the key will show up.
+
+If @var{algo} or @var{usage} are given, only the primary key is
+created and no prompts are shown. To specify an expiration date but
+still create a primary and subkey use ``default'' or
+``future-default'' for @var{algo} and ``default'' for @var{usage}.
+For a description of these optional arguments see the command
+@code{--quick-add-key}. The @var{usage} accepts also the value
+``cert'' which can be used to create a certification only primary key;
+the default is to a create certification and signing key.
+
+The @var{expire} argument can be used to specify an expiration date
+for the key. Several formats are supported; commonly the ISO formats
+``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
+expire in N seconds, N days, N weeks, N months, or N years use
+``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not
+specifying a value, or using ``-'' results in a key expiring in a
+reasonable default interval. The values ``never'', ``none'' can be
+used for no expiration date.
+
+If this command is used with @option{--batch},
+@option{--pinentry-mode} has been set to @code{loopback}, and one of
+the passphrase options (@option{--passphrase},
+@option{--passphrase-fd}, or @option{--passphrase-file}) is used, the
+supplied passphrase is used for the new key and the agent does not ask
+for it. To create a key without any protection @code{--passphrase ''}
+may be used.
+
+To create an OpenPGP key from the keys available on the currently
+inserted smartcard, the special string ``card'' can be used for
+@var{algo}. If the card features an encryption and a signing key, gpg
+will figure them out and creates an OpenPGP key consisting of the
+usual primary key and one subkey. This works only with certain
+smartcards. Note that the interactive @option{--full-gen-key} command
+allows to do the same but with greater flexibility in the selection of
+the smartcard keys.
+
+Note that it is possible to create a primary key and a subkey using
+non-default algorithms by using ``default'' and changing the default
+parameters using the option @option{--default-new-key-algo}.
+
+@item --quick-set-expire @var{fpr} @var{expire} [*|@var{subfprs}]
+@opindex quick-set-expire
+With two arguments given, directly set the expiration time of the
+primary key identified by @var{fpr} to @var{expire}. To remove the
+expiration time @code{0} can be used. With three arguments and the
+third given as an asterisk, the expiration time of all non-revoked and
+not yet expired subkeys are set to @var{expire}. With more than two
+arguments and a list of fingerprints given for @var{subfprs}, all
+non-revoked subkeys matching these fingerprints are set to
+@var{expire}.
+
+
+@item --quick-add-key @var{fpr} [@var{algo} [@var{usage} [@var{expire}]]]
+@opindex quick-add-key
+Directly add a subkey to the key identified by the fingerprint
+@var{fpr}. Without the optional arguments an encryption subkey is
+added. If any of the arguments are given a more specific subkey is
+added.
+
+@var{algo} may be any of the supported algorithms or curve names
+given in the format as used by key listings. To use the default
+algorithm the string ``default'' or ``-'' can be used. Supported
+algorithms are ``rsa'', ``dsa'', ``elg'', ``ed25519'', ``cv25519'',
+and other ECC curves. For example the string ``rsa'' adds an RSA key
+with the default key length; a string ``rsa4096'' requests that the
+key length is 4096 bits. The string ``future-default'' is an alias
+for the algorithm which will likely be used as default algorithm in
+future versions of gpg. To list the supported ECC curves the command
+@code{gpg --with-colons --list-config curve} can be used.
+
+Depending on the given @var{algo} the subkey may either be an
+encryption subkey or a signing subkey. If an algorithm is capable of
+signing and encryption and such a subkey is desired, a @var{usage}
+string must be given. This string is either ``default'' or ``-'' to
+keep the default or a comma delimited list (or space delimited list)
+of keywords: ``sign'' for a signing subkey, ``auth'' for an
+authentication subkey, and ``encr'' for an encryption subkey
+(``encrypt'' can be used as alias for ``encr''). The valid
+combinations depend on the algorithm.
+
+The @var{expire} argument can be used to specify an expiration date
+for the key. Several formats are supported; commonly the ISO formats
+``YYYY-MM-DD'' or ``YYYYMMDDThhmmss'' are used. To make the key
+expire in N seconds, N days, N weeks, N months, or N years use
+``seconds=N'', ``Nd'', ``Nw'', ``Nm'', or ``Ny'' respectively. Not
+specifying a value, or using ``-'' results in a key expiring in a
+reasonable default interval. The values ``never'', ``none'' can be
+used for no expiration date.
+
+@item --generate-key
+@opindex generate-key
+@itemx --gen-key
+@opindex gen-key
+Generate a new key pair using the current default parameters. This is
+the standard command to create a new key. In addition to the key a
+revocation certificate is created and stored in the
+@file{openpgp-revocs.d} directory below the GnuPG home directory.
+
+@item --full-generate-key
+@opindex full-generate-key
+@itemx --full-gen-key
+@opindex full-gen-key
+Generate a new key pair with dialogs for all options. This is an
+extended version of @option{--generate-key}.
+
+There is also a feature which allows you to create keys in batch
+mode. See the manual section ``Unattended key generation'' on how
+to use this.
+
+
+@item --generate-revocation @var{name}
+@opindex generate-revocation
+@itemx --gen-revoke @var{name}
+@opindex gen-revoke
+Generate a revocation certificate for the complete key. To only revoke
+a subkey or a key signature, use the @option{--edit} command.
+
+This command merely creates the revocation certificate so that it can
+be used to revoke the key if that is ever needed. To actually revoke
+a key the created revocation certificate needs to be merged with the
+key to revoke. This is done by importing the revocation certificate
+using the @option{--import} command. Then the revoked key needs to be
+published, which is best done by sending the key to a keyserver
+(command @option{--send-key}) and by exporting (@option{--export}) it
+to a file which is then send to frequent communication partners.
+
+
+@item --generate-designated-revocation @var{name}
+@opindex generate-designated-revocation
+@itemx --desig-revoke @var{name}
+@opindex desig-revoke
+Generate a designated revocation certificate for a key. This allows a
+user (with the permission of the keyholder) to revoke someone else's
+key.
+
+
+@item --edit-key
+@opindex edit-key
+Present a menu which enables you to do most of the key management
+related tasks. It expects the specification of a key on the command
+line.
+
+@c ******** Begin Edit-key Options **********
+@table @asis
+
+ @item uid @var{n}
+ @opindex keyedit:uid
+ Toggle selection of user ID or photographic user ID with index @var{n}.
+ Use @code{*} to select all and @code{0} to deselect all.
+
+ @item key @var{n}
+ @opindex keyedit:key
+ Toggle selection of subkey with index @var{n} or key ID @var{n}.
+ Use @code{*} to select all and @code{0} to deselect all.
+
+ @item sign
+ @opindex keyedit:sign
+ Make a signature on key of user @code{name}. If the key is not yet
+ signed by the default user (or the users given with @option{-u}), the program
+ displays the information of the key again, together with its
+ fingerprint and asks whether it should be signed. This question is
+ repeated for all users specified with
+ @option{-u}.
+
+ @item lsign
+ @opindex keyedit:lsign
+ Same as "sign" but the signature is marked as non-exportable and will
+ therefore never be used by others. This may be used to make keys
+ valid only in the local environment.
+
+ @item nrsign
+ @opindex keyedit:nrsign
+ Same as "sign" but the signature is marked as non-revocable and can
+ therefore never be revoked.
+
+ @item tsign
+ @opindex keyedit:tsign
+ Make a trust signature. This is a signature that combines the notions
+ of certification (like a regular signature), and trust (like the
+ "trust" command). It is generally only useful in distinct communities
+ or groups. For more information please read the sections
+ ``Trust Signature'' and ``Regular Expression'' in RFC-4880.
+@end table
+
+@c man:.RS
+Note that "l" (for local / non-exportable), "nr" (for non-revocable,
+and "t" (for trust) may be freely mixed and prefixed to "sign" to
+create a signature of any type desired.
+@c man:.RE
+
+If the option @option{--only-sign-text-ids} is specified, then any
+non-text based user ids (e.g., photo IDs) will not be selected for
+signing.
+
+@table @asis
+
+ @item delsig
+ @opindex keyedit:delsig
+ Delete a signature. Note that it is not possible to retract a signature,
+ once it has been send to the public (i.e. to a keyserver). In that case
+ you better use @code{revsig}.
+
+ @item revsig
+ @opindex keyedit:revsig
+ Revoke a signature. For every signature which has been generated by
+ one of the secret keys, GnuPG asks whether a revocation certificate
+ should be generated.
+
+ @item check
+ @opindex keyedit:check
+ Check the signatures on all selected user IDs. With the extra
+ option @code{selfsig} only self-signatures are shown.
+
+ @item adduid
+ @opindex keyedit:adduid
+ Create an additional user ID.
+
+ @item addphoto
+ @opindex keyedit:addphoto
+ Create a photographic user ID. This will prompt for a JPEG file that
+ will be embedded into the user ID. Note that a very large JPEG will make
+ for a very large key. Also note that some programs will display your
+ JPEG unchanged (GnuPG), and some programs will scale it to fit in a
+ dialog box (PGP).
+
+ @item showphoto
+ @opindex keyedit:showphoto
+ Display the selected photographic user ID.
+
+ @item deluid
+ @opindex keyedit:deluid
+ Delete a user ID or photographic user ID. Note that it is not
+ possible to retract a user id, once it has been send to the public
+ (i.e. to a keyserver). In that case you better use @code{revuid}.
+
+ @item revuid
+ @opindex keyedit:revuid
+ Revoke a user ID or photographic user ID.
+
+ @item primary
+ @opindex keyedit:primary
+ Flag the current user id as the primary one, removes the primary user
+ id flag from all other user ids and sets the timestamp of all affected
+ self-signatures one second ahead. Note that setting a photo user ID
+ as primary makes it primary over other photo user IDs, and setting a
+ regular user ID as primary makes it primary over other regular user
+ IDs.
+
+ @item keyserver
+ @opindex keyedit:keyserver
+ Set a preferred keyserver for the specified user ID(s). This allows
+ other users to know where you prefer they get your key from. See
+ @option{--keyserver-options honor-keyserver-url} for more on how this
+ works. Setting a value of "none" removes an existing preferred
+ keyserver.
+
+ @item notation
+ @opindex keyedit:notation
+ Set a name=value notation for the specified user ID(s). See
+ @option{--cert-notation} for more on how this works. Setting a value of
+ "none" removes all notations, setting a notation prefixed with a minus
+ sign (-) removes that notation, and setting a notation name (without the
+ =value) prefixed with a minus sign removes all notations with that name.
+
+ @item pref
+ @opindex keyedit:pref
+ List preferences from the selected user ID. This shows the actual
+ preferences, without including any implied preferences.
+
+ @item showpref
+ @opindex keyedit:showpref
+ More verbose preferences listing for the selected user ID. This shows
+ the preferences in effect by including the implied preferences of 3DES
+ (cipher), SHA-1 (digest), and Uncompressed (compression) if they are
+ not already included in the preference list. In addition, the
+ preferred keyserver and signature notations (if any) are shown.
+
+ @item setpref @var{string}
+ @opindex keyedit:setpref
+ Set the list of user ID preferences to @var{string} for all (or just
+ the selected) user IDs. Calling setpref with no arguments sets the
+ preference list to the default (either built-in or set via
+ @option{--default-preference-list}), and calling setpref with "none"
+ as the argument sets an empty preference list. Use @command{@gpgname
+ --version} to get a list of available algorithms. Note that while you
+ can change the preferences on an attribute user ID (aka "photo ID"),
+ GnuPG does not select keys via attribute user IDs so these preferences
+ will not be used by GnuPG.
+
+ When setting preferences, you should list the algorithms in the order
+ which you'd like to see them used by someone else when encrypting a
+ message to your key. If you don't include 3DES, it will be
+ automatically added at the end. Note that there are many factors that
+ go into choosing an algorithm (for example, your key may not be the
+ only recipient), and so the remote OpenPGP application being used to
+ send to you may or may not follow your exact chosen order for a given
+ message. It will, however, only choose an algorithm that is present
+ on the preference list of every recipient key. See also the
+ INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS section below.
+
+ @item addkey
+ @opindex keyedit:addkey
+ Add a subkey to this key.
+
+ @item addcardkey
+ @opindex keyedit:addcardkey
+ Generate a subkey on a card and add it to this key.
+
+ @item keytocard
+ @opindex keyedit:keytocard
+ Transfer the selected secret subkey (or the primary key if no subkey
+ has been selected) to a smartcard. The secret key in the keyring will
+ be replaced by a stub if the key could be stored successfully on the
+ card and you use the save command later. Only certain key types may be
+ transferred to the card. A sub menu allows you to select on what card
+ to store the key. Note that it is not possible to get that key back
+ from the card - if the card gets broken your secret key will be lost
+ unless you have a backup somewhere.
+
+ @item bkuptocard @var{file}
+ @opindex keyedit:bkuptocard
+ Restore the given @var{file} to a card. This command may be used to restore a
+ backup key (as generated during card initialization) to a new card. In
+ almost all cases this will be the encryption key. You should use this
+ command only with the corresponding public key and make sure that the
+ file given as argument is indeed the backup to restore. You should then
+ select 2 to restore as encryption key. You will first be asked to enter
+ the passphrase of the backup key and then for the Admin PIN of the card.
+
+ @item delkey
+ @opindex keyedit:delkey
+ Remove a subkey (secondary key). Note that it is not possible to retract
+ a subkey, once it has been send to the public (i.e. to a keyserver). In
+ that case you better use @code{revkey}. Also note that this only
+ deletes the public part of a key.
+
+ @item revkey
+ @opindex keyedit:revkey
+ Revoke a subkey.
+
+ @item expire
+ @opindex keyedit:expire
+ Change the key or subkey expiration time. If a subkey is selected, the
+ expiration time of this subkey will be changed. With no selection, the
+ key expiration of the primary key is changed.
+
+ @item trust
+ @opindex keyedit:trust
+ Change the owner trust value for the key. This updates the trust-db
+ immediately and no save is required.
+
+ @item disable
+ @itemx enable
+ @opindex keyedit:disable
+ @opindex keyedit:enable
+ Disable or enable an entire key. A disabled key can not normally be
+ used for encryption.
+
+ @item addrevoker
+ @opindex keyedit:addrevoker
+ Add a designated revoker to the key. This takes one optional argument:
+ "sensitive". If a designated revoker is marked as sensitive, it will
+ not be exported by default (see export-options).
+
+ @item passwd
+ @opindex keyedit:passwd
+ Change the passphrase of the secret key.
+
+ @item toggle
+ @opindex keyedit:toggle
+ This is dummy command which exists only for backward compatibility.
+
+ @item clean
+ @opindex keyedit:clean
+ Compact (by removing all signatures except the selfsig) any user ID
+ that is no longer usable (e.g. revoked, or expired). Then, remove any
+ signatures that are not usable by the trust calculations.
+ Specifically, this removes any signature that does not validate, any
+ signature that is superseded by a later signature, revoked signatures,
+ and signatures issued by keys that are not present on the keyring.
+
+ @item minimize
+ @opindex keyedit:minimize
+ Make the key as small as possible. This removes all signatures from
+ each user ID except for the most recent self-signature.
+
+ @item change-usage
+ @opindex keyedit:change-usage
+ Change the usage flags (capabilities) of the primary key or of
+ subkeys. These usage flags (e.g. Certify, Sign, Authenticate,
+ Encrypt) are set during key creation. Sometimes it is useful to
+ have the opportunity to change them (for example to add
+ Authenticate) after they have been created. Please take care when
+ doing this; the allowed usage flags depend on the key algorithm.
+
+ @item cross-certify
+ @opindex keyedit:cross-certify
+ Add cross-certification signatures to signing subkeys that may not
+ currently have them. Cross-certification signatures protect against a
+ subtle attack against signing subkeys. See
+ @option{--require-cross-certification}. All new keys generated have
+ this signature by default, so this command is only useful to bring
+ older keys up to date.
+
+ @item save
+ @opindex keyedit:save
+ Save all changes to the keyring and quit.
+
+ @item quit
+ @opindex keyedit:quit
+ Quit the program without updating the
+ keyring.
+@end table
+
+@c man:.RS
+The listing shows you the key with its secondary keys and all user
+IDs. The primary user ID is indicated by a dot, and selected keys or
+user IDs are indicated by an asterisk. The trust
+value is displayed with the primary key: "trust" is the assigned owner
+trust and "validity" is the calculated validity of the key. Validity
+values are also displayed for all user IDs.
+For possible values of trust, @pxref{trust-values}.
+@c man:.RE
+@c ******** End Edit-key Options **********
+
+@item --sign-key @var{name}
+@opindex sign-key
+Signs a public key with your secret key. This is a shortcut version of
+the subcommand "sign" from @option{--edit}.
+
+@item --lsign-key @var{name}
+@opindex lsign-key
+Signs a public key with your secret key but marks it as
+non-exportable. This is a shortcut version of the subcommand "lsign"
+from @option{--edit-key}.
+
+@item --quick-sign-key @var{fpr} [@var{names}]
+@itemx --quick-lsign-key @var{fpr} [@var{names}]
+@opindex quick-sign-key
+@opindex quick-lsign-key
+Directly sign a key from the passphrase without any further user
+interaction. The @var{fpr} must be the verified primary fingerprint
+of a key in the local keyring. If no @var{names} are given, all
+useful user ids are signed; with given [@var{names}] only useful user
+ids matching one of theses names are signed. By default, or if a name
+is prefixed with a '*', a case insensitive substring match is used.
+If a name is prefixed with a '=' a case sensitive exact match is done.
+
+The command @option{--quick-lsign-key} marks the signatures as
+non-exportable. If such a non-exportable signature already exists the
+@option{--quick-sign-key} turns it into a exportable signature. If
+you need to update an existing signature, for example to add or change
+notation data, you need to use the option @option{--force-sign-key}.
+
+This command uses reasonable defaults and thus does not provide the
+full flexibility of the "sign" subcommand from @option{--edit-key}.
+Its intended use is to help unattended key signing by utilizing a list
+of verified fingerprints.
+
+@item --quick-add-uid @var{user-id} @var{new-user-id}
+@opindex quick-add-uid
+This command adds a new user id to an existing key. In contrast to
+the interactive sub-command @code{adduid} of @option{--edit-key} the
+@var{new-user-id} is added verbatim with only leading and trailing
+white space removed, it is expected to be UTF-8 encoded, and no checks
+on its form are applied.
+
+@item --quick-revoke-uid @var{user-id} @var{user-id-to-revoke}
+@opindex quick-revoke-uid
+This command revokes a user ID on an existing key. It cannot be used
+to revoke the last user ID on key (some non-revoked user ID must
+remain), with revocation reason ``User ID is no longer valid''. If
+you want to specify a different revocation reason, or to supply
+supplementary revocation text, you should use the interactive
+sub-command @code{revuid} of @option{--edit-key}.
+
+@item --quick-revoke-sig @var{fpr} @var{signing-fpr} [@var{names}]
+@opindex quick-revoke-sig
+This command revokes the key signatures made by @var{signing-fpr} from
+the key specified by the fingerprint @var{fpr}. With @var{names}
+given only the signatures on user ids of the key matching any of the
+given names are affected (see @option{--quick-sign-key}). If a
+revocation already exists a notice is printed instead of creating a
+new revocation; no error is returned in this case. Note that key
+signature revocations may be superseded by a newer key signature and
+in turn again revoked.
+
+@item --quick-set-primary-uid @var{user-id} @var{primary-user-id}
+@opindex quick-set-primary-uid
+This command sets or updates the primary user ID flag on an existing
+key. @var{user-id} specifies the key and @var{primary-user-id} the
+user ID which shall be flagged as the primary user ID. The primary
+user ID flag is removed from all other user ids and the timestamp of
+all affected self-signatures is set one second ahead.
+
+
+@item --change-passphrase @var{user-id}
+@opindex change-passphrase
+@itemx --passwd @var{user-id}
+@opindex passwd
+Change the passphrase of the secret key belonging to the certificate
+specified as @var{user-id}. This is a shortcut for the sub-command
+@code{passwd} of the edit key menu. When using together with the
+option @option{--dry-run} this will not actually change the passphrase
+but check that the current passphrase is correct.
+
+@end table
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** OPTIONS ****************
+@c *************** ****************
+@c *******************************************
+@mansect options
+@node GPG Options
+@section Option Summary
+
+@command{@gpgname} features a bunch of options to control the exact
+behaviour and to change the default configuration.
+
+@menu
+* GPG Configuration Options:: How to change the configuration.
+* GPG Key related Options:: Key related options.
+* GPG Input and Output:: Input and Output.
+* OpenPGP Options:: OpenPGP protocol specific options.
+* Compliance Options:: Compliance options.
+* GPG Esoteric Options:: Doing things one usually doesn't want to do.
+* Deprecated Options:: Deprecated options.
+@end menu
+
+Long options can be put in an options file (default
+"~/.gnupg/gpg.conf"). Short option names will not work - for example,
+"armor" is a valid option for the options file, while "a" is not. Do not
+write the 2 dashes, but simply the name of the option and any required
+arguments. Lines with a hash ('#') as the first non-white-space
+character are ignored. Commands may be put in this file too, but that is
+not generally useful as the command will execute automatically with
+every execution of gpg.
+
+Please remember that option parsing stops as soon as a non-option is
+encountered, you can explicitly stop parsing by using the special option
+@option{--}.
+
+@c *******************************************
+@c ******** CONFIGURATION OPTIONS **********
+@c *******************************************
+@node GPG Configuration Options
+@subsection How to change the configuration
+
+These options are used to change the configuration and most of them
+are usually found in the option file.
+
+@table @gnupgtabopt
+
+@item --default-key @var{name}
+@opindex default-key
+Use @var{name} as the default key to sign with. If this option is not
+used, the default key is the first key found in the secret keyring.
+Note that @option{-u} or @option{--local-user} overrides this option.
+This option may be given multiple times. In this case, the last key
+for which a secret key is available is used. If there is no secret
+key available for any of the specified values, GnuPG will not emit an
+error message but continue as if this option wasn't given.
+
+@item --default-recipient @var{name}
+@opindex default-recipient
+Use @var{name} as default recipient if option @option{--recipient} is
+not used and don't ask if this is a valid one. @var{name} must be
+non-empty.
+
+@item --default-recipient-self
+@opindex default-recipient-self
+Use the default key as default recipient if option @option{--recipient} is not
+used and don't ask if this is a valid one. The default key is the first
+one from the secret keyring or the one set with @option{--default-key}.
+
+@item --no-default-recipient
+@opindex no-default-recipient
+Reset @option{--default-recipient} and @option{--default-recipient-self}.
+Should not be used in an option file.
+
+@item -v, --verbose
+@opindex verbose
+Give more information during processing. If used
+twice, the input data is listed in detail.
+
+@item --no-verbose
+@opindex no-verbose
+Reset verbose level to 0. Should not be used in an option file.
+
+@item -q, --quiet
+@opindex quiet
+Try to be as quiet as possible. Should not be used in an option file.
+
+@item --batch
+@itemx --no-batch
+@opindex batch
+@opindex no-batch
+Use batch mode. Never ask, do not allow interactive commands.
+@option{--no-batch} disables this option. Note that even with a
+filename given on the command line, gpg might still need to read from
+STDIN (in particular if gpg figures that the input is a
+detached signature and no data file has been specified). Thus if you
+do not want to feed data via STDIN, you should connect STDIN to
+@file{/dev/null}.
+
+It is highly recommended to use this option along with the options
+@option{--status-fd} and @option{--with-colons} for any unattended use of
+@command{gpg}. Should not be used in an option file.
+
+@item --no-tty
+@opindex no-tty
+Make sure that the TTY (terminal) is never used for any output.
+This option is needed in some cases because GnuPG sometimes prints
+warnings to the TTY even if @option{--batch} is used.
+
+@item --yes
+@opindex yes
+Assume "yes" on most questions. Should not be used in an option file.
+
+@item --no
+@opindex no
+Assume "no" on most questions. Should not be used in an option file.
+
+
+@item --list-options @var{parameters}
+@opindex list-options
+This is a space or comma delimited string that gives options used when
+listing keys and signatures (that is, @option{--list-keys},
+@option{--check-signatures}, @option{--list-public-keys},
+@option{--list-secret-keys}, and the @option{--edit-key} functions).
+Options can be prepended with a @option{no-} (after the two dashes) to
+give the opposite meaning. The options are:
+
+@table @asis
+
+ @item show-photos
+ @opindex list-options:show-photos
+ Causes @option{--list-keys}, @option{--check-signatures},
+ @option{--list-public-keys}, and @option{--list-secret-keys} to
+ display any photo IDs attached to the key. Defaults to no. See also
+ @option{--photo-viewer}. Does not work with @option{--with-colons}:
+ see @option{--attribute-fd} for the appropriate way to get photo data
+ for scripts and other frontends.
+
+ @item show-usage
+ @opindex list-options:show-usage
+ Show usage information for keys and subkeys in the standard key
+ listing. This is a list of letters indicating the allowed usage for a
+ key (@code{E}=encryption, @code{S}=signing, @code{C}=certification,
+ @code{A}=authentication). Defaults to yes.
+
+ @item show-policy-urls
+ @opindex list-options:show-policy-urls
+ Show policy URLs in the @option{--check-signatures}
+ listings. Defaults to no.
+
+ @item show-notations
+ @itemx show-std-notations
+ @itemx show-user-notations
+ @opindex list-options:show-notations
+ @opindex list-options:show-std-notations
+ @opindex list-options:show-user-notations
+ Show all, IETF standard, or user-defined signature notations in the
+ @option{--check-signatures} listings. Defaults to no.
+
+ @item show-keyserver-urls
+ @opindex list-options:show-keyserver-urls
+ Show any preferred keyserver URL in the
+ @option{--check-signatures} listings. Defaults to no.
+
+ @item show-uid-validity
+ @opindex list-options:show-uid-validity
+ Display the calculated validity of user IDs during key listings.
+ Defaults to yes.
+
+ @item show-unusable-uids
+ @opindex list-options:show-unusable-uids
+ Show revoked and expired user IDs in key listings. Defaults to no.
+
+ @item show-unusable-subkeys
+ @opindex list-options:show-unusable-subkeys
+ Show revoked and expired subkeys in key listings. Defaults to no.
+
+ @item show-keyring
+ @opindex list-options:show-keyring
+ Display the keyring name at the head of key listings to show which
+ keyring a given key resides on. Defaults to no.
+
+ @item show-sig-expire
+ @opindex list-options:show-sig-expire
+ Show signature expiration dates (if any) during
+ @option{--check-signatures} listings. Defaults to no.
+
+ @item show-sig-subpackets
+ @opindex list-options:show-sig-subpackets
+ Include signature subpackets in the key listing. This option can take an
+ optional argument list of the subpackets to list. If no argument is
+ passed, list all subpackets. Defaults to no. This option is only
+ meaningful when using @option{--with-colons} along with
+ @option{--check-signatures}.
+
+ @item show-only-fpr-mbox
+ @opindex list-options:show-only-fpr-mbox
+ For each user-id which has a valid mail address print
+ only the fingerprint followed by the mail address.
+@end table
+
+@item --verify-options @var{parameters}
+@opindex verify-options
+This is a space or comma delimited string that gives options used when
+verifying signatures. Options can be prepended with a `no-' to give
+the opposite meaning. The options are:
+
+@table @asis
+
+ @item show-photos
+ @opindex verify-options:show-photos
+ Display any photo IDs present on the key that issued the signature.
+ Defaults to no. See also @option{--photo-viewer}.
+
+ @item show-policy-urls
+ @opindex verify-options:show-policy-urls
+ Show policy URLs in the signature being verified. Defaults to yes.
+
+ @item show-notations
+ @itemx show-std-notations
+ @itemx show-user-notations
+ @opindex verify-options:show-notations
+ @opindex verify-options:show-std-notations
+ @opindex verify-options:show-user-notations
+ Show all, IETF standard, or user-defined signature notations in the
+ signature being verified. Defaults to IETF standard.
+
+ @item show-keyserver-urls
+ @opindex verify-options:show-keyserver-urls
+ Show any preferred keyserver URL in the signature being verified.
+ Defaults to yes.
+
+ @item show-uid-validity
+ @opindex verify-options:show-uid-validity
+ Display the calculated validity of the user IDs on the key that issued
+ the signature. Defaults to yes.
+
+ @item show-unusable-uids
+ @opindex verify-options:show-unusable-uids
+ Show revoked and expired user IDs during signature verification.
+ Defaults to no.
+
+ @item show-primary-uid-only
+ @opindex verify-options:show-primary-uid-only
+ Show only the primary user ID during signature verification. That is
+ all the AKA lines as well as photo Ids are not shown with the signature
+ verification status.
+
+ @item pka-lookups
+ @opindex verify-options:pka-lookups
+ Enable PKA lookups to verify sender addresses. Note that PKA is based
+ on DNS, and so enabling this option may disclose information on when
+ and what signatures are verified or to whom data is encrypted. This
+ is similar to the "web bug" described for the @option{--auto-key-retrieve}
+ option.
+
+ @item pka-trust-increase
+ @opindex verify-options:pka-trust-increase
+ Raise the trust in a signature to full if the signature passes PKA
+ validation. This option is only meaningful if pka-lookups is set.
+@end table
+
+@item --enable-large-rsa
+@itemx --disable-large-rsa
+@opindex enable-large-rsa
+@opindex disable-large-rsa
+With --generate-key and --batch, enable the creation of RSA secret keys as
+large as 8192 bit. Note: 8192 bit is more than is generally
+recommended. These large keys don't significantly improve security,
+but they are more expensive to use, and their signatures and
+certifications are larger. This option is only available if the
+binary was build with large-secmem support.
+
+@item --enable-dsa2
+@itemx --disable-dsa2
+@opindex enable-dsa2
+@opindex disable-dsa2
+Enable hash truncation for all DSA keys even for old DSA Keys up to
+1024 bit. This is also the default with @option{--openpgp}. Note
+that older versions of GnuPG also required this flag to allow the
+generation of DSA larger than 1024 bit.
+
+@item --photo-viewer @var{string}
+@opindex photo-viewer
+This is the command line that should be run to view a photo ID. "%i"
+will be expanded to a filename containing the photo. "%I" does the
+same, except the file will not be deleted once the viewer exits.
+Other flags are "%k" for the key ID, "%K" for the long key ID, "%f"
+for the key fingerprint, "%t" for the extension of the image type
+(e.g. "jpg"), "%T" for the MIME type of the image (e.g. "image/jpeg"),
+"%v" for the single-character calculated validity of the image being
+viewed (e.g. "f"), "%V" for the calculated validity as a string (e.g.
+"full"), "%U" for a base32 encoded hash of the user ID,
+and "%%" for an actual percent sign. If neither %i or %I are present,
+then the photo will be supplied to the viewer on standard input.
+
+On Unix the default viewer is
+@code{xloadimage -fork -quiet -title 'KeyID 0x%k' STDIN}
+with a fallback to
+@code{display -title 'KeyID 0x%k' %i}
+and finally to
+@code{xdg-open %i}.
+On Windows
+@code{!ShellExecute 400 %i} is used; here the command is a meta
+command to use that API call followed by a wait time in milliseconds
+which is used to give the viewer time to read the temporary image file
+before gpg deletes it again. Note that if your image viewer program
+is not secure, then executing it from gpg does not make it secure.
+
+@item --exec-path @var{string}
+@opindex exec-path
+@efindex PATH
+Sets a list of directories to search for photo viewers If not provided
+photo viewers use the @code{PATH} environment variable.
+
+@item --keyring @var{file}
+@opindex keyring
+Add @var{file} to the current list of keyrings. If @var{file} begins
+with a tilde and a slash, these are replaced by the $HOME directory. If
+the filename does not contain a slash, it is assumed to be in the GnuPG
+home directory ("~/.gnupg" unless @option{--homedir} or $GNUPGHOME is
+used).
+
+Note that this adds a keyring to the current list. If the intent is to
+use the specified keyring alone, use @option{--keyring} along with
+@option{--no-default-keyring}.
+
+If the option @option{--no-keyring} has been used no keyrings will
+be used at all.
+
+@item --primary-keyring @var{file}
+@opindex primary-keyring
+This is a varian of @option{--keyring} and designates @var{file} as
+the primary public keyring. This means that newly imported keys (via
+@option{--import} or keyserver @option{--recv-from}) will go to this
+keyring.
+
+
+@item --secret-keyring @var{file}
+@opindex secret-keyring
+This is an obsolete option and ignored. All secret keys are stored in
+the @file{private-keys-v1.d} directory below the GnuPG home directory.
+
+@item --trustdb-name @var{file}
+@opindex trustdb-name
+Use @var{file} instead of the default trustdb. If @var{file} begins
+with a tilde and a slash, these are replaced by the $HOME directory. If
+the filename does not contain a slash, it is assumed to be in the GnuPG
+home directory (@file{~/.gnupg} if @option{--homedir} or $GNUPGHOME is
+not used).
+
+@include opt-homedir.texi
+
+
+@item --display-charset @var{name}
+@opindex display-charset
+Set the name of the native character set. This is used to convert some
+informational strings like user IDs to the proper UTF-8 encoding.
+Note that this has nothing to do with the character set of data to be
+encrypted or signed; GnuPG does not recode user-supplied data. If this
+option is not used, the default character set is determined from the
+current locale. A verbosity level of 3 shows the chosen set. This
+option should not be used on Windows. Valid values for @var{name}
+are:
+
+@table @asis
+
+ @item iso-8859-1
+ @opindex display-charset:iso-8859-1
+ This is the Latin 1 set.
+
+ @item iso-8859-2
+ @opindex display-charset:iso-8859-2
+ The Latin 2 set.
+
+ @item iso-8859-15
+ @opindex display-charset:iso-8859-15
+ This is currently an alias for
+ the Latin 1 set.
+
+ @item koi8-r
+ @opindex display-charset:koi8-r
+ The usual Russian set (RFC-1489).
+
+ @item utf-8
+ @opindex display-charset:utf-8
+ Bypass all translations and assume
+ that the OS uses native UTF-8 encoding.
+@end table
+
+@item --utf8-strings
+@itemx --no-utf8-strings
+@opindex utf8-strings
+Assume that command line arguments are given as UTF-8 strings. The
+default (@option{--no-utf8-strings}) is to assume that arguments are
+encoded in the character set as specified by
+@option{--display-charset}. These options affect all following
+arguments. Both options may be used multiple times.
+This option should not be used in an option file.
+
+This option has no effect on Windows. There the internal used UTF-8
+encoding is translated for console input and output. The command line
+arguments are expected as Unicode and translated to UTF-8. Thus when
+calling this program from another, make sure to use the Unicode
+version of CreateProcess.
+
+@anchor{gpg-option --options}
+@item --options @var{file}
+@opindex options
+Read options from @var{file} and do not try to read them from the
+default options file in the homedir (see @option{--homedir}). This
+option is ignored if used in an options file.
+
+@item --no-options
+@opindex no-options
+Shortcut for @option{--options /dev/null}. This option is detected
+before an attempt to open an option file. Using this option will also
+prevent the creation of a @file{~/.gnupg} homedir.
+
+@item -z @var{n}
+@itemx --compress-level @var{n}
+@itemx --bzip2-compress-level @var{n}
+@opindex compress-level
+@opindex bzip2-compress-level
+Set compression level to @var{n} for the ZIP and ZLIB compression
+algorithms. The default is to use the default compression level of zlib
+(normally 6). @option{--bzip2-compress-level} sets the compression level
+for the BZIP2 compression algorithm (defaulting to 6 as well). This is a
+different option from @option{--compress-level} since BZIP2 uses a
+significant amount of memory for each additional compression level.
+@option{-z} sets both. A value of 0 for @var{n} disables compression.
+
+@item --bzip2-decompress-lowmem
+@opindex bzip2-decompress-lowmem
+Use a different decompression method for BZIP2 compressed files. This
+alternate method uses a bit more than half the memory, but also runs
+at half the speed. This is useful under extreme low memory
+circumstances when the file was originally compressed at a high
+@option{--bzip2-compress-level}.
+
+
+@item --mangle-dos-filenames
+@itemx --no-mangle-dos-filenames
+@opindex mangle-dos-filenames
+@opindex no-mangle-dos-filenames
+Older version of Windows cannot handle filenames with more than one
+dot. @option{--mangle-dos-filenames} causes GnuPG to replace (rather
+than add to) the extension of an output filename to avoid this
+problem. This option is off by default and has no effect on non-Windows
+platforms.
+
+@item --ask-cert-level
+@itemx --no-ask-cert-level
+@opindex ask-cert-level
+When making a key signature, prompt for a certification level. If this
+option is not specified, the certification level used is set via
+@option{--default-cert-level}. See @option{--default-cert-level} for
+information on the specific levels and how they are
+used. @option{--no-ask-cert-level} disables this option. This option
+defaults to no.
+
+@item --default-cert-level @var{n}
+@opindex default-cert-level
+The default to use for the check level when signing a key.
+
+0 means you make no particular claim as to how carefully you verified
+the key.
+
+1 means you believe the key is owned by the person who claims to own
+it but you could not, or did not verify the key at all. This is
+useful for a "persona" verification, where you sign the key of a
+pseudonymous user.
+
+2 means you did casual verification of the key. For example, this
+could mean that you verified the key fingerprint and checked the
+user ID on the key against a photo ID.
+
+3 means you did extensive verification of the key. For example, this
+could mean that you verified the key fingerprint with the owner of the
+key in person, and that you checked, by means of a hard to forge
+document with a photo ID (such as a passport) that the name of the key
+owner matches the name in the user ID on the key, and finally that you
+verified (by exchange of email) that the email address on the key
+belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are just that:
+examples. In the end, it is up to you to decide just what "casual"
+and "extensive" mean to you.
+
+This option defaults to 0 (no particular claim).
+
+@item --min-cert-level
+@opindex min-cert-level
+When building the trust database, treat any signatures with a
+certification level below this as invalid. Defaults to 2, which
+disregards level 1 signatures. Note that level 0 "no particular
+claim" signatures are always accepted.
+
+@item --trusted-key @var{long key ID or fingerprint}
+@opindex trusted-key
+Assume that the specified key (which should be given as fingerprint)
+is as trustworthy as one of your own secret keys. This option is
+useful if you don't want to keep your secret keys (or one of them)
+online but still want to be able to check the validity of a given
+recipient's or signator's key. If the given key is not locally
+available but an LDAP keyserver is configured the missing key is
+imported from that server.
+
+@item --trust-model @{pgp|classic|tofu|tofu+pgp|direct|always|auto@}
+@opindex trust-model
+Set what trust model GnuPG should follow. The models are:
+
+@table @asis
+
+ @item pgp
+ @opindex trust-model:pgp
+ This is the Web of Trust combined with trust signatures as used in PGP
+ 5.x and later. This is the default trust model when creating a new
+ trust database.
+
+ @item classic
+ @opindex trust-model:classic
+ This is the standard Web of Trust as introduced by PGP 2.
+
+ @item tofu
+ @opindex trust-model:tofu
+ @anchor{trust-model-tofu}
+ TOFU stands for Trust On First Use. In this trust model, the first
+ time a key is seen, it is memorized. If later another key with a
+ user id with the same email address is seen, both keys are marked as
+ suspect. In that case, the next time either is used, a warning is
+ displayed describing the conflict, why it might have occurred
+ (either the user generated a new key and failed to cross sign the
+ old and new keys, the key is forgery, or a man-in-the-middle attack
+ is being attempted), and the user is prompted to manually confirm
+ the validity of the key in question.
+
+ Because a potential attacker is able to control the email address
+ and thereby circumvent the conflict detection algorithm by using an
+ email address that is similar in appearance to a trusted email
+ address, whenever a message is verified, statistics about the number
+ of messages signed with the key are shown. In this way, a user can
+ easily identify attacks using fake keys for regular correspondents.
+
+ When compared with the Web of Trust, TOFU offers significantly
+ weaker security guarantees. In particular, TOFU only helps ensure
+ consistency (that is, that the binding between a key and email
+ address doesn't change). A major advantage of TOFU is that it
+ requires little maintenance to use correctly. To use the web of
+ trust properly, you need to actively sign keys and mark users as
+ trusted introducers. This is a time-consuming process and anecdotal
+ evidence suggests that even security-conscious users rarely take the
+ time to do this thoroughly and instead rely on an ad-hoc TOFU
+ process.
+
+ In the TOFU model, policies are associated with bindings between
+ keys and email addresses (which are extracted from user ids and
+ normalized). There are five policies, which can be set manually
+ using the @option{--tofu-policy} option. The default policy can be
+ set using the @option{--tofu-default-policy} option.
+
+ The TOFU policies are: @code{auto}, @code{good}, @code{unknown},
+ @code{bad} and @code{ask}. The @code{auto} policy is used by
+ default (unless overridden by @option{--tofu-default-policy}) and
+ marks a binding as marginally trusted. The @code{good},
+ @code{unknown} and @code{bad} policies mark a binding as fully
+ trusted, as having unknown trust or as having trust never,
+ respectively. The @code{unknown} policy is useful for just using
+ TOFU to detect conflicts, but to never assign positive trust to a
+ binding. The final policy, @code{ask} prompts the user to indicate
+ the binding's trust. If batch mode is enabled (or input is
+ inappropriate in the context), then the user is not prompted and the
+ @code{undefined} trust level is returned.
+
+ @item tofu+pgp
+ @opindex trust-model:tofu+pgp
+ This trust model combines TOFU with the Web of Trust. This is done
+ by computing the trust level for each model and then taking the
+ maximum trust level where the trust levels are ordered as follows:
+ @code{unknown < undefined < marginal < fully < ultimate < expired <
+ never}.
+
+ By setting @option{--tofu-default-policy=unknown}, this model can be
+ used to implement the web of trust with TOFU's conflict detection
+ algorithm, but without its assignment of positive trust values,
+ which some security-conscious users don't like.
+
+ @item direct
+ @opindex trust-model:direct
+ Key validity is set directly by the user and not calculated via the
+ Web of Trust. This model is solely based on the key and does
+ not distinguish user IDs. Note that when changing to another trust
+ model the trust values assigned to a key are transformed into
+ ownertrust values, which also indicate how you trust the owner of
+ the key to sign other keys.
+
+ @item always
+ @opindex trust-model:always
+ Skip key validation and assume that used keys are always fully
+ valid. You generally won't use this unless you are using some
+ external validation scheme. This option also suppresses the
+ "[uncertain]" tag printed with signature checks when there is no
+ evidence that the user ID is bound to the key. Note that this
+ trust model still does not allow the use of expired, revoked, or
+ disabled keys.
+
+ @item auto
+ @opindex trust-model:auto
+ Select the trust model depending on whatever the internal trust
+ database says. This is the default model if such a database already
+ exists. Note that a tofu trust model is not considered here and
+ must be enabled explicitly.
+@end table
+
+@item --auto-key-locate @var{mechanisms}
+@itemx --no-auto-key-locate
+@opindex auto-key-locate
+GnuPG can automatically locate and retrieve keys as needed using this
+option. This happens when encrypting to an email address (in the
+"user@@example.com" form), and there are no "user@@example.com" keys
+on the local keyring. This option takes any number of the mechanisms
+listed below, in the order they are to be tried. Instead of listing
+the mechanisms as comma delimited arguments, the option may also be
+given several times to add more mechanism. The option
+@option{--no-auto-key-locate} or the mechanism "clear" resets the
+list. The default is "local,wkd".
+
+@table @asis
+
+ @item cert
+ Locate a key using DNS CERT, as specified in RFC-4398.
+
+ @item pka
+ Locate a key using DNS PKA.
+
+ @item dane
+ Locate a key using DANE, as specified
+ in draft-ietf-dane-openpgpkey-05.txt.
+
+ @item wkd
+ Locate a key using the Web Key Directory protocol.
+
+ @item ldap
+ Using DNS Service Discovery, check the domain in question for any LDAP
+ keyservers to use. If this fails, attempt to locate the key using the
+ PGP Universal method of checking @samp{ldap://keys.(thedomain)}.
+
+ @item ntds
+ Locate the key using the Active Directory (Windows only). This
+ method also allows to search by fingerprint using the command
+ @option{--locate-external-key}. Note that this mechanism is
+ actually a shortcut for the mechanism @samp{keyserver} but using
+ "ldap:///" as the keyserver.
+
+ @item keyserver
+ Locate a key using a keyserver. This method also allows to search
+ by fingerprint using the command @option{--locate-external-key} if
+ any of the configured keyservers is an LDAP server.
+
+ @item keyserver-URL
+ In addition, a keyserver URL as used in the @command{dirmngr}
+ configuration may be used here to query that particular keyserver.
+ This method also allows to search by fingerprint using the command
+ @option{--locate-external-key} if the URL specifies an LDAP server.
+
+ @item local
+ Locate the key using the local keyrings. This mechanism allows the user to
+ select the order a local key lookup is done. Thus using
+ @samp{--auto-key-locate local} is identical to
+ @option{--no-auto-key-locate}.
+
+ @item nodefault
+ This flag disables the standard local key lookup, done before any of the
+ mechanisms defined by the @option{--auto-key-locate} are tried. The
+ position of this mechanism in the list does not matter. It is not
+ required if @code{local} is also used.
+
+ @item clear
+ Clear all defined mechanisms. This is useful to override
+ mechanisms given in a config file. Note that a @code{nodefault} in
+ @var{mechanisms} will also be cleared unless it is given after the
+ @code{clear}.
+
+@end table
+
+
+@item --auto-key-import
+@itemx --no-auto-key-import
+@opindex auto-key-import
+@opindex no-auto-key-import
+This is an offline mechanism to get a missing key for signature
+verification and for later encryption to this key. If this option is
+enabled and a signature includes an embedded key, that key is
+used to verify the signature and on verification success that key is
+imported. The default is @option{--no-auto-key-import}.
+
+On the sender (signing) site the option @option{--include-key-block}
+needs to be used to put the public part of the signing key as “Key
+Block subpacket†into the signature.
+
+@item --auto-key-retrieve
+@itemx --no-auto-key-retrieve
+@opindex auto-key-retrieve
+@opindex no-auto-key-retrieve
+These options enable or disable the automatic retrieving of keys from
+a keyserver when verifying signatures made by keys that are not on the
+local keyring. The default is @option{--no-auto-key-retrieve}.
+
+The order of methods tried to lookup the key is:
+
+1. If the option @option{--auto-key-import} is set and the signatures
+includes an embedded key, that key is used to verify the
+signature and on verification success that key is imported.
+
+2. If a preferred keyserver is specified in the signature and the
+option @option{honor-keyserver-url} is active (which is not the
+default), that keyserver is tried. Note that the creator of the
+signature uses the option @option{--sig-keyserver-url} to specify the
+preferred keyserver for data signatures.
+
+3. If the signature has the Signer's UID set (e.g. using
+@option{--sender} while creating the signature) a Web Key Directory
+(WKD) lookup is done. This is the default configuration but can be
+disabled by removing WKD from the auto-key-locate list or by using the
+option @option{--disable-signer-uid}.
+
+4. If the option @option{honor-pka-record} is active, the legacy PKA
+method is used.
+
+5. If any keyserver is configured and the Issuer Fingerprint is part
+of the signature (since GnuPG 2.1.16), the configured keyservers are
+tried.
+
+Note that this option makes a "web bug" like behavior possible.
+Keyserver or Web Key Directory operators can see which keys you
+request, so by sending you a message signed by a brand new key (which
+you naturally will not have on your local keyring), the operator can
+tell both your IP address and the time when you verified the
+signature.
+
+@item --keyid-format @{none|short|0xshort|long|0xlong@}
+@opindex keyid-format
+Select how to display key IDs. "none" does not show the key ID at all
+but shows the fingerprint in a separate line. "short" is the
+traditional 8-character key ID. "long" is the more accurate (but less
+convenient) 16-character key ID. Add an "0x" to either to include an
+"0x" at the beginning of the key ID, as in 0x99242560. Note that this
+option is ignored if the option @option{--with-colons} is used.
+
+@item --keyserver @var{name}
+@opindex keyserver
+This option is deprecated - please use the @option{--keyserver} in
+@file{dirmngr.conf} instead.
+
+Use @var{name} as your keyserver. This is the server that
+@option{--receive-keys}, @option{--send-keys}, and @option{--search-keys}
+will communicate with to receive keys from, send keys to, and search for
+keys on. The format of the @var{name} is a URI:
+`scheme:[//]keyservername[:port]' The scheme is the type of keyserver:
+"hkp"/"hkps" for the HTTP (or compatible) keyservers or "ldap"/"ldaps"
+for the LDAP keyservers. Note that your particular installation of
+GnuPG may have other keyserver types available as well. Keyserver
+schemes are case-insensitive.
+
+Most keyservers synchronize with each other, so there is generally no
+need to send keys to more than one server. The keyserver
+@code{hkp://keys.gnupg.net} uses round robin DNS to give a different
+keyserver each time you use it.
+
+@item --keyserver-options @{@var{name}=@var{value}@}
+@opindex keyserver-options
+This is a space or comma delimited string that gives options for the
+keyserver. Options can be prefixed with a `no-' to give the opposite
+meaning. Valid import-options or export-options may be used here as
+well to apply to importing (@option{--recv-key}) or exporting
+(@option{--send-key}) a key from a keyserver. While not all options
+are available for all keyserver types, some common options are:
+
+@table @asis
+
+ @item include-revoked
+ When searching for a key with @option{--search-keys}, include keys that
+ are marked on the keyserver as revoked. Note that not all keyservers
+ differentiate between revoked and unrevoked keys, and for such
+ keyservers this option is meaningless. Note also that most keyservers do
+ not have cryptographic verification of key revocations, and so turning
+ this option off may result in skipping keys that are incorrectly marked
+ as revoked.
+
+ @item include-disabled
+ When searching for a key with @option{--search-keys}, include keys that
+ are marked on the keyserver as disabled. Note that this option is not
+ used with HKP keyservers.
+
+ @item auto-key-retrieve
+ This is an obsolete alias for the option @option{auto-key-retrieve}.
+ Please do not use it; it will be removed in future versions..
+
+ @item honor-keyserver-url
+ When using @option{--refresh-keys}, if the key in question has a preferred
+ keyserver URL, then use that preferred keyserver to refresh the key
+ from. In addition, if auto-key-retrieve is set, and the signature
+ being verified has a preferred keyserver URL, then use that preferred
+ keyserver to fetch the key from. Note that this option introduces a
+ "web bug": The creator of the key can see when the keys is
+ refreshed. Thus this option is not enabled by default.
+
+ @item honor-pka-record
+ If @option{--auto-key-retrieve} is used, and the signature being
+ verified has a PKA record, then use the PKA information to fetch
+ the key. Defaults to "yes".
+
+ @item include-subkeys
+ When receiving a key, include subkeys as potential targets. Note that
+ this option is not used with HKP keyservers, as they do not support
+ retrieving keys by subkey id.
+
+ @item timeout
+ @itemx http-proxy=@var{value}
+ @itemx verbose
+ @itemx debug
+ @itemx check-cert
+ @item ca-cert-file
+ These options have no more function since GnuPG 2.1. Use the
+ @code{dirmngr} configuration options instead.
+
+@end table
+
+The default list of options is: "self-sigs-only, import-clean,
+repair-keys, repair-pks-subkey-bug, export-attributes,
+honor-pka-record". However, if
+the actual used source is an LDAP server "no-self-sigs-only" is
+assumed unless "self-sigs-only" has been explictly configured.
+
+
+@item --completes-needed @var{n}
+@opindex compliant-needed
+Number of completely trusted users to introduce a new
+key signer (defaults to 1).
+
+@item --marginals-needed @var{n}
+@opindex marginals-needed
+Number of marginally trusted users to introduce a new
+key signer (defaults to 3)
+
+@item --tofu-default-policy @{auto|good|unknown|bad|ask@}
+@opindex tofu-default-policy
+The default TOFU policy (defaults to @code{auto}). For more
+information about the meaning of this option, @pxref{trust-model-tofu}.
+
+@item --max-cert-depth @var{n}
+@opindex max-cert-depth
+Maximum depth of a certification chain (default is 5).
+
+@item --no-sig-cache
+@opindex no-sig-cache
+Do not cache the verification status of key signatures.
+Caching gives a much better performance in key listings. However, if
+you suspect that your public keyring is not safe against write
+modifications, you can use this option to disable the caching. It
+probably does not make sense to disable it because all kind of damage
+can be done if someone else has write access to your public keyring.
+
+@item --auto-check-trustdb
+@itemx --no-auto-check-trustdb
+@opindex auto-check-trustdb
+If GnuPG feels that its information about the Web of Trust has to be
+updated, it automatically runs the @option{--check-trustdb} command
+internally. This may be a time consuming
+process. @option{--no-auto-check-trustdb} disables this option.
+
+@item --use-agent
+@itemx --no-use-agent
+@opindex use-agent
+This is dummy option. @command{@gpgname} always requires the agent.
+
+@item --gpg-agent-info
+@opindex gpg-agent-info
+This is dummy option. It has no effect when used with @command{@gpgname}.
+
+
+@item --agent-program @var{file}
+@opindex agent-program
+Specify an agent program to be used for secret key operations. The
+default value is determined by running @command{gpgconf} with the
+option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
+used for a regression test suite hack and may thus not be used in the
+file name.
+
+@item --dirmngr-program @var{file}
+@opindex dirmngr-program
+Specify a dirmngr program to be used for keyserver access. The
+default value is @file{@value{BINDIR}/dirmngr}.
+
+@item --disable-dirmngr
+Entirely disable the use of the Dirmngr.
+
+@item --no-autostart
+@opindex no-autostart
+Do not start the gpg-agent or the dirmngr if it has not yet been
+started and its service is required. This option is mostly useful on
+machines where the connection to gpg-agent has been redirected to
+another machines. If dirmngr is required on the remote machine, it
+may be started manually using @command{gpgconf --launch dirmngr}.
+
+@item --lock-once
+@opindex lock-once
+Lock the databases the first time a lock is requested
+and do not release the lock until the process
+terminates.
+
+@item --lock-multiple
+@opindex lock-multiple
+Release the locks every time a lock is no longer
+needed. Use this to override a previous @option{--lock-once}
+from a config file.
+
+@item --lock-never
+@opindex lock-never
+Disable locking entirely. This option should be used only in very
+special environments, where it can be assured that only one process
+is accessing those files. A bootable floppy with a stand-alone
+encryption system will probably use this. Improper usage of this
+option may lead to data and key corruption.
+
+@item --exit-on-status-write-error
+@opindex exit-on-status-write-error
+This option will cause write errors on the status FD to immediately
+terminate the process. That should in fact be the default but it never
+worked this way and thus we need an option to enable this, so that the
+change won't break applications which close their end of a status fd
+connected pipe too early. Using this option along with
+@option{--enable-progress-filter} may be used to cleanly cancel long
+running gpg operations.
+
+@item --limit-card-insert-tries @var{n}
+@opindex limit-card-insert-tries
+With @var{n} greater than 0 the number of prompts asking to insert a
+smartcard gets limited to N-1. Thus with a value of 1 gpg won't at
+all ask to insert a card if none has been inserted at startup. This
+option is useful in the configuration file in case an application does
+not know about the smartcard support and waits ad infinitum for an
+inserted card.
+
+@item --no-random-seed-file
+@opindex no-random-seed-file
+GnuPG uses a file to store its internal random pool over invocations.
+This makes random generation faster; however sometimes write operations
+are not desired. This option can be used to achieve that with the cost of
+slower random generation.
+
+@item --no-greeting
+@opindex no-greeting
+Suppress the initial copyright message.
+
+@item --no-secmem-warning
+@opindex no-secmem-warning
+Suppress the warning about "using insecure memory".
+
+@item --no-permission-warning
+@opindex permission-warning
+Suppress the warning about unsafe file and home directory (@option{--homedir})
+permissions. Note that the permission checks that GnuPG performs are
+not intended to be authoritative, but rather they simply warn about
+certain common permission problems. Do not assume that the lack of a
+warning means that your system is secure.
+
+Note that the warning for unsafe @option{--homedir} permissions cannot be
+suppressed in the gpg.conf file, as this would allow an attacker to
+place an unsafe gpg.conf file in place, and use this file to suppress
+warnings about itself. The @option{--homedir} permissions warning may only be
+suppressed on the command line.
+
+@item --require-secmem
+@itemx --no-require-secmem
+@opindex require-secmem
+Refuse to run if GnuPG cannot get secure memory. Defaults to no
+(i.e. run, but give a warning).
+
+
+@item --require-cross-certification
+@itemx --no-require-cross-certification
+@opindex require-cross-certification
+When verifying a signature made from a subkey, ensure that the cross
+certification "back signature" on the subkey is present and valid. This
+protects against a subtle attack against subkeys that can sign.
+Defaults to @option{--require-cross-certification} for
+@command{@gpgname}.
+
+@item --expert
+@itemx --no-expert
+@opindex expert
+Allow the user to do certain nonsensical or "silly" things like
+signing an expired or revoked key, or certain potentially incompatible
+things like generating unusual key types. This also disables certain
+warning messages about potentially incompatible actions. As the name
+implies, this option is for experts only. If you don't fully
+understand the implications of what it allows you to do, leave this
+off. @option{--no-expert} disables this option.
+
+@end table
+
+
+@c *******************************************
+@c ******** KEY RELATED OPTIONS ************
+@c *******************************************
+@node GPG Key related Options
+@subsection Key related options
+
+@table @gnupgtabopt
+
+@item --recipient @var{name}
+@itemx -r
+@opindex recipient
+Encrypt for user id @var{name}. If this option or
+@option{--hidden-recipient} is not specified, GnuPG asks for the user-id
+unless @option{--default-recipient} is given.
+
+@item --hidden-recipient @var{name}
+@itemx -R
+@opindex hidden-recipient
+Encrypt for user ID @var{name}, but hide the key ID of this user's
+key. This option helps to hide the receiver of the message and is a
+limited countermeasure against traffic analysis. If this option or
+@option{--recipient} is not specified, GnuPG asks for the user ID unless
+@option{--default-recipient} is given.
+
+@item --recipient-file @var{file}
+@itemx -f
+@opindex recipient-file
+This option is similar to @option{--recipient} except that it
+encrypts to a key stored in the given file. @var{file} must be the
+name of a file containing exactly one key. @command{@gpgname} assumes that
+the key in this file is fully valid.
+
+@item --hidden-recipient-file @var{file}
+@itemx -F
+@opindex hidden-recipient-file
+This option is similar to @option{--hidden-recipient} except that it
+encrypts to a key stored in the given file. @var{file} must be the
+name of a file containing exactly one key. @command{@gpgname} assumes that
+the key in this file is fully valid.
+
+@item --encrypt-to @var{name}
+@opindex encrypt-to
+Same as @option{--recipient} but this one is intended for use in the
+options file and may be used with your own user-id as an
+"encrypt-to-self". These keys are only used when there are other
+recipients given either by use of @option{--recipient} or by the asked
+user id. No trust checking is performed for these user ids and even
+disabled keys can be used.
+
+@item --hidden-encrypt-to @var{name}
+@opindex hidden-encrypt-to
+Same as @option{--hidden-recipient} but this one is intended for use in the
+options file and may be used with your own user-id as a hidden
+"encrypt-to-self". These keys are only used when there are other
+recipients given either by use of @option{--recipient} or by the asked user id.
+No trust checking is performed for these user ids and even disabled
+keys can be used.
+
+@item --no-encrypt-to
+@opindex no-encrypt-to
+Disable the use of all @option{--encrypt-to} and
+@option{--hidden-encrypt-to} keys.
+
+@item --group @{@var{name}=@var{value}@}
+@opindex group
+Sets up a named group, which is similar to aliases in email programs.
+Any time the group name is a recipient (@option{-r} or
+@option{--recipient}), it will be expanded to the values
+specified. Multiple groups with the same name are automatically merged
+into a single group.
+
+The values are @code{key IDs} or fingerprints, but any key description
+is accepted. Note that a value with spaces in it will be treated as
+two different values. Note also there is only one level of expansion
+--- you cannot make an group that points to another group. When used
+from the command line, it may be necessary to quote the argument to
+this option to prevent the shell from treating it as multiple
+arguments.
+
+@item --ungroup @var{name}
+@opindex ungroup
+Remove a given entry from the @option{--group} list.
+
+@item --no-groups
+@opindex no-groups
+Remove all entries from the @option{--group} list.
+
+@item --local-user @var{name}
+@itemx -u
+@opindex local-user
+Use @var{name} as the key to sign with. Note that this option overrides
+@option{--default-key}.
+
+@item --sender @var{mbox}
+@opindex sender
+This option has two purposes. @var{mbox} must either be a complete
+user id with a proper mail address or just a mail address. When
+creating a signature this option tells gpg the user id of a key used
+to make a signature if the key was not directly specified by a user
+id. When verifying a signature the @var{mbox} is used to restrict the
+information printed by the TOFU code to matching user ids.
+
+@item --try-secret-key @var{name}
+@opindex try-secret-key
+For hidden recipients GPG needs to know the keys to use for trial
+decryption. The key set with @option{--default-key} is always tried
+first, but this is often not sufficient. This option allows setting more
+keys to be used for trial decryption. Although any valid user-id
+specification may be used for @var{name} it makes sense to use at least
+the long keyid to avoid ambiguities. Note that gpg-agent might pop up a
+pinentry for a lot keys to do the trial decryption. If you want to stop
+all further trial decryption you may use close-window button instead of
+the cancel button.
+
+@item --try-all-secrets
+@opindex try-all-secrets
+Don't look at the key ID as stored in the message but try all secret
+keys in turn to find the right decryption key. This option forces the
+behaviour as used by anonymous recipients (created by using
+@option{--throw-keyids} or @option{--hidden-recipient}) and might come
+handy in case where an encrypted message contains a bogus key ID.
+
+@item --skip-hidden-recipients
+@itemx --no-skip-hidden-recipients
+@opindex skip-hidden-recipients
+@opindex no-skip-hidden-recipients
+During decryption skip all anonymous recipients. This option helps in
+the case that people use the hidden recipients feature to hide their
+own encrypt-to key from others. If one has many secret keys this
+may lead to a major annoyance because all keys are tried in turn to
+decrypt something which was not really intended for it. The drawback
+of this option is that it is currently not possible to decrypt a
+message which includes real anonymous recipients.
+
+
+@end table
+
+@c *******************************************
+@c ******** INPUT AND OUTPUT ***************
+@c *******************************************
+@node GPG Input and Output
+@subsection Input and Output
+
+@table @gnupgtabopt
+
+@item --armor
+@itemx -a
+@opindex armor
+Create ASCII armored output. The default is to create the binary
+OpenPGP format.
+
+@item --no-armor
+@opindex no-armor
+Assume the input data is not in ASCII armored format.
+
+@item --output @var{file}
+@itemx -o @var{file}
+@opindex output
+Write output to @var{file}. To write to stdout use @code{-} as the
+filename.
+
+@item --max-output @var{n}
+@opindex max-output
+This option sets a limit on the number of bytes that will be generated
+when processing a file. Since OpenPGP supports various levels of
+compression, it is possible that the plaintext of a given message may be
+significantly larger than the original OpenPGP message. While GnuPG
+works properly with such messages, there is often a desire to set a
+maximum file size that will be generated before processing is forced to
+stop by the OS limits. Defaults to 0, which means "no limit".
+
+@item --input-size-hint @var{n}
+@opindex input-size-hint
+This option can be used to tell GPG the size of the input data in
+bytes. @var{n} must be a positive base-10 number. This option is
+only useful if the input is not taken from a file. GPG may use this
+hint to optimize its buffer allocation strategy. It is also used by
+the @option{--status-fd} line ``PROGRESS'' to provide a value for
+``total'' if that is not available by other means.
+
+@item --key-origin @var{string}[,@var{url}]
+@opindex key-origin
+gpg can track the origin of a key. Certain origins are implicitly
+known (e.g. keyserver, web key directory) and set. For a standard
+import the origin of the keys imported can be set with this option.
+To list the possible values use "help" for @var{string}. Some origins
+can store an optional @var{url} argument. That URL can appended to
+@var{string} after a comma.
+
+@item --import-options @var{parameters}
+@opindex import-options
+This is a space or comma delimited string that gives options for
+importing keys. Options can be prepended with a `no-' to give the
+opposite meaning. The options are:
+
+@table @asis
+
+ @item import-local-sigs
+ Allow importing key signatures marked as "local". This is not
+ generally useful unless a shared keyring scheme is being used.
+ Defaults to no.
+
+ @item keep-ownertrust
+ Normally possible still existing ownertrust values of a key are
+ cleared if a key is imported. This is in general desirable so that
+ a formerly deleted key does not automatically gain an ownertrust
+ values merely due to import. On the other hand it is sometimes
+ necessary to re-import a trusted set of keys again but keeping
+ already assigned ownertrust values. This can be achieved by using
+ this option.
+
+ @item repair-pks-subkey-bug
+ During import, attempt to repair the damage caused by the PKS keyserver
+ bug (pre version 0.9.6) that mangles keys with multiple subkeys. Note
+ that this cannot completely repair the damaged key as some crucial data
+ is removed by the keyserver, but it does at least give you back one
+ subkey. Defaults to no for regular @option{--import} and to yes for
+ keyserver @option{--receive-keys}.
+
+ @item import-show
+ @itemx show-only
+ Show a listing of the key as imported right before it is stored.
+ This can be combined with the option @option{--dry-run} to only look
+ at keys; the option @option{show-only} is a shortcut for this
+ combination. The command @option{--show-keys} is another shortcut
+ for this. Note that suffixes like '#' for "sec" and "sbb" lines
+ may or may not be printed.
+
+ @item import-export
+ Run the entire import code but instead of storing the key to the
+ local keyring write it to the output. The export options
+ @option{export-pka} and @option{export-dane} affect the output. This
+ option can be used to remove all invalid parts from a key without the
+ need to store it.
+
+ @item merge-only
+ During import, allow key updates to existing keys, but do not allow
+ any new keys to be imported. Defaults to no.
+
+ @item import-clean
+ After import, compact (remove all signatures except the
+ self-signature) any user IDs from the new key that are not usable.
+ Then, remove any signatures from the new key that are not usable.
+ This includes signatures that were issued by keys that are not present
+ on the keyring. This option is the same as running the @option{--edit-key}
+ command "clean" after import. Defaults to no.
+
+ @item self-sigs-only
+ Accept only self-signatures while importing a key. All other key
+ signatures are skipped at an early import stage. This option can be
+ used with @code{keyserver-options} to mitigate attempts to flood a
+ key with bogus signatures from a keyserver. The drawback is that
+ all other valid key signatures, as required by the Web of Trust are
+ also not imported. Note that when using this option along with
+ import-clean it suppresses the final clean step after merging the
+ imported key into the existing key.
+
+ @item repair-keys
+ After import, fix various problems with the
+ keys. For example, this reorders signatures, and strips duplicate
+ signatures. Defaults to yes.
+
+ @item import-minimal
+ Import the smallest key possible. This removes all signatures except
+ the most recent self-signature on each user ID. This option is the
+ same as running the @option{--edit-key} command "minimize" after import.
+ Defaults to no.
+
+ @item restore
+ @itemx import-restore
+ Import in key restore mode. This imports all data which is usually
+ skipped during import; including all GnuPG specific data. All other
+ contradicting options are overridden.
+@end table
+
+@item --import-filter @{@var{name}=@var{expr}@}
+@itemx --export-filter @{@var{name}=@var{expr}@}
+@opindex import-filter
+@opindex export-filter
+These options define an import/export filter which are applied to the
+imported/exported keyblock right before it will be stored/written.
+@var{name} defines the type of filter to use, @var{expr} the
+expression to evaluate. The option can be used several times which
+then appends more expression to the same @var{name}.
+
+@noindent
+The available filter types are:
+
+@table @asis
+
+ @item keep-uid
+ This filter will keep a user id packet and its dependent packets in
+ the keyblock if the expression evaluates to true.
+
+ @item drop-subkey
+ This filter drops the selected subkeys.
+ Currently only implemented for --export-filter.
+
+ @item drop-sig
+ This filter drops the selected key signatures on user ids.
+ Self-signatures are not considered.
+ Currently only implemented for --import-filter.
+
+@end table
+
+For the syntax of the expression see the chapter "FILTER EXPRESSIONS".
+The property names for the expressions depend on the actual filter
+type and are indicated in the following table.
+
+The available properties are:
+
+@table @asis
+
+ @item uid
+ A string with the user id. (keep-uid)
+
+ @item mbox
+ The addr-spec part of a user id with mailbox or the empty string.
+ (keep-uid)
+
+ @item key_algo
+ A number with the public key algorithm of a key or subkey packet.
+ (drop-subkey)
+
+ @item key_created
+ @itemx key_created_d
+ The first is the timestamp a public key or subkey packet was
+ created. The second is the same but given as an ISO string,
+ e.g. "2016-08-17". (drop-subkey)
+
+ @item fpr
+ The hexified fingerprint of the current subkey or primary key.
+ (drop-subkey)
+
+ @item primary
+ Boolean indicating whether the user id is the primary one. (keep-uid)
+
+ @item expired
+ Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a
+ signature (drop-sig) expired.
+
+ @item revoked
+ Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has
+ been revoked.
+
+ @item disabled
+ Boolean indicating whether a primary key is disabled. (not used)
+
+ @item secret
+ Boolean indicating whether a key or subkey is a secret one.
+ (drop-subkey)
+
+ @item usage
+ A string indicating the usage flags for the subkey, from the
+ sequence ``ecsa?''. For example, a subkey capable of just signing
+ and authentication would be an exact match for ``sa''. (drop-subkey)
+
+ @item sig_created
+ @itemx sig_created_d
+ The first is the timestamp a signature packet was created. The
+ second is the same but given as an ISO date string,
+ e.g. "2016-08-17". (drop-sig)
+
+ @item sig_algo
+ A number with the public key algorithm of a signature packet. (drop-sig)
+
+ @item sig_digest_algo
+ A number with the digest algorithm of a signature packet. (drop-sig)
+
+@end table
+
+@item --export-options @var{parameters}
+@opindex export-options
+This is a space or comma delimited string that gives options for
+exporting keys. Options can be prepended with a `no-' to give the
+opposite meaning. The options are:
+
+@table @asis
+
+ @item export-local-sigs
+ Allow exporting key signatures marked as "local". This is not
+ generally useful unless a shared keyring scheme is being used.
+ Defaults to no.
+
+ @item export-attributes
+ Include attribute user IDs (photo IDs) while exporting. Not
+ including attribute user IDs is useful to export keys that are going
+ to be used by an OpenPGP program that does not accept attribute user
+ IDs. Defaults to yes.
+
+ @item export-sensitive-revkeys
+ Include designated revoker information that was marked as
+ "sensitive". Defaults to no.
+
+ @c Since GnuPG 2.1 gpg-agent manages the secret key and thus the
+ @c export-reset-subkey-passwd hack is not anymore justified. Such use
+ @c cases may be implemented using a specialized secret key export
+ @c tool.
+ @c @item export-reset-subkey-passwd
+ @c When using the @option{--export-secret-subkeys} command, this option resets
+ @c the passphrases for all exported subkeys to empty. This is useful
+ @c when the exported subkey is to be used on an unattended machine where
+ @c a passphrase doesn't necessarily make sense. Defaults to no.
+
+ @item backup
+ @itemx export-backup
+ Export for use as a backup. The exported data includes all data
+ which is needed to restore the key or keys later with GnuPG. The
+ format is basically the OpenPGP format but enhanced with GnuPG
+ specific data. All other contradicting options are overridden.
+
+ @item export-clean
+ Compact (remove all signatures from) user IDs on the key being
+ exported if the user IDs are not usable. Also, do not export any
+ signatures that are not usable. This includes signatures that were
+ issued by keys that are not present on the keyring. This option is
+ the same as running the @option{--edit-key} command "clean" before export
+ except that the local copy of the key is not modified. Defaults to
+ no.
+
+ @item export-minimal
+ Export the smallest key possible. This removes all signatures except the
+ most recent self-signature on each user ID. This option is the same as
+ running the @option{--edit-key} command "minimize" before export except
+ that the local copy of the key is not modified. Defaults to no.
+
+ @item export-pka
+ Instead of outputting the key material output PKA records suitable
+ to put into DNS zone files. An ORIGIN line is printed before each
+ record to allow diverting the records to the corresponding zone file.
+
+ @item export-dane
+ Instead of outputting the key material output OpenPGP DANE records
+ suitable to put into DNS zone files. An ORIGIN line is printed before
+ each record to allow diverting the records to the corresponding zone
+ file.
+
+@end table
+
+@item --with-colons
+@opindex with-colons
+Print key listings delimited by colons. Note that the output will be
+encoded in UTF-8 regardless of any @option{--display-charset} setting. This
+format is useful when GnuPG is called from scripts and other programs
+as it is easily machine parsed. The details of this format are
+documented in the file @file{doc/DETAILS}, which is included in the GnuPG
+source distribution.
+
+@item --fixed-list-mode
+@opindex fixed-list-mode
+Do not merge primary user ID and primary key in @option{--with-colon}
+listing mode and print all timestamps as seconds since 1970-01-01.
+Since GnuPG 2.0.10, this mode is always used and thus this option is
+obsolete; it does not harm to use it though.
+
+@item --legacy-list-mode
+@opindex legacy-list-mode
+Revert to the pre-2.1 public key list mode. This only affects the
+human readable output and not the machine interface
+(i.e. @code{--with-colons}). Note that the legacy format does not
+convey suitable information for elliptic curves.
+
+@item --with-fingerprint
+@opindex with-fingerprint
+Same as the command @option{--fingerprint} but changes only the format
+of the output and may be used together with another command.
+
+@item --with-subkey-fingerprint
+@opindex with-subkey-fingerprint
+If a fingerprint is printed for the primary key, this option forces
+printing of the fingerprint for all subkeys. This could also be
+achieved by using the @option{--with-fingerprint} twice but by using
+this option along with keyid-format "none" a compact fingerprint is
+printed.
+
+@item --with-icao-spelling
+@opindex with-icao-spelling
+Print the ICAO spelling of the fingerprint in addition to the hex digits.
+
+@item --with-keygrip
+@opindex with-keygrip
+Include the keygrip in the key listings. In @code{--with-colons} mode
+this is implicitly enable for secret keys.
+
+@item --with-key-origin
+@opindex with-key-origin
+Include the locally held information on the origin and last update of
+a key in a key listing. In @code{--with-colons} mode this is always
+printed. This data is currently experimental and shall not be
+considered part of the stable API.
+
+@item --with-wkd-hash
+@opindex with-wkd-hash
+Print a Web Key Directory identifier along with each user ID in key
+listings. This is an experimental feature and semantics may change.
+
+@item --with-secret
+@opindex with-secret
+Include info about the presence of a secret key in public key listings
+done with @code{--with-colons}.
+
+@end table
+
+@c *******************************************
+@c ******** OPENPGP OPTIONS ****************
+@c *******************************************
+@node OpenPGP Options
+@subsection OpenPGP protocol specific options
+
+@table @gnupgtabopt
+
+@item -t, --textmode
+@itemx --no-textmode
+@opindex textmode
+Treat input files as text and store them in the OpenPGP canonical text
+form with standard "CRLF" line endings. This also sets the necessary
+flags to inform the recipient that the encrypted or signed data is text
+and may need its line endings converted back to whatever the local
+system uses. This option is useful when communicating between two
+platforms that have different line ending conventions (UNIX-like to Mac,
+Mac to Windows, etc). @option{--no-textmode} disables this option, and
+is the default.
+
+@item --force-v3-sigs
+@itemx --no-force-v3-sigs
+@item --force-v4-certs
+@itemx --no-force-v4-certs
+These options are obsolete and have no effect since GnuPG 2.1.
+
+@item --force-mdc
+@itemx --disable-mdc
+@opindex force-mdc
+@opindex disable-mdc
+These options are obsolete and have no effect since GnuPG 2.2.8. The
+MDC is always used. But note: If the creation of a legacy non-MDC
+message is exceptionally required, the option @option{--rfc2440}
+allows for this.
+
+@item --disable-signer-uid
+@opindex disable-signer-uid
+By default the user ID of the signing key is embedded in the data signature.
+As of now this is only done if the signing key has been specified with
+@option{local-user} using a mail address, or with @option{sender}. This
+information can be helpful for verifier to locate the key; see option
+@option{--auto-key-retrieve}.
+
+@item --include-key-block
+@opindex include-key-block
+This option is used to embed the actual signing key into a data
+signature. The embedded key is stripped down to a single user id and
+includes only the signing subkey used to create the signature as well
+as as valid encryption subkeys. All other info is removed from the
+key to keep it and thus the signature small. This option is the
+OpenPGP counterpart to the @command{gpgsm} option
+@option{--include-certs}.
+
+@item --personal-cipher-preferences @var{string}
+@opindex personal-cipher-preferences
+Set the list of personal cipher preferences to @var{string}. Use
+@command{@gpgname --version} to get a list of available algorithms,
+and use @code{none} to set no preference at all. This allows the user
+to safely override the algorithm chosen by the recipient key
+preferences, as GPG will only select an algorithm that is usable by
+all recipients. The most highly ranked cipher in this list is also
+used for the @option{--symmetric} encryption command.
+
+@item --personal-digest-preferences @var{string}
+@opindex personal-digest-preferences
+Set the list of personal digest preferences to @var{string}. Use
+@command{@gpgname --version} to get a list of available algorithms,
+and use @code{none} to set no preference at all. This allows the user
+to safely override the algorithm chosen by the recipient key
+preferences, as GPG will only select an algorithm that is usable by
+all recipients. The most highly ranked digest algorithm in this list
+is also used when signing without encryption
+(e.g. @option{--clear-sign} or @option{--sign}).
+
+@item --personal-compress-preferences @var{string}
+@opindex personal-compress-preferences
+Set the list of personal compression preferences to @var{string}.
+Use @command{@gpgname --version} to get a list of available
+algorithms, and use @code{none} to set no preference at all. This
+allows the user to safely override the algorithm chosen by the
+recipient key preferences, as GPG will only select an algorithm that
+is usable by all recipients. The most highly ranked compression
+algorithm in this list is also used when there are no recipient keys
+to consider (e.g. @option{--symmetric}).
+
+@item --s2k-cipher-algo @var{name}
+@opindex s2k-cipher-algo
+Use @var{name} as the cipher algorithm for symmetric encryption with
+a passphrase if @option{--personal-cipher-preferences} and
+@option{--cipher-algo} are not given. The default is @value{GPGSYMENCALGO}.
+
+@item --s2k-digest-algo @var{name}
+@opindex s2k-digest-algo
+Use @var{name} as the digest algorithm used to mangle the passphrases
+for symmetric encryption. The default is SHA-1.
+
+@item --s2k-mode @var{n}
+@opindex s2k-mode
+Selects how passphrases for symmetric encryption are mangled. If
+@var{n} is 0 a plain passphrase (which is in general not recommended)
+will be used, a 1 adds a salt (which should not be used) to the
+passphrase and a 3 (the default) iterates the whole process a number
+of times (see @option{--s2k-count}).
+
+@item --s2k-count @var{n}
+@opindex s2k-count
+Specify how many times the passphrases mangling for symmetric
+encryption is repeated. This value may range between 1024 and
+65011712 inclusive. The default is inquired from gpg-agent. Note
+that not all values in the 1024-65011712 range are legal and if an
+illegal value is selected, GnuPG will round up to the nearest legal
+value. This option is only meaningful if @option{--s2k-mode} is set
+to the default of 3.
+
+
+@end table
+
+@c ***************************
+@c ******* Compliance ********
+@c ***************************
+@node Compliance Options
+@subsection Compliance options
+
+These options control what GnuPG is compliant to. Only one of these
+options may be active at a time. Note that the default setting of
+this is nearly always the correct one. See the INTEROPERABILITY WITH
+OTHER OPENPGP PROGRAMS section below before using one of these
+options.
+
+@table @gnupgtabopt
+
+@item --gnupg
+@opindex gnupg
+Use standard GnuPG behavior. This is essentially OpenPGP behavior
+(see @option{--openpgp}), but with some additional workarounds for common
+compatibility problems in different versions of PGP. This is the
+default option, so it is not generally needed, but it may be useful to
+override a different compliance option in the gpg.conf file.
+
+@item --openpgp
+@opindex openpgp
+Reset all packet, cipher and digest options to strict OpenPGP
+behavior. Use this option to reset all previous options like
+@option{--s2k-*}, @option{--cipher-algo}, @option{--digest-algo} and
+@option{--compress-algo} to OpenPGP compliant values. All PGP
+workarounds are disabled.
+
+@item --rfc4880
+@opindex rfc4880
+Reset all packet, cipher and digest options to strict RFC-4880
+behavior. Note that this is currently the same thing as
+@option{--openpgp}.
+
+@item --rfc4880bis
+@opindex rfc4880bis
+Enable experimental features from proposed updates to RFC-4880. This
+option can be used in addition to the other compliance options.
+Warning: The behavior may change with any GnuPG release and created
+keys or data may not be usable with future GnuPG versions.
+
+@item --rfc2440
+@opindex rfc2440
+Reset all packet, cipher and digest options to strict RFC-2440
+behavior. Note that by using this option encryption packets are
+created in a legacy mode without MDC protection. This is dangerous
+and should thus only be used for experiments. See also option
+@option{--ignore-mdc-error}.
+
+@item --pgp6
+@opindex pgp6
+Set up all options to be as PGP 6 compliant as possible. This
+restricts you to the ciphers IDEA (if the IDEA plugin is installed),
+3DES, and CAST5, the hashes MD5, SHA1 and RIPEMD160, and the
+compression algorithms none and ZIP. This also disables
+@option{--throw-keyids}, and making signatures with signing subkeys as PGP 6
+does not understand signatures made by signing subkeys.
+
+This option implies @option{--escape-from-lines}.
+
+@item --pgp7
+@opindex pgp7
+Set up all options to be as PGP 7 compliant as possible. This is
+identical to @option{--pgp6} except that MDCs are not disabled, and the
+list of allowable ciphers is expanded to add AES128, AES192, AES256, and
+TWOFISH.
+
+@item --pgp8
+@opindex pgp8
+Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot
+closer to the OpenPGP standard than previous versions of PGP, so all
+this does is disable @option{--throw-keyids} and set
+@option{--escape-from-lines}. All algorithms are allowed except for the
+SHA224, SHA384, and SHA512 digests.
+
+@item --compliance @var{string}
+@opindex compliance
+This option can be used instead of one of the options above. Valid
+values for @var{string} are the above option names (without the double
+dash) and possibly others as shown when using "help" for @var{string}.
+
+@item --min-rsa-length @var{n}
+@opindex min-rsa-length
+This option adjusts the compliance mode "de-vs" for stricter key size
+requirements. For example, a value of 3000 turns rsa2048 and dsa2048
+keys into non-VS-NfD compliant keys.
+
+@item --require-compliance
+@opindex require-compliance
+To check that data has been encrypted according to the rules of the
+current compliance mode, a gpg user needs to evaluate the status
+lines. This is allows frontends to handle compliance check in a more
+flexible way. However, for scripted use the required evaluation of
+the status-line requires quite some effort; this option can be used
+instead to make sure that the gpg process exits with a failure if the
+compliance rules are not fulfilled. Note that this option has
+currently an effect only in "de-vs" mode.
+
+@end table
+
+
+@c *******************************************
+@c ******** ESOTERIC OPTIONS ***************
+@c *******************************************
+@node GPG Esoteric Options
+@subsection Doing things one usually doesn't want to do
+
+@table @gnupgtabopt
+
+@item -n
+@itemx --dry-run
+@opindex dry-run
+Don't make any changes (this is not completely implemented).
+
+@item --list-only
+@opindex list-only
+Changes the behaviour of some commands. This is like @option{--dry-run} but
+different in some cases. The semantic of this option may be extended in
+the future. Currently it only skips the actual decryption pass and
+therefore enables a fast listing of the encryption keys.
+
+@item -i
+@itemx --interactive
+@opindex interactive
+Prompt before overwriting any files.
+
+@item --debug-level @var{level}
+@opindex debug-level
+Select the debug level for investigating problems. @var{level} may be
+a numeric value or by a keyword:
+
+@table @code
+ @item none
+ No debugging at all. A value of less than 1 may be used instead of
+ the keyword.
+ @item basic
+ Some basic debug messages. A value between 1 and 2 may be used
+ instead of the keyword.
+ @item advanced
+ More verbose debug messages. A value between 3 and 5 may be used
+ instead of the keyword.
+ @item expert
+ Even more detailed messages. A value between 6 and 8 may be used
+ instead of the keyword.
+ @item guru
+ All of the debug messages you can get. A value greater than 8 may be
+ used instead of the keyword. The creation of hash tracing files is
+ only enabled if the keyword is used.
+@end table
+
+How these messages are mapped to the actual debugging flags is not
+specified and may change with newer releases of this program. They are
+however carefully selected to best aid in debugging.
+
+@item --debug @var{flags}
+@opindex debug
+Set debugging flags. All flags are or-ed and @var{flags} may be given
+in C syntax (e.g. 0x0042) or as a comma separated list of flag names.
+To get a list of all supported flags the single word "help" can be
+used.
+
+@item --debug-all
+@opindex debug-all
+Set all useful debugging flags.
+
+@item --debug-iolbf
+@opindex debug-iolbf
+Set stdout into line buffered mode. This option is only honored when
+given on the command line.
+
+@item --faked-system-time @var{epoch}
+@opindex faked-system-time
+This option is only useful for testing; it sets the system time back or
+forth to @var{epoch} which is the number of seconds elapsed since the year
+1970. Alternatively @var{epoch} may be given as a full ISO time string
+(e.g. "20070924T154812").
+
+If you suffix @var{epoch} with an exclamation mark (!), the system time
+will appear to be frozen at the specified time.
+
+@item --enable-progress-filter
+@opindex enable-progress-filter
+Enable certain PROGRESS status outputs. This option allows frontends
+to display a progress indicator while gpg is processing larger files.
+There is a slight performance overhead using it.
+
+@item --status-fd @var{n}
+@opindex status-fd
+Write special status strings to the file descriptor @var{n}.
+See the file DETAILS in the documentation for a listing of them.
+
+@item --status-file @var{file}
+@opindex status-file
+Same as @option{--status-fd}, except the status data is written to file
+@var{file}.
+
+@item --logger-fd @var{n}
+@opindex logger-fd
+Write log output to file descriptor @var{n} and not to STDERR.
+
+@item --log-file @var{file}
+@itemx --logger-file @var{file}
+@opindex log-file
+Same as @option{--logger-fd}, except the logger data is written to
+file @var{file}. Use @file{socket://} to log to a socket. Note that
+in this version of gpg the option has only an effect if
+@option{--batch} is also used.
+
+@item --attribute-fd @var{n}
+@opindex attribute-fd
+Write attribute subpackets to the file descriptor @var{n}. This is most
+useful for use with @option{--status-fd}, since the status messages are
+needed to separate out the various subpackets from the stream delivered
+to the file descriptor.
+
+@item --attribute-file @var{file}
+@opindex attribute-file
+Same as @option{--attribute-fd}, except the attribute data is written to
+file @var{file}.
+
+@item --comment @var{string}
+@itemx --no-comments
+@opindex comment
+Use @var{string} as a comment string in cleartext signatures and ASCII
+armored messages or keys (see @option{--armor}). The default behavior is
+not to use a comment string. @option{--comment} may be repeated multiple
+times to get multiple comment strings. @option{--no-comments} removes
+all comments. It is a good idea to keep the length of a single comment
+below 60 characters to avoid problems with mail programs wrapping such
+lines. Note that comment lines, like all other header lines, are not
+protected by the signature.
+
+@item --emit-version
+@itemx --no-emit-version
+@opindex emit-version
+Force inclusion of the version string in ASCII armored output. If
+given once only the name of the program and the major number is
+emitted, given twice the minor is also emitted, given thrice
+the micro is added, and given four times an operating system identification
+is also emitted. @option{--no-emit-version} (default) disables the version
+line.
+
+@item --sig-notation @{@var{name}=@var{value}@}
+@itemx --cert-notation @{@var{name}=@var{value}@}
+@itemx -N, --set-notation @{@var{name}=@var{value}@}
+@opindex sig-notation
+@opindex cert-notation
+@opindex set-notation
+Put the name value pair into the signature as notation data.
+@var{name} must consist only of printable characters or spaces, and
+must contain a '@@' character in the form keyname@@domain.example.com
+(substituting the appropriate keyname and domain name, of course). This
+is to help prevent pollution of the IETF reserved notation
+namespace. The @option{--expert} flag overrides the '@@'
+check. @var{value} may be any printable string; it will be encoded in
+UTF-8, so you should check that your @option{--display-charset} is set
+correctly. If you prefix @var{name} with an exclamation mark (!), the
+notation data will be flagged as critical
+(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data
+signatures. @option{--cert-notation} sets a notation for key signatures
+(certifications). @option{--set-notation} sets both.
+
+There are special codes that may be used in notation names. "%k" will
+be expanded into the key ID of the key being signed, "%K" into the
+long key ID of the key being signed, "%f" into the fingerprint of the
+key being signed, "%s" into the key ID of the key making the
+signature, "%S" into the long key ID of the key making the signature,
+"%g" into the fingerprint of the key making the signature (which might
+be a subkey), "%p" into the fingerprint of the primary key of the key
+making the signature, "%c" into the signature count from the OpenPGP
+smartcard, and "%%" results in a single "%". %k, %K, and %f are only
+meaningful when making a key signature (certification), and %c is only
+meaningful when using the OpenPGP smartcard.
+
+@item --known-notation @var{name}
+@opindex known-notation
+Adds @var{name} to a list of known critical signature notations. The
+effect of this is that gpg will not mark a signature with a critical
+signature notation of that name as bad. Note that gpg already knows
+by default about a few critical signatures notation names.
+
+@item --sig-policy-url @var{string}
+@itemx --cert-policy-url @var{string}
+@itemx --set-policy-url @var{string}
+@opindex sig-policy-url
+@opindex cert-policy-url
+@opindex set-policy-url
+Use @var{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If
+you prefix it with an exclamation mark (!), the policy URL packet will
+be flagged as critical. @option{--sig-policy-url} sets a policy url for
+data signatures. @option{--cert-policy-url} sets a policy url for key
+signatures (certifications). @option{--set-policy-url} sets both.
+
+The same %-expandos used for notation data are available here as well.
+
+@item --sig-keyserver-url @var{string}
+@opindex sig-keyserver-url
+Use @var{string} as a preferred keyserver URL for data signatures. If
+you prefix it with an exclamation mark (!), the keyserver URL packet
+will be flagged as critical.
+
+The same %-expandos used for notation data are available here as well.
+
+@item --set-filename @var{string}
+@opindex set-filename
+Use @var{string} as the filename which is stored inside messages.
+This overrides the default, which is to use the actual filename of the
+file being encrypted. Using the empty string for @var{string}
+effectively removes the filename from the output.
+
+@item --for-your-eyes-only
+@itemx --no-for-your-eyes-only
+@opindex for-your-eyes-only
+Set the `for your eyes only' flag in the message. This causes GnuPG to
+refuse to save the file unless the @option{--output} option is given,
+and PGP to use a "secure viewer" with a claimed Tempest-resistant font
+to display the message. This option overrides @option{--set-filename}.
+@option{--no-for-your-eyes-only} disables this option.
+
+@item --use-embedded-filename
+@itemx --no-use-embedded-filename
+@opindex use-embedded-filename
+Try to create a file with a name as embedded in the data. This can be
+a dangerous option as it enables overwriting files. Defaults to no.
+Note that the option @option{--output} overrides this option.
+
+@item --cipher-algo @var{name}
+@opindex cipher-algo
+Use @var{name} as cipher algorithm. Running the program with the
+command @option{--version} yields a list of supported algorithms. If
+this is not used the cipher algorithm is selected from the preferences
+stored with the key. In general, you do not want to use this option as
+it allows you to violate the OpenPGP standard.
+@option{--personal-cipher-preferences} is the safe way to accomplish the
+same thing.
+
+@item --digest-algo @var{name}
+@opindex digest-algo
+Use @var{name} as the message digest algorithm. Running the program
+with the command @option{--version} yields a list of supported algorithms. In
+general, you do not want to use this option as it allows you to
+violate the OpenPGP standard. @option{--personal-digest-preferences} is the
+safe way to accomplish the same thing.
+
+@item --compress-algo @var{name}
+@opindex compress-algo
+Use compression algorithm @var{name}. "zlib" is RFC-1950 ZLIB
+compression. "zip" is RFC-1951 ZIP compression which is used by PGP.
+"bzip2" is a more modern compression scheme that can compress some
+things better than zip or zlib, but at the cost of more memory used
+during compression and decompression. "uncompressed" or "none"
+disables compression. If this option is not used, the default
+behavior is to examine the recipient key preferences to see which
+algorithms the recipient supports. If all else fails, ZIP is used for
+maximum compatibility.
+
+ZLIB may give better compression results than ZIP, as the compression
+window size is not limited to 8k. BZIP2 may give even better
+compression results than that, but will use a significantly larger
+amount of memory while compressing and decompressing. This may be
+significant in low memory situations. Note, however, that PGP (all
+versions) only supports ZIP compression. Using any algorithm other
+than ZIP or "none" will make the message unreadable with PGP. In
+general, you do not want to use this option as it allows you to
+violate the OpenPGP standard. @option{--personal-compress-preferences} is the
+safe way to accomplish the same thing.
+
+@item --cert-digest-algo @var{name}
+@opindex cert-digest-algo
+Use @var{name} as the message digest algorithm used when signing a
+key. Running the program with the command @option{--version} yields a
+list of supported algorithms. Be aware that if you choose an algorithm
+that GnuPG supports but other OpenPGP implementations do not, then some
+users will not be able to use the key signatures you make, or quite
+possibly your entire key.
+
+@item --disable-cipher-algo @var{name}
+@opindex disable-cipher-algo
+Never allow the use of @var{name} as cipher algorithm.
+The given name will not be checked so that a later loaded algorithm
+will still get disabled.
+
+@item --disable-pubkey-algo @var{name}
+@opindex disable-pubkey-algo
+Never allow the use of @var{name} as public key algorithm.
+The given name will not be checked so that a later loaded algorithm
+will still get disabled.
+
+@item --throw-keyids
+@itemx --no-throw-keyids
+@opindex throw-keyids
+Do not put the recipient key IDs into encrypted messages. This helps to
+hide the receivers of the message and is a limited countermeasure
+against traffic analysis.@footnote{Using a little social engineering
+anyone who is able to decrypt the message can check whether one of the
+other recipients is the one he suspects.} On the receiving side, it may
+slow down the decryption process because all available secret keys must
+be tried. @option{--no-throw-keyids} disables this option. This option
+is essentially the same as using @option{--hidden-recipient} for all
+recipients.
+
+@item --not-dash-escaped
+@opindex not-dash-escaped
+This option changes the behavior of cleartext signatures
+so that they can be used for patch files. You should not
+send such an armored file via email because all spaces
+and line endings are hashed too. You can not use this
+option for data which has 5 dashes at the beginning of a
+line, patch files don't have this. A special armor header
+line tells GnuPG about this cleartext signature option.
+
+@item --escape-from-lines
+@itemx --no-escape-from-lines
+@opindex escape-from-lines
+Because some mailers change lines starting with "From " to ">From " it
+is good to handle such lines in a special way when creating cleartext
+signatures to prevent the mail system from breaking the signature. Note
+that all other PGP versions do it this way too. Enabled by
+default. @option{--no-escape-from-lines} disables this option.
+
+@item --passphrase-repeat @var{n}
+@opindex passphrase-repeat
+Specify how many times @command{@gpgname} will request a new
+passphrase be repeated. This is useful for helping memorize a
+passphrase. Defaults to 1 repetition; can be set to 0 to disable any
+passphrase repetition. Note that a @var{n} greater than 1 will pop up
+the pinentry window @var{n}+1 times even if a modern pinentry with
+two entry fields is used.
+
+@item --passphrase-fd @var{n}
+@opindex passphrase-fd
+Read the passphrase from file descriptor @var{n}. Only the first line
+will be read from file descriptor @var{n}. If you use 0 for @var{n},
+the passphrase will be read from STDIN. This can only be used if only
+one passphrase is supplied.
+
+Note that since Version 2.0 this passphrase is only used if the
+option @option{--batch} has also been given. Since Version 2.1
+the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+
+@item --passphrase-file @var{file}
+@opindex passphrase-file
+Read the passphrase from file @var{file}. Only the first line will
+be read from file @var{file}. This can only be used if only one
+passphrase is supplied. Obviously, a passphrase stored in a file is
+of questionable security if other users can read this file. Don't use
+this option if you can avoid it.
+
+Note that since Version 2.0 this passphrase is only used if the
+option @option{--batch} has also been given. Since Version 2.1
+the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+
+@item --passphrase @var{string}
+@opindex passphrase
+Use @var{string} as the passphrase. This can only be used if only one
+passphrase is supplied. Obviously, this is of very questionable
+security on a multi-user system. Don't use this option if you can
+avoid it.
+
+Note that since Version 2.0 this passphrase is only used if the
+option @option{--batch} has also been given. Since Version 2.1
+the @option{--pinentry-mode} also needs to be set to @code{loopback}.
+
+@item --pinentry-mode @var{mode}
+@opindex pinentry-mode
+Set the pinentry mode to @var{mode}. Allowed values for @var{mode}
+are:
+@table @asis
+ @item default
+ Use the default of the agent, which is @code{ask}.
+ @item ask
+ Force the use of the Pinentry.
+ @item cancel
+ Emulate use of Pinentry's cancel button.
+ @item error
+ Return a Pinentry error (``No Pinentry'').
+ @item loopback
+ Redirect Pinentry queries to the caller. Note that in contrast to
+ Pinentry the user is not prompted again if he enters a bad password.
+@end table
+
+@item --no-symkey-cache
+@opindex no-symkey-cache
+Disable the passphrase cache used for symmetrical en- and decryption.
+This cache is based on the message specific salt value
+(cf. @option{--s2k-mode}).
+
+@item --request-origin @var{origin}
+@opindex request-origin
+Tell gpg to assume that the operation ultimately originated at
+@var{origin}. Depending on the origin certain restrictions are applied
+and the Pinentry may include an extra note on the origin. Supported
+values for @var{origin} are: @code{local} which is the default,
+@code{remote} to indicate a remote origin or @code{browser} for an
+operation requested by a web browser.
+
+@item --command-fd @var{n}
+@opindex command-fd
+This is a replacement for the deprecated shared-memory IPC mode.
+If this option is enabled, user input on questions is not expected
+from the TTY but from the given file descriptor. It should be used
+together with @option{--status-fd}. See the file doc/DETAILS in the source
+distribution for details on how to use it.
+
+@item --command-file @var{file}
+@opindex command-file
+Same as @option{--command-fd}, except the commands are read out of file
+@var{file}
+
+@item --allow-non-selfsigned-uid
+@itemx --no-allow-non-selfsigned-uid
+@opindex allow-non-selfsigned-uid
+Allow the import and use of keys with user IDs which are not
+self-signed. This is not recommended, as a non self-signed user ID is
+trivial to forge. @option{--no-allow-non-selfsigned-uid} disables.
+
+@item --allow-freeform-uid
+@opindex allow-freeform-uid
+Disable all checks on the form of the user ID while generating a new
+one. This option should only be used in very special environments as
+it does not ensure the de-facto standard format of user IDs.
+
+@item --ignore-time-conflict
+@opindex ignore-time-conflict
+GnuPG normally checks that the timestamps associated with keys and
+signatures have plausible values. However, sometimes a signature
+seems to be older than the key due to clock problems. This option
+makes these checks just a warning. See also @option{--ignore-valid-from} for
+timestamp issues on subkeys.
+
+@item --ignore-valid-from
+@opindex ignore-valid-from
+GnuPG normally does not select and use subkeys created in the future.
+This option allows the use of such keys and thus exhibits the
+pre-1.0.7 behaviour. You should not use this option unless there
+is some clock problem. See also @option{--ignore-time-conflict} for timestamp
+issues with signatures.
+
+@item --ignore-crc-error
+@opindex ignore-crc-error
+The ASCII armor used by OpenPGP is protected by a CRC checksum against
+transmission errors. Occasionally the CRC gets mangled somewhere on
+the transmission channel but the actual content (which is protected by
+the OpenPGP protocol anyway) is still okay. This option allows GnuPG
+to ignore CRC errors.
+
+@item --ignore-mdc-error
+@opindex ignore-mdc-error
+This option changes a MDC integrity protection failure into a warning.
+It is required to decrypt old messages which did not use an MDC. It
+may also be useful if a message is partially garbled, but it is
+necessary to get as much data as possible out of that garbled message.
+Be aware that a missing or failed MDC can be an indication of an
+attack. Use with great caution; see also option @option{--rfc2440}.
+
+@item --allow-weak-digest-algos
+@opindex allow-weak-digest-algos
+Signatures made with known-weak digest algorithms are normally
+rejected with an ``invalid digest algorithm'' message. This option
+allows the verification of signatures made with such weak algorithms.
+MD5 is the only digest algorithm considered weak by default. See also
+@option{--weak-digest} to reject other digest algorithms.
+
+@item --weak-digest @var{name}
+@opindex weak-digest
+Treat the specified digest algorithm as weak. Signatures made over
+weak digests algorithms are normally rejected. This option can be
+supplied multiple times if multiple algorithms should be considered
+weak. See also @option{--allow-weak-digest-algos} to disable
+rejection of weak digests. MD5 is always considered weak, and does
+not need to be listed explicitly.
+
+@item --allow-weak-key-signatures
+@opindex allow-weak-key-signatures
+To avoid a minor risk of collision attacks on third-party key
+signatures made using SHA-1, those key signatures are considered
+invalid. This options allows to override this restriction.
+
+@item --override-compliance-check
+@opindex --override-compliance-check
+The signature verification only allows the use of keys suitable in the
+current compliance mode. If the compliance mode has been forced by a
+global option, there might be no way to check certain signature. This
+option allows to override this and prints an extra warning in such a
+case. This option is ignored in --batch mode so that no accidental
+unattended verification may happen.
+
+@item --no-default-keyring
+@opindex no-default-keyring
+Do not add the default keyring to the list of keyrings. Note that
+GnuPG needs for almost all operations a keyring. Thus if you use this
+option and do not provide alternate keyrings via @option{--keyring},
+then GnuPG will still use the default keyring.
+
+@item --no-keyring
+@opindex no-keyring
+Do not use any keyring at all. This overrides the default and all
+options which specify keyrings.
+
+@item --skip-verify
+@opindex skip-verify
+Skip the signature verification step. This may be
+used to make the decryption faster if the signature
+verification is not needed.
+
+@item --with-key-data
+@opindex with-key-data
+Print key listings delimited by colons (like @option{--with-colons}) and
+print the public key data.
+
+@item --list-signatures
+@opindex list-signatures
+@itemx --list-sigs
+@opindex list-sigs
+Same as @option{--list-keys}, but the signatures are listed too. This
+command has the same effect as using @option{--list-keys} with
+@option{--with-sig-list}. Note that in contrast to
+@option{--check-signatures} the key signatures are not verified. This
+command can be used to create a list of signing keys missing in the
+local keyring; for example:
+
+@example
+ gpg --list-sigs --with-colons USERID | \
+ awk -F: '$1=="sig" && $2=="?" @{if($13)@{print $13@}else@{print $5@}@}'
+@end example
+
+@item --fast-list-mode
+@opindex fast-list-mode
+Changes the output of the list commands to work faster; this is achieved
+by leaving some parts empty. Some applications don't need the user ID
+and the trust information given in the listings. By using this options
+they can get a faster listing. The exact behaviour of this option may
+change in future versions. If you are missing some information, don't
+use this option.
+
+@item --no-literal
+@opindex no-literal
+This is not for normal use. Use the source to see for what it might be useful.
+
+@item --set-filesize
+@opindex set-filesize
+This is not for normal use. Use the source to see for what it might be useful.
+
+@item --show-session-key
+@opindex show-session-key
+Display the session key used for one message. See
+@option{--override-session-key} for the counterpart of this option.
+
+We think that Key Escrow is a Bad Thing; however the user should have
+the freedom to decide whether to go to prison or to reveal the content
+of one specific message without compromising all messages ever
+encrypted for one secret key.
+
+You can also use this option if you receive an encrypted message which
+is abusive or offensive, to prove to the administrators of the
+messaging system that the ciphertext transmitted corresponds to an
+inappropriate plaintext so they can take action against the offending
+user.
+
+@item --override-session-key @var{string}
+@itemx --override-session-key-fd @var{fd}
+@opindex override-session-key
+Don't use the public key but the session key @var{string} respective
+the session key taken from the first line read from file descriptor
+@var{fd}. The format of this string is the same as the one printed by
+@option{--show-session-key}. This option is normally not used but
+comes handy in case someone forces you to reveal the content of an
+encrypted message; using this option you can do this without handing
+out the secret key. Note that using @option{--override-session-key}
+may reveal the session key to all local users via the global process
+table. Often it is useful to combine this option with
+@option{--no-keyring}.
+
+@item --ask-sig-expire
+@itemx --no-ask-sig-expire
+@opindex ask-sig-expire
+When making a data signature, prompt for an expiration time. If this
+option is not specified, the expiration time set via
+@option{--default-sig-expire} is used. @option{--no-ask-sig-expire}
+disables this option.
+
+@item --default-sig-expire
+@opindex default-sig-expire
+The default expiration time to use for signature expiration. Valid
+values are "0" for no expiration, a number followed by the letter d
+(for days), w (for weeks), m (for months), or y (for years) (for
+example "2m" for two months, or "5y" for five years), or an absolute
+date in the form YYYY-MM-DD. Defaults to "0".
+
+@item --ask-cert-expire
+@itemx --no-ask-cert-expire
+@opindex ask-cert-expire
+When making a key signature, prompt for an expiration time. If this
+option is not specified, the expiration time set via
+@option{--default-cert-expire} is used. @option{--no-ask-cert-expire}
+disables this option.
+
+@item --default-cert-expire
+@opindex default-cert-expire
+The default expiration time to use for key signature expiration.
+Valid values are "0" for no expiration, a number followed by the
+letter d (for days), w (for weeks), m (for months), or y (for years)
+(for example "2m" for two months, or "5y" for five years), or an
+absolute date in the form YYYY-MM-DD. Defaults to "0".
+
+@item --default-new-key-algo @var{string}
+@opindex default-new-key-algo @var{string}
+This option can be used to change the default algorithms for key
+generation. The @var{string} is similar to the arguments required for
+the command @option{--quick-add-key} but slightly different. For
+example the current default of @code{"rsa2048/cert,sign+rsa2048/encr"}
+(or @code{"rsa3072"}) can be changed to the value of what we currently
+call future default, which is @code{"ed25519/cert,sign+cv25519/encr"}.
+You need to consult the source code to learn the details. Note that
+the advanced key generation commands can always be used to specify a
+key algorithm directly.
+
+@item --force-sign-key
+@opindex force-sign-key
+This option modifies the behaviour of the commands
+@option{--quick-sign-key}, @option{--quick-lsign-key}, and the "sign"
+sub-commands of @option{--edit-key} by forcing the creation of a key
+signature, even if one already exists.
+
+@item --forbid-gen-key
+@opindex forbid-gen-key
+This option is intended for use in the global config file to disallow
+the use of generate key commands. Those commands will then fail with
+the error code for Not Enabled.
+
+@item --allow-secret-key-import
+@opindex allow-secret-key-import
+This is an obsolete option and is not used anywhere.
+
+@item --allow-multiple-messages
+@item --no-allow-multiple-messages
+@opindex allow-multiple-messages
+Allow processing of multiple OpenPGP messages contained in a single file
+or stream. Some programs that call GPG are not prepared to deal with
+multiple messages being processed together, so this option defaults to
+no. Note that versions of GPG prior to 1.4.7 always allowed multiple
+messages. Future versions of GnUPG will remove this option.
+
+Warning: Do not use this option unless you need it as a temporary
+workaround!
+
+
+@item --enable-special-filenames
+@opindex enable-special-filenames
+This option enables a mode in which filenames of the form
+@file{-&n}, where n is a non-negative decimal number,
+refer to the file descriptor n and not to a file with that name.
+
+@item --no-expensive-trust-checks
+@opindex no-expensive-trust-checks
+Experimental use only.
+
+@item --preserve-permissions
+@opindex preserve-permissions
+Don't change the permissions of a secret keyring back to user
+read/write only. Use this option only if you really know what you are doing.
+
+@item --default-preference-list @var{string}
+@opindex default-preference-list
+Set the list of default preferences to @var{string}. This preference
+list is used for new keys and becomes the default for "setpref" in the
+edit menu.
+
+@item --default-keyserver-url @var{name}
+@opindex default-keyserver-url
+Set the default keyserver URL to @var{name}. This keyserver will be
+used as the keyserver URL when writing a new self-signature on a key,
+which includes key generation and changing preferences.
+
+@item --list-config
+@opindex list-config
+Display various internal configuration parameters of GnuPG. This option
+is intended for external programs that call GnuPG to perform tasks, and
+is thus not generally useful. See the file @file{doc/DETAILS} in the
+source distribution for the details of which configuration items may be
+listed. @option{--list-config} is only usable with
+@option{--with-colons} set.
+
+@item --list-gcrypt-config
+@opindex list-gcrypt-config
+Display various internal configuration parameters of Libgcrypt.
+
+@item --gpgconf-list
+@opindex gpgconf-list
+This command is similar to @option{--list-config} but in general only
+internally used by the @command{gpgconf} tool.
+
+@item --gpgconf-test
+@opindex gpgconf-test
+This is more or less dummy action. However it parses the configuration
+file and returns with failure if the configuration file would prevent
+@command{@gpgname} from startup. Thus it may be used to run a syntax check
+on the configuration file.
+
+@end table
+
+@c *******************************
+@c ******* Deprecated ************
+@c *******************************
+@node Deprecated Options
+@subsection Deprecated options
+
+@table @gnupgtabopt
+
+@item --show-photos
+@itemx --no-show-photos
+@opindex show-photos
+Causes @option{--list-keys}, @option{--list-signatures},
+@option{--list-public-keys}, @option{--list-secret-keys}, and verifying
+a signature to also display the photo ID attached to the key, if
+any. See also @option{--photo-viewer}. These options are deprecated. Use
+@option{--list-options [no-]show-photos} and/or @option{--verify-options
+[no-]show-photos} instead.
+
+@item --show-keyring
+@opindex show-keyring
+Display the keyring name at the head of key listings to show which
+keyring a given key resides on. This option is deprecated: use
+@option{--list-options [no-]show-keyring} instead.
+
+@item --always-trust
+@opindex always-trust
+Identical to @option{--trust-model always}. This option is deprecated.
+
+@item --show-notation
+@itemx --no-show-notation
+@opindex show-notation
+Show signature notations in the @option{--list-signatures} or @option{--check-signatures} listings
+as well as when verifying a signature with a notation in it. These
+options are deprecated. Use @option{--list-options [no-]show-notation}
+and/or @option{--verify-options [no-]show-notation} instead.
+
+@item --show-policy-url
+@itemx --no-show-policy-url
+@opindex show-policy-url
+Show policy URLs in the @option{--list-signatures} or @option{--check-signatures}
+listings as well as when verifying a signature with a policy URL in
+it. These options are deprecated. Use @option{--list-options
+[no-]show-policy-url} and/or @option{--verify-options
+[no-]show-policy-url} instead.
+
+
+@end table
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** FILES ****************
+@c *************** ****************
+@c *******************************************
+@mansect files
+@node GPG Configuration
+@section Configuration files
+
+There are a few configuration files to control certain aspects of
+@command{@gpgname}'s operation. Unless noted, they are expected in the
+current home directory (@pxref{option --homedir}).
+
+@table @file
+
+ @item gpg.conf
+ @efindex gpg.conf
+ This is the standard configuration file read by @command{@gpgname} on
+ startup. It may contain any valid long option; the leading two dashes
+ may not be entered and the option may not be abbreviated. This default
+ name may be changed on the command line (@pxref{gpg-option --options}).
+ You should backup this file.
+
+@end table
+
+Note that on larger installations, it is useful to put predefined files
+into the directory @file{@value{SYSCONFSKELDIR}} so that
+newly created users start up with a working configuration.
+For existing users a small
+helper script is provided to create these files (@pxref{addgnupghome}).
+
+For internal purposes @command{@gpgname} creates and maintains a few other
+files; They all live in the current home directory (@pxref{option
+--homedir}). Only the @command{@gpgname} program may modify these files.
+
+
+@table @file
+ @item ~/.gnupg
+ @efindex ~/.gnupg
+ This is the default home directory which is used if neither the
+ environment variable @code{GNUPGHOME} nor the option
+ @option{--homedir} is given.
+
+ @item ~/.gnupg/pubring.gpg
+ @efindex pubring.gpg
+ The public keyring using a legacy format. You should backup this file.
+
+ If this file is not available, @command{gpg} defaults to the new
+ keybox format and creates a file @file{pubring.kbx} unless that file
+ already exists in which case that file will also be used for OpenPGP
+ keys.
+
+ Note that in the case that both files, @file{pubring.gpg} and
+ @file{pubring.kbx} exists but the latter has no OpenPGP keys, the
+ legacy file @file{pubring.gpg} will be used. Take care: GnuPG
+ versions before 2.1 will always use the file @file{pubring.gpg}
+ because they do not know about the new keybox format. In the case
+ that you have to use GnuPG 1.4 to decrypt archived data you should
+ keep this file.
+
+ @item ~/.gnupg/pubring.gpg.lock
+ The lock file for the public keyring.
+
+ @item ~/.gnupg/pubring.kbx
+ @efindex pubring.kbx
+ The public keyring using the new keybox format. This file is shared
+ with @command{gpgsm}. You should backup this file. See above for
+ the relation between this file and it predecessor.
+
+ To convert an existing @file{pubring.gpg} file to the keybox format, you
+ first backup the ownertrust values, then rename @file{pubring.gpg} to
+ @file{publickeys.backup}, so it won’t be recognized by any GnuPG version,
+ run import, and finally restore the ownertrust values:
+
+ @example
+ $ cd ~/.gnupg
+ $ gpg --export-ownertrust >otrust.lst
+ $ mv pubring.gpg publickeys.backup
+ $ gpg --import-options restore --import publickeys.backups
+ $ gpg --import-ownertrust otrust.lst
+ @end example
+
+ @item ~/.gnupg/pubring.kbx.lock
+ The lock file for @file{pubring.kbx}.
+
+ @item ~/.gnupg/secring.gpg
+ @efindex secring.gpg
+ The legacy secret keyring as used by GnuPG versions before 2.1. It is not
+ used by GnuPG 2.1 and later. You may want to keep it in case you
+ have to use GnuPG 1.4 to decrypt archived data.
+
+ @item ~/.gnupg/secring.gpg.lock
+ The lock file for the legacy secret keyring.
+
+ @item ~/.gnupg/.gpg-v21-migrated
+ @efindex .gpg-v21-migrated
+ File indicating that a migration to GnuPG 2.1 has been done.
+
+ @item ~/.gnupg/trustdb.gpg
+ @efindex trustdb.gpg
+ The trust database. There is no need to backup this file; it is better
+ to backup the ownertrust values (@pxref{option --export-ownertrust}).
+
+ @item ~/.gnupg/trustdb.gpg.lock
+ The lock file for the trust database.
+
+ @item ~/.gnupg/random_seed
+ @efindex random_seed
+ A file used to preserve the state of the internal random pool.
+
+ @item ~/.gnupg/openpgp-revocs.d/
+ @efindex openpgp-revocs.d
+ This is the directory where gpg stores pre-generated revocation
+ certificates. The file name corresponds to the OpenPGP fingerprint of
+ the respective key. It is suggested to backup those certificates and
+ if the primary private key is not stored on the disk to move them to
+ an external storage device. Anyone who can access theses files is
+ able to revoke the corresponding key. You may want to print them out.
+ You should backup all files in this directory and take care to keep
+ this backup closed away.
+
+@end table
+
+Operation is further controlled by a few environment variables:
+
+@table @asis
+
+ @item HOME
+ @efindex HOME
+ Used to locate the default home directory.
+
+ @item GNUPGHOME
+ @efindex GNUPGHOME
+ If set directory used instead of "~/.gnupg".
+
+ @item GPG_AGENT_INFO
+ This variable is obsolete; it was used by GnuPG versions before 2.1.
+
+ @item PINENTRY_USER_DATA
+ @efindex PINENTRY_USER_DATA
+ This value is passed via gpg-agent to pinentry. It is useful to convey
+ extra information to a custom pinentry.
+
+ @item COLUMNS
+ @itemx LINES
+ @efindex COLUMNS
+ @efindex LINES
+ Used to size some displays to the full size of the screen.
+
+ @item LANGUAGE
+ @efindex LANGUAGE
+ Apart from its use by GNU, it is used in the W32 version to override the
+ language selection done through the Registry. If used and set to a
+ valid and available language name (@var{langid}), the file with the
+ translation is loaded from
+ @code{@var{gpgdir}/gnupg.nls/@var{langid}.mo}. Here @var{gpgdir} is the
+ directory out of which the gpg binary has been loaded. If it can't be
+ loaded the Registry is tried and as last resort the native Windows
+ locale system is used.
+
+ @item GNUPG_BUILD_ROOT
+ @efindex GNUPG_BUILD_ROOT
+ This variable is only used by the regression test suite as a helper
+ under operating systems without proper support to figure out the
+ name of a process' text file.
+
+ @item GNUPG_EXEC_DEBUG_FLAGS
+ @efindex GNUPG_EXEC_DEBUG_FLAGS
+ This variable allows to enable diagnostics for process management.
+ A numeric decimal value is expected. Bit 0 enables general
+ diagnostics, bit 1 enables certain warnings on Windows.
+
+@end table
+
+When calling the gpg-agent component @command{@gpgname} sends a set of
+environment variables to gpg-agent. The names of these variables can
+be listed using the command:
+
+@example
+ gpg-connect-agent 'getinfo std_env_names' /bye | awk '$1=="D" @{print $2@}'
+@end example
+
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** EXAMPLES ****************
+@c *************** ****************
+@c *******************************************
+@mansect examples
+@node GPG Examples
+@section Examples
+
+@table @asis
+
+@item gpg -se -r @code{Bob} @code{file}
+sign and encrypt for user Bob
+
+@item gpg --clear-sign @code{file}
+make a cleartext signature
+
+@item gpg -sb @code{file}
+make a detached signature
+
+@item gpg -u 0x12345678 -sb @code{file}
+make a detached signature with the key 0x12345678
+
+@item gpg --list-keys @code{user_ID}
+show keys
+
+@item gpg --fingerprint @code{user_ID}
+show fingerprint
+
+@item gpg --verify @code{pgpfile}
+@itemx gpg --verify @code{sigfile} [@code{datafile}]
+Verify the signature of the file but do not output the data unless
+requested. The second form is used for detached signatures, where
+@code{sigfile} is the detached signature (either ASCII armored or
+binary) and @code{datafile} are the signed data; if this is not given, the name of the
+file holding the signed data is constructed by cutting off the
+extension (".asc" or ".sig") of @code{sigfile} or by asking the user
+for the filename. If the option @option{--output} is also used the
+signed data is written to the file specified by that option; use
+@code{-} to write the signed data to stdout.
+@end table
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** USER ID ****************
+@c *************** ****************
+@c *******************************************
+@mansect how to specify a user id
+@ifset isman
+@include specify-user-id.texi
+@end ifset
+
+@mansect filter expressions
+@chapheading FILTER EXPRESSIONS
+
+The options @option{--import-filter} and @option{--export-filter} use
+expressions with this syntax (square brackets indicate an optional
+part and curly braces a repetition, white space between the elements
+are allowed):
+
+@c man:.RS
+@example
+ [lc] @{[@{flag@}] PROPNAME op VALUE [lc]@}
+@end example
+@c man:.RE
+
+The name of a property (@var{PROPNAME}) may only consist of letters,
+digits and underscores. The description for the filter type
+describes which properties are defined. If an undefined property is
+used it evaluates to the empty string. Unless otherwise noted, the
+@var{VALUE} must always be given and may not be the empty string. No
+quoting is defined for the value, thus the value may not contain the
+strings @code{&&} or @code{||}, which are used as logical connection
+operators. The flag @code{--} can be used to remove this restriction.
+
+Numerical values are computed as long int; standard C notation
+applies. @var{lc} is the logical connection operator; either
+@code{&&} for a conjunction or @code{||} for a disjunction. A
+conjunction is assumed at the begin of an expression. Conjunctions
+have higher precedence than disjunctions. If @var{VALUE} starts with
+one of the characters used in any @var{op} a space after the
+@var{op} is required.
+
+@noindent
+The supported operators (@var{op}) are:
+
+@table @asis
+
+ @item =~
+ Substring must match.
+
+ @item !~
+ Substring must not match.
+
+ @item =
+ The full string must match.
+
+ @item <>
+ The full string must not match.
+
+ @item ==
+ The numerical value must match.
+
+ @item !=
+ The numerical value must not match.
+
+ @item <=
+ The numerical value of the field must be LE than the value.
+
+ @item <
+ The numerical value of the field must be LT than the value.
+
+ @item >
+ The numerical value of the field must be GT than the value.
+
+ @item >=
+ The numerical value of the field must be GE than the value.
+
+ @item -le
+ The string value of the field must be less or equal than the value.
+
+ @item -lt
+ The string value of the field must be less than the value.
+
+ @item -gt
+ The string value of the field must be greater than the value.
+
+ @item -ge
+ The string value of the field must be greater or equal than the value.
+
+ @item -n
+ True if value is not empty (no value allowed).
+
+ @item -z
+ True if value is empty (no value allowed).
+
+ @item -t
+ Alias for "PROPNAME != 0" (no value allowed).
+
+ @item -f
+ Alias for "PROPNAME == 0" (no value allowed).
+
+@end table
+
+@noindent
+Values for @var{flag} must be space separated. The supported flags
+are:
+
+@table @asis
+ @item --
+ @var{VALUE} spans to the end of the expression.
+ @item -c
+ The string match in this part is done case-sensitive.
+ @item -t
+ Leading and trailing spaces are not removed from @var{VALUE}.
+ The optional single space after @var{op} is here required.
+@end table
+
+The filter options concatenate several specifications for a filter of
+the same type. For example the four options in this example:
+
+@c man:.RS
+@example
+ --import-filter keep-uid="uid =~ Alfa"
+ --import-filter keep-uid="&& uid !~ Test"
+ --import-filter keep-uid="|| uid =~ Alpha"
+ --import-filter keep-uid="uid !~ Test"
+@end example
+@c man:.RE
+
+@noindent
+which is equivalent to
+
+@c man:.RS
+@example
+ --import-filter \
+ keep-uid="uid =~ Alfa" && uid !~ Test" || uid =~ Alpha" && "uid !~ Test"
+@end example
+@c man:.RE
+
+imports only the user ids of a key containing the strings "Alfa"
+or "Alpha" but not the string "test".
+
+@mansect trust values
+@ifset isman
+@include trust-values.texi
+@end ifset
+
+@mansect return value
+@chapheading RETURN VALUE
+
+The program returns 0 if there are no severe errors, 1 if at least a
+signature was bad, and other error codes for fatal errors.
+
+Note that signature verification requires exact knowledge of what has
+been signed and by whom it has beensigned. Using only the return code
+is thus not an appropriate way to verify a signature by a script.
+Either make proper use or the status codes or use the @command{gpgv}
+tool which has been designed to make signature verification easy for
+scripts.
+
+@mansect warnings
+@chapheading WARNINGS
+
+Use a good password for your user account and make sure that all
+security issues are always fixed on your machine. Also employ
+diligent physical protection to your machine. Consider to use a good
+passphrase as a last resort protection to your secret key in the case
+your machine gets stolen. It is important that your secret key is
+never leaked. Using an easy to carry around token or smartcard with
+the secret key is often a advisable.
+
+If you are going to verify detached signatures, make sure that the
+program knows about it; either give both filenames on the command line
+or use @samp{-} to specify STDIN.
+
+For scripted or other unattended use of @command{gpg} make sure to use
+the machine-parseable interface and not the default interface which is
+intended for direct use by humans. The machine-parseable interface
+provides a stable and well documented API independent of the locale or
+future changes of @command{gpg}. To enable this interface use the
+options @option{--with-colons} and @option{--status-fd}. For certain
+operations the option @option{--command-fd} may come handy too. See
+this man page and the file @file{DETAILS} for the specification of the
+interface. Note that the GnuPG ``info'' pages as well as the PDF
+version of the GnuPG manual features a chapter on unattended use of
+GnuPG. As an alternative the library @command{GPGME} can be used as a
+high-level abstraction on top of that interface.
+
+@mansect interoperability
+@chapheading INTEROPERABILITY WITH OTHER OPENPGP PROGRAMS
+
+GnuPG tries to be a very flexible implementation of the OpenPGP
+standard. In particular, GnuPG implements many of the optional parts
+of the standard, such as the SHA-512 hash, and the ZLIB and BZIP2
+compression algorithms. It is important to be aware that not all
+OpenPGP programs implement these optional algorithms and that by
+forcing their use via the @option{--cipher-algo},
+@option{--digest-algo}, @option{--cert-digest-algo}, or
+@option{--compress-algo} options in GnuPG, it is possible to create a
+perfectly valid OpenPGP message, but one that cannot be read by the
+intended recipient.
+
+There are dozens of variations of OpenPGP programs available, and each
+supports a slightly different subset of these optional algorithms.
+For example, until recently, no (unhacked) version of PGP supported
+the BLOWFISH cipher algorithm. A message using BLOWFISH simply could
+not be read by a PGP user. By default, GnuPG uses the standard
+OpenPGP preferences system that will always do the right thing and
+create messages that are usable by all recipients, regardless of which
+OpenPGP program they use. Only override this safe default if you
+really know what you are doing.
+
+If you absolutely must override the safe default, or if the preferences
+on a given key are invalid for some reason, you are far better off using
+the @option{--pgp6}, @option{--pgp7}, or @option{--pgp8} options. These
+options are safe as they do not force any particular algorithms in
+violation of OpenPGP, but rather reduce the available algorithms to a
+"PGP-safe" list.
+
+@mansect bugs
+@chapheading BUGS
+
+On older systems this program should be installed as setuid(root). This
+is necessary to lock memory pages. Locking memory pages prevents the
+operating system from writing memory pages (which may contain
+passphrases or other sensitive material) to disk. If you get no
+warning message about insecure memory your operating system supports
+locking without being root. The program drops root privileges as soon
+as locked memory is allocated.
+
+Note also that some systems (especially laptops) have the ability to
+``suspend to disk'' (also known as ``safe sleep'' or ``hibernate'').
+This writes all memory to disk before going into a low power or even
+powered off mode. Unless measures are taken in the operating system
+to protect the saved memory, passphrases or other sensitive material
+may be recoverable from it later.
+
+Before you report a bug you should first search the mailing list
+archives for similar problems and second check whether such a bug has
+already been reported to our bug tracker at @url{https://bugs.gnupg.org}.
+
+@c *******************************************
+@c *************** **************
+@c *************** UNATTENDED **************
+@c *************** **************
+@c *******************************************
+@manpause
+@node Unattended Usage of GPG
+@section Unattended Usage
+
+@command{@gpgname} is often used as a backend engine by other software. To help
+with this a machine interface has been defined to have an unambiguous
+way to do this. The options @option{--status-fd} and @option{--batch}
+are almost always required for this.
+
+@menu
+* Programmatic use of GnuPG:: Programmatic use of GnuPG
+* Ephemeral home directories:: Ephemeral home directories
+* The quick key manipulation interface:: The quick key manipulation interface
+* Unattended GPG key generation:: Unattended key generation
+@end menu
+
+
+@node Programmatic use of GnuPG
+@subsection Programmatic use of GnuPG
+
+Please consider using GPGME instead of calling @command{@gpgname}
+directly. GPGME offers a stable, backend-independent interface for
+many cryptographic operations. It supports OpenPGP and S/MIME, and
+also allows interaction with various GnuPG components.
+
+GPGME provides a C-API, and comes with bindings for C++, Qt, and
+Python. Bindings for other languages are available.
+
+@node Ephemeral home directories
+@subsection Ephemeral home directories
+
+Sometimes you want to contain effects of some operation, for example
+you want to import a key to inspect it, but you do not want this key
+to be added to your keyring. In earlier versions of GnuPG, it was
+possible to specify alternate keyring files for both public and secret
+keys. In modern GnuPG versions, however, we changed how secret keys
+are stored in order to better protect secret key material, and it was
+not possible to preserve this interface.
+
+The preferred way to do this is to use ephemeral home directories.
+This technique works across all versions of GnuPG.
+
+Create a temporary directory, create (or copy) a configuration that
+meets your needs, make @command{@gpgname} use this directory either
+using the environment variable @var{GNUPGHOME}, or the option
+@option{--homedir}. GPGME supports this too on a per-context basis,
+by modifying the engine info of contexts. Now execute whatever
+operation you like, import and export key material as necessary. Once
+finished, you can delete the directory. All GnuPG backend services
+that were started will detect this and shut down.
+
+@node The quick key manipulation interface
+@subsection The quick key manipulation interface
+
+Recent versions of GnuPG have an interface to manipulate keys without
+using the interactive command @option{--edit-key}. This interface was
+added mainly for the benefit of GPGME (please consider using GPGME,
+see the manual subsection ``Programmatic use of GnuPG''). This
+interface is described in the subsection ``How to manage your keys''.
+
+@node Unattended GPG key generation
+@subsection Unattended key generation
+
+The command @option{--generate-key} may be used along with the option
+@option{--batch} for unattended key generation. This is the most
+flexible way of generating keys, but it is also the most complex one.
+Consider using the quick key manipulation interface described in the
+previous subsection ``The quick key manipulation interface''.
+
+The parameters for the key are either read from stdin or given as a
+file on the command line. The format of the parameter file is as
+follows:
+
+@itemize @bullet
+ @item Text only, line length is limited to about 1000 characters.
+ @item UTF-8 encoding must be used to specify non-ASCII characters.
+ @item Empty lines are ignored.
+ @item Leading and trailing white space is ignored.
+ @item A hash sign as the first non white space character indicates
+ a comment line.
+ @item Control statements are indicated by a leading percent sign, the
+ arguments are separated by white space from the keyword.
+ @item Parameters are specified by a keyword, followed by a colon. Arguments
+ are separated by white space.
+ @item
+ The first parameter must be @samp{Key-Type}; control statements may be
+ placed anywhere.
+ @item
+ The order of the parameters does not matter except for @samp{Key-Type}
+ which must be the first parameter. The parameters are only used for
+ the generated keyblock (primary and subkeys); parameters from previous
+ sets are not used. Some syntactically checks may be performed.
+ @item
+ Key generation takes place when either the end of the parameter file
+ is reached, the next @samp{Key-Type} parameter is encountered or at the
+ control statement @samp{%commit} is encountered.
+@end itemize
+
+@noindent
+Control statements:
+
+@table @asis
+
+@item %echo @var{text}
+Print @var{text} as diagnostic.
+
+@item %dry-run
+Suppress actual key generation (useful for syntax checking).
+
+@item %commit
+Perform the key generation. Note that an implicit commit is done at
+the next @asis{Key-Type} parameter.
+
+@item %pubring @var{filename}
+Do not write the key to the default or commandline given keyring but
+to @var{filename}. This must be given before the first commit to take
+place, duplicate specification of the same filename is ignored, the
+last filename before a commit is used. The filename is used until a
+new filename is used (at commit points) and all keys are written to
+that file. If a new filename is given, this file is created (and
+overwrites an existing one).
+
+See the previous subsection ``Ephemeral home directories'' for a more
+robust way to contain side-effects.
+
+@item %secring @var{filename}
+This option is a no-op for GnuPG 2.1 and later.
+
+See the previous subsection ``Ephemeral home directories''.
+
+@item %ask-passphrase
+@itemx %no-ask-passphrase
+This option is a no-op for GnuPG 2.1 and later.
+
+@item %no-protection
+Using this option allows the creation of keys without any passphrase
+protection. This option is mainly intended for regression tests.
+
+@item %transient-key
+If given the keys are created using a faster and a somewhat less
+secure random number generator. This option may be used for keys
+which are only used for a short time and do not require full
+cryptographic strength. It takes only effect if used together with
+the control statement @samp{%no-protection}.
+
+@end table
+
+@noindent
+General Parameters:
+
+@table @asis
+
+@item Key-Type: @var{algo}
+Starts a new parameter block by giving the type of the primary
+key. The algorithm must be capable of signing. This is a required
+parameter. @var{algo} may either be an OpenPGP algorithm number or a
+string with the algorithm name. The special value @samp{default} may
+be used for @var{algo} to create the default key type; in this case a
+@samp{Key-Usage} shall not be given and @samp{default} also be used
+for @samp{Subkey-Type}.
+
+@item Key-Length: @var{nbits}
+The requested length of the generated key in bits. The default is
+returned by running the command @samp{@gpgname --gpgconf-list}.
+For ECC keys this parameter is ignored.
+
+@item Key-Curve: @var{curve}
+The requested elliptic curve of the generated key. This is a required
+parameter for ECC keys. It is ignored for non-ECC keys.
+
+@item Key-Grip: @var{hexstring}
+This is optional and used to generate a CSR or certificate for an
+already existing key. Key-Length will be ignored when given.
+
+@item Key-Usage: @var{usage-list}
+Space or comma delimited list of key usages. Allowed values are
+@samp{encrypt}, @samp{sign}, and @samp{auth}. This is used to
+generate the key flags. Please make sure that the algorithm is
+capable of this usage. Note that OpenPGP requires that all primary
+keys are capable of certification, so no matter what usage is given
+here, the @samp{cert} flag will be on. If no @samp{Key-Usage} is
+specified and the @samp{Key-Type} is not @samp{default}, all allowed
+usages for that particular algorithm are used; if it is not given but
+@samp{default} is used the usage will be @samp{sign}.
+
+@item Subkey-Type: @var{algo}
+This generates a secondary key (subkey). Currently only one subkey
+can be handled. See also @samp{Key-Type} above.
+
+@item Subkey-Length: @var{nbits}
+Length of the secondary key (subkey) in bits. The default is returned
+by running the command @samp{@gpgname --gpgconf-list}.
+
+@item Subkey-Curve: @var{curve}
+Key curve for a subkey; similar to @samp{Key-Curve}.
+
+@item Subkey-Usage: @var{usage-list}
+Key usage lists for a subkey; similar to @samp{Key-Usage}.
+
+@item Passphrase: @var{string}
+If you want to specify a passphrase for the secret key, enter it here.
+Default is to use the Pinentry dialog to ask for a passphrase.
+
+@item Name-Real: @var{name}
+@itemx Name-Comment: @var{comment}
+@itemx Name-Email: @var{email}
+The three parts of a user name. Remember to use UTF-8 encoding here.
+If you don't give any of them, no user ID is created.
+
+@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
+Set the expiration date for the key (and the subkey). It may either
+be entered in ISO date format (e.g. "20000815T145012") or as number of
+days, weeks, month or years after the creation date. The special
+notation "seconds=N" is also allowed to specify a number of seconds
+since creation. Without a letter days are assumed. Note that there
+is no check done on the overflow of the type used by OpenPGP for
+timestamps. Thus you better make sure that the given value make
+sense. Although OpenPGP works with time intervals, GnuPG uses an
+absolute value internally and thus the last year we can represent is
+2105.
+
+@item Creation-Date: @var{iso-date}
+Set the creation date of the key as stored in the key information and
+which is also part of the fingerprint calculation. Either a date like
+"1986-04-26" or a full timestamp like "19860426T042640" may be used.
+The time is considered to be UTC. The special notation "seconds=N"
+may be used to directly specify a the number of seconds since Epoch
+(Unix time). If it is not given the current time is used.
+
+@item Preferences: @var{string}
+Set the cipher, hash, and compression preference values for this key.
+This expects the same type of string as the sub-command @samp{setpref}
+in the @option{--edit-key} menu.
+
+@item Revoker: @var{algo}:@var{fpr} [sensitive]
+Add a designated revoker to the generated key. Algo is the public key
+algorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)
+@var{fpr} is the fingerprint of the designated revoker. The optional
+@samp{sensitive} flag marks the designated revoker as sensitive
+information. Only v4 keys may be designated revokers.
+
+@item Keyserver: @var{string}
+This is an optional parameter that specifies the preferred keyserver
+URL for the key.
+
+@item Handle: @var{string}
+This is an optional parameter only used with the status lines
+KEY_CREATED and KEY_NOT_CREATED. @var{string} may be up to 100
+characters and should not contain spaces. It is useful for batch key
+generation to associate a key parameter block with a status line.
+
+@end table
+
+@noindent
+Here is an example on how to create a key in an ephemeral home directory:
+@smallexample
+$ export GNUPGHOME="$(mktemp -d)"
+$ cat >foo <<EOF
+ %echo Generating a basic OpenPGP key
+ Key-Type: DSA
+ Key-Length: 1024
+ Subkey-Type: ELG-E
+ Subkey-Length: 1024
+ Name-Real: Joe Tester
+ Name-Comment: with stupid passphrase
+ Name-Email: joe@@foo.bar
+ Expire-Date: 0
+ Passphrase: abc
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+EOF
+$ @gpgname --batch --generate-key foo
+ [...]
+$ @gpgname --list-secret-keys
+/tmp/tmp.0NQxB74PEf/pubring.kbx
+-------------------------------
+sec dsa1024 2016-12-16 [SCA]
+ 768E895903FC1C44045C8CB95EEBDB71E9E849D0
+uid [ultimate] Joe Tester (with stupid passphrase) <joe@@foo.bar>
+ssb elg1024 2016-12-16 [E]
+@end smallexample
+
+@noindent
+If you want to create a key with the default algorithms you would use
+these parameters:
+@smallexample
+ %echo Generating a default key
+ Key-Type: default
+ Subkey-Type: default
+ Name-Real: Joe Tester
+ Name-Comment: with stupid passphrase
+ Name-Email: joe@@foo.bar
+ Expire-Date: 0
+ Passphrase: abc
+ # Do a commit here, so that we can later print "done" :-)
+ %commit
+ %echo done
+@end smallexample
+
+
+
+
+@mansect see also
+@ifset isman
+@command{gpgv}(1),
+@command{gpgsm}(1),
+@command{gpg-agent}(1)
+@end ifset
+@include see-also-note.texi
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
new file mode 100644
index 0000000..ba91aed
--- /dev/null
+++ b/doc/gpgsm.texi
@@ -0,0 +1,1696 @@
+@c Copyright (C) 2002 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@include defs.inc
+
+@node Invoking GPGSM
+@chapter Invoking GPGSM
+@cindex GPGSM command options
+@cindex command options
+@cindex options, GPGSM command
+
+@manpage gpgsm.1
+@ifset manverb
+.B gpgsm
+\- CMS encryption and signing tool
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgsm
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.I command
+.RI [ args ]
+@end ifset
+
+
+@mansect description
+@command{gpgsm} is a tool similar to @command{gpg} to provide digital
+encryption and signing services on X.509 certificates and the CMS
+protocol. It is mainly used as a backend for S/MIME mail processing.
+@command{gpgsm} includes a full featured certificate management and
+complies with all rules defined for the German Sphinx project.
+
+@manpause
+@xref{Option Index}, for an index to @command{GPGSM}'s commands and options.
+@mancont
+
+@menu
+* GPGSM Commands:: List of all commands.
+* GPGSM Options:: List of all options.
+* GPGSM Configuration:: Configuration files.
+* GPGSM Examples:: Some usage examples.
+
+Developer information:
+* Unattended Usage:: Using @command{gpgsm} from other programs.
+* GPGSM Protocol:: The protocol the server mode uses.
+@end menu
+
+@c *******************************************
+@c *************** ****************
+@c *************** COMMANDS ****************
+@c *************** ****************
+@c *******************************************
+@mansect commands
+@node GPGSM Commands
+@section Commands
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+@menu
+* General GPGSM Commands:: Commands not specific to the functionality.
+* Operational GPGSM Commands:: Commands to select the type of operation.
+* Certificate Management:: How to manage certificates.
+@end menu
+
+
+@c *******************************************
+@c ********** GENERAL COMMANDS *************
+@c *******************************************
+@node General GPGSM Commands
+@subsection Commands not specific to the function
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you
+cannot abbreviate this command.
+
+@item --help, -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --warranty
+@opindex warranty
+Print warranty information. Note that you cannot abbreviate this
+command.
+
+@item --dump-options
+@opindex dump-options
+Print a list of all available options and commands. Note that you cannot
+abbreviate this command.
+@end table
+
+
+@c *******************************************
+@c ******** OPERATIONAL COMMANDS ***********
+@c *******************************************
+@node Operational GPGSM Commands
+@subsection Commands to select the type of operation
+
+@table @gnupgtabopt
+@item --encrypt
+@opindex encrypt
+Perform an encryption. The keys the data is encrypted to must be set
+using the option @option{--recipient}.
+
+@item --decrypt
+@opindex decrypt
+Perform a decryption; the type of input is automatically determined. It
+may either be in binary form or PEM encoded; automatic determination of
+base-64 encoding is not done.
+
+@item --sign
+@opindex sign
+Create a digital signature. The key used is either the fist one found
+in the keybox or those set with the @option{--local-user} option.
+
+@item --verify
+@opindex verify
+Check a signature file for validity. Depending on the arguments a
+detached signature may also be checked.
+
+@item --server
+@opindex server
+Run in server mode and wait for commands on the @code{stdin}.
+
+@item --call-dirmngr @var{command} [@var{args}]
+@opindex call-dirmngr
+Behave as a Dirmngr client issuing the request @var{command} with the
+optional list of @var{args}. The output of the Dirmngr is printed
+stdout. Please note that file names given as arguments should have an
+absolute file name (i.e. commencing with @code{/}) because they are
+passed verbatim to the Dirmngr and the working directory of the
+Dirmngr might not be the same as the one of this client. Currently it
+is not possible to pass data via stdin to the Dirmngr. @var{command}
+should not contain spaces.
+
+This is command is required for certain maintaining tasks of the dirmngr
+where a dirmngr must be able to call back to @command{gpgsm}. See the Dirmngr
+manual for details.
+
+@item --call-protect-tool @var{arguments}
+@opindex call-protect-tool
+Certain maintenance operations are done by an external program call
+@command{gpg-protect-tool}; this is usually not installed in a directory
+listed in the PATH variable. This command provides a simple wrapper to
+access this tool. @var{arguments} are passed verbatim to this command;
+use @samp{--help} to get a list of supported operations.
+
+
+@end table
+
+
+@c *******************************************
+@c ******* CERTIFICATE MANAGEMENT **********
+@c *******************************************
+@node Certificate Management
+@subsection How to manage the certificates and keys
+
+@table @gnupgtabopt
+@item --generate-key
+@opindex generate-key
+@itemx --gen-key
+@opindex gen-key
+This command allows the creation of a certificate signing request or a
+self-signed certificate. It is commonly used along with the
+@option{--output} option to save the created CSR or certificate into a
+file. If used with the @option{--batch} a parameter file is used to
+create the CSR or certificate and it is further possible to create
+non-self-signed certificates.
+
+@item --list-keys
+@itemx -k
+@opindex list-keys
+List all available certificates stored in the local key database.
+Note that the displayed data might be reformatted for better human
+readability and illegal characters are replaced by safe substitutes.
+
+@item --list-secret-keys
+@itemx -K
+@opindex list-secret-keys
+List all available certificates for which a corresponding a secret key
+is available.
+
+@item --list-external-keys @var{pattern}
+@opindex list-keys
+List certificates matching @var{pattern} using an external server. This
+utilizes the @code{dirmngr} service.
+
+@item --list-chain
+@opindex list-chain
+Same as @option{--list-keys} but also prints all keys making up the chain.
+
+
+@item --dump-cert
+@itemx --dump-keys
+@opindex dump-cert
+@opindex dump-keys
+List all available certificates stored in the local key database using a
+format useful mainly for debugging.
+
+@item --dump-chain
+@opindex dump-chain
+Same as @option{--dump-keys} but also prints all keys making up the chain.
+
+@item --dump-secret-keys
+@opindex dump-secret-keys
+List all available certificates for which a corresponding a secret key
+is available using a format useful mainly for debugging.
+
+@item --dump-external-keys @var{pattern}
+@opindex dump-external-keys
+List certificates matching @var{pattern} using an external server.
+This utilizes the @code{dirmngr} service. It uses a format useful
+mainly for debugging.
+
+@item --keydb-clear-some-cert-flags
+@opindex keydb-clear-some-cert-flags
+This is a debugging aid to reset certain flags in the key database
+which are used to cache certain certificate stati. It is especially
+useful if a bad CRL or a weird running OCSP responder did accidentally
+revoke certificate. There is no security issue with this command
+because @command{gpgsm} always make sure that the validity of a certificate is
+checked right before it is used.
+
+@item --delete-keys @var{pattern}
+@opindex delete-keys
+Delete the keys matching @var{pattern}. Note that there is no command
+to delete the secret part of the key directly. In case you need to do
+this, you should run the command @code{gpgsm --dump-secret-keys KEYID}
+before you delete the key, copy the string of hex-digits in the
+``keygrip'' line and delete the file consisting of these hex-digits
+and the suffix @code{.key} from the @file{private-keys-v1.d} directory
+below our GnuPG home directory (usually @file{~/.gnupg}).
+
+@item --export [@var{pattern}]
+@opindex export
+Export all certificates stored in the Keybox or those specified by the
+optional @var{pattern}. Those pattern consist of a list of user ids
+(@pxref{how-to-specify-a-user-id}). When used along with the
+@option{--armor} option a few informational lines are prepended before
+each block. There is one limitation: As there is no commonly agreed
+upon way to pack more than one certificate into an ASN.1 structure,
+the binary export (i.e. without using @option{armor}) works only for
+the export of one certificate. Thus it is required to specify a
+@var{pattern} which yields exactly one certificate. Ephemeral
+certificate are only exported if all @var{pattern} are given as
+fingerprints or keygrips.
+
+@item --export-secret-key-p12 @var{key-id}
+@opindex export-secret-key-p12
+Export the private key and the certificate identified by @var{key-id}
+using the PKCS#12 format. When used with the @code{--armor} option a few
+informational lines are prepended to the output. Note, that the PKCS#12
+format is not very secure and proper transport security should be used
+to convey the exported key. (@xref{option --p12-charset}.)
+
+@item --export-secret-key-p8 @var{key-id}
+@itemx --export-secret-key-raw @var{key-id}
+@opindex export-secret-key-p8
+@opindex export-secret-key-raw
+Export the private key of the certificate identified by @var{key-id}
+with any encryption stripped. The @code{...-raw} command exports in
+PKCS#1 format; the @code{...-p8} command exports in PKCS#8 format.
+When used with the @code{--armor} option a few informational lines are
+prepended to the output. These commands are useful to prepare a key
+for use on a TLS server.
+
+@item --import [@var{files}]
+@opindex import
+Import the certificates from the PEM or binary encoded files as well as
+from signed-only messages. This command may also be used to import a
+secret key from a PKCS#12 file.
+
+@item --learn-card
+@opindex learn-card
+Read information about the private keys from the smartcard and import
+the certificates from there. This command utilizes the @command{gpg-agent}
+and in turn the @command{scdaemon}.
+
+@item --change-passphrase @var{user_id}
+@opindex change-passphrase
+@itemx --passwd @var{user_id}
+@opindex passwd
+Change the passphrase of the private key belonging to the certificate
+specified as @var{user_id}. Note, that changing the passphrase/PIN of a
+smartcard is not yet supported.
+
+@end table
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** OPTIONS ****************
+@c *************** ****************
+@c *******************************************
+@mansect options
+@node GPGSM Options
+@section Option Summary
+
+@command{GPGSM} features a bunch of options to control the exact behaviour
+and to change the default configuration.
+
+@menu
+* Configuration Options:: How to change the configuration.
+* Certificate Options:: Certificate related options.
+* Input and Output:: Input and Output.
+* CMS Options:: How to change how the CMS is created.
+* Esoteric Options:: Doing things one usually do not want to do.
+@end menu
+
+
+@c *******************************************
+@c ******** CONFIGURATION OPTIONS **********
+@c *******************************************
+@node Configuration Options
+@subsection How to change the configuration
+
+These options are used to change the configuration and are usually found
+in the option file.
+
+@table @gnupgtabopt
+
+@anchor{gpgsm-option --options}
+@item --options @var{file}
+@opindex options
+Reads configuration from @var{file} instead of from the default
+per-user configuration file. The default configuration file is named
+@file{gpgsm.conf} and expected in the @file{.gnupg} directory directly
+below the home directory of the user.
+
+@include opt-homedir.texi
+
+
+@item -v
+@item --verbose
+@opindex v
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @command{gpgsm}, such as @samp{-vv}.
+
+@item --keyserver @var{string}
+@opindex keyserver
+This is a deprecated option. It was used to add an LDAP server to use
+for X.509 certificate and CRL lookup. The alias @option{--ldapserver}
+existed from version 2.2.28 to 2.2.33 but is now entirely ignored.
+
+LDAP servers must be given in the configuration for @command{dirmngr}.
+
+
+@item --policy-file @var{filename}
+@opindex policy-file
+Change the default name of the policy file to @var{filename}.
+
+@item --agent-program @var{file}
+@opindex agent-program
+Specify an agent program to be used for secret key operations. The
+default value is determined by running the command @command{gpgconf}.
+Note that the pipe symbol (@code{|}) is used for a regression test
+suite hack and may thus not be used in the file name.
+
+@item --dirmngr-program @var{file}
+@opindex dirmngr-program
+Specify a dirmngr program to be used for @acronym{CRL} checks. The
+default value is @file{@value{BINDIR}/dirmngr}.
+
+@item --prefer-system-dirmngr
+@opindex prefer-system-dirmngr
+This option is obsolete and ignored.
+
+@item --disable-dirmngr
+Entirely disable the use of the Dirmngr.
+
+@item --no-autostart
+@opindex no-autostart
+Do not start the gpg-agent or the dirmngr if it has not yet been
+started and its service is required. This option is mostly useful on
+machines where the connection to gpg-agent has been redirected to
+another machines. If dirmngr is required on the remote machine, it
+may be started manually using @command{gpgconf --launch dirmngr}.
+
+@item --no-secmem-warning
+@opindex no-secmem-warning
+Do not print a warning when the so called "secure memory" cannot be used.
+
+@item --log-file @var{file}
+@opindex log-file
+When running in server mode, append all logging output to @var{file}.
+Use @file{socket://} to log to socket.
+
+@end table
+
+
+@c *******************************************
+@c ******** CERTIFICATE OPTIONS ************
+@c *******************************************
+@node Certificate Options
+@subsection Certificate related options
+
+@table @gnupgtabopt
+
+@item --enable-policy-checks
+@itemx --disable-policy-checks
+@opindex enable-policy-checks
+@opindex disable-policy-checks
+By default policy checks are enabled. These options may be used to
+change it.
+
+@item --enable-crl-checks
+@itemx --disable-crl-checks
+@opindex enable-crl-checks
+@opindex disable-crl-checks
+By default the @acronym{CRL} checks are enabled and the DirMngr is
+used to check for revoked certificates. The disable option is most
+useful with an off-line network connection to suppress this check and
+also to avoid that new certificates introduce a web bug by including a
+certificate specific CRL DP. The disable option also disables an
+issuer certificate lookup via the authorityInfoAccess property of the
+certificate; the @option{--enable-issuer-key-retrieve} can be used
+to make use of that property anyway.
+
+@item --enable-trusted-cert-crl-check
+@itemx --disable-trusted-cert-crl-check
+@opindex enable-trusted-cert-crl-check
+@opindex disable-trusted-cert-crl-check
+By default the @acronym{CRL} for trusted root certificates are checked
+like for any other certificates. This allows a CA to revoke its own
+certificates voluntary without the need of putting all ever issued
+certificates into a CRL. The disable option may be used to switch this
+extra check off. Due to the caching done by the Dirmngr, there will not be
+any noticeable performance gain. Note, that this also disables possible
+OCSP checks for trusted root certificates. A more specific way of
+disabling this check is by adding the ``relax'' keyword to the root CA
+line of the @file{trustlist.txt}
+
+
+@item --force-crl-refresh
+@opindex force-crl-refresh
+Tell the dirmngr to reload the CRL for each request. For better
+performance, the dirmngr will actually optimize this by suppressing
+the loading for short time intervals (e.g. 30 minutes). This option
+is useful to make sure that a fresh CRL is available for certificates
+hold in the keybox. The suggested way of doing this is by using it
+along with the option @option{--with-validation} for a key listing
+command. This option should not be used in a configuration file.
+
+@item --enable-issuer-based-crl-check
+@opindex enable-issuer-based-crl-check
+Run a CRL check even for certificates which do not have any CRL
+distribution point. This requires that a suitable LDAP server has
+been configured in Dirmngr and that the CRL can be found using the
+issuer. This option reverts to what GnuPG did up to version 2.2.20.
+This option is in general not useful.
+
+@item --enable-ocsp
+@itemx --disable-ocsp
+@opindex enable-ocsp
+@opindex disable-ocsp
+By default @acronym{OCSP} checks are disabled. The enable option may
+be used to enable OCSP checks via Dirmngr. If @acronym{CRL} checks
+are also enabled, CRLs will be used as a fallback if for some reason an
+OCSP request will not succeed. Note, that you have to allow OCSP
+requests in Dirmngr's configuration too (option
+@option{--allow-ocsp}) and configure Dirmngr properly. If you do not do
+so you will get the error code @samp{Not supported}.
+
+@item --auto-issuer-key-retrieve
+@opindex auto-issuer-key-retrieve
+If a required certificate is missing while validating the chain of
+certificates, try to load that certificate from an external location.
+This usually means that Dirmngr is employed to search for the
+certificate. Note that this option makes a "web bug" like behavior
+possible. LDAP server operators can see which keys you request, so by
+sending you a message signed by a brand new key (which you naturally
+will not have on your local keybox), the operator can tell both your IP
+address and the time when you verified the signature.
+
+
+@anchor{gpgsm-option --validation-model}
+@item --validation-model @var{name}
+@opindex validation-model
+This option changes the default validation model. The only possible
+values are "shell" (which is the default), "chain" which forces the
+use of the chain model and "steed" for a new simplified model. The
+chain model is also used if an option in the @file{trustlist.txt} or
+an attribute of the certificate requests it. However the standard
+model (shell) is in that case always tried first.
+
+@item --ignore-cert-extension @var{oid}
+@opindex ignore-cert-extension
+Add @var{oid} to the list of ignored certificate extensions. The
+@var{oid} is expected to be in dotted decimal form, like
+@code{2.5.29.3}. This option may be used more than once. Critical
+flagged certificate extensions matching one of the OIDs in the list
+are treated as if they are actually handled and thus the certificate
+will not be rejected due to an unknown critical extension. Use this
+option with care because extensions are usually flagged as critical
+for a reason.
+
+@end table
+
+@c *******************************************
+@c *********** INPUT AND OUTPUT ************
+@c *******************************************
+@node Input and Output
+@subsection Input and Output
+
+@table @gnupgtabopt
+@item --armor
+@itemx -a
+@opindex armor
+Create PEM encoded output. Default is binary output.
+
+@item --base64
+@opindex base64
+Create Base-64 encoded output; i.e. PEM without the header lines.
+
+@item --assume-armor
+@opindex assume-armor
+Assume the input data is PEM encoded. Default is to autodetect the
+encoding but this is may fail.
+
+@item --assume-base64
+@opindex assume-base64
+Assume the input data is plain base-64 encoded.
+
+@item --assume-binary
+@opindex assume-binary
+Assume the input data is binary encoded.
+
+@anchor{option --p12-charset}
+@item --p12-charset @var{name}
+@opindex p12-charset
+@command{gpgsm} uses the UTF-8 encoding when encoding passphrases for
+PKCS#12 files. This option may be used to force the passphrase to be
+encoded in the specified encoding @var{name}. This is useful if the
+application used to import the key uses a different encoding and thus
+will not be able to import a file generated by @command{gpgsm}. Commonly
+used values for @var{name} are @code{Latin1} and @code{CP850}. Note
+that @command{gpgsm} itself automagically imports any file with a
+passphrase encoded to the most commonly used encodings.
+
+
+@item --default-key @var{user_id}
+@opindex default-key
+Use @var{user_id} as the standard key for signing. This key is used if
+no other key has been defined as a signing key. Note, that the first
+@option{--local-users} option also sets this key if it has not yet been
+set; however @option{--default-key} always overrides this.
+
+
+@item --local-user @var{user_id}
+@item -u @var{user_id}
+@opindex local-user
+Set the user(s) to be used for signing. The default is the first
+secret key found in the database.
+
+
+@item --recipient @var{name}
+@itemx -r
+@opindex recipient
+Encrypt to the user id @var{name}. There are several ways a user id
+may be given (@pxref{how-to-specify-a-user-id}).
+
+
+@item --output @var{file}
+@itemx -o @var{file}
+@opindex output
+Write output to @var{file}. The default is to write it to stdout.
+
+
+@anchor{gpgsm-option --with-key-data}
+@item --with-key-data
+@opindex with-key-data
+Displays extra information with the @code{--list-keys} commands. Especially
+a line tagged @code{grp} is printed which tells you the keygrip of a
+key. This string is for example used as the file name of the
+secret key. Implies @code{--with-colons}.
+
+@anchor{gpgsm-option --with-validation}
+@item --with-validation
+@opindex with-validation
+When doing a key listing, do a full validation check for each key and
+print the result. This is usually a slow operation because it
+requires a CRL lookup and other operations.
+
+When used along with @option{--import}, a validation of the certificate to
+import is done and only imported if it succeeds the test. Note that
+this does not affect an already available certificate in the DB.
+This option is therefore useful to simply verify a certificate.
+
+
+@item --with-md5-fingerprint
+For standard key listings, also print the MD5 fingerprint of the
+certificate.
+
+@item --with-keygrip
+Include the keygrip in standard key listings. Note that the keygrip is
+always listed in @option{--with-colons} mode.
+
+@item --with-secret
+@opindex with-secret
+Include info about the presence of a secret key in public key listings
+done with @code{--with-colons}.
+
+@end table
+
+@c *******************************************
+@c ************* CMS OPTIONS ***************
+@c *******************************************
+@node CMS Options
+@subsection How to change how the CMS is created
+
+@table @gnupgtabopt
+@item --include-certs @var{n}
+@opindex include-certs
+Using @var{n} of -2 includes all certificate except for the root cert,
+-1 includes all certs, 0 does not include any certs, 1 includes only the
+signers cert and all other positive values include up to @var{n}
+certificates starting with the signer cert. The default is -2.
+
+@item --cipher-algo @var{oid}
+@opindex cipher-algo
+Use the cipher algorithm with the ASN.1 object identifier @var{oid} for
+encryption. For convenience the strings @code{3DES}, @code{AES} and
+@code{AES256} may be used instead of their OIDs. The default is
+@code{AES} (2.16.840.1.101.3.4.1.2).
+
+@item --digest-algo @code{name}
+Use @code{name} as the message digest algorithm. Usually this
+algorithm is deduced from the respective signing certificate. This
+option forces the use of the given algorithm and may lead to severe
+interoperability problems.
+
+@end table
+
+
+
+@c *******************************************
+@c ******** ESOTERIC OPTIONS ***************
+@c *******************************************
+@node Esoteric Options
+@subsection Doing things one usually do not want to do
+
+
+@table @gnupgtabopt
+
+@item --extra-digest-algo @var{name}
+@opindex extra-digest-algo
+Sometimes signatures are broken in that they announce a different digest
+algorithm than actually used. @command{gpgsm} uses a one-pass data
+processing model and thus needs to rely on the announced digest
+algorithms to properly hash the data. As a workaround this option may
+be used to tell @command{gpgsm} to also hash the data using the algorithm
+@var{name}; this slows processing down a little bit but allows verification of
+such broken signatures. If @command{gpgsm} prints an error like
+``digest algo 8 has not been enabled'' you may want to try this option,
+with @samp{SHA256} for @var{name}.
+
+@item --compliance @var{string}
+@opindex compliance
+Set the compliance mode. Valid values are shown when using "help" for
+@var{string}.
+
+@item --min-rsa-length @var{n}
+@opindex min-rsa-length
+This option adjusts the compliance mode "de-vs" for stricter key size
+requirements. For example, a value of 3000 turns rsa2048 and dsa2048
+keys into non-VS-NfD compliant keys.
+
+@item --require-compliance
+@opindex require-compliance
+To check that data has been encrypted according to the rules of the
+current compliance mode, a gpgsm user needs to evaluate the status
+lines. This is allows frontends to handle compliance check in a more
+flexible way. However, for scripted use the required evaluation of
+the status-line requires quite some effort; this option can be used
+instead to make sure that the gpgsm process exits with a failure if
+the compliance rules are not fulfilled. Note that this option has
+currently an effect only in "de-vs" mode.
+
+@item --ignore-cert-with-oid @var{oid}
+@opindex ignore-cert-with-oid
+Add @var{oid} to the list of OIDs to be checked while reading
+certificates from smartcards. The @var{oid} is expected to be in
+dotted decimal form, like @code{2.5.29.3}. This option may be used
+more than once. As of now certificates with an extended key usage
+matching one of those OIDs are ignored during a @option{--learn-card}
+operation and not imported. This option can help to keep the local
+key database clear of unneeded certificates stored on smartcards.
+
+@item --faked-system-time @var{epoch}
+@opindex faked-system-time
+This option is only useful for testing; it sets the system time back or
+forth to @var{epoch} which is the number of seconds elapsed since the year
+1970. Alternatively @var{epoch} may be given as a full ISO time string
+(e.g. "20070924T154812").
+
+@item --with-ephemeral-keys
+@opindex with-ephemeral-keys
+Include ephemeral flagged keys in the output of key listings. Note
+that they are included anyway if the key specification for a listing
+is given as fingerprint or keygrip.
+
+@item --compatibility-flags @var{flags}
+@opindex compatibility-flags
+Set compatibility flags to work around problems due to non-compliant
+certificates or data. The @var{flags} are given as a comma separated
+list of flag names and are OR-ed together. The special flag "none"
+clears the list and allows to start over with an empty list. To get a
+list of available flags the sole word "help" can be used.
+
+@item --debug-level @var{level}
+@opindex debug-level
+Select the debug level for investigating problems. @var{level} may be
+a numeric value or by a keyword:
+
+@table @code
+@item none
+No debugging at all. A value of less than 1 may be used instead of
+the keyword.
+@item basic
+Some basic debug messages. A value between 1 and 2 may be used
+instead of the keyword.
+@item advanced
+More verbose debug messages. A value between 3 and 5 may be used
+instead of the keyword.
+@item expert
+Even more detailed messages. A value between 6 and 8 may be used
+instead of the keyword.
+@item guru
+All of the debug messages you can get. A value greater than 8 may be
+used instead of the keyword. The creation of hash tracing files is
+only enabled if the keyword is used.
+@end table
+
+How these messages are mapped to the actual debugging flags is not
+specified and may change with newer releases of this program. They are
+however carefully selected to best aid in debugging.
+
+@item --debug @var{flags}
+@opindex debug
+This option is only useful for debugging and the behaviour may change
+at any time without notice; using @code{--debug-levels} is the
+preferred method to select the debug verbosity. FLAGS are bit encoded
+and may be given in usual C-Syntax. The currently defined bits are:
+
+@table @code
+@item 0 (1)
+X.509 or OpenPGP protocol related data
+@item 1 (2)
+values of big number integers
+@item 2 (4)
+low level crypto operations
+@item 5 (32)
+memory allocation
+@item 6 (64)
+caching
+@item 7 (128)
+show memory statistics
+@item 9 (512)
+write hashed data to files named @code{dbgmd-000*}
+@item 10 (1024)
+trace Assuan protocol
+@end table
+
+Note, that all flags set using this option may get overridden by
+@code{--debug-level}.
+
+@item --debug-all
+@opindex debug-all
+Same as @code{--debug=0xffffffff}
+
+@item --debug-allow-core-dump
+@opindex debug-allow-core-dump
+Usually @command{gpgsm} tries to avoid dumping core by well written code and by
+disabling core dumps for security reasons. However, bugs are pretty
+durable beasts and to squash them it is sometimes useful to have a core
+dump. This option enables core dumps unless the Bad Thing happened
+before the option parsing.
+
+@item --debug-no-chain-validation
+@opindex debug-no-chain-validation
+This is actually not a debugging option but only useful as such. It
+lets @command{gpgsm} bypass all certificate chain validation checks.
+
+@item --debug-ignore-expiration
+@opindex debug-ignore-expiration
+This is actually not a debugging option but only useful as such. It
+lets @command{gpgsm} ignore all notAfter dates, this is used by the regression
+tests.
+
+@item --passphrase-fd @code{n}
+@opindex passphrase-fd
+Read the passphrase from file descriptor @code{n}. Only the first line
+will be read from file descriptor @code{n}. If you use 0 for @code{n},
+the passphrase will be read from STDIN. This can only be used if only
+one passphrase is supplied.
+
+Note that this passphrase is only used if the option @option{--batch}
+has also been given.
+
+@item --pinentry-mode @code{mode}
+@opindex pinentry-mode
+Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
+are:
+@table @asis
+ @item default
+ Use the default of the agent, which is @code{ask}.
+ @item ask
+ Force the use of the Pinentry.
+ @item cancel
+ Emulate use of Pinentry's cancel button.
+ @item error
+ Return a Pinentry error (``No Pinentry'').
+ @item loopback
+ Redirect Pinentry queries to the caller. Note that in contrast to
+ Pinentry the user is not prompted again if he enters a bad password.
+@end table
+
+@item --request-origin @var{origin}
+@opindex request-origin
+Tell gpgsm to assume that the operation ultimately originated at
+@var{origin}. Depending on the origin certain restrictions are applied
+and the Pinentry may include an extra note on the origin. Supported
+values for @var{origin} are: @code{local} which is the default,
+@code{remote} to indicate a remote origin or @code{browser} for an
+operation requested by a web browser.
+
+@item --no-common-certs-import
+@opindex no-common-certs-import
+Suppress the import of common certificates on keybox creation.
+
+@end table
+
+All the long options may also be given in the configuration file after
+stripping off the two leading dashes.
+
+@c *******************************************
+@c *************** ****************
+@c *************** USER ID ****************
+@c *************** ****************
+@c *******************************************
+@mansect how to specify a user id
+@ifset isman
+@include specify-user-id.texi
+@end ifset
+
+@c *******************************************
+@c *************** ****************
+@c *************** FILES ****************
+@c *************** ****************
+@c *******************************************
+@mansect files
+@node GPGSM Configuration
+@section Configuration files
+
+There are a few configuration files to control certain aspects of
+@command{gpgsm}'s operation. Unless noted, they are expected in the
+current home directory (@pxref{option --homedir}).
+
+@table @file
+
+@item gpgsm.conf
+@efindex gpgsm.conf
+This is the standard configuration file read by @command{gpgsm} on
+startup. It may contain any valid long option; the leading two dashes
+may not be entered and the option may not be abbreviated. This default
+name may be changed on the command line (@pxref{gpgsm-option --options}).
+You should backup this file.
+
+
+@item policies.txt
+@efindex policies.txt
+This is a list of allowed CA policies. This file should list the
+object identifiers of the policies line by line. Empty lines and
+lines starting with a hash mark are ignored. Policies missing in this
+file and not marked as critical in the certificate will print only a
+warning; certificates with policies marked as critical and not listed
+in this file will fail the signature verification. You should backup
+this file.
+
+For example, to allow only the policy 2.289.9.9, the file should look
+like this:
+
+@c man:.RS
+@example
+# Allowed policies
+2.289.9.9
+@end example
+@c man:.RE
+
+@item qualified.txt
+@efindex qualified.txt
+This is the list of root certificates used for qualified certificates.
+They are defined as certificates capable of creating legally binding
+signatures in the same way as handwritten signatures are. Comments
+start with a hash mark and empty lines are ignored. Lines do have a
+length limit but this is not a serious limitation as the format of the
+entries is fixed and checked by @command{gpgsm}: A non-comment line starts with
+optional whitespace, followed by exactly 40 hex characters, white space
+and a lowercased 2 letter country code. Additional data delimited with
+by a white space is current ignored but might late be used for other
+purposes.
+
+Note that even if a certificate is listed in this file, this does not
+mean that the certificate is trusted; in general the certificates listed
+in this file need to be listed also in @file{trustlist.txt}.
+
+This is a global file an installed in the data directory
+(e.g. @file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable
+file with root certificates as used in Germany. As new Root-CA
+certificates may be issued over time, these entries may need to be
+updated; new distributions of this software should come with an updated
+list but it is still the responsibility of the Administrator to check
+that this list is correct.
+
+Every time @command{gpgsm} uses a certificate for signing or verification
+this file will be consulted to check whether the certificate under
+question has ultimately been issued by one of these CAs. If this is the
+case the user will be informed that the verified signature represents a
+legally binding (``qualified'') signature. When creating a signature
+using such a certificate an extra prompt will be issued to let the user
+confirm that such a legally binding signature shall really be created.
+
+Because this software has not yet been approved for use with such
+certificates, appropriate notices will be shown to indicate this fact.
+
+@item help.txt
+@efindex help.txt
+This is plain text file with a few help entries used with
+@command{pinentry} as well as a large list of help items for
+@command{gpg} and @command{gpgsm}. The standard file has English help
+texts; to install localized versions use filenames like @file{help.LL.txt}
+with LL denoting the locale. GnuPG comes with a set of predefined help
+files in the data directory (e.g. @file{@value{DATADIR}/gnupg/help.de.txt})
+and allows overriding of any help item by help files stored in the
+system configuration directory (e.g. @file{@value{SYSCONFDIR}/help.de.txt}).
+For a reference of the help file's syntax, please see the installed
+@file{help.txt} file.
+
+
+@item com-certs.pem
+@efindex com-certs.pem
+This file is a collection of common certificates used to populated a
+newly created @file{pubring.kbx}. An administrator may replace this
+file with a custom one. The format is a concatenation of PEM encoded
+X.509 certificates. This global file is installed in the data directory
+(e.g. @file{@value{DATADIR}/com-certs.pem}).
+
+@end table
+
+@c man:.RE
+Note that on larger installations, it is useful to put predefined files
+into the directory @file{/etc/skel/.gnupg/} so that newly created users
+start up with a working configuration. For existing users a small
+helper script is provided to create these files (@pxref{addgnupghome}).
+
+For internal purposes @command{gpgsm} creates and maintains a few other files;
+they all live in the current home directory (@pxref{option
+--homedir}). Only @command{gpgsm} may modify these files.
+
+
+@table @file
+@item pubring.kbx
+@efindex pubring.kbx
+This a database file storing the certificates as well as meta
+information. For debugging purposes the tool @command{kbxutil} may be
+used to show the internal structure of this file. You should backup
+this file.
+
+@item random_seed
+@efindex random_seed
+This content of this file is used to maintain the internal state of the
+random number generator across invocations. The same file is used by
+other programs of this software too.
+
+@item S.gpg-agent
+@efindex S.gpg-agent
+If this file exists
+@command{gpgsm} will first try to connect to this socket for
+accessing @command{gpg-agent} before starting a new @command{gpg-agent}
+instance. Under Windows this socket (which in reality be a plain file
+describing a regular TCP listening port) is the standard way of
+connecting the @command{gpg-agent}.
+
+@end table
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** EXAMPLES ****************
+@c *************** ****************
+@c *******************************************
+@mansect examples
+@node GPGSM Examples
+@section Examples
+
+@example
+$ gpgsm -er goo@@bar.net <plaintext >ciphertext
+@end example
+
+
+@c *******************************************
+@c *************** **************
+@c *************** UNATTENDED **************
+@c *************** **************
+@c *******************************************
+@manpause
+@node Unattended Usage
+@section Unattended Usage
+
+@command{gpgsm} is often used as a backend engine by other software. To help
+with this a machine interface has been defined to have an unambiguous
+way to do this. This is most likely used with the @code{--server} command
+but may also be used in the standard operation mode by using the
+@code{--status-fd} option.
+
+@menu
+* Automated signature checking:: Automated signature checking.
+* CSR and certificate creation:: CSR and certificate creation.
+@end menu
+
+@node Automated signature checking
+@subsection Automated signature checking
+
+It is very important to understand the semantics used with signature
+verification. Checking a signature is not as simple as it may sound and
+so the operation is a bit complicated. In most cases it is required
+to look at several status lines. Here is a table of all cases a signed
+message may have:
+
+@table @asis
+@item The signature is valid
+This does mean that the signature has been successfully verified, the
+certificates are all sane. However there are two subcases with
+important information: One of the certificates may have expired or a
+signature of a message itself as expired. It is a sound practise to
+consider such a signature still as valid but additional information
+should be displayed. Depending on the subcase @command{gpgsm} will issue
+these status codes:
+ @table @asis
+ @item signature valid and nothing did expire
+ @code{GOODSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
+ @item signature valid but at least one certificate has expired
+ @code{EXPKEYSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
+ @item signature valid but expired
+ @code{EXPSIG}, @code{VALIDSIG}, @code{TRUST_FULLY}
+ Note, that this case is currently not implemented.
+ @end table
+
+@item The signature is invalid
+This means that the signature verification failed (this is an indication
+of a transfer error, a program error or tampering with the message).
+@command{gpgsm} issues one of these status codes sequences:
+ @table @code
+ @item @code{BADSIG}
+ @item @code{GOODSIG}, @code{VALIDSIG} @code{TRUST_NEVER}
+ @end table
+
+@item Error verifying a signature
+For some reason the signature could not be verified, i.e. it cannot be
+decided whether the signature is valid or invalid. A common reason for
+this is a missing certificate.
+
+@end table
+
+@node CSR and certificate creation
+@subsection CSR and certificate creation
+
+The command @option{--generate-key} may be used along with the option
+@option{--batch} to either create a certificate signing request (CSR)
+or an X.509 certificate. This is controlled by a parameter file; the
+format of this file is as follows:
+
+@itemize @bullet
+@item Text only, line length is limited to about 1000 characters.
+@item UTF-8 encoding must be used to specify non-ASCII characters.
+@item Empty lines are ignored.
+@item Leading and trailing while space is ignored.
+@item A hash sign as the first non white space character indicates
+a comment line.
+@item Control statements are indicated by a leading percent sign, the
+arguments are separated by white space from the keyword.
+@item Parameters are specified by a keyword, followed by a colon. Arguments
+are separated by white space.
+@item The first parameter must be @samp{Key-Type}, control statements
+may be placed anywhere.
+@item
+The order of the parameters does not matter except for @samp{Key-Type}
+which must be the first parameter. The parameters are only used for
+the generated CSR/certificate; parameters from previous sets are not
+used. Some syntactically checks may be performed.
+@item
+Key generation takes place when either the end of the parameter file
+is reached, the next @samp{Key-Type} parameter is encountered or at the
+control statement @samp{%commit} is encountered.
+@end itemize
+
+@noindent
+Control statements:
+
+@table @asis
+
+@item %echo @var{text}
+Print @var{text} as diagnostic.
+
+@item %dry-run
+Suppress actual key generation (useful for syntax checking).
+
+@item %commit
+Perform the key generation. Note that an implicit commit is done at
+the next @asis{Key-Type} parameter.
+
+@c %certfile <filename>
+@c [Not yet implemented!]
+@c Do not write the certificate to the keyDB but to <filename>.
+@c This must be given before the first
+@c commit to take place, duplicate specification of the same filename
+@c is ignored, the last filename before a commit is used.
+@c The filename is used until a new filename is used (at commit points)
+@c and all keys are written to that file. If a new filename is given,
+@c this file is created (and overwrites an existing one).
+@c Both control statements must be given.
+@end table
+
+@noindent
+General Parameters:
+
+@table @asis
+
+@item Key-Type: @var{algo}
+Starts a new parameter block by giving the type of the primary
+key. The algorithm must be capable of signing. This is a required
+parameter. The only supported value for @var{algo} is @samp{rsa}.
+
+@item Key-Length: @var{nbits}
+The requested length of a generated key in bits. Defaults to 3072.
+
+@item Key-Grip: @var{hexstring}
+This is optional and used to generate a CSR or certificate for an
+already existing key. Key-Length will be ignored when given.
+
+@item Key-Usage: @var{usage-list}
+Space or comma delimited list of key usage, allowed values are
+@samp{encrypt}, @samp{sign} and @samp{cert}. This is used to generate
+the keyUsage extension. Please make sure that the algorithm is
+capable of this usage. Default is to allow encrypt and sign.
+
+@item Name-DN: @var{subject-name}
+This is the Distinguished Name (DN) of the subject in RFC-2253 format.
+
+@item Name-Email: @var{string}
+This is an email address for the altSubjectName. This parameter is
+optional but may occur several times to add several email addresses to
+a certificate.
+
+@item Name-DNS: @var{string}
+The is an DNS name for the altSubjectName. This parameter is optional
+but may occur several times to add several DNS names to a certificate.
+
+@item Name-URI: @var{string}
+This is an URI for the altSubjectName. This parameter is optional but
+may occur several times to add several URIs to a certificate.
+@end table
+
+@noindent
+Additional parameters used to create a certificate (in contrast to a
+certificate signing request):
+
+@table @asis
+
+@item Serial: @var{sn}
+If this parameter is given an X.509 certificate will be generated.
+@var{sn} is expected to be a hex string representing an unsigned
+integer of arbitrary length. The special value @samp{random} can be
+used to create a 64 bit random serial number.
+
+@item Issuer-DN: @var{issuer-name}
+This is the DN name of the issuer in RFC-2253 format. If it is not set
+it will default to the subject DN and a special GnuPG extension will
+be included in the certificate to mark it as a standalone certificate.
+
+@item Creation-Date: @var{iso-date}
+@itemx Not-Before: @var{iso-date}
+Set the notBefore date of the certificate. Either a date like
+@samp{1986-04-26} or @samp{1986-04-26 12:00} or a standard ISO
+timestamp like @samp{19860426T042640} may be used. The time is
+considered to be UTC. If it is not given the current date is used.
+
+@item Expire-Date: @var{iso-date}
+@itemx Not-After: @var{iso-date}
+Set the notAfter date of the certificate. Either a date like
+@samp{2063-04-05} or @samp{2063-04-05 17:00} or a standard ISO
+timestamp like @samp{20630405T170000} may be used. The time is
+considered to be UTC. If it is not given a default value in the not
+too far future is used.
+
+@item Signing-Key: @var{keygrip}
+This gives the keygrip of the key used to sign the certificate. If it
+is not given a self-signed certificate will be created. For
+compatibility with future versions, it is suggested to prefix the
+keygrip with a @samp{&}.
+
+@item Hash-Algo: @var{hash-algo}
+Use @var{hash-algo} for this CSR or certificate. The supported hash
+algorithms are: @samp{sha1}, @samp{sha256}, @samp{sha384} and
+@samp{sha512}; they may also be specified with uppercase letters. The
+default is @samp{sha256}.
+
+@end table
+
+@c *******************************************
+@c *************** *****************
+@c *************** ASSSUAN *****************
+@c *************** *****************
+@c *******************************************
+@node GPGSM Protocol
+@section The Protocol the Server Mode Uses
+
+Description of the protocol used to access @command{GPGSM}.
+@command{GPGSM} does implement the Assuan protocol and in addition
+provides a regular command line interface which exhibits a full client
+to this protocol (but uses internal linking). To start
+@command{gpgsm} as a server the command line the option
+@code{--server} must be used. Additional options are provided to
+select the communication method (i.e. the name of the socket).
+
+We assume that the connection has already been established; see the
+Assuan manual for details.
+
+@menu
+* GPGSM ENCRYPT:: Encrypting a message.
+* GPGSM DECRYPT:: Decrypting a message.
+* GPGSM SIGN:: Signing a message.
+* GPGSM VERIFY:: Verifying a message.
+* GPGSM GENKEY:: Generating a key.
+* GPGSM LISTKEYS:: List available keys.
+* GPGSM EXPORT:: Export certificates.
+* GPGSM IMPORT:: Import certificates.
+* GPGSM DELETE:: Delete certificates.
+* GPGSM GETAUDITLOG:: Retrieve an audit log.
+* GPGSM GETINFO:: Information about the process
+* GPGSM OPTION:: Session options.
+@end menu
+
+
+@node GPGSM ENCRYPT
+@subsection Encrypting a Message
+
+Before encryption can be done the recipient must be set using the
+command:
+
+@example
+ RECIPIENT @var{userID}
+@end example
+
+Set the recipient for the encryption. @var{userID} should be the
+internal representation of the key; the server may accept any other way
+of specification. If this is a valid and trusted recipient the server
+does respond with OK, otherwise the return is an ERR with the reason why
+the recipient cannot be used, the encryption will then not be done for
+this recipient. If the policy is not to encrypt at all if not all
+recipients are valid, the client has to take care of this. All
+@code{RECIPIENT} commands are cumulative until a @code{RESET} or an
+successful @code{ENCRYPT} command.
+
+@example
+ INPUT FD[=@var{n}] [--armor|--base64|--binary]
+@end example
+
+Set the file descriptor for the message to be encrypted to @var{n}.
+Obviously the pipe must be open at that point, the server establishes
+its own end. If the server returns an error the client should consider
+this session failed. If @var{n} is not given, this commands uses the
+last file descriptor passed to the application.
+@xref{fun-assuan_sendfd, ,the assuan_sendfd function,assuan,the Libassuan
+manual}, on how to do descriptor passing.
+
+The @code{--armor} option may be used to advise the server that the
+input data is in @acronym{PEM} format, @code{--base64} advises that a
+raw base-64 encoding is used, @code{--binary} advises of raw binary
+input (@acronym{BER}). If none of these options is used, the server
+tries to figure out the used encoding, but this may not always be
+correct.
+
+@example
+ OUTPUT FD[=@var{n}] [--armor|--base64]
+@end example
+
+Set the file descriptor to be used for the output (i.e. the encrypted
+message). Obviously the pipe must be open at that point, the server
+establishes its own end. If the server returns an error the client
+should consider this session failed.
+
+The option @option{--armor} encodes the output in @acronym{PEM} format, the
+@option{--base64} option applies just a base-64 encoding. No option
+creates binary output (@acronym{BER}).
+
+The actual encryption is done using the command
+
+@example
+ ENCRYPT
+@end example
+
+It takes the plaintext from the @code{INPUT} command, writes to the
+ciphertext to the file descriptor set with the @code{OUTPUT} command,
+take the recipients from all the recipients set so far. If this command
+fails the clients should try to delete all output currently done or
+otherwise mark it as invalid. @command{GPGSM} does ensure that there
+will not be any
+security problem with leftover data on the output in this case.
+
+This command should in general not fail, as all necessary checks have
+been done while setting the recipients. The input and output pipes are
+closed.
+
+
+@node GPGSM DECRYPT
+@subsection Decrypting a message
+
+Input and output FDs are set the same way as in encryption, but
+@code{INPUT} refers to the ciphertext and @code{OUTPUT} to the plaintext. There
+is no need to set recipients. @command{GPGSM} automatically strips any
+@acronym{S/MIME} headers from the input, so it is valid to pass an
+entire MIME part to the INPUT pipe.
+
+The decryption is done by using the command
+
+@example
+ DECRYPT
+@end example
+
+It performs the decrypt operation after doing some check on the internal
+state (e.g. that all needed data has been set). Because it utilizes
+the GPG-Agent for the session key decryption, there is no need to ask
+the client for a protecting passphrase - GpgAgent takes care of this by
+requesting this from the user.
+
+
+@node GPGSM SIGN
+@subsection Signing a Message
+
+Signing is usually done with these commands:
+
+@example
+ INPUT FD[=@var{n}] [--armor|--base64|--binary]
+@end example
+
+This tells @command{GPGSM} to read the data to sign from file descriptor @var{n}.
+
+@example
+ OUTPUT FD[=@var{m}] [--armor|--base64]
+@end example
+
+Write the output to file descriptor @var{m}. If a detached signature is
+requested, only the signature is written.
+
+@example
+ SIGN [--detached]
+@end example
+
+Sign the data set with the @code{INPUT} command and write it to the sink set by
+@code{OUTPUT}. With @code{--detached}, a detached signature is created
+(surprise).
+
+The key used for signing is the default one or the one specified in
+the configuration file. To get finer control over the keys, it is
+possible to use the command
+
+@example
+ SIGNER @var{userID}
+@end example
+
+to set the signer's key. @var{userID} should be the
+internal representation of the key; the server may accept any other way
+of specification. If this is a valid and trusted recipient the server
+does respond with OK, otherwise the return is an ERR with the reason why
+the key cannot be used, the signature will then not be created using
+this key. If the policy is not to sign at all if not all
+keys are valid, the client has to take care of this. All
+@code{SIGNER} commands are cumulative until a @code{RESET} is done.
+Note that a @code{SIGN} does not reset this list of signers which is in
+contrast to the @code{RECIPIENT} command.
+
+
+@node GPGSM VERIFY
+@subsection Verifying a Message
+
+To verify a message the command:
+
+@example
+ VERIFY
+@end example
+
+is used. It does a verify operation on the message send to the input FD.
+The result is written out using status lines. If an output FD was
+given, the signed text will be written to that. If the signature is a
+detached one, the server will inquire about the signed material and the
+client must provide it.
+
+@node GPGSM GENKEY
+@subsection Generating a Key
+
+This is used to generate a new keypair, store the secret part in the
+@acronym{PSE} and the public key in the key database. We will probably
+add optional commands to allow the client to select whether a hardware
+token is used to store the key. Configuration options to
+@command{GPGSM} can be used to restrict the use of this command.
+
+@example
+ GENKEY
+@end example
+
+@command{GPGSM} checks whether this command is allowed and then does an
+INQUIRY to get the key parameters, the client should then send the
+key parameters in the native format:
+
+@example
+ S: INQUIRE KEY_PARAM native
+ C: D foo:fgfgfg
+ C: D bar
+ C: END
+@end example
+
+Please note that the server may send Status info lines while reading the
+data lines from the client. After this the key generation takes place
+and the server eventually does send an ERR or OK response. Status lines
+may be issued as a progress indicator.
+
+
+@node GPGSM LISTKEYS
+@subsection List available keys
+@anchor{gpgsm-cmd listkeys}
+
+To list the keys in the internal database or using an external key
+provider, the command:
+
+@example
+ LISTKEYS @var{pattern}
+@end example
+
+is used. To allow multiple patterns (which are ORed during the search)
+quoting is required: Spaces are to be translated into "+" or into "%20";
+in turn this requires that the usual escape quoting rules are done.
+
+@example
+ LISTSECRETKEYS @var{pattern}
+@end example
+
+Lists only the keys where a secret key is available.
+
+The list commands are affected by the option
+
+@example
+ OPTION list-mode=@var{mode}
+@end example
+
+where mode may be:
+@table @code
+@item 0
+Use default (which is usually the same as 1).
+@item 1
+List only the internal keys.
+@item 2
+List only the external keys.
+@item 3
+List internal and external keys.
+@end table
+
+Note that options are valid for the entire session.
+
+
+@node GPGSM EXPORT
+@subsection Export certificates
+
+To export certificate from the internal key database the command:
+
+@example
+ EXPORT [--data [--armor] [--base64]] [--] @var{pattern}
+@end example
+
+is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+If the @option{--data} option has not been given, the format of the
+output depends on what was set with the @code{OUTPUT} command. When using
+@acronym{PEM} encoding a few informational lines are prepended.
+
+If the @option{--data} has been given, a target set via @code{OUTPUT} is
+ignored and the data is returned inline using standard
+@code{D}-lines. This avoids the need for an extra file descriptor. In
+this case the options @option{--armor} and @option{--base64} may be used
+in the same way as with the @code{OUTPUT} command.
+
+
+@node GPGSM IMPORT
+@subsection Import certificates
+
+To import certificates into the internal key database, the command
+
+@example
+ IMPORT [--re-import]
+@end example
+
+is used. The data is expected on the file descriptor set with the
+@code{INPUT} command. Certain checks are performed on the
+certificate. Note that the code will also handle PKCS#12 files and
+import private keys; a helper program is used for that.
+
+With the option @option{--re-import} the input data is expected to a be
+a linefeed separated list of fingerprints. The command will re-import
+the corresponding certificates; that is they are made permanent by
+removing their ephemeral flag.
+
+
+@node GPGSM DELETE
+@subsection Delete certificates
+
+To delete a certificate the command
+
+@example
+ DELKEYS @var{pattern}
+@end example
+
+is used. To allow multiple patterns (which are ORed) quoting is
+required: Spaces are to be translated into "+" or into "%20"; in turn
+this requires that the usual escape quoting rules are done.
+
+The certificates must be specified unambiguously otherwise an error is
+returned.
+
+@node GPGSM GETAUDITLOG
+@subsection Retrieve an audit log
+@anchor{gpgsm-cmd getauditlog}
+
+This command is used to retrieve an audit log.
+
+@example
+GETAUDITLOG [--data] [--html]
+@end example
+
+If @option{--data} is used, the audit log is send using D-lines
+instead of being sent to the file descriptor given by an @code{OUTPUT}
+command. If @option{--html} is used, the output is formatted as an
+XHTML block. This is designed to be incorporated into a HTML
+document.
+
+
+@node GPGSM GETINFO
+@subsection Return information about the process
+
+This is a multipurpose function to return a variety of information.
+
+@example
+GETINFO @var{what}
+@end example
+
+The value of @var{what} specifies the kind of information returned:
+@table @code
+@item version
+Return the version of the program.
+@item pid
+Return the process id of the process.
+@item agent-check
+Return OK if the agent is running.
+@item cmd_has_option @var{cmd} @var{opt}
+Return OK if the command @var{cmd} implements the option @var{opt}.
+The leading two dashes usually used with @var{opt} shall not be given.
+@item offline
+Return OK if the connection is in offline mode. This may be either
+due to a @code{OPTION offline=1} or due to @command{gpgsm} being
+started with option @option{--disable-dirmngr}.
+@end table
+
+@node GPGSM OPTION
+@subsection Session options
+
+The standard Assuan option handler supports these options.
+
+@example
+OPTION @var{name}[=@var{value}]
+@end example
+
+These @var{name}s are recognized:
+
+@table @code
+
+@item putenv
+Change the session's environment to be passed via gpg-agent to
+Pinentry. @var{value} is a string of the form
+@code{<KEY>[=[<STRING>]]}. If only @code{<KEY>} is given the
+environment variable @code{<KEY>} is removed from the session
+environment, if @code{<KEY>=} is given that environment variable is
+set to the empty string, and if @code{<STRING>} is given it is set to
+that string.
+
+@item display
+@efindex DISPLAY
+Set the session environment variable @code{DISPLAY} is set to @var{value}.
+@item ttyname
+@efindex GPG_TTY
+Set the session environment variable @code{GPG_TTY} is set to @var{value}.
+@item ttytype
+@efindex TERM
+Set the session environment variable @code{TERM} is set to @var{value}.
+@item lc-ctype
+@efindex LC_CTYPE
+Set the session environment variable @code{LC_CTYPE} is set to @var{value}.
+@item lc-messages
+@efindex LC_MESSAGES
+Set the session environment variable @code{LC_MESSAGES} is set to @var{value}.
+@item xauthority
+@efindex XAUTHORITY
+Set the session environment variable @code{XAUTHORITY} is set to @var{value}.
+@item pinentry-user-data
+@efindex PINENTRY_USER_DATA
+Set the session environment variable @code{PINENTRY_USER_DATA} is set
+to @var{value}.
+
+@item include-certs
+This option overrides the command line option
+@option{--include-certs}. A @var{value} of -2 includes all
+certificates except for the root certificate, -1 includes all
+certificates, 0 does not include any certificates, 1 includes only the
+signers certificate and all other positive values include up to
+@var{value} certificates starting with the signer cert.
+
+@item list-mode
+@xref{gpgsm-cmd listkeys}.
+
+@item list-to-output
+If @var{value} is true the output of the list commands
+(@pxref{gpgsm-cmd listkeys}) is written to the file descriptor set
+with the last @code{OUTPUT} command. If @var{value} is false the output is
+written via data lines; this is the default.
+
+@item with-validation
+If @var{value} is true for each listed certificate the validation
+status is printed. This may result in the download of a CRL or the
+user being asked about the trustworthiness of a root certificate. The
+default is given by a command line option (@pxref{gpgsm-option
+--with-validation}).
+
+
+@item with-secret
+If @var{value} is true certificates with a corresponding private key
+are marked by the list commands.
+
+@item validation-model
+This option overrides the command line option
+@option{validation-model} for the session.
+(@xref{gpgsm-option --validation-model}.)
+
+@item with-key-data
+This option globally enables the command line option
+@option{--with-key-data}. (@xref{gpgsm-option --with-key-data}.)
+
+@item enable-audit-log
+If @var{value} is true data to write an audit log is gathered.
+(@xref{gpgsm-cmd getauditlog}.)
+
+@item allow-pinentry-notify
+If this option is used notifications about the launch of a Pinentry
+are passed back to the client.
+
+@item with-ephemeral-keys
+If @var{value} is true ephemeral certificates are included in the
+output of the list commands.
+
+@item no-encrypt-to
+If this option is used all keys set by the command line option
+@option{--encrypt-to} are ignored.
+
+@item offline
+If @var{value} is true or @var{value} is not given all network access
+is disabled for this session. This is the same as the command line
+option @option{--disable-dirmngr}.
+
+@end table
+
+@mansect see also
+@ifset isman
+@command{gpg2}(1),
+@command{gpg-agent}(1)
+@end ifset
+@include see-also-note.texi
diff --git a/doc/gpgv.texi b/doc/gpgv.texi
new file mode 100644
index 0000000..2dd9576
--- /dev/null
+++ b/doc/gpgv.texi
@@ -0,0 +1,193 @@
+@c Copyright (C) 2004 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file GnuPG.texi.
+
+@c
+@c This is included by tools.texi.
+@c
+
+@include defs.inc
+
+@c Begin standard stuff
+@ifclear gpgtwohack
+@manpage gpgv.1
+@node gpgv
+@section Verify OpenPGP signatures
+@ifset manverb
+.B gpgv
+\- Verify OpenPGP signatures
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgv
+.RI [ options ]
+.I signed_files
+@end ifset
+@end ifclear
+@c End standard stuff
+
+@c Begin gpg2 hack stuff
+@ifset gpgtwohack
+@manpage gpgv2.1
+@node gpgv
+@section Verify OpenPGP signatures
+@ifset manverb
+.B gpgv2
+\- Verify OpenPGP signatures
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgv2
+.RI [ options ]
+.I signed_files
+@end ifset
+@end ifset
+@c End gpg2 hack stuff
+
+@mansect description
+@code{@gpgvname} is an OpenPGP signature verification tool.
+
+This program is actually a stripped-down version of @code{gpg} which is
+only able to check signatures. It is somewhat smaller than the fully-blown
+@code{gpg} and uses a different (and simpler) way to check that
+the public keys used to make the signature are valid. There are
+no configuration files and only a few options are implemented.
+
+@code{@gpgvname} assumes that all keys in the keyring are trustworthy.
+That does also mean that it does not check for expired or revoked
+keys.
+
+If no @code{--keyring} option is given, @code{gpgv} looks for a
+``default'' keyring named @file{trustedkeys.kbx} (preferred) or
+@file{trustedkeys.gpg} in the home directory of GnuPG, either the
+default home directory or the one set by the @code{--homedir} option
+or the @code{GNUPGHOME} environment variable. If any @code{--keyring}
+option is used, @code{gpgv} will not look for the default keyring. The
+@code{--keyring} option may be used multiple times and all specified
+keyrings will be used together.
+
+@noindent
+@mansect options
+@code{@gpgvname} recognizes these options:
+
+@table @gnupgtabopt
+
+@item --verbose
+@itemx -v
+@opindex verbose
+Gives more information during processing. If used
+twice, the input data is listed in detail.
+
+@item --quiet
+@itemx -q
+@opindex quiet
+Try to be as quiet as possible.
+
+@item --keyring @var{file}
+@opindex keyring
+Add @var{file} to the list of keyrings.
+If @var{file} begins with a tilde and a slash, these
+are replaced by the HOME directory. If the filename
+does not contain a slash, it is assumed to be in the
+home-directory ("~/.gnupg" if --homedir is not used).
+
+@item --output @var{file}
+@itemx -o @var{file}
+@opindex output
+Write output to @var{file}; to write to stdout use @code{-}. This
+option can be used to get the signed text from a cleartext or binary
+signature; it also works for detached signatures, but in that case
+this option is in general not useful. Note that an existing file will
+be overwritten.
+
+
+@item --status-fd @var{n}
+@opindex status-fd
+Write special status strings to the file descriptor @var{n}. See the
+file DETAILS in the documentation for a listing of them.
+
+@item --logger-fd @code{n}
+@opindex logger-fd
+Write log output to file descriptor @code{n} and not to stderr.
+
+@item --log-file @code{file}
+@opindex log-file
+Same as @option{--logger-fd}, except the logger data is written to
+file @code{file}. Use @file{socket://} to log to socket.
+
+@item --ignore-time-conflict
+@opindex ignore-time-conflict
+GnuPG normally checks that the timestamps associated with keys and
+signatures have plausible values. However, sometimes a signature seems to
+be older than the key due to clock problems. This option turns these
+checks into warnings.
+
+@include opt-homedir.texi
+
+@item --weak-digest @code{name}
+@opindex weak-digest
+Treat the specified digest algorithm as weak. Signatures made over
+weak digests algorithms are normally rejected. This option can be
+supplied multiple times if multiple algorithms should be considered
+weak. MD5 is always considered weak, and does not need to be listed
+explicitly.
+
+@item --enable-special-filenames
+@opindex enable-special-filenames
+This option enables a mode in which filenames of the form
+@file{-&n}, where n is a non-negative decimal number,
+refer to the file descriptor n and not to a file with that name.
+
+@end table
+
+@mansect return value
+
+The program returns 0 if everything is fine, 1 if at least
+one signature was bad, and other error codes for fatal errors.
+
+@mansect examples
+@subsection Examples
+
+@table @asis
+
+@item @gpgvname @code{pgpfile}
+@itemx @gpgvname @code{sigfile} [@code{datafile}]
+Verify the signature of the file. The second form is used for detached
+signatures, where @code{sigfile} is the detached signature (either
+ASCII-armored or binary) and @code{datafile} contains the signed data;
+if @code{datafile} is "-" the signed data is expected on
+@code{stdin}; if @code{datafile} is not given the name of the file
+holding the signed data is constructed by cutting off the extension
+(".asc", ".sig" or ".sign") from @code{sigfile}.
+
+@end table
+
+@mansect environment
+@subsection Environment
+
+@table @asis
+
+@item HOME
+Used to locate the default home directory.
+
+@item GNUPGHOME
+If set directory used instead of "~/.gnupg".
+
+@end table
+
+@mansect files
+@subsection FILES
+
+@table @asis
+
+@item ~/.gnupg/trustedkeys.gpg
+The default keyring with the allowed keys.
+
+@end table
+
+@mansect see also
+@command{gpg}(1)
+@include see-also-note.texi
+
diff --git a/doc/gpl.texi b/doc/gpl.texi
new file mode 100644
index 0000000..931a93d
--- /dev/null
+++ b/doc/gpl.texi
@@ -0,0 +1,732 @@
+@node Copying
+
+@unnumbered GNU General Public License
+@center Version 3, 29 June 2007
+
+@c This file is intended to be included in another file.
+
+@display
+Copyright @copyright{} 2007 Free Software Foundation, Inc. @url{https://fsf.org/}
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+@end display
+
+@unnumberedsec Preamble
+
+The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom
+to share and change all versions of a program--to make sure it remains
+free software for all its users. We, the Free Software Foundation,
+use the GNU General Public License for most of our software; it
+applies also to any other work released this way by its authors. You
+can apply it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you
+have certain responsibilities if you distribute copies of the
+software, or if you modify it: responsibilities to respect the freedom
+of others.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too,
+receive or can get the source code. And you must show them these
+terms so they know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the
+manufacturer can do so. This is fundamentally incompatible with the
+aim of protecting users' freedom to change the software. The
+systematic pattern of such abuse occurs in the area of products for
+individuals to use, which is precisely where it is most unacceptable.
+Therefore, we have designed this version of the GPL to prohibit the
+practice for those products. If such problems arise substantially in
+other domains, we stand ready to extend this provision to those
+domains in future versions of the GPL, as needed to protect the
+freedom of users.
+
+Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish
+to avoid the special danger that patents applied to a free program
+could make it effectively proprietary. To prevent this, the GPL
+assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+@iftex
+@unnumberedsec TERMS AND CONDITIONS
+@end iftex
+@ifinfo
+@center TERMS AND CONDITIONS
+@end ifinfo
+
+@enumerate 0
+@item Definitions.
+
+``This License'' refers to version 3 of the GNU General Public License.
+
+``Copyright'' also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+``The Program'' refers to any copyrightable work licensed under this
+License. Each licensee is addressed as ``you''. ``Licensees'' and
+``recipients'' may be individuals or organizations.
+
+To ``modify'' a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a ``modified version'' of
+the earlier work or a work ``based on'' the earlier work.
+
+A ``covered work'' means either the unmodified Program or a work based
+on the Program.
+
+To ``propagate'' a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To ``convey'' a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays ``Appropriate Legal Notices'' to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+@item Source Code.
+
+The ``source code'' for a work means the preferred form of the work for
+making modifications to it. ``Object code'' means any non-source form
+of a work.
+
+A ``Standard Interface'' means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The ``System Libraries'' of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+``Major Component'', in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The ``Corresponding Source'' for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+@item Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+@item Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+@item Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+@item Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+@enumerate a
+@item
+The work must carry prominent notices stating that you modified it,
+and giving a relevant date.
+
+@item
+The work must carry prominent notices stating that it is released
+under this License and any conditions added under section 7. This
+requirement modifies the requirement in section 4 to ``keep intact all
+notices''.
+
+@item
+You must license the entire work, as a whole, under this License to
+anyone who comes into possession of a copy. This License will
+therefore apply, along with any applicable section 7 additional terms,
+to the whole of the work, and all its parts, regardless of how they
+are packaged. This License gives no permission to license the work in
+any other way, but it does not invalidate such permission if you have
+separately received it.
+
+@item
+If the work has interactive user interfaces, each must display
+Appropriate Legal Notices; however, if the Program has interactive
+interfaces that do not display Appropriate Legal Notices, your work
+need not make them do so.
+@end enumerate
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+``aggregate'' if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+@item Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+@enumerate a
+@item
+Convey the object code in, or embodied in, a physical product
+(including a physical distribution medium), accompanied by the
+Corresponding Source fixed on a durable physical medium customarily
+used for software interchange.
+
+@item
+Convey the object code in, or embodied in, a physical product
+(including a physical distribution medium), accompanied by a written
+offer, valid for at least three years and valid for as long as you
+offer spare parts or customer support for that product model, to give
+anyone who possesses the object code either (1) a copy of the
+Corresponding Source for all the software in the product that is
+covered by this License, on a durable physical medium customarily used
+for software interchange, for a price no more than your reasonable
+cost of physically performing this conveying of source, or (2) access
+to copy the Corresponding Source from a network server at no charge.
+
+@item
+Convey individual copies of the object code with a copy of the written
+offer to provide the Corresponding Source. This alternative is
+allowed only occasionally and noncommercially, and only if you
+received the object code with such an offer, in accord with subsection
+6b.
+
+@item
+Convey the object code by offering access from a designated place
+(gratis or for a charge), and offer equivalent access to the
+Corresponding Source in the same way through the same place at no
+further charge. You need not require recipients to copy the
+Corresponding Source along with the object code. If the place to copy
+the object code is a network server, the Corresponding Source may be
+on a different server (operated by you or a third party) that supports
+equivalent copying facilities, provided you maintain clear directions
+next to the object code saying where to find the Corresponding Source.
+Regardless of what server hosts the Corresponding Source, you remain
+obligated to ensure that it is available for as long as needed to
+satisfy these requirements.
+
+@item
+Convey the object code using peer-to-peer transmission, provided you
+inform other peers where the object code and Corresponding Source of
+the work are being offered to the general public at no charge under
+subsection 6d.
+
+@end enumerate
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A ``User Product'' is either (1) a ``consumer product'', which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+``normally used'' refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+``Installation Information'' for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+@item Additional Terms.
+
+``Additional permissions'' are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+@enumerate a
+@item
+Disclaiming warranty or limiting liability differently from the terms
+of sections 15 and 16 of this License; or
+
+@item
+Requiring preservation of specified reasonable legal notices or author
+attributions in that material or in the Appropriate Legal Notices
+displayed by works containing it; or
+
+@item
+Prohibiting misrepresentation of the origin of that material, or
+requiring that modified versions of such material be marked in
+reasonable ways as different from the original version; or
+
+@item
+Limiting the use for publicity purposes of names of licensors or
+authors of the material; or
+
+@item
+Declining to grant rights under trademark law for use of some trade
+names, trademarks, or service marks; or
+
+@item
+Requiring indemnification of licensors and authors of that material by
+anyone who conveys the material (or modified versions of it) with
+contractual assumptions of liability to the recipient, for any
+liability that these contractual assumptions directly impose on those
+licensors and authors.
+@end enumerate
+
+All other non-permissive additional terms are considered ``further
+restrictions'' within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+@item Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+@item Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+@item Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An ``entity transaction'' is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+@item Patents.
+
+A ``contributor'' is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's ``contributor version''.
+
+A contributor's ``essential patent claims'' are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, ``control'' includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a ``patent license'' is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To ``grant'' such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. ``Knowingly relying'' means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is ``discriminatory'' if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+@item No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey
+a covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree
+to terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+@item Use with the GNU Affero General Public License.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+@item Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU General Public
+License ``or any later version'' applies to it, you have the option of
+following the terms and conditions either of that numbered version or
+of any later version published by the Free Software Foundation. If
+the Program does not specify a version number of the GNU General
+Public License, you may choose any version ever published by the Free
+Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU General Public License can be used, that proxy's public
+statement of acceptance of a version permanently authorizes you to
+choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+@item Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM ``AS IS'' WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+@item Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+@item Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+@end enumerate
+
+@iftex
+@heading END OF TERMS AND CONDITIONS
+@end iftex
+@ifinfo
+@center END OF TERMS AND CONDITIONS
+@end ifinfo
+
+@unnumberedsec How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the ``copyright'' line and a pointer to where the full notice is
+found.
+
+@example
+@var{one line to give the program's name and a brief idea of what it does.}
+Copyright (C) @var{year} @var{name of author}
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or (at
+your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program. If not, see @url{https://www.gnu.org/licenses/}.
+@end example
+
+@noindent
+Also add information on how to contact you by electronic and paper mail.
+
+@noindent
+If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+@smallexample
+@var{program} Copyright (C) @var{year} @var{name of author}
+This program comes with ABSOLUTELY NO WARRANTY; for details
+type @samp{show w}. This is free software, and you are
+welcome to redistribute it under certain conditions;
+type @samp{show c} for details.
+@end smallexample
+
+The hypothetical commands @samp{show w} and @samp{show c} should show
+the appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an ``about box''.
+
+You should also get your employer (if you work as a programmer) or school,
+if any, to sign a ``copyright disclaimer'' for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+@url{https://www.gnu.org/licenses/}.
+
+The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use
+the GNU Lesser General Public License instead of this License. But
+first, please read @url{https://www.gnu.org/philosophy/why-not-lgpl.html}.
diff --git a/doc/help.be.txt b/doc/help.be.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.be.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.ca.txt b/doc/help.ca.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.ca.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.cs.txt b/doc/help.cs.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.cs.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.da.txt b/doc/help.da.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.da.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.de.txt b/doc/help.de.txt
new file mode 100644
index 0000000..ce0ce14
--- /dev/null
+++ b/doc/help.de.txt
@@ -0,0 +1,279 @@
+# help.de.txt - German GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+# Die Datei help.txt beschreibt das verwendete Format.
+# Diese Datei muß UTF-8 kodiert sein.
+
+
+.#pinentry.qualitybar.tooltip
+# Dies ist lediglich eine kommentiertes Beispiel. Es ist am sinnvolssten
+# einen individuellen Text in /etc/gnupg/help.de.txt zu erstellen.
+Die Qualität der Passphrase, die Sie oben eingegeben haben. Bitte
+fragen sie Ihren Systembeauftragten nach den Kriterien für die Messung
+der Qualität.
+.
+
+
+
+
+.gpg.edit_ownertrust.value
+Sie müssen selbst entscheiden, welchen Wert Sie hier eintragen; dieser Wert
+wird niemals an eine dritte Seite weitergegeben. Wir brauchen diesen Wert,
+um das "Netz des Vertrauens" aufzubauen. Dieses hat nichts mit dem
+(implizit erzeugten) "Netz der Zertifikate" zu tun.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Um das Web-of-Trust aufzubauen muß GnuPG wissen, welchen Schlüsseln
+ultimativ vertraut wird. Das sind üblicherweise die Schlüssel
+auf deren geheimen Schlüssel Sie Zugruff haben.
+Antworten Sie mit "yes" um diesen Schlüssel ultimativ zu vertrauen
+
+.
+
+.gpg.untrusted_key.override
+Wenn Sie diesen nicht vertrauenswürdigen Schlüssel trotzdem benutzen wollen,
+so antworten Sie mit "ja".
+.
+
+.gpg.pklist.user_id.enter
+Geben Sie die User-ID dessen ein, dem Sie die Botschaft senden wollen.
+.
+
+.gpg.keygen.algo
+Wählen Sie das zu verwendene Verfahren.
+
+DSA (alias DSS) ist der "Digital Signature Algorithm" und kann nur für
+Unterschriften genutzt werden.
+
+Elgamal ist ein Verfahren nur für Verschlüsselung.
+
+RSA kann sowohl für Unterschriften als auch für Verschlüsselung genutzt
+werden.
+
+Der erste Schlüssel (Hauptschlüssel) muß immer ein Schlüssel sein, mit dem
+unterschrieben werden kann.
+.
+
+.gpg.keygen.algo.rsa_se
+Normalerweise ist es nicht gut, denselben Schlüssel zum unterschreiben
+und verschlüsseln zu nutzen. Dieses Verfahren sollte in speziellen
+Anwendungsgebiten benutzt werden. Bitte lassen Sie sich zuerst von
+einem Sicherheistexperten beraten.
+.
+
+.gpg.keygen.size
+Wählen Sie die gewünschte Schlüssellänge
+.
+
+.gpg.keygen.size.huge.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keygen.size.large.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keygen.valid
+Geben Sie den benötigten Wert so an, wie er im Prompt erscheint.
+Es ist zwar möglich ein "ISO"-Datum (JJJJ-MM-DD) einzugeben, aber man
+erhält dann ggfs. keine brauchbaren Fehlermeldungen - stattdessen versucht
+der Rechner den Wert als Intervall (von-bis) zu deuten.
+.
+
+.gpg.keygen.valid.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keygen.name
+Geben Sie den Namen des Schlüsselinhabers ein.
+Beispiel: Heinrich Heine.
+.
+
+.gpg.keygen.email
+Geben Sie eine Email-Adresse ein. Dies ist zwar nicht unbedingt notwendig,
+aber sehr empfehlenswert.
+Beispiel: heinrichh@duesseldorf.de
+.
+
+.gpg.keygen.comment
+Geben Sie - bei Bedarf - einen Kommentar ein.
+.
+
+.gpg.keygen.userid.cmd
+N um den Namen zu ändern.
+K um den Kommentar zu ändern.
+E um die Email-Adresse zu ändern.
+F um mit der Schlüsselerzeugung fortzusetzen.
+B um die Schlüsselerzeugung abbrechen.
+.
+
+.gpg.keygen.sub.okay
+Geben Sie "ja" (oder nur "j") ein, um den Unterschlüssel zu erzeugen.
+.
+
+.gpg.sign_uid.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.sign_uid.class
+Wenn Sie die User-ID eines Schlüssels beglaubigen wollen, sollten Sie zunächst
+sicherstellen, daß der Schlüssel demjenigen gehört, der in der User-ID genannt
+ist. Für Dritte ist es hilfreich zu wissen, wie gut diese Zuordnung überprüft
+wurde.
+
+"0" zeigt, daß Sie keine bestimmte Aussage über die Sorgfalt der
+ Schlüsselzuordnung machen.
+
+"1" Sie glauben, daß der Schlüssel der benannten Person gehört,
+ aber Sie konnten oder nahmen die Überpüfung überhaupt nicht vor.
+ Dies ist hilfreich für eine "persona"-Überprüfung, wobei man den
+ Schlüssel eines Pseudonym-Trägers beglaubigt
+
+"2" Sie nahmen eine flüchtige Überprüfung vor. Das heißt Sie haben z.B.
+ den Schlüsselfingerabdruck kontrolliert und die User-ID des Schlüssels
+ anhand des Fotos geprüft.
+
+"3" Sie haben eine ausführlich Kontrolle des Schlüssels vorgenommen.
+ Das kann z.B. die Kontrolle des Schlüsselfingerabdrucks mit dem
+ Schlüsselinhaber persönlich vorgenommen haben; daß Sie die User-ID des
+ Schlüssel anhand einer schwer zu fälschenden Urkunde mit Foto (wie z.B.
+ einem Paß) abgeglichen haben und schließlich per Email-Verkehr die
+ Email-Adresse als zum Schlüsselbesitzer gehörig erkannt haben.
+
+Beachten Sie, daß diese Beispiele für die Antworten 2 und 3 *nur* Beispiele
+sind. Schlußendlich ist es Ihre Sache, was Sie unter "flüchtig" oder
+ "ausführlich" verstehen, wenn Sie Schlüssel Dritter beglaubigen.
+
+Wenn Sie nicht wissen, wie Sie antworten sollen, wählen Sie "0".
+.
+
+.gpg.change_passwd.empty.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keyedit.save.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keyedit.cancel.okay
+Geben Sie "ja" oder "nein" ein
+.
+
+.gpg.keyedit.sign_all.okay
+Geben Sie "ja" (oder nur "j") ein, um alle User-IDs zu beglaubigen
+.
+
+.gpg.keyedit.remove.uid.okay
+Geben Sie "ja" (oder nur "j") ein, um diese User-ID zu LÖSCHEN.
+Alle Zertifikate werden dann auch weg sein!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Geben Sie "ja" (oder nur "j") ein, um diesen Unterschlüssel zu löschen
+.
+
+.gpg.keyedit.delsig.valid
+Dies ist eine gültige Beglaubigung für den Schlüssel. Es ist normalerweise
+unnötig sie zu löschen. Sie ist möglicherweise sogar notwendig, um einen
+Trust-Weg zu diesem oder einem durch diesen Schlüssel beglaubigten Schlüssel
+herzustellen.
+.
+
+.gpg.keyedit.delsig.unknown
+Diese Beglaubigung kann nicht geprüft werden, da Sie den passenden Schlüssel
+nicht besitzen. Sie sollten die Löschung der Beglaubigung verschieben, bis
+sie wissen, welcher Schlüssel verwendet wurde. Denn vielleicht würde genau
+diese Beglaubigung den "Trust"-Weg komplettieren.
+.
+
+.gpg.keyedit.delsig.invalid
+Diese Beglaubigung ist ungültig. Es ist sinnvoll sie aus Ihrem
+Schlüsselbund zu entfernen.
+.
+
+.gpg.keyedit.delsig.selfsig
+Diese Beglaubigung bindet die User-ID an den Schlüssel. Normalerweise ist
+es nicht gut, solche Beglaubigungen zu entfernen. Um ehrlich zu sein:
+Es könnte dann sein, daß GnuPG diesen Schlüssel gar nicht mehr benutzen kann.
+Sie sollten diese Eigenbeglaubigung also nur dann entfernen, wenn sie aus
+irgendeinem Grund nicht gültig ist und eine zweite Beglaubigung verfügbar ist.
+.
+
+.gpg.keyedit.updpref.okay
+Ändern der Voreinstellung aller User-IDs (oder nur der ausgewählten)
+auf die aktuelle Liste der Voreinstellung. Die Zeitangaben aller betroffenen
+Eigenbeglaubigungen werden um eine Sekunde vorgestellt.
+
+.
+
+.gpg.passphrase.enter
+Bitte geben Sie die Passphrase ein. Dies ist ein geheimer Satz
+
+.
+
+.gpg.passphrase.repeat
+Um sicher zu gehen, daß Sie sich bei der Eingabe der Passphrase nicht
+vertippt haben, geben Sie diese bitte nochmal ein. Nur wenn beide Eingaben
+übereinstimmen, wird die Passphrase akzeptiert.
+.
+
+.gpg.detached_signature.filename
+Geben Sie den Namen der Datei an, zu dem die abgetrennte Unterschrift gehört
+.
+
+.gpg.openfile.overwrite.okay
+Geben Sie "ja" ein, wenn Sie die Datei überschreiben möchten
+.
+
+.gpg.openfile.askoutname
+Geben Sie bitte einen neuen Dateinamen ein. Falls Sie nur die
+Eingabetaste betätigen, wird der (in Klammern angezeigte) Standarddateiname
+verwendet.
+.
+
+.gpg.ask_revocation_reason.code
+Sie sollten einen Grund für die Zertifizierung angeben. Je nach
+Zusammenhang können Sie aus dieser Liste auswählen:
+ "Schlüssel wurde kompromitiert"
+ Falls Sie Grund zu der Annahme haben, daß nicht berechtigte Personen
+ Zugriff zu Ihrem geheimen Schlüssel hatten
+ "Schlüssel ist überholt"
+ Falls Sie diesen Schlüssel durch einem neuen ersetzt haben.
+ "Schlüssel wird nicht mehr benutzt"
+ Falls Sie diesen Schlüssel zurückgezogen haben.
+ "User-ID ist nicht mehr gültig"
+ Um bekanntzugeben, daß die User-ID nicht mehr benutzt werden soll.
+ So weist man normalerweise auf eine ungültige Emailadresse hin.
+
+.
+
+.gpg.ask_revocation_reason.text
+Wenn Sie möchten, können Sie hier einen Text eingeben, der darlegt, warum
+Sie diesen Widerruf herausgeben. Der Text sollte möglichst knapp sein.
+Eine Leerzeile beendet die Eingabe.
+
+.
+
+
+
+# Local variables:
+# mode: default-generic
+# coding: utf-8
+# End:
diff --git a/doc/help.el.txt b/doc/help.el.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.el.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.eo.txt b/doc/help.eo.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.eo.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.es.txt b/doc/help.es.txt
new file mode 100644
index 0000000..d59f214
--- /dev/null
+++ b/doc/help.es.txt
@@ -0,0 +1,251 @@
+# help.es.txt - es GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Está en su mano asignar un valor aquí. Dicho valor nunca será exportado a
+terceros. Es necesario para implementar la red de confianza, no tiene nada
+que ver con la red de certificados (implícitamente creada).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Para construir la Red-de-Confianza, GnuPG necesita saber qué claves
+tienen confianza absoluta - normalmente son las claves para las que usted
+puede acceder a la clave secreta. Conteste "sí" para hacer que esta
+clave se considere como de total confianza
+
+.
+
+.gpg.untrusted_key.override
+Si quiere usar esta clave no fiable de todos modos, conteste "sí".
+.
+
+.gpg.pklist.user_id.enter
+Introduzca el ID de usuario al que quiere enviar el mensaje.
+.
+
+.gpg.keygen.algo
+Seleccione el algoritmo que usar.
+
+DSA (alias DSS) es el Algoritmo de Firma Digital y sólo se usa para firmas.
+
+Elgamal es un algoritmo sólo para cifrar.
+
+RSA sirve tanto para firmar como para cifrar.
+
+La primera clave (clave primaria) debe ser siempre de tipo capaz de firmar.
+.
+
+.gpg.keygen.algo.rsa_se
+En general no es una buena idea usar la misma clave para firmar y
+cifrar. Este algoritmo debéria usarse solo en ciertos contextos.
+Por favor consulte primero a un experto en seguridad.
+.
+
+.gpg.keygen.size
+Introduzca la longitud de la clave
+.
+
+.gpg.keygen.size.huge.okay
+Responda "sí" o "no"
+.
+
+.gpg.keygen.size.large.okay
+Responda "sí" o "no"
+.
+
+.gpg.keygen.valid
+Introduzca el valor requerido conforme se muestra.
+Es posible introducir una fecha ISO (AAAA-MM-DD), pero no se obtendrá una
+buena respuesta a los errores; el sistema intentará interpretar el valor
+introducido como un intervalo.
+.
+
+.gpg.keygen.valid.okay
+Responda "sí" o "no"
+.
+
+.gpg.keygen.name
+Introduzca el nombre del dueño de la clave
+.
+
+.gpg.keygen.email
+Introduzca una dirección de correo electrónico (opcional pero muy
+recomendable)
+.
+
+.gpg.keygen.comment
+Introduzca un comentario opcional
+.
+
+.gpg.keygen.userid.cmd
+N para cambiar el nombre.
+C para cambiar el comentario.
+E para cambiar la dirección.
+O para continuar con la generación de clave.
+S para interrumpir la generación de clave.
+.
+
+.gpg.keygen.sub.okay
+Responda "sí" (o sólo "s") para generar la subclave.
+.
+
+.gpg.sign_uid.okay
+Responda "sí" o "no"
+.
+
+.gpg.sign_uid.class
+Cuando firme un ID de usuario en una clave, debería verificar que la clave
+pertenece a la persona que se nombra en el ID de usuario. Es útil para
+otros saber cómo de cuidadosamente lo ha verificado.
+
+"0" significa que no hace ninguna declaración concreta sobre como ha
+ comprobado la validez de la clave.
+
+"1" significa que cree que la clave pertenece a la persona que declara
+ poseerla pero no pudo o no verificó la clave en absoluto. Esto es útil
+ para una verificación en persona cuando firmas la clave de un usuario
+ pseudoanónimo.
+
+"2" significa que hizo una comprobación informal de la clave. Por ejemplo
+ podría querer decir que comprobó la huella dactilar de la clave y
+ comprobó el ID de usuario en la clave con un ID fotográfico.
+
+"3" significa que hizo una comprobación exhaustiva de la clave. Por
+ ejemplo verificando la huella dactilar de la clave con el propietario
+ de la clave, y que comprobó, mediante un documento difícil de falsificar
+ con ID fotográfico (como un pasaporte) que el nombre del poseedor de la
+ clave coincide con el ID de usuario en la clave y finalmente que verificó
+ (intercambiando email) que la dirección de email de la clave pertenece
+ al poseedor de la clave.
+
+Observe que los ejemplos dados en los niveles 2 y 3 son *solo* ejemplos.
+En definitiva, usted decide lo que significa "informal" y "exhaustivo"
+para usted cuando firma las claves de otros.
+
+Si no sabe qué contestar, conteste "0".
+.
+
+.gpg.change_passwd.empty.okay
+Responda "sí" o "no"
+.
+
+.gpg.keyedit.save.okay
+Responda "sí" o "no"
+.
+
+.gpg.keyedit.cancel.okay
+Responda "sí" o "no"
+.
+
+.gpg.keyedit.sign_all.okay
+Responda "sí" si quiere firmar TODOS los IDs de usuario
+.
+
+.gpg.keyedit.remove.uid.okay
+Responda "sí" si realmente quiere borrar este ID de usuario.
+¡También se perderán todos los certificados!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Responda "sí" si quiere borrar esta subclave
+.
+
+.gpg.keyedit.delsig.valid
+Esta es una firma válida de esta clave. Normalmente no será deseable
+borrar esta firma ya que puede ser importante para establecer una conexión
+de confianza con la clave o con otra clave certificada por ésta.
+.
+
+.gpg.keyedit.delsig.unknown
+Esta firma no puede ser comprobada porque no tiene Vd. la clave
+correspondiente. Debería posponer su borrado hasta conocer qué clave
+se usó, ya que dicha clave podría establecer una conexión de confianza
+a través de otra clave certificada.
+.
+
+.gpg.keyedit.delsig.invalid
+Esta firma no es válida. Tiene sentido borrarla de su anillo.
+.
+
+.gpg.keyedit.delsig.selfsig
+Esta es una firma que une el ID de usuario a la clave. No suele ser una
+buena idea borrar dichas firmas. De hecho, GnuPG podría no ser capaz de
+volver a usar esta clave. Así que bórrela tan sólo si esta autofirma no
+es válida por alguna razón y hay otra disponible.
+.
+
+.gpg.keyedit.updpref.okay
+Cambiar las preferencias de todos los IDs de usuario (o sólo los
+seleccionados) a la lista actual de preferencias. El sello de tiempo
+de todas las autofirmas afectadas se avanzará en un segundo.
+
+.
+
+.gpg.passphrase.enter
+Por favor introduzca la contraseña: una frase secreta
+
+.
+
+.gpg.passphrase.repeat
+Repita la última frase contraseña para asegurarse de lo que tecleó.
+.
+
+.gpg.detached_signature.filename
+Introduzca el nombre del fichero al que corresponde la firma
+.
+
+.gpg.openfile.overwrite.okay
+Responda "sí" para sobreescribir el fichero
+.
+
+.gpg.openfile.askoutname
+Introduzca un nuevo nombre de fichero. Si pulsa INTRO se usará el fichero
+por omisión (mostrado entre corchetes).
+.
+
+.gpg.ask_revocation_reason.code
+Debería especificar un motivo para la certificación. Dependiendo del
+contexto puede elegir una opción de esta lista:
+ "La clave ha sido comprometida"
+ Use esto si tiene razones para pensar que personas no autorizadas
+ tuvieron acceso a su clave secreta.
+ "La clave ha sido sustituida"
+ Use esto si ha reemplazado la clave por otra más nueva.
+ "La clave ya no está en uso"
+ Use esto si ha dejado de usar esta clave.
+ "La identificación de usuario ya no es válida"
+ Use esto para señalar que la identificación de usuario no debería
+ seguir siendo usada; esto se utiliza normalmente para marcar una
+ dirección de correo-e como inválida.
+
+.
+
+.gpg.ask_revocation_reason.text
+Si lo desea puede introducir un texto explicando por qué emite
+este certificado de revocación. Por favor, que el texto sea breve.
+Una línea vacía pone fin al texto.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.et.txt b/doc/help.et.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.et.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.fi.txt b/doc/help.fi.txt
new file mode 100644
index 0000000..4286cc0
--- /dev/null
+++ b/doc/help.fi.txt
@@ -0,0 +1,256 @@
+# help.fi.txt - fi GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Tämän arvon määrittäminen on sinun tehtäväsi, tätä arvoa ei koskaan
+kerrota kolmansille osapuolille. Tarvitsemme sitä toteuttamaan
+luottamusverkko eikä sillä ei ole mitään tekemistä (epäsuorasti luotujen)
+varmenneverkkojen kanssa.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Rakentaakseen luottamusverkon, GnuPG:n täytyy tietää mihin avaimiin
+luotetaan ehdottomasti - nämä ovat tavallisesti ne avaimet, joiden salainen
+pari on sinulla. Vastaa "kyllä" luottaaksesi tähän avaimeen ehdoitta
+
+.
+
+.gpg.untrusted_key.override
+Vastaa "kyllä" jos haluat kaikesta huolimatta käyttää tätä epäluotettavaa
+avainta.
+.
+
+.gpg.pklist.user_id.enter
+Syötä vastaanottajan, jolle haluat lähettää viestin, käyttäjätunnus.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+Yleensä ei ole järkevää käyttää samaa avainta allekirjoitukseen
+ja salaamiseen. Tätä algorimiä tulisi käyttää vain määrätyissä ympäristöissä.
+Ole hyvä ja kysy tietoturva-asiantuntijaltasi ensin
+.
+
+.gpg.keygen.size
+Syötä avaimen koko
+.
+
+.gpg.keygen.size.huge.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.keygen.size.large.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.keygen.valid
+Syötä pyydetty arvo kuten näkyy kehotteessa.
+On mahdollista syöttää ISO-muotoinen päivä (VVVV-KK-PP),
+mutta sen seurauksena et saa kunnollista virheilmoitusta
+vaan järjestelmä yrittää tulkita arvon aikajaksona.
+.
+
+.gpg.keygen.valid.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.keygen.name
+Anna avaimen haltijan nimi
+.
+
+.gpg.keygen.email
+anna vapaaehtoinen, mutta erittäin suositeltava sähköpostiosoite
+.
+
+.gpg.keygen.comment
+Kirjoita vapaaehtoinen huomautus
+.
+
+.gpg.keygen.userid.cmd
+N muuta nimeä
+C muuta kommenttia
+E muuta sähköpostiosoitetta
+O jatka avaimen luomista
+L lopeta
+.
+
+.gpg.keygen.sub.okay
+Vastaa "kyllä" (tai vain "k") jos haluat luoda aliavaimen.
+.
+
+.gpg.sign_uid.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.sign_uid.class
+Allekirjoittaessasi avaimen käyttäjätunnuksen sinun tulisi varmista, että
+avain todella kuuluu henkilölle, joka mainitaan käyttäjätunnuksessa. Muiden
+on hyvä tietää kuinka huolellisesti olet varmistanut tämän.
+
+"0" tarkoittaa, että et väitä mitään siitä, kuinka huolellisesti olet
+ varmistanut avaimen.
+
+"1" tarkoittaa, että uskot avaimen kuuluvan henkilölle, joka väittää
+ hallitsevan sitä, mutta et voinut varmistaa tai et varmistanut avainta
+ lainkaan. Tämä on hyödyllinen "persoonan" varmistamiseen, jossa
+ allekirjoitat pseudonyymin käyttäjän avaimen.
+
+"2" tarkoittaa arkista varmistusta. Esimerkiksi olet varmistanut
+ avaimen sormenjäljen ja tarkistanut käyttäjätunnuksen ja
+ valokuvatunnisteen täsmäävän.
+
+"3" tarkoittaa syvällistä henkilöllisyyden varmistamista. Esimerkiksi
+ tämä voi tarkoittaa avaimen sormenjäljen tarkistamista avaimen haltijan
+ kanssa henkilökohtaisesti, ja että tarkistit nimen avaimessa täsmäävän
+ vaikeasti väärennettävän kuvallisen henkilöllisyystodistuksen (kuten
+ passi) kanssa, ja lopuksi varmistit (sähköpostin vaihtamisella), että
+ sähköpostiosoite kuuluu avaimen haltijalle.
+
+Huomaa, että yllä annetut esimerkit tasoille 2 ja 3 ovat todellakin *vain*
+esimerkkejä. Lopullisesti se on sinun päätöksesi mitä "arkinen" ja
+"syvällinen" tarkoittaa allekirjoittaessasi muita avaimia.
+
+Jos et tiedä mikä olisi sopiva vastaus, vastaa "0".
+.
+
+.gpg.change_passwd.empty.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.keyedit.save.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.gpg.keyedit.cancel.okay
+Vastaa "kyllä" tai " ei"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Vastaa "kyllä", jos haluat poistaa tämän käyttäjätunnuksen.
+Menetät samalla kaikki siihen liittyvät varmenteet!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Vastaa "kyllä", jos aliavaimen voi poistaa
+.
+
+.gpg.keyedit.delsig.valid
+Tämä on voimassa oleva allekirjoitus tälle avaimelle, tavallisesti ei
+kannata poistaa tätä allekirjoitusta koska se saattaa olla tarpeen
+luottamussuhteen luomiseksi avaimeen tai johonkin toiseen tämän avaimen
+varmentamaan avaimeen.
+.
+
+.gpg.keyedit.delsig.unknown
+Allekirjoitusta ei voida tarkistaa koska sinulla ei ole
+siihen liittyvää avainta. Lykkää sen poistamista kunnes
+ tiedät mitä avainta on käytetty, koska allekirjoitus
+avain saattaa luoda luottamusketjun toisen, jo ennalta
+varmennetun avaimen kautta.
+.
+
+.gpg.keyedit.delsig.invalid
+Allekirjoitus ei ole pätevä. Järkevintä olisi poistaa se
+avainrenkaastasi.
+.
+
+.gpg.keyedit.delsig.selfsig
+Tämä allekirjoitus takaa avaimen haltijan henkilöllisyyden.
+Tällaisen allekirjoituksen poistaminen on tavallisesti huono
+ajatus. GnuPG ei kenties voi käyttää avainta enää. Poista
+allekirjoitus vain, jos se ei ole jostain syystä pätevä, ja
+avaimella on jo toinen allekirjoitus.
+.
+
+.gpg.keyedit.updpref.okay
+Muuta valinnat kaikille käyttäjätunnuksille (tai vain valituille)
+nykyiseen luetteloon valinnoista. Kaikkien muutettujen
+oma-allekirjoitusten aikaleima siirretään yhdellä sekunnilla eteenpäin.
+
+.
+
+.gpg.passphrase.enter
+Ole hyvä ja syötä salasana, tämän on salainen lause
+
+.
+
+.gpg.passphrase.repeat
+Toista edellinen salasanasi varmistuaksesi siitä, mitä kirjoitit.
+.
+
+.gpg.detached_signature.filename
+Anna allekirjoitetun tiedoston nimi
+.
+
+.gpg.openfile.overwrite.okay
+Vastaa "kyllä", jos tiedoston voi ylikirjoittaa
+.
+
+.gpg.openfile.askoutname
+Syötä uusi tiedostonimi. Jos painat vain RETURN, käytetään
+oletustiedostoa (joka näkyy sulkeissa).
+.
+
+.gpg.ask_revocation_reason.code
+Sinun tulisi määrittää syy varmenteelle. Riippuen asiayhteydestä
+voit valita tästä listasta:
+ "Avain on paljastunut"
+ Käytä tätä, jos sinulla on syytä uskoa, että luvattomat henkilöt
+ ovat saaneet salaisen avaimesi käsiinsä.
+ "Avain on korvattu"
+ Käytä tätä, jos olet korvannut tämän uudemmalla avaimella.
+ "Avain ei ole enää käytössä"
+ Käytä tätä, jost ole lopettanut tämän avaimen käytön.
+ "Käyttäjätunnus ei ole enää voimassa"
+ Käytä tätä ilmoittamaan, että käyttäjätunnusta ei pitäisi käyttää;
+ tätä normaalisti käytetään merkitsemään sähköpostiosoite vanhenneeksi.
+
+.
+
+.gpg.ask_revocation_reason.text
+Halutessasi voit kirjoittaa tähän kuvauksen miksi julkaiset tämän
+mitätöintivarmenteen. Kirjoita lyhyesti.
+Tyhjä rivi päättää tekstin.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.fr.txt b/doc/help.fr.txt
new file mode 100644
index 0000000..4e4e7da
--- /dev/null
+++ b/doc/help.fr.txt
@@ -0,0 +1,256 @@
+# help.fr.txt - fr GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+C'est à vous d'assigner une valeur ici; cette valeur ne sera jamais
+envoyée à une tierce personne. Nous en avons besoin pour créer le réseau
+de confiance (web-of-trust); cela n'a rien à voir avec le réseau des
+certificats (créé implicitement)
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Pour mettre en place le Réseau de confiance (Web of Trust), GnuPG a
+besoin de savoir en quelles clés votre confiance est ultime - ce sont
+en général les clés dont vous avez accès à la clé secrète. Répondez
+"oui" pour indiquer que votre confiance en cette clé est ultime
+
+.
+
+.gpg.untrusted_key.override
+Si vous voulez utiliser cette clé peu sûre quand-même, répondez «oui».
+.
+
+.gpg.pklist.user_id.enter
+Entrez le nom d'utilisateur de la personne à qui vous voulez envoyer
+le message.
+.
+
+.gpg.keygen.algo
+Sélectionnez l'algorithme à utiliser.
+
+DSA (connu également sous le nom de DSS) est un algorithme de signature
+digitale et ne peut être utilisé que pour des signatures.
+
+Elgamal est un algorithme pour le chiffrement seul.
+
+RSA peut être utilisé pour les signatures et le chiffrement.
+
+La première clé (clé principale) doit toujours être une clé capable
+de signer.
+.
+
+.gpg.keygen.algo.rsa_se
+En général ce n'est pas une bonne idée d'utiliser la même clé pour
+signer et pour chiffrer. Cet algorithme ne doit être utilisé que
+pour certains domaines.
+Consultez votre expert en sécurité d'abord.
+.
+
+.gpg.keygen.size
+Entrez la taille de la clé
+.
+
+.gpg.keygen.size.huge.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keygen.size.large.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keygen.valid
+Entrez la valeur demandée comme indiqué dans la ligne de commande.
+On peut entrer une date ISO (AAAA-MM-JJ) mais le résultat d'erreur sera
+mauvais - le système essaierait d'interpréter la valeur donnée comme un
+intervalle.
+.
+
+.gpg.keygen.valid.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keygen.name
+Entrez le nom du propriétaire de la clé
+.
+
+.gpg.keygen.email
+entrez une adresse e-mail optionnelle mais hautement recommandée
+.
+
+.gpg.keygen.comment
+Entrez un commentaire optionnel
+.
+
+.gpg.keygen.userid.cmd
+N pour changer le nom.
+C pour changer le commentaire.
+E pour changer l'adresse e-mail.
+O pour continuer à générer la clé.
+Q pour arrêter de générer de clé.
+.
+
+.gpg.keygen.sub.okay
+Répondez «oui» (ou simplement «o») pour générer la sous-clé
+.
+
+.gpg.sign_uid.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.sign_uid.class
+Quand vous signez un nom d'utilisateur d'une clé, vous devriez d'abord
+vérifier que la clé appartient à la personne nommée. Il est utile que
+les autres personnes sachent avec quel soin vous l'avez vérifié.
+
+"0" signifie que vous n'avez pas d'opinon.
+
+"1" signifie que vous croyez que la clé appartient à la personne qui
+dit la posséder mais vous n'avez pas pu vérifier du tout la clé.
+C'est utile lorsque vous signez la clé d'un pseudonyme.
+
+"2" signifie que vous avez un peu vérifié la clé. Par exemple, cela
+pourrait être un vérification de l'empreinte et du nom de
+l'utilisateur avec la photo.
+
+"3" signifie que vous avez complètement vérifié la clé. Par exemple,
+cela pourrait être une vérification de l'empreinte, du nom de
+l'utilisateur avec un document difficile à contrefaire (comme un
+passeport) et de son adresse e-mail (vérifié par un échange de
+courrier électronique).
+
+Notez bien que les exemples donnés ci-dessus pour les niveaux 2 et
+3 ne sont *que* des exemples.
+C'est à vous de décider quelle valeur mettre quand vous signez
+les clés des autres personnes.
+
+Si vous ne savez pas quelle réponse est la bonne, répondez "0".
+.
+
+.gpg.change_passwd.empty.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keyedit.save.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keyedit.cancel.okay
+Répondez «oui» ou «non»
+.
+
+.gpg.keyedit.sign_all.okay
+Répondez «oui» si vous voulez signer TOUS les noms d'utilisateurs
+.
+
+.gpg.keyedit.remove.uid.okay
+Répondez «oui» si vous voulez vraiment supprimer ce nom
+d'utilisateur. Tous les certificats seront alors perdus en même temps !
+.
+
+.gpg.keyedit.remove.subkey.okay
+Répondez «oui» s'il faut vraiment supprimer la sous-clé
+.
+
+.gpg.keyedit.delsig.valid
+C'est une signature valide dans la clé; vous n'avez pas normalement
+intérêt à supprimer cette signature car elle peut être importante pour
+établir une connection de confiance vers la clé ou une autre clé certifiée
+par celle-là.
+.
+
+.gpg.keyedit.delsig.unknown
+Cette signature ne peut pas être vérifiée parce que vous n'avez pas la
+clé correspondante. Vous devriez remettre sa supression jusqu'à ce que
+vous soyez sûr de quelle clé a été utilisée car cette clé de signature
+peut établir une connection de confiance vers une autre clé déjà certifiée.
+.
+
+.gpg.keyedit.delsig.invalid
+Cette signature n'est pas valide. Vous devriez la supprimer de votre
+porte-clés.
+.
+
+.gpg.keyedit.delsig.selfsig
+Cette signature relie le nom d'utilisateur à la clé. Habituellement
+enlever une telle signature n'est pas une bonne idée. En fait GnuPG peut
+ne plus être capable d'utiliser cette clé. Donc faites ceci uniquement si
+cette auto-signature est invalide pour une certaine raison et si une autre
+est disponible.
+.
+
+.gpg.keyedit.updpref.okay
+Changer les préférences de tous les noms d'utilisateurs (ou juste
+ceux qui sont sélectionnés) vers la liste actuelle. La date de toutes
+les auto-signatures affectées seront avancées d'une seconde.
+
+.
+
+.gpg.passphrase.enter
+Entrez le mot de passe ; c'est une phrase secrète
+
+.
+
+.gpg.passphrase.repeat
+Répétez la dernière phrase de passe pour être sûr de ce que vous
+avez tapé.
+.
+
+.gpg.detached_signature.filename
+Donnez le nom du fichier auquel la signature se rapporte
+.
+
+.gpg.openfile.overwrite.okay
+Répondez «oui» s'il faut vraiment réécrire le fichier
+.
+
+.gpg.openfile.askoutname
+Entrez le nouveau nom de fichier. Si vous tapez simplement ENTRÉE le
+fichier par défaut (indiqué entre crochets) sera utilisé.
+.
+
+.gpg.ask_revocation_reason.code
+Vous devriez donner une raison pour la certification. Selon le contexte
+vous pouvez choisir dans cette liste:
+ «La clé a été compromise»
+ Utilisez cette option si vous avez une raison de croire que des
+ personnes ont pu accéder à votre clé secrète sans autorisation.
+ «La clé a été remplacée»
+ Utilisez cette option si vous avez remplacé la clé par une nouvelle.
+ «La clé n'est plus utilisée»
+ Utilisez cette option si cette clé n'a plus d'utilité.
+ «Le nom d'utilisateur n'est plus valide»
+ Utilisez cette option si le nom d'utilisateur ne doit plus être
+ utilisé. Cela sert généralement à indiquer qu'une adresse e-mail
+ est invalide.
+
+.
+
+.gpg.ask_revocation_reason.text
+Si vous le désirez, vous pouvez entrer un texte qui explique pourquoi vous
+avez émis ce certificat de révocation. Essayez de garder ce texte concis.
+Une ligne vide délimite la fin du texte.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.gl.txt b/doc/help.gl.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.gl.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.hu.txt b/doc/help.hu.txt
new file mode 100644
index 0000000..81b3991
--- /dev/null
+++ b/doc/help.hu.txt
@@ -0,0 +1,257 @@
+# help.hu.txt - hu GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Az Ön döntésén múlik, hogy milyen értéket ad meg itt. Ezt az értéket soha
+nem exportáljuk mások részére. Ez a bizalmak hálózatához (web-of-trust)
+szükséges, semmi köze az igazolások hálózatához (web-of-certificates).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Hogy a bizalmak hálózatát felépítsük, a GnuPG-nek tudnia kell, hogy
+mely kulcsok alapvetően megbízhatóak - általában ezek azok a kulcsok,
+melyek titkos kulcsához hozzáfér. Válaszoljon "igen"-nel, ha kulcsot
+alapvetően megbízhatónak jelöli!
+
+.
+
+.gpg.untrusted_key.override
+Ha mégis használni akarja ezt a kulcsot, melyben nem bízunk,
+válaszoljon "igen"-nel!
+.
+
+.gpg.pklist.user_id.enter
+Adja meg a címzett felhasználói azonosítóját!
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+Ãltalában nem jó ötlet ugyanazt a kulcsot használni aláíráshoz és
+titkosításhoz. Ezt az algoritmust csak bizonyos területeken ajánlatos
+használni. Kérem, először konzultáljon a biztonsági szakértőjével!
+.
+
+.gpg.keygen.size
+Adja meg a kulcs méretét!
+.
+
+.gpg.keygen.size.huge.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.keygen.size.large.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.keygen.valid
+Adja meg a szükséges értéket, ahogy a prompt mutatja!
+Lehetséges ISO dátumot is beírni (ÉÉÉÉ-HH-NN), de nem fog rendes
+hibaüzenetet kapni, hanem a rendszer megpróbálja az értéket
+intervallumként értelmezni.
+.
+
+.gpg.keygen.valid.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.keygen.name
+Adja meg a kulcs tulajdonosának a nevét!
+.
+
+.gpg.keygen.email
+Kérem, adjon meg egy opcionális, de nagyon ajánlott e-mail címet!
+.
+
+.gpg.keygen.comment
+Kérem, adjon meg egy opcionális megjegyzést!
+.
+
+.gpg.keygen.userid.cmd
+N név változtatása
+M megjegyzés változtatása
+E e-mail változtatása
+R kulcsgenerálás folytatása
+Q kilépés a kulcsgenerálásból
+.
+
+.gpg.keygen.sub.okay
+Válaszoljon "igen"-nel (vagy csak "i"-vel), ha kezdhetjük az alkulcs
+létrehozását!
+.
+
+.gpg.sign_uid.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.sign_uid.class
+Mielőtt aláír egy felhasználói azonosítót egy kulcson, ellenőriznie kell,
+hogy a kulcs a felhasználói azonosítóban megnevezett személyhez tartozik.
+Mások számára hasznos lehet, ha tudják, hogy milyen gondosan ellenőrizte
+Ön ezt.
+
+"0" azt jelenti, hogy nem tesz az ellenőrzés gondosságára vonatkozó
+ kijelentést.
+
+"1" azt jelenti, hogy Ön hiszi, hogy a kulcs annak a személynek a
+ tulajdona, aki azt állítja, hogy az övé, de Ön nem tudta ezt
+ ellenőrizni, vagy egyszerűen nem ellenőrizte ezt. Ez hasznos egy
+ "persona" típusú ellenőrzéshez, mikor Ön egy pszeudonim felhasználó
+ kulcsát írja alá.
+
+"2" azt jelenti, hogy Ön a kulcsot hétköznapi alapossággal ellenőrizte.
+ Például ez azt jelentheti, hogy ellenőrizte a kulcs ujjlenyomatát, és
+ összevetette a kulcson szereplő felhasználóazonosítót egy fényképes
+ igazolvánnyal.
+
+"3" azt jelenti, hogy alaposan ellenőrizte a kulcsot. Például ez azt
+ jelentheti, hogy a kulcs ujjlenyomatát a tulajdonossal személyesen
+ találkozva ellenőrizte, egy nehezen hamisítható, fényképes igazolvánnyal
+ (mint az útlevél) meggyőződött arról, hogy a személy neve egyezik a
+ kulcson levővel, és végül (e-mail váltással) ellenőrizte, hogy a kulcson
+ szereplő e-mail cím a kulcs tulajdonosához tartozik.
+
+A 2-es és 3-as szintekhez adott példák *csak* példák. Végső soron Ön dönti
+el, hogy mit jelentenek Önnek a "hétköznapi" és "alapos" kifejezések,
+amikor mások kulcsát aláírja.
+
+Ha nem tudja, hogy mit válaszoljon, írjon "0"-t!
+.
+
+.gpg.change_passwd.empty.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.keyedit.save.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.gpg.keyedit.cancel.okay
+Kérem, adjon "igen" vagy "nem" választ!
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Válaszoljon "igen"-nel, ha valóban törölni akarja ezt a felhasználóazonosítót!
+Minden igazolás törlődik vele együtt!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Válaszoljon "igen"-nel, ha az alkulcs törölhető.
+.
+
+.gpg.keyedit.delsig.valid
+Ez egy érvényes aláírás a kulcson. Normál esetben nincs értelme
+törölni, mert fontos lehet ahhoz, hogy érvényesítse ezt a kulcsot,
+vagy egy másikat, melyet ezzel a kulccsal igazolnak.
+.
+
+.gpg.keyedit.delsig.unknown
+Ezt az aláírást nem tudom ellenőrizni, mert nincs meg a hozzá tartozó
+kulcs. Ajánlatos lenne elhalasztani a törlést addig, amíg meg nem tudja,
+hogy melyik kulcsot használták, mert ez az aláíró kulcs bizalmi
+kapcsolatot hozhat létre egy már hitelesített kulcson keresztül.
+.
+
+.gpg.keyedit.delsig.invalid
+Ez az aláírás nem érvényes. Értelmetlen eltávolítani a kulcskarikáról.
+.
+
+.gpg.keyedit.delsig.selfsig
+Ez egy olyan aláírás, amely összeköti a felhasználóazonosítót
+a kulccsal. Ãltalában nem jó ötlet egy ilyen aláírást eltávolítani.
+Az is lehetséges, hogy a GnuPG többé nem tudja használni ezt
+a kulcsot. Csak akkor tegye ezt, ha valami okból ez az önaláírás nem
+érvényes, és rendelkezésre áll egy másik!
+.
+
+.gpg.keyedit.updpref.okay
+Lecseréli az összes felhasználóazonosítóhoz (vagy csak a kijelöltekhez)
+tartozó preferenciákat az aktuális preferenciákra. Minden érintett
+önaláírás időpontját egy másodperccel növeli.
+
+.
+
+.gpg.passphrase.enter
+Kérem, adja meg a jelszót! Ezt egy titkos mondat.
+
+.
+
+.gpg.passphrase.repeat
+Kérem, ismételje meg az előző jelszót ellenőrzésképpen!
+.
+
+.gpg.detached_signature.filename
+Adja meg az állomány nevét, melyhez az aláírás tartozik!
+.
+
+.gpg.openfile.overwrite.okay
+Válaszoljon "igen"-nel, ha felülírható az állomány!
+.
+
+.gpg.openfile.askoutname
+Kérem, adjon meg egy új fájlnevet! Ha RETURN-t/ENTER-t nyom, akkor
+a szögletes zárójelben levő alapértelmezett nevet használom.
+.
+
+.gpg.ask_revocation_reason.code
+Ajánlatos megadni a visszavonás okát. A helyzettől függően válasszon
+a következő listából:
+ "A kulcs kompromittálódott."
+ Használja ezt akkor, ha oka van azt hinni, hogy titkos kulcsa
+ illetéktelen kezekbe került!
+ "A kulcsot lecserélték."
+ Használja ezt akkor, ha a kulcsot lecserélte egy újabbra!
+ "A kulcs már nem használatos."
+ Használja ezt akkor, ha már nem használja a kulcsot!
+ "A felhasználóazonosító már nem érvényes."
+ Használja ezt akkor, ha azt állítja, hogy a felhasználóazonosító
+ már nem használatos! Ãltalában érvénytelen e-mail címet jelent.
+
+.
+
+.gpg.ask_revocation_reason.text
+Ha akarja, megadhat egy szöveget, melyben megindokolja, hogy miért
+adta ki ezt a visszavonó igazolást. Kérem, fogalmazzon tömören!
+Egy üres sor jelzi a szöveg végét.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.id.txt b/doc/help.id.txt
new file mode 100644
index 0000000..c07492f
--- /dev/null
+++ b/doc/help.id.txt
@@ -0,0 +1,251 @@
+# help.id.txt - id GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Terserah anda untuk memberi nilai baru di sini; nilai ini tidak akan diekspor
+ke pihak ketiga. Kami perlu untuk mengimplementasikan web-of-trust; tidak ada
+kaitan dengan (membuat secara implisit) web-of-certificates.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Untuk membuat Web-of-Trust, GnuPG perlu tahu kunci mana yang
+sangat dipercaya - mereka biasanya adalah kunci yang anda punya
+akses ke kunci rahasia. Jawab "yes" untuk menset kunci ini ke
+sangat dipercaya
+
+.
+
+.gpg.untrusted_key.override
+Jika anda ingin menggunakan kunci tidak terpercaya ini, jawab "ya".
+.
+
+.gpg.pklist.user_id.enter
+Masukkan ID user penerima pesan.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+Secara umum bukan ide baik untuk menggunakan kunci yang sama untuk menandai dan
+mengenkripsi. Algoritma ini seharusnya digunakan dalam domain tertentu.
+Silakan berkonsultasi dulu dengan ahli keamanan anda.
+.
+
+.gpg.keygen.size
+Masukkan ukuran kunci
+.
+
+.gpg.keygen.size.huge.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.keygen.size.large.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.keygen.valid
+Masukkan nilai yang diperlukan seperti pada prompt.
+Dapat digunakan format (YYYY-MM-DD) untuk mengisi tanggal ISO tetapi anda
+tidak akan mendapat respon kesalahan yang baik - sebaiknya sistem akan
+berusaha menginterprestasi nilai yang diberikan sebagai sebuah interval.
+.
+
+.gpg.keygen.valid.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.keygen.name
+Masukkan nama pemegang kunci
+.
+
+.gpg.keygen.email
+silakan masukkan alamat email (pilihan namun sangat dianjurkan)
+.
+
+.gpg.keygen.comment
+Silakan masukkan komentar tambahan
+.
+
+.gpg.keygen.userid.cmd
+N untuk merubah nama.
+K untuk merubah komentar.
+E untuk merubah alamat email.
+O untuk melanjutkan dengan pembuatan kunci.
+K untuk menghentikan pembuatan kunci.
+.
+
+.gpg.keygen.sub.okay
+Jawab "ya" (atau "y") jika telah siap membuat subkey.
+.
+
+.gpg.sign_uid.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.sign_uid.class
+Ketika anda menandai user ID pada kunci, anda perlu memverifikasi bahwa kunci
+milik orang yang disebut dalam user ID. Ini penting bagi orang lain untuk tahu
+seberapa cermat anda memverifikasi ini.
+
+"0" berarti anda tidak melakukan klaim tentang betapa cermat anda memverifikasi kunci.
+
+"1" berarti anda percaya bahwa kunci dimiliki oleh orang yang mengklaim memilikinya
+ namun anda tidak dapat, atau tidak memverifikasi kunci sama sekali. Hal ini bergunabagi
+ verifikasi "persona", yaitu anda menandai kunci user pseudonymous
+
+"2" berarti anda melakukan verifikasi kasual atas kunci. Sebagai contoh, halini dapat
+ berarti bahwa anda memverifikasi fingerprint kunci dan memeriksa user ID pada kunci
+ dengan photo ID.
+
+"3" berarti anda melakukan verifikasi ekstensif atas kunci. Sebagai contoh, hal ini
+ dapat berarti anda memverifikasi fingerprint kunci dengan pemilik kunci
+ secara personal, dan anda memeriksa, dengan menggunakan dokumen yang sulit dipalsukan yang memiliki
+ photo ID (seperti paspor) bahwa nama pemilik kunci cocok dengan
+ nama user ID kunci, dan bahwa anda telah memverifikasi (dengan pertukaran
+ email) bahwa alamat email pada kunci milik pemilik kunci.
+
+Contoh-contoh pada level 2 dan 3 hanyalah contoh.
+Pada akhirnya, terserah anda untuk memutuskan apa arti "kasual" dan "ekstensif"
+bagi anda ketika menandai kunci lain.
+
+Jika anda tidak tahu jawaban yang tepat, jawab "0".
+.
+
+.gpg.change_passwd.empty.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.keyedit.save.okay
+Jawab "ya" atau "tidak"
+.
+
+.gpg.keyedit.cancel.okay
+Jawab "ya" atau "tidak"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Jawab "ya" jika anda benar-benar ingin menghapus ID user ini.
+Seluruh sertifikat juga akan hilang!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Jawab "ya" jika ingin menghapus subkey
+.
+
+.gpg.keyedit.delsig.valid
+Ini adalah signature valid untuk kunci; anda normalnya tdk ingin menghapus
+signature ini karena mungkin penting membangun koneksi trust ke kunci atau
+ke kunci tersertifikasi lain dengan kunci ini.
+.
+
+.gpg.keyedit.delsig.unknown
+Signature ini tidak dapat diperiksa karena anda tidak memiliki kunci
+korespondennya. Anda perlu menunda penghapusannya hingga anda tahu
+kunci yang digunakan karena kunci penanda ini mungkin membangun suatu
+koneksi trust melalui kunci yang telah tersertifikasi lain.
+.
+
+.gpg.keyedit.delsig.invalid
+Signature tidak valid. Adalah hal yang masuk akal untuk menghapusnya dari
+keyring anda
+.
+
+.gpg.keyedit.delsig.selfsig
+Ini adalah signature yang menghubungkan ID pemakai ke kunci. Biasanya
+bukan ide yang baik untuk menghapus signature semacam itu. Umumnya
+GnuPG tidak akan dapat menggunakan kunci ini lagi. Sehingga lakukan hal
+ini bila self-signature untuk beberapa alasan tidak valid dan
+tersedia yang kedua.
+.
+
+.gpg.keyedit.updpref.okay
+Rubah preferensi seluruh user ID (atau hanya yang terpilih)
+ke daftar preferensi saat ini. Timestamp seluruh self-signature
+yang terpengaruh akan bertambah satu detik.
+
+.
+
+.gpg.passphrase.enter
+Silakan masukkan passphrase; ini kalimat rahasia
+
+.
+
+.gpg.passphrase.repeat
+Silakan ulangi passphrase terakhir, sehingga anda yakin yang anda ketikkan.
+.
+
+.gpg.detached_signature.filename
+Beri nama file tempat berlakunya signature
+.
+
+.gpg.openfile.overwrite.okay
+Jawab "ya" jika tidak apa-apa menimpa file
+.
+
+.gpg.openfile.askoutname
+Silakan masukan nama file baru. Jika anda hanya menekan RETURN nama
+file baku (yang diapit tanda kurung) akan dipakai.
+.
+
+.gpg.ask_revocation_reason.code
+Anda harus menspesifikasikan alasan pembatalan. Semua ini tergantung
+konteks, anda dapat memilih dari daftar berikut:
+ "Key has been compromised"
+ Gunakan ini jika anda punya alasan untuk percaya bahwa orang yang tidak berhak
+ memiliki akses ke kunci pribadi anda.
+ "Key is superseded"
+ Gunakan ini bila anda mengganti kunci anda dengan yang baru.
+ "Key is no longer used"
+ Gunakan ini bila anda telah mempensiunkan kunci ini.
+ "User ID is no longer valid"
+ Gunakan ini untuk menyatakan user ID tidak boleh digunakan lagi;
+ normalnya digunakan untuk menandai bahwa alamat email tidak valid lagi.
+
+.
+
+.gpg.ask_revocation_reason.text
+Jika anda suka, anda dapat memasukkan teks menjelaskan mengapa anda
+mengeluarkan sertifikat pembatalan ini. Buatlah ringkas.
+Baris kosong mengakhiri teks.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.it.txt b/doc/help.it.txt
new file mode 100644
index 0000000..675f8c0
--- /dev/null
+++ b/doc/help.it.txt
@@ -0,0 +1,251 @@
+# help.it.txt - Italian GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+E compito tuo assegnare un valore; questo valore non sarà mai esportato a
+terzi. Ci serve per implementare il web-of-trust; non ha nulla a che fare
+con il web-of-certificates (creato implicitamente).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Per costruire il Web-Of-Trust, GnuPG ha bisogno di sapere quali chiavi sono
+definitivamente affidabili - di solito quelle per cui hai accesso alla chiave
+segreta.
+Rispondi "sì" per impostare questa chiave come definitivamente affidabile
+
+.
+
+.gpg.untrusted_key.override
+Se vuoi usare comunque questa chiave non fidata, rispondi "si".
+.
+
+.gpg.pklist.user_id.enter
+Inserisci l'user ID del destinatario a cui vuoi mandare il messaggio.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+In generale non è una buona idea usare la stessa chiave per le firme e la
+cifratura. Questo algoritmo dovrebbe solo essere usato in determinati campi.
+Per favore consulta prima il tuo esperto di sicurezza.
+.
+
+.gpg.keygen.size
+Inserisci le dimensioni della chiave
+.
+
+.gpg.keygen.size.huge.okay
+Rispondi "si" o "no"
+.
+
+.gpg.keygen.size.large.okay
+Rispondi "si" o "no"
+.
+
+.gpg.keygen.valid
+Inserisci il valore richiesto come indicato dal prompt.
+È possibile inserire una data in formato ISO (YYYY-MM-DD) ma non avrai un
+messaggio di errore corretto: il sistema cerca di interpretare il valore
+dato come un intervallo.
+.
+
+.gpg.keygen.valid.okay
+Rispondi "si" o "no"
+.
+
+.gpg.keygen.name
+Inserisci il nome del proprietario della chiave
+.
+
+.gpg.keygen.email
+Inserisci un indirizzo di email opzionale (ma fortemente suggerito)
+.
+
+.gpg.keygen.comment
+Inserisci un commento opzionale
+.
+
+.gpg.keygen.userid.cmd
+N per cambiare il nome.
+C per cambiare il commento.
+E per cambiare l'indirizzo di email.
+O per continuare con la generazione della chiave.
+Q per abbandonare il processo di generazione della chiave.
+.
+
+.gpg.keygen.sub.okay
+Rispondi "si" (o "y") se va bene generare la subchiave.
+.
+
+.gpg.sign_uid.okay
+Rispondi "si" o "no"
+.
+
+.gpg.sign_uid.class
+Quando firmi l'user ID di una chiave dovresti prima verificare che questa
+appartiene alla persona indicata nell'user ID. È utile agli altri sapere
+con quanta attenzione lo hai verificato.
+
+"0" significa che non fai particolari affermazioni sull'attenzione con cui
+ hai ferificato la chiave.
+
+"1" significa che credi che la chiave sia posseduta dalla persona che dice di
+ possederla, ma non hai o non hai potuto verificare per niente la chiave.
+
+"2" significa che hai fatto una verifica superficiale della chiave. Per esempio
+ potrebbe significare che hai verificato l'impronta digitale e confrontato
+ l'user ID della chiave con un documento di identità con fotografia.
+
+"3" significa che hai fatto una verifica approfondita della chiave. Per esempio
+ potrebbe significare che hai verificato di persona l'impronta digitale con
+ il possessore della chiave e hai controllato, per esempio per mezzo di
+ un documento di identità con fotografia difficile da falsificare (come
+ un passaporto), che il nome del proprietario della chiave corrisponde a
+ quello nell'user ID della chiave, e per finire che hai verificato
+ (scambiando dei messaggi) che l'indirizzo di email sulla chiave appartiene
+ al proprietario.
+
+Nota che gli esempi indicati per i livelli 2 e 3 sono *solo* esempi. Alla fine
+sta a te decidere cosa significano "superficiale" e "approfondita" quando
+firmi chiavi di altri.
+
+Se non sai cosa rispondere, rispondi "0".
+.
+
+.gpg.change_passwd.empty.okay
+Rispondi "si" o "no"
+.
+
+.gpg.keyedit.save.okay
+Rispondi "si" o "no"
+.
+
+.gpg.keyedit.cancel.okay
+Rispondi "si" o "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Rispondi "si" se vuoi davvero cancellare questo user ID.
+Tutti i certificati saranno persi!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Rispondi "si" se va bene cancellare la subchiave
+.
+
+.gpg.keyedit.delsig.valid
+Questa è una firma valida per la chiave. Normalmente non vorresti cancellare
+questa firma perchè può essere importante per stabilire una connessione di
+fiducia alla chiave o a un'altra chiave certificata da questa chiave.
+.
+
+.gpg.keyedit.delsig.unknown
+Questa firma non può essere verificata perchè non hai la chiave corrispondente.
+Dovresti rimandare la sua cancellazione finchè non saprai quale chiave è stata
+usata perchè questa chiave potrebbe stabilire una connessione di fiducia
+attraverso una chiave già certificata.
+.
+
+.gpg.keyedit.delsig.invalid
+La firma non è valida. Ha senso rimuoverla dal tuo portachiavi.
+.
+
+.gpg.keyedit.delsig.selfsig
+Questa è una firma che collega l'user id alla chiave. Solitamente non è una
+buona idea rimuovere questo tipo di firma. In realtà GnuPG potrebbe non essere
+più in grado di usare questa chiave. Quindi fallo solo se questa autofirma non
+è valida per qualche ragione e ne è disponibile un'altra.
+.
+
+.gpg.keyedit.updpref.okay
+Cambia le preferenze di tutti gli user ID (o solo di quelli selezionati) con
+la lista di preferenze corrente. L'orario di tutte le autofirme coinvolte
+sarà aumentato di un secondo.
+
+.
+
+.gpg.passphrase.enter
+Inserisci la passphrase, cioè una frase segreta
+
+.
+
+.gpg.passphrase.repeat
+Ripeti l'ultima passphrase per essere sicuro di cosa hai scritto.
+.
+
+.gpg.detached_signature.filename
+Inserisci il nome del file a cui si riferisce la firma.
+.
+
+.gpg.openfile.overwrite.okay
+Rispondi "si" se va bene sovrascrivere il file.
+.
+
+.gpg.openfile.askoutname
+Inserisci il nuovo nome del file. Se premi INVIO sarà usato il nome
+predefinito (quello indicato tra parentesi).
+.
+
+.gpg.ask_revocation_reason.code
+Dovresti specificare un motivo per questa certificazione. A seconda del
+contesto hai la possibilità di scegliere tra questa lista:
+ "Key has been compromised"
+ Usa questo se hai un motivo per credere che una persona non autorizzata
+ abbia avuto accesso alla tua chiave segreta.
+ "Key is superseded"
+ Usa questo se hai sostituito questa chiave con una più recente.
+ "Key is no longer used"
+ Usa questo se hai mandato in pensione questa chiave.
+ "User ID is no longer valid"
+ Usa questo per affermare che l'user ID non dovrebbe più essere usato;
+ solitamente è usato per indicare un indirizzo di email non valido.
+
+.
+
+.gpg.ask_revocation_reason.text
+Se vuoi, puoi digitare un testo che descrive perché hai emesso
+questo certificato di revoca. Per favore sii conciso.
+Una riga vuota termina il testo.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.ja.txt b/doc/help.ja.txt
new file mode 100644
index 0000000..c503de6
--- /dev/null
+++ b/doc/help.ja.txt
@@ -0,0 +1,335 @@
+# help.ja.txt - Japanese GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+.#pinentry.qualitybar.tooltip
+# [ ã“ã®ã‚¨ãƒ³ãƒˆãƒªã¯æœ‰åŠ¹ã«ã™ã‚‹ã«ã¯ã€ä¸Šè¨˜ã®ã‚­ãƒ¼ã® # を削除ã—ã¦ãã ã•ã„。]
+# ã“ã‚Œã¯ä¾‹ã§ã™ã€‚
+ã“ã®ãƒãƒ¼ã¯ã€å…¥åŠ›ã•ã‚ŒãŸãƒ‘スフレーズã®å“質を示ã—ã¦ã„ã¾ã™ã€‚
+
+ãƒãƒ¼ãŒèµ¤ã„色ã¨ãªã£ã¦ã„ã‚‹å ´åˆã€GnuPGã¯ãƒ‘スフレーズãŒå¼±ã™ãŽã‚‹ã¨åˆ¤æ–­ã—ã€å—
+ã‘付ã‘ã¾ã›ã‚“。管ç†è€…ã«ãƒ‘スフレーズã®åˆ¶é™ã®è¨­å®šã«ã¤ã„ã¦è©³ç´°ã‚’å•ã„åˆã‚ã›
+ã¦ãã ã•ã„。
+.
+
+.gnupg.agent-problem
+# There was a problem accessing or starting the agent.
+動作中ã®Gpg-Agentã¸ã®æŽ¥ç¶šãŒã§ããªã‹ã£ãŸã‹ã€é€šä¿¡ã®å•é¡ŒãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚
+
+システムã¯ã€Gpg-Agentã¨å‘¼ã°ã‚Œã‚‹ãƒãƒƒã‚¯ã‚°ãƒ©ã‚¦ãƒ³ãƒ‰ãƒ»ãƒ—ロセスを利用ã—ã€ç§˜å¯†
+éµã¨ãƒ‘スフレーズã®å•ã„åˆã‚ã›ã‚’処ç†ã—ã¾ã™ã€‚ã“ã®ã‚¨ãƒ¼ã‚¸ã‚§ãƒ³ãƒˆã¯é€šå¸¸ã€ãƒ¦ãƒ¼
+ザãŒãƒ­ã‚°ã‚¤ãƒ³ã™ã‚‹ã¨ãã«é–‹å§‹ã•ã‚Œã€ãƒ­ã‚°ã‚¤ãƒ³ã—ã¦ã„ã‚‹é–“ã€å‹•ã„ã¦ã„ã¾ã™ã€‚ã‚‚ã—ã€
+エージェントãŒåˆ©ç”¨å¯èƒ½ã§ãªã„å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€ãã®å ´ã§ã‚¨ãƒ¼ã‚¸ã‚§ãƒ³ãƒˆã®èµ·
+動を試ã—ã¾ã™ãŒã€ã“ã®å ´åˆã€æ©Ÿèƒ½ãŒã‚„や制é™ã•ã‚Œã€è‹¥å¹²ã®å•é¡ŒãŒã‚ã‚‹å ´åˆãŒã‚
+ã‚Šã¾ã™ã€‚
+
+ã‚‚ã—ã‹ã—ãŸã‚‰ã€ç®¡ç†è€…ã«å•ã„åˆã‚ã›ã¦ã€ã“ã®å•é¡Œã‚’ã©ã®ã‚ˆã†ã«è§£æ±ºã—ãŸã‚‰è‰¯ã„
+ã‹èžã„ãŸæ–¹ãŒè‰¯ã„ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。ã¨ã‚Šã‚ãˆãšã®æ–¹ç­–ã¨ã—ã¦ã¯ã€ä¸€åº¦ãƒ­ã‚°ã‚¢ã‚¦
+トã—ã¦ã‚‚ã†ä¸€åº¦ãƒ­ã‚°ã‚¤ãƒ³ã—ã€æ”¹å–„ãŒè¦‹ã‚‰ã‚Œã‚‹ã‹è©¦ã—ã¦ã¿ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ã€‚ã‚‚
+ã—ã€ã“ã‚ŒãŒã†ã¾ãã„ãよã†ã§ã‚ã‚Œã°ç®¡ç†è€…ã«å ±å‘Šã—ã¦ãã ã•ã„。ãã‚Œã¯ãŠãら
+ãã€ã‚½ãƒ•ãƒˆã‚¦ã‚§ã‚¢ã®ãƒã‚°ã§ã‚ã‚‹ã“ã¨ã‚’示ã—ã¦ã„ã¾ã™ã®ã§ã€‚
+.
+
+
+.gnupg.dirmngr-problem
+# There was a problen accessing the dirmngr.
+動作中ã®Dirmngrã¸ã®æŽ¥ç¶šãŒã§ããªã‹ã£ãŸã‹ã€é€šä¿¡ã®å•é¡ŒãŒç™ºç”Ÿã—ã¾ã—ãŸã€‚
+
+証明書失効リスト(CRL)を検索ã—ã€OCSPã®æ‡¸è³žã¨LDAPサーãƒã‚’通ã˜ã¦éµã‚’検索ã™
+ã‚‹ãŸã‚ã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€Dirmngrã¨å‘¼ã°ã‚Œã‚‹å¤–部サービス・プログラムを利用ã—ã¾
+ã™ã€‚Dirmngrã¯é€šå¸¸ã€ã‚·ã‚¹ãƒ†ãƒ ã‚µãƒ¼ãƒ“ス(daemon)ã¨ã—ã¦å®ŸåŠ¹ã•ã‚Œã¾ã™ã€ä¸€èˆ¬ãƒ¦ãƒ¼
+ザã¯æ°—ã«ã™ã‚‹å¿…è¦ã¯ã‚ã‚Šã¾ã›ã‚“。å•é¡ŒãŒã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ã¯ã€è¦æ±‚ã«å¿œã˜ã¦ã€
+Dirmngrã‚’èµ·å‹•ã™ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ãŒã€ã“ã‚Œã¯å¯¾å¿œç­–ã§ã‚ã‚Šã€æ€§èƒ½ã«åˆ¶é™ãŒç”Ÿã˜
+ã¾ã™ã€‚
+
+ã“ã®å•é¡ŒãŒã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ç®¡ç†è€…ã«é€£çµ¡ã—ã€ã©ã®ã‚ˆã†ã«é€²ã‚ãŸã‚‰è‰¯ã„ã‹å•
+ã„åˆã‚ã›ã¦ãã ã•ã„。ã¨ã‚Šã‚ãˆãšã®è§£æ±ºç­–ã¨ã—ã¦ã¯ã€gpgsmã®è¨­å®šã§CRLã®æ¤œè¨¼
+ã‚’åœæ­¢ã•ã›ã‚‹ã“ã¨ãŒè€ƒãˆã‚‰ã‚Œã¾ã™ã€‚
+.
+
+
+.gpg.edit_ownertrust.value
+ã“ã“ã§ã®å€¤ã®æŒ‡å®šã¯ã€ã‚ãªãŸã«ä»»ã•ã‚Œã¦ã„ã¾ã™ã€‚ã“ã®å€¤ã¯ã€ç¬¬ä¸‰è€…ã«é–‹ç¤ºã•ã‚Œ
+ã‚‹ã“ã¨ã¯æ±ºã—ã¦ã‚ã‚Šã¾ã›ã‚“。ウェブ・オブ・トラストを実装ã™ã‚‹ãŸã‚ã«ã“ã®å€¤
+ãŒå¿…è¦ã¨ãªã‚Šã¾ã™ãŒã€(暗黙的ã«ä½œã‚‰ã‚Œã‚‹)証明書ã®ç¶²ã«ã¯ä½•ã‚‚関係ã—ã¾ã›ã‚“。
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+ウェブ・オブ・トラストを構築ã™ã‚‹ãŸã‚ã«GnuPGã¯ã€ã©ã®éµãŒç©¶æ¥µçš„ã«ä¿¡é ¼ã§ã
+ã‚‹ã‹ã‚’知る必è¦ãŒã‚ã‚Šã¾ã™ã€‚ãã®éµã¯é€šå¸¸ã¯ã€ã‚ãªãŸãŒç§˜å¯†éµã¸ã‚¢ã‚¯ã‚»ã‚¹ã§ã
+ã‚‹ã‚‚ã®ã§ã™ã€‚ã“ã®éµãŒç©¶æ¥µçš„ã«ä¿¡é ¼ã§ãã‚‹å ´åˆã€"yes" ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.untrusted_key.override
+ã“ã®ä¿¡é ¼ã•ã‚Œã¦ãªã„éµã‚’ã©ã¡ã‚‰ã«ã›ã‚ˆä½¿ã„ãŸã„å ´åˆã€"yes" ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.pklist.user_id.enter
+ã“ã®ãƒ¡ãƒƒã‚»ãƒ¼ã‚¸ã‚’é€ã‚ŠãŸã„宛先ã®ãƒ¦ãƒ¼ã‚¶IDを入力ã—ã¦ãã ã•ã„。
+.
+
+.gpg.keygen.algo
+使用ã™ã‚‹ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã‚’é¸æŠžã—ã¦ãã ã•ã„。
+
+DSA (別å DSS)ã¯é›»å­ç½²åアルゴリズムã§ã‚ã‚Šã€ç½²åã«ã®ã¿ä½¿ãˆã¾ã™ã€‚
+
+Elgamal ã¯æš—å·åŒ–ã®ã¿ã®ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã§ã™ã€‚
+
+RSA ã¯ç½²åã¨æš—å·åŒ–ã®ã©ã¡ã‚‰ã«ã‚‚使ãˆã¾ã™ã€‚
+
+主éµã¯å¸¸ã«ã€ç½²åãŒå¯èƒ½ã®éµã§ã‚ã‚‹å¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚
+.
+
+
+.gpg.keygen.algo.rsa_se
+一般的ã«ã€ç½²åã¨æš—å·åŒ–ã«åŒä¸€ã®éµã‚’用ã„ã‚‹ã“ã¨ã¯è‰¯ã„ã“ã¨ã§ã¯ã‚ã‚Šã¾ã›ã‚“。
+ã“ã®ã‚¢ãƒ«ã‚´ãƒªã‚ºãƒ ã¯ã‚る特定ã®é ˜åŸŸã ã‘ã«ä½¿ã†ã¹ãã§ã™ã€‚ã¾ãšã€ã‚»ã‚­ãƒ¥ãƒªãƒ†ã‚£
+ã®å°‚門家ã«ç›¸è«‡ã—ã¦ãã ã•ã„。
+.
+
+
+.gpg.keygen.size
+éµã®é•·ã•ã‚’入力ã—ã¦ãã ã•ã„。
+
+æ案ã•ã‚ŒãŸãƒ‡ãƒ•ã‚©ãƒ«ãƒˆãŒé€šå¸¸è‰¯ã„é¸æŠžã§ã™ã€‚
+
+大ããªéµé•·ã‚’使ã„ãŸã„å ´åˆã€ãŸã¨ãˆã°4096ビットãªã©ã€æœ¬å½“ã«æ„味ãŒã‚ã‚‹ã‹å†
+検討ã—ã¦ãã ã•ã„。ã“ã¡ã‚‰ã®ã‚¦ã‚§ãƒ–ページを見るã®ã‚‚良ã„ã¨æ€ã„ã¾ã™:
+http://www.xkcd.com/538/
+.
+
+.gpg.keygen.size.huge.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keygen.size.large.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keygen.valid
+プロンプトã§ç¤ºã•ã‚ŒãŸå¿…è¦ãªå€¤ã‚’入力ã—ã¦ãã ã•ã„。ISOå½¢å¼ã®æ—¥ä»˜
+(YYYY-MM-DD)ã®å…¥åŠ›ãŒå¯èƒ½ã§ã™ãŒã€è‰¯ã„エラー対応ãŒå¾—られãªã„ã‹ã‚‚ã—ã‚Œã¾ã›
+ん。システムãŒä¸Žãˆã‚‰ã‚ŒãŸå€¤ã‚’期間ã¨è§£é‡ˆã™ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ã€‚.
+.
+
+.gpg.keygen.valid.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keygen.name
+éµã®æŒã¡ä¸»ã®åå‰ã‚’入力ã—ã¦ãã ã•ã„。
+文字 "<" 㨠">" ã¯è¨±ã•ã‚Œã¦ã„ã¾ã›ã‚“。
+例: Heinrich Heine
+.
+
+
+.gpg.keygen.email
+オプションã§ã™ãŒæŽ¨å¥¨ã•ã‚Œã‚‹é›»å­ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã‚’入力ã—ã¦ãã ã•ã„。
+例: heinrichh@duesseldorf.de
+.
+
+.gpg.keygen.comment
+オプションã®ã‚³ãƒ¡ãƒ³ãƒˆã‚’入力ã—ã¦ãã ã•ã„。
+文字 "(" 㨠")" ã¯è¨±ã•ã‚Œã¦ã„ã¾ã›ã‚“。
+一般的ã«ã‚³ãƒ¡ãƒ³ãƒˆã¯å¿…è¦ã§ã¯ã‚ã‚Šã¾ã›ã‚“。
+.
+
+
+.gpg.keygen.userid.cmd
+# (Keep a leading empty line)
+
+N åå‰ã®å¤‰æ›´ã€‚
+C コメントã®å¤‰æ›´ã€‚
+E é›»å­ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ã®å¤‰æ›´ã€‚
+O éµç”Ÿæˆã«é€²ã‚€ã€‚
+Q éµç”Ÿæˆã‚’æ­¢ã‚る。
+.
+
+.gpg.keygen.sub.okay
+副éµã‚’生æˆã—ã¦ã‚ˆã‘ã‚Œã°ã€"yes" (ã‚ã‚‹ã„ã¯å˜ã« "y") ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.sign_uid.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.sign_uid.class
+ã‚ã‚‹éµã®ãƒ¦ãƒ¼ã‚¶IDã«ç½²åã™ã‚‹ã¨ãã€ã‚ãªãŸã¯ã€ã¾ãšã€ãã®éµãŒãã®ãƒ¦ãƒ¼ã‚¶IDã®
+人ã«å±žã™ã‚‹ã‹ã©ã†ã‹ã‚’確èªã—ãªã‘ã‚Œã°ãªã‚Šã¾ã›ã‚“。ã‚ãªãŸãŒã©ã‚Œãらã„ã“れを
+æ…Žé‡ã«ç¢ºèªã—ãŸã‹ã«ã¤ã„ã¦ã€ã»ã‹ã®äººãŒçŸ¥ã‚‹ã“ã¨ã¯æœ‰ç”¨ã§ã™ã€‚
+
+"0" ã¯ã€ã©ã‚Œãらã„æ…Žé‡ã«ç¢ºèªã—ãŸã‹ã«ã¤ã„ã¦ç‰¹ã«ãªã«ã‚‚主張ã—ãªã„ã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚
+
+"1" ã¯ã€ã‚ãªãŸã¯ã€ä¸»å¼µã™ã‚‹ãã®äººãŒæ‰€æœ‰ã™ã‚‹éµã§ã‚ã‚‹ã¨è€ƒãˆã‚‹ãŒã€ãã®éµã«ã¤ã„ã¦ã€
+ 確èªã§ããªã‹ã£ãŸã€ã‚ã‚‹ã„ã¯ã—ãªã‹ã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ã“ã‚Œã¯ã€ãƒšãƒ³ãƒãƒ¼ãƒ ã®
+ ユーザã®éµã«ç½²åã™ã‚‹ã‚ˆã†ãª "persona" 確èªã«æœ‰ç”¨ã§ã™ã€‚
+
+"2" ã¯ã€ãã®éµã«å¯¾ã—ã€é€šå¸¸ã®æ¤œè¨¼ã‚’è¡Œã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ãŸã¨ãˆã°ã€éµ
+ ã®ãƒ•ã‚£ãƒ³ã‚¬ãƒ¼ãƒ—リントを確èªã—ã€å†™çœŸä»˜ãIDã§ãƒ¦ãƒ¼ã‚¶IDを確èªã—ãŸã“ã¨ã‚’
+ æ„味ã—ã¾ã™ã€‚
+
+"3" ã¯ã€ãã®éµã«å¯¾ã—ã€åºƒç¯„ãªæ¤œè¨¼ã‚’è¡Œã£ãŸã“ã¨ã‚’æ„味ã—ã¾ã™ã€‚ãŸã¨ãˆã°ã€éµ
+ ã®ãƒ•ã‚£ãƒ³ã‚¬ãƒ¼ãƒ—リントを対é¢ã§ç¢ºèªã—ã€ãƒ‘スãƒãƒ¼ãƒˆãªã©å½é€ ã™ã‚‹ã“ã¨ãŒé›£
+ ã—ã„写真付ãIDã§ãƒ¦ãƒ¼ã‚¶IDを確èªã—ã€æ‰€æœ‰è€…ã®åå‰ãŒéµã®ãƒ¦ãƒ¼ã‚¶IDã«é©åˆ
+ ã—ã€ãƒ¡ãƒ¼ãƒ«ã®äº¤æ›ã§ã€ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒæ‰€æœ‰è€…ã«å±žã™ã‚‹ã“ã¨ã‚’確èªã—ãŸã“
+ ã¨ã‚’æ„味ã—ã¾ã™ã€‚
+
+上記ã®ãƒ¬ãƒ™ãƒ«2ã¨ãƒ¬ãƒ™ãƒ«3ã§ç¤ºã—ãŸä¾‹ã¯ã€å˜ã«ä¾‹ã§ã‚ã‚‹ã“ã¨ã«æ³¨æ„ã—ã¦ãã ã•ã„。
+çµå±€ã¯ã€ã»ã‹ã®éµã«ç½²åã™ã‚‹ã¨ãã€ãªã«ãŒã‚ãªãŸã«ã¨ã£ã¦ã€Œé€šå¸¸ã€ã§ã€ãªã«ãŒ
+「広範ã€ã‹ã‚’を決ã‚ã‚‹ã®ã¯ã€ã‚ãªãŸè‡ªèº«ã«ä»»ã•ã‚Œã¦ã„ã¾ã™ã€‚
+
+æ­£ã—ã„ç­”ãˆãŒãªã«ã‹ã‚ã‹ã‚‰ãªã„ã¨ã㯠"0" ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.change_passwd.empty.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keyedit.save.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keyedit.cancel.okay
+"yes" ã‹ "no" ã§ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.keyedit.sign_all.okay
+ã™ã¹ã¦ã®ãƒ¦ãƒ¼ã‚¶IDã«å¯¾ã—ã¦ç½²åã—ãŸã„å ´åˆã€"yes"ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.keyedit.remove.uid.okay
+ã“ã®ãƒ¦ãƒ¼ã‚¶IDを本当ã«å‰Šé™¤ã—ãŸã„å ´åˆã€"yes"ã¨ç­”ãˆã¦ãã ã•ã„。
+ãã†ã™ã‚‹ã¨å…¨éƒ¨ã®è¨¼æ˜Žæ›¸ãŒå¤±ã‚ã‚Œã¾ã™!
+.
+
+.gpg.keyedit.remove.subkey.okay
+副éµã‚’削除ã—ã¦ã‚ˆã„å ´åˆã€"yes"ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+
+.gpg.keyedit.delsig.valid
+ã“ã‚Œã¯ã€ã“ã®éµã®æœ‰åŠ¹ãªç½²åã§ã™ã€‚通常ã€ã“ã®ç½²åを削除ã™ã‚‹ã“ã¨ã¯æœ›ã¾ãªã„
+ã§ã—ょã†ã€‚ã“ã®éµ(ã¾ãŸã¯ã€ã“ã®éµã§è¨¼æ˜Žã•ã‚ŒãŸåˆ¥ã®éµ)ã¸ã®ä¿¡é ¼ã®ã‚³ãƒã‚¯ã‚·ãƒ§
+ンãŒæˆç«‹ã™ã‚‹ã“ã¨ãŒé‡è¦ã¨ãªã‚‹å ´åˆãŒã‚ã‚‹ã‹ã‚‰ã§ã™ã€‚
+.
+
+.gpg.keyedit.delsig.unknown
+ã“ã®ç½²åã¯æ¤œè¨¼ã§ãã¾ã›ã‚“ã§ã—ãŸã€‚対応ã™ã‚‹éµã‚’æŒã£ã¦ã„ãªã„ã‹ã‚‰ã§ã™ã€‚ã©ã®
+éµãŒä½¿ã‚ã‚ŒãŸã‹ã‚ã‹ã‚‹ã¾ã§ã“ã®å‰Šé™¤ã‚’延期ã™ã¹ãã§ã™ã€‚ã“ã®ç½²åã®éµã¯ã€åˆ¥ã®
+ã™ã§ã«è¨¼æ˜Žã•ã‚ŒãŸéµã‚’通ã˜ã¦ä¿¡é ¼ã®ã‚³ãƒã‚¯ã‚·ãƒ§ãƒ³ã‚’æˆç«‹ã™ã‚‹ã“ã¨ãŒã‚ã‚‹ã‹ã‚‰ã§
+ã™ã€‚
+.
+
+.gpg.keyedit.delsig.invalid
+ã“ã®ç½²åã¯æœ‰åŠ¹ã§ã¯ã‚ã‚Šã¾ã›ã‚“。éµãƒªãƒ³ã‚°ã‹ã‚‰å‰Šé™¤ã™ã‚‹ã“ã¨ã«æ„味ãŒã‚ã‚Šã¾ã™ã€‚
+.
+
+.gpg.keyedit.delsig.selfsig
+ã“ã‚Œã¯ã“ã®ãƒ¦ãƒ¼ã‚¶IDã¨ã“ã®éµã¨ã‚’çµã¶ç½²åã§ã™ã€‚通常ã€ã“ã®ã‚ˆã†ãªç½²åを削除
+ã™ã‚‹ã“ã¨ã¯è‰¯ã„ã“ã¨ã§ã¯ã‚ã‚Šã¾ã›ã‚“。実際ã€GnuPGã¯ã“ã®éµã‚’使ã†ã“ã¨ãŒã§ããª
+ããªã£ã¦ã—ã¾ã†ã‹ã‚‚ã—ã‚Œã¾ã›ã‚“。ã§ã™ã‹ã‚‰ã€ã“ã®è‡ªå·±ç½²åãŒãªã‚“らã‹ã®ç†ç”±ã«
+よã£ã¦ç„¡åŠ¹ã§ã‚ã‚Šã€ç¬¬äºŒã®ã‚‚ã®ãŒåˆ©ç”¨å¯èƒ½ã§ã‚ã‚‹å ´åˆã«ã ã‘ã€å®Ÿè¡Œã—ã¦ãã ã•
+ã„。
+.
+
+.gpg.keyedit.updpref.okay
+ã™ã¹ã¦ã®ãƒ¦ãƒ¼ã‚¶ID(ã‚‚ã—ãã¯å˜ã«é¸æŠžã•ã‚ŒãŸä¸€ã¤)ã®å„ªå…ˆæŒ‡å®šã‚’ç¾è¡Œã®å„ªå…ˆæŒ‡å®š
+ã«å¤‰æ›´ã—ã¾ã™ã€‚ã™ã¹ã¦ã®é–¢ä¿‚ã™ã‚‹è‡ªå·±ç½²åã®ã‚¿ã‚¤ãƒ ã‚¹ã‚¿ãƒ³ãƒ—ã¯ã€ä¸€ç§’進んã ã‚‚
+ã®ã¨ãªã‚Šã¾ã™ã€‚
+.
+
+.gpg.passphrase.enter
+# (keep a leading empty line)
+
+パスフレーズを入力ã—ã¦ãã ã•ã„。秘密ã®æ–‡ã§ã™ã€‚
+.
+
+
+.gpg.passphrase.repeat
+ã‚‚ã†ä¸€åº¦ãƒ‘スフレーズを入力ã—ã€é–“é•ã„ãªã入力ã•ã‚ŒãŸã“ã¨ã‚’確èªã—ã¦ãã ã•ã„。
+.
+
+.gpg.detached_signature.filename
+ç½²åãŒé©ç”¨ã•ã‚Œã‚‹ãƒ•ã‚¡ã‚¤ãƒ«ã®åå‰ã‚’与ãˆã¦ãã ã•ã„。
+.
+
+.gpg.openfile.overwrite.okay
+# openfile.c (overwrite_filep)
+ファイルを上書ãã—ã¦ã‚ˆã‘ã‚Œã°ã€"yes"ã¨ç­”ãˆã¦ãã ã•ã„。
+.
+
+.gpg.openfile.askoutname
+# openfile.c (ask_outfile_name)
+æ–°ã—ã„ファイルåを入力ã—ã¦ãã ã•ã„。å˜ã«Enterを打ã¤ã¨ã€ã‚«ãƒƒã‚³ã§ç¤ºã•ã‚ŒãŸ
+デフォルトã®ãƒ•ã‚¡ã‚¤ãƒ«ãŒä½¿ã‚ã‚Œã¾ã™ã€‚
+.
+
+.gpg.ask_revocation_reason.code
+# revoke.c (ask_revocation_reason)
+証明書ã®ç†ç”±ã‚’指定ã—ã¾ã™ã€‚下記ã®ãƒªã‚¹ãƒˆã‹ã‚‰é¸æŠžã—ã¦ãã ã•ã„:
+ "éµãŒå±ã†ããªã£ãŸ"
+ 承èªã—ã¦ã„ãªã„人ãŒã‚ãªãŸã®ç§˜å¯†éµã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ã‚’å¾—ãŸã¨è€ƒãˆã‚‹ç†ç”±ãŒ
+ ã‚ã‚‹å ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚
+ "éµã‚’å–り替ãˆãŸ"
+ æ–°ã—ã„éµã§ã“ã®éµã‚’ç½®ãæ›ãˆãŸå ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚
+ "éµã¯ã‚‚ã†ä½¿ã‚ã‚Œãªã„"
+ ã“ã®éµã‚’使ã‚ãªããªã£ãŸå ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚
+ "ユーザIDãŒç„¡åŠ¹ã¨ãªã£ãŸ"
+ ユーザIDã‚’ã‚‚ã¯ã‚„使ã†ã¹ãã§ãªã„å ´åˆã«ã€ã“れを指定ã—ã¾ã™ã€‚通常ã€ã“
+ ã‚Œã¯ã€é›»å­ãƒ¡ãƒ¼ãƒ«ã‚¢ãƒ‰ãƒ¬ã‚¹ãŒç„¡åŠ¹ã¨ãªã£ãŸå ´åˆã§ã™ã€‚
+.
+
+
+.gpg.ask_revocation_reason.text
+# revoke.c (ask_revocation_reason)
+å¿…è¦ã§ã‚ã‚Œã°ã€ã“ã®å¤±åŠ¹è¨¼æ˜Žæ›¸ã‚’発行ã™ã‚‹ç†ç”±ã‚’記述ã™ã‚‹æ–‡ç« ã‚’入力ã™ã‚‹
+ã“ã¨ãŒã§ãã¾ã™ã€‚ã“ã®æ–‡ç« ã¯ç°¡æ½”ã«ã—ã¦ãã ã•ã„。空行ã¯æ–‡ç« ã®çµ‚ã‚ã‚Šã‚’
+æ„味ã—ã¾ã™ã€‚
+.
+
+
+.gpgsm.root-cert-not-trusted
+# This text gets displayed by the audit log if
+# a root certificates was not trusted.
+ルート証明書(ä¿¡é ¼ã®æ‹ ã‚Šæ‰€)ãŒä¿¡é ¼ã§ãã‚‹ã¨ã•ã‚Œã¦ã„ã¾ã›ã‚“。設定ã«ã‚‚よりã¾
+ã™ãŒã€ãã®ãƒ«ãƒ¼ãƒˆè¨¼æ˜Žæ›¸ã‚’ä¿¡é ¼ã§ãã‚‹ã‚‚ã®ã¨æŒ‡å®šã™ã‚‹ã‚ˆã†ã«æ—¢ã«å•ã‚ã‚ŒãŸã‹ã‚‚
+ã—ã‚Œã¾ã›ã‚“ã—ã€æ‰‹å‹•ã§GnuPGãŒãã®è¨¼æ˜Žæ›¸ã‚’ä¿¡é ¼ã§ãã‚‹ã¨æ‰±ã†ã‚ˆã†ã«è¨­å®šã™ã‚‹å¿…
+è¦ãŒã‚ã‚Šã¾ã™ã€‚ä¿¡é ¼ã§ãる証明書ã¯ã€GnuPGã®ãƒ›ãƒ¼ãƒ ãƒ‡ã‚£ãƒ¬ã‚¯ãƒˆãƒªã®ãƒ•ã‚¡ã‚¤ãƒ«
+trustlist.txt ã«è¨­å®šã—ã¾ã™ã€‚ç–‘å•ã®ã‚ã‚‹å ´åˆã€ã‚·ã‚¹ãƒ†ãƒ ç®¡ç†è€…ã«ã“ã®è¨¼æ˜Žæ›¸
+ã‚’ä¿¡é ¼ã—ã¦ã‚ˆã„ã‚‚ã®ã‹ã©ã†ã‹å•ã„åˆã‚ã›ã¦ãã ã•ã„。
+.
+
+
+.gpgsm.crl-problem
+# This tex is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+設定ã«ã‚ˆã‚Šã¾ã™ãŒã€CRLã®å–å¾—ã‹ã€OCSP検証ã®éš›ã«å•é¡ŒãŒèµ·ãã¾ã—ãŸã€‚ã“ã‚ŒãŒå‹•
+ã‹ãªã„å ´åˆã€å®Ÿã«æ§˜ã€…ãªç†ç”±ãŒã‚ã‚Šãˆã¾ã™ã€‚解決策ã¯ã€ãƒžãƒ‹ãƒ¥ã‚¢ãƒ«ã‚’見ã¦ãã 
+ã•ã„。
+.
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.nb.txt b/doc/help.nb.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.nb.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.pl.txt b/doc/help.pl.txt
new file mode 100644
index 0000000..c5444b6
--- /dev/null
+++ b/doc/help.pl.txt
@@ -0,0 +1,250 @@
+# help.pl.txt - pl GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Te wartości użytkownik przydziela wg swojego uznania; nie będą nigdy
+eksportowane poza ten system. Potrzebne sÄ… one do zbudowania sieci
+zaufania, i nie ma to nic wspólnego z tworzoną automatycznie siecią
+certyfikatów.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Aby zbudować Sieć Zaufania, GnuPG potrzebuje znać klucze do których
+masz absolutne zaufanie. Zwykle są to klucze do których masz klucze
+tajne. Odpowiedz ,,tak'', jeśli chcesz określić ten klucz jako klucz
+do którego masz absolutne zaufanie.
+
+.
+
+.gpg.untrusted_key.override
+Jeśli mimo wszystko chcesz użyć tego klucza, klucza, co do którego nie ma
+żadnej pewności do kogo należy, odpowiedz ,,tak''.
+.
+
+.gpg.pklist.user_id.enter
+Podaj adresatów tej wiadomości.
+.
+
+.gpg.keygen.algo
+Proszę wybrać algorytm.
+
+DSA (znany także jako DSS) to algorytm podpisu cyfrowego (Digital Signature
+Algorithm) i może być używany tylko do podpisów.
+
+Elgamal to algorytm tylko do szyfrowania.
+
+RSA może być używany do podpisów lub szyfrowania.
+
+Pierwszy (główny) klucz zawsze musi być kluczem nadającym się do podpisywania.
+.
+
+.gpg.keygen.algo.rsa_se
+Używanie tego samego klucza do podpisywania i szyfrowania nie jest dobrym
+pomysłem. Można tak postępować tylko w niektórych zastosowaniach. Proszę się
+najpierw skonsultować z ekspertem od bezpieczeństwa.
+.
+
+.gpg.keygen.size
+Wprowadź rozmiar klucza
+.
+
+.gpg.keygen.size.huge.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keygen.size.large.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keygen.valid
+Wprowadź żądaną wartość (jak w znaku zachęty).
+Można tu podać datę w formacie ISO (RRRR-MM-DD) ale nie da to
+właściwej obsługi błędów - system próbuje interpretować podaną wartość
+jako okres.
+.
+
+.gpg.keygen.valid.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keygen.name
+Nazwa właściciela klucza.
+.
+
+.gpg.keygen.email
+proszę wprowadzić opcjonalny ale wysoce doradzany adres e-mail
+.
+
+.gpg.keygen.comment
+Proszę wprowadzić opcjonalny komentarz
+.
+
+.gpg.keygen.userid.cmd
+N aby zmienić nazwę (nazwisko).
+C aby zmienić komentarz.<
+E aby zmienić adres e-mail.
+O aby kontynuować tworzenie klucza.
+Q aby zrezygnować z tworzenia klucza.
+.
+
+.gpg.keygen.sub.okay
+Jeśli ma zostać wygenerowany podklucz, należy odpowiedzieć "tak".
+.
+
+.gpg.sign_uid.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.sign_uid.class
+Przy podpisywaniu identyfikatora użytkownika na kluczu należy sprawdzić,
+czy tożsamość użytkownika odpowiada temu, co jest wpisane w identyfikatorze.
+Innym użytkownikom przyda się informacja, jak dogłębnie zostało to przez
+Ciebie sprawdzone.
+
+"0" oznacza, że nie podajesz żadnych informacji na temat tego jak dogłębnie
+ tożsamość użytkownika została przez Ciebie potwierdzona.
+
+"1" oznacza, że masz przekonanie, że tożsamość użytkownika odpowiada
+ identyfikatorowi klucza, ale nie było możliwości sprawdzenia tego.
+ Taka sytuacja występuje też kiedy podpisujesz identyfikator będący
+ pseudonimem.
+
+"2" oznacza, że tożsamość użytkownika została przez Ciebie potwierdzona
+ pobieżnie - sprawdziliście odcisk klucza, sprawdziłaś/eś tożsamość
+ na okazanym dokumencie ze zdjęciem.
+
+"3" to dogłębna weryfikacja tożsamości. Na przykład sprawdzenie odcisku
+ klucza, sprawdzenie tożsamości z okazanego oficjalnego dokumentu ze
+ zdjęciem (np paszportu) i weryfikacja poprawności adresu poczty
+ elektronicznej przez wymianÄ™ poczty z tym adresem.
+
+Zauważ, że podane powyżej przykłady dla poziomów "2" i "3" to *tylko*
+przykłady. Do Ciebie należy decyzja co oznacza "pobieżny" i "dogłębny" w
+kontekście poświadczania i podpisywania kluczy.
+
+Jeśli nie wiesz co odpowiedzieć, podaj "0".
+.
+
+.gpg.change_passwd.empty.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keyedit.save.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keyedit.cancel.okay
+Odpowiedz "tak" lub "nie".
+.
+
+.gpg.keyedit.sign_all.okay
+Odpowiedz "tak", aby podpisać WSZYSTKIE identyfikatory użytkownika.
+.
+
+.gpg.keyedit.remove.uid.okay
+Aby skasować ten identyfikator użytkownika (co wiąże się ze utratą
+wszystkich jego poświadczeń!) należy odpowiedzieć ,,tak''.
+.
+
+.gpg.keyedit.remove.subkey.okay
+Aby skasować podklucz należy odpowiedzieć "tak".
+.
+
+.gpg.keyedit.delsig.valid
+To jest poprawny podpis na tym kluczu; normalnie nie należy go usuwać
+ponieważ może być ważny dla zestawienia połączenia zaufania do klucza
+którym go złożono lub do innego klucza nim poświadczonego.
+.
+
+.gpg.keyedit.delsig.unknown
+Ten podpis nie może zostać potwierdzony ponieważ nie ma
+odpowiadającego mu klucza publicznego. Należy odłożyć usunięcie tego
+podpisu do czasu, kiedy okaże się który klucz został użyty, ponieważ
+w momencie uzyskania tego klucza może pojawić się ścieżka zaufania
+pomiędzy tym a innym, już poświadczonym kluczem.
+.
+
+.gpg.keyedit.delsig.invalid
+Ten podpis jest niepoprawny. Można usunąć go ze zbioru kluczy.
+.
+
+.gpg.keyedit.delsig.selfsig
+To jest podpis wiążący identyfikator użytkownika z kluczem. Nie należy
+go usuwać - GnuPG może nie móc posługiwać się dalej kluczem bez
+takiego podpisu. Bezpiecznie można go usunąć tylko jeśli ten podpis
+klucza nim samym z jakichÅ› przyczyn nie jest poprawny, i klucz jest
+drugi raz podpisany w ten sam sposób.
+.
+
+.gpg.keyedit.updpref.okay
+Przestawienie wszystkich (lub tylko wybranych) identyfikatorów na aktualne
+ustawienia. Data na odpowiednich podpisach zostane przesunięta do przodu o
+jednÄ… sekundÄ™.
+
+.
+
+.gpg.passphrase.enter
+Podaj długie, skomplikowane hasło, np. całe zdanie.
+
+.
+
+.gpg.passphrase.repeat
+Proszę powtórzyć hasło, aby upewnić się że nie było pomyłki.
+.
+
+.gpg.detached_signature.filename
+Podaj nazwę pliku którego dotyczy ten podpis
+.
+
+.gpg.openfile.overwrite.okay
+Jeśli można nadpisać ten plik, należy odpowiedzieć ,,tak''
+.
+
+.gpg.openfile.askoutname
+Nazwa pliku. Naciśnięcie ENTER potwierdzi nazwę domyślną (w nawiasach).
+.
+
+.gpg.ask_revocation_reason.code
+Nalezy podać powód unieważnienia klucza. W zależności od kontekstu można
+go wybrać z listy:
+ "Klucz został skompromitowany"
+ Masz powody uważać że twój klucz tajny dostał się w niepowołane ręce.
+ "Klucz został zastąpiony"
+ Klucz został zastąpiony nowym.
+ "Klucz nie jest już używany"
+ Klucz został wycofany z użycia.
+ "Identyfikator użytkownika przestał być poprawny"
+ Identyfikator użytkownika (najczęściej adres e-mail przestał być
+ poprawny.
+
+.
+
+.gpg.ask_revocation_reason.text
+Jeśli chcesz, możesz podać opis powodu wystawienia certyfikatu
+unieważnienia. Opis powinien byc zwięzły.
+Pusta linia kończy wprowadzanie tekstu.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.pt.txt b/doc/help.pt.txt
new file mode 100644
index 0000000..da9a181
--- /dev/null
+++ b/doc/help.pt.txt
@@ -0,0 +1,253 @@
+# help.pt.txt - pt GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Você decide que valor usar aqui; este valor nunca será exportado para
+terceiros. Precisamos dele implementar a rede de confiança, que não tem
+nada a ver com a rede de certificados (implicitamente criada).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Para construir a Teia-de-Confiança ('Web-of-Trust'), o GnuPG precisa de
+saber quais são as chaves em que deposita confiança absoluta - normalmente
+estas são as chaves a que tem acesso à chave privada. Responda "sim" para
+que esta chave seja de confiança absoluta.
+
+.
+
+.gpg.untrusted_key.override
+Se você quiser usar esta chave, não de confiança, assim mesmo, responda "sim".
+.
+
+.gpg.pklist.user_id.enter
+Digite o ID de utilizador do destinatário para quem quer enviar a
+mensagem.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+Em geral não é uma boa ideia utilizar a mesma chave para assinar e para
+cifrar. Este algoritmo só deve ser utilizado em alguns domínios.
+Por favor consulte primeiro o seu perito em segurança.
+.
+
+.gpg.keygen.size
+Insira o tamanho da chave
+.
+
+.gpg.keygen.size.huge.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.size.large.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.valid
+Digite o valor necessário conforme pedido.
+É possível digitar uma data ISO (AAAA-MM-DD) mas você não terá uma boa
+reacção a erros - o sistema tentará interpretar o valor dado como um intervalo.
+.
+
+.gpg.keygen.valid.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.name
+Digite o nome do possuidor da chave
+.
+
+.gpg.keygen.email
+por favor digite um endereço de email (opcional mas recomendado)
+.
+
+.gpg.keygen.comment
+Por favor digite um comentário (opcional)
+.
+
+.gpg.keygen.userid.cmd
+N para mudar o nome.
+C para mudar o comentário.
+E para mudar o endereço de email
+O para continuar a geração da chave.
+S para interromper a geração da chave.
+.
+
+.gpg.keygen.sub.okay
+Responda "sim" (ou apenas "s") se quiser gerar a subchave.
+.
+
+.gpg.sign_uid.okay
+Responda "sim" ou "não"
+.
+
+.gpg.sign_uid.class
+Quando assina uma chave de identificação de um utilizador, deve primeiro
+verificar que a chave pertence realmente à pessoa em questão. É útil para
+terceiros saberem com que cuidado é que efectuou esta verificação.
+
+"0" significa que não deseja declarar a forma com verificou a chave
+
+"1" significa que acredita que a chave pertence à pessoa em questão, mas
+ não conseguiu ou não tentou verificar. Este grau é útil para quando
+ assina a chave de uma utilizador pseudo-anónimo.
+
+"2" significa que efectuou uma verificação normal da chave. Por exemplo,
+ isto pode significar que verificou a impressão digital da chave e
+ verificou o identificador de utilizador da chave contra uma identificação
+ fotográfica.
+
+"3" significa que efectuou uma verificação exaustiva da chave. Por exemplo,
+ isto pode significar que efectuou a verificação pessoalmente, e que
+ utilizou um documento, com fotografia, difícil de falsificar
+ (como por exemplo um passaporte) que o nome do dono da chave é o
+ mesmo do que o identificador da chave, e que, finalmente, verificou
+ (através de troca de e-mail) que o endereço de email da chave pertence
+ ao done da chave.
+
+Atenção: os exemplos dados para os níveis 2 e 3 são *apenas* exemplos.
+Compete-lhe a si decidir o que considera, ao assinar chaves, uma verificação
+"normal" e uma verificação "exaustiva".
+
+Se não sabe qual é a resposta correcta, responda "0".
+.
+
+.gpg.change_passwd.empty.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keyedit.save.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keyedit.cancel.okay
+Responda "sim" ou "não"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Responda "sim" se quiser realmente remover este ID de utilizador.
+Todos os certificados também serão perdidos!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Responda "sim" se quiser remover a subchave
+.
+
+.gpg.keyedit.delsig.valid
+Esta é uma assinatura válida na chave; normalmente não é desejável
+remover esta assinatura porque ela pode ser importante para estabelecer
+uma conexão de confiança à chave ou a outra chave certificada por esta.
+.
+
+.gpg.keyedit.delsig.unknown
+Esta assinatura não pode ser verificada porque você não tem a chave
+correspondente. Você deve adiar sua remoção até saber que chave foi usada
+porque a chave desta assinatura pode estabelecer uma conexão de confiança
+através de outra chave já certificada.
+.
+
+.gpg.keyedit.delsig.invalid
+A assinatura não é válida. Faz sentido removê-la do seu porta-chaves.
+.
+
+.gpg.keyedit.delsig.selfsig
+Esta é uma assinatura que liga o ID de utilizador à chave. Geralmente
+não é uma boa idéia remover tal assinatura. É possível que o GnuPG
+não consiga mais usar esta chave. Faça isto apenas se por alguma
+razão esta auto-assinatura não for válida e há uma segunda disponível.
+.
+
+.gpg.keyedit.updpref.okay
+Muda as preferências de todos os identificadores de utilizadores
+(ou apenas dos seleccionados) para a lista actual de preferências.
+O 'timestamp' de todas as auto-assinaturas afectuadas será avançado
+em um segundo.
+
+.
+
+.gpg.passphrase.enter
+Por favor digite a frase secreta
+
+.
+
+.gpg.passphrase.repeat
+Por favor repita a frase secreta, para ter certeza do que digitou.
+.
+
+.gpg.detached_signature.filename
+Dê o nome para o ficheiro ao qual a assinatura se aplica
+.
+
+.gpg.openfile.overwrite.okay
+Responda "sim" se quiser escrever por cima do ficheiro
+.
+
+.gpg.openfile.askoutname
+Por favor digite um novo nome de ficheiro. Se você apenas carregar em RETURN
+o ficheiro por omissão (que é mostrado entre parênteses) será utilizado.
+.
+
+.gpg.ask_revocation_reason.code
+Deve especificar uma razão para a emissão do certificado. Dependendo no
+contexto, pode escolher as seguintes opções desta lista:
+ "A chave foi comprometida"
+ Utilize esta opção se tem razões para acreditar que indivíduos não
+ autorizados obtiveram acesso à sua chave secreta.
+ "A chave foi substituida"
+ Utilize esta opção se substituiu esta chave com uma mais recente.
+ "A chave já não é utilizada"
+ Utilize esta opção se já não utiliza a chave.
+ "O identificador do utilizador já não é válido"
+ Utilize esta opção para comunicar que o identificador do utilizador
+ não deve ser mais utilizado; normalmente utilizada para indicar
+ que um endereço de email é inválido.
+
+.
+
+.gpg.ask_revocation_reason.text
+Se desejar, pode inserir uma texto descrevendo a razão pela qual criou
+este certificado de revogação. Por favor mantenha este texto conciso.
+Uma linha vazia termina o texto.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.pt_BR.txt b/doc/help.pt_BR.txt
new file mode 100644
index 0000000..e88265c
--- /dev/null
+++ b/doc/help.pt_BR.txt
@@ -0,0 +1,253 @@
+# help.pt_BR.txt - Brazilian GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Você decide que valor usar aqui; este valor nunca será exportado para
+terceiros. Precisamos dele implementar a rede de confiança, que não tem
+nada a ver com a rede de certificados (implicitamente criada).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Para construir a Teia-de-Confiança ('Web-of-Trust'), o GnuPG precisa de
+saber quais são as chaves em que deposita confiança absoluta - normalmente
+estas são as chaves a que tem acesso à chave privada. Responda "sim" para
+que esta chave seja de confiança absoluta.
+
+.
+
+.gpg.untrusted_key.override
+Se você quiser usar esta chave não confiável assim mesmo, responda "sim".
+.
+
+.gpg.pklist.user_id.enter
+Digite o ID de usuário do destinatário para o qual você quer enviar a
+mensagem.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+Em geral não é uma boa ideia utilizar a mesma chave para assinar e para
+cifrar. Este algoritmo só deve ser utilizado em alguns domínios.
+Por favor consulte primeiro o seu perito em segurança.
+.
+
+.gpg.keygen.size
+Digite o tamanho da chave
+.
+
+.gpg.keygen.size.huge.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.size.large.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.valid
+Digite o valor necessário conforme pedido.
+É possível digitar uma data ISO (AAAA-MM-DD) mas você não terá uma boa
+reação a erros - o sistema tentará interpretar o valor dado como um intervalo.
+.
+
+.gpg.keygen.valid.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keygen.name
+Digite o nome do possuidor da chave
+.
+
+.gpg.keygen.email
+por favor digite um endereço de email (opcional mas recomendado)
+.
+
+.gpg.keygen.comment
+Por favor digite um comentário (opcional)
+.
+
+.gpg.keygen.userid.cmd
+N para mudar o nome.
+C para mudar o comentário.
+E para mudar o endereço de correio eletrônico.
+O para continuar a geração da chave.
+S para interromper a geração da chave.
+.
+
+.gpg.keygen.sub.okay
+Responda "sim" (ou apenas "s") se quiser gerar a subchave.
+.
+
+.gpg.sign_uid.okay
+Responda "sim" ou "não"
+.
+
+.gpg.sign_uid.class
+Quando assina uma chave de identificação de um utilizador, deve primeiro
+verificar que a chave pertence realmente à pessoa em questão. É útil para
+terceiros saberem com que cuidado é que efectuou esta verificação.
+
+"0" significa que não deseja declarar a forma com verificou a chave
+
+"1" significa que acredita que a chave pertence à pessoa em questão, mas
+ não conseguiu ou não tentou verificar. Este grau é útil para quando
+ assina a chave de uma utilizador pseudo-anónimo.
+
+"2" significa que efectuou uma verificação normal da chave. Por exemplo,
+ isto pode significar que verificou a impressão digital da chave e
+ verificou o identificador de utilizador da chave contra uma identificação
+ fotográfica.
+
+"3" significa que efectuou uma verificação exaustiva da chave. Por exemplo,
+ isto pode significar que efectuou a verificação pessoalmente, e que
+ utilizou um documento, com fotografia, difícil de falsificar
+ (como por exemplo um passaporte) que o nome do dono da chave é o
+ mesmo do que o identificador da chave, e que, finalmente, verificou
+ (através de troca de e-mail) que o endereço de email da chave pertence
+ ao done da chave.
+
+Atenção: os exemplos dados para os níveis 2 e 3 são *apenas* exemplos.
+Compete-lhe a si decidir o que considera, ao assinar chaves, uma verificação
+"normal" e uma verificação "exaustiva".
+
+Se não sabe qual é a resposta correcta, responda "0".
+.
+
+.gpg.change_passwd.empty.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keyedit.save.okay
+Responda "sim" ou "não"
+.
+
+.gpg.keyedit.cancel.okay
+Responda "sim" ou "não"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Responda "sim" se quiser realmente remover este ID de usuário.
+Todos os certificados também serão perdidos!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Responda "sim" se quiser remover a subchave
+.
+
+.gpg.keyedit.delsig.valid
+Esta é uma assinatura válida na chave; normalmente não é desejável
+remover esta assinatura porque ela pode ser importante para estabelecer
+uma conexão de confiança à chave ou a outra chave certificada por esta.
+.
+
+.gpg.keyedit.delsig.unknown
+Esta assinatura não pode ser verificada porque você não tem a chave
+correspondente. Você deve adiar sua remoção até saber que chave foi usada
+porque a chave desta assinatura pode estabelecer uma conexão de confiança
+através de outra chave já certificada.
+.
+
+.gpg.keyedit.delsig.invalid
+A assinatura não é válida. Faz sentido removê-la de seu chaveiro.
+.
+
+.gpg.keyedit.delsig.selfsig
+Esta é uma assinatura que liga o ID de usuário à chave. Geralmente
+não é uma boa idéia remover tal assinatura. É possível que o GnuPG
+não consiga mais usar esta chave. Faça isto apenas se por alguma
+razão esta auto-assinatura não for válida e há uma segunda disponível.
+.
+
+.gpg.keyedit.updpref.okay
+Muda as preferências de todos os identificadores de utilizadores
+(ou apenas dos seleccionados) para a lista actual de preferências.
+O 'timestamp' de todas as auto-assinaturas afectuadas será avançado
+em um segundo.
+
+.
+
+.gpg.passphrase.enter
+Por favor digite a frase secreta
+
+.
+
+.gpg.passphrase.repeat
+Por favor repita a última frase secreta, para ter certeza do que você digitou.
+.
+
+.gpg.detached_signature.filename
+Dê o nome para o arquivo ao qual a assinatura se aplica
+.
+
+.gpg.openfile.overwrite.okay
+Responda "sim" se quiser sobrescrever o arquivo
+.
+
+.gpg.openfile.askoutname
+Por favor digite um novo nome de arquivo. Se você apenas apertar RETURN o
+arquivo padrão (que é mostrado em colchetes) será usado.
+.
+
+.gpg.ask_revocation_reason.code
+Deve especificar uma razão para a emissão do certificado. Dependendo no
+contexto, pode escolher as seguintes opções desta lista:
+ "A chave foi comprometida"
+ Utilize esta opção se tem razões para acreditar que indivíduos não
+ autorizados obtiveram acesso à sua chave secreta.
+ "A chave foi substituida"
+ Utilize esta opção se substituiu esta chave com uma mais recente.
+ "A chave já não é utilizada"
+ Utilize esta opção se já não utiliza a chave.
+ "O identificador do utilizador já não é válido"
+ Utilize esta opção para comunicar que o identificador do utilizador
+ não deve ser mais utilizado; normalmente utilizada para indicar
+ que um endereço de email é inválido.
+
+.
+
+.gpg.ask_revocation_reason.text
+Se desejar, pode inserir uma texto descrevendo a razão pela qual criou
+este certificado de revogação. Por favor mantenha este texto conciso.
+Uma linha vazia termina o texto.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.ro.txt b/doc/help.ro.txt
new file mode 100644
index 0000000..b26dd53
--- /dev/null
+++ b/doc/help.ro.txt
@@ -0,0 +1,251 @@
+# help.ro.txt - ro GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Este sarcina d-voastră să atribuiţi o valoare aici; această valoare
+nu va fi niciodată exportată pentru o terţă parte. Trebuie să
+implementăm reţeaua-de-încredere; aceasta nu are nimic în comun cu
+certificatele-de-reţea (create implicit).
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Pentru a construi Reţeaua-de-Încredere, GnuPG trebuie să ştie care chei
+au nivel de încredere suprem - acestea de obicei sunt cheile pentru care
+aveţi acces la cheia secretă. Răspundeţi "da" pentru a seta
+această cheie cu nivel de încredere suprem
+
+.
+
+.gpg.untrusted_key.override
+Dacă doriţi oricum să folosiţi această cheie fără încredere, răspundeţi "da".
+.
+
+.gpg.pklist.user_id.enter
+Introduceţi ID-ul utilizator al destinatarului mesajului.
+.
+
+.gpg.keygen.algo
+Selectaţi algoritmul de folosit.
+
+DSA (aka DSS) este Digital Signature Algorithm ÅŸi poate fi folosit numai
+pentru semnături.
+
+Elgamal este un algoritm numai pentru cifrare.
+
+RSA poate fi folosit pentru semnături sau cifrare.
+
+Prima cheie (primară) trebuie să fie întotdeauna o cheie cu care se poate semna.
+.
+
+.gpg.keygen.algo.rsa_se
+În general nu este o idee bună să folosiţi aceeaşi cheie şi pentru
+semnare ÅŸi pentru cifrare. Acest algoritm ar trebui folosit numai
+în anumite domenii. Vă rugăm consultaţi mai întâi un expert în domeniu.
+.
+
+.gpg.keygen.size
+Introduceţi lungimea cheii
+.
+
+.gpg.keygen.size.huge.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keygen.size.large.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keygen.valid
+Introduceţi valoarea cerută precum a arătat la prompt.
+Este posibil să introduceţi o dată ISO (AAAA-LL-ZZ) dar nu veţi
+obţine un răspuns de eroare bun - în loc sistemul încearcă să
+interpreteze valoare dată ca un interval.
+.
+
+.gpg.keygen.valid.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keygen.name
+Introduceţi numele deţinătorului cheii
+.
+
+.gpg.keygen.email
+vă rugăm introduceţi o adresă de email (opţională dar recomandată)
+.
+
+.gpg.keygen.comment
+Vă rugăm introduceţi un comentriu opţional
+.
+
+.gpg.keygen.userid.cmd
+N pentru a schimba numele.
+C pentru a schimba comentariul.
+E pentru a schimba adresa de email.
+O pentru a continua cu generarea cheii.
+T pentru a termina generarea cheii.
+.
+
+.gpg.keygen.sub.okay
+Răspundeţi "da" (sau numai "d") dacă sunteţi OK să generaţi subcheia.
+.
+
+.gpg.sign_uid.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.sign_uid.class
+Când semnaţi un ID utilizator pe o cheie ar trebui să verificaţi mai întâi
+că cheia aparţine persoanei numite în ID-ul utilizator. Este util şi altora
+să ştie cât de atent aţi verificat acest lucru.
+
+"0" înseamnă că nu pretindeţi nimic despre cât de atent aţi verificat cheia
+"1" înseamnă că credeţi că cheia este a persoanei ce pretinde că este
+ proprietarul ei, dar n-aţi putut, sau nu aţi verificat deloc cheia.
+ Aceasta este utilă pentru verificare "persona", unde semnaţi cheia
+ unui utilizator pseudonim.
+
+"2" înseamnă că aţi făcut o verificare supericială a cheii. De exemplu,
+ aceasta ar putea însemna că aţi verificat amprenta cheii şi aţi verificat
+ ID-ul utilizator de pe cheie cu un ID cu poză.
+
+"3" înseamnă că aţi făcut o verificare extensivă a cheii. De exemplu,
+ aceasta ar putea însemna că aţi verificat amprenta cheii cu proprietarul
+ cheii în persoană, că aţi verificat folosind un document dificil de
+ falsificat cu poză (cum ar fi un paşaport) că numele proprietarului cheii
+ este acelaşi cu numele ID-ului utilizator al cheii şi că aţi verificat
+ (schimbând emailuri) că adresa de email de pe cheie aparţine proprietarului
+cheii.
+
+De notat că exemplele date pentru nivelele 2 şi 3 ceva mai sus sunt *numai*
+exemple. La urma urmei, d-voastră decideţi ce înseamnă "superficial" şi
+"extensiv" pentru d-voastră când semnaţi alte chei.
+
+Dacă nu ştiţi care este răspunsul, răspundeţi "0".
+.
+
+.gpg.change_passwd.empty.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keyedit.save.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keyedit.cancel.okay
+Răspundeţi "da" sau "nu"
+.
+
+.gpg.keyedit.sign_all.okay
+Răspundeţi "da" dacă doriţi să semnaţi TOATE ID-urile utilizator
+.
+
+.gpg.keyedit.remove.uid.okay
+Răspundeţi "da" dacă într-adevăr doriţi să ştergeţi acest ID utilizator.
+Toate certificatele sunt de asemenea pierdute!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Răspundeţi "da" dacă este OK să ştergeţi subcheia
+.
+
+.gpg.keyedit.delsig.valid
+Aceasta este o semnătură validă pe cheie; în mod normal n-ar trebui
+să ştergeţi această semnătură pentru că aceasta ar putea fi importantăla stabilirea conexiunii de încredere la cheie sau altă cheie certificată
+de această cheie.
+.
+
+.gpg.keyedit.delsig.unknown
+Această semnătură nu poate fi verificată pentru că nu aveţi cheia
+corespunzătoare. Ar trebui să amânaţi ştergerea sa până ştiţi care
+cheie a fost folosită pentru că această cheie de semnare ar putea
+constitui o conexiune de încredere spre o altă cheie deja certificată.
+.
+
+.gpg.keyedit.delsig.invalid
+Semnătura nu este validă. Aceasta ar trebui ştearsă de pe inelul
+d-voastră de chei.
+.
+
+.gpg.keyedit.delsig.selfsig
+Aceasta este o semnătură care leagă ID-ul utilizator de cheie.
+De obicei nu este o idee bună să ştergeţi o asemenea semnătură.
+De fapt, GnuPG ar putea să nu mai poată folosi această cheie.
+Aşa că faceţi acest lucru numai dacă această auto-semnătură este
+dintr-o oarecare cauză invalidă şi o a doua este disponibilă.
+.
+
+.gpg.keyedit.updpref.okay
+Schimbaţi toate preferinţele ale tuturor ID-urilor utilizator (sau doar
+cele selectate) conform cu lista curentă de preferinţe. Timestamp-urile
+tuturor auto-semnăturilor afectate vor fi avansate cu o secundă.
+
+.
+
+.gpg.passphrase.enter
+Vă rugăm introduceţi fraza-parolă; aceasta este o propoziţie secretă
+
+.
+
+.gpg.passphrase.repeat
+Vă rugăm repetaţi ultima frază-parolă, pentru a fi sigur(ă) ce aţi tastat.
+.
+
+.gpg.detached_signature.filename
+Daţi numele fişierului la care se aplică semnătura
+.
+
+.gpg.openfile.overwrite.okay
+Răspundeţi "da" dacă este OK să suprascrieţi fişierul
+.
+
+.gpg.openfile.askoutname
+Vă rugăm introduceţi un nou nume-fişier. Dacă doar apăsaţi RETURN,
+va fi folosit fişierul implicit (arătat în paranteze).
+.
+
+.gpg.ask_revocation_reason.code
+Ar trebui să specificaţi un motiv pentru certificare. În funcţie de
+context aveţi posibilitatea să alegeţi din această listă:
+ "Cheia a fost compromisă"
+ Folosiţi această opţiune dacă aveţi un motiv să credeţi că persoane
+ neautorizate au avut acces la cheia d-voastră secretă.
+ "Cheia este înlocuită"
+ Folosiţi această opţiune dacă înlocuiţi cheia cu una nouă.
+ "Cheia nu mai este folosită"
+ Folosiţi această opţiune dacă pensionaţi cheia.
+ "ID-ul utilizator nu mai este valid"
+ Folosiţi această opţiune dacă ID-ul utilizator nu mai trebuie folosit;
+ de obicei folosită pentru a marca o adresă de email ca invalidă.
+
+.
+
+.gpg.ask_revocation_reason.text
+Dacă doriţi, puteţi introduce un text descriind de ce publicaţi acest
+certificat de revocare. Vă rugăm fiţi concis.
+O linie goală termină textul.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.ru.txt b/doc/help.ru.txt
new file mode 100644
index 0000000..b78e1ff
--- /dev/null
+++ b/doc/help.ru.txt
@@ -0,0 +1,369 @@
+# help.ru.txt - Russian GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+# Copyright (C) 2016 Ineiev <ineiev@gnu.org> (translation)
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+# The translated revision was taken from HEAD b8bb16c6c08d3c2947f1ff67
+# which is the same as the revision from STABLE-BRANCH-2-0 776bee6d370
+
+.#pinentry.qualitybar.tooltip
+# [remove the hash mark from the key to enable this text]
+# This entry is just an example on how to customize the tooltip shown
+# when hovering over the quality bar of the pinentry. We don't
+# install this text so that the hardcoded translation takes
+# precedence. An administrator should write up a short help to tell
+# the users about the configured passphrase constraints and save that
+# to /etc/gnupg/help.txt. The help text should not be longer than
+# about 800 characters.
+Этот индикатор показывает качеÑтво введенной выше фразы-паролÑ.
+
+Пока индикатор краÑный, GnuPG Ñчитает фразу-пароль неприемлемо Ñлабой.
+Уточните у Ñвоего админиÑтратора принÑтые Ñ‚Ñ€ÐµÐ±Ð¾Ð²Ð°Ð½Ð¸Ñ Ðº фразе-паролю.
+.
+
+
+.gnupg.agent-problem
+# There was a problem accessing or starting the agent.
+К запущенному Gpg-Agent было невозможно подключитьÑÑ, либо возникла
+проблема ÑÐ¾ÐµÐ´Ð¸Ð½ÐµÐ½Ð¸Ñ Ñ Ð½Ð¸Ð¼.
+
+СиÑтема иÑпользует фоновый процеÑÑ Ð¿Ð¾Ð´ названием Gpg-Agent
+Ð´Ð»Ñ Ð¾Ð±Ñ€Ð°Ð±Ð¾Ñ‚ÐºÐ¸ Ñекретных ключей и запроÑа фраз-паролей. Обычно процеÑÑ
+запуÑкаетÑÑ Ð¿Ñ€Ð¸ входе Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð² ÑиÑтему и работает, пока
+пользователь не выйдет. ЕÑли процеÑÑ Ð½ÐµÐ´Ð¾Ñтупен, ÑиÑтема пытаетÑÑ
+запуÑтить его на ходу, но функции Ñтой верÑий неÑколько ограничены,
+Ñто может привеÑти к небольшим проблемам.
+
+ВероÑтно, Ð´Ð»Ñ Ñ€ÐµÑˆÐµÐ½Ð¸Ñ Ð¿Ñ€Ð¾Ð±Ð»ÐµÐ¼Ñ‹ нужно обратитьÑÑ Ðº админиÑтратору.
+Ð’ качеÑтве временной меры можно выйти и Ñнова войти в ÑиÑтему;
+может быть, Ñто поможет. Ð’ любом Ñлучае Ñообщите об Ñтом
+админиÑтратору, потому что Ñто указывает на недочет в программе.
+.
+
+
+.gnupg.dirmngr-problem
+# There was a problen accessing the dirmngr.
+К запущенному Dirmngr было невозможно подключитьÑÑ, либо возникла
+проблема ÑÐ¾ÐµÐ´Ð¸Ð½ÐµÐ½Ð¸Ñ Ñ Ð½Ð¸Ð¼.
+
+Ð”Ð»Ñ Ð¿Ñ€Ð¾Ñмотра ÑпиÑков отзыва Ñертификатов во Ð²Ñ€ÐµÐ¼Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€ÐºÐ¸
+Ñертификатов и Ð´Ð»Ñ Ð¿Ð¾Ð¸Ñка ключей на локальных Ñерверах ÑиÑтема
+пользуетÑÑ Ð²Ð½ÐµÑˆÐ½ÐµÐ¹ Ñлужебной программой Dirmngr. Обычно она работает
+как ÑиÑÑ‚ÐµÐ¼Ð½Ð°Ñ Ñлужба (демон) и не нуждаетÑÑ Ð² каких-либо дейÑтвиÑÑ…
+Ñо Ñтороны пользователÑ. Ð’ Ñлучае проблем ÑиÑтема может запуÑкать
+новую копию Dirmngr по каждому запроÑу; Ñто запаÑной вариант
+Ñ ÑƒÑ…ÑƒÐ´ÑˆÐµÐ½Ð½Ñ‹Ð¼Ð¸ характериÑтиками.
+
+ЕÑли Ð’Ñ‹ ÑтолкнулиÑÑŒ Ñ Ñтой проблемой, обратитеÑÑŒ к ÑиÑтемному
+админиÑтратору. Ð’ качеÑтве временного Ñ€ÐµÑˆÐµÐ½Ð¸Ñ Ð¼Ð¾Ð¶Ð½Ð¾ попробовать
+отключить проверку ÑпиÑков отзыва Ñертификатов в наÑтройках gpgsm.
+.
+
+
+.gpg.edit_ownertrust.value
+# The help identies prefixed with "gpg." used to be hard coded in gpg
+# but may now be overridden by help texts from this file.
+ЕÑли хотите, поÑтавьте здеÑÑŒ значение; оно никогда не будет выводитьÑÑ
+Ð´Ð»Ñ Ñ‚Ñ€ÐµÑ‚ÑŒÐ¸Ñ… Ñторон. Ðам оно нужно Ð´Ð»Ñ Ñ€ÐµÐ°Ð»Ð¸Ð·Ð°Ñ†Ð¸Ð¸ Ñети довериÑ; оно
+никак не ÑвÑзано Ñ (неÑвно Ñоздаваемой) Ñетью Ñертификатов.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Ð”Ð»Ñ Ð¿Ð¾ÑÑ‚Ñ€Ð¾ÐµÐ½Ð¸Ñ Ð¡ÐµÑ‚Ð¸ Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ GnuPG нужно знать, каким ключам доверÑÑ‚ÑŒ
+полноÑтью - обычно Ñто ключи, Ñекретные чаÑти которых у Ð’Ð°Ñ ÐµÑÑ‚ÑŒ.
+Ответ "да" уÑтановит полное доверие Ñтому ключу.
+
+
+.gpg.untrusted_key.override
+ЕÑли Ð’Ñ‹ хотите вÑе равно пользоватьÑÑ Ñтим недоверенным ключом,
+ответьте "да".
+.
+
+.gpg.pklist.user_id.enter
+Введите ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ - Ð¿Ð¾Ð»ÑƒÑ‡Ð°Ñ‚ÐµÐ»Ñ Ð’Ð°ÑˆÐµÐ³Ð¾ ÑообщениÑ.
+.
+
+.gpg.keygen.algo
+Выберите алгоритм.
+
+DSA (он же DSS) можно применÑÑ‚ÑŒ только Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñей.
+
+Elgamal - алгоритм только Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ.
+
+RSA можно применÑÑ‚ÑŒ Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ Ð¸Ð»Ð¸ подпиÑей.
+
+Первый (первичный) ключ вÑегда должен быть пригоден Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñей.
+.
+
+
+.gpg.keygen.algo.rsa_se
+Ð’ целом неразумно пользоватьÑÑ Ð¾Ð´Ð½Ð¸Ð¼ и тем же ключом и Ð´Ð»Ñ Ð¿Ð¾Ð´Ð¿Ð¸Ñи,
+и Ð´Ð»Ñ ÑˆÐ¸Ñ„Ñ€Ð¾Ð²Ð°Ð½Ð¸Ñ. Это может быть полезно только в определенных
+ÑлучаÑÑ…. ПроконÑультируйтеÑÑŒ Ñо Ñвоим ÑкÑпертом по безопаÑноÑти.
+.
+
+
+.gpg.keygen.flags
+ПоменÑÑ‚ÑŒ функции ключа.
+
+Переключать можно только функции, доÑтупные Ð´Ð»Ñ Ð²Ñ‹Ð±Ñ€Ð°Ð½Ð½Ð¾Ð³Ð¾
+алгоритма.
+
+Ð”Ð»Ñ Ð±Ñ‹Ñтрой уÑтановки Ñразу вÑех возможноÑтей введите Ñначала '=',
+а за ним ÑпиÑок букв, задающих набор функций: '1' - подпиÑÑŒ, '2' -
+шифрование, '3' - аутентификациÑ. Ðеправильные буквы и функции
+не учитываютÑÑ. Сразу поÑле быÑтрого ввода Ñто подменю закрываетÑÑ.
+.
+
+
+.gpg.keygen.size
+Введите размер ключа.
+
+Предлагаемое значение обычно хорошо подходит.
+
+ЕÑли Вам нужен ключ большого размера, например, 4096 бит, подумайте,
+дейÑтвительно ли Ñто Ð´Ð»Ñ Ð’Ð°Ñ Ð¸Ð¼ÐµÐµÑ‚ ÑмыÑл. См. ÐºÐ¾Ð¼Ð¸ÐºÑ Ð½Ð° Ñтранице
+http://www.xkcd.com/538/ .
+.
+
+.gpg.keygen.size.huge.okay
+Отвечайте "да" или "нет".
+.
+
+
+.gpg.keygen.size.large.okay
+Отвечайте "да" или "нет".
+.
+
+
+.gpg.keygen.valid
+Введите нужное значение, как показано в приглашении.
+Можно ввеÑти дату ИСО (ГГГГ-ММ-ДД), но ÑÐ¾Ð¾Ð±Ñ‰ÐµÐ½Ð¸Ñ Ð¾Ð± ошибках будут
+неудобочитаемыми: ÑиÑтема пытаетÑÑ Ð¸Ð½Ñ‚ÐµÑ€Ð¿Ñ€ÐµÑ‚Ð¸Ñ€Ð¾Ð²Ð°Ñ‚ÑŒ данное значение
+как интервал.
+.
+
+.gpg.keygen.valid.okay
+Отвечайте "да" или "нет".
+.
+
+
+.gpg.keygen.name
+Введите Ð¸Ð¼Ñ Ð²Ð»Ð°Ð´ÐµÐ»ÑŒÑ†Ð° ключа.
+Символы "<" и ">" недопуÑтимы.
+Пример: ВаÑÑ ÐŸÑƒÑˆÐºÐ¸Ð½
+.
+
+
+.gpg.keygen.email
+Введите, пожалуйÑта, Ð°Ð´Ñ€ÐµÑ Ñлектронной почты (необÑзательно,
+но очень рекомендуетÑÑ).
+Пример: vp@test.ru
+.
+
+.gpg.keygen.comment
+Введите, пожалуйÑта, необÑзательное примечание.
+Символы "(" и ")" недопуÑтимы.
+В общем и целом оно не нужно.
+.
+
+
+.gpg.keygen.userid.cmd
+# (Keep a leading empty line)
+
+N Ñменить имÑ.
+C Ñменить примечание.
+E Ñменить адреÑ.
+O продолжить Ñоздание ключа.
+Q прекратить Ñоздание ключа.
+.
+
+.gpg.keygen.sub.okay
+Введите "да" (или "y"), чтобы разрешить Ñоздание ключа.
+.
+
+.gpg.sign_uid.okay
+Отвечайте "да" или "нет".
+.
+
+.gpg.sign_uid.class
+Когда Ð’Ñ‹ подпиÑываете идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð² ключе, нужно Ñначала
+удоÑтоверитьÑÑ, что ключ принадлежит указанному в идентификаторе лицу.
+Другим полезно знать, наÑколько тщательно Ð’Ñ‹ Ñто проверили.
+
+"0" значит, что Ð’Ñ‹ не указываете, наÑколько тщательно вы проверÑли ключ.
+
+"1" значит, что Ð’Ñ‹ Ñчитаете, что ключ принадлежит заÑвленному лицу, но Ð’Ñ‹
+ не могли проверить или не проверÑли ключ. Это полезно Ð´Ð»Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€ÐºÐ¸
+ "инкогнито", когда вы подпиÑываете ключ Ñ Ð¿Ñевдонимом.
+
+"2" значит, что Ð’Ñ‹ провели чаÑтичную проверку ключа. Ðапример, проверили
+ отпечаток ключа и идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð¸Ð· ключа
+ по фотоидентификатору.
+
+"3" значит, что Ð’Ñ‹ провели тщательную проверку ключа. Ðапример,
+ Ð’Ñ‹ проверили отпечаток ключа, а также проверили по удоÑтоверению
+ личноÑти (такому как паÑпорт), что Ð¸Ð¼Ñ Ð²Ð»Ð°Ð´ÐµÐ»ÑŒÑ†Ð° ключа Ñовпадает
+ Ñ Ð¸Ð¼ÐµÐ½ÐµÐ¼ человека, запиÑанным в идентификаторе Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ ÐºÐ»ÑŽÑ‡Ð°;
+ наконец, Ð’Ñ‹ удоÑтоверилиÑÑŒ (обменÑвшиÑÑŒ Ñлектронной почтой), что
+ Ð°Ð´Ñ€ÐµÑ Ñлектронной почты принадлежит владельцу ключа.
+
+Имейте в виду, что примеры, данные Ð´Ð»Ñ ÑƒÑ€Ð¾Ð²Ð½ÐµÐ¹ 2 и 3 - Ñто *только*
+примеры. Ð’ конечном Ñчете Ð’Ñ‹ Ñами решаете, что значит "чаÑтичнаÑ"
+и "тщательнаÑ" проверка, когда Ð’Ñ‹ подпиÑываете другие ключи.
+
+ЕÑли затруднÑетеÑÑŒ Ñ Ð¾Ñ‚Ð²ÐµÑ‚Ð¾Ð¼, поÑтавьте "0".
+.
+
+.gpg.change_passwd.empty.okay
+Отвечайте "да" или "нет".
+.
+
+
+.gpg.keyedit.save.okay
+Отвечайте "да" или "нет".
+.
+
+
+.gpg.keyedit.cancel.okay
+Отвечайте "да" или "нет".
+.
+
+.gpg.keyedit.sign_all.okay
+Ответьте "да", еÑли хотите подпиÑать ВСЕ идентификаторы пользователÑ.
+.
+
+.gpg.keyedit.remove.uid.okay
+Ответьте "да", еÑли дейÑтвительно хотите удалить Ñтот идентификатор
+пользователÑ.
+Ð’Ñе Ñертификаты будут также удалены!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Ответьте "да", еÑли подключ можно удалить.
+.
+
+
+.gpg.keyedit.delsig.valid
+Это Ð²ÐµÑ€Ð½Ð°Ñ Ð¿Ð¾Ð´Ð¿Ð¸ÑÑŒ ключа; как правило, ее не нужно удалÑÑ‚ÑŒ,
+поÑкольку может быть важно уÑтановить отношение Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ð¼ÐµÐ¶Ð´Ñƒ
+Ñтим ключом и другими ключами.
+.
+
+.gpg.keyedit.delsig.unknown
+Эту подпиÑÑŒ Ð½ÐµÐ»ÑŒÐ·Ñ Ð¿Ñ€Ð¾Ð²ÐµÑ€Ð¸Ñ‚ÑŒ, поÑкольку отÑутÑтвует ÑоответÑтвующий
+ключ. Удаление ее нужно отложить до тех пор, пока не Ñтанет
+извеÑтно, какой из ключей был иÑпользован, так как подпиÑÑŒ
+Ñтого ключа могло бы уÑтановить отношение Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ñ‡ÐµÑ€ÐµÐ·
+другой, уже Ñертифицированный ключ.
+.
+
+.gpg.keyedit.delsig.invalid
+ПодпиÑÑŒ недейÑтвительна. Имеет ÑмыÑл удалить ее из Вашей таблицы
+ключей.
+.
+
+.gpg.keyedit.delsig.selfsig
+Эта подпиÑÑŒ ÑвÑзывает идентификатор Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ñ ÐºÐ»ÑŽÑ‡Ð¾Ð¼. Обычно
+удалÑÑ‚ÑŒ такие подпиÑи не Ñледует. Это может Ñделать ключ непригодным
+Ð´Ð»Ñ Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ð½Ð¸Ñ Ñ GnuPG. Так что делайте Ñто только еÑли Ñта
+ÑамоподпиÑÑŒ по какой-то причине недейÑтвительна и еÑÑ‚ÑŒ другаÑ.
+.
+
+.gpg.keyedit.updpref.okay
+Изменить Ð¿Ñ€ÐµÐ´Ð¿Ð¾Ñ‡Ñ‚ÐµÐ½Ð¸Ñ Ð´Ð»Ñ Ð²Ñех идентификаторов Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ (или
+только Ð´Ð»Ñ Ð²Ñ‹Ð±Ñ€Ð°Ð½Ð½Ñ‹Ñ…) на текущий ÑпиÑок предпочтений. Дата вÑех
+ÑамоподпиÑей, которых Ñто каÑаетÑÑ, будет Ñдвинута вперед
+на одну Ñекунду.
+.
+
+
+.gpg.passphrase.enter
+# (keep a leading empty line)
+
+Введите, пожалуйÑта, фразу-пароль (Ñекретное предложение).
+.
+
+
+.gpg.passphrase.repeat
+Повторите введенную фразу-пароль, чтобы проверить, что Ð’Ñ‹ не ошиблиÑÑŒ.
+.
+
+.gpg.detached_signature.filename
+Задайте Ð¸Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð°, который подпиÑываетÑÑ.
+.
+
+.gpg.openfile.overwrite.okay
+# openfile.c (overwrite_filep)
+Ответьте "да", еÑли файл можно перезапиÑать.
+.
+
+.gpg.openfile.askoutname
+# openfile.c (ask_outfile_name)
+Введите новое Ð¸Ð¼Ñ Ñ„Ð°Ð¹Ð»Ð°. ЕÑли проÑто нажать "Enter", будет
+иÑпользован файл по умолчанию (указан в Ñкобках).
+.
+
+.gpg.ask_revocation_reason.code
+# revoke.c (ask_revocation_reason)
+Ðужно указать причину отзыва. Можно выбрать из ÑпиÑка:
+ "Ключ был раÑкрыт"
+ ЕÑÑ‚ÑŒ оÑÐ½Ð¾Ð²Ð°Ð½Ð¸Ñ Ð¿Ð¾Ð»Ð°Ð³Ð°Ñ‚ÑŒ, что какие-то лица получили
+ неÑанкционированный доÑтуп к Ñекретному ключу.
+ "Ключ заменен другим"
+ Вы заменили ключ на новый.
+ "Ключ больше не иÑпользуетÑÑ"
+ Ð’Ñ‹ дали ключу отÑтавку.
+ "ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð±Ð¾Ð»ÑŒÑˆÐµ не дейÑтвителен"
+ ID Ð¿Ð¾Ð»ÑŒÐ·Ð¾Ð²Ð°Ñ‚ÐµÐ»Ñ Ð±Ð¾Ð»ÑŒÑˆÐµ не должен употреблÑÑ‚ÑŒÑÑ; обычно Ñто значит,
+ что Ð°Ð´Ñ€ÐµÑ Ñлектронной почты недейÑтвителен.
+.
+
+.gpg.ask_revocation_reason.text
+# revoke.c (ask_revocation_reason)
+ЕÑли хотите, можете ввеÑти текÑÑ‚, поÑÑнÑющий причину, по которой
+выпущен Ñтот Ñертификат отзыва. ВыражайтеÑÑŒ, пожалуйÑта, ÑÑно.
+ТекÑÑ‚ заканчиваетÑÑ Ð¿ÑƒÑтой Ñтрокой.
+.
+
+
+
+
+.gpgsm.root-cert-not-trusted
+# This text gets displayed by the audit log if
+# a root certificates was not trusted.
+Ðет Ð´Ð¾Ð²ÐµÑ€Ð¸Ñ Ðº корневому Ñертификату. Ð’ завиÑимоÑти от наÑтроек
+Вам могли предложить пометить Ñтот корневой Ñертификат как доверенный
+или вручную указать GnuPG, что Ñтому Ñертификату нужно доверÑÑ‚ÑŒ.
+Доверенные Ñертификаты задаютÑÑ Ð² файле trustlist.txt в домашнем
+каталоге GnuPG. ЕÑли ÑомневаетеÑÑŒ, ÑпроÑите Ñвоего ÑиÑтемного
+админиÑтратора, Ñледует ли Вам доверÑÑ‚ÑŒ Ñтому Ñертификату.
+
+
+.gpgsm.crl-problem
+# This tex is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+Ð’ завиÑимоÑти от наÑтроек возникла проблема в получении ÑпиÑка
+отозванных Ñертификатов или в выполнении проверки по протоколу
+OCSP. Это могло ÑлучитьÑÑ Ð¿Ð¾ очень многим причинам. ОбратитеÑÑŒ
+к документации за возможными решениÑми.
+
+
+# Local variables:
+# mode: default-generic
+# coding: utf-8
+# End:
diff --git a/doc/help.sk.txt b/doc/help.sk.txt
new file mode 100644
index 0000000..9e50c76
--- /dev/null
+++ b/doc/help.sk.txt
@@ -0,0 +1,254 @@
+# help.sk.txt - sk GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Je na Vás, aby ste sem priradili hodnotu; táto hodnota nebude nikdy
+exportovaná tretej strane. Potrebujeme ju k implementácii "pavuÄiny
+dôvery"; nemá to niÄ spoloÄné s (implicitne vytvorenou) "pavuÄinou
+certifikátov".
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Aby bolo možné vybudovaÅ¥ pavuÄinu dôvery, musí GnuPG vedieÅ¥, ktorým kľúÄom
+dôverujete absolútne - obyÄajne sú to tie kľúÄe, pre ktoré máte prístup
+k tajným kľúÄom. Odpovedzte "ano", aby ste nastavili tieto kľúÄe
+ako absolútne dôveryhodné
+
+.
+
+.gpg.untrusted_key.override
+Pokiaľ aj tak chcete použiÅ¥ tento nedôveryhodný kľúÄ, odpovedzte "ano".
+.
+
+.gpg.pklist.user_id.enter
+Vložte identifikátor adresáta, ktorému chcete poslať správu.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.gpg.keygen.algo.rsa_se
+VÅ¡ebecne nemožno odporúÄaÅ¥ používaÅ¥ rovnaký kÄ¾ÃºÄ na Å¡ifrovanie a podeisovanie
+Tento algoritmus je vhodné použiÅ¥ len za urÄitých podmienok.
+Kontaktujte prosím najprv bezpeÄnostného Å¡pecialistu.
+.
+
+.gpg.keygen.size
+Vložte dĺžku kľúÄa
+.
+
+.gpg.keygen.size.huge.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.keygen.size.large.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.keygen.valid
+Vložte požadovanú hodnotu tak, ako je uvedené v príkazovom riadku.
+Je možné vložiť dátum vo formáte ISO (RRRR-MM-DD), ale nedostanete
+správnu chybovú hlášku - miesto toho systém skúsi interpretovať
+zadanú hodnotu ako interval.
+.
+
+.gpg.keygen.valid.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.keygen.name
+Vložte meno držiteľa kľúÄa
+.
+
+.gpg.keygen.email
+prosím, vložte e-mailovú adresu (nepovinné, ale veľmi odporúÄané)
+.
+
+.gpg.keygen.comment
+Prosím, vložte nepovinný komentár
+.
+
+.gpg.keygen.userid.cmd
+N pre zmenu názvu.
+C pre zmenu komentára.
+E pre zmenu e-mailovej adresy.
+O pre pokraÄovanie generovania kľúÄa.
+Q pre ukonÄenie generovania kľúÄa.
+.
+
+.gpg.keygen.sub.okay
+Ak chcete generovaÅ¥ podkľúÄ, odpovedzte "ano" (alebo len "a").
+.
+
+.gpg.sign_uid.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.sign_uid.class
+Skôr ako podpíšete id užívateľa, mali by ste najprv overiÅ¥, Äi kľúÄ
+patrí osobe, ktorej meno je uvedené v identifikátore užívateľa.
+Je veľmi užitoÄné, keÄ ostatní vedia, ako dôsledne ste previedli
+takéto overenie.
+
+"0" znamená, že neuvádzate, ako dôsledne ste pravosÅ¥ kľúÄa overili
+
+"1" znamená, že veríte tomu, že kÄ¾ÃºÄ patrí osobe, ktorá je uvedená,
+ v užívateľskom ID, ale nemohli ste alebo jste nepreverili túto skutoÄnosÅ¥.
+ To je užitoÄné pre "osobnú" verifikáciu, keÄ podpisujete kľúÄe, ktoré
+ používajú pseudonym užívateľa.
+
+"2" znamená, že ste ÄiastoÄne overili pravosÅ¥ kľúÄa. Napr. ste overili
+ fingerprint kľúÄa a skontrolovali identifikátor užívateľa
+ uvedený na kľúÄi s fotografickým id.
+
+"3" Znamená, že ste vykonali veľmi dôkladné overenie pravosti kľúÄa.
+ To môže napríklad znamenaÅ¥, že ste overili fingerprint kľúÄa
+ jeho vlastníka osobne a Äalej ste pomocou tažko falÅ¡ovateľného
+ dokumentu s fotografiou (napríklad pasu) overili, že meno majiteľa
+ kľúÄa sa zhoduje s menom uvedeným v užívateľskom ID a Äalej ste
+ overili (výmenou elektronických dopisov), že elektronická adresa uvedená
+ v ID užívateľa patrí majiteľovi kľúÄa.
+
+Prosím nezabúdajte, že príklady uvedené pre úroveň 2 a 3 sú *len*
+príklady.
+Je len na VaÅ¡om rozhodnutí, Äo "ÄiastoÄné" a "dôkladné" overenie znamená
+keÄ budete podpisovaÅ¥ kľúÄe iným užívateľom.
+
+Pokiaľ neviete, aká je správna odpoveÄ, odpovedzte "0".
+.
+
+.gpg.change_passwd.empty.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.keyedit.save.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.gpg.keyedit.cancel.okay
+Odpovedzte "ano" alebo "nie"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.gpg.keyedit.remove.uid.okay
+Pokiaľ skutoÄne chcete zmazaÅ¥ tento identifikátor užívateľa, odpovedzte "ano".
+Všetky certifikáty budú tiež stratené!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Odpovedzte "ano", pokiaľ chcete zmazaÅ¥ podkľúÄ
+.
+
+.gpg.keyedit.delsig.valid
+Toto je platný podpis kľúÄa; normálne nechcete tento podpis zmazaÅ¥,
+pretože môže byÅ¥ dôležitý pri vytváraní dôvery kľúÄa alebo iného kľúÄa
+ceritifikovaného týmto kľúÄom.
+.
+
+.gpg.keyedit.delsig.unknown
+Tento podpis nemôže byÅ¥ overený, pretože nemáte zodpovedajúci verejný kľúÄ.
+Jeho zmazanie by ste mali odložiÅ¥ do Äasu, keÄ budete vedieÅ¥, ktorý kľúÄ
+bol použitý, pretože tento podpisovací kÄ¾ÃºÄ môže vytvoriÅ¥ dôveru
+prostredníctvom iného už certifikovaného kľúÄa.
+.
+
+.gpg.keyedit.delsig.invalid
+Podpis je neplatný. Je rozumné ho odstrániÅ¥ z Vášho súboru kľúÄov.
+.
+
+.gpg.keyedit.delsig.selfsig
+Toto je podpis, ktorý viaže identifikátor užívateľa ku kľúÄu. ZvyÄajne
+nie je dobré takýto podpis odstrániÅ¥. GnuPG nemôže tento kÄ¾ÃºÄ naÄalej
+používaÅ¥. Urobte to len v prípade, keÄ je tento podpis kľúÄa
+ním samým z nejakého dôvodu neplatný a keÄ je k dispozícii iný kľúÄ.
+.
+
+.gpg.keyedit.updpref.okay
+ZmeniÅ¥ predvoľby pre vÅ¡etky užívateľské ID (alebo len pre oznaÄené)
+na aktuálny zoznam predvolieb. Časové razítka všetkých dotknutých podpisov
+kľúÄov nimi samotnými budú posunuté o jednu sekundu dopredu.
+
+.
+
+.gpg.passphrase.enter
+Prosím, vložte heslo; toto je tajná veta
+
+.
+
+.gpg.passphrase.repeat
+Prosím, zopakujte posledné heslo, aby ste si boli istý, Äo ste napísali.
+.
+
+.gpg.detached_signature.filename
+Zadajte názov súboru, ku ktorému sa podpis vzťahuje
+.
+
+.gpg.openfile.overwrite.okay
+Ak si prajete prepísanie súboru, odpovedzte "ano"
+.
+
+.gpg.openfile.askoutname
+Prosím, vložte nový názov súboru. Ak len stlaÄíte RETURN, bude
+použitý implicitný súbor (ktorý je zobrazený v zátvorkách).
+.
+
+.gpg.ask_revocation_reason.code
+Mali by ste špecifikovať dôvod certifikácie. V závislosti na kontexte
+máte možnosť si vybrať zo zoznamu:
+ "kÄ¾ÃºÄ bol kompromitovaný"
+ Toto použite, pokiaľ si myslíte, že k Vášmu tajnému kľúÄu získali
+ prístup neoprávnené osoby.
+ "kÄ¾ÃºÄ je nahradený"
+ Toto použite, pokiaľ ste tento kÄ¾ÃºÄ nahradili novším kľúÄom.
+ "kÄ¾ÃºÄ sa už nepoužíva"
+ Toto použite, pokiaľ tento kÄ¾ÃºÄ už nepoužívate.
+ "Identifikátor užívateľa už nie je platný"
+ Toto použite, pokiaľ by sa identifikátor užívateľa už nemal používať;
+ normálne sa používa na oznaÄenie neplatnej e-mailové adresy.
+
+.
+
+.gpg.ask_revocation_reason.text
+Ak chcete, môžete vložiÅ¥ text popisujúcí pôvod vzniku tohto revokaÄného
+ceritifikátu. Prosím, struÄne.
+Text konÄí prázdnym riadkom.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.sv.txt b/doc/help.sv.txt
new file mode 100644
index 0000000..0ac3be7
--- /dev/null
+++ b/doc/help.sv.txt
@@ -0,0 +1,286 @@
+# help..txt - GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.#gpg.edit_ownertrust.value
+# fixme: Please translate and remove the hash mark from the key line.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.#gpg.edit_ownertrust.set_ultimate.okay
+# fixme: Please translate and remove the hash mark from the key line.
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted
+
+.
+
+.#gpg.untrusted_key.override
+# fixme: Please translate and remove the hash mark from the key line.
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.#gpg.pklist.user_id.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.#gpg.keygen.algo
+# fixme: Please translate and remove the hash mark from the key line.
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+.#gpg.keygen.algo.rsa_se
+# fixme: Please translate and remove the hash mark from the key line.
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+.#gpg.keygen.size
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the size of the key
+.
+
+.#gpg.keygen.size.huge.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.size.large.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.valid
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.#gpg.keygen.valid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keygen.name
+# fixme: Please translate and remove the hash mark from the key line.
+Enter the name of the key holder
+.
+
+.#gpg.keygen.email
+# fixme: Please translate and remove the hash mark from the key line.
+please enter an optional but highly suggested email address
+.
+
+.#gpg.keygen.comment
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter an optional comment
+.
+
+.#gpg.keygen.userid.cmd
+# fixme: Please translate and remove the hash mark from the key line.
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to to quit the key generation.
+.
+
+.#gpg.keygen.sub.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.#gpg.sign_uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.sign_uid.class
+# fixme: Please translate and remove the hash mark from the key line.
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.#gpg.change_passwd.empty.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.save.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.cancel.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" or "no"
+.
+
+.#gpg.keyedit.sign_all.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you want to sign ALL the user IDs
+.
+
+.#gpg.keyedit.remove.uid.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.#gpg.keyedit.remove.subkey.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to delete the subkey
+.
+
+.#gpg.keyedit.delsig.valid
+# fixme: Please translate and remove the hash mark from the key line.
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.#gpg.keyedit.delsig.unknown
+# fixme: Please translate and remove the hash mark from the key line.
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.#gpg.keyedit.delsig.invalid
+# fixme: Please translate and remove the hash mark from the key line.
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.#gpg.keyedit.delsig.selfsig
+# fixme: Please translate and remove the hash mark from the key line.
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.#gpg.keyedit.updpref.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+
+.
+
+.#gpg.passphrase.enter
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter the passphrase; this is a secret sentence
+
+.
+
+.#gpg.passphrase.repeat
+# fixme: Please translate and remove the hash mark from the key line.
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.#gpg.detached_signature.filename
+# fixme: Please translate and remove the hash mark from the key line.
+Give the name of the file to which the signature applies
+.
+
+.#gpg.openfile.overwrite.okay
+# fixme: Please translate and remove the hash mark from the key line.
+Answer "yes" if it is okay to overwrite the file
+.
+
+.#gpg.openfile.askoutname
+# fixme: Please translate and remove the hash mark from the key line.
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.#gpg.ask_revocation_reason.code
+# fixme: Please translate and remove the hash mark from the key line.
+You should specify a reason for the certification. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+
+.
+
+.#gpg.ask_revocation_reason.text
+# fixme: Please translate and remove the hash mark from the key line.
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.tr.txt b/doc/help.tr.txt
new file mode 100644
index 0000000..086f191
--- /dev/null
+++ b/doc/help.tr.txt
@@ -0,0 +1,242 @@
+# help.tr.txt - tr GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+Bir değeri buraya işaretlemek size kalmış; bu değer herhangi bir 3. şahsa
+gönderilmeyecek. Bir güvence ağı sağlamak için bizim buna ihtiyacımız var;
+bunun (açıkça belirtilmeden oluşturulmuş) sertifikalar ağıyla
+hiçbir alakası yok.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+Web-of-Trust oluşturulabilmesi için GnuPG'ye hangi anahtarların son derece
+güvenli (bunlar gizli anahtarlarına erişiminiz olan anahtarlardır) olduğunun
+bildirilmesi gerekir. "evet" yanıtı bu anahtarın son derece güvenli
+olduğunun belirtilmesi için yeterlidir.
+
+.
+
+.gpg.untrusted_key.override
+Bu güvencesiz anahtarı yine de kullanmak istiyorsanız cevap olarak
+ "evet" yazın.
+.
+
+.gpg.pklist.user_id.enter
+Bu iletiyi göndereceğiniz adresin kullanıcı kimliğini giriniz.
+.
+
+.gpg.keygen.algo
+Kullanılacak algoritmayı seçiniz.
+
+DSA (nam-ı diğer DSS) Sayısal İmza Algortimasıdır ve
+sadece imzalar için kullanılabilir.
+
+Elgamal sadece şifreleme amacıyla kullanılabilen bir algoritmadır.
+
+RSA hem imzalamak hem de şifrelemek amacıyla kullanılabilir.
+
+İlk (asıl) anahtar daima imzalama yeteneğine sahip bir anahtar olmalıdır.
+.
+
+.gpg.keygen.algo.rsa_se
+Genelde imzalama ve şifreleme için aynı anahtarı kullanmak iyi bir fikir
+değildir. Bu algoritma sadece belli alanlarda kullanılabilir.
+Lütfen güvenlik uzmanınıza danışın.
+.
+
+.gpg.keygen.size
+Anahtar uzunluÄŸunu giriniz
+.
+
+.gpg.keygen.size.huge.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keygen.size.large.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keygen.valid
+İstenen değeri girin. ISO tarihi (YYYY-AA-GG) girmeniz mümkündür fakat
+iyi bir hata cevabı alamazsınız -- onun yerine sistem verilen değeri
+bir zaman aralığı olarak çözümlemeyi dener.
+.
+
+.gpg.keygen.valid.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keygen.name
+Anahtar tutucunun ismini giriniz
+.
+
+.gpg.keygen.email
+lütfen bir E-posta adresi girin (isteğe bağlı ancak kuvvetle tavsiye edilir)
+.
+
+.gpg.keygen.comment
+Lütfen önbilgi girin (isteğe bağlı)
+.
+
+.gpg.keygen.userid.cmd
+S iSim değiştirmek için.
+B önBilgiyi değiştirmek için.
+P e-Posta adresini değiştirmek için.
+D anahtar üretimine Devam etmek için.
+K anahtar üretiminden çıKmak için.
+.
+
+.gpg.keygen.sub.okay
+Yardımcı anahtarı üretmek istiyorsanız "evet" ya da "e" girin.
+.
+
+.gpg.sign_uid.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.sign_uid.class
+Bir anahtarı bir kullanıcı kimlikle imzalamadan önce kullanıcı kimliğin
+içindeki ismin, anahtarın sahibine ait olup olmadığını kontrol etmelisiniz.
+
+"0" bu kontrolu yapmadığınız ve yapmayı da bilmediğiniz anlamındadır.
+"1" anahtar size sahibi tarafından gönderildi ama siz bu anahtarı başka
+ kaynaklardan doğrulamadınız anlamındadır. Bu kişisel doğrulama için
+ yeterlidir. En azında yarı anonim bir anahtar imzalaması yapmış
+ olursunuz.
+"2" ayrıntılı bir inceleme yapıldığı anlamındadır. Örneğin parmakizi ve
+ bir anahtarın foto kimliğiyle kullanıcı kimliğini karşılaştırmak
+ gibi denetimleri yapmışsınızdır.
+"3" inceden inceye bir doğrulama anlatır. Örneğin, şahıstaki anahtarın
+ sahibi ile anahtar parmak izini karşılaştırmışsınızdır ve anahtardaki
+ kullanıcı kimlikte belirtilen isme ait bir basılı kimlik belgesindeki
+ bir fotoğrafla şahsı karşılaştırmışsınızdır ve son olarak anahtar
+ sahibinin e-posta adresini kendisinin kullanmakta olduÄŸunu da
+ denetlemiÅŸsinizdir.
+Burada 2 ve 3 için verilen örnekler *sadece* örnektir.
+Eninde sonunda bir anahtarı imzalarken "ayrıntılı" ve "inceden inceye" kontroller arasındaki ayrıma siz karar vereceksiniz.
+Bu kararı verebilecek durumda değilseniz "0" cevabını verin.
+.
+
+.gpg.change_passwd.empty.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keyedit.save.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keyedit.cancel.okay
+Cevap "evet" ya da "hayır"
+.
+
+.gpg.keyedit.sign_all.okay
+Kullanıcı kimliklerinin TÜMünü imzalamak istiyorsanız "evet" ya da "yes" yazın
+.
+
+.gpg.keyedit.remove.uid.okay
+Bu kullanıcı kimliğini gerçekten silmek istiyorsanız "evet" girin.
+Böylece bütün sertifikaları kaybedeceksiniz!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Bu yardımcı anahtarı silme izni vermek istiyorsanız "evet" girin
+.
+
+.gpg.keyedit.delsig.valid
+Bu, anahtar üzerinde geçerli bir imzadır; anahtara ya da bu anahtarla
+sertifikalanmış bir diğer anahtara bir güvence bağlantısı sağlamakta
+önemli olabileceğinden normalde bu imzayı silmek istemezsiniz.
+.
+
+.gpg.keyedit.delsig.unknown
+Bu imza, anahtarına sahip olmadığınızdan, kontrol edilemez. Bu imzanın
+silinmesini hangi anahtarın kullanıldığını bilene kadar
+ertelemelisiniz çünkü bu imzalama anahtarı başka bir sertifikalı
+anahtar vasıtası ile bir güvence bağlantısı sağlayabilir.
+.
+
+.gpg.keyedit.delsig.invalid
+İmza geçersiz. Anahtarlıktan kaldırmak uygun olacak.
+.
+
+.gpg.keyedit.delsig.selfsig
+Bu imza kullanıcı kimliğini anahtara bağlar. Öz-imzayı silmek hiç iyi
+bir fikir değil. GnuPG bu anahtarı bir daha hiç kullanamayabilir.
+Bunu sadece, eğer bu öz-imza bazı durumlarda geçerli değilse ya da
+kullanılabilir bir ikincisi var ise yapın.
+.
+
+.gpg.keyedit.updpref.okay
+Tüm kullanıcı kimlik tercihlerini (ya da seçilen birini) mevcut tercihler
+listesine çevirir. Tüm etkilenen öz-imzaların zaman damgaları bir sonraki
+tarafından öne alınacaktır.
+
+.
+
+.gpg.passphrase.enter
+Lütfen bir anahtar parolası giriniz; yazdıklarınız görünmeyecek
+
+.
+
+.gpg.passphrase.repeat
+Lütfen son parolayı tekrarlayarak ne yazdığınızdan emin olun.
+.
+
+.gpg.detached_signature.filename
+İmzanın uygulanacağı dosyanın ismini verin
+.
+
+.gpg.openfile.overwrite.okay
+Dosyanın üzerine yazılacaksa lütfen "evet" yazın
+.
+
+.gpg.openfile.askoutname
+Lütfen yeni dosya ismini girin. Dosya ismini yazmadan RETURN tuşlarsanız
+parantez içinde gösterilen öntanımlı dosya kullanılacak.
+.
+
+.gpg.ask_revocation_reason.code
+Sertifikalama için bir sebep belirtmelisiniz. İçeriğine bağlı olarak
+bu listeden seçebilirsiniz:
+ "Anahtar tehlikede"
+ Yetkisiz kişilerin gizli anahtarınıza erişebildiğine inanıyorsanız
+ bunu seçin.
+ "Anahtar geçici"
+ Mevcut anahtarı daha yeni bir anahtar ile değiştirmişseniz bunu seçin.
+ "Anahtar artık kullanılmayacak"
+ Anahtarı emekliye ayıracaksanız bunu seçin.
+ "Kullanıcı kimliği artık geçersiz"
+ Kullanıcı kimliği artık kullanılamayacak durumdaysa bunu
+ seçin; genelde Eposta adresi geçersiz olduğunda kullanılır.
+
+.
+
+.gpg.ask_revocation_reason.text
+İsterseniz, neden bu yürürlükten kaldırma sertifikasını
+verdiğinizi açıklayan bir metin girebilirsiniz.
+Lütfen bu metin kısa olsun. Bir boş satır metni bitirir.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.txt b/doc/help.txt
new file mode 100644
index 0000000..a172176
--- /dev/null
+++ b/doc/help.txt
@@ -0,0 +1,407 @@
+# help.txt - English GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+# Note that this help file needs to be UTF-8 encoded. When looking
+# for a help item, GnuPG scans the help files in the following order
+# (assuming a GNU or Unix system):
+#
+# /etc/gnupg/help.LL_TT.txt
+# /etc/gnupg/help.LL.txt
+# /etc/gnupg/help.txt
+# /usr/share/gnupg/help.LL_TT.txt
+# /usr/share/gnupg/help.LL.txt
+# /usr/share/gnupg/help.txt
+#
+# Here LL_TT denotes the full name of the current locale with the
+# territory (.e.g. "de_DE"), LL denotes just the locale name
+# (e.g. "de"). The first matching item is returned. To put a dot or
+# a hash mark at the beginning of a help text line, it needs to be
+# prefixed with ". ". A single dot may be used to terminated ahelp
+# entry.
+
+.#pinentry.qualitybar.tooltip
+# [remove the hash mark from the key to enable this text]
+# This entry is just an example on how to customize the tooltip shown
+# when hovering over the quality bar of the pinentry. We don't
+# install this text so that the hardcoded translation takes
+# precedence. An administrator should write up a short help to tell
+# the users about the configured passphrase constraints and save that
+# to /etc/gnupg/help.txt. The help text should not be longer than
+# about 800 characters.
+This bar indicates the quality of the passphrase entered above.
+
+As long as the bar is shown in red, GnuPG considers the passphrase too
+weak to accept. Please ask your administrator for details about the
+configured passphrase constraints.
+.
+
+
+.gnupg.agent-problem
+# There was a problem accessing or starting the agent.
+It was either not possible to connect to a running Gpg-Agent or a
+communication problem with a running agent occurred.
+
+The system uses a background process, called Gpg-Agent, for processing
+private keys and to ask for passphrases. The agent is usually started
+when the user logs in and runs as long the user is logged in. In case
+that no agent is available, the system tries to start one on the fly
+but that version of the agent is somewhat limited in functionality and
+thus may lead to little problems.
+
+You probably need to ask your administrator on how to solve the
+problem. As a workaround you might try to log out and in to your
+session and see whether this helps. If this helps please tell the
+administrator anyway because this indicates a bug in the software.
+.
+
+
+.gnupg.dirmngr-problem
+# There was a problen accessing the dirmngr.
+It was either not possible to connect to a running Dirmngr or a
+communication problem with a running Dirmngr occurred.
+
+To lookup certificate revocation lists (CRLs), performing OCSP
+validation and to lookup keys through LDAP servers, the system uses an
+external service program named Dirmngr. The Dirmngr is usually running
+as a system service (daemon) and does not need any attention by the
+user. In case of problems the system might start its own copy of the
+Dirmngr on a per request base; this is a workaround and yields limited
+performance.
+
+If you encounter this problem, you should ask your system
+administrator how to proceed. As an interim solution you may try to
+disable CRL checking in gpgsm's configuration.
+.
+
+
+.gpg.edit_ownertrust.value
+# The help identies prefixed with "gpg." used to be hard coded in gpg
+# but may now be overridden by help texts from this file.
+It's up to you to assign a value here; this value will never be exported
+to any 3rd party. We need it to implement the web-of-trust; it has nothing
+to do with the (implicitly created) web-of-certificates.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+To build the Web-of-Trust, GnuPG needs to know which keys are
+ultimately trusted - those are usually the keys for which you have
+access to the secret key. Answer "yes" to set this key to
+ultimately trusted.
+
+
+.gpg.untrusted_key.override
+If you want to use this untrusted key anyway, answer "yes".
+.
+
+.gpg.pklist.user_id.enter
+Enter the user ID of the addressee to whom you want to send the message.
+.
+
+.gpg.keygen.algo
+Select the algorithm to use.
+
+DSA (aka DSS) is the Digital Signature Algorithm and can only be used
+for signatures.
+
+Elgamal is an encrypt-only algorithm.
+
+RSA may be used for signatures or encryption.
+
+The first (primary) key must always be a key which is capable of signing.
+.
+
+
+.gpg.keygen.algo.rsa_se
+In general it is not a good idea to use the same key for signing and
+encryption. This algorithm should only be used in certain domains.
+Please consult your security expert first.
+.
+
+
+
+.gpg.keygen.keygrip
+Enter the keygrip of the key to add.
+
+The keygrip is a string of 40 hex digits that identifies a key. It
+must belong to a secret key or a secret subkey stored in your keyring.
+.
+
+
+.gpg.keygen.flags
+Toggle the capabilities of the key.
+
+It is only possible to toggle those capabilities which are possible
+for the selected algorithm.
+
+To quickly set the capabilities all at once it is possible to enter a
+'=' as first character followed by a list of letters indicating the
+capability to set: 's' for signing, 'e' for encryption, and 'a' for
+authentication. Invalid letters and impossible capabilities are
+ignored. This submenu is immediately closed after using this
+shortcut.
+.
+
+
+.gpg.keygen.size
+Enter the size of the key.
+
+The suggested default is usually a good choice.
+
+If you want to use a large key size, for example 4096 bit, please
+think again whether it really makes sense for you. You may want
+to view the web page http://www.xkcd.com/538/ .
+.
+
+.gpg.keygen.size.huge.okay
+Answer "yes" or "no".
+.
+
+
+.gpg.keygen.size.large.okay
+Answer "yes" or "no".
+.
+
+
+.gpg.keygen.valid
+Enter the required value as shown in the prompt.
+It is possible to enter a ISO date (YYYY-MM-DD) but you won't
+get a good error response - instead the system tries to interpret
+the given value as an interval.
+.
+
+.gpg.keygen.valid.okay
+Answer "yes" or "no".
+.
+
+
+.gpg.keygen.name
+Enter the name of the key holder.
+The characters "<" and ">" are not allowed.
+Example: Heinrich Heine
+.
+
+
+.gpg.keygen.email
+Please enter an optional but highly suggested email address.
+Example: heinrichh@duesseldorf.de
+.
+
+.gpg.keygen.comment
+Please enter an optional comment.
+The characters "(" and ")" are not allowed.
+In general there is no need for a comment.
+.
+
+
+.gpg.keygen.userid.cmd
+# (Keep a leading empty line)
+
+N to change the name.
+C to change the comment.
+E to change the email address.
+O to continue with key generation.
+Q to quit the key generation.
+.
+
+.gpg.keygen.sub.okay
+Answer "yes" (or just "y") if it is okay to generate the sub key.
+.
+
+.gpg.sign_uid.okay
+Answer "yes" or "no".
+.
+
+.gpg.sign_uid.class
+When you sign a user ID on a key, you should first verify that the key
+belongs to the person named in the user ID. It is useful for others to
+know how carefully you verified this.
+
+"0" means you make no particular claim as to how carefully you verified the
+ key.
+
+"1" means you believe the key is owned by the person who claims to own it
+ but you could not, or did not verify the key at all. This is useful for
+ a "persona" verification, where you sign the key of a pseudonymous user.
+
+"2" means you did casual verification of the key. For example, this could
+ mean that you verified the key fingerprint and checked the user ID on the
+ key against a photo ID.
+
+"3" means you did extensive verification of the key. For example, this could
+ mean that you verified the key fingerprint with the owner of the key in
+ person, and that you checked, by means of a hard to forge document with a
+ photo ID (such as a passport) that the name of the key owner matches the
+ name in the user ID on the key, and finally that you verified (by exchange
+ of email) that the email address on the key belongs to the key owner.
+
+Note that the examples given above for levels 2 and 3 are *only* examples.
+In the end, it is up to you to decide just what "casual" and "extensive"
+mean to you when you sign other keys.
+
+If you don't know what the right answer is, answer "0".
+.
+
+.gpg.change_passwd.empty.okay
+Answer "yes" or "no".
+.
+
+
+.gpg.keyedit.save.okay
+Answer "yes" or "no".
+.
+
+
+.gpg.keyedit.cancel.okay
+Answer "yes" or "no".
+.
+
+.gpg.keyedit.sign_all.okay
+Answer "yes" if you want to sign ALL the user IDs.
+.
+
+.gpg.keyedit.remove.uid.okay
+Answer "yes" if you really want to delete this user ID.
+All certificates are then also lost!
+.
+
+.gpg.keyedit.remove.subkey.okay
+Answer "yes" if it is okay to delete the subkey.
+.
+
+
+.gpg.keyedit.delsig.valid
+This is a valid signature on the key; you normally don't want
+to delete this signature because it may be important to establish a
+trust connection to the key or another key certified by this key.
+.
+
+.gpg.keyedit.delsig.unknown
+This signature can't be checked because you don't have the
+corresponding key. You should postpone its deletion until you
+know which key was used because this signing key might establish
+a trust connection through another already certified key.
+.
+
+.gpg.keyedit.delsig.invalid
+The signature is not valid. It does make sense to remove it from
+your keyring.
+.
+
+.gpg.keyedit.delsig.selfsig
+This is a signature which binds the user ID to the key. It is
+usually not a good idea to remove such a signature. Actually
+GnuPG might not be able to use this key anymore. So do this
+only if this self-signature is for some reason not valid and
+a second one is available.
+.
+
+.gpg.keyedit.updpref.okay
+Change the preferences of all user IDs (or just of the selected ones)
+to the current list of preferences. The timestamp of all affected
+self-signatures will be advanced by one second.
+.
+
+
+.gpg.passphrase.enter
+# (keep a leading empty line)
+
+Please enter the passphrase; this is a secret sentence.
+.
+
+
+.gpg.passphrase.repeat
+Please repeat the last passphrase, so you are sure what you typed in.
+.
+
+.gpg.detached_signature.filename
+Give the name of the file to which the signature applies.
+.
+
+.gpg.openfile.overwrite.okay
+# openfile.c (overwrite_filep)
+Answer "yes" if it is okay to overwrite the file.
+.
+
+.gpg.openfile.askoutname
+# openfile.c (ask_outfile_name)
+Please enter a new filename. If you just hit RETURN the default
+file (which is shown in brackets) will be used.
+.
+
+.gpg.ask_revocation_reason.code
+# revoke.c (ask_revocation_reason)
+You should specify a reason for the revocation. Depending on the
+context you have the ability to choose from this list:
+ "Key has been compromised"
+ Use this if you have a reason to believe that unauthorized persons
+ got access to your secret key.
+ "Key is superseded"
+ Use this if you have replaced this key with a newer one.
+ "Key is no longer used"
+ Use this if you have retired this key.
+ "User ID is no longer valid"
+ Use this to state that the user ID should not longer be used;
+ this is normally used to mark an email address invalid.
+.
+
+.gpg.ask_revocation_reason.text
+# revoke.c (ask_revocation_reason)
+If you like, you can enter a text describing why you issue this
+revocation certificate. Please keep this text concise.
+An empty line ends the text.
+.
+
+.gpg.tofu.conflict
+# tofu.c
+TOFU has detected another key with the same (or a very similar) email
+address. It might be that the user created a new key. In this case,
+you can safely trust the new key (but, confirm this by asking the
+person). However, it could also be that the key is a forgery or there
+is an active Man-in-the-Middle (MitM) attack. In this case, you
+should mark the key as being bad, so that it is untrusted. Marking a
+key as being untrusted means that any signatures will be considered
+bad and attempts to encrypt to the key will be flagged. If you are
+unsure and can't currently check, you should select either accept once
+or reject once.
+.
+
+.gpgsm.root-cert-not-trusted
+# This text gets displayed by the audit log if
+# a root certificates was not trusted.
+The root certificate (the trust-anchor) is not trusted. Depending on
+the configuration you may have been prompted to mark that root
+certificate as trusted or you need to manually tell GnuPG to trust that
+certificate. Trusted certificates are configured in the file
+trustlist.txt in GnuPG's home directory. If you are in doubt, ask
+your system administrator whether you should trust this certificate.
+
+
+.gpgsm.crl-problem
+# This text is displayed by the audit log for problems with
+# the CRL or OCSP checking.
+Depending on your configuration a problem retrieving the CRL or
+performing an OCSP check occurred. There are a great variety of
+reasons why this did not work. Check the manual for possible
+solutions.
+
+
+# Local variables:
+# mode: default-generic
+# coding: utf-8
+# End:
diff --git a/doc/help.zh_CN.txt b/doc/help.zh_CN.txt
new file mode 100644
index 0000000..7b199c2
--- /dev/null
+++ b/doc/help.zh_CN.txt
@@ -0,0 +1,233 @@
+# help.zh_CN.txt - zh_CN GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+在这里指定的数值完全由您自己决定;这些数值永远ä¸ä¼šè¢«è¾“出给任何第三方。
+我们需è¦å®ƒæ¥å®žçŽ°â€œä¿¡ä»»ç½‘络â€ï¼›è¿™è·Ÿéšå«å»ºç«‹èµ·æ¥çš„“验è¯ç½‘络â€æ— å…³ã€‚
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+è¦å»ºç«‹èµ·ä¿¡ä»»ç½‘络,GnuPG 需è¦çŸ¥é“哪些密钥是å¯ç»å¯¹ä¿¡ä»»çš„――通常
+就是您拥有ç§é’¥çš„那些密钥。回答“yesâ€å°†æ­¤å¯†é’¥è®¾æˆå¯ç»å¯¹ä¿¡ä»»çš„
+
+.
+
+.gpg.untrusted_key.override
+如果您无论如何è¦ä½¿ç”¨è¿™æŠŠæœªè¢«ä¿¡ä»»çš„密钥,请回答“yesâ€ã€‚
+.
+
+.gpg.pklist.user_id.enter
+输入您è¦é€’é€çš„报文的接收者的用户标识。
+.
+
+.gpg.keygen.algo
+选择使用的算法。
+
+DSA (ä¹Ÿå« DSS)å³â€œæ•°å­—ç­¾å算法â€(美国国家标准),åªèƒ½å¤Ÿç”¨ä½œç­¾å。
+
+Elgamal 是一ç§åªèƒ½ç”¨ä½œåŠ å¯†çš„算法。
+
+RSA å¯ä»¥ç”¨ä½œç­¾å或加密。
+
+第一把密钥(主钥)必须具有签å的能力。
+.
+
+.gpg.keygen.algo.rsa_se
+通常æ¥è¯´ç”¨åŒä¸€æŠŠå¯†é’¥ç­¾ååŠåŠ å¯†å¹¶ä¸æ˜¯ä¸ªå¥½ä¸»æ„。这个算法åªåœ¨ç‰¹å®šçš„情况
+下使用。请先咨询安全方é¢çš„专家。
+.
+
+.gpg.keygen.size
+请输入密钥的尺寸
+.
+
+.gpg.keygen.size.huge.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keygen.size.large.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keygen.valid
+请输入æ示所è¦æ±‚的数值。
+您å¯ä»¥è¾“å…¥ ISO 日期格å¼(YYYY-MM-DD),但是出错时您ä¸ä¼šå¾—到å‹å¥½çš„å“应
+――系统会å°è¯•å°†ç»™å®šå€¼è§£é‡Šä¸ºæ—¶é—´é—´éš”。
+.
+
+.gpg.keygen.valid.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keygen.name
+请输入密钥æŒæœ‰äººçš„åå­—
+.
+
+.gpg.keygen.email
+请输入电å­é‚®ä»¶åœ°å€(å¯é€‰é¡¹ï¼Œä½†å¼ºçƒˆæŽ¨è使用)
+.
+
+.gpg.keygen.comment
+请输入注释(å¯é€‰é¡¹)
+.
+
+.gpg.keygen.userid.cmd
+N 修改姓å。
+C 修改注释。
+E 修改电å­é‚®ä»¶åœ°å€ã€‚
+O 继续产生密钥。
+Q 中止产生密钥。
+.
+
+.gpg.keygen.sub.okay
+如果您å…许生æˆå­é’¥ï¼Œè¯·å›žç­”“yesâ€(或者“yâ€)。
+.
+
+.gpg.sign_uid.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.sign_uid.class
+当您为æŸæŠŠå¯†é’¥ä¸ŠæŸä¸ªç”¨æˆ·æ ‡è¯†æ·»åŠ ç­¾å时,您必须首先验è¯è¿™æŠŠå¯†é’¥ç¡®å®žå±žäºŽ
+ç½²å于它的用户标识上的那个人。了解到您曾多么谨慎地对此进行过验è¯ï¼Œå¯¹å…¶
+他人是éžå¸¸æœ‰ç”¨çš„
+
+“0†表示您对您有多么仔细地验è¯è¿™æŠŠå¯†é’¥çš„问题ä¸è¡¨æ€ã€‚
+
+“1†表示您相信这把密钥属于那个声明是主人的人,但是您ä¸èƒ½æˆ–根本没有验
+ è¯è¿‡ã€‚如果您为一把属于类似虚拟人物的密钥签å,这个选择很有用。
+
+“2†表示您éšæ„地验è¯äº†é‚£æŠŠå¯†é’¥ã€‚例如,您验è¯äº†è¿™æŠŠå¯†é’¥çš„指纹,或比对
+ 照片验è¯äº†ç”¨æˆ·æ ‡è¯†ã€‚
+
+“3†表示您åšäº†å¤§é‡è€Œè¯¦å°½çš„验è¯å¯†é’¥å·¥ä½œã€‚例如,您åŒå¯†é’¥æŒæœ‰äººéªŒè¯äº†å¯†
+ 钥指纹,而且通过查验附带照片而难以伪造的è¯ä»¶(如护照)确认了密钥æŒ
+ 有人的姓å与密钥上的用户标识一致,最åŽæ‚¨è¿˜(通过电å­é‚®ä»¶å¾€æ¥)验è¯
+ 了密钥上的电å­é‚®ä»¶åœ°å€ç¡®å®žå±žäºŽå¯†é’¥æŒæœ‰äººã€‚
+
+请注æ„上述关于验è¯çº§åˆ« 2 å’Œ 3 的说明仅是例å­è€Œå·²ã€‚最终还是由您自己决定
+当您为其他密钥签å时,什么是“éšæ„â€ï¼Œè€Œä»€ä¹ˆæ˜¯â€œå¤§é‡è€Œè¯¦å°½â€ã€‚
+
+如果您ä¸çŸ¥é“应该选什么答案的è¯ï¼Œå°±é€‰â€œ0â€ã€‚
+.
+
+.gpg.change_passwd.empty.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keyedit.save.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keyedit.cancel.okay
+请回答“yesâ€æˆ–“noâ€
+.
+
+.gpg.keyedit.sign_all.okay
+如果您想è¦ä¸ºæ‰€æœ‰ç”¨æˆ·æ ‡è¯†ç­¾åçš„è¯å°±é€‰â€œyesâ€
+.
+
+.gpg.keyedit.remove.uid.okay
+如果您真的想è¦åˆ é™¤è¿™ä¸ªç”¨æˆ·æ ‡è¯†çš„è¯å°±å›žç­”“yesâ€ã€‚
+所有相关认è¯åœ¨æ­¤ä¹‹åŽä¹Ÿä¼šä¸¢å¤±ï¼
+.
+
+.gpg.keyedit.remove.subkey.okay
+如果å¯ä»¥åˆ é™¤è¿™æŠŠå­é’¥ï¼Œè¯·å›žç­”“yesâ€
+.
+
+.gpg.keyedit.delsig.valid
+这是一份在这把密钥上有效的签å;通常您ä¸ä¼šæƒ³è¦åˆ é™¤è¿™ä»½ç­¾å,
+因为è¦ä¸Žè¿™æŠŠå¯†é’¥æˆ–拥有这把密钥的签å的密钥建立认è¯å…³ç³»å¯èƒ½
+相当é‡è¦ã€‚
+.
+
+.gpg.keyedit.delsig.unknown
+这份签å无法被检验,因为您没有相应的密钥。您应该暂缓删除它,
+直到您知é“此签å使用了哪一把密钥;因为用æ¥ç­¾å的密钥å¯èƒ½ä¸Ž
+其他已ç»éªŒè¯çš„密钥存在信任关系。
+.
+
+.gpg.keyedit.delsig.invalid
+这份签å无效。应当把它从您的钥匙环里删除。
+.
+
+.gpg.keyedit.delsig.selfsig
+这是一份将密钥与用户标识相è”系的签å。通常ä¸åº”删除这样的签å。
+事实上,一旦删除,GnuPGå¯èƒ½ä»Žæ­¤å°±ä¸èƒ½å†ä½¿ç”¨è¿™æŠŠå¯†é’¥äº†ã€‚因此,
+åªæœ‰åœ¨è¿™æŠŠå¯†é’¥çš„第一个自身签åå› æŸäº›åŽŸå› å¤±æ•ˆï¼Œè€Œæœ‰ç¬¬äºŒä¸ªè‡ªèº«ç­¾
+å­—å¯ç”¨çš„情况下æ‰è¿™ä¹ˆåšã€‚
+.
+
+.gpg.keyedit.updpref.okay
+用现有的首选项更新所有(或选定的)用户标识的首选项。所有å—å½±å“的自身签
+字的时间戳都会增加一秒钟。
+
+.
+
+.gpg.passphrase.enter
+请输入密ç ï¼šè¿™æ˜¯ä¸€ä¸ªç§˜å¯†çš„å¥å­
+
+.
+
+.gpg.passphrase.repeat
+请å†æ¬¡è¾“入上次的密ç ï¼Œä»¥ç¡®å®šæ‚¨åˆ°åº•é”®å…¥äº†äº›ä»€ä¹ˆã€‚
+.
+
+.gpg.detached_signature.filename
+请给定è¦æ·»åŠ ç­¾å的文件å
+.
+
+.gpg.openfile.overwrite.okay
+如果å¯ä»¥è¦†ç›–这个文件,请回答“yesâ€
+.
+
+.gpg.openfile.askoutname
+请输入一个新的文件å。如果您直接按下了回车,那么就会使用显示在括
+å·ä¸­çš„默认的文件å。
+.
+
+.gpg.ask_revocation_reason.code
+您应该为这份åŠé”€è¯ä¹¦æŒ‡å®šä¸€ä¸ªåŽŸå› ã€‚æ ¹æ®æƒ…境的ä¸åŒï¼Œæ‚¨å¯ä»¥ä»Žä¸‹åˆ—清å•ä¸­
+选出一项:
+ “密钥已泄æ¼â€
+ 如果您相信有æŸä¸ªæœªç»è®¸å¯çš„人已å–得了您的ç§é’¥ï¼Œè¯·é€‰æ­¤é¡¹ã€‚
+ “密钥已替æ¢â€
+ 如果您已用一把新密钥代替旧的,请选此项。
+ “密钥ä¸å†è¢«ä½¿ç”¨â€
+ 如果您已决定让这把密钥退休,请选此项
+ “用户标识ä¸å†æœ‰æ•ˆâ€
+ 如果这个用户标识ä¸å†è¢«ä½¿ç”¨äº†ï¼Œè¯·é€‰æ­¤é¡¹ï¼›è¿™é€šå¸¸ç”¨è¡¨æ˜ŽæŸä¸ªç”µå­é‚®
+ 件地å€å·²ä¸å†æœ‰æ•ˆã€‚
+
+.
+
+.gpg.ask_revocation_reason.text
+您也å¯ä»¥è¾“入一串文字,æè¿°å‘布这份åŠé”€è¯ä¹¦çš„ç†ç”±ã€‚请尽é‡ä½¿è¿™æ®µæ–‡
+字简明扼è¦ã€‚
+键入一空行以结æŸè¾“入。
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/help.zh_TW.txt b/doc/help.zh_TW.txt
new file mode 100644
index 0000000..5665b70
--- /dev/null
+++ b/doc/help.zh_TW.txt
@@ -0,0 +1,245 @@
+# help.zh_TW.txt - zh_TW GnuPG online help
+# Copyright (C) 2007 Free Software Foundation, Inc.
+#
+# This file is part of GnuPG.
+#
+# GnuPG is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# GnuPG is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see <https://www.gnu.org/licenses/>.
+
+
+.gpg.edit_ownertrust.value
+在這裡指派的數值完全是看妳自己決定; 這些數值永é ä¸æœƒè¢«åŒ¯å‡ºçµ¦å…¶ä»–人.
+我們需è¦å®ƒä¾†å¯¦æ–½ä¿¡ä»»ç¶²çµ¡; 這跟 (自動建立起的) 憑證網絡一點關係也沒有.
+.
+
+.gpg.edit_ownertrust.set_ultimate.okay
+è¦å»ºç«‹èµ·ä¿¡ä»»ç¶²çµ¡, GnuPG 需è¦çŸ¥é“哪些金鑰是被徹底信任的 -
+那些金鑰通常就是妳有辦法存å–到ç§é‘°çš„. 回答 "yes" 來將這些
+金鑰設æˆè¢«å¾¹åº•ä¿¡ä»»çš„
+
+.
+
+.gpg.untrusted_key.override
+如果妳無論如何想è¦ä½¿ç”¨é€™æŠŠæœªè¢«ä¿¡ä»»çš„金鑰, 請回答 "yes".
+.
+
+.gpg.pklist.user_id.enter
+輸入妳è¦éžé€çš„訊æ¯æŽ¥æ”¶è€…的使用者 ID.
+.
+
+.gpg.keygen.algo
+è«‹é¸æ“‡è¦ä½¿ç”¨çš„演算法.
+
+DSA (äº¦å³ DSS) 是數ä½ç°½ç« æ¼”算法 (Digital Signature Algorithm),
+祇能用於簽署.
+
+Elgamal 是祇能用於加密的演算法.
+
+RSA å¯ä»¥è¢«ç”¨ä¾†ç°½ç½²åŠåŠ å¯†.
+
+第一把 (主è¦çš„) 金鑰一定è¦å«æœ‰èƒ½ç”¨æ–¼ç°½ç½²çš„金鑰.
+.
+
+.gpg.keygen.algo.rsa_se
+通常來說用åŒä¸€æŠŠé‡‘鑰簽署åŠåŠ å¯†ä¸¦ä¸æ˜¯å€‹å¥½ä¸»æ„.
+這個演算法應該祇被用於特定的情æ³ä¸‹.
+è«‹å…ˆè¯çµ¡å¦³çš„安全專家.
+.
+
+.gpg.keygen.size
+請輸入金鑰的尺寸
+.
+
+.gpg.keygen.size.huge.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keygen.size.large.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keygen.valid
+請輸入æ示裡所è¦æ±‚的數值.
+妳å¯ä»¥è¼¸å…¥ ISO æ—¥æœŸæ ¼å¼ (YYYY-MM-DD), 但是ä¸æœƒå¾—到良好的錯誤回應 -
+å之, 系統會試著把給定的數值中斷æˆè‹¥å¹²ç‰‡æ®µ.
+.
+
+.gpg.keygen.valid.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keygen.name
+請輸入金鑰æŒæœ‰äººçš„åå­—
+.
+
+.gpg.keygen.email
+請輸入é¸ç”¨ (但強烈建議使用) çš„é›»å­éƒµä»¶ä½å€
+.
+
+.gpg.keygen.comment
+請輸入é¸ç”¨çš„註釋
+.
+
+.gpg.keygen.userid.cmd
+N 修改姓å.
+C 修改註釋.
+E 修改電å­éƒµä»¶ä½å€.
+O 繼續產生金鑰.
+Q 中止產生金鑰.
+.
+
+.gpg.keygen.sub.okay
+如果妳覺得產生å­é‘°å¯ä»¥çš„話, 就回答 "yes" (æˆ–è€…ç¥‡è¦ "y").
+.
+
+.gpg.sign_uid.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.sign_uid.class
+當妳在æŸæŠŠé‡‘鑰上簽署æŸå€‹ä½¿ç”¨è€… ID, 妳首先必須先驗證那把
+金鑰確實屬於那個使用者 ID 上å«é‚£å€‹å字的人. 這å°é‚£äº›çŸ¥é“
+妳多å°å¿ƒé©—證的人來說很有用.
+
+"0" 表示妳ä¸èƒ½æ出任何特別的主張來表明
+ 妳多仔細驗證那把金鑰
+
+"1" 表示妳相信這把金鑰屬於那個主張是主人的人,
+ 但是妳ä¸èƒ½æˆ–沒有驗證那把金鑰.
+ 這å°é‚£äº›ç¥‡æƒ³è¦ "個人的" 驗證的人來說很有用,
+ 因為妳簽署了一把擬似匿å使用者的金鑰.
+
+"2" 表示妳真的仔細驗證了那把金鑰.
+ 例如說, 這能表示妳驗證了這把金鑰的指紋和
+ 使用者 ID, 並比å°äº†ç…§ç‰‡ ID.
+
+"3" 表示妳真的åšäº†å¤§è¦æ¨¡çš„驗證金鑰工作.
+ 例如說, 這能表示妳å‘金鑰æŒæœ‰äººé©—證了金鑰指紋,
+ 而且妳é€éŽé™„帶照片而難以å½é€ çš„文件 (åƒæ˜¯è­·ç…§)
+ 確èªäº†é‡‘é‘°æŒæœ‰äººçš„姓å與金鑰上使用者 ID 的一致,
+ 最後妳還 (é€éŽé›»å­éƒµä»¶å¾€ä¾†) 驗證了金鑰上的
+ é›»å­éƒµä»¶ä½å€ç¢ºå¯¦å±¬æ–¼é‡‘é‘°æŒæœ‰äºº.
+
+請注æ„上述關於等級 2 å’Œ 3 çš„ä¾‹å­ "祇是" 例å­è€Œå·².
+最後, 還是得由妳自己決定當妳簽署其他金鑰時,
+甚麼是 "漫ä¸ç¶“心", 而甚麼是 "超級謹慎".
+
+如果妳ä¸çŸ¥é“應該é¸ç”šéº¼ç­”案的話, å°±é¸ "0".
+.
+
+.gpg.change_passwd.empty.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keyedit.save.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keyedit.cancel.okay
+請回答 "yes" 或 "no"
+.
+
+.gpg.keyedit.sign_all.okay
+如果妳想è¦ç°½ç½² *所有* 使用者 ID 的話就回答 "yes"
+.
+
+.gpg.keyedit.remove.uid.okay
+如果妳真的想è¦åˆªé™¤é€™å€‹ä½¿ç”¨è€… ID 的話就回答 "yes".
+所有的憑證在那之後也都會失去!
+.
+
+.gpg.keyedit.remove.subkey.okay
+如果刪除這把å­é‘°æ²’å•é¡Œçš„話就回答 "yes"
+.
+
+.gpg.keyedit.delsig.valid
+這是一份在這把金鑰上有效的簽章; 通常妳ä¸æœƒæƒ³è¦åˆªé™¤é€™ä»½ç°½ç« ,
+因為è¦è·Ÿåˆ¥çš„金鑰建立起信任連çµ, 或由這把金鑰所簽署的金鑰憑證
+會是一件相當é‡è¦çš„事.
+.
+
+.gpg.keyedit.delsig.unknown
+這份簽章無法被檢驗, 因為妳沒有符åˆçš„金鑰. 妳應該延緩刪除它,
+直到妳知é“哪一把金鑰被使用了; 因為這把來簽署的金鑰å¯èƒ½é€éŽ
+其他已經驗證的金鑰建立了一個信任連çµ.
+.
+
+.gpg.keyedit.delsig.invalid
+這份簽章無效. 把它從妳的鑰匙圈裡移去相當åˆç†.
+.
+
+.gpg.keyedit.delsig.selfsig
+這是一份和這個金鑰使用者 ID 相繫的簽章. 通常
+把這樣的簽章移除ä¸æœƒæ˜¯å€‹å¥½é»žå­. 事實上 GnuPG
+å¯èƒ½å¾žæ­¤å°±ä¸èƒ½å†ä½¿ç”¨é€™æŠŠé‡‘鑰了. 所以祇有在這
+把金鑰的第一個自我簽章因æŸäº›åŽŸå› ç„¡æ•ˆ, 而第二
+個還å¯ç”¨çš„情æ³ä¸‹çº”這麼åš.
+.
+
+.gpg.keyedit.updpref.okay
+變更所有 (或祇有被é¸å–的那幾個) 使用者 ID çš„å好æˆç¾ç”¨çš„å好清單.
+所有å—到影響的自我簽章的時間戳記都會增加一秒é˜.
+
+.
+
+.gpg.passphrase.enter
+請輸入密語; 這是一個秘密的å¥å­
+
+.
+
+.gpg.passphrase.repeat
+è«‹å†æ¬¡è¼¸å…¥æœ€å¾Œçš„密語, 以確定妳到底éµé€²äº†äº›ç”šéº¼.
+.
+
+.gpg.detached_signature.filename
+請給定簽章所è¦å¥—用的檔案å稱
+.
+
+.gpg.openfile.overwrite.okay
+如果覆寫這個檔案沒有å•é¡Œçš„話就回答 "yes"
+.
+
+.gpg.openfile.askoutname
+請輸入一個新的檔å. 如果妳直接按下了 Enter, 那麼
+就會使用é è¨­çš„檔案 (顯示在括號中).
+.
+
+.gpg.ask_revocation_reason.code
+妳應該為這份憑證指定一個原因.
+根據情境的ä¸åŒ, 妳應該å¯ä»¥å¾žé€™å€‹æ¸…單中é¸å‡ºä¸€é …:
+ "金鑰已經被洩æ¼äº†"
+ 如果妳相信有æŸå€‹æœªç¶“許å¯çš„傢伙å–得了妳的ç§é‘°çš„話,
+ å°±é¸é€™å€‹.
+ "金鑰被代æ›äº†"
+ 如果妳把妳的金鑰æ›æˆæ–°çš„了, å°±é¸é€™å€‹.
+ "金鑰ä¸å†è¢«ä½¿ç”¨äº†"
+ 如果妳已經撤回了這把金鑰, å°±é¸é€™å€‹.
+ "使用者 ID ä¸å†æœ‰æ•ˆäº†"
+ 如果這個使用者 ID ä¸å†è¢«ä½¿ç”¨äº†, å°±é¸é€™å€‹;
+ 這通常用來表示æŸå€‹é›»å­éƒµä»¶ä½å€ä¸å†æœ‰æ•ˆäº†.
+
+.
+
+.gpg.ask_revocation_reason.text
+妳也å¯ä»¥è¼¸å…¥ä¸€ä¸²æ–‡å­—來æ述為甚麼發佈這份撤銷憑證的ç†ç”±.
+請讓這段文字ä¿æŒç°¡æ˜Žæ‰¼è¦.
+éµå…¥ç©ºç™½åˆ—以çµæŸé€™æ®µæ–‡å­—.
+
+.
+
+
+
+# Local variables:
+# mode: fundamental
+# coding: utf-8
+# End:
diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
new file mode 100644
index 0000000..30e28bd
--- /dev/null
+++ b/doc/howto-create-a-server-cert.texi
@@ -0,0 +1,274 @@
+@node Howto Create a Server Cert
+@section Creating a TLS server certificate
+
+
+Here is a brief run up on how to create a server certificate. It has
+actually been done this way to get a certificate from CAcert to be used
+on a real server. It has only been tested with this CA, but there
+shouldn't be any problem to run this against any other CA.
+
+We start by generating an X.509 certificate signing request. As there
+is no need for a configuration file, you may simply enter:
+
+@cartouche
+@example
+ $ gpgsm --generate-key >example.com.cert-req.pem
+ Please select what kind of key you want:
+ (1) RSA
+ (2) Existing key
+ (3) Existing key from card
+ Your selection? 1
+@end example
+@end cartouche
+
+I opted for creating a new RSA key. The other option is to use an
+already existing key, by selecting @kbd{2} and entering the so-called
+keygrip. Running the command @samp{gpgsm --dump-secret-key USERID}
+shows you this keygrip. Using @kbd{3} offers another menu to create a
+certificate directly from a smart card based key.
+
+Let's continue:
+
+@cartouche
+@example
+ What keysize do you want? (3072)
+ Requested keysize is 3072 bits
+@end example
+@end cartouche
+
+Hitting enter chooses the default RSA key size of 3072 bits. Keys
+smaller than 2048 bits are too weak on the modern Internet. If you
+choose a larger (stronger) key, your server will need to do more work.
+
+@cartouche
+@example
+ Possible actions for a RSA key:
+ (1) sign, encrypt
+ (2) sign
+ (3) encrypt
+ Your selection? 1
+@end example
+@end cartouche
+
+Selecting ``sign'' enables use of the key for Diffie-Hellman key
+exchange mechanisms (DHE and ECDHE) in TLS, which are preferred
+because they offer forward secrecy. Selecting ``encrypt'' enables RSA
+key exchange mechanisms, which are still common in some places.
+Selecting both enables both key exchange mechanisms.
+
+Now for some real data:
+
+@cartouche
+@example
+ Enter the X.509 subject name: CN=example.com
+@end example
+@end cartouche
+
+This is the most important value for a server certificate. Enter here
+the canonical name of your server machine. You may add other virtual
+server names later.
+
+@cartouche
+@example
+ E-Mail addresses (end with an empty line):
+ >
+@end example
+@end cartouche
+
+We don't need email addresses in a TLS server certificate and CAcert
+would anyway ignore such a request. Thus just hit enter.
+
+If you want to create a client certificate for email encryption, this
+would be the place to enter your mail address
+(e.g. @email{joe@@example.org}). You may enter as many addresses as you like,
+however the CA may not accept them all or reject the entire request.
+
+@cartouche
+@example
+ Enter DNS names (optional; end with an empty line):
+ > example.com
+ > www.example.com
+ >
+@end example
+@end cartouche
+
+Here I entered the names of the services which the machine actually
+provides. You almost always want to include the canonical name here
+too. The browser will accept a certificate for any of these names. As
+usual the CA must approve all of these names.
+
+@cartouche
+@example
+ URIs (optional; end with an empty line):
+ >
+@end example
+@end cartouche
+
+It is possible to insert arbitrary URIs into a certificate; for a server
+certificate this does not make sense.
+
+@cartouche
+@example
+ Create self-signed certificate? (y/N)
+@end example
+@end cartouche
+
+Since we are creating a certificate signing request, and not a full
+certificate, we answer no here, or just hit enter for the default.
+
+We have now entered all required information and @command{gpgsm} will
+display what it has gathered and ask whether to create the certificate
+request:
+
+@cartouche
+@example
+ These parameters are used:
+ Key-Type: RSA
+ Key-Length: 3072
+ Key-Usage: sign, encrypt
+ Name-DN: CN=example.com
+ Name-DNS: example.com
+ Name-DNS: www.example.com
+
+ Proceed with creation? (y/N) y
+@end example
+@end cartouche
+
+@command{gpgsm} will now start working on creating the request. As this
+includes the creation of an RSA key it may take a while. During this
+time you will be asked 3 times for a passphrase to protect the created
+private key on your system. A pop up window will appear to ask for
+it. The first two prompts are for the new passphrase and for re-entering it;
+the third one is required to actually create the certificate signing request.
+
+When it is ready, you should see the final notice:
+
+@cartouche
+@example
+ Ready. You should now send this request to your CA.
+@end example
+@end cartouche
+
+Now, you may look at the created request:
+
+@cartouche
+@example
+ $ cat example.com.cert-req.pem
+ -----BEGIN CERTIFICATE REQUEST-----
+ MIIClTCCAX0CAQAwFjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3
+ DQEBAQUAA4IBDwAwggEKAoIBAQDP1QEcbTvOLLCX4gAoOzH9AW7jNOMj7OSOL0uW
+ h2bCdkK5YVpnX212Z6COTC3ZG0pJiCeGt1TbbDJUlTa4syQ6JXavjK66N8ASZsyC
+ Rwcl0m6hbXp541t1dbgt2VgeGk25okWw3j+brw6zxLD2TnthJxOatID0lDIG47HW
+ GqzZmA6WHbIBIONmGnReIHTpPAPCDm92vUkpKG1xLPszuRmsQbwEl870W/FHrsvm
+ DPvVUUSdIvTV9NuRt7/WY6G4nPp9QlIuTf1ESPzIuIE91gKPdrRCAx0yuT708S1n
+ xCv3ETQ/bKPoAQ67eE3mPBqkcVwv9SE/2/36Lz06kAizRgs5AgMBAAGgOjA4Bgkq
+ hkiG9w0BCQ4xKzApMCcGA1UdEQQgMB6CC2V4YW1wbGUuY29tgg93d3cuZXhhbXBs
+ ZS5jb20wDQYJKoZIhvcNAQELBQADggEBAEWD0Qqz4OENLYp6yyO/KqF0ig9FDsLN
+ b5/R+qhms5qlhdB5+Dh+j693Sj0UgbcNKc6JT86IuBqEBZmRCJuXRoKoo5aMS1cJ
+ hXga7N9IA3qb4VBUzBWvlL92U2Iptr/cEbikFlYZF2Zv3PBv8RfopVlI3OLbKV9D
+ bJJTt/6kuoydXKo/Vx4G0DFzIKNdFdJk86o/Ziz8NOs9JjZxw9H9VY5sHKFM5LKk
+ VcLwnnLRlNjBGB+9VK/Tze575eG0cJomTp7UGIB+1xzIQVAhUZOizRDv9tHDeaK3
+ k+tUhV0kuJcYHucpJycDSrP/uAY5zuVJ0rs2QSjdnav62YrRgEsxJrU=
+ -----END CERTIFICATE REQUEST-----
+ $
+@end example
+@end cartouche
+
+You may now proceed by logging into your account at the CAcert website,
+choose @code{Server Certificates - New}, check @code{sign by class 3 root
+certificate}, paste the above request block into the text field and
+click on @code{Submit}.
+
+If everything works out fine, a certificate will be shown. Now run
+
+@cartouche
+@example
+$ gpgsm --import
+@end example
+@end cartouche
+
+and paste the certificate from the CAcert page into your terminal
+followed by a Ctrl-D
+
+@cartouche
+@example
+ -----BEGIN CERTIFICATE-----
+ MIIEIjCCAgqgAwIBAgIBTDANBgkqhkiG9w0BAQQFADBUMRQwEgYDVQQKEwtDQWNl
+ [...]
+ rUTFlNElRXCwIl0YcJkIaYYqWf7+A/aqYJCi8+51usZwMy3Jsq3hJ6MA3h1BgwZs
+ Rtct3tIX
+ -----END CERTIFICATE-----
+ gpgsm: issuer certificate (#/CN=CAcert Class 3 Ro[...]) not found
+ gpgsm: certificate imported
+
+ gpgsm: total number processed: 1
+ gpgsm: imported: 1
+@end example
+@end cartouche
+
+@command{gpgsm} tells you that it has imported the certificate. It is now
+associated with the key you used when creating the request. The root
+certificate has not been found, so you may want to import it from the
+CACert website.
+
+To see the content of your certificate, you may now enter:
+
+@cartouche
+@example
+ $ gpgsm -K example.com
+ /home/foo/.gnupg/pubring.kbx
+ ---------------------------
+ Serial number: 4C
+ Issuer: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.[...]
+ Subject: /CN=example.com
+ aka: (dns-name example.com)
+ aka: (dns-name www.example.com)
+ validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
+ key type: 3072 bit RSA
+ key usage: digitalSignature keyEncipherment
+ ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
+ fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
+@end example
+@end cartouche
+
+I used @option{-K} above because this will only list certificates for
+which a private key is available. To see more details, you may use
+@option{--dump-secret-keys} instead of @option{-K}.
+
+
+To make actual use of the certificate you need to install it on your
+server. Server software usually expects a PKCS\#12 file with key and
+certificate. To create such a file, run:
+
+@cartouche
+@example
+ $ gpgsm --export-secret-key-p12 -a >example.com-cert.pem
+@end example
+@end cartouche
+
+You will be asked for the passphrase as well as for a new passphrase to
+be used to protect the PKCS\#12 file. The file now contains the
+certificate as well as the private key:
+
+@cartouche
+@example
+ $ cat example-cert.pem
+ Issuer ...: /CN=CAcert Class 3 Root/OU=http:\x2f\x2fwww.CA[...]
+ Serial ...: 4C
+ Subject ..: /CN=example.com
+ aka ..: (dns-name example.com)
+ aka ..: (dns-name www.example.com)
+
+ -----BEGIN PKCS12-----
+ MIIHlwIBAzCCB5AGCSqGSIb37QdHAaCCB4EEggd9MIIHeTk1BJ8GCSqGSIb3DQEu
+ [...many more lines...]
+ -----END PKCS12-----
+ $
+@end example
+@end cartouche
+
+Copy this file in a secure way to the server, install it there and
+delete the file then. You may export the file again at any time as long
+as it is available in GnuPG's private key database.
+
+
diff --git a/doc/howtos.texi b/doc/howtos.texi
new file mode 100644
index 0000000..bd48de0
--- /dev/null
+++ b/doc/howtos.texi
@@ -0,0 +1,15 @@
+@c Copyright (C) 2007 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node Howtos
+@chapter How to do certain things
+
+This is a collection of small howto documents.
+
+@menu
+* Howto Create a Server Cert:: Creating a TLS server certificate.
+@end menu
+
+
+@include howto-create-a-server-cert.texi
diff --git a/doc/instguide.texi b/doc/instguide.texi
new file mode 100644
index 0000000..bf99a5c
--- /dev/null
+++ b/doc/instguide.texi
@@ -0,0 +1,77 @@
+@c instguide.texi - Installation guide for GnuPG
+@c Copyright (C) 2006 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node Installation
+@chapter A short installation guide
+
+Unfortunately the installation guide has not been finished in time.
+Instead of delaying the release of GnuPG 2.0 even further, I decided to
+release without that guide. The chapter on gpg-agent and gpgsm do
+include brief information on how to set up the whole thing. Please
+watch the GnuPG website for updates of the documentation. In the
+meantime you may search the GnuPG mailing list archives or ask on the
+gnupg-users mailing list for advise on how to solve problems or how to
+get that whole thing up and running.
+
+** Building the software
+
+Building the software is described in the file @file{INSTALL}. Given
+that you are already reading this documentation we can only give some
+extra hints.
+
+To comply with the rules on GNU systems you should have build time
+configured @command{gnupg} using:
+
+@example
+./configure --sysconfdir=/etc --localstatedir=/var
+@end example
+
+This is to make sure that system wide configuration files are searched
+in the directory @file{/etc} and variable data below @file{/var};
+the default would be to also install them below @file{/usr/local} where
+the binaries get installed. If you selected to use the
+@option{--prefix=/} you obviously don't need those option as they are
+the default then.
+
+
+** Notes on setting a root CA key to trusted
+
+X.509 is based on a hierarchical key infrastructure. At the root of the
+tree a trusted anchor (root certificate) is required. There are usually
+no other means of verifying whether this root certificate is trustworthy
+than looking it up in a list. GnuPG uses a file (@file{trustlist.txt})
+to keep track of all root certificates it knows about. There are 3 ways
+to get certificates into this list:
+
+@itemize
+@item
+Use the list which comes with GnuPG. However this list only
+contains a few root certificates. Most installations will need more.
+
+@item
+Let @command{gpgsm} ask you whether you want to insert a new root
+certificate. This feature is enabled by default; you may disable it
+using the option @option{no-allow-mark-trusted} into
+@file{gpg-agent.conf}.
+
+@item
+Manually maintain the list of trusted root certificates. For a multi
+user installation this can be done once for all users on a machine.
+Specific changes on a per-user base are also possible.
+@end itemize
+
+@c describe how to maintain trustlist.txt and /etc/gnupg/trustlist.txt.
+
+
+@c ** How to get the ssh support running
+@c
+@c XXX How to use the ssh support.
+
+
+@c @section Installation Overview
+@c
+@c XXXX
+
+
diff --git a/doc/mkdefsinc.c b/doc/mkdefsinc.c
new file mode 100644
index 0000000..b8fbed6
--- /dev/null
+++ b/doc/mkdefsinc.c
@@ -0,0 +1,367 @@
+/* mkdefsinc.c - Tool to create defs.inc
+ * Copyright (C) 2015 g10 Code GmbH
+ *
+ * This file is free software; as a special exception the author gives
+ * unlimited permission to copy and/or distribute it, with or without
+ * modifications, as long as this notice is preserved.
+ *
+ * This file is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+ * implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* This tool needs to be build with command line supplied -D options
+ for the various directory variables. See ../am/cmacros.am. It is
+ easier to do this in build file than to use fragile make rules and
+ a template file. */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <time.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#define PGM "mkdefsinc"
+
+/* We include config.h after all include files because the config.h
+ values are not valid for the build platform but we need some values
+ nevertheless. */
+#include "config.h"
+/* When building for Windows the -D macros do not have appropriate
+ values. We provide replacements here. */
+#ifdef HAVE_W32_SYSTEM
+# undef GNUPG_BINDIR
+# undef GNUPG_LIBEXECDIR
+# undef GNUPG_LIBDIR
+# undef GNUPG_DATADIR
+# undef GNUPG_SYSCONFDIR
+# undef GNUPG_LOCALSTATEDIR
+# define GNUPG_BINDIR "INSTDIR/bin"
+# define GNUPG_LIBEXECDIR "INSTDIR/bin"
+# define GNUPG_LIBDIR "INSTDIR/lib/" PACKAGE_NAME
+# define GNUPG_DATADIR "INSTDIR/share/" PACKAGE_NAME
+# define GNUPG_SYSCONFDIR "APPDATA/GNU/etc/" PACKAGE_NAME
+# define GNUPG_LOCALSTATEDIR "APPDATA/GNU"
+#endif /*HAVE_W32_SYSTEM*/
+
+
+#if USE_GPG2_HACK
+# define gpg2_suffix "2"
+#else
+# define gpg2_suffix ""
+#endif
+
+
+static int verbose;
+
+
+/* The usual free wrapper. */
+static void
+xfree (void *a)
+{
+ if (a)
+ free (a);
+}
+
+
+static char *
+xmalloc (size_t n)
+{
+ char *p;
+
+ p = malloc (n);
+ if (!p)
+ {
+ fputs (PGM ": out of core\n", stderr);
+ exit (1);
+ }
+ return p;
+}
+
+
+static char *
+xstrdup (const char *string)
+{
+ char *p;
+
+ p = xmalloc (strlen (string)+1);
+ strcpy (p, string);
+ return p;
+}
+
+
+/* Return a malloced string with the last modification date of the
+ FILES. Returns NULL on error. */
+static char *
+get_date_from_files (char **files)
+{
+ const char *file;
+ const char *usedfile = NULL;
+ struct stat sb;
+ struct tm *tp;
+ int errors = 0;
+ time_t stamp = 0;
+ char *result;
+
+ for (; (file = *files); files++)
+ {
+ if (!*file || !strcmp (file, ".") || !strcmp (file, ".."))
+ continue;
+ if (stat (file, &sb))
+ {
+ fprintf (stderr, PGM ": stat failed for '%s': %s\n",
+ file, strerror (errno));
+ errors = 1;
+ continue;
+ }
+ if (sb.st_mtime > stamp)
+ {
+ stamp = sb.st_mtime;
+ usedfile = file;
+ }
+ }
+ if (errors)
+ exit (1);
+
+ if (usedfile)
+ fprintf (stderr, PGM ": taking date from '%s'\n", usedfile);
+
+ tp = gmtime (&stamp);
+ if (!tp)
+ return NULL;
+ result = xmalloc (4+1+2+1+2+1);
+ snprintf (result, 4+1+2+1+2+1, "%04d-%02d-%02d",
+ tp->tm_year + 1900, tp->tm_mon+1, tp->tm_mday);
+ return result;
+}
+
+
+/* We need to escape file names for Texinfo. */
+static void
+print_filename (const char *prefix, const char *name)
+{
+ const char *s;
+
+ fputs (prefix, stdout);
+ for (s=name; *s; s++)
+ switch (*s)
+ {
+ case '@': fputs ("@atchar{}", stdout); break;
+ case '{': fputs ("@lbracechar{}", stdout); break;
+ case '}': fputs ("@rbracechar{}", stdout); break;
+ case ',': fputs ("@comma{}", stdout); break;
+ case '\\':fputs ("@backslashchar{}", stdout); break;
+ case '#': fputs ("@hashchar{}", stdout); break;
+ default: putchar (*s); break;
+ }
+ putchar('\n');
+}
+
+
+int
+main (int argc, char **argv)
+{
+ int last_argc = -1;
+ char *opt_date = NULL;
+ int monthoff;
+ char *p, *pend;
+ size_t n;
+
+ /* Option parsing. */
+ if (argc)
+ {
+ argc--; argv++;
+ }
+ while (argc && last_argc != argc )
+ {
+ last_argc = argc;
+ if (!strcmp (*argv, "--"))
+ {
+ argc--; argv++;
+ break;
+ }
+ else if (!strcmp (*argv, "--help"))
+ {
+ fputs ("Usage: " PGM " [OPTION] [FILES]\n"
+ "Create defs.inc file.\nOptions:\n"
+ " -C DIR Change to DIR before doing anything\n"
+ " --date STRING Take publication date from STRING\n"
+ " --verbose Enable extra informational output\n"
+ " --help Display this help and exit\n"
+ , stdout);
+ exit (0);
+ }
+ else if (!strcmp (*argv, "--verbose"))
+ {
+ verbose = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "-C"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ if (chdir (*argv))
+ {
+ fprintf (stderr, PGM ": chdir to '%s' failed: %s\n",
+ *argv, strerror (errno));
+ exit (1);
+ }
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "--date"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_date = xstrdup (*argv);
+ argc--; argv++;
+ }
+ }
+ else if (!strncmp (*argv, "--", 2))
+ {
+ fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
+ exit (1);
+ }
+ }
+
+ if (opt_date && *opt_date)
+ {
+ time_t stamp;
+ struct tm *tp;
+
+ if (*opt_date == '2' && strlen (opt_date) >= 10
+ && opt_date[4] == '-' && opt_date[7] == '-')
+ {
+ opt_date[10] = 0;
+ }
+ else if ((stamp = strtoul (opt_date, NULL, 10)) > 0
+ && (tp = gmtime (&stamp)))
+ {
+ p = xmalloc (4+1+2+1+2+1);
+ snprintf (p, 4+1+2+1+2+1, "%04d-%02d-%02d",
+ tp->tm_year + 1900, tp->tm_mon+1, tp->tm_mday);
+ xfree (opt_date);
+ opt_date = p;
+ }
+ else
+ {
+ fprintf (stderr, PGM ": bad date '%s'\n", opt_date);
+ exit (1);
+ }
+ }
+ else
+ {
+ xfree (opt_date);
+ opt_date = argc? get_date_from_files (argv) : NULL;
+ }
+ if (!opt_date)
+ {
+ opt_date = xstrdup ("unknown");
+ monthoff = 0;
+ }
+ else
+ {
+ const char *month = "?";
+
+ switch (atoi (opt_date+5))
+ {
+ case 1: month = "January"; break;
+ case 2: month = "February"; break;
+ case 3: month = "March"; break;
+ case 4: month = "April"; break;
+ case 5: month = "May"; break;
+ case 6: month = "June"; break;
+ case 7: month = "July"; break;
+ case 8: month = "August"; break;
+ case 9: month = "September"; break;
+ case 10: month = "October"; break;
+ case 11: month = "November"; break;
+ case 12: month = "December"; break;
+ }
+ n = strlen (opt_date) + strlen (month) + 2 + 1;
+ p = xmalloc (n);
+ snprintf (p, n, "%d %n%s %d",
+ atoi (opt_date+8), &monthoff, month, atoi (opt_date));
+ xfree (opt_date);
+ opt_date = p;
+ }
+
+
+ fputs ("@c defs.inc -*- texinfo -*-\n"
+ "@c Common and build specific constants for the manuals.\n"
+ "@c This file has been created by " PGM ".\n\n", stdout);
+
+ fputs ("@ifclear defsincincluded\n"
+ "@set defsincincluded 1\n\n", stdout);
+
+
+ fputs ("\n@c Flags\n\n", stdout);
+
+#if USE_GPG2_HACK
+ fputs ("@set gpgtwohack 1\n\n", stdout);
+#endif
+
+ fputs ("\n@c Directories\n\n", stdout);
+
+ print_filename ("@set BINDIR ", GNUPG_BINDIR );
+ print_filename ("@set LIBEXECDIR ", GNUPG_LIBEXECDIR );
+ print_filename ("@set LIBDIR ", GNUPG_LIBDIR );
+ print_filename ("@set DATADIR ", GNUPG_DATADIR );
+ print_filename ("@set SYSCONFDIR ", GNUPG_SYSCONFDIR );
+ print_filename ("@set LOCALSTATEDIR ", GNUPG_LOCALSTATEDIR );
+ print_filename ("@set LOCALCACHEDIR ", (GNUPG_LOCALSTATEDIR
+ "/cache/" PACKAGE_NAME));
+ print_filename ("@set LOCALRUNDIR ", (GNUPG_LOCALSTATEDIR
+ "/run/" PACKAGE_NAME));
+
+ p = xstrdup (GNUPG_SYSCONFDIR);
+ pend = strrchr (p, '/');
+ fputs ("@set SYSCONFSKELDIR ", stdout);
+ if (pend)
+ {
+ *pend = 0;
+ fputs (p, stdout);
+ }
+ fputs ("/skel/." PACKAGE_NAME "\n", stdout);
+ xfree (p);
+
+ fputs ("\n@c Version information a la version.texi\n\n", stdout);
+
+ printf ("@set UPDATED %s\n", opt_date);
+ printf ("@set UPDATED-MONTH %s\n", opt_date + monthoff);
+ printf ("@set EDITION %s\n", PACKAGE_VERSION);
+ printf ("@set VERSION %s\n", PACKAGE_VERSION);
+
+ fputs ("\n@c Algorithm defaults\n\n", stdout);
+
+ /* Fixme: Use a config.h macro here: */
+ fputs ("@set GPGSYMENCALGO AES-128\n", stdout);
+
+ fputs ("\n@c Macros\n\n", stdout);
+
+ printf ("@macro gpgname\n%s%s\n@end macro\n", GPG_NAME, gpg2_suffix);
+ printf ("@macro gpgvname\n%sv%s\n@end macro\n", GPG_NAME, gpg2_suffix);
+
+
+ /* Trailer. */
+ fputs ("\n"
+ "@end ifclear\n"
+ "\n"
+ "@c Loc" "al Variables:\n"
+ "@c buffer-read-only: t\n"
+ "@c End:\n", stdout);
+
+ if (ferror (stdout))
+ {
+ fprintf (stderr, PGM ": error writing to stdout: %s\n", strerror (errno));
+ return 1;
+ }
+
+ return 0;
+}
diff --git a/doc/mksamplekeys b/doc/mksamplekeys
new file mode 100755
index 0000000..cd56b21
--- /dev/null
+++ b/doc/mksamplekeys
@@ -0,0 +1,10 @@
+#/bin/sh
+# Generate a samplekeys.asc
+
+keys='1E42B367 99242560 87978569 4F25E3B6 5B0358A2 57548DCD B2D7795E 1CE0C630'
+
+for i in $keys; do
+ gpg --list-keys $i | awk '{ if ( $0 != "") print " " $0; else print $0; }'
+done
+echo
+gpg --export-options export-minimal --export -a $keys
diff --git a/doc/opt-homedir.texi b/doc/opt-homedir.texi
new file mode 100644
index 0000000..07993d2
--- /dev/null
+++ b/doc/opt-homedir.texi
@@ -0,0 +1,25 @@
+@c This option is included at several places.
+@item --homedir @var{dir}
+@opindex homedir
+@efindex GNUPGHOME
+@efindex HKCU\Software\GNU\GnuPG:HomeDir
+Set the name of the home directory to @var{dir}. If this option is not
+used, the home directory defaults to @file{~/.gnupg}. It is only
+recognized when given on the command line. It also overrides any home
+directory stated through the environment variable @env{GNUPGHOME} or
+(on Windows systems) by means of the Registry entry
+@var{HKCU\Software\GNU\GnuPG:HomeDir}.
+
+On Windows systems it is possible to install GnuPG as a portable
+application. In this case only this command line option is
+considered, all other ways to set a home directory are ignored.
+
+@efindex gpgconf.ctl
+To install GnuPG as a portable application under Windows, create an
+empty file named @file{gpgconf.ctl} in the same directory as the tool
+@file{gpgconf.exe}. The root of the installation is then that
+directory; or, if @file{gpgconf.exe} has been installed directly below
+a directory named @file{bin}, its parent directory. You also need to
+make sure that the following directories exist and are writable:
+@file{ROOT/home} for the GnuPG home and @file{ROOT@value{LOCALCACHEDIR}}
+for internal cache files.
diff --git a/doc/qualified.txt b/doc/qualified.txt
new file mode 100644
index 0000000..c0e4da5
--- /dev/null
+++ b/doc/qualified.txt
@@ -0,0 +1,243 @@
+# This is the list of root certificates used for qualified
+# certificates. They are defined as certificates capable of creating
+# legally binding signatures in the same way as a handwritten
+# signatures are. Comments like this one and empty lines are allowed
+# Lines do have a length limit but this is not a serious limitation as
+# the format of the entries is fixed and checked by gpgsm: A
+# non-comment line starts with optional whitespaces, followed by
+# exactly 40 hex character, whitespace and a lowercased 2 letter
+# country code. Additional data delimited with by a whitespace is
+# current ignored but might late be used for other purposes.
+#
+# Note: The subversion copy of this file carries a gpg:signature
+# property with its OpenPGP signature. Check this signature before
+# adding entries:
+# svn pg gpg:signature qualified.txt | gpg --verify - qualified.txt
+# to create a new signature:
+# f=qualified.txt; gpg -sba $f && svn ps gpg:signature -F $f.asc $f
+
+#*******************************************
+#
+# Belgium
+#
+# Need to figure out a reliable source.
+#*******************************************
+
+
+
+#*******************************************
+#
+# Germany
+#
+# The information for Germany is available
+# at http://www.bundesnetzagentur.de
+#*******************************************
+
+#Serial number: 32D18D
+# Issuer: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+# Subject: /CN=6R-Ca 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+# validity: 2001-02-01 09:52:17 through 2005-06-01 09:52:17
+# key type: 1024 bit RSA
+# key usage: certSign crlSign
+#[checked: 2005-11-14]
+EA:8D:99:DD:36:AA:2D:07:1A:3C:7B:69:00:9E:51:B9:4A:2E:E7:60 de
+
+
+#Serial number: 00C48C8D
+# Issuer: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+# Subject: /CN=7R-CA 1:PN/NameDistinguisher=1/O=RegulierungsbehÈorde
+# fÈur Telekommunikation und Post/C=DE
+# validity: 2001-10-15 11:15:15 through 2006-02-15 11:15:15
+# key type: 1024 bit RSA
+# key usage: certSign crlSign
+#[checked: 2005-11-14]
+DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B de
+
+
+#Serial number: 01
+# Issuer: /CN=8R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+# Subject: /CN=8R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+# validity: 2004-11-25 14:10:37 through 2007-12-31 14:04:03
+# key type: 1024 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+#[checked: 2005-11-14]
+42:6A:F6:78:30:E9:CE:24:5B:EF:41:A2:C1:A8:51:DA:C5:0A:6D:F5 de
+
+
+#Serial number: 02
+# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
+# Telekommunikation und Post/C=DE
+# validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59
+# key type: 1024 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+#[checked: 2005-11-14]
+75:9A:4A:CE:7C:DA:7E:89:1B:B2:72:4B:E3:76:EA:47:3A:96:97:24 de
+
+
+#Serial number: 2A
+# Issuer: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# Subject: /CN=10R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# validity: 2005-08-03 15:30:36 through 2007-12-31 15:09:23
+# key type: 1024 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+#[checked: 2005-11-14]
+31:C9:D2:E6:31:4D:0B:CC:2C:1A:45:00:A6:6B:97:98:27:18:8E:CD de
+
+
+#Serial number: 2D
+# Issuer: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# Subject: /CN=11R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# validity: 2005-08-03 18:09:49 through 2007-12-31 18:04:28
+# key type: 1024 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+#[checked: 2005-11-14]
+A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de
+
+
+# ID: 0x5B4757B0
+# S/N: 0139
+# Issuer: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# Subject: /CN=12R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# validity: 2007-05-25 11:01:44 through 2012-05-25 10:56:07
+# key type: 2048 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+# [checked: 2008-06-25]
+44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de
+
+# ID: 0x46A2CC8A
+# S/N: 013C
+# Issuer: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# Subject: /CN=13R-CA 1:PN/O=Bundesnetzagentur/C=DE
+# validity: 2007-05-29 11:02:37 through 2012-05-29 10:55:54
+# key type: 2048 bit RSA
+# key usage: certSign
+# policies: 1.3.36.8.1.1:N:
+# chain length: unlimited
+# [checked: 2008-06-25]
+AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de
+
+
+#
+# D-Trust root certificates. Probably by shifting a lot of Euros to
+# laywer companies, German CAs achieved to get the permission to
+# create their own legally binding root certificates - independent of
+# the Bundesnetzagentur. The main problem with this is that it is
+# hard to figure out what qualified root certificates are actually
+# active. There is now no way to be sure whether a signature is a
+# qualified one. A pettifogger's way of validating certificates.
+#
+
+#Serial number: 00B95F
+# Issuer: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
+# Subject: /CN=D-TRUST Qualified Root CA 1 2006:PN/O=D-Trust GmbH/C=DE
+# aka: info@d-trust.net
+# aka: (uri http://www.d-trust.net)
+# validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# policies: 1.3.6.1.4.1.4788.2.30.1:N:
+# chain length: unlimited
+#[checked: 2007-01-31 by phone 030-259391-0 and callback by Mrs. Enke]
+E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C de
+
+
+#Serial number: 00B960
+# Issuer: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
+# Subject: /CN=D-TRUST Qualified Root CA 2 2006:PN/O=D-Trust GmbH/C=DE
+# aka: info@d-trust.net
+# aka: (uri http://www.d-trust.net)
+# validity: 2006-04-27 12:40:54 through 2011-04-27 12:40:54
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# policies: 1.3.6.1.4.1.4788.2.30.1:N:
+# chain length: unlimited
+#[checked: 2007-01-31 by phone 030-259391-0 and callback by Mrs. Enke]
+98:2A:75:67:0F:F8:28:4A:94:E0:9D:23:D8:E7:62:C8:BD:A4:54:04 de
+
+
+#
+# S-Trust root certificates.
+#
+
+#Serial number: 00DF749F80AA51F0EDC0CB1FC183E97EE2
+# Issuer: /CN=S-TRUST Qualified Root CA 2006-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart
+# /ST=Baden-Wuerttemberg (BW)/C=DE
+# Subject: /CN=S-TRUST Qualified Root CA 2006-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart
+# /ST=Baden-Wuerttemberg (BW)/C=DE
+# validity: 2006-01-01 00:00:00 through 2010-12-30 23:59:59
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-01-31 by phone 0711-782-0 Mr. Brommer]
+7D:DC:76:1C:FD:AF:4C:E0:3A:B5:3A:DD:C9:FA:13:35:19:A3:DE:C9 de
+
+#Serial number: 00BC098E0402E92956B8D7DE74977E26F7
+# Issuer: /CN=S-TRUST Qualified Root CA 2007-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart
+# /ST=Baden-Wuerttemberg (BW)/C=DE
+# Subject: /CN=S-TRUST Qualified Root CA 2007-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart
+# /ST=Baden-Wuerttemberg (BW)/C=DE
+# validity: 2007-01-01 00:00:00 through 2011-12-30 23:59:59
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-01-31 by phone 0711-782-0 Mr. Brommer]
+7A:3C:1B:60:2E:BD:A4:A1:E0:EB:AD:7A:BA:4F:D1:43:69:A9:39:FC de
+
+
+# ID: 0xA8FEA3CA
+# S/N: 00B3963E0E6C2D65125853E970665402E5
+# Issuer: /CN=S-TRUST Qualified Root CA 2008-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+# Subject: /CN=S-TRUST Qualified Root CA 2008-001:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+# validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-12-13 via received ZIP file with qualified signature from
+# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
+# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg]
+C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de
+
+# ID: 0x3A7D979B
+# S/N: 00C4216083F35C54F67B09A80C3C55FE7D
+# Issuer: /CN=S-TRUST Qualified Root CA 2008-002:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+# Subject: /CN=S-TRUST Qualified Root CA 2008-002:PN
+# /O=Deutscher Sparkassen Verlag GmbH/L=Stuttgart/C=DE
+# validity: 2008-01-01 00:00:00 through 2012-12-30 23:59:59
+# key type: 2048 bit RSA
+# key usage: certSign crlSign
+# chain length: 1
+#[checked: 2007-12-13 via received ZIP file with qualified signature from
+# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
+# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"]
+D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B de
+
+
+#*******************************************
+#
+# End of file
+#
+#*******************************************
diff --git a/doc/samplekeys.asc b/doc/samplekeys.asc
new file mode 100644
index 0000000..034af39
--- /dev/null
+++ b/doc/samplekeys.asc
@@ -0,0 +1,920 @@
+ pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
+ uid Werner Koch <wk@gnupg.org>
+ uid Werner Koch <wk@g10code.com>
+ sub 2048R/C193565B 2011-11-07 [expires: 2013-12-31]
+ sub 1024D/77F95F95 2011-11-02
+
+ pub 4096R/99242560 2002-01-28
+ uid David M. Shaw <dshaw@jabberwocky.com>
+ sub 2048R/A1BC4FA4 2012-01-10 [expires: 2017-01-31]
+ sub 2048R/6F410A43 2012-01-10 [expires: 2017-01-31]
+
+ pub 1024D/87978569 1999-05-13
+ uid Marcus Brinkmann <Marcus.Brinkmann@ruhr-uni-bochum.de>
+ uid Marcus Brinkmann
+ uid Marcus Brinkmann <mb@g10code.de>
+ uid Marcus Brinkmann <mb@g10code.com>
+ uid Marcus Brinkmann <brinkmd@debian.org>
+ sub 1024R/08AEA692 2006-04-14
+ sub 1024R/FCD2A293 2006-04-14
+ sub 1024R/233A942F 2006-04-14
+ sub 2048g/C3AF90C1 1999-05-13
+
+ pub 2048R/4F25E3B6 2011-01-12 [expires: 2019-12-31]
+ uid Werner Koch (dist sig)
+ sub 2048R/AC87C71A 2011-01-12 [expires: 2019-12-31]
+
+ pub 1024D/5B0358A2 1999-03-15 [expired: 2011-07-11]
+ uid Werner Koch <wk@gnupg.org>
+ uid Werner Koch <wk@g10code.com>
+ uid Werner Koch
+ uid Werner Koch <werner@fsfe.org>
+
+ pub 1024D/57548DCD 1998-07-07 [expired: 2005-12-31]
+ uid Werner Koch (gnupg sig) <dd9jn@gnu.org>
+
+ pub 1024D/B2D7795E 2001-01-04
+ uid Philip R. Zimmermann <prz@mit.edu>
+ uid Philip R. Zimmermann <prz@acm.org>
+ uid [jpeg image of size 3369]
+ uid [jpeg image of size 3457]
+ uid Philip R. Zimmermann <prz@philzimmermann.com>
+ sub 3072g/A8E92834 2001-01-04
+
+ pub 1024R/1CE0C630 2006-01-01 [expired: 2011-06-30]
+ uid Werner Koch (dist sig) <dd9jn@gnu.org>
+
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.11 (GNU/Linux)
+
+mQGiBDbtSOkRBACURhKnGIFyXIeX61GAY9hJA5FgG4UalV55ohdz4whBgDzDGLE3
+XYlO8HCn4ggKilll6MOwY0yZeg6PEU9Y3SqTzpQSV6qj2M7MgcS8xOpi6bNCu0iy
+ZUik0KklUXMdI8e/CVmBpQJT9CofbD1dsP6z4dC6z3jil0+5Wbfw6yIXzwCgy/7F
+agq5mN0H760/JEiiXILS1n0D/3H26lTaxo1vGput9Td1FQN7Vn6YDP0/To5ipsOO
+DROV3zyUwF5QleY+8zTFJA3qD5KxRfA726WELOF1mB6Mw44UdkPniOoGdMH5oSx6
+qnNnlVZBBu3U+e1qfQwLQjHu0WX4Z2q00DKpWLThGv7Loh5NKi6OfTbMhfHoevCA
+zQnmA/wKc6J8GqthENThKXxZaei3Ep0t+PlBmbUzuAYCXZhI6/0KyD6emyQ7LYIa
+Pv9qEfMkMLhxicG0v/AAwOCBRKS3bkqc6wAYaO0bjUHJvem3HkWPux82t83+6YPy
+RnVjm/mwt0uEyKSvt7Md2DVrO3lEcKRkRHiYuf0nonPhl5Rs5bQaV2VybmVyIEtv
+Y2ggPHdrQGdudXBnLm9yZz6IawQTEQIAIwIXgAIZAQULBwoDAgMVAgMDFgIBAh4B
+BQJGtcWFBQkXLil/ABIHZUdQRwABAQkQXeJJllsDWKJBTACfQI8TnuVIxE88u2na
+pOMyUfoWZSMAn2t47LUMuyDEHRcYvEBiP/SRVvsrtBxXZXJuZXIgS29jaCA8d2tA
+ZzEwY29kZS5jb20+iGMEExECACMCGwMCHgECF4AFCwcKAwIDFQIDAxYCAQUCRrXF
+kQUJFy4pfwAKCRBd4kmWWwNYomksAJ4q+Lv3fDvzDJl4JcOmzWHPsPg2QQCdHcj5
+DwCCM7YnRLiE58ApHdrg11S0C1dlcm5lciBLb2NoiGMEExECABsDCwoDAxUDAgMW
+AgECF4AFAka1xZEFCRcuKX8AEgdlR1BHAAEBCRBd4kmWWwNYokHUAKCKSLq+i1yH
+rG8ZXqJRk+d4SyanGwCeKFwqqRr3tbae+m4iK+EcyY+BR2a0HVdlcm5lciBLb2No
+IDx3ZXJuZXJAZnNmZS5vcmc+iGMEExECACMCGwMCHgECF4AFCwcKAwIDFQIDAxYC
+AQUCRrXFkQUJFy4pfwAKCRBd4kmWWwNYomC9AKCOTnRhGus67gV2k+8K2SwytYDq
+VQCfcaEJKu8EBd0sx3F024GX/RNwnZq5AaIEQF3aTxEEAP9SgfIbIPL6BQ1nqobl
+sTYoiwWPL48uBZPjkDfy8XsVR5V9aRQlggC4x4/MD3Ip5AUgReI7PcHnp4m3vcVL
+XPl+/7i7hAwd84iKzgN8I8VW0EevflcNm7nbWEnpjaGxJWFbhSLI1DmqnafoU8nZ
+gGp2QoE+flgGDd559C3SiHRTAKDbqgS3EDhTbwfS+bAhW5Xi8/2CPwP9HueeuW9M
+/cyt8UvliLsj2eYMEIy7CeSLO13XfnqCjcnHK+b59/ADd99dpMaq3gKj7Aj1RIsR
+V2qWDJpDNXVxP7Cy+FzxelQsytPQOV8H8AkB+RgmSyfxlNRUkC3sQU6jR9IwmPD4
+iB5fp/SqUpn++77TAArXqsfHbmlnwcuU1EAD/i7CEhxLBYS1N77hwxL8DWCqjpi+
+1PKG+6dc0BQFIU3uUhbzLGfqEobUDhveqgtlsvoEZ/lR8RgMv/uOjXEgiATQyTEa
+7s3M2vjXlpLjXjzklma3Lqmcam3dEf/5OR02yZif6hPU/x8f/VQle0kKNKdOCV1+
+dlo8aJH2UIZRRIvtiJcEGBECAA8CGwIFCQcbVgAFAkR1rB0AUkcgBBkRAgAGBQJE
+dawTAAoJEGB4TpQBClft2RMAn1XiL/bC9hByZInCJTaCd8WS8kYCAKCfpAWwLIxk
+fwAeD/RI+2p00nQfvAkQXeJJllsDWKKx7QCguc4/HiEs64Ey5p6Yihy67X8E0YsA
+nRXMFdXVP7ww8uldljPiD1TgyurpiEYEEBECAAYFAjc3I8UACgkQ9u7fIBhLxNmH
+ZQCglWbPDznIcnOxdDW+k7YgA9+/n00An1ZjSiJipverUxLEFHAbSBWI0IntiEYE
+EBECAAYFAjc6+aMACgkQdQ9klcidkz6GiwCdGe0KSP/vSyEZM/GClQXvjMD4RvMA
+oJwyTIdcjPZbQizDeAO3btn2CCwTiEYEEBECAAYFAjgUDhkACgkQYAeQgHPH80+I
+2gCdHeTAPusmEfN2bdkijpW1gpxBvGoAn1kzL7Mg7tC4pqlqw2fV3kRUy1a5iEYE
+EBECAAYFAjgqYh4ACgkQ4/JYVBKPDnkPkACgmzk7HMlJ1h0qw6OHyMtDE4RI4ToA
+ni+Cm+01pHfzh0EnFQTvLE1M9PtoiEYEEBECAAYFAjnKOw4ACgkQK7tDpvCerwqu
+XwCfbW9xGF2AHQakBPakh61xKmC8WEEAn3TytfY5qrTjxIj2HZFKN5QuQpYSiEYE
+EBECAAYFAjnKiy8ACgkQF6ZBbfeUj9ombQCfYQYxpipdMGBxbNd8jbL9RDmH3nMA
+oITmZnDJwXzpHNuSLY8o3c5YhHXziEYEEBECAAYFAjnKnXcACgkQNfZhfFE679le
+7gCggQjsjFhjaIO1lWHfPusn0dqdhRYAn3rOW0XSeh64V9o+VItH2LZngmNAiEYE
+EBECAAYFAjnLMigACgkQUaz2rXW+gJcIVgCfRRq0G2fCcZOFoey9uZGAkWctKsQA
+oLw6lUhdeZDgULrDC7OQRIk7CnMtiEYEEBECAAYFAjnPp1IACgkQkVrMRaj0wv0I
+qwCfWGMeiZ58ysuZCAP9IsX3aKcSPtcAoJno1COOjAMhoWjUiHctgLZX9+gTiEYE
+EBECAAYFAjnQ39UACgkQbyOLwk/aWgxfIwCfb/GeMAD8w84hq5/aUQMCvVqUYqAA
+n07SKuWYsZLEUuPWIgYY0yoByJxviEYEEBECAAYFAjnSCrEACgkQv+EgZWshSJq8
+jACfdf20dqs3IWOPHgFMdYb5VF+WkJUAn05quvyHB3Xug8csxWg6RwSfQBTBiEYE
+EBECAAYFAjpMy0UACgkQ7UaByb89+bRUrQCg6aozpYiCEDPVAHe54/8/q48FLP8A
+niviG9fjxInPaSKB+LXRmQjc2jLZiEYEEBECAAYFAjqJgd8ACgkQYogE2yD8bPYG
+agCggMsqGJN61JuOQkY5MiKb4UPQpBwAniNYwQb+hlEzJF7qnPECh0MAxq8OiEYE
+EBECAAYFAjrBCNQACgkQt1anjIgqbEu30gCdEsSeFtJ5KziD5l/CvAhVZt9lnQUA
+nRrmbV8HkndXp3+DNoREgscZk/rliEYEEBECAAYFAjrB0SkACgkQ0vCiU5+ISsiP
+kgCeOFayt7NkcymwTC2UKNjjyukNDvAAoLq/bOTNZECtztYIMDQ2VrzZ3m6KiEYE
+EBECAAYFAjr1eYsACgkQ7A6vcTZ3gCXdrQCgllIx6G2DkKSGKBhYCgsyywFBXLUA
+n2PJGrCOov0LS8jCMD2Xo4T7qfsjiEYEEBECAAYFAjr1mwEACgkQLBigKrTF83+E
+4ACffa4yaJ6Pj4uFZY7dVuiOfkuoTE8AniIdw0DVkHBuxlNp9PAglhztyE+oiEYE
+EBECAAYFAjtFbTsACgkQ53XjJNtBs4ex3wCfXLPNscM4Uxtmy0/t5Ygg9lDWEQAA
+nR39P9eJtEeBtMPfbEGYc10ABqjkiEYEEBECAAYFAjtF2QAACgkQI/q1+wgWzBuJ
+gACeIak+A98IheVSowXG4J6jzBA439MAn2IFA8EB/EkQ1rn7OEmFNX++PNZyiEYE
+EBECAAYFAjtF8RYACgkQJ4bCRH+KQBfSwgCaAvm7pL+LioYj/oKDBQ1pJAj+UqMA
+n10W8RKrYblMZ4L11R2TO9xOvFn6iEYEEBECAAYFAjtIDxYACgkQBgac8paUV/DL
+WACgifbHtSi50JxmSr18WofeVcVcAXUAoJs99aH6/t9gkO34ajXjiIQxc0qMiEYE
+EBECAAYFAjtIJ18ACgkQ11ldN0tyliUx5gCggbhG1uzvdgHNY8oCt4cc6TfHUREA
+oJuRw8q2kbztnt8TQ4mjiTINcBXziEYEEBECAAYFAjtJwaAACgkQUI/TY7yTaDkP
+jgCcDSJQUZBBP/5OvW48Q3BUkUkRSQkAn1Mjqe4WTFEEA8HK5h+KDcqR0aZIiEYE
+EBECAAYFAjtKFVcACgkQliSD4VZixzSYCgCeJpt98LMq02q9W1bK5iPUvCkcsSYA
+n1dqFcoXctXVnMj53z8zfAaW0BcwiEYEEBECAAYFAjtLFwcACgkQDqdWtRRIQ/XM
+GQCdH1u9tmtUYY3ExVLdT/H2IIQCU3MAoI69Y4Z17RDh4Bj2gmJwmEAmfDwbiEYE
+EBECAAYFAjtMF8oACgkQ1w1fWGA80Hj2mwCfazudYZSMmQWO85xZvg0uTB3rhZQA
+n3DSyrvXxIpmv0CcnBtUQu5N21kSiEYEEBECAAYFAjtRuWUACgkQ5DsVPMtGficb
+LACeNpRJOS9AZ7q7bhX2sBJglKLloTsAoLm5FTnY6iAySfPZZlwAVeE6zMJwiEYE
+EBECAAYFAjtSxD8ACgkQO/YJxouvzb1F7ACfVp8vhxAWCeRZN3InlvYLrxFTng4A
+n1QO6+D3QUjX+0YRNZ3tpZDTSd6QiEYEEBECAAYFAjtXQl8ACgkQeRYvNvf2qtkl
+NwCfcg4Tss3C9Nf6NiyOAHhXO4JLhtkAn055IHb4i2IO5TQLSQi0tk4ktZVfiEYE
+EBECAAYFAjtnOlkACgkQwAsNNiHlPr2cagCg07IN1/MaXn+8yd4Ncp9/723gEBgA
+njNCoGAAccbvCCVE29sXBNAvUo8MiEYEEBECAAYFAjuYRI4ACgkQkC29kYw4qQpq
+wACfcyB4krJFqyeHoKzRYDqW8JDUdvcAn2pa3UDeKM7FVe8LgCQyz0McM4JqiEYE
+EBECAAYFAjwH+10ACgkQ2tKwXV88MYVF8gCeMoYaFN7v/VDmuYt+G1BXDxzcuusA
+nR8fAcIyBjSffB0yEIwaA7O9X7ZxiEYEEBECAAYFAjwIEdIACgkQaliC34RARgJ9
+zgCfS1K0bROVSB+9wX4g+xEE0phEAToAn3etSLME5hzsisIRMjUsGbBDe7+aiEYE
+EBECAAYFAjwjtVQACgkQRHJT9Ar9DKjv+QCbBE3lRMzyKxTbPUd9v+nB8EVqv4cA
+n0DxPkAIkuriAuwtOjCypTDNydyxiEYEEBECAAYFAjxdq0AACgkQ7vDbNLMhJgNw
+vwCeMc0QmOS0ctJOX1J9a3DWkMyUdf4An3iIslZ7stkMOi1VdyE5fR2YDvNFiEYE
+EBECAAYFAjxw4+MACgkQGM0lpSLzivNlngCeLdkkRkcyHVKttl6Z9IQExE+gaNsA
+nRko+7BQOu5jXMfGarg1rE2zDhsFiEYEEBECAAYFAjxxJxIACgkQscRzFz57S3Pk
+JwCg3qepdTsiNKuGYC6a1RlJZTBqkiEAn2G6ypvCpWAL43LWbMbyyf/rYxSoiEYE
+EBECAAYFAjxxQYIACgkQOhqmNZCaVAYvbACgz9mXzo/nC64mx03IFgL8oFuBAhIA
+oL91NILXxGYrkaOnM+2Ci20UvA3ZiEYEEBECAAYFAjxzeIMACgkQo+C50no0+t5J
+7QCgpSCgGQ8eMefvsDsF0DlEZzuAHNoAoK1TFwuK7ZowUQJyWp1tKDtNDbx3iEYE
+EBECAAYFAjx+gfMACgkQjjtznt0rzJ3/dgCgnDMnLna3yPskxeVf32wDbTHLxf0A
+njWCw4lfYauS0LumGv9uHN9PaErhiEYEEBECAAYFAjyAY8EACgkQ14NrbAzZIOdE
+PgCgt5DiZfRFkvzAPecRDCIp3pOdUwkAnjj1CDE+Kzg2RiK9Z73QM8B0J4driEYE
+EBECAAYFAjyBd5kACgkQ/3vbrZlD49+lmwCfS9apz+gEHsRV6ELS4NtCLvrJsRkA
+n3AexpisdP+8KwolieJwaVPitN2giEYEEBECAAYFAjyMzCQACgkQhbmQdcKRDkGo
+iACaAqrwXn6kf3aD7wss1rgQmrCtJKIAoIU6uifoxBubp2+YjW6kjbnkFMD0iEYE
+EBECAAYFAjyXNDoACgkQoegCcNp0M5aGrgCeLBRQ8CAVzPO8OTz2TMFqYLIbFrcA
+oK2qJqojmF2+THtFCHz0hhiBAekNiEYEEBECAAYFAjyXNjgACgkQg2i7WWb7wYxz
+xwCfcrZ5yTwjn9Sh1S/yL3MBKBs8uxUAn0pC4GgIsbbaxcf1QA5AYwFiPcPEiEYE
+EBECAAYFAjyxODEACgkQJXt5TsZsoD0pVgCfTIJ88OFNFlnUFoNZemDdbd4ZqEsA
+n1y5ZyCl5SYkqFTGiVtkgtIIEhK7iEYEEBECAAYFAjyxguAACgkQeuuK7Uc6ScnB
+gACfUlQrrDUb78b93JEvThA/f1ZankIAni448ZxagzPjnj/vH33yK14agnq0iEYE
+EBECAAYFAjyxj4MACgkQocWSfM5dzg4qigCdHrjYquNu2aphWggG5E0G6zCW5MEA
+n1NQJmKkTEUsbanbVOBx1G5wvYkeiEYEEBECAAYFAjyyhzsACgkQVlEzpFDUq7k9
+9gCeMJc5KvC2gAHgCVjv6Hn7AKgY+rMAnRFIrjunb1Sh77542URoWAVmuPN0iEYE
+EBECAAYFAjzyIFQACgkQX1807qC7Pev9PgCfcW15D2cS4UTkn11BSqn+pgrA4KIA
+oKzLDc78X3OFDzVXTOvk8V89OshGiEYEEBECAAYFAj1uHIwACgkQKMb1a4F8NWhP
+PQCaAprFvggEHBTVR+KWzm0Z3l9ijLIAnAw2QtJ1Mlnz0ctNwSJwORM87/ARiEYE
+EBECAAYFAj2ERksACgkQ1DyzBZX+yjSzyACgjUKL3CH2UYciEAarZU9H0ZYIIWQA
+nA6I1aJ0FgWiF2bd/jgWaBL2jtd4iEYEEBECAAYFAj2F5U4ACgkQdZc6ENbQhKbt
+/gCfblKSqJohqhaFawtXPs8TX1UqY/sAnjqwumhFN4YAAez36gItTB9BxcmJiEYE
+EBECAAYFAj43BmIACgkQkQghntzeiQqeGACfSyyIi1vPniQOq8xLfgjDxFkkVEYA
+oJSFbH8uhrwBMa8aOIRkjN9uRdY2iEYEEBECAAYFAj+Q/gMACgkQdt8qX2QD4/2l
+hwCgnv3QSQPCGbmTI67mtAxl9d4rZ4UAn1WXmoSknE2WYeqRUb6d4wAhG/jViEYE
+EBECAAYFAkCnUpQACgkQt+hxIz4tn22gnwCfTWoR3vhEv0yp1Ks/vz7jow0Tw6QA
+n3YXgQn0DS9/9u7AyG5gjh18VLtuiEYEEBECAAYFAkCnUqEACgkQt+hxIz4tn22d
+OACgjeYArERuayyqZmozCahsgUyPihMAn0PkgZDTwKgSw690xdLuR2rWJrPQiEYE
+EBECAAYFAkGD05gACgkQ9oi/YaVie2EkhgCg582nMvFSTXDb/PdF0+kZTBQTCGQA
+mwSEka7EMzOzoCxEefZd+GQmEdcXiEYEEBECAAYFAkGGD60ACgkQ6gnEQD//YGyI
+WQCgruyF9KSG2GuqPVQIsizCCV8rjPcAnRQsBzfw9QLM960FP64YWUCqhYkYiEYE
+EhECAAYFAj0EW94ACgkQj/Eaxd/oD7Lv2ACfUACXl0hDfGeEdbGjhIa/hSaZCrkA
+mwV4SdeJnBoXV22VBEekmTfzHKHEiEYEExECAAYFAjyvU4oACgkQ6pxm6rn41tmE
+ewCbB4FZ6z6dmSJ2epBIdeoS8KHLNhEAn2ZcUDKfuFpVVDuV/bMhpjbbHJRIiEYE
+ExECAAYFAj0FswMACgkQoWMMj3Tgt2a46gCdFwSWzfEmyuvfjnmNPzCyvdO2R2cA
+oJRl1Ibl/2hPXjenl1f08pQLThZAiEYEExECAAYFAj0GRB8ACgkQKb5dImj9VJ8F
+HACcDjdyCPMWjSbrXKCVFjDtuapl428AnRSI7e1VYRJcVdGmrAtmu360GrQpiEYE
+ExECAAYFAj2J/ScACgkQ74J3yv6ZHpg4ogCgj8BllYTJEQ5sF62Qd2q9o2FNJ8cA
+n2K/7zpy9M/Oig+yIYofaN+5fnUUiEYEExECAAYFAj4ykiMACgkQaqtaJwF/Vr1M
+mgCfcNfOOm6/woHpEtuFVgYXvUh0tG4AnRTPBwdemHFViOojNJ0glWck/84ciEYE
+ExECAAYFAkDa3nAACgkQRTxFSQIw1gIZCQCg/jjaczO/s9GkLq/kftPN8A6kLr8A
+oPwGlVzoq5yWxhgCkEMfV+KItmDViEYEExECAAYFAkGE+RcACgkQ3ZHkUS+VgsFX
+/ACfRYBeswRWTHOdc4gLefxUVSGbj8wAnA3CWEF3MQOIpJQ5KSFLE2104h5riEYE
+ExECAAYFAkGNFPwACgkQ+C5cwEsrK56k8QCguxJO7l5effxWbaYOgeVko8HiQ80A
+oKSJGsOZGx1nvQRKeRK/7DrZbB2piEYEExECAAYFAkGqFTYACgkQztt/8ZMtg2MV
+MgCfZevJcAcVXa4hUUJSjkWo0j/b9MkAn2HZC4sNs9nMN1PvX95Ge39wfBEKiEYE
+ExECAAYFAkIrN0cACgkQi0rEgawecV4jeQCdF+GUDJuQnCaFZqw6sNgZtol0UncA
+n1/VQvGDB0Or+JItHnUlCU98URNXiEkEExECAAkFAkGD3AUCBwAACgkQQSganqDi
+jRh6lQCgmgm1rqgdF3qYuDQn/S1vFxggwpIAn1htaL3fD6o4LnT/8BIm6K6tPGPW
+iEwEEBECAAwFAj0BE/8Fgwa1sWoACgkQFBE43aPkXWatjQCdF96DM2kdreTGbWTK
+jTMTuwB3AtYAoOxTFERoyUCn7nTsufD4QpxIkJCiiEwEEBECAAwFAj2GAuUFgwYw
+woQACgkQU+KFTgvh8OP+lgCfTLjRfVihRNQQ/MVIuHttesX/s/4An1ZBth8G2EvC
+fiOU2KoOjl3MZUJ4iEwEEBECAAwFAj+ObrAFgwQoVrkACgkQCmLlNDenkUkzjQCe
+IR3z4h7TMEeNI9Sy5/4Sgclj9WsAoK9yVbdDuWQJQh/ZBUpx0GjxMSW1iEwEEBEC
+AAwFAj+SeAcFgwQkTWIACgkQ78vN/2HwW4xfggCgg+yTSXldBhvFoDXoAeOwcC74
+YqkAn0b+tC5AZ2BQkg0vJXZ6tFXuOvhaiEwEEBECAAwFAkCoZL4FgwmwcCoACgkQ
+EgljnRFKqFxfngCfbXYSsBtMM5hcUCsnm9IvyCmMhgAAnjtDe7q+5cW/JmzE3ill
+B+u8fc9DiEwEEBECAAwFAkC/Rz8FgwmZjakACgkQ2S0k392WXIP5uwCfTlmW1u9U
+3nck5mCo6DeTHNTmUvkAn2jnjXhvqKoLfS2ERRwQlFFAw6NRiEwEEBECAAwFAkDb
+VF4Fgwl9gIoACgkQ9ijrk0dDIGxiBQCeJIrdN0kFT16KL4COSILMmcjVxygAni6O
+inWWNJqCk+k+BNIvKpm+QKm2iEwEEBECAAwFAkDxIncFgwlnsnEACgkQkvv9V4b8
+pZK7gACgwOU8kI9ZBzryS+HxAeWEo4WjeC8Anjl67/wgPGr4XAS/XA1xmWzRwZiP
+iEwEEBECAAwFAkGsm40FgwisOVsACgkQLEmBxMM0hsB4NgCeLxvQw1g9MSpWY9+2
+VbSK/4vNd4EAnicGGKdS3Zy48E4GBZr62ZmWjr/iiEwEEBECAAwFAkHCEoIFgwiW
+wmYACgkQGFnQH2d7oezd+QCeJzuPIHb2H/PX1R9NYqC6z+63wFsAmgJUX4Ei+WzK
+Gs2r8LVtIo03nc/niEwEEBECAAwFAkHCKOAFgwiWrAgACgkQgcL36+ITtpJ6eQCf
+Q5aTW9WLJNVWTdp4fi618YDdnNEAn36Vz84EsZ0gpO0Je9S+geCrffj6iEwEEBEC
+AAwFAkHCKTAFgwiWq7gACgkQa3Ds2V3D9HOXdgCg91Pqo7tiv00Je9XoTIJq82ug
+6gsAn2Q37v0WzuggX1xyzDSR7oxz77owiEwEEBECAAwFAkIi82wFgwg14XwACgkQ
+2KgHx8zsInvpsgCfdHcjOaK7aK1MBAYBaWwkK4rfd7kAoKxblxsQzllz7sLvFbK7
+xG2ipuNJiEwEEBECAAwFAkIongEFgwgwNucACgkQLADuUthSlVgXawCcCbstExBn
+Vkd/fHvatuzJ3sJ0g0gAn1t1CmnaMwV/HVQlUhfqefYlVN3giEwEEBECAAwFAkJT
+jYsFgwgFR10ACgkQlvNNek/0hjUNPgCfRJZleAq/j/4tbek4A3/lhgXJha0An1aT
+oz0bp8HSf2NBjW1euvf/4VZCiEwEEBECAAwFAkKYjoAFgwfARmgACgkQTbbnG4Bh
+qDBuUgCgyBpzBy8k7OKzjiYrKMGIWZqiMiYAnjHdHdzo6dKcV+J3ef4hl3VcLqDf
+iEwEEBECAAwFAkK9MmEFgweboocACgkQr2QksT29OyBNEACfbNEfltwRZ1RmZEkt
+9ZTwOJSli5gAn3brUt3vc1JIxs8dlkwHV1fSJpH8iEwEEBECAAwFAkK9RW4Fgweb
+j3oACgkQ62zWxYk/rQd1UACgwJNmfL/Cs6bYMFPC1dRrNsf2GtAAnR6K37k2u63F
+X1lbg4aSMLCcNviCiEwEEBECAAwFAkLinZ0Fgwd2N0sACgkQ9D5yZjzIjAkhqgCg
+j/Uy+2Xvfw9FAwPdWSaC+o4AVUEAoIvJ06LeJppo5EQqEt1mc8bYV1UjiEwEEBEC
+AAwFAkLlBZcFgwdzz1EACgkQg2E6UBaCfQMWAwCgk0N+XcWaLDssH7wYu0EtOFW1
+kKUAn3Vq83yrmg+F4TvieNmPhhqTP6W2iEwEEhECAAwFAj5ecYsFgwVYU94ACgkQ
+UF6IRyLnX0ugAwCgnZ5NnBWJ3j9/7slzg5Iy/pU6UesAoLaNJiUgVfg+h3uP4vUJ
+hum91P/biEwEEhECAAwFAj97CToFgwQ7vC8ACgkQW7P1GVgWeRq/ZACeL6lVKkE1
+iFiC/YonlBzLqNAdVkgAoIBH8VYDXLRIgBpyfSdwc1YxTeDDiEwEEhECAAwFAj+P
+7j8FgwQm1yoACgkQKLKVw/RurbuqxACfb1X6tBq7g3z5HgfCXv2sm2gQI5sAn1JL
+b8gDxuSRcWMHulGZY0hZJfvyiEwEEhECAAwFAkCn2cEFgwmw+ycACgkQt5wosOl/
+hW1B0wCgiQGkFQEonh2cRtw1xXowakWqx/EAnjp2Du5T+xpOdf4O+JwV5DmtKqW+
+iEwEEhECAAwFAkGE6LYFgwjT7DIACgkQGKDMjVcGpLQO+QCgsc+A/SO9bY78+ul2
+KU+7SCcztq8AnRbnT0G0HnJdQYMffrLF5Ing2fP5iEwEEhECAAwFAkGxhHAFgwin
+UHgACgkQAVLWA9/qxLltoQCg24DNLxMnSOcPFPCNLTPkyyjyQu4AoIe0tZDEDS7m
+vM6RQaHREvCuFIOZiEwEEhECAAwFAkKWAqQFgwfC0kQACgkQi5YpQ/wkPzzhMQCg
+j+rrxz3tJgTrmh3g3+5rIcWEEUYAnjKOFjzGL/7SyFlpehh0Xa3oO69WiEwEEhEC
+AAwFAkLrbeoFgwdtZv4ACgkQwm9wFgHGy4MQfQCffyaecfqcThyxP9FNgZ2Uz4pB
+wAEAnjMFgtk5JN6gZ+Ztgqe+YyYrGvvuiEwEEhECAAwFAkLw+X4Fgwdn22oACgkQ
+WNqWrwuQEUHBCgCgn3XtRj5qJxudfYkec540HnkoerEAnR2x0A8LAA49rsbhCiLZ
+lmTaaD67iEwEExECAAwFAj0HTRcFgwaveFIACgkQPGLK2OTUMk2IMgCfUXkZfmZr
+MFIiYO8F/naQMBs/94UAn2Xrf2uaISYrPudIbRkxYm+R2NrZiEwEExECAAwFAj14
+eLIFgwY+TLcACgkQ0BqcGU12bN6ruACgi2uFjh4Sy0Kjyd760dvfpa/9jtMAnjHy
+PQ0tHYSqSZDD9qaQvb/F3PlMiEwEExECAAwFAj15MRMFgwY9lFYACgkQcFxTidXB
+s1halQCgiR5GTSx4fSCqkikzrOOOXAonDVcAnRFQ13dmkjLcRy4E8bxLtm8xPyAd
+iEwEExECAAwFAj2DrfMFgwYzF3YACgkQAtbtIeMsT0ugzQCaA50Snyeu82nth0ik
+NVnzHD4W0eAAnA9WxGBmmpvWYOq5LOTy2fVe2P+EiEwEExECAAwFAj2F/AoFgwYw
+yV8ACgkQ9Wsmo6Y5nnPZcgCfUvxNXjoWYEsAYJz3z+MWDeGrfJQAn3slXF9ced2O
+AN3YgYZNTlIC7UUaiEwEExECAAwFAj2IEOQFgwYutIUACgkQg2XL3N1NTv7QVACg
+r+C/P7gqGDupYTC21jl07mPfG/cAoLZ9zkmr1YF6Br7szUKksSan6fwtiEwEExEC
+AAwFAj2IOwAFgwYuimkACgkQHb1edYOZ4buWMwCff0YYdFZ7gdc1qjCaeXDhCfLe
+0OAAn1OJuZ/eKGk+i0V/ScLpOMLn/SCCiEwEExECAAwFAj22wZ4FgwYAA8sACgkQ
+VkEm8inxm9HyigCfaNbjyIlHYA9cAv8sLkz5uHRoTe4AnRyDPfAFiBPZZhwJNDlm
+TEColXL/iEwEExECAAwFAj72Ip0FgwTAoswACgkQofbulCQLTD21TQCfcKuy3MEj
+JRrikDBgKtpIP1at2cQAmwRlZNeKOT0UJ4RNt2piAHqTD47giEwEExECAAwFAj72
+z7wFgwS/9a0ACgkQBYtazUQcX4H/jgCfaQXW+LvjoJacVNYrdxhXUYx2a+4AoMQV
+/y+zjcnaNRbZTH6unq4fBDB5iEwEExECAAwFAj8AnloFgwS2Jw8ACgkQMozWs+vC
+dRW8xQCeJLRNfZLO7twP4DnAsaP9wNdsI+AAoKChEzuM19HrksvckWmBVafawaPR
+iEwEExECAAwFAj8Fq5cFgwSxGdIACgkQTrg06OLM8A+J1wCgmucpP9rc1NjzPHDF
+NcQokRbp/REAnRvctW/8AwDaH/btQjPtXgQGCbrPiEwEExECAAwFAj+PlHgFgwQn
+MPEACgkQbHYXjKDtmC0gWwCgrfQwM+i6i82wTcXx8LRPVHm//88AnjOiqMYKpGj4
+cpkwdX2nhUlZEyGOiEwEExECAAwFAj+QUxgFgwQmclEACgkQnQioDO2QjWrbcwCe
+Nw1qkRaDRy3/fl41K0F7fbCqq58AnRXqq6031t7zmMdmZDvFlB5M6uFXiEwEExEC
+AAwFAj+Qbb4FgwQmV6sACgkQlSxWI2ynbPR51wCgkZpbx8pnoqj6mmXrUQgJSce7
+eRMAoJcbGZ0ls3JXAJRD5y0PYzznxLIriEwEExECAAwFAj+RGicFgwQlq0IACgkQ
+46aNyqaY2pkmnQCeLsrSrn63Mnhc7lwklc3UHlYHQLwAniZuyemrUEsU0fdQKHda
+fHg471iPiEwEExECAAwFAj+SmrkFgwQkKrAACgkQtamfe9tFLSc5AwCfaA0hJcLI
+fm1Eek+X2hs01q3f2lMAn04yqK1H85hZ+77goaEBj2YEEiYsiEwEExECAAwFAj+T
+KtsFgwQjmo4ACgkQrSAagZQ6Xw5tYQCbBE8yHKPJrUivqIYiVJL8y7voOqAAoJc/
+HBTNTrRSxyjK7nPmyBYlbY8miEwEExECAAwFAj+UBecFgwQiv4IACgkQOiUrvZ0k
+S1UvJwCg2Lw5xCu5/pUTEFErcShPUDM3uDIAoNLDQt61O5Wego+ez43N2N8doSqF
+iEwEExECAAwFAj+VCZoFgwQhu88ACgkQTDL5CJndlGiZvgCgiM3ez6j21lBLfJnM
+IKhGMrMhW/gAn0WLirWDnek/f9iDEMVcGMEnwOOciEwEExECAAwFAj+cMmsFgwQa
+kv4ACgkQNgJWU6vgsQY8MQCcDE5hjYq9uHuyC7ZnBg47a5BkVdsAoNxLfUY6DeCe
+kwPu3e+3qJsbwib7iEwEExECAAwFAj/UdIUFgwPiUOQACgkQW5ql+IAeqTKRqACf
+d21FYGEziCv14kLK2bD6ghb80jUAni5XNqaFLg8i+0bg/MSQVf88ZQKziEwEExEC
+AAwFAkDcUg4Fgwl8gtoACgkQzQ+com69o1nN6gCfUXjD5LUESFXa08Px3pbfXidX
+AuAAoMJ1/H/oFgcer7t+tACN2vC8GGYsiEwEExECAAwFAkDkGbAFgwl0uzgACgkQ
+Hckf8471INHpVQCfV67np1keBn20I5JABN5Swm51B+EAnRxMBVbypQcppBhdWnxQ
+adrjhHVqiEwEExECAAwFAkDuoKIFgwlqNEYACgkQyA90Wa3Cns2o+wCgjBXhs2mE
+n9HFs5F8WR4AdTpWp0UAnj/Qls/ZRkcy/RAfAN12XgHOkpyciEwEExECAAwFAkEN
+p5kFgwlLLU8ACgkQK6gmAsLOgJlWDQCfe7E7rcFCn9xuL5Rh9MDVVueAJY4AoIL6
+CdZIlgg9Lt/HG2dDFgwPwbkGiEwEExECAAwFAkEYu4wFgwlAGVwACgkQ1W4oD4nf
+jasGFACgyTFOT3NMOo7DObxulYi+WtYriqUAn1Y740hi4fWeByAn5qoUj8brf24p
+iEwEExECAAwFAkEiMZoFgwk2o04ACgkQ+FmQsCSK63O7vwCePBtM5gchuVC3gXAM
+O7r1A/le76AAoIMM0oq6wuiHnT/dUAG858Cw09t0iEwEExECAAwFAkGA8OwFgwjX
+4/wACgkQsYn2tNI6QchEuQCeN/pbbqMBzHuAfWO/g9QfmlmVIW0An2WQXrXoE3xn
+Vp2C85BtML2phOWPiEwEExECAAwFAkGEAf8FgwjU0ukACgkQTjypAm4rQ9yB6ACf
+YnJx27fjxYsq+5UfQEemQt2VO3cAnApE8yUw0B3ZpqCyfRo8JQIb/cJUiEwEExEC
+AAwFAkGEkIoFgwjURF4ACgkQlPH09zrL0iMiigCcCIbdWZPauTvF4Pn724WxH6Qe
+d5EAmwcodEzOE/rElE7fqScRmudd8Ur7iEwEExECAAwFAkGEvnwFgwjUFmwACgkQ
+TbPZ7n9FhNqFGgCeNgwyzTJY1OABEu/EoBXEUOENxdMAnA6Ul/yxKQihc39VvKQf
+pdwPGUhRiEwEExECAAwFAkGE6B8FgwjT7MkACgkQLMilaHDIrOVJxQCeIJI+GgF1
+UfUOjkYsjkq260Q72OUAoL0ekc/ixpvh4Vs0j1q9Wx0fpQUwiEwEExECAAwFAkGF
+RwQFgwjTjeQACgkQDecnbV4Fd/JDbACfW5h+kLB3Y0wokkr/sxy8RFXwp9kAnjMs
+2yoVbG2ZbkHQV2ZODRF66zuMiEwEExECAAwFAkGFVkIFgwjTfqYACgkQqI/9z8xh
+Hubw1wCfWLT8UnjyRQIuxGPPWjtGVeezdP4An2GJa9XsZW3yv2eOPAsP93+npZtd
+iEwEExECAAwFAkGFXLkFgwjTeC8ACgkQT6RVPNdrU1mZHgCgq9+wyMgDr96Ism0g
+Y9OxSqMA+88Ani8EIVnKhI6trTzgZLZDrZ5pdzDuiEwEExECAAwFAkGG8eAFgwjR
+4wgACgkQbHYXjKDtmC3wYACg1f05WHi83tg/PMHoBkqlngdDIuIAoK7KZ/to5Frk
+fNphn6Zo0fozB1n0iEwEExECAAwFAkGHwbsFgwjREy0ACgkQVm02LO4Jd+iS0wCf
+bUWuTf4DZrjdua5kNdfvk65gojgAoLHPPvTdAlVKacX/rnPD7c36LfuYiEwEExEC
+AAwFAkGH6+oFgwjQ6P4ACgkQTTx8oVVPtMYoQQCfXmZAzk9EjL3qPz50zZgSUO8l
+3m4An0Xoqn603NHFaHfbBKdtWGijlgl5iEwEExECAAwFAkGMPFkFgwjMmI8ACgkQ
+iSG13M0VqIMbDQCfSxC8XNlseJ9VQ50GJ66KwSDljmMAn33ApYFWTs8qa/EBIQSg
+qPlVEBO/iEwEExECAAwFAkGSMFkFgwjGpI8ACgkQ/2R3A0yRcenRkgCbB5vYhB0c
+v0S9X1y54Ci1KmaMDNkAnjeOH5rAZQsOQZXoDJPzHNrjYpLciEwEExECAAwFAkGT
+rb0FgwjFJysACgkQ1mvqN8E/x7b7ygCaAyFqMIKTMqQYuQ7hnGpMTx7FPmoAoJtf
+YoL1pFmVZ5Mhwkv9GFUee+HHiEwEExECAAwFAkGZWWUFgwi/e4MACgkQSvFUKpY6
+VLAkgACgiL8te7hejTXfDXRIOAZeVzd76/cAoJbmj0tdYt2QGc3j/4yMnmXrKPC/
+iEwEExECAAwFAkGc8GEFgwi75IcACgkQV5nlLYTPmpDPdACfbASh9WQ47r2zzcVc
+jlfbvsz2VvgAn0KtwOo73pm3e7aPO/mYlLsP4V9iiEwEExECAAwFAkGqMckFgwiu
+ox8ACgkQdDpVTOTwh9cWbgCfaMETpI9v6LZgWuTCzE7DceGsuW8AoIcBSwWGF0Xk
+XpRYcvXfjvAg57+piEwEExECAAwFAkGrJUQFgwitr6QACgkQzop515gBbccEhwCf
+ZhBXUVoNKDbW5mpYGxfKrMfScIgAnj0XoOlYmWWNN1hlKoSQrZSvh4FFiEwEExEC
+AAwFAkG3PJoFgwihmE4ACgkQEfLcQ8rmNEIRiwCgpAzSttJZSiGIffSr4/dixsFU
+VxAAoIwnyzPthchrUSMR10AvPAu8Czm9iEwEExECAAwFAkG4HyoFgwigtb4ACgkQ
+5Vyxg0d4n7u8mQCfdQ++3anppXuhZp6cQIp1DCCz56AAnRA9B/n9ah1wL+IMjoBh
+FvgSW7JLiEwEExECAAwFAkG4K9cFgwigqREACgkQ4We9YdVB4USYCgCeLsm06Ov/
+Yoi9lfn4UB0IX3qwBFgAoIPEVT2gGxQYua51y70pjVYG6t4eiEwEExECAAwFAkG4
+Wg0FgwigetsACgkQBMQfNs0khKmYzACfZgUeTlimmFrhBDEV6SsslxvVIGUAoKZR
+9c4+kfE0+BJ069AUZBkkeRKGiEwEExECAAwFAkG5dt4FgwifXgoACgkQPrq84hvw
+IdMBbgCeJhjUvC1klrCPhWqKhyfoKJE+hWYAnitsOnNDnjkKDdKta+mrdL23iPD5
+iEwEExECAAwFAkHCqnIFgwiWKnYACgkQPG1Ayb4vCvZS9ACfROLs6kU6Z93eoFUJ
+l5H1M3U/L3sAoIgAGfCxQ3sADvFiYg11GTGnDzffiEwEExECAAwFAkHq47IFgwht
+8TYACgkQvdkzt4X+wX/UgACfeM81+Z/SliH++ZzOmy5ZR9ljTo8AnA5DGAsPAbdU
+7j1NN0NXUg53dNvkiEwEExECAAwFAkIIjHoFgwhQSG4ACgkQIqUcje1P4MASOwCe
+LyBkToAQ+3Bvup4B9POq1xipZNgAnAui9pLAdwaGAZ8w5PFxuS2GoXxEiEwEExEC
+AAwFAkI2qnwFgwgiKmwACgkQ1cW3Q8Sn6j4gRACfQWmnt2z+J0tB79JQ50hNEVrY
+uKEAoNAe1Y5xlLlDTSKJmnwjqnN0qaeriFsEExECABsFAjbtSOoFCQzJfIADCwoD
+AxUDAgMWAgECF4AACgkQXeJJllsDWKK11gCfUgltInjqS+wGOrxfjiGjJsNmVtYA
+oJLaNHln4KYwLlYOo16kdcB7dqUDiF4EExECAB4DCwoDAxUDAgMWAgECF4ACGQEF
+AkBd2egFCRNri/8ACgkQXeJJllsDCRDs0gCgy5RdOqhFvwUFYWj+dHb4LGt7xi0A
+oKduFxGMuM/loPShQnjvk/VVFesAiIMEExECAEMFAkKVnMMFgwfDOCU2Gmh0dHA6
+Ly93d3cudmFuaGV1c2Rlbi5jb20vcGdwLWtleS1zaWduaW5nLXBvbGljeS5odG1s
+AAoJEDAZDowfKNiuNUAAnjPHZE2+qGvOkOkRYAmqCFMXw9euAJ4lr8dHPg0y8xeN
+H8M6rSswZaeHT4kAlQMFEDuB4BNSrOsu06QsYQEB6AYD/iRZgJ2U+hTGt879PPwL
+W1y7dQFbjMHqbyyM7eml9ZbC+m+jqNvMsniFCR5qvStMgbXuUZGGpd41mL5+vqF0
+wwM00nBQe+rr5grY2oMPCSEJRNtHEamOsbc4GP59nrwbUhA7MKPSrPCvh9bvh+XQ
+7MSlar9eVBkqvnYmKdaKI1ioiKIEEwECAAwFAj+WOcoFgwQgi58ACgkQ4WdUde/j
+R61yvQQAghvUxGu+fWc6RUEZnrQ8n69FOPRq+od8fiYNF5iSWfBon3hmT8IQi3vR
+FbqCcKsd7fn+rl2zZjFU5f7SuzaF8+hODuH7B/jK+bW/dnhpgDRZyvmZMtLpeAOP
+h3IkrGEeknV1LeTZcRJnbGTZiSu3LS8E/AVuSXmmj+2tXXBzSFKJARUDBRA3Q97T
+UoBXRHZTQB0BAchxB/9iTH4O9RoIshiUysQgMpncn9o9snx+sCO/NiSuAVleHNBP
+1d/Kvo6SGLJYoVfbfLPMNVyuZ4jGi8JQjsgVjpAz93nIevhjz7Xwd3JpS9oUvPej
+1mdWnUB4AnkKQfN+5+eso9Gk7OC9cWq20lU9tpVMDIlOj8GHR9kYfJ4fBbzdCGbG
+5Z9pzo+96gDUMzX5ZrHlChdV4eHJPMi60XeK+mpocQFQH3GBUSTeM3Sy93JoYJLd
+AA2ZcwMF5xI8HRx8u0rwCZNXnDTgPaRbDiW7587n3dWn7Pwmxu/CPtCQ4YO+Wdjc
+KvHio7CqojtM8/7xuclkp3Wb1pE1s9w929ca9SHdiQEVAwUQOcqYVhpPhku+30gx
+AQGDOwgAjoKCGePm8h7g2edNYGosrPTMcZ8PNCMETXMZozgCbEd5oWvotRaZnta2
+CZyj/u5gOrE7z8XR2PNttenuHVDii5y0KwaaTR12/wrp9VJ61wLy/4zncnx/C9Nw
+g/Mu9Y2bMS8EuL16yWNrm6YxprWsaaYy7G251NI7cseXcVnuAowzm6k8ovEwCAqV
+l4s7EUibNQQCuDgH4idUdr410fDnpUalpvsGYf1wqhs93RbjU7pNEaLmnlz8zESH
+Yaev+JpMVAfnw/jjWp97xyCual75xrc/aj93anrobvU/sSKCDbteDzW9xYyjqZGu
+2npn+rBR4iUHZf9j/glwT0PVnH/jf4kBHAQTAQIABgUCQQm8qwAKCRAz/XFX/s5m
+Tm10B/wK4tRztfYKQVVYYl3rduOE1rEntFEP3yV0H5qkIlPrXNi3j2hgOiUEBNDg
+FpuJ9rSz7IZ3GcIGlP2IlT9OicGwpabAtoB81S8rJKkzI+bBLCK2J1xJslIdjk2F
+O1u+KjLu1gu3RZYaYPc3bETXXmtECI2h5hNazvDw+QS1JTIkqr/vhl3TY9JAxiLw
+NBWn30phh8kRzvRJh1EI584vRVb7nTSd6PYpnpoEskJbXyAc+BV2QLPk95oj52Mw
+eGADFNv3uuyUq2WH9H1KP3MnwNReTy++woQfLzobHHMyBr4ccC4uKlqOmBcZ+kkm
+EjxrJTRALelu2quUhpR7a0tcqFxSiQGiBBMBAgAMBQJBhRYSBYMI077WAAoJENJk
+ZhEZk6qtGSkL/0qaizY3Ix+hwNj+UAN8sGhPLYNGSnPCgLyLMceByJP7fpF96Try
+6wIYsVAsXdltuC6wEsDNjIc74FCduAc0HfhnJ5Yu3ciJ/DvR//vlbnE1pp+RysVf
+7V3CVNxLgOdfSBd76tgktcfbsh+R+qKR4JtWjojkET+XAOrCDYNj8P3nNxHzzYO9
+UHSBsNzrm46RBFNxtETh0nDxmgzfu6i2vpSwoRMbi/39VGlHJNYoA7itVZfZx8Fe
+bJA9KcirRDGtWcofsUhWWfnQA2K+ahPIx+N0xVzuxjKZoXbkSC+LFwzaoYFUE6Oc
+FsBkUY40QhCNKIWUX3kSZVUWro6WuwMltQAkXG+03awShgpciqzZ3o+Oro8zmMoE
+SJl9c5oUWuIfJwHpvrw7UrArcZLdf6bcOjHlJqGv2XSRJIxeiUtLghPrZF8pqN7j
+58yL94QC7PsQLsRkcgGLp9aSv87O7XzGU9nlyOS7wR56pQPClpTO8tm6ckquKh7T
+5jIqnszVh2t4yYkCIgQQAQIADAUCQcIpbgWDCJaregAKCRCq4+bOZqFEaCX4D/4k
+RmZ8eDsYuKrw8OS0yUK3PI9k4wyBGxUQmuJKgXFRAbCkUpATHvRh6ZXquWFSVbgk
+ay3cfbGLfZWiT7TAz+k3eiVStm/Mk88pqlTfu2pUq0/5bpqJF9zt/L/i2aY/030A
+4l5gsEccCsdy5F1FXQPbYGFTvjtPJx8hMstAG761HhaOib/A2O8jd7f8elZMGSTu
+btsFJ1/K2Po6sy/3ylJlfo/FzgvqTJYju4IPsIrq44D3k4kQDMahU2W4k6crQncV
+7w2wqC0zxmuZIuCio1wyvYG3ey/pjNfrOemSuA/gmmN38uBJM+vEQIPnUdJslc9H
+2eH4rVKFEQZuqUk+HUdwVQhJKfwaMmSiGj4PeXphtFc6a3lqfhsiN+7lOnzk0dRM
+CxZEMgLjIC6pGquJ610zsYGRb/viXDUliNBJod7CeOHRH653/00U9aaqh1Km2He+
+BWmtZt+Kzw10YUm8oox0/E6XlE4EL8p/LP1uv8vbaGzTVxX5NIr9gVhrnOVDHHXt
+lFZxatg7ZLuSNkK6oiqsR2ynxk2ysmTQEzyi20UFxnH8ICsUyRyEDbJlbewQPtJR
+nknpV6QhsUA6bVytyYYA3RkJqSDojEgAgz5LL+Zhm1Ttz9ccwxJY6/ZevzlScNrF
+xPnzmaotfWPgFis0yF+PLZGTuf/gssj8yYMAWhhtBLkBCwRAXdspAQgA0ShUtJWc
+P9jGsEvez951crdhRfV1m/LIu0/SYJfjURfd7qlDiAtebN7uUlT3MHSIaBtOMGCh
+0yyocgQIxaeGs3y5oiAQw6d+w2N0gLSU+k7IFC0fshZF20b7iDlOTf9Fsc6yuiSc
+JRVRMmj1+85llSjAo/kjI9ha5pbblUtGgn9IqN5/e21AL7lN3YI0xaB6luNNe7Jn
+2xOFTMJy2It/9UkvbNMrCjOj8echDN6EIjlv/aUuPMEhX7N5V4vDdQYpID3VORRQ
+PuQRklIcchX/panY8HAcgQuy093QqxXlkDi9FHlYesBuPDut4/I7nu5n05vuefbl
+5w/yeuT4h3GU5wAGKYhPBBgRAgAPBQJAXdspAhsMBQkDWO8AAAoJEF3iSZZbA1ii
+EtYAoKCds+DpwNHVbe2TPz3gLClwNChVAJ9wFd8rmSl+Fh8OT53+bC5heS1JJbkB
+CwRDuBYiAQgA0VqHgsH+JVSCUGoTO8rRUbzzK5EmUMtO9vyOv+EDyrGhyPh56AfD
+405gacgQyyvGOjn92NYTW++8XvptoPvFqvwVCh71ItRfsc7M6Z4sbTK/kDosulO5
+AiQOnxr6tKps61xnL+a16Rr1sMmX8pky1uF9lioDS/G4Tg8tLifWUf34YxO55yB4
+CG6EpwQFDxwrCPQRbprG1PBSrCiQjgas4hxMgx24se7j+gcmLJR9rVMPVnUFPGM6
+NplqI4IV6YxO1E9LQG+EDU3cLqy4IhCB+bprDON3pa9f9p3dOiooEF/jUeDKsrUf
+tvCbRBCr1C8CWaZhMbOAfjgeMfJfui3NPwAGKYhPBBgRAgAPBQJDuBYiAhsMBQkD
+wRWAAAoJEF3iSZZbA1iiXcsAnjckbTtf8iMojZKLWEXzuct8bh6HAJwMgOI2sWu9
+NrEbOIj0f1liZDIBKrkBDQRHeSljAQgA3i2NQz0mgdjcli3miy02tRtEEyF6dsuh
+aS74AvzyM0fCJ0cTYZAQ2rMBQT7nP6AEjUAr10woxbID73NY0ulKUx2NzZ2ZcQer
+OTW1tWAz0BNQpJSe97jVPa/GgcTIbK86KlTvz8y6lIXMFqf+rAY8hc+WW/ljYqeC
+HfSfno+d+69lCaPxojIdyTloKef0qlE1s8KMLVNddXkTpVEVYesKxtdWW0KhaO6j
+GNZQLrfFbeLycSr403ZZbO34UXz8JnMQQ18WcnDzijvFRd1yTyN21cZKChUbjiWS
+v3x54IYBGMK74iohtLwyElDk6jhOt4WqLWu9oFFJQ0yRq6K7zTvAvwARAQABiE8E
+GBECAA8FAkd5KWMCGwwFCQaf+l0ACgkQXeJJllsDWKIWwQCgwNWVKWyNzlnfuRH5
+4+PNlK5r+O4AoLV0a8jLsSWfDFoXwWdGKrx+w3iguQGiBEd5KNQRBACEzkqU3lt4
+OOnRGk5xg663vf1q4V7x8y+5D9U6c2AuI4oOwtret8VICwoJr9e4ngvY/laoiuqJ
+RjyC/MuUXR4yYErTQC/qbGdJI8dshgAlKYA5MuPYUbX8VhrqISZwR1KbKf9gxjgs
+i9J5c5LyUSFXSGQDIGGJpxrvGrYpR6R2/wCg/2mC7sXkHx0Y8pQfMjne4hxBO1cD
+/0EsYcLUkFl3YM/ysk8IwIzevSRjceolCq8DYjy6YRLn2ItBM3SpK8ZbZEy7mWJn
+fsqMTCr6ChwDoC3vkXJxfWWQ3Nl1I7oyJbtJQyHtP9sVFyWEN8ys2krdam87pONe
+Es0Y5IrFVJ3vxriTbjNsAME0pnhl4Tv34HPvtTIri3a/A/4/0/JXzUuPHMydHhfv
+1RthRuZfiVbnEW75gVopVVhV1jk1sqBbqkPvLerhwHZcssWZYLd62VrFOq9r0Pms
+hCyd558uM2XcZQQPDtl26Vd313+TZVLGVmN/7Yn8kjsByEEbyV9DQEs9gKOKlwSh
+ewjOrGc5W142ulx2clBuad2pwIiXBBgRAgAPBQJHeSjUAhsCBQkGoUxsAFIJEF3i
+SZZbA1iiRyAEGRECAAYFAkd5KNQACgkQzT/NXj1SwoIQ+QCeOqJ3dB9J8t5z0K1y
+OfwkMZNdmMwAn0fo/fpNMvry2H87gwlqEri3lrrwWMoAnjz2JUfE7cnoJ3vOmf8a
+rsTRYBY7AKC+sA7qOILCPuv280jZcq5FGJizu5kBogQ6VOgnEQQAwk/7RqQbtBB6
+Y3dxtdULZE1mJ4oWQwXXp42FdhL6LYEWQI+YeHsKa6tbv86sxgWKYmC//Y/uVwxX
+KFhduG87FJh17Gw0or/lxMkDQ9RlHceMFXBGOazY5AK19Ol7mczm71xVzr6kY+i7
+JHj7cN8S3+bo/IzzdDX+mCp4XxiB0VkAoP9FAK94TCus3AP3oL1kRrJvXSXnA/9f
+F1npM7eSSXit33myTv9zMHuNzulTTsZjKRljmE64Yr8jm/2S4C3nal/jHlxxnRq6
+AEWfpMWKv2vcuYzXIrw/hMjfiIjQzw+uK5dNBTWZLMe3Yow/PT2yFCwwrVKabNid
+IJOYp0fss4p3/ow8hZ5+VBByNqzxS1G11hyVyXKdFAQAgZMw3XrD4xFV2XU0Uy5N
+LH4lhHXATP+RqTbMDJSuAOwOoqiaEjSeKTuUKuj2DsAxahoq9fVhH6E8h1tJMYqZ
+1W76uKtrwIUiCjqjRCRsYOA0xCnnH98QnSdJFvHVUqIBwx/3PkOPkRUKv99Wnr9x
+w8ttGGssQBPeAViLCpIWjMqIYQQfEQIAIQUCOlTwWwIHABcMgBE/xzIEHSPp6mbd
+tQCcnbwh33TcYQAKCRDHRjY5std5Xle4AKCh1dqtFxD/BiZMqdP1eZYG8AZgTACf
+U7VX8NpIaGmdyzVdrSDUo49AJae0IlBoaWxpcCBSLiBaaW1tZXJtYW5uIDxwcnpA
+bWl0LmVkdT6IqgQQEQIAagUCRef5PDQUgAAAAAAgAAtwcmVmZXJyZWQtZW1haWwt
+ZW5jb2RpbmdAcGdwLmNvbXBhcnRpdGlvbmVkBQsJCAcDAhkBGRhsZGFwOi8va2V5
+c2VydmVyLnBncC5jb20FGwMAAAAFHgEAAAAACgkQx0Y2ObLXeV5HSACgjFrFxTBO
+tJlEIchRGIAQkfGP40gAn34gLcaPqvzDS+mRQEqQGEc2DKQRtCJQaGlsaXAgUi4g
+WmltbWVybWFubiA8cHJ6QGFjbS5vcmc+iJsEEBECAFsFAkXn+Tw0FIAAAAAAIAAL
+cHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBncC5jb21wYXJ0aXRpb25lZBkYbGRh
+cDovL2tleXNlcnZlci5wZ3AuY29tBR4BAAAAAAoJEMdGNjmy13lemYkAoKcCxXB8
+HSiXXIxTT7mID5EXa4ShAKDdLTSyEKe2BPpaTITWO5iRkFENYdHMf/8AAA06ARAA
+AQEAAAAAAAAAAAAAAAD/2P/gABBKRklGAAEBAAABAAEAAP/bAEMACgcHCAcGCggI
+CAsKCgsOGBAODQ0OHRUWERgjHyUkIh8iISYrNy8mKTQpISIwQTE0OTs+Pj4lLkRJ
+QzxINz0+O//bAEMBCgsLDg0OHBAQHDsoIig7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7
+Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O//AABEIAJAAeAMBIgACEQEDEQH/
+xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUE
+BAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZ
+GiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOE
+hYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX
+2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQID
+BAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIy
+gQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpT
+VFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeo
+qaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+fr/
+2gAMAwEAAhEDEQA/AOopcUoNISAMk4FdJ54dqgmuooh8zCqV5qfJSL86yLi52o0s
+z4RRkk00iW+xqS6qOdhrNvPEqWiks4dh/CprlL/xC87GO3JjXPXuaypZmkYDO7PX
+A/rUua6GsaTe50dx471EviBI0HoRuNVT4113dgSKv1QVz6ctgLj2NaFu3lRbREgZ
+unIrO7NuWK6G5Z+OdTDfvvKlC/e+Tb+tdVpXijTtUUKJRDN3jc/yPevNWmcsRIiA
+eiilkkhgjE8ODz1Vvu01JkummewghgCCCPUUprhdD8buvl297EjRHhZVOCPqOldv
+HKs0ayRncjDIIPUVadzFprcXbig0tFMkjIop5xRTAeOtZuqXZj/coeT1rTzgc9q5
+m7uBNcux6Z4oSCTIua5LxNqpeY2UbfKh+fB6munup1trWWdukaFq88ffI3msfnkO
+4k0qj0sXRjd3ZPaxO37x1+U9BjOTW3BokrwB5ULF+Qo4xUGjWokuYlI+QfMfeu7h
+tEmVeMVztnYlc4G50GUjIRgB69qrwWQtGyV3knr3FekNo0Lk8HJ98CqUnhvzCQWI
+9OOlJyL9mcDdxcNuZyxGQSaggsZZiSm73Nd+PCTOAZSpUe1aFtoVtbKMRru9hSUh
++zPL57W4sSGeN9jdeOK7bwR4lknddKnG5VTMUncexrR1TTYjAwKAjvxXERwHSfEC
+eU5QN88Z9DWkXqY1I3R67SVDZzi5s4ph/Ggapq2OMbRS0UxBOwWB2PZTXMYHY5/C
+ug1Nytk+O/Fc/mnEmRmeIX2aLPn+LC/rXED5pQM5HfHeur8XSFbCGMfxyZP4CuYg
+i82ZIl4PrWVTc6qK906fQo1M+5TnHGB0FdnZMAg57VgaPYi0thgZOK1IruCFyGkG
+T2FYPU6oqxsJyR7VaR1xggVRhmjcja4OfSrYUgjHekbLUkcAkAAc1WkK7iRwKkUl
+pmA6KKgmba+3oT0pDM+9kBQgc1wviOMLcWr9w5H4V210ecetcf4lKMyZ7E/yqosx
+qHW+CriS48M25lzmMtGCe4B4rez6VieDY9nhi0B5J3Hn/eNbldS2POluxpNFKeKK
+ZJR1mYLCsXduaxa0NaP+koP9ms3NUtiHuVNVsIby1DXAYopOCh5HvXIaZY3M92kt
+v82x84bjIrvb5d+hTbRjy4mYk+5x/jWB4bfzBIxHCkKK5W7ydz0lFRhFI2heqIfL
+CMk7L8sfUn2FZytp4UG6nSOcjcVVdx/Kti+gSaxJ2gupBDY5HIpV0NFyY0Q5HPY/
+nWbbRpGNzLkvSYohaalalVzyYdrYzxz3rQ0/Wr2GNhJIkzLznB6e2D/OmHQ5IInj
+tQI0kADgkHP6VW/s1rJSVXcMbThsZzUOXY0jGy1Oii1VowWVoSZjhQSRn2FU9S1l
+LaVTcCPcOMI+cfyqnrS+RZWsMeQyhQuOhxWLNFcPEHjVpJskuHUFSO2O+aaYS0NW
+TxBYsu4Pz2DcZrlvENx5jQSLkAljg+tX2aK3jSO409dsg+d41I2n6Gsu907zpIYI
+mwHk+Xc3rxgVcWYyv1PS/DabPDtiOuYQfz5rTqK1iSG2jiRdqxoFA+gqQ11HnsQ9
+KKDRTJMfWwRdIexWs3NburW5mgEi9UrCq1sS9x958+g3UakANHjJ7c//AF6wNARo
+kdT3c8Vs3M/l6bcrtLbk6Vm6bEUZcEZzkj3PJrllGzZ6EJ8yR0luqzQtE33WGDWl
+BC0MIEo8wjjcvf3rIt5NrHtV0aslupGVZ+wNYtnXFaE9xcW8SFmhlGPy/OqCEz3C
+gx7UHzKh7e596jmkNyhuJbhNynKrngfWoYNbRpd4VSE4JU5pJrqW0Ta3C5tlmUfN
+CwYD1pbVYLqBXBV1PT1+hqPU9dtp4vLUKrNxtXvTrKCJlCzhoWcZSSM4P0PrRJpg
+rhd6dbmInZz9a5xUlfWrMR84mVQfpya6l4ljXDXUjD04/wAKxI2A16BEXIL8ADpm
+rppXOevpE7fgdqSjk9Riius8wQ0UhooAJBmJhjqK5ZwVkKnsa6vrXP6pD5NyWxw3
+NOJMijIu+Nl6ZBFUtNOJ/LKBSvXnpV7OaxtQMtjdiUNhJDwfSpqq6NaErSOjbCgO
+TwOtc6zyX15N5AcjcSCORiqlxrh8sxxsQyjHJ4zTtEvja36+aTtbqK4nFo9FNN2H
+XRulUwO7R5PIOen1qrZ2t19oVo2GByQrAHFdpcrC0fnbAQO5FY0mpWAYo9sg2jlg
+OtJM25YrdmDfw3jyb2JLZJADZxir1pql0kIhuWeMqflYdqvfYbO7G+NMA9gcUmrt
+bWqQQ8BumBR5EyVtmWodSN1bZyC4ODjp9aXQonuPEhYjKwR7icd6rWhhis1IPQZx
+W54UgIhuLphgzSZXP93tW1JanLXl7p0BNIaQmk7ZrpOEUmimk0UCGPcxR/eYVkap
+dR3LoEwQtTwaJcTENdy7R3VeTWnb6dBbD9zCAf7zcmqtYWrOeisLucZSBgv95uB+
+tV9V0ZrzSHVRmVAWXHfFddPtETrvJcjt0qsibEDDtzT3QLR3PEgWSTZJnOcHJq/a
+ySTSoUPOMsfTFdV4u8HMzHULEDY5yyjsTXF20j2s7pINvY1yNdD0FK6ujttPvjLb
+Pas2QDjOc1K2k2t7IZlO0lMdelclHem0VSHI3DPHrWhB4i+zx+WhycYJxWbVjeM0
+9zTiZNJEoZw2PuD6Vzmo3z3t09weDnjHYU271CS7kG7hcmn6bpF7rUwitkOyPl5G
+4UfWnGOpE5/cavh60udUvQvITqzdgK9Et4UtbdIU4VFAFUdD0iGzsjEigvnLN0JN
+XjG8TcP+DiuqMLI8+c+Z3JCQfxoJpm/byy49cc0oYEZBzTsyAOfpRSE0UAaaoeSx
+x7CmOcnipmGUpmMn8KZdiu0WFLMOSf6UxY8AY6EcVclTKkev+FRR7S3lkckZX+oo
+uKwkO0qY2AKnjB6fSuX8Q+BLS63T2sWM5JRfvL7j1HtXUMnlvn+E1W1vWYdF0eW8
+nbG3CpxnLHoKzkkzSEmmeRahoF5bTnblowcD/CqsGhahczBI4juY4AHJJrqJ9b1b
+UoBIEt7e3B5uGAJ/A02LxdDpeCkpuZen7uIKG9s1h1Onm00LOkfDq5Jjl1GdVXPz
+RIckj3NdmLG106xENpCkMeeFUdT61JYXIvrKOcblEg+ZG4ZD3U+4NB3XNzgDKpXT
+FJHJKTluRxx7IweQc5qdY3YcnI681KIgAc+9S4AC+/FVcmxWWLggHBHUetNe3Oeu
+M+1WGTL59RTudoJ9RTuKxQaFl6Nn2xRVx0LHGO3WinoKxaz+7/KkUfN+FL0GPelP
+XIqDQXAYH8arsCrhh1HIq0gyDUTr09RikMHwyBuxrG1nTk1iFdOnyLeTO8jqPTH8
+61S4EZQ/WqMknkK9zNKsaJyzMeFHvTF1PLtctLrTLxtHmOYoYw0RHAcf3qveB9Ht
+pnk1m8Uv9nfbBGRxuAyWP0zxUOp6jba34lkvZXcWrfuoz0O0DGfxJrp/C0C6dq0+
+ms4kt7lPOt39wMMPy5/CsVbmsbNvlNvTHAtp3UEK0hYAjHUCrMKMgDA4Y9aiiDPK
+6fKFJH3RV8R/0NbbGHUg/eM5GT1qdUbyxuPIp+ADT153Ci4WIn4YfiKXZlSO9D9v
+rT1I3YpgLgAZ7GimTMfLIHWihIGz/9mITgQQEQIABgUCOlaPIgASCRDHRjY5std5
+XgdlR1BHAAEBB9EAoJKfHe2geEWwIBoiwJGSYV0jgef2AJsEMoiq8ESPJtydoFb6
+Jm59yMDOx9HM1/8AAA2SARAAAQEAAAAAAAAAAAAAAAD/2P/gABBKRklGAAEBAAAB
+AAEAAP/bAEMACgcHCAcGCggICAsKCgsOGBAODQ0OHRUWERgjHyUkIh8iISYrNy8m
+KTQpISIwQTE0OTs+Pj4lLkRJQzxINz0+O//bAEMBCgsLDg0OHBAQHDsoIig7Ozs7
+Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7O//A
+ABEIAI8AdQMBIgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJ
+Cgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgj
+QrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFla
+Y2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3
+uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQAD
+AQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncA
+AQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYn
+KCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeI
+iYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri
+4+Tl5ufo6ery8/T19vf4+fr/2gAMAwEAAhEDEQA/APZqKKKACiiigArI1vxLpuhR
+k3Uu6XHyxL94/wCH41leNvFx0K3+x2OHv5R1yMRL6n3rx+8vJbqV5priaaVjmSQv
+gA/WpcuxpCF9WdzqXxN1KdythFFbpnHTe38v6Viy+ONecDzNRljycjaSv9BXOW7R
+vz5LZH8e8k1YWABi7AMW68n+XOazb8zZRt0Oss/GWsRMrnUJHGfuybWB/Ouz0Xxv
+Z3yLHe/6PKf4iPlP+FeRCPyBlfmGeUIxmr1hKGby/MO3se4NCbQpRTPdkdZFDowZ
+T0IOQadXlVnrF/oUnmpOVjz8yHlWH0rvtA1+LW4SQmyRRkjsR6itFK5jKNjXoooq
+iAooooAKKKKACs7XtVTRdHnvmwWRcIp/iY9BWjXAfFe98nTLO3D43yF2HcgcD+dJ
+7Dirs811PUZr2+kuLiRpppHJZjwoNFhYJeS4blBz6DNZ7yZYBRjPX1Nb2lsYkBJx
+nqawm7I7acbs049OtzGEAx06Y4qnd6Dfo5azDSpjjHatWCTKcjJ+uK17RsoMGsE2
+jdo4628Navd3A8+MQoM5LV0lt4Ulhj/dSorEYLlMn9a34V3Hgc1oxRKUz3IrVNsw
+nZHBaj4a1d4yJpkuUHIKjaam8I6lNoOsql0SYD8rEjBXPrXatHg89a57XdPhFzBc
+FQFZgjkDpnoaak0ybJqx6OCGAIOQeQaWsPwndyT6V9nmbdJat5e7+8v8J/L+Vbld
+CdzkaswooopiCiiigAryP4sXhk1yG2YAJBCMYPJJ5/LpXqOp6jBpWnT31ycRwruP
+v6CvBfGOrXGvai+phFRXwNoJO0DtUya2NacG/eMyCMzTABScVtwK0cYUc56+1R6T
+ZGKxSaTBLc7gcip5ZNo/d7Qc/Mx6Z/CuaTuzuhZK5q2TsFAbvW/bw4VSmMe3auPt
+dat4f3U0sZY9Dtb+orptN1izkiAW4jyeMZqOWw+a5u2uYwZW4CjmrsbFYxxkEfnW
+eZUNoioykSsMkHtVxZ/3xj7BeD2NWjCWpO0ikY/pWP4o2/8ACPXLjG5QCv1yMVqM
+ecday/EboNKKPyHcfpzTJRb8CO7+fvGDtGfqCRXYVzXguDbYyzMPncgE9/Wulroj
+sc0twoooqiQooooA5D4lyEeG44gxHm3C5+gBNeSM6SOqoActgDPFerfEuKSXS7Mo
+CQJiDj1K8V5hHaG1uoonI3ck4Oc1zzfvM7qX8NI04t6KPK7LtwRnNUbnSNRuyZYp
+NqZOfLUZHNXhMA+1Rn6VrafIlsFaZmiBJwGGB+dY3sb2Oat9Hv8Aztkl2rwYPDxK
+5/pVG1e5t9QWMxlHyMBOM/SvSN9swztQse+BXKXcEU+t4gKu5OCVPC8+vrT5u4or
+U14p7lLdbmWJo2YcFOAp9T/9akn8TXdthUnEz4ycRjIrbkso20+2Q8IrhT9M1gX3
+giKe5Z9xRWO4PGcEGkhNrsamm+K0udqXFnNGx43qmQT9O1S+I5VuYLSOF1IaT5vb
+pWUbPU9KmQRXP2y2GAY3++vuGro9PtBqOr2izhkjQF9gHUA5wf8APetI6uxjNWVz
+ptCtmtdHgR12uV3MPc/5FaNFFdRxBRRRQAUUUUAY3ivTptT0GWG2XdMhDqo6tjsP
+wrx++tpbfUlWZHRlA+Vhgj8K95ryr4hWLQ+IWuCciaMFRj8/5VlOPU6KM/snI/af
+9Iyc8H16V1elX/mQhGxt9D0rjJMxuGbIye9SDUWgZjIjhMcBeg9P51g43O1ySRva
+/r1nBIlrb2qAt/rJtg+Ue3v71Dol1YDU1aBgEx0Fc7NN/aJ3RoWDdqdb6XcWS/a2
+ZwvUD/CjlVhKX3Hr6CGezCBwQ45x296ZazvNAeBIyMUYr6g1xml38qXkK3UkwhUA
+4D4z9a0bO7XSdcdY5t1tdnzEJPc9VNK5HIdPKY3VB5RLBhxtrV0e3VblnbG9U6D3
+P/1hWYLnzcY4z0Fa2hN5y3M38Jk2L7gf/rrWna5z1LqJrUUUV0HMFFFFABRRWLrH
+i/QdDB+3ajErj/lmh3N+Q6fjQBtVxfxKsd2jpqSD57ZtrY/un/6/86wNW+OFjCzR
+6Vpks7dnmbaD+Az/ADrnbn4j634hD6ffLBDb3SsPLSPBAxkck561L2NIp3ObuL5R
+ICWGRnnoOvWt3S/Lmj2vhy6/NyDniuMvM29wUxjnnFbeh3wUrHgZHzMx6ZrOUbo3
+jN8xqnTYoLpsRxMno3H61u6Y9jJGtv8Av4lz90ESKD7BhxTbQW2pKC64xxnua0LH
+w+sMxkaQlUbIH8q5/U6XLsSPpdzJ5uBDchlO12XY4PbpxWLDaXF5KtrJhPLOSVOd
+uD2966fUtRTTbUgNvkPCL6+9c5pV8glkk3gsXxge5p2ZPMdOpkS3/d5MgXCDuW7V
+2el2f2DTorfuBlvqetefSa9a6N5Wo6gjyW0br8sfJLdv8a7bRPFGjeIIw2nXqSPj
+Jib5XH/ATXRTVkclZ3ehr0UUVqYBRRRQB4X4o+KOq6sjQWrfYrc9om+Y/Vq89uLm
+S5kJYk5PJ9abM7M2KfDEFG49e1I0J7eFIgGIy/8AKnW9xt1OGRunmDP0pjMQv1qB
+wTu9c0PUd7Gzqtp5xJUDeORnvWdZ3LWpaOQbexBFaUF2Ly1D5y6/K49xUUyxzfLK
+vPY//XrKLa0Z0Tin7yNax8Qw2xTcfu9/73at238XKIjhlye3oa8+azK/ccHjqTjN
+SJBNEoXeAAc53d6HCL1JU5JWsdPqeuPNJgyAlSOSc4qCxmdLgysxVF6tj/OTWZp8
+CXLZbdIByWA2g1Y81pb6RQNsUXyqi9Ae5+v+FWoWRPNc0b6/e/lPmjEarhYz0ArG
+UyWF4JLWV42Q7kKtgjn1rRc4+8B9fWs3U488gHlMH6VRJ6R4X+Kk0Spa60puEHAn
+UfOPqO/+eteladrGnatEJLG7inBGcK3I+o6ivmG3kbcNxrZtb6a1cSQTPGwOQy5B
+oJ5Uz6Sorxaw+I+vWsHltcibHQypuI/Gii5PIzzSOHzHLEfKDUpXHWrEQR418rkU
+jp64plWKrkgUkMZkD45xzSyKT0FVpgyplSQV5yOMUiSxC0llPv6ISNw9K3rdbWZQ
+0hGMVz1leG4PkXBBLDCt7+hretpbf7GUbBY+vUVFSPVG1KXQaZbWN2VYI3PZj/jT
+IIE1BmKOrRo20qn9f8/nWdeThEl2pgE8kkcmrvhrbHpczgjc0nIzjp/k1pCCTJlU
+b0NG/uE0+xbylA/hUDuT/wDrqDTofLt1ycluST3J61T1Nmmv4oecp87Z9egrQtip
+iHXHpmqk9SYkrLjnP5dqpXwBRDz3HTpV5xwcDrz3qtdJutmPdSDUlGNgqxB9etXF
+f5eD7ioJVBAPQ06Elhx1NIS0ZZWQjIVT+C0UkYTLBsDnrxzRQWZSiaKX90C2T0He
+r+fMGMdOopYFWMg9Tjk0w8OfemQtBjqMHBHFMijEkgTseOalbj86ZBxcL6ZoF1Mb
+YUd1yQUPFamnvLLK754xwP8AaPeql0uy+kAx1NbGmRCOxV+mfmP41UVdkIgvo3li
+EbkZ5YDqVpPD9z5MktjLgCXlMj+Idvy/lViXBuUBbqoxn1zWbO2BKV4LMApHbpzV
+PR3AvWwM080553sdp9hwKvwyeVIBnCt1J9ahtItkKKPTFEuVcccNUGiNItkZJPPb
+0pgUMrqedwxUdtMJIyrH7vf1FQm9bP7kDj+Nun5UhlKcYU4A4psLfNnOOvSluO+e
+ST2qKHJkAHfigV9TQgQ7TkEf1/SirWEiRcjJIooGf//ZiJsEEBECAFsFAkXn+Tw0
+FIAAAAAAIAALcHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBncC5jb21wYXJ0aXRp
+b25lZBkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29tBR4BAAAAAAoJEMdGNjmy13le
+vlgAoMqGHGUHYglUc1q0ONVSbBqREwqgAKDm0Wb8gOEgOc4LMyrMUjFQDE+9ibQt
+UGhpbGlwIFIuIFppbW1lcm1hbm4gPHByekBwaGlsemltbWVybWFubi5jb20+iKEE
+EBECAGEFAkXn+Tw0FIAAAAAAIAALcHJlZmVycmVkLWVtYWlsLWVuY29kaW5nQHBn
+cC5jb21wYXJ0aXRpb25lZAULCQgHAxkYbGRhcDovL2tleXNlcnZlci5wZ3AuY29t
+BR4BAAAAAAoJEMdGNjmy13leaBkAni74iLTyTIzFwexRyQIQaKO3Gda9AKDIot/K
+YfOdMe8YD4f5Di2KsiAnR7kDDQQ6VOgnEAwAzB13VyQ4SuLE8OiOE2eXTpITYfbb
+6yUOF/32mPfIfHmwch04dfv2wXPEgxEmK0Ngw+Po1gr9oSgmC66prrNlD6IAUwGg
+fNaroxIe+g8qzh90hE/K8xfzpEDp19J3tkItAjbBJstoXp18mAkKjX4t7eRdefXU
+kk+bGI78KqdLfDL2Qle3CH8IF3KiutapQvMF6PlTETlPtvFuuUs4INoBp1ajFOmP
+QFXz0AfGy0OplK33TGSGSfgMg71l6RfUodNQ+PVZX9x2Uk89PY3bzpnhV5JZzf24
+rnRPxfx2vIPFRzBhznzJZv8V+bv9kV7HAarTW56NoKVyOtQa8L9GAFgr5fSI/VhO
+SdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsYjY67VYy4XTjTNP18
+F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsC
+RtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpTDJvAAICDACNUV4K2PS6h574Z3NaBsIQ
+e5jkVO48MSohjC6s29CjPhlU79cQIYWmBpuNfwroZ6zltyz6Y2Fm65V0IfvVicR7
+zvFFCOhahMuk1cr+Qp936OMEq9sLZGxTjClgwrHGS7YpMSZrEC7bpOmERjo4F/n5
+YmCHJCH8QzCOc9+80gjVEsHiJVABrC8yykjKL5x1V/PSArE4QtMLbkBPGmQYOw8b
+x6jCHoO43QjUzbqRfBMHZqWVJyoIIZCp+n13XM4+NO/cDVsZ8bjch0LIOyMrT85n
+24yfXRlP0s7BFjLm59Jjhf4djuJWikJawWETlypAy86OYRRuwCbIyNauBeTKy+av
+ZvF2oLvpwH4UnudpC06/O0jkj2lQpn9EEUw11RwO6sq9zYTwAUyKerN00cbCfyiZ
+l01CIo0btcTO6hQK3c67PaloJ9lVH8/mH7LuqkMLDH5ugkpzmed/8SorfqVkakne
+6b4mRySFCBXaVZoKmDHzcH2oSSMhM9exyh6dzi1bGu6IVAQYEQIADAUCOlToJwUb
+DAAAAAASCRDHRjY5std5XgdlR1BHAAEB5W0AoPjfnyN286hffnwedCebBR1RzO4W
+AJ9PvQHw5eZ3J6+A+0XjA5WKCGcEUZkBogQ1oh4eEQQA/pdK4Oafa1uDN7Cr5nss
+4bNpg8YUSg01VVJ08KTCEdpCAPaU+NzaP3KD2ow74WU2gzP70s9uSGQ2Vie4BLvO
+kaaBHba/3ivBrg3ILFrxbOfmKQg8Fhtncd/TBOwzfkkbxBNcVJuBPRtjZ3dlDbS4
+IPNsIIv2SuCIfQmA8qNGvWsAoIrJ90b2fzERCZkKtfkoyYA8fnNrBADhJ8RmIrKi
+CnDk3Tzk04nu6O8fp3ptrmnO7jluvDfsEVsYRjyMbDnbnjCGu1PeFoP2HZ+H9lp4
+CaQbyjWh2JlvI9UOc72V16SFkV0r8k0euNQXHhhzXWIkfz4gwSbBkN2nO5+6cIVe
+KnsdyFYkQyVs+Q86/PMfjo7utyrcWLq1CAQAou3da1JR6+KJO4gUZVh2F1NoaVCE
+PAvlDhNV10/hwe5mS0kTjUJ1jMl56mwAFvhFFF9saW+eAnrwIOHjopbdHrPBmTJl
+OnNMHVLJzFlqjihwRRZQyL8iNu2mfarn9Mr28ut5BQmp0CnNEJ6hl0Cs7l2xagWF
+tlEK2II144vK3fG0J1dlcm5lciBLb2NoIChnbnVwZyBzaWcpIDxkZDlqbkBnbnUu
+b3JnPohhBBMRAgAhAheABQkOFIf9BQJBvGheBgsJCAcDAgMVAgMDFgIBAh4BAAoJ
+EGi3q4lXVI3NBJMAn01313ag0tgjrGUZtDlKYbmNIeMeAJ0UpVsjxpylBcSjsPE8
+MAki7Hb2R5iOBEO3+scBBADQmRl6K1zJAyqTbEZ3/mYahzj5g3BCjw5KZXAi9jxQ
+Aje0GiuEXqFr2eJqplTi92V1OdcxTSPWg9yQCE6BE9o69oRmFhRMXQX/XmmIAXl2
+RlDp2yZdVSQ81gxlOmRzacD4gAIGI6bKAYGQsW5e8dFbWLpI3PbyJEf9RlxguL/a
+IQAggVZQmbQmV2VybmVyIEtvY2ggKGRpc3Qgc2lnKSA8ZGQ5am5AZ251Lm9yZz6I
+vAQTAQIAJgIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJNLYy3BQkKVE5hAAoJ
+EFO2INAc4MYw8HgD/RTUMlH0tuRa4GzwqjoomgosxUjqJg0kGEC2bd3FZ5TEDXp5
+gNZb9v0uTkqeO1Ja4Y56prswKxeeTIeQ7zwoT0hwzeYWeF8U3apqB3+dFyGX0w+x
+06B/+6DuPvYCW/ZXyzbxHXQdON/DJJ7+iZdbAreqfyi7o3sgP4TAJXuLZ7a7mQMq
+BEd5F8MRCACfArHCJFR6nkmxNiW+UE4PAW3bQla9JWFqCwu4VqLkPI/lHb5pxHff
+8Fzy2O89BxD/6hXSDx2SlVmAGHOCJhShx1vfNGVYNsJn2oNK50in9kGvD0+mVACf
+y5MyPV8mtMcOM2p18wWVuMd2geYbdNYgArfn/DNpU/59M6eCUphXkYEDcECBqZRK
+jSB1JNEnqHAM+gc5fc4VlYdZ+HYBrEZTX/ZLPZg5kffR7XyA6IgqWPSY0PrYxDOx
+GujyeStpyZhmkT7ezVzoKBI+ylj3bpKOrkuKLjB3W5TngCLLYvTR/g7yzNygt/+u
+rpzNO85KsGLBVDkkShSswiPIett0ZFB/AOD8DawpLNUTX2c6zM6d0gKfS8/DTrxX
+6PS5A5ZzB/4xEBpnjnCr2RjnbTi4lcNLg+b25c9lrbT1SXytrUifUQbcOEkCefk+
+X7JPoU/x3Db1DuC94LAaMFfU2o6GWPTzBNtEBBtGpg4Ms5Q1w1g1gDREpKM3mGIP
+ycLKXhB+Jfi8pF+qvBqRiA3xnWZALZP009ZfLY+8nMB06u/59zKcLyz+h/zjCmpI
+JdFr5xQotm6ztK8Qms1GG1MOVPQ1vCUCHiSwIa7V1KtllYIIsHqR7sIXuTSmiLJ4
+8Tq1NY59nE1hD7JicccghyPeX52onFfEw5qHEPJoXhcOjxSua2x9U9i7cpJnzLKn
+IBhdZa7TQht7/jL4C75Sy+fExeESng8PCACUBT+zUUzALezGOZGvxn82OM6rR/l2
+mV9WXepKEB+IDPG1JBwqfl1f80/mI8hhwkr2LYryhd5u+cecRy71993dPSnAYDay
+sG/+sIVxYz9M4doWQVhSe9EOJngWcvYP5bCWDybmlBYQJgCkrFUqMvQTJOCklpqb
+jQm/uxXaWum9dSAxp5YeHCKqBILUnjBVLoarmV0bcWXwotZiXFd3WpnBHjE/QSny
+cFh334+brR8KTSnmS+v6I+B6W+VOcyzHt+8WpXuo1YS4okCmZv6fzIlf6HcVJOJT
+8dpqpzyMhqn4YYT0LbRC9orc2Kox0hzaios9K0EoKf5MRQEMsAHAdM0MtBpXZXJu
+ZXIgS29jaCA8d2tAZ251cGcub3JnPoh0BBMRCwAkAhsDBQkUsIqNAh4BAheABQsH
+CgkCBRUIAgoDBQJHeR6XAhkBAAoJEPKthaweQrNnl2MA31DaryNMaxT+O5dPrAQQ
++Y/GfR/RcoE+GblWTscA3j3/V2ELjY2vjEFKmRLWW74pTBOc3+cFDKN7FbS0HFdl
+cm5lciBLb2NoIDx3a0BnMTBjb2RlLmNvbT6IcQQTEQsAIQIbAwUJFLCKjQIeAQIX
+gAULBwoJAgUVCAIKAwUCR3kegAAKCRDyrYWsHkKzZ/pEAN98mmysmPc9bo1aMXCx
+e0TnNJkrF++bK0VyI8U4AODSsIJ1dRjdUC+myh+BuwBU4JiTEI1i8sKYLmNxuQEN
+BEfjtM8BCACswr5+/Tz6nDawIXQNC2TvXtNLIeZyafx7ud0ZcQHFlbL+xBahmsoq
+vn+CaQIfc7Sn+xJmGKN8LNN4SUU7QBIVpIC9pdxCqFSeMRwjiJzcotsjt9KqiqC+
+QnyrB8gWi9vyMw7+0FCA2ZgA4NMGWcurnMki9O+moQB48Fl133RIaILq80ANnTgP
+k9uXdl1c3BqS/XL54tziOdg9wCSqx/xTv8KWkZxoAM8sLQqnWU3qVgFdFXpBekRr
+SqHYlPg8a7v3zWEVW8qMF28KVvPoTwjdpKfLxpxQXpsFFX78f2TaVb3GsPv4Tehs
+FcnnkJY4vjKehLr2KLZfJVDHJbP5rtmXABEBAAGIXwQYEQsADwUCR+O0zwIbDAUJ
+BxqNoQAKCRDyrYWsHkKzZy6pAN9gOveX0ZsU3EBlK/8dJcpxnkwnKzlMt99Bg9Bf
+AN9HNXqKYrIYmYjq0BoNUCAsM2V3rgsM/bCtw57MuQENBE64FVgBCAChkCmMrdCK
+W/PWuBQs2/lcTqz3i33KOUCynyj1aOzen9HUJVHymJnN4dZTjq3ARlSTuCSoJmQw
+cmom0wjDS2L9qqCnUctdyIoFxTetnMP3JkBhJ4j5IxtwkTznWa0SgEjvBdNUkLTB
+G/3lgfMFoqlQNh1or07wsHS+LlvaxvFnqMozssKqYLC9mTVqWfXvTeRsCzYLvZ6j
+y4rqbJnDIJzHgqV3K6cyqA5NcZqoWj8OQNUbS+sVCU8nkYkDYQA7wm2nwolEfROS
+dFtSTmL49PNQS1V3MUdLUb7SfsDmwfm59SDmJUp4iw3F535P/ei+G5cBYzHO0jN0
+nzUH/sfM7njjABEBAAGIXwQYEQgADwUCTrgVWAIbDAUJBAqORwAKCRDyrYWsHkKz
+Z6TKAN0WMNFzexmPvciaqa2LyUVUI/ht3suw/tlVSGDCAN9tCWF1UFBrQORgcrpg
+QBfNKPkUdAxxyiDrXfZ1uQGiBE6xTIYRBACUIwMLqbWeRx0ArcxXzzhqKs7n9qQI
+mFPQJaN3ovFszbtKt6axbsdJpSg5I1dJek+CS10NwDvLpjxxe14ab379kfA2heBh
+adOlaOTnSout7SII0tylPVXRwwR6/kH/Zhc6KiD/uhucj62Mb/LtXjVs3MBx4p6F
+IVtKLmHLPsQBkwCghsFvzxBF2yHVEqa0d1VeyO6+V2kD/Ryn/CZbBYR9YwYq+0KT
+mLoDKXxPpgdGO2pnCcwWs1uMSyy6WRDRekMZFwDI73a62nXayXuHwNaXg5IQWHqu
+cVUk+sgjxhBdqGsByEHsy1zkDMMUWaAmq8l2nxYRWfH6cuX2yFpGJ8dRJ0vB233T
+2n7UIWbwKEOXv55kTthu8RYZA/4k0DQMcWo1LEIXOzrrsKeJzuincGRpQ3XfM25H
+VpWl6nFQSGSTot+KIeZA43tAdUCq+2r9M7Sy/LLycB4WGVapxdfzi26ihuaewKjB
+rXfsJdhX9IPslWPLlf9vpxuzawi3Lft4kuOh9+fFAe835rN/4m3G1NeExN52EFAC
+B2UEZoihBBgRCAAJBQJOuBAJAhsCAFIJEPKthaweQrNnRyAEGREIAAYFAk64EAkA
+CgkQTwVA1Xf5X5WSmgCcDkxOYVuRygzg3g5jBvdgYx+gAPQAn2PZ7SISj1+Ex9xK
+gob3GywuilRM6PQA4M1p2bpqMYCXLUihqb54tJurEd9KRAQc7GEyIWMA32rgu6Kt
+I67rm5HVudOYX5n3b76owi4SQfj8uc2ZAaIENzr33REEAMP/kWLCNIB9I6cXdWOn
+bG7qXTl/nZk/1OR4WvNWv506xD/7ziI8fN69us4oLUlwQ6/s6zE4dfF7tgmCzqIL
+C3BOmsoXczHrOjknee0u1pqFrnxREDgdftvGmixcsyNF1ujKZwj2CVUt5lazK+PD
+Mto1i9I4raWTLHIxsuYuGn0rAKCMKQk42UYBZr+xn5W/gRlVLhJzpQQAwWdF///l
+RyNc2UwKS/FYRp+27dhAf7uSDXUNsHNvZtc6kAfE961Of/+XLFZU71uotsOIAxyA
+JSETcb73TzSD17f42CF0MDP/1AwHOSDdAxDl0+azJJXpf5sO8lWH3o4mOVuEsWIY
+hltw+Mm8CmEO5WrUAQR2JhlizxP2AI8XShYD/i6llnWeSlenJSqeNwJFJO94QzLx
+p5fGf1b9jPsGo+uvzGySXQYFFvz7tjSRmrMVUivKt+hF4/aTQdCvBVa8ertngDRH
+a1o/TDv3HIUN7AtyN3rdTeevKqp1zrv+5ldclRyX0vLEHNrabTE53m+7rJlwBefj
+s4lDnEu7pMEhF5yctBBNYXJjdXMgQnJpbmttYW5uiF0EExECABUFAjc6990DCwoD
+AxUDAgMWAgECF4AAEgkQwKTLuYeXhWkHZUdQRwABAUDLAJoDM2syf9ExRqVyMhaY
+hl3szCi/YACeNiHcMaH5q0bI8j7ZUtsiwCfQYUW0IE1hcmN1cyBCcmlua21hbm4g
+PG1iQGcxMGNvZGUuZGU+iF8EExECABcFAjxw+b0FCwcKAwQDFQMCAxYCAQIXgAAS
+CRDApMu5h5eFaQdlR1BHAAEBjmYAni0grvGxgcgSuXK3vzLErIkfFK+jAJ9OfvRc
+1QinOAydyujUX5roXM/opLQhTWFyY3VzIEJyaW5rbWFubiA8bWJAZzEwY29kZS5j
+b20+iGYEExECAB4FAjx7ebMCGwMGCwcKAwQCAxUDAgMWAgECHgECF4AAEgkQwKTL
+uYeXhWkHZUdQRwABAZRBAJ4oxvVUX6skfJud8oKoYvy0l/ArGQCePXVckzHYxtiu
+H7NsDTesxWN2Jx20JU1hcmN1cyBCcmlua21hbm4gPGJyaW5rbWRAZGViaWFuLm9y
+Zz6IXQQTEQIAFQUCNzr52QMLCgMDFQMCAxYCAQIXgAASCRDApMu5h5eFaQdlR1BH
+AAEBtf8AnjtHrp2rije+hsx7cuo4eFcR1Z5QAJ9O9XRuyEFfcwhshjneWE6eqQ29
+VLQ2TWFyY3VzIEJyaW5rbWFubiA8TWFyY3VzLkJyaW5rbWFubkBydWhyLXVuaS1i
+b2NodW0uZGU+iGAEExECABgDCwoDAxUDAgMWAgECF4AFAj+BZzACGQEAEgdlR1BH
+AAEBCRDApMu5h5eFaSl5AJ0Ymtg3+5PTlP6Ct1yL7PM15vJt9gCaArY6MzRMuQNJ
+l5KNWAoTHq0bvCW4jgREQA/wAQQApRHPoIKN7SmmizSUkBPgurFEI46l0JxYDnp4
+DARYqOVK+/rIvAyvYiqJYJOh7iGBR+jHgphb1EYnCqHJWDFRihsfJnN4qu2sASK1
+OI++EY+V4l43jLov4x4IB/dG3/6LhzXE07B1+ZM4sHk3allWKOwII3YeXJL+nGKp
+YPP/g0kAIPyqo2OIRgQQEQIABgUCN3h2NAAKCRBxLclYPcV2908zAJ0dMP3LNzuR
+QGhcPmlUg5PblCT+sgCfZaCC32pvlr3hfjKxp7rF7A73/d2IRgQQEQIABgUCN3kc
+ugAKCRA3QH4JLnqqzSKoAJ4qqxovpy5gT3P4jkR7N4/MjJzdqACfcaeVP0QGINoj
+7ZUTmNBF5Kb6mC+IRgQQEQIABgUCN48TeQAKCRCp5mf/Jsx4U4JIAKDZRZuT2sMc
+jBpVwdMjTbVru4hrhwCfYB+jtkyriI+32JaCKAS5HtRd7lyIRgQQEQIABgUCO0D/
+zAAKCRB5Fi829/aq2WTIAJ9OEmXw2BBDtB/Puf6ZBt2dSevAGwCfYcsuOLrk/avu
+ab3BJZW5JchGLWiIRgQQEQIABgUCO0EF7wAKCRA79gnGi6/NvQ4wAKDUH14G5McC
+JruDtw+dz6emMPnZ/QCgqFy3xJus0vpN3Q0YrpU6SfeDTEiIRgQQEQIABgUCO0hv
+PQAKCRDndeMk20Gzh6BaAKCccntGS2Zzs3oxm2gI3XQ5xRa0RQCfSYnn7bU74hs1
+XGTWIusfZiFN7imIRgQQEQIABgUCO0s2UAAKCRAOp1a1FEhD9fzwAJ9X45AvZ+oC
+31mRYg/Ydua7ZcfDagCffhjd8Rr2MOaCZK5CuhP4ciSnCPmIRgQQEQIABgUCO0tY
+WwAKCRArSuypsSI1rW6GAJ4gdCjvjQX+7R+o30eGrWXwfaCRGACg1LAC49VDdxqA
+ikFcQT2Fsp2APcOIRgQQEQIABgUCO1LAVAAKCRDx0szISXoXbSUcAJ9WVudDIL4a
+eRKOprfqzDIMMtnCeQCbBLlreYUISQYZ+9OGY4Ib84ogH6CIRgQQEQIABgUCO2Ma
+vAAKCRCPH9/JvOCUNrfcAJ0fcUOOpxX/4UM2WQi1Vjb7SrsTdwCdGwoAGuHqsKge
+YYP8rjTxMxW8IaiIRgQQEQIABgUCPG5gRgAKCRCHlTgeG764SuljAJ92YRNmzOU9
+hmhfxYfE6RCFVUNxSgCdEPVMI6/xKZ/+e2IrfpZmzH51YoyIRgQQEQIABgUCPHEX
+qwAKCRCbLIdocvHyDQ9vAJ9WeR5bPibJKeg24iHxhK2B2HI2jwCgltQ7aWIRStrl
+eD82t+ylopb8eHGIRgQQEQIABgUCPHFApQAKCRA6GqY1kJpUBu8ZAJ9G0kygdwR5
+euu/ecLZkXaBSmeteACeNq4DtiCRuV0Yf/v463Bo87b7AUmIRgQQEQIABgUCPHSu
+sgAKCRDRo+6vr9EKz5t8AKCHtAqPb5Sn+oMI8+GJMvQYl72MggCfZvdt2M454BTB
+geO4Kipkt1OCCGKIRgQQEQIABgUCPHtynQAKCRBu+K/ChldKymIsAJ4ro0p160Gd
+njRgvpl00qCwRFps4wCdGZNu3WhTuhlIH8DPdm7ul1t2Xk+IRgQQEQIABgUCPH1C
+sgAKCRAsGKAqtMXzfz60AJ4koQfDOgTB7MN6zriL8TnN12wL+QCgmMe7mxdXlsrL
+kzexsq1GQeOGfECIRgQQEQIABgUCPIy9rwAKCRCFuZB1wpEOQbQiAKCJzIEDwVHk
+t8FtpKuvxwr+X/kv4gCgq5dNDmWaJs9eHYJaB0bM/NevYiiIRgQQEQIABgUCPQbH
+fQAKCRCMu0FTEUuvES6iAJ4ibjCcUMk2gRtY6jtVje/Dl6wTDQCfeXBPKZm9AhDG
+sd45pt6sCUXmmY+IRgQQEQIABgUCPSjG0gAKCRB8O3lwiMfB9zCqAJ4/Ho5zFCow
+uZKHusCbXPS1SU9EaQCgiM1uAe2vQi0OX8/IT0Eb7FkT/6OIRgQQEQIABgUCPSjG
+3QAKCRAnZWjXXGFTreolAKCbr6n47EhyhjuPY9jaymTCeuwkXQCdH537q71id7kC
+Kq7g0kGVh6fCmLuIRgQQEQIABgUCPTGQJwAKCRAYzSWlIvOK84htAJ49rr2AcpdD
+wuQHccxS5F16eXZPKQCePWM2VZ4ZDATDwDtEpv0COt7wb7OIRgQQEQIABgUCPTLl
+zgAKCRBQj9NjvJNoOWUjAKDeB+RBE29XDELNe3xri9Y6DLVS7gCeOVB/2RPgGS0l
+gHX3vXQxTmUJ5ACIRgQQEQIABgUCPTaM/QAKCRCRCCGe3N6JCj9DAJ9BDquzVMvF
+ihqNSlfxGZ+cailIlACcC42fqA6wUqitA1Isi44zhCFPVZiIRgQQEQIABgUCPTxw
+FgAKCRCEYzW4IcBlmNdQAKCJ15kf5PDXvT3cJ2EhThOROKppkQCbBvh4rCKKYW0X
+pPBr//iSVCrmuH6IRgQQEQIABgUCPU+IfgAKCRBUj1nrnBQ1XX9FAJ4qbcHZVpWA
+hRXylv6Z8w3fBRxlsgCghzOxChhMVUgYIEvOfn8OEnwaKCaIRgQQEQIABgUCPVL2
+RQAKCRCVM3R1+L9kOn6/AJ9ZKI+fBhPMVvUx7A/jFjlEO5ggvACdGZmSmdki35D4
+mmyDE9ksxcNaYr6IRgQQEQIABgUCPbTjDwAKCRBSkvdD69WTawxfAKCUnSC8uKox
+hm0JZYgQqqVhNrIU3QCdGzCxj1dtm3YggG/gpUU1H/jd9M2IRgQQEQIABgUCPbwJ
+iwAKCRCo3Z2A3JKuMHSdAJ9hMiqw5RgAz7k8WpTVfSZd5ZNy8wCffbK1wkp9UP8o
+meEETdPWxvhN0DKIRgQQEQIABgUCPbyU/QAKCRA2z7pEeJFrhFJYAJ9/BgtMAuXu
+dqbGpRAi17W4UnuUzwCfeKZKw7Zkh34g83OMHEx2ck5AceCIRgQQEQIABgUCPcs7
+sgAKCRAJlJH3kbDTt5kgAJwIQwk4cwiwHmC5ibmqhHYFLF7gTACfQqqBeE8WGhoy
+wq74tQTcJpNVrEuIRgQQEQIABgUCPjG3zQAKCRDu8Ns0syEmA4p6AJ9KBwB3kDZ4
+CpIDs7GFmtMspapy2QCdFMP71wvOY05J1dJp0FXatoD4yumIRgQQEQIABgUCPkr0
+6gAKCRCYdolhntEBv6MxAKDAiKl2k0xQiMSp7+BfhGwfNDnZEgCfe0gz3y6oicwD
+Fxupb4xw2q8N13SIRgQQEQIABgUCP1Dl8gAKCRCRWsxFqPTC/WQTAJ9+RxaatsQP
+8FhzO17uEq6F8OEeHwCeJRQj8dOAZ7ILLEYmhNN9ZWULr9GIRgQQEQIABgUCQXwB
+uQAKCRAYWdAfZ3uh7KpxAJ9x8sTY388xFY8y6MtF2fmUOYT/fwCaAy1My1JHNny1
+541cwZZvIGZAHEOIRgQQEQIABgUCQXwSYAAKCRCBwvfr4hO2kqwoAJ9hLkZBAvwI
+lb16HU0FpEuWEtw3JQCdGZGkg/wAdXX22uHsPniatWYRR9aIRgQQEQIABgUCQXwS
+uAAKCRBrcOzZXcP0c3EqAJ0b51eUrICrJilaIFEQT9dBjHls/wCeOIZPbvwjh4kn
+rVhz0+jyB+9r1HqIRgQQEQIABgUCQijQAAAKCRC2a/Z7cQPF2uAPAKCzq0rT3s4C
+HZ4X0g3Od92un95K0gCfcyRb+3mCA3Hl7KwTQFRmyl4hAPSIRgQQEQIABgUCQlwq
+uAAKCRAqi8QAwEbAOXs9AJ4yAtnzkeAOJWlrQnPA3mngr/pbrgCg4c6DaNEnYr7q
+j17zGGU2eyxYsYiIRgQQEQIABgUCRBFyYwAKCRASdiQXzwUI7BlGAJwK5GVXfn/A
+LLsVSSdv2eh5ljhBqQCgo+mFUgcUAacqF93ZeUx/fAh525KIRgQSEQIABgUCPSdf
+QgAKCRALDykp34Hug10bAKCA38i3rxWMNjcn6eDmZQfSFGR+bQCfW0pc7+7Ge7wY
+olYGG2HXculOvoSIRgQSEQIABgUCPxlx4wAKCRAzCwOLbGN0bdwCAKCwpt+fKPdZ
+LF6nvUxIMqhKLmjvmACaAu3ilm5zHvszp3KppCHvdvt0SHqIRgQSEQIABgUCQYvg
+pAAKCRDbw+v8M+P+VrEkAJ4tDhIqFNU6qKMU1tnehaHBrPnmfgCfW8iL2gQmqa7i
+9ICwMXo8HRSK1PqIRgQTEQIABgUCPQTnuAAKCRBxXtagfnuKyQiOAJ4v0SAy4nuA
+yQQ+b3DkJV5EPwdG6ACfRrPJQjOUSeTHdViJT72iy33+mKWIRgQTEQIABgUCPTSZ
+ewAKCRA5tmKor+OBaZx3AJ9kazJCCLkcFkvqJW4SNva6izmEHACfejk8wb/R5y0J
+PezIKyJNLjExKAuIRgQTEQIABgUCPbVlCgAKCRDLlpiUTMcIXW8/AJ9Iw81alQa9
+0fD2nGt2Bq5IPwee1QCeNrs4yUu/toFnb0giD23zassyVDOIRgQTEQIABgUCPbZD
+TAAKCRCy038ItUwJMFMPAJ9F6QMf9WFRCAJf2wVIfL0DVX10PgCfWahBLYdkJv27
+aSxttfvTzQkIpsKIRgQTEQIABgUCPbxvfwAKCRAuLPZ7d5amC5GcAKCpYhwL/bZR
+WBarhQelKDciWEUVXgCff2rJBPkwpR4Dnl/7QLrVVk3lYMqIRgQTEQIABgUCPb3M
+ywAKCRAp+ORlZ4iWXwrVAJ938BI08jD7EpDAAh2ZUcEyiU5/jACfUSRhcPh+Ejn3
+Bcs0JdujkMVA5WuIRgQTEQIABgUCPc1V/AAKCRDvZ/vHYouOaYrIAKCJbxnpyvFV
+nYxB3SfSKs27FUMm2gCfX0dKQUEBf1UqtIi89FDX4rXLOBeIRgQTEQIABgUCPkmO
+ewAKCRDeeq9ulMCcf/ZWAKDlaEU4DExCNpjxa4rra2lN9l9tzgCfScBPnkvZ0yDp
+onBXCi9zbrQkE1CIRgQTEQIABgUCP4RQfAAKCRDFFK+OS6QBw3j7AKDcsSW5owo8
+IuLDyhRdwdDH9oJ9sQCgrRFU01mFCC2oVXZ467uz5pR5QiKIRgQTEQIABgUCQXJ5
+DAAKCRBPe/KEr/sMFwv/AJ4oDTbBtsExmUj8mhMJNoWMDcc74QCePV5asFsdMqdz
+Ucc0d0e5aHI3KM2IRgQTEQIABgUCQjOU+gAKCRDki2W1SzlPfgQBAKCZgdRoadGr
+QovOm5y3K78SwVSUDgCeO7IW40mpIqqe1fPbOOb6B9CWVHWIRgQTEQIABgUCRBCu
+jwAKCRC+wkwE2qiYkkwiAKCBPhcfnyjyWA4ZdmKA3RSsibm9zgCfSBo+g9ijeFDI
+YWIQTFxDEe6QBZiISQQYEQIACQUCREAP8AIbIAAKCRDApMu5h5eFaRjYAJ9nCwn+
+e4V1HXcb2zwYLVl+Fsj8QwCfX4N/EISa6nyvfs/sy9qWexqhq3SIXQQTEQIAFQUC
+Nzr5wQMLCgMDFQMCAxYCAQIXgAASCRDApMu5h5eFaQdlR1BHAAEBtxUAn2cup2ei
+tiSd6fI5zYz/ipwoAX+iAJ91rpgQfUY372Ajy+xJDloRkSdtTYkAlQMFEDh7ZIdM
+J+1lNufNCQEB3BkEAIo/Xtch42Hs3lVlYVoY4NO6hH3P1eT1UObuSlu81tM7UvEb
+UyGmiWiPJS5yTFeoI+XMffdRs2i+Ppw9B5/l6Q2nDRpzur05XpeMa73ESXrQuXQ+
+pHf772/piolcB2yvmxeIYgc27K3idk9B1BFSqEs9VqW4axDtoeTd3z3Ryg4eiQEi
+BBABAgAMBQJCnMwFBQMAEnUAAAoJEJcQuJvKV618yWkH/jZ+OnuBruybI9IgThAj
+hUxwmMLwrQV2EogCdqjW1UOBvcxwltuZzHJpwsaE+SyEl27r06cOcErwzpSLCbQ7
+wH1SuPEl16qDCeUv9KI+pySiZZTAhhxCIYwh8r1llZO/WaYreYJWlAXxv5mKrNO3
+5uirmEPGbepAdEpfIoHRP36M0ZKFIHiIzVG1ai769CV89UwkY0JpcM6nND4Ivx2+
+XW1QYer94VytBCzeo72jXp8c9sgxiICbCO4NnraHxyxkI4P6SpAJ6Bx7O/xHrXmP
+eDsM/+UsDO1N3X0NqyqtBX/lNVDaZ58kDozHP8UjgxQOUatrwdB3qBpqMQV0I7wf
+j4uJAhwEEAECAAYFAkF8E18ACgkQquPmzmahRGifEhAAqM1mxUkeVWt7s+8nMV/A
+mugk9EVMjxV4Bnzh9U270irFtTH26r/0y9UTSNch2bQHeYvDRiwgbK/2yQ2fx2DX
+bxo1hio5JXBRYzA4hhf0OHNwmEi5dyWxcqLyF9lXdhVsXz6CxXQUUC/ACZHGUl4J
+EhVD2qpGdh1Bg286AjPR+7vbUnJg2I4QZ4ZVkLhaMucI6W2sQInWbXBuMnHF30Lb
+iWSr8j8BKdExVG9cNoSlu2pEtIvsB3GaV5UtqqrNs/wbMtGKjWEdiuqgZm21ZLlo
+gRmGrQ8rkgQ9F8qBNYXLhV/dqreinzGIFebI3MIhhP3YuwcNSm2X1uFCob5STGLQ
+i53H5Ef+qjzQNluMQIdkA5JUnkfltILE3th/Ne8vbne/u8TpzAtLvkBhaly80QNj
+u+6DHzRb4vtwb8UvZCPvDwT/2lP3u4hmBpzoLr7Gar/DSyGxF9+wHytN8OxvlnYV
+vFrrHlyI0M7IabBOCTWNL0cn2igrGlY6pEuDZt317Atyi+9hc2QSwIWfuudMXHtd
+Q8LIan3xj2K8/Vg0QueOQHU6dnc8N/15x/xjCco2bPZkgc1LCeDJC6PsztLQILjZ
+y9jpa9R9+H5gCZIA09QtYniwZkZUoro8n3f8TRJ7oCgMyeKsKKwEVaZS0YYWLbkw
+/rcVpMQ1Jjp7tugzJ7paUEq4jgREQBAUAQQA029FKgKXodEFSgPOlXcNBXGwo+//
+7A9hLYDGFhZuqUMf/Y/+6JtoDJGhBWif6spUHItD9+VXY5QU7sLe2uG5yx6nXDDC
+JnyNUYs4hqxp1OHV7qYs0P45IGWbPg3vSSjNxtLtE5dtPjbqs/6yMg5IcUart7kQ
++wpM2G+rBtxJyZEAIMLgSz2I5wQYEQIACQIbAgUCRpSgCAConSAEGQECAAYFAkaU
+oAEACgkQ+4hivfzSopNxrAP/ZD7HGr1MBsR0LsXmPA6TBf5GAcWNnLqY/yQhMpms
+WaQORKwbdJN8tD9pjT8tRS5gDvM5q/DO/3oa8IpzM2GbjWOqO6XO5XcbUbC503DO
+KUXzP/SyqoV8+LxceVuULpW/drlJ7eKgZnqUopBQCGo3xAxkY5fdW9+0mvP535F1
+mcQJEMCky7mHl4VpM8IAn0Gmksoyxst1iMhrjFcy3ZZrmh7UAJ9tcqbZYa4HL3r1
+A0yOoC8qJnpr77iOBERAEC4BBADXA5qVc88MN8XM04C/HpCvk6/YYsLxIbS5FLT7
+QkFcRFa4ux7xdFO/E+XqefRMfSPJXxowZlLSdU9XBV0Z22MrP/hzDvAxG1HaIkUy
+3rd/pkf3pNqMJ+2r6qJGgkjtca95+iptNna6ex/R8lJTgvkCoT+hb7XYSKXeB4u1
+kMiVHQAg9VSME4hJBBgRAgAJBQJEQBAuAhsMAAoJEMCky7mHl4VpotcAniMkQ0sW
+FzItgpmWEUpJjnQLRvrZAJ9Csnyw/w2412Bi1KiAFN372fPFFrkCDQQ3Ovl2EAgA
+pyy7xIHSUEE7Fht3+hfSaKukfrCZAIT2n4YCxQDzimP3ET5t5vuFaUEsZ4OZ8NYu
+h6XsCwPu9UJyIru7/cjlcM9YTntMgmG3QXil9Dnyn3QQraqojGtWSaPwvnWiHLSu
+i3ZW6SU7/7ZKViPtr7ACl/A9T2GQEIqahApsw1uR5fUL07pwA7BrdsvKF37lnBUq
+1uwVc7Tx2QSZHSDuLT6M7MpVl1MDMTa4uD/ebnxTL2DdQzGGDi1tZmtLQexxZ1le
+gCOj9zDecLq61plLLnzaDGkZd/gPsOOZQ5b0DCQNs9kW4cLJhGuk79D7iRC8pOQM
+iLqbfDU/14abt6rt2zda7wADBQf+PwMGpa1cLabUb72eyP1tS5i0Lk4wrKL0xGLB
+usJ2WRH+ruFGCm+iPGK6Lozr2zmtoEgNr7eTaYAdUep9H7tAL6fgpNchcc6s3gYc
+PqOUQPCdWvKWprAwUCAJG60PuKlM998n0blweo8u4Emjns/j25H4Nn6WmeCqvhdN
+Exb2T3lGQzkjsadRT7XdOPngDNOGLix7WV4phCNYFhAtuL/8w4VnwSk94B0/ic0J
+QsdE2PTCLHhTuHAQFYoed0VKtArKnCi0ixOejJ+Z7Yl0Ctyvnfa0Pz7eaJU0ep3Y
+GJFgidBEIaxVosrMSzv2zEyt4Gm/aqn4sItZnpXhAxoieict2YhOBBgRAgAGBQI3
+Ovl2ABIJEMCky7mHl4VpB2VHUEcAAQGcPQCeJ/VW6/5dtHDAc6dTK/K2xYlZ4xgA
+n37xvFpYHgPw0OCrNhLNyCkJZ0XVmQENBE0ti4EBCACqGtKlX9jI/enhlBdy2cyQ
+P6Q7JoyxtaG6/ckAKWHYrqFTQk3IUe8TuDrGT742XFncG9PoMBfJDUNltIPgKFn8
+E9tYQqAOlpSA25bOb30cA2ADkrjgjvDAH8cZ+fkIayWtObTxwqLfPivjFxEM//Id
+ShFFVQj+QHmXYBJggWyEIil8Bje7KRw6B5ucs4qSzp5VH4CqDr9PDnLD8lBGHk0x
+8jpwh4V/yEODJKATY0Vj00793L8uqA35ZiyczUvvJSLYvf7STO943GswkxdAfqxX
+bYifiK2gjE/7SAmB+2jFxsonUDOB1BAY5s3FKqrkaxZr3BBjeuGGoCuiSX/cXRIh
+ABEBAAG0Fldlcm5lciBLb2NoIChkaXN0IHNpZymJAT4EEwECACgFAk0ti4ECGwMF
+CRDdnwIGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECSbOdJPJeO2PlMIAJxP
+tFXf5yozPpFjRbSkSdjsk9eru05shKZOAKw3RUePTU80SRLPdg4AH+vkm1JMWFFp
+wvHlgfxqnE9rp13o7L/4UwNUwqH85zCwu7SHz9cX3d4UUwzcP6qQP4BQEH9/xlpQ
+S9eTK9b2RMyggqwd/J8mxjvoWzL8Klf/wl6jXHn/yP92xG9/YA86lNOL1N3/PhlZ
+zLuJ6bdD9WzsEp/+kh3UDfjkIrOcWkqwupB+d01R4bHPu9tvXy8Xut8Sok2zku2x
+VkEOsV2TXHbwuHO2AGC5pWDX6wgCE4F5XeCB/0ovao2/bk22w1TxzP6PMxo6sLkm
+aF6D0frhM2bl4C/uSsq5AQ0ETS2LgQEIAKHwucgbaRj0V7Ht0FnM6RmbqwZ7IFV2
+lR+YN1gkZaWRRCaJoPEZFKhhPEBX1bDVwr/iTPaPPEtpi7oQoHk65yeLrhtOmXXp
+NVkV/5WQjAJIrWn+JQ3z/ZejxHULhzKsGg5FC6pRYcEyzRXHtv4BO9kBIKNVirZj
+EkQG4BnIrQgl6e2YFa47GNMqcQH7nJdwG1cGQOZOIDQQM41gBzwoSrStMA6DjHku
+kFegKfcSbSLArBtYNAwTwmW7RqOMEJwlo0+NYx2Yn75x66bYwdlsP0FLOgez/O/I
+xoPRxXr0l4e+uj6dFHqvBi04dx6JsPmXEyeAyLiCWSh7Rwq8uIhBUBUAEQEAAYic
+BBABAgAGBQJNLY0EAAoJEFO2INAc4MYwRk8EAIuasyOnCbJW8jpfk3g2VZy1dBZj
+7g4PHaI70K1Qz8X3piI8WWaDCwlTPJcvAAtiT6yGHzdONAt+N7GiHNLU7TsMJlTL
+suxv1HsdtgnVh/9BwTKRuIBbjrkJlvUEA4xHYdQ4MFNoAFqJ1+eGZTMm1rLPtjQo
+pEcDH5VVLqR+ewWriQElBBgBAgAPBQJNLYuBAhsgBQkQ3Z8CAAoJECSbOdJPJeO2
+uxIIAJE2B8aQPQ6o6LBijX/4rJaetAu6xW9Jg7DyE3rqB5TcE7yJDQqjL6bRApjW
+RaNofB7CmDxl5tjgTawds0gL1KnKLLPb2wAnaKe9/j/gx6lOCnE2LDj5ebKQKQ3U
+B9WG8xNBczNFs7lnBG0+mOwyvWPm9fWzpTf9HFIAi2kCQK7UYZNM4fSvXY5yFz+6
+b5AYDI7pZSP8iJnUxfu2hdbRIKjwNKXzPlDsqYlYXpNAsrUuS7hshUbUe7CjX/RY
+dza8Jp3kHEeOCjLxOwotOa9hBla2eNa9AZXZQ4AFhZxpy61ldBDY88IhjsuWm5L/
+jkJdZtPlj6bFjfLt1vPhoX7y7IKZAgsEPFTJeQEQAKCDq/E0+KCD0VDPXgKQ+1H9
+0SrewKMrWvj7ajJ6hGej6mpnpntl+mGAD+rnCjB4UAY6DXsoPZZd6ChDmldsW8/7
+D2P3ObeDn1fNNFLNmBJx6VOJs+crLqDyvwYMBjohCtpHqnF7jb3v83Oeq9G8qlO3
+mDVc/kvKNUGwS/0cBgkTW/LLXSpJBG0TPdC6dTN8Qs0LiSJg0xk6eaBoV5bgA8gi
+FYO2uvGpbc5+OnUrgMCGpydrKt+9hs62qHSzEnbjqS9VzcFz2kfrAPD/K5vZ164+
+roFkEsEnCu27/bSoPSexn2Kz/mPRovUxm5WavvEpip56HLMnVZ2kkrnaqeD2dq1h
+51L4Z58oMjDUmrumlA1Z9V25M0hMVMXQmzCCCNC4+opPxN3kYLLBBY3+QYdunoR3
+JuJRdn71+nh56TRQHkz6ytLBuQXiFDSYGuqWxqiOLgK5eNzRz5nHUPSkZ+qoEKa8
+RXW0u6XdTyHRPNHiilQDyYsp6BCnlyOH90fPvNM8PFWBKvduUn0XEjVnr22H/6Mm
+PerqOije5b/nLypAKvN1ILOz5MMRbC5xm0ki4iFNy3wAw9j8DK349/2Nd8j7FJCD
+PevsS7mj6sS7Tb9y2Fo5zhvcpgO02SMsqzOCJ7G3UFg6rTpH5jKHaqCyD1rPOR+5
+2++nCEKknsQ7Fx1o/dvHAAYptCVEYXZpZCBNLiBTaGF3IDxkc2hhd0BqYWJiZXJ3
+b2NreS5jb20+iQI5BBMBAgAjAhsDAh4BAheABQJPDEnABgsJCAcDAgYVCgkICwIF
+FgIDAQAACgkQ22mNcZkkJWBi3Q//beukI1Sq42RbUPYFwk5p9o+tj2J4kS8Z5ZRJ
+NBNy0qrkXTCKChfA5kCYGDb8jsU9qivN/jpma2RerZ77Az8NBap1WRLR4EhjXR6x
+/2F/r4I3++9tNkG89SGR7IJlVMQsIEwtN0wsY0C2N646i+1Lc4f6qVLu158/v6mU
+zFPR4EP6jLB+yDqKMbZJqfhicW2jXyiflrk6OGGC5WbKfVKqOG1FyYB+2NlmtG8s
+SdD9hE9uADS8VGdp9hoaEv1LxL8miugx9y2cDbzvwYyFGWOb6kITRaz6wroWaUq9
+xMZYY5PG48vedXRx5dcSCORcTeM7raJmwVfvL1q+YqDgJGiQgKVsEoaMOQOLIXuX
+yvmbUDtY6pepxIDcnLVZCtXTHY3LVdGwnTQMxKXmgJygRJ1PFegJJLgtSHBK9haa
+Pzad6iXc98ZL2wZ39thl10LzAyzbVHvQJfnu3lDOOawSBZOK4DZeFeViUpF7cpAD
+w3llk8lYtXMsNFq10KDIzFSu4eKBO0fkajlss7ZrJN1YlxWcHbIrpINW3TNEny0d
+4cFypshQj2cl6+c9yfVBCNM5M5mm7YMu7f9voJ+tAq/LnfqqQEZJv49bIu+0aVRt
+GElefd27b7tRE/6weFpxoyBk2OTkU+RrjBr/rdp7O0nhWbJAA//l8PP6++aYNnS9
+/vfdjE+5AQ0ETwxJ3QEIAMVOEC6RP/3MNhri2/v5PwG8SaLM2ZUxpnX+TtRMocqc
+dPo2zlOYgRCSYn/CYS01BKwt86o5smDTQ9R8Nm2pvSgcQeyZSVSsnEEWJ84oTQMC
+nNllMpGytxT1XcpPVZUj0ttBzpc/3QvzWhMz//bKG5F3lUYtDgpoMQDt4IPMnlNs
+NJyrIOxuYB7aGuZKDfL3hf6DR6ClrFrHJDOOULXOTuiAb9TmvCc2oIrpxMN8g41H
+tjSHstWumMj7+0NuFaQthQBpj9ZWA6X6dgB84ea9Wd7enlKvTkqtKdB6de6P5QUy
+1HWt/7mTDOZfvTVsaoibqQHjgMG2OJ/R/wdChDML0GUAEQEAAYkDRAQYAQIADwUC
+TwxJ3QIbAgUJCYPP8wEpCRDbaY1xmSQlYMBdIAQZAQIABgUCTwxJ3QAKCRD+p4p6
+obxPpHxhB/9sNDyAsCSX6s1QPAecgJDGxhdIrE3Z5Bx+O+DVG1cGlBIh3UpojPmx
+xyqF8koTqsAInLK2D8CeEqg8IB/IjI/LhiQf/Mby57gB46jeThfecdcyhh97kHPh
+Xj9Gea2u82YXIYYlVjD9VbsKggoSLFmda6YgPFd6KMbkwaIFgCNDK4GFVITq7HdH
+HDJCS5Iec/KnhnQNMHkFdQcycUwaiNSuvIK54LLex2MAL/RoLpYNEmwxApyWlagh
+rJe6aRh44FHboBT9lAd7pJ1P2CXEdirrG+WM+DVE7dluJF0bTQ94WtpRyMyCQSv0
+7qBZVUtU/oUe2curJymo3Pv+zxcevmVkTAEQAIKfiBMRDuXfLaGPDBW32OgOReVu
+4MysBKJSrvh+x1xD0BO/z/1bZFKMYf71ayf7sBq58o+rMjPUH9ulzTPL8U4F3oA2
+DtP/YSmJixPqB29MqifIZHrhLZwbEjYyysanohZU5YfwenMKdCnjFuCfGbAoSkUA
+kyqioXHkHUmBf/qt/v73JNHu7QQOMmJ88PT7f+EYNykcTkd8tANojiZH/Vaem/Nq
+fEPFqem6MwEjzyJDwNff1NUeeQLnT+LeAOeC2cWUZel5VbbUzxIWYFTfijplP1Qa
+nihFY3D0Yu2weJzpWbKfyTKPJMVOwQS1RwDFZxnPxlXJxvaIOeWQjMHEKsYP+LZy
+mH/JG5FMc6UX9duaFZ9fCmivT6OXc2XlWbTLaK5Ux/uneXg/pA5ZcTG75RFjya/p
+vXzioeFCieNrecn2M13aEZkuAPcdMlrwAVzX9WaMKi6BUBtcIIEVoohZHzq+SzO2
+bR10H4tfU1T6+PewAcZ9dYGc8sSgGrbiBiW4DbdkP5oR3BUDO1EJYcHhsFY7+nn+
+384XXXBd9BZQKvHHkeot38T9PFTB8tk1ClfnUD9CUTl/4zPTwbe2NQNaSwLJJ7yR
+3/4V3jTY3ogZSqu1+GTPschRBwD5JSm8y7eBbjzbRXqLmTEO3hjZSrE1w1iBJFuC
+3n+ouAqeAvRr/aazuQENBE8MSi8BCACvl2RV6ve1i8nr++fKneCgMLTh5nxKSBaq
+iYpT2dlGwpAdyBU46aij9hH/b6oYAB0CxxrgMxNaBOpGVxUENFQ1qK6bfW1KIndu
+YFJVqh4J6pAByz8Pu2BOdk0POarB3JDH51kE+QYZeyt+jgbO4+UYmorPQGiexeMj
+rKhJNQLjnHzLlYNptwCgaSatubDrk6+p7x5dHPRTk1cqjYA1IJ+wgK7iXO/TOo2d
+DYmYZ6T2n9Pr0q5IksWYjM+sfpnsaH+Y4KQ1TfXBlxvKU+gAZTi0PFZE4lQKEvp3
+lSxklxBVcvVDJyfSGQ0C9FeqU/sgLDrfKljVxck1dFKeIWsgYbG7ABEBAAGJAiUE
+GAECAA8FAk8MSi8CGwwFCQmDz6EACgkQ22mNcZkkJWAlZw//duQCqkLqI83OH+vy
+5z/52d+9Ca2u3tANvudrT5z9XyRWtuVevhRmYy8ClnnmEoCb66yGZ13RtnBjxDf2
+1fz6daNSc4lbSrpOySjCkdKP86wUipuCX+uFzsVdivb2PtvZ3C383RCeA7Ys1jNM
+F54jfwlCKaIPiNwIUggWOXiGFCs0UB0mlp12DcDZh9/lWEAGrSt3Q1JgcHjUGbNb
+mrJD7NIsBZqjRp3i0WgSd4oDY3svpGOL0Ixz0Zsitqz5XRSJxgBqb8VKytF8W53Y
+HrW4IfQFbn93CbxG40PcmWoU/s3qxFfdC9DrK/sGejWTlg37luVPPlWz9i9lC5kA
+f12M9veUKESC+uyCf1wEoK9mLMVPl3l8v2X5BzVT3CxberXV5IHIXoa5sATkor+O
+2S/TVKdo16IOqhSaK3JDH4ETH4s08bX0C/XYVKrRXCT1xPCQid27fcvzC6Dj8Q41
+Z+cjFQbrzXWkNCJ/OD/qkPmmtKH51EUBiToR2Q67ubUtioV9+dwtAclrwSvSHcfK
+qRPLGGeqhZaR0cENfjEBfp+sG42QmzD1KIPFyPaWJpEjsWcqIRxcm8MI69iI2NSR
+6dbXTgHHcf1HHZFL1/TJNmT52GqDal3MG8iSDnn8gYd+S3hCSmsO4wHhK/UIN6X2
+/CAeQoHDpRcWLPhqVIHekxZNmOM=
+=K9om
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi
new file mode 100644
index 0000000..98fa70c
--- /dev/null
+++ b/doc/scdaemon.texi
@@ -0,0 +1,777 @@
+@c Copyright (C) 2002 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@include defs.inc
+
+@node Invoking SCDAEMON
+@chapter Invoking the SCDAEMON
+@cindex SCDAEMON command options
+@cindex command options
+@cindex options, SCDAEMON command
+
+@manpage scdaemon.1
+@ifset manverb
+.B scdaemon
+\- Smartcard daemon for the GnuPG system
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B scdaemon
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.B \-\-server
+.br
+.B scdaemon
+.RB [ \-\-homedir
+.IR dir ]
+.RB [ \-\-options
+.IR file ]
+.RI [ options ]
+.B \-\-daemon
+.RI [ command_line ]
+@end ifset
+
+
+@mansect description
+The @command{scdaemon} is a daemon to manage smartcards. It is usually
+invoked by @command{gpg-agent} and in general not used directly.
+
+@manpause
+@xref{Option Index}, for an index to @command{scdaemon}'s commands and
+options.
+@mancont
+
+@menu
+* Scdaemon Commands:: List of all commands.
+* Scdaemon Options:: List of all options.
+* Card applications:: Description of card applications.
+* Scdaemon Configuration:: Configuration files.
+* Scdaemon Examples:: Some usage examples.
+* Scdaemon Protocol:: The protocol the daemon uses.
+@end menu
+
+@mansect commands
+
+@node Scdaemon Commands
+@section Commands
+
+Commands are not distinguished from options except for the fact that
+only one command is allowed.
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you cannot
+abbreviate this command.
+
+@item --help, -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --dump-options
+@opindex dump-options
+Print a list of all available options and commands. Note that you cannot
+abbreviate this command.
+
+@item --server
+@opindex server
+Run in server mode and wait for commands on the @code{stdin}. The
+default mode is to create a socket and listen for commands there.
+
+@item --multi-server
+@opindex multi-server
+Run in server mode and wait for commands on the @code{stdin} as well as
+on an additional Unix Domain socket. The server command @code{GETINFO}
+may be used to get the name of that extra socket.
+
+@item --daemon
+@opindex daemon
+Run the program in the background. This option is required to prevent
+it from being accidentally running in the background.
+
+@end table
+
+
+@mansect options
+
+@node Scdaemon Options
+@section Option Summary
+
+@table @gnupgtabopt
+
+@item --options @var{file}
+@opindex options
+Reads configuration from @var{file} instead of from the default
+per-user configuration file. The default configuration file is named
+@file{scdaemon.conf} and expected in the @file{.gnupg} directory directly
+below the home directory of the user.
+
+@include opt-homedir.texi
+
+
+@item -v
+@item --verbose
+@opindex v
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @command{gpgsm}, such as @samp{-vv}.
+
+@item --debug-level @var{level}
+@opindex debug-level
+Select the debug level for investigating problems. @var{level} may be
+a numeric value or a keyword:
+
+@table @code
+@item none
+No debugging at all. A value of less than 1 may be used instead of
+the keyword.
+@item basic
+Some basic debug messages. A value between 1 and 2 may be used
+instead of the keyword.
+@item advanced
+More verbose debug messages. A value between 3 and 5 may be used
+instead of the keyword.
+@item expert
+Even more detailed messages. A value between 6 and 8 may be used
+instead of the keyword.
+@item guru
+All of the debug messages you can get. A value greater than 8 may be
+used instead of the keyword. The creation of hash tracing files is
+only enabled if the keyword is used.
+@end table
+
+How these messages are mapped to the actual debugging flags is not
+specified and may change with newer releases of this program. They are
+however carefully selected to best aid in debugging.
+
+@quotation Note
+All debugging options are subject to change and thus should not be used
+by any application program. As the name says, they are only used as
+helpers to debug problems.
+@end quotation
+
+
+@item --debug @var{flags}
+@opindex debug
+This option is only useful for debugging and the behavior may change at
+any time without notice. FLAGS are bit encoded and may be given in
+usual C-Syntax. The currently defined bits are:
+
+@table @code
+@item 0 (1)
+command I/O
+@item 1 (2)
+values of big number integers
+@item 2 (4)
+low level crypto operations
+@item 5 (32)
+memory allocation
+@item 6 (64)
+caching
+@item 7 (128)
+show memory statistics
+@item 9 (512)
+write hashed data to files named @code{dbgmd-000*}
+@item 10 (1024)
+trace Assuan protocol.
+See also option @option{--debug-assuan-log-cats}.
+@item 11 (2048)
+trace APDU I/O to the card. This may reveal sensitive data.
+@item 12 (4096)
+trace some card reader related function calls.
+@end table
+
+@item --debug-all
+@opindex debug-all
+Same as @code{--debug=0xffffffff}
+
+@item --debug-wait @var{n}
+@opindex debug-wait
+When running in server mode, wait @var{n} seconds before entering the
+actual processing loop and print the pid. This gives time to attach a
+debugger.
+
+@item --debug-ccid-driver
+@opindex debug-wait
+Enable debug output from the included CCID driver for smartcards.
+Using this option twice will also enable some tracing of the T=1
+protocol. Note that this option may reveal sensitive data.
+
+@item --debug-disable-ticker
+@opindex debug-disable-ticker
+This option disables all ticker functions like checking for card
+insertions.
+
+@item --debug-allow-core-dump
+@opindex debug-allow-core-dump
+For security reasons we won't create a core dump when the process
+aborts. For debugging purposes it is sometimes better to allow core
+dump. This option enables it and also changes the working directory to
+@file{/tmp} when running in @option{--server} mode.
+
+@item --debug-log-tid
+@opindex debug-log-tid
+This option appends a thread ID to the PID in the log output.
+
+@item --debug-assuan-log-cats @var{cats}
+@opindex debug-assuan-log-cats
+@efindex ASSUAN_DEBUG
+Changes the active Libassuan logging categories to @var{cats}. The
+value for @var{cats} is an unsigned integer given in usual C-Syntax.
+A value of 0 switches to a default category. If this option is not
+used the categories are taken from the environment variable
+@code{ASSUAN_DEBUG}. Note that this option has only an effect if the
+Assuan debug flag has also been with the option @option{--debug}. For
+a list of categories see the Libassuan manual.
+
+@item --no-detach
+@opindex no-detach
+Don't detach the process from the console. This is mainly useful for
+debugging.
+
+@item --listen-backlog @var{n}
+@opindex listen-backlog
+Set the size of the queue for pending connections. The default is 64.
+This option has an effect only if @option{--multi-server} is also
+used.
+
+@item --log-file @var{file}
+@opindex log-file
+Append all logging output to @var{file}. This is very helpful in
+seeing what the agent actually does. Use @file{socket://} to log to
+socket.
+
+@item --pcsc-shared
+@opindex pcsc-shared
+Use shared mode to access the card via PC/SC. This is a somewhat
+dangerous option because Scdaemon assumes exclusivbe access to teh
+card and for example caches certain information from the card. Use
+this option only if you know what you are doing.
+
+@item --pcsc-driver @var{library}
+@opindex pcsc-driver
+Use @var{library} to access the smartcard reader. The current default
+on Unix is @file{libpcsclite.so} and on Windows @file{winscard.dll}.
+Instead of using this option you might also want to install a symbolic
+link to the default file name (e.g. from @file{libpcsclite.so.1}).
+A Unicode file name may not be used on Windows.
+
+@item --ctapi-driver @var{library}
+@opindex ctapi-driver
+Use @var{library} to access the smartcard reader. The current default
+is @file{libtowitoko.so}. Note that the use of this interface is
+deprecated; it may be removed in future releases.
+
+@item --disable-ccid
+@opindex disable-ccid
+Disable the integrated support for CCID compliant readers. This
+allows falling back to one of the other drivers even if the internal
+CCID driver can handle the reader. Note, that CCID support is only
+available if libusb was available at build time.
+
+@item --reader-port @var{number_or_string}
+@opindex reader-port
+This option may be used to specify the port of the card terminal. A
+value of 0 refers to the first serial device; add 32768 to access USB
+devices. The default is 32768 (first USB device). PC/SC or CCID
+readers might need a string here; run the program in verbose mode to get
+a list of available readers. The default is then the first reader
+found.
+
+To get a list of available CCID readers you may use this command:
+@cartouche
+@smallexample
+ echo scd getinfo reader_list \
+ | gpg-connect-agent --decode | awk '/^D/ @{print $2@}'
+@end smallexample
+@end cartouche
+
+@item --card-timeout @var{n}
+@opindex card-timeout
+If @var{n} is not 0 and no client is actively using the card, the card
+will be powered down after @var{n} seconds. Powering down the card
+avoids a potential risk of damaging a card when used with certain
+cheap readers. This also allows applications that are not aware of
+Scdaemon to access the card. The disadvantage of using a card timeout
+is that accessing the card takes longer and that the user needs to
+enter the PIN again after the next power up.
+
+Note that with the current version of Scdaemon the card is powered
+down immediately at the next timer tick for any value of @var{n} other
+than 0.
+
+@item --enable-pinpad-varlen
+@opindex enable-pinpad-varlen
+Please specify this option when the card reader supports variable
+length input for pinpad (default is no). For known readers (listed in
+ccid-driver.c and apdu.c), this option is not needed. Note that if
+your card reader doesn't supports variable length input but you want
+to use it, you need to specify your pinpad request on your card.
+
+
+@item --disable-pinpad
+@opindex disable-pinpad
+Even if a card reader features a pinpad, do not try to use it.
+
+
+@item --deny-admin
+@opindex deny-admin
+@opindex allow-admin
+This option disables the use of admin class commands for card
+applications where this is supported. Currently we support it for the
+OpenPGP card. This option is useful to inhibit accidental access to
+admin class command which could ultimately lock the card through wrong
+PIN numbers. Note that GnuPG versions older than 2.0.11 featured an
+@option{--allow-admin} option which was required to use such admin
+commands. This option has no more effect today because the default is
+now to allow admin commands.
+
+@item --disable-application @var{name}
+@opindex disable-application
+This option disables the use of the card application named
+@var{name}. This is mainly useful for debugging or if a application
+with lower priority should be used by default.
+
+@end table
+
+All the long options may also be given in the configuration file after
+stripping off the two leading dashes.
+
+
+@mansect card applications
+@node Card applications
+@section Description of card applications
+
+@command{scdaemon} supports the card applications as described below.
+
+@menu
+* OpenPGP Card:: The OpenPGP card application
+* NKS Card:: The Telesec NetKey card application
+* DINSIG Card:: The DINSIG card application
+* PKCS#15 Card:: The PKCS#15 card application
+* Geldkarte Card:: The Geldkarte application
+* SmartCard-HSM:: The SmartCard-HSM application
+* Undefined Card:: The Undefined stub application
+@end menu
+
+@node OpenPGP Card
+@subsection The OpenPGP card application ``openpgp''
+
+This application is currently only used by @command{gpg} but may in
+future also be useful with @command{gpgsm}. Version 1 and version 2 of
+the card is supported.
+
+@noindent
+The specifications for these cards are available at@*
+@uref{http://g10code.com/docs/openpgp-card-1.0.pdf} and@*
+@uref{http://g10code.com/docs/openpgp-card-2.0.pdf}.
+
+@node NKS Card
+@subsection The Telesec NetKey card ``nks''
+
+This is the main application of the Telesec cards as available in
+Germany. It is a superset of the German DINSIG card. The card is
+used by @command{gpgsm}.
+
+@node DINSIG Card
+@subsection The DINSIG card application ``dinsig''
+
+This is an application as described in the German draft standard
+@emph{DIN V 66291-1}. It is intended to be used by cards supporting
+the German signature law and its bylaws (SigG and SigV).
+
+@node PKCS#15 Card
+@subsection The PKCS#15 card application ``p15''
+
+This is common framework for smart card applications. It is used by
+@command{gpgsm}.
+
+@node Geldkarte Card
+@subsection The Geldkarte card application ``geldkarte''
+
+This is a simple application to display information of a German
+Geldkarte. The Geldkarte is a small amount debit card application which
+comes with almost all German banking cards.
+
+@node SmartCard-HSM
+@subsection The SmartCard-HSM card application ``sc-hsm''
+
+This application adds read-only support for keys and certificates
+stored on a @uref{http://www.smartcard-hsm.com, SmartCard-HSM}.
+
+To generate keys and store certificates you may use
+@uref{https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM, OpenSC} or
+the tools from @uref{http://www.openscdp.org, OpenSCDP}.
+
+The SmartCard-HSM cards requires a card reader that supports Extended
+Length APDUs.
+
+@node Undefined Card
+@subsection The Undefined card application ``undefined''
+
+This is a stub application to allow the use of the APDU command even
+if no supported application is found on the card. This application is
+not used automatically but must be explicitly requested using the
+SERIALNO command.
+
+
+@c *******************************************
+@c *************** ****************
+@c *************** FILES ****************
+@c *************** ****************
+@c *******************************************
+@mansect files
+@node Scdaemon Configuration
+@section Configuration files
+
+There are a few configuration files to control certain aspects of
+@command{scdaemons}'s operation. Unless noted, they are expected in the
+current home directory (@pxref{option --homedir}).
+
+@table @file
+
+@item scdaemon.conf
+@cindex scdaemon.conf
+This is the standard configuration file read by @command{scdaemon} on
+startup. It may contain any valid long option; the leading two dashes
+may not be entered and the option may not be abbreviated. This default
+name may be changed on the command line (@pxref{option --options}).
+
+@item scd-event
+@cindex scd-event
+If this file is present and executable, it will be called on every card
+reader's status change. An example of this script is provided with the
+distribution
+
+@item reader_@var{n}.status
+This file is created by @command{scdaemon} to let other applications now
+about reader status changes. Its use is now deprecated in favor of
+@file{scd-event}.
+
+@end table
+
+
+@c
+@c Examples
+@c
+@mansect examples
+@node Scdaemon Examples
+@section Examples
+
+@c man begin EXAMPLES
+
+@example
+$ scdaemon --server -v
+@end example
+
+@c man end
+
+@c
+@c Assuan Protocol
+@c
+@manpause
+@node Scdaemon Protocol
+@section Scdaemon's Assuan Protocol
+
+The SC-Daemon should be started by the system to provide access to
+external tokens. Using Smartcards on a multi-user system does not
+make much sense except for system services, but in this case no
+regular user accounts are hosted on the machine.
+
+A client connects to the SC-Daemon by connecting to the socket named
+@file{@value{LOCALRUNDIR}/scdaemon/socket}, configuration information
+is read from @var{@value{SYSCONFDIR}/scdaemon.conf}
+
+Each connection acts as one session, SC-Daemon takes care of
+synchronizing access to a token between sessions.
+
+@menu
+* Scdaemon SERIALNO:: Return the serial number.
+* Scdaemon LEARN:: Read all useful information from the card.
+* Scdaemon READCERT:: Return a certificate.
+* Scdaemon READKEY:: Return a public key.
+* Scdaemon PKSIGN:: Signing data with a Smartcard.
+* Scdaemon PKDECRYPT:: Decrypting data with a Smartcard.
+* Scdaemon GETATTR:: Read an attribute's value.
+* Scdaemon SETATTR:: Update an attribute's value.
+* Scdaemon WRITEKEY:: Write a key to a card.
+* Scdaemon GENKEY:: Generate a new key on-card.
+* Scdaemon RANDOM:: Return random bytes generated on-card.
+* Scdaemon PASSWD:: Change PINs.
+* Scdaemon CHECKPIN:: Perform a VERIFY operation.
+* Scdaemon RESTART:: Restart connection
+* Scdaemon APDU:: Send a verbatim APDU to the card
+@end menu
+
+@node Scdaemon SERIALNO
+@subsection Return the serial number
+
+This command should be used to check for the presence of a card. It is
+special in that it can be used to reset the card. Most other commands
+will return an error when a card change has been detected and the use of
+this function is therefore required.
+
+Background: We want to keep the client clear of handling card changes
+between operations; i.e. the client can assume that all operations are
+done on the same card unless he call this function.
+
+@example
+ SERIALNO
+@end example
+
+Return the serial number of the card using a status response like:
+
+@example
+ S SERIALNO D27600000000000000000000
+@end example
+
+The serial number is the hex encoded value identified by
+the @code{0x5A} tag in the GDO file (FIX=0x2F02).
+
+
+
+@node Scdaemon LEARN
+@subsection Read all useful information from the card
+
+@example
+ LEARN [--force]
+@end example
+
+Learn all useful information of the currently inserted card. When
+used without the @option{--force} option, the command might do an INQUIRE
+like this:
+
+@example
+ INQUIRE KNOWNCARDP <hexstring_with_serialNumber>
+@end example
+
+The client should just send an @code{END} if the processing should go on
+or a @code{CANCEL} to force the function to terminate with a cancel
+error message. The response of this command is a list of status lines
+formatted as this:
+
+@example
+ S KEYPAIRINFO @var{hexstring_with_keygrip} @var{hexstring_with_id}
+@end example
+
+If there is no certificate yet stored on the card a single "X" is
+returned in @var{hexstring_with_keygrip}.
+
+@node Scdaemon READCERT
+@subsection Return a certificate
+
+@example
+ READCERT @var{hexified_certid}|@var{keyid}
+@end example
+
+This function is used to read a certificate identified by
+@var{hexified_certid} from the card. With OpenPGP cards the keyid
+@code{OpenPGP.3} may be used to read the certificate of version 2 cards.
+
+
+@node Scdaemon READKEY
+@subsection Return a public key
+
+@example
+READKEY @var{hexified_certid}
+@end example
+
+Return the public key for the given cert or key ID as an standard
+S-Expression.
+
+
+
+@node Scdaemon PKSIGN
+@subsection Signing data with a Smartcard
+
+To sign some data the caller should use the command
+
+@example
+ SETDATA @var{hexstring}
+@end example
+
+to tell @command{scdaemon} about the data to be signed. The data must be given in
+hex notation. The actual signing is done using the command
+
+@example
+ PKSIGN @var{keyid}
+@end example
+
+where @var{keyid} is the hexified ID of the key to be used. The key id
+may have been retrieved using the command @code{LEARN}. If another
+hash algorithm than SHA-1 is used, that algorithm may be given like:
+
+@example
+ PKSIGN --hash=@var{algoname} @var{keyid}
+@end example
+
+With @var{algoname} are one of @code{sha1}, @code{rmd160} or @code{md5}.
+
+
+@node Scdaemon PKDECRYPT
+@subsection Decrypting data with a Smartcard
+
+To decrypt some data the caller should use the command
+
+@example
+ SETDATA @var{hexstring}
+@end example
+
+to tell @command{scdaemon} about the data to be decrypted. The data
+must be given in hex notation. The actual decryption is then done
+using the command
+
+@example
+ PKDECRYPT @var{keyid}
+@end example
+
+where @var{keyid} is the hexified ID of the key to be used.
+
+If the card is aware of the apdding format a status line with padding
+information is send before the plaintext data. The key for this
+status line is @code{PADDING} with the only defined value being 0 and
+meaning padding has been removed.
+
+@node Scdaemon GETATTR
+@subsection Read an attribute's value
+
+TO BE WRITTEN.
+
+@node Scdaemon SETATTR
+@subsection Update an attribute's value
+
+TO BE WRITTEN.
+
+@node Scdaemon WRITEKEY
+@subsection Write a key to a card
+
+@example
+ WRITEKEY [--force] @var{keyid}
+@end example
+
+This command is used to store a secret key on a smartcard. The
+allowed keyids depend on the currently selected smartcard
+application. The actual keydata is requested using the inquiry
+@code{KEYDATA} and need to be provided without any protection. With
+@option{--force} set an existing key under this @var{keyid} will get
+overwritten. The key data is expected to be the usual canonical encoded
+S-expression.
+
+A PIN will be requested in most cases. This however depends on the
+actual card application.
+
+
+@node Scdaemon GENKEY
+@subsection Generate a new key on-card
+
+TO BE WRITTEN.
+
+@node Scdaemon RANDOM
+@subsection Return random bytes generated on-card
+
+TO BE WRITTEN.
+
+
+@node Scdaemon PASSWD
+@subsection Change PINs
+
+@example
+ PASSWD [--reset] [--nullpin] @var{chvno}
+@end example
+
+Change the PIN or reset the retry counter of the card holder
+verification vector number @var{chvno}. The option @option{--nullpin}
+is used to initialize the PIN of TCOS cards (6 byte NullPIN only).
+
+
+@node Scdaemon CHECKPIN
+@subsection Perform a VERIFY operation
+
+@example
+ CHECKPIN @var{idstr}
+@end example
+
+Perform a VERIFY operation without doing anything else. This may be
+used to initialize a the PIN cache earlier to long lasting
+operations. Its use is highly application dependent:
+
+@table @strong
+@item OpenPGP
+
+Perform a simple verify operation for CHV1 and CHV2, so that further
+operations won't ask for CHV2 and it is possible to do a cheap check on
+the PIN: If there is something wrong with the PIN entry system, only the
+regular CHV will get blocked and not the dangerous CHV3. @var{idstr} is
+the usual card's serial number in hex notation; an optional fingerprint
+part will get ignored.
+
+There is however a special mode if @var{idstr} is suffixed with the
+literal string @code{[CHV3]}: In this case the Admin PIN is checked if
+and only if the retry counter is still at 3.
+
+@end table
+
+
+
+@node Scdaemon RESTART
+@subsection Perform a RESTART operation
+
+@example
+ RESTART
+@end example
+
+Restart the current connection; this is a kind of warm reset. It
+deletes the context used by this connection but does not actually
+reset the card.
+
+This is used by gpg-agent to reuse a primary pipe connection and
+may be used by clients to backup from a conflict in the serial
+command; i.e. to select another application.
+
+
+
+
+@node Scdaemon APDU
+@subsection Send a verbatim APDU to the card
+
+@example
+ APDU [--atr] [--more] [--exlen[=@var{n}]] [@var{hexstring}]
+@end example
+
+
+Send an APDU to the current reader. This command bypasses the high
+level functions and sends the data directly to the card.
+@var{hexstring} is expected to be a proper APDU. If @var{hexstring} is
+not given no commands are send to the card; However the command will
+implicitly check whether the card is ready for use.
+
+Using the option @code{--atr} returns the ATR of the card as a status
+message before any data like this:
+@example
+ S CARD-ATR 3BFA1300FF813180450031C173C00100009000B1
+@end example
+
+Using the option @code{--more} handles the card status word MORE_DATA
+(61xx) and concatenate all responses to one block.
+
+Using the option @code{--exlen} the returned APDU may use extended
+length up to N bytes. If N is not given a default value is used
+(currently 4096).
+
+
+
+@mansect see also
+@ifset isman
+@command{gpg-agent}(1),
+@command{gpgsm}(1),
+@command{gpg2}(1)
+@end ifset
+@include see-also-note.texi
+
diff --git a/doc/see-also-note.texi b/doc/see-also-note.texi
new file mode 100644
index 0000000..b18efc3
--- /dev/null
+++ b/doc/see-also-note.texi
@@ -0,0 +1,14 @@
+@c We append this note to all ``see also'' sections of the man pages
+
+@ifset isman
+The full documentation for this tool is maintained as a Texinfo manual.
+If GnuPG and the info program are properly installed at your site, the
+command
+
+@example
+info gnupg
+@end example
+
+should give you access to the complete manual including a menu structure
+and an index.
+@end ifset
diff --git a/doc/specify-user-id.texi b/doc/specify-user-id.texi
new file mode 100644
index 0000000..64e354b
--- /dev/null
+++ b/doc/specify-user-id.texi
@@ -0,0 +1,173 @@
+@c Include file to allow for different placements in man pages and the manual
+
+There are different ways to specify a user ID to GnuPG. Some of them
+are only valid for @command{gpg} others are only good for
+@command{gpgsm}. Here is the entire list of ways to specify a key:
+
+@itemize @bullet
+
+@item By key Id.
+This format is deduced from the length of the string and its content or
+@code{0x} prefix. The key Id of an X.509 certificate are the low 64 bits
+of its SHA-1 fingerprint. The use of key Ids is just a shortcut, for
+all automated processing the fingerprint should be used.
+
+When using @command{gpg} an exclamation mark (!) may be appended to
+force using the specified primary or secondary key and not to try and
+calculate which primary or secondary key to use.
+
+The last four lines of the example give the key ID in their long form as
+internally used by the OpenPGP protocol. You can see the long key ID
+using the option @option{--with-colons}.
+
+@cartouche
+@example
+234567C4
+0F34E556E
+01347A56A
+0xAB123456
+
+234AABBCC34567C4
+0F323456784E56EAB
+01AB3FED1347A5612
+0x234AABBCC34567C4
+@end example
+@end cartouche
+
+
+
+@item By fingerprint.
+This format is deduced from the length of the string and its content or
+the @code{0x} prefix. Note, that only the 20 byte version fingerprint
+is available with @command{gpgsm} (i.e. the SHA-1 hash of the
+certificate).
+
+When using @command{gpg} an exclamation mark (!) may be appended to
+force using the specified primary or secondary key and not to try and
+calculate which primary or secondary key to use.
+
+The best way to specify a key Id is by using the fingerprint. This
+avoids any ambiguities in case that there are duplicated key IDs.
+
+@cartouche
+@example
+1234343434343434C434343434343434
+123434343434343C3434343434343734349A3434
+0E12343434343434343434EAB3484343434343434
+0xE12343434343434343434EAB3484343434343434
+@end example
+@end cartouche
+
+@noindent
+@command{gpgsm} also accepts colons between each pair of hexadecimal
+digits because this is the de-facto standard on how to present X.509
+fingerprints. @command{gpg} also allows the use of the space
+separated SHA-1 fingerprint as printed by the key listing commands.
+
+@item By exact match on OpenPGP user ID.
+This is denoted by a leading equal sign. It does not make sense for
+X.509 certificates.
+
+@cartouche
+@example
+=Heinrich Heine <heinrichh@@uni-duesseldorf.de>
+@end example
+@end cartouche
+
+@item By exact match on an email address.
+This is indicated by enclosing the email address in the usual way
+with left and right angles.
+
+@cartouche
+@example
+<heinrichh@@uni-duesseldorf.de>
+@end example
+@end cartouche
+
+
+@item By partial match on an email address.
+This is indicated by prefixing the search string with an @code{@@}.
+This uses a substring search but considers only the mail address
+(i.e. inside the angle brackets).
+
+@cartouche
+@example
+@@heinrichh
+@end example
+@end cartouche
+
+@item By exact match on the subject's DN.
+This is indicated by a leading slash, directly followed by the RFC-2253
+encoded DN of the subject. Note that you can't use the string printed
+by @code{gpgsm --list-keys} because that one has been reordered and modified
+for better readability; use @option{--with-colons} to print the raw
+(but standard escaped) RFC-2253 string.
+
+@cartouche
+@example
+/CN=Heinrich Heine,O=Poets,L=Paris,C=FR
+@end example
+@end cartouche
+
+@item By exact match on the issuer's DN.
+This is indicated by a leading hash mark, directly followed by a slash
+and then directly followed by the RFC-2253 encoded DN of the issuer.
+This should return the Root cert of the issuer. See note above.
+
+@cartouche
+@example
+#/CN=Root Cert,O=Poets,L=Paris,C=FR
+@end example
+@end cartouche
+
+
+@item By exact match on serial number and issuer's DN.
+This is indicated by a hash mark, followed by the hexadecimal
+representation of the serial number, then followed by a slash and the
+RFC-2253 encoded DN of the issuer. See note above.
+
+@cartouche
+@example
+#4F03/CN=Root Cert,O=Poets,L=Paris,C=FR
+@end example
+@end cartouche
+
+@item By keygrip.
+This is indicated by an ampersand followed by the 40 hex digits of a
+keygrip. @command{gpgsm} prints the keygrip when using the command
+@option{--dump-cert}.
+
+@cartouche
+@example
+&D75F22C3F86E355877348498CDC92BD21010A480
+@end example
+@end cartouche
+
+
+@item By substring match.
+This is the default mode but applications may want to explicitly
+indicate this by putting the asterisk in front. Match is not case
+sensitive.
+
+@cartouche
+@example
+Heine
+*Heine
+@end example
+@end cartouche
+
+@item . and + prefixes
+These prefixes are reserved for looking up mails anchored at the end
+and for a word search mode. They are not yet implemented and using
+them is undefined.
+
+@end itemize
+
+Please note that we have reused the hash mark identifier which was used
+in old GnuPG versions to indicate the so called local-id. It is not
+anymore used and there should be no conflict when used with X.509 stuff.
+
+Using the RFC-2253 format of DNs has the drawback that it is not
+possible to map them back to the original encoding, however we don't
+have to do this because our key database stores this encoding as meta
+data.
diff --git a/doc/sysnotes.texi b/doc/sysnotes.texi
new file mode 100644
index 0000000..f8cc212
--- /dev/null
+++ b/doc/sysnotes.texi
@@ -0,0 +1,58 @@
+@c Copyright (C) 2004 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+@node System Notes
+@chapter Notes pertaining to certain OSes
+
+GnuPG has been developed on GNU/Linux systems and is know to work on
+almost all Free OSes. All modern POSIX systems should be supported
+right now, however there are probably a lot of smaller glitches we need
+to fix first. The major problem areas are:
+
+@itemize
+@item
+We are planning to use file descriptor passing for interprocess
+communication. This will allow us save a lot of resources and improve
+performance of certain operations a lot. Systems not supporting this
+won't gain these benefits but we try to keep them working the standard
+way as it is done today.
+
+@item
+We require more or less full POSIX compatibility. This has been
+around for 15 years now and thus we don't believe it makes sense to
+support non POSIX systems anymore. Well, we of course the usual
+workarounds for near POSIX systems well be applied.
+
+There is one exception of this rule: Systems based the Microsoft Windows
+API (called here @emph{W32}) will be supported to some extend.
+
+@end itemize
+
+
+@menu
+* W32 Notes:: Microsoft Windows Notes
+@end menu
+
+
+@node W32 Notes
+@section Microsoft Windows Notes
+
+@noindent
+Current limitations are:
+
+@itemize
+
+@item
+@command{gpgconf} does not create backup files, so in case of trouble
+your configuration file might get lost.
+
+@item
+@command{watchgnupg} is not available. Logging to sockets is not
+possible.
+
+@item
+The periodical smartcard status checking done by @command{scdaemon} is
+not yet supported.
+
+@end itemize
diff --git a/doc/tools.texi b/doc/tools.texi
new file mode 100644
index 0000000..6b9a9fe
--- /dev/null
+++ b/doc/tools.texi
@@ -0,0 +1,2136 @@
+@c Copyright (C) 2004, 2008 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file GnuPG.texi.
+
+@include defs.inc
+
+@node Helper Tools
+@chapter Helper Tools
+
+GnuPG comes with a couple of smaller tools:
+
+@menu
+* watchgnupg:: Read logs from a socket.
+* gpgv:: Verify OpenPGP signatures.
+* addgnupghome:: Create .gnupg home directories.
+* gpgconf:: Modify .gnupg home directories.
+* applygnupgdefaults:: Run gpgconf for all users.
+* gpg-preset-passphrase:: Put a passphrase into the cache.
+* gpg-connect-agent:: Communicate with a running agent.
+* dirmngr-client:: How to use the Dirmngr client tool.
+* gpgparsemail:: Parse a mail message into an annotated format
+* gpgtar:: Encrypt or sign files into an archive.
+* gpg-check-pattern:: Check a passphrase on stdin against the patternfile.
+@end menu
+
+@c
+@c WATCHGNUPG
+@c
+@manpage watchgnupg.1
+@node watchgnupg
+@section Read logs from a socket
+@ifset manverb
+.B watchgnupg
+\- Read and print logs from a socket
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B watchgnupg
+.RB [ \-\-force ]
+.RB [ \-\-verbose ]
+.I socketname
+@end ifset
+
+@mansect description
+Most of the main utilities are able to write their log files to a Unix
+Domain socket if configured that way. @command{watchgnupg} is a simple
+listener for such a socket. It ameliorates the output with a time stamp
+and makes sure that long lines are not interspersed with log output from
+other utilities. This tool is not available for Windows.
+
+
+@noindent
+@command{watchgnupg} is commonly invoked as
+
+@example
+watchgnupg --force $(gpgconf --list-dirs socketdir)/S.log
+@end example
+@manpause
+
+@noindent
+This starts it on the current terminal for listening on the standard
+logging socket (which is either @file{~/.gnupg/S.log} or
+@file{/var/run/user/UID/gnupg/S.log}).
+
+@mansect options
+@noindent
+@command{watchgnupg} understands these options:
+
+@table @gnupgtabopt
+
+@item --force
+@opindex force
+Delete an already existing socket file.
+
+@anchor{option watchgnupg --tcp}
+@item --tcp @var{n}
+Instead of reading from a local socket, listen for connects on TCP port
+@var{n}.
+
+@item --time-only
+@opindex time-only
+Do not print the date part of the timestamp.
+
+@item --verbose
+@opindex verbose
+Enable extra informational output.
+
+@item --version
+@opindex version
+Print version of the program and exit.
+
+@item --help
+@opindex help
+Display a brief help page and exit.
+
+@end table
+
+@noindent
+@mansect examples
+@chapheading Examples
+
+@example
+$ watchgnupg --force --time-only $(gpgconf --list-dirs socketdir)/S.log
+@end example
+
+This waits for connections on the local socket
+(e.g. @file{/home/foo/.gnupg/S.log}) and shows all log entries. To
+make this work the option @option{log-file} needs to be used with all
+modules which logs are to be shown. The suggested entry for the
+configuration files is:
+
+@example
+log-file socket://
+@end example
+
+If the default socket as given above and returned by "echo $(gpgconf
+--list-dirs socketdir)/S.log" is not desired an arbitrary socket name
+can be specified, for example @file{socket:///home/foo/bar/mysocket}.
+For debugging purposes it is also possible to do remote logging. Take
+care if you use this feature because the information is send in the
+clear over the network. Use this syntax in the conf files:
+
+@example
+log-file tcp://192.168.1.1:4711
+@end example
+
+You may use any port and not just 4711 as shown above; only IP
+addresses are supported (v4 and v6) and no host names. You need to
+start @command{watchgnupg} with the @option{tcp} option. Note that
+under Windows the registry entry
+@var{HKCU\Software\GNU\GnuPG:DefaultLogFile} can be used to change the
+default log output from @code{stderr} to whatever is given by that
+entry. However the only useful entry is a TCP name for remote
+debugging.
+
+
+@mansect see also
+@ifset isman
+@command{gpg}(1),
+@command{gpgsm}(1),
+@command{gpg-agent}(1),
+@command{scdaemon}(1)
+@end ifset
+@include see-also-note.texi
+
+
+@c
+@c GPGV
+@c
+@include gpgv.texi
+
+
+@c
+@c ADDGNUPGHOME
+@c
+@manpage addgnupghome.8
+@node addgnupghome
+@section Create .gnupg home directories
+@ifset manverb
+.B addgnupghome
+\- Create .gnupg home directories
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B addgnupghome
+.I account_1
+.IR account_2 ... account_n
+@end ifset
+
+@mansect description
+If GnuPG is installed on a system with existing user accounts, it is
+sometimes required to populate the GnuPG home directory with existing
+files. Especially a @file{trustlist.txt} and a keybox with some
+initial certificates are often desired. This script helps to do this
+by copying all files from @file{/etc/skel/.gnupg} to the home
+directories of the accounts given on the command line. It takes care
+not to overwrite existing GnuPG home directories.
+
+@noindent
+@command{addgnupghome} is invoked by root as:
+
+@example
+addgnupghome account1 account2 ... accountn
+@end example
+
+
+@c
+@c GPGCONF
+@c
+@manpage gpgconf.1
+@node gpgconf
+@section Modify .gnupg home directories
+@ifset manverb
+.B gpgconf
+\- Modify .gnupg home directories
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgconf
+.RI [ options ]
+.B \-\-list-components
+.br
+.B gpgconf
+.RI [ options ]
+.B \-\-list-options
+.I component
+.br
+.B gpgconf
+.RI [ options ]
+.B \-\-change-options
+.I component
+@end ifset
+
+
+@mansect description
+The @command{gpgconf} is a utility to automatically and reasonable
+safely query and modify configuration files in the @file{.gnupg} home
+directory. It is designed not to be invoked manually by the user, but
+automatically by graphical user interfaces (GUI).@footnote{Please note
+that currently no locking is done, so concurrent access should be
+avoided. There are some precautions to avoid corruption with
+concurrent usage, but results may be inconsistent and some changes may
+get lost. The stateless design makes it difficult to provide more
+guarantees.}
+
+@command{gpgconf} provides access to the configuration of one or more
+components of the GnuPG system. These components correspond more or
+less to the programs that exist in the GnuPG framework, like GPG,
+GPGSM, DirMngr, etc. But this is not a strict one-to-one
+relationship. Not all configuration options are available through
+@command{gpgconf}. @command{gpgconf} provides a generic and abstract
+method to access the most important configuration options that can
+feasibly be controlled via such a mechanism.
+
+@command{gpgconf} can be used to gather and change the options
+available in each component, and can also provide their default
+values. @command{gpgconf} will give detailed type information that
+can be used to restrict the user's input without making an attempt to
+commit the changes.
+
+@command{gpgconf} provides the backend of a configuration editor. The
+configuration editor would usually be a graphical user interface
+program that displays the current options, their default
+values, and allows the user to make changes to the options. These
+changes can then be made active with @command{gpgconf} again. Such a
+program that uses @command{gpgconf} in this way will be called GUI
+throughout this section.
+
+@menu
+* Invoking gpgconf:: List of all commands and options.
+* Format conventions:: Formatting conventions relevant for all commands.
+* Listing components:: List all gpgconf components.
+* Checking programs:: Check all programs known to gpgconf.
+* Listing options:: List all options of a component.
+* Changing options:: Changing options of a component.
+* Listing global options:: List all global options.
+* Querying versions:: Get and compare software versions.
+* Files used by gpgconf:: What files are used by gpgconf.
+@end menu
+
+@manpause
+@node Invoking gpgconf
+@subsection Invoking gpgconf
+
+@mansect commands
+One of the following commands must be given:
+
+@table @gnupgtabopt
+
+@item --list-components
+List all components. This is the default command used if none is
+specified.
+
+@item --check-programs
+List all available backend programs and test whether they are runnable.
+
+@item --list-options @var{component}
+List all options of the component @var{component}.
+
+@item --change-options @var{component}
+Change the options of the component @var{component}.
+
+@item --check-options @var{component}
+Check the options for the component @var{component}.
+
+@item --apply-profile @var{file}
+Apply the configuration settings listed in @var{file} to the
+configuration files. If @var{file} has no suffix and no slashes the
+command first tries to read a file with the suffix @code{.prf} from
+the data directory (@code{gpgconf --list-dirs datadir}) before it
+reads the file verbatim. A profile is divided into sections using the
+bracketed component name. Each section then lists the option which
+shall go into the respective configuration file.
+
+@item --apply-defaults
+Update all configuration files with values taken from the global
+configuration file (usually @file{/etc/gnupg/gpgconf.conf}).
+Note: This is a legacy mechanism. Please use global configuraion
+files instead.
+
+@item --list-dirs [@var{names}]
+@itemx -L
+Lists the directories used by @command{gpgconf}. One directory is
+listed per line, and each line consists of a colon-separated list where
+the first field names the directory type (for example @code{sysconfdir})
+and the second field contains the percent-escaped directory. Although
+they are not directories, the socket file names used by
+@command{gpg-agent} and @command{dirmngr} are printed as well. Note
+that the socket file names and the @code{homedir} lines are the default
+names and they may be overridden by command line switches. If
+@var{names} are given only the directories or file names specified by
+the list names are printed without any escaping.
+
+@item --list-config [@var{filename}]
+List the global configuration file in a colon separated format. If
+@var{filename} is given, check that file instead.
+
+@item --check-config [@var{filename}]
+Run a syntax check on the global configuration file. If @var{filename}
+is given, check that file instead.
+
+
+@item --query-swdb @var{package_name} [@var{version_string}]
+Returns the current version for @var{package_name} and if
+@var{version_string} is given also an indicator on whether an update
+is available. The actual file with the software version is
+automatically downloaded and checked by @command{dirmngr}.
+@command{dirmngr} uses a thresholds to avoid download the file too
+often and it does this by default only if it can be done via Tor. To
+force an update of that file this command can be used:
+
+@example
+ gpg-connect-agent --dirmngr 'loadswdb --force' /bye
+@end example
+
+@item --reload [@var{component}]
+@itemx -R
+@opindex reload
+Reload all or the given component. This is basically the same as
+sending a SIGHUP to the component. Components which don't support
+reloading are ignored. Without @var{component} or by using "all" for
+@var{component} all components which are daemons are reloaded.
+
+@item --launch [@var{component}]
+@opindex launch
+If the @var{component} is not already running, start it.
+@command{component} must be a daemon. This is in general not required
+because the system starts these daemons as needed. However, external
+software making direct use of @command{gpg-agent} or @command{dirmngr}
+may use this command to ensure that they are started. Using "all" for
+@var{component} launches all components which are daemons.
+
+@item --kill [@var{component}]
+@itemx -K
+@opindex kill
+Kill the given component that runs as a daemon, including
+@command{gpg-agent}, @command{dirmngr}, and @command{scdaemon}. A
+@command{component} which does not run as a daemon will be ignored.
+Using "all" for @var{component} kills all components running as
+daemons. Note that as of now reload and kill have the same effect for
+@command{scdaemon}.
+
+@item --create-socketdir
+@opindex create-socketdir
+Create a directory for sockets below /run/user or /var/run/user. This
+is command is only required if a non default home directory is used
+and the /run based sockets shall be used. For the default home
+directory GnUPG creates a directory on the fly.
+
+@item --remove-socketdir
+@opindex remove-socketdir
+Remove a directory created with command @option{--create-socketdir}.
+
+@end table
+
+
+@mansect options
+
+The following options may be used:
+
+@table @gnupgtabopt
+
+@item -o @var{file}
+@itemx --output @var{file}
+Write output to @var{file}. Default is to write to stdout.
+
+@item -v
+@itemx --verbose
+Outputs additional information while running. Specifically, this
+extends numerical field values by human-readable descriptions.
+
+@item -q
+@itemx --quiet
+@opindex quiet
+Try to be as quiet as possible.
+
+@include opt-homedir.texi
+
+@item -n
+@itemx --dry-run
+Do not actually change anything. This is currently only implemented
+for @code{--change-options} and can be used for testing purposes.
+
+@item -r
+@itemx --runtime
+Only used together with @code{--change-options}. If one of the
+modified options can be changed in a running daemon process, signal
+the running daemon to ask it to reparse its configuration file after
+changing.
+
+This means that the changes will take effect at run-time, as far as
+this is possible. Otherwise, they will take effect at the next start
+of the respective backend programs.
+
+@item --status-fd @var{n}
+@opindex status-fd
+Write special status strings to the file descriptor @var{n}. This
+program returns the status messages SUCCESS or FAILURE which are
+helpful when the caller uses a double fork approach and can't easily
+get the return code of the process.
+
+@manpause
+@end table
+
+
+@node Format conventions
+@subsection Format conventions
+
+Some lines in the output of @command{gpgconf} contain a list of
+colon-separated fields. The following conventions apply:
+
+@itemize @bullet
+@item
+The GUI program is required to strip off trailing newline and/or
+carriage return characters from the output.
+
+@item
+@command{gpgconf} will never leave out fields. If a certain version
+provides a certain field, this field will always be present in all
+@command{gpgconf} versions from that time on.
+
+@item
+Future versions of @command{gpgconf} might append fields to the list.
+New fields will always be separated from the previously last field by
+a colon separator. The GUI should be prepared to parse the last field
+it knows about up until a colon or end of line.
+
+@item
+Not all fields are defined under all conditions. You are required to
+ignore the content of undefined fields.
+@end itemize
+
+There are several standard types for the content of a field:
+
+@table @asis
+@item verbatim
+Some fields contain strings that are not escaped in any way. Such
+fields are described to be used @emph{verbatim}. These fields will
+never contain a colon character (for obvious reasons). No de-escaping
+or other formatting is required to use the field content. This is for
+easy parsing of the output, when it is known that the content can
+never contain any special characters.
+
+@item percent-escaped
+Some fields contain strings that are described to be
+@emph{percent-escaped}. Such strings need to be de-escaped before
+their content can be presented to the user. A percent-escaped string
+is de-escaped by replacing all occurrences of @code{%XY} by the byte
+that has the hexadecimal value @code{XY}. @code{X} and @code{Y} are
+from the set @code{0-9a-f}.
+
+@item localized
+Some fields contain strings that are described to be @emph{localized}.
+Such strings are translated to the active language and formatted in
+the active character set.
+
+@item @w{unsigned number}
+Some fields contain an @emph{unsigned number}. This number will
+always fit into a 32-bit unsigned integer variable. The number may be
+followed by a space, followed by a human readable description of that
+value (if the verbose option is used). You should ignore everything
+in the field that follows the number.
+
+@item @w{signed number}
+Some fields contain a @emph{signed number}. This number will always
+fit into a 32-bit signed integer variable. The number may be followed
+by a space, followed by a human readable description of that value (if
+the verbose option is used). You should ignore everything in the
+field that follows the number.
+
+@item @w{boolean value}
+Some fields contain a @emph{boolean value}. This is a number with
+either the value 0 or 1. The number may be followed by a space,
+followed by a human readable description of that value (if the verbose
+option is used). You should ignore everything in the field that follows
+the number; checking just the first character is sufficient in this
+case.
+
+@item option
+Some fields contain an @emph{option} argument. The format of an
+option argument depends on the type of the option and on some flags:
+
+@table @asis
+@item no argument
+The simplest case is that the option does not take an argument at all
+(@var{type} @code{0}). Then the option argument is an unsigned number
+that specifies how often the option occurs. If the @code{list} flag
+is not set, then the only valid number is @code{1}. Options that do
+not take an argument never have the @code{default} or @code{optional
+arg} flag set.
+
+@item number
+If the option takes a number argument (@var{alt-type} is @code{2} or
+@code{3}), and it can only occur once (@code{list} flag is not set),
+then the option argument is either empty (only allowed if the argument
+is optional), or it is a number. A number is a string that begins
+with an optional minus character, followed by one or more digits. The
+number must fit into an integer variable (unsigned or signed,
+depending on @var{alt-type}).
+
+@item number list
+If the option takes a number argument and it can occur more than once,
+then the option argument is either empty, or it is a comma-separated
+list of numbers as described above.
+
+@item string
+If the option takes a string argument (@var{alt-type} is 1), and it
+can only occur once (@code{list} flag is not set) then the option
+argument is either empty (only allowed if the argument is optional),
+or it starts with a double quote character (@code{"}) followed by a
+percent-escaped string that is the argument value. Note that there is
+only a leading double quote character, no trailing one. The double
+quote character is only needed to be able to differentiate between no
+value and the empty string as value.
+
+@item string list
+If the option takes a string argument and it can occur more than once,
+then the option argument is either empty, or it is a comma-separated
+list of string arguments as described above.
+@end table
+@end table
+
+The active language and character set are currently determined from
+the locale environment of the @command{gpgconf} program.
+
+@c FIXME: Document the active language and active character set. Allow
+@c to change it via the command line?
+
+
+@mansect usage
+@node Listing components
+@subsection Listing components
+
+The command @code{--list-components} will list all components that can
+be configured with @command{gpgconf}. Usually, one component will
+correspond to one GnuPG-related program and contain the options of
+that program's configuration file that can be modified using
+@command{gpgconf}. However, this is not necessarily the case. A
+component might also be a group of selected options from several
+programs, or contain entirely virtual options that have a special
+effect rather than changing exactly one option in one configuration
+file.
+
+A component is a set of configuration options that semantically belong
+together. Furthermore, several changes to a component can be made in
+an atomic way with a single operation. The GUI could for example
+provide a menu with one entry for each component, or a window with one
+tabulator sheet per component.
+
+The command @code{--list-components} lists all available
+components, one per line. The format of each line is:
+
+@code{@var{name}:@var{description}:@var{pgmname}:}
+
+@table @var
+@item name
+This field contains a name tag of the component. The name tag is used
+to specify the component in all communication with @command{gpgconf}.
+The name tag is to be used @emph{verbatim}. It is thus not in any
+escaped format.
+
+@item description
+The @emph{string} in this field contains a human-readable description
+of the component. It can be displayed to the user of the GUI for
+informational purposes. It is @emph{percent-escaped} and
+@emph{localized}.
+
+@item pgmname
+The @emph{string} in this field contains the absolute name of the
+program's file. It can be used to unambiguously invoke that program.
+It is @emph{percent-escaped}.
+@end table
+
+Example:
+@example
+$ gpgconf --list-components
+gpg:GPG for OpenPGP:/usr/local/bin/gpg2:
+gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:
+scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:
+gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:
+dirmngr:Directory Manager:/usr/local/bin/dirmngr:
+@end example
+
+
+
+@node Checking programs
+@subsection Checking programs
+
+The command @code{--check-programs} is similar to
+@code{--list-components} but works on backend programs and not on
+components. It runs each program to test whether it is installed and
+runnable. This also includes a syntax check of all config file options
+of the program.
+
+The command @code{--check-programs} lists all available
+programs, one per line. The format of each line is:
+
+@code{@var{name}:@var{description}:@var{pgmname}:@var{avail}:@var{okay}:@var{cfgfile}:@var{line}:@var{error}:}
+
+@table @var
+@item name
+This field contains a name tag of the program which is identical to the
+name of the component. The name tag is to be used @emph{verbatim}. It
+is thus not in any escaped format. This field may be empty to indicate
+a continuation of error descriptions for the last name. The description
+and pgmname fields are then also empty.
+
+@item description
+The @emph{string} in this field contains a human-readable description
+of the component. It can be displayed to the user of the GUI for
+informational purposes. It is @emph{percent-escaped} and
+@emph{localized}.
+
+@item pgmname
+The @emph{string} in this field contains the absolute name of the
+program's file. It can be used to unambiguously invoke that program.
+It is @emph{percent-escaped}.
+
+@item avail
+The @emph{boolean value} in this field indicates whether the program is
+installed and runnable.
+
+@item okay
+The @emph{boolean value} in this field indicates whether the program's
+config file is syntactically okay.
+
+@item cfgfile
+If an error occurred in the configuration file (as indicated by a false
+value in the field @code{okay}), this field has the name of the failing
+configuration file. It is @emph{percent-escaped}.
+
+@item line
+If an error occurred in the configuration file, this field has the line
+number of the failing statement in the configuration file.
+It is an @emph{unsigned number}.
+
+@item error
+If an error occurred in the configuration file, this field has the error
+text of the failing statement in the configuration file. It is
+@emph{percent-escaped} and @emph{localized}.
+
+@end table
+
+@noindent
+In the following example the @command{dirmngr} is not runnable and the
+configuration file of @command{scdaemon} is not okay.
+
+@example
+$ gpgconf --check-programs
+gpg:GPG for OpenPGP:/usr/local/bin/gpg2:1:1:
+gpg-agent:GPG Agent:/usr/local/bin/gpg-agent:1:1:
+scdaemon:Smartcard Daemon:/usr/local/bin/scdaemon:1:0:
+gpgsm:GPG for S/MIME:/usr/local/bin/gpgsm:1:1:
+dirmngr:Directory Manager:/usr/local/bin/dirmngr:0:0:
+@end example
+
+@noindent
+The command @w{@code{--check-options @var{component}}} will verify the
+configuration file in the same manner as @code{--check-programs}, but
+only for the component @var{component}.
+
+
+@node Listing options
+@subsection Listing options
+
+Every component contains one or more options. Options may be gathered
+into option groups to allow the GUI to give visual hints to the user
+about which options are related.
+
+The command @code{@w{--list-options @var{component}}} lists
+all options (and the groups they belong to) in the component
+@var{component}, one per line. @var{component} must be the string in
+the field @var{name} in the output of the @code{--list-components}
+command.
+
+Take care if system-wide options are used: gpgconf may not be able to
+properly show the options and the listed options may have no actual
+effect in case the system-wide options enforced their own settings.
+
+There is one line for each option and each group. First come all
+options that are not in any group. Then comes a line describing a
+group. Then come all options that belong into each group. Then comes
+the next group and so on. There does not need to be any group (and in
+this case the output will stop after the last non-grouped option).
+
+The format of each line is:
+
+@code{@var{name}:@var{flags}:@var{level}:@var{description}:@var{type}:@var{alt-type}:@var{argname}:@var{default}:@var{argdef}:@var{value}}
+
+@table @var
+@item name
+This field contains a name tag for the group or option. The name tag
+is used to specify the group or option in all communication with
+@command{gpgconf}. The name tag is to be used @emph{verbatim}. It is
+thus not in any escaped format.
+
+@item flags
+The flags field contains an @emph{unsigned number}. Its value is the
+OR-wise combination of the following flag values:
+
+@table @code
+@item group (1)
+If this flag is set, this is a line describing a group and not an
+option.
+@end table
+
+The following flag values are only defined for options (that is, if
+the @code{group} flag is not used).
+
+@table @code
+@item optional arg (2)
+If this flag is set, the argument is optional. This is never set for
+@var{type} @code{0} (none) options.
+
+@item list (4)
+If this flag is set, the option can be given multiple times.
+
+@item runtime (8)
+If this flag is set, the option can be changed at runtime.
+
+@item default (16)
+If this flag is set, a default value is available.
+
+@item default desc (32)
+If this flag is set, a (runtime) default is available. This and the
+@code{default} flag are mutually exclusive.
+
+@item no arg desc (64)
+If this flag is set, and the @code{optional arg} flag is set, then the
+option has a special meaning if no argument is given.
+
+@item no change (128)
+If this flag is set, @command{gpgconf} ignores requests to change the
+value. GUI frontends should grey out this option. Note, that manual
+changes of the configuration files are still possible.
+@end table
+
+@item level
+This field is defined for options and for groups. It contains an
+@emph{unsigned number} that specifies the expert level under which
+this group or option should be displayed. The following expert levels
+are defined for options (they have analogous meaning for groups):
+
+@table @code
+@item basic (0)
+This option should always be offered to the user.
+
+@item advanced (1)
+This option may be offered to advanced users.
+
+@item expert (2)
+This option should only be offered to expert users.
+
+@item invisible (3)
+This option should normally never be displayed, not even to expert
+users.
+
+@item internal (4)
+This option is for internal use only. Ignore it.
+@end table
+
+The level of a group will always be the lowest level of all options it
+contains.
+
+@item description
+This field is defined for options and groups. The @emph{string} in
+this field contains a human-readable description of the option or
+group. It can be displayed to the user of the GUI for informational
+purposes. It is @emph{percent-escaped} and @emph{localized}.
+
+@item type
+This field is only defined for options. It contains an @emph{unsigned
+number} that specifies the type of the option's argument, if any. The
+following types are defined:
+
+Basic types:
+
+@table @code
+@item none (0)
+No argument allowed.
+
+@item string (1)
+An @emph{unformatted string}.
+
+@item int32 (2)
+A @emph{signed number}.
+
+@item uint32 (3)
+An @emph{unsigned number}.
+@end table
+
+Complex types:
+
+@table @code
+@item pathname (32)
+A @emph{string} that describes the pathname of a file. The file does
+not necessarily need to exist.
+
+@item ldap server (33)
+A @emph{string} that describes an LDAP server in the format:
+
+@code{@var{hostname}:@var{port}:@var{username}:@var{password}:@var{base_dn}}
+
+@item key fingerprint (34)
+A @emph{string} with a 40 digit fingerprint specifying a certificate.
+
+@item pub key (35)
+A @emph{string} that describes a certificate by user ID, key ID or
+fingerprint.
+
+@item sec key (36)
+A @emph{string} that describes a certificate with a key by user ID,
+key ID or fingerprint.
+
+@item alias list (37)
+A @emph{string} that describes an alias list, like the one used with
+gpg's group option. The list consists of a key, an equal sign and space
+separated values.
+@end table
+
+More types will be added in the future. Please see the @var{alt-type}
+field for information on how to cope with unknown types.
+
+@item alt-type
+This field is identical to @var{type}, except that only the types
+@code{0} to @code{31} are allowed. The GUI is expected to present the
+user the option in the format specified by @var{type}. But if the
+argument type @var{type} is not supported by the GUI, it can still
+display the option in the more generic basic type @var{alt-type}. The
+GUI must support all the defined basic types to be able to display all
+options. More basic types may be added in future versions. If the
+GUI encounters a basic type it doesn't support, it should report an
+error and abort the operation.
+
+@item argname
+This field is only defined for options with an argument type
+@var{type} that is not @code{0}. In this case it may contain a
+@emph{percent-escaped} and @emph{localized string} that gives a short
+name for the argument. The field may also be empty, though, in which
+case a short name is not known.
+
+@item default
+This field is defined only for options for which the @code{default} or
+@code{default desc} flag is set. If the @code{default} flag is set,
+its format is that of an @emph{option argument} (@pxref{Format
+conventions}, for details). If the default value is empty, then no
+default is known. Otherwise, the value specifies the default value
+for this option. If the @code{default desc} flag is set, the field is
+either empty or contains a description of the effect if the option is
+not given.
+
+@item argdef
+This field is defined only for options for which the @code{optional
+arg} flag is set. If the @code{no arg desc} flag is not set, its
+format is that of an @emph{option argument} (@pxref{Format
+conventions}, for details). If the default value is empty, then no
+default is known. Otherwise, the value specifies the default argument
+for this option. If the @code{no arg desc} flag is set, the field is
+either empty or contains a description of the effect of this option if
+no argument is given.
+
+@item value
+This field is defined only for options. Its format is that of an
+@emph{option argument}. If it is empty, then the option is not
+explicitly set in the current configuration, and the default applies
+(if any). Otherwise, it contains the current value of the option.
+Note that this field is also meaningful if the option itself does not
+take a real argument (in this case, it contains the number of times
+the option appears).
+@end table
+
+
+@node Changing options
+@subsection Changing options
+
+The command @w{@code{--change-options @var{component}}} will attempt
+to change the options of the component @var{component} to the
+specified values. @var{component} must be the string in the field
+@var{name} in the output of the @code{--list-components} command. You
+have to provide the options that shall be changed in the following
+format on standard input:
+
+@code{@var{name}:@var{flags}:@var{new-value}}
+
+@table @var
+@item name
+This is the name of the option to change. @var{name} must be the
+string in the field @var{name} in the output of the
+@code{--list-options} command.
+
+@item flags
+The flags field contains an @emph{unsigned number}. Its value is the
+OR-wise combination of the following flag values:
+
+@table @code
+@item default (16)
+If this flag is set, the option is deleted and the default value is
+used instead (if applicable).
+@end table
+
+@item new-value
+The new value for the option. This field is only defined if the
+@code{default} flag is not set. The format is that of an @emph{option
+argument}. If it is empty (or the field is omitted), the default
+argument is used (only allowed if the argument is optional for this
+option). Otherwise, the option will be set to the specified value.
+@end table
+
+@noindent
+The output of the command is the same as that of
+@code{--check-options} for the modified configuration file.
+
+Examples:
+
+To set the force option, which is of basic type @code{none (0)}:
+
+@example
+$ echo 'force:0:1' | gpgconf --change-options dirmngr
+@end example
+
+To delete the force option:
+
+@example
+$ echo 'force:16:' | gpgconf --change-options dirmngr
+@end example
+
+The @code{--runtime} option can influence when the changes take
+effect.
+
+
+@node Listing global options
+@subsection Listing global options
+
+Some legacy applications look at the global configuration file for the
+gpgconf tool itself; this is the file @file{gpgconf.conf}. Modern
+applications should not use it but use per component global
+configuration files which are more flexible than the
+@file{gpgconf.conf}. Using both files is not suggested.
+
+The colon separated listing format is record oriented and uses the first
+field to identify the record type:
+
+@table @code
+@item k
+This describes a key record to start the definition of a new ruleset for
+a user/group. The format of a key record is:
+
+ @code{k:@var{user}:@var{group}:}
+
+@table @var
+@item user
+This is the user field of the key. It is percent escaped. See the
+definition of the gpgconf.conf format for details.
+
+@item group
+This is the group field of the key. It is percent escaped.
+@end table
+
+@item r
+This describes a rule record. All rule records up to the next key record
+make up a rule set for that key. The format of a rule record is:
+
+ @code{r:::@var{component}:@var{option}:@var{flag}:@var{value}:}
+
+@table @var
+@item component
+This is the component part of a rule. It is a plain string.
+
+@item option
+This is the option part of a rule. It is a plain string.
+
+@item flag
+This is the flags part of a rule. There may be only one flag per rule
+but by using the same component and option, several flags may be
+assigned to an option. It is a plain string.
+
+@item value
+This is the optional value for the option. It is a percent escaped
+string with a single quotation mark to indicate a string. The quotation
+mark is only required to distinguish between no value specified and an
+empty string.
+@end table
+
+@end table
+
+@noindent
+Unknown record types should be ignored. Note that there is intentionally
+no feature to change the global option file through @command{gpgconf}.
+
+
+@node Querying versions
+@subsection Get and compare software versions.
+
+The GnuPG Project operates a server to query the current versions of
+software packages related to GnuPG. @command{gpgconf} can be used to
+access this online database. To allow for offline operations, this
+feature works by having @command{dirmngr} download a file from
+@code{https://versions.gnupg.org}, checking the signature of that file
+and storing the file in the GnuPG home directory. If
+@command{gpgconf} is used and @command{dirmngr} is running, it may ask
+@command{dirmngr} to refresh that file before itself uses the file.
+
+The command @option{--query-swdb} returns information for the given
+package in a colon delimited format:
+
+@table @var
+
+@item name
+This is the name of the package as requested. Note that "gnupg" is a
+special name which is replaced by the actual package implementing this
+version of GnuPG. For this name it is also not required to specify a
+version because @command{gpgconf} takes its own version in this case.
+
+@item iversion
+The currently installed version or an empty string. The value is
+taken from the command line argument but may be provided by gpg
+if not given.
+
+@item status
+The status of the software package according to this table:
+@table @code
+@item -
+No information available. This is either because no current version
+has been specified or due to an error.
+@item ?
+The given name is not known in the online database.
+@item u
+An update of the software is available.
+@item c
+The installed version of the software is current.
+@item n
+The installed version is already newer than the released version.
+@end table
+
+@item urgency
+If the value (the empty string should be considered as zero) is
+greater than zero an important update is available.
+
+@item error
+This returns an @command{gpg-error} error code to distinguish between
+various failure modes.
+
+@item filedate
+This gives the date of the file with the version numbers in standard
+ISO format (@code{yyyymmddThhmmss}). The date has been extracted by
+@command{dirmngr} from the signature of the file.
+
+@item verified
+This gives the date in ISO format the file was downloaded. This value
+can be used to evaluate the freshness of the information.
+
+@item version
+This returns the version string for the requested software from the
+file.
+
+@item reldate
+This returns the release date in ISO format.
+
+@item size
+This returns the size of the package as decimal number of bytes.
+
+@item hash
+This returns a hexified SHA-2 hash of the package.
+
+@end table
+
+@noindent
+More fields may be added in future to the output.
+
+
+@mansect files
+@node Files used by gpgconf
+@subsection Files used by gpgconf
+
+@table @file
+
+@item /etc/gnupg/gpgconf.conf
+@cindex gpgconf.conf
+ If this file exists, it is processed as a global configuration file.
+ This is a legacy mechanism which should not be used tigether with
+ the modern global per component configuration files. A commented
+ example can be found in the @file{examples} directory of the
+ distribution.
+
+@item @var{GNUPGHOME}/swdb.lst
+@cindex swdb.lst
+ A file with current software versions. @command{dirmngr} creates
+ this file on demand from an online resource.
+
+@end table
+
+
+@mansect see also
+@ifset isman
+@command{gpg}(1),
+@command{gpgsm}(1),
+@command{gpg-agent}(1),
+@command{scdaemon}(1),
+@command{dirmngr}(1)
+@end ifset
+@include see-also-note.texi
+
+
+
+@c
+@c APPLYGNUPGDEFAULTS
+@c
+@manpage applygnupgdefaults.8
+@node applygnupgdefaults
+@section Run gpgconf for all users
+@ifset manverb
+.B applygnupgdefaults
+\- Run gpgconf --apply-defaults for all users.
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B applygnupgdefaults
+@end ifset
+
+@mansect description
+This is a legacy script. Modern application should use the per
+component global configuration files under @file{/etc/gnupg/}.
+
+This script is a wrapper around @command{gpgconf} to run it with the
+command @code{--apply-defaults} for all real users with an existing
+GnuPG home directory. Admins might want to use this script to update he
+GnuPG configuration files for all users after
+@file{/etc/gnupg/gpgconf.conf} has been changed. This allows enforcing
+certain policies for all users. Note, that this is not a bulletproof way to
+force a user to use certain options. A user may always directly edit
+the configuration files and bypass gpgconf.
+
+@noindent
+@command{applygnupgdefaults} is invoked by root as:
+
+@example
+applygnupgdefaults
+@end example
+
+
+@c
+@c GPG-PRESET-PASSPHRASE
+@c
+@node gpg-preset-passphrase
+@section Put a passphrase into the cache
+@manpage gpg-preset-passphrase.1
+@ifset manverb
+.B gpg-preset-passphrase
+\- Put a passphrase into gpg-agent's cache
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg-preset-passphrase
+.RI [ options ]
+.RI [ command ]
+.I cache-id
+@end ifset
+
+@mansect description
+The @command{gpg-preset-passphrase} is a utility to seed the internal
+cache of a running @command{gpg-agent} with passphrases. It is mainly
+useful for unattended machines, where the usual @command{pinentry} tool
+may not be used and the passphrases for the to be used keys are given at
+machine startup.
+
+This program works with GnuPG 2 and later. GnuPG 1.x is not supported.
+
+Passphrases set with this utility don't expire unless the
+@option{--forget} option is used to explicitly clear them from the
+cache --- or @command{gpg-agent} is either restarted or reloaded (by
+sending a SIGHUP to it). Note that the maximum cache time as set with
+@option{--max-cache-ttl} is still honored. It is necessary to allow
+this passphrase presetting by starting @command{gpg-agent} with the
+@option{--allow-preset-passphrase}.
+
+@menu
+* Invoking gpg-preset-passphrase:: List of all commands and options.
+@end menu
+
+@manpause
+@node Invoking gpg-preset-passphrase
+@subsection List of all commands and options
+@mancont
+
+@noindent
+@command{gpg-preset-passphrase} is invoked this way:
+
+@example
+gpg-preset-passphrase [options] [command] @var{cacheid}
+@end example
+
+@var{cacheid} is either a 40 character keygrip of hexadecimal
+characters identifying the key for which the passphrase should be set
+or cleared. The keygrip is listed along with the key when running the
+command: @code{gpgsm --with-keygrip --list-secret-keys}.
+Alternatively an arbitrary string may be used to identify a
+passphrase; it is suggested that such a string is prefixed with the
+name of the application (e.g @code{foo:12346}). Scripts should always
+use the option @option{--with-colons}, which provides the keygrip in a
+"grp" line (cf. @file{doc/DETAILS})/
+
+@noindent
+One of the following command options must be given:
+
+@table @gnupgtabopt
+@item --preset
+@opindex preset
+Preset a passphrase. This is what you usually will
+use. @command{gpg-preset-passphrase} will then read the passphrase from
+@code{stdin}.
+
+@item --forget
+@opindex forget
+Flush the passphrase for the given cache ID from the cache.
+
+@end table
+
+@noindent
+The following additional options may be used:
+
+@table @gnupgtabopt
+@item -v
+@itemx --verbose
+@opindex verbose
+Output additional information while running.
+
+@item -P @var{string}
+@itemx --passphrase @var{string}
+@opindex passphrase
+Instead of reading the passphrase from @code{stdin}, use the supplied
+@var{string} as passphrase. Note that this makes the passphrase visible
+for other users.
+@end table
+
+@mansect see also
+@ifset isman
+@command{gpg}(1),
+@command{gpgsm}(1),
+@command{gpg-agent}(1),
+@command{scdaemon}(1)
+@end ifset
+@include see-also-note.texi
+
+
+
+
+@c
+@c GPG-CONNECT-AGENT
+@c
+@node gpg-connect-agent
+@section Communicate with a running agent
+@manpage gpg-connect-agent.1
+@ifset manverb
+.B gpg-connect-agent
+\- Communicate with a running agent
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg-connect-agent
+.RI [ options ] [commands]
+@end ifset
+
+@mansect description
+The @command{gpg-connect-agent} is a utility to communicate with a
+running @command{gpg-agent}. It is useful to check out the commands
+@command{gpg-agent} provides using the Assuan interface. It might
+also be useful for scripting simple applications. Input is expected
+at stdin and output gets printed to stdout.
+
+It is very similar to running @command{gpg-agent} in server mode; but
+here we connect to a running instance.
+
+@menu
+* Invoking gpg-connect-agent:: List of all options.
+* Controlling gpg-connect-agent:: Control commands.
+@end menu
+
+@manpause
+@node Invoking gpg-connect-agent
+@subsection List of all options
+
+@noindent
+@command{gpg-connect-agent} is invoked this way:
+
+@example
+gpg-connect-agent [options] [commands]
+@end example
+@mancont
+
+@noindent
+The following options may be used:
+
+@table @gnupgtabopt
+@item -v
+@itemx --verbose
+@opindex verbose
+Output additional information while running.
+
+@item -q
+@item --quiet
+@opindex q
+@opindex quiet
+Try to be as quiet as possible.
+
+@include opt-homedir.texi
+
+@item --agent-program @var{file}
+@opindex agent-program
+Specify the agent program to be started if none is running. The
+default value is determined by running @command{gpgconf} with the
+option @option{--list-dirs}. Note that the pipe symbol (@code{|}) is
+used for a regression test suite hack and may thus not be used in the
+file name.
+
+@item --dirmngr-program @var{file}
+@opindex dirmngr-program
+Specify the directory manager (keyserver client) program to be started
+if none is running. This has only an effect if used together with the
+option @option{--dirmngr}.
+
+@item --dirmngr
+@opindex dirmngr
+Connect to a running directory manager (keyserver client) instead of
+to the gpg-agent. If a dirmngr is not running, start it.
+
+@item -S
+@itemx --raw-socket @var{name}
+@opindex raw-socket
+Connect to socket @var{name} assuming this is an Assuan style server.
+Do not run any special initializations or environment checks. This may
+be used to directly connect to any Assuan style socket server.
+
+@item -E
+@itemx --exec
+@opindex exec
+Take the rest of the command line as a program and it's arguments and
+execute it as an Assuan server. Here is how you would run @command{gpgsm}:
+@smallexample
+ gpg-connect-agent --exec gpgsm --server
+@end smallexample
+Note that you may not use options on the command line in this case.
+
+@item --no-ext-connect
+@opindex no-ext-connect
+When using @option{-S} or @option{--exec}, @command{gpg-connect-agent}
+connects to the Assuan server in extended mode to allow descriptor
+passing. This option makes it use the old mode.
+
+@item --no-autostart
+@opindex no-autostart
+Do not start the gpg-agent or the dirmngr if it has not yet been
+started.
+
+@item -r @var{file}
+@itemx --run @var{file}
+@opindex run
+Run the commands from @var{file} at startup and then continue with the
+regular input method. Note, that commands given on the command line are
+executed after this file.
+
+@item -s
+@itemx --subst
+@opindex subst
+Run the command @code{/subst} at startup.
+
+@item --hex
+@opindex hex
+Print data lines in a hex format and the ASCII representation of
+non-control characters.
+
+@item --decode
+@opindex decode
+Decode data lines. That is to remove percent escapes but make sure that
+a new line always starts with a D and a space.
+
+@end table
+
+@mansect control commands
+@node Controlling gpg-connect-agent
+@subsection Control commands
+
+While reading Assuan commands, gpg-agent also allows a few special
+commands to control its operation. These control commands all start
+with a slash (@code{/}).
+
+@table @code
+
+@item /echo @var{args}
+Just print @var{args}.
+
+@item /let @var{name} @var{value}
+Set the variable @var{name} to @var{value}. Variables are only
+substituted on the input if the @command{/subst} has been used.
+Variables are referenced by prefixing the name with a dollar sign and
+optionally include the name in curly braces. The rules for a valid name
+are identically to those of the standard bourne shell. This is not yet
+enforced but may be in the future. When used with curly braces no
+leading or trailing white space is allowed.
+
+If a variable is not found, it is searched in the environment and if
+found copied to the table of variables.
+
+Variable functions are available: The name of the function must be
+followed by at least one space and the at least one argument. The
+following functions are available:
+
+@table @code
+@item get
+Return a value described by the argument. Available arguments are:
+
+@table @code
+@item cwd
+The current working directory.
+@item homedir
+The gnupg homedir.
+@item sysconfdir
+GnuPG's system configuration directory.
+@item bindir
+GnuPG's binary directory.
+@item libdir
+GnuPG's library directory.
+@item libexecdir
+GnuPG's library directory for executable files.
+@item datadir
+GnuPG's data directory.
+@item serverpid
+The PID of the current server. Command @command{/serverpid} must
+have been given to return a useful value.
+@end table
+
+@item unescape @var{args}
+Remove C-style escapes from @var{args}. Note that @code{\0} and
+@code{\x00} terminate the returned string implicitly. The string to be
+converted are the entire arguments right behind the delimiting space of
+the function name.
+
+@item unpercent @var{args}
+@itemx unpercent+ @var{args}
+Remove percent style escaping from @var{args}. Note that @code{%00}
+terminates the string implicitly. The string to be converted are the
+entire arguments right behind the delimiting space of the function
+name. @code{unpercent+} also maps plus signs to a spaces.
+
+@item percent @var{args}
+@itemx percent+ @var{args}
+Escape the @var{args} using percent style escaping. Tabs, formfeeds,
+linefeeds, carriage returns and colons are escaped. @code{percent+} also
+maps spaces to plus signs.
+
+@item errcode @var{arg}
+@itemx errsource @var{arg}
+@itemx errstring @var{arg}
+Assume @var{arg} is an integer and evaluate it using @code{strtol}. Return
+the gpg-error error code, error source or a formatted string with the
+error code and error source.
+
+
+@item +
+@itemx -
+@itemx *
+@itemx /
+@itemx %
+Evaluate all arguments as long integers using @code{strtol} and apply
+this operator. A division by zero yields an empty string.
+
+@item !
+@itemx |
+@itemx &
+Evaluate all arguments as long integers using @code{strtol} and apply
+the logical operators NOT, OR or AND. The NOT operator works on the
+last argument only.
+
+
+@end table
+
+
+@item /definq @var{name} @var{var}
+Use content of the variable @var{var} for inquiries with @var{name}.
+@var{name} may be an asterisk (@code{*}) to match any inquiry.
+
+
+@item /definqfile @var{name} @var{file}
+Use content of @var{file} for inquiries with @var{name}.
+@var{name} may be an asterisk (@code{*}) to match any inquiry.
+
+@item /definqprog @var{name} @var{prog}
+Run @var{prog} for inquiries matching @var{name} and pass the
+entire line to it as command line arguments.
+
+@item /datafile @var{name}
+Write all data lines from the server to the file @var{name}. The file
+is opened for writing and created if it does not exists. An existing
+file is first truncated to 0. The data written to the file fully
+decoded. Using a single dash for @var{name} writes to stdout. The
+file is kept open until a new file is set using this command or this
+command is used without an argument.
+
+@item /showdef
+Print all definitions
+
+@item /cleardef
+Delete all definitions
+
+@item /sendfd @var{file} @var{mode}
+Open @var{file} in @var{mode} (which needs to be a valid @code{fopen}
+mode string) and send the file descriptor to the server. This is
+usually followed by a command like @code{INPUT FD} to set the
+input source for other commands.
+
+@item /recvfd
+Not yet implemented.
+
+@item /open @var{var} @var{file} [@var{mode}]
+Open @var{file} and assign the file descriptor to @var{var}. Warning:
+This command is experimental and might change in future versions.
+
+@item /close @var{fd}
+Close the file descriptor @var{fd}. Warning: This command is
+experimental and might change in future versions.
+
+@item /showopen
+Show a list of open files.
+
+@item /serverpid
+Send the Assuan command @command{GETINFO pid} to the server and store
+the returned PID for internal purposes.
+
+@item /sleep
+Sleep for a second.
+
+@item /hex
+@itemx /nohex
+Same as the command line option @option{--hex}.
+
+@item /decode
+@itemx /nodecode
+Same as the command line option @option{--decode}.
+
+@item /subst
+@itemx /nosubst
+Enable and disable variable substitution. It defaults to disabled
+unless the command line option @option{--subst} has been used.
+If /subst as been enabled once, leading whitespace is removed from
+input lines which makes scripts easier to read.
+
+@item /while @var{condition}
+@itemx /end
+These commands provide a way for executing loops. All lines between
+the @code{while} and the corresponding @code{end} are executed as long
+as the evaluation of @var{condition} yields a non-zero value or is the
+string @code{true} or @code{yes}. The evaluation is done by passing
+@var{condition} to the @code{strtol} function. Example:
+
+@smallexample
+ /subst
+ /let i 3
+ /while $i
+ /echo loop counter is $i
+ /let i $@{- $i 1@}
+ /end
+@end smallexample
+
+@item /if @var{condition}
+@itemx /end
+These commands provide a way for conditional execution. All lines between
+the @code{if} and the corresponding @code{end} are executed only if
+the evaluation of @var{condition} yields a non-zero value or is the
+string @code{true} or @code{yes}. The evaluation is done by passing
+@var{condition} to the @code{strtol} function.
+
+@item /run @var{file}
+Run commands from @var{file}.
+
+@item /bye
+Terminate the connection and the program.
+
+@item /help
+Print a list of available control commands.
+
+@end table
+
+
+@ifset isman
+@mansect see also
+@command{gpg-agent}(1),
+@command{scdaemon}(1)
+@include see-also-note.texi
+@end ifset
+
+@c
+@c DIRMNGR-CLIENT
+@c
+@node dirmngr-client
+@section The Dirmngr Client Tool
+
+@manpage dirmngr-client.1
+@ifset manverb
+.B dirmngr-client
+\- Tool to access the Dirmngr services
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B dirmngr-client
+.RI [ options ]
+.RI [ certfile | pattern ]
+@end ifset
+
+@mansect description
+The @command{dirmngr-client} is a simple tool to contact a running
+dirmngr and test whether a certificate has been revoked --- either by
+being listed in the corresponding CRL or by running the OCSP protocol.
+If no dirmngr is running, a new instances will be started but this is
+in general not a good idea due to the huge performance overhead.
+
+@noindent
+The usual way to run this tool is either:
+
+@example
+dirmngr-client @var{acert}
+@end example
+
+@noindent
+or
+
+@example
+dirmngr-client <@var{acert}
+@end example
+
+Where @var{acert} is one DER encoded (binary) X.509 certificates to be
+tested.
+@ifclear isman
+The return value of this command is
+@end ifclear
+
+@mansect return value
+@ifset isman
+@command{dirmngr-client} returns these values:
+@end ifset
+@table @code
+
+@item 0
+The certificate under question is valid; i.e. there is a valid CRL
+available and it is not listed there or the OCSP request returned that
+that certificate is valid.
+
+@item 1
+The certificate has been revoked
+
+@item 2 (and other values)
+There was a problem checking the revocation state of the certificate.
+A message to stderr has given more detailed information. Most likely
+this is due to a missing or expired CRL or due to a network problem.
+
+@end table
+
+@mansect options
+@noindent
+@command{dirmngr-client} may be called with the following options:
+
+
+@table @gnupgtabopt
+@item --version
+@opindex version
+Print the program version and licensing information. Note that you cannot
+abbreviate this command.
+
+@item --help, -h
+@opindex help
+Print a usage message summarizing the most useful command-line options.
+Note that you cannot abbreviate this command.
+
+@item --quiet, -q
+@opindex quiet
+Make the output extra brief by suppressing any informational messages.
+
+@item -v
+@item --verbose
+@opindex v
+@opindex verbose
+Outputs additional information while running.
+You can increase the verbosity by giving several
+verbose commands to @sc{dirmngr}, such as @samp{-vv}.
+
+@item --pem
+@opindex pem
+Assume that the given certificate is in PEM (armored) format.
+
+@item --ocsp
+@opindex ocsp
+Do the check using the OCSP protocol and ignore any CRLs.
+
+@item --force-default-responder
+@opindex force-default-responder
+When checking using the OCSP protocol, force the use of the default OCSP
+responder. That is not to use the Reponder as given by the certificate.
+
+@item --ping
+@opindex ping
+Check whether the dirmngr daemon is up and running.
+
+@item --cache-cert
+@opindex cache-cert
+Put the given certificate into the cache of a running dirmngr. This is
+mainly useful for debugging.
+
+@item --validate
+@opindex validate
+Validate the given certificate using dirmngr's internal validation code.
+This is mainly useful for debugging.
+
+@item --load-crl
+@opindex load-crl
+This command expects a list of filenames with DER encoded CRL files.
+With the option @option{--url} URLs are expected in place of filenames
+and they are loaded directly from the given location. All CRLs will be
+validated and then loaded into dirmngr's cache.
+
+@item --lookup
+@opindex lookup
+Take the remaining arguments and run a lookup command on each of them.
+The results are Base-64 encoded outputs (without header lines). This
+may be used to retrieve certificates from a server. However the output
+format is not very well suited if more than one certificate is returned.
+
+@item --url
+@itemx -u
+@opindex url
+Modify the @command{lookup} and @command{load-crl} commands to take an URL.
+
+@item --local
+@itemx -l
+@opindex url
+Let the @command{lookup} command only search the local cache.
+
+@item --squid-mode
+@opindex squid-mode
+Run @sc{dirmngr-client} in a mode suitable as a helper program for
+Squid's @option{external_acl_type} option.
+
+
+@end table
+
+@ifset isman
+@mansect see also
+@command{dirmngr}(8),
+@command{gpgsm}(1)
+@include see-also-note.texi
+@end ifset
+
+
+@c
+@c GPGPARSEMAIL
+@c
+@node gpgparsemail
+@section Parse a mail message into an annotated format
+
+@manpage gpgparsemail.1
+@ifset manverb
+.B gpgparsemail
+\- Parse a mail message into an annotated format
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgparsemail
+.RI [ options ]
+.RI [ file ]
+@end ifset
+
+@mansect description
+The @command{gpgparsemail} is a utility currently only useful for
+debugging. Run it with @code{--help} for usage information.
+
+
+
+@c
+@c GPGTAR
+@c
+@manpage gpgtar.1
+@node gpgtar
+@section Encrypt or sign files into an archive
+@ifset manverb
+.B gpgtar
+\- Encrypt or sign files into an archive
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpgtar
+.RI [ options ]
+.I filename1
+.I [ filename2, ... ]
+.I directory1
+.I [ directory2, ... ]
+@end ifset
+
+@mansect description
+@command{gpgtar} encrypts or signs files into an archive. It is an
+gpg-ized tar using the same format as used by PGP's PGP Zip.
+
+@manpause
+@noindent
+@command{gpgtar} is invoked this way:
+
+@example
+gpgtar [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
+@end example
+
+@mansect options
+@noindent
+@command{gpgtar} understands these options:
+
+@table @gnupgtabopt
+
+@item --create
+@opindex create
+Put given files and directories into a vanilla ``ustar'' archive.
+
+@item --extract
+@opindex extract
+Extract all files from a vanilla ``ustar'' archive.
+
+@item --encrypt
+@itemx -e
+@opindex encrypt
+Encrypt given files and directories into an archive. This option may
+be combined with option @option{--symmetric} for an archive that may
+be decrypted via a secret key or a passphrase.
+
+@item --decrypt
+@itemx -d
+@opindex decrypt
+Extract all files from an encrypted archive.
+
+@item --sign
+@itemx -s
+Make a signed archive from the given files and directories. This can
+be combined with option @option{--encrypt} to create a signed and then
+encrypted archive.
+
+@item --list-archive
+@itemx -t
+@opindex list-archive
+List the contents of the specified archive.
+
+@item --symmetric
+@itemx -c
+Encrypt with a symmetric cipher using a passphrase. The default
+symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
+@option{--cipher-algo} option to @command{gpg}.
+
+@item --recipient @var{user}
+@itemx -r @var{user}
+@opindex recipient
+Encrypt for user id @var{user}. For details see @command{gpg}.
+
+@item --local-user @var{user}
+@itemx -u @var{user}
+@opindex local-user
+Use @var{user} as the key to sign with. For details see @command{gpg}.
+
+@item --output @var{file}
+@itemx -o @var{file}
+@opindex output
+Write the archive to the specified file @var{file}.
+
+@item --verbose
+@itemx -v
+@opindex verbose
+Enable extra informational output.
+
+@item --quiet
+@itemx -q
+@opindex quiet
+Try to be as quiet as possible.
+
+@item --skip-crypto
+@opindex skip-crypto
+Skip all crypto operations and create or extract vanilla ``ustar''
+archives.
+
+@item --dry-run
+@opindex dry-run
+Do not actually output the extracted files.
+
+@item --directory @var{dir}
+@itemx -C @var{dir}
+@opindex directory
+Extract the files into the directory @var{dir}. The default is to
+take the directory name from the input filename. If no input filename
+is known a directory named @file{GPGARCH} is used. For tarball
+creation, switch to directory @var{dir} before performing any
+operations.
+
+@item --files-from @var{file}
+@itemx -T @var{file}
+Take the file names to work from the file @var{file}; one file per
+line.
+
+@item --null
+@opindex null
+Modify option @option{--files-from} to use a binary nul instead of a
+linefeed to separate file names.
+
+@item --utf8-strings
+@opindex utf8-strings
+Assume that the file names read by @option{--files-from} are UTF-8
+encoded. This option has an effect only on Windows where the active
+code page is otherwise assumed.
+
+@item --openpgp
+@opindex openpgp
+This option has no effect because OpenPGP encryption and signing is
+the default.
+
+@item --cms
+@opindex cms
+This option is reserved and shall not be used. It will eventually be
+used to encrypt or sign using the CMS protocol; but that is not yet
+implemented.
+
+@item --batch
+@opindex batch
+Use batch mode. Never ask but use the default action. This option is
+passed directly to @command{gpg}.
+
+@item --yes
+@opindex yes
+Assume "yes" on most questions. Often used together with
+@option{--batch} to overwrite existing files. This option is passed
+directly to @command{gpg}.
+
+@item --no
+@opindex no
+Assume "no" on most questions. This option is passed directly to
+@command{gpg}.
+
+@item --require-compliance
+@opindex require-compliance
+This option is passed directly to @command{gpg}.
+
+@item --status-fd @var{n}
+@opindex status-fd
+Write special status strings to the file descriptor @var{n}.
+See the file DETAILS in the documentation for a listing of them.
+
+@item --with-log
+@opindex with-log
+When extracting an encrypted tarball also write a log file with the
+gpg output to a file named after the extraction directory with the
+suffix ".log".
+
+@item --set-filename @var{file}
+@opindex set-filename
+Use the last component of @var{file} as the output directory. The
+default is to take the directory name from the input filename. If no
+input filename is known a directory named @file{GPGARCH} is used.
+This option is deprecated in favor of option @option{--directory}.
+
+@item --gpg @var{gpgcmd}
+@opindex gpg
+Use the specified command @var{gpgcmd} instead of @command{gpg}.
+
+@item --gpg-args @var{args}
+@opindex gpg-args
+Pass the specified extra options to @command{gpg}.
+
+@item --tar-args @var{args}
+@opindex tar-args
+Assume @var{args} are standard options of the command @command{tar}
+and parse them. The only supported tar options are "--directory",
+"--files-from", and "--null" This is an obsolete options because those
+supported tar options can also be given directly.
+
+@item --version
+@opindex version
+Print version of the program and exit.
+
+@item --help
+@opindex help
+Display a brief help page and exit.
+
+@end table
+
+@mansect diagnostics
+@noindent
+The program returns 0 if everything was fine, 1 otherwise.
+
+
+@mansect examples
+@ifclear isman
+@noindent
+Some examples:
+
+@end ifclear
+@noindent
+Encrypt the contents of directory @file{mydocs} for user Bob to file
+@file{test1}:
+
+@example
+gpgtar --encrypt --output test1 -r Bob mydocs
+@end example
+
+@noindent
+List the contents of archive @file{test1}:
+
+@example
+gpgtar --list-archive test1
+@end example
+
+
+@mansect see also
+@ifset isman
+@command{gpg}(1),
+@command{tar}(1),
+@end ifset
+@include see-also-note.texi
+
+@c
+@c GPG-CHECK-PATTERN
+@c
+@manpage gpg-check-pattern.1
+@node gpg-check-pattern
+@section Check a passphrase on stdin against the patternfile
+@ifset manverb
+.B gpg-check-pattern
+\- Check a passphrase on stdin against the patternfile
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg\-check\-pattern
+.RI [ options ]
+.I patternfile
+@end ifset
+
+@mansect description
+@command{gpg-check-pattern} checks a passphrase given on stdin against
+a specified pattern file.
+
+The pattern file is line based with comment lines beginning on the
+@emph{first} position with a @code{#}. Empty lines and lines with
+only white spaces are ignored. The actual pattern lines may either be
+verbatim string pattern and match as they are (trailing spaces are
+ignored) or extended regular expressions indicated by a @code{/} or
+@code{!/} in the first column and terminated by another @code{/} or
+end of line. If a regular expression starts with @code{!/} the match
+result is reversed. By default all comparisons are case insensitive.
+
+Tag lines may be used to further control the operation of this tool.
+The currently defined tags are:
+
+@table @code
+@item [icase]
+Switch to case insensitive comparison for all further patterns. This
+is the default.
+
+@item [case]
+Switch to case sensitive comparison for all further patterns.
+
+@item [reject]
+Switch to reject mode. This is the default mode.
+
+@item [accept]
+Switch to accept mode.
+@end table
+
+In the future more tags may be introduced and thus it is advisable not to
+start a plain pattern string with an open bracket. The tags must be
+given verbatim on the line with no spaces to the left or any non white
+space characters to the right.
+
+In reject mode the program exits on the first match with an exit code
+of 1 (failure). If at the end of the pattern list the reject mode is
+still active the program exits with code 0 (success).
+
+In accept mode blocks of patterns are used. A block starts at the
+next pattern after an "accept" tag and ends with the last pattern
+before the next "accept" or "reject" tag or at the end of the pattern
+list. If all patterns in a block match the program exits with an exit
+code of 0 (success). If any pattern in a block do not match the next
+pattern block is evaluated. If at the end of the pattern list the
+accept mode is still active the program exits with code 1 (failure).
+
+
+@mansect options
+@noindent
+
+@table @gnupgtabopt
+
+@item --verbose
+@opindex verbose
+Enable extra informational output.
+
+@item --check
+@opindex check
+Run only a syntax check on the patternfile.
+
+@item --null
+@opindex null
+Input is expected to be null delimited.
+
+@end table
+
+@mansect see also
+@ifset isman
+@command{gpg-agent}(1),
+@end ifset
+@include see-also-note.texi
diff --git a/doc/trust-values.texi b/doc/trust-values.texi
new file mode 100644
index 0000000..634a784
--- /dev/null
+++ b/doc/trust-values.texi
@@ -0,0 +1,47 @@
+@c Copyright (C) 2018 Free Software Foundation, Inc.
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file gnupg.texi.
+
+Trust values are used to indicate ownertrust and validity of keys and
+user IDs. They are displayed with letters or strings:
+
+@table @asis
+
+ @item -
+ @itemx unknown
+ No ownertrust assigned / not yet calculated.
+
+ @item e
+ @itemx expired
+
+ Trust calculation has failed; probably due to an expired key.
+
+ @item q
+ @itemx undefined, undef
+ Not enough information for calculation.
+
+ @item n
+ @itemx never
+ Never trust this key.
+
+ @item m
+ @itemx marginal
+ Marginally trusted.
+
+ @item f
+ @itemx full
+ Fully trusted.
+
+ @item u
+ @itemx ultimate
+ Ultimately trusted.
+
+ @item r
+ @itemx revoked
+ For validity only: the key or the user ID has been revoked.
+
+ @item ?
+ @itemx err
+ The program encountered an unknown trust value.
+
+@end table
diff --git a/doc/whats-new-in-2.1.txt b/doc/whats-new-in-2.1.txt
new file mode 100644
index 0000000..ef8b233
--- /dev/null
+++ b/doc/whats-new-in-2.1.txt
@@ -0,0 +1,873 @@
+ â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”
+ GNUPG - WHAT’S NEW IN 2.1
+
+
+ Werner Koch
+ â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”â”
+
+
+ 2017-08-28
+
+
+Table of Contents
+─────────────────
+
+1 What’s new in GnuPG 2.1
+.. 1.1 Removal of the secret keyring
+.. 1.2 Removal of PGP-2 support
+.. 1.3 Leaner key generation interface
+.. 1.4 Support for ECC
+.. 1.5 Quick generate and sign commands
+.. 1.6 Improved Pinentry support
+.. 1.7 Auto-start of the gpg-agent
+.. 1.8 Duplicate long key id fixes
+.. 1.9 Enhanced Dirmngr
+.. 1.10 Better keyserver pool support
+.. 1.11 Faster keyring format
+.. 1.12 Auto-generated revocation certificates
+.. 1.13 Improved card support
+.. 1.14 New format for key listings
+.. 1.15 Recipient key from file
+.. 1.16 Using gpg as a filter
+.. 1.17 Support for Putty
+.. 1.18 Export of SSH public keys
+.. 1.19 Improved X.509 certificate creation
+.. 1.20 Scripts to create a Windows installer
+
+
+A possibly revised version of this article can be found at:
+https://gnupg.org/faq/whats-new-in-2.1.html
+
+
+1 What’s new in GnuPG 2.1
+â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•â•
+
+ GnuPG version 2.1 (now known as 2.2) comes with a bag of new features
+ which changes some things old-timers are used to. This page explains
+ the more important ones. It expects that the reader is familiar with
+ GnuPG version 2.0 and aware that GnuPG consists of /gpg/, /gpgsm/, and
+ /gpg-agent/ as its main components.
+
+ • The file /secring.gpg/ is not anymore used to store the secret keys.
+ Merging of secret keys is now supported.
+
+ • All support for /PGP-2 keys/ has been removed for security reasons.
+
+ • The standard key generation interface is now much leaner. This will
+ help a new user to quickly generate a suitable key.
+
+ • Support for /Elliptic Curve Cryptography/ (ECC) is now available.
+
+ • Commands to create and sign keys from the command line without any
+ extra prompts are now available.
+
+ • The Pinentry may now show the new passphrase entry and the
+ passphrase confirmation entry in one dialog.
+
+ • There is no more need to manually start the gpg-agent. It is now
+ started by any part of GnuPG as needed.
+
+ • Problems with importing keys with the same long key id have been
+ addressed.
+
+ • The /dirmngr/ is now part of GnuPG proper and also takes care of
+ accessing keyserver.
+
+ • Keyserver pools are now handled in a smarter way.
+
+ • A new format for locally storing the public keys is now used. This
+ considerable speeds up operations on large keyrings.
+
+ • /Revocation certificates/ are now created by default.
+
+ • Card support has been updated, new readers and token types are
+ supported.
+
+ • The format of the key listing has been changed to better identify
+ the properties of a key.
+
+ • A file with the recipient’s key may now be used directly.
+
+ • Gpg can be used to filter out parts of a key.
+
+ • The gpg-agent may now be used on Windows as /pageant/ replacement
+ for /putty/ in the same way it is used for years on Unix as
+ /ssh-agent/ replacement.
+
+ • Creation of X.509 certificates has been improved. It is now also
+ possible to export them directly in PKCS#8 and PEM format for use on
+ TLS servers.
+
+ • Export of /ssh/ keys has been integrated.
+
+ • The scripts to create a Windows installer are now part of GnuPG.
+
+ Now for the detailed description of these new features. Note that the
+ examples assume that /gpg/ is installed as /gpg/. Your installation
+ may have it installed under the name /gpg2/.
+
+
+1.1 Removal of the secret keyring
+─────────────────────────────────
+
+ gpg used to keep the public key pairs in two files: `pubring.gpg' and
+ `secring.gpg'. The only difference is that secring stored in addition
+ to the public part also the private part of the key pair. The secret
+ keyring thus contained only the keys for which a private key is
+ available, that is the user’s key. It required a lot of code to keep
+ both versions of the key in sync and led to sometimes surprising
+ inconsistencies.
+
+ The design of GnuPG-2 demands that only the gpg-agent has control over
+ the private parts of the keys and the actual encryption engine (gpg or
+ gpgsm) does not know about the private key but care only about session
+ keys and keys for symmetric encryption. This has been implemented
+ about 10 years ago for /gpgsm/ (the S/MIME part of GnuPG). However,
+ /gpg/ (the OpenPGP part) used the gpg-agent only as passphrase entry
+ and cache device but handles the private key itself.
+
+ With GnuPG 2.1 this changed and /gpg/ now also delegates all private
+ key operations to the gpg-agent. Thus there is no more code in the
+ /gpg/ binary for handling private keys. En passant this allows the
+ long time requested “merging of secret keys†and several other
+ advanced key management techniques.
+
+ To ease the migration to the no-secring method, /gpg/ detects the
+ presence of a `secring.gpg' and converts the keys on-the-fly to the
+ the key store of /gpg-agent/ (this is the `private-keys-v1.d'
+ directory below the GnuPG home directory (`~/.gnupg')). This is done
+ only once and an existing `secring.gpg' is then not anymore touched by
+ /gpg/. This allows co-existence of older GnuPG versions with GnuPG
+ 2.1. However, any change to the private keys using the new /gpg/ will
+ not show up when using pre-2.1 versions of GnuPG and vice versa.
+
+ Note that the command `--export-secret-keys' still creates an OpenPGP
+ compliant file with the secret keys. This is achieved by asking
+ /gpg-agent/ to convert a key and return it in the OpenPGP protected
+ format. The export operation requires that the passphrase for the key
+ is entered so that /gpg-agent/ is able to change the protection from
+ its internal format to the OpenPGP required format.
+
+
+1.2 Removal of PGP-2 support
+────────────────────────────
+
+ Some algorithms and parts of the protocols as used by the 20 years old
+ [PGP-2] software are meanwhile considered unsafe. In particular the
+ baked in use of the [MD5] hash algorithm limits the security of PGP-2
+ keys to non-acceptable rate. Technically those PGP-2 keys are called
+ version 3 keys (v3) and are easily identified by a shorter fingerprint
+ which is commonly presented as 16 separate double hex digits.
+
+ With GnuPG 2.1 all support for those keys has gone. If they are in an
+ existing keyring they will eventually be removed. If GnuPG encounters
+ such a key on import it will not be imported due to the not anymore
+ implemented v3 key format. Removing the v3 key support also reduces
+ complexity of the code and is thus better than to keep on handling
+ them with a specific error message.
+
+ There is one use case where PGP-2 keys may still be required: For
+ existing encrypted data. We suggest to keep a version of GnuPG 1.4
+ around which still has support for these keys (it might be required to
+ use the `--allow-weak-digest-algos' option). A better solution is to
+ re-encrypt the data using a modern key.
+
+
+ [PGP-2] https://en.wikipedia.org/wiki/Pretty_Good_Privacy
+
+ [MD5] https://en.wikipedia.org/wiki/MD5
+
+
+1.3 Leaner key generation interface
+───────────────────────────────────
+
+ This is best shown with an example:
+
+ ┌────
+ │ $ gpg --gen-key
+ │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc.
+ │ This is free software: you are free to change and redistribute it.
+ │ There is NO WARRANTY, to the extent permitted by law.
+ │
+ │ gpg: keybox '/home/foo/.gnupg/pubring.kbx' created
+ │ Note: Use "gpg --full-gen-key" for a full featured key generation dialog.
+ │
+ │ GnuPG needs to construct a user ID to identify your key.
+ │
+ │ Real name: Glenn Greenwald
+ │ Email address: glenn@example.org
+ │ You selected this USER-ID:
+ │ "Glenn Greenwald <glenn@example.org>"
+ │
+ │ Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
+ │ [...]
+ │ pub rsa2048/68FD0088 2014-11-03
+ │ Key fingerprint = 0290 5ABF 17C7 81FB C390 9B00 636A 1BBD 68FD 0088
+ │ uid [ultimate] Glenn Greenwald <glenn@example.org>
+ │ sub rsa2048/84439DCD 2014-11-03
+ └────
+
+ Thus only the name and the mail address are required. For all other
+ parameters the default values are used. Many graphical frontends
+ works in the same way. Note that /gpg/ prints a hint for the old time
+ gpg users on how to get the full option menu.
+
+
+1.4 Support for ECC
+───────────────────
+
+ GnuPG now support Elliptic Curve keys for public key encryption. This
+ is defined in [RFC-6637]. Because there is no other mainstream
+ OpenPGP implementation yet available which supports ECC, the use of
+ such keys is still very limited. Thus GnuPG 2.1 currently hides the
+ options to create an ECC key.
+
+ For those who want to experiment with ECC or already want to prepare a
+ key for future use, the command `--full-gen-key' along with the option
+ `--expert' is the enabler:
+
+ ┌────
+ │ $ gpg --expert --full-gen-key
+ │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc.
+ │ This is free software: you are free to change and redistribute it.
+ │ There is NO WARRANTY, to the extent permitted by law.
+ │
+ │ Please select what kind of key you want:
+ │ (1) RSA and RSA (default)
+ │ (2) DSA and Elgamal
+ │ (3) DSA (sign only)
+ │ (4) RSA (sign only)
+ │ (7) DSA (set your own capabilities)
+ │ (8) RSA (set your own capabilities)
+ │ (9) ECC and ECC
+ │ (10) ECC (sign only)
+ │ (11) ECC (set your own capabilities)
+ │ Your selection? 9
+ │ Please select which elliptic curve you want:
+ │ (2) NIST P-256
+ │ (3) NIST P-384
+ │ (4) NIST P-521
+ │ (5) Brainpool P-256
+ │ (6) Brainpool P-384
+ │ (7) Brainpool P-512
+ │ Your selection? 2
+ │ Please specify how long the key should be valid.
+ │ 0 = key does not expire
+ │ <n> = key expires in n days
+ │ <n>w = key expires in n weeks
+ │ <n>m = key expires in n months
+ │ <n>y = key expires in n years
+ │ Key is valid for? (0)
+ │ Key does not expire at all
+ │ Is this correct? (y/N) y
+ │
+ │ GnuPG needs to construct a user ID to identify your key.
+ │
+ │ Real name: Edward Snowden
+ │ Email address: edward@example.org
+ │ Comment:
+ │ You selected this USER-ID:
+ │ "Edward Snowden <edward@example.org>"
+ │
+ │ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+ │ [...]
+ │ pub nistp256/382660E3 2014-11-03
+ │ Key fingerprint = E630 27CF 3D68 22A7 6FF2 093E D179 9E72 3826 60E3
+ │ uid [ultimate] Edward Snowden <edward@example.org>
+ │ sub nistp256/48C9A997 2014-11-03 nistp256
+ └────
+
+ In this example we created a primary ECC key for signing and an subkey
+ for encryption. For both we use the NIST P-256 curve. The key may
+ now be used in the same way as any other key. It is possible to add
+ an RSA subkey or one can create an RSA or DSA main key and add an ECC
+ subkey for signing or encryption. Note that the list of offered
+ curves depends on the installed Libgcrypt version.
+
+ For many people the NIST and also the Brainpool curves have an
+ doubtful origin and thus the plan for GnuPG is to use Bernstein’s
+ [Curve 25519] as default. GnuPG 2.1.0 already comes with support for
+ signing keys using the [Ed25519] variant of this curve. This has not
+ yet been standardized by the IETF (i.e. there is no RFC) but we won’t
+ wait any longer and go ahead using the proposed format for this
+ signing algorithm. The format for an encryption key has not yet been
+ finalized and will be added to GnuPG in one of the next point
+ releases. Recall that an encryption subkey can be added to a key at
+ any time. If you want to create a signing key you may do it this way:
+
+ ┌────
+ │ $ gpg --expert --full-gen-key
+ │ gpg (GnuPG) 2.1.0; Copyright (C) 2014 Free Software Foundation, Inc.
+ │ This is free software: you are free to change and redistribute it.
+ │ There is NO WARRANTY, to the extent permitted by law.
+ │
+ │ Please select what kind of key you want:
+ │ (1) RSA and RSA (default)
+ │ (2) DSA and Elgamal
+ │ (3) DSA (sign only)
+ │ (4) RSA (sign only)
+ │ (7) DSA (set your own capabilities)
+ │ (8) RSA (set your own capabilities)
+ │ (9) ECC and ECC
+ │ (10) ECC (sign only)
+ │ (11) ECC (set your own capabilities)
+ │ Your selection? 10
+ │ Please select which elliptic curve you want:
+ │ (1) Curve 25519
+ │ (2) NIST P-256
+ │ (3) NIST P-384
+ │ (4) NIST P-521
+ │ (5) Brainpool P-256
+ │ (6) Brainpool P-384
+ │ (7) Brainpool P-512
+ │ Your selection? 1
+ │ gpg: WARNING: Curve25519 is not yet part of the OpenPGP standard.
+ │ Use this curve anyway? (y/N) y
+ │ Please specify how long the key should be valid.
+ │ 0 = key does not expire
+ │ <n> = key expires in n days
+ │ <n>w = key expires in n weeks
+ │ <n>m = key expires in n months
+ │ <n>y = key expires in n years
+ │ Key is valid for? (0)
+ │ Key does not expire at all
+ │ Is this correct? (y/N) y
+ │
+ │ GnuPG needs to construct a user ID to identify your key.
+ │
+ │ Real name: Laura Poitras
+ │ Email address: laura@example.org
+ │ Comment:
+ │ You selected this USER-ID:
+ │ "Laura Poitras <laura@example.org>"
+ │
+ │ Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
+ │ [...]
+ │ pub ed25519/5C1AFC2A 2014-11-03
+ │ Key fingerprint = ED85 4D98 5D8F 502F C6C5 FFB2 AA81 319E 5C1A FC2A
+ │ uid [ultimate] Laura Poitras <laura@example.org>
+ └────
+
+ Support for ECC keys is available only on some keyservers but it is
+ expected that this will be fixed over the next few months.
+
+
+ [RFC-6637] https://rfc-editor.org/info/rfc6637
+
+ [Curve 25519] http://cr.yp.to/ecdh/curve25519-20060209.pdf
+
+ [Ed25519] http://dx.doi.org/10.1007/s13389-012-0027-1
+
+
+1.5 Quick generate and sign commands
+────────────────────────────────────
+
+ Sometimes it is useful to use only command line options without any
+ parameter file or interactive prompts for generating a key or to sign
+ a key. This can now be accomplished with a few new commands:
+
+ ┌────
+ │ $ gpg --batch --quick-gen-key 'Daniel Ellsberg <ellsberg@example.org>'
+ │ gpg: key 911B90A9 marked as ultimately trusted
+ └────
+
+ If a key with that user id already exists, gpg bails out with an error
+ message. You can force creation using the option `--yes'. If you
+ want some more control, you may not use `--batch' and gpg will ask for
+ confirmation and show the resulting key:
+
+ ┌────
+ │ $ gpg --quick-gen-key 'Daniel Ellsberg <ellsberg@example.org>'
+ │ About to create a key for:
+ │ "Daniel Ellsberg <ellsberg@example.org>"
+ │
+ │ Continue? (Y/n) y
+ │ gpg: A key for "Daniel Ellsberg <ellsberg@example.org>" already exists
+ │ Create anyway? (y/N) y
+ │ gpg: creating anyway
+ │ [...]
+ │ pub rsa2048/BD19AC1C 2014-11-04
+ │ Key fingerprint = 15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C
+ │ uid [ultimate] Daniel Ellsberg <ellsberg@example.org>
+ │ sub rsa2048/72A4D018 2014-11-04
+ └────
+
+ Another common operation is to sign a key. /gpg/ can do this directly
+ from the command line by giving the fingerprint of the to-be-signed
+ key:
+
+ ┌────
+ │ $ gpg --quick-sign-key '15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C'
+ │
+ │ pub rsa2048/BD19AC1C
+ │ created: 2014-11-04 expires: never usage: SC
+ │ trust: ultimate validity: ultimate
+ │ Primary key fingerprint: 15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C
+ │
+ │ Daniel Ellsberg <ellsberg@example.org>
+ └────
+
+ In case the key has already been signed, the command prints a note and
+ exits with success. In case you want to check that it really worked,
+ use `--check-sigs' as usual:
+
+ ┌────
+ │ $ gpg --check-sigs '15CB 723E 2000 A1A8 2505 F3B7 CC00 B501 BD19 AC1C'
+ │ gpg: checking the trustdb
+ │ gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
+ │ gpg: depth: 0 valid: 6 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 6u
+ │ pub rsa2048/BD19AC1C 2014-11-04
+ │ uid [ full ] Daniel Ellsberg <ellsberg@example.org>
+ │ sig!3 BD19AC1C 2014-11-04 Daniel Ellsberg <ellsberg@example.org>
+ │ sig! 68FD0088 2014-11-04 Glenn Greenwald <glenn@example.org>
+ │ sub rsa2048/72A4D018 2014-11-04
+ │ sig! BD19AC1C 2014-11-04 Daniel Ellsberg <ellsberg@example.org>
+ └────
+
+
+ The fingerprint may also be given without the spaces in which case
+ there is no need for the quotes. If you want to sign only certain
+ user ids of a key, list those user id verbatim after the fingerprint.
+ To create a non-exportable key signature, use the command
+ `--quick-lsign-key' instead.
+
+ Since version 2.1.4 it possible to directly add another user id to an
+ existing key:
+
+ ┌────
+ │ $ gpg -k 8CFDE12197965A9A
+ │ pub ed25519/8CFDE12197965A9A 2014-08-19
+ │ uid [ unknown] EdDSA sample key 1
+ │ $ gpg --quick-adduid 8CFDE12197965A9A 'Sample 2 <me@example.org>'
+ │ $ gpg -k 8CFDE12197965A9A
+ │ pub ed25519/8CFDE12197965A9A 2014-08-19
+ │ uid [ unknown] Sample 2 <me@example.org>
+ │ uid [ unknown] EdDSA sample key 1
+ └────
+
+ Since version 2.1.13 another subkey can directly be added to an
+ existing key:
+
+ ┌────
+ │ $ gpg --quick-addkey 15CB723E2000A1A82505F3B7CC00B501BD19AC1C - - 2016-12-31
+ │ $ gpg -k 15CB723E2000A1A82505F3B7CC00B501BD19AC1C
+ │ pub rsa2048 2014-11-04 [SC]
+ │ 15CB723E2000A1A82505F3B7CC00B501BD19AC1C
+ │ uid [ unknown] Daniel Ellsberg <ellsberg@example.org>
+ │ sub rsa2048 2014-11-04 [E]
+ │ sub rsa2048 2016-06-06 [E] [expires: 2016-12-31]
+ └────
+
+ Here we created another encryption subkey with an expiration date.
+ The key listing also shows the default key listing format introduced
+ with 2.1.13. There are a lot of other options to the `--quick-addkey'
+ command which are described in the manual.
+
+ Since version 2.1.14 it possible to revoke a user id on an existing
+ key:
+
+ ┌────
+ │ $ gpg -k 8CFDE12197965A9A
+ │ pub ed25519/8CFDE12197965A9A 2014-08-19
+ │ uid [ unknown] Sample 2 <me@example.org>
+ │ uid [ unknown] EdDSA sample key 1
+ │ $ gpg --quick-revuid 8CFDE12197965A9A 'EdDSA sample key 1'
+ │ $ gpg -k 8CFDE12197965A9A
+ │ pub ed25519/8CFDE12197965A9A 2014-08-19
+ │ uid [ unknown] Sample 2 <me@example.org>
+ └────
+
+ Since version 2.1.17 the expiration date of the primary key can be
+ changed directly:
+
+ ┌────
+ │ $ gpg --quick-set-expire 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 2017-12-31
+ │ $ gpg -K 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7
+ │ sec rsa2048 2016-06-22 [SC] [expires: 2017-12-31]
+ │ 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7
+ │ uid [ultimate] steve.biko@example.net
+ │ ssb rsa2048 2016-06-22 [E]
+ │
+ │ $ gpg --quick-set-expire 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7 none
+ │ $ gpg -K 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7
+ │ sec rsa2048 2016-06-22 [SC]
+ │ 5B83120DB1E3A65AE5A8DCF6AA43F1DCC7FED1B7
+ │ uid [ultimate] steve.biko@example.net
+ │ ssb rsa2048 2016-06-22 [E]
+ └────
+
+
+1.6 Improved Pinentry support
+─────────────────────────────
+
+ When using a recent Pinentry module (0.90, GTK+ variant), the
+ gpg-agent will not anymore show two separate Pinentry dialogs to enter
+ a new passphrase and later to confirm the new passphrase. Instead the
+ first dialog also has the confirm/repeat entry and internally checks
+ whether they match.
+
+ With any Pinentry version the several separate dialogs to inform and
+ ask for confirmation about questionable properties of a new passphrase
+ (e.g. length, only alpha letters) have been combined into one dialog
+ to show all non-asserted constraints at once.
+
+ The GTK+ Pinentry does now allow pasting of values into the entries.
+ Copying them from the entries is still inhibited on purpose.
+ Depending on the system, the option `no-grab' may be required for in
+ the `gpg-agent.conf' file to actually make use of the paste feature.
+
+
+1.7 Auto-start of the gpg-agent
+───────────────────────────────
+
+ The /gpg-agent/ is the central part of the GnuPG system. It takes
+ care of all private (secret) keys and if required diverts operations
+ to a smartcard or other token. It also provides support for the
+ Secure Shell by implementing the ssh-agent protocol.
+
+ The classic way to run /gpg-agent/ on Unix systems is by launching it
+ at login time and use an environment variable (`GPG_AGENT_INFO') to
+ tell the other GnuPG modules how to connect to the agent. However,
+ correctly managing the start up and this environment variable is
+ cumbersome so that an easier method is required. Since GnuPG 2.0.16
+ the `--use-standard-socket' option already allowed to start the agent
+ on the fly; however the environment variable was still required.
+
+ With GnuPG 2.1 the need of `GPG_AGENT_INFO' has been completely
+ removed and the variable is ignored. Instead a fixed Unix domain
+ socket named `S.gpg-agent' in the GnuPG home directory (by default
+ `~/.gnupg') is used. The agent is also started on demand by all tools
+ requiring services from the agent.
+
+ If the option `--enable-ssh-support' is used the auto-start mechanism
+ does not work because /ssh/ does not know about this mechanism.
+ Instead it is required that the environment variable `SSH_AUTH_SOCK'
+ is set to the `S.gpg-agent.ssh' socket in the GnuPG home directory.
+ Further /gpg-agent/ must be started: Either by using a GnuPG command
+ which implicitly starts /gpg-agent/ or by using `gpgconf --launch
+ gpg-agent' to explicitly start it if not yet done.
+
+
+1.8 Duplicate long key id fixes
+───────────────────────────────
+
+ A deficit of the OpenPGP protocol is that signatures carry only a
+ limited indication on which public key has been used to create a
+ signature. Thus a verification engine may only use this “long key idâ€
+ to look up the key in its own store or from a public keyserver.
+ Unfortunately it has now become possible to create a key with a long
+ key id matching the key id of another key. Importing a key with a
+ long key id already used by another key in gpg’s local key store was
+ not possible due to checks done on import. Now, if the “wrong†key
+ has been imported first /gpg/ would not allow later import of the
+ second “correct†key. This problem has been fixed in 2.1 by allowing
+ the import and by doing trial verification against all matching keys.
+
+
+1.9 Enhanced Dirmngr
+────────────────────
+
+ Before version 2.1, /gpg/ used so-called keyserver helpers to access
+ the OpenPGP keyservers. A problem with that is that they are short
+ living processes which are not able to keep a state. With 2.1, the
+ formerly separate package Dirmngr (which was separate due to copyright
+ assignment reasons) has been integrated into GnuPG.
+
+ In the past /dirmngr/ was only used by /gpgsm/ for X.509 (S/MIME) CRL
+ and OCSP handling. Being a proper part of GnuPG /dirmngr/ does now
+ also care about accessing OpenPGP keyservers. This make its easier to
+ debug problems with the keyservers and to exchange additional
+ information about the keyserver between /gpg/ and /dirmngr/. It will
+ eventually also be possible to run background tasks to refresh keys.
+
+ Although the ability to start /dirmngr/ as a system service is still
+ available, this is not anymore recommended and instead /dirmngr/ is
+ now by default started on-demand, very similar to /gpg-agent/.
+
+
+1.10 Better keyserver pool support
+──────────────────────────────────
+
+ For load balancing reasons, keyservers are organized in pools to
+ enable instant round-robin DNS assignment of random keyservers. A
+ problem with that approach is that the DNS resolver is not aware of
+ the state of the keyserver. If a keyserver has gone down or a routing
+ problems occurs, /gpg/ and its keyserver helpers were not aware of it
+ and would try over and over to use the same, dead, keyserver up until
+ the DNS information expires and a the DNS resolver assigned a new
+ server from the pool.
+
+ The new /dirmngr/ in GnuPG does not use the implicit round-robin of
+ the DNS resolver but uses its own DNS lookup and keeps an internal
+ table of all hosts from the pool along with the encountered aliveness
+ state. Thus after a failure (timeout) of a request, /dirmngr/ flags a
+ host as dead and randomly selects another one from the pool. After a
+ few hours the flag is removed so that the host will be tried again.
+ It is also possible to mark a specific host from a pool explicitly as
+ dead so that it won’t be used in the future. To interact with the
+ /dirmngr/ the `gpg-connect-agent' tool is used:
+
+ ┌────
+ │ $ gpg-connect-agent --dirmngr 'help keyserver' /bye
+ │ $ gpg-connect-agent --dirmngr 'keyserver --hosttable' /bye
+ └────
+
+ The first command prints a help screen for the keyserver command and
+ the second command prints the current host table.
+
+
+1.11 Faster keyring format
+──────────────────────────
+
+ The format GnuPG has always used for the public keyring is actually a
+ slightly extended version of the on-the-wire format for OpenPGP key
+ exchange. This format is quite inflexible to work with when random
+ access to keys in the keyring is required. In fact /gpg/ always
+ parsed all keys in the keyring until it encountered the desired one.
+ With a large keyring (more than a few thousand keys) this could be
+ quite slow.
+
+ From its very beginning /gpgsm/ has used a different format to store
+ public keys (certificates) which we call a /keybox/. That file format
+ carries meta information about the stored keys and thus allows
+ searching without actually parsing the key and computing fingerprints
+ and such. The /keybox/ format has been designed to be protocol
+ independent and with 2.1 support for OpenPGP keys has been added.
+ Random access to the keys is now really fast and keyrings with 30000
+ keys and more are now easily possible. That change also enables us to
+ easily introduce other storage methods
+
+ If no `pubring.gpg' is found, /gpg/ defaults to the new /keybox/
+ format and creates a `pubring.kbx' keybox file. If such a keybox file
+ already exists, for example due to the use of /gpgsm/, it will also be
+ used for OpenPGP keys. However, if a `pubring.gpg' is found and no
+ keybox file with OpenPGP keys exists, the old `pubring.gpg' will be
+ used. Take care: GnuPG versions before 2.1 will always use the
+ `pubring.gpg' file and not know anything about keys stored in the
+ keybox file.
+
+ To convert an existing `pubring.gpg' file to the keybox format, you
+ first backup the ownertrust values, then rename the file to (for
+ example) `publickeys', so it won’t be recognized by any GnuPG version,
+ then run import, and finally restore the ownertrust values:
+
+ ┌────
+ │ $ cd ~/.gnupg
+ │ $ gpg --export-ownertrust >otrust.lst
+ │ $ mv pubring.gpg publickeys
+ │ $ gpg --import-options import-local-sigs --import publickeys
+ │ $ gpg --import-ownertrust otrust.lst
+ └────
+
+ You may then rename the `publickeys' file back so that it can be used
+ by older GnuPG versions. Remember that in this case you have two
+ independent copies of the public keys. The ownertrust values are kept
+ by all gpg versions in the file `trustdb.gpg' but the above
+ precautions need to be taken to keep them over an import.
+
+
+1.12 Auto-generated revocation certificates
+───────────────────────────────────────────
+
+ This version creates an ASCII armored revocation certificate for each
+ generated keypair and stores that certificate in a file named after
+ the fingerprint of the key in the `openpgp-revocs.d' directory below
+ the GnuPG home directory. Brief instructions on how to use this
+ revocation certificate are put at the top of the file.
+
+
+1.13 Improved card support
+──────────────────────────
+
+ The /scdaemon/, which is responsible for accessing smardcards and
+ other tokens, has received many updates. In particular pluggable USB
+ readers with a fixed card now work smoothless and similar to standard
+ readers. The latest features of the [gnuk] token are supported. Code
+ for the SmartCard-HSM has been added. More card readers with a PIN
+ pad are supported. The internal CCID driver does now also work with
+ certain non-auto-configuration equipped readers.
+
+ Since version 2.1.19 multiple card readers are support and the format
+ of the Pinentry prompts has been changed to show more information on
+ the requested card.
+
+
+ [gnuk] http://www.fsij.org/doc-gnuk/
+
+
+1.14 New format for key listings
+────────────────────────────────
+
+ Due to the introduction of ECC keys the old format to list keys was
+ not anymore suitable. In particular, the length of an ECC key is
+ defined but its expressiveness is limited without the other parameters
+ of the curve. The common way to describe an ECC key is by using the
+ assigned name of its curve. To allow for a common description we now
+ either use the algorithm name with appended key length or use the name
+ of the curve:
+
+ ┌────
+ │ pub 2048D/1E42B367 2007-12-31 [expires: 2018-12-31]
+ │
+ │ pub dsa2048 2007-12-31 [SC] [expires: 2018-12-31]
+ │ 80615870F5BAD690333686D0F2AD85AC1E42B367
+ │
+ │ pub ed25519 2014-10-18 [SC]
+ │ 0B7F0C1D690BC440D5AFF9B56902F00A0AA914C9
+ └────
+
+ The first two "pub"-items show the same key in the old format and in
+ the new format. The third "pub"-item shows an example of an ECC key
+ using an ed25519 curve. Note that since version 2.1.13 the key id is
+ not anymore shown. Instead the full fingerprint is shown in a compact
+ format; by using the option `--with-fingerprint' the non-compact
+ format is used. The `--keyid-format' option can be used to switch
+ back to the discouraged format which prints only the key id.
+
+ As a further change the validity of a key is now shown by default;
+ that is `show-uid-validity' is implicitly used for the
+ `--list-options'.
+
+ The annotated key listing produced by the `--with-colons' options did
+ not change. However a couple of new fields have been added, for
+ example if the new option `--with-secret' is used the “S/N of a token
+ field†indicates the presence of a secret key even in a public key
+ listing. This option is supported by recent [GPGME] versions and
+ makes writing of key manager software easier.
+
+
+ [GPGME] https://gnupg.org/software/gpgme/
+
+
+1.15 Recipient key from file
+────────────────────────────
+
+ Since version 2.1.14 it is possible to specify the recipient’s key by
+ providing a file with that key. This done with the new options
+ `--recipient-file' (or short `-f') and `--hidden-recipient-file' (or
+ short `-F'). The file must containing exactly one key in binary or
+ armored format. All keys specified with those options are always
+ considered fully valid. These option may be mixed with the regular
+ options to specify a key. Along with the new convenience option
+ `--no-keyring' it is now possible to encrypt data without maintaining
+ a local keyring.
+
+
+1.16 Using gpg as a filter
+──────────────────────────
+
+ Since version 2.1.14 the export and import options have been enhanced
+ to allow the use of /gpg/ to modify a key without first stroing it in
+ the keyring. For example:
+
+ ┌────
+ │ $ gpg --import-options import-minimal,import-export \
+ │ --output smallkey.gpg --import key.gpg
+ └────
+
+ copies the keys in `keys.gpg' to `smallkey.gpg' while also removing
+ all key signatures except for the latest self-signatures. This can
+ even be further restricted to copy only a specific user ID to the
+ output file:
+
+ ┌────
+ │ $ gpg --import-options import-minimal,import-export \
+ │ --import-filter keepuid='mbox = foo@example.org' \
+ │ --output smallkey.gpg --import key.gpg
+ └────
+
+ Here the new `--import-filter' option is used to remove all user IDs
+ except for those which have the mail address “foo@example.orgâ€. The
+ same is also possible while exporting a key:
+
+ ┌────
+ │ $ gpg --export-filter keepuid='mbox = me@example.org' \
+ │ --armor --export 8CFDE12197965A9A >smallkey.asc
+ └────
+
+
+1.17 Support for Putty
+──────────────────────
+
+ On Windows the new option `--enable-putty-support' allows gpg-agent to
+ act as a replacement for [Putty]’s authentication agent /Pageant/. It
+ is the Windows counterpart for the `--enable-ssh-support' option as
+ used on Unix.
+
+
+ [Putty] http://www.chiark.greenend.org.uk/~sgtatham/putty/
+
+
+1.18 Export of SSH public keys
+──────────────────────────────
+
+ The new command `--export-ssh-key' makes it easy to export an /ssh/
+ public key in the format used for ssh’s `authorized_keys' file. By
+ default the command exports the newest subkey with an authorization
+ usage flags. A special syntax can be used to export other subkeys.
+ This command is available since 2.1.11 and replaces the former debug
+ utility /gpgkey2ssh/.
+
+
+1.19 Improved X.509 certificate creation
+────────────────────────────────────────
+
+ In addition to an improved certificate signing request menu, it is now
+ possible to create a self-signed certificate using the interactive
+ menu of /gpgsm/.
+
+ In batch mode the certificate creation dialog can now be controlled by
+ a parameter file with several new keywords. Such a parameter file
+ allows the creation of arbitrary X.509 certificates similar to what
+ can be done with /openssl/. It may thus be used as the base for a CA
+ software. For details see the “CSR and certificate creation†section
+ in the manual.
+
+ The new commands `--export-secret-key-p8' and –export-secret-key-raw=
+ may be used to export a secret key directly in PKCS#8 or PKCS#1
+ format. Thus X.509 certificates for TLS use may be managed by /gpgsm/
+ and directly exported in a format suitable for OpenSSL based servers.
+
+
+1.20 Scripts to create a Windows installer
+──────────────────────────────────────────
+
+ GnuPG now comes with the /speedo/ build system which may be used to
+ quickly download and build GnuPG and all its direct dependencies on a
+ decent Unix system. See the README file for more instructions.
+
+ The very same script may also be used to build a complete NSIS based
+ installer for Windows using the mingw-w64 cross-compiler toolchain.
+ That installer will feature GnuPG proper, GPA as graphical frontend,
+ and GpgEX as a Windows Explorer extension. GnuPG needs to be unpacked
+ and from the top source directory you run this command
+
+ ┌────
+ │ make -f build-aux/speedo.mk w32-installer
+ └────
+
+ This command downloads all direct dependencies, checks the signatures
+ using the GnuPG version from the build system (all Linux distros
+ feature a suitable GnuPG tool), builds everything from source, and
+ uses NSIS to create the installer. Although this sounds easy, some
+ experience in setting up a development machine is still required.
+ Some versions of the toolchain exhibit bugs and thus your mileage may
+ vary. See the [Wiki] for more info.
+
+ Support for keyserver access over TLS is currently not available but
+ will be added with one of the next point releases.
+
+
+
+ # Copyright 2014--2017 The GnuPG Project.
+ # This work is licensed under the Creative Commons
+ # Attribution-ShareAlike 4.0 International License. To view a copy of
+ # this license, visit http://creativecommons.org/licenses/by-sa/4.0/
+ # or send a letter to Creative Commons, PO Box 1866, Mountain View, CA
+ # 94042, USA.
+ #
+ # The canonical source for this article can be found in the gnupg-doc
+ # git repository as web/faq/whats-new-in-2.1.org.
+
+
+ [Wiki] https://wiki.gnupg.org/Build2.1_Windows
diff --git a/doc/wks.texi b/doc/wks.texi
new file mode 100644
index 0000000..e398ccb
--- /dev/null
+++ b/doc/wks.texi
@@ -0,0 +1,481 @@
+@c wks.texi - man pages for the Web Key Service tools.
+@c Copyright (C) 2017 g10 Code GmbH
+@c Copyright (C) 2017 Bundesamt für Sicherheit in der Informationstechnik
+@c This is part of the GnuPG manual.
+@c For copying conditions, see the file GnuPG.texi.
+
+@include defs.inc
+
+@node Web Key Service
+@chapter Web Key Service
+
+GnuPG comes with tools used to maintain and access a Web Key
+Directory.
+
+@menu
+* gpg-wks-client:: Send requests via WKS
+* gpg-wks-server:: Server to provide the WKS.
+@end menu
+
+@c
+@c GPG-WKS-CLIENT
+@c
+@manpage gpg-wks-client.1
+@node gpg-wks-client
+@section Send requests via WKS
+@ifset manverb
+.B gpg-wks-client
+\- Client for the Web Key Service
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-supported
+.I user-id
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-check
+.I user-id
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-create
+.I fingerprint
+.I user-id
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-receive
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-read
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-mirror
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-install-key
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-remove-key
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-print-wkd-hash
+.br
+.B gpg-wks-client
+.RI [ options ]
+.B \-\-print-wkd-url
+@end ifset
+
+@mansect description
+The @command{gpg-wks-client} is used to send requests to a Web Key
+Service provider. This is usually done to upload a key into a Web
+Key Directory.
+
+With the @option{--supported} command the caller can test whether a
+site supports the Web Key Service. The argument is an arbitrary
+address in the to be tested domain. For example
+@file{foo@@example.net}. The command returns success if the Web Key
+Service is supported. The operation is silent; to get diagnostic
+output use the option @option{--verbose}. See option
+@option{--with-colons} for a variant of this command.
+
+With the @option{--check} command the caller can test whether a key
+exists for a supplied mail address. The command returns success if a
+key is available.
+
+The @option{--create} command is used to send a request for
+publication in the Web Key Directory. The arguments are the
+fingerprint of the key and the user id to publish. The output from
+the command is a properly formatted mail with all standard headers.
+This mail can be fed to @command{sendmail(8)} or any other tool to
+actually send that mail. If @command{sendmail(8)} is installed the
+option @option{--send} can be used to directly send the created
+request. If the provider request a 'mailbox-only' user id and no such
+user id is found, @command{gpg-wks-client} will try an additional user
+id.
+
+The @option{--receive} and @option{--read} commands are used to
+process confirmation mails as send from the service provider. The
+former expects an encrypted MIME messages, the latter an already
+decrypted MIME message. The result of these commands are another mail
+which can be send in the same way as the mail created with
+@option{--create}.
+
+The command @option{--install-key} manually installs a key into a
+local directory (see option @option{-C}) reflecting the structure of a
+WKD. The arguments are a file with the keyblock and the user-id to
+install. If the first argument resembles a fingerprint the key is
+taken from the current keyring; to force the use of a file, prefix the
+first argument with "./". If no arguments are given the parameters
+are read from stdin; the expected format are lines with the
+fingerprint and the mailbox separated by a space. The command
+@option{--remove-key} removes a key from that directory, its only
+argument is a user-id.
+
+The command @option{--mirror} is similar to @option{--install-key} but
+takes the keys from the the LDAP server configured for Dirmngr. If no
+arguments are given all keys and user ids are installed. If arguments
+are given they are taken as domain names to limit the to be installed
+keys. The option @option{--blacklist} may be used to further limit
+the to be installed keys.
+
+The command @option{--print-wkd-hash} prints the WKD user-id identifiers
+and the corresponding mailboxes from the user-ids given on the command
+line or via stdin (one user-id per line).
+
+The command @option{--print-wkd-url} prints the URLs used to fetch the
+key for the given user-ids from WKD. The meanwhile preferred format
+with sub-domains is used here.
+
+@command{gpg-wks-client} is not commonly invoked directly and thus it
+is not installed in the bin directory. Here is an example how it can
+be invoked manually to check for a Web Key Directory entry for
+@file{foo@@example.org}:
+
+@example
+$(gpgconf --list-dirs libexecdir)/gpg-wks-client --check foo@@example.net
+@end example
+
+@mansect options
+@noindent
+@command{gpg-wks-client} understands these options:
+
+@table @gnupgtabopt
+
+@item --send
+@opindex send
+Directly send created mails using the @command{sendmail} command.
+Requires installation of that command.
+
+@item --with-colons
+@opindex with-colons
+This option has currently only an effect on the @option{--supported}
+command. If it is used all arguments on the command line are taken
+as domain names and tested for WKD support. The output format is one
+line per domain with colon delimited fields. The currently specified
+fields are (future versions may specify additional fields):
+
+@table @asis
+
+ @item 1 - domain
+ This is the domain name. Although quoting is not required for valid
+ domain names this field is specified to be quoted in standard C
+ manner.
+
+ @item 2 - WKD
+ If the value is true the domain supports the Web Key Directory.
+
+ @item 3 - WKS
+ If the value is true the domain supports the Web Key Service
+ protocol to upload keys to the directory.
+
+ @item 4 - error-code
+ This may contain an gpg-error code to describe certain
+ failures. Use @samp{gpg-error CODE} to explain the code.
+
+ @item 5 - protocol-version
+ The minimum protocol version supported by the server.
+
+ @item 6 - auth-submit
+ The auth-submit flag from the policy file of the server.
+
+ @item 7 - mailbox-only
+ The mailbox-only flag from the policy file of the server.
+@end table
+
+
+
+@item --output @var{file}
+@itemx -o
+@opindex output
+Write the created mail to @var{file} instead of stdout. Note that the
+value @code{-} for @var{file} is the same as writing to stdout.
+
+@item --status-fd @var{n}
+@opindex status-fd
+Write special status strings to the file descriptor @var{n}.
+This program returns only the status messages SUCCESS or FAILURE which
+are helpful when the caller uses a double fork approach and can't
+easily get the return code of the process.
+
+@item -C @var{dir}
+@itemx --directory @var{dir}
+@opindex directory
+Use @var{dir} as top level directory for the commands
+@option{--mirror}, @option{--install-key} and @option{--remove-key}.
+The default is @file{openpgpkey}.
+
+
+@item --blacklist @var{file}
+@opindex blacklist
+This option is used to exclude certain mail addresses from a mirror
+operation. The format of @var{file} is one mail address (just the
+addrspec, e.g. "postel@@isi.edu") per line. Empty lines and lines
+starting with a '#' are ignored.
+
+@item --verbose
+@opindex verbose
+Enable extra informational output.
+
+@item --quiet
+@opindex quiet
+Disable almost all informational output.
+
+@item --version
+@opindex version
+Print version of the program and exit.
+
+@item --help
+@opindex help
+Display a brief help page and exit.
+
+@end table
+
+
+@mansect see also
+@ifset isman
+@command{gpg-wks-server}(1)
+@end ifset
+
+
+@c
+@c GPG-WKS-SERVER
+@c
+@manpage gpg-wks-server.1
+@node gpg-wks-server
+@section Provide the Web Key Service
+@ifset manverb
+.B gpg-wks-server
+\- Server providing the Web Key Service
+@end ifset
+
+@mansect synopsis
+@ifset manverb
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-receive
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-cron
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-list-domains
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-check-key
+.I user-id
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-install-key
+.I file
+.I user-id
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-remove-key
+.I user-id
+.br
+.B gpg-wks-server
+.RI [ options ]
+.B \-\-revoke-key
+.I user-id
+@end ifset
+
+@mansect description
+The @command{gpg-wks-server} is a server site implementation of the
+Web Key Service. It receives requests for publication, sends
+confirmation requests, receives confirmations, and published the key.
+It also has features to ease the setup and maintenance of a Web Key
+Directory.
+
+When used with the command @option{--receive} a single Web Key Service
+mail is processed. Commonly this command is used with the option
+@option{--send} to directly send the crerated mails back. See below
+for an installation example.
+
+The command @option{--cron} is used for regualr cleanup tasks. For
+example non-confirmed requested should be removed after their expire
+time. It is best to run this command once a day from a cronjob.
+
+The command @option{--list-domains} prints all configured domains.
+Further it creates missing directories for the configuration and
+prints warnings pertaining to problems in the configuration.
+
+The command @option{--check-key} (or just @option{--check}) checks
+whether a key with the given user-id is installed. The process returns
+success in this case; to also print a diagnostic use the option
+@option{-v}. If the key is not installed a diagnostic is printed and
+the process returns failure; to suppress the diagnostic, use option
+@option{-q}. More than one user-id can be given; see also option
+@option{with-file}.
+
+The command @option{--install-key} manually installs a key into the
+WKD. The arguments are a file with the keyblock and the user-id to
+install. If the first argument resembles a fingerprint the key is
+taken from the current keyring; to force the use of a file, prefix the
+first argument with "./". If no arguments are given the parameters
+are read from stdin; the expected format are lines with the
+fingerprint and the mailbox separated by a space.
+
+The command @option{--remove-key} uninstalls a key from the WKD. The
+process returns success in this case; to also print a diagnostic, use
+option @option{-v}. If the key is not installed a diagnostic is
+printed and the process returns failure; to suppress the diagnostic,
+use option @option{-q}.
+
+The command @option{--revoke-key} is not yet functional.
+
+
+@mansect options
+@noindent
+@command{gpg-wks-server} understands these options:
+
+@table @gnupgtabopt
+
+@item -C @var{dir}
+@itemx --directory @var{dir}
+@opindex directory
+Use @var{dir} as top level directory for domains. The default is
+@file{/var/lib/gnupg/wks}.
+
+@item --from @var{mailaddr}
+@opindex from
+Use @var{mailaddr} as the default sender address.
+
+@item --header @var{name}=@var{value}
+@opindex header
+Add the mail header "@var{name}: @var{value}" to all outgoing mails.
+
+@item --send
+@opindex send
+Directly send created mails using the @command{sendmail} command.
+Requires installation of that command.
+
+@item -o @var{file}
+@itemx --output @var{file}
+@opindex output
+Write the created mail also to @var{file}. Note that the value
+@code{-} for @var{file} would write it to stdout.
+
+@item --with-dir
+@opindex with-dir
+When used with the command @option{--list-domains} print for each
+installed domain the domain name and its directory name.
+
+@item --with-file
+@opindex with-file
+When used with the command @option{--check-key} print for each user-id,
+the address, 'i' for installed key or 'n' for not installed key, and
+the filename.
+
+@item --verbose
+@opindex verbose
+Enable extra informational output.
+
+@item --quiet
+@opindex quiet
+Disable almost all informational output.
+
+@item --version
+@opindex version
+Print version of the program and exit.
+
+@item --help
+@opindex help
+Display a brief help page and exit.
+
+@end table
+
+@noindent
+@mansect examples
+@chapheading Examples
+
+The Web Key Service requires a working directory to store keys
+pending for publication. As root create a working directory:
+
+@example
+ # mkdir /var/lib/gnupg/wks
+ # chown webkey:webkey /var/lib/gnupg/wks
+ # chmod 2750 /var/lib/gnupg/wks
+@end example
+
+Then under your webkey account create directories for all your
+domains. Here we do it for "example.net":
+
+@example
+ $ mkdir /var/lib/gnupg/wks/example.net
+@end example
+
+Finally run
+
+@example
+ $ gpg-wks-server --list-domains
+@end example
+
+to create the required sub-directories with the permissions set
+correctly. For each domain a submission address needs to be
+configured. All service mails are directed to that address. It can
+be the same address for all configured domains, for example:
+
+@example
+ $ cd /var/lib/gnupg/wks/example.net
+ $ echo key-submission@@example.net >submission-address
+@end example
+
+The protocol requires that the key to be published is send with an
+encrypted mail to the service. Thus you need to create a key for
+the submission address:
+
+@example
+ $ gpg --batch --passphrase '' --quick-gen-key key-submission@@example.net
+ $ gpg -K key-submission@@example.net
+@end example
+
+The output of the last command looks similar to this:
+
+@example
+ sec rsa2048 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@@example.net
+ ssb rsa2048 2016-08-30 [E]
+@end example
+
+Take the fingerprint from that output and manually publish the key:
+
+@example
+ $ gpg-wks-server --install-key C0FCF8642D830C53246211400346653590B3795B \
+ > key-submission@@example.net
+@end example
+
+Finally that submission address needs to be redirected to a script
+running @command{gpg-wks-server}. The @command{procmail} command can
+be used for this: Redirect the submission address to the user "webkey"
+and put this into webkey's @file{.procmailrc}:
+
+@example
+:0
+* !^From: webkey@@example.net
+* !^X-WKS-Loop: webkey.example.net
+|gpg-wks-server -v --receive \
+ --header X-WKS-Loop=webkey.example.net \
+ --from webkey@@example.net --send
+@end example
+
+
+@mansect see also
+@ifset isman
+@command{gpg-wks-client}(1)
+@end ifset
diff --git a/doc/yat2m.c b/doc/yat2m.c
new file mode 100644
index 0000000..c7bec33
--- /dev/null
+++ b/doc/yat2m.c
@@ -0,0 +1,1646 @@
+/* yat2m.c - Yet Another Texi 2 Man converter
+ * Copyright (C) 2005, 2013, 2015, 2016, 2017 g10 Code GmbH
+ * Copyright (C) 2006, 2008, 2011 Free Software Foundation, Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <https://www.gnu.org/licenses/>.
+ */
+
+/**********************************************
+ * Note: The canonical source of this tool **
+ * is part of libgpg-error and it **
+ * installs yat2m on the build system. **
+ **********************************************/
+
+/*
+ This is a simple texinfo to man page converter. It needs some
+ special markup in th e texinfo and tries best to get a create man
+ page. It has been designed for the GnuPG man pages and thus only
+ a few texinfo commands are supported.
+
+ To use this you need to add the following macros into your texinfo
+ source:
+
+ @macro manpage {a}
+ @end macro
+ @macro mansect {a}
+ @end macro
+ @macro manpause
+ @end macro
+ @macro mancont
+ @end macro
+
+ They are used by yat2m to select parts of the Texinfo which should
+ go into the man page. These macros need to be used without leading
+ left space. Processing starts after a "manpage" macro has been
+ seen. "mansect" identifies the section and yat2m make sure to
+ emit the sections in the proper order. Note that @mansect skips
+ the next input line if that line begins with @section, @subsection or
+ @chapheading.
+
+ To insert verbatim troff markup, the following texinfo code may be
+ used:
+
+ @ifset manverb
+ .B whateever you want
+ @end ifset
+
+ alternativly a special comment may be used:
+
+ @c man:.B whatever you want
+
+ This is useful in case you need just one line. If you want to
+ include parts only in the man page but keep the texinfo
+ translation you may use:
+
+ @ifset isman
+ stuff to be rendered only on man pages
+ @end ifset
+
+ or to exclude stuff from man pages:
+
+ @ifclear isman
+ stuff not to be rendered on man pages
+ @end ifclear
+
+ the keyword @section is ignored, however @subsection gets rendered
+ as ".SS". @menu is completely skipped. Several man pages may be
+ extracted from one file, either using the --store or the --select
+ option.
+
+ If you want to indent tables in the source use this style:
+
+ @table foo
+ @item
+ @item
+ @table
+ @item
+ @end
+ @end
+
+ Don't change the indentation within a table and keep the same
+ number of white space at the start of the line. yat2m simply
+ detects the number of white spaces in front of an @item and remove
+ this number of spaces from all following lines until a new @item
+ is found or there are less spaces than for the last @item.
+
+ Note that @* does only work correctly if used at the end of an
+ input line.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stddef.h>
+#include <string.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <assert.h>
+#include <ctype.h>
+#include <time.h>
+
+
+#if __GNUC__
+# define MY_GCC_VERSION (__GNUC__ * 10000 \
+ + __GNUC_MINOR__ * 100 \
+ + __GNUC_PATCHLEVEL__)
+#else
+# define MY_GCC_VERSION 0
+#endif
+
+#if MY_GCC_VERSION >= 20500
+# define ATTR_PRINTF(f, a) __attribute__ ((format(printf,f,a)))
+# define ATTR_NR_PRINTF(f, a) __attribute__ ((noreturn, format(printf,f,a)))
+#else
+# define ATTR_PRINTF(f, a)
+# define ATTR_NR_PRINTF(f, a)
+#endif
+#if MY_GCC_VERSION >= 30200
+# define ATTR_MALLOC __attribute__ ((__malloc__))
+#else
+# define ATTR_MALLOC
+#endif
+
+
+
+#define PGM "yat2m"
+#define VERSION "1.0"
+
+/* The maximum length of a line including the linefeed and one extra
+ character. */
+#define LINESIZE 1024
+
+/* Number of allowed condition nestings. */
+#define MAX_CONDITION_NESTING 10
+
+/* Option flags. */
+static int verbose;
+static int quiet;
+static int debug;
+static const char *opt_source;
+static const char *opt_release;
+static const char *opt_date;
+static const char *opt_select;
+static const char *opt_include;
+static int opt_store;
+
+/* Flag to keep track whether any error occurred. */
+static int any_error;
+
+
+/* Object to keep macro definitions. */
+struct macro_s
+{
+ struct macro_s *next;
+ char *value; /* Malloced value. */
+ char name[1];
+};
+typedef struct macro_s *macro_t;
+
+/* List of all defined macros. */
+static macro_t macrolist;
+
+/* List of variables set by @set. */
+static macro_t variablelist;
+
+/* List of global macro names. The value part is not used. */
+static macro_t predefinedmacrolist;
+
+/* Object to keep track of @isset and @ifclear. */
+struct condition_s
+{
+ int manverb; /* "manverb" needs special treatment. */
+ int isset; /* This is an @isset condition. */
+ char name[1]; /* Name of the condition macro. */
+};
+typedef struct condition_s *condition_t;
+
+/* The stack used to evaluate conditions. And the current states. */
+static condition_t condition_stack[MAX_CONDITION_NESTING];
+static int condition_stack_idx;
+static int cond_is_active; /* State of ifset/ifclear */
+static int cond_in_verbatim; /* State of "manverb". */
+
+
+/* Object to store one line of content. */
+struct line_buffer_s
+{
+ struct line_buffer_s *next;
+ int verbatim; /* True if LINE contains verbatim data. The default
+ is Texinfo source. */
+ char *line;
+};
+typedef struct line_buffer_s *line_buffer_t;
+
+
+/* Object to collect the data of a section. */
+struct section_buffer_s
+{
+ char *name; /* Malloced name of the section. This may be
+ NULL to indicate this slot is not used. */
+ line_buffer_t lines; /* Linked list with the lines of the section. */
+ line_buffer_t *lines_tail; /* Helper for faster appending to the
+ linked list. */
+ line_buffer_t last_line; /* Points to the last line appended. */
+};
+typedef struct section_buffer_s *section_buffer_t;
+
+/* Variable to keep info about the current page together. */
+static struct
+{
+ /* Filename of the current page or NULL if no page is active. Malloced. */
+ char *name;
+
+ /* Number of allocated elements in SECTIONS below. */
+ size_t n_sections;
+ /* Array with the data of the sections. */
+ section_buffer_t sections;
+
+} thepage;
+
+
+/* The list of standard section names. COMMANDS and ASSUAN are GnuPG
+ specific. */
+static const char * const standard_sections[] =
+ { "NAME", "SYNOPSIS", "DESCRIPTION",
+ "RETURN VALUE", "EXIT STATUS", "ERROR HANDLING", "ERRORS",
+ "COMMANDS", "OPTIONS", "USAGE", "EXAMPLES", "FILES",
+ "ENVIRONMENT", "DIAGNOSTICS", "SECURITY", "CONFORMING TO",
+ "ASSUAN", "NOTES", "BUGS", "AUTHOR", "SEE ALSO", NULL };
+
+
+/*-- Local prototypes. --*/
+static void proc_texi_buffer (FILE *fp, const char *line, size_t len,
+ int *table_level, int *eol_action);
+
+static void die (const char *format, ...) ATTR_NR_PRINTF(1,2);
+static void err (const char *format, ...) ATTR_PRINTF(1,2);
+static void inf (const char *format, ...) ATTR_PRINTF(1,2);
+static void *xmalloc (size_t n) ATTR_MALLOC;
+static void *xcalloc (size_t n, size_t m) ATTR_MALLOC;
+
+
+
+/*-- Functions --*/
+
+/* Print diagnostic message and exit with failure. */
+static void
+die (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ putc ('\n', stderr);
+
+ exit (1);
+}
+
+
+/* Print diagnostic message. */
+static void
+err (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ if (strncmp (format, "%s:%d:", 6))
+ fprintf (stderr, "%s: ", PGM);
+
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ putc ('\n', stderr);
+ any_error = 1;
+}
+
+/* Print diagnostic message. */
+static void
+inf (const char *format, ...)
+{
+ va_list arg_ptr;
+
+ fflush (stdout);
+ fprintf (stderr, "%s: ", PGM);
+
+ va_start (arg_ptr, format);
+ vfprintf (stderr, format, arg_ptr);
+ va_end (arg_ptr);
+ putc ('\n', stderr);
+}
+
+
+static void *
+xmalloc (size_t n)
+{
+ void *p = malloc (n);
+ if (!p)
+ die ("out of core: %s", strerror (errno));
+ return p;
+}
+
+static void *
+xcalloc (size_t n, size_t m)
+{
+ void *p = calloc (n, m);
+ if (!p)
+ die ("out of core: %s", strerror (errno));
+ return p;
+}
+
+static void *
+xrealloc (void *old, size_t n)
+{
+ void *p = realloc (old, n);
+ if (!p)
+ die ("out of core: %s", strerror (errno));
+ return p;
+}
+
+static char *
+xstrdup (const char *string)
+{
+ void *p = malloc (strlen (string)+1);
+ if (!p)
+ die ("out of core: %s", strerror (errno));
+ strcpy (p, string);
+ return p;
+}
+
+
+/* Uppercase the ascii characters in STRING. */
+static char *
+ascii_strupr (char *string)
+{
+ char *p;
+
+ for (p = string; *p; p++)
+ if (!(*p & 0x80))
+ *p = toupper (*p);
+ return string;
+}
+
+
+/* Return the current date as an ISO string. */
+const char *
+isodatestring (void)
+{
+ static char buffer[11+5];
+ struct tm *tp;
+ time_t atime;
+
+ if (opt_date && *opt_date)
+ atime = strtoul (opt_date, NULL, 10);
+ else
+ atime = time (NULL);
+ if (atime < 0)
+ strcpy (buffer, "????" "-??" "-??");
+ else
+ {
+ tp = gmtime (&atime);
+ sprintf (buffer,"%04d-%02d-%02d",
+ 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday );
+ }
+ return buffer;
+}
+
+
+/* Add NAME to the list of predefined macros which are global for all
+ files. */
+static void
+add_predefined_macro (const char *name)
+{
+ macro_t m;
+
+ for (m=predefinedmacrolist; m; m = m->next)
+ if (!strcmp (m->name, name))
+ break;
+ if (!m)
+ {
+ m = xcalloc (1, sizeof *m + strlen (name));
+ strcpy (m->name, name);
+ m->next = predefinedmacrolist;
+ predefinedmacrolist = m;
+ }
+}
+
+
+/* Create or update a macro with name MACRONAME and set its values TO
+ MACROVALUE. Note that ownership of the macro value is transferred
+ to this function. */
+static void
+set_macro (const char *macroname, char *macrovalue)
+{
+ macro_t m;
+
+ for (m=macrolist; m; m = m->next)
+ if (!strcmp (m->name, macroname))
+ break;
+ if (m)
+ free (m->value);
+ else
+ {
+ m = xcalloc (1, sizeof *m + strlen (macroname));
+ strcpy (m->name, macroname);
+ m->next = macrolist;
+ macrolist = m;
+ }
+ m->value = macrovalue;
+ macrovalue = NULL;
+}
+
+
+/* Create or update a variable with name and value given in NAMEANDVALUE. */
+static void
+set_variable (char *nameandvalue)
+{
+ macro_t m;
+ const char *value;
+ char *p;
+
+ for (p = nameandvalue; *p && *p != ' ' && *p != '\t'; p++)
+ ;
+ if (!*p)
+ value = "";
+ else
+ {
+ *p++ = 0;
+ while (*p == ' ' || *p == '\t')
+ p++;
+ value = p;
+ }
+
+ for (m=variablelist; m; m = m->next)
+ if (!strcmp (m->name, nameandvalue))
+ break;
+ if (m)
+ free (m->value);
+ else
+ {
+ m = xcalloc (1, sizeof *m + strlen (nameandvalue));
+ strcpy (m->name, nameandvalue);
+ m->next = variablelist;
+ variablelist = m;
+ }
+ m->value = xstrdup (value);
+}
+
+
+/* Return true if the macro or variable NAME is set, i.e. not the
+ empty string and not evaluating to 0. */
+static int
+macro_set_p (const char *name)
+{
+ macro_t m;
+
+ for (m = macrolist; m ; m = m->next)
+ if (!strcmp (m->name, name))
+ break;
+ if (!m)
+ for (m = variablelist; m ; m = m->next)
+ if (!strcmp (m->name, name))
+ break;
+ if (!m || !m->value || !*m->value)
+ return 0;
+ if ((*m->value & 0x80) || !isdigit (*m->value))
+ return 1; /* Not a digit but some other string. */
+ return !!atoi (m->value);
+}
+
+
+/* Evaluate the current conditions. */
+static void
+evaluate_conditions (const char *fname, int lnr)
+{
+ int i;
+
+ /* for (i=0; i < condition_stack_idx; i++) */
+ /* inf ("%s:%d: stack[%d] %s %s %c", */
+ /* fname, lnr, i, condition_stack[i]->isset? "set":"clr", */
+ /* condition_stack[i]->name, */
+ /* (macro_set_p (condition_stack[i]->name) */
+ /* ^ !condition_stack[i]->isset)? 't':'f'); */
+
+ cond_is_active = 1;
+ cond_in_verbatim = 0;
+ if (condition_stack_idx)
+ {
+ for (i=0; i < condition_stack_idx; i++)
+ {
+ if (condition_stack[i]->manverb)
+ cond_in_verbatim = (macro_set_p (condition_stack[i]->name)
+ ^ !condition_stack[i]->isset);
+ else if (!(macro_set_p (condition_stack[i]->name)
+ ^ !condition_stack[i]->isset))
+ {
+ cond_is_active = 0;
+ break;
+ }
+ }
+ }
+
+ /* inf ("%s:%d: active=%d verbatim=%d", */
+ /* fname, lnr, cond_is_active, cond_in_verbatim); */
+}
+
+
+/* Push a condition with condition macro NAME onto the stack. If
+ ISSET is true, a @isset condition is pushed. */
+static void
+push_condition (const char *name, int isset, const char *fname, int lnr)
+{
+ condition_t cond;
+ int manverb = 0;
+
+ if (condition_stack_idx >= MAX_CONDITION_NESTING)
+ {
+ err ("%s:%d: condition nested too deep", fname, lnr);
+ return;
+ }
+
+ if (!strcmp (name, "manverb"))
+ {
+ if (!isset)
+ {
+ err ("%s:%d: using \"@ifclear manverb\" is not allowed", fname, lnr);
+ return;
+ }
+ manverb = 1;
+ }
+
+ cond = xcalloc (1, sizeof *cond + strlen (name));
+ cond->manverb = manverb;
+ cond->isset = isset;
+ strcpy (cond->name, name);
+
+ condition_stack[condition_stack_idx++] = cond;
+ evaluate_conditions (fname, lnr);
+}
+
+
+/* Remove the last condition from the stack. ISSET is used for error
+ reporting. */
+static void
+pop_condition (int isset, const char *fname, int lnr)
+{
+ if (!condition_stack_idx)
+ {
+ err ("%s:%d: unbalanced \"@end %s\"",
+ fname, lnr, isset?"isset":"isclear");
+ return;
+ }
+ condition_stack_idx--;
+ free (condition_stack[condition_stack_idx]);
+ condition_stack[condition_stack_idx] = NULL;
+ evaluate_conditions (fname, lnr);
+}
+
+
+
+/* Return a section buffer for the section NAME. Allocate a new buffer
+ if this is a new section. Keep track of the sections in THEPAGE.
+ This function may reallocate the section array in THEPAGE. */
+static section_buffer_t
+get_section_buffer (const char *name)
+{
+ int i;
+ section_buffer_t sect;
+
+ /* If there is no section we put everything into the required NAME
+ section. Given that this is the first one listed it is likely
+ that error are easily visible. */
+ if (!name)
+ name = "NAME";
+
+ for (i=0; i < thepage.n_sections; i++)
+ {
+ sect = thepage.sections + i;
+ if (sect->name && !strcmp (name, sect->name))
+ return sect;
+ }
+ for (i=0; i < thepage.n_sections; i++)
+ if (!thepage.sections[i].name)
+ break;
+ if (thepage.n_sections && i < thepage.n_sections)
+ sect = thepage.sections + i;
+ else
+ {
+ /* We need to allocate or reallocate the section array. */
+ size_t old_n = thepage.n_sections;
+ size_t new_n = 20;
+
+ if (!old_n)
+ thepage.sections = xcalloc (new_n, sizeof *thepage.sections);
+ else
+ {
+ thepage.sections = xrealloc (thepage.sections,
+ ((old_n + new_n)
+ * sizeof *thepage.sections));
+ memset (thepage.sections + old_n, 0,
+ new_n * sizeof *thepage.sections);
+ }
+ thepage.n_sections += new_n;
+
+ /* Setup the tail pointers. */
+ for (i=old_n; i < thepage.n_sections; i++)
+ {
+ sect = thepage.sections + i;
+ sect->lines_tail = &sect->lines;
+ }
+ sect = thepage.sections + old_n;
+ }
+
+ /* Store the name. */
+ assert (!sect->name);
+ sect->name = xstrdup (name);
+ return sect;
+}
+
+
+
+/* Add the content of LINE to the section named SECTNAME. */
+static void
+add_content (const char *sectname, char *line, int verbatim)
+{
+ section_buffer_t sect;
+ line_buffer_t lb;
+
+ sect = get_section_buffer (sectname);
+ if (sect->last_line && !sect->last_line->verbatim == !verbatim)
+ {
+ /* Lets append that line to the last one. We do this to keep
+ all lines of the same kind (i.e.verbatim or not) together in
+ one large buffer. */
+ size_t n1, n;
+
+ lb = sect->last_line;
+ n1 = strlen (lb->line);
+ n = n1 + 1 + strlen (line) + 1;
+ lb->line = xrealloc (lb->line, n);
+ strcpy (lb->line+n1, "\n");
+ strcpy (lb->line+n1+1, line);
+ }
+ else
+ {
+ lb = xcalloc (1, sizeof *lb);
+ lb->verbatim = verbatim;
+ lb->line = xstrdup (line);
+ sect->last_line = lb;
+ *sect->lines_tail = lb;
+ sect->lines_tail = &lb->next;
+ }
+}
+
+
+/* Prepare for a new man page using the filename NAME. */
+static void
+start_page (char *name)
+{
+ if (verbose)
+ inf ("starting page '%s'", name);
+ assert (!thepage.name);
+ thepage.name = xstrdup (name);
+ thepage.n_sections = 0;
+}
+
+
+/* Write the .TH entry of the current page. Return -1 if there is a
+ problem with the page. */
+static int
+write_th (FILE *fp)
+{
+ char *name, *p;
+
+ fputs (".\\\" Created from Texinfo source by yat2m " VERSION "\n", fp);
+
+ name = ascii_strupr (xstrdup (thepage.name));
+ p = strrchr (name, '.');
+ if (!p || !p[1])
+ {
+ err ("no section name in man page '%s'", thepage.name);
+ free (name);
+ return -1;
+ }
+ *p++ = 0;
+ fprintf (fp, ".TH %s %s %s \"%s\" \"%s\"\n",
+ name, p, isodatestring (), opt_release, opt_source);
+ free (name);
+ return 0;
+}
+
+
+/* Process the texinfo command COMMAND (without the leading @) and
+ write output if needed to FP. REST is the remainer of the line
+ which should either point to an opening brace or to a white space.
+ The function returns the number of characters already processed
+ from REST. LEN is the usable length of REST. TABLE_LEVEL is used to
+ control the indentation of tables. */
+static size_t
+proc_texi_cmd (FILE *fp, const char *command, const char *rest, size_t len,
+ int *table_level, int *eol_action)
+{
+ static struct {
+ const char *name; /* Name of the command. */
+ int what; /* What to do with this command. */
+ const char *lead_in; /* String to print with a opening brace. */
+ const char *lead_out;/* String to print with the closing brace. */
+ } cmdtbl[] = {
+ { "command", 0, "\\fB", "\\fR" },
+ { "code", 0, "\\fB", "\\fR" },
+ { "url", 0, "\\fB", "\\fR" },
+ { "sc", 0, "\\fB", "\\fR" },
+ { "var", 0, "\\fI", "\\fR" },
+ { "samp", 0, "\\(aq", "\\(aq" },
+ { "file", 0, "\\(oq\\fI","\\fR\\(cq" },
+ { "env", 0, "\\(oq\\fI","\\fR\\(cq" },
+ { "acronym", 0 },
+ { "dfn", 0 },
+ { "option", 0, "\\fB", "\\fR" },
+ { "example", 1, ".RS 2\n.nf\n" },
+ { "smallexample", 1, ".RS 2\n.nf\n" },
+ { "asis", 7 },
+ { "anchor", 7 },
+ { "cartouche", 1 },
+ { "ref", 0, "[", "]" },
+ { "xref", 0, "See: [", "]" },
+ { "pxref", 0, "see: [", "]" },
+ { "uref", 0, "(\\fB", "\\fR)" },
+ { "footnote",0, " ([", "])" },
+ { "emph", 0, "\\fI", "\\fR" },
+ { "w", 1 },
+ { "c", 5 },
+ { "efindex", 1 },
+ { "opindex", 1 },
+ { "cpindex", 1 },
+ { "cindex", 1 },
+ { "noindent", 0 },
+ { "section", 1 },
+ { "chapter", 1 },
+ { "subsection", 6, "\n.SS " },
+ { "chapheading", 0},
+ { "item", 2, ".TP\n.B " },
+ { "itemx", 2, ".TQ\n.B " },
+ { "table", 3 },
+ { "itemize", 3 },
+ { "bullet", 0, "* " },
+ { "*", 0, "\n.br"},
+ { "/", 0 },
+ { "end", 4 },
+ { "quotation",1, ".RS\n\\fB" },
+ { "value", 8 },
+ { NULL }
+ };
+ size_t n;
+ int i;
+ const char *s;
+ const char *lead_out = NULL;
+ int ignore_args = 0;
+
+ for (i=0; cmdtbl[i].name && strcmp (cmdtbl[i].name, command); i++)
+ ;
+ if (cmdtbl[i].name)
+ {
+ s = cmdtbl[i].lead_in;
+ if (s)
+ fputs (s, fp);
+ lead_out = cmdtbl[i].lead_out;
+ switch (cmdtbl[i].what)
+ {
+ case 1: /* Throw away the entire line. */
+ s = memchr (rest, '\n', len);
+ return s? (s-rest)+1 : len;
+ case 2: /* Handle @item. */
+ break;
+ case 3: /* Handle table. */
+ if (++(*table_level) > 1)
+ fputs (".RS\n", fp);
+ /* Now throw away the entire line. */
+ s = memchr (rest, '\n', len);
+ return s? (s-rest)+1 : len;
+ break;
+ case 4: /* Handle end. */
+ for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--)
+ ;
+ if (n >= 5 && !memcmp (s, "table", 5)
+ && (!n || s[5] == ' ' || s[5] == '\t' || s[5] == '\n'))
+ {
+ if ((*table_level)-- > 1)
+ fputs (".RE\n", fp);
+ else
+ fputs (".P\n", fp);
+ }
+ else if (n >= 7 && !memcmp (s, "example", 7)
+ && (!n || s[7] == ' ' || s[7] == '\t' || s[7] == '\n'))
+ {
+ fputs (".fi\n.RE\n", fp);
+ }
+ else if (n >= 12 && !memcmp (s, "smallexample", 12)
+ && (!n || s[12] == ' ' || s[12] == '\t' || s[12] == '\n'))
+ {
+ fputs (".fi\n.RE\n", fp);
+ }
+ else if (n >= 9 && !memcmp (s, "quotation", 9)
+ && (!n || s[9] == ' ' || s[9] == '\t' || s[9] == '\n'))
+ {
+ fputs ("\\fR\n.RE\n", fp);
+ }
+ /* Now throw away the entire line. */
+ s = memchr (rest, '\n', len);
+ return s? (s-rest)+1 : len;
+ case 5: /* Handle special comments. */
+ for (s=rest, n=len; n && (*s == ' ' || *s == '\t'); s++, n--)
+ ;
+ if (n >= 4 && !memcmp (s, "man:", 4))
+ {
+ for (s+=4, n-=4; n && *s != '\n'; n--, s++)
+ putc (*s, fp);
+ putc ('\n', fp);
+ }
+ /* Now throw away the entire line. */
+ s = memchr (rest, '\n', len);
+ return s? (s-rest)+1 : len;
+ case 6:
+ *eol_action = 1;
+ break;
+ case 7:
+ ignore_args = 1;
+ break;
+ case 8:
+ ignore_args = 1;
+ if (*rest != '{')
+ {
+ err ("opening brace for command '%s' missing", command);
+ return len;
+ }
+ else
+ {
+ /* Find closing brace. */
+ for (s=rest+1, n=1; *s && n < len; s++, n++)
+ if (*s == '}')
+ break;
+ if (*s != '}')
+ {
+ err ("closing brace for command '%s' not found", command);
+ return len;
+ }
+ else
+ {
+ size_t len = s - (rest + 1);
+ macro_t m;
+
+ for (m = variablelist; m; m = m->next)
+ if (strlen (m->name) == len
+ &&!strncmp (m->name, rest+1, len))
+ break;
+ if (m)
+ fputs (m->value, fp);
+ else
+ inf ("texinfo variable '%.*s' is not set",
+ (int)len, rest+1);
+ }
+ }
+ break;
+ default:
+ break;
+ }
+ }
+ else /* macro */
+ {
+ macro_t m;
+
+ for (m = macrolist; m ; m = m->next)
+ if (!strcmp (m->name, command))
+ break;
+ if (m)
+ {
+ proc_texi_buffer (fp, m->value, strlen (m->value),
+ table_level, eol_action);
+ ignore_args = 1; /* Parameterized macros are not yet supported. */
+ }
+ else
+ inf ("texinfo command '%s' not supported (%.*s)", command,
+ (int)((s = memchr (rest, '\n', len)), (s? (s-rest) : len)), rest);
+ }
+
+ if (*rest == '{')
+ {
+ /* Find matching closing brace. */
+ for (s=rest+1, n=1, i=1; i && *s && n < len; s++, n++)
+ if (*s == '{')
+ i++;
+ else if (*s == '}')
+ i--;
+ if (i)
+ {
+ err ("closing brace for command '%s' not found", command);
+ return len;
+ }
+ if (n > 2 && !ignore_args)
+ proc_texi_buffer (fp, rest+1, n-2, table_level, eol_action);
+ }
+ else
+ n = 0;
+
+ if (lead_out)
+ fputs (lead_out, fp);
+
+ return n;
+}
+
+
+
+/* Process the string LINE with LEN bytes of Texinfo content. */
+static void
+proc_texi_buffer (FILE *fp, const char *line, size_t len,
+ int *table_level, int *eol_action)
+{
+ const char *s;
+ char cmdbuf[256];
+ int cmdidx = 0;
+ int in_cmd = 0;
+ size_t n;
+
+ for (s=line; *s && len; s++, len--)
+ {
+ if (in_cmd)
+ {
+ if (in_cmd == 1)
+ {
+ switch (*s)
+ {
+ case '@': case '{': case '}':
+ putc (*s, fp); in_cmd = 0;
+ break;
+ case ':': /* Not ending a sentence flag. */
+ in_cmd = 0;
+ break;
+ case '.': case '!': case '?': /* Ending a sentence. */
+ putc (*s, fp); in_cmd = 0;
+ break;
+ case ' ': case '\t': case '\n': /* Non collapsing spaces. */
+ putc (*s, fp); in_cmd = 0;
+ break;
+ default:
+ cmdidx = 0;
+ cmdbuf[cmdidx++] = *s;
+ in_cmd++;
+ break;
+ }
+ }
+ else if (*s == '{' || *s == ' ' || *s == '\t' || *s == '\n')
+ {
+ cmdbuf[cmdidx] = 0;
+ n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action);
+ assert (n <= len);
+ s += n; len -= n;
+ s--; len++;
+ in_cmd = 0;
+ }
+ else if (cmdidx < sizeof cmdbuf -1)
+ cmdbuf[cmdidx++] = *s;
+ else
+ {
+ err ("texinfo command too long - ignored");
+ in_cmd = 0;
+ }
+ }
+ else if (*s == '@')
+ in_cmd = 1;
+ else if (*s == '\n')
+ {
+ switch (*eol_action)
+ {
+ case 1: /* Create a dummy paragraph. */
+ fputs ("\n\\ \n", fp);
+ break;
+ default:
+ putc (*s, fp);
+ }
+ *eol_action = 0;
+ }
+ else if (*s == '\\')
+ fputs ("\\\\", fp);
+ else
+ putc (*s, fp);
+ }
+
+ if (in_cmd > 1)
+ {
+ cmdbuf[cmdidx] = 0;
+ n = proc_texi_cmd (fp, cmdbuf, s, len, table_level, eol_action);
+ assert (n <= len);
+ s += n; len -= n;
+ s--; len++;
+ /* in_cmd = 0; -- doc only */
+ }
+}
+
+
+/* Do something with the Texinfo line LINE. */
+static void
+parse_texi_line (FILE *fp, const char *line, int *table_level)
+{
+ int eol_action = 0;
+
+ /* A quick test whether there are any texinfo commands. */
+ if (!strchr (line, '@'))
+ {
+ fputs (line, fp);
+ putc ('\n', fp);
+ return;
+ }
+ proc_texi_buffer (fp, line, strlen (line), table_level, &eol_action);
+ putc ('\n', fp);
+}
+
+
+/* Write all the lines LINES to FP. */
+static void
+write_content (FILE *fp, line_buffer_t lines)
+{
+ line_buffer_t line;
+ int table_level = 0;
+
+ for (line = lines; line; line = line->next)
+ {
+ if (line->verbatim)
+ {
+ fputs (line->line, fp);
+ putc ('\n', fp);
+ }
+ else
+ {
+/* fputs ("TEXI---", fp); */
+/* fputs (line->line, fp); */
+/* fputs ("---\n", fp); */
+ parse_texi_line (fp, line->line, &table_level);
+ }
+ }
+}
+
+
+
+static int
+is_standard_section (const char *name)
+{
+ int i;
+ const char *s;
+
+ for (i=0; (s=standard_sections[i]); i++)
+ if (!strcmp (s, name))
+ return 1;
+ return 0;
+}
+
+
+/* Finish a page; that is sort the data and write it out to the file. */
+static void
+finish_page (void)
+{
+ FILE *fp;
+ section_buffer_t sect = NULL;
+ int idx;
+ const char *s;
+ int i;
+
+ if (!thepage.name)
+ return; /* No page active. */
+
+ if (verbose)
+ inf ("finishing page '%s'", thepage.name);
+
+ if (opt_select)
+ {
+ if (!strcmp (opt_select, thepage.name))
+ {
+ inf ("selected '%s'", thepage.name );
+ fp = stdout;
+ }
+ else
+ {
+ fp = fopen ( "/dev/null", "w" );
+ if (!fp)
+ die ("failed to open /dev/null: %s\n", strerror (errno));
+ }
+ }
+ else if (opt_store)
+ {
+ inf ("writing '%s'", thepage.name );
+ fp = fopen ( thepage.name, "w" );
+ if (!fp)
+ die ("failed to create '%s': %s\n", thepage.name, strerror (errno));
+ }
+ else
+ fp = stdout;
+
+ if (write_th (fp))
+ goto leave;
+
+ for (idx=0; (s=standard_sections[idx]); idx++)
+ {
+ for (i=0; i < thepage.n_sections; i++)
+ {
+ sect = thepage.sections + i;
+ if (sect->name && !strcmp (s, sect->name))
+ break;
+ }
+ if (i == thepage.n_sections)
+ sect = NULL;
+
+ if (sect)
+ {
+ fprintf (fp, ".SH %s\n", sect->name);
+ write_content (fp, sect->lines);
+ /* Now continue with all non standard sections directly
+ following this one. */
+ for (i++; i < thepage.n_sections; i++)
+ {
+ sect = thepage.sections + i;
+ if (sect->name && is_standard_section (sect->name))
+ break;
+ if (sect->name)
+ {
+ fprintf (fp, ".SH %s\n", sect->name);
+ write_content (fp, sect->lines);
+ }
+ }
+
+ }
+ }
+
+
+ leave:
+ if (fp != stdout)
+ fclose (fp);
+ free (thepage.name);
+ thepage.name = NULL;
+ /* FIXME: Cleanup the content. */
+}
+
+
+
+
+/* Parse one Texinfo file and create manpages according to the
+ embedded instructions. */
+static void
+parse_file (const char *fname, FILE *fp, char **section_name, int in_pause)
+{
+ char *line;
+ int lnr = 0;
+ /* Fixme: The following state variables don't carry over to include
+ files. */
+ int skip_to_end = 0; /* Used to skip over menu entries. */
+ int skip_sect_line = 0; /* Skip after @mansect. */
+ int item_indent = 0; /* How far is the current @item indented. */
+
+ /* Helper to define a macro. */
+ char *macroname = NULL;
+ char *macrovalue = NULL;
+ size_t macrovaluesize = 0;
+ size_t macrovalueused = 0;
+
+ line = xmalloc (LINESIZE);
+ while (fgets (line, LINESIZE, fp))
+ {
+ size_t n = strlen (line);
+ int got_line = 0;
+ char *p, *pend;
+
+ lnr++;
+ if (!n || line[n-1] != '\n')
+ {
+ err ("%s:%d: trailing linefeed missing, line too long or "
+ "embedded Nul character", fname, lnr);
+ break;
+ }
+ line[--n] = 0;
+
+ /* Kludge to allow indentation of tables. */
+ for (p=line; *p == ' ' || *p == '\t'; p++)
+ ;
+ if (*p)
+ {
+ if (*p == '@' && !strncmp (p+1, "item", 4))
+ item_indent = p - line; /* Set a new indent level. */
+ else if (p - line < item_indent)
+ item_indent = 0; /* Switch off indention. */
+
+ if (item_indent)
+ {
+ memmove (line, line+item_indent, n - item_indent + 1);
+ n -= item_indent;
+ }
+ }
+
+
+ if (*line == '@')
+ {
+ for (p=line+1, n=1; *p && *p != ' ' && *p != '\t'; p++)
+ n++;
+ while (*p == ' ' || *p == '\t')
+ p++;
+ }
+ else
+ p = line;
+
+ /* Take action on macro. */
+ if (macroname)
+ {
+ if (n == 4 && !memcmp (line, "@end", 4)
+ && (line[4]==' '||line[4]=='\t'||!line[4])
+ && !strncmp (p, "macro", 5)
+ && (p[5]==' '||p[5]=='\t'||!p[5]))
+ {
+ if (macrovalueused)
+ macrovalue[--macrovalueused] = 0; /* Kill the last LF. */
+ macrovalue[macrovalueused] = 0; /* Terminate macro. */
+ macrovalue = xrealloc (macrovalue, macrovalueused+1);
+
+ set_macro (macroname, macrovalue);
+ macrovalue = NULL;
+ free (macroname);
+ macroname = NULL;
+ }
+ else
+ {
+ if (macrovalueused + strlen (line) + 2 >= macrovaluesize)
+ {
+ macrovaluesize += strlen (line) + 256;
+ macrovalue = xrealloc (macrovalue, macrovaluesize);
+ }
+ strcpy (macrovalue+macrovalueused, line);
+ macrovalueused += strlen (line);
+ macrovalue[macrovalueused++] = '\n';
+ }
+ continue;
+ }
+
+
+ if (n >= 5 && !memcmp (line, "@node", 5)
+ && (line[5]==' '||line[5]=='\t'||!line[5]))
+ {
+ /* Completey ignore @node lines. */
+ continue;
+ }
+
+
+ if (skip_sect_line)
+ {
+ skip_sect_line = 0;
+ if (!strncmp (line, "@section", 8)
+ || !strncmp (line, "@subsection", 11)
+ || !strncmp (line, "@chapheading", 12))
+ continue;
+ }
+
+ /* We only parse lines we need and ignore the rest. There are a
+ few macros used to control this as well as one @ifset
+ command. Parts we know about are saved away into containers
+ separate for each section. */
+
+ /* First process ifset/ifclear commands. */
+ if (*line == '@')
+ {
+ if (n == 6 && !memcmp (line, "@ifset", 6)
+ && (line[6]==' '||line[6]=='\t'))
+ {
+ for (p=line+7; *p == ' ' || *p == '\t'; p++)
+ ;
+ if (!*p)
+ {
+ err ("%s:%d: name missing after \"@ifset\"", fname, lnr);
+ continue;
+ }
+ for (pend=p; *pend && *pend != ' ' && *pend != '\t'; pend++)
+ ;
+ *pend = 0; /* Ignore rest of the line. */
+ push_condition (p, 1, fname, lnr);
+ continue;
+ }
+ else if (n == 8 && !memcmp (line, "@ifclear", 8)
+ && (line[8]==' '||line[8]=='\t'))
+ {
+ for (p=line+9; *p == ' ' || *p == '\t'; p++)
+ ;
+ if (!*p)
+ {
+ err ("%s:%d: name missing after \"@ifsclear\"", fname, lnr);
+ continue;
+ }
+ for (pend=p; *pend && *pend != ' ' && *pend != '\t'; pend++)
+ ;
+ *pend = 0; /* Ignore rest of the line. */
+ push_condition (p, 0, fname, lnr);
+ continue;
+ }
+ else if (n == 4 && !memcmp (line, "@end", 4)
+ && (line[4]==' '||line[4]=='\t')
+ && !strncmp (p, "ifset", 5)
+ && (p[5]==' '||p[5]=='\t'||!p[5]))
+ {
+ pop_condition (1, fname, lnr);
+ continue;
+ }
+ else if (n == 4 && !memcmp (line, "@end", 4)
+ && (line[4]==' '||line[4]=='\t')
+ && !strncmp (p, "ifclear", 7)
+ && (p[7]==' '||p[7]=='\t'||!p[7]))
+ {
+ pop_condition (0, fname, lnr);
+ continue;
+ }
+ }
+
+ /* Take action on ifset/ifclear. */
+ if (!cond_is_active)
+ continue;
+
+ /* Process commands. */
+ if (*line == '@')
+ {
+ if (skip_to_end
+ && n == 4 && !memcmp (line, "@end", 4)
+ && (line[4]==' '||line[4]=='\t'||!line[4]))
+ {
+ skip_to_end = 0;
+ }
+ else if (cond_in_verbatim)
+ {
+ got_line = 1;
+ }
+ else if (n == 6 && !memcmp (line, "@macro", 6))
+ {
+ macroname = xstrdup (p);
+ macrovalue = xmalloc ((macrovaluesize = 1024));
+ macrovalueused = 0;
+ }
+ else if (n == 4 && !memcmp (line, "@set", 4))
+ {
+ set_variable (p);
+ }
+ else if (n == 8 && !memcmp (line, "@manpage", 8))
+ {
+ free (*section_name);
+ *section_name = NULL;
+ finish_page ();
+ start_page (p);
+ in_pause = 0;
+ }
+ else if (n == 8 && !memcmp (line, "@mansect", 8))
+ {
+ if (!thepage.name)
+ err ("%s:%d: section outside of a man page", fname, lnr);
+ else
+ {
+ free (*section_name);
+ *section_name = ascii_strupr (xstrdup (p));
+ in_pause = 0;
+ skip_sect_line = 1;
+ }
+ }
+ else if (n == 9 && !memcmp (line, "@manpause", 9))
+ {
+ if (!*section_name)
+ err ("%s:%d: pausing outside of a man section", fname, lnr);
+ else if (in_pause)
+ err ("%s:%d: already pausing", fname, lnr);
+ else
+ in_pause = 1;
+ }
+ else if (n == 8 && !memcmp (line, "@mancont", 8))
+ {
+ if (!*section_name)
+ err ("%s:%d: continue outside of a man section", fname, lnr);
+ else if (!in_pause)
+ err ("%s:%d: continue while not pausing", fname, lnr);
+ else
+ in_pause = 0;
+ }
+ else if (n == 5 && !memcmp (line, "@menu", 5)
+ && (line[5]==' '||line[5]=='\t'||!line[5]))
+ {
+ skip_to_end = 1;
+ }
+ else if (n == 8 && !memcmp (line, "@include", 8)
+ && (line[8]==' '||line[8]=='\t'||!line[8]))
+ {
+ char *incname = xstrdup (p);
+ FILE *incfp = fopen (incname, "r");
+
+ if (!incfp && opt_include && *opt_include && *p != '/')
+ {
+ free (incname);
+ incname = xmalloc (strlen (opt_include) + 1
+ + strlen (p) + 1);
+ strcpy (incname, opt_include);
+ if ( incname[strlen (incname)-1] != '/' )
+ strcat (incname, "/");
+ strcat (incname, p);
+ incfp = fopen (incname, "r");
+ }
+
+ if (!incfp)
+ err ("can't open include file '%s': %s",
+ incname, strerror (errno));
+ else
+ {
+ parse_file (incname, incfp, section_name, in_pause);
+ fclose (incfp);
+ }
+ free (incname);
+ }
+ else if (n == 4 && !memcmp (line, "@bye", 4)
+ && (line[4]==' '||line[4]=='\t'||!line[4]))
+ {
+ break;
+ }
+ else if (!skip_to_end)
+ got_line = 1;
+ }
+ else if (!skip_to_end)
+ got_line = 1;
+
+ if (got_line && cond_in_verbatim)
+ add_content (*section_name, line, 1);
+ else if (got_line && thepage.name && *section_name && !in_pause)
+ add_content (*section_name, line, 0);
+
+ }
+ if (ferror (fp))
+ err ("%s:%d: read error: %s", fname, lnr, strerror (errno));
+ free (macroname);
+ free (macrovalue);
+ free (line);
+}
+
+
+static void
+top_parse_file (const char *fname, FILE *fp)
+{
+ char *section_name = NULL; /* Name of the current section or NULL
+ if not in a section. */
+ macro_t m;
+
+ while (macrolist)
+ {
+ macro_t next = macrolist->next;
+ free (macrolist->value);
+ free (macrolist);
+ macrolist = next;
+ }
+ while (variablelist)
+ {
+ macro_t next = variablelist->next;
+ free (variablelist->value);
+ free (variablelist);
+ variablelist = next;
+ }
+ for (m=predefinedmacrolist; m; m = m->next)
+ set_macro (m->name, xstrdup ("1"));
+ cond_is_active = 1;
+ cond_in_verbatim = 0;
+
+ parse_file (fname, fp, &section_name, 0);
+ free (section_name);
+ finish_page ();
+}
+
+
+int
+main (int argc, char **argv)
+{
+ int last_argc = -1;
+ const char *s;
+
+ opt_source = "GNU";
+ opt_release = "";
+
+ /* Define default macros. The trick is that these macros are not
+ defined when using the actual texinfo renderer. */
+ add_predefined_macro ("isman");
+ add_predefined_macro ("manverb");
+
+ /* Option parsing. */
+ if (argc)
+ {
+ argc--; argv++;
+ }
+ while (argc && last_argc != argc )
+ {
+ last_argc = argc;
+ if (!strcmp (*argv, "--"))
+ {
+ argc--; argv++;
+ break;
+ }
+ else if (!strcmp (*argv, "--help"))
+ {
+ puts (
+ "Usage: " PGM " [OPTION] [FILE]\n"
+ "Extract man pages from a Texinfo source.\n\n"
+ " --source NAME use NAME as source field\n"
+ " --release STRING use STRING as the release field\n"
+ " --date EPOCH use EPOCH as publication date\n"
+ " --store write output using @manpage name\n"
+ " --select NAME only output pages with @manpage NAME\n"
+ " --verbose enable extra informational output\n"
+ " --debug enable additional debug output\n"
+ " --help display this help and exit\n"
+ " -I DIR also search in include DIR\n"
+ " -D gpgone the only usable define\n\n"
+ "With no FILE, or when FILE is -, read standard input.\n\n"
+ "Report bugs to <bugs@g10code.com>.");
+ exit (0);
+ }
+ else if (!strcmp (*argv, "--version"))
+ {
+ puts (PGM " " VERSION "\n"
+ "Copyright (C) 2005 g10 Code GmbH\n"
+ "This program comes with ABSOLUTELY NO WARRANTY.\n"
+ "This is free software, and you are welcome to redistribute it\n"
+ "under certain conditions. See the file COPYING for details.");
+ exit (0);
+ }
+ else if (!strcmp (*argv, "--verbose"))
+ {
+ verbose = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--quiet"))
+ {
+ quiet = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--debug"))
+ {
+ verbose = debug = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--source"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_source = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "--release"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_release = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "--date"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_date = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "--store"))
+ {
+ opt_store = 1;
+ argc--; argv++;
+ }
+ else if (!strcmp (*argv, "--select"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_select = strrchr (*argv, '/');
+ if (opt_select)
+ opt_select++;
+ else
+ opt_select = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "-I"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ opt_include = *argv;
+ argc--; argv++;
+ }
+ }
+ else if (!strcmp (*argv, "-D"))
+ {
+ argc--; argv++;
+ if (argc)
+ {
+ add_predefined_macro (*argv);
+ argc--; argv++;
+ }
+ }
+ }
+
+ if (argc > 1)
+ die ("usage: " PGM " [OPTION] [FILE] (try --help for more information)\n");
+
+ /* Take care of supplied timestamp for reproducible builds. See
+ * https://reproducible-builds.org/specs/source-date-epoch/ */
+ if (!opt_date && (s = getenv ("SOURCE_DATE_EPOCH")) && *s)
+ opt_date = s;
+
+ /* Start processing. */
+ if (argc && strcmp (*argv, "-"))
+ {
+ FILE *fp = fopen (*argv, "rb");
+ if (!fp)
+ die ("%s:0: can't open file: %s", *argv, strerror (errno));
+ top_parse_file (*argv, fp);
+ fclose (fp);
+ }
+ else
+ top_parse_file ("-", stdin);
+
+ return !!any_error;
+}
+
+
+/*
+Local Variables:
+compile-command: "gcc -Wall -g -Wall -o yat2m yat2m.c"
+End:
+*/