Imported Upstream version 2.2.3upstream/2.2.3

14 files changed, 214 insertions, 98 deletions

diff --git a/NEWS b/NEWS
index 0ffff2f..38a8da1 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,22 @@
+Noteworthy changes in version 2.2.3 (2017-11-20)
+------------------------------------------------
+
+  * gpgsm: Fix initial keybox creation on Windows. [#3507]
+
+  * dirmngr: Fix crash in case of a CRL loading error. [#3510]
+
+  * Fix the name of the Windows registry key. [Git#4f5afaf1fd]
+
+  * gpgtar: Fix wrong behaviour of --set-filename. [#3500]
+
+  * gpg: Silence AKL retrieval messages. [#3504]
+
+  * agent: Use clock or clock_gettime for calibration. [#3056]
+
+  * agent: Improve robustness of the shutdown pending
+    state. [Git#7ffedfab89]
+
+
 Noteworthy changes in version 2.2.2 (2017-11-07)
 ------------------------------------------------
 
@@ -40,6 +59,8 @@ Noteworthy changes in version 2.2.2 (2017-11-07)
 
   * Add configure option --enable-werror.  [#2423]
 
+  See-also: gnupg-announce/2017q4/000416.html
+
 
 Noteworthy changes in version 2.2.1 (2017-09-19)
 ------------------------------------------------
diff --git a/README b/README
index dd66dab..23f705a 100644
--- a/README
+++ b/README
@@ -33,11 +33,11 @@
 
   GnuPG 2.2 depends on the following GnuPG related packages:
 
-    npth         (ftp://ftp.gnupg.org/gcrypt/npth/)
-    libgpg-error (ftp://ftp.gnupg.org/gcrypt/libgpg-error/)
-    libgcrypt    (ftp://ftp.gnupg.org/gcrypt/libgcrypt/)
-    libksba      (ftp://ftp.gnupg.org/gcrypt/libksba/)
-    libassuan    (ftp://ftp.gnupg.org/gcrypt/libassuan/)
+    npth         (https://gnupg.org/ftp/gcrypt/npth/)
+    libgpg-error (https://gnupg.org/ftp/gcrypt/libgpg-error/)
+    libgcrypt    (https://gnupg.org/ftp/gcrypt/libgcrypt/)
+    libksba      (https://gnupg.org/ftp/gcrypt/libksba/)
+    libassuan    (https://gnupg.org/ftp/gcrypt/libassuan/)
 
   You should get the latest versions of course, the GnuPG configure
   script complains if a version is not sufficient.
@@ -48,7 +48,7 @@
 
   You also need the Pinentry package for most functions of GnuPG;
   however it is not a build requirement.  Pinentry is available at
-  ftp://ftp.gnupg.org/gcrypt/pinentry/ .
+  https://gnupg.org/ftp/gcrypt/pinentry/ .
 
   After building and installing the above packages in the order as
   given above, you may continue with GnuPG installation (you may also
@@ -228,7 +228,7 @@
   You subscribe to one of the list by sending mail with a subject of
   "subscribe" to x-request@gnupg.org, where x is the name of the
   mailing list (gnupg-announce, gnupg-users, etc.). See
-  https://www.gnupg.org/documentation/mailing-lists.html for archives
+  https://gnupg.org/documentation/mailing-lists.html for archives
   of the mailing lists.
 
   Please direct bug reports to [[https://bugs.gnupg.org]] or post them
@@ -241,7 +241,7 @@
   authors and we try to answer questions when time allows us.
 
   Commercial grade support for GnuPG is available; for a listing of
-  offers see https://www.gnupg.org/service.html .  Maintaining and
+  offers see https://gnupg.org/service.html .  Maintaining and
   improving GnuPG requires a lot of time.  Since 2001, g10 Code GmbH,
   a German company owned and headed by GnuPG's principal author Werner
   Koch, is bearing the majority of these costs.  To keep GnuPG in a
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 2e19d19..0b2b982 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -3000,27 +3000,34 @@ handle_connections (gnupg_fd_t listen_fd,
 	   next timeout.  */
 	continue;
 
+      /* The inotify fds are set even when a shutdown is pending (see
+       * above).  So we must handle them in any case.  To avoid that
+       * they trigger a second time we close them immediately.  */
+      if (sock_inotify_fd != -1
+          && FD_ISSET (sock_inotify_fd, &read_fdset)
+          && gnupg_inotify_has_name (sock_inotify_fd, GPG_AGENT_SOCK_NAME))
+        {
+          shutdown_pending = 1;
+          close (sock_inotify_fd);
+          sock_inotify_fd = -1;
+          log_info ("socket file has been removed - shutting down\n");
+        }
+
+      if (home_inotify_fd != -1
+          && FD_ISSET (home_inotify_fd, &read_fdset))
+        {
+          shutdown_pending = 1;
+          close (home_inotify_fd);
+          home_inotify_fd = -1;
+          log_info ("homedir has been removed - shutting down\n");
+        }
+
       if (!shutdown_pending)
         {
           int idx;
           ctrl_t ctrl;
           npth_t thread;
 
-          if (sock_inotify_fd != -1
-              && FD_ISSET (sock_inotify_fd, &read_fdset)
-              && gnupg_inotify_has_name (sock_inotify_fd, GPG_AGENT_SOCK_NAME))
-            {
-              shutdown_pending = 1;
-              log_info ("socket file has been removed - shutting down\n");
-            }
-
-          if (home_inotify_fd != -1
-              && FD_ISSET (home_inotify_fd, &read_fdset))
-            {
-              shutdown_pending = 1;
-              log_info ("homedir has been removed - shutting down\n");
-            }
-
           for (idx=0; idx < DIM(listentbl); idx++)
             {
               if (listentbl[idx].l_fd == GNUPG_INVALID_FD)
diff --git a/agent/protect.c b/agent/protect.c
index 3073fc4..9bb2da6 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -23,6 +23,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <time.h>
 #include <ctype.h>
 #include <assert.h>
 #include <unistd.h>
@@ -104,11 +105,14 @@ calibrate_get_time (struct calibrate_time_s *data)
                    &data->creation_time, &data->exit_time,
                    &data->kernel_time, &data->user_time);
 # endif
-#else
-  struct tms tmp;
+#elif defined (CLOCK_THREAD_CPUTIME_ID)
+  struct timespec tmp;
 
-  times (&tmp);
-  data->ticks = tmp.tms_utime;
+  clock_gettime (CLOCK_THREAD_CPUTIME_ID, &tmp);
+  data->ticks = (clock_t)(((unsigned long long)tmp.tv_sec * 1000000000 +
+                           tmp.tv_nsec) * CLOCKS_PER_SEC / 1000000000);
+#else
+  data->ticks = clock ();
 #endif
 }
 
@@ -135,7 +139,7 @@ calibrate_elapsed_time (struct calibrate_time_s *starttime)
   }
 #else
   return (unsigned long)((((double) (stoptime.ticks - starttime->ticks))
-                          /CLOCKS_PER_SEC)*10000000);
+                          /CLOCKS_PER_SEC)*1000);
 #endif
 }
 
diff --git a/agent/t-protect.c b/agent/t-protect.c
index 1d3c8ec..92d312c 100644
--- a/agent/t-protect.c
+++ b/agent/t-protect.c
@@ -322,9 +322,9 @@ test_agent_protect_shared_secret (void)
 int
 main (int argc, char **argv)
 {
-  (void)argc;
   (void)argv;
 
+  opt.verbose = argc - 1;       /* We can do "./t-protect -v -v" */
   gcry_control (GCRYCTL_DISABLE_SECMEM);
 
   test_agent_protect ();
diff --git a/configure.ac b/configure.ac
index dc1fc1a..fb6f0da 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,7 +28,7 @@ min_automake_version="1.14"
 m4_define([mym4_package],[gnupg])
 m4_define([mym4_major], [2])
 m4_define([mym4_minor], [2])
-m4_define([mym4_micro], [2])
+m4_define([mym4_micro], [3])
 
 # To start a new development series, i.e a new major or minor number
 # you need to mark an arbitrary commit before the first beta release
@@ -602,8 +602,9 @@ AC_PROG_RANLIB
 AC_CHECK_TOOL(AR, ar, :)
 AC_PATH_PROG(PERL,"perl")
 AC_CHECK_TOOL(WINDRES, windres, :)
-AC_PATH_PROG(YAT2M, "yat2m", "./yat2m" )
+AC_PATH_PROG(YAT2M, "yat2m")
 AC_ARG_VAR(YAT2M, [tool to convert texi to man pages])
+AM_CONDITIONAL(HAVE_YAT2M, test -n "$ac_cv_path_YAT2M")
 AC_ISC_POSIX
 AC_SYS_LARGEFILE
 GNUPG_CHECK_USTAR
@@ -1611,12 +1612,20 @@ if test "$GCC" = yes; then
           mycflags="$mycflags -Wdeclaration-after-statement"
         fi
 
-        AC_MSG_CHECKING([if gcc supports -Wlogical-op and -Wvla])
-        CFLAGS="-Wlogical-op -Wvla"
+        AC_MSG_CHECKING([if gcc supports -Wlogical-op])
+        CFLAGS="-Wlogical-op -Werror"
         AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],_gcc_wopt=yes,_gcc_wopt=no)
         AC_MSG_RESULT($_gcc_wopt)
         if test x"$_gcc_wopt" = xyes ; then
-          mycflags="$mycflags -Wlogical-op -Wvla"
+          mycflags="$mycflags -Wlogical-op"
+        fi
+
+        AC_MSG_CHECKING([if gcc supports -Wvla])
+        CFLAGS="-Wvla"
+        AC_COMPILE_IFELSE([AC_LANG_PROGRAM([],[])],_gcc_wopt=yes,_gcc_wopt=no)
+        AC_MSG_RESULT($_gcc_wopt)
+        if test x"$_gcc_wopt" = xyes ; then
+          mycflags="$mycflags -Wvla"
         fi
 
     else
@@ -1814,7 +1823,7 @@ AC_DEFINE_UNQUOTED(DIRMNGR_DEFAULT_KEYSERVER,
 AC_DEFINE_UNQUOTED(GPGEXT_GPG, "gpg", [The standard binary file suffix])
 
 if test "$have_w32_system" = yes; then
-  AC_DEFINE_UNQUOTED(GNUPG_REGISTRY_DIR, "\\\\Software\\\\GNU\\\\GnuPG",
+  AC_DEFINE_UNQUOTED(GNUPG_REGISTRY_DIR, "Software\\\\GNU\\\\GnuPG",
                      [The directory part of the W32 registry keys])
 fi
 
diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 248ad9a..6eeeb8d 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -1562,7 +1562,7 @@ start_sig_check (ksba_crl_t crl, gcry_md_hd_t *md, int *algo)
    should return 0 on a good signature, GPG_ERR_BAD_SIGNATURE if the
    signature does not verify or any other error code. CRL is the CRL
    object we are working on, MD the hash context and ISSUER_CERT the
-   certificate of the CRL issuer.  This function closes MD.  */
+   certificate of the CRL issuer.  This function takes ownership of MD.  */
 static gpg_error_t
 finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
                   ksba_cert_t issuer_cert)
@@ -1646,12 +1646,13 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
 
 
 /* Call this to match a start_sig_check that can not be completed
-   normally.  */
+   normally.  Takes ownership of MD if MD is not NULL.  */
 static void
 abort_sig_check (ksba_crl_t crl, gcry_md_hd_t md)
 {
   (void)crl;
-  gcry_md_close (md);
+  if (md)
+    gcry_md_close (md);
 }
 
 
@@ -1842,13 +1843,13 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
               }
 
             err = finish_sig_check (crl, md, algo, crlissuer_cert);
+            md = NULL; /* Closed.  */
             if (err)
               {
                 log_error (_("CRL signature verification failed: %s\n"),
                            gpg_strerror (err));
                 goto failure;
               }
-	    md = NULL;
 
             err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
                                        (VALIDATE_FLAG_TRUST_CONFIG
@@ -1877,8 +1878,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
 
 
  failure:
-  if (md)
-    abort_sig_check (crl, md);
+  abort_sig_check (crl, md);
   ksba_cert_release (crlissuer_cert);
   return err;
 }
diff --git a/doc/DETAILS b/doc/DETAILS
index 0be55f4..e54e8a0 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -394,9 +394,8 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
 *** NEWSIG [<signers_uid>]
     Is issued right before a signature verification starts.  This is
     useful to define a context for parsing ERROR status messages.
-    arguments are currently defined.  If SIGNERS_UID is given and is
-    not "-" this is the percent escape value of the OpenPGP Signer's
-    User ID signature sub-packet.
+    If SIGNERS_UID is given and is not "-" this is the percent-escaped
+    value of the OpenPGP Signer's User ID signature sub-packet.
 
 *** GOODSIG  <long_keyid_or_fpr>  <username>
     The signature with the keyid is good.  For each signature only one
@@ -1041,15 +1040,16 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
     - 4 :: Key is stored on a smartcard.
 
 *** PROGRESS <what> <char> <cur> <total> [<units>]
-    Used by the primegen and Public key functions to indicate
+    Used by the primegen and public key functions to indicate
     progress.  <char> is the character displayed with no --status-fd
     enabled, with the linefeed replaced by an 'X'.  <cur> is the
     current amount done and <total> is amount to be done; a <total> of
-    0 indicates that the total amount is not known. The condition
+    0 indicates that the total amount is not known. Both are
+    non-negative integers.  The condition
       :       TOTAL && CUR == TOTAL
     may be used to detect the end of an operation.
 
-    Well known values for WHAT are:
+    Well known values for <what> are:
 
            - pk_dsa   :: DSA key generation
            - pk_elg   :: Elgamal key generation
@@ -1064,7 +1064,9 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
                           the data of a smartcard.
            - card_busy :: A smartcard is still working
 
-    <units> is sometines used to describe the units for <current> and
+    When <what> refers to a file path, it may be truncated.
+
+    <units> is sometimes used to describe the units for <current> and
     <total>.  For example "B", "KiB", or "MiB".
 
 *** BACKUP_KEY_CREATED <fingerprint> <fname>
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 89079b3..aba84ba 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -91,7 +91,7 @@ myman_sources = gnupg7.texi gpg.texi gpgsm.texi gpg-agent.texi \
 	        dirmngr.texi scdaemon.texi tools.texi wks.texi
 myman_pages   = gpgsm.1 gpg-agent.1 dirmngr.8 scdaemon.1 \
                 watchgnupg.1 gpgconf.1 addgnupghome.8 gpg-preset-passphrase.1 \
-		gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 \
+		gpg-connect-agent.1 gpgparsemail.1 symcryptrun.1 gpgtar.1 \
 		applygnupgdefaults.8 gpg-wks-client.1 gpg-wks-server.1 \
 		dirmngr-client.1
 if USE_GPG2_HACK
@@ -110,10 +110,18 @@ CLEANFILES = yat2m mkdefsinc defs.inc
 DISTCLEANFILES = gnupg.tmp gnupg.ops yat2m-stamp.tmp yat2m-stamp \
                  gnupg-card-architecture.eps \
                  gnupg-module-overview.eps \
-		 $(myman_pages) gpg-zip.1 gnupg.7
+		 $(myman_pages) gnupg.7
+
+if HAVE_YAT2M
+YAT2M_CMD = $(YAT2M)
+YAT2M_DEP = $(YAT2M)
+else
+YAT2M_CMD = ./yat2m
+YAT2M_DEP = yat2m
 
 yat2m: yat2m.c
 	$(CC_FOR_BUILD) -o $@ $(srcdir)/yat2m.c
+endif
 
 mkdefsinc: mkdefsinc.c Makefile ../config.h
 	$(CC_FOR_BUILD) -I. -I.. -I$(srcdir) $(AM_CPPFLAGS) \
@@ -146,12 +154,12 @@ yat2m-stamp: $(myman_sources) defs.inc
 	@touch yat2m-stamp.tmp
 	incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
 	for file in $(myman_sources) ; do \
-              $(YAT2M) $(YAT2M_OPTIONS) --store \
+              $(YAT2M_CMD) $(YAT2M_OPTIONS) --store \
                   --date "`cat $$incd 2>/dev/null`" \
 	          `test -f '$$file' || echo '$(srcdir)/'`$$file ; done
 	@mv -f yat2m-stamp.tmp $@
 
-yat2m-stamp: $(YAT2M)
+yat2m-stamp: $(YAT2M_DEP)
 
 $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
 	@if test -f $@; then :; else \
diff --git a/doc/tools.texi b/doc/tools.texi
index 332fb01..5104bea 100644
--- a/doc/tools.texi
+++ b/doc/tools.texi
@@ -20,7 +20,7 @@ GnuPG comes with a couple of smaller tools:
 * dirmngr-client::        How to use the Dirmngr client tool.
 * gpgparsemail::          Parse a mail message into an annotated format
 * symcryptrun::           Call a simple symmetric encryption tool.
-* gpg-zip::               Encrypt or sign files into an archive.
+* gpgtar::                Encrypt or sign files into an archive.
 @end menu
 
 @c
@@ -1894,23 +1894,19 @@ The possible exit status codes of @command{symcryptrun} are:
 
 
 @c
-@c  GPG-ZIP
+@c  GPGTAR
 @c
-@c The original manpage on which this section is based was written
-@c by Colin Tuckley  <colin@tuckley.org> and Daniel Leidert
-@c <daniel.leidert@wgdd.de> for the Debian distribution (but may be used by
-@c others).
-@manpage gpg-zip.1
-@node gpg-zip
+@manpage gpgtar.1
+@node gpgtar
 @section Encrypt or sign files into an archive
 @ifset manverb
-.B gpg-zip
+.B gpgtar
 \- Encrypt or sign files into an archive
 @end ifset
 
 @mansect synopsis
 @ifset manverb
-.B  gpg-zip
+.B  gpgtar
 .RI [ options ]
 .I filename1
 .I [ filename2, ... ]
@@ -1919,61 +1915,130 @@ The possible exit status codes of @command{symcryptrun} are:
 @end ifset
 
 @mansect description
-@command{gpg-zip} encrypts or signs files into an archive.  It is an
+@command{gpgtar} encrypts or signs files into an archive.  It is an
 gpg-ized tar using the same format as used by PGP's PGP Zip.
 
 @manpause
 @noindent
-@command{gpg-zip} is invoked this way:
+@command{gpgtar} is invoked this way:
 
 @example
-gpg-zip [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
+gpgtar [options] @var{filename1} [@var{filename2}, ...] @var{directory} [@var{directory2}, ...]
 @end example
 
 @mansect options
 @noindent
-@command{gpg-zip} understands these options:
+@command{gpgtar} understands these options:
 
 @table @gnupgtabopt
 
+@item --create
+@opindex create
+Put given files and directories into a vanilla ``ustar'' archive.
+
+@item --extract
+@opindex extract
+Extract all files from a vanilla ``ustar'' archive.
+
 @item --encrypt
 @itemx -e
 @opindex encrypt
-Encrypt data.  This option may be combined with @option{--symmetric} (for  output that may be decrypted via a secret key or a passphrase).
+Encrypt given files and directories into an archive.  This option may
+be combined with option @option{--symmetric} for an archive that may
+be decrypted via a secret key or a passphrase.
 
 @item --decrypt
 @itemx -d
 @opindex decrypt
-Decrypt data.
+Extract all files from an encrypted archive.
+
+@item --sign
+@itemx -s
+Make a signed archive from the given files and directories.  Thsi can
+be combined with option @option{--encrypt} to create a signed and then
+encrypted archive.
+
+@item --list-archive
+@itemx -t
+@opindex list-archive
+List the contents of the specified archive.
 
 @item --symmetric
 @itemx -c
 Encrypt with a symmetric cipher using a passphrase.  The default
-symmetric cipher used is CAST5, but may be chosen with the
+symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
 @option{--cipher-algo} option to @command{gpg}.
 
-@item --sign
-@itemx -s
-Make a signature.  See @command{gpg}.
-
 @item --recipient @var{user}
 @itemx -r @var{user}
 @opindex recipient
-Encrypt for user id @var{user}. See @command{gpg}.
+Encrypt for user id @var{user}. For details see @command{gpg}.
 
 @item --local-user @var{user}
 @itemx -u @var{user}
 @opindex local-user
-Use @var{user} as the key to sign with.  See @command{gpg}.
-
-@item --list-archive
-@opindex list-archive
-List the contents of the specified archive.
+Use @var{user} as the key to sign with.  For details see @command{gpg}.
 
 @item --output @var{file}
 @itemx -o @var{file}
 @opindex output
-Write output to specified file @var{file}.
+Write the archive to the specified file @var{file}.
+
+@item --verbose
+@itemx -v
+@opindex verbose
+Enable extra informational output.
+
+@item --quiet
+@itemx -q
+@opindex quiet
+Try to be as quiet as possible.
+
+@item --skip-crypto
+@opindex skip-crypto
+Skip all crypto operations and create or extract vanilla ``ustar''
+archives.
+
+@item --dry-run
+@opindex dry-run
+Do not actually output the extracted files.
+
+@item --directory @var{dir}
+@itemx -C @var{dir}
+@opindex directory
+Extract the files into the directory @var{dir}.  The
+default is to take the directory name from
+the input filename.  If no input filename is known a directory named
+@file{GPGARCH} is used.
+
+@item --files-from @var{file}
+@itemx -T @var{file}
+Take the file names to work from the file @var{file}; one file per
+line.
+
+@item --null
+@opindex null
+Modify option @option{--files-from} to use a binary nul instead of a
+linefeed to separate file names.
+
+@item --openpgp
+@opindex openpgp
+This option has no effect becuase OpenPGP encryption and signing is
+the default.
+
+@item --cms
+@opindex cms
+This option is reserved and shall not be used.  It will eventually be
+used to encrypt or sign using the CMS protocol; but that is not yet
+implemented.
+
+
+@item --set-filename @var{file}
+@opindex set-filename
+Use the last component of @var{file} as the output directory.  The
+default is to take the directory name from the input filename.  If no
+input filename is known a directory named @file{GPGARCH} is used.
+This option is deprecated in favor of option @option{--directory}.
 
 @item --gpg @var{gpgcmd}
 @opindex gpg
@@ -1981,15 +2046,14 @@ Use the specified command @var{gpgcmd} instead of @command{gpg}.
 
 @item --gpg-args @var{args}
 @opindex gpg-args
-Pass the specified options to @command{gpg}.
-
-@item --tar @var{tarcmd}
-@opindex tar
-Use the specified command @var{tarcmd} instead of @command{tar}.
+Pass the specified extra options to @command{gpg}.
 
 @item --tar-args @var{args}
 @opindex tar-args
-Pass the specified options to @command{tar}.
+Assume @var{args} are standard options of the command @command{tar}
+and parse them.  The only supported tar options are "--directory",
+"--files-from", and "--null" This is an obsolete options because those
+supported tar options can also be given directly.
 
 @item --version
 @opindex version
@@ -2017,14 +2081,14 @@ Encrypt the contents of directory @file{mydocs} for user Bob to file
 @file{test1}:
 
 @example
-gpg-zip --encrypt --output test1 --gpg-args  -r Bob mydocs
+gpgtar --encrypt --output test1 -r Bob mydocs
 @end example
 
 @noindent
 List the contents of archive @file{test1}:
 
 @example
-gpg-zip --list-archive test1
+gpgtar --list-archive test1
 @end example
 
 
diff --git a/g10/getkey.c b/g10/getkey.c
index c58e8ff..f73e443 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1448,8 +1448,9 @@ get_pubkey_byname (ctrl_t ctrl, GETKEY_CTX * retctx, PKT_public_key * pk,
 	  if (!rc)
 	    {
 	      /* Key found.  */
-	      log_info (_("automatically retrieved '%s' via %s\n"),
-			name, mechanism);
+              if (opt.verbose)
+                log_info (_("automatically retrieved '%s' via %s\n"),
+                          name, mechanism);
 	      break;
 	    }
 	  if (gpg_err_code (rc) != GPG_ERR_NO_PUBKEY
diff --git a/po/da.po b/po/da.po
index bd6e9c5..abc1257 100644
--- a/po/da.po
+++ b/po/da.po
@@ -4994,7 +4994,7 @@ msgid "Key is superseded"
 msgstr "Nøglen er blevet afløst"
 
 msgid "Key has been compromised"
-msgstr "Nøglen er blevet komprimeret"
+msgstr "Nøglen er blevet kompromitteret"
 
 msgid "Key is no longer used"
 msgstr "Nøglen bruges ikke længere"
diff --git a/sm/keydb.c b/sm/keydb.c
index 87fc12d..d85679a 100644
--- a/sm/keydb.c
+++ b/sm/keydb.c
@@ -205,7 +205,7 @@ maybe_create_keybox (char *filename, int force, int *r_created)
 
   /* The file does not yet exist, create it now. */
   oldmask = umask (077);
-  fp = fopen (filename, "w");
+  fp = fopen (filename, "wb");
   if (!fp)
     {
       rc = gpg_error_from_syserror ();
diff --git a/tools/gpgtar-extract.c b/tools/gpgtar-extract.c
index b0e17cb..8613d19 100644
--- a/tools/gpgtar-extract.c
+++ b/tools/gpgtar-extract.c
@@ -345,21 +345,21 @@ gpgtar_extract (const char *filename, int decrypt)
     dirname = xtrystrdup (opt.directory);
   else
     {
-      if (filename)
+      if (opt.filename)
         {
-          dirprefix = strrchr (filename, '/');
+          dirprefix = strrchr (opt.filename, '/');
           if (dirprefix)
             dirprefix++;
           else
-            dirprefix = filename;
+            dirprefix = opt.filename;
         }
-      else if (opt.filename)
+      else if (filename)
         {
-          dirprefix = strrchr (opt.filename, '/');
+          dirprefix = strrchr (filename, '/');
           if (dirprefix)
             dirprefix++;
           else
-            dirprefix = opt.filename;
+            dirprefix = filename;
         }
 
       if (!dirprefix || !*dirprefix)