diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..26e3729
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+src/_version.py export-subst
diff --git a/.gitignore b/.gitignore
index c2b65d1..1b0ee02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,11 +35,13 @@ nosetests.xml
 .pydevproject
 
 # Temp files
+.\#*
 \#*\#
 *~
 
 # tags
 TAGS
+tags
 
 # notes
 *.org
@@ -47,3 +49,26 @@ TAGS
 # Ignore log files and directories from tests:
 keys/*
 *.log
+
+# Ignore distutils record of installed files:
+installed-files.txt
+
+# Ignore PyCharm files:
+.idea/*
+
+# and git-tickets and tickets:
+.tickets/*
+tickets/*
+
+# Ignore virtualenv folders, if they are here:
+include/*
+local/*
+
+# Ignore gpg binary symlinks:
+gpg
+
+# Ignore keys generated during tests:
+*generated-keys*
+*.pubring
+*.secring
+*random_seed*
diff --git a/COPYLEFT b/COPYLEFT
deleted file mode 100644
index 6a810bf..0000000
--- a/COPYLEFT
+++ /dev/null
@@ -1,12 +0,0 @@
-    This file is part of python-gnupg, a Python wrapper around GnuPG.
-    Copyright (C) 2013   Isis Lovecruft
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published
-    by the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
diff --git a/Makefile b/Makefile
index c765da6..4571e0f 100644
--- a/Makefile
+++ b/Makefile
@@ -1,18 +1,65 @@
 
-clean:
-	rm -f \#*\#
-	rm -f ./*.pyc
-	rm -f ./*.pyo
+ctags:
+	ctags -R *.py
 
-cleantest: clean
-	mkdir -p keys
+etags:
+	find . -name "*.py" -print | xargs etags
+
+cleanup-src:
+	cd src && \
+		rm -f \#*\# && \
+		rm -f ./*.pyc && \
+		rm -f ./*.pyo
+
+cleanup-tests:
+	cd tests && \
+		rm -f \#*\# && \
+		rm -f ./*.pyc && \
+		rm -f ./*.pyo
+	mkdir -p tests/tmp
+	mkdir -p tests/logs
+	touch tests/placeholder.log
+	mv tests/*.log tests/logs/
+	rm tests/logs/placeholder.log
 	touch placeholder.log
-	rm -rf keys
 	rm *.log
+	rm tests/random_seed
 
-test: cleantest 
-	python test_gnupg.py basic
+cleanup-tests-all: cleanup-tests
+	rm -rf tests/tmp
+
+cleanup-build:
+	mkdir buildnot
+	rm -rf build*
+
+test: cleanup-src cleanup-tests
+	which gpg
+	gpg --version
+	which gpg2
+	gpg2 --version
+	which gpg-agent
+	which pinentry
+	which python
+	python --version
+	which pip
+	pip --version
+	pip list
+	python tests/test_gnupg.py parsers basic encodings genkey sign listkeys crypt keyrings import
 
 install: 
-	python setup.py install
+	python setup.py install --record installed-files.txt
 
+uninstall:
+	touch installed-files.txt
+	cat installed-files.txt | sudo xargs rm -rf
+
+cleandocs:
+	sphinx-apidoc -F -A "Isis Agora Lovecruft" -H "python-gnupg" -V 0.4.0 -R 0.4.0 -o docs src/ tests/
+
+docs:
+	cd docs
+	make clean
+	make html
+
+venv:
+	-source /usr/shared/python/ns/virtualenvwrapper.sh && mkvirtualenv -a "$PWD" --no-site-packages --unzip-setuptools --distribute python-gnupg
diff --git a/PKG-INFO b/PKG-INFO
index 7acb3ca..206db4c 100644
--- a/PKG-INFO
+++ b/PKG-INFO
@@ -5,24 +5,25 @@ Summary: A wrapper for the Gnu Privacy Guard (GPG or GnuPG)
 Home-page: https://www.github.com/isislovecruft/python-gnupg
 Author: Isis Lovecruft
 Author-email: isis@leap.se
-License: Copyright (C) 2013 by Isis Lovecruft. All Rights Reserved. See LICENSE for license. See COPYLEFT for "copyright".
-Download-URL: https://github.com/isislovecruft/python-gnupg.git
-Description: This module allows easy access to GnuPG's key management, encryption and signature functionality from Python programs. It is intended for use with Python 2.4 or greater.
-Platform: No particular restrictions
-Classifier: Development Status :: 3 - Alpha
-Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
-Classifier: Programming Language :: Python
-Classifier: Programming Language :: Python :: 2
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 2.4
-Classifier: Programming Language :: Python :: 2.5
-Classifier: Programming Language :: Python :: 2.6
-Classifier: Programming Language :: Python :: 2.7
-Classifier: Programming Language :: Python :: 3.0
-Classifier: Programming Language :: Python :: 3.1
-Classifier: Programming Language :: Python :: 3.2
-Classifier: Operating System :: OS Independent
-Classifier: Topic :: Security :: Cryptography
-Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Classifier: Topic :: Utilities
+Download-URL: https://github.com/isislovecruft/python-gnupg/archives/develop.zip
+Description:: This module allows easy access to GnuPG's key management, encryption and signature functionality from Python programs. It is intended for use with Python 2.6 or greater.
+Classifier:: Development Status :: 3 - Alpha
+License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
+Operating System :: MacOS :: MacOS X
+Operating System :: Microsoft :: Windows :: Windows 7
+Operating System :: Microsoft :: Windows :: Windows XP
+Operating System :: POSIX :: BSD
+Operating System :: POSIX :: Linux
+Classifier:: Intended Audience :: Developers
+Classifier:: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)
+Classifier:: Programming Language :: Python
+Classifier:: Programming Language :: Python :: 2
+Classifier:: Programming Language :: Python :: 3
+Classifier:: Programming Language :: Python :: 2.6
+Classifier:: Programming Language :: Python :: 2.7
+Classifier:: Programming Language :: Python :: 3.0
+Classifier:: Programming Language :: Python :: 3.1
+Classifier:: Programming Language :: Python :: 3.2
+Classifier:: Topic :: Security :: Cryptography
+Classifier:: Topic :: Software Development :: Libraries :: Python Modules
+Classifier:: Topic :: Utilities
diff --git a/README b/README
deleted file mode 100644
index b553aa2..0000000
--- a/README
+++ /dev/null
@@ -1,12 +0,0 @@
-python-gnupg
-============
-
-Fork of python-gnupg-0.3.2, patched to remove Popen([...], shell=True).
-
-Installation
-------------
-To install this package from a source distribution, do the following.
-
-1. Extract all the files in the distribution archive to some directory on your system.
-2. In that directory, run "python setup.py install".
-3. Optionally, run "python test_gnupg.py" to ensure that the package is working as expected.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..1d70df3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,63 @@
+# python-gnupg #
+================
+
+Fork of python-gnupg-0.3.2, patched to remove ```Popen([...], shell=True)```.
+
+### Installation ###
+
+#### From this git repository ####
+To install this package from this git repository, do:
+
+```
+git clone https://github.com/isislovecruft/python-gnupg.git
+cd python-gnupg
+make install
+make test
+```
+
+Optionally to build the documentation after installation, do:
+```
+make docs
+```
+
+To get started using python-gnupg's API, see the [online documentation](https://python-gnupg.readthedocs.org/en/latest/),
+and import the module like so:
+```
+>>> import gnupg
+```
+
+The primary interface class you'll likely want to interact with is
+[```gnupg.GPG```](https://python-gnupg.readthedocs.org/en/latest/gnupg.html#gpg):
+```
+>>> gpg = gnupg.GPG(gpgbinary='/usr/bin/gpg',
+...     gpghome='./keys',
+...     pubring='pubring.gpg',
+...     secring='secring.gpg')
+>>> batch_key_input = gpg.gen_key_input()
+>>> print batch_key_input
+Key-Type: RSA
+Name-Email: isis@wintermute
+Name-Comment: Generated by gnupg.py
+Key-Length: 4096
+Name-Real: Autogenerated Key
+%pubring /home/isis/code/python-gnupg/keys/pubring.gpg
+%secring /home/isis/code/python-gnupg/keys/secring.gpg
+%commit
+
+>>> key = gpg.gen_key(batch_key_input)
+>>> print key.fingerprint
+245D8FA30F543B742053949F553C0E154F2E7A98
+
+```
+
+#### From PyPI ####
+Hold your horses, boy. I haven't finished development, so the packages on
+[PyPI](https://pypi.python.org) are still the old versions belonging to the
+other authors.
+
+### Bug Reports & Feature Requests ###
+Our bugtracker is [here](https://leap.se/code/projects/eip_server/issue/new). 
+
+Please use that for bug reports and feature requests instead of github's
+tracker. We're using github for code commenting and review between
+collaborators.
diff --git a/TODO b/TODO
new file mode 100644
index 0000000..d752f6d
--- /dev/null
+++ b/TODO
@@ -0,0 +1,60 @@
+-*- mode: org -*-
+
+* Keyring separation                                      :keyseparation:
+** TODO in GPG.gen_key()                           :keyseparation:gen_key:
+It would be nice to have an option for gen_key() [[gnupg.py:927]] to
+automatically switch before key generation to a new tempfile.mkdtemp()
+directory, with a new keyring and secring, and then to rename either the
+directory or the keyrings with the long keyid of the key which was freshly
+generated.
+
+* I/O                                                                :io:
+** TODO in GPG.__make_args()                                 :io:makeargs:
+It would be nice to make the file descriptors for communication with the GnuPG
+process configurable, and not the default, hard-coded 0=stdin 1=stdout
+2=stderr.
+
+* Key editing                                                   :editkey:
+** TODO add '--edit-key' feature                                :editkey:
+see :compatibility:gen__key_input:
+
+* Compatibility between GnuPG versions                    :compatibility:
+** TODO GnuPG>=2.1.0 won't allow key generation with preset passphrase
+*** TODO in GPG.gen__key_input()             :compatibility:gen_key_input:
+In the docstring of GPG.gen__key_input() [[gnupg.py:1068]], for the parameter
+'passphrase', it is explained that:
+
+        :param str passphrase: The passphrase for the new key. The default is
+                               to not use any passphrase. Note that
+                               GnuPG>=2.1.x will not allow you to specify a
+                               passphrase for batch key generation -- GnuPG
+                               will ignore the ``passphrase`` parameter, stop,
+                               and ask the user for the new passphrase.
+                               However, we can put the command '%no-protection'
+                               into the batch key generation file to allow a
+                               passwordless key to be created, which can then
+                               have its passphrase set later with '--edit-key'.
+
+If we add a GnuPG version detection feature (the version string is already
+obtained in GPG.___init___() [[gnupg.py:407]]), then we can automatically chain
+GPG.gen__key_input() to another new feature for '--edit-key'. This chaining
+would likely need to happen here [[gnupg.py:1146]].
+
+*** TODO add '--edit-key' feature                               :editkey:
+This would be necessary for adding a passphrase to the key after passwordless
+generation in GnuPG>=2.1.0.
+
+* Code cleanup                                                  :cleanup:
+** TODO in parsers.__sanitise()                         :cleanup:sanitise:
+Ughh...this is the ugliest code I think I've ever written. It works, but I
+worry that it is fragile, not to mention *I* have trouble reading it, and I
+fucking wrote the damn thing. There's probably not much that could be done to
+make it more Pythonic, because type checks and input validation are pretty much
+intrinsically non-Pythonic. But did i mention that it's ugly? I'm sure these
+functions would be pretty glad to get a shower, shave, and haircut.
+
+** TODO in parsers.__is_allowed()                     :cleanup:is_allowed:
+There is a lot of madness dealing with stupid things like hyphens
+vs. underscores, and lists of options vs. strings. This can *definitely* be
+cleaned up.
+
diff --git a/docs/DETAILS b/docs/DETAILS
new file mode 100644
index 0000000..d5c5cea
--- /dev/null
+++ b/docs/DETAILS
@@ -0,0 +1,1225 @@
+# doc/DETAILS                                                -*- org -*-
+#+TITLE: GnuPG Details
+# Globally disable superscripts and subscripts:
+#+OPTIONS: ^:{}
+#
+
+# Note: This file uses org-mode; it should be easy to read as plain
+# text but be aware of some markup peculiarities: Verbatim code is
+# enclosed in #+begin-example, #+end-example blocks or marked by a
+# colon as the first non-white-space character, words bracketed with
+# equal signs indicate a monospace font, and the usual /italics/,
+# *bold*, and _underline_ conventions are recognized.
+
+This is the DETAILS file for GnuPG which specifies some internals and
+parts of the external API for GPG and GPGSM.
+
+* Format of the colon listings
+  The format is a based on colon separated record, each recods starts
+  with a tag string and extends to the end of the line.  Here is an
+  example:
+#+begin_example
+$ gpg --with-colons --list-keys \
+      --with-fingerprint --with-fingerprint wk@gnupg.org
+pub:f:1024:17:6C7EE1B8621CC013:899817715:1055898235::m:::scESC:
+fpr:::::::::ECAF7590EB3443B5C7CF3ACB6C7EE1B8621CC013:
+uid:f::::::::Werner Koch <wk@g10code.com>:
+uid:f::::::::Werner Koch <wk@gnupg.org>:
+sub:f:1536:16:06AD222CADF6A6E1:919537416:1036177416:::::e:
+fpr:::::::::CF8BCC4B18DE08FCD8A1615906AD222CADF6A6E1:
+sub:r:1536:20:5CE086B5B5A18FF4:899817788:1025961788:::::esc:
+fpr:::::::::AB059359A3B81F410FCFF97F5CE086B5B5A18FF4:
+#+end_example
+
+The double =--with-fingerprint= prints the fingerprint for the subkeys
+too.  Old versions of gpg used a lighly different format and required
+the use of the option =--fixed-list-mode= to conform to format
+described here.
+
+** Description of the fields
+*** Field 1 - Type of record
+
+    - pub :: Public key
+    - crt :: X.509 certificate
+    - crs :: X.509 certificate and private key available
+    - sub :: Subkey (secondary key)
+    - sec :: Secret key
+    - ssb :: Secret subkey (secondary key)
+    - uid :: User id (only field 10 is used).
+    - uat :: User attribute (same as user id except for field 10).
+    - sig :: Signature
+    - rev :: Revocation signature
+    - fpr :: Fingerprint (fingerprint is in field 10)
+    - pkd :: Public key data [*]
+    - grp :: Keygrip
+    - rvk :: Revocation key
+    - tru :: Trust database information [*]
+    - spk :: Signature subpacket [*]
+    - cfg :: Configuration data [*]
+
+    Records marked with an asterisk are described at [[*Special%20field%20formats][*Special fields]].
+
+*** Field 2 - Validity
+
+    This is a letter describing the computed validity of a key.
+    Currently this is a single letter, but be prepared that additional
+    information may follow in some future versions. Note that GnuPG <
+    2.1 does not set this field for secret key listings.
+
+    - o :: Unknown (this key is new to the system)
+    - i :: The key is invalid (e.g. due to a missing self-signature)
+    - d :: The key has been disabled
+	   (deprecated - use the 'D' in field 12 instead)
+    - r :: The key has been revoked
+    - e :: The key has expired
+    - - :: Unknown validity (i.e. no value assigned)
+    - q :: Undefined validity.  '-' and 'q' may safely be treated as
+           the same value for most purposes
+    - n :: The key is not valid
+    - m :: The key is marginal valid.
+    - f :: The key is fully valid
+    - u :: The key is ultimately valid.  This often means that the
+           secret key is available, but any key may be marked as
+           ultimately valid.
+    - w :: The key has a well known private part.
+    - s :: The key has special validity.  This means that it might be
+           self-signed and expected to be used in the STEED sytem.
+
+    If the validity information is given for a UID or UAT record, it
+    describes the validity calculated based on this user ID.  If given
+    for a key record it describes the validity taken from the best
+    rated user ID.
+
+    For X.509 certificates a 'u' is used for a trusted root
+    certificate (i.e. for the trust anchor) and an 'f' for all other
+    valid certificates.
+
+*** Field 3 - Key length
+
+    The length of key in bits.
+
+*** Field 4 - Public key algorithm
+
+    The values here are those from the OpenPGP specs or if they are
+    greather than 255 the algorithm ids as used by Libgcrypt.
+
+*** Field 5 - KeyID
+
+    This is the 64 bit keyid as specified by OpenPGP and the last 64
+    bit of the SHA-1 fingerprint of an X.509 certifciate.
+
+*** Field 6 - Creation date
+
+    The creation date of the key is given in UTC.  For UID and UAT
+    records, this is used for the self-signature date.  Note that the
+    date is usally printed in seconds since epoch, however, we are
+    migrating to an ISO 8601 format (e.g. "19660205T091500").  This is
+    currently only relevant for X.509.  A simple way to detect the new
+    format is to scan for the 'T'.  Note that old versions of gpg
+    without using the =--fixed-list-mode= option used a "yyyy-mm-tt"
+    format.
+
+*** Field 7 - Expiration date
+
+    Key or UID/UAT expiration date or empty if it does not expire.
+
+*** Field 8 - Certificate S/N, UID hash, trust signature info
+
+    Used for serial number in crt records.  For UID and UAT records,
+    this is a hash of the user ID contents used to represent that
+    exact user ID.  For trust signatures, this is the trust depth
+    seperated by the trust value by a space.
+
+*** Field 9 -  Ownertrust
+
+    This is only used on primary keys.  This is a single letter, but
+    be prepared that additional information may follow in future
+    versions.  For trust signatures with a regular expression, this is
+    the regular expression value, quoted as in field 10.
+
+*** Field 10 - User-ID
+    The value is quoted like a C string to avoid control characters
+    (the colon is quoted =\x3a=).  For a "pub" record this field is
+    not used on --fixed-list-mode.  A UAT record puts the attribute
+    subpacket count here, a space, and then the total attribute
+    subpacket size.  In gpgsm the issuer name comes here.  A FPR
+    record stores the fingerprint here.  The fingerprint of a
+    revocation key is stored here.
+*** Field 11 - Signature class
+
+    Signature class as per RFC-4880.  This is a 2 digit hexnumber
+    followed by either the letter 'x' for an exportable signature or
+    the letter 'l' for a local-only signature.  The class byte of an
+    revocation key is also given here, 'x' and 'l' is used the same
+    way.  This field if not used for X.509.
+
+*** Field 12 - Key capabilities
+
+    The defined capabilities are:
+
+    - e :: Encrypt
+    - s :: Sign
+    - c :: Certify
+    - a :: Authentication
+    - ? :: Unknown capability
+
+    A key may have any combination of them in any order.  In addition
+    to these letters, the primary key has uppercase versions of the
+    letters to denote the _usable_ capabilities of the entire key, and
+    a potential letter 'D' to indicate a disabled key.
+
+*** Field 13 - Issuer certificate fingerprint or other info
+
+    Used in FPR records for S/MIME keys to store the fingerprint of
+    the issuer certificate.  This is useful to build the certificate
+    path based on certificates stored in the local key database it is
+    only filled if the issuer certificate is available. The root has
+    been reached if this is the same string as the fingerprint. The
+    advantage of using this value is that it is guaranteed to have
+    been been build by the same lookup algorithm as gpgsm uses.
+
+    For "uid" records this field lists the preferences in the same way
+    gpg's --edit-key menu does.
+
+    For "sig" records, this is the fingerprint of the key that issued
+    the signature.  Note that this is only filled in if the signature
+    verified correctly.  Note also that for various technical reasons,
+    this fingerprint is only available if --no-sig-cache is used.
+
+*** Field 14 - Flag field
+
+    Flag field used in the --edit menu output
+
+*** Field 15 - S/N of a token
+
+    Used in sec/sbb to print the serial number of a token (internal
+    protect mode 1002) or a '#' if that key is a simple stub (internal
+    protect mode 1001)
+
+*** Field 16 - Hash algorithm
+
+    For sig records, this is the used hash algorithm.  For example:
+    2 = SHA-1, 8 = SHA-256.
+
+** Special fields
+
+*** PKD - Public key data
+
+    If field 1 has the tag "pkd", a listing looks like this:
+#+begin_example
+pkd:0:1024:B665B1435F4C2 .... FF26ABB:
+    !  !   !-- the value
+    !  !------ for information number of bits in the value
+    !--------- index (eg. DSA goes from 0 to 3: p,q,g,y)
+#+end_example
+
+*** TRU - Trust database information
+    Example for a "tru" trust base record:
+#+begin_example
+    tru:o:0:1166697654:1:3:1:5
+#+end_example
+
+    - Field 2 :: Reason for staleness of trust.  If this field is
+                 empty, then the trustdb is not stale.  This field may
+                 have multiple flags in it:
+
+                 - o :: Trustdb is old
+                 - t :: Trustdb was built with a different trust model
+                        than the one we are using now.
+
+    - Field 3 :: Trust model
+
+                 - 0 :: Classic trust model, as used in PGP 2.x.
+                 - 1 :: PGP trust model, as used in PGP 6 and later.
+                        This is the same as the classic trust model,
+                        except for the addition of trust signatures.
+
+                 GnuPG before version 1.4 used the classic trust model
+                 by default. GnuPG 1.4 and later uses the PGP trust
+                 model by default.
+
+    - Field 4 :: Date trustdb was created in seconds since Epoch.
+    - Field 5 :: Date trustdb will expire in seconds since Epoch.
+    - Field 6 :: Number of marginally trusted users to introduce a new
+                 key signer (gpg's option --marginals-needed).
+    - Field 7 :: Number of completely trusted users to introduce a new
+                 key signer.  (gpg's option --completes-needed)
+
+    - Field 8 :: Maximum depth of a certification chain. (gpg's option
+                 --max-cert-depth)
+
+*** SPK - Signature subpacket records
+
+    - Field 2 :: Subpacket number as per RFC-4880 and later.
+    - Field 3 :: Flags in hex.  Currently the only two bits assigned
+                 are 1, to indicate that the subpacket came from the
+                 hashed part of the signature, and 2, to indicate the
+                 subpacket was marked critical.
+    - Field 4 :: Length of the subpacket.  Note that this is the
+                 length of the subpacket, and not the length of field
+                 5 below.  Due to the need for %-encoding, the length
+                 of field 5 may be up to 3x this value.
+    - Field 5 :: The subpacket data.  Printable ASCII is shown as
+                 ASCII, but other values are rendered as %XX where XX
+                 is the hex value for the byte.
+
+*** CFG - Configuration data
+
+    --list-config outputs information about the GnuPG configuration
+    for the benefit of frontends or other programs that call GnuPG.
+    There are several list-config items, all colon delimited like the
+    rest of the --with-colons output.  The first field is always "cfg"
+    to indicate configuration information.  The second field is one of
+    (with examples):
+
+    - version :: The third field contains the version of GnuPG.
+
+                 : cfg:version:1.3.5
+
+    - pubkey :: The third field contains the public key algorithms
+                this version of GnuPG supports, separated by
+                semicolons.  The algorithm numbers are as specified in
+                RFC-4880.  Note that in contrast to the --status-fd
+                interface these are _not_ the Libgcrypt identifiers.
+
+                 : cfg:pubkey:1;2;3;16;17
+
+    - cipher :: The third field contains the symmetric ciphers this
+                version of GnuPG supports, separated by semicolons.
+                The cipher numbers are as specified in RFC-4880.
+
+                 : cfg:cipher:2;3;4;7;8;9;10
+
+    - digest :: The third field contains the digest (hash) algorithms
+                this version of GnuPG supports, separated by
+                semicolons.  The digest numbers are as specified in
+                RFC-4880.
+
+                 : cfg:digest:1;2;3;8;9;10
+
+    - compress :: The third field contains the compression algorithms
+                  this version of GnuPG supports, separated by
+                  semicolons.  The algorithm numbers are as specified
+                  in RFC-4880.
+
+                 : cfg:compress:0;1;2;3
+
+    - group :: The third field contains the name of the group, and the
+               fourth field contains the values that the group expands
+               to, separated by semicolons.
+
+               For example, a group of:
+                 : group mynames = paige 0x12345678 joe patti
+               would result in:
+                 : cfg:group:mynames:patti;joe;0x12345678;paige
+
+
+* Format of the --status-fd output
+
+  Every line is prefixed with "[GNUPG:] ", followed by a keyword with
+  the type of the status line and some arguments depending on the type
+  (maybe none); an application should always be prepared to see more
+  arguments in future versions.
+
+** General status codes
+*** NEWSIG
+    May be issued right before a signature verification starts.  This
+    is useful to define a context for parsing ERROR status messages.
+    No arguments are currently defined.
+
+*** GOODSIG  <long_keyid_or_fpr>  <username>
+    The signature with the keyid is good.  For each signature only one
+    of the codes GOODSIG, BADSIG, EXPSIG, EXPKEYSIG, REVKEYSIG or
+    ERRSIG will be emitted.  In the past they were used as a marker
+    for a new signature; new code should use the NEWSIG status
+    instead.  The username is the primary one encoded in UTF-8 and %XX
+    escaped. The fingerprint may be used instead of the long keyid if
+    it is available.  This is the case with CMS and might eventually
+    also be available for OpenPGP.
+
+*** EXPSIG  <long_keyid_or_fpr>  <username>
+    The signature with the keyid is good, but the signature is
+    expired. The username is the primary one encoded in UTF-8 and %XX
+    escaped. The fingerprint may be used instead of the long keyid if
+    it is available.  This is the case with CMS and might eventually
+    also be available for OpenPGP.
+
+*** EXPKEYSIG  <long_keyid_or_fpr> <username>
+    The signature with the keyid is good, but the signature was made
+    by an expired key. The username is the primary one encoded in
+    UTF-8 and %XX escaped.  The fingerprint may be used instead of the
+    long keyid if it is available.  This is the case with CMS and
+    might eventually also be available for OpenPGP.
+
+*** REVKEYSIG  <long_keyid_or_fpr>  <username>
+    The signature with the keyid is good, but the signature was made
+    by a revoked key. The username is the primary one encoded in UTF-8
+    and %XX escaped. The fingerprint may be used instead of the long
+    keyid if it is available.  This is the case with CMS and might
+    eventually also beñ available for OpenPGP.
+
+*** BADSIG  <long_keyid_or_fpr>  <username>
+    The signature with the keyid has not been verified okay.  The
+    username is the primary one encoded in UTF-8 and %XX escaped. The
+    fingerprint may be used instead of the long keyid if it is
+    available.  This is the case with CMS and might eventually also be
+    available for OpenPGP.
+
+*** ERRSIG  <keyid>  <pkalgo> <hashalgo> <sig_class> <time> <rc>
+    It was not possible to check the signature.  This may be caused by
+    a missing public key or an unsupported algorithm.  A RC of 4
+    indicates unknown algorithm, a 9 indicates a missing public
+    key. The other fields give more information about this signature.
+    sig_class is a 2 byte hex-value.  The fingerprint may be used
+    instead of the keyid if it is available.  This is the case with
+    gpgsm and might eventually also be available for OpenPGP.
+
+    Note, that TIME may either be the number of seconds since Epoch or
+    the letter 'T'.
+    an ISO 8601 string.  The latter can be detected by the presence of
+
+*** VALIDSIG <args>
+
+    The args are:
+
+    - <fingerprint_in_hex>
+    - <sig_creation_date>
+    - <sig-timestamp>
+    - <expire-timestamp>
+    - <sig-version>
+    - <reserved>
+    - <pubkey-algo>
+    - <hash-algo>
+    - <sig-class>
+    - [ <primary-key-fpr> ]
+
+    This status indicates that the signature is good. This is the same
+    as GOODSIG but has the fingerprint as the argument. Both status
+    lines are emitted for a good signature.  All arguments here are on
+    one long line.  sig-timestamp is the signature creation time in
+    seconds after the epoch. expire-timestamp is the signature
+    expiration time in seconds after the epoch (zero means "does not
+    expire"). sig-version, pubkey-algo, hash-algo, and sig-class (a
+    2-byte hex value) are all straight from the signature packet.
+    PRIMARY-KEY-FPR is the fingerprint of the primary key or identical
+    to the first argument.  This is useful to get back to the primary
+    key without running gpg again for this purpose.
+
+    The primary-key-fpr parameter is used for OpenPGP and not
+    class is not defined for CMS and currently set to 0 and 00.
+    available for CMS signatures.  The sig-version as well as the sig
+
+    Note, that *-TIMESTAMP may either be a number of seconds since
+    Epoch or an ISO 8601 string which can be detected by the presence
+    of the letter 'T'.
+
+*** SIG_ID  <radix64_string>  <sig_creation_date>  <sig-timestamp>
+    This is emitted only for signatures of class 0 or 1 which have
+    been verified okay.  The string is a signature id and may be used
+    in applications to detect replay attacks of signed messages.  Note
+    that only DLP algorithms give unique ids - others may yield
+    duplicated ones when they have been created in the same second.
+
+    Note, that SIG-TIMESTAMP may either be a number of seconds since
+    Epoch or an ISO 8601 string which can be detected by the presence
+    of the letter 'T'.
+
+*** ENC_TO  <long_keyid>  <keytype>  <keylength>
+    The message is encrypted to this LONG_KEYID.  KEYTYPE is the
+    numerical value of the public key algorithm or 0 if it is not
+    known, KEYLENGTH is the length of the key or 0 if it is not known
+    (which is currently always the case).  Gpg prints this line
+    always; Gpgsm only if it knows the certificate.
+
+*** BEGIN_DECRYPTION
+    Mark the start of the actual decryption process.  This is also
+    emitted when in --list-only mode.
+*** END_DECRYPTION
+    Mark the end of the actual decryption process.  This are also
+    emitted when in --list-only mode.
+*** DECRYPTION_INFO <mdc_method> <sym_algo>
+    Print information about the symmetric encryption algorithm and the
+    MDC method.  This will be emitted even if the decryption fails.
+
+*** DECRYPTION_FAILED
+    The symmetric decryption failed - one reason could be a wrong
+    passphrase for a symmetrical encrypted message.
+
+*** DECRYPTION_OKAY
+    The decryption process succeeded.  This means, that either the
+    correct secret key has been used or the correct passphrase for a
+    conventional encrypted message was given.  The program itself may
+    return an errorcode because it may not be possible to verify a
+    signature for some reasons.
+
+*** SESSION_KEY <algo>:<hexdigits>
+    The session key used to decrypt the message.  This message will
+    only be emitted when the special option --show-session-key is
+    used.  The format is suitable to be passed to the option
+    --override-session-key
+
+*** BEGIN_ENCRYPTION  <mdc_method> <sym_algo>
+    Mark the start of the actual encryption process.
+
+*** END_ENCRYPTION
+    Mark the end of the actual encryption process.
+
+*** FILE_START <what> <filename>
+    Start processing a file <filename>.  <what> indicates the performed
+    operation:
+    - 1 :: verify
+    - 2 :: encrypt
+    - 3 :: decrypt
+
+*** FILE_DONE
+    Marks the end of a file processing which has been started
+    by FILE_START.
+
+*** BEGIN_SIGNING
+    Mark the start of the actual signing process. This may be used as
+    an indication that all requested secret keys are ready for use.
+
+*** ALREADY_SIGNED <long-keyid>
+    Warning: This is experimental and might be removed at any time.
+
+*** SIG_CREATED <type> <pk_algo> <hash_algo> <class> <timestamp> <keyfpr>
+    A signature has been created using these parameters.
+    Values for type <type> are:
+      - D :: detached
+      - C :: cleartext
+      - S :: standard
+    (only the first character should be checked)
+
+    <class> are 2 hex digits with the OpenPGP signature class.
+
+    Note, that TIMESTAMP may either be a number of seconds since Epoch
+    or an ISO 8601 string which can be detected by the presence of the
+    letter 'T'.
+
+*** NOTATION_
+    There are actually two related status codes to convey notation
+    data:
+
+    - NOTATION_NAME <name>
+    - NOTATION_DATA <string>
+
+    <name> and <string> are %XX escaped; the data may be split among
+    several NOTATION_DATA lines.
+
+*** POLICY_URL <string>
+    Note that URL in <string> is %XX escaped.
+
+*** PLAINTEXT <format> <timestamp> <filename>
+    This indicates the format of the plaintext that is about to be
+    written.  The format is a 1 byte hex code that shows the format of
+    the plaintext: 62 ('b') is binary data, 74 ('t') is text data with
+    no character set specified, and 75 ('u') is text data encoded in
+    the UTF-8 character set.  The timestamp is in seconds since the
+    epoch.  If a filename is available it gets printed as the third
+    argument, percent-escaped as usual.
+
+*** PLAINTEXT_LENGTH <length>
+    This indicates the length of the plaintext that is about to be
+    written.  Note that if the plaintext packet has partial length
+    encoding it is not possible to know the length ahead of time.  In
+    that case, this status tag does not appear.
+
+*** ATTRIBUTE <arguments>
+    The list or argemnts are:
+    - <fpr>
+    - <octets>
+    - <type>
+    - <index>
+    - <count>
+    - <timestamp>
+    - <expiredate>
+    - <flags>
+
+    This is one long line issued for each attribute subpacket when an
+    attribute packet is seen during key listing.  <fpr> is the
+    fingerprint of the key.  <octets> is the length of the attribute
+    subpacket.  <type> is the attribute type (e.g. 1 for an image).
+    <index> and <count> indicate that this is the N-th indexed
+    subpacket of count total subpackets in this attribute packet.
+    <timestamp> and <expiredate> are from the self-signature on the
+    attribute packet.  If the attribute packet does not have a valid
+    self-signature, then the timestamp is 0.  <flags> are a bitwise OR
+    of:
+    - 0x01 :: this attribute packet is a primary uid
+    - 0x02 :: this attribute packet is revoked
+    - 0x04 :: this attribute packet is expired
+
+*** SIG_SUBPACKET <type> <flags> <len> <data>
+    This indicates that a signature subpacket was seen.  The format is
+    the same as the "spk" record above.
+
+** Key related
+*** INV_RECP, INV_SGNR
+    The two similar status codes:
+
+    - INV_RECP <reason> <requested_recipient>
+    - INV_SGNR <reason> <requested_sender>
+
+    are issued for each unusable recipient/sender. The reasons codes
+    currently in use are:
+
+       -  0 :: No specific reason given
+       -  1 :: Not Found
+       -  2 :: Ambigious specification
+       -  3 :: Wrong key usage
+       -  4 :: Key revoked
+       -  5 :: Key expired
+       -  6 :: No CRL known
+       -  7 :: CRL too old
+       -  8 :: Policy mismatch
+       -  9 :: Not a secret key
+       - 10 :: Key not trusted
+       - 11 :: Missing certificate
+       - 12 :: Missing issuer certificate
+
+    Note that for historical reasons the INV_RECP status is also used
+    for gpgsm's SIGNER command where it relates to signer's of course.
+    Newer GnuPG versions are using INV_SGNR; applications should
+    ignore the INV_RECP during the sender's command processing once
+    they have seen an INV_SGNR.  Different codes are used so that they
+    can be distinguish while doing an encrypt+sign operation.
+*** NO_RECP <reserved>
+    Issued if no recipients are usable.
+
+*** NO_SGNR <reserved>
+    Issued if no senders are usable.
+
+*** KEYEXPIRED <expire-timestamp>
+    The key has expired.  expire-timestamp is the expiration time in
+    seconds since Epoch.  This status line is not very useful because
+    it will also be emitted for expired subkeys even if this subkey is
+    not used.  To check whether a key used to sign a message has
+    expired, the EXPKEYSIG status line is to be used.
+
+    Note, that the TIMESTAMP may either be a number of seconds since
+    Epoch or an ISO 8601 string which can be detected by the presence
+    of the letter 'T'.
+
+*** KEYREVOKED
+    The used key has been revoked by its owner.  No arguments yet.
+
+*** NO_PUBKEY  <long keyid>
+    The public key is not available
+
+*** NO_SECKEY  <long keyid>
+    The secret key is not available
+
+*** KEY_CREATED <type> <fingerprint> [<handle>]
+    A key has been created.  Values for <type> are:
+      - B :: primary and subkey
+      - P :: primary
+      - S :: subkey
+    The fingerprint is one of the primary key for type B and P and the
+    one of the subkey for S.  Handle is an arbitrary non-whitespace
+    string used to match key parameters from batch key creation run.
+
+*** KEY_NOT_CREATED [<handle>]
+    The key from batch run has not been created due to errors.
+
+*** TRUST_
+    These are several similar status codes:
+
+    - TRUST_UNDEFINED <error_token>
+    - TRUST_NEVER     <error_token>
+    - TRUST_MARGINAL  [0  [<validation_model>]]
+    - TRUST_FULLY     [0  [<validation_model>]]
+    - TRUST_ULTIMATE  [0  [<validation_model>]]
+
+    For good signatures one of these status lines are emitted to
+    indicate the validity of the key used to create the signature.
+    The error token values are currently only emitted by gpgsm.
+
+    VALIDATION_MODEL describes the algorithm used to check the
+    validity of the key.  The defaults are the standard Web of Trust
+    model for gpg and the the standard X.509 model for gpgsm.  The
+    defined values are
+
+       - pgp   :: The standard PGP WoT.
+       - shell :: The standard X.509 model.
+       - chain :: The chain model.
+       - steed :: The STEED model.
+
+    Note that the term =TRUST_= in the status names is used for
+    historic reasons; we now speak of validity.
+
+*** PKA_TRUST_
+    This is is one:
+
+    - PKA_TRUST_GOOD <mailbox>
+    - PKA_TRUST_BAD  <mailbox>
+
+    Depending on the outcome of the PKA check one of the above status
+    codes is emitted in addition to a =TRUST_*= status.
+
+** Remote control
+*** GET_BOOL, GET_LINE, GET_HIDDEN, GOT_IT
+
+    These status line are used with --command-fd for interactive
+    control of the process.
+
+*** USERID_HINT <long main keyid> <string>
+    Give a hint about the user ID for a certain keyID.
+
+*** NEED_PASSPHRASE <long keyid> <long main keyid> <keytype> <keylength>
+    Issued whenever a passphrase is needed.  KEYTYPE is the numerical
+    value of the public key algorithm or 0 if this is not applicable,
+    KEYLENGTH is the length of the key or 0 if it is not known (this
+    is currently always the case).
+
+*** NEED_PASSPHRASE_SYM <cipher_algo> <s2k_mode> <s2k_hash>
+    Issued whenever a passphrase for symmetric encryption is needed.
+
+*** NEED_PASSPHRASE_PIN <card_type> <chvno> [<serialno>]
+    Issued whenever a PIN is requested to unlock a card.
+
+*** MISSING_PASSPHRASE
+    No passphrase was supplied.  An application which encounters this
+    message may want to stop parsing immediately because the next
+    message will probably be a BAD_PASSPHRASE.  However, if the
+    application is a wrapper around the key edit menu functionality it
+    might not make sense to stop parsing but simply ignoring the
+    following BAD_PASSPHRASE.
+
+*** BAD_PASSPHRASE <long keyid>
+    The supplied passphrase was wrong or not given.  In the latter
+    case you may have seen a MISSING_PASSPHRASE.
+
+*** GOOD_PASSPHRASE
+    The supplied passphrase was good and the secret key material
+    is therefore usable.
+
+** Import/Export
+*** IMPORT_CHECK <long keyid> <fingerprint> <user ID>
+    This status is emitted in interactive mode right before
+    the "import.okay" prompt.
+
+*** IMPORTED   <long keyid>  <username>
+    The keyid and name of the signature just imported
+
+*** IMPORT_OK  <reason> [<fingerprint>]
+    The key with the primary key's FINGERPRINT has been imported.
+    REASON flags are:
+
+    - 0 :: Not actually changed
+    - 1 :: Entirely new key.
+    - 2 :: New user IDs
+    - 4 :: New signatures
+    - 8 :: New subkeys
+    - 16 :: Contains private key.
+
+    The flags may be ORed.
+
+*** IMPORT_PROBLEM <reason> [<fingerprint>]
+    Issued for each import failure.  Reason codes are:
+
+    - 0 :: No specific reason given.
+    - 1 :: Invalid Certificate.
+    - 2 :: Issuer Certificate missing.
+    - 3 :: Certificate Chain too long.
+    - 4 :: Error storing certificate.
+
+*** IMPORT_RES <args>
+    Final statistics on import process (this is one long line). The
+    args are a list of unsigned numbers separated by white space:
+
+    - <count>
+    - <no_user_id>
+    - <imported>
+    - <imported_rsa>
+    - <unchanged>
+    - <n_uids>
+    - <n_subk>
+    - <n_sigs>
+    - <n_revoc>
+    - <sec_read>
+    - <sec_imported>
+    - <sec_dups>
+    - <skipped_new_keys>
+    - <not_imported>
+
+** Smartcard related
+*** CARDCTRL <what> [<serialno>]
+    This is used to control smartcard operations.  Defined values for
+    WHAT are:
+
+      - 1 :: Request insertion of a card.  Serialnumber may be given
+             to request a specific card.  Used by gpg 1.4 w/o
+             scdaemon
+      - 2 :: Request removal of a card.  Used by gpg 1.4 w/o scdaemon.
+      - 3 :: Card with serialnumber detected
+      - 4 :: No card available
+      - 5 :: No card reader available
+      - 6 :: No card support available
+
+*** SC_OP_FAILURE [<code>]
+    An operation on a smartcard definitely failed.  Currently there is
+    no indication of the actual error code, but application should be
+    prepared to later accept more arguments.  Defined values for
+    <code> are:
+
+      - 0 :: unspecified error (identically to a missing CODE)
+      - 1 :: canceled
+      - 2 :: bad PIN
+
+*** SC_OP_SUCCESS
+    A smart card operaion succeeded.  This status is only printed for
+    certain operation and is mostly useful to check whether a PIN
+    change really worked.
+
+** Miscellaneous status codes
+*** NODATA  <what>
+    No data has been found.  Codes for WHAT are:
+
+    - 1 :: No armored data.
+    - 2 :: Expected a packet but did not found one.
+    - 3 :: Invalid packet found, this may indicate a non OpenPGP
+           message.
+    - 4 :: Signature expected but not found
+
+    You may see more than one of these status lines.
+
+*** UNEXPECTED <what>
+    Unexpected data has been encountered.  Codes for WHAT are:
+    - 0 :: Not further specified
+
+*** TRUNCATED <maxno>
+    The output was truncated to MAXNO items.  This status code is
+    issued for certain external requests.
+
+*** ERROR <error location> <error code> [<more>]
+    This is a generic error status message, it might be followed by
+    error location specific data. <error code> and <error_location>
+    should not contain spaces.  The error code is a either a string
+    commencing with a letter or such a string prefixed with a
+    numerical error code and an underscore; e.g.: "151011327_EOF".
+
+*** SUCCESS [<location>]
+    Postive confirimation that an operation succeeded.  <location> is
+    optional but if given should not contain spaces.  Used only with a
+    few commands.
+
+*** BADARMOR
+    The ASCII armor is corrupted.  No arguments yet.
+
+*** DELETE_PROBLEM <reason_code>
+    Deleting a key failed.  Reason codes are:
+    - 1 :: No such key
+    - 2 :: Must delete secret key first
+    - 3 :: Ambigious specification
+
+*** PROGRESS <what> <char> <cur> <total>
+    Used by the primegen and Public key functions to indicate
+    progress.  <char> is the character displayed with no --status-fd
+    enabled, with the linefeed replaced by an 'X'.  <cur> is the
+    current amount done and <total> is amount to be done; a <total> of
+    0 indicates that the total amount is not known. The condition
+      :       TOTAL && CUR == TOTAL
+    may be used to detect the end of an operation.
+
+    Well known values for WHAT are:
+
+           - pk_dsa   :: DSA key generation
+           - pk_elg   :: Elgamal key generation
+           - primegen :: Prime generation
+           - need_entropy :: Waiting for new entropy in the RNG
+           - tick :: Generic tick without any special meaning - useful
+                     for letting clients know that the server is still
+                     working.
+           - starting_agent :: A gpg-agent was started because it is not
+                                running as a daemon.
+           - learncard :: Send by the agent and gpgsm while learing
+                          the data of a smartcard.
+           - card_busy :: A smartcard is still working
+
+*** BACKUP_KEY_CREATED <fingerprint> <fname>
+    A backup of a key identified by <fingerprint> has been writte to
+    the file <fname>; <fname> is percent-escaped.
+
+*** MOUNTPOINT <name>
+    <name> is a percent-plus escaped filename describing the
+    mountpoint for the current operation (e.g. used by "g13 --mount").
+    This may either be the specified mountpoint or one randomly
+    choosen by g13.
+
+*** PINENTRY_LAUNCHED <pid>
+    This status line is emitted by gpg to notify a client that a
+    Pinentry has been launched.  <pid> is the PID of the Pinentry.  It
+    may be used to display a hint to the user but can't be used to
+    synchronize with Pinentry.  Note that there is also an Assuan
+    inquiry line with the same name used internally or, if enabled,
+    send to the client instead of this status line.  Such an inquiry
+    may be used to sync with Pinentry
+
+** Obsolete status codes
+*** SIGEXPIRED
+    Removed on 2011-02-04.  This is deprecated in favor of KEYEXPIRED.
+*** RSA_OR_IDEA
+    Obsolete.  This status message used to be emitted for requests to
+    use the IDEA or RSA algorithms.  It has been dropped from GnuPG
+    2.1 after the respective patents expired.
+*** SHM_INFO, SHM_GET, SHM_GET_BOOL, SHM_GET_HIDDEN
+    These were used for the ancient shared memory based co-processing.
+*** BEGIN_STREAM, END_STREAM
+    Used to issued by the experimental pipemode.
+
+
+* Format of the --attribute-fd output
+
+  When --attribute-fd is set, during key listings (--list-keys,
+  --list-secret-keys) GnuPG dumps each attribute packet to the file
+  descriptor specified.  --attribute-fd is intended for use with
+  --status-fd as part of the required information is carried on the
+  ATTRIBUTE status tag (see above).
+
+  The contents of the attribute data is specified by RFC 4880.  For
+  convenience, here is the Photo ID format, as it is currently the
+  only attribute defined:
+
+  - Byte 0-1 :: The length of the image header.  Due to a historical
+                accident (i.e. oops!) back in the NAI PGP days, this
+                is a little-endian number.  Currently 16 (0x10 0x00).
+
+  - Byte 2 :: The image header version.  Currently 0x01.
+
+  - Byte 3 :: Encoding format.  0x01 == JPEG.
+
+  - Byte 4-15 :: Reserved, and currently unused.
+
+  All other data after this header is raw image (JPEG) data.
+
+
+* Unattended key generation
+
+   Please see the GnuPG manual for a description.
+
+
+* Layout of the TrustDB
+
+  The TrustDB is built from fixed length records, where the first byte
+  describes the record type.  All numeric values are stored in network
+  byte order. The length of each record is 40 bytes. The first record
+  of the DB is always of type 1 and this is the only record of this
+  type.
+
+  FIXME:  The layout changed, document it here.
+#+begin_example
+  Record type 0:
+  --------------
+    Unused record, can be reused for any purpose.
+
+  Record type 1:
+  --------------
+    Version information for this TrustDB.  This is always the first
+    record of the DB and the only one with type 1.
+     1 byte value 1
+     3 bytes 'gpg'  magic value
+     1 byte Version of the TrustDB (2)
+     1 byte marginals needed
+     1 byte completes needed
+     1 byte max_cert_depth
+	    The three items are used to check whether the cached
+	    validity value from the dir record can be used.
+     1 u32  locked flags [not used]
+     1 u32  timestamp of trustdb creation
+     1 u32  timestamp of last modification which may affect the validity
+	    of keys in the trustdb.  This value is checked against the
+	    validity timestamp in the dir records.
+     1 u32  timestamp of last validation [currently not used]
+	    (Used to keep track of the time, when this TrustDB was checked
+	     against the pubring)
+     1 u32  record number of keyhashtable [currently not used]
+     1 u32  first free record
+     1 u32  record number of shadow directory hash table [currently not used]
+	    It does not make sense to combine this table with the key table
+	    because the keyid is not in every case a part of the fingerprint.
+     1 u32  record number of the trusthashtbale
+
+
+  Record type 2: (directory record)
+  --------------
+    Informations about a public key certificate.
+    These are static values which are never changed without user interaction.
+
+     1 byte value 2
+     1 byte  reserved
+     1 u32   LID     .	(This is simply the record number of this record.)
+     1 u32   List of key-records (the first one is the primary key)
+     1 u32   List of uid-records
+     1 u32   cache record
+     1 byte  ownertrust
+     1 byte  dirflag
+     1 byte  maximum validity of all the user ids
+     1 u32   time of last validity check.
+     1 u32   Must check when this time has been reached.
+	     (0 = no check required)
+
+
+  Record type 3:  (key record)
+  --------------
+    Informations about a primary public key.
+    (This is mainly used to lookup a trust record)
+
+     1 byte value 3
+     1 byte  reserved
+     1 u32   LID
+     1 u32   next   - next key record
+     7 bytes reserved
+     1 byte  keyflags
+     1 byte  pubkey algorithm
+     1 byte  length of the fingerprint (in bytes)
+     20 bytes fingerprint of the public key
+	      (This is the value we use to identify a key)
+
+  Record type 4: (uid record)
+  --------------
+    Informations about a userid
+    We do not store the userid but the hash value of the userid because that
+    is sufficient.
+
+     1 byte value 4
+     1 byte reserved
+     1 u32  LID  points to the directory record.
+     1 u32  next   next userid
+     1 u32  pointer to preference record
+     1 u32  siglist  list of valid signatures
+     1 byte uidflags
+     1 byte validity of the key calculated over this user id
+     20 bytes ripemd160 hash of the username.
+
+
+  Record type 5: (pref record)
+  --------------
+    This record type is not anymore used.
+
+     1 byte value 5
+     1 byte   reserved
+     1 u32  LID; points to the directory record (and not to the uid record!).
+	    (or 0 for standard preference record)
+     1 u32  next
+     30 byte preference data
+
+  Record type 6  (sigrec)
+  -------------
+    Used to keep track of key signatures. Self-signatures are not
+    stored.  If a public key is not in the DB, the signature points to
+    a shadow dir record, which in turn has a list of records which
+    might be interested in this key (and the signature record here
+    is one).
+
+     1 byte   value 6
+     1 byte   reserved
+     1 u32    LID	    points back to the dir record
+     1 u32    next   next sigrec of this uid or 0 to indicate the
+		     last sigrec.
+     6 times
+	1 u32  Local_id of signatures dir or shadow dir record
+	1 byte Flag: Bit 0 = checked: Bit 1 is valid (we have a real
+			     directory record for this)
+			 1 = valid is set (but may be revoked)
+
+
+
+  Record type 8: (shadow directory record)
+  --------------
+    This record is used to reserve a LID for a public key.  We
+    need this to create the sig records of other keys, even if we
+    do not yet have the public key of the signature.
+    This record (the record number to be more precise) will be reused
+    as the dir record when we import the real public key.
+
+     1 byte value 8
+     1 byte  reserved
+     1 u32   LID      (This is simply the record number of this record.)
+     2 u32   keyid
+     1 byte  pubkey algorithm
+     3 byte reserved
+     1 u32   hintlist	A list of records which have references to
+			this key.  This is used for fast access to
+			signature records which are not yet checked.
+			Note, that this is only a hint and the actual records
+			may not anymore hold signature records for that key
+			but that the code cares about this.
+    18 byte reserved
+
+
+
+  Record Type 10 (hash table)
+  --------------
+    Due to the fact that we use fingerprints to lookup keys, we can
+    implement quick access by some simple hash methods, and avoid
+    the overhead of gdbm.  A property of fingerprints is that they can be
+    used directly as hash values.  (They can be considered as strong
+    random numbers.)
+      What we use is a dynamic multilevel architecture, which combines
+    hashtables, record lists, and linked lists.
+
+    This record is a hashtable of 256 entries; a special property
+    is that all these records are stored consecutively to make one
+    big table. The hash value is simple the 1st, 2nd, ... byte of
+    the fingerprint (depending on the indirection level).
+
+    When used to hash shadow directory records, a different table is used
+    and indexed by the keyid.
+
+     1 byte value 10
+     1 byte reserved
+     n u32  recnum; n depends on the record length:
+	    n = (reclen-2)/4  which yields 9 for the current record length
+	    of 40 bytes.
+
+    the total number of such record which makes up the table is:
+	 m = (256+n-1) / n
+    which is 29 for a record length of 40.
+
+    To look up a key we use the first byte of the fingerprint to get
+    the recnum from this hashtable and look up the addressed record:
+       - If this record is another hashtable, we use 2nd byte
+	 to index this hash table and so on.
+       - if this record is a hashlist, we walk all entries
+	 until we found one a matching one.
+       - if this record is a key record, we compare the
+	 fingerprint and to decide whether it is the requested key;
+
+
+  Record type 11 (hash list)
+  --------------
+    see hash table for an explanation.
+    This is also used for other purposes.
+
+    1 byte value 11
+    1 byte reserved
+    1 u32  next 	 next hash list record
+    n times		 n = (reclen-5)/5
+	1 u32  recnum
+
+    For the current record length of 40, n is 7
+
+
+
+  Record type 254 (free record)
+  ---------------
+    All these records form a linked list of unused records.
+     1 byte  value 254
+     1 byte  reserved (0)
+     1 u32   next_free
+#+end_example
+
+
+* GNU extensions to the S2K algorithm
+
+  S2K mode 101 is used to identify these extensions.
+  After the hash algorithm the 3 bytes "GNU" are used to make
+  clear that these are extensions for GNU, the next bytes gives the
+  GNU protection mode - 1000.  Defined modes are:
+  - 1001 :: Do not store the secret part at all.
+  - 1002 :: A stub to access smartcards (not used in 1.2.x)
+
+* Keyserver helper message format
+
+  The keyserver may be contacted by a Unix Domain socket or via TCP.
+
+  The format of a request is:
+#+begin_example
+  command-tag
+  "Content-length:" digits
+  CRLF
+#+end_example
+
+  Where command-tag is
+
+#+begin_example
+  NOOP
+  GET <user-name>
+  PUT
+  DELETE <user-name>
+#+end_example
+
+The format of a response is:
+
+#+begin_example
+  "GNUPG/1.0" status-code status-text
+  "Content-length:" digits
+  CRLF
+#+end_example
+followed by <digits> bytes of data
+
+Status codes are:
+
+  - 1xx :: Informational - Request received, continuing process
+
+  - 2xx :: Success - The action was successfully received, understood,
+           and accepted
+
+  - 4xx :: Client Error - The request contains bad syntax or cannot be
+           fulfilled
+
+  - 5xx :: Server Error - The server failed to fulfill an apparently
+           valid request
+
+
+* Object identifiers
+
+  OIDs below the GnuPG arc:
+
+#+begin_example
+  1.3.6.1.4.1.11591.2          GnuPG
+  1.3.6.1.4.1.11591.2.1          notation
+  1.3.6.1.4.1.11591.2.1.1          pkaAddress
+  1.3.6.1.4.1.11591.2.2          X.509 extensions
+  1.3.6.1.4.1.11591.2.2.1          standaloneCertificate
+  1.3.6.1.4.1.11591.2.2.2          wellKnownPrivateKey
+  1.3.6.1.4.1.11591.2.12242973   invalid encoded OID
+#+end_example
+
+
+
+* Miscellaneous notes
+
+** v3 fingerprints
+   For packet version 3 we calculate the keyids this way:
+    - RSA :: Low 64 bits of n
+    - ELGAMAL :: Build a v3 pubkey packet (with CTB 0x99) and
+                 calculate a RMD160 hash value from it. This is used
+                 as the fingerprint and the low 64 bits are the keyid.
+
+** Simplified revocation certificates
+  Revocation certificates consist only of the signature packet;
+  "--import" knows how to handle this.  The rationale behind it is to
+  keep them small.
+
+** Documentation on HKP (the http keyserver protocol):
+
+   A minimalistic HTTP server on port 11371 recognizes a GET for
+   /pks/lookup.  The standard http URL encoded query parameters are
+   this (always key=value):
+
+   - op=index (like pgp -kv), op=vindex (like pgp -kvv) and op=get (like
+     pgp -kxa)
+
+   - search=<stringlist>. This is a list of words that must occur in the key.
+     The words are delimited with space, points, @ and so on. The delimiters
+     are not searched for and the order of the words doesn't matter (but see
+     next option).
+
+   - exact=on. This switch tells the hkp server to only report exact matching
+     keys back. In this case the order and the "delimiters" are important.
+
+   - fingerprint=on. Also reports the fingerprints when used with 'index' or
+     'vindex'
+
+   The keyserver also recognizes http-POSTs to /pks/add. Use this to upload
+   keys.
+
+
+   A better way to do this would be a request like:
+
+      /pks/lookup/<gnupg_formatierte_user_id>?op=<operation>
+
+   This can be implemented using Hurd's translator mechanism.
+   However, I think the whole key server stuff has to be re-thought;
+   I have some ideas and probably create a white paper.
diff --git a/docs/Makefile b/docs/Makefile
new file mode 100644
index 0000000..7159d3e
--- /dev/null
+++ b/docs/Makefile
@@ -0,0 +1,153 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS    =
+SPHINXBUILD   = sphinx-build
+PAPER         =
+BUILDDIR      = _build
+
+# Internal variables.
+PAPEROPT_a4     = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
+
+help:
+	@echo "Please use \`make <target>' where <target> is one of"
+	@echo "  html       to make standalone HTML files"
+	@echo "  dirhtml    to make HTML files named index.html in directories"
+	@echo "  singlehtml to make a single large HTML file"
+	@echo "  pickle     to make pickle files"
+	@echo "  json       to make JSON files"
+	@echo "  htmlhelp   to make HTML files and a HTML help project"
+	@echo "  qthelp     to make HTML files and a qthelp project"
+	@echo "  devhelp    to make HTML files and a Devhelp project"
+	@echo "  epub       to make an epub"
+	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"
+	@echo "  text       to make text files"
+	@echo "  man        to make manual pages"
+	@echo "  texinfo    to make Texinfo files"
+	@echo "  info       to make Texinfo files and run them through makeinfo"
+	@echo "  gettext    to make PO message catalogs"
+	@echo "  changes    to make an overview of all changed/added/deprecated items"
+	@echo "  linkcheck  to check all external links for integrity"
+	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"
+
+clean:
+	-rm -rf $(BUILDDIR)/*
+
+html:
+	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+	@echo
+	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+	@echo
+	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+	@echo
+	@echo "Build finished; now you can process the pickle files."
+
+json:
+	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+	@echo
+	@echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+	@echo
+	@echo "Build finished; now you can run HTML Help Workshop with the" \
+	      ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+	@echo
+	@echo "Build finished; now you can run "qcollectiongenerator" with the" \
+	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/python-gnupg.qhcp"
+	@echo "To view the help file:"
+	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/python-gnupg.qhc"
+
+devhelp:
+	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+	@echo
+	@echo "Build finished."
+	@echo "To view the help file:"
+	@echo "# mkdir -p $$HOME/.local/share/devhelp/python-gnupg"
+	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/python-gnupg"
+	@echo "# devhelp"
+
+epub:
+	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+	@echo
+	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo
+	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+	@echo "Run \`make' in that directory to run these through (pdf)latex" \
+	      "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+	@echo "Running LaTeX files through pdflatex..."
+	$(MAKE) -C $(BUILDDIR)/latex all-pdf
+	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+	@echo
+	@echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+	@echo
+	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo
+	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+	@echo "Run \`make' in that directory to run these through makeinfo" \
+	      "(use \`make info' here to do that automatically)."
+
+info:
+	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+	@echo "Running Texinfo files through makeinfo..."
+	make -C $(BUILDDIR)/texinfo info
+	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+	@echo
+	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+	@echo
+	@echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+	@echo
+	@echo "Link check complete; look for any errors in the above output " \
+	      "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+	@echo "Testing of doctests in the sources finished, look at the " \
+	      "results in $(BUILDDIR)/doctest/output.txt."
diff --git a/docs/NOTES-python-gnupg-3.1-audit.gpg b/docs/NOTES-python-gnupg-3.1-audit.gpg
new file mode 100644
index 0000000..3973e25
Binary files /dev/null and b/docs/NOTES-python-gnupg-3.1-audit.gpg differ
diff --git a/docs/NOTES-python-openpgp-implementations.gpg b/docs/NOTES-python-openpgp-implementations.gpg
new file mode 100644
index 0000000..0a6e020
Binary files /dev/null and b/docs/NOTES-python-openpgp-implementations.gpg differ
diff --git a/docs/_static/haiku.css b/docs/_static/haiku.css
new file mode 100644
index 0000000..8e28149
--- /dev/null
+++ b/docs/_static/haiku.css
@@ -0,0 +1,386 @@
+/* custom stuff I put in FIXME where is it "supposed" to go? */
+
+div.admonition-todo
+{
+  border: 1px solid red;
+  background-color: #Fdd;
+}
+
+div.admonition-todo p.admonition-title
+{
+  margin: 0;
+  color: red;
+  text-transform: lowercase;
+}
+
+p.admonition-title
+{
+  font-size: 120%;
+  font-weight: bold;
+}
+
+dl.class>dt, dl.interface>dt, dl.function>dt, dl.staticmethod>dt
+{
+  font-size: 150%;
+  background-color:#ddd;
+}
+
+dl.method>dt
+{
+  background-color: #eee;
+  border-bottom: 2px solid #ddd;
+}
+
+dl.method:hover
+{
+  background-color:#ffd;
+}
+
+/** end custom */
+
+html {
+    margin: 0px;
+    padding: 0px;
+    background: #FFF url(bg-page.png) top left repeat-x;
+}
+
+body {
+    line-height: 1.5;
+    margin: auto;
+    padding: 0px;
+    font-family: "DejaVu Sans", Arial, Helvetica, sans-serif;
+    min-width: 59em;
+    max-width: 70em;
+    color: #333333;
+}
+
+div.footer {
+    padding: 8px;
+    font-size: 11px;
+    text-align: center;
+    letter-spacing: 0.5px;
+}
+
+/* link colors and text decoration */
+
+a:link {
+    font-weight: bold;
+    text-decoration: none;
+    color: #dc3c01;
+}
+
+a:visited {
+    font-weight: bold;
+    text-decoration: none;
+    color: #892601;
+}
+
+a:hover, a:active {
+    text-decoration: underline;
+    color: #ff4500;
+}
+
+/* Some headers act as anchors, don't give them a hover effect */
+
+h1 a:hover, a:active {
+    text-decoration: none;
+    color: #0c3762;
+}
+
+h2 a:hover, a:active {
+    text-decoration: none;
+    color: #0c3762;
+}
+
+h3 a:hover, a:active {
+    text-decoration: none;
+    color: #0c3762;
+}
+
+h4 a:hover, a:active {
+    text-decoration: none;
+    color: #0c3762;
+}
+
+a.headerlink {
+    color: #a7ce38;
+    padding-left: 5px;
+}
+
+a.headerlink:hover {
+    color: #a7ce38;
+}
+
+/* basic text elements */
+
+div.content {
+    margin-top: 20px;
+    margin-left: 40px;
+    margin-right: 40px;
+    margin-bottom: 50px;
+    font-size: 0.9em;
+}
+
+/* heading and navigation */
+
+div.header {
+    position: relative;
+    left: 0px;
+    top: 0px;
+    height: 85px;
+    /* background: #eeeeee; */
+    padding: 0 40px;
+}
+div.header h1 {
+    font-size: 1.6em;
+    font-weight: normal;
+    letter-spacing: 1px;
+    color: #0c3762;
+    border: 0;
+    margin: 0;
+    padding-top: 15px;
+}
+div.header h1 a {
+    font-weight: normal;
+    color: #0c3762;
+}
+div.header h2 {
+    font-size: 1.3em;
+    font-weight: normal;
+    letter-spacing: 1px;
+    text-transform: uppercase;
+    color: #aaa;
+    border: 0;
+    margin-top: -3px;
+    padding: 0;
+}
+
+div.header img.rightlogo {
+    float: right;
+}
+
+
+div.title {
+    font-size: 1.3em;
+    font-weight: bold;
+    color: #0c3762;
+    border-bottom: dotted thin #e0e0e0;
+    margin-bottom: 25px;
+}
+div.topnav {
+    /* background: #e0e0e0; */
+}
+div.topnav p {
+    margin-top: 0;
+    margin-left: 40px;
+    margin-right: 40px;
+    margin-bottom: 0px;
+    text-align: right;
+    font-size: 0.8em;
+}
+div.bottomnav {
+    background: #eeeeee;
+}
+div.bottomnav p {
+    margin-right: 40px;
+    text-align: right;
+    font-size: 0.8em;
+}
+
+a.uplink {
+    font-weight: normal;
+}
+
+
+/* contents box */
+
+table.index {
+    margin: 0px 0px 30px 30px;
+    padding: 1px;
+    border-width: 1px;
+    border-style: dotted;
+    border-color: #e0e0e0;
+}
+table.index tr.heading {
+    background-color: #e0e0e0;
+    text-align: center;
+    font-weight: bold;
+    font-size: 1.1em;
+}
+table.index tr.index {
+    background-color: #eeeeee;
+}
+table.index td {
+    padding: 5px 20px;
+}
+
+table.index a:link, table.index a:visited {
+    font-weight: normal;
+    text-decoration: none;
+    color: #dc3c01;
+}
+table.index a:hover, table.index a:active {
+    text-decoration: underline;
+    color: #ff4500;
+}
+
+
+/* Haiku User Guide styles and layout */
+
+/* Rounded corner boxes */
+/* Common declarations */
+div.admonition {
+    -webkit-border-radius: 10px;
+    -khtml-border-radius: 10px;
+    -moz-border-radius: 10px;
+    border-radius: 10px;
+    border-style: dotted;
+    border-width: thin;
+    border-color: #dcdcdc;
+    padding: 10px 15px 10px 15px;
+    margin-bottom: 15px;
+    margin-top: 15px;
+}
+div.note {
+    padding: 10px 15px 10px 80px;
+    background: #e4ffde url(alert_info_32.png) 15px 15px no-repeat;
+    min-height: 42px;
+}
+div.warning {
+    padding: 10px 15px 10px 80px;
+    background: #fffbc6 url(alert_warning_32.png) 15px 15px no-repeat;
+    min-height: 42px;
+}
+div.seealso {
+    background: #e4ffde;
+}
+
+/* More layout and styles */
+h1 {
+    font-size: 1.3em;
+    font-weight: bold;
+    color: #0c3762;
+    border-bottom: dotted thin #e0e0e0;
+    margin-top: 30px;
+}
+
+h2 {
+    font-size: 1.2em;
+    font-weight: normal;
+    color: #0c3762;
+    border-bottom: dotted thin #e0e0e0;
+    margin-top: 30px;
+}
+
+h3 {
+    font-size: 1.1em;
+    font-weight: normal;
+    color: #0c3762;
+    margin-top: 30px;
+}
+
+h4 {
+    font-size: 1.0em;
+    font-weight: normal;
+    color: #0c3762;
+    margin-top: 30px;
+}
+
+p {
+    text-align: justify;
+}
+
+p.last {
+    margin-bottom: 0;
+}
+
+ol {
+    padding-left: 20px;
+}
+
+ul {
+    padding-left: 5px;
+    margin-top: 3px;
+}
+
+li {
+    line-height: 1.3;
+}
+
+div.content ul > li {
+    -moz-background-clip:border;
+    -moz-background-inline-policy:continuous;
+    -moz-background-origin:padding;
+    background: transparent url(bullet_orange.png) no-repeat scroll left 0.45em;
+    list-style-image: none;
+    list-style-type: none;
+    padding: 0 0 0 1.666em;
+    margin-bottom: 3px;
+}
+
+td {
+    vertical-align: top;
+}
+
+tt {
+    background-color: #e2e2e2;
+    font-size: 1.0em;
+    font-family: monospace;
+}
+
+pre {
+    border-color: #0c3762;
+    border-style: dotted;
+    border-width: thin;
+    margin: 0 0 12px 0;
+    padding: 0.8em;
+    background-color: #f0f0f0;
+}
+
+hr {
+    border-top: 1px solid #ccc;
+    border-bottom: 0;
+    border-right: 0;
+    border-left: 0;
+    margin-bottom: 10px;
+    margin-top: 20px;
+}
+
+/* printer only pretty stuff */
+@media print {
+    .noprint {
+        display: none;
+    }
+    /* for acronyms we want their definitions inlined at print time */
+    acronym[title]:after {
+        font-size: small;
+        content: " (" attr(title) ")";
+        font-style: italic;
+    }
+    /* and not have mozilla dotted underline */
+    acronym {
+        border: none;
+    }
+    div.topnav, div.bottomnav, div.header, table.index {
+        display: none;
+    }
+    div.content {
+        margin: 0px;
+        padding: 0px;
+    }
+    html {
+        background: #FFF;
+    }
+}
+
+.viewcode-back {
+    font-family: "DejaVu Sans", Arial, Helvetica, sans-serif;
+}
+
+div.viewcode-block:target {
+    background-color: #f4debf;
+    border-top: 1px solid #ac9;
+    border-bottom: 1px solid #ac9;
+    margin: -1px -12px;
+    padding: 0 12px;
+}
diff --git a/docs/conf.py b/docs/conf.py
new file mode 100644
index 0000000..7704150
--- /dev/null
+++ b/docs/conf.py
@@ -0,0 +1,306 @@
+# -*- coding: utf-8 -*-
+#
+# python-gnupg documentation build configuration file, created by
+# sphinx-quickstart on Fri Apr  5 22:38:47 2013.
+#
+# This file is execfile()d with the current directory set to its containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys, os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+sys.path.insert(0, os.path.abspath('./../gnupg'))
+sys.path.insert(0, os.path.abspath('.'))
+
+# -- Autodoc settings ----------------------------------------------------------
+## trying to set this somewhere...
+autodoc_member_order = 'bysource'
+autodoc_default_flags = ['members', 'show-inheritance', 'undoc-members']
+autoclass_content = 'both'
+
+# -- General configuration -----------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be extensions
+# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
+extensions = ['sphinx.ext.autodoc', 'sphinx.ext.viewcode']
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'python-gnupg'
+copyright = u'2013, Isis Agora Lovecruft'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+from gnupg import __version__
+version = __version__
+# The full version, including alpha/beta/rc tags.
+release = __version__
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = ['_build']
+
+# The reST default role (used for this markup: `text`) to use for all documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+
+# -- Options for HTML output ---------------------------------------------------
+
+# The theme to use for HTML and HTML Help pages.  See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+html_theme = 'scrolls'
+html_theme = 'traditional'
+html_theme = 'nature'
+html_theme = 'pyramid'
+html_theme = 'agogo'
+html_theme = 'haiku'
+html_theme_options = {
+#   'stickysidebar': 'true',
+#   'rightsidebar':'true',
+    'nosidebar': 'false',
+#    'full_logo': 'false'
+    'sidebarwidth': '300'
+    }
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further.  For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents.  If None, it defaults to
+# "<project> v<release> documentation".
+#html_title = None
+
+# A shorter title for the navigation bar.  Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+html_show_sourcelink = False
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+html_show_copyright = False
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a <link> tag referring to it.  The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'python-gnupgdoc'
+
+
+# -- Options for LaTeX output --------------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+#'papersize': 'letterpaper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title, author, documentclass [howto/manual]).
+latex_documents = [
+  ('index', 'python-gnupg.tex', u'python-gnupg Documentation',
+   u'Isis Agora Lovecruft', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+
+# -- Options for manual page output --------------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+    ('index', 'python-gnupg', u'python-gnupg Documentation',
+     [u'Isis Agora Lovecruft'], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+
+# -- Options for Texinfo output ------------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+#  dir menu entry, description, category)
+texinfo_documents = [
+  ('index', 'python-gnupg', u'python-gnupg Documentation',
+   u'Isis Agora Lovecruft', 'python-gnupg', 'One line description of project.',
+   'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
+
+
+# -- Options for Epub output ---------------------------------------------------
+
+# Bibliographic Dublin Core info.
+epub_title = u'python-gnupg'
+epub_author = u'Isis Agora Lovecruft'
+epub_publisher = u'Isis Agora Lovecruft'
+epub_copyright = u'2013, Isis Agora Lovecruft'
+
+# The language of the text. It defaults to the language option
+# or en if the language is not set.
+#epub_language = ''
+
+# The scheme of the identifier. Typical schemes are ISBN or URL.
+#epub_scheme = ''
+
+# The unique identifier of the text. This can be a ISBN number
+# or the project homepage.
+#epub_identifier = ''
+
+# A unique identification for the text.
+#epub_uid = ''
+
+# A tuple containing the cover image and cover page html template filenames.
+#epub_cover = ()
+
+# HTML files that should be inserted before the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#epub_pre_files = []
+
+# HTML files shat should be inserted after the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#epub_post_files = []
+
+# A list of files that should not be packed into the epub file.
+#epub_exclude_files = []
+
+# The depth of the table of contents in toc.ncx.
+#epub_tocdepth = 3
+
+# Allow duplicate toc entries.
+#epub_tocdup = True
diff --git a/docs/gnupg.rst b/docs/gnupg.rst
new file mode 100644
index 0000000..0b159f9
--- /dev/null
+++ b/docs/gnupg.rst
@@ -0,0 +1,7 @@
+gnupg Module
+============
+
+.. automodule:: gnupg
+    :members:
+    :undoc-members:
+    :show-inheritance:
diff --git a/docs/index.rst b/docs/index.rst
new file mode 100644
index 0000000..234f0ca
--- /dev/null
+++ b/docs/index.rst
@@ -0,0 +1,24 @@
+.. python-gnupg documentation master file, created by
+   sphinx-quickstart on Fri Apr  5 22:38:47 2013.
+   You can adapt this file completely to your liking, but it should at least
+   contain the root `toctree` directive.
+
+python-gnupg documentation
+==========================
+
+Contents:
+
+.. toctree::
+   :maxdepth: 4
+
+   gnupg
+   parsers
+
+
+Indices and tables
+==================
+
+* :ref:`genindex`
+* :ref:`modindex`
+* :ref:`search`
+
diff --git a/docs/make.bat b/docs/make.bat
new file mode 100644
index 0000000..fa3950f
--- /dev/null
+++ b/docs/make.bat
@@ -0,0 +1,190 @@
+@ECHO OFF
+
+REM Command file for Sphinx documentation
+
+if "%SPHINXBUILD%" == "" (
+	set SPHINXBUILD=sphinx-build
+)
+set BUILDDIR=_build
+set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
+set I18NSPHINXOPTS=%SPHINXOPTS% .
+if NOT "%PAPER%" == "" (
+	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
+	set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
+)
+
+if "%1" == "" goto help
+
+if "%1" == "help" (
+	:help
+	echo.Please use `make ^<target^>` where ^<target^> is one of
+	echo.  html       to make standalone HTML files
+	echo.  dirhtml    to make HTML files named index.html in directories
+	echo.  singlehtml to make a single large HTML file
+	echo.  pickle     to make pickle files
+	echo.  json       to make JSON files
+	echo.  htmlhelp   to make HTML files and a HTML help project
+	echo.  qthelp     to make HTML files and a qthelp project
+	echo.  devhelp    to make HTML files and a Devhelp project
+	echo.  epub       to make an epub
+	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter
+	echo.  text       to make text files
+	echo.  man        to make manual pages
+	echo.  texinfo    to make Texinfo files
+	echo.  gettext    to make PO message catalogs
+	echo.  changes    to make an overview over all changed/added/deprecated items
+	echo.  linkcheck  to check all external links for integrity
+	echo.  doctest    to run all doctests embedded in the documentation if enabled
+	goto end
+)
+
+if "%1" == "clean" (
+	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
+	del /q /s %BUILDDIR%\*
+	goto end
+)
+
+if "%1" == "html" (
+	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/html.
+	goto end
+)
+
+if "%1" == "dirhtml" (
+	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
+	goto end
+)
+
+if "%1" == "singlehtml" (
+	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
+	goto end
+)
+
+if "%1" == "pickle" (
+	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the pickle files.
+	goto end
+)
+
+if "%1" == "json" (
+	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can process the JSON files.
+	goto end
+)
+
+if "%1" == "htmlhelp" (
+	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run HTML Help Workshop with the ^
+.hhp project file in %BUILDDIR%/htmlhelp.
+	goto end
+)
+
+if "%1" == "qthelp" (
+	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; now you can run "qcollectiongenerator" with the ^
+.qhcp project file in %BUILDDIR%/qthelp, like this:
+	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\python-gnupg.qhcp
+	echo.To view the help file:
+	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\python-gnupg.ghc
+	goto end
+)
+
+if "%1" == "devhelp" (
+	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished.
+	goto end
+)
+
+if "%1" == "epub" (
+	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The epub file is in %BUILDDIR%/epub.
+	goto end
+)
+
+if "%1" == "latex" (
+	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
+	goto end
+)
+
+if "%1" == "text" (
+	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The text files are in %BUILDDIR%/text.
+	goto end
+)
+
+if "%1" == "man" (
+	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The manual pages are in %BUILDDIR%/man.
+	goto end
+)
+
+if "%1" == "texinfo" (
+	%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
+	goto end
+)
+
+if "%1" == "gettext" (
+	%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
+	goto end
+)
+
+if "%1" == "changes" (
+	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.The overview file is in %BUILDDIR%/changes.
+	goto end
+)
+
+if "%1" == "linkcheck" (
+	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Link check complete; look for any errors in the above output ^
+or in %BUILDDIR%/linkcheck/output.txt.
+	goto end
+)
+
+if "%1" == "doctest" (
+	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
+	if errorlevel 1 exit /b 1
+	echo.
+	echo.Testing of doctests in the sources finished, look at the ^
+results in %BUILDDIR%/doctest/output.txt.
+	goto end
+)
+
+:end
diff --git a/docs/parsers.rst b/docs/parsers.rst
new file mode 100644
index 0000000..0b9c688
--- /dev/null
+++ b/docs/parsers.rst
@@ -0,0 +1,7 @@
+parsers Module
+==============
+
+.. automodule:: parsers
+    :members:
+    :undoc-members:
+    :show-inheritance:
diff --git a/gnupg.py b/gnupg.py
deleted file mode 100644
index 379da08..0000000
--- a/gnupg.py
+++ /dev/null
@@ -1,1760 +0,0 @@
-#!/usr/bin/env python
-#-*- encoding: utf-8 -*-
-"""
-gnupg.py
-========
-A Python interface to GnuPG.
-
-This is a modified version of python-gnupg-0.3.0, which was created by Vinay
-Sajip, which itself is a modification of GPG.py written by Steve Traugott,
-which in turn is a modification of the pycrypto GnuPG interface written by
-A.M. Kuchling.
-
-This version is patched to exclude calls to :class:`subprocess.Popen([...],
-shell=True)`, and it also attempts to provide sanitization of arguments
-presented to gnupg, in order to avoid potential vulnerabilities.
-
-@authors: A.M. Kuchling
-          Steve Traugott
-          Vinay Sajip
-          Isis Lovecruft, <isis@leap.se> 0x2cdb8b35
-
-Steve Traugott's documentation:
--------------------------------
-    Portions of this module are derived from A.M. Kuchling's well-designed
-    GPG.py, using Richard Jones' updated version 1.3, which can be found in
-    the pycrypto CVS repository on Sourceforge:
-
-    http://pycrypto.cvs.sourceforge.net/viewvc/pycrypto/gpg/GPG.py
-
-    This module is *not* forward-compatible with amk's; some of the old
-    interface has changed.  For instance, since I've added decrypt
-    functionality, I elected to initialize with a 'gpghome' argument instead
-    of 'keyring', so that gpg can find both the public and secret keyrings.
-    I've also altered some of the returned objects in order for the caller to
-    not have to know as much about the internals of the result classes.
-
-    While the rest of ISconf is released under the GPL, I am releasing this
-    single file under the same terms that A.M. Kuchling used for pycrypto.
-
-    Steve Traugott, stevegt@terraluna.org
-    Thu Jun 23 21:27:20 PDT 2005
-
-Vinay Sajip's documentation:
-----------------------------
-    This version of the module has been modified from Steve Traugott's version
-    (see http://trac.t7a.org/isconf/browser/trunk/lib/python/isconf/GPG.py) by
-    Vinay Sajip to make use of the subprocess module (Steve's version uses
-    os.fork() and so does not work on Windows). Renamed to gnupg.py to avoid
-    confusion with the previous versions.
-
-    A unittest harness (test_gnupg.py) has also been added.
-
-    Modifications Copyright (C) 2008-2012 Vinay Sajip. All rights reserved.
-"""
-
-__module__ = 'gnupg'
-__version__ = "0.3.1"
-__author__ = "Isis Agora Lovecruft"
-__date__  = "12 Febuary 2013"
-
-import locale
-
-try:
-    from io import StringIO
-    from io import BytesIO
-except ImportError:
-    from cStringIO import StringIO
-
-import codecs
-import locale
-import logging
-import os
-import re
-import socket
-from subprocess import Popen
-from subprocess import PIPE
-import sys
-import tempfile
-import threading
-
-try:
-    import logging.NullHandler as NullHandler
-except ImportError:
-    class NullHandler(logging.Handler):
-        def handle(self, record):
-            pass
-try:
-    unicode
-    _py3k = False
-except NameError:
-    _py3k = True
-
-
-ESCAPE_PATTERN = re.compile(r'\\x([0-9a-f][0-9a-f])', re.I)
-
-logger = logging.getLogger(__module__)
-if not logger.handlers:
-    logger.addHandler(NullHandler())
-
-
-class ProtectedOption(Exception):
-    """Raised when the option passed to GPG is disallowed."""
-
-class UsageError(Exception):
-    """Raised when you're Doing It Wrong."""
-
-
-def _copy_data(instream, outstream):
-    """
-    Copy data from one stream to another.
-
-    @param instream: A file descriptor to read from.
-    @param outstream: A file descriptor to write to.
-    """
-    sent = 0
-
-    try:
-        assert isinstance(instream, BytesIO), "instream is not a file"
-        assert isinstance(outstream, file), "outstream is not a file"
-    except AssertionError as ae:
-        logger.exception(ae)
-        return
-
-    if hasattr(sys.stdin, 'encoding'):
-        enc = sys.stdin.encoding
-    else:
-        enc = 'ascii'
-
-    while True:
-        data = instream.read(1024)
-        if len(data) == 0:
-            break
-        sent += len(data)
-        logger.debug("sending chunk (%d): %r", sent, data[:256])
-        try:
-            outstream.write(data)
-        except UnicodeError:
-            try:
-                outstream.write(data.encode(enc))
-            except IOError:
-                logger.exception('Error sending data: Broken pipe')
-                break
-        except IOError:
-            # Can sometimes get 'broken pipe' errors even when the
-            # data has all been sent
-            logger.exception('Error sending data: Broken pipe')
-            break
-    try:
-        outstream.close()
-    except IOError:
-        logger.exception('Got IOError while trying to close FD outstream')
-    else:
-        logger.debug("closed output, %d bytes sent", sent)
-
-def _fix_unsafe(input):
-    """
-    Find characters used to escape from a string into a shell, and wrap them
-    in quotes if they exist. Regex pilfered from python-3.x shlex module.
-
-    @param input: The input intended for the gnupg process.
-    """
-    ## xxx do we want to add ';'?
-    _unsafe = re.compile(r'[^\w@%+=:,./-]', 256)
-    try:
-        if len(_unsafe.findall(input)) == 0:
-            return input
-        else:
-            clean = "'" + input.replace("'", "'\"'\"'") + "'"
-            return clean
-    except TypeError:
-        return None
-
-def _has_readwrite(path):
-    """
-    Determine if the real uid/gid of the executing user has read and write
-    permissions for a directory or a file.
-
-    @type path: C{str}
-    @param path: The path to the directory or file to check permissions for.
-
-    @rtype: C{bool}
-    @param: True if real uid/gid has read+write permissions, False otherwise.
-    """
-    return os.access(path, os.R_OK and os.W_OK)
-
-def _hyphenate(input, add_prefix=False):
-    """
-    Change underscores to hyphens so that object attributes can be easily
-    tranlated to GPG option names.
-
-    @type input: C{str}
-    @param input: The attribute to hyphenate.
-
-    @type add_prefix: C{bool}
-    @param add_prefix: If True, add leading hyphens to the input.
-
-    @rtype: C{str}
-    @return: The :param:input with underscores changed to hyphens.
-    """
-    ret  = '--' if add_prefix else ''
-    ret += input.replace('_', '-')
-    return ret
-
-def _is_allowed(input):
-    """
-    Check that an option or argument given to GPG is in the set of allowed
-    options, the latter being a strict subset of the set of all options known
-    to GPG.
-
-    @type input: C{str}
-    @param input: An input meant to be parsed as an option or flag to the GnuPG
-                  process. Should be formatted the same as an option or flag
-                  to the commandline gpg, i.e. "--encrypt-files".
-
-    @type _possible: C{frozenset}
-    @ivar _possible: All known GPG options and flags.
-
-    @type _allowed: C{frozenset}
-    @ivar _allowed: All allowed GPG options and flags, e.g. all GPG options and
-                    flags which we are willing to acknowledge and parse. If we
-                    want to support a new option, it will need to have its own
-                    parsing class and its name will need to be added to this
-                    set.
-
-    @rtype: C{Exception} or C{str}
-    @raise: UsageError if :ivar:_allowed is not a subset of :ivar:_possible.
-            ProtectedOption if :param:input is not in the set :ivar:_allowed.
-    @return: The original parameter :param:input, unmodified and unsanitized,
-             if no errors occur.
-    """
-
-    _all = ("""
---allow-freeform-uid              --multifile
---allow-multiple-messages         --no
---allow-multisig-verification     --no-allow-freeform-uid
---allow-non-selfsigned-uid        --no-allow-multiple-messages
---allow-secret-key-import         --no-allow-non-selfsigned-uid
---always-trust                    --no-armor
---armor                           --no-armour
---armour                          --no-ask-cert-expire
---ask-cert-expire                 --no-ask-cert-level
---ask-cert-level                  --no-ask-sig-expire
---ask-sig-expire                  --no-auto-check-trustdb
---attribute-fd                    --no-auto-key-locate
---attribute-file                  --no-auto-key-retrieve
---auto-check-trustdb              --no-batch
---auto-key-locate                 --no-comments
---auto-key-retrieve               --no-default-keyring
---batch                           --no-default-recipient
---bzip2-compress-level            --no-disable-mdc
---bzip2-decompress-lowmem         --no-emit-version
---card-edit                       --no-encrypt-to
---card-status                     --no-escape-from-lines
---cert-digest-algo                --no-expensive-trust-checks
---cert-notation                   --no-expert
---cert-policy-url                 --no-force-mdc
---change-pin                      --no-force-v3-sigs
---charset                         --no-force-v4-certs
---check-sig                       --no-for-your-eyes-only
---check-sigs                      --no-greeting
---check-trustdb                   --no-groups
---cipher-algo                     --no-literal
---clearsign                       --no-mangle-dos-filenames
---command-fd                      --no-mdc-warning
---command-file                    --no-options
---comment                         --no-permission-warning
---completes-needed                --no-pgp2
---compress-algo                   --no-pgp6
---compression-algo                --no-pgp7
---compress-keys                   --no-pgp8
---compress-level                  --no-random-seed-file
---compress-sigs                   --no-require-backsigs
---ctapi-driver                    --no-require-cross-certification
---dearmor                         --no-require-secmem
---dearmour                        --no-rfc2440-text
---debug                           --no-secmem-warning
---debug-all                       --no-show-notation
---debug-ccid-driver               --no-show-photos
---debug-level                     --no-show-policy-url
---decrypt                         --no-sig-cache
---decrypt-files                   --no-sig-create-check
---default-cert-check-level        --no-sk-comments
---default-cert-expire             --no-strict
---default-cert-level              --notation-data
---default-comment                 --not-dash-escaped
---default-key                     --no-textmode
---default-keyserver-url           --no-throw-keyid
---default-preference-list         --no-throw-keyids
---default-recipient               --no-tty
---default-recipient-self          --no-use-agent
---default-sig-expire              --no-use-embedded-filename
---delete-keys                     --no-utf8-strings
---delete-secret-and-public-keys   --no-verbose
---delete-secret-keys              --no-version
---desig-revoke                    --openpgp
---detach-sign                     --options
---digest-algo                     --output
---disable-ccid                    --override-session-key
---disable-cipher-algo             --passphrase
---disable-dsa2                    --passphrase-fd
---disable-mdc                     --passphrase-file
---disable-pubkey-algo             --passphrase-repeat
---display                         --pcsc-driver
---display-charset                 --personal-cipher-preferences
---dry-run                         --personal-cipher-prefs
---dump-options                    --personal-compress-preferences
---edit-key                        --personal-compress-prefs
---emit-version                    --personal-digest-preferences
---enable-dsa2                     --personal-digest-prefs
---enable-progress-filter          --pgp2
---enable-special-filenames        --pgp6
---enarmor                         --pgp7
---enarmour                        --pgp8
---encrypt                         --photo-viewer
---encrypt-files                   --pipemode
---encrypt-to                      --preserve-permissions
---escape-from-lines               --primary-keyring
---exec-path                       --print-md
---exit-on-status-write-error      --print-mds
---expert                          --quick-random
---export                          --quiet
---export-options                  --reader-port
---export-ownertrust               --rebuild-keydb-caches
---export-secret-keys              --recipient
---export-secret-subkeys           --recv-keys
---fast-import                     --refresh-keys
---fast-list-mode                  --remote-user
---fetch-keys                      --require-backsigs
---fingerprint                     --require-cross-certification
---fixed-list-mode                 --require-secmem
---fix-trustdb                     --rfc1991
---force-mdc                       --rfc2440
---force-ownertrust                --rfc2440-text
---force-v3-sigs                   --rfc4880
---force-v4-certs                  --run-as-shm-coprocess
---for-your-eyes-only              --s2k-cipher-algo
---gen-key                         --s2k-count
---gen-prime                       --s2k-digest-algo
---gen-random                      --s2k-mode
---gen-revoke                      --search-keys
---gnupg                           --secret-keyring
---gpg-agent-info                  --send-keys
---gpgconf-list                    --set-filename
---gpgconf-test                    --set-filesize
---group                           --set-notation
---help                            --set-policy-url
---hidden-encrypt-to               --show-keyring
---hidden-recipient                --show-notation
---homedir                         --show-photos
---honor-http-proxy                --show-policy-url
---ignore-crc-error                --show-session-key
---ignore-mdc-error                --sig-keyserver-url
---ignore-time-conflict            --sign
---ignore-valid-from               --sign-key
---import                          --sig-notation
---import-options                  --sign-with
---import-ownertrust               --sig-policy-url
---interactive                     --simple-sk-checksum
---keyid-format                    --sk-comments
---keyring                         --skip-verify
---keyserver                       --status-fd
---keyserver-options               --status-file
---lc-ctype                        --store
---lc-messages                     --strict
---limit-card-insert-tries         --symmetric
---list-config                     --temp-directory
---list-key                        --textmode
---list-keys                       --throw-keyid
---list-only                       --throw-keyids
---list-options                    --trustdb-name
---list-ownertrust                 --trusted-key
---list-packets                    --trust-model
---list-public-keys                --try-all-secrets
---list-secret-keys                --ttyname
---list-sig                        --ttytype
---list-sigs                       --ungroup
---list-trustdb                    --update-trustdb
---load-extension                  --use-agent
---local-user                      --use-embedded-filename
---lock-multiple                   --user
---lock-never                      --utf8-strings
---lock-once                       --verbose
---logger-fd                       --verify
---logger-file                     --verify-files
---lsign-key                       --verify-options
---mangle-dos-filenames            --version
---marginals-needed                --warranty
---max-cert-depth                  --with-colons
---max-output                      --with-fingerprint
---merge-only                      --with-key-data
---min-cert-level                  --yes
-""").split()
-
-    _possible = frozenset(_all)
-
-    ## these are the allowed options we will handle so far, all others should
-    ## be dropped. this dance is so that when new options are added later, we
-    ## merely add the to the _allowed list, and the `` _allowed.issubset``
-    ## assertion will check that GPG will recognise them
-    ##
-    ## xxx key fetching/retrieving options: [fetch_keys, merge_only, recv_keys]
-    ##
-    ## xxx which ones do we want as defaults?
-    ##     eg, --no-show-photos would mitigate things like
-    ##     https://www-01.ibm.com/support/docview.wss?uid=swg21620982
-    _allowed = frozenset(
-        ['--list-packets', '--delete-keys', '--delete-secret-keys',
-         '--encrypt', '--print-mds', '--print-md', '--sign',
-         '--encrypt-files', '--gen-key', '--decrypt', '--decrypt-files',
-         '--list-keys', '--import', '--verify', '--version',
-         '--status-fd', '--no-tty', '--homedir', '--no-default-keyring',
-         '--keyring', '--passphrase-fd', '--fingerprint', '--with-colons'])
-
-    ## check that _allowed is a subset of _possible
-    try:
-        assert _allowed.issubset(_possible), \
-            '_allowed is not subset of known options, difference: %s' \
-            % _allowed.difference(_possible)
-    except AssertionError as ae:   ## 'as' syntax requires python>=2.6
-        logger.debug("gnupg._is_allowed(): %s" % ae.message)
-        raise UsageError(ae.message)
-
-    ## if we got a list of args, join them
-    if not isinstance(input, str):
-        input = ' '.join([x for x in input])
-
-    if isinstance(input, str):
-        if input.find('_') > 0:
-            if not input.startswith('--'):
-                hyphenated = _hyphenate(input, add_prefix=True)
-            else:
-                hyphenated = _hyphenate(input)
-        else:
-            hyphenated = input
-            try:
-                assert hyphenated in _allowed
-            except AssertionError as ae:
-                logger.warn("Dropping option '%s'..."
-                            % _fix_unsafe(hyphenated))
-                raise ProtectedOption("Option '%s' not supported."
-                                      % _fix_unsafe(hyphenated))
-            else:
-                logger.debug("Got allowed option '%s'."
-                             % _fix_unsafe(hyphenated))
-                return input
-    return None
-
-def _is_file(input):
-    """
-    Check that the size of the thing which is supposed to be a filename has
-    size greater than zero, without following symbolic links or using
-    :func:`os.path.isfile`.
-    """
-    try:
-        assert os.lstat(input).st_size > 0, "not a file: %s" % input
-    except (AssertionError, TypeError) as error:
-        logger.debug(error.message)
-        return False
-    else:
-        return True
-
-def _is_sequence(instance):
-    return isinstance(instance,list) or isinstance(instance,tuple)
-
-def _make_binary_stream(s, encoding):
-    try:
-        if _py3k:
-            if isinstance(s, str):
-                s = s.encode(encoding)
-        else:
-            if type(s) is not str:
-                s = s.encode(encoding)
-        from io import BytesIO
-        rv = BytesIO(s)
-    except ImportError:
-        rv = StringIO(s)
-    return rv
-
-def _sanitise(*args):
-    """
-    Take an arg or the key portion of a kwarg and check that it is in the set
-    of allowed GPG options and flags, and that it has the correct type. Then,
-    attempt to escape any unsafe characters. If an option is not allowed,
-    drop it with a logged warning. Returns a dictionary of all sanitised,
-    allowed options.
-
-    Each new option that we support that is not a boolean, but instead has
-    some extra inputs, i.e. "--encrypt-file foo.txt", will need some basic
-    safety checks added here.
-
-    GnuPG has three-hundred and eighteen commandline flags. Also, not all
-    implementations of OpenPGP parse PGP packets and headers in the same way,
-    so there is added potential there for messing with calls to GPG.
-
-    For information on the PGP message format specification, see:
-        https://www.ietf.org/rfc/rfc1991.txt
-
-    If you're asking, "Is this *really* necessary?": No. Not really. See:
-        https://xkcd.com/1181/
-
-    @type args: C{str}
-    @param args: (optional) The boolean arguments which will be passed to the
-                 GnuPG process.
-    @rtype: C{str}
-    @param: :ivar:sanitised
-    """
-
-    def _check_arg_and_value(arg, value):
-        """
-        Check that a single :param:arg is an allowed option. If it is allowed,
-        quote out any escape characters in :param:values, and add the pair to
-        :ivar:sanitised.
-
-        @type arg: C{str}
-
-        @param arg: The arguments which will be passed to the GnuPG process,
-                    and, optionally their corresponding values.  The values are
-                    any additional arguments following the GnuPG option or
-                    flag. For example, if we wanted to pass "--encrypt
-                    --recipient isis@leap.se" to gpg, then "--encrypt" would be
-                    an arg without a value, and "--recipient" would also be an
-                    arg, with a value of "isis@leap.se".
-        @type sanitised: C{str}
-        @ivar sanitised: The sanitised, allowed options.
-        """
-        safe_values = str()
-
-        try:
-            allowed_flag = _is_allowed(arg)
-            assert allowed_flag is not None, \
-                "_check_arg_and_value(): got None for allowed_flag"
-        except (AssertionError, ProtectedOption) as error:
-            logger.warn(error.message)
-            logger.debug("Dropping option '%s'..." % _fix_unsafe(arg))
-        else:
-            safe_values += (allowed_flag + " ")
-            if isinstance(value, str):
-                value_list = []
-                if value.find(' ') > 0:
-                    value_list = value.split(' ')
-                else:
-                    logger.debug("_check_values(): got non-string for values")
-                for value in value_list:
-                    safe_value = _fix_unsafe(value)
-                    if allowed_flag == '--encrypt' or '--encrypt-files' \
-                            or '--decrypt' or '--decrypt-file' \
-                            or '--import' or '--verify':
-                        ## xxx what other things should we check for?
-                        ## Place checks here:
-                        if _is_file(safe_value):
-                            safe_values += (safe_value + " ")
-                        else:
-                            logger.debug("Got non-filename for %s option: %s"
-                                         % (allowed_flag, safe_value))
-                    else:
-                        safe_values += (safe_value + " ")
-                        logger.debug("Got non-checked value: %s" % safe_value)
-        return safe_values
-
-    checked = []
-
-    if args is not None:
-        for arg in args:
-            if isinstance(arg, str):
-                logger.debug("_sanitise(): Got arg string: %s" % arg)
-                ## if we're given a string with a bunch of options in it split
-                ## them up and deal with them separately
-                if arg.find(' ') > 0:
-                    filo = arg.split()
-                    filo.reverse()
-                    is_flag = lambda x: x.startswith('-')
-                    new_arg, new_value = str(), str()
-                    while len(filo) > 0:
-                        if is_flag(filo[0]):
-                            new_arg = filo.pop()
-                            if len(filo) > 0:
-                                while not is_flag(filo[0]):
-                                    new_value += (filo.pop() + ' ')
-                        else:
-                            logger.debug("Got non-flag argument: %s" % filo[0])
-                            filo.pop()
-                        safe = _check_arg_and_value(new_arg, new_value)
-                        if safe is not None and safe.strip() != '':
-                            logger.debug("_sanitise(): appending args: %s" % safe)
-                            checked.append(safe)
-                else:
-                    safe = _check_arg_and_value(arg, None)
-                    logger.debug("_sanitise(): appending args: %s" % safe)
-                    checked.append(safe)
-            elif isinstance(arg, list): ## happens with '--version'
-                logger.debug("_sanitise(): Got arg list: %s" % arg)
-                for a in arg:
-                    if a.startswith('--'):
-                        safe = _check_arg_and_value(a, None)
-                        logger.debug("_sanitise(): appending args: %s" % safe)
-                        checked.append(safe)
-            else:
-                logger.debug("_sanitise(): got non string or list arg: %s" % arg)
-
-    sanitised = ' '.join(x for x in checked)
-    return sanitised
-
-def _sanitise_list(arg_list):
-    """
-    A generator for running through a list of gpg options and sanitising them.
-
-    @type arg_list: C{list}
-    @param arg_list: A list of options and flags for gpg.
-    @rtype: C{generator}
-    @return: A generator whose next() method returns each of the items in
-             :param:arg_list after calling :func:_sanitise with that item as a
-             parameter.
-    """
-    if isinstance(arg_list, list):
-        for arg in arg_list:
-            safe_arg = _sanitise(arg)
-            if safe_arg != "":
-                yield safe_arg
-
-def _threaded_copy_data(instream, outstream):
-    wr = threading.Thread(target=_copy_data, args=(instream, outstream))
-    wr.setDaemon(True)
-    logger.debug('data copier: %r, %r, %r', wr, instream, outstream)
-    wr.start()
-    return wr
-
-def _underscore(input, remove_prefix=False):
-    """
-    Change hyphens to underscores so that GPG option names can be easily
-    tranlated to object attributes.
-
-    @type input: C{str}
-    @param input: The input intended for the gnupg process.
-
-    @type remove_prefix: C{bool}
-    @param remove_prefix: If True, strip leading hyphens from the input.
-
-    @rtype: C{str}
-    @return: The :param:input with hyphens changed to underscores.
-    """
-    if not remove_prefix:
-        return input.replace('-', '_')
-    else:
-        return input.lstrip('-').replace('-', '_')
-
-def _which(executable, flags=os.X_OK):
-    """Borrowed from Twisted's :mod:twisted.python.proutils .
-
-    Search PATH for executable files with the given name.
-
-    On newer versions of MS-Windows, the PATHEXT environment variable will be
-    set to the list of file extensions for files considered executable. This
-    will normally include things like ".EXE". This fuction will also find files
-    with the given name ending with any of these extensions.
-
-    On MS-Windows the only flag that has any meaning is os.F_OK. Any other
-    flags will be ignored.
-
-    Note: This function does not help us prevent an attacker who can already
-    manipulate the environment's PATH settings from placing malicious code
-    higher in the PATH. It also does happily follows links.
-
-    @type name: C{str}
-    @param name: The name for which to search.
-    @type flags: C{int}
-    @param flags: Arguments to L{os.access}.
-    @rtype: C{list}
-    @param: A list of the full paths to files found, in the order in which
-            they were found.
-    """
-    result = []
-    exts = filter(None, os.environ.get('PATHEXT', '').split(os.pathsep))
-    path = os.environ.get('PATH', None)
-    if path is None:
-        return []
-    for p in os.environ.get('PATH', '').split(os.pathsep):
-        p = os.path.join(p, executable)
-        if os.access(p, flags):
-            result.append(p)
-        for e in exts:
-            pext = p + e
-            if os.access(pext, flags):
-                result.append(pext)
-    return result
-
-def _write_passphrase(stream, passphrase, encoding):
-    passphrase = '%s\n' % passphrase
-    passphrase = passphrase.encode(encoding)
-    stream.write(passphrase)
-    logger.debug("Wrote passphrase.")
-
-
-class Verify(object):
-    """Handle status messages for --verify"""
-
-    TRUST_UNDEFINED = 0
-    TRUST_NEVER = 1
-    TRUST_MARGINAL = 2
-    TRUST_FULLY = 3
-    TRUST_ULTIMATE = 4
-
-    TRUST_LEVELS = {
-        "TRUST_UNDEFINED" : TRUST_UNDEFINED,
-        "TRUST_NEVER" : TRUST_NEVER,
-        "TRUST_MARGINAL" : TRUST_MARGINAL,
-        "TRUST_FULLY" : TRUST_FULLY,
-        "TRUST_ULTIMATE" : TRUST_ULTIMATE,
-    }
-
-    def __init__(self, gpg):
-        self.gpg = gpg
-        self.valid = False
-        self.fingerprint = self.creation_date = self.timestamp = None
-        self.signature_id = self.key_id = None
-        self.username = None
-        self.status = None
-        self.pubkey_fingerprint = None
-        self.expire_timestamp = None
-        self.sig_timestamp = None
-        self.trust_text = None
-        self.trust_level = None
-
-    def __nonzero__(self):
-        return self.valid
-
-    __bool__ = __nonzero__
-
-    def handle_status(self, key, value):
-        if key in self.TRUST_LEVELS:
-            self.trust_text = key
-            self.trust_level = self.TRUST_LEVELS[key]
-        elif key in ("RSA_OR_IDEA", "NODATA", "IMPORT_RES", "PLAINTEXT",
-                   "PLAINTEXT_LENGTH", "POLICY_URL", "DECRYPTION_INFO",
-                   "DECRYPTION_OKAY", "INV_SGNR"):
-            pass
-        elif key == "BADSIG":
-            self.valid = False
-            self.status = 'signature bad'
-            self.key_id, self.username = value.split(None, 1)
-        elif key == "GOODSIG":
-            self.valid = True
-            self.status = 'signature good'
-            self.key_id, self.username = value.split(None, 1)
-        elif key == "VALIDSIG":
-            (self.fingerprint,
-             self.creation_date,
-             self.sig_timestamp,
-             self.expire_timestamp) = value.split()[:4]
-            # may be different if signature is made with a subkey
-            self.pubkey_fingerprint = value.split()[-1]
-            self.status = 'signature valid'
-        elif key == "SIG_ID":
-            (self.signature_id,
-             self.creation_date, self.timestamp) = value.split()
-        elif key == "ERRSIG":
-            self.valid = False
-            (self.key_id,
-             algo, hash_algo,
-             cls,
-             self.timestamp) = value.split()[:5]
-            self.status = 'signature error'
-        elif key == "DECRYPTION_FAILED":
-            self.valid = False
-            self.key_id = value
-            self.status = 'decryption failed'
-        elif key == "NO_PUBKEY":
-            self.valid = False
-            self.key_id = value
-            self.status = 'no public key'
-        elif key in ("KEYEXPIRED", "SIGEXPIRED"):
-            # these are useless in verify, since they are spit out for any
-            # pub/subkeys on the key, not just the one doing the signing.
-            # if we want to check for signatures with expired key,
-            # the relevant flag is EXPKEYSIG.
-            pass
-        elif key in ("EXPKEYSIG", "REVKEYSIG"):
-            # signed with expired or revoked key
-            self.valid = False
-            self.key_id = value.split()[0]
-            self.status = (('%s %s') % (key[:3], key[3:])).lower()
-        else:
-            raise ValueError("Unknown status message: %r" % key)
-
-class ImportResult(object):
-    """Handle status messages for --import"""
-
-    counts = '''count no_user_id imported imported_rsa unchanged
-            n_uids n_subk n_sigs n_revoc sec_read sec_imported
-            sec_dups not_imported'''.split()
-    def __init__(self, gpg):
-        self.gpg = gpg
-        self.imported = []
-        self.results = []
-        self.fingerprints = []
-        for result in self.counts:
-            setattr(self, result, None)
-
-    def __nonzero__(self):
-        if self.not_imported: return False
-        if not self.fingerprints: return False
-        return True
-
-    __bool__ = __nonzero__
-
-    ok_reason = {
-        '0': 'Not actually changed',
-        '1': 'Entirely new key',
-        '2': 'New user IDs',
-        '4': 'New signatures',
-        '8': 'New subkeys',
-        '16': 'Contains private key',
-    }
-
-    problem_reason = {
-        '0': 'No specific reason given',
-        '1': 'Invalid Certificate',
-        '2': 'Issuer Certificate missing',
-        '3': 'Certificate Chain too long',
-        '4': 'Error storing certificate',
-    }
-
-    def handle_status(self, key, value):
-        if key == "IMPORTED":
-            # this duplicates info we already see in import_ok & import_problem
-            pass
-        elif key == "NODATA":
-            self.results.append({'fingerprint': None,
-                'problem': '0', 'text': 'No valid data found'})
-        elif key == "IMPORT_OK":
-            reason, fingerprint = value.split()
-            reasons = []
-            for code, text in list(self.ok_reason.items()):
-                if int(reason) | int(code) == int(reason):
-                    reasons.append(text)
-            reasontext = '\n'.join(reasons) + "\n"
-            self.results.append({'fingerprint': fingerprint,
-                'ok': reason, 'text': reasontext})
-            self.fingerprints.append(fingerprint)
-        elif key == "IMPORT_PROBLEM":
-            try:
-                reason, fingerprint = value.split()
-            except:
-                reason = value
-                fingerprint = '<unknown>'
-            self.results.append({'fingerprint': fingerprint,
-                'problem': reason, 'text': self.problem_reason[reason]})
-        elif key == "IMPORT_RES":
-            import_res = value.split()
-            for i in range(len(self.counts)):
-                setattr(self, self.counts[i], int(import_res[i]))
-        elif key == "KEYEXPIRED":
-            self.results.append({'fingerprint': None,
-                'problem': '0', 'text': 'Key expired'})
-        elif key == "SIGEXPIRED":
-            self.results.append({'fingerprint': None,
-                'problem': '0', 'text': 'Signature expired'})
-        else:
-            raise ValueError("Unknown status message: %r" % key)
-
-    def summary(self):
-        l = []
-        l.append('%d imported' % self.imported)
-        if self.not_imported:
-            l.append('%d not imported' % self.not_imported)
-        return ', '.join(l)
-
-class ListKeys(list):
-    """ Handle status messages for --list-keys.
-
-        Handle pub and uid (relating the latter to the former).
-
-        Don't care about (info from src/DETAILS):
-
-        crt = X.509 certificate
-        crs = X.509 certificate and private key available
-        ssb = secret subkey (secondary key)
-        uat = user attribute (same as user id except for field 10).
-        sig = signature
-        rev = revocation signature
-        pkd = public key data (special field format, see below)
-        grp = reserved for gpgsm
-        rvk = revocation key
-    """
-
-    def __init__(self, gpg):
-        super(ListKeys, self).__init__()
-        self.gpg = gpg
-        self.curkey = None
-        self.fingerprints = []
-        self.uids = []
-
-    def key(self, args):
-        vars = ("""
-            type trust length algo keyid date expires dummy ownertrust uid
-        """).split()
-        self.curkey = {}
-        for i in range(len(vars)):
-            self.curkey[vars[i]] = args[i]
-        self.curkey['uids'] = []
-        if self.curkey['uid']:
-            self.curkey['uids'].append(self.curkey['uid'])
-        del self.curkey['uid']
-        self.curkey['subkeys'] = []
-        self.append(self.curkey)
-
-    pub = sec = key
-
-    def fpr(self, args):
-        self.curkey['fingerprint'] = args[9]
-        self.fingerprints.append(args[9])
-
-    def uid(self, args):
-        uid = args[9]
-        uid = ESCAPE_PATTERN.sub(lambda m: chr(int(m.group(1), 16)), uid)
-        self.curkey['uids'].append(uid)
-        self.uids.append(uid)
-
-    def sub(self, args):
-        subkey = [args[4], args[11]]
-        self.curkey['subkeys'].append(subkey)
-
-    def handle_status(self, key, value):
-        pass
-
-class Crypt(Verify):
-    """Handle status messages for --encrypt and --decrypt"""
-    def __init__(self, gpg):
-        Verify.__init__(self, gpg)
-        self.data = ''
-        self.ok = False
-        self.status = ''
-
-    def __nonzero__(self):
-        if self.ok: return True
-        return False
-
-    __bool__ = __nonzero__
-
-    def __str__(self):
-        return self.data.decode(self.gpg.encoding, self.gpg.decode_errors)
-
-    def handle_status(self, key, value):
-        if key in ("ENC_TO", "USERID_HINT", "GOODMDC", "END_DECRYPTION",
-                   "BEGIN_SIGNING", "NO_SECKEY", "ERROR", "NODATA",
-                   "CARDCTRL"):
-            # in the case of ERROR, this is because a more specific error
-            # message will have come first
-            pass
-        elif key in ("NEED_PASSPHRASE", "BAD_PASSPHRASE", "GOOD_PASSPHRASE",
-                     "MISSING_PASSPHRASE", "DECRYPTION_FAILED",
-                     "KEY_NOT_CREATED"):
-            self.status = key.replace("_", " ").lower()
-        elif key == "NEED_PASSPHRASE_SYM":
-            self.status = 'need symmetric passphrase'
-        elif key == "BEGIN_DECRYPTION":
-            self.status = 'decryption incomplete'
-        elif key == "BEGIN_ENCRYPTION":
-            self.status = 'encryption incomplete'
-        elif key == "DECRYPTION_OKAY":
-            self.status = 'decryption ok'
-            self.ok = True
-        elif key == "END_ENCRYPTION":
-            self.status = 'encryption ok'
-            self.ok = True
-        elif key == "INV_RECP":
-            self.status = 'invalid recipient'
-        elif key == "KEYEXPIRED":
-            self.status = 'key expired'
-        elif key == "SIG_CREATED":
-            self.status = 'sig created'
-        elif key == "SIGEXPIRED":
-            self.status = 'sig expired'
-        else:
-            Verify.handle_status(self, key, value)
-
-class GenKey(object):
-    """Handle status messages for --gen-key"""
-    def __init__(self, gpg):
-        self.gpg = gpg
-        self.type = None
-        self.fingerprint = None
-
-    def __nonzero__(self):
-        if self.fingerprint: return True
-        return False
-
-    __bool__ = __nonzero__
-
-    def __str__(self):
-        return self.fingerprint or ''
-
-    def handle_status(self, key, value):
-        if key in ("PROGRESS", "GOOD_PASSPHRASE", "NODATA", "KEY_NOT_CREATED"):
-            pass
-        elif key == "KEY_CREATED":
-            (self.type, self.fingerprint) = value.split()
-        else:
-            raise ValueError("Unknown status message: %r" % key)
-
-class DeleteResult(object):
-    """Handle status messages for --delete-key and --delete-secret-key"""
-    def __init__(self, gpg):
-        self.gpg = gpg
-        self.status = 'ok'
-
-    def __str__(self):
-        return self.status
-
-    problem_reason = {
-        '1': 'No such key',
-        '2': 'Must delete secret key first',
-        '3': 'Ambigious specification',
-        }
-
-    def handle_status(self, key, value):
-        if key == "DELETE_PROBLEM":
-            self.status = self.problem_reason.get(value, "Unknown error: %r"
-                                                  % value)
-        else:
-            raise ValueError("Unknown status message: %r" % key)
-
-class Sign(object):
-    """Handle status messages for --sign"""
-    def __init__(self, gpg):
-        self.gpg = gpg
-        self.type = None
-        self.fingerprint = None
-
-    def __nonzero__(self):
-        return self.fingerprint is not None
-
-    __bool__ = __nonzero__
-
-    def __str__(self):
-        return self.data.decode(self.gpg.encoding, self.gpg.decode_errors)
-
-    def handle_status(self, key, value):
-        if key in ("USERID_HINT", "NEED_PASSPHRASE", "BAD_PASSPHRASE",
-                   "GOOD_PASSPHRASE", "BEGIN_SIGNING", "CARDCTRL",
-                   "INV_SGNR", "NODATA"):
-            pass
-        elif key == "SIG_CREATED":
-            (self.type, algo, hashalgo, cls, self.timestamp,
-             self.fingerprint) = value.split()
-        else:
-            raise ValueError("Unknown status message: %r" % key)
-
-class GPG(object):
-    """Encapsulate access to the gpg executable"""
-    decode_errors = 'strict'
-
-    result_map = {'crypt': Crypt,
-                  'delete': DeleteResult,
-                  'generate': GenKey,
-                  'import': ImportResult,
-                  'list': ListKeys,
-                  'sign': Sign,
-                  'verify': Verify,}
-
-    def __init__(self, gpgbinary=None, gpghome=None,
-                 verbose=False, use_agent=False,
-                 keyring=None, secring=None, pubring=None,
-                 options=None):
-        """
-        Initialize a GnuPG process wrapper.
-
-        @type gpgbinary: C{str}
-        @param gpgbinary: Name for GnuPG binary executable. If the absolute
-                            path is not given, the evironment variable $PATH is
-                            searched for the executable and checked that the
-                            real uid/gid of the user has sufficient permissions.
-        @type gpghome: C{str}
-        @param gpghome: Full pathname to directory containing the public and
-                        private keyrings. Default is whatever GnuPG defaults
-                        to.
-
-        @type keyring: C{str}
-        @param keyring: raises C{DeprecationWarning}. Use :param:secring.
-
-        @type secring: C{str}
-        @param secring: Name of alternative secret keyring file to use. If left
-                        unspecified, this will default to using 'secring.gpg'
-                        in the :param:gpghome directory, and create that file
-                        if it does not exist.
-
-        @type pubring: C{str}
-        @param pubring: Name of alternative public keyring file to use. If left
-                        unspecified, this will default to using 'pubring.gpg'
-                        in the :param:gpghome directory, and create that file
-                        if it does not exist.
-
-        @options: A list of additional options to pass to the GPG binary.
-
-        @rtype: C{Exception} or C{}
-        @raises: RuntimeError with explanation message if there is a problem
-                 invoking gpg.
-        @returns:
-        """
-
-        if not gpghome:
-            gpghome = os.path.join(os.getcwd(), 'gnupg')
-        self.gpghome = _fix_unsafe(gpghome)
-        if self.gpghome:
-            if not os.path.isdir(self.gpghome):
-                message = ("Creating gpg home dir: %s" % gpghome)
-                logger.debug("GPG.__init__(): %s" % message)
-                os.makedirs(self.gpghome, 0x1C0)
-            if not os.path.isabs(self.gpghome):
-                message = ("Got non-abs gpg home dir path: %s" % self.gpghome)
-                logger.debug("GPG.__init__(): %s" % message)
-                self.gpghome = os.path.abspath(self.gpghome)
-        else:
-            message = ("Unsuitable gpg home dir: %s" % gpghome)
-            logger.debug("GPG.__init__(): %s" % message)
-
-        ## find the absolute path, check that it is not a link, and check that
-        ## we have exec permissions
-        bin = None
-        if gpgbinary is not None:
-            if not os.path.isabs(gpgbinary):
-                try: bin = _which(gpgbinary)[0]
-                except IndexError as ie: logger.debug(ie.message)
-        if bin is None:
-            try: bin = _which('gpg')[0]
-            except IndexError: raise RuntimeError("gpg is not installed")
-        try:
-            assert os.path.isabs(bin), "Path to gpg binary not absolute"
-            assert not os.path.islink(bin), "Path to gpg binary is symbolic link"
-            assert os.access(bin, os.X_OK), "Lacking +x perms for gpg binary"
-        except (AssertionError, AttributeError) as ae:
-            logger.debug("GPG.__init__(): %s" % ae.message)
-        else:
-            self.gpgbinary = bin
-
-        if keyring is not None:
-            try:
-                raise DeprecationWarning(
-                    "Option 'keyring' changing to 'secring'")
-            except DeprecationWarning as dw:
-                log.warn(dw.message)
-            finally:
-                secring = keyring
-
-        secring = 'secring.gpg' if secring is None else _fix_unsafe(secring)
-        pubring = 'pubring.gpg' if pubring is None else _fix_unsafe(pubring)
-
-        self.secring = os.path.join(self.gpghome, secring)
-        self.pubring = os.path.join(self.gpghome, pubring)
-        ## XXX should eventually be changed throughout to 'secring', but until
-        ## then let's not break backward compatibility
-        self.keyring = self.secring
-
-        for ring in [self.secring, self.pubring]:
-            if ring and not os.path.isfile(ring):
-                with open(ring, 'a+') as ringfile:
-                    ringfile.write(" ")
-                    ringfile.flush()
-            try:
-                assert _has_readwrite(ring), \
-                    ("Need r+w for %s" % ring)
-            except AssertionError as ae:
-                logger.debug(ae.message)
-
-        self.options = _sanitise(options) if options else None
-
-        ## xxx TODO: hack the locale module away so we can use this on android
-        self.encoding = locale.getpreferredencoding()
-        if self.encoding is None: # This happens on Jython!
-            self.encoding = sys.stdin.encoding
-
-        try:
-            assert self.gpghome is not None, "Got None for self.gpghome"
-            assert _has_readwrite(self.gpghome), ("Home dir %s needs r+w"
-                                                  % self.gpghome)
-            assert self.gpgbinary, "Could not find gpgbinary %s" % full
-            assert isinstance(verbose, bool), "'verbose' must be boolean"
-            assert isinstance(use_agent, bool), "'use_agent' must be boolean"
-            if self.options:
-                assert isinstance(options, str), ("options not formatted: %s"
-                                                  % options)
-        except (AssertionError, AttributeError) as ae:
-            logger.debug("GPG.__init__(): %s" % ae.message)
-            raise RuntimeError(ae.message)
-        else:
-            self.verbose = verbose
-            self.use_agent = use_agent
-
-            proc = self._open_subprocess(["--version"])
-            result = self.result_map['list'](self)
-            self._collect_output(proc, result, stdin=proc.stdin)
-            if proc.returncode != 0:
-                raise RuntimeError("Error invoking gpg: %s: %s"
-                                   % (proc.returncode, result.stderr))
-
-    def make_args(self, args, passphrase=False):
-        """
-        Make a list of command line elements for GPG. The value of ``args``
-        will be appended. The ``passphrase`` argument needs to be True if
-        a passphrase will be sent to GPG, else False.
-        """
-        cmd = [self.gpgbinary, '--status-fd 2 --no-tty']
-        if self.gpghome:
-            cmd.append('--homedir "%s"' % self.gpghome)
-        if self.keyring:
-            cmd.append('--no-default-keyring --keyring "%s"' % self.keyring)
-        if passphrase:
-            cmd.append('--batch --passphrase-fd 0')
-        if self.use_agent:
-            cmd.append('--use-agent')
-        if self.options:
-            [cmd.append(opt) for opt in iter(_sanitise_list(self.options))]
-        if args:
-            [cmd.append(arg) for arg in iter(_sanitise_list(args))]
-        logger.debug("make_args(): Using command: %s" % cmd)
-        return cmd
-
-    def _open_subprocess(self, args=None, passphrase=False):
-        # Internal method: open a pipe to a GPG subprocess and return
-        # the file objects for communicating with it.
-        cmd = ' '.join(self.make_args(args, passphrase))
-        if self.verbose:
-            print(cmd)
-        logger.debug("%s", cmd)
-        return Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
-
-    def _read_response(self, stream, result):
-        # Internal method: reads all the stderr output from GPG, taking notice
-        # only of lines that begin with the magic [GNUPG:] prefix.
-        #
-        # Calls methods on the response object for each valid token found,
-        # with the arg being the remainder of the status line.
-        lines = []
-        while True:
-            line = stream.readline()
-            if len(line) == 0:
-                break
-            lines.append(line)
-            line = line.rstrip()
-            if self.verbose:
-                print(line)
-            logger.debug("%s", line)
-            if line[0:9] == '[GNUPG:] ':
-                # Chop off the prefix
-                line = line[9:]
-                L = line.split(None, 1)
-                keyword = L[0]
-                if len(L) > 1:
-                    value = L[1]
-                else:
-                    value = ""
-                result.handle_status(keyword, value)
-        result.stderr = ''.join(lines)
-
-    def _read_data(self, stream, result):
-        # Read the contents of the file from GPG's stdout
-        chunks = []
-        while True:
-            data = stream.read(1024)
-            if len(data) == 0:
-                break
-            logger.debug("chunk: %r" % data[:256])
-            chunks.append(data)
-        if _py3k:
-            # Join using b'' or '', as appropriate
-            result.data = type(data)().join(chunks)
-        else:
-            result.data = ''.join(chunks)
-
-    def _collect_output(self, process, result, writer=None, stdin=None):
-        """
-        Drain the subprocesses output streams, writing the collected output
-        to the result. If a writer thread (writing to the subprocess) is given,
-        make sure it's joined before returning. If a stdin stream is given,
-        close it before returning.
-        """
-        stderr = codecs.getreader(self.encoding)(process.stderr)
-        rr = threading.Thread(target=self._read_response, args=(stderr, result))
-        rr.setDaemon(True)
-        logger.debug('stderr reader: %r', rr)
-        rr.start()
-
-        stdout = process.stdout
-        dr = threading.Thread(target=self._read_data, args=(stdout, result))
-        dr.setDaemon(True)
-        logger.debug('stdout reader: %r', dr)
-        dr.start()
-
-        dr.join()
-        rr.join()
-        if writer is not None:
-            writer.join()
-        process.wait()
-        if stdin is not None:
-            try:
-                stdin.close()
-            except IOError:
-                pass
-        stderr.close()
-        stdout.close()
-
-    def _handle_io(self, args, file, result, passphrase=None, binary=False):
-        """
-        Handle a call to GPG - pass input data, collect output data.
-        """
-        if passphrase is not None:
-            ask_passphrase = True
-        else:
-            ask_passphrase = False
-        p = self._open_subprocess(args, ask_passphrase)
-        if not binary:
-            stdin = codecs.getwriter(self.encoding)(p.stdin)
-        else:
-            stdin = p.stdin
-        if passphrase:
-            _write_passphrase(stdin, passphrase, self.encoding)
-        writer = _threaded_copy_data(file, stdin)
-        self._collect_output(p, result, writer, stdin)
-        return result
-
-    #
-    # SIGNATURE METHODS
-    #
-    def sign(self, message, **kwargs):
-        """sign message"""
-        f = _make_binary_stream(message, self.encoding)
-        result = self.sign_file(f, **kwargs)
-        f.close()
-        return result
-
-    def sign_file(self, file, keyid=None, passphrase=None, clearsign=True,
-                  detach=False, binary=False):
-        """sign file"""
-        logger.debug("sign_file: %s", file)
-        if binary:
-            args = ['-s']
-        else:
-            args = ['-sa']
-
-        if clearsign:
-            args.append("--clearsign")
-            if detach:
-                logger.debug(
-                    "Cannot use --clearsign and --detach-sign simultaneously.")
-                logger.debug(
-                    "Using default GPG behaviour: --clearsign only.")
-        elif detach and not clearsign:
-            args.append("--detach-sign")
-
-        if keyid:
-            args.append('--default-key "%s"' % keyid)
-
-        result = self.result_map['sign'](self)
-        #We could use _handle_io here except for the fact that if the
-        #passphrase is bad, gpg bails and you can't write the message.
-        p = self._open_subprocess(args, passphrase is not None)
-        try:
-            stdin = p.stdin
-            if passphrase:
-                _write_passphrase(stdin, passphrase, self.encoding)
-            writer = _threaded_copy_data(file, stdin)
-        except IOError:
-            logging.exception("error writing message")
-            writer = None
-        self._collect_output(p, result, writer, stdin)
-        return result
-
-    def verify(self, data):
-        """Verify the signature on the contents of the string 'data'
-
-        >>> gpg = GPG(gpghome="keys")
-        >>> input = gpg.gen_key_input(Passphrase='foo')
-        >>> key = gpg.gen_key(input)
-        >>> assert key
-        >>> sig = gpg.sign('hello',keyid=key.fingerprint,passphrase='bar')
-        >>> assert not sig
-        >>> sig = gpg.sign('hello',keyid=key.fingerprint,passphrase='foo')
-        >>> assert sig
-        >>> verify = gpg.verify(sig.data)
-        >>> assert verify
-
-        """
-        f = _make_binary_stream(data, self.encoding)
-        result = self.verify_file(f)
-        f.close()
-        return result
-
-    def verify_file(self, file, data_filename=None):
-        """
-        Verify the signature on the contents of a file or file-like
-        object. Can handle embedded signatures as well as detached
-        signatures. If using detached signatures, the file containing the
-        detached signature should be specified as the :param:`data_filename`.
-
-        @param file: A file descriptor object. Its type will be checked with
-                     :func:`_is_file`.
-        @param data_filename: (optional) A file containing the GPG signature
-                              data for :param:`file`. If given, :param:`file`
-                              is verified via this detached signature.
-        """
-        ## attempt to wrap any escape characters in quotes:
-        safe_file = _fix_unsafe(file)
-
-        ## check that :param:`file` is actually a file:
-        _is_file(safe_file)
-
-        logger.debug('verify_file: %r, %r', safe_file, data_filename)
-        result = self.result_map['verify'](self)
-        args = ['--verify']
-        if data_filename is None:
-            self._handle_io(args, safe_file, result, binary=True)
-        else:
-            safe_data_filename = _fix_unsafe(data_filename)
-
-            logger.debug('Handling detached verification')
-            fd, fn = tempfile.mkstemp(prefix='pygpg')
-
-            with open(safe_file) as sf:
-                contents = sf.read()
-                os.write(fd, s)
-                os.close(fd)
-                logger.debug('Wrote to temp file: %r', contents)
-                args.append(fn)
-                args.append('"%s"' % safe_data_filename)
-
-                try:
-                    p = self._open_subprocess(args)
-                    self._collect_output(p, result, stdin=p.stdin)
-                finally:
-                    os.unlink(fn)
-
-        return result
-
-    #
-    # KEY MANAGEMENT
-    #
-    def import_keys(self, key_data):
-        """
-        Import the key_data into our keyring.
-
-        >>> import shutil
-        >>> shutil.rmtree("keys")
-        >>> gpg = GPG(gpghome="keys")
-        >>> input = gpg.gen_key_input()
-        >>> result = gpg.gen_key(input)
-        >>> print1 = result.fingerprint
-        >>> result = gpg.gen_key(input)
-        >>> print2 = result.fingerprint
-        >>> pubkey1 = gpg.export_keys(print1)
-        >>> seckey1 = gpg.export_keys(print1,secret=True)
-        >>> seckeys = gpg.list_keys(secret=True)
-        >>> pubkeys = gpg.list_keys()
-        >>> assert print1 in seckeys.fingerprints
-        >>> assert print1 in pubkeys.fingerprints
-        >>> str(gpg.delete_keys(print1))
-        'Must delete secret key first'
-        >>> str(gpg.delete_keys(print1,secret=True))
-        'ok'
-        >>> str(gpg.delete_keys(print1))
-        'ok'
-        >>> str(gpg.delete_keys("nosuchkey"))
-        'No such key'
-        >>> seckeys = gpg.list_keys(secret=True)
-        >>> pubkeys = gpg.list_keys()
-        >>> assert not print1 in seckeys.fingerprints
-        >>> assert not print1 in pubkeys.fingerprints
-        >>> result = gpg.import_keys('foo')
-        >>> assert not result
-        >>> result = gpg.import_keys(pubkey1)
-        >>> pubkeys = gpg.list_keys()
-        >>> seckeys = gpg.list_keys(secret=True)
-        >>> assert not print1 in seckeys.fingerprints
-        >>> assert print1 in pubkeys.fingerprints
-        >>> result = gpg.import_keys(seckey1)
-        >>> assert result
-        >>> seckeys = gpg.list_keys(secret=True)
-        >>> pubkeys = gpg.list_keys()
-        >>> assert print1 in seckeys.fingerprints
-        >>> assert print1 in pubkeys.fingerprints
-        >>> assert print2 in pubkeys.fingerprints
-        """
-        ## xxx need way to validate that key_data is actually a valid GPG key
-        ##     it might be possible to use --list-packets and parse the output
-
-        result = self.result_map['import'](self)
-        logger.debug('import_keys: %r', key_data[:256])
-        data = _make_binary_stream(key_data, self.encoding)
-        self._handle_io(['--import'], data, result, binary=True)
-        logger.debug('import_keys result: %r', result.__dict__)
-        data.close()
-        return result
-
-    def recv_keys(self, keyserver, *keyids):
-        """Import a key from a keyserver
-
-        >>> import shutil
-        >>> shutil.rmtree("keys")
-        >>> gpg = GPG(gpghome="keys")
-        >>> result = gpg.recv_keys('pgp.mit.edu', '3FF0DB166A7476EA')
-        >>> assert result
-
-        """
-        safe_keyserver = _fix_unsafe(keyserver)
-
-        result = self.result_map['import'](self)
-        data = _make_binary_stream("", self.encoding)
-        args = ['--keyserver', keyserver, '--recv-keys']
-
-        if keyids:
-            if keyids is not None:
-                safe_keyids = ' '.join(
-                    [(lambda: _fix_unsafe(k))() for k in keyids])
-                logger.debug('recv_keys: %r', safe_keyids)
-                args.extend(safe_keyids)
-
-        self._handle_io(args, data, result, binary=True)
-        data.close()
-        logger.debug('recv_keys result: %r', result.__dict__)
-        return result
-
-    def delete_keys(self, fingerprints, secret=False):
-        which='key'
-        if secret:
-            which='secret-key'
-        if _is_sequence(fingerprints):
-            fingerprints = ' '.join(fingerprints)
-        args = ['--batch --delete-%s "%s"' % (which, fingerprints)]
-        result = self.result_map['delete'](self)
-        p = self._open_subprocess(args)
-        self._collect_output(p, result, stdin=p.stdin)
-        return result
-
-    def export_keys(self, keyids, secret=False):
-        """export the indicated keys. 'keyid' is anything gpg accepts"""
-        which=''
-        if secret:
-            which='-secret-key'
-        if _is_sequence(keyids):
-            keyids = ' '.join(['"%s"' % k for k in keyids])
-        args = ["--armor --export%s %s" % (which, keyids)]
-        p = self._open_subprocess(args)
-        # gpg --export produces no status-fd output; stdout will be
-        # empty in case of failure
-        #stdout, stderr = p.communicate()
-        result = self.result_map['delete'](self) # any result will do
-        self._collect_output(p, result, stdin=p.stdin)
-        logger.debug('export_keys result: %r', result.data)
-        return result.data.decode(self.encoding, self.decode_errors)
-
-    def list_keys(self, secret=False):
-        """List the keys currently in the keyring.
-
-        >>> import shutil
-        >>> shutil.rmtree("keys")
-        >>> gpg = GPG(gpghome="keys")
-        >>> input = gpg.gen_key_input()
-        >>> result = gpg.gen_key(input)
-        >>> print1 = result.fingerprint
-        >>> result = gpg.gen_key(input)
-        >>> print2 = result.fingerprint
-        >>> pubkeys = gpg.list_keys()
-        >>> assert print1 in pubkeys.fingerprints
-        >>> assert print2 in pubkeys.fingerprints
-
-        """
-
-        which='keys'
-        if secret:
-            which='secret-keys'
-        args = "--list-%s --fixed-list-mode --fingerprint --with-colons" % (which,)
-        args = [args]
-        p = self._open_subprocess(args)
-
-        # there might be some status thingumy here I should handle... (amk)
-        # ...nope, unless you care about expired sigs or keys (stevegt)
-
-        # Get the response information
-        result = self.result_map['list'](self)
-        self._collect_output(p, result, stdin=p.stdin)
-        lines = result.data.decode(self.encoding,
-                                   self.decode_errors).splitlines()
-        valid_keywords = 'pub uid sec fpr sub'.split()
-        for line in lines:
-            if self.verbose:
-                print(line)
-            logger.debug("line: %r", line.rstrip())
-            if not line:
-                break
-            L = line.strip().split(':')
-            if not L:
-                continue
-            keyword = L[0]
-            if keyword in valid_keywords:
-                getattr(result, keyword)(L)
-        return result
-
-    def gen_key(self, input):
-        """
-        Generate a key; you might use gen_key_input() to create the control
-        input.
-
-        >>> gpg = GPG(gpghome="keys")
-        >>> input = gpg.gen_key_input()
-        >>> result = gpg.gen_key(input)
-        >>> assert result
-        >>> result = gpg.gen_key('foo')
-        >>> assert not result
-
-        """
-        args = ["--gen-key --batch"]
-        result = self.result_map['generate'](self)
-        f = _make_binary_stream(input, self.encoding)
-        self._handle_io(args, f, result, binary=True)
-        f.close()
-        return result
-
-    def gen_key_input(self, **kwargs):
-        """
-        Generate --gen-key input per gpg doc/DETAILS
-        """
-        parms = {}
-        for key, val in list(kwargs.items()):
-            key = key.replace('_','-').title()
-            if str(val).strip():    # skip empty strings
-                parms[key] = val
-        parms.setdefault('Key-Type', 'RSA')
-        parms.setdefault('Key-Length', 2048)
-        parms.setdefault('Name-Real', "Autogenerated Key")
-        parms.setdefault('Name-Comment', "Generated by gnupg.py")
-        try:
-            logname = os.environ['LOGNAME']
-        except KeyError:
-            logname = os.environ['USERNAME']
-        hostname = socket.gethostname()
-        parms.setdefault('Name-Email', "%s@%s"
-                         % (logname.replace(' ', '_'), hostname))
-        out = "Key-Type: %s\n" % parms.pop('Key-Type')
-        for key, val in list(parms.items()):
-            out += "%s: %s\n" % (key, val)
-        out += "%commit\n"
-        return out
-
-        # Key-Type: RSA
-        # Key-Length: 1024
-        # Name-Real: ISdlink Server on %s
-        # Name-Comment: Created by %s
-        # Name-Email: isdlink@%s
-        # Expire-Date: 0
-        # %commit
-        #
-        #
-        # Key-Type: DSA
-        # Key-Length: 1024
-        # Subkey-Type: ELG-E
-        # Subkey-Length: 1024
-        # Name-Real: Joe Tester
-        # Name-Comment: with stupid passphrase
-        # Name-Email: joe@foo.bar
-        # Expire-Date: 0
-        # Passphrase: abc
-        # %pubring foo.pub
-        # %secring foo.sec
-        # %commit
-
-    #
-    # ENCRYPTION
-    #
-    def encrypt_file(self, file, recipients, sign=None,
-            always_trust=False, passphrase=None,
-            armor=True, output=None, symmetric=False):
-        """Encrypt the message read from the file-like object 'file'"""
-        args = ['--encrypt']
-        if symmetric:
-            args = ['--symmetric']
-        else:
-            args = ['--encrypt']
-            if not _is_sequence(recipients):
-                recipients = (recipients,)
-            for recipient in recipients:
-                args.append('--recipient "%s"' % recipient)
-        if armor:   # create ascii-armored output - set to False for binary output
-            args.append('--armor')
-        if output:  # write the output to a file with the specified name
-            if os.path.exists(output):
-                os.remove(output) # to avoid overwrite confirmation message
-            args.append('--output "%s"' % output)
-        if sign:
-            args.append('--sign --default-key "%s"' % sign)
-        if always_trust:
-            args.append("--always-trust")
-        result = self.result_map['crypt'](self)
-        self._handle_io(args, file, result, passphrase=passphrase, binary=True)
-        logger.debug('encrypt result: %r', result.data)
-        return result
-
-    def encrypt(self, data, recipients, **kwargs):
-        """Encrypt the message contained in the string 'data'
-
-        >>> import shutil
-        >>> if os.path.exists("keys"):
-        ...     shutil.rmtree("keys")
-        >>> gpg = GPG(gpghome="keys")
-        >>> input = gpg.gen_key_input(passphrase='foo')
-        >>> result = gpg.gen_key(input)
-        >>> print1 = result.fingerprint
-        >>> input = gpg.gen_key_input()
-        >>> result = gpg.gen_key(input)
-        >>> print2 = result.fingerprint
-        >>> result = gpg.encrypt("hello",print2)
-        >>> message = str(result)
-        >>> assert message != 'hello'
-        >>> result = gpg.decrypt(message)
-        >>> assert result
-        >>> str(result)
-        'hello'
-        >>> result = gpg.encrypt("hello again",print1)
-        >>> message = str(result)
-        >>> result = gpg.decrypt(message,passphrase='bar')
-        >>> result.status in ('decryption failed', 'bad passphrase')
-        True
-        >>> assert not result
-        >>> result = gpg.decrypt(message,passphrase='foo')
-        >>> result.status == 'decryption ok'
-        True
-        >>> str(result)
-        'hello again'
-        >>> result = gpg.encrypt("signed hello",print2,sign=print1,passphrase='foo')
-        >>> result.status == 'encryption ok'
-        True
-        >>> message = str(result)
-        >>> result = gpg.decrypt(message)
-        >>> result.status == 'decryption ok'
-        True
-        >>> assert result.fingerprint == print1
-
-        """
-        data = _make_binary_stream(data, self.encoding)
-        result = self.encrypt_file(data, recipients, **kwargs)
-        data.close()
-        return result
-
-    def decrypt(self, message, **kwargs):
-        data = _make_binary_stream(message, self.encoding)
-        result = self.decrypt_file(data, **kwargs)
-        data.close()
-        return result
-
-    def decrypt_file(self, file, always_trust=False, passphrase=None,
-                     output=None):
-        args = ["--decrypt"]
-        if output:  # write the output to a file with the specified name
-            if os.path.exists(output):
-                os.remove(output) # to avoid overwrite confirmation message
-            args.append('--output "%s"' % output)
-        if always_trust:
-            args.append("--always-trust")
-        result = self.result_map['crypt'](self)
-        self._handle_io(args, file, result, passphrase, binary=True)
-        logger.debug('decrypt result: %r', result.data)
-        return result
-
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..c82f9d5
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+Sphinx>=1.1
+psutil>=0.5.1
diff --git a/setup.py b/setup.py
index 6a158f8..7135b6d 100644
--- a/setup.py
+++ b/setup.py
@@ -1,37 +1,48 @@
+#!/usr/bin/env python
+#-*- coding: utf-8 -*-
+
 from distutils.core import setup
 
-from gnupg import __version__ as version
+import versioneer
+versioneer.versionfile_source = 'src/_version.py'
+versioneer.versionfile_build  = 'gnupg/_version.py'
+versioneer.tag_prefix = ''
+versioneer.parentdir_prefix = 'python-gnupg-'
+
+__author__ = "Isis Agora Lovecruft"
+__contact__ = 'isis@leap.se'
 
 setup(name = "python-gnupg",
-    description="A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
-    long_description = "This module allows easy access to GnuPG's key \
+      description="A wrapper for the Gnu Privacy Guard (GPG or GnuPG)",
+      long_description = "This module allows easy access to GnuPG's key \
 management, encryption and signature functionality from Python programs. \
-It is intended for use with Python 2.4 or greater.",
-    license="""Copyright (C) 2008-2012 by Vinay Sajip. All Rights Reserved. See LICENSE for license.""",
-    version=version,
-    author="Vinay Sajip",
-    author_email="vinay_sajip@red-dove.com",
-    maintainer="Vinay Sajip",
-    maintainer_email="vinay_sajip@red-dove.com",
-    url="http://packages.python.org/python-gnupg/index.html",
-    py_modules=["gnupg"],
-    platforms="No particular restrictions",
-    download_url="http://python-gnupg.googlecode.com/files/python-gnupg-%s.tar.gz" % version,
-    classifiers=[
-        'Development Status :: 5 - Production/Stable',
-        "Intended Audience :: Developers",
-        'License :: OSI Approved :: BSD License',
-        "Programming Language :: Python",
-        "Programming Language :: Python :: 2",
-        "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 2.4",
-        "Programming Language :: Python :: 2.5",
-        "Programming Language :: Python :: 2.6",
-        "Programming Language :: Python :: 2.7",
-        "Programming Language :: Python :: 3.0",
-        "Programming Language :: Python :: 3.1",
-        "Programming Language :: Python :: 3.2",
-        "Operating System :: OS Independent",
-        "Topic :: Software Development :: Libraries :: Python Modules"
-    ]
-)
+It is intended for use with Python 2.6 or greater.",
+      license="""Copyright © 2013 Isis Lovecruft, et.al. see LICENSE file.""",
+      version=versioneer.get_version(),
+      cmdclass=versioneer.get_cmdclass(),
+      author=__author__,
+      author_email=__contact__,
+      maintainer=__author__,
+      maintainer_email=__contact__,
+      url="https://github.com/isislovecruft/python-gnupg",
+      package_dir={'gnupg': 'src'},
+      packages=['gnupg'],
+      platforms="Linux, BSD, OSX, Windows",
+      download_url="https://github.com/isislovecruft/python-gnupg/archive/develop.zip",
+      classifiers=[
+          'Development Status :: 4 - Alpha',
+          "Intended Audience :: Developers",
+          'Classifier:: License :: OSI Approved :: GNU Affero General Public License v3 or later (AGPLv3+)',
+          "Programming Language :: Python",
+          "Programming Language :: Python :: 2",
+          "Programming Language :: Python :: 3",
+          "Programming Language :: Python :: 2.6",
+          "Programming Language :: Python :: 2.7",
+          "Programming Language :: Python :: 3.0",
+          "Programming Language :: Python :: 3.1",
+          "Programming Language :: Python :: 3.2",
+          "Topic :: Software Development :: Libraries :: Python Modules",
+          'Classifier:: Topic :: Security :: Cryptography',
+          'Classifier:: Topic :: Software Development :: Libraries :: Python Modules',
+          'Classifier:: Topic :: Utilities',]
+      )
diff --git a/src/__init__.py b/src/__init__.py
new file mode 100644
index 0000000..43a5b8e
--- /dev/null
+++ b/src/__init__.py
@@ -0,0 +1,21 @@
+
+import gnupg
+import copyleft
+
+from gnupg import GPG
+
+from ._version import get_versions
+__version__ = get_versions()['version']
+
+gnupg.__version__ = __version__
+gnupg.__author__  = 'Isis Agora Lovecruft'
+gnupg.__contact__ = 'isis@leap.se'
+gnupg.__url__     = 'https://github.com/isislovecruft/python-gnupg'
+gnupg.__license__ = copyleft.disclaimer
+
+__all__ = ["GPG"]
+
+del gnupg
+del copyleft
+del get_versions
+del _version
diff --git a/src/_ansistrm.py b/src/_ansistrm.py
new file mode 100644
index 0000000..6453d23
--- /dev/null
+++ b/src/_ansistrm.py
@@ -0,0 +1,172 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of python-gnupg, a Python wrapper aroung GnuPG, and it was
+# taken from https://gist.github.com/vsajip/758430 on the 14th of May, 2013. It
+# has also been included in the 'logutils' Python module, see
+# https://code.google.com/p/logutils/ .
+#
+# The original copyright and license text are as follows:
+# |
+# |   Copyright (C) 2010-2012 Vinay Sajip. All rights reserved.
+# |   Licensed under the new BSD license.
+# |
+#
+# This file is part of python-gnupg, a Python wrapper around GnuPG.
+# Copyright © 2013 Isis Lovecruft, Andrej B.
+#           © 2008-2012 Vinay Sajip
+#           © 2005 Steve Traugott
+#           © 2004 A.M. Kuchling
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+
+
+import ctypes
+import logging
+import os
+
+class ColorizingStreamHandler(logging.StreamHandler):
+    # color names to indices
+    color_map = {
+        'black': 0,
+        'red': 1,
+        'green': 2,
+        'yellow': 3,
+        'blue': 4,
+        'magenta': 5,
+        'cyan': 6,
+        'white': 7,
+    }
+
+    #levels to (background, foreground, bold/intense)
+    if os.name == 'nt':
+        level_map = {
+            logging.DEBUG: (None, 'blue', True),
+            logging.INFO: (None, 'green', False),
+            logging.WARNING: (None, 'yellow', True),
+            logging.ERROR: (None, 'red', True),
+            logging.CRITICAL: ('red', 'white', True),
+        }
+    else:
+        level_map = {
+            logging.DEBUG: (None, 'blue', False),
+            logging.INFO: (None, 'green', False),
+            logging.WARNING: (None, 'yellow', False),
+            logging.ERROR: (None, 'red', False),
+            logging.CRITICAL: ('red', 'white', True),
+        }
+    csi = '\x1b['
+    reset = '\x1b[0m'
+
+    @property
+    def is_tty(self):
+        isatty = getattr(self.stream, 'isatty', None)
+        return isatty and isatty()
+
+    def emit(self, record):
+        try:
+            message = self.format(record)
+            stream = self.stream
+            if not self.is_tty:
+                stream.write(message)
+            else:
+                self.output_colorized(message)
+            stream.write(getattr(self, 'terminator', '\n'))
+            self.flush()
+        except (KeyboardInterrupt, SystemExit):
+            raise
+        except:
+            self.handleError(record)
+
+    if os.name != 'nt':
+        def output_colorized(self, message):
+            self.stream.write(message)
+    else:
+        import re
+        ansi_esc = re.compile(r'\x1b\[((?:\d+)(?:;(?:\d+))*)m')
+
+        nt_color_map = {
+            0: 0x00,    # black
+            1: 0x04,    # red
+            2: 0x02,    # green
+            3: 0x06,    # yellow
+            4: 0x01,    # blue
+            5: 0x05,    # magenta
+            6: 0x03,    # cyan
+            7: 0x07,    # white
+        }
+
+        def output_colorized(self, message):
+            parts = self.ansi_esc.split(message)
+            write = self.stream.write
+            h = None
+            fd = getattr(self.stream, 'fileno', None)
+            if fd is not None:
+                fd = fd()
+                if fd in (1, 2): # stdout or stderr
+                    h = ctypes.windll.kernel32.GetStdHandle(-10 - fd)
+            while parts:
+                text = parts.pop(0)
+                if text:
+                    write(text)
+                if parts:
+                    params = parts.pop(0)
+                    if h is not None:
+                        params = [int(p) for p in params.split(';')]
+                        color = 0
+                        for p in params:
+                            if 40 <= p <= 47:
+                                color |= self.nt_color_map[p - 40] << 4
+                            elif 30 <= p <= 37:
+                                color |= self.nt_color_map[p - 30]
+                            elif p == 1:
+                                color |= 0x08 # foreground intensity on
+                            elif p == 0: # reset to default color
+                                color = 0x07
+                            else:
+                                pass # error condition ignored
+                        ctypes.windll.kernel32.SetConsoleTextAttribute(h, color)
+
+    def colorize(self, message, record):
+        if record.levelno in self.level_map:
+            bg, fg, bold = self.level_map[record.levelno]
+            params = []
+            if bg in self.color_map:
+                params.append(str(self.color_map[bg] + 40))
+            if fg in self.color_map:
+                params.append(str(self.color_map[fg] + 30))
+            if bold:
+                params.append('1')
+            if params:
+                message = ''.join((self.csi, ';'.join(params),
+                                   'm', message, self.reset))
+        return message
+
+    def format(self, record):
+        message = logging.StreamHandler.format(self, record)
+        if self.is_tty:
+            # Don't colorize any traceback
+            parts = message.split('\n', 1)
+            parts[0] = self.colorize(parts[0], record)
+            message = '\n'.join(parts)
+        return message
+
+def main():
+    root = logging.getLogger()
+    root.setLevel(logging.DEBUG)
+    root.addHandler(ColorizingStreamHandler())
+    logging.debug('DEBUG')
+    logging.info('INFO')
+    logging.warning('WARNING')
+    logging.error('ERROR')
+    logging.critical('CRITICAL')
+
+if __name__ == '__main__':
+    main()
diff --git a/src/_logger.py b/src/_logger.py
new file mode 100644
index 0000000..536b485
--- /dev/null
+++ b/src/_logger.py
@@ -0,0 +1,97 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of python-gnupg, a Python wrapper around GnuPG.
+# Copyright © 2013 Isis Lovecruft, Andrej B.
+#           © 2008-2012 Vinay Sajip
+#           © 2005 Steve Traugott
+#           © 2004 A.M. Kuchling
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+'''log.py
+----------
+Logging module for python-gnupg.
+'''
+
+from __future__ import print_function
+from datetime   import datetime
+from functools  import wraps
+
+import logging
+import sys
+import os
+
+import _ansistrm
+
+try:
+    from logging import NullHandler
+except:
+    class NullHandler(logging.Handler):
+        def handle(self, record):
+            pass
+
+
+GNUPG_STATUS_LEVEL = 9
+
+def status(self, message, *args, **kwargs):
+    """LogRecord for GnuPG internal status messages."""
+    if self.isEnabledFor(GNUPG_STATUS_LEVEL):
+        self._log(GNUPG_STATUS_LEVEL, message, args, **kwargs)
+
+@wraps(logging.Logger)
+def create_logger(level=logging.NOTSET):
+    """Create a logger for python-gnupg at a specific message level.
+
+    :type level: int or str
+    :param level: A string or an integer for the lowest level to log.
+                  Available levels:
+                  int str       description
+                  0   NOTSET    Disable all logging.
+                  9   GNUPG     Log GnuPG's internal status messages.
+                  10  DEBUG     Log module level debuging messages.
+                  20  INFO      Normal user-level messages.
+                  30  WARN      Warning messages.
+                  40  ERROR     Error messages and tracebacks.
+                  50  CRITICAL  Unhandled exceptions and tracebacks.
+    """
+    _test = os.path.join(os.getcwd(), 'tests')
+    _now  = datetime.now().strftime("%Y-%m-%d_%H%M%S")
+    _fn   = os.path.join(_test, "%s_test_gnupg.log" % _now)
+    _fmt  = "%(relativeCreated)-4d L%(lineno)-4d:%(funcName)-18.18s %(levelname)-7.7s %(message)s"
+
+    ## Add the GNUPG_STATUS_LEVEL LogRecord to all Loggers in the module:
+    logging.addLevelName(GNUPG_STATUS_LEVEL, "GNUPG")
+    logging.Logger.status = status
+
+
+    if level > logging.NOTSET:
+        logging.basicConfig(level=level, filename=_fn,
+                            filemode="a", format=_fmt)
+        logging.captureWarnings(True)
+        logging.logThreads = True
+
+        colouriser = _ansistrm.ColorizingStreamHandler
+        colouriser.level_map[9]  = (None, 'blue', False)
+        colouriser.level_map[10] = (None, 'cyan', False)
+        handler = colouriser(stream=sys.stderr)
+        handler.setLevel(level)
+
+        formatr = logging.Formatter(_fmt)
+        handler.setFormatter(formatr)
+        print("Starting the logger...")
+    else:
+        handler = NullHandler()
+        print("GnuPG logging disabled...")
+
+    log = logging.getLogger('gnupg')
+    log.addHandler(handler)
+    log.setLevel(level)
+    log.info("Log opened: %s UTC" % datetime.ctime(datetime.utcnow()))
+    return log
diff --git a/src/_parsers.py b/src/_parsers.py
new file mode 100644
index 0000000..3d5c1d5
--- /dev/null
+++ b/src/_parsers.py
@@ -0,0 +1,1186 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of python-gnupg, a Python wrapper around GnuPG.
+# Copyright © 2013 Isis Lovecruft, Andrej B.
+#           © 2008-2012 Vinay Sajip
+#           © 2005 Steve Traugott
+#           © 2004 A.M. Kuchling
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+'''
+parsers.py
+----------
+Classes for parsing GnuPG status messages and sanitising commandline options.
+'''
+
+import re
+
+from _util import log
+
+import _util
+
+
+ESCAPE_PATTERN = re.compile(r'\\x([0-9a-f][0-9a-f])', re.I)
+HEXIDECIMAL    = re.compile('([0-9A-Fa-f]{2})+')
+
+
+class ProtectedOption(Exception):
+    """Raised when the option passed to GPG is disallowed."""
+
+class UsageError(Exception):
+    """Raised when incorrect usage of the API occurs.."""
+
+
+def _check_preferences(prefs, pref_type=None):
+    """Check cipher, digest, and compression preference settings.
+
+    MD5 is not allowed. This is not 1994.[0] SHA1 is allowed grudgingly.[1]
+
+    [0]: http://www.cs.colorado.edu/~jrblack/papers/md5e-full.pdf
+    [1]: http://eprint.iacr.org/2008/469.pdf
+    """
+    if prefs is None: return
+
+    cipher   = frozenset(['AES256', 'AES192', 'AES128',
+                          'CAMELLIA256', 'CAMELLIA192',
+                          'TWOFISH', '3DES'])
+    digest   = frozenset(['SHA512', 'SHA384', 'SHA256', 'SHA224', 'RMD160',
+                          'SHA1'])
+    compress = frozenset(['BZIP2', 'ZLIB', 'ZIP', 'Uncompressed'])
+    all      = frozenset([cipher, digest, compress])
+
+    if isinstance(prefs, str):
+        prefs = set(prefs.split())
+    elif isinstance(prefs, list):
+        prefs = set(prefs)
+    else:
+        msg = "prefs must be a list of strings, or one space-separated string"
+        log.error("parsers._check_preferences(): %s" % message)
+        raise TypeError(message)
+
+    if not pref_type:
+        pref_type = 'all'
+
+    allowed = str()
+
+    if pref_type == 'cipher':
+        allowed += ' '.join(prefs.intersection(cipher))
+    if pref_type == 'digest':
+        allowed += ' '.join(prefs.intersection(digest))
+    if pref_type == 'compress':
+        allowed += ' '.join(prefs.intersection(compress))
+    if pref_type == 'all':
+        allowed += ' '.join(prefs.intersection(all))
+
+    return allowed
+
+def _fix_unsafe(shell_input):
+    """Find characters used to escape from a string into a shell, and wrap them
+    in quotes if they exist. Regex pilfered from python-3.x shlex module.
+
+    :param str shell_input: The input intended for the GnuPG process.
+    """
+    ## xxx do we want to add ';'?
+    _unsafe = re.compile(r'[^\w@%+=:,./-]', 256)
+    try:
+        if len(_unsafe.findall(shell_input)) == 0:
+            return shell_input.strip()
+        else:
+            clean = "'" + shell_input.replace("'", "'\"'\"'") + "'"
+            return clean
+    except TypeError:
+        return None
+
+def _hyphenate(input, add_prefix=False):
+    """Change underscores to hyphens so that object attributes can be easily
+    tranlated to GPG option names.
+
+    :param str input: The attribute to hyphenate.
+    :param bool add_prefix: If True, add leading hyphens to the input.
+    :rtype: str
+    :return: The ``input`` with underscores changed to hyphens.
+    """
+    ret  = '--' if add_prefix else ''
+    ret += input.replace('_', '-')
+    return ret
+
+def _is_allowed(input):
+    """
+    Check that an option or argument given to GPG is in the set of allowed
+    options, the latter being a strict subset of the set of all options known
+    to GPG.
+
+    :param str input: An input meant to be parsed as an option or flag to the
+                      GnuPG process. Should be formatted the same as an option
+                      or flag to the commandline gpg, i.e. "--encrypt-files".
+    :ivar frozenset _possible: All known GPG options and flags.
+    :ivar frozenset _allowed: All allowed GPG options and flags, e.g. all GPG
+                              options and flags which we are willing to
+                              acknowledge and parse. If we want to support a
+                              new option, it will need to have its own parsing
+                              class and its name will need to be added to this
+                              set.
+
+    :rtype: Exception or str
+    :raise: :exc:UsageError if ``_allowed`` is not a subset of ``_possible``.
+            ProtectedOption if ``input`` is not in the set ``_allowed``.
+    :return: The original parameter ``input``, unmodified and unsanitized,
+             if no errors occur.
+    """
+
+    three_hundred_eighteen = ("""
+--allow-freeform-uid              --multifile
+--allow-multiple-messages         --no
+--allow-multisig-verification     --no-allow-freeform-uid
+--allow-non-selfsigned-uid        --no-allow-multiple-messages
+--allow-secret-key-import         --no-allow-non-selfsigned-uid
+--always-trust                    --no-armor
+--armor                           --no-armour
+--armour                          --no-ask-cert-expire
+--ask-cert-expire                 --no-ask-cert-level
+--ask-cert-level                  --no-ask-sig-expire
+--ask-sig-expire                  --no-auto-check-trustdb
+--attribute-fd                    --no-auto-key-locate
+--attribute-file                  --no-auto-key-retrieve
+--auto-check-trustdb              --no-batch
+--auto-key-locate                 --no-comments
+--auto-key-retrieve               --no-default-keyring
+--batch                           --no-default-recipient
+--bzip2-compress-level            --no-disable-mdc
+--bzip2-decompress-lowmem         --no-emit-version
+--card-edit                       --no-encrypt-to
+--card-status                     --no-escape-from-lines
+--cert-digest-algo                --no-expensive-trust-checks
+--cert-notation                   --no-expert
+--cert-policy-url                 --no-force-mdc
+--change-pin                      --no-force-v3-sigs
+--charset                         --no-force-v4-certs
+--check-sig                       --no-for-your-eyes-only
+--check-sigs                      --no-greeting
+--check-trustdb                   --no-groups
+--cipher-algo                     --no-literal
+--clearsign                       --no-mangle-dos-filenames
+--command-fd                      --no-mdc-warning
+--command-file                    --no-options
+--comment                         --no-permission-warning
+--completes-needed                --no-pgp2
+--compress-algo                   --no-pgp6
+--compression-algo                --no-pgp7
+--compress-keys                   --no-pgp8
+--compress-level                  --no-random-seed-file
+--compress-sigs                   --no-require-backsigs
+--ctapi-driver                    --no-require-cross-certification
+--dearmor                         --no-require-secmem
+--dearmour                        --no-rfc2440-text
+--debug                           --no-secmem-warning
+--debug-all                       --no-show-notation
+--debug-ccid-driver               --no-show-photos
+--debug-level                     --no-show-policy-url
+--decrypt                         --no-sig-cache
+--decrypt-files                   --no-sig-create-check
+--default-cert-check-level        --no-sk-comments
+--default-cert-expire             --no-strict
+--default-cert-level              --notation-data
+--default-comment                 --not-dash-escaped
+--default-key                     --no-textmode
+--default-keyserver-url           --no-throw-keyid
+--default-preference-list         --no-throw-keyids
+--default-recipient               --no-tty
+--default-recipient-self          --no-use-agent
+--default-sig-expire              --no-use-embedded-filename
+--delete-keys                     --no-utf8-strings
+--delete-secret-and-public-keys   --no-verbose
+--delete-secret-keys              --no-version
+--desig-revoke                    --openpgp
+--detach-sign                     --options
+--digest-algo                     --output
+--disable-ccid                    --override-session-key
+--disable-cipher-algo             --passphrase
+--disable-dsa2                    --passphrase-fd
+--disable-mdc                     --passphrase-file
+--disable-pubkey-algo             --passphrase-repeat
+--display                         --pcsc-driver
+--display-charset                 --personal-cipher-preferences
+--dry-run                         --personal-cipher-prefs
+--dump-options                    --personal-compress-preferences
+--edit-key                        --personal-compress-prefs
+--emit-version                    --personal-digest-preferences
+--enable-dsa2                     --personal-digest-prefs
+--enable-progress-filter          --pgp2
+--enable-special-filenames        --pgp6
+--enarmor                         --pgp7
+--enarmour                        --pgp8
+--encrypt                         --photo-viewer
+--encrypt-files                   --pipemode
+--encrypt-to                      --preserve-permissions
+--escape-from-lines               --primary-keyring
+--exec-path                       --print-md
+--exit-on-status-write-error      --print-mds
+--expert                          --quick-random
+--export                          --quiet
+--export-options                  --reader-port
+--export-ownertrust               --rebuild-keydb-caches
+--export-secret-keys              --recipient
+--export-secret-subkeys           --recv-keys
+--fast-import                     --refresh-keys
+--fast-list-mode                  --remote-user
+--fetch-keys                      --require-backsigs
+--fingerprint                     --require-cross-certification
+--fixed-list-mode                 --require-secmem
+--fix-trustdb                     --rfc1991
+--force-mdc                       --rfc2440
+--force-ownertrust                --rfc2440-text
+--force-v3-sigs                   --rfc4880
+--force-v4-certs                  --run-as-shm-coprocess
+--for-your-eyes-only              --s2k-cipher-algo
+--gen-key                         --s2k-count
+--gen-prime                       --s2k-digest-algo
+--gen-random                      --s2k-mode
+--gen-revoke                      --search-keys
+--gnupg                           --secret-keyring
+--gpg-agent-info                  --send-keys
+--gpgconf-list                    --set-filename
+--gpgconf-test                    --set-filesize
+--group                           --set-notation
+--help                            --set-policy-url
+--hidden-encrypt-to               --show-keyring
+--hidden-recipient                --show-notation
+--homedir                         --show-photos
+--honor-http-proxy                --show-policy-url
+--ignore-crc-error                --show-session-key
+--ignore-mdc-error                --sig-keyserver-url
+--ignore-time-conflict            --sign
+--ignore-valid-from               --sign-key
+--import                          --sig-notation
+--import-options                  --sign-with
+--import-ownertrust               --sig-policy-url
+--interactive                     --simple-sk-checksum
+--keyid-format                    --sk-comments
+--keyring                         --skip-verify
+--keyserver                       --status-fd
+--keyserver-options               --status-file
+--lc-ctype                        --store
+--lc-messages                     --strict
+--limit-card-insert-tries         --symmetric
+--list-config                     --temp-directory
+--list-key                        --textmode
+--list-keys                       --throw-keyid
+--list-only                       --throw-keyids
+--list-options                    --trustdb-name
+--list-ownertrust                 --trusted-key
+--list-packets                    --trust-model
+--list-public-keys                --try-all-secrets
+--list-secret-keys                --ttyname
+--list-sig                        --ttytype
+--list-sigs                       --ungroup
+--list-trustdb                    --update-trustdb
+--load-extension                  --use-agent
+--local-user                      --use-embedded-filename
+--lock-multiple                   --user
+--lock-never                      --utf8-strings
+--lock-once                       --verbose
+--logger-fd                       --verify
+--logger-file                     --verify-files
+--lsign-key                       --verify-options
+--mangle-dos-filenames            --version
+--marginals-needed                --warranty
+--max-cert-depth                  --with-colons
+--max-output                      --with-fingerprint
+--merge-only                      --with-key-data
+--min-cert-level                  --yes
+""").split()
+
+    possible = frozenset(three_hundred_eighteen)
+
+    ## these are the allowed options we will handle so far, all others should
+    ## be dropped. this dance is so that when new options are added later, we
+    ## merely add the to the _allowed list, and the `` _allowed.issubset``
+    ## assertion will check that GPG will recognise them
+    ##
+    ## xxx checkout the --store option for creating rfc1991 data packets
+    ## xxx key fetching/retrieving options: [fetch_keys, merge_only, recv_keys]
+    ##
+    allowed = frozenset(['--fixed-list-mode',  ## key/packet listing
+                         '--list-key',
+                         '--list-keys',
+                         '--list-options',
+                         '--list-packets',
+                         '--list-public-keys',
+                         '--list-secret-keys',
+                         '--print-md',
+                         '--print-mds',
+                         '--with-colons',
+                         ## deletion
+                         '--delete-keys',
+                         '--delete-secret-keys',
+                         ## en-/de-cryption
+                         '--always-trust',
+                         '--decrypt',
+                         '--decrypt-files',
+                         '--encrypt',
+                         '--encrypt-files',
+                         '--recipient',
+                         '--no-default-recipient',
+                         '--symmetric',
+                         '--use-agent',
+                         '--no-use-agent',
+                         ## signing/certification
+                         '--armor',
+                         '--armour',
+                         '--clearsign',
+                         '--detach-sign',
+                         '--list-sigs',
+                         '--sign',
+                         '--verify',
+                         ## i/o and files
+                         '--batch',
+                         '--debug-all',
+                         '--debug-level',
+                         '--gen-key',
+                         #'--multifile',
+                         '--no-emit-version',
+                         '--no-tty',
+                         '--output',
+                         '--passphrase-fd',
+                         '--status-fd',
+                         '--version',
+                         ## keyring, homedir, & options
+                         '--homedir',
+                         '--keyring',
+                         '--primary-keyring',
+                         '--secret-keyring',
+                         '--no-default-keyring',
+                         '--default-key',
+                         '--no-options',
+                         ## preferences
+                         '--digest-algo',
+                         '--cipher-algo',
+                         '--compress-algo',
+                         '--compression-algo',
+                         '--cert-digest-algo',
+                         '--list-config',
+                         '--personal-digest-prefs',
+                         '--personal-digest-preferences',
+                         '--personal-cipher-prefs',
+                         '--personal-cipher-preferences',
+                         '--personal-compress-prefs',
+                         '--personal-compress-preferences',
+                         ## export/import
+                         '--import',
+                         '--export',
+                         '--export-secret-keys',
+                         '--export-secret-subkeys',
+                         '--fingerprint',
+                     ])
+
+    ## check that allowed is a subset of possible
+    try:
+        assert allowed.issubset(possible), \
+            'allowed is not subset of known options, difference: %s' \
+            % allowed.difference(possible)
+    except AssertionError as ae:
+        log.error("_is_allowed(): %s" % ae.message)
+        raise UsageError(ae.message)
+
+    ## if we got a list of args, join them
+    ##
+    ## see TODO file, tag :cleanup:
+    if not isinstance(input, str):
+        input = ' '.join([x for x in input])
+
+    if isinstance(input, str):
+        if input.find('_') > 0:
+            if not input.startswith('--'):
+                hyphenated = _hyphenate(input, add_prefix=True)
+            else:
+                hyphenated = _hyphenate(input)
+        else:
+            hyphenated = input
+            ## xxx we probably want to use itertools.dropwhile here
+            try:
+                assert hyphenated in allowed
+            except AssertionError as ae:
+                dropped = _fix_unsafe(hyphenated)
+                log.warn("_is_allowed(): Dropping option '%s'..." % dropped)
+                raise ProtectedOption("Option '%s' not supported." % dropped)
+            else:
+                return input
+    return None
+
+def _is_hex(string):
+    """Check that a string is hexidecimal, with alphabetic characters
+    capitalized and without whitespace.
+
+    :param str string: The string to check.
+    """
+    matched = HEXIDECIMAL.match(string)
+    if matched is not None and len(matched.group()) >= 2:
+        return True
+    return False
+
+def _sanitise(*args):
+    """Take an arg or the key portion of a kwarg and check that it is in the
+    set of allowed GPG options and flags, and that it has the correct
+    type. Then, attempt to escape any unsafe characters. If an option is not
+    allowed, drop it with a logged warning. Returns a dictionary of all
+    sanitised, allowed options.
+
+    Each new option that we support that is not a boolean, but instead has
+    some extra inputs, i.e. "--encrypt-file foo.txt", will need some basic
+    safety checks added here.
+
+    GnuPG has three-hundred and eighteen commandline flags. Also, not all
+    implementations of OpenPGP parse PGP packets and headers in the same way,
+    so there is added potential there for messing with calls to GPG.
+
+    For information on the PGP message format specification, see:
+        https://www.ietf.org/rfc/rfc1991.txt
+
+    If you're asking, "Is this *really* necessary?": No, not really -- we could
+    just do a check as described here: https://xkcd.com/1181/
+
+    :param str args: (optional) The boolean arguments which will be passed to
+                     the GnuPG process.
+    :rtype: str
+    :returns: ``sanitised``
+    """
+
+    ## see TODO file, tag :cleanup:sanitise:
+
+    def _check_option(arg, value):
+        """
+        Check that a single :param:arg is an allowed option. If it is allowed,
+        quote out any escape characters in :param:values, and add the pair to
+        :ivar:sanitised.
+
+        :param str arg: The arguments which will be passed to the GnuPG
+                        process, and, optionally their corresponding values.
+                        The values are any additional arguments following the
+                        GnuPG option or flag. For example, if we wanted to pass
+                        "--encrypt --recipient isis@leap.se" to gpg, then
+                        "--encrypt" would be an arg without a value, and
+                        "--recipient" would also be an arg, with a value of
+                        "isis@leap.se".
+        :ivar list checked: The sanitised, allowed options and values.
+        :rtype: str
+        :returns: A string of the items in ``checked`` delimited by spaces.
+        """
+        safe_option = str()
+
+        if not _util._py3k:
+            if not isinstance(arg, list) and isinstance(arg, unicode):
+                arg = str(arg)
+
+        try:
+            flag = _is_allowed(arg)
+            assert flag is not None, "_check_option(): got None for flag"
+        except (AssertionError, ProtectedOption) as error:
+            log.warn("_check_option(): %s" % error.message)
+        else:
+            safe_option += (flag + " ")
+            if (not _util._py3k and isinstance(value, basestring)) \
+                    or (_util._py3k and isinstance(value, str)):
+                values = value.split(' ')
+                for v in values:
+                    try:
+                        assert v is not None
+                        assert v.strip() != ""
+                    except:
+                        log.debug("Dropping %s %s" % (flag, v))
+                        continue
+
+                    ## these can be handled separately, without _fix_unsafe(),
+                    ## because they are only allowed if the pass the regex
+                    if flag in ['--default-key', '--recipient', '--export',
+                                '--export-secret-keys', '--delete-keys',
+                                '--list-sigs', '--export-secret-subkeys',]:
+                        if _is_hex(v):
+                            safe_option += (v + " ")
+                            continue
+                        else: log.debug("'%s %s' not hex." % (flag, v))
+
+                    val = _fix_unsafe(v)
+
+                    try:
+                        assert v is not None
+                        assert v.strip() != ""
+                    except:
+                        log.debug("Dropping %s %s" % (flag, v))
+                        continue
+
+                    if flag in ['--encrypt', '--encrypt-files', '--decrypt',
+                                '--decrypt-files', '--import', '--verify']:
+                        if _util._is_file(val): safe_option += (val + " ")
+                        else: log.debug("%s not file: %s" % (flag, val))
+
+                    elif flag in ['--cipher-algo', '--personal-cipher-prefs',
+                                  '--personal-cipher-preferences']:
+                        legit_algos = _check_preferences(val, 'cipher')
+                        if legit_algos: safe_option += (legit_algos + " ")
+                        else: log.debug("'%s' is not cipher" % val)
+
+                    elif flag in ['--compress-algo', '--compression-algo',
+                                  '--personal-compress-prefs',
+                                  '--personal-compress-preferences']:
+                        legit_algos = _check_preferences(val, 'compress')
+                        if legit_algos: safe_option += (legit_algos + " ")
+                        else: log.debug("'%s' not compress algo" % val)
+
+                    else:
+                        safe_option += (val + " ")
+                        log.debug("_check_option(): No checks for %s" % val)
+
+        return safe_option
+
+    is_flag = lambda x: x.startswith('--')
+
+    def _make_filo(args_string):
+        filo = arg.split(' ')
+        filo.reverse()
+        log.debug("_make_filo(): Converted to reverse list: %s" % filo)
+        return filo
+
+    def _make_groups(filo):
+        groups = {}
+        while len(filo) >= 1:
+            last = filo.pop()
+            if is_flag(last):
+                log.debug("Got arg: %s" % last)
+                if last == '--verify':
+                    groups[last] = str(filo.pop())
+                    ## accept the read-from-stdin arg:
+                    if len(filo) >= 1 and filo[len(filo)-1] == '-':
+                        groups[last] += str(' - \'\'') ## gross hack
+                else:
+                    groups[last] = str()
+                while len(filo) > 1 and not is_flag(filo[len(filo)-1]):
+                    log.debug("Got value: %s" % filo[len(filo)-1])
+                    groups[last] += (filo.pop() + " ")
+                else:
+                    if len(filo) == 1 and not is_flag(filo[0]):
+                        log.debug("Got value: %s" % filo[0])
+                        groups[last] += filo.pop()
+            else:
+                log.warn("_make_groups(): Got solitary value: %s" % last)
+                groups["xxx"] = last
+        return groups
+
+    def _check_groups(groups):
+        log.debug("Got groups: %s" % groups)
+        checked_groups = []
+        for a,v in groups.items():
+            v = None if len(v) == 0 else v
+            safe = _check_option(a, v)
+            if safe is not None and not safe.strip() == "":
+                log.debug("Appending option: %s" % safe)
+                checked_groups.append(safe)
+            else:
+                log.warn("Dropped option: '%s %s'" % (a,v))
+        return checked_groups
+
+    if args is not None:
+        option_groups = {}
+        for arg in args:
+            ## if we're given a string with a bunch of options in it split
+            ## them up and deal with them separately
+            if (not _util._py3k and isinstance(arg, basestring)) \
+                    or (_util._py3k and isinstance(arg, str)):
+                log.debug("Got arg string: %s" % arg)
+                if arg.find(' ') > 0:
+                    filo = _make_filo(arg)
+                    option_groups.update(_make_groups(filo))
+                else:
+                    option_groups.update({ arg: "" })
+            elif isinstance(arg, list):
+                log.debug("Got arg list: %s" % arg)
+                arg.reverse()
+                option_groups.update(_make_groups(arg))
+            else:
+                log.warn("Got non-str/list arg: '%s', type '%s'"
+                         % (arg, type(arg)))
+        checked = _check_groups(option_groups)
+        sanitised = ' '.join(x for x in checked)
+        return sanitised
+    else:
+        log.debug("Got None for args")
+
+def _sanitise_list(arg_list):
+    """A generator for iterating through a list of gpg options and sanitising
+    them.
+
+    :param list arg_list: A list of options and flags for GnuPG.
+    :rtype: generator
+    :return: A generator whose next() method returns each of the items in
+             ``arg_list`` after calling ``_sanitise()`` with that item as a
+             parameter.
+    """
+    if isinstance(arg_list, list):
+        for arg in arg_list:
+            safe_arg = _sanitise(arg)
+            if safe_arg != "":
+                yield safe_arg
+
+
+def nodata(status_code):
+    """Translate NODATA status codes from GnuPG to messages."""
+    lookup = {
+        '1': 'No armored data.',
+        '2': 'Expected a packet but did not find one.',
+        '3': 'Invalid packet found, this may indicate a non OpenPGP message.',
+        '4': 'Signature expected but not found.' }
+    for key, value in lookup.items():
+        if str(status_code) == key:
+            return value
+
+def progress(status_code):
+    """Translate PROGRESS status codes from GnuPG to messages."""
+    lookup = {
+        'pk_dsa': 'DSA key generation',
+        'pk_elg': 'Elgamal key generation',
+        'primegen': 'Prime generation',
+        'need_entropy': 'Waiting for new entropy in the RNG',
+        'tick': 'Generic tick without any special meaning - still working.',
+        'starting_agent': 'A gpg-agent was started.',
+        'learncard': 'gpg-agent or gpgsm is learning the smartcard data.',
+        'card_busy': 'A smartcard is still working.' }
+    for key, value in lookup.items():
+        if str(status_code) == key:
+            return value
+
+
+class GenKey(object):
+    """Handle status messages for key generation.
+
+    Calling the GenKey.__str__() method of this class will return the
+    generated key's fingerprint, or a status string explaining the results.
+    """
+    def __init__(self, gpg):
+        self.gpg = gpg
+        ## this should get changed to something more useful, like 'key_type'
+        #: 'P':= primary, 'S':= subkey, 'B':= both
+        self.type = None
+        self.fingerprint = None
+        self.status = None
+        self.subkey_created = False
+        self.primary_created = False
+
+    def __nonzero__(self):
+        if self.fingerprint: return True
+        return False
+    __bool__ = __nonzero__
+
+    def __str__(self):
+        if self.fingerprint:
+            return self.fingerprint
+        else:
+            if self.status is not None:
+                return self.status
+            else:
+                return False
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key in ("GOOD_PASSPHRASE"):
+            pass
+        elif key == "KEY_NOT_CREATED":
+            self.status = 'key not created'
+        elif key == "KEY_CREATED":
+            (self.type, self.fingerprint) = value.split()
+            self.status = 'key created'
+        elif key == "NODATA":
+            self.status = nodata(value)
+        elif key == "PROGRESS":
+            self.status = progress(value.split(' ', 1)[0])
+        else:
+            raise ValueError("Unknown status message: %r" % key)
+
+        if self.type in ('B', 'P'):
+            self.primary_key_created = True
+        if self.type in ('B', 'S'):
+            self.subkey_created = True
+
+class DeleteResult(object):
+    """Handle status messages for --delete-keys and --delete-secret-keys"""
+    def __init__(self, gpg):
+        self.gpg = gpg
+        self.status = 'ok'
+
+    def __str__(self):
+        return self.status
+
+    problem_reason = { '1': 'No such key',
+                       '2': 'Must delete secret key first',
+                       '3': 'Ambigious specification', }
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key == "DELETE_PROBLEM":
+            self.status = self.problem_reason.get(value, "Unknown error: %r"
+                                                  % value)
+        else:
+            raise ValueError("Unknown status message: %r" % key)
+
+class Sign(object):
+    """Parse GnuPG status messages for signing operations.
+
+    :param gpg: An instance of :class:`gnupg.GPG`.
+    """
+
+    #: The type of signature created.
+    sig_type = None
+    #: The algorithm used to create the signature.
+    sig_algo = None
+    #: The hash algorithm used to create the signature.
+    sig_hash_also = None
+    #: The fingerprint of the signing keyid.
+    fingerprint = None
+    #: The timestamp on the signature.
+    timestamp = None
+    #: xxx fill me in
+    what = None
+
+    def __init__(self, gpg):
+        self.gpg = gpg
+
+    def __nonzero__(self):
+        """Override the determination for truthfulness evaluation.
+
+        :rtype: bool
+        :returns: True if we have a valid signature, False otherwise.
+        """
+        return self.fingerprint is not None
+    __bool__ = __nonzero__
+
+    def __str__(self):
+        return self.data.decode(self.gpg.encoding, self.gpg._decode_errors)
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key in ("USERID_HINT", "NEED_PASSPHRASE", "BAD_PASSPHRASE",
+                   "GOOD_PASSPHRASE", "BEGIN_SIGNING", "CARDCTRL",
+                   "INV_SGNR"):
+            pass
+        elif key == "SIG_CREATED":
+            (self.sig_type, self.sig_algo, self.sig_hash_algo,
+             self.what, self.timestamp, self.fingerprint) = value.split()
+        elif key == "NODATA":
+            self.status = nodata(value)
+        else:
+            raise ValueError("Unknown status message: %r" % key)
+
+class ListKeys(list):
+    """Handle status messages for --list-keys.
+
+        Handle pub and uid (relating the latter to the former).
+
+        Don't care about (info from src/DETAILS):
+
+        crt = X.509 certificate
+        crs = X.509 certificate and private key available
+        ssb = secret subkey (secondary key)
+        uat = user attribute (same as user id except for field 10).
+        sig = signature
+        rev = revocation signature
+        pkd = public key data (special field format, see below)
+        grp = reserved for gpgsm
+        rvk = revocation key
+    """
+
+    def __init__(self, gpg):
+        super(ListKeys, self).__init__()
+        self.gpg = gpg
+        self.curkey = None
+        self.fingerprints = []
+        self.uids = []
+
+    def key(self, args):
+        vars = ("""
+            type trust length algo keyid date expires dummy ownertrust uid
+        """).split()
+        self.curkey = {}
+        for i in range(len(vars)):
+            self.curkey[vars[i]] = args[i]
+        self.curkey['uids'] = []
+        if self.curkey['uid']:
+            self.curkey['uids'].append(self.curkey['uid'])
+        del self.curkey['uid']
+        self.curkey['subkeys'] = []
+        self.append(self.curkey)
+
+    pub = sec = key
+
+    def fpr(self, args):
+        self.curkey['fingerprint'] = args[9]
+        self.fingerprints.append(args[9])
+
+    def uid(self, args):
+        uid = args[9]
+        uid = ESCAPE_PATTERN.sub(lambda m: chr(int(m.group(1), 16)), uid)
+        self.curkey['uids'].append(uid)
+        self.uids.append(uid)
+
+    def sub(self, args):
+        subkey = [args[4], args[11]]
+        self.curkey['subkeys'].append(subkey)
+
+    def handle_status(self, key, value):
+        pass
+
+
+class ImportResult(object):
+    """Parse GnuPG status messages for key import operations.
+
+    :type gpg: :class:`gnupg.GPG`
+    :param gpg: An instance of :class:`gnupg.GPG`.
+    """
+
+    counts = '''count no_user_id imported imported_rsa unchanged
+            n_uids n_subk n_sigs n_revoc sec_read sec_imported
+            sec_dups not_imported'''.split()
+
+    #: List of all keys imported.
+    imported = list()
+
+    #: A list of strings containing the fingerprints of the GnuPG keyIDs
+    #: imported.
+    fingerprints = list()
+
+    #: A list containing dictionaries with information gathered on keys
+    #: imported.
+    results = list()
+
+    def __init__(self, gpg):
+        self.gpg = gpg
+        for result in self.counts:
+            setattr(self, result, None)
+
+    def __nonzero__(self):
+        """Override the determination for truthfulness evaluation.
+
+        :rtype: bool
+        :returns: True if we have immport some keys, False otherwise.
+        """
+        if self.not_imported: return False
+        if not self.fingerprints: return False
+        return True
+    __bool__ = __nonzero__
+
+    ok_reason = {'0': 'Not actually changed',
+                 '1': 'Entirely new key',
+                 '2': 'New user IDs',
+                 '4': 'New signatures',
+                 '8': 'New subkeys',
+                 '16': 'Contains private key',
+                 '17': 'Contains private key',}
+
+    problem_reason = { '0': 'No specific reason given',
+                       '1': 'Invalid Certificate',
+                       '2': 'Issuer Certificate missing',
+                       '3': 'Certificate Chain too long',
+                       '4': 'Error storing certificate', }
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key == "IMPORTED":
+            # this duplicates info we already see in import_ok & import_problem
+            pass
+        elif key == "NODATA":
+            self.results.append({'fingerprint': None,
+                'problem': '0', 'text': 'No valid data found'})
+        elif key == "IMPORT_OK":
+            reason, fingerprint = value.split()
+            reasons = []
+            for code, text in self.ok_reason.items():
+                if int(reason) | int(code) == int(reason):
+                    reasons.append(text)
+            reasontext = '\n'.join(reasons) + "\n"
+            self.results.append({'fingerprint': fingerprint,
+                'ok': reason, 'text': reasontext})
+            self.fingerprints.append(fingerprint)
+        elif key == "IMPORT_PROBLEM":
+            try:
+                reason, fingerprint = value.split()
+            except:
+                reason = value
+                fingerprint = '<unknown>'
+            self.results.append({'fingerprint': fingerprint,
+                'problem': reason, 'text': self.problem_reason[reason]})
+        elif key == "IMPORT_RES":
+            import_res = value.split()
+            for i in range(len(self.counts)):
+                setattr(self, self.counts[i], int(import_res[i]))
+        elif key == "KEYEXPIRED":
+            self.results.append({'fingerprint': None,
+                'problem': '0', 'text': 'Key expired'})
+        elif key == "SIGEXPIRED":
+            self.results.append({'fingerprint': None,
+                'problem': '0', 'text': 'Signature expired'})
+        else:
+            raise ValueError("Unknown status message: %r" % key)
+
+    def summary(self):
+        l = []
+        l.append('%d imported' % self.imported)
+        if self.not_imported:
+            l.append('%d not imported' % self.not_imported)
+        return ', '.join(l)
+
+
+class Verify(object):
+    """Parser for internal status messages from GnuPG for
+    certification/signature verification, and for parsing portions of status
+    messages from decryption operations.
+
+    :type gpg: :class:`gnupg.GPG`
+    :param gpg: An instance of :class:`gnupg.GPG`.
+    """
+
+    TRUST_UNDEFINED = 0
+    TRUST_NEVER = 1
+    TRUST_MARGINAL = 2
+    TRUST_FULLY = 3
+    TRUST_ULTIMATE = 4
+
+    TRUST_LEVELS = {"TRUST_UNDEFINED" : TRUST_UNDEFINED,
+                    "TRUST_NEVER" : TRUST_NEVER,
+                    "TRUST_MARGINAL" : TRUST_MARGINAL,
+                    "TRUST_FULLY" : TRUST_FULLY,
+                    "TRUST_ULTIMATE" : TRUST_ULTIMATE,}
+
+    #: True if the signature is valid, False otherwise.
+    valid = False
+    #: A string describing the status of the signature verification.
+    #: Can be one of ``'signature bad'``, ``'signature good'``,
+    #: ``'signature valid'``, ``'signature error'``, ``'decryption failed'``,
+    #: ``'no public key'``, ``'key exp'``, or ``'key rev'``.
+    status = None
+    #: The fingerprint of the signing keyid.
+    fingerprint = None
+    #: The fingerprint of the corresponding public key, which may be different
+    #: if the signature was created with a subkey.
+    pubkey_fingerprint = None
+    #: The keyid of the signing key.
+    key_id = None
+    #: The id of the signature itself.
+    signature_id = None
+    #: The creation date of the signing key.
+    creation_date = None
+    #: The timestamp of the purported signature, if we are unable to parse it.
+    timestamp = None
+    #: The userid of the signing key which was used to create the signature.
+    username = None
+    #: When the signing key is due to expire.
+    expire_timestamp = None
+    #: The timestamp for when the signature was created.
+    sig_timestamp = None
+    #: A number 0-4 describing the trust level of the signature.
+    trust_level = None
+    #: The string corresponding to the ``trust_level`` number.
+    trust_text = None
+
+    def __init__(self, gpg):
+        self.gpg = gpg
+        self.valid = False
+        self.fingerprint = self.creation_date = self.timestamp = None
+        self.signature_id = self.key_id = None
+        self.username = None
+        self.status = None
+        self.pubkey_fingerprint = None
+        self.expire_timestamp = None
+        self.sig_timestamp = None
+        self.trust_text = None
+        self.trust_level = None
+
+    def __nonzero__(self):
+        """Override the determination for truthfulness evaluation.
+
+        :rtype: bool
+        :returns: True if we have a valid signature, False otherwise.
+        """
+        return self.valid
+    __bool__ = __nonzero__
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key in self.TRUST_LEVELS:
+            self.trust_text = key
+            self.trust_level = self.TRUST_LEVELS[key]
+        elif key in ("RSA_OR_IDEA", "NODATA", "IMPORT_RES", "PLAINTEXT",
+                     "PLAINTEXT_LENGTH", "POLICY_URL", "DECRYPTION_INFO",
+                     "DECRYPTION_OKAY", "INV_SGNR"):
+            pass
+        elif key == "BADSIG":
+            self.valid = False
+            self.status = 'signature bad'
+            self.key_id, self.username = value.split(None, 1)
+        elif key == "GOODSIG":
+            self.valid = True
+            self.status = 'signature good'
+            self.key_id, self.username = value.split(None, 1)
+        elif key == "VALIDSIG":
+            (self.fingerprint,
+             self.creation_date,
+             self.sig_timestamp,
+             self.expire_timestamp) = value.split()[:4]
+            # may be different if signature is made with a subkey
+            self.pubkey_fingerprint = value.split()[-1]
+            self.status = 'signature valid'
+        elif key == "SIG_ID":
+            (self.signature_id,
+             self.creation_date, self.timestamp) = value.split()
+        elif key == "ERRSIG":
+            self.valid = False
+            (self.key_id,
+             algo, hash_algo,
+             cls,
+             self.timestamp) = value.split()[:5]
+            self.status = 'signature error'
+        elif key == "DECRYPTION_FAILED":
+            self.valid = False
+            self.key_id = value
+            self.status = 'decryption failed'
+        elif key == "NO_PUBKEY":
+            self.valid = False
+            self.key_id = value
+            self.status = 'no public key'
+        elif key in ("KEYEXPIRED", "SIGEXPIRED"):
+            # these are useless in verify, since they are spit out for any
+            # pub/subkeys on the key, not just the one doing the signing.
+            # if we want to check for signatures with expired key,
+            # the relevant flag is EXPKEYSIG.
+            pass
+        elif key in ("EXPKEYSIG", "REVKEYSIG"):
+            # signed with expired or revoked key
+            self.valid = False
+            self.key_id = value.split()[0]
+            self.status = (('%s %s') % (key[:3], key[3:])).lower()
+        else:
+            raise ValueError("Unknown status message: %r" % key)
+
+
+class Crypt(Verify):
+    """Parser for internal status messages from GnuPG for ``--encrypt``,
+    ``--decrypt``, and ``--decrypt-files``.
+    """
+    def __init__(self, gpg):
+        Verify.__init__(self, gpg)
+        self.gpg = gpg
+        self.data = ''
+        self.ok = False
+        self.status = ''
+        self.data_format = None
+        self.data_timestamp = None
+        self.data_filename = None
+
+    def __nonzero__(self):
+        if self.ok: return True
+        return False
+    __bool__ = __nonzero__
+
+    def __str__(self):
+        return self.data.decode(self.gpg.encoding, self.gpg._decode_errors)
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        if key in ("ENC_TO", "USERID_HINT", "GOODMDC", "END_DECRYPTION",
+                   "BEGIN_SIGNING", "NO_SECKEY", "ERROR", "NODATA",
+                   "CARDCTRL"):
+            # in the case of ERROR, this is because a more specific error
+            # message will have come first
+            pass
+        elif key in ("NEED_PASSPHRASE", "BAD_PASSPHRASE", "GOOD_PASSPHRASE",
+                     "MISSING_PASSPHRASE", "DECRYPTION_FAILED",
+                     "KEY_NOT_CREATED"):
+            self.status = key.replace("_", " ").lower()
+        elif key == "NEED_PASSPHRASE_SYM":
+            self.status = 'need symmetric passphrase'
+        elif key == "BEGIN_DECRYPTION":
+            self.status = 'decryption incomplete'
+        elif key == "BEGIN_ENCRYPTION":
+            self.status = 'encryption incomplete'
+        elif key == "DECRYPTION_OKAY":
+            self.status = 'decryption ok'
+            self.ok = True
+        elif key == "END_ENCRYPTION":
+            self.status = 'encryption ok'
+            self.ok = True
+        elif key == "INV_RECP":
+            self.status = 'invalid recipient'
+        elif key == "KEYEXPIRED":
+            self.status = 'key expired'
+        elif key == "SIG_CREATED":
+            self.status = 'sig created'
+        elif key == "SIGEXPIRED":
+            self.status = 'sig expired'
+        elif key == "PLAINTEXT":
+            fmt, dts = value.split(' ', 1)
+            if dts.find(' ') > 0:
+                self.data_timestamp, self.data_filename = dts.split(' ', 1)
+            else:
+                self.data_timestamp = dts
+            ## GnuPG give us a hex byte for an ascii char corresponding to
+            ## the data format of the resulting plaintext,
+            ## i.e. '62'→'b':= binary data
+            self.data_format = chr(int(str(fmt), 16))
+        else:
+            super(Crypt, self).handle_status(key, value)
+
+class ListPackets(object):
+    """
+    Handle status messages for --list-packets.
+    """
+
+    def __init__(self, gpg):
+        self.gpg = gpg
+        self.nodata = None
+        self.key = None
+        self.need_passphrase = None
+        self.need_passphrase_sym = None
+        self.userid_hint = None
+
+    def handle_status(self, key, value):
+        """Parse a status code from the attached GnuPG process.
+
+        :raises: :exc:`ValueError` if the status message is unknown.
+        """
+        # TODO: write tests for handle_status
+        if key == 'NODATA':
+            self.nodata = True
+        elif key == 'ENC_TO':
+            # This will only capture keys in our keyring. In the future we
+            # may want to include multiple unknown keys in this list.
+            self.key, _, _ = value.split()
+        elif key == 'NEED_PASSPHRASE':
+            self.need_passphrase = True
+        elif key == 'NEED_PASSPHRASE_SYM':
+            self.need_passphrase_sym = True
+        elif key == 'USERID_HINT':
+            self.userid_hint = value.strip().split()
+        else:
+            raise ValueError("Unknown status message: %r" % key)
diff --git a/src/_util.py b/src/_util.py
new file mode 100644
index 0000000..bbfe3c9
--- /dev/null
+++ b/src/_util.py
@@ -0,0 +1,470 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of python-gnupg, a Python wrapper around GnuPG.
+# Copyright © 2013 Isis Lovecruft, Andrej B.
+#           © 2008-2012 Vinay Sajip
+#           © 2005 Steve Traugott
+#           © 2004 A.M. Kuchling
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+'''
+util.py
+----------
+Extra utilities for python-gnupg.
+'''
+
+from datetime import datetime
+from socket   import gethostname
+
+import codecs
+import encodings
+import os
+import time
+import threading
+import random
+import string
+import sys
+
+import _logger
+
+try:
+    from io import StringIO
+    from io import BytesIO
+except ImportError:
+    from cStringIO import StringIO
+
+try:
+    unicode
+    _py3k = False
+    try:
+        isinstance(__name__, basestring)
+    except NameError:
+        msg  = "Sorry, python-gnupg requires a Python version with proper"
+        msg += " unicode support. Please upgrade to Python>=2.3."
+        raise SystemExit(msg)
+except NameError:
+    _py3k = True
+
+
+## Directory shortcuts:
+_here = os.getcwd()
+_test = os.path.join(os.path.join(_here, 'tests'), 'tmp') ## ./tests/tmp
+_user = os.environ.get('HOME')                            ## $HOME
+_ugpg = os.path.join(_user, '.gnupg')                     ## $HOME/.gnupg
+_conf = os.path.join(os.path.join(_user, '.config'), 'python-gnupg')
+                                     ## $HOME/.config/python-gnupg
+
+## Logger is disabled by default
+log = _logger.create_logger(0)
+
+
+def find_encodings(enc=None, system=False):
+    """Find functions for encoding translations for a specific codec.
+
+    :param str enc: The codec to find translation functions for. It will be
+                    normalized by converting to lowercase, excluding
+                    everything which is not ascii, and hyphens will be
+                    converted to underscores.
+
+    :param bool system: If True, find encodings based on the system's stdin
+                        encoding, otherwise assume utf-8.
+
+    :raises: :exc:LookupError if the normalized codec, ``enc``, cannot be
+             found in Python's encoding translation map.
+    """
+    if not enc:
+        enc = 'utf-8'
+
+    if system:
+        if getattr(sys.stdin, 'encoding', None) is None:
+            enc = sys.stdin.encoding
+            log.debug("Obtained encoding from stdin: %s" % enc)
+        else:
+            enc = 'ascii'
+
+    ## have to have lowercase to work, see
+    ## http://docs.python.org/dev/library/codecs.html#standard-encodings
+    enc = enc.lower()
+    codec_alias = encodings.normalize_encoding(enc)
+
+    codecs.register(encodings.search_function)
+    coder = codecs.lookup(codec_alias)
+
+    return coder
+
+def _copy_data(instream, outstream):
+    """Copy data from one stream to another.
+
+    :type instream: :class:`io.BytesIO` or :class:`io.StringIO` or file
+    :param instream: A byte stream or open file to read from.
+    :param file outstream: The file descriptor of a tmpfile to write to.
+    """
+    sent = 0
+
+    #try:
+    #    #assert (util._is_stream(instream)
+    #    #        or isinstance(instream, file)), "instream not stream or file"
+    #    assert isinstance(outstream, file), "outstream is not a file"
+    #except AssertionError as ae:
+    #    log.exception(ae)
+    #    return
+
+    coder = find_encodings()
+
+    while True:
+        if ((_py3k and isinstance(instream, str)) or
+            (not _py3k and isinstance(instream, basestring))):
+            data = instream[:1024]
+            instream = instream[1024:]
+        else:
+            data = instream.read(1024)
+        if len(data) == 0:
+            break
+        sent += len(data)
+        log.debug("Sending chunk %d bytes:\n%s"
+                  % (sent, data))
+        try:
+            outstream.write(data)
+        except UnicodeError:
+            try:
+                outstream.write(coder.encode(data))
+            except IOError:
+                log.exception("Error sending data: Broken pipe")
+                break
+        except IOError:
+            # Can get 'broken pipe' errors even when all data was sent
+            log.exception('Error sending data: Broken pipe')
+            break
+    try:
+        outstream.close()
+    except IOError as ioe:
+        log.error("Unable to close outstream %s:\r\t%s" % (outstream, ioe))
+    else:
+        log.debug("Closed outstream: %d bytes sent." % sent)
+
+def _create_if_necessary(directory):
+    """Create the specified directory, if necessary.
+
+    :param str directory: The directory to use.
+    :rtype: bool
+    :returns: True if no errors occurred and the directory was created or
+              existed beforehand, False otherwise.
+    """
+
+    if not os.path.isabs(directory):
+        log.debug("Got non-absolute path: %s" % directory)
+        directory = os.path.abspath(directory)
+
+    if not os.path.isdir(directory):
+        log.info("Creating directory: %s" % directory)
+        try:
+            os.makedirs(directory, 0x1C0)
+        except OSError as ose:
+            log.error(ose, exc_info=1)
+            return False
+        else:
+            log.debug("Created directory.")
+    return True
+
+def create_uid_email(username=None, hostname=None):
+    """Create an email address suitable for a UID on a GnuPG key.
+
+    :param str username: The username portion of an email address.  If None,
+                         defaults to the username of the running Python
+                         process.
+
+    :param str hostname: The FQDN portion of an email address. If None, the
+                         hostname is obtained from gethostname(2).
+
+    :rtype: str
+    :returns: A string formatted as <username>@<hostname>.
+    """
+    if hostname:
+        hostname = hostname.replace(' ', '_')
+    if not username:
+        try: username = os.environ['LOGNAME']
+        except KeyError: username = os.environ['USERNAME']
+
+        if not hostname: hostname = gethostname()
+
+        uid = "%s@%s" % (username.replace(' ', '_'), hostname)
+    else:
+        username = username.replace(' ', '_')
+        if (not hostname) and (username.find('@') == 0):
+            uid = "%s@%s" % (username, gethostname())
+        elif hostname:
+            uid = "%s@%s" % (username, hostname)
+        else:
+            uid = username
+
+    return uid
+
+def _find_binary(binary=None):
+    """Find the absolute path to the GnuPG binary.
+
+    Also run checks that the binary is not a symlink, and check that
+    our process real uid has exec permissions.
+
+    :param str binary: The path to the GnuPG binary.
+    :raises: :exc:RuntimeError if it appears that GnuPG is not installed.
+    :rtype: str
+    :returns: The absolute path to the GnuPG binary to use, if no exceptions
+              occur.
+    """
+    gpg_binary = None
+    if binary is not None:
+        if not os.path.isabs(binary):
+            try: binary = _which(binary)[0]
+            except IndexError as ie:
+                log.error(ie.message)
+    if binary is None:
+        try: binary = _which('gpg')[0]
+        except IndexError: raise RuntimeError("GnuPG is not installed!")
+    try:
+        assert os.path.isabs(binary), "Path to gpg binary not absolute"
+        assert not os.path.islink(binary), "Path to gpg binary is symlink"
+        assert os.access(binary, os.X_OK), "Lacking +x perms for gpg binary"
+    except (AssertionError, AttributeError) as ae:
+        log.error(ae.message)
+    else:
+        return binary
+
+def _has_readwrite(path):
+    """
+    Determine if the real uid/gid of the executing user has read and write
+    permissions for a directory or a file.
+
+    :param str path: The path to the directory or file to check permissions
+                     for.
+    :rtype: bool
+    :returns: True if real uid/gid has read+write permissions, False otherwise.
+    """
+    return os.access(path, os.R_OK ^ os.W_OK)
+
+def _is_file(input):
+    """Check that the size of the thing which is supposed to be a filename has
+    size greater than zero, without following symbolic links or using
+    :func:os.path.isfile.
+
+    :param input: An object to check.
+    :rtype: bool
+    :returns: True if :param:input is file-like, False otherwise.
+    """
+    try:
+        assert os.lstat(input).st_size > 0, "not a file: %s" % input
+    except (AssertionError, TypeError, IOError, OSError) as err:
+        log.error(err.message, exc_info=1)
+        return False
+    else:
+        return True
+
+def _is_stream(input):
+    """Check that the input is a byte stream.
+
+    :param input: An object provided for reading from or writing to.
+    :rtype: bool
+    :returns: True if :param:input is a stream, False if otherwise.
+    """
+    return isinstance(input, BytesIO) or isinstance(input, StringIO)
+
+def _is_list_or_tuple(instance):
+    """Check that ``instance`` is a list or tuple.
+
+    :param instance: The object to type check.
+    :rtype: bool
+    :returns: True if ``instance`` is a list or tuple, False otherwise.
+    """
+    return isinstance(instance, (list, tuple,))
+
+def _make_binary_stream(s, encoding):
+    """
+    xxx fill me in
+    """
+    try:
+        if _py3k:
+            if isinstance(s, str):
+                s = s.encode(encoding)
+        else:
+            if type(s) is not str:
+                s = s.encode(encoding)
+        from io import BytesIO
+        rv = BytesIO(s)
+    except ImportError:
+        rv = StringIO(s)
+    return rv
+
+def _make_passphrase(length=None, save=False, file=None):
+    """Create a passphrase and write it to a file that only the user can read.
+
+    This is not very secure, and should not be relied upon for actual key
+    passphrases.
+
+    :param int length: The length in bytes of the string to generate.
+
+    :param file file: The file to save the generated passphrase in. If not
+        given, defaults to 'passphrase-<the real user id>-<seconds since
+        epoch>' in the top-level directory.
+    """
+    if not length:
+        length = 40
+
+    passphrase = _make_random_string(length)
+
+    if save:
+        ruid, euid, suid = os.getresuid()
+        gid = os.getgid()
+        now = time.mktime(time.gmtime())
+
+        if not file:
+            filename = str('passphrase-%s-%s' % uid, now)
+            file = os.path.join(_repo, filename)
+
+        with open(file, 'a') as fh:
+            fh.write(passphrase)
+            fh.flush()
+            fh.close()
+            os.chmod(file, 0600)
+            os.chown(file, ruid, gid)
+
+        log.warn("Generated passphrase saved to %s" % file)
+    return passphrase
+
+def _make_random_string(length):
+    """Returns a random lowercase, uppercase, alphanumerical string.
+
+    :param int length: The length in bytes of the string to generate.
+    """
+    chars = string.ascii_lowercase + string.ascii_uppercase + string.digits
+    return ''.join(random.choice(chars) for x in range(length))
+
+def _next_year():
+    """Get the date of today plus one year.
+
+    :rtype: str
+    :returns: The date of this day next year, in the format '%Y-%m-%d'.
+    """
+    now = datetime.now().__str__()
+    date = now.split(' ', 1)[0]
+    year, month, day = date.split('-', 2)
+    next_year = str(int(year)+1)
+    return '-'.join((next_year, month, day))
+
+def _now():
+    """Get a timestamp for right now, formatted according to ISO 8601."""
+    return datetime.isoformat(datetime.now())
+
+def _threaded_copy_data(instream, outstream):
+    """Copy data from one stream to another in a separate thread.
+
+    Wraps ``_copy_data()`` in a :class:`threading.Thread`.
+
+    :type instream: :class:`io.BytesIO` or :class:`io.StringIO`
+    :param instream: A byte stream to read from.
+    :param file outstream: The file descriptor of a tmpfile to write to.
+    """
+    copy_thread = threading.Thread(target=_copy_data,
+                                   args=(instream, outstream))
+    copy_thread.setDaemon(True)
+    log.debug('%r, %r, %r', copy_thread, instream, outstream)
+    copy_thread.start()
+    return copy_thread
+
+def _utc_epoch():
+    """Get the seconds since epoch for UTC."""
+    return int(time.mktime(time.gmtime()))
+
+def _which(executable, flags=os.X_OK):
+    """Borrowed from Twisted's :mod:twisted.python.proutils .
+
+    Search PATH for executable files with the given name.
+
+    On newer versions of MS-Windows, the PATHEXT environment variable will be
+    set to the list of file extensions for files considered executable. This
+    will normally include things like ".EXE". This fuction will also find files
+    with the given name ending with any of these extensions.
+
+    On MS-Windows the only flag that has any meaning is os.F_OK. Any other
+    flags will be ignored.
+
+    Note: This function does not help us prevent an attacker who can already
+    manipulate the environment's PATH settings from placing malicious code
+    higher in the PATH. It also does happily follows links.
+
+    :param str name: The name for which to search.
+    :param int flags: Arguments to L{os.access}.
+    :rtype: list
+    :returns: A list of the full paths to files found, in the order in which
+              they were found.
+    """
+    result = []
+    exts = filter(None, os.environ.get('PATHEXT', '').split(os.pathsep))
+    path = os.environ.get('PATH', None)
+    if path is None:
+        return []
+    for p in os.environ.get('PATH', '').split(os.pathsep):
+        p = os.path.join(p, executable)
+        if os.access(p, flags):
+            result.append(p)
+        for e in exts:
+            pext = p + e
+            if os.access(pext, flags):
+                result.append(pext)
+    return result
+
+def _write_passphrase(stream, passphrase, encoding):
+    """Write the passphrase from memory to the GnuPG process' stdin.
+
+    :type stream: file, :class:BytesIO, or :class:StringIO
+    :param stream: The input file descriptor to write the password to.
+    :param str passphrase: The passphrase for the secret key material.
+    :param str encoding: The data encoding expected by GnuPG. Usually, this
+                         is ``sys.getfilesystemencoding()``.
+    """
+    passphrase = '%s\n' % passphrase
+    passphrase = passphrase.encode(encoding)
+    stream.write(passphrase)
+    log.debug("Wrote passphrase on stdin.")
+
+
+class InheritableProperty(object):
+  """Based on the emulation of PyProperty_Type() in Objects/descrobject.c"""
+
+  def __init__(self, fget=None, fset=None, fdel=None, doc=None):
+    self.fget = fget
+    self.fset = fset
+    self.fdel = fdel
+    self.__doc__ = doc
+
+  def __get__(self, obj, objtype=None):
+    if obj is None:
+      return self
+    if self.fget is None:
+      raise AttributeError, "unreadable attribute"
+    if self.fget.__name__ == '<lambda>' or not self.fget.__name__:
+      return self.fget(obj)
+    else:
+      return getattr(obj, self.fget.__name__)()
+
+  def __set__(self, obj, value):
+    if self.fset is None:
+      raise AttributeError, "can't set attribute"
+    if self.fset.__name__ == '<lambda>' or not self.fset.__name__:
+      self.fset(obj, value)
+    else:
+      getattr(obj, self.fset.__name__)(value)
+
+  def __delete__(self, obj):
+    if self.fdel is None:
+      raise AttributeError, "can't delete attribute"
+    if self.fdel.__name__ == '<lambda>' or not self.fdel.__name__:
+      self.fdel(obj)
+    else:
+      getattr(obj, self.fdel.__name__)()
diff --git a/src/_version.py b/src/_version.py
new file mode 100644
index 0000000..42d41a2
--- /dev/null
+++ b/src/_version.py
@@ -0,0 +1,197 @@
+
+IN_LONG_VERSION_PY = True
+# This file helps to compute a version number in source trees obtained from
+# git-archive tarball (such as those provided by githubs download-from-tag
+# feature). Distribution tarballs (build by setup.py sdist) and build
+# directories (produced by setup.py build) will contain a much shorter file
+# that just contains the computed version number.
+
+# This file is released into the public domain. Generated by
+# versioneer-0.7+ (https://github.com/warner/python-versioneer)
+
+# these strings will be replaced by git during git-archive
+git_refnames = "$Format:%d$"
+git_full = "$Format:%H$"
+
+
+import subprocess
+import sys
+
+def run_command(args, cwd=None, verbose=False):
+    try:
+        # remember shell=False, so use git.cmd on windows, not just git
+        p = subprocess.Popen(args, stdout=subprocess.PIPE, cwd=cwd)
+    except EnvironmentError:
+        e = sys.exc_info()[1]
+        if verbose:
+            print("unable to run %s" % args[0])
+            print(e)
+        return None
+    stdout = p.communicate()[0].strip()
+    if sys.version >= '3':
+        stdout = stdout.decode()
+    if p.returncode != 0:
+        if verbose:
+            print("unable to run %s (error)" % args[0])
+        return None
+    return stdout
+
+
+import sys
+import re
+import os.path
+
+def get_expanded_variables(versionfile_source):
+    # the code embedded in _version.py can just fetch the value of these
+    # variables. When used from setup.py, we don't want to import
+    # _version.py, so we do it with a regexp instead. This function is not
+    # used from _version.py.
+    variables = {}
+    try:
+        for line in open(versionfile_source,"r").readlines():
+            if line.strip().startswith("git_refnames ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["refnames"] = mo.group(1)
+            if line.strip().startswith("git_full ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["full"] = mo.group(1)
+    except EnvironmentError:
+        pass
+    return variables
+
+def versions_from_expanded_variables(variables, tag_prefix, verbose=False):
+    refnames = variables["refnames"].strip()
+    if refnames.startswith("$Format"):
+        if verbose:
+            print("variables are unexpanded, not using")
+        return {} # unexpanded, so not in an unpacked git-archive tarball
+    refs = set([r.strip() for r in refnames.strip("()").split(",")])
+    for ref in list(refs):
+        if not re.search(r'\d', ref):
+            if verbose:
+                print("discarding '%s', no digits" % ref)
+            refs.discard(ref)
+            # Assume all version tags have a digit. git's %d expansion
+            # behaves like git log --decorate=short and strips out the
+            # refs/heads/ and refs/tags/ prefixes that would let us
+            # distinguish between branches and tags. By ignoring refnames
+            # without digits, we filter out many common branch names like
+            # "release" and "stabilization", as well as "HEAD" and "master".
+    if verbose:
+        print("remaining refs: %s" % ",".join(sorted(refs)))
+    for ref in sorted(refs):
+        # sorting will prefer e.g. "2.0" over "2.0rc1"
+        if ref.startswith(tag_prefix):
+            r = ref[len(tag_prefix):]
+            if verbose:
+                print("picking %s" % r)
+            return { "version": r,
+                     "full": variables["full"].strip() }
+    # no suitable tags, so we use the full revision id
+    if verbose:
+        print("no suitable tags, using full revision id")
+    return { "version": variables["full"].strip(),
+             "full": variables["full"].strip() }
+
+def versions_from_vcs(tag_prefix, versionfile_source, verbose=False):
+    # this runs 'git' from the root of the source tree. That either means
+    # someone ran a setup.py command (and this code is in versioneer.py, so
+    # IN_LONG_VERSION_PY=False, thus the containing directory is the root of
+    # the source tree), or someone ran a project-specific entry point (and
+    # this code is in _version.py, so IN_LONG_VERSION_PY=True, thus the
+    # containing directory is somewhere deeper in the source tree). This only
+    # gets called if the git-archive 'subst' variables were *not* expanded,
+    # and _version.py hasn't already been rewritten with a short version
+    # string, meaning we're inside a checked out source tree.
+
+    try:
+        here = os.path.abspath(__file__)
+    except NameError:
+        # some py2exe/bbfreeze/non-CPython implementations don't do __file__
+        return {} # not always correct
+
+    # versionfile_source is the relative path from the top of the source tree
+    # (where the .git directory might live) to this file. Invert this to find
+    # the root from __file__.
+    root = here
+    if IN_LONG_VERSION_PY:
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        root = os.path.dirname(here)
+    if not os.path.exists(os.path.join(root, ".git")):
+        if verbose:
+            print("no .git in %s" % root)
+        return {}
+
+    GIT = "git"
+    if sys.platform == "win32":
+        GIT = "git.cmd"
+    stdout = run_command([GIT, "describe", "--tags", "--dirty", "--always"],
+                         cwd=root)
+    if stdout is None:
+        return {}
+    if not stdout.startswith(tag_prefix):
+        if verbose:
+            print("tag '%s' doesn't start with prefix '%s'" % (stdout, tag_prefix))
+        return {}
+    tag = stdout[len(tag_prefix):]
+    stdout = run_command([GIT, "rev-parse", "HEAD"], cwd=root)
+    if stdout is None:
+        return {}
+    full = stdout.strip()
+    if tag.endswith("-dirty"):
+        full += "-dirty"
+    return {"version": tag, "full": full}
+
+
+def versions_from_parentdir(parentdir_prefix, versionfile_source, verbose=False):
+    if IN_LONG_VERSION_PY:
+        # We're running from _version.py. If it's from a source tree
+        # (execute-in-place), we can work upwards to find the root of the
+        # tree, and then check the parent directory for a version string. If
+        # it's in an installed application, there's no hope.
+        try:
+            here = os.path.abspath(__file__)
+        except NameError:
+            # py2exe/bbfreeze/non-CPython don't have __file__
+            return {} # without __file__, we have no hope
+        # versionfile_source is the relative path from the top of the source
+        # tree to _version.py. Invert this to find the root from __file__.
+        root = here
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        # we're running from versioneer.py, which means we're running from
+        # the setup.py in a source tree. sys.argv[0] is setup.py in the root.
+        here = os.path.abspath(sys.argv[0])
+        root = os.path.dirname(here)
+
+    # Source tarballs conventionally unpack into a directory that includes
+    # both the project name and a version string.
+    dirname = os.path.basename(root)
+    if not dirname.startswith(parentdir_prefix):
+        if verbose:
+            print("guessing rootdir is '%s', but '%s' doesn't start with prefix '%s'" %
+                  (root, dirname, parentdir_prefix))
+        return None
+    return {"version": dirname[len(parentdir_prefix):], "full": ""}
+
+tag_prefix = "python-gnupg-"
+parentdir_prefix = "python-gnupg-"
+versionfile_source = "src/_version.py"
+
+def get_versions(default={"version": "unknown", "full": ""}, verbose=False):
+    variables = { "refnames": git_refnames, "full": git_full }
+    ver = versions_from_expanded_variables(variables, tag_prefix, verbose)
+    if not ver:
+        ver = versions_from_vcs(tag_prefix, versionfile_source, verbose)
+    if not ver:
+        ver = versions_from_parentdir(parentdir_prefix, versionfile_source,
+                                      verbose)
+    if not ver:
+        ver = default
+    return ver
+
diff --git a/src/copyleft.py b/src/copyleft.py
new file mode 100644
index 0000000..d557030
--- /dev/null
+++ b/src/copyleft.py
@@ -0,0 +1,50 @@
+#-*- encoding: utf-8 -*-
+'''
+Copyright information for python-gnupg.
+'''
+
+copyright = """\
+Copyright (C) 2013 Isis Lovecruft.
+See LICENSE for details."""
+
+disclaimer = """\
+This file is part of python-gnupg, a Python wrapper around GnuPG.
+%s
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as 
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Affero General Public License for more details.""" % (copyright,)
+
+
+txcopyright = """\
+Where stated, parts of this program were taken from Twisted, which is
+licensed as follows:
+
+Twisted, the Framework of Your Internet
+Copyright (c) 2001-2013 Twisted Matrix Laboratories.
+See LICENSE for details.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE."""
diff --git a/src/gnupg.py b/src/gnupg.py
new file mode 100644
index 0000000..7158ff5
--- /dev/null
+++ b/src/gnupg.py
@@ -0,0 +1,1710 @@
+# -*- coding: utf-8 -*-
+#
+# This file is part of python-gnupg, a Python interface to GnuPG.
+# Copyright © 2013 Isis Lovecruft
+#           © 2008-2012 Vinay Sajip
+#           © 2005 Steve Traugott
+#           © 2004 A.M. Kuchling
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+"""gnupg.py
+========
+A Python interface to GnuPG.
+
+This is a modified version of python-gnupg-0.3.0, which was created by Vinay
+Sajip, which itself is a modification of GPG.py written by Steve Traugott,
+which in turn is a modification of the pycrypto GnuPG interface written by
+A.M. Kuchling.
+
+This version is patched to sanitize untrusted inputs, due to the necessity of
+executing :class:`subprocess.Popen([...], shell=True)` in order to communicate
+with GnuPG.
+
+:Info: see <https://www.github.com/isislovecruft/python-gnupg>
+:Authors: A.M. Kuchling, Steve Traugott, Vinay Sajip, Isis Lovecruft
+:Date: $Date: 2013-04-04 01:11:01 +0000 (Thursday, April 4, 2013) $
+:Description: Documentation of python-gnupg, a Python module for GnuPG.
+
+
+Previous Authors' Documentation
+-------------------------------
+
+Steve Traugott's documentation:
+
+    Portions of this module are derived from A.M. Kuchling's well-designed
+    GPG.py, using Richard Jones' updated version 1.3, which can be found in
+    the pycrypto CVS repository on Sourceforge:
+
+    http://pycrypto.cvs.sourceforge.net/viewvc/pycrypto/gpg/GPG.py
+
+    This module is *not* forward-compatible with amk's; some of the old
+    interface has changed.  For instance, since I've added decrypt
+    functionality, I elected to initialize with a 'gpghome' argument instead
+    of 'keyring', so that gpg can find both the public and secret keyrings.
+    I've also altered some of the returned objects in order for the caller to
+    not have to know as much about the internals of the result classes.
+
+    While the rest of ISconf is released under the GPL, I am releasing this
+    single file under the same terms that A.M. Kuchling used for pycrypto.
+
+    Steve Traugott, stevegt@terraluna.org
+    Thu Jun 23 21:27:20 PDT 2005
+
+
+Vinay Sajip's documentation:
+
+    This version of the module has been modified from Steve Traugott's version
+    (see http://trac.t7a.org/isconf/browser/trunk/lib/python/isconf/GPG.py) by
+    Vinay Sajip to make use of the subprocess module (Steve's version uses
+    os.fork() and so does not work on Windows). Renamed to gnupg.py to avoid
+    confusion with the previous versions.
+
+    A unittest harness (test_gnupg.py) has also been added.
+
+    Modifications Copyright (C) 2008-2012 Vinay Sajip. All rights reserved.
+"""
+
+try:
+    from io import StringIO
+    from io import BytesIO
+except ImportError:
+    from cStringIO import StringIO
+
+from codecs     import open as open
+from pprint     import pprint
+from psutil     import process_iter
+from subprocess import Popen
+from subprocess import PIPE
+
+import atexit
+import codecs
+## For AOS, the locale module will need to point to a wrapper around the
+## java.util.Locale class.
+## See https://code.patternsinthevoid.net/?p=android-locale-hack.git
+import encodings
+import locale
+import logging
+import os
+import re
+import sys
+import tempfile
+import threading
+
+from _parsers import _fix_unsafe, _sanitise, _is_allowed, _sanitise_list
+from _parsers import _check_preferences
+from _util    import _conf, _is_list_or_tuple, _is_stream
+from _util    import _make_binary_stream
+from _util    import log
+
+import _util
+import _parsers
+
+
+class GPGMeta(type):
+    """Metaclass for changing the :meth:GPG.__init__ initialiser.
+
+    Detects running gpg-agent processes and the presence of a pinentry
+    program, and disables pinentry so that python-gnupg can write the
+    passphrase to the controlled GnuPG process without killing the agent.
+    """
+
+    def __new__(cls, name, bases, attrs):
+        """Construct the initialiser for GPG"""
+        log.debug("Metaclass __new__ constructor called for %r" % cls)
+        if cls._find_agent():
+            ## call the normal GPG.__init__() initialisor:
+            attrs['init'] = cls.__init__ ## nothing changed for now
+            attrs['_remove_agent'] = True
+        return super(GPGMeta, cls).__new__(cls, name, bases, attrs)
+
+    @classmethod
+    def _find_agent(cls):
+        """Discover if a gpg-agent process for the current euid is running.
+
+        If there is a matching gpg-agent process, set a :class:psutil.Process
+        instance containing the gpg-agent process' information to
+        :attr:cls._agent_proc.
+
+        :returns: True if there exists a gpg-agent process running under the
+                  same effective user ID as that of this program. Otherwise,
+                  returns None.
+        """
+        identity = os.getresuid()
+        for proc in process_iter():
+            if (proc.name == "gpg-agent") and proc.is_running:
+                log.debug("Found gpg-agent process with pid %d" % proc.pid)
+                if proc.uids == identity:
+                    log.debug(
+                        "Effective UIDs of this process and gpg-agent match")
+                    setattr(cls, '_agent_proc', proc)
+                    return True
+
+    ## xxx we might not need this, try setting:
+    ## attrs['remove_path'] = __remove_path__
+
+    # @classmethod
+    # def _init_decorator(cls):
+    #     """Wraps the :meth:__init__ function in a partial of itself."""
+    #     log.debug("_init_decorator called for %s" % cls.__init__.__repr__())
+    #     def _init_wrapper(*args, **kwargs):
+    #         wraps(cls.__init__, *args, **kwargs)
+    #         if getattr(cls, '_agent_proc', None) is not None:
+    #             cls.__remove_path__(prog='pinentry')
+    #     return _init_wrapper
+
+
+class GPGBase(object):
+    """Base class to control process initialisation and for property storage."""
+
+    __metaclass__  = GPGMeta
+
+    def __init__(self, binary=None, home=None, keyring=None, secring=None,
+                 use_agent=False, default_preference_list=None,
+                 verbose=False, options=None):
+
+        self.binary  = _util._find_binary(binary)
+        self.homedir = home if home else _conf
+        pub = _fix_unsafe(keyring) if keyring else 'pubring.gpg'
+        sec = _fix_unsafe(secring) if secring else 'secring.gpg'
+        self.keyring = os.path.join(self._homedir, pub)
+        self.secring = os.path.join(self._homedir, sec)
+        self.options = _sanitise(options) if options else None
+
+        if default_preference_list:
+            self._prefs = _check_options(default_preference_list, 'all')
+        else:
+            self._prefs  = 'SHA512 SHA384 SHA256 AES256 CAMELLIA256 TWOFISH'
+            self._prefs += ' AES192 ZLIB ZIP Uncompressed'
+
+        encoding = locale.getpreferredencoding()
+        if encoding is None: # This happens on Jython!
+            encoding = sys.stdin.encoding
+        self.encoding = encoding.lower().replace('-', '_')
+        self.filesystemencoding = encodings.normalize_encoding(
+            sys.getfilesystemencoding().lower())
+
+        try:
+            assert self.binary, "Could not find binary %s" % binary
+            assert isinstance(verbose, (bool, str, int)), \
+                "'verbose' must be boolean, string, or 0 <= n <= 9"
+            assert isinstance(use_agent, bool), "'use_agent' must be boolean"
+            if self.options is not None:
+                assert isinstance(self.options, str), "options not string"
+        except (AssertionError, AttributeError) as ae:
+            log.error("GPGBase.__init__(): %s" % ae.message)
+            raise RuntimeError(ae.message)
+        else:
+            self.verbose = verbose
+            self.use_agent = use_agent
+
+        if hasattr(self, '_agent_proc') \
+                and getattr(self, '_remove_agent', None) is True:
+            if hasattr(self, '__remove_path__'):
+                self.__remove_path__('pinentry')
+
+    def __remove_path__(self, prog=None, at_exit=True):
+        """Remove a the directories containing a program from the system's
+        $PATH. If self.gpg.binary is in a directory being removed, it is
+        symlinked to './gpg'
+
+        :param str prog:
+        """
+        self._removed_path_entries = []
+
+        log.debug("Attempting to remove %s from system PATH" % str(prog))
+        if (prog is None) or (not isinstance(prog, str)): return
+
+        try:
+            program = _util._which(prog)[0]
+        except (OSError, IOError, IndexError) as err:
+            log.err(err.message)
+            log.err("Cannot find program '%s', not changing PATH." % prog)
+            return
+
+        ## __remove_path__ cannot be an @classmethod in GPGMeta, because
+        ## the use_agent attribute must be set by the instance.
+        if not self.use_agent:
+            program_base = os.path.dirname(prog)
+            gnupg_base = os.path.dirname(self.binary)
+
+            ## symlink our gpg binary into $PWD if the path we are removing is
+            ## the one which contains our gpg executable:
+            if gnupg_base == program_base:
+                os.symlink(self.binary, os.path.join(os.getcwd(), 'gpg'))
+
+            ## copy the original environment so that we can put it back later:
+            env_copy = os.environ            ## this one should not be touched
+            path_copy = os.environ.pop('PATH')
+            log.debug("Created a copy of system PATH: %r" % path_copy)
+            assert not os.environ.has_key('PATH'), "OS env kept $PATH anyway!"
+
+            @staticmethod
+            def remove_program_from_path(path, prog_base):
+                """Remove all directories which contain a program from PATH.
+
+                :param str path: The contents of the system environment's
+                                 PATH.
+                :param str prog_base: The base (directory only) portion of a
+                                      program's location.
+                """
+                paths = path.split(':')
+                for directory in paths:
+                    if directory == prog_base:
+                        log.debug("Found directory with target program: %s"
+                                  % directory)
+                        path.remove(directory)
+                        self._removed_path_entries.append(directory)
+                log.debug("Deleted all found instance of %s." % directory)
+                log.debug("PATH is now:%s%s" % (os.linesep, path))
+                new_path = ':'.join([p for p in path])
+                return new_path
+
+            @staticmethod
+            def update_path(environment, path):
+                """Add paths to the string at os.environ['PATH'].
+
+                :param str environment: The environment mapping to update.
+                :param list path: A list of strings to update the PATH with.
+                """
+                log.debug("Updating system path...")
+                os.environ = environment
+                new_path = ':'.join([p for p in path])
+                old = ''
+                if 'PATH' in os.environ:
+                    new_path = ':'.join([os.environ['PATH'], new_path])
+                os.environ.update({'PATH': new_path})
+                log.debug("System $PATH: %s" % os.environ['PATH'])
+
+            modified_path = remove_program_from_path(path_copy, program_base)
+            update_path(env_copy, modified_path)
+
+            ## register an _exithandler with the python interpreter:
+            atexit.register(update_path, env_copy, path_copy)
+
+            @atexit.register
+            def remove_symlinked_binary():
+                loc = os.path.join(os.getcwd(), 'gpg')
+                if os.path.islink(loc):
+                    os.unline(loc)
+                    log.debug("Removed binary symlink '%s'" % loc)
+
+    @property
+    def default_preference_list(self):
+        """Get the default preference list."""
+        return self._prefs
+
+    @default_preference_list.setter
+    def default_preference_list(self, prefs):
+        """Set the default preference list.
+
+        :param str prefs: A string containing the default preferences for
+                          ciphers, digests, and compression algorithms.
+        """
+        prefs = _check_preferences(prefs)
+        if prefs is not None:
+            self._prefs = prefs
+
+    @default_preference_list.deleter
+    def default_preference_list(self, prefs):
+        """Reset the default preference list to its original state.
+
+        Note that "original state" does not mean the default preference
+        list for whichever version of GnuPG is being used. It means the
+        default preference list defined by :attr:`GPGBase._preferences`.
+
+        Using BZIP2 is avoided due to not interacting well with some versions
+        of GnuPG>=2.0.0.
+        """
+        self._prefs = 'SHA512 SHA384 SHA256 AES256 CAMELLIA256 TWOFISH ZLIB ZIP'
+
+    def _homedir_getter(self):
+        """Get the directory currently being used as GnuPG's homedir.
+
+        If unspecified, use $HOME/.config/python-gnupg/
+
+        :rtype: str
+        :returns: The absolute path to the current GnuPG homedir.
+        """
+        return self._homedir
+
+    def _homedir_setter(self, directory):
+        """Set the directory to use as GnuPG's homedir.
+
+        If unspecified, use $HOME/.config/python-gnupg. If specified, ensure
+        that the ``directory`` does not contain various shell escape
+        characters. If ``directory`` is not found, it will be automatically
+        created. Lastly, the ``direcory`` will be checked that the EUID has
+        read and write permissions for it.
+
+        :param str homedir: A relative or absolute path to the directory to use
+                            for storing/accessing GnuPG's files, including
+                            keyrings and the trustdb.
+        :raises: :exc:`RuntimeError` if unable to find a suitable directory to
+                 use.
+        """
+        if not directory:
+            log.debug("GPGBase._homedir_setter(): Using default homedir: '%s'"
+                         % _conf)
+            directory = _conf
+
+        hd = _fix_unsafe(directory)
+        log.debug("GPGBase._homedir_setter(): got directory '%s'" % hd)
+
+        if hd:
+            log.debug("GPGBase._homedir_setter(): Check existence of '%s'" % hd)
+            _util._create_if_necessary(hd)
+
+        try:
+            log.debug("GPGBase._homedir_setter(): checking permissions")
+            assert _util._has_readwrite(hd), \
+                "Homedir '%s' needs read/write permissions" % hd
+        except AssertionError as ae:
+            msg = ("Unable to set '%s' as GnuPG homedir" % directory)
+            log.debug("GPGBase.homedir.setter(): %s" % msg)
+            log.debug(ae.message)
+            raise RuntimeError(ae.message)
+        else:
+            log.info("Setting homedir to '%s'" % hd)
+            self._homedir = hd
+
+    homedir = _util.InheritableProperty(_homedir_getter, _homedir_setter)
+
+
+class GPG(GPGBase):
+    """Encapsulate access to the gpg executable"""
+
+    _decode_errors = 'strict'
+    _result_map    = { 'crypt':    _parsers.Crypt,
+                       'delete':   _parsers.DeleteResult,
+                       'generate': _parsers.GenKey,
+                       'import':   _parsers.ImportResult,
+                       'list':     _parsers.ListKeys,
+                       'sign':     _parsers.Sign,
+                       'verify':   _parsers.Verify,
+                       'packets':  _parsers.ListPackets }
+    #: The number of simultaneous keyids we should list operations like
+    #  '--list-sigs' to:
+    _batch_limit    = 25
+
+    def __init__(self, binary=None, homedir=None, verbose=False,
+                 use_agent=False, keyring=None, secring=None,
+                 default_preference_list=None, options=None):
+        """Initialize a GnuPG process wrapper.
+
+        :param str binary: Name for GnuPG binary executable. If the absolute
+                           path is not given, the evironment variable $PATH is
+                           searched for the executable and checked that the
+                           real uid/gid of the user has sufficient permissions.
+
+        :param str homedir: Full pathname to directory containing the public
+                            and private keyrings. Default is whatever GnuPG
+                            defaults to.
+
+        :param str keyring: Name of keyring file containing public key data, if
+                            unspecified, defaults to 'pubring.gpg' in the
+                            ``homedir`` directory.
+
+        :param str secring: Name of alternative secret keyring file to use. If
+                            left unspecified, this will default to using
+                            'secring.gpg' in the :param:homedir directory, and
+                            create that file if it does not exist.
+
+        :param str pubring: Name of alternative public keyring file to use. If
+                            left unspecified, this will default to using
+                            'pubring.gpg' in the :param:homedir directory, and
+                            create that file if it does not exist.
+
+        :param list options: A list of additional options to pass to the GPG
+                             binary.
+
+        :raises: :exc:`RuntimeError` with explanation message if there is a
+                 problem invoking gpg.
+
+        Example:
+
+        >>> import gnupg
+        GnuPG logging disabled...
+        >>> gpg = gnupg.GPG(homedir='./test-homedir')
+        >>> gpg.keyring
+        './test-homedir/pubring.gpg'
+        >>> gpg.secring
+        './test-homedir/secring.gpg'
+        >>> gpg.use_agent
+        False
+        >>> gpg.binary
+        '/usr/bin/gpg'
+        >>> import os
+        >>> import shutil
+        >>> if os.path.exists('./test-homedir'):
+        ...     shutil.rmtree('./test-homedir')
+        ...
+
+        """
+
+        super(GPG, self).__init__(
+            binary=binary,
+            home=homedir,
+            keyring=keyring,
+            secring=secring,
+            default_preference_list=default_preference_list,
+            options=options,
+            verbose=verbose,
+            use_agent=use_agent,)
+
+        log.info("""
+Initialised settings:
+binary: %s
+homedir: %s
+keyring: %s
+secring: %s
+default_preference_list: %s
+options: %s
+verbose: %s
+use_agent: %s
+        """ % (self.binary, self.homedir, self.keyring, self.secring,
+               self.default_preference_list, self.options, str(self.verbose),
+               str(self.use_agent)))
+
+        self._batch_dir = os.path.join(self.homedir, 'batch-files')
+        self._key_dir  = os.path.join(self.homedir, 'generated-keys')
+
+        #: The keyring used in the most recently created batch file
+        self.temp_keyring = None
+        #: The secring used in the most recently created batch file
+        self.temp_secring = None
+
+        ## check that everything runs alright:
+        proc = self._open_subprocess(["--list-config", "--with-colons"])
+        result = self._result_map['list'](self)
+        self._collect_output(proc, result, stdin=proc.stdin)
+        if proc.returncode != 0:
+            raise RuntimeError("Error invoking gpg: %s: %s"
+                               % (proc.returncode, result.stderr))
+
+    def _make_args(self, args, passphrase=False):
+        """Make a list of command line elements for GPG. The value of ``args``
+        will be appended only if it passes the checks in
+        :func:`parsers._sanitise`. The ``passphrase`` argument needs to be True
+        if a passphrase will be sent to GPG, else False.
+
+        :param list args: A list of strings of options and flags to pass to
+                          ``GPG.binary``. This is input safe, meaning that
+                          these values go through strict checks (see
+                          ``parsers._sanitise_list``) before being passed to to
+                          the input file descriptor for the GnuPG process.
+                          Each string should be given exactly as it would be on
+                          the commandline interface to GnuPG,
+                          e.g. ["--cipher-algo AES256", "--default-key
+                          A3ADB67A2CDB8B35"].
+
+        :param bool passphrase: If True, the passphrase will be sent to the
+                                stdin file descriptor for the attached GnuPG
+                                process.
+        """
+        ## see TODO file, tag :io:makeargs:
+        cmd = [self.binary,
+               '--no-options --no-emit-version --no-tty --status-fd 2']
+
+        if self.homedir: cmd.append('--homedir "%s"' % self.homedir)
+
+        if self.keyring:
+            cmd.append('--no-default-keyring --keyring %s' % self.keyring)
+        if self.secring:
+            cmd.append('--secret-keyring %s' % self.secring)
+
+        if passphrase: cmd.append('--batch --passphrase-fd 0')
+
+        if self.use_agent: cmd.append('--use-agent')
+        else: cmd.append('--no-use-agent')
+
+        if self.options:
+            [cmd.append(opt) for opt in iter(_sanitise_list(self.options))]
+        if args:
+            [cmd.append(arg) for arg in iter(_sanitise_list(args))]
+
+        if self.verbose:
+            cmd.append('--debug-all')
+            if ((isinstance(self.verbose, str) and
+                 self.verbose in ['basic', 'advanced', 'expert', 'guru'])
+                or (isinstance(self.verbose, int) and (1<=self.verbose<=9))):
+                cmd.append('--debug-level %s' % self.verbose)
+
+        return cmd
+
+    def _open_subprocess(self, args=None, passphrase=False):
+        """Open a pipe to a GPG subprocess and return the file objects for
+        communicating with it.
+
+        :param list args: A list of strings of options and flags to pass to
+                          ``GPG.binary``. This is input safe, meaning that
+                          these values go through strict checks (see
+                          ``parsers._sanitise_list``) before being passed to to
+                          the input file descriptor for the GnuPG process.
+                          Each string should be given exactly as it would be on
+                          the commandline interface to GnuPG,
+                          e.g. ["--cipher-algo AES256", "--default-key
+                          A3ADB67A2CDB8B35"].
+
+        :param bool passphrase: If True, the passphrase will be sent to the
+                                stdin file descriptor for the attached GnuPG
+                                process.
+        """
+        ## see http://docs.python.org/2/library/subprocess.html#converting-an\
+        ##    -argument-sequence-to-a-string-on-windows
+        cmd = ' '.join(self._make_args(args, passphrase))
+        log.debug("Sending command to GnuPG process:%s%s" % (os.linesep, cmd))
+        return Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
+
+    def _read_response(self, stream, result):
+        """Reads all the stderr output from GPG, taking notice only of lines
+        that begin with the magic [GNUPG:] prefix.
+
+        Calls methods on the response object for each valid token found, with
+        the arg being the remainder of the status line.
+        """
+        lines = []
+        while True:
+            line = stream.readline()
+            if len(line) == 0:
+                break
+            lines.append(line)
+            line = line.rstrip()
+            if line[0:9] == '[GNUPG:] ':
+                # Chop off the prefix
+                line = line[9:]
+                log.status("%s" % line)
+                L = line.split(None, 1)
+                keyword = L[0]
+                if len(L) > 1:
+                    value = L[1]
+                else:
+                    value = ""
+                result.handle_status(keyword, value)
+            elif line[0:5] == 'gpg: ':
+                log.warn("%s" % line)
+            else:
+                if self.verbose:
+                    log.info("%s" % line)
+                else:
+                    log.debug("%s" % line)
+        result.stderr = ''.join(lines)
+
+    def _read_data(self, stream, result):
+        """Read the contents of the file from GPG's stdout."""
+        chunks = []
+        while True:
+            data = stream.read(1024)
+            if len(data) == 0:
+                break
+            log.debug("read from stdout: %r" % data[:256])
+            chunks.append(data)
+        if _util._py3k:
+            # Join using b'' or '', as appropriate
+            result.data = type(data)().join(chunks)
+        else:
+            result.data = ''.join(chunks)
+
+    def _collect_output(self, process, result, writer=None, stdin=None):
+        """Drain the subprocesses output streams, writing the collected output
+        to the result. If a writer thread (writing to the subprocess) is given,
+        make sure it's joined before returning. If a stdin stream is given,
+        close it before returning.
+        """
+        stderr = codecs.getreader(self.encoding)(process.stderr)
+        rr = threading.Thread(target=self._read_response, args=(stderr, result))
+        rr.setDaemon(True)
+        log.debug('stderr reader: %r', rr)
+        rr.start()
+
+        stdout = process.stdout
+        dr = threading.Thread(target=self._read_data, args=(stdout, result))
+        dr.setDaemon(True)
+        log.debug('stdout reader: %r', dr)
+        dr.start()
+
+        dr.join()
+        rr.join()
+        if writer is not None:
+            writer.join()
+        process.wait()
+        if stdin is not None:
+            try:
+                stdin.close()
+            except IOError:
+                pass
+        stderr.close()
+        stdout.close()
+
+    def _handle_io(self, args, file, result, passphrase=False, binary=False):
+        """Handle a call to GPG - pass input data, collect output data."""
+        p = self._open_subprocess(args, passphrase)
+        if not binary:
+            stdin = codecs.getwriter(self.encoding)(p.stdin)
+        else:
+            stdin = p.stdin
+        if passphrase:
+            _util._write_passphrase(stdin, passphrase, self.encoding)
+        writer = _util._threaded_copy_data(file, stdin)
+        self._collect_output(p, result, writer, stdin)
+        return result
+
+    def sign(self, data, **kwargs):
+        """Create a signature for a message string or file.
+
+        Note that this method is not for signing other keys. (In GnuPG's terms,
+        what we all usually call 'keysigning' is actually termed
+        'certification'...) Even though they are cryptographically the same
+        operation, GnuPG differentiates between them, presumedly because these
+        operations are also the same as the decryption operation. If the
+        ``key_usage``s ``C (certification)``, ``S (sign)``, and ``E
+        (encrypt)``, were all the same key, the key would "wear down" through
+        frequent signing usage -- since signing data is usually done often --
+        meaning that the secret portion of the keypair, also used for
+        decryption in this scenario, would have a statistically higher
+        probability of an adversary obtaining an oracle for it (or for a
+        portion of the rounds in the cipher algorithm, depending on the family
+        of cryptanalytic attack used).
+
+        In simpler terms: this function isn't for signing your friends' keys,
+        it's for something like signing an email.
+
+        :type data: str or file
+        :param data: A string or file stream to sign.
+        :param str keyid: The key to sign with.
+        :param str passphrase: The passphrase to pipe to stdin.
+        :param bool clearsign: If True, create a cleartext signature.
+        :param bool detach: If True, create a detached signature.
+        :param bool binary: If True, do not ascii armour the output.
+        """
+        if isinstance(data, file):
+            log.warn("Note: This function is not for signing other keys,")
+            log.warn("      see the docstring for GPG.sign()")
+            if 'keyid' in kwargs.items():
+                log.info("Signing file '%r' with keyid: %s"
+                         % (data, kwargs[keyid]))
+            else:
+                log.warn("No 'sign_with' keyid given! Using default key.")
+            result = self._sign_file(data, **kwargs)
+
+        elif not _is_stream(data):
+            if 'keyid' in kwargs.items():
+                log.info("Signing data string '%s' with keyid: %s"
+                         % (data, kwargs[keyid]))
+            else:
+                log.warn("No 'sign_with' keyid given! Using default key.")
+            stream = _make_binary_stream(data, self.encoding)
+            result = self._sign_file(stream, **kwargs)
+            stream.close()
+
+        else:
+            log.warn("Unable to sign message '%s' with type %s"
+                     % (data, type(data)))
+            result = None
+        return result
+
+    def _sign_file(self, file, default_key=None, passphrase=None,
+                   clearsign=True, detach=False, binary=False):
+        """Create a signature for a file.
+
+        :param file: The file stream (i.e. it's already been open()'d) to sign.
+        :param str keyid: The key to sign with.
+        :param str passphrase: The passphrase to pipe to stdin.
+        :param bool clearsign: If True, create a cleartext signature.
+        :param bool detach: If True, create a detached signature.
+        :param bool binary: If True, do not ascii armour the output.
+        """
+        log.debug("_sign_file():")
+        if binary:
+            log.info("Creating binary signature for file %s" % file)
+            args = ['--sign']
+        else:
+            log.info("Creating ascii-armoured signature for file %s" % file)
+            args = ['--sign --armor']
+
+        if clearsign:
+            args.append("--clearsign")
+            if detach:
+                log.warn("Cannot use both --clearsign and --detach-sign.")
+                log.warn("Using default GPG behaviour: --clearsign only.")
+        elif detach and not clearsign:
+            args.append("--detach-sign")
+
+        if default_key:
+            args.append(str("--default-key %s" % default_key))
+
+        ## We could use _handle_io here except for the fact that if the
+        ## passphrase is bad, gpg bails and you can't write the message.
+        result = self._result_map['sign'](self)
+        proc = self._open_subprocess(args, passphrase is not None)
+        try:
+            if passphrase:
+                _util._write_passphrase(proc.stdin, passphrase, self.encoding)
+            writer = _util._threaded_copy_data(file, proc.stdin)
+        except IOError as ioe:
+            log.exception("Error writing message: %s" % ioe.message)
+            writer = None
+        self._collect_output(proc, result, writer, proc.stdin)
+        return result
+
+    def verify(self, data):
+        """Verify the signature on the contents of the string ``data``.
+
+        >>> gpg = GPG(homedir="keys")
+        >>> input = gpg.gen_key_input(Passphrase='foo')
+        >>> key = gpg.gen_key(input)
+        >>> assert key
+        >>> sig = gpg.sign('hello',keyid=key.fingerprint,passphrase='bar')
+        >>> assert not sig
+        >>> sig = gpg.sign('hello',keyid=key.fingerprint,passphrase='foo')
+        >>> assert sig
+        >>> verify = gpg.verify(sig.data)
+        >>> assert verify
+
+        """
+        f = _make_binary_stream(data, self.encoding)
+        result = self.verify_file(f)
+        f.close()
+        return result
+
+    def verify_file(self, file, sig_file=None):
+        """Verify the signature on the contents of a file or file-like
+        object. Can handle embedded signatures as well as detached
+        signatures. If using detached signatures, the file containing the
+        detached signature should be specified as the ``sig_file``.
+
+        :param file file: A file descriptor object. Its type will be checked
+                          with :func:`_util._is_file`.
+        :param str sig_file: A file containing the GPG signature data for
+                             ``file``. If given, ``file`` is verified via this
+                             detached signature.
+        """
+
+        fn = None
+        result = self._result_map['verify'](self)
+
+        if sig_file is None:
+            log.debug("verify_file(): Handling embedded signature")
+            args = ["--verify"]
+            proc = self._open_subprocess(args)
+            writer = _util._threaded_copy_data(file, proc.stdin)
+            self._collect_output(proc, result, writer, stdin=proc.stdin)
+        else:
+            if not _util._is_file(sig_file):
+                log.debug("verify_file(): '%r' is not a file" % sig_file)
+                return result
+            log.debug('verify_file(): Handling detached verification')
+            sig_fh = None
+            try:
+                sig_fh = open(sig_file)
+                args = ["--verify %s - " % sig_fh.name]
+                proc = self._open_subprocess(args)
+                writer = _util._threaded_copy_data(file, proc.stdin)
+                self._collect_output(proc, result, stdin=proc.stdin)
+            finally:
+                if sig_fh and not sig_fh.closed:
+                    sig_fh.close()
+        return result
+
+    def import_keys(self, key_data):
+        """
+        Import the key_data into our keyring.
+
+        >>> import shutil
+        >>> shutil.rmtree("doctests")
+        >>> gpg = gnupg.GPG(homedir="doctests")
+        >>> inpt = gpg.gen_key_input()
+        >>> key1 = gpg.gen_key(inpt)
+        >>> print1 = str(key1.fingerprint)
+        >>> pubkey1 = gpg.export_keys(print1)
+        >>> seckey1 = gpg.export_keys(print1,secret=True)
+        >>> key2 = gpg.gen_key(inpt)
+        >>> print2 = key2.fingerprint
+        >>> seckeys = gpg.list_keys(secret=True)
+        >>> pubkeys = gpg.list_keys()
+        >>> assert print1 in seckeys.fingerprints
+        >>> assert print1 in pubkeys.fingerprints
+        >>> str(gpg.delete_keys(print1))
+        'Must delete secret key first'
+        >>> str(gpg.delete_keys(print1,secret=True))
+        'ok'
+        >>> str(gpg.delete_keys(print1))
+        'ok'
+        >>> pubkeys = gpg.list_keys()
+        >>> assert not print1 in pubkeys.fingerprints
+        >>> result = gpg.import_keys(pubkey1)
+        >>> pubkeys = gpg.list_keys()
+        >>> seckeys = gpg.list_keys(secret=True)
+        >>> assert not print1 in seckeys.fingerprints
+        >>> assert print1 in pubkeys.fingerprints
+        >>> result = gpg.import_keys(seckey1)
+        >>> assert result
+        >>> seckeys = gpg.list_keys(secret=True)
+        >>> assert print1 in seckeys.fingerprints
+        """
+        ## xxx need way to validate that key_data is actually a valid GPG key
+        ##     it might be possible to use --list-packets and parse the output
+
+        result = self._result_map['import'](self)
+        log.info('Importing: %r', key_data[:256])
+        data = _make_binary_stream(key_data, self.encoding)
+        self._handle_io(['--import'], data, result, binary=True)
+        #pretty = pprint(result.__dict__, indent=4, width=76, depth=8)
+        #log.debug("Import result:%s%s" % (os.linesep, pretty))
+        data.close()
+        return result
+
+    def recv_keys(self, keyserver, *keyids):
+        """Import a key from a keyserver
+
+        >>> import shutil
+        >>> shutil.rmtree("doctests")
+        >>> gpg = gnupg.GPG(homedir="doctests")
+        >>> result = gpg.recv_keys('pgp.mit.edu', '3FF0DB166A7476EA')
+        >>> assert result
+
+        """
+        safe_keyserver = _fix_unsafe(keyserver)
+
+        result = self._result_map['import'](self)
+        data = _make_binary_stream("", self.encoding)
+        args = ['--keyserver', keyserver, '--recv-keys']
+
+        if keyids:
+            if keyids is not None:
+                safe_keyids = ' '.join(
+                    [(lambda: _fix_unsafe(k))() for k in keyids])
+                log.debug('recv_keys: %r', safe_keyids)
+                args.extend(safe_keyids)
+
+        self._handle_io(args, data, result, binary=True)
+        data.close()
+        log.debug('recv_keys result: %r', result.__dict__)
+        return result
+
+    def delete_keys(self, fingerprints, secret=False, subkeys=False):
+        """Delete a key, or list of keys, from the current keyring.
+
+        The keys must be refered to by their full fingerprint for GnuPG to
+        delete them. If :param:`secret <secret=True>`, the corresponding secret
+        keyring will be deleted from :attr:`GPG.secring <self.secring>`.
+
+        :type fingerprints: str or list or tuple
+        :param fingerprints: A string representing the fingerprint (or a
+                             list/tuple of fingerprint strings) for the key(s)
+                             to delete.
+
+        :param bool secret: If True, delete the corresponding secret key(s)
+                            also. (default: False)
+        :param bool subkeys: If True, delete the secret subkey first, then
+                             the public key. Same as
+                            ``gpg --delete-secret-and-public-key 0x12345678``
+                            (default: False)
+        """
+
+        which='keys'
+        if secret:
+            which='secret-key'
+        if subkeys:
+            which='secret-and-public-key'
+
+        if _is_list_or_tuple(fingerprints):
+            fingerprints = ' '.join(fingerprints)
+
+        args = ['--batch']
+        args.append("--delete-{} {}".format(which, fingerprints))
+
+        result = self._result_map['delete'](self)
+        p = self._open_subprocess(args)
+        self._collect_output(p, result, stdin=p.stdin)
+        return result
+
+    def export_keys(self, keyids, secret=False, subkeys=False):
+        """Export the indicated ``keyids``.
+
+        :param str keyids: A keyid or fingerprint in any format that GnuPG will
+                           accept.
+        :param bool secret: If True, export only the secret key.
+        :param bool subkeys: If True, export the secret subkeys.
+        """
+        which=''
+        if subkeys:
+            which='-secret-subkeys'
+        elif secret:
+            which='-secret-keys'
+
+        if _is_list_or_tuple(keyids):
+            keyids = ' '.join(['%s' % k for k in keyids])
+
+        args = ["--armor"]
+        args.append("--export{} {}".format(which, keyids))
+
+        p = self._open_subprocess(args)
+        ## gpg --export produces no status-fd output; stdout will be empty in
+        ## case of failure
+        #stdout, stderr = p.communicate()
+        result = self._result_map['delete'](self) # any result will do
+        self._collect_output(p, result, stdin=p.stdin)
+        log.debug('Exported:%s%r' % (os.linesep, result.data))
+        return result.data.decode(self.encoding, self._decode_errors)
+
+    def list_keys(self, secret=False):
+        """List the keys currently in the keyring.
+
+        The GnuPG option '--show-photos', according to the GnuPG manual, "does
+        not work with --with-colons", but since we can't rely on all versions
+        of GnuPG to explicitly handle this correctly, we should probably
+        include it in the args.
+
+        >>> import shutil
+        >>> shutil.rmtree("keys")
+        >>> gpg = GPG(homedir="keys")
+        >>> input = gpg.gen_key_input()
+        >>> result = gpg.gen_key(input)
+        >>> print1 = result.fingerprint
+        >>> result = gpg.gen_key(input)
+        >>> print2 = result.fingerprint
+        >>> pubkeys = gpg.list_keys()
+        >>> assert print1 in pubkeys.fingerprints
+        >>> assert print2 in pubkeys.fingerprints
+        """
+
+        which='public-keys'
+        if secret:
+            which='secret-keys'
+        args = "--list-%s --fixed-list-mode --fingerprint " % (which,)
+        args += "--with-colons --list-options no-show-photos"
+        args = [args]
+        p = self._open_subprocess(args)
+
+        # there might be some status thingumy here I should handle... (amk)
+        # ...nope, unless you care about expired sigs or keys (stevegt)
+
+        # Get the response information
+        result = self._result_map['list'](self)
+        self._collect_output(p, result, stdin=p.stdin)
+        lines = result.data.decode(self.encoding,
+                                   self._decode_errors).splitlines()
+        valid_keywords = 'pub uid sec fpr sub'.split()
+        for line in lines:
+            if self.verbose:
+                print(line)
+            log.debug("%r", line.rstrip())
+            if not line:
+                break
+            L = line.strip().split(':')
+            if not L:
+                continue
+            keyword = L[0]
+            if keyword in valid_keywords:
+                getattr(result, keyword)(L)
+        return result
+
+    def list_packets(self, raw_data):
+        """List the packet contents of a file."""
+        args = ["--list-packets"]
+        result = self._result_map['packets'](self)
+        self._handle_io(args, _make_binary_stream(raw_data, self.encoding),
+                        result)
+        return result
+
+    def list_sigs(self, *keyids):
+        """Get the signatures for each of the ``keyids``.
+
+        >>> import gnupg
+        >>> gpg = gnupg.GPG(homedir="./tests/doctest")
+        >>> key_input = gpg.gen_key_input()
+        >>> key = gpg.gen_key(key_input)
+        >>> assert key.fingerprint
+
+        :rtype: dict
+        :returns: A dictionary whose keys are the original keyid parameters,
+                  and whose values are lists of signatures.
+        """
+        if len(keyids) > self._batch_limit:
+            raise ValueError(
+                "List signatures is limited to %d keyids simultaneously"
+                % self._batch_limit)
+
+        args = ["--with-colons", "--fixed-list-mode", "--list-sigs"]
+
+        for key in keyids:
+            args.append(key)
+
+        proc = self._open_subprocess(args)
+
+        result = self._result_map['list'](self)
+        self._collect_output(proc, result, stdin=p.stdin)
+        return result
+
+    def gen_key(self, input):
+        """Generate a GnuPG key through batch file key generation. See
+        :meth:`GPG.gen_key_input()` for creating the control input.
+
+        >>> import gnupg
+        >>> gpg = gnupg.GPG(homedir="./tests/doctest")
+        >>> key_input = gpg.gen_key_input()
+        >>> key = gpg.gen_key(key_input)
+        >>> assert key.fingerprint
+
+        :param dict input: A dictionary of parameters and values for the new
+                           key.
+        :returns: The result mapping with details of the new key, which is a
+                  :class:`parsers.GenKey <GenKey>` object.
+        """
+        ## see TODO file, tag :gen_key: for todo items
+        args = ["--gen-key --batch"]
+        key = self._result_map['generate'](self)
+        f = _make_binary_stream(input, self.encoding)
+        self._handle_io(args, f, key, binary=True)
+        f.close()
+
+        fpr = str(key.fingerprint)
+        if len(fpr) == 20:
+            if self.temp_keyring or self.temp_secring:
+                if not os.path.exists(self._key_dir):
+                    os.makedirs(self._key_dir)
+                prefix = os.path.join(self._key_dir, fpr)
+
+            if self.temp_keyring:
+                if os.path.isfile(self.temp_keyring):
+                    try: os.rename(self.temp_keyring, prefix+".pubring")
+                    except OSError as ose: log.error(ose.message)
+                    else: self.temp_keyring = None
+                    #finally: self.import_keys(fpr)
+
+            if self.temp_secring:
+                if os.path.isfile(self.temp_secring):
+                    try: os.rename(self.temp_secring, prefix+".secring")
+                    except OSError as ose: log.error(ose.message)
+                    else: self.temp_secring = None
+                    #finally: self.import_keys(fpr)
+
+        log.info("Key created. Fingerprint: %s" % fpr)
+        return key
+
+    def gen_key_input(self, separate_keyring=False, save_batchfile=False,
+                      testing=False, **kwargs):
+        """Generate a batch file for input to :meth:`GPG.gen_key()`.
+
+        The GnuPG batch file key generation feature allows unattended key
+        generation by creating a file with special syntax and then providing it
+        to: ``gpg --gen-key --batch``. Batch files look like this:
+
+            Name-Real: Alice
+            Name-Email: alice@inter.net
+            Expire-Date: 2014-04-01
+            Key-Type: RSA
+            Key-Length: 4096
+            Key-Usage: cert
+            Subkey-Type: RSA
+            Subkey-Length: 4096
+            Subkey-Usage: encrypt,sign,auth
+            Passphrase: sekrit
+            %pubring foo.gpg
+            %secring sec.gpg
+            %commit
+
+        which is what this function creates for you. All of the available,
+        non-control parameters are detailed below (control parameters are the
+        ones which begin with a '%'). For example, to generate the batch file
+        example above, use like this:
+
+        >>> import gnupg
+        GnuPG logging disabled...
+        >>> from __future__ import print_function
+        >>> gpg = gnupg.GPG(homedir='./tests/doctest')
+        >>> alice = { 'name_real': 'Alice',
+        ...     'name_email': 'alice@inter.net',
+        ...     'expire_date': '2014-04-01',
+        ...     'key_type': 'RSA',
+        ...     'key_length': 4096,
+        ...     'key_usage': '',
+        ...     'subkey_type': 'RSA',
+        ...     'subkey_length': 4096,
+        ...     'subkey_usage': 'encrypt,sign,auth',
+        ...     'passphrase': 'sekrit'}
+        >>> alice_input = gpg.gen_key_input(**alice)
+        >>> print(alice_input)
+        Key-Type: RSA
+        Subkey-Type: RSA
+        Subkey-Usage: encrypt,sign,auth
+        Expire-Date: 2014-04-01
+        Passphrase: sekrit
+        Name-Real: Alice
+        Name-Email: alice@inter.net
+        Key-Length: 4096
+        Subkey-Length: 4096
+        %pubring ./tests/doctest/pubring.gpg
+        %secring ./tests/doctest/secring.gpg
+        %commit
+        <BLANKLINE>
+        >>> alice_key = gpg.gen_key(alice_input)
+        >>> assert alice_key is not None
+        >>> assert alice_key.fingerprint is not None
+        >>> message = "no one else can read my sekrit message"
+        >>> encrypted = gpg.encrypt(message, alice_key.fingerprint)
+        >>> assert isinstance(encrypted.data, str)
+
+        :param bool separate_keyring: Specify for the new key to be written to
+                                      a separate pubring.gpg and
+                                      secring.gpg. If True,
+                                      :meth:`GPG.gen_key` will automatically
+                                      rename the separate keyring and secring
+                                      to whatever the fingerprint of the
+                                      generated key ends up being, suffixed
+                                      with '.pubring' and '.secring'
+                                      respectively.
+
+        :param bool save_batchfile: Save a copy of the generated batch file to
+                                    disk in a file named <name_real>.batch,
+                                    where <name_real> is the ``name_real``
+                                    parameter stripped of punctuation, spaces,
+                                    and non-ascii characters.
+
+        :param bool testing: Uses a faster, albeit insecure random number
+                             generator to create keys. This should only be
+                             used for testing purposes, for keys which are
+                             going to be created and then soon after
+                             destroyed, and never for the generation of actual
+                             use keys.
+
+        :param str name_real: The name field of the UID in the generated key.
+        :param str name_comment: The comment in the UID of the generated key.
+        :param str name_email: The email in the UID of the generated key.
+                               (default: $USER@$(hostname) ) Remember to use
+                               UTF-8 encoding for the entirety of the UID. At
+                               least one of :param:`name_real <name_real>`,
+                               :param:`name_comment <name_comment>`, or
+                               :param:`name_email <name_email>` must be
+                               provided, or else no user ID is created.
+
+        :param str key_type: One of 'RSA', 'DSA', 'ELG-E', or 'default'.
+                             (default: 'default') Starts a new parameter block
+                             by giving the type of the primary key. The
+                             algorithm must be capable of signing. This is a
+                             required parameter. The algorithm may either be
+                             an OpenPGP algorithm number or a string with the
+                             algorithm name. The special value ‘default’ may
+                             be used for algo to create the default key type;
+                             in this case a :param:`key_usage <key_usage>`
+                             should not be given and ‘default’ must also be
+                             used for :param:`subkey_type <subkey_type>`.
+
+        :param int key_length: The requested length of the generated key in
+                               bits. (Default: 4096)
+
+        :param str key_grip: hexstring This is an optional hexidecimal string
+                             which is used to generate a CSR or certificate
+                             for an already existing key. :param:key_length
+                             will be ignored if this parameter is given.
+
+        :param str key_usage: Space or comma delimited string of key
+                              usages. Allowed values are ‘encrypt’, ‘sign’,
+                              and ‘auth’. This is used to generate the key
+                              flags. Please make sure that the algorithm is
+                              capable of this usage. Note that OpenPGP
+                              requires that all primary keys are capable of
+                              certification, so no matter what usage is given
+                              here, the ‘cert’ flag will be on. If no
+                              ‘Key-Usage’ is specified and the ‘Key-Type’ is
+                              not ‘default’, all allowed usages for that
+                              particular algorithm are used; if it is not
+                              given but ‘default’ is used the usage will be
+                              ‘sign’.
+
+        :param str subkey_type: This generates a secondary key
+                                (subkey). Currently only one subkey can be
+                                handled. See also ``key_type`` above.
+
+        :param int subkey_length: The length of the secondary subkey in bits.
+
+        :param str subkey_usage: Key usage for a subkey; similar to
+                                 ``key_usage``.
+
+        :type expire_date: int or str
+        :param expire_date: Can be specified as an iso-date or as
+                            <int>[d|w|m|y] Set the expiration date for the key
+                            (and the subkey). It may either be entered in ISO
+                            date format (2000-08-15) or as number of days,
+                            weeks, month or years. The special notation
+                            "seconds=N" is also allowed to directly give an
+                            Epoch value. Without a letter days are
+                            assumed. Note that there is no check done on the
+                            overflow of the type used by OpenPGP for
+                            timestamps. Thus you better make sure that the
+                            given value make sense. Although OpenPGP works
+                            with time intervals, GnuPG uses an absolute value
+                            internally and thus the last year we can represent
+                            is 2105.
+
+        :param str creation_date: Set the creation date of the key as stored
+                                  in the key information and which is also
+                                  part of the fingerprint calculation. Either
+                                  a date like "1986-04-26" or a full timestamp
+                                  like "19860426T042640" may be used. The time
+                                  is considered to be UTC. If it is not given
+                                  the current time is used.
+
+        :param str passphrase: The passphrase for the new key. The default is
+                               to not use any passphrase. Note that
+                               GnuPG>=2.1.x will not allow you to specify a
+                               passphrase for batch key generation -- GnuPG
+                               will ignore the ``passphrase`` parameter, stop,
+                               and ask the user for the new passphrase.
+                               However, we can put the command
+                               '%no-protection' into the batch key generation
+                               file to allow a passwordless key to be created,
+                               which can then have its passphrase set later
+                               with '--edit-key'.
+
+        :param str preferences: Set the cipher, hash, and compression
+                                preference values for this key. This expects
+                                the same type of string as the sub-command
+                                ‘setpref’ in the --edit-key menu.
+
+        :param str revoker: Should be given as 'algo:fpr' [case sensitive].
+                            Add a designated revoker to the generated
+                            key. Algo is the public key algorithm of the
+                            designated revoker (i.e. RSA=1, DSA=17, etc.) fpr
+                            is the fingerprint of the designated revoker. The
+                            optional ‘sensitive’ flag marks the designated
+                            revoker as sensitive information. Only v4 keys may
+                            be designated revokers.
+
+        :param str keyserver: This is an optional parameter that specifies the
+                              preferred keyserver URL for the key.
+
+        :param str handle: This is an optional parameter only used with the
+                           status lines KEY_CREATED and
+                           KEY_NOT_CREATED. string may be up to 100 characters
+                           and should not contain spaces. It is useful for
+                           batch key generation to associate a key parameter
+                           block with a status line.
+
+        :rtype: str
+        :returns: A suitable input string for the ``GPG.gen_key()`` method,
+                  the latter of which will create the new keypair.
+
+        see
+        http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html
+        for more details.
+        """
+
+        parms = {}
+
+        #: A boolean for determining whether to set subkey_type to 'default'
+        default_type = False
+
+        name_email = kwargs.get('name_email')
+        uidemail = _util.create_uid_email(name_email)
+
+        parms.setdefault('Key-Type', 'default')
+        parms.setdefault('Key-Length', 4096)
+        parms.setdefault('Name-Real', "Autogenerated Key")
+        parms.setdefault('Expire-Date', _util._next_year())
+        parms.setdefault('Name-Email', uidemail)
+
+        if testing:
+            ## This specific comment string is required by (some? all?)
+            ## versions of GnuPG to use the insecure PRNG:
+            parms.setdefault('Name-Comment', 'insecure!')
+
+        for key, val in list(kwargs.items()):
+            key = key.replace('_','-').title()
+            ## to set 'cert', 'Key-Usage' must be blank string
+            if not key in ('Key-Usage', 'Subkey-Usage'):
+                if str(val).strip():
+                    parms[key] = val
+
+        ## if Key-Type is 'default', make Subkey-Type also be 'default'
+        if parms['Key-Type'] == 'default':
+            default_type = True
+            for field in ('Key-Usage', 'Subkey-Usage',):
+                try: parms.pop(field)  ## toss these out, handle manually
+                except KeyError: pass
+
+        ## Key-Type must come first, followed by length
+        out  = "Key-Type: %s\n" % parms.pop('Key-Type')
+        out += "Key-Length: %d\n" % parms.pop('Key-Length')
+        if 'Subkey-Type' in parms.keys():
+            out += "Subkey-Type: %s\n" % parms.pop('Subkey-Type')
+        else:
+            if default_type:
+                out += "Subkey-Type: default\n"
+        if 'Subkey-Length' in parms.keys():
+            out += "Subkey-Length: %s\n" % parms.pop('Subkey-Length')
+
+        for key, val in list(parms.items()):
+            out += "%s: %s\n" % (key, val)
+
+        ## There is a problem where, in the batch files, if the '%%pubring'
+        ## and '%%secring' are given as any static string, i.e. 'pubring.gpg',
+        ## that file will always get rewritten without confirmation, killing
+        ## off any keys we had before. So in the case where we wish to
+        ## generate a bunch of keys and then do stuff with them, we should not
+        ## give 'pubring.gpg' as our keyring file, otherwise we will lose any
+        ## keys we had previously.
+
+        if separate_keyring:
+            ring = str(uidemail + '_' + str(_util._utc_epoch()))
+            self.temp_keyring = os.path.join(self.homedir, ring+'.pubring')
+            self.temp_secring = os.path.join(self.homedir, ring+'.secring')
+            out += "%%pubring %s\n" % self.temp_keyring
+            out += "%%secring %s\n" % self.temp_secring
+
+        if testing:
+            ## see TODO file, tag :compatibility:gen_key_input:
+            ##
+            ## Add version detection before the '%no-protection' flag.
+            out += "%no-protection\n"
+            out += "%transient-key\n"
+
+        out += "%commit\n"
+
+        ## if we've been asked to save a copy of the batch file:
+        if save_batchfile and parms['Name-Email'] != uidemail:
+            asc_uid  = encodings.normalize_encoding(parms['Name-Email'])
+            filename = _fix_unsafe(asc_uid) + _util._now() + '.batch'
+            save_as  = os.path.join(self._batch_dir, filename)
+            readme = os.path.join(self._batch_dir, 'README')
+
+            if not os.path.exists(self._batch_dir):
+                os.makedirs(self._batch_dir)
+
+                ## the following pulls the link to GnuPG's online batchfile
+                ## documentation from this function's docstring and sticks it
+                ## in a README file in the batch directory:
+
+                if getattr(self.gen_key_input, '__doc__', None) is not None:
+                    docs = self.gen_key_input.__doc__
+                else:
+                    docs = str() ## docstring=None if run with "python -OO"
+                links = '\n'.join(x.strip() for x in docs.splitlines()[-2:])
+                explain = """
+This directory was created by python-gnupg, on {}, and
+it contains saved batch files, which can be given to GnuPG to automatically
+generate keys. Please see
+{}""".format(_util.now(), links) ## sometimes python is awesome.
+
+                with open(readme, 'a+') as fh:
+                    [fh.write(line) for line in explain]
+
+            with open(save_as, 'a+') as batch_file:
+                [batch_file.write(line) for line in out]
+
+        return out
+
+    def encrypt_file(self, filename, recipients,
+                     default_key=None,
+                     passphrase=None,
+                     armor=True,
+                     encrypt=True,
+                     symmetric=False,
+                     always_trust=True,
+                     output=None,
+                     cipher_algo='AES256',
+                     digest_algo='SHA512',
+                     compress_algo='ZLIB'):
+        """Encrypt the message read from the file-like object ``filename``.
+
+        :param str filename: The file or bytestream to encrypt.
+        :param str recipients: The recipients to encrypt to. Recipients must
+                               be specified keyID/fingerprint. Care should be
+                               taken in Python2.x to make sure that the given
+                               fingerprint is in fact a string and not a
+                               unicode object.
+        :param str default_key: The keyID/fingerprint of the key to use for
+                                signing. If given, ``filename`` will be
+                                encrypted and signed.
+        :param bool always_trust: If True, ignore trust warnings on recipient
+                                  keys. If False, display trust warnings.
+                                  (default: True)
+        :param str passphrase: If True, use this passphrase to unlock the
+                                secret portion of the ``default_key`` for
+                                signing.
+        :param bool armor: If True, ascii armor the output; otherwise, the
+                           output will be in binary format. (default: True)
+        :param str output: The output file to write to. If not specified, the
+                           encrypted output is returned, and thus should be
+                           stored as an object in Python. For example:
+        """
+        args = []
+
+        if output:
+            if getattr(output, 'fileno', None) is not None:
+                ## avoid overwrite confirmation message
+                if getattr(output, 'name', None) is None:
+                    if os.path.exists(output):
+                        os.remove(output)
+                    args.append('--output %s' % output)
+                else:
+                    if os.path.exists(output.name):
+                        os.remove(output.name)
+                    args.append('--output %s' % output.name)
+
+        if armor: args.append('--armor')
+        if always_trust: args.append('--always-trust')
+        if cipher_algo: args.append('--cipher-algo %s' % cipher_algo)
+        if compress_algo: args.append('--compress-algo %s' % compress_algo)
+
+        if default_key:
+            args.append('--sign')
+            args.append('--default-key %s' % default_key)
+            if digest_algo:
+                args.append('--digest-algo %s' % digest_algo)
+
+        ## both can be used at the same time for an encrypted file which
+        ## is decryptable with a passphrase or secretkey.
+        if symmetric: args.append('--symmetric')
+        if encrypt: args.append('--encrypt')
+
+        if len(recipients) >= 1:
+            log.debug("GPG.encrypt() called for recipients '%s' with type '%s'"
+                      % (recipients, type(recipients)))
+
+            if isinstance(recipients, (list, tuple)):
+                for recp in recipients:
+                    if not _util._py3k:
+                        if isinstance(recp, unicode):
+                            try:
+                                assert _parsers._is_hex(str(recp))
+                            except AssertionError:
+                                log.info("Can't accept recipient string: %s"
+                                         % recp)
+                            else:
+                                args.append('--recipient %s' % str(recp))
+                                continue
+                            ## will give unicode in 2.x as '\uXXXX\uXXXX'
+                            args.append('--recipient %r' % recp)
+                            continue
+                    if isinstance(recp, str):
+                        args.append('--recipient %s' % recp)
+
+            elif (not _util._py3k) and isinstance(recp, basestring):
+                for recp in recipients.split('\x20'):
+                    args.append('--recipient %s' % recp)
+
+            elif _util._py3k and isinstance(recp, str):
+                for recp in recipients.split(' '):
+                    args.append('--recipient %s' % recp)
+                    ## ...and now that we've proven py3k is better...
+
+            else:
+                log.debug("Don't know what to do with recipients: '%s'"
+                          % recipients)
+
+        result = self._result_map['crypt'](self)
+        log.debug("Got filename '%s' with type '%s'."
+                  % (filename, type(filename)))
+        self._handle_io(args, filename, result,
+                        passphrase=passphrase, binary=True)
+        log.debug('GPG.encrypt_file(): Result: %r', result.data)
+        return result
+
+    def encrypt(self, data, *recipients, **kwargs):
+        """Encrypt the message contained in ``data`` to ``recipients``.
+
+        >>> import shutil
+        >>> if os.path.exists("keys"):
+        ...     shutil.rmtree("keys")
+        >>> gpg = GPG(homedir="keys")
+        >>> input = gpg.gen_key_input(passphrase='foo')
+        >>> result = gpg.gen_key(input)
+        >>> print1 = result.fingerprint
+        >>> input = gpg.gen_key_input()
+        >>> result = gpg.gen_key(input)
+        >>> print2 = result.fingerprint
+        >>> result = gpg.encrypt("hello",print2)
+        >>> message = str(result)
+        >>> assert message != 'hello'
+        >>> result = gpg.decrypt(message)
+        >>> assert result
+        >>> str(result)
+        'hello'
+        >>> result = gpg.encrypt("hello again",print1)
+        >>> message = str(result)
+        >>> result = gpg.decrypt(message,passphrase='bar')
+        >>> result.status in ('decryption failed', 'bad passphrase')
+        True
+        >>> assert not result
+        >>> result = gpg.decrypt(message,passphrase='foo')
+        >>> result.status == 'decryption ok'
+        True
+        >>> str(result)
+        'hello again'
+        >>> result = gpg.encrypt("signed hello",print2,sign=print1,passphrase='foo')
+        >>> result.status == 'encryption ok'
+        True
+        >>> message = str(result)
+        >>> result = gpg.decrypt(message)
+        >>> result.status == 'decryption ok'
+        True
+        >>> assert result.fingerprint == print1
+
+        """
+        stream = _make_binary_stream(data, self.encoding)
+        result = self.encrypt_file(stream, recipients, **kwargs)
+        stream.close()
+        return result
+
+    def decrypt(self, message, **kwargs):
+        """Decrypt the contents of a string or file-like object ``message``.
+
+        :param message: A string or file-like object to decrypt.
+        """
+        stream = _make_binary_stream(message, self.encoding)
+        result = self.decrypt_file(stream, **kwargs)
+        stream.close()
+        return result
+
+    def decrypt_file(self, filename, always_trust=False, passphrase=None,
+                     output=None):
+        """
+        Decrypt the contents of a file-like object :param:file .
+
+        :param file: A file-like object to decrypt.
+        :param always_trust: Instruct GnuPG to ignore trust checks.
+        :param passphrase: The passphrase for the secret key used for decryption.
+        :param output: A file to write the decrypted output to.
+        """
+        args = ["--decrypt"]
+        if output:  # write the output to a file with the specified name
+            if os.path.exists(output):
+                os.remove(output) # to avoid overwrite confirmation message
+            args.append('--output %s' % output)
+        if always_trust:
+            args.append("--always-trust")
+        result = self._result_map['crypt'](self)
+        self._handle_io(args, filename, result, passphrase, binary=True)
+        log.debug('decrypt result: %r', result.data)
+        return result
+
+
+class GPGWrapper(GPG):
+    """
+    This is a temporary class for handling GPG requests, and should be
+    replaced by a more general class used throughout the project.
+    """
+    def find_key_by_email(self, email, secret=False):
+        """
+        Find user's key based on their email.
+        """
+        for key in self.list_keys(secret=secret):
+            for uid in key['uids']:
+                if re.search(email, uid):
+                    return key
+        raise LookupError("GnuPG public key for email %s not found!" % email)
+
+    def find_key_by_subkey(self, subkey):
+        for key in self.list_keys():
+            for sub in key['subkeys']:
+                if sub[0] == subkey:
+                    return key
+        raise LookupError(
+            "GnuPG public key for subkey %s not found!" % subkey)
+
+    def encrypt(self, data, recipient, default_key=None, always_trust=True,
+                passphrase=None, symmetric=False):
+        """
+        Encrypt data using GPG.
+        """
+        # TODO: devise a way so we don't need to "always trust".
+        return super(GPGWrapper, self).encrypt(data, recipient,
+                                               default_key=default_key,
+                                               always_trust=always_trust,
+                                               passphrase=passphrase,
+                                               symmetric=symmetric,
+                                               cipher_algo='AES256')
+
+    def decrypt(self, data, always_trust=True, passphrase=None):
+        """
+        Decrypt data using GPG.
+        """
+        # TODO: devise a way so we don't need to "always trust".
+        return super(GPGWrapper, self).decrypt(data,
+                                               always_trust=always_trust,
+                                               passphrase=passphrase)
+
+    def send_keys(self, keyserver, *keyids):
+        """Send keys to a keyserver."""
+        result = self._result_map['list'](self)
+        log.debug('send_keys: %r', keyids)
+        data = _util._make_binary_stream("", self.encoding)
+        args = ['--keyserver', keyserver, '--send-keys']
+        args.extend(keyids)
+        self._handle_io(args, data, result, binary=True)
+        log.debug('send_keys result: %r', result.__dict__)
+        data.close()
+        return result
+
+    def encrypt_file(self, file, recipients, sign=None,
+                     always_trust=False, passphrase=None,
+                     armor=True, output=None, symmetric=False,
+                     cipher_algo=None):
+        "Encrypt the message read from the file-like object 'file'"
+        args = ['--encrypt']
+        if symmetric:
+            args = ['--symmetric']
+            if cipher_algo:
+                args.append('--cipher-algo %s' % cipher_algo)
+        else:
+            args = ['--encrypt']
+            if not _util._is_list_or_tuple(recipients):
+                recipients = (recipients,)
+            for recipient in recipients:
+                args.append('--recipient "%s"' % recipient)
+        if armor:  # create ascii-armored output - set to False for binary
+            args.append('--armor')
+        if output:  # write the output to a file with the specified name
+            if os.path.exists(output):
+                os.remove(output)  # to avoid overwrite confirmation message
+            args.append('--output "%s"' % output)
+        if sign:
+            args.append('--sign --default-key "%s"' % sign)
+        if always_trust:
+            args.append("--always-trust")
+        result = self._result_map['crypt'](self)
+        self._handle_io(args, file, result, passphrase=passphrase, binary=True)
+        log.debug('encrypt result: %r', result.data)
+        return result
+
+    def list_packets(self, raw_data):
+        args = ["--list-packets"]
+        result = self._result_map['list-packets'](self)
+        self._handle_io(args,
+                        _util._make_binary_stream(raw_data, self.encoding),
+                        result)
+        return result
+
+    def encrypted_to(self, raw_data):
+        """
+        Return the key to which raw_data is encrypted to.
+        """
+        # TODO: make this support multiple keys.
+        result = self.list_packets(raw_data)
+        if not result.key:
+            raise LookupError(
+                "Content is not encrypted to a GnuPG key!")
+        try:
+            return self.find_key_by_keyid(result.key)
+        except:
+            return self.find_key_by_subkey(result.key)
+
+    def is_encrypted_sym(self, raw_data):
+        result = self.list_packets(raw_data)
+        return bool(result.need_passphrase_sym)
+
+    def is_encrypted_asym(self, raw_data):
+        result = self.list_packets(raw_data)
+        return bool(result.key)
+
+    def is_encrypted(self, raw_data):
+        self.is_encrypted_asym() or self.is_encrypted_sym()
diff --git a/test_gnupg.py b/test_gnupg.py
deleted file mode 100644
index 6be4854..0000000
--- a/test_gnupg.py
+++ /dev/null
@@ -1,547 +0,0 @@
-# -*- coding: utf-8 -*-
-"""
-A test harness for gnupg.py.
-
-Copyright © 2013 Isis Lovecruft.
-Copyright © 2008-2013 Vinay Sajip. All rights reserved.
-"""
-import doctest
-import logging
-from functools import wraps
-import io
-import os
-import shutil
-import sys
-import tempfile
-import unittest
-
-import gnupg
-
-__author__ = "Isis Lovecruft"
-__date__  = "2013-03-02"
-
-ALL_TESTS = True
-REPO_DIR = os.getcwd()
-TEST_DIR = os.path.join(REPO_DIR, 'keys')
-
-tempfile.tempdir = os.path.join(REPO_DIR, 'temp')
-if not os.path.isdir(tempfile.gettempdir()):
-    os.mkdir(tempfile.gettempdir())
-
-@wraps(tempfile.TemporaryFile)
-def _make_tempfile(*args, **kwargs):
-    return tempfile.TemporaryFile(dir=tempfile.gettempdir(),
-                                  *args, **kwargs)
-
-logger = logging.getLogger(__name__)
-
-KEYS_TO_IMPORT = """-----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v1.4.9 (MingW32)
-
-mQGiBEiH4QERBACm48JJsg2XGzWfL7f/fjp3wtrY+JIz6P07s7smr35kve+wl605
-nqHtgjnIVpUVsbI9+xhIAPIkFIR6ZcQ7gRDhoT0bWKGkfdQ7YzXedVRPlQLdbpmR
-K2pKKySpF35pJsPAYa73EVaxu2KrII4CyBxVQgNWfGwEbtL5FfzuHhVOZwCg6JF7
-bgOMPmEwBLEHLmgiXbb5K48D/2xsXtWMkvgRp/ubcLxzbNjaHH6gSb2IfDi1+W/o
-Bmfua6FksPnEDn7PWnBhCEO9rf1tV0FcrvkR9m2FGfx38tjssxDdLvX511gbfc/Q
-DJxZ00A63BxI3xav8RiXlqpfQGXpLJmCLdeCh5DXOsVMCfepqRbWyJF0St7LDcq9
-SmuXA/47dzb8puo9dNxA5Nj48I5g4ke3dg6nPn7aiBUQ35PfXjIktXB6/sQJtWWx
-XNFX/GVUxqMM0/aCMPdtaoDkFtz1C6b80ngEz94vXzmON7PCgDY6LqZP1B1xbrkr
-4jGSr68iq7ERT+7E/iF9xp+Ynl91KK7h8llY6zFw+yIe6vGlcLQvR2FyeSBHcm9z
-cyAoQSB0ZXN0IHVzZXIpIDxnYXJ5Lmdyb3NzQGdhbW1hLmNvbT6IYAQTEQIAIAUC
-SIfhAQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEJZ2Ekdc7S4UtEcAoJIA
-iZurfuzIUE9Dtn86o6vC14qoAJ9P79mxR88wRr/ac9h5/BIf5cZKMbkCDQRIh+EB
-EAgAyYCvtS43J/OfuGHPGPZT0q8C+Y15YLItSQ3H6IMZWFY+sX+ZocaIiM4noVRG
-+mrEqzO9JNh4KP1OdFju1ZC8HZXpPVur48XlTNSm0yjmvvfmi+aGSuyQ0NkfLyi1
-aBeRvB4na/oFUgl908l7vpSYWYn4EY3xpvwJdyTWHTh4o7+zvrR1fByDt49k2b3z
-yTACoxYPVQfknt8gxqLqHZsbgn02Ml7HS17bSWr5Z7PlWqDlmsdqUikVU9d2RvIq
-R+YIJbOdHSklbVQQDhr+xgHPi39e7nXMxR/rMjMbz7E5vSNkge45n8Pzim8iyqy+
-MTMW8psV/OyrHUJzBEA7M6hA1wADBwgAnB0HzI1iyiQmIymO0Hj0BgqU6/avFw9R
-ggBuE2v7KsvuLP6ohXDEhYopjw5hgeotobpg6tS15ynch+6L8uWsJ0rcY2X9dsJy
-O8/5mjrNDHwCKiYRuZfmRZjzW03vO/9+rjtZ0NzoWYMP3UR8lUTVp2LTygefBA88
-Zgw6dWBVzn+/c0vdwcF4Y3njYKE7eq4VrfcwqRgD0hDyIJd1OpqzHfXXnTtLlAsm
-UwtdONzlwu7KkgafMo4vzKY6dCtUkR6pXAE/rLQfCTonwl9SnyusoYZgjDoj4Pvw
-ePxIl2q05dcn96NJGS+SfS/5B4H4irbfaEYmCfKps+45sjncYGhZ/ohJBBgRAgAJ
-BQJIh+EBAhsMAAoJEJZ2Ekdc7S4U2lkAoIwZLMHVldC0v9wse53xU0NsNIskAKDc
-Ft0XWUJ9yajOEUqCVHNs3F99t5kBogRIh+FVEQQAhk/ROtJ5/O+YERl4tZZBEhGH
-JendDBDfzmfRO9GIDcZI20nx5KJ1M/zGguqgKiVRlBy32NS/IRqwSI158npWYLfJ
-rYCWrC2duMK2i/8prOEfaktnqZXVCHudGtP4mTqNSs+867LnGhQ4w3HmB09zCIpD
-eIhhhPOb5H19H8UlojsAoLwsq5BACqUKoiz8lUufpTTFMbaDA/4v1fWmprYAxGq9
-cZ9svae772ymN/RRPDb/D+UJoJCCJSjE8m4MukVchyJVT8GmpJM2+dlt62eYwtz8
-bGNt+Yzzxr0N8rLutsSks7RaM16MaqiAlM20gAXEovxBiocgP/p5bO3FGKOBbrfd
-h47BZDEqLvfJefXjZEsElbZ9oL2zDgP9EsoDS9mbfesHDsagE5jCZRTY1C/FRLBO
-zhGgP2IlqBdOX8BYBYZiIlLM+pN5fU0Hcu3VOZY1Hnj6r3VbK1bOScQzqrZ7qgmw
-TRgyxUQalaOhMb5rUD0+dUFxa/mhTerx5POrX6zOWmmK0ldYTZO4/+nWr4FwmU8R
-41nYYYdi0yS0MURhbm55IERhdmlzIChBIHRlc3QgdXNlcikgPGRhbm55LmRhdmlz
-QGRlbHRhLmNvbT6IYAQTEQIAIAUCSIfhVQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4B
-AheAAAoJEG7bKmS7rMYAEt8An2jxsmsE1MZVZc4Ev8RB9Gu1zbsCAJ9G5kkYIIf0
-OoDqCjkDMDJcpd4MqLkCDQRIh+FVEAgAgHQ+EyseLw6A3BS2EUz6U1ZGzuJ5CXxY
-BY8xaQtE+9AJ0WHyzKeptnlnY1x9et3ny1BcVC5aR1OgsDiuVRvSFwpFfVxMKbRT
-kvERWADfB0N5EyWwyE0E4BT5hyEhW7fS0bucJL6UK5PKvfE5wexWlUI3yV4K1z6W
-2gSNL60o3kmoGn9K5ICWO/jbi6MkPptSoDu/laCJHv/aid6Gf94ckDClQQyLsccj
-0ibynm6rI3cIzpPMbimKIsKT1smAqZEBsTucBlOjIuIROANTZUN3reGIRh/kVNyg
-YTrkUnIqVS9FnbHa2wxeb6F/cO33fPiVfiCmZuKI1Uh4PMGaaSCh0wADBQf/SaXN
-WcuD0mrEnxqgEJRx67ZeFZjZM53Obu3JYQ++lqsthf8MxE7K4J/67xDpOh6waK0G
-6GCLwEm3Z7wjCaz1DYg2uJp/3pispWxZio3PLVe7WrMY+oEBHEsiJXicS5dV620a
-uoaBnnc0aQWT/DREE5s35IrZCh4WDQgO9rl0i/qcIITm77TmQbq2Xdj5vt6s0cx7
-oHKRaFBpQ8DBsCQ+D8Xz7i1oUygNp4Z5xPhItWeCfE9YoCoem4jSB4HGwmMOEicp
-VSpY43k01cd0Yfb1OMhA5C8OBwcwn3zvQB7nbxyxyQ9qphfwhMookIL4+tKKBIQL
-CnOGhApkAGbjRwuLi4hJBBgRAgAJBQJIh+FVAhsMAAoJEG7bKmS7rMYA+JQAn0E2
-WdPQjKEfKnr+bW4yubwMUYKyAJ4uiE8Rv/oEED1oM3xeJqa+MJ9V1w==
-=sqld
------END PGP PUBLIC KEY BLOCK-----"""
-
-
-def is_list_with_len(o, n):
-    return isinstance(o, list) and len(o) == n
-
-def compare_keys(k1, k2):
-    """Compare ASCII keys"""
-    k1 = k1.split('\n')
-    k2 = k2.split('\n')
-    del k1[1] # remove version lines
-    del k2[1]
-    return k1 != k2
-
-class ResultStringIO(io.StringIO):
-    def __init__(self):
-        super(self, io.StringIO).__init__()
-
-    def write(self, data):
-        super(self, io.StringIO).write(unicode(data))
-
-class GPGTestCase(unittest.TestCase):
-    def setUp(self):
-        hd = os.path.join(os.getcwd(), 'keys')
-        if os.path.exists(hd):
-            self.assertTrue(os.path.isdir(hd),
-                            "Not a directory: %s" % hd)
-            shutil.rmtree(hd)
-        self.homedir = hd
-        self.gpg = gnupg.GPG(gpghome=hd, gpgbinary='gpg')
-        self.pubring = os.path.join(self.homedir, 'pubring.gpg')
-        self.secring = os.path.join(self.homedir, 'secring.gpg')
-
-    def test_environment(self):
-        """Test the environment by ensuring that setup worked"""
-        hd = self.homedir
-        self.assertTrue(os.path.exists(hd) and os.path.isdir(hd),
-                        "Not an existing directory: %s" % hd)
-
-    def test_gpg_binary(self):
-        """Test that 'gpg --version' does not return an error code"""
-        proc = self.gpg._open_subprocess(['--version'])
-        result = io.StringIO()
-        self.gpg._collect_output(proc, result, stdin=proc.stdin)
-        self.assertEqual(proc.returncode, 0)
-
-    def test_gpg_binary_version_str(self):
-        """That that 'gpg --version' returns the expected output"""
-        proc = self.gpg._open_subprocess(['--version'])
-        result = proc.stdout.read(1024)
-        expected1 = "Supported algorithms:"
-        expected2 = "Pubkey:"
-        expected3 = "Cipher:"
-        expected4 = "Compression:"
-        logger.debug("'gpg --version' returned output:n%s" % result)
-        self.assertGreater(result.find(expected1), 0)
-        self.assertGreater(result.find(expected2), 0)
-        self.assertGreater(result.find(expected3), 0)
-        self.assertGreater(result.find(expected4), 0)
-
-    def test_gpg_binary_not_abs(self):
-        """Test that a non-absolute path to gpg results in a full path"""
-        self.assertTrue(os.path.isabs(self.gpg.gpgbinary))
-
-    def test_make_args_drop_protected_options(self):
-        """Test that unsupported gpg options are dropped"""
-        self.gpg.options = ['--tyrannosaurus-rex', '--stegosaurus']
-        self.gpg.keyring = self.secring
-        cmd = self.gpg.make_args(None, False)
-        expected = ['/usr/bin/gpg',
-                    '--status-fd 2 --no-tty',
-                    '--homedir "/home/isis/code/riseup/python-gnupg/keys"',
-                    '--no-default-keyring --keyring "%s"' % self.secring]
-        self.assertListEqual(cmd, expected)
-
-    def test_make_args(self):
-        """Test argument line construction"""
-        not_allowed = ['--bicycle', '--zeppelin', 'train', 'flying-carpet']
-        self.gpg.options = not_allowed[:-2]
-        args = self.gpg.make_args(not_allowed[2:], False)
-        self.assertTrue(len(args) == 4)
-        for na in not_allowed:
-            self.assertNotIn(na, args)
-
-    def test_list_keys_initial_public(self):
-        """Test that initially there are no public keys"""
-        public_keys = self.gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 0),
-                        "Empty list expected...got instead: %s"
-                        % str(public_keys))
-
-    def test_list_keys_initial_secret(self):
-        """Test that initially there are no secret keys"""
-        private_keys = self.gpg.list_keys(secret=True)
-        self.assertTrue(is_list_with_len(private_keys, 0),
-                        "Empty list expected...got instead: %s"
-                        % str(private_keys))
-
-
-    def test_copy_data(self):
-        """Test that _copy_data() is able to duplicate byte streams"""
-        instream = io.BytesIO("This is a string of bytes mapped in memory.")
-        outstream = str("And this one is just a string.")
-
-
-    def generate_key(self, first_name, last_name, domain, passphrase=None):
-        """Generate a key"""
-
-        params = {'Key-Type': 'RSA',
-                  'Key-Length': 2048,
-                  'Subkey-Type': 'RSA',
-                  'Subkey-Length': 2048,
-                  'Name-Comment': 'A test user',
-                  'Expire-Date': 0,
-                  'Name-Real': '%s %s' % (first_name, last_name),
-                  'Name-Email': ("%s.%s@%s"
-                                 % (first_name, last_name, domain)).lower()}
-        if passphrase is None:
-            passphrase = ("%s%s" % (first_name[0], last_name)).lower()
-        params['Passphrase'] = passphrase
-        cmd = self.gpg.gen_key_input(**params)
-        return self.gpg.gen_key(cmd)
-
-    def do_key_generation(self):
-        """Test that key generation succeeds"""
-        result = self.generate_key("Barbara", "Brown", "beta.com")
-        self.assertNotEqual(None, result, "Non-null result")
-        return result
-
-    def test_key_generation_with_invalid_key_type(self):
-        """Test that key generation handles invalid key type"""
-        params = {
-            'Key-Type': 'INVALID',
-            'Key-Length': 1024,
-            'Subkey-Type': 'ELG-E',
-            'Subkey-Length': 2048,
-            'Name-Comment': 'A test user',
-            'Expire-Date': 0,
-            'Name-Real': 'Test Name',
-            'Name-Email': 'test.name@example.com',
-        }
-        cmd = self.gpg.gen_key_input(**params)
-        result = self.gpg.gen_key(cmd)
-        self.assertFalse(result.data, 'Null data result')
-        self.assertEqual(None, result.fingerprint, 'Null fingerprint result')
-
-    def test_key_generation_with_colons(self):
-        """Test that key generation handles colons in key fields"""
-        params = {
-            'key_type': 'RSA',
-            'name_real': 'urn:uuid:731c22c4-830f-422f-80dc-14a9fdae8c19',
-            'name_comment': 'dummy comment',
-            'name_email': 'test.name@example.com',
-        }
-        cmd = self.gpg.gen_key_input(**params)
-        result = self.gpg.gen_key(cmd)
-        keys = self.gpg.list_keys()
-        self.assertEqual(len(keys), 1)
-        key = keys[0]
-        uids = key['uids']
-        self.assertEqual(len(uids), 1)
-        uid = uids[0]
-        self.assertEqual(uid, 'urn:uuid:731c22c4-830f-422f-80dc-14a9fdae8c19 '
-                              '(dummy comment) <test.name@example.com>')
-
-    def test_key_generation_with_empty_value(self):
-        """Test that key generation handles empty values"""
-        params = {
-            'key_type': 'RSA',
-            'key_length': 1024,
-            'name_comment': ' ', # Not added, so default will appear
-        }
-        cmd = self.gpg.gen_key_input(**params)
-        self.assertTrue('\nName-Comment: Generated by gnupg.py\n' in cmd)
-        params['name_comment'] = 'A'
-        cmd = self.gpg.gen_key_input(**params)
-        self.assertTrue('\nName-Comment: A\n' in cmd)
-
-    def test_list_keys_after_generation(self):
-        """Test that after key generation, the generated key is available"""
-        self.test_list_keys_initial()
-        self.do_key_generation()
-        public_keys = self.gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 1),
-                        "1-element list expected")
-        private_keys = self.gpg.list_keys(secret=True)
-        self.assertTrue(is_list_with_len(private_keys, 1),
-                        "1-element list expected")
-
-    def test_encryption_and_decryption(self):
-        """Test that encryption and decryption works"""
-        logger.debug("test_encryption_and_decryption begins")
-        key = self.generate_key("Andrew", "Able", "alpha.com",
-                                passphrase="andy")
-        andrew = key.fingerprint
-        key = self.generate_key("Barbara", "Brown", "beta.com")
-        barbara = key.fingerprint
-        gpg = self.gpg
-        gpg.encoding = 'latin-1'
-        if gnupg._py3k:
-            data = 'Hello, André!'
-        else:
-            data = unicode('Hello, André', gpg.encoding)
-        data = data.encode(gpg.encoding)
-        edata = str(gpg.encrypt(data, barbara))
-        self.assertNotEqual(data, edata, "Data must have changed")
-        ddata = gpg.decrypt(edata, passphrase="bbrown")
-        if data != ddata.data:
-            logger.debug("was: %r", data)
-            logger.debug("new: %r", ddata.data)
-        self.assertEqual(data, ddata.data, "Round-trip must work")
-        edata = str(gpg.encrypt(data, [andrew, barbara]))
-        self.assertNotEqual(data, edata, "Data must have changed")
-        ddata = gpg.decrypt(edata, passphrase="andy")
-        self.assertEqual(data, ddata.data, "Round-trip must work")
-        ddata = gpg.decrypt(edata, passphrase="bbrown")
-        self.assertEqual(data, ddata.data, "Round-trip must work")
-        logger.debug("test_encryption_and_decryption ends")
-        # Test symmetric encryption
-        data = "chippy was here"
-        edata = str(gpg.encrypt(data, None, passphrase='bbrown', symmetric=True))
-        ddata = gpg.decrypt(edata, passphrase='bbrown')
-        self.assertEqual(data, str(ddata))
-
-    def test_public_keyring(self):
-        """Test that the public keyring is found in the gpg home directory"""
-        self.gpg.keyring = self.pubring
-        self.assertTrue(os.path.isfile(self.pubring))
-
-    def test_secret_keyring(self):
-        """Test that the secret keyring is found in the gpg home directory"""
-        self.gpg.keyring = self.secring
-        self.assertTrue(os.path.isfile(self.secring))
-
-    def test_import_and_export(self):
-        """Test that key import and export works"""
-        logger.debug("test_import_and_export begins")
-        self.test_list_keys_initial()
-        gpg = self.gpg
-        result = gpg.import_keys(KEYS_TO_IMPORT)
-        self.assertEqual(result.summary(), '2 imported')
-        public_keys = gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 2),
-                        "2-element list expected")
-        private_keys = gpg.list_keys(secret=True)
-        self.assertTrue(is_list_with_len(private_keys, 0),
-                        "Empty list expected")
-        ascii = gpg.export_keys([k['keyid'] for k in public_keys])
-        self.assertTrue(ascii.find("PGP PUBLIC KEY BLOCK") >= 0,
-                        "Exported key should be public")
-        ascii = ascii.replace("\r", "").strip()
-        match = compare_keys(ascii, KEYS_TO_IMPORT)
-        if match:
-            logger.debug("was: %r", KEYS_TO_IMPORT)
-            logger.debug("now: %r", ascii)
-        self.assertEqual(0, match, "Keys must match")
-        #Generate a key so we can test exporting private keys
-        key = self.do_key_generation()
-        ascii = gpg.export_keys(key.fingerprint, True)
-        self.assertTrue(ascii.find("PGP PRIVATE KEY BLOCK") >= 0,
-                        "Exported key should be private")
-        logger.debug("test_import_and_export ends")
-
-    def test_import_only(self):
-        """Test that key import works"""
-        logger.debug("test_import_only begins")
-        self.test_list_keys_initial()
-        self.gpg.import_keys(KEYS_TO_IMPORT)
-        public_keys = self.gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 2),
-                        "2-element list expected")
-        private_keys = self.gpg.list_keys(secret=True)
-        self.assertTrue(is_list_with_len(private_keys, 0),
-                        "Empty list expected")
-        ascii = self.gpg.export_keys([k['keyid'] for k in public_keys])
-        self.assertTrue(ascii.find("PGP PUBLIC KEY BLOCK") >= 0,
-                        "Exported key should be public")
-        ascii = ascii.replace("\r", "").strip()
-        match = compare_keys(ascii, KEYS_TO_IMPORT)
-        if match:
-            logger.debug("was: %r", KEYS_TO_IMPORT)
-            logger.debug("now: %r", ascii)
-        self.assertEqual(0, match, "Keys must match")
-        logger.debug("test_import_only ends")
-
-    def test_signature_verification(self):
-        """Test that signing and verification works"""
-        logger.debug("test_signature_verification begins")
-        key = self.generate_key("Andrew", "Able", "alpha.com")
-        self.gpg.encoding = 'latin-1'
-        if gnupg._py3k:
-            data = 'Hello, André!'
-        else:
-            data = unicode('Hello, André', self.gpg.encoding)
-        data = data.encode(self.gpg.encoding)
-        sig = self.gpg.sign(data, keyid=key.fingerprint, passphrase='bbrown')
-        self.assertFalse(sig, "Bad passphrase should fail")
-        sig = self.gpg.sign(data, keyid=key.fingerprint, passphrase='aable')
-        self.assertTrue(sig, "Good passphrase should succeed")
-        verified = self.gpg.verify(sig.data)
-        if key.fingerprint != verified.fingerprint:
-            logger.debug("key: %r", key.fingerprint)
-            logger.debug("ver: %r", verified.fingerprint)
-        self.assertEqual(key.fingerprint, verified.fingerprint,
-                         "Fingerprints must match")
-        self.assertEqual(verified.trust_level, verified.TRUST_ULTIMATE)
-        self.assertEqual(verified.trust_text, 'TRUST_ULTIMATE')
-        if not os.path.exists('random_binary_data'):
-            data_file = open('random_binary_data', 'wb')
-            data_file.write(os.urandom(5120 * 1024))
-            data_file.close()
-        data_file = open('random_binary_data', 'rb')
-        sig = self.gpg.sign_file(data_file, keyid=key.fingerprint,
-                                 passphrase='aable')
-        data_file.close()
-        self.assertTrue(sig, "File signing should succeed")
-        try:
-            file = gnupg._make_binary_stream(sig.data, self.gpg.encoding)
-            verified = self.gpg.verify_file(file)
-        except UnicodeDecodeError: #happens in Python 2.6
-            verified = self.gpg.verify_file(io.BytesIO(sig.data))
-        if key.fingerprint != verified.fingerprint:
-            logger.debug("key: %r", key.fingerprint)
-            logger.debug("ver: %r", verified.fingerprint)
-        self.assertEqual(key.fingerprint, verified.fingerprint,
-                         "Fingerprints must match")
-        data_file = open('random_binary_data', 'rb')
-        sig = self.gpg.sign_file(data_file, keyid=key.fingerprint,
-                                 passphrase='aable', detach=True)
-        data_file.close()
-        self.assertTrue(sig, "File signing should succeed")
-        try:
-            file = gnupg._make_binary_stream(sig.data, self.gpg.encoding)
-            verified = self.gpg.verify_file(file, 'random_binary_data')
-        except UnicodeDecodeError: #happens in Python 2.6
-            verified = self.gpg.verify_file(io.BytesIO(sig.data))
-        if key.fingerprint != verified.fingerprint:
-            logger.debug("key: %r", key.fingerprint)
-            logger.debug("ver: %r", verified.fingerprint)
-        self.assertEqual(key.fingerprint, verified.fingerprint,
-                         "Fingerprints must match")
-        logger.debug("test_signature_verification ends")
-
-    def test_deletion(self):
-        """Test that key deletion works"""
-        logger.debug("test_deletion begins")
-        self.gpg.import_keys(KEYS_TO_IMPORT)
-        public_keys = self.gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 2),
-                        "2-element list expected, got %d" % len(public_keys))
-        self.gpg.delete_keys(public_keys[0]['fingerprint'])
-        public_keys = self.gpg.list_keys()
-        self.assertTrue(is_list_with_len(public_keys, 1),
-                        "1-element list expected, got %d" % len(public_keys))
-        logger.debug("test_deletion ends")
-
-    def test_file_encryption_and_decryption(self):
-        """Test that encryption/decryption to/from file works"""
-        logger.debug("test_file_encryption_and_decryption begins")
-
-        encfname = _make_tempfile()
-        logger.debug('Created tempfile for encrypted content: %s' % encfname)
-        decfname = _make_tempfile()
-        logger.debug('Created tempfile for decrypted content: f%s' % decfname)
-        # On Windows, if the handles aren't closed, the files can't be deleted
-        #os.close(encfno)
-        #os.close(decfno)
-        try:
-            key = self.generate_key("Andrew", "Able", "alpha.com",
-                                    passphrase="andy")
-            andrew = key.fingerprint
-            key = self.generate_key("Barbara", "Brown", "beta.com")
-            barbara = key.fingerprint
-            data = "Hello, world!"
-            file = gnupg._make_binary_stream(data, self.gpg.encoding)
-            edata = self.gpg.encrypt_file(file, barbara,
-                                          armor=False, output=encfname)
-            ddata = self.gpg.decrypt_file(efile, passphrase="bbrown",
-                                          output=decfname)
-            encfname.seek(0, 0) # can't use os.SEEK_SET in 2.4
-            edata = encfname.read()
-            ddata = decfname.read()
-            data = data.encode(self.gpg.encoding)
-            if ddata != data:
-                logger.debug("was: %r", data)
-                logger.debug("new: %r", ddata)
-            self.assertEqual(data, ddata, "Round-trip must work")
-        except Exception as exc:
-            logger.warn(exc.message)
-        logger.debug("test_file_encryption_and_decryption ends")
-
-
-TEST_GROUPS = {
-    'basic' : set(['test_environment',
-                   'test_gpg_binary',
-                   'test_gpg_binary_not_abs',
-                   'test_gpg_binary_version_str',
-                   'test_list_keys_initial_public',
-                   'test_list_keys_initial_secret',
-                   'test_make_args_drop_protected_options',
-                   'test_make_args']),
-    'sign' : set(['test_signature_verification']),
-
-    'crypt' : set(['test_encryption_and_decryption',
-                   'test_file_encryption_and_decryption']),
-    'key' : set(['test_deletion',
-                 'test_import_and_export',
-                 'test_public_keyring',
-                 'test_secret_keyring',
-                 'test_list_keys_after_generation',
-                 'test_key_generation_with_invalid_key_type',
-                 'test_key_generation_with_empty_value',
-                 'test_key_generation_with_colons']),
-    'import' : set(['test_import_only']),
-    }
-
-def suite(args=None):
-    if args is None:
-        args = sys.argv[1:]
-    if not args:
-        result = unittest.TestLoader().loadTestsFromTestCase(GPGTestCase)
-        want_doctests = False
-    else:
-        tests = set()
-        want_doctests = False
-        for arg in args:
-            if arg in TEST_GROUPS:
-                tests.update(TEST_GROUPS[arg])
-            elif arg == "doc":
-                want_doctests = True
-            else:
-                print("Ignoring unknown test group %r" % arg)
-        result = unittest.TestSuite(list(map(GPGTestCase, tests)))
-    if want_doctests:
-        result.addTest(doctest.DocTestSuite(gnupg))
-    return result
-
-def init_logging():
-    logging.basicConfig(
-        level=logging.DEBUG, filename="test_gnupg.log",
-        filemode="a",
-        format="%(asctime)s %(levelname)-5s %(name)-7s %(threadName)-10s %(message)s")
-    logging.captureWarnings(True)
-    logging.logThreads = True
-    logger.addHandler(logging.StreamHandler(stream=sys.stdout))
-    #logger.addHandler(logging.RootLogger(logging.DEBUG))
-    #logger.addHandler(logging.Logger("gnupg.py", level=logging.DEBUG))
-
-def main():
-    init_logging()
-    tests = suite()
-    results = unittest.TextTestRunner(verbosity=3).run(tests)
-    return not results.wasSuccessful()
-
-
-if __name__ == "__main__":
-    sys.exit(main())
diff --git a/tests/files/cypherpunk_manifesto b/tests/files/cypherpunk_manifesto
new file mode 100644
index 0000000..9e3b503
--- /dev/null
+++ b/tests/files/cypherpunk_manifesto
@@ -0,0 +1,87 @@
+Privacy is necessary for an open society in the electronic age. Privacy is not
+secrecy. A private matter is something one doesn't want the whole world to
+know, but a secret matter is something one doesn't want anybody to
+know. Privacy is the power to selectively reveal oneself to the world.
+
+If two parties have some sort of dealings, then each has a memory of their
+interaction. Each party can speak about their own memory of this; how could
+anyone prevent it? One could pass laws against it, but the freedom of speech,
+even more than privacy, is fundamental to an open society; we seek not to
+restrict any speech at all. If many parties speak together in the same forum,
+each can speak to all the others and aggregate together knowledge about
+individuals and other parties. The power of electronic communications has
+enabled such group speech, and it will not go away merely because we might want
+it to.
+
+Since we desire privacy, we must ensure that each party to a transaction have
+knowledge only of that which is directly necessary for that transaction. Since
+any information can be spoken of, we must ensure that we reveal as little as
+possible. In most cases personal identity is not salient. When I purchase a
+magazine at a store and hand cash to the clerk, there is no need to know who I
+am. When I ask my electronic mail provider to send and receive messages, my
+provider need not know to whom I am speaking or what I am saying or what others
+are saying to me; my provider only need know how to get the message there and
+how much I owe them in fees. When my identity is revealed by the underlying
+mechanism of the transaction, I have no privacy. I cannot here selectively
+reveal myself; I must always reveal myself.
+
+Therefore, privacy in an open society requires anonymous transaction
+systems. Until now, cash has been the primary such system. An anonymous
+transaction system is not a secret transaction system. An anonymous system
+empowers individuals to reveal their identity when desired and only when
+desired; this is the essence of privacy.
+
+Privacy in an open society also requires cryptography. If I say something, I
+want it heard only by those for whom I intend it. If the content of my speech
+is available to the world, I have no privacy. To encrypt is to indicate the
+desire for privacy, and to encrypt with weak cryptography is to indicate not
+too much desire for privacy. Furthermore, to reveal one's identity with
+assurance when the default is anonymity requires the cryptographic signature.
+
+We cannot expect governments, corporations, or other large, faceless
+organizations to grant us privacy out of their beneficence. It is to their
+advantage to speak of us, and we should expect that they will speak. To try to
+prevent their speech is to fight against the realities of
+information. Information does not just want to be free, it longs to be
+free. Information expands to fill the available storage space. Information is
+Rumor's younger, stronger cousin; Information is fleeter of foot, has more
+eyes, knows more, and understands less than Rumor.
+
+We must defend our own privacy if we expect to have any. We must come together
+and create systems which allow anonymous transactions to take place. People
+have been defending their own privacy for centuries with whispers, darkness,
+envelopes, closed doors, secret handshakes, and couriers. The technologies of
+the past did not allow for strong privacy, but electronic technologies do.
+
+We the Cypherpunks are dedicated to building anonymous systems. We are
+defending our privacy with cryptography, with anonymous mail forwarding
+systems, with digital signatures, and with electronic money.
+
+Cypherpunks write code. We know that someone has to write software to defend
+privacy, and since we can't get privacy unless we all do, we're going to write
+it. We publish our code so that our fellow Cypherpunks may practice and play
+with it. Our code is free for all to use, worldwide. We don't much care if you
+don't approve of the software we write. We know that software can't be
+destroyed and that a widely dispersed system can't be shut down.
+
+Cypherpunks deplore regulations on cryptography, for encryption is
+fundamentally a private act. The act of encryption, in fact, removes
+information from the public realm. Even laws against cryptography reach only so
+far as a nation's border and the arm of its violence. Cryptography will
+ineluctably spread over the whole globe, and with it the anonymous transactions
+systems that it makes possible.
+
+For privacy to be widespread it must be part of a social contract. People must
+come and together deploy these systems for the common good. Privacy only
+extends so far as the cooperation of one's fellows in society. We the
+Cypherpunks seek your questions and your concerns and hope we may engage you so
+that we do not deceive ourselves. We will not, however, be moved out of our
+course because some may disagree with our goals.
+
+The Cypherpunks are actively engaged in making the networks safer for
+privacy. Let us proceed together apace.
+
+Onward.
+
+Eric Hughes <hughes@soda.berkeley.edu>
+9 March 1993
diff --git a/tests/files/kat.sec b/tests/files/kat.sec
new file mode 100644
index 0000000..b8c960e
--- /dev/null
+++ b/tests/files/kat.sec
@@ -0,0 +1,138 @@
+## 1024R primary secret key, usage C, pasphrase 'katpics'
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQc+BFGdoeIBEADD7XN3kD/TeMbGdUhOvmBRlp2nDuKx6IKm6tLNHw9PA1ShSwtS
+v9ijldhQwnggyiZZ8P3c6SJRPWrn45YyKUnMhtmRNeEhNx9eQDxCM3Ysu3PUUfVl
+7BiGF9OEdVTNu2/rfBzQ3krM+9oCpDBICRFfE5EuBkFAGa8GjTcsJJxWzJqcJqAP
+/6t6ioyD1DNzaf3V+m5Q5NaDzdbZj9Jw4Sf5pngaLs6Mbhei/GsP0Eoj+XdcSxfN
+HNJ06ZTmAY8XSn0il794aCSyXvVPaJPDGHfGwTgEXP45utqYZNIWYZvm2gpf1Yc3
+zIzopwVp1sLN/3ZXMUCvHg41Js+urzWBRbMu+Ypm7pldkhKPX6RIy5YMfr2zOLvt
++XulIBTZ7Omfai/wARj3JAwkMR4ssbCKIha56k4RGVDUacS0Xx7h2MmSCDE/9xH0
++lka1PN6+lJuU/Iht39vUcthSaKPyrJvcqElgEsSKg2x0rDXS/WoiFilNakBdBPd
+GWmLW89v/kNSHRJNjqwzrQBbHd3lhJUZ0nMuSud85we8SR3ZX/fIvYIBx6RcMwRp
+HCajfjsvHy3bAI0oQnp8DOXGCEDy+FWrUankrtHiOThYMcSHWlVkpXB9kEmxs+ls
+xMRzY5bWbNglu2mAGMZ4KqOEnL9VembHO9ryoASZGNFW+huq7wVqY/IA9QARAQAB
+/gMDAiyujS0siBnfYEEJbKJ0MxztiFtbDxYQLCGAtvhm0jQWxPm0prFs/E8tUiOM
+XCkGWT3V3wTFnm9ZsOxNFPs3KQTYIQK4PqPoiF5ZSuvNzq172X7EhZkhY21j0xgI
+N0GQhE4tPCvPR66SCR6NfVe+0BRB9yuMnGWFVMxSgPn3vS7IdXr4cvNIhhaAi2p7
+OSn3ZJ+h4msMy2T1iTTSL+WZWIBNsbqm9r19SW1AVdX7OJzzF3XnGoaNYZUU2/Xl
+GN41O1SqlSSDmldRUqz/oMMC0NXP/3STaSpjV5FhrA0LdWJPXy5r2v4dY1MGPKux
+SwZVTu2fNK0/LW+CmFNaF16bM0woRQf4QtjN3nIN+TZMZW2V5fsPOvCHZqIOOQMI
+wOA0npwcNGvMWTVSXb7XYrz828OyJ77V9iqRrPucTcYb206XG0EB8Q+gUVmSwXVZ
+paKm86tfP8VvEeTaqKtLDCiIrRTGbhfxHExaKk2gn59Rf23wrp87QKKb0O277OCa
+vbc+6jfzp5IcuqR9TreTAuBqTQFg5cUS7MZW+KHN6masD7jTeZoFYXoR835pF+PJ
+ngC5kE1/owWx513tc66r5TSxNGkW/NCWY7Ae5EAN7XIvtXhmoFTiqWu/MqRxEkZh
+MnVqfWaRZhzSyRH19X2633OnTqqulRNrWIar+cMRh449fBhvh5qZSDVUut+Luqx4
+/dCUQRLeE0gbmnfBS5rgffv8rLF2QJ6liP9bzoZFHOQTreUhgX68kvzsBMgSKmpW
+5Eoq1fvM34bOaX3WSpnkHEPDvPiooH9mrwFqgb87jqW51btaofY6ifPhl9s2+bS/
+6lnB1MG/VcG7460/kbTQo7PMgEtsNODzTaGFAZ76M025Jjg7WmB01rBXDyq1Mazk
+Wy9sDXuFVMpFzTvo+pAYQoVqTporLw3ZmhsAQCnJ4gJ60vxTNa7BO/Q/ICd1edeP
+ip/Nbse2PLVC5ETSVDdIsy7LZWr7jH/YMOiRTQrffq1RwjCxas6AscK29rxkUxVL
+Sz28CuDdsyztyKWbsFHkm3zgOazP1P3Pnx11DRo6eDKO1LtftGaVw9GRjQ0FC9gU
+mJ0GG02pPwQJINUyPGpCDjaLwKcS/O1HjdiJ7Y6ninxv9BmEfnMvoWNqaOc4q2Wb
+ogqQehYhd0SymLFLYaNBOvzwzeeVlMEsNS3/Phts9PC4zAikTukU5beXKAj7gSdm
+Zkx30eXTOiE1N0C+6l2ow0TrlDkha8YrNI9DKi7SKvf00dXYfwL4fwPpLgC4K5lS
+Zb09XZHJxE4EvE4NVU6xH/q5YSV8W5rzIA1BX9hPKaLh/t/TeF0aQE1CU4nQ5/9J
+ppx/63onmm9xE6jmVUtZHEVXq3a8pueAv5Cnd7k5hin6oSAbT1TZ1ggPeuqNRwDp
++UHc02CRvDod9axTk+/fGuLPKJNRcar2PnJQByQqW04bJO9ou1AEapOSk7Cae54M
+Y2rUPCe/IuVhPze/XAXeORwFCSob1E+bWdM/6QosyXVaZArTG24ggvwvelQZoa/i
+F+Ru2SlFF5/BlXyWO6EbXYwzgguoOUSodx/Og6juEvElTQ4ZL60dxstvF3Qy/C6P
+cy1C3qfQuds86SXu0ObPdYrhnZ+Z+hN6wivpSntEkbSkZdrc+cjGovSNNzbuK/4U
+1WPIsn+nMqX79VxyVbX3DUMjlpRowIZsvLqRdPBNa8PLUoiV5GojCrd7D1xRdYfF
+tN84/9o8J5K80zVnROpUq8C0AQQKZuPskMcnN3sNvymUtBVLYXQgSGFubmFoIDxr
+YXRAcGljcz6JAj4EEwECACgFAlGdoeICGy8FCQHg7Z4GCwkIBwMCBhUIAgkKCwQW
+AgMBAh4BAheAAAoJECkjT3+TjVfrhmQP+wRrVAWlPzQbpfrHr5jMYXA9AYKXz/ea
+6n0eTpxQ6zelxgX67abSUGyDJDakffjvB/W8fEgYPmvqvKm2jLDIwJeQElpIyxwT
+QNaiX79V5GwC9yN19oCN6S/NG9fEuDoYrWnU/WXn/8UVavPVZ+h/1Lq3gpAzP1Nm
+mrAkcSqsviKk8b9B4t/U+YpptgfyM9zOiq4YzupvmKgstX8u1o5gy8qsjZK/P64x
+yqRF2tfviU3U1vrnwPjGI6WrHUE/uII6JTQ2cmr4MNjvVrGRJ+qWtZcPx+36BqEt
+WhP+wYSkqHJBLpfdhJtJgkBI6i1iw3o66l/BgI82CMVG6SEsDUqIDv2KdEpnGarF
+oGPgz9FkOaGaGbOH1clmrhv5/jw+GQUx2FVQqFvlxNA9nud0Afh6wNj0gFly4k3y
+akzoyxBOMqEQoqONyYJEk6WjGFkFq+QMAJe7r55v0U53TYhtKXsHUpI5t3/4vCKv
+UWOczD1q2oV4HMtyLgQePURnuw2LbHEcykntkLJPq1wEGHTnNUVHSir4veDAnFAt
+SGwZ0ysQq/YDCZJYIueO8lvOY5zhbasrO7n12nMKXLKror5zA2Jvp6H73BYS2hrs
+ZRA8+AO+WpXEApPoOT3ZT05nbv7FDy0+VtHelrYhWcfcT34JUVHGhxx/eSvEQpLp
+KSNBShAXG++TnQH+BFGdoeIBBADaPOy1jIzQDze3lVcSlRlVgqj6ZBJJQ8Xm1+To
+CVV6Dkc5lITAkpoKZtk/T0DTsELCNCHGRasZ2BYXZ+XUIonIE21u21YcnamGjqpz
+CZG4f7YVy9bSbkL1bQkcAG5vgY8ksj373CMtCGULKU6E9yzRjuZayb91AZVvnM1y
+W6uK3wARAQAB/gMDAiyujS0siBnfYPZc1s1fN0f0/CadnFayJiu0eB523gMwk+QL
+fTfIPZiSdfMWinX21lNWZU3Lw0PNnoaldQioupamEQF04o39MY3kD5NmAs7sBCeD
+rtKuB0aBLZ6vdC7XrYwhn4MpGNrgygniXghSCUHfQuDB0WlTEgOvkZRQ1gYEBbP9
+ApcJyOj22W9muEUZ9dPX7D/1JZC3tXGR2hVNieHswgFoy11xjvEBQQv5jM5CTCnj
+J+O2dk25XfdGVwZTnTdNTdcuOkblgn7wumPzkgC8uqQV6GTaCGYmBlCv39HOw3wi
+0lBrme2IsFTjTMAY0koZTDor9vee3b6yaBg/huXC5iO5c1T0QX5swEVSyHjx12ih
+s2E9xw7rjTLT8hK3QTRt+jzun71qL1aZAelkXe46Z/Cm8TqX7oBve0CxrTOvLQLr
+BH+Z8jYyDCUmy70G/C+7QhPJyQkGgLFYwaZnyQmilyP9N4EEqvkK8YU3iQLDBBgB
+AgAPBQJRnaHiAhsuBQkB4O2eAKgJECkjT3+TjVfrnSAEGQECAAYFAlGdoeIACgkQ
+8X7/+uc/MKDZ5QQAvkVxtlT79NjcESNH+odH3KICUDdriX9s2yuzKFMOypWDPHCo
+xzOZVcml7a/XGi2tVflJu3dHpWZ4nxls6w46bukmkY3NkUo+sG+1SpAw9zJ5tdtV
+mVsiEBMvR/XEMgWZL38ERYBb3aOzoQ74hq4R68wPU8jElHxR6ZWjIlz+YI+gzA//
+aHEWDNOb1+7IkSfZs7WoX0Ng7eVZi14bDauj7Znrr4r3uuSCX8a/QfSqWF4MFBak
+UpouNs6ynJE8+0WaYn8fXdWZ6gV1MqHfreEFuCY3/4JssEmprM0kNkgL9UkT84CL
+xaJ/6Q31c9bUxbo1a7Rp8+hqrRQocn//R+R3d63g3SyBeTI/qh6D+U8fJLDQzwRR
+kEshGTFHWw8XVpEkphcItwh6xv8TVW4e36pT/D0xrnqoBXamH5MDNkQ2GTyTiAbQ
+n5w74gzvM92MDWTTB92MOpJ0RlbRvrCKAMc0ZdPtect2XyQIPDL9NUZx9Ql8DYWM
+FOTr2vtQrEEf4vNlz939Yq7mV440xmFpOx1ehYO3ILChQ9c2qQST72/0UtJVY0Y2
+OIbZqDwuUnaJeuIULM+5AWX4hzEOX7ouvRkgGJvq+mbr8JY3HptXvMfqk5bMXlQF
+ecWLlgG5nESkRuQrmb8dPyOtiN2ihZb+d4HNuBlwKDaEbzLpLcYjHs5OROjWls6R
+NmfL8NMx9SGkiKw1nbrJQipcjgpDFMqw3syThARQEIqhFs7Sju5HH3ezy5w9szha
+CbjED/xkS6oXnAKmSyvpKsJ8GXe4W9s78dGUqyo8dW3SFGnt0//s1Mu1mL/QbZ9W
+hEXud8lwAcJn5KpEN+R33iikYtOD2PRDa0zZ4wlkynM=
+=66aD
+-----END PGP PRIVATE KEY BLOCK-----
+
+## 1024R subkey, usage ES, passphrase 'katpics'
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQIVBFGdoeIBEADD7XN3kD/TeMbGdUhOvmBRlp2nDuKx6IKm6tLNHw9PA1ShSwtS
+v9ijldhQwnggyiZZ8P3c6SJRPWrn45YyKUnMhtmRNeEhNx9eQDxCM3Ysu3PUUfVl
+7BiGF9OEdVTNu2/rfBzQ3krM+9oCpDBICRFfE5EuBkFAGa8GjTcsJJxWzJqcJqAP
+/6t6ioyD1DNzaf3V+m5Q5NaDzdbZj9Jw4Sf5pngaLs6Mbhei/GsP0Eoj+XdcSxfN
+HNJ06ZTmAY8XSn0il794aCSyXvVPaJPDGHfGwTgEXP45utqYZNIWYZvm2gpf1Yc3
+zIzopwVp1sLN/3ZXMUCvHg41Js+urzWBRbMu+Ypm7pldkhKPX6RIy5YMfr2zOLvt
++XulIBTZ7Omfai/wARj3JAwkMR4ssbCKIha56k4RGVDUacS0Xx7h2MmSCDE/9xH0
++lka1PN6+lJuU/Iht39vUcthSaKPyrJvcqElgEsSKg2x0rDXS/WoiFilNakBdBPd
+GWmLW89v/kNSHRJNjqwzrQBbHd3lhJUZ0nMuSud85we8SR3ZX/fIvYIBx6RcMwRp
+HCajfjsvHy3bAI0oQnp8DOXGCEDy+FWrUankrtHiOThYMcSHWlVkpXB9kEmxs+ls
+xMRzY5bWbNglu2mAGMZ4KqOEnL9VembHO9ryoASZGNFW+huq7wVqY/IA9QARAQAB
+/gNlAkdOVQG0FUthdCBIYW5uYWggPGthdEBwaWNzPokCPgQTAQIAKAUCUZ2h4gIb
+LwUJAeDtngYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQKSNPf5ONV+uGZA/7
+BGtUBaU/NBul+sevmMxhcD0BgpfP95rqfR5OnFDrN6XGBfrtptJQbIMkNqR9+O8H
+9bx8SBg+a+q8qbaMsMjAl5ASWkjLHBNA1qJfv1XkbAL3I3X2gI3pL80b18S4Ohit
+adT9Zef/xRVq89Vn6H/UureCkDM/U2aasCRxKqy+IqTxv0Hi39T5imm2B/Iz3M6K
+rhjO6m+YqCy1fy7WjmDLyqyNkr8/rjHKpEXa1++JTdTW+ufA+MYjpasdQT+4gjol
+NDZyavgw2O9WsZEn6pa1lw/H7foGoS1aE/7BhKSockEul92Em0mCQEjqLWLDejrq
+X8GAjzYIxUbpISwNSogO/Yp0SmcZqsWgY+DP0WQ5oZoZs4fVyWauG/n+PD4ZBTHY
+VVCoW+XE0D2e53QB+HrA2PSAWXLiTfJqTOjLEE4yoRCio43JgkSTpaMYWQWr5AwA
+l7uvnm/RTndNiG0pewdSkjm3f/i8Iq9RY5zMPWrahXgcy3IuBB49RGe7DYtscRzK
+Se2Qsk+rXAQYdOc1RUdKKvi94MCcUC1IbBnTKxCr9gMJklgi547yW85jnOFtqys7
+ufXacwpcsquivnMDYm+nofvcFhLaGuxlEDz4A75alcQCk+g5PdlPTmdu/sUPLT5W
+0d6WtiFZx9xPfglRUcaHHH95K8RCkukpI0FKEBcb75OdAf4EUZ2h4gEEANo87LWM
+jNAPN7eVVxKVGVWCqPpkEklDxebX5OgJVXoORzmUhMCSmgpm2T9PQNOwQsI0IcZF
+qxnYFhdn5dQiicgTbW7bVhydqYaOqnMJkbh/thXL1tJuQvVtCRwAbm+BjySyPfvc
+Iy0IZQspToT3LNGO5lrJv3UBlW+czXJbq4rfABEBAAH+AwMCLK6NLSyIGd9g9lzW
+zV83R/T8Jp2cVrImK7R4HnbeAzCT5At9N8g9mJJ18xaKdfbWU1ZlTcvDQ82ehqV1
+CKi6lqYRAXTijf0xjeQPk2YCzuwEJ4Ou0q4HRoEtnq90LtetjCGfgykY2uDKCeJe
+CFIJQd9C4MHRaVMSA6+RlFDWBgQFs/0ClwnI6PbZb2a4RRn109fsP/UlkLe1cZHa
+FU2J4ezCAWjLXXGO8QFBC/mMzkJMKeMn47Z2Tbld90ZXBlOdN01N1y46RuWCfvC6
+Y/OSALy6pBXoZNoIZiYGUK/f0c7DfCLSUGuZ7YiwVONMwBjSShlMOiv2957dvrJo
+GD+G5cLmI7lzVPRBfmzARVLIePHXaKGzYT3HDuuNMtPyErdBNG36PO6fvWovVpkB
+6WRd7jpn8KbxOpfugG97QLGtM68tAusEf5nyNjIMJSbLvQb8L7tCE8nJCQaAsVjB
+pmfJCaKXI/03gQSq+QrxhTeJAsMEGAECAA8FAlGdoeICGy4FCQHg7Z4AqAkQKSNP
+f5ONV+udIAQZAQIABgUCUZ2h4gAKCRDxfv/65z8woNnlBAC+RXG2VPv02NwRI0f6
+h0fcogJQN2uJf2zbK7MoUw7KlYM8cKjHM5lVyaXtr9caLa1V+Um7d0elZnifGWzr
+Djpu6SaRjc2RSj6wb7VKkDD3Mnm121WZWyIQEy9H9cQyBZkvfwRFgFvdo7OhDviG
+rhHrzA9TyMSUfFHplaMiXP5gj6DMD/9ocRYM05vX7siRJ9mztahfQ2Dt5VmLXhsN
+q6Ptmeuvive65IJfxr9B9KpYXgwUFqRSmi42zrKckTz7RZpifx9d1ZnqBXUyod+t
+4QW4Jjf/gmywSamszSQ2SAv1SRPzgIvFon/pDfVz1tTFujVrtGnz6GqtFChyf/9H
+5Hd3reDdLIF5Mj+qHoP5Tx8ksNDPBFGQSyEZMUdbDxdWkSSmFwi3CHrG/xNVbh7f
+qlP8PTGueqgFdqYfkwM2RDYZPJOIBtCfnDviDO8z3YwNZNMH3Yw6knRGVtG+sIoA
+xzRl0+15y3ZfJAg8Mv01RnH1CXwNhYwU5Ova+1CsQR/i82XP3f1iruZXjjTGYWk7
+HV6Fg7cgsKFD1zapBJPvb/RS0lVjRjY4htmoPC5Sdol64hQsz7kBZfiHMQ5fui69
+GSAYm+r6Zuvwljcem1e8x+qTlsxeVAV5xYuWAbmcRKRG5CuZvx0/I62I3aKFlv53
+gc24GXAoNoRvMuktxiMezk5E6NaWzpE2Z8vw0zH1IaSIrDWduslCKlyOCkMUyrDe
+zJOEBFAQiqEWztKO7kcfd7PLnD2zOFoJuMQP/GRLqhecAqZLK+kqwnwZd7hb2zvx
+0ZSrKjx1bdIUae3T/+zUy7WYv9Btn1aERe53yXABwmfkqkQ35HfeKKRi04PY9ENr
+TNnjCWTKcw==
+=AVxa
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/files/test_key_1.pub b/tests/files/test_key_1.pub
new file mode 100644
index 0000000..3b48882
--- /dev/null
+++ b/tests/files/test_key_1.pub
@@ -0,0 +1,55 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQENBFGh57gBCADRG2Q93/INxPOALefgXj40I8+i9Sc7MblIbZeu3ctAQUL41OXw
+zdTo2NKaDH+CcIQrlQZfMnchYnr69M1mDcj2MQy6DqixvNrwJKF4CZwrmFpZRH6W
+1NJ5yeU4Q6e0kAXZCSJDFjRaWv68HaNpW8j4XTHdcwmv+ry6APBa+mwhXXqAYmnS
+EFu6uk7tEjebnYjnP+J6XxBSHmF7678bvWW7M5IQkG/zxnWpsfLCcrakpxMAJnhZ
+EDhZggAl5Rvpd008H6ERJSgLWdZ03qLUutRX0OaJdH/v/aDLDxclYVZtnC1Kg3Jy
+2WU+QRP2q2q+xNSJ+smRE1wp+BnMz7qiyt8VABEBAAG0OXB5dGhvbi1nbnVwZyB0
+ZXN0IGtleSAjMSAoRE8gTk9UIFVTRSkgPHRlc3RAcHl0aG9uLWdudXBnPokBPgQT
+AQIAKAUCUaHnuAIbAQUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ
+rbLoJv+7o0jHbggAp38Ry4DiR5X1JfR9FU7XHFWXrauFt70s+ut8wexCN09FCSyu
+mJWjAiaK2jdpjUdtAwduo/r564AM1frUDtHGSZCbWes3o9CCEQJDmqo2EChdUAuI
+KitO3Uh1CSVe9wnr2MjiqH2YXxcJcvBnJHROQmOnl3ZhFPtqVDKb3Y+2RofnzhPc
+7G7Mr1O0Eo+JyXkRxbLqIhkcOEa4ve5lKZ8lXN+ZYMxL5zuEaXnlUjwWYcV//Kdn
+5V3RotFim+E+1uRlccl6MPR84Bj3P+ebstfTTrRiyx6gd0e+/OO5cgRC01ffqM+Z
+hspUfSOOtyzkvJCwITBGncIT3bKTsVA8MNIBdokBPgQTAQIAKAUCUaHoYwIbAQUJ
+AeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQrbLoJv+7o0j/9QgAl/ou
+jdynLWz78SZP3437hZ+iAU15kK7EuzVcha9xnyeULzksP/N+xJkn7ac+ld7rGxni
+Qu19tuuCbE08paWWJeFIglZRchadS71Tr/ZPnqFT9R6FLfoxxV5AEdlLgRoNDSXI
+jmUTp1E/zDodHpd55ttDFOd1KxIMYeXoGGSSpQalfvie5vAiFqFEb35TZ3PWHIZu
+rsqvP3euw98zGCF/7fgWoeBVWJSsF0gaFy+bY+qIZAENVwn5YwiP20l2U/AHR+tZ
+peI4v9VDj84WYRIMOmqkzopfWFNkiFs3sdZfJByqh+SOZPaom8SWdCqU0Q+Oeut1
+Rna+P9VMo0LqGRRUnbkBDQRRoegrAQgAsXeEonNphafbuawty1S2OzNNVu+bkN14
+RbRP1k/rUNrk5lxddfdQBbQvhAe9giuUFOJ6IZTZigSt3Pk7IRT2F0kN6svCsGih
+Om/IXRThGJYL9xPlhf60SCq4VXXuIZZMrvBizQcFlwjiHroNHUw2oil4y6V+cJiv
+z7u27ZhdMBfRKShpIiaLlRGaz0uc4JTOtcLHfSmv5orMCkBLdIDXGlbs9VWNfBOX
+QSkIuImLofxMkpH2zwM42ZPzsahAYgAxPJxlCw2pTmF0VBFkYVRq/p5nVeo18e03
+nJYrSX9bThl5eK3CfdE9XLEdbf1b/0jkwrs0GQjGlhSUtu8DurWTAwARAQABiQEl
+BBgBAgAPBQJRoegrAhsMBQkB4TOAAAoJEK2y6Cb/u6NIkxkIALF5BzodiGcmyUaF
+t6NvlkpMtFgKD3cYf5nv68g1z8Fkhwf6lWzR5RGl3vZKUZHJojl6OFtL/FX1xdoO
+k7laf9BRWM4c5Bbr3RFRXxz7aCTh3+LyXmKZjn22JVmYkkFsT6uXJfLJMHdr2Rnp
+7qjjLWOxNN2IZNreQPEhk0vEdGcebxkeiWGrcRSk+P4bBZXj7T6zoXSlmV2N/Z3b
+epym+36V4ANhUteAh5Ko0sFrjnHp1aUaKWrMWI5lyYiysrlQ7G8vV091jQstthuz
+sh7B+W2ngakzflSrJmxvP2peXGuH9pGdb5sdxxwV8vRfVCnG9dj52vw+yFMgKGoN
+xWT6jvO5AQ0EUaHoRQEIAL3HlZ4THeuodzwwtl3rZrQpnzXqMFup9FDtZMUG5AFQ
+M2+7GCjPgIj3cOd/ICZGIMLkKUfIDZgEz1wUW0BtbSAVEF64wtjZniZslt36dnbN
+e26bjB90zF3Sv+w13uWMg5iRmm9O9qtgykuTk2T/rzkn6LSE3zC9A3xccE4HDVjM
+Is1eGfrtAf32hqMW5K1I0BNfwx9BdhyVUMh6M7Ba1a009fPG9E38btwg+tfgBVvz
+Z0hvAGtJlNjSz6H6lURLBN0evhG5tIXMsWBK2RDu6V+R/EE3ZfAagqtB63Bp+dxu
+gT9SWm69ObbOgDXNXn5y/lUqLqZ+PKdX+hC/67lYs4cAEQEAAYkCRAQYAQIADwUC
+UaHoRQIbAgUJAeEzgAEpCRCtsugm/7ujSMBdIAQZAQIABgUCUaHoRQAKCRDIEZpk
+x6X0NDGcCACNvkHUCTpFKHpRzBNX1HbI/wvwB2CYsXIkhgIUFjdsV+qn8JiK42Fl
+0YeXsOxIzeoEwOsB0exgCFmX/42qhZvP5DTc6qgBDtAycVzvjpAV6D0gkJfQxRry
+dP8RvGoHT5bvxAGlG4HJZgSVSsuE7Pl5r44INi0zzU4ceCkbwlXFZidFxA+HFOUL
+MJVOiL1Yre6xRF13BO2YWD8XOlQ47ZAvHKUN9i18aLpfzmcjGOdN/P0+CIoAf49F
+W0Lbvp2ZRBpNlMbr6uTUKVJ3pWOiOeGjVfbgGbQysbGzHJmL6c9agBFMGhlV/sqf
+WlvxI85mw2WNpPvbUBP9+t/LiveifRgQBjwIAKBmV72KabqkOPlvW4rqPKO1KlqJ
+HE5O6q14wfjHqThPFm3Nkv1Ts7aB0T33Jq5m7P1wPnbjIb4HDXhYcj3WuKfTcyW/
+e+YvkLNHaC+Mtn20rLf77bytYwp08mC9BZ+5AuQLWiGMounr+MUAjGhF48FNxQF6
+6eDVrl4M5GcQz/zsX8G8GnHAN9RMT2lMPohdVdD2eCN65I4gsg2JIPyEj6BP3FP2
+BuFRWuK4uJAwRu1j9k8ryJZ8Q7BlAWRDGAPD824dSPoy0FaIgTbotXamhhx+ROvj
+ybQ4ZojVTUS4rDJJpF3a4cZokHfegYgzbAJBNEhjNJT6iiXlj1VYm8XB+to=
+=sTVP
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/files/test_key_1.sec b/tests/files/test_key_1.sec
new file mode 100644
index 0000000..d02c7dd
--- /dev/null
+++ b/tests/files/test_key_1.sec
@@ -0,0 +1,78 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+lQEVBFGh57gBCADRG2Q93/INxPOALefgXj40I8+i9Sc7MblIbZeu3ctAQUL41OXw
+zdTo2NKaDH+CcIQrlQZfMnchYnr69M1mDcj2MQy6DqixvNrwJKF4CZwrmFpZRH6W
+1NJ5yeU4Q6e0kAXZCSJDFjRaWv68HaNpW8j4XTHdcwmv+ry6APBa+mwhXXqAYmnS
+EFu6uk7tEjebnYjnP+J6XxBSHmF7678bvWW7M5IQkG/zxnWpsfLCcrakpxMAJnhZ
+EDhZggAl5Rvpd008H6ERJSgLWdZ03qLUutRX0OaJdH/v/aDLDxclYVZtnC1Kg3Jy
+2WU+QRP2q2q+xNSJ+smRE1wp+BnMz7qiyt8VABEBAAH+A2UCR05VAbQ5cHl0aG9u
+LWdudXBnIHRlc3Qga2V5ICMxIChETyBOT1QgVVNFKSA8dGVzdEBweXRob24tZ251
+cGc+iQE+BBMBAgAoBQJRoee4AhsBBQkB4TOABgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRCtsugm/7ujSMduCACnfxHLgOJHlfUl9H0VTtccVZetq4W3vSz663zB
+7EI3T0UJLK6YlaMCJoraN2mNR20DB26j+vnrgAzV+tQO0cZJkJtZ6zej0IIRAkOa
+qjYQKF1QC4gqK07dSHUJJV73CevYyOKofZhfFwly8GckdE5CY6eXdmEU+2pUMpvd
+j7ZGh+fOE9zsbsyvU7QSj4nJeRHFsuoiGRw4Rri97mUpnyVc35lgzEvnO4RpeeVS
+PBZhxX/8p2flXdGi0WKb4T7W5GVxyXow9HzgGPc/55uy19NOtGLLHqB3R77847ly
+BELTV9+oz5mGylR9I463LOS8kLAhMEadwhPdspOxUDww0gF2nQO+BFGh6CsBCACx
+d4Sic2mFp9u5rC3LVLY7M01W75uQ3XhFtE/WT+tQ2uTmXF1191AFtC+EB72CK5QU
+4nohlNmKBK3c+TshFPYXSQ3qy8KwaKE6b8hdFOEYlgv3E+WF/rRIKrhVde4hlkyu
+8GLNBwWXCOIeug0dTDaiKXjLpX5wmK/Pu7btmF0wF9EpKGkiJouVEZrPS5zglM61
+wsd9Ka/miswKQEt0gNcaVuz1VY18E5dBKQi4iYuh/EySkfbPAzjZk/OxqEBiADE8
+nGULDalOYXRUEWRhVGr+nmdV6jXx7TeclitJf1tOGXl4rcJ90T1csR1t/Vv/SOTC
+uzQZCMaWFJS27wO6tZMDABEBAAH+AwMCoeJkRdIfrAJgGqOX1nuKlntD6cG9c96y
+5DTAbye8cPHQyEVdmob4KVT3yaMl+WzsO5DTmytC7e49oh0bWOplzZh9reBsRG9L
++OtAmUsOQCvA+hIUPjjm8p6wE8BeXFZtAw2IC9RuRmRw030uIqB/GoSf0eQzgEV4
+I+nve6sqpVx1acRuNhrUHXfV23akQ0ljRomo0lWYkCDgSVgW5pgnSCHgJgADlNP9
+V0MCP6H7KULy0bVvVpf2CD5uVFzIbj9VpbeqoLedzBhyl7O7rr02PyNBIklhW+pF
+iTGwcsLmZzLAmIQ5kqu4ASPXqHYzdtNq2Cf4ELkI6HJYVPtXckUSfKWh+UnMj/Cm
+Aos1jjsBtWRbT1LSnTjfOeGudxB70aNh20LJzoLYIKbvjD3JOFA8qOgieV2K/yHA
+lRkXQmlRSIbRHzQKPcmjZEdMAjeZl72SN67F2KD7gDndHiZfnSQxT8Ul3nlB2edu
+3/n+NY3SGdejU/imlsspeumx5xPqnxzEQkcbJvyoTGmJvmQaGvNYmkFd7YldObwb
+nKqNKZumfvDIztvWmNZ1BwU75jiBkTusdzsgzhtw7G4ssuZoaMgwl59UDzbkkVm4
+Xl48EQFeB39/+2yOMKa5DdBcVCQhbrfP1d0YE/5nhJfCXxYtc2vQaF0j88VockO3
+14IA/4Q6hRx260kDoTx7ddZaez9Fdv8MsLdVtdOiWXEsGMacF2pRT7VEozC8+BED
+JQAnt44z3SfWV1XP/dGGSEWjqnGamCS/6Kq8nY9XEz0skoc6xSUNIaFbMcmKJb+p
+V0rsblClOgk5Kpknou9hOI30r/zNhhDjFkr+Sqr0VxI56+1UT/rOTmhM6+JnI0hN
+Jcu6avnlCa8ZbMqxRVmVxJPLE4jixnOyWJpBZwQmwNE7rZYYi4kBJQQYAQIADwUC
+UaHoKwIbDAUJAeEzgAAKCRCtsugm/7ujSJMZCACxeQc6HYhnJslGhbejb5ZKTLRY
+Cg93GH+Z7+vINc/BZIcH+pVs0eURpd72SlGRyaI5ejhbS/xV9cXaDpO5Wn/QUVjO
+HOQW690RUV8c+2gk4d/i8l5imY59tiVZmJJBbE+rlyXyyTB3a9kZ6e6o4y1jsTTd
+iGTa3kDxIZNLxHRnHm8ZHolhq3EUpPj+GwWV4+0+s6F0pZldjf2d23qcpvt+leAD
+YVLXgIeSqNLBa45x6dWlGilqzFiOZcmIsrK5UOxvL1dPdY0LLbYbs7Iewfltp4Gp
+M35UqyZsbz9qXlxrh/aRnW+bHcccFfL0X1QpxvXY+dr8PshTIChqDcVk+o7znQO+
+BFGh6EUBCAC9x5WeEx3rqHc8MLZd62a0KZ816jBbqfRQ7WTFBuQBUDNvuxgoz4CI
+93DnfyAmRiDC5ClHyA2YBM9cFFtAbW0gFRBeuMLY2Z4mbJbd+nZ2zXtum4wfdMxd
+0r/sNd7ljIOYkZpvTvarYMpLk5Nk/685J+i0hN8wvQN8XHBOBw1YzCLNXhn67QH9
+9oajFuStSNATX8MfQXYclVDIejOwWtWtNPXzxvRN/G7cIPrX4AVb82dIbwBrSZTY
+0s+h+pVESwTdHr4RubSFzLFgStkQ7ulfkfxBN2XwGoKrQetwafncboE/UlpuvTm2
+zoA1zV5+cv5VKi6mfjynV/oQv+u5WLOHABEBAAH+AwMCoeJkRdIfrAJgXvCeRBFe
+7KNEKIe2jaS/F8sK4nW++TXPEErotIr6hLQrej0B+dYy9titSeB7nR2Z+1R+TPXD
+KMA3r4E0M24K/CkZGZr1/gP7B+8aWv9tqijp8nFDi5J0D4H5w79bfkAmFPRwYY5/
+9Hy7Ul/LQAHakPD2aqOmyAX3x6srXnn1celN7Z8SGOsqkcZHZ2CtJde39C3f5aS5
+Ih8u261KSLIXSEo6O1lIRkGQwMLfRdNvFg8NPzordKbKS5lUjl7uuReMlDcqMzgn
+ngn9OVMhMbiNC9lB78WOWSMxw5piY1h4hIgzrltASXxoRCCMUZGJCQhJvrbsD1Cl
+CtVOZjvy5+VZ/TW14O0ZzvWdl/yyrIsgNUkLClyc4wJOEhECHBWfEwjKwnnLJoyG
+ynKlxsye4G2ANS8igULLAHI7yJLJCJyoWAISkF2FHWc343N30aYuV10VJteVNlPt
+7HxxDaINi34UoPfWL194s+fMc0tZ//DGtMHVa1vF0bY4Qsnq0y4DUluCdAf5j1+k
+m/GigqYlT6gHrNv5GeCFsQw3grW5btvIw6H0UDuQ8oj3Wd7o54uWFExYFHmmkTW0
+b6COCcKneSlpIOvAoUisAgEzggTpTTPrz4Ugxmp6cdAf8jg3U2Ui496iyU9pe2BG
+nCB0slyRdjlzOpwamPsb95jfAzdOpIPN1z6JINoqxyrhChnf/D5GLrpoTrtfWqq7
+KdZpBhU6+RI4NYPHF6R/zbp+lF1HhBMRAafJQDz3YM0lNNeDLSWCRL6u1eCY2nuA
+B2Xdyn/H+fLVfEr396DNDxUZ3KANuP7f5Ja78o6Y4Yjpqtdf+pATBFW10GN2j86c
+9cWF/PyF+pm/FWKZv3gAVYpiarOLmryfbgRH5w+ch1dn1WmQ6nnBUBsnLWUtXIkC
+RAQYAQIADwUCUaHoRQIbAgUJAeEzgAEpCRCtsugm/7ujSMBdIAQZAQIABgUCUaHo
+RQAKCRDIEZpkx6X0NDGcCACNvkHUCTpFKHpRzBNX1HbI/wvwB2CYsXIkhgIUFjds
+V+qn8JiK42Fl0YeXsOxIzeoEwOsB0exgCFmX/42qhZvP5DTc6qgBDtAycVzvjpAV
+6D0gkJfQxRrydP8RvGoHT5bvxAGlG4HJZgSVSsuE7Pl5r44INi0zzU4ceCkbwlXF
+ZidFxA+HFOULMJVOiL1Yre6xRF13BO2YWD8XOlQ47ZAvHKUN9i18aLpfzmcjGOdN
+/P0+CIoAf49FW0Lbvp2ZRBpNlMbr6uTUKVJ3pWOiOeGjVfbgGbQysbGzHJmL6c9a
+gBFMGhlV/sqfWlvxI85mw2WNpPvbUBP9+t/LiveifRgQBjwIAKBmV72KabqkOPlv
+W4rqPKO1KlqJHE5O6q14wfjHqThPFm3Nkv1Ts7aB0T33Jq5m7P1wPnbjIb4HDXhY
+cj3WuKfTcyW/e+YvkLNHaC+Mtn20rLf77bytYwp08mC9BZ+5AuQLWiGMounr+MUA
+jGhF48FNxQF66eDVrl4M5GcQz/zsX8G8GnHAN9RMT2lMPohdVdD2eCN65I4gsg2J
+IPyEj6BP3FP2BuFRWuK4uJAwRu1j9k8ryJZ8Q7BlAWRDGAPD824dSPoy0FaIgTbo
+tXamhhx+ROvjybQ4ZojVTUS4rDJJpF3a4cZokHfegYgzbAJBNEhjNJT6iiXlj1VY
+m8XB+to=
+=GLJA
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/files/test_key_2.pub b/tests/files/test_key_2.pub
new file mode 100644
index 0000000..e3bd904
--- /dev/null
+++ b/tests/files/test_key_2.pub
@@ -0,0 +1,48 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+mQENBFGh6pQBCADU4GbfWdaVQGVJ+qJn1iT6uUe10GRMzCot5Cp5T/Md7B0E8JU+
+K14igCLdCtJU/m5D4hpVoEEj+uELvNm/5OzTmMhL7c8vREBdMa/3uVmDUVuHpO6B
+93+9249aBEwj79a17kp615Lyc7dz8xIYTCjWAkVEMGDfTlSVw2xs+qYUkrbXLy/a
+9sMPnHo8WVhqG8iGszmAPP1mIzYEyUN8fuxi/MLMnkpV5h3q8Qon44tzjfj7JsKj
+3P6jcA0NteF6pZcKOK82sRKjID9mJgl1nHwSvtpz+AHqdULlHnJ8QuTZCk4zCrSn
+rcpQMg5biJ3XLrGIcgwPNQV9xhfyWIbUvSbvABEBAAG0LXRlc3Qga2V5ICMyIChE
+TyBOT1QgVVNFKSA8dGVzdDJAcHl0aG9uLWdudXBnPokBPgQTAQIAKAUCUaHqlAIb
+AQUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ5OgTI+eVTtA+aggA
+yAQgyHmhW9xssAVB5jK/a6hvNMu85hq5h/g+RpTt2vzj/MlKvNAFGUseW4C9L5Gp
+aMAoet3N2PF4/YuSfWG6426AG6I68UccuDpZqpA7vOUW9BekYpQBxNeL25db5xUv
+AIohqB0Cd6zUyHFC1qv32653ZdO857YJdSfBQ5aVM9lGm4PudjKRmF1JmPw0HUra
+9H9PleSKc28BMj+kjRkJW/IOJYJzCsnZqbfuj/WrO5GiBLVbmaoghnApfFnUIeyB
+xp4Skmjp6LxoLdbG9cOCWQ5GFsm2Qw+f7Yr+eku+tMQmiClCUT4dtpJlvb+beLMs
+NKIO081h47ZLyFTd+sdHMLkBDQRRoesPAQgAxqlnUjcYCFbhFXcn93KWsly+WaM7
+Ts20Pbv1TUBQ6zr660QwX1QLpfmuwtUKgjFRr5GWKlKLSNhsduWytWAa8r3tbN5m
+2QtAifs5VvyQSSxryz4K26eBejP6sYCtlvHeTPR1OxEGpqXXrZ9Aq8eyD/Gt9B5B
+fliq13OlwZhkBD4I4Lhw4rKvU1M8RuhWdfsnLKc/3nqS0CtZMXz81orYOkvFruJh
+TZYcJ2wl1lyUYBJb4ebzOevcLfwZnV/PcJxiv5N+vzeMmWbrW6WwldtM6Nd5e69x
+gs8HqLng0grzvUzTQ8LAJysA46BsWrs61fOwzNYP0cwzP+la4G+Ojd9nkwARAQAB
+iQElBBgBAgAPBQJRoesPAhsMBQkB4TOAAAoJEOToEyPnlU7Qp64H/iIJ7gWZQbhF
+k70z2ovBn7HD3MI/fJX8cE4LABecyQY/SHTOt/qedrS9t1A8UO3k+qjK24j5Zouh
+ipVowIP304EB8bgJcrQlORfrkYc0v4pjWuMLg83/asLU0H9wgVPh0FeH4q0reUYN
+tOpgv334nq+07DHXmE+Mu1vaAEwtTSQCIGF7yDNTGxN2Nur+Vjj7ftsZce8IEZ5R
+dk2H41IFr+J8agIXwdCLniX4edCklcwHpGiku0xg31VNVsJBjuK1LLYlHtFTG6sl
+cV2/0Gyi3e0cbDN6aFQ6XRnhH5KUL1FzanMw5CsDKpHVySFtvA4aVLTPM0+G6B+3
+Ei4xK5vPilS5AQ0EUaHrLwEIAL6GvdXsBGVMsRANP2l+RgNHpUMX+j0fvhvYFKeV
+Bs6zHsha4e+8gcSbTudrK1lK6b8qKFodrBPXzDstA/dX+AjAxqWqHH58T72mlyxD
+pr+mtqEM+dObarcoszb7tIQNnkoDwmZv/kXmlbrQLZW3aCX1c46kIcrCqC68iDOu
+NvKmoS7QaKqxk+pC0Xsyp02hsdgaP3cec1/wifPQjWF87YiZXqSxvv7RPPFOMdCE
+xoqERQI/uTPCdJSqOb3YuYyi5K+g/wGnirD9X9k6wPW/UiYZZwopDMql8OfnuEPy
+3pQ/sw8f3o7MipmG8h2Vf482blJuFfdQAwuqXbVl4rVTCDMAEQEAAYkCRAQYAQIA
+DwUCUaHrLwIbAgUJAeEzgAEpCRDk6BMj55VO0MBdIAQZAQIABgUCUaHrLwAKCRAK
++or5ywZSK4umCACh/7AqZo7d9rCMJpdaOnk7I6FpNWHbW/J97ik7gqMCOYdIVC+J
+qCVcqKdytS/UGBEmpUPKxJF9ZXRq55poS9hJlMEUxX2G9DY1jwydzQIHhypF+UYy
+dV1i88r0R19e8qR1PU3OMUDEbR03LVBSM6tqAJw6xKGS+VGL4Jck0SkB9F7WSOy8
+Q1MjkWOdNn6fFzyD7AFxRQuaVgc08g6LgjXkQ/4MSGDGD0L8SYbJsK70HO1fw12c
+cHomGyhyWsgH2DLxJECzWOnShWpSc0g8ADV0Qokw2k9b+tNOCiH+8wxCj1JHslCG
+zLWDzvnHvip4xfPebNa2Ehk795qfPUzc2nKK1QcH/jXogZm8E+0H/G0ys28PQf0H
+bpwgHMgMaUyHZEBuzsWmk4n0AHF+qqA3W5kZ9F/wiVXGyNRq0RXU8+qaQsUC2oZp
+eYFbXZqMSDTlyJnjpi7curmWC7cmrxgdFSHDvlHwx/1sl8k5QgKaCYuisj43rZXj
+fOvBG0mcOqOgXjYCNaaaYyldVBxla0b+TbpwwHkaaewR0zKhTj2VM6CoyHsOUfMc
+KmboxRXJicxQ/xZ+XbogwKsK4edFodJqShsBYfosFV+62c7Fk875FbtbL3I4TbGp
+h5x8vmZGmZFuI2tG369Xx/HXQN7lcEbPKO8OGY/vNgWfbHrBHHpMgqTlMx/Q0ww=
+=bZbj
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/files/test_key_2.sec b/tests/files/test_key_2.sec
new file mode 100644
index 0000000..7f113c5
--- /dev/null
+++ b/tests/files/test_key_2.sec
@@ -0,0 +1,77 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+Version: GnuPG v1.4.12 (GNU/Linux)
+
+lQEVBFGh6pQBCADU4GbfWdaVQGVJ+qJn1iT6uUe10GRMzCot5Cp5T/Md7B0E8JU+
+K14igCLdCtJU/m5D4hpVoEEj+uELvNm/5OzTmMhL7c8vREBdMa/3uVmDUVuHpO6B
+93+9249aBEwj79a17kp615Lyc7dz8xIYTCjWAkVEMGDfTlSVw2xs+qYUkrbXLy/a
+9sMPnHo8WVhqG8iGszmAPP1mIzYEyUN8fuxi/MLMnkpV5h3q8Qon44tzjfj7JsKj
+3P6jcA0NteF6pZcKOK82sRKjID9mJgl1nHwSvtpz+AHqdULlHnJ8QuTZCk4zCrSn
+rcpQMg5biJ3XLrGIcgwPNQV9xhfyWIbUvSbvABEBAAH+A2UCR05VAbQtdGVzdCBr
+ZXkgIzIgKERPIE5PVCBVU0UpIDx0ZXN0MkBweXRob24tZ251cGc+iQE+BBMBAgAo
+BQJRoeqUAhsBBQkB4TOABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDk6BMj
+55VO0D5qCADIBCDIeaFb3GywBUHmMr9rqG80y7zmGrmH+D5GlO3a/OP8yUq80AUZ
+Sx5bgL0vkalowCh63c3Y8Xj9i5J9YbrjboAbojrxRxy4OlmqkDu85Rb0F6RilAHE
+14vbl1vnFS8AiiGoHQJ3rNTIcULWq/fbrndl07zntgl1J8FDlpUz2Uabg+52MpGY
+XUmY/DQdStr0f0+V5IpzbwEyP6SNGQlb8g4lgnMKydmpt+6P9as7kaIEtVuZqiCG
+cCl8WdQh7IHGnhKSaOnovGgt1sb1w4JZDkYWybZDD5/tiv56S760xCaIKUJRPh22
+kmW9v5t4syw0og7TzWHjtkvIVN36x0cwnQO+BFGh6w8BCADGqWdSNxgIVuEVdyf3
+cpayXL5ZoztOzbQ9u/VNQFDrOvrrRDBfVAul+a7C1QqCMVGvkZYqUotI2Gx25bK1
+YBryve1s3mbZC0CJ+zlW/JBJLGvLPgrbp4F6M/qxgK2W8d5M9HU7EQampdetn0Cr
+x7IP8a30HkF+WKrXc6XBmGQEPgjguHDisq9TUzxG6FZ1+ycspz/eepLQK1kxfPzW
+itg6S8Wu4mFNlhwnbCXWXJRgElvh5vM569wt/BmdX89wnGK/k36/N4yZZutbpbCV
+20zo13l7r3GCzweoueDSCvO9TNNDwsAnKwDjoGxauzrV87DM1g/RzDM/6Vrgb46N
+32eTABEBAAH+AwMCkHk0gj7hSzxgh8nBL+SOKeRQxo2bP+3SF/IpSjFgvmOELvfe
+IVGL5UHXZ5593wI6uICnM6+uqY6pmABvnsJ+Q5GNI2q1fRijaQQiNit0YlieZOhE
+rkaBGWwcFKwa6WwSkYyLBw6b+RPywjCpKHcV0FZ7JjUyeKXmiHNRqpWkwrv0izXO
+cXAMwts+ccAaqLvBFNuPSmY3071iQ5dVvfDgLehhTStlMZ8mDL7tQchIDmQao7Ni
+QXGT419ldX3q4cgVkj0AjZQdIfsMSyvwqMs6TmKRJkDROVyAVxtXb3eE0HK7ssJa
+9geF3xMHbeDe3pDaMFqsPQjkiiM0u7XvYIAtCtbYMzk66RcYHLgDebG8jkYTkpqk
+P7A5BG5y0aNKi85ub0A0jU1VJMBY+JI64P2E6CXjy1q11nitMlmJukVBfWzKabml
+0J2ulYxzRBiWfJIxatDiGp646iWzrVIrOpx6oLE4OUhuRe2i7XTnkfcCWGFO1MZW
+yUqBJnspIdESHs+j9hxmUtnIPtmrBLpd2fmkXakYFnu+e2tDQBwTOzMPGQ19u/1U
+2LNGZo0CVDNCzfmnm7WEl9UxIk4kjP3zomfAv2XjVQQPQUMqt1qwpJVyKfJsdAdE
+CUtsaXkiRbeLvdSR+nVoXDET+ZDZKYTdbKvFsnzkJDRhpEb1aHZEBkdY2ZOanQbK
+hfczYIwnDuhckp2TUYW5HW0eKh9PA1jJjhsFH+LZdDVkQ2knJfkn76OJnAumkohE
+9DKgHq3OEpeMa/oTE0tJBHcufh+l89R5D7Og3731EBVsJwAmtOIfQtgbVzD0r1hi
+EI0d1gfpjjHRZZKC6msqx9xbmDa5owVV4UPmkSVv/hxuw8mY3V7wk9pML7vzIHhl
+LnoucJ1BnXlkXF23Yj9OV+bvdtqWbsIuIokBJQQYAQIADwUCUaHrDwIbDAUJAeEz
+gAAKCRDk6BMj55VO0KeuB/4iCe4FmUG4RZO9M9qLwZ+xw9zCP3yV/HBOCwAXnMkG
+P0h0zrf6nna0vbdQPFDt5PqoytuI+WaLoYqVaMCD99OBAfG4CXK0JTkX65GHNL+K
+Y1rjC4PN/2rC1NB/cIFT4dBXh+KtK3lGDbTqYL99+J6vtOwx15hPjLtb2gBMLU0k
+AiBhe8gzUxsTdjbq/lY4+37bGXHvCBGeUXZNh+NSBa/ifGoCF8HQi54l+HnQpJXM
+B6RopLtMYN9VTVbCQY7itSy2JR7RUxurJXFdv9Bsot3tHGwzemhUOl0Z4R+SlC9R
+c2pzMOQrAyqR1ckhbbwOGlS0zzNPhugftxIuMSubz4pUnQO+BFGh6y8BCAC+hr3V
+7ARlTLEQDT9pfkYDR6VDF/o9H74b2BSnlQbOsx7IWuHvvIHEm07naytZSum/Kiha
+HawT18w7LQP3V/gIwMalqhx+fE+9ppcsQ6a/prahDPnTm2q3KLM2+7SEDZ5KA8Jm
+b/5F5pW60C2Vt2gl9XOOpCHKwqguvIgzrjbypqEu0GiqsZPqQtF7MqdNobHYGj93
+HnNf8Inz0I1hfO2ImV6ksb7+0TzxTjHQhMaKhEUCP7kzwnSUqjm92LmMouSvoP8B
+p4qw/V/ZOsD1v1ImGWcKKQzKpfDn57hD8t6UP7MPH96OzIqZhvIdlX+PNm5SbhX3
+UAMLql21ZeK1UwgzABEBAAH+AwMCy7jrCEcZti9gszC7JWKa9anp7NZyBh7U25fA
+NmrAQfSpcrfHW/HIjpbb3xISAlD8bdDs5PGIAwQ7v9a1hdEqcQ15JNM5WJaTfEhq
+Ox5iEHkHjWJnrYDTel9FVMqwnsXvjcKY+0xcp1FB/xtRk0o03rZDD+GWWyyw6tAt
+tvB2KLPr0+Ud8ea7w6RVbip3hzbRi5g1x9HlFKkdSu4CjtOLjR/ama4+zAvLJ/h+
+3gQU7Z8Z5fz5OgOenGXxmZVFkhsfP6gRoZWri3QgWiFcnIfRp7BlQRx6c1W0alLH
+GRAv4YAU4fmDy1QgbtJj+3OLw6vNKS7kC5LCk9k+FjaBymKQ7o6Orj08xB6Xj0Uy
+Z2BqJuVCP4f6wjQMtEcO/+Ij+e61GzF1vTRTJ55dFA/yELjpnFVkcn8knWQbtsIw
+fgEUazzVcJJ9nZQMou2l6S0BDLFRDHqRW8xTQH6ZQzFtXLzAzG2LQwRD8JUMOngO
+sMbNGWVn1ZXw6rYNNECdRORXEgdMl2hnT9y4hUFKbK7nGnv2cUQjtotK2Z3m68WY
+AOwTROZgFr7283+z0v0iIPxLj6Y8ifrw1mTDsShGFRDF2Ia3GFd2BtP53mhGy8ar
+9RKzKpAyelqt6l1o6ECbqwB3MfghUM4Or9zlctzOuqBxWB4E4DJ5OdwKDwJFUxL/
+9DmmbUzMJ6H7nhaTDgfQ1bihGCJ1EApTiA4S7A/7Ig18n4gNi9BzroL4790Wnh4w
+A0hX5sPF2j609D3HeIdHGG+9Zl+u2xlwG0HRdjul3+5ddYypU5ierP9EZJiKUWtR
+8KiJs9sHvZ4K05WKKn261+8uBhWYG9cvDo/hLtrXe2IjUciCO7woUqbBEIDG756W
+yj2EPi10zBrrspGQcbEFGuyO+2kgAtPigpib4JYTkFXdt4kCRAQYAQIADwUCUaHr
+LwIbAgUJAeEzgAEpCRDk6BMj55VO0MBdIAQZAQIABgUCUaHrLwAKCRAK+or5ywZS
+K4umCACh/7AqZo7d9rCMJpdaOnk7I6FpNWHbW/J97ik7gqMCOYdIVC+JqCVcqKdy
+tS/UGBEmpUPKxJF9ZXRq55poS9hJlMEUxX2G9DY1jwydzQIHhypF+UYydV1i88r0
+R19e8qR1PU3OMUDEbR03LVBSM6tqAJw6xKGS+VGL4Jck0SkB9F7WSOy8Q1MjkWOd
+Nn6fFzyD7AFxRQuaVgc08g6LgjXkQ/4MSGDGD0L8SYbJsK70HO1fw12ccHomGyhy
+WsgH2DLxJECzWOnShWpSc0g8ADV0Qokw2k9b+tNOCiH+8wxCj1JHslCGzLWDzvnH
+vip4xfPebNa2Ehk795qfPUzc2nKK1QcH/jXogZm8E+0H/G0ys28PQf0HbpwgHMgM
+aUyHZEBuzsWmk4n0AHF+qqA3W5kZ9F/wiVXGyNRq0RXU8+qaQsUC2oZpeYFbXZqM
+SDTlyJnjpi7curmWC7cmrxgdFSHDvlHwx/1sl8k5QgKaCYuisj43rZXjfOvBG0mc
+OqOgXjYCNaaaYyldVBxla0b+TbpwwHkaaewR0zKhTj2VM6CoyHsOUfMcKmboxRXJ
+icxQ/xZ+XbogwKsK4edFodJqShsBYfosFV+62c7Fk875FbtbL3I4TbGph5x8vmZG
+mZFuI2tG369Xx/HXQN7lcEbPKO8OGY/vNgWfbHrBHHpMgqTlMx/Q0ww=
+=01Sl
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/tests/test_gnupg.py b/tests/test_gnupg.py
new file mode 100644
index 0000000..4435bd3
--- /dev/null
+++ b/tests/test_gnupg.py
@@ -0,0 +1,1001 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+"""
+A test harness for gnupg.py.
+
+Copyright © 2013 Isis Lovecruft.
+Copyright © 2008-2013 Vinay Sajip. All rights reserved.
+"""
+
+from functools import wraps
+
+import argparse
+import codecs
+import encodings
+import doctest
+import io
+import logging
+import os
+import shutil
+import sys
+import tempfile
+import time
+
+## Use unittest2 if we're on Python2.6 or less:
+if sys.version_info.major == 2 and sys.version_info.minor <= 6:
+    unittest = __import__(unittest2)
+else:
+    import unittest
+
+import gnupg
+from gnupg import _parsers
+from gnupg import _util
+from gnupg import _logger
+
+
+log = _util.log
+log.setLevel(9)
+
+_here  = os.path.join(os.getcwd(), 'tests')
+_files = os.path.join(_here, 'files')
+_tempd = os.path.join(_here, 'tmp')
+
+tempfile.tempdir = _tempd
+if not os.path.isdir(tempfile.gettempdir()):
+    log.debug("Creating temporary testing directory: %s"
+                 % tempfile.gettempdir())
+    os.makedirs(tempfile.gettempdir())
+
+@wraps(tempfile.TemporaryFile)
+def _make_tempfile(*args, **kwargs):
+    return tempfile.TemporaryFile(dir=tempfile.gettempdir(),
+                                  *args, **kwargs)
+
+RETAIN_TEST_DIRS = True
+
+KEYS_TO_IMPORT = """-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGiBEiH4QERBACm48JJsg2XGzWfL7f/fjp3wtrY+JIz6P07s7smr35kve+wl605
+nqHtgjnIVpUVsbI9+xhIAPIkFIR6ZcQ7gRDhoT0bWKGkfdQ7YzXedVRPlQLdbpmR
+K2pKKySpF35pJsPAYa73EVaxu2KrII4CyBxVQgNWfGwEbtL5FfzuHhVOZwCg6JF7
+bgOMPmEwBLEHLmgiXbb5K48D/2xsXtWMkvgRp/ubcLxzbNjaHH6gSb2IfDi1+W/o
+Bmfua6FksPnEDn7PWnBhCEO9rf1tV0FcrvkR9m2FGfx38tjssxDdLvX511gbfc/Q
+DJxZ00A63BxI3xav8RiXlqpfQGXpLJmCLdeCh5DXOsVMCfepqRbWyJF0St7LDcq9
+SmuXA/47dzb8puo9dNxA5Nj48I5g4ke3dg6nPn7aiBUQ35PfXjIktXB6/sQJtWWx
+XNFX/GVUxqMM0/aCMPdtaoDkFtz1C6b80ngEz94vXzmON7PCgDY6LqZP1B1xbrkr
+4jGSr68iq7ERT+7E/iF9xp+Ynl91KK7h8llY6zFw+yIe6vGlcLQvR2FyeSBHcm9z
+cyAoQSB0ZXN0IHVzZXIpIDxnYXJ5Lmdyb3NzQGdhbW1hLmNvbT6IYAQTEQIAIAUC
+SIfhAQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEJZ2Ekdc7S4UtEcAoJIA
+iZurfuzIUE9Dtn86o6vC14qoAJ9P79mxR88wRr/ac9h5/BIf5cZKMbkCDQRIh+EB
+EAgAyYCvtS43J/OfuGHPGPZT0q8C+Y15YLItSQ3H6IMZWFY+sX+ZocaIiM4noVRG
++mrEqzO9JNh4KP1OdFju1ZC8HZXpPVur48XlTNSm0yjmvvfmi+aGSuyQ0NkfLyi1
+aBeRvB4na/oFUgl908l7vpSYWYn4EY3xpvwJdyTWHTh4o7+zvrR1fByDt49k2b3z
+yTACoxYPVQfknt8gxqLqHZsbgn02Ml7HS17bSWr5Z7PlWqDlmsdqUikVU9d2RvIq
+R+YIJbOdHSklbVQQDhr+xgHPi39e7nXMxR/rMjMbz7E5vSNkge45n8Pzim8iyqy+
+MTMW8psV/OyrHUJzBEA7M6hA1wADBwgAnB0HzI1iyiQmIymO0Hj0BgqU6/avFw9R
+ggBuE2v7KsvuLP6ohXDEhYopjw5hgeotobpg6tS15ynch+6L8uWsJ0rcY2X9dsJy
+O8/5mjrNDHwCKiYRuZfmRZjzW03vO/9+rjtZ0NzoWYMP3UR8lUTVp2LTygefBA88
+Zgw6dWBVzn+/c0vdwcF4Y3njYKE7eq4VrfcwqRgD0hDyIJd1OpqzHfXXnTtLlAsm
+UwtdONzlwu7KkgafMo4vzKY6dCtUkR6pXAE/rLQfCTonwl9SnyusoYZgjDoj4Pvw
+ePxIl2q05dcn96NJGS+SfS/5B4H4irbfaEYmCfKps+45sjncYGhZ/ohJBBgRAgAJ
+BQJIh+EBAhsMAAoJEJZ2Ekdc7S4U2lkAoIwZLMHVldC0v9wse53xU0NsNIskAKDc
+Ft0XWUJ9yajOEUqCVHNs3F99t5kBogRIh+FVEQQAhk/ROtJ5/O+YERl4tZZBEhGH
+JendDBDfzmfRO9GIDcZI20nx5KJ1M/zGguqgKiVRlBy32NS/IRqwSI158npWYLfJ
+rYCWrC2duMK2i/8prOEfaktnqZXVCHudGtP4mTqNSs+867LnGhQ4w3HmB09zCIpD
+eIhhhPOb5H19H8UlojsAoLwsq5BACqUKoiz8lUufpTTFMbaDA/4v1fWmprYAxGq9
+cZ9svae772ymN/RRPDb/D+UJoJCCJSjE8m4MukVchyJVT8GmpJM2+dlt62eYwtz8
+bGNt+Yzzxr0N8rLutsSks7RaM16MaqiAlM20gAXEovxBiocgP/p5bO3FGKOBbrfd
+h47BZDEqLvfJefXjZEsElbZ9oL2zDgP9EsoDS9mbfesHDsagE5jCZRTY1C/FRLBO
+zhGgP2IlqBdOX8BYBYZiIlLM+pN5fU0Hcu3VOZY1Hnj6r3VbK1bOScQzqrZ7qgmw
+TRgyxUQalaOhMb5rUD0+dUFxa/mhTerx5POrX6zOWmmK0ldYTZO4/+nWr4FwmU8R
+41nYYYdi0yS0MURhbm55IERhdmlzIChBIHRlc3QgdXNlcikgPGRhbm55LmRhdmlz
+QGRlbHRhLmNvbT6IYAQTEQIAIAUCSIfhVQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4B
+AheAAAoJEG7bKmS7rMYAEt8An2jxsmsE1MZVZc4Ev8RB9Gu1zbsCAJ9G5kkYIIf0
+OoDqCjkDMDJcpd4MqLkCDQRIh+FVEAgAgHQ+EyseLw6A3BS2EUz6U1ZGzuJ5CXxY
+BY8xaQtE+9AJ0WHyzKeptnlnY1x9et3ny1BcVC5aR1OgsDiuVRvSFwpFfVxMKbRT
+kvERWADfB0N5EyWwyE0E4BT5hyEhW7fS0bucJL6UK5PKvfE5wexWlUI3yV4K1z6W
+2gSNL60o3kmoGn9K5ICWO/jbi6MkPptSoDu/laCJHv/aid6Gf94ckDClQQyLsccj
+0ibynm6rI3cIzpPMbimKIsKT1smAqZEBsTucBlOjIuIROANTZUN3reGIRh/kVNyg
+YTrkUnIqVS9FnbHa2wxeb6F/cO33fPiVfiCmZuKI1Uh4PMGaaSCh0wADBQf/SaXN
+WcuD0mrEnxqgEJRx67ZeFZjZM53Obu3JYQ++lqsthf8MxE7K4J/67xDpOh6waK0G
+6GCLwEm3Z7wjCaz1DYg2uJp/3pispWxZio3PLVe7WrMY+oEBHEsiJXicS5dV620a
+uoaBnnc0aQWT/DREE5s35IrZCh4WDQgO9rl0i/qcIITm77TmQbq2Xdj5vt6s0cx7
+oHKRaFBpQ8DBsCQ+D8Xz7i1oUygNp4Z5xPhItWeCfE9YoCoem4jSB4HGwmMOEicp
+VSpY43k01cd0Yfb1OMhA5C8OBwcwn3zvQB7nbxyxyQ9qphfwhMookIL4+tKKBIQL
+CnOGhApkAGbjRwuLi4hJBBgRAgAJBQJIh+FVAhsMAAoJEG7bKmS7rMYA+JQAn0E2
+WdPQjKEfKnr+bW4yubwMUYKyAJ4uiE8Rv/oEED1oM3xeJqa+MJ9V1w==
+=sqld
+-----END PGP PUBLIC KEY BLOCK-----"""
+
+
+def is_list_with_len(o, n):
+    return isinstance(o, list) and len(o) == n
+
+def compare_keys(k1, k2):
+    """Compare ASCII keys."""
+    k1 = k1.split('\n')
+    k2 = k2.split('\n')
+    return k1 != k2
+
+
+class ResultStringIO(io.StringIO):
+    def __init__(self, init_string):
+        super(ResultStringIO, self).__init__(init_string)
+    def write(self, data):
+        super(ResultStringIO, self).write(unicode(data))
+
+
+class GPGTestCase(unittest.TestCase):
+    """:class:`unittest.TestCase <TestCase>`s for python-gnupg."""
+
+    @classmethod
+    def setUpClass(cls):
+        """Setup ``GPGTestCase`` and runtime environment for tests.
+
+        This function must be called manually.
+        """
+        pass
+
+    def setUp(self):
+        """This method is called once per self.test_* method."""
+        print "%s%s%s" % (os.linesep, str("=" * 70), os.linesep)
+        hd = tempfile.mkdtemp()
+        if os.path.exists(hd):
+            if not RETAIN_TEST_DIRS:
+                self.assertTrue(os.path.isdir(hd), "Not a directory: %s" % hd)
+                shutil.rmtree(hd)
+
+        if not os.path.exists(hd):
+            os.makedirs(hd)
+        self.assertTrue(os.path.isdir(hd), "Not a directory: %s" % hd)
+
+        self.gpg = gnupg.GPG(binary='gpg', homedir=hd)
+        self.homedir = hd
+        self.keyring = self.gpg.keyring
+        self.secring = self.gpg.secring
+        self.insecure_prng = False
+
+    def tearDown(self):
+        """This is called once per self.test_* method after the test run."""
+        if os.path.exists(self.homedir) and os.path.isdir(self.homedir):
+            try:
+                shutil.rmtree(self.homedir)
+            except OSError as ose:
+                log.error(ose)
+        else:
+            log.warn("Can't delete homedir: '%s' not a directory"
+                     % self.homedir)
+        log.warn("%s%s%s" % (os.linesep, str("=" * 70), os.linesep))
+
+    def test_parsers_fix_unsafe(self):
+        """Test that unsafe inputs are quoted out and then ignored."""
+        shell_input = "\"&coproc /bin/sh\""
+        fixed = _parsers._fix_unsafe(shell_input)
+        print fixed
+        test_file = os.path.join(_files, 'cypherpunk_manifesto')
+        self.assertTrue(os.path.isfile(test_file))
+        has_shell = self.gpg.verify_file(test_file, fixed)
+        self.assertFalse(has_shell.valid)
+
+    def test_parsers_is_hex_valid(self):
+        """Test that valid hexidecimal passes the parsers._is_hex() check"""
+        valid_hex = '0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35'
+        self.assertTrue(_parsers._is_hex(valid_hex))
+
+    def test_parsers_is_hex_lowercase(self):
+        """Test parsers._is_hex() with lowercased hexidecimal"""
+        valid_hex = 'deadbeef15abad1dea'
+        self.assertTrue(_parsers._is_hex(valid_hex))
+
+    def test_parsers_is_hex_invalid(self):
+        """Test that invalid hexidecimal fails the parsers._is_hex() check"""
+        invalid_hex = 'cipherpunks write code'
+        self.assertFalse(_parsers._is_hex(invalid_hex))
+
+    def test_encodings_spiteful(self):
+        """Test that a non-existent codec raises a LookupError."""
+        enc = '#!@& dealing with unicode in Python2'
+        with self.assertRaises(LookupError):
+            _util.find_encodings(enc)
+
+    def test_encodings_iso_8859_1(self):
+        """Test that _util.find_encodings works for Chinese Traditional."""
+        enc = 'big5'
+        coder = _util.find_encodings(enc)
+        msg = u'光榮的中國人民應該摧毀中國長城防火牆。'
+        encoded = coder.encode(msg)[0]
+        decoded = coder.decode(encoded)[0]
+        self.assertEqual(msg, decoded)
+
+    def test_encodings_non_specified(self):
+        """Test that using the default utf-8 encoding works."""
+        coder = _util.find_encodings()
+        msg = u'Nutella á brauð mitt, smear það þykkur!'
+        encoded = coder.encode(msg)[0]
+        decoded = coder.decode(encoded)[0]
+        self.assertEqual(msg, decoded)
+
+    def test_homedir_creation(self):
+        """Test that a homedir is created if left unspecified"""
+        gpg = gnupg.GPG(binary='gpg')
+        self.assertTrue(os.path.exists(gpg.homedir),
+                        "Not an existing directory: %s" % gpg.homedir)
+        self.assertTrue(os.path.isdir(gpg.homedir),
+                        "Not a directory: %s" % gpg.homedir)
+
+    def test_binary_discovery(self):
+        """Test that the path to gpg is discovered if unspecified"""
+        gpg = gnupg.GPG()
+        self.assertIsNotNone(gpg.binary)
+        self.assertTrue(os.path.exists(gpg.binary),
+                        "Path does not exist: %s" % gpg.binary)
+
+    def test_gpg_binary(self):
+        """Test that 'gpg --version' does not return an error code."""
+        proc = self.gpg._open_subprocess(['--version'])
+        result = io.StringIO()
+        self.gpg._collect_output(proc, result, stdin=proc.stdin)
+        self.assertEqual(proc.returncode, 0)
+
+    def test_gpg_binary_version_str(self):
+        """That that 'gpg --version' returns the expected output."""
+        proc = self.gpg._open_subprocess(['--version'])
+        result = proc.stdout.read(1024)
+        expected1 = "Supported algorithms:"
+        expected2 = "Pubkey:"
+        expected3 = "Cipher:"
+        expected4 = "Compression:"
+        self.assertGreater(result.find(expected1), 0)
+        self.assertGreater(result.find(expected2), 0)
+        self.assertGreater(result.find(expected3), 0)
+        self.assertGreater(result.find(expected4), 0)
+
+    def test_gpg_binary_not_installed(self):
+        """Test that Gnupg installation can be detected."""
+        env_copy = os.environ
+        path_copy = os.environ.pop('PATH')
+        with self.assertRaises(RuntimeError):
+            gnupg.GPG(homedir=self.homedir)
+        os.environ = env_copy
+        os.environ.update({'PATH': path_copy})
+
+    def test_gpg_binary_not_abs(self):
+        """Test that a non-absolute path to gpg results in a full path."""
+        print self.gpg.binary
+        self.assertTrue(os.path.isabs(self.gpg.binary))
+
+    def test_make_args_drop_protected_options(self):
+        """Test that unsupported gpg options are dropped."""
+        self.gpg.options = ['--tyrannosaurus-rex', '--stegosaurus']
+        cmd = self.gpg._make_args(None, False)
+        expected = ['/usr/bin/gpg',
+                    '--no-options --no-emit-version --no-tty --status-fd 2',
+                    '--homedir "%s"' % self.homedir,
+                    '--no-default-keyring --keyring %s' % self.keyring,
+                    '--secret-keyring %s' % self.secring,
+                    '--no-use-agent']
+        self.assertListEqual(cmd, expected)
+
+    def test_make_args(self):
+        """Test argument line construction."""
+        not_allowed = ['--bicycle', '--zeppelin', 'train', 'flying-carpet']
+        self.gpg.options = not_allowed[:-2]
+        args = self.gpg._make_args(not_allowed[2:], False)
+        self.assertTrue(len(args) == 6)
+        for na in not_allowed:
+            self.assertNotIn(na, args)
+
+    def test_list_keys_initial_public(self):
+        """Test that initially there are no public keys."""
+        public_keys = self.gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 0),
+                        "Empty list expected...got instead: %s"
+                        % str(public_keys))
+
+    def test_list_keys_initial_secret(self):
+        """Test that initially there are no secret keys."""
+        private_keys = self.gpg.list_keys(secret=True)
+        self.assertTrue(is_list_with_len(private_keys, 0),
+                        "Empty list expected...got instead: %s"
+                        % str(private_keys))
+
+    def test_copy_data_bytesio(self):
+        """Test that _copy_data() is able to duplicate byte streams."""
+        message = "This is a BytesIO string string in memory."
+        instream = io.BytesIO(message)
+        self.assertEqual(unicode(message), instream.getvalue())
+        outstream = ResultStringIO(u'result:')
+        copied = outstream
+        _util._copy_data(instream, outstream)
+        self.assertTrue(outstream.readable())
+        self.assertTrue(outstream.closed)
+        self.assertFalse(instream.closed)
+        self.assertTrue(copied.closed)
+        #self.assertEqual(instream.getvalue()[6:], outstream.getvalue())
+
+    def generate_key_input(self, real_name, email_domain, key_length=None,
+                           key_type=None, subkey_type=None, passphrase=None):
+        """Generate a GnuPG batch file for key unattended key creation."""
+        name = real_name.lower().replace(' ', '')
+
+        key_type   = 'RSA'if key_type is None else key_type
+        key_length = 1024 if key_length is None else key_length
+
+        batch = {'Key-Type': key_type,
+                 'Key-Length': key_length,
+                 'Expire-Date': 1,
+                 'Name-Real': '%s' % real_name,
+                 'Name-Email': ("%s@%s" % (name, email_domain))}
+
+        batch['Passphrase'] = name if passphrase is None else passphrase
+
+        if subkey_type is not None:
+            batch['Subkey-Type'] = subkey_type
+            batch['Subkey-Length'] = key_length
+
+        key_input = self.gpg.gen_key_input(testing=self.insecure_prng, **batch)
+        return key_input
+
+    def generate_key(self, real_name, email_domain, **kwargs):
+        """Generate a basic key."""
+        key_input = self.generate_key_input(real_name, email_domain, **kwargs)
+        key = self.gpg.gen_key(key_input)
+        print "\nKEY TYPE: ", key.type
+        print "KEY FINGERPRINT: ", key.fingerprint
+        return key
+
+    def test_gen_key_input(self):
+        """Test that GnuPG batch file creation is successful."""
+        key_input = self.generate_key_input("Francisco Ferrer", "an.ok")
+        self.assertIsInstance(key_input, str)
+        self.assertGreater(key_input.find('Francisco Ferrer'), 0)
+
+    def test_rsa_key_generation(self):
+        """Test that RSA key generation succeeds."""
+        key = self.generate_key("Ralph Merkle", "xerox.com")
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_rsa_key_generation_with_unicode(self):
+        """Test that RSA key generation succeeds with unicode characters."""
+        key = self.generate_key("Anaïs de Flavigny", "êtrerien.fr")
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_rsa_key_generation_with_subkey(self):
+        """Test that RSA key generation succeeds with additional subkey."""
+        key = self.generate_key("John Gilmore", "isapu.nk",
+                                subkey_type='RSA')
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_dsa_key_generation(self):
+        """Test that DSA key generation succeeds."""
+        key = self.generate_key("Ross Anderson", "bearli.on")
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_dsa_key_generation_with_unicode(self):
+        """Test that DSA key generation succeeds with unicode characters."""
+        key = self.generate_key("破壊合計する", "破壊合計する.日本")
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_dsa_key_generation_with_subkey(self):
+        """Test that RSA key generation succeeds with additional subkey."""
+        key = self.generate_key("Eli Biham", "bearli.on",
+                                subkey_type='ELG-E')
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_key_generation_with_invalid_key_type(self):
+        """Test that key generation handles invalid key type."""
+        params = {
+            'Key-Type': 'INVALID',
+            'Key-Length': 1024,
+            'Subkey-Type': 'ELG-E',
+            'Subkey-Length': 1024,
+            'Name-Comment': 'A test user',
+            'Expire-Date': 1,
+            'Name-Real': 'Test Name',
+            'Name-Email': 'test.name@example.com',
+        }
+        batch = self.gpg.gen_key_input(**params)
+        key = self.gpg.gen_key(batch)
+        self.assertIsNone(key.type)
+        self.assertIsNone(key.fingerprint)
+
+    def test_key_generation_with_colons(self):
+        """Test that key generation handles colons in Name fields."""
+        params = {
+            'key_type': 'RSA',
+            'name_real': 'urn:uuid:731c22c4-830f-422f-80dc-14a9fdae8c19',
+            'name_comment': 'dummy comment',
+            'name_email': 'test.name@example.com',
+        }
+        batch = self.gpg.gen_key_input(**params)
+        key = self.gpg.gen_key(batch)
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+
+    def test_key_generation_import_list_with_colons(self):
+        """Test that key generation handles colons in Name fields."""
+        params = {
+            'key_type': 'RSA',
+            'name_real': 'urn:uuid:731c22c4-830f-422f-80dc-14a9fdae8c19',
+            'name_comment': 'dummy comment',
+            'name_email': 'test.name@example.com',
+        }
+        batch = self.gpg.gen_key_input(**params)
+        self.assertIsInstance(batch, str)
+        key = self.gpg.gen_key(batch)
+        keys = self.gpg.list_keys()
+        self.assertIsNotNone(key)
+        self.assertEqual(len(keys), 1)
+        key = keys[0]
+        self.assertIsNotNone(key.type)
+        self.assertIsNotNone(key.fingerprint)
+        uids = key['uids']
+        self.assertEqual(len(uids), 1)
+        uid = uids[0]
+        self.assertEqual(uid, 'urn:uuid:731c22c4-830f-422f-80dc-14a9fdae8c19 '
+                              '(dummy comment) <test.name@example.com>')
+
+    def test_key_generation_with_empty_value(self):
+        """Test that key generation handles empty values."""
+        params = {'name_real': ' '}
+        batch = self.gpg.gen_key_input(**params)
+        self.assertTrue('\nName-Real: Autogenerated Key\n' in batch)
+
+    def test_key_generation_override_default_value(self):
+        """Test that overriding a default value in gen_key_input() works."""
+        params = {'name_comment': 'A'}
+        batch = self.gpg.gen_key_input(**params)
+        self.assertFalse('\nName-Comment: Generated by python-gnupg\n' in batch)
+        self.assertTrue('\nName-Comment: A\n' in batch)
+
+    def test_list_keys_after_generation(self):
+        """Test that after key generation, the generated key is available."""
+        self.test_list_keys_initial_public()
+        self.test_list_keys_initial_secret()
+        self.generate_key("Johannes Trithemius", 'iusedcarrierpidgeons@inste.ad')
+        public_keys = self.gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 1),
+                        "1-element list expected")
+        private_keys = self.gpg.list_keys(secret=True)
+        self.assertTrue(is_list_with_len(private_keys, 1),
+                        "1-element list expected")
+
+    def test_public_keyring(self):
+        """Test that the public keyring is found in the gpg home directory."""
+        ## we have to use the keyring for GnuPG to create it:
+        keys = self.gpg.list_keys()
+        self.assertTrue(os.path.isfile(self.gpg.keyring))
+
+    def test_secret_keyring(self):
+        """Test that the secret keyring is found in the gpg home directory."""
+        ## we have to use the secring for GnuPG to create it:
+        keys = self.gpg.list_keys(secret=True)
+        self.assertTrue(os.path.isfile(self.gpg.secring))
+
+    def test_import_and_export(self):
+        """Test that key import and export works."""
+        self.test_list_keys_initial_public()
+        gpg = self.gpg
+        result = gpg.import_keys(KEYS_TO_IMPORT)
+        self.assertEqual(result.summary(), '2 imported')
+        public_keys = gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 2),
+                        "2-element list expected")
+        private_keys = gpg.list_keys(secret=True)
+        self.assertTrue(is_list_with_len(private_keys, 0),
+                        "Empty list expected")
+        ascii = gpg.export_keys([k['keyid'] for k in public_keys])
+        self.assertTrue(ascii.find("PGP PUBLIC KEY BLOCK") >= 0,
+                        "Exported key should be public")
+        ascii = ascii.replace("\r", "").strip()
+        match = compare_keys(ascii, KEYS_TO_IMPORT)
+        if match:
+            log.info("was: %r", KEYS_TO_IMPORT)
+            log.info("now: %r", ascii)
+        self.assertEqual(0, match, "Keys must match")
+
+        #Generate a key so we can test exporting private keys
+        key = self.generate_key('Shai Halevi', 'xorr.ox')
+        ascii = gpg.export_keys(key.fingerprint, True)
+        self.assertTrue(ascii.find("PGP PRIVATE KEY BLOCK") >= 0,
+                        "Exported key should be private")
+
+    def test_import_only(self):
+	"""Test that key import works."""
+        self.test_list_keys_initial_public()
+        self.gpg.import_keys(KEYS_TO_IMPORT)
+        public_keys = self.gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 2),
+                        "2-element list expected")
+        private_keys = self.gpg.list_keys(secret=True)
+        self.assertTrue(is_list_with_len(private_keys, 0),
+                        "Empty list expected")
+        ascii = self.gpg.export_keys([k['keyid'] for k in public_keys])
+        self.assertTrue(ascii.find("PGP PUBLIC KEY BLOCK") >= 0,
+                        "Exported key should be public")
+        ascii = ascii.replace("\r", "").strip()
+        match = compare_keys(ascii, KEYS_TO_IMPORT)
+        if match:
+            log.info("was: %r", KEYS_TO_IMPORT)
+            log.info("now: %r", ascii)
+        self.assertEqual(0, match, "Keys must match")
+
+    def test_signature_string(self):
+        """Test that signing a message string works."""
+        key = self.generate_key("Werner Koch", "gnupg.org")
+        message = "Damn, I really wish GnuPG had ECC support."
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='wernerkoch')
+        print "SIGNATURE:\n", sig.data
+        self.assertIsNotNone(sig.data)
+
+    def test_signature_algorithm(self):
+        """Test that determining the signing algorithm works."""
+        key = self.generate_key("Ron Rivest", "rsa.com")
+        message = "Someone should add GCM block cipher mode to PyCrypto."
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='ronrivest')
+        print "ALGORITHM:\n", sig.sig_algo
+        self.assertIsNotNone(sig.sig_algo)
+
+    def test_signature_string_bad_passphrase(self):
+        """Test that signing and verification works."""
+        key = self.generate_key("Taher ElGamal", "cryto.me")
+        message = 'أصحاب المصالح لا يحبون الثوراتز'
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='foo')
+        self.assertFalse(sig, "Bad passphrase should fail")
+
+    def test_signature_string_alternate_encoding(self):
+        key = self.generate_key("Nos Oignons", "nos-oignons.net")
+        self.gpg.encoding = 'latin-1'
+        message = "Mêle-toi de tes oignons"
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='nosoignons')
+        self.assertTrue(sig)
+
+    def test_signature_file(self):
+        """Test that signing a message file works."""
+        key = self.generate_key("Leonard Adleman", "rsa.com")
+        message_file = os.path.join(_files, 'cypherpunk_manifesto')
+        with open(message_file) as msg:
+            sig = self.gpg.sign(msg, default_key=key.fingerprint,
+                                passphrase='leonardadleman')
+            self.assertTrue(sig, "I thought I typed my password correctly...")
+
+    def test_signature_string_verification(self):
+        """Test verification of a signature from a message string."""
+        key = self.generate_key("Bruce Schneier", "schneier.com")
+        message  = '...the government uses the general fear of '
+        message += '[hackers in popular culture] to push for more power'
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='bruceschneier')
+        now = time.mktime(time.gmtime())
+        self.assertTrue(sig, "Good passphrase should succeed")
+        verified = self.gpg.verify(sig.data)
+        self.assertIsNotNone(verified.fingerprint)
+        if key.fingerprint != verified.fingerprint:
+            log.warn("key fingerprint:      %r", key.fingerprint)
+            log.warn("verified fingerprint: %r", verified.fingerprint)
+        self.assertEqual(key.fingerprint, verified.fingerprint,
+                         "Fingerprints must match")
+        self.assertEqual(verified.status, 'signature valid')
+        self.assertAlmostEqual(int(now), int(verified.timestamp), delta=1000)
+        if self.insecure_prng:
+            self.assertEqual(
+                verified.username,
+                u'Bruce Schneier (insecure!) <bruceschneier@schneier.com>')
+        else:
+            self.assertEqual(verified.username,
+                             u'Bruce Schneier <bruceschneier@schneier.com>')
+
+    def test_signature_verification_clearsign(self):
+        """Test verfication of an embedded signature."""
+        key = self.generate_key("Johan Borst", "rijnda.el")
+        message = "You're *still* using AES? Really?"
+        sig = self.gpg.sign(message, default_key=key.fingerprint,
+                            passphrase='johanborst')
+        self.assertTrue(sig, "Good passphrase should succeed")
+        try:
+            file = _util._make_binary_stream(sig.data, self.gpg.encoding)
+            verified = self.gpg.verify_file(file)
+        except UnicodeDecodeError: #happens in Python 2.6
+            verified = self.gpg.verify_file(io.BytesIO(sig.data))
+        if key.fingerprint != verified.fingerprint:
+            log.warn("key fingerprint:      %r", key.fingerprint)
+            log.warn("verified fingerprint: %r", verified.fingerprint)
+        self.assertEqual(key.fingerprint, verified.fingerprint)
+
+    def test_signature_verification_detached(self):
+        """Test that verification of a detached signature of a file works."""
+        key = self.generate_key("Paulo S.L.M. Barreto", "anub.is")
+        with open(os.path.join(_files, 'cypherpunk_manifesto'), 'rb') as cm:
+            sig = self.gpg.sign(cm, default_key=key.fingerprint,
+                                passphrase='paulos.l.m.barreto',
+                                detach=True, clearsign=False)
+            self.assertTrue(sig.data, "File signing should succeed")
+            sigfilename = os.path.join(_files, 'cypherpunk_manifesto.sig')
+            with open(sigfilename,'w') as sigfile:
+                sigfile.write(sig.data)
+                sigfile.seek(0)
+
+            verified = self.gpg.verify_file(cm, sigfilename)
+
+            if key.fingerprint != verified.fingerprint:
+                log.warn("key fingerprint:      %r", key.fingerprint)
+                log.warn("verified fingerprint: %r", verified.fingerprint)
+            self.assertEqual(key.fingerprint, verified.fingerprint)
+
+            if os.path.isfile(sigfilename):
+                os.unlink(sigfilename)
+
+    def test_signature_verification_detached_binary(self):
+        """Test that detached signature verification in binary mode fails."""
+        key = self.generate_key("Adi Shamir", "rsa.com")
+        with open(os.path.join(_files, 'cypherpunk_manifesto'), 'rb') as cm:
+            sig = self.gpg.sign(cm, default_key=key.fingerprint,
+                                passphrase='adishamir',
+                                detach=True, binary=True, clearsign=False)
+            self.assertTrue(sig.data, "File signing should succeed")
+            with self.assertRaises(UnicodeDecodeError):
+                print "SIG=", sig
+
+    def test_deletion(self):
+        """Test that key deletion works."""
+        self.gpg.import_keys(KEYS_TO_IMPORT)
+        public_keys = self.gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 2),
+                        "2-element list expected, got %d" % len(public_keys))
+        self.gpg.delete_keys(public_keys[0]['fingerprint'])
+        public_keys = self.gpg.list_keys()
+        self.assertTrue(is_list_with_len(public_keys, 1),
+                        "1-element list expected, got %d" % len(public_keys))
+        log.debug("test_deletion ends")
+
+    def test_encryption(self):
+        """Test encryption of a message string"""
+        key = self.generate_key("Craig Gentry", "xorr.ox",
+                                passphrase="craiggentry")
+        gentry = str(key.fingerprint)
+        key = self.generate_key("Marten van Dijk", "xorr.ox",
+                                passphrase="martenvandijk")
+        dijk = str(key.fingerprint)
+        gpg = self.gpg
+        message = """
+In 2010 Riggio and Sicari presented a practical application of homomorphic
+encryption to a hybrid wireless sensor/mesh network. The system enables
+transparent multi-hop wireless backhauls that are able to perform statistical
+analysis of different kinds of data (temperature, humidity, etc.)  coming from
+a WSN while ensuring both end-to-end encryption and hop-by-hop
+authentication."""
+        encrypted = str(gpg.encrypt(message, dijk))
+        log.debug("Plaintext: %s" % message)
+        log.debug("Encrypted: %s" % encrypted)
+        self.assertNotEqual(message, encrypted)
+
+    def test_encryption_alt_encoding(self):
+        """Test encryption with latin-1 encoding"""
+        key = self.generate_key("Craig Gentry", "xorr.ox",
+                                passphrase="craiggentry")
+        gentry = str(key.fingerprint)
+        key = self.generate_key("Marten van Dijk", "xorr.ox")
+        dijk = str(key.fingerprint)
+        self.gpg.encoding = 'latin-1'
+        if _util._py3k:
+            data = 'Hello, André!'
+        else:
+            data = unicode('Hello, André', self.gpg.encoding)
+        data = data.encode(self.gpg.encoding)
+        encrypted = self.gpg.encrypt(data, gentry)
+        edata = str(encrypted.data)
+        self.assertNotEqual(data, edata)
+        self.assertGreater(len(edata), 0)
+
+    def test_encryption_multi_recipient(self):
+        """Test encrypting a message for multiple recipients"""
+        self.gpg.homedir = _here
+
+        ian = { 'name_real': 'Ian Goldberg',
+                'name_email': 'gold@stein',
+                'key_type': 'RSA',
+                'key_length': 2048,
+                'key_usage': '',
+                'subkey_type': 'RSA',
+                'subkey_length': 2048,
+                'subkey_usage': 'encrypt,sign',
+                'passphrase': 'victorygin' }
+
+        ## when we don't specify the subkey lengths and the keylength
+        ## gets set automatically in gen_key_input(), gpg complains:
+        ##
+        ##     gpg: keysize invalid; using 1024 bits
+        ##
+        kat = { 'name_real': 'Kat Hannah',
+                'name_email': 'kat@pics',
+                'key_type': 'RSA',
+                'key_length': 2048,
+                'key_usage': '',
+                'subkey_type': 'RSA',
+                'subkey_length': 2048,
+                'subkey_usage': 'encrypt,sign',
+                'passphrase': 'overalls' }
+
+        ian_input = self.gpg.gen_key_input(separate_keyring=True, **ian)
+        ian_key = self.gpg.gen_key(ian_input)
+        log.debug("ian_key status: %s" % ian_key.status)
+        ian_fpr = str(ian_key.fingerprint)
+
+        kat_input = self.gpg.gen_key_input(separate_keyring=True, **kat)
+        kat_key = self.gpg.gen_key(kat_input)
+        log.debug("kat_key status: %s" % kat_key.status)
+        kat_fpr = str(kat_key.fingerprint)
+
+        message = """
+In 2010 Riggio and Sicari presented a practical application of homomorphic
+encryption to a hybrid wireless sensor/mesh network. The system enables
+transparent multi-hop wireless backhauls that are able to perform statistical
+analysis of different kinds of data (temperature, humidity, etc.)  coming from
+a WSN while ensuring both end-to-end encryption and hop-by-hop
+authentication."""
+
+        log.debug("kat_fpr type: %s" % type(kat_fpr))
+        log.debug("ian_fpr type: %s" % type(ian_fpr))
+
+        encrypted = self.gpg.encrypt(message, (ian_fpr, kat_fpr))
+        log.debug("Plaintext: %s" % message)
+        log.debug("Ciphertext: %s" % str(encrypted.data))
+
+        self.assertNotEqual(message, str(encrypted.data))
+
+    def test_decryption(self):
+        """Test decryption"""
+        key = self.generate_key("Frey", "fr.ey", passphrase="frey")
+        frey_fpr = key.fingerprint
+        frey = self.gpg.export_keys(key.fingerprint)
+        self.gpg.import_keys(frey)
+
+        key = self.generate_key("Rück", "rü.ck", passphrase="ruck")
+        ruck_fpr = key.fingerprint
+        ruck = self.gpg.export_keys(key.fingerprint)
+        self.gpg.import_keys(ruck)
+
+        message = """
+In 2010 Riggio and Sicari presented a practical application of homomorphic
+encryption to a hybrid wireless sensor/mesh network. The system enables
+transparent multi-hop wireless backhauls that are able to perform statistical
+analysis of different kinds of data (temperature, humidity, etc.)  coming from
+a WSN while ensuring both end-to-end encryption and hop-by-hop
+authentication."""
+
+        encrypted = str(self.gpg.encrypt(message, ruck_fpr))
+        decrypted = str(self.gpg.decrypt(encrypted, passphrase="ruck"))
+
+        if message != decrypted:
+            log.debug("was: %r" % message)
+            log.debug("new: %r" % decrypted)
+
+        self.assertEqual(message, decrypted)
+
+    def test_encryption_decryption_multi_recipient(self):
+        """Test decryption of an encrypted string for multiple users"""
+
+        alice = open(os.path.join(_files, 'test_key_1.pub'))
+        alice_pub = alice.read()
+        alice_public = self.gpg.import_keys(alice_pub)
+        res = alice_public.results[-1:][0]
+        alice_pfpr = str(res['fingerprint'])
+        alice.close()
+
+        alice = open(os.path.join(_files, 'test_key_1.sec'))
+        alice_priv = alice.read()
+        alice_private = self.gpg.import_keys(alice_priv)
+        res = alice_private.results[-1:][0]
+        alice_sfpr = str(res['fingerprint'])
+        alice.close()
+
+        bob = open(os.path.join(_files, 'test_key_2.pub'))
+        bob_pub = bob.read()
+        bob_public = self.gpg.import_keys(bob_pub)
+        res = bob_public.results[-1:][0]
+        bob_pfpr = str(res['fingerprint'])
+        bob.close()
+
+        bob = open(os.path.join(_files, 'test_key_2.sec'))
+        bob_priv = bob.read()
+        bob_private = self.gpg.import_keys(bob_priv)
+        res = bob_public.results[-1:][0]
+        bob_sfpr = str(res['fingerprint'])
+        bob.close()
+
+        log.debug("alice public fpr: %s" % alice_pfpr)
+        log.debug("alice public fpr: %s" % alice_sfpr)
+        log.debug("bob public fpr: %s" % bob_pfpr)
+        log.debug("bob public fpr: %s" % bob_sfpr)
+
+        message = """
+In 2010 Riggio and Sicari presented a practical application of homomorphic
+encryption to a hybrid wireless sensor/mesh network. The system enables
+transparent multi-hop wireless backhauls that are able to perform statistical
+analysis of different kinds of data (temperature, humidity, etc.)  coming from
+a WSN while ensuring both end-to-end encryption and hop-by-hop
+authentication."""
+        enc = self.gpg.encrypt(message, alice_pfpr, bob_pfpr)
+        encrypted = str(enc.data)
+        log.debug("encryption_decryption_multi_recipient() Ciphertext = %s"
+                  % encrypted)
+
+        self.assertNotEqual(message, encrypted)
+        dec_alice = self.gpg.decrypt(encrypted, passphrase="test")
+        self.assertEqual(message, str(dec_alice.data))
+        dec_bob = self.gpg.decrypt(encrypted, passphrase="test")
+        self.assertEqual(message, str(dec_bob.data))
+
+    def test_symmetric_encryption_and_decryption(self):
+        """Test symmetric encryption and decryption"""
+        msg  = """If you have something that you don't want anyone to know,
+ maybe you shouldn't be doing it in the first place. - Eric Schmidt, CEO
+ of Google"""
+        encrypted = str(self.gpg.encrypt(msg, passphrase='quiscustodiet',
+                                         symmetric=True, encrypt=False))
+        decrypted = self.gpg.decrypt(encrypted, passphrase='quiscustodiet')
+        self.assertEqual(msg, str(decrypted.data))
+
+    def test_file_encryption_and_decryption(self):
+        """Test that encryption/decryption to/from file works."""
+        with open(os.path.join(_files, 'kat.sec')) as katsec:
+            self.gpg.import_keys(katsec.read())
+
+        kat = self.gpg.list_keys('kat')[0]['fingerprint']
+
+        enc_outf = os.path.join(self.gpg.homedir, 'to-b.gpg')
+        dec_outf = os.path.join(self.gpg.homedir, 'to-b.txt')
+
+        message_file = os.path.join(_files, 'cypherpunk_manifesto')
+        with open(message_file) as msg:
+            data = msg.read()
+            ## GnuPG seems to ignore the output directive...
+            edata = self.gpg.encrypt(data, kat, output=enc_outf)
+            with open(enc_outf, 'w+') as enc:
+                enc.write(str(edata))
+
+            with open(enc_outf) as enc2:
+                fdata = enc2.read()
+                ddata = str(self.gpg.decrypt(fdata, passphrase="overalls"))
+
+                data = data.encode(self.gpg.encoding)
+                if ddata != data:
+                    log.debug("data was: %r" % data)
+                    log.debug("new (from filehandle): %r" % fdata)
+                    log.debug("new (from decryption): %r" % ddata)
+                    self.assertEqual(data, ddata)
+
+
+suites = { 'parsers': set(['test_parsers_fix_unsafe',
+                           'test_parsers_is_hex_valid',
+                           'test_parsers_is_hex_lowercase',
+                           'test_parsers_is_hex_invalid',
+                           'test_copy_data_bytesio',]),
+           'encodings': set(['test_encodings_iso_8859_1',
+                             'test_encodings_spiteful',
+                             'test_encodings_non_specified',
+                         ]),
+           'basic': set(['test_homedir_creation',
+                         'test_binary_discovery',
+                         'test_gpg_binary',
+                         'test_gpg_binary_not_abs',
+                         'test_gpg_binary_version_str',
+                         'test_gpg_binary_not_installed',
+                         'test_list_keys_initial_public',
+                         'test_list_keys_initial_secret',
+                         'test_make_args_drop_protected_options',
+                         'test_make_args']),
+           'genkey': set(['test_gen_key_input',
+                          'test_rsa_key_generation',
+                          'test_rsa_key_generation_with_unicode',
+                          'test_rsa_key_generation_with_subkey',
+                          'test_dsa_key_generation',
+                          'test_dsa_key_generation_with_unicode',
+                          'test_dsa_key_generation_with_subkey',
+                          'test_key_generation_with_invalid_key_type',
+                          'test_key_generation_with_empty_value',
+                          'test_key_generation_override_default_value',
+                          'test_key_generation_with_colons']),
+           'sign': set(['test_signature_verification_clearsign',
+                        'test_signature_verification_detached',
+                        'test_signature_verification_detached_binary',
+                        'test_signature_file',
+                        'test_signature_string_bad_passphrase',
+                        'test_signature_string_alternate_encoding',
+                        'test_signature_string_verification',
+                        'test_signature_algorithm',
+                        'test_signature_string']),
+           'crypt': set(['test_encryption',
+                         'test_encryption_alt_encoding',
+                         'test_encryption_multi_recipient',
+                         'test_encryption_decryption_multi_recipient',
+                         'test_decryption',
+                         'test_symmetric_encryption_and_decryption',
+                         'test_file_encryption_and_decryption']),
+           'listkeys': set(['test_list_keys_after_generation']),
+           'keyrings': set(['test_public_keyring',
+                            'test_secret_keyring',
+                            'test_import_and_export',
+                            'test_deletion']),
+           'import': set(['test_import_only']), }
+
+def main(args):
+    if not args.quiet:
+        log = _logger.create_logger(9)
+        log.setLevel(9)
+
+    loader = unittest.TestLoader()
+
+    def _createTests(prog):
+        load_tests = list()
+        if args.test is not None:
+            for suite in args.test:
+                if suite in args.suites.keys():
+                    log.debug("Adding %d items from test suite '%s':"
+                                 % (len(args.suites[suite]), suite))
+                    for method in args.suites[suite]:
+                        load_tests.append(method)
+                        log.debug("\t%s" % method)
+                else:
+                    log.debug("Ignoring unknown test suite %r" % suite)
+            tests = unittest.TestSuite(list(map(GPGTestCase, load_tests)))
+        else:
+            tests = prog.testLoader.loadTestsFromTestCase(GPGTestCase)
+            args.run_doctest = True
+        if args.run_doctest:
+            tests.addTest(doctest.DocTestSuite(gnupg))
+        log.debug("Loaded %d tests..." % tests.countTestCases())
+        prog.test = tests
+
+    runner = unittest.TextTestRunner(verbosity=args.verbose, stream=sys.stderr)
+    runner.resultclass = unittest.TextTestResult
+
+    prog = unittest.TestProgram
+    prog.createTests = _createTests
+    program = prog(module=GPGTestCase,
+                   testRunner=runner,
+                   testLoader=loader,
+                   verbosity=args.verbose,
+                   catchbreak=True)
+
+    ## Finally, remove our testing directory:
+    if not RETAIN_TEST_DIRS:
+        if os.path.isdir(_tempd):
+            shutil.rmtree(_tempd)
+
+
+if __name__ == "__main__":
+
+    suite_names = list()
+    for name, methodset in suites.items():
+        suite_names.append(name)
+        setattr(GPGTestCase, name, list(methodset))
+
+    parser = argparse.ArgumentParser(description="Unittests for python-gnupg")
+    parser.add_argument('--doctest', dest='run_doctest',
+                        type=bool, default=False,
+                        help='Run example code in docstrings')
+    parser.add_argument('--quiet', dest='quiet',
+                        type=bool, default=False,
+                        help='Disable logging to stdout')
+    parser.add_argument('--verbose', dest='verbose',
+                        type=int, default=4,
+                        help='Set verbosity level (low=1 high=5) (default: 4)')
+    parser.add_argument('test', metavar='test', nargs='+', type=str,
+                        help='Select a test suite to run (default: all)')
+    parser.epilog = "Available test suites: %s" % " ".join(suite_names)
+
+    args = parser.parse_args()
+    args.suites = suites
+
+    sys.exit(main(args))
diff --git a/versioneer.py b/versioneer.py
new file mode 100644
index 0000000..57d9941
--- /dev/null
+++ b/versioneer.py
@@ -0,0 +1,656 @@
+#! /usr/bin/python
+
+"""versioneer.py
+
+(like a rocketeer, but for versions)
+
+* https://github.com/warner/python-versioneer
+* Brian Warner
+* License: Public Domain
+* Version: 0.7+
+
+This file helps distutils-based projects manage their version number by just
+creating version-control tags.
+
+For developers who work from a VCS-generated tree (e.g. 'git clone' etc),
+each 'setup.py version', 'setup.py build', 'setup.py sdist' will compute a
+version number by asking your version-control tool about the current
+checkout. The version number will be written into a generated _version.py
+file of your choosing, where it can be included by your __init__.py
+
+For users who work from a VCS-generated tarball (e.g. 'git archive'), it will
+compute a version number by looking at the name of the directory created when
+te tarball is unpacked. This conventionally includes both the name of the
+project and a version number.
+
+For users who work from a tarball built by 'setup.py sdist', it will get a
+version number from a previously-generated _version.py file.
+
+As a result, loading code directly from the source tree will not result in a
+real version. If you want real versions from VCS trees (where you frequently
+update from the upstream repository, or do new development), you will need to
+do a 'setup.py version' after each update, and load code from the build/
+directory.
+
+You need to provide this code with a few configuration values:
+
+ versionfile_source:
+    A project-relative pathname into which the generated version strings
+    should be written. This is usually a _version.py next to your project's
+    main __init__.py file. If your project uses src/myproject/__init__.py,
+    this should be 'src/myproject/_version.py'. This file should be checked
+    in to your VCS as usual: the copy created below by 'setup.py
+    update_files' will include code that parses expanded VCS keywords in
+    generated tarballs. The 'build' and 'sdist' commands will replace it with
+    a copy that has just the calculated version string.
+
+ versionfile_build:
+    Like versionfile_source, but relative to the build directory instead of
+    the source directory. These will differ when your setup.py uses
+    'package_dir='. If you have package_dir={'myproject': 'src/myproject'},
+    then you will probably have versionfile_build='myproject/_version.py' and
+    versionfile_source='src/myproject/_version.py'.
+
+ tag_prefix: a string, like 'PROJECTNAME-', which appears at the start of all
+             VCS tags. If your tags look like 'myproject-1.2.0', then you
+             should use tag_prefix='myproject-'. If you use unprefixed tags
+             like '1.2.0', this should be an empty string.
+
+ parentdir_prefix: a string, frequently the same as tag_prefix, which
+                   appears at the start of all unpacked tarball filenames. If
+                   your tarball unpacks into 'myproject-1.2.0', this should
+                   be 'myproject-'.
+
+To use it:
+
+ 1: include this file in the top level of your project
+ 2: make the following changes to the top of your setup.py:
+     import versioneer
+     versioneer.versionfile_source = 'src/myproject/_version.py'
+     versioneer.versionfile_build = 'myproject/_version.py'
+     versioneer.tag_prefix = '' # tags are like 1.2.0
+     versioneer.parentdir_prefix = 'myproject-' # dirname like 'myproject-1.2.0'
+ 3: add the following arguments to the setup() call in your setup.py:
+     version=versioneer.get_version(),
+     cmdclass=versioneer.get_cmdclass(),
+ 4: run 'setup.py update_files', which will create _version.py, and will
+    append the following to your __init__.py:
+     from _version import __version__
+ 5: modify your MANIFEST.in to include versioneer.py
+ 6: add both versioneer.py and the generated _version.py to your VCS
+"""
+
+import os, sys, re
+from distutils.core import Command
+from distutils.command.sdist import sdist as _sdist
+from distutils.command.build import build as _build
+
+versionfile_source = None
+versionfile_build = None
+tag_prefix = None
+parentdir_prefix = None
+
+VCS = "git"
+IN_LONG_VERSION_PY = False
+
+
+LONG_VERSION_PY = '''
+IN_LONG_VERSION_PY = True
+# This file helps to compute a version number in source trees obtained from
+# git-archive tarball (such as those provided by githubs download-from-tag
+# feature). Distribution tarballs (build by setup.py sdist) and build
+# directories (produced by setup.py build) will contain a much shorter file
+# that just contains the computed version number.
+
+# This file is released into the public domain. Generated by
+# versioneer-0.7+ (https://github.com/warner/python-versioneer)
+
+# these strings will be replaced by git during git-archive
+git_refnames = "%(DOLLAR)sFormat:%%d%(DOLLAR)s"
+git_full = "%(DOLLAR)sFormat:%%H%(DOLLAR)s"
+
+
+import subprocess
+import sys
+
+def run_command(args, cwd=None, verbose=False):
+    try:
+        # remember shell=False, so use git.cmd on windows, not just git
+        p = subprocess.Popen(args, stdout=subprocess.PIPE, cwd=cwd)
+    except EnvironmentError:
+        e = sys.exc_info()[1]
+        if verbose:
+            print("unable to run %%s" %% args[0])
+            print(e)
+        return None
+    stdout = p.communicate()[0].strip()
+    if sys.version >= '3':
+        stdout = stdout.decode()
+    if p.returncode != 0:
+        if verbose:
+            print("unable to run %%s (error)" %% args[0])
+        return None
+    return stdout
+
+
+import sys
+import re
+import os.path
+
+def get_expanded_variables(versionfile_source):
+    # the code embedded in _version.py can just fetch the value of these
+    # variables. When used from setup.py, we don't want to import
+    # _version.py, so we do it with a regexp instead. This function is not
+    # used from _version.py.
+    variables = {}
+    try:
+        for line in open(versionfile_source,"r").readlines():
+            if line.strip().startswith("git_refnames ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["refnames"] = mo.group(1)
+            if line.strip().startswith("git_full ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["full"] = mo.group(1)
+    except EnvironmentError:
+        pass
+    return variables
+
+def versions_from_expanded_variables(variables, tag_prefix, verbose=False):
+    refnames = variables["refnames"].strip()
+    if refnames.startswith("$Format"):
+        if verbose:
+            print("variables are unexpanded, not using")
+        return {} # unexpanded, so not in an unpacked git-archive tarball
+    refs = set([r.strip() for r in refnames.strip("()").split(",")])
+    for ref in list(refs):
+        if not re.search(r'\d', ref):
+            if verbose:
+                print("discarding '%%s', no digits" %% ref)
+            refs.discard(ref)
+            # Assume all version tags have a digit. git's %%d expansion
+            # behaves like git log --decorate=short and strips out the
+            # refs/heads/ and refs/tags/ prefixes that would let us
+            # distinguish between branches and tags. By ignoring refnames
+            # without digits, we filter out many common branch names like
+            # "release" and "stabilization", as well as "HEAD" and "master".
+    if verbose:
+        print("remaining refs: %%s" %% ",".join(sorted(refs)))
+    for ref in sorted(refs):
+        # sorting will prefer e.g. "2.0" over "2.0rc1"
+        if ref.startswith(tag_prefix):
+            r = ref[len(tag_prefix):]
+            if verbose:
+                print("picking %%s" %% r)
+            return { "version": r,
+                     "full": variables["full"].strip() }
+    # no suitable tags, so we use the full revision id
+    if verbose:
+        print("no suitable tags, using full revision id")
+    return { "version": variables["full"].strip(),
+             "full": variables["full"].strip() }
+
+def versions_from_vcs(tag_prefix, versionfile_source, verbose=False):
+    # this runs 'git' from the root of the source tree. That either means
+    # someone ran a setup.py command (and this code is in versioneer.py, so
+    # IN_LONG_VERSION_PY=False, thus the containing directory is the root of
+    # the source tree), or someone ran a project-specific entry point (and
+    # this code is in _version.py, so IN_LONG_VERSION_PY=True, thus the
+    # containing directory is somewhere deeper in the source tree). This only
+    # gets called if the git-archive 'subst' variables were *not* expanded,
+    # and _version.py hasn't already been rewritten with a short version
+    # string, meaning we're inside a checked out source tree.
+
+    try:
+        here = os.path.abspath(__file__)
+    except NameError:
+        # some py2exe/bbfreeze/non-CPython implementations don't do __file__
+        return {} # not always correct
+
+    # versionfile_source is the relative path from the top of the source tree
+    # (where the .git directory might live) to this file. Invert this to find
+    # the root from __file__.
+    root = here
+    if IN_LONG_VERSION_PY:
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        root = os.path.dirname(here)
+    if not os.path.exists(os.path.join(root, ".git")):
+        if verbose:
+            print("no .git in %%s" %% root)
+        return {}
+
+    GIT = "git"
+    if sys.platform == "win32":
+        GIT = "git.cmd"
+    stdout = run_command([GIT, "describe", "--tags", "--dirty", "--always"],
+                         cwd=root)
+    if stdout is None:
+        return {}
+    if not stdout.startswith(tag_prefix):
+        if verbose:
+            print("tag '%%s' doesn't start with prefix '%%s'" %% (stdout, tag_prefix))
+        return {}
+    tag = stdout[len(tag_prefix):]
+    stdout = run_command([GIT, "rev-parse", "HEAD"], cwd=root)
+    if stdout is None:
+        return {}
+    full = stdout.strip()
+    if tag.endswith("-dirty"):
+        full += "-dirty"
+    return {"version": tag, "full": full}
+
+
+def versions_from_parentdir(parentdir_prefix, versionfile_source, verbose=False):
+    if IN_LONG_VERSION_PY:
+        # We're running from _version.py. If it's from a source tree
+        # (execute-in-place), we can work upwards to find the root of the
+        # tree, and then check the parent directory for a version string. If
+        # it's in an installed application, there's no hope.
+        try:
+            here = os.path.abspath(__file__)
+        except NameError:
+            # py2exe/bbfreeze/non-CPython don't have __file__
+            return {} # without __file__, we have no hope
+        # versionfile_source is the relative path from the top of the source
+        # tree to _version.py. Invert this to find the root from __file__.
+        root = here
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        # we're running from versioneer.py, which means we're running from
+        # the setup.py in a source tree. sys.argv[0] is setup.py in the root.
+        here = os.path.abspath(sys.argv[0])
+        root = os.path.dirname(here)
+
+    # Source tarballs conventionally unpack into a directory that includes
+    # both the project name and a version string.
+    dirname = os.path.basename(root)
+    if not dirname.startswith(parentdir_prefix):
+        if verbose:
+            print("guessing rootdir is '%%s', but '%%s' doesn't start with prefix '%%s'" %%
+                  (root, dirname, parentdir_prefix))
+        return None
+    return {"version": dirname[len(parentdir_prefix):], "full": ""}
+
+tag_prefix = "%(TAG_PREFIX)s"
+parentdir_prefix = "%(PARENTDIR_PREFIX)s"
+versionfile_source = "%(VERSIONFILE_SOURCE)s"
+
+def get_versions(default={"version": "unknown", "full": ""}, verbose=False):
+    variables = { "refnames": git_refnames, "full": git_full }
+    ver = versions_from_expanded_variables(variables, tag_prefix, verbose)
+    if not ver:
+        ver = versions_from_vcs(tag_prefix, versionfile_source, verbose)
+    if not ver:
+        ver = versions_from_parentdir(parentdir_prefix, versionfile_source,
+                                      verbose)
+    if not ver:
+        ver = default
+    return ver
+
+'''
+
+
+import subprocess
+import sys
+
+def run_command(args, cwd=None, verbose=False):
+    try:
+        # remember shell=False, so use git.cmd on windows, not just git
+        p = subprocess.Popen(args, stdout=subprocess.PIPE, cwd=cwd)
+    except EnvironmentError:
+        e = sys.exc_info()[1]
+        if verbose:
+            print("unable to run %s" % args[0])
+            print(e)
+        return None
+    stdout = p.communicate()[0].strip()
+    if sys.version >= '3':
+        stdout = stdout.decode()
+    if p.returncode != 0:
+        if verbose:
+            print("unable to run %s (error)" % args[0])
+        return None
+    return stdout
+
+
+import sys
+import re
+import os.path
+
+def get_expanded_variables(versionfile_source):
+    # the code embedded in _version.py can just fetch the value of these
+    # variables. When used from setup.py, we don't want to import
+    # _version.py, so we do it with a regexp instead. This function is not
+    # used from _version.py.
+    variables = {}
+    try:
+        for line in open(versionfile_source,"r").readlines():
+            if line.strip().startswith("git_refnames ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["refnames"] = mo.group(1)
+            if line.strip().startswith("git_full ="):
+                mo = re.search(r'=\s*"(.*)"', line)
+                if mo:
+                    variables["full"] = mo.group(1)
+    except EnvironmentError:
+        pass
+    return variables
+
+def versions_from_expanded_variables(variables, tag_prefix, verbose=False):
+    refnames = variables["refnames"].strip()
+    if refnames.startswith("$Format"):
+        if verbose:
+            print("variables are unexpanded, not using")
+        return {} # unexpanded, so not in an unpacked git-archive tarball
+    refs = set([r.strip() for r in refnames.strip("()").split(",")])
+    for ref in list(refs):
+        if not re.search(r'\d', ref):
+            if verbose:
+                print("discarding '%s', no digits" % ref)
+            refs.discard(ref)
+            # Assume all version tags have a digit. git's %d expansion
+            # behaves like git log --decorate=short and strips out the
+            # refs/heads/ and refs/tags/ prefixes that would let us
+            # distinguish between branches and tags. By ignoring refnames
+            # without digits, we filter out many common branch names like
+            # "release" and "stabilization", as well as "HEAD" and "master".
+    if verbose:
+        print("remaining refs: %s" % ",".join(sorted(refs)))
+    for ref in sorted(refs):
+        # sorting will prefer e.g. "2.0" over "2.0rc1"
+        if ref.startswith(tag_prefix):
+            r = ref[len(tag_prefix):]
+            if verbose:
+                print("picking %s" % r)
+            return { "version": r,
+                     "full": variables["full"].strip() }
+    # no suitable tags, so we use the full revision id
+    if verbose:
+        print("no suitable tags, using full revision id")
+    return { "version": variables["full"].strip(),
+             "full": variables["full"].strip() }
+
+def versions_from_vcs(tag_prefix, versionfile_source, verbose=False):
+    # this runs 'git' from the root of the source tree. That either means
+    # someone ran a setup.py command (and this code is in versioneer.py, so
+    # IN_LONG_VERSION_PY=False, thus the containing directory is the root of
+    # the source tree), or someone ran a project-specific entry point (and
+    # this code is in _version.py, so IN_LONG_VERSION_PY=True, thus the
+    # containing directory is somewhere deeper in the source tree). This only
+    # gets called if the git-archive 'subst' variables were *not* expanded,
+    # and _version.py hasn't already been rewritten with a short version
+    # string, meaning we're inside a checked out source tree.
+
+    try:
+        here = os.path.abspath(__file__)
+    except NameError:
+        # some py2exe/bbfreeze/non-CPython implementations don't do __file__
+        return {} # not always correct
+
+    # versionfile_source is the relative path from the top of the source tree
+    # (where the .git directory might live) to this file. Invert this to find
+    # the root from __file__.
+    root = here
+    if IN_LONG_VERSION_PY:
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        root = os.path.dirname(here)
+    if not os.path.exists(os.path.join(root, ".git")):
+        if verbose:
+            print("no .git in %s" % root)
+        return {}
+
+    GIT = "git"
+    if sys.platform == "win32":
+        GIT = "git.cmd"
+    stdout = run_command([GIT, "describe", "--tags", "--dirty", "--always"],
+                         cwd=root)
+    if stdout is None:
+        return {}
+    if not stdout.startswith(tag_prefix):
+        if verbose:
+            print("tag '%s' doesn't start with prefix '%s'" % (stdout, tag_prefix))
+        return {}
+    tag = stdout[len(tag_prefix):]
+    stdout = run_command([GIT, "rev-parse", "HEAD"], cwd=root)
+    if stdout is None:
+        return {}
+    full = stdout.strip()
+    if tag.endswith("-dirty"):
+        full += "-dirty"
+    return {"version": tag, "full": full}
+
+
+def versions_from_parentdir(parentdir_prefix, versionfile_source, verbose=False):
+    if IN_LONG_VERSION_PY:
+        # We're running from _version.py. If it's from a source tree
+        # (execute-in-place), we can work upwards to find the root of the
+        # tree, and then check the parent directory for a version string. If
+        # it's in an installed application, there's no hope.
+        try:
+            here = os.path.abspath(__file__)
+        except NameError:
+            # py2exe/bbfreeze/non-CPython don't have __file__
+            return {} # without __file__, we have no hope
+        # versionfile_source is the relative path from the top of the source
+        # tree to _version.py. Invert this to find the root from __file__.
+        root = here
+        for i in range(len(versionfile_source.split("/"))):
+            root = os.path.dirname(root)
+    else:
+        # we're running from versioneer.py, which means we're running from
+        # the setup.py in a source tree. sys.argv[0] is setup.py in the root.
+        here = os.path.abspath(sys.argv[0])
+        root = os.path.dirname(here)
+
+    # Source tarballs conventionally unpack into a directory that includes
+    # both the project name and a version string.
+    dirname = os.path.basename(root)
+    if not dirname.startswith(parentdir_prefix):
+        if verbose:
+            print("guessing rootdir is '%s', but '%s' doesn't start with prefix '%s'" %
+                  (root, dirname, parentdir_prefix))
+        return None
+    return {"version": dirname[len(parentdir_prefix):], "full": ""}
+
+import sys
+
+def do_vcs_install(versionfile_source, ipy):
+    GIT = "git"
+    if sys.platform == "win32":
+        GIT = "git.cmd"
+    run_command([GIT, "add", "versioneer.py"])
+    run_command([GIT, "add", versionfile_source])
+    run_command([GIT, "add", ipy])
+    present = False
+    try:
+        f = open(".gitattributes", "r")
+        for line in f.readlines():
+            if line.strip().startswith(versionfile_source):
+                if "export-subst" in line.strip().split()[1:]:
+                    present = True
+        f.close()
+    except EnvironmentError:
+        pass    
+    if not present:
+        f = open(".gitattributes", "a+")
+        f.write("%s export-subst\n" % versionfile_source)
+        f.close()
+        run_command([GIT, "add", ".gitattributes"])
+    
+
+SHORT_VERSION_PY = """
+# This file was generated by 'versioneer.py' (0.7+) from
+# revision-control system data, or from the parent directory name of an
+# unpacked source archive. Distribution tarballs contain a pre-generated copy
+# of this file.
+
+version_version = '%(version)s'
+version_full = '%(full)s'
+def get_versions(default={}, verbose=False):
+    return {'version': version_version, 'full': version_full}
+
+"""
+
+DEFAULT = {"version": "unknown", "full": "unknown"}
+
+def versions_from_file(filename):
+    versions = {}
+    try:
+        f = open(filename)
+    except EnvironmentError:
+        return versions
+    for line in f.readlines():
+        mo = re.match("version_version = '([^']+)'", line)
+        if mo:
+            versions["version"] = mo.group(1)
+        mo = re.match("version_full = '([^']+)'", line)
+        if mo:
+            versions["full"] = mo.group(1)
+    return versions
+
+def write_to_version_file(filename, versions):
+    f = open(filename, "w")
+    f.write(SHORT_VERSION_PY % versions)
+    f.close()
+    print("set %s to '%s'" % (filename, versions["version"]))
+
+
+def get_best_versions(versionfile, tag_prefix, parentdir_prefix,
+                      default=DEFAULT, verbose=False):
+    # returns dict with two keys: 'version' and 'full'
+    #
+    # extract version from first of _version.py, 'git describe', parentdir.
+    # This is meant to work for developers using a source checkout, for users
+    # of a tarball created by 'setup.py sdist', and for users of a
+    # tarball/zipball created by 'git archive' or github's download-from-tag
+    # feature.
+
+    variables = get_expanded_variables(versionfile_source)
+    if variables:
+        ver = versions_from_expanded_variables(variables, tag_prefix)
+        if ver:
+            if verbose: print("got version from expanded variable %s" % ver)
+            return ver
+
+    ver = versions_from_file(versionfile)
+    if ver:
+        if verbose: print("got version from file %s %s" % (versionfile, ver))
+        return ver
+
+    ver = versions_from_vcs(tag_prefix, versionfile_source, verbose)
+    if ver:
+        if verbose: print("got version from git %s" % ver)
+        return ver
+
+    ver = versions_from_parentdir(parentdir_prefix, versionfile_source, verbose)
+    if ver:
+        if verbose: print("got version from parentdir %s" % ver)
+        return ver
+
+    if verbose: print("got version from default %s" % ver)
+    return default
+
+def get_versions(default=DEFAULT, verbose=False):
+    assert versionfile_source is not None, "please set versioneer.versionfile_source"
+    assert tag_prefix is not None, "please set versioneer.tag_prefix"
+    assert parentdir_prefix is not None, "please set versioneer.parentdir_prefix"
+    return get_best_versions(versionfile_source, tag_prefix, parentdir_prefix,
+                             default=default, verbose=verbose)
+def get_version(verbose=False):
+    return get_versions(verbose=verbose)["version"]
+
+class cmd_version(Command):
+    description = "report generated version string"
+    user_options = []
+    boolean_options = []
+    def initialize_options(self):
+        pass
+    def finalize_options(self):
+        pass
+    def run(self):
+        ver = get_version(verbose=True)
+        print("Version is currently: %s" % ver)
+
+
+class cmd_build(_build):
+    def run(self):
+        versions = get_versions(verbose=True)
+        _build.run(self)
+        # now locate _version.py in the new build/ directory and replace it
+        # with an updated value
+        target_versionfile = os.path.join(self.build_lib, versionfile_build)
+        print("UPDATING %s" % target_versionfile)
+        os.unlink(target_versionfile)
+        f = open(target_versionfile, "w")
+        f.write(SHORT_VERSION_PY % versions)
+        f.close()
+
+class cmd_sdist(_sdist):
+    def run(self):
+        versions = get_versions(verbose=True)
+        self._versioneer_generated_versions = versions
+        # unless we update this, the command will keep using the old version
+        self.distribution.metadata.version = versions["version"]
+        return _sdist.run(self)
+
+    def make_release_tree(self, base_dir, files):
+        _sdist.make_release_tree(self, base_dir, files)
+        # now locate _version.py in the new base_dir directory (remembering
+        # that it may be a hardlink) and replace it with an updated value
+        target_versionfile = os.path.join(base_dir, versionfile_source)
+        print("UPDATING %s" % target_versionfile)
+        os.unlink(target_versionfile)
+        f = open(target_versionfile, "w")
+        f.write(SHORT_VERSION_PY % self._versioneer_generated_versions)
+        f.close()
+
+INIT_PY_SNIPPET = """
+from ._version import get_versions
+__version__ = get_versions()['version']
+del get_versions
+"""
+
+class cmd_update_files(Command):
+    description = "modify __init__.py and create _version.py"
+    user_options = []
+    boolean_options = []
+    def initialize_options(self):
+        pass
+    def finalize_options(self):
+        pass
+    def run(self):
+        ipy = os.path.join(os.path.dirname(versionfile_source), "__init__.py")
+        print(" creating %s" % versionfile_source)
+        f = open(versionfile_source, "w")
+        f.write(LONG_VERSION_PY % {"DOLLAR": "$",
+                                   "TAG_PREFIX": tag_prefix,
+                                   "PARENTDIR_PREFIX": parentdir_prefix,
+                                   "VERSIONFILE_SOURCE": versionfile_source,
+                                   })
+        f.close()
+        try:
+            old = open(ipy, "r").read()
+        except EnvironmentError:
+            old = ""
+        if INIT_PY_SNIPPET not in old:
+            print(" appending to %s" % ipy)
+            f = open(ipy, "a")
+            f.write(INIT_PY_SNIPPET)
+            f.close()
+        else:
+            print(" %s unmodified" % ipy)
+        do_vcs_install(versionfile_source, ipy)
+
+def get_cmdclass():
+    return {'version': cmd_version,
+            'update_files': cmd_update_files,
+            'build': cmd_build,
+            'sdist': cmd_sdist,
+            }