2024-10-22  Werner Koch  <wk@gnupg.org>

	Release 2.2.45.
	+ commit 8e3fc26d4a1e3d9e0a69198a30fd79bc564c58e6


2024-10-14  Werner Koch  <wk@gnupg.org>

	dirmngr: Print a brief list of URLs with LISTCRLS.
	+ commit cb5f4aba57dc29271aeb2fa2799bf17c8078adbe
	* dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs.

	* sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to
	stdout if the dirmngr has been disabled.

2024-10-10  Werner Koch  <wk@gnupg.org>

	gpgsm: Fix cached istrusted lookup.
	+ commit 69a8aefa5bf77136b77383b94e34ba784c1cce89
	* sm/call-agent.c (gpgsm_agent_istrusted): Actually set istrusted
	list.

2024-10-07  Werner Koch  <wk@gnupg.org>

	gpg: Emit status error for an invalid ADSK.
	+ commit 85d8fa57db0a64f565fc8ecb4465340a2fbc9985
	* g10/keygen.c (prepare_adsk): Emit status error.

2024-10-04  Werner Koch  <wk@gnupg.org>

	gpgsm: Add compatibility flag no-keyinfo-cache.
	+ commit a5527edebbad3a3a4a5dc93d61133f75eac6bc89
	* sm/gpgsm.c (compatibility_flags): Add flag.
	* sm/gpgsm.h (COMPAT_NO_KEYINFO_CACHE): New.
	* sm/call-agent.c (gpgsm_agent_istrusted): Act upon it.
	(gpgsm_agent_keyinfo): Ditto.

	gpgsm: Implement a cache for the KEYINFO queries.
	+ commit 9087c1d3637cf1c61744ece0002dc0dc5675d7c9
	* sm/gpgsm.h (struct keyinfo_cache_item_s): New.
	(struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid.
	* sm/call-agent.c (keyinfo_cache_disabled): New flag.
	(release_a_keyinfo_cache): New.
	(gpgsm_flush_keyinfo_cache): New.
	(struct keyinfo_status_parm_s): New.
	(keyinfo_status_cb): Implement a fill mode.
	(gpgsm_agent_keyinfo): Implement a cache.
	* sm/server.c (reset_notify): Flush the cache.
	* sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto.

	gpgsm: Use a cache for ISTRUSTED queries.
	+ commit 09d4b8f496dd461a21d5ba0297710d683b16def4
	* sm/call-agent.c (struct istrusted_cache_s): New.
	(istrusted_cache, istrusted_cache_valid): New.
	(istrusted_cache_disabled): New.
	(flush_istrusted_cache): New.
	(struct istrusted_status_parm_s): New.
	(istrusted_status_cb): Fill the cache.
	(gpgsm_agent_istrusted): Implement a cache.

	agent: Add option --status to the LISTTRUSTED command.
	+ commit 4fa82eec43e8d205fa336113f6ea554923fd6986
	* agent/trustlist.c (istrusted_internal): Add arg listmode and print
	new status line in this mode.  Adjust callers.
	(agent_listtrusted): Add new args ctrl and status_mode.  Get all
	trusted keys and then call is_trusted_internal for all of them.

	* agent/command.c (cmd_listtrusted): Add new option --status.

2024-10-01  Werner Koch  <wk@gnupg.org>

	gpgsm: Possible improvement for some rare P12 files.
	+ commit 41626a16613a042e7ba2ec65420a41e63ede1f69
	* sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer.

2024-09-30  Werner Koch  <wk@gnupg.org>

	gpgsm: Use a cache to speed up parent certificate lookup.
	+ commit dcee2db36ba49a689625f8c4381000bb6e82ea76
	* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New.
	(struct cert_cache_item_s, cert_cache_item_t): New.
	(struct server_control_s): Add parent_cert_cache.
	* sm/gpgsm.c (compatibility_flags): Add "no-chain-cache".
	(parent_cache_stats): New.
	(gpgsm_exit): Print the stats with --debug=memstat.
	(gpgsm_deinit_default_ctrl): Release the cache.
	* sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates.
	(do_validate_chain): Ditto.

2024-09-27  Werner Koch  <wk@gnupg.org>

	sm: Optimize clearing of the ephemeral flag.
	+ commit 9543b3567b04aa5423852c29ecb77ff004c220f4
	* kbx/keybox-search.c (keybox_get_cert): Store the blob flags in the
	cert object.
	* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
	flag if we know that it is not set.

2024-09-26  Werner Koch  <wk@gnupg.org>

	gpg: Add magic parameter "default" to --quick-add-adsk.
	+ commit ecda4b1e1694107000534e6f8dc6fed1947f61bd
	* g10/getkey.c (has_key_with_fingerprint): New.
	* g10/keyedit.c (menu_addadsk): Replace code by new function.
	(keyedit_quick_addadsk): Handle magic arg "default".
	* g10/keygen.c (append_all_default_adsks): New.

	gpg: New command --quick-add-adsk.
	+ commit 45ae027ce404be5ef3f89384856cf823f859e37d
	* g10/gpg.c (enum cmd_and_opt_values): Add aQuickAddADSK.
	(opts): Add --quick-add-adsk.
	(main): Call the actual function.
	* g10/keyedit.c (keyedit_quick_addadsk): New.
	(menu_addadsk): Add arg adskfpr and change caller.

	gpg: New option --default-new-key-adsk and "addadsk" for edit-key.
	+ commit eafe17532069e7ad64904e1d04952587a9c4dbd1
	* g10/free-packet.c (copy_public_key): Factor some code out to ...
	(copy_public_key_basics): new.
	* keygen.c (keygen_add_key_flags_and_expire): Rewrite and make public.
	* g10/keyedit.c (enum cmdids): Add cmdADDADSK.
	(keyedit_menu): Add command "addadsk".
	(menu_addadsk): New.

	* g10/options.h (opt): Add field def_new_key_adsks.
	* g10/gpg.c (oDefaultNewKeyADSK): New.
	(opts): Add --default-new-key-adsk.
	(main): Parse option.
	* g10/keyedit.c (menu_addadsk): Factor some code out to ...
	(append_adsk_to_key): new.  Add compliance check.
	* g10/keygen.c (pADSK): New.
	(para_data_s): Add adsk to the union.
	(release_parameter_list): Free the adsk.
	(prepare_adsk): New.
	(get_parameter_adsk): New.
	(get_parameter_revkey): Remove unneeded arg key and change callers.
	(proc_parameter_file): Prepare adsk parameter from the configured
	fingerprints.
	(do_generate_keypair): Create adsk.

2024-09-25  Werner Koch  <wk@gnupg.org>

	common: New function tokenize_to_strlist.
	+ commit 7eb39815bd73a1df93c79a75edfddfca999ab629
	* common/strlist.c (append_to_strlist_try): Factor code out to ...
	(do_append_to_strlist): new.
	(tokenize_to_strlist): New.

	* common/t-strlist.c (test_tokenize_to_strlist): New.

	(cherry picked from commit d2dca58338a4936b293c3ec6be4572d0e74b6a0d)

2024-09-25  NIIBE Yutaka  <gniibe@fsij.org>

	common:w32: Don't expose unused functions.
	+ commit c33523a0132e047032c4d65f9dedec0297bfbef3
	* common/exechelp.h [HAVE_W32_SYSTEM] (get_max_fds): Don't expose.
	(close_all_fds, get_all_open_fds): Likewise.
	* common/exechelp-w32.c: Don't expose unused functions.

2024-09-25  Werner Koch  <wk@gnupg.org>

	gpg: Exclude expired trusted keys from the key validation process.
	+ commit 79ab52ff42e895037c15555b2ca6df6e34b5ad17
	* g10/trustdb.c (copy_key_item): New.
	(validate_keys): Use a stripped down UTK list w/o expired keys.

	gpg: Validate the trustdb after the import of a trusted key.
	+ commit 23d4e7f0a7963d4cb660942bf673f85ea987967d
	* g10/import.c (import_one_real): Rename non_self to non_self_or_utk.
	If not set after chk_self_sigs check whether the imported key is an
	ultimately trusted key.

	gpg: Remove useless variable in validate_keys.
	+ commit 3dd6887f13b42997a3c07a0e674d5d33290ac76f
	* g10/trustdb.c (store_validation_status): Remove arg 'stored'.
	(validate_keys): Remove keyhashtable 'stored' which was never used.

2024-09-19  Werner Koch  <wk@gnupg.org>

	gpg: Avoid wrong decryption_failed for signed+OCB msg w/o pubkey.
	+ commit 9e8e48e00b85b66563b1a581b0ffd8cbc5262e10
	* g10/decrypt-data.c (struct decode_filter_context_s): Add flag
	checktag_failed.
	(aead_checktag): Set flag.
	(decrypt_data): Initially clear that flag and check the flag after the
	decryption.
	* g10/mainproc.c (proc_encrypted): Revert the log_get_errorcount based
	check.

2024-09-17  Werner Koch  <wk@gnupg.org>

	agent: Fix detection of the trustflag de-vs.
	+ commit d9fdc165e65706f19e60221ad00b59a88fdff567
	* agent/trustlist.c (read_one_trustfile): Fix comparison.

2024-09-12  Werner Koch  <wk@gnupg.org>

	gpg: Don't bail out for unknown subkey packet versions.
	+ commit b357ff2aa64c6a0ff17941d99feeb1174035b031
	* g10/import.c (read_block): Don't show a warning for unknown version
	also for non-primary-key packets.

	* g10/parse-packet.c (parse_key): Use log_info for unsupported v5
	packets.

2024-09-03  NIIBE Yutaka  <gniibe@fsij.org>

	agent: Fix KEYTOCARD for the use case with loopback pinentry.
	+ commit 95468f531c3b6299becb801d74c6cd2bd9baac96
	* agent/command.c (cmd_keytocard): Copy LINE.

2024-09-03  Werner Koch  <wk@gnupg.org>

	gpgconf: Add missing linefeed to the -X output.
	+ commit 67088b1ce248f9cdcf7d7a31946bdf758426832d
	* tools/gpgconf.c (show_registry_entries_from_file): Add missing LF.

2024-08-23  Werner Koch  <wk@gnupg.org>

	gpg: New option --proc-all-sigs.
	+ commit 5276a1373c8abc09dbb6649f4df11e50acf9c8d7
	* g10/options.h (flags): Add proc_all_sigs.
	* g10/mainproc.c (check_sig_and_print): Do not stop signature checking
	if this new option is used.
	* g10/gpg.c (oProcAllSigs): New.
	(opts): Add "proc-all-sigs".
	(main): Set it.

2024-08-21  Werner Koch  <wk@gnupg.org>

	w32: Add two more registry entries for use with -X.
	+ commit a891e55f15a37ae005698c7c1fc124d1b15cda85
	* tools/gpgconf.c (show_other_registry_entries): Add entries.

2024-08-12  Werner Koch  <wk@gnupg.org>

	Release 2.2.44.
	+ commit 148a25f3de8faed9b7fd692cfc358ff08caed300


	gpgconf: Print the full commit id.
	+ commit cf21e473a54466b12f34b35ad6d40dad8d74de93
	* autogen.sh: Update to version 2024-07-04 from libgpg-error.
	* configure.ac (BUILD_REVISION): Rename the ac_define by
	BUILD_COMMITID.
	* tools/gpgconf.c (show_version_gnupg): Use it here.

	gpg: Improve decryption diagnostic for an ADSK key.
	+ commit 861dc01994b01b5700d2a5ae9eb7e0299181d390
	* g10/keydb.h (GET_PUBKEYBLOCK_FLAG_ADSK): New constant.
	* g10/packet.h (PUBKEY_USAGE_XENC_MASK): New constant.
	* g10/pubkey-enc.c (get_it): Print a note if an ADSK key was used.
	Use the new get_pubkeyblock flag.
	* g10/getkey.c (struct getkey_ctx_s): Add field allow_adsk.
	(get_pubkeyblock): Factor all code out to ...
	(get_pubkeyblock_ext): new.
	(finish_lookup): Add new arg allow_adsk and make use of it.

2024-08-12  Andre Heinecke  <aheinecke@gnupg.org>

	speedo,w32: Update libassuan dll name in wxs.
	+ commit 6f78219d0f4f8e10484ced3d46f19aa088fe64e5
	* build-aux/speedo/w32/wixlib.wxs: Update name and UID for
	libassuan

2024-08-08  Werner Koch  <wk@gnupg.org>

	agent: Fix an uninitialized variable in an error path.
	+ commit 80f25fab900b2b5a8efe93a39c3f46e915b51374
	* agent/findkey.c (agent_write_private_key): Init FP.

	common: Allow building with libgpg-error < 1.47.
	+ commit 62bd291dcc6d3120a28a2a2ce1bf1bd7c2b750dd
	* common/util.h (GPG_ERR_BAD_RESET_CODE): New replacement.
	(GPG_ERR_NO_RESET_CODE): New.
	(GPG_ERR_BAD_PUK): New.

2024-08-07  Werner Koch  <wk@gnupg.org>

	sm: More improvements for PKCS#12 parsing for latest IVBB changes.
	+ commit 0dcd1504babb4b98898f7bd738d7aaa1e4a73a05
	* common/tlv.h (TLV_PARSER_FLAG_T5793): New.
	(tlv_parser_new): New macro.  Rename function with an underscore.
	(tlv_next_with_flag): New.
	* common/tlv-parser.c (struct tlv_parser_s): Remove const from buffer.
	Add fields crammed, lasttlv, and origoff.  Remove bufferlist and its
	definition.
	(dump_to_file): New but disabled debug helper.
	(parse_tag): Print more info on error.
	(_tlv_parser_new): Add args lasttlv and LNO.  Take a copy of the data.
	(_tlv_parser_release): Free the copy of the buffer and return the
	recorded TLV object from tlv_parser_new.
	(_tlv_peek, tlv_parser_peek, _tlv_parser_peek_null): Remove.
	(_tlv_push): Record crammed length.
	(_tlv_pop): Restore crammed length.
	(_tlv_parser_next): Add arg flags.  More debug output.  Handle cramming
	here.  Take care of cramming here.
	(tlv_expect_object): Simplify to adjust for changes in _tlv_parser_next.
	(tlv_expect_octet_string): Remove arg encapsulates.  Adjust for
	changes in _tlv_parser_next.  Change all callers.
	(tlv_expect_null): New.
	(cram_octet_string): Rewrite.
	(need_octet_string_cramming): Remove.

	* sm/minip12.c (dump_to_file): New.  Enable in debug mode and if an
	envvar is set.  Replace all explicit but disabled dumping to call this
	function.
	(parse_bag_encrypted_data): Replace tlv_peek_null and a peeking for an
	optional SET by non-peeking code.
	(parse_cert_bag): Ditto.
	(parse_shrouded_key_bag): Replace tlv_peek_null by non-peeking code.
	(parse_bag_encrypted_data): Use the new TLV_PARSER_FLAG_T5793 to
	enable the Mozilla workaround.
	(parse_bag_encrypted_data): Replace the 'renewed_tlv' code by the new
	tlv_parser_release semantics.
	(parse_shrouded_key_bag): Ditto.
	(parse_shrouded_key_bag): Create a new context instead of using the
	former encapsulated mechanism for tlv_expect_octet_string.
	(parse_bag_data): Ditto.
	(p12_parse): Ditto.

	* common/tlv-parser.c: New
	* common/Makefile.am: Add new file.

	scd: New getinfo subcommand "manufacturer"
	+ commit 1d0874c3d2c964edc4803f26b665343e0feb0d88
	* scd/command.c (cmd_getinfo): Add subcommand "manufacturer".
	* scd/app-openpgp.c (get_manufacturer): Rename to ...
	(app_openpgp_manufacturer): this and make global.

2024-06-24  Werner Koch  <wk@gnupg.org>

	gpg: Rename recently added import option no-seckeys to only-pubkeys.
	+ commit e208ccc66c3432183eaa38e9d70ac288d7ba492c
	* g10/import.c (parse_import_options): Rename option.
	* g10/options.h (IMPORT_NO_SECKEY): Rename to IMPORT_ONLY_PUBKEYS.
	Change all users.

2024-06-11  Werner Koch  <wk@gnupg.org>

	gpg: Add --import-option "no-seckeys".
	+ commit 7788aba7d86493c42617445f6d2344afdc332af5
	* g10/import.c (parse_import_options): Add "no-seckeys".

	gpg: Do not bail out on secret keys with an unknown algo.
	+ commit c489bf7e7e9fa96db46544edc2ae8bb59f0d340f
	* g10/getkey.c (lookup): Skip keys with unknown algos.

2024-06-05  Werner Koch  <wk@gnupg.org>

	gpg: Do not show RENC if no key capabilities are found for a key.
	+ commit 1d91252205a21fc1a42e7a55a49421e50bb70f05
	* g10/packet.h (PUBKEY_USAGE_BASIC_MASK): New.
	* g10/getkey.c (merge_selfsigs_subkey): Mask the default.
	(merge_selfsigs_main): Ditto.

2024-05-29  Jakub Jelen  <jjelen@redhat.com>

	gpgsm: Avoid double free when checking rsaPSS signatures.
	+ commit bc43812358ede31e2ef089e97740af6ae9754f62
	* sm/certcheck.c (gpgsm_check_cms_signature): Do not free s_sig on
	error. It's owned and freed by the caller.

	agent: Avoid uninitialized access in GENKEY command on parameter error.
	+ commit a1f85fdc40e4ebb0bc59fa72104a2297ad427c10
	* agent/command.c (cmd_genkey): Moved init_membuf to the top.

2024-05-29  Werner Koch  <wk@gnupg.org>
	    Jakub Jelen  <jjelen@redhat.com>

	wks: Make sure that ERR is always initialized.
	+ commit ebf9e3b824f8a024f5b9c56caca60bb4ee9ff361
	* tools/wks-util.c (install_key_from_spec_file): Initialize ERR in case
	the loop is never run.

2024-05-16  NIIBE Yutaka  <gniibe@fsij.org>

	scd:openpgp: Fix PIN pin2hash_if_kdf.
	+ commit bb57c808b2ad2d064ef9dd5a69ca94f6e6f7a763
	* scd/app-openpgp.c (pin2hash_if_kdf): DEK had been changed to pointer
	to allocated memory, so, we need to use DEKLEN for the length.

2024-05-06  Werner Koch  <wk@gnupg.org>

	gpg,gpgsm: Remove compatibility_flags allow-ecc-encr and vsd-allow-encr.
	+ commit 97b37db144da6c9278786d51a233716e78c1f12c
	* g10/options.h (COMPAT_VSD_ALLOW_OCB): Remove.
	* g10/gpg.c (compatibility_flags): Remove "vsd-allow_ocb".
	(main): Always set CO_EXTRA_INFO_VSD_ALLOW_OCB.
	* g10/keygen.c (keygen_set_std_prefs): Always set OCB feature flag.
	* g10/encrypt.c (use_aead): Always OCB also in de-vs mode.
	* sm/gpgsm.h (COMPAT_ALLOW_ECC_ENCR): Remove.
	* sm/gpgsm.c (compatibility_flags): Remove "allow-ecc-encr".
	* sm/encrypt.c (encrypt_dek): Always allow ecc encryption.
	* sm/certreqgen.c (proc_parameters): Likewise.

2024-04-22  Werner Koch  <wk@gnupg.org>

	tests: Avoid new C23 keyword true.
	+ commit 6228bb0012572d4cd44cd1a1237cf236607c8c04
	* tests/asschk.c (eval_boolean): s/true/tru/

2024-04-16  Werner Koch  <wk@gnupg.org>

	Release 2.2.43.
	+ commit 398cbbbf8df1470bbec52a0b233dd1c72c86e7d0


2024-04-04  Werner Koch  <wk@gnupg.org>

	gpg: Do not allow to accidentally set the RENC usage.
	+ commit 1f31dc62008867558b678a2e538805a76c76a266
	* g10/keygen.c (print_key_flags): Print "RENC" if set.
	(ask_key_flags_with_mask): Remove RENC from the possible set of
	usages.  Add a direct way to set it iff the key is encryption capable.

	gpgconf: Change layout of the gpgconf -X output.
	+ commit 72c5c708713f01fda33cf18b16aad1aa750b94d7
	* tools/gpgconf.c (list_dirs): Change the config mode output.
	(my_copy_file): Adjust output for org-mode style.
	(show_configs_one_file): Ditto.
	(show_other_registry_entries): Ditto.
	(show_registry_entries_from_file): Ditto.
	(show_configs): Ditto.

2024-03-18  Werner Koch  <wk@gnupg.org>

	build: Update nPth configure macros.
	+ commit 8a4069527a1f9a3c4cd1615a8beb98f2f3c7a304
	* m4/npth.m4: Update.

	gpgconf: Check readability of some files with -X.
	+ commit 5ccfc2101a342359de64e5f2b5e2620c0392af9f
	* tools/gpgconf.c (list_dirs): Rename arg from special to
	show_config_mode. Add "S.Uiserver" test and test existing files for
	readability.

2024-03-14  Werner Koch  <wk@gnupg.org>

	gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag.
	+ commit 82b39fe254703776209cebb88f428bf2d1eb596b
	* g10/mainproc.c (proc_encrypted): Force a decryption failure if any
	error has been seen.
	* g10/decrypt-data.c (aead_checktag): Issue an ERROR line.

2024-03-13  Werner Koch  <wk@gnupg.org>

	gpg-check-pattern: Consider an empty pattern file as valid.
	+ commit 509d0f76cedd646909fe3c86cd930f02f2af2caa
	* tools/gpg-check-pattern.c (read_file): Check length before calling
	fread.

2024-03-06  Werner Koch  <wk@gnupg.org>

	wks: Make gpg-wks-client --mirror work w/o args.
	+ commit 5999d95e04c478b0bd3dd3a8a21fc5ebb5778cb8
	* tools/gpg-wks-client.c (mirror_one_key): Test for no domain
	specified.

2024-03-04  Werner Koch  <wk@gnupg.org>

	gpg: Fix mixed invocation with --trusted-keys and --no-options.
	+ commit 8cd920f6aa20680bb878953bde5af414d658104c
	* g10/trustdb.c: Move some definitions around.
	(user_utk_list): Rename to trusted_key_list.  Change all users.
	(any_trusted_key_seen): New.
	(tdb_register_trusted_key): Set it here.  Handle the new value "none".
	(verify_own_keys): Do not delete a trusted key from the trustdb if a
	trusted-key option was not used.

2024-03-01  NIIBE Yutaka  <gniibe@fsij.org>

	agent: Allow simple KEYINFO command when restricted.
	+ commit f50c543326c2eea6b40f548d61cf3a66a077bf54
	* agent/command.c (cmd_keyinfo): Only forbid list command.

2024-02-21  NIIBE Yutaka  <gniibe@fsij.org>

	dirmngr: Fix keep-alive flag handling.
	+ commit 41c022072599bc3f12f659e962653548cd86fa3a
	* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
	Authentication.  Fix resource leak of FP_WRITE.

	dirmngr: Fix the regression of use of proxy for TLS connection.
	+ commit c33c4fdf10b7ed9e03f2afe988d93f3085b727aa
	* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
	causes resource leak of FP_WRITE.
	Don't try to read response body to fix the hang.

	dirmngr: Fix proxy with TLS.
	+ commit d6c428699db7aa20f8b6ca9fe83197a0314b7e91
	* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
	available regardless of USE_TLS.
	(send_request): Remove USE_TLS.

2024-02-05  Ángel González  <angel@pgp.16bits.net>

	common: Update requisites.
	+ commit 3d46eb6cf799b64786f3aa555000f350570e1ea8
	* configure.ac: Require libgpg-error 1.38 and libksba 1.4.0
	* common/util.h: Remove error number substitutes.

2024-02-05  Werner Koch  <wk@gnupg.org>

	gpgsm: Increase salt size in pkcs#12 parser.
	+ commit cbe0956df0f99ea6740838a19ac9782ed126a180
	* sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes.

2024-01-30  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Allow PIN length of 6 also with a reset code.
	+ commit ce69c103f433463181f2b26e90b9f0d96594e00d
	* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
	flag to the reset code prompt.

2024-01-26  NIIBE Yutaka  <gniibe@fsij.org>

	scd:openpgp: Add the length check for new PIN.
	+ commit efe325ffdf21205b90f888c8f0248bbd4f61404b
	* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
	is longer than MINLEN.

2024-01-26  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Restructure the pin2hash_id_kdf function.
	+ commit 20e85585ed20af67ce68e637ea5c3637615ba2e9
	* scd/app-openpgp.c (wipe_and_free_string, wipe_and_free): Enable
	functions.
	(pin2hash_if_kdf): Change interface.  The input PIN is not anymore
	changed.  Further there are no more assumptions about the length of
	the provided buffer.
	(verify_a_chv): Adjust for changed pin2hash_if_kdf.
	(verify_chv2): Ditto
	(verify_chv3): Ditto.
	(do_change_pin): Ditto.
	(do_sign): Ditto.

2024-01-26  NIIBE Yutaka  <gniibe@fsij.org>

	tools: Fix argparse table of gpgconf.
	+ commit 97b01ad3f8786d94fd92cb0d98469a7235e2ace4
	* tools/gpgconf.c (opts): Use ARGPARSE macros.

2024-01-26  Werner Koch  <wk@gnupg.org>

	dirmngr: For CRL issuer verification trust the system's root CA.
	+ commit 935b5a49b416590206275ed6adf258c2fe50e295
	* dirmngr/crlcache.c (crl_parse_insert): Add
	VALIDATE_FLAG_TRUST_SYSTEM.

	common,w32: Fix use of GNUPG_SPAWN_KEEP_STDERR.
	+ commit 535c5cf76913ebf37c0c4eddca9c86576ebd42a8
	* common/exechelp-w32.c (gnupg_spawn_process): Fix macro.

2024-01-24  Werner Koch  <wk@gnupg.org>

	gpg: Fix leftover unprotected card backup key.
	+ commit 3b69d8bf7146b8d10737d0cfea9c97affc60ad73
	* agent/command.c (cmd_learn): Add option --reallyforce.
	* agent/findkey.c (agent_write_private_key): Implement reallyforce.
	Also add arg reallyforce and pass it along the call chain.

	* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
	special force value.
	* g10/keygen.c (card_store_key_with_backup): Use that force value.

2024-01-10  Werner Koch  <wk@gnupg.org>

	gpg: Allow to create revocations even with non-compliant algos.
	+ commit 89c7eccba5155462a3435301b05b33c2ba832e03
	* g10/sign.c (do_sign): Skip compliance check for revocation certs.

2024-01-09  Werner Koch  <wk@gnupg.org>

	gpgconf: Adjust -X command for the new VERSION file format.
	+ commit 64006729047fd57e3c9827013bc3224388ce9987
	* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
	VERSION file.

	common,w32: Remove duplicated backslashes when setting the homedir.
	+ commit cc9568cd59b2d3944d34c601e7c8cf9ea462a245
	* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
	backslashes.

2023-11-28  Builder account for the GnuPG engine  <wk@gnupg.org>

	Post release updates.
	+ commit 5ce7f8189ed02d54299eeaf4dafa1de373e6ee74


2023-11-28  Werner Koch  <wk@gnupg.org>

	Release 2.2.42.
	+ commit 6f5c72a2b5bc1d9f6f445ddb287642343964387a


	po: Update po files.
	+ commit e020b59ff6bce5b45e7dd0ccfca203670f4a1839
	* g10/keyserver.c (keyserver_refresh): Use ngettext to avoid msgmerge
	warnings.

2023-11-27  Werner Koch  <wk@gnupg.org>

	gpgsm: Set validity flag in keylisting to n for untrusted root cert.
	+ commit a6eefa99963adb27337f7ae0a4707be592526161
	* sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root
	certs like we do for root certs.

2023-11-23  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Print a diagnostic for the use of default ECDH params.
	+ commit 1d472e4934b889c3ccd99ce61d8b5bdc1bf0d5ee
	* scd/app-openpgp.c (ecc_writekey): Remove the useless check and print
	a diagnostic if the default params are used.

2023-11-21  Werner Koch  <wk@gnupg.org>

	agent: Update the key file only if changed (slight return).
	+ commit a91f268d6cdffeb2f759a3f2c3f66dabf757cfc7
	* agent/findkey.c (read_key_file): Add optional arg r_orig_key_value
	to return the old Key value.  Change all callers.
	(agent_write_private_key): Detect whether the Key entry was really
	changed.

	agent: Update the key file only if not changed.
	+ commit 5bab257d3a52fa5904b801dee3225baa4d807adf
	* common/name-value.c (struct name_value_container): Add flag
	"modified".
	(nvc_modified): New.
	(nvc_new): Set flag.
	(_nvc_add): Set flag.
	(nvc_delete): Set flag.
	(nve_set): Add arg PK.  Change the caller.  Check whether to change at
	all.
	* agent/findkey.c (agent_write_private_key): Update only if modified.

2023-11-15  Werner Koch  <wk@gnupg.org>

	w32: Actually add the manifest to the dirmngr.
	+ commit a5dbd985c29baad79f5db8c9dee185b3f6c34876
	* dirmngr/Makefile.am (dirmngr_LDADD): Fix type in dirmngr_rc_objs.

2023-11-14  Werner Koch  <wk@gnupg.org>

	gpg,gpgsm: Hide password in debug output also for asked passwords.
	+ commit cdc28c59fe5da6ac478485ae474a931ed964eaa4
	* g10/call-agent.c (agent_get_passphrase): Call
	assuan_begin_confidential and assuan_end_confidential.
	* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.

	gpgsm: Re-introduce the bad passphrase hint for pkcs#12.
	+ commit 697d54cecaa5d216f8329d5d24d903aafedb2d5b
	* sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag.
	(parse_shrouded_key_bag): Ditto.

2023-11-10  NIIBE Yutaka  <gniibe@fsij.org>

	gpg,sm: Set confidential in assuan communication for password.
	+ commit 3654fee3a457139bf66523f20e128b998aa6afa1
	* g10/call-agent.c (default_inq_cb): Call assuan_begin_confidential
	and assuan_end_confidential.
	* sm/call-agent.c (default_inq_cb): Likewise.

2023-11-08  Werner Koch  <wk@gnupg.org>

	gpgsm: Support ECDSA in de-vs mode.
	+ commit 77fb089835db9e07ce3bad3e16a099f3a56ef574
	* common/compliance.h (PK_ALGO_FLAG_ECC18): New.
	* common/compliance.c (gnupg_pk_is_allowed): Implement.
	* sm/decrypt.c (gpgsm_decrypt): Pass new flag.
	* sm/sign.c (gpgsm_sign): Ditto.
	* sm/verify.c (gpgsm_verify): Ditto.

	gpgsm: Cleanup of legacy variable name use.
	+ commit 7340d4ecd7ae3c7b59b7242434a9bd4576cd1ca3
	* sm/encrypt.c (gpgsm_encrypt): Unify use of RC and ERR.
	* sm/sign.c (gpgsm_sign): ditto.

2023-11-07  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Fix a segv for cards supporting unknown curves.
	+ commit 600e69b46149872c279c153dc7a757106c64cc03
	* common/openpgp-oid.c (get_keyalgo_string): Do not strdup NULL.

2023-10-27  Werner Koch  <wk@gnupg.org>

	w32: Use utf8 for the asctimestamp function.
	+ commit ad2d578cba864db43c0e3a39f1ae00da7bd3eb96
	* common/gettime.c (asctimestamp) [W32]: Use ".UTF8" for the locale.

	gpg: Pass ECDH parameters to OpenPGP smartcards.
	+ commit 92af3f88a9df7640f8999c856baa8a8dfd550fce
	* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
	* g10/keyid.c (ecdh_param_str_from_pk): New.
	* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
	* g10/keygen.c (card_store_key_with_backup): Ditto.

	agent: Add optional ecdh parameter arg to KEYTOCARD.
	+ commit d03d0add1289847585942d2b99969f75e642cf04
	* agent/command.c (KEYTOCARD_TIMESTAMP_FORMAT): Remove and use format
	string direct.
	(cmd_keytocard): Change timestamp to an u64 and use the new u64 parser
	functions.  Use split_fields.  Add ecdh parameter stuff.  Take the
	default timestamp from the keyfile.
	* agent/findkey.c (agent_key_from_file): Add arg timestamp and set it.
	Adjust all callers.

2023-10-26  Werner Koch  <wk@gnupg.org>

	gpg: Allow expiration time after 2013-01-19 on 32 bit Windows.
	+ commit 5da8fe1c402d59c2354601d77704ecdc1e777837
	* g10/keygen.c (parse_expire_string): Use isotime2epoch_u64.
	(parse_creation_string): Ditto.

	common: New functions timegm_u64, isotime2epoch_u64.
	+ commit bb70089d57578b6d6ae559dcc09a8973d1faff90
	* common/mischelp.c (timegm): Move to ...
	* common/gettime.c (timegm): here.  On Windows use timegm_u32.
	(timegm_u32): New.
	(isotime2epoch): Factor code out to ...
	(isotime_make_tm): new helper.
	(isotime2epoch_u64): New.
	(_win32_timegm): Remove duplicated code.
	(parse_timestamp): Use of timegm.
	(scan_isodatestr): Fallback to isotime2epoch_u64.

2023-10-25  Werner Koch  <wk@gnupg.org>

	build: Add missing file for make distcheck.
	+ commit 88b8add558dc672f1e26d23995e1d5cdb198c450
	00

2023-10-24  Werner Koch  <wk@gnupg.org>

	sm: Flag Brainpool curves as compliant for all other operations.
	+ commit f0e127defb87b225dde7d4c3d81099d9e32459b6
	* sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to
	(gpgsm_get_key_algo_info): this.  Remove the old wrapper.  Adjust all
	callers.
	* sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance
	checker.
	* sm/encrypt.c (gpgsm_encrypt): Ditto.
	* sm/sign.c (gpgsm_sign): Ditto.
	* sm/verify.c (gpgsm_verify): Ditto.

	sm: Flag Brainpool curves as compliant.
	+ commit afacacec129c8f8c2db84489146a720634f21d93
	* sm/keylist.c (print_compliance_flags): Add arg curve.
	(list_cert_colon): Pass curve to the compliance check.

	sm: Another partly rewrite of minip12.c.
	+ commit 08f0b9ea2e955209d467f1ff624bf7abd10ae7ac
	* sm/minip12.c (struct tlv_ctx_s): Add origbuffer and origbufsize.
	Remove pop_count.  Rename offset to length.
	(dump_tag_info, _dump_tag_info): Rewrite.
	(dump_tlv_ctx, _dump_tlv_ctx): Rewrite.
	(tlv_new): Init origbuffer.
	(_tlv_peek): Add arg ti.
	(tlv_peek): New.
	(tlv_peek_null): New.
	(_tlv_push): Rewrite.
	(_tlv_pop): Rewrite.
	(tlv_next): New macro.  Move old code to ...
	(_tlv_next): this.  Add arg lno.  Pop remaining end tags.
	(tlv_popped): Remove.
	(tlv_expect_object): Handle ndef.
	(tlv_expect_octet_string): Ditto.
	(parse_bag_encrypted_data): Use nesting level to control the inner
	loop.
	(parse_shrouded_key_bag): Likewise.
	(parse_bag_data): Handle surplus octet strings.
	(p12_parse): Ditto.

	* sm/minip12.c (decrypt_block): Strip the padding.
	(tlv_expect_top_sequence): Remove.  Replace callers by
	tlv_expect_sequence.

	* tests/samplekeys/t6752-ov-user-ff.p12: New sample key.
	* tests/samplekeys/Description-p12: Add its description

2023-10-17  Werner Koch  <wk@gnupg.org>

	sm: Minor robustness fix for a regression test.
	+ commit d528de9c6efbbc4ac901e0bc345ab13bab2536f9
	* sm/t-minip12.c (run_one_test): Don't hash if we have no parameters
	at all.

	sm: Support import of PKCS#12 encoded ECC private keys.
	+ commit 2e7a08a8294441c272c59f91d64347c106d96e5c
	* sm/import.c (parse_p12): Support ECC import.

2023-10-16  Werner Koch  <wk@gnupg.org>

	build: Extend autobuild diagnostics by the username.
	+ commit 2e99d27bd24a5281608ee82c6d9a9c4a8104d253
	* m4/autobuild.m4 (AB_INIT): Add username.

2023-10-14  Werner Koch  <wk@gnupg.org>

	gpg: Allow to specify seconds since Epoch beyond 2038.
	+ commit 5eaf2e926637163621bc0a43b598a19bddefa247
	* g10/keygen.c (parse_expire_string_with_ct): Use new function
	scan_secondsstr.
	(parse_creation_string): Ditto.

	common: New function scan_secondsstr.
	+ commit f5947f749450603a0a35ade08c2678017c406f69
	* common/gettime.c (scan_secondsstr): New.

	* common/t-gettime.c (test_scan_secondsstr):
	(main): Call it.

2023-10-11  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Use a special compare for the serialno.
	+ commit c45a8b034c5e093a48da5f5249c7511a0d100513
	* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
	compare case insensitive.
	(do_learn_status): Add missing error handling.

	scd:openpgp: Allow the reading the key by keygrip.
	+ commit 4e47639af0dd2bb5702f4c15b566a074dfa0c639
	* scd/app-openpgp.c (do_readkey): Allow the keygrip for the keyid.
	Use case insensitive match for the keyid.
	(do_readcert): Allow the keygrip for the keyid.

	scd:openpgp: Extend KEYPAIRINFO with an algorithm string.
	+ commit 92528476461b0858f7c2ad55640bb9c123c6d232
	* scd/app-openpgp.c (retrieve_fprtime_from_card): New.
	(send_keypair_info): Add more to KEYPAIRINFO.

	scd:openpgp: Use shared function for the dispserialno.
	+ commit 10f8bb16713887a680030148e682ca9954baf6cc
	* scd/app-openpgp.c (wipe_and_free): New.
	(wipe_and_free_string): New.
	(get_disp_serialno): Remove.  Replace callers by function
	app_get_dispserialno.
	(get_usage_string): New.
	(send_keypair_info): Use new function.

2023-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Add handling of "Algorithm Information" DO.
	+ commit acda0a3f3377326f0be987eb385f768513a5d0c9
	* cd/app-openpgp.c (data_objects): Add 0x00FA.
	(do_getattr): Add KEY-ATTR-INFO.

2023-10-10  Werner Koch  <wk@gnupg.org>

	scd:openpgp: New KEY-STATUS attribute.
	+ commit d4208704a784a6da6322b54448e2f687c01714b8
	* scd/app-openpgp.c (do_getattr): Return KEY-STATUS

	scd:openpgp: Add attribute "UIF" for convenience.
	+ commit 216f3fc96ac213edae82b8d17088dcfc5d746214
	* scd/app-openpgp.c (do_getattr): New attribute "UIF".
	(do_learn_status): Use that.

2023-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Add handling of Ed448 key.
	+ commit 52abdac2d42bb1134874ad86db21a6d4dbb1ffae
	* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
	(send_key_attr): Use ecc.algo field.
	(ecc_read_pubkey): Use ecc.algo field.
	(ecc_writekey): Ed448 means EdDSA.
	(parse_algorithm_attribute): Set ecc.algo field from card.
	Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

2023-10-10  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Support the ecdh-params arg for writing keys.
	+ commit b262a21c617d5dc037958a4092e3a749b0a52a2a
	* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
	compute the fingerprint.  Add a default for use by gnupg 2.2.
	(store_fpr): Add arg update.
	(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
	writing the fingerprint back to the card if not set.
	(read_public_key): Also add arg meta_update.
	(get_public_key): Do not pass it as true here...
	(do_genkey): ... but here.

	scd:openpgp: Handle wrong error return code of Yubikey.
	+ commit d25e960652680c7474392a817e3091a69e60e04d
	* scd/app-openpgp.c (get_public_key): Handle wrong error code by
	Yubikeys.

2023-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Fix description string.
	+ commit d938abcc5ee224288bc5ba915c270982fb35ce5c
	* scd/app-openpgp.c (data_objects): Capitalize the word for usage.

	(cherry picked from commit e6b7e0ff9990813ac9f11b2d9d92596d6379ebfe)

	scd:openpgp: Support UIF changing command.
	+ commit 7666a4583007e63e4ea8d0f7dbdc4d8f6e0919cc
	* g10/card-util.c (uif, cmdUIF): New.
	(card_edit): Add call to uif by cmdUIF.
	* scd/app-openpgp.c (do_getattr): Support UIF-1, UIF-2, and UIF-3.
	(do_setattr): Likewise.
	(do_learn_status): Learn UIF-1, UIF-2, and UIF-3.

2023-10-10  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Small speedup reading card properties.
	+ commit 9e3b7e26a9f9571a643e2dc27dd447be15f469e6
	* scd/app-openpgp.c (struct app_local_s): Add new flag.
	(get_cached_data): Force cache use if flag is set.
	(app_select_openpgp): Avoid reading DO 6E multiple times.

	scd:openpgp: Allow reading and writing user certs for keys 1 and 2.
	+ commit 57bfad2c39f54feb4704023ee71e844450d30177
	* scd/iso7816.c (CMD_SELECT_DATA): New.
	(iso7816_select_data): New.
	* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
	(do_writecert): Ditto.
	(do_setattr): Add CERT-1 and CERT-2.

	scd: Allow standard keyref scheme for app-openpgp.
	+ commit b2363c1dd97d27ec8c79d508a4decc8337e3f157
	* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
	"OPENPGP."

2023-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	scd:openpgp: Support GET DATA response with no header for DO 0x00FA.
	+ commit 3d368c1a7d1c513586e2623ac8873a3060ddae1c
	* scd/app-openpgp.c (do_getattr): Support Gnuk, as well.

2023-10-10  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Pass arg ctrl to more functions.
	+ commit c4eada078794a1a397ff262b9b6911e117c78c9c
	* scd/app-openpgp.c (verify_a_chv): Add currently unused arg ctrl.
	Adjust callers.
	(verify_chv3): Ditto.
	(verify_chv2): Add arg ctrl.  Adjust callers.
	(change_keyattr): Ditto.
	(change_rsa_keyattr): Ditto.
	(change_keyattr_from_string): Ditto.
	(rsa_writekey): Ditto.
	(ecc_writekey): Ditto.

	scd:openpgp: Replace assert by log_assert.
	+ commit 03aa4e66515ea562fdaf3fdf1409aa088103cfea
	* scd/app-openpgp.c: Remove assert.h. Replace all assert by
	log_assert.

2023-10-10  NIIBE Yutaka  <gniibe@fsij.org>

	scd:openpgp: Fix computing fingerprint for ECC with SOS.
	+ commit a942986f1737bb2d94d538212d85e8395abe19a3
	* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
	(store_fpr): For ECC, use count_sos_bits.

2023-10-10  Werner Koch  <wk@gnupg.org>

	scd:openpgp: Very minor refactoring.
	+ commit 24033dc8aeaa3b34650890b6f7055dcfdea213b8
	* scd/app-openpgp.c (app_select_openpgp): Move AID definition to ...
	(openpgp_aid): new.

	scd:openpgp: Rename an internal variable.
	+ commit 7f8cac5cec220ee2bd17a64dfa2a6db930938d34
	* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
	s/max_certlen_3/max_certlen.  Change users.

2023-10-06  Werner Koch  <wk@gnupg.org>

	sm: Support more HMAC algos in the pkcs#12 parser.
	+ commit 9976285ff0658bd36527913557ea4befb3b466a1
	* sm/minip12.c (oid_hmacWithSHA1): New.  Also for the SHA-2 algos.
	(digest_algo_from_oid): New.
	(set_key_iv_pbes2): Add arg digest_algo.
	(crypt_block): Ditto.
	(decrypt_block): Ditto.
	(parse_bag_encrypted_data): Parse the optional prf part and get the
	hmac algorithm.
	(parse_shrouded_key_bag): Ditto.
	(p12_build): Pass SHA1 for digest_algo.

	* sm/t-minip12.c (run_one_test): Print failed values in verbose mode.

	* tests/samplekeys/nistp256-openssl-self-signed.p12: New.
	* tests/samplekeys/Description-p12: Add this one.
	* tests/Makefile.am (EXTRA_DIST): Ditto.

2023-10-05  Werner Koch  <wk@gnupg.org>

	common,w32: Add missing GetLastError->errno mapping.
	+ commit 1e9ac18f8818c4a2df50988e956190e8de27556b
	* common/iobuf.c (file_filter, sock_filter): Add missing mapping.

	sm: Improve the octet string cramming for pkcs#12.
	+ commit bb157044a044452130a42480a01d7d8f474a878f
	* sm/minip12.c (need_octet_string_cramming): New.
	(tlv_expect_object, tlv_expect_octet_string): Run the test before
	cramming.
