=== modified file 'mandos-keygen'
--- mandos-keygen 2022-04-25 18:46:48 +0000
+++ mandos-keygen 2023-02-07 19:11:25 +0000
@@ -147,28 +147,28 @@
 echo "Empty key type" >&2
 exit 1
 fi
- 
+
 if [ -z "$KEYNAME" ]; then
 echo "Empty key name" >&2
 exit 1
 fi
- 
+
 if [ -z "$KEYLENGTH" ] || [ "$KEYLENGTH" -lt 512 ]; then
 echo "Invalid key length" >&2
 exit 1
 fi
- 
+
 if [ -z "$KEYEXPIRE" ]; then
 echo "Empty key expiration" >&2
 exit 1
 fi
- 
+
 # Make FORCE be 0 or 1
 case "$FORCE" in
 [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) FORCE=1;;
 [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) FORCE=0;;
 esac
- 
+
 if { [ -e "$SECKEYFILE" ] || [ -e "$PUBKEYFILE" ] \
 || [ -e "$TLS_PRIVKEYFILE" ] \
 || [ -e "$TLS_PUBKEYFILE" ]; } \
@@ -176,7 +176,7 @@
 echo "Refusing to overwrite old key files; use --force" >&2
 exit 1
 fi
- 
+
 # Set lines for GnuPG batch file
 if [ -n "$KEYCOMMENT" ]; then
 KEYCOMMENTLINE="Name-Comment: $KEYCOMMENT"
@@ -184,7 +184,7 @@
 if [ -n "$KEYEMAIL" ]; then
 KEYEMAILLINE="Name-Email: $KEYEMAIL"
 fi
- 
+
 # Create temporary gpg batch file
 BATCHFILE="`mktemp -t mandos-keygen-batch.XXXXXXXXXX`"
 TLS_PRIVKEYTMP="`mktemp -t mandos-keygen-privkey.XXXXXXXXXX`"
@@ -233,7 +233,7 @@
 %no-protection
 %commit
 EOF
- 
+
 if tty --quiet; then
 cat <<-EOF
 Note: Due to entropy requirements, key generation could take
@@ -276,7 +276,7 @@
 fi
 fi
 fi
- 
+
 # Make sure trustdb.gpg exists;
 # this is a workaround for Debian bug #737128
 gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
@@ -287,12 +287,12 @@
 --homedir "$RINGDIR" --trust-model always \
 --gen-key "$BATCHFILE"
 rm --force "$BATCHFILE"
- 
+
 if tty --quiet; then
 echo -n "Finished: "
 date
 fi
- 
+
 # Backup any old key files
 if cp --backup=numbered --force "$SECKEYFILE" "$SECKEYFILE" \
 2>/dev/null; then
@@ -302,16 +302,16 @@
 2>/dev/null; then
 rm --force "$PUBKEYFILE"
 fi
- 
+
 FILECOMMENT="Mandos client key for $KEYNAME"
 if [ "$KEYCOMMENT" != "$KEYCOMMENT_ORIG" ]; then
 FILECOMMENT="$FILECOMMENT ($KEYCOMMENT)"
 fi
- 
+
 if [ -n "$KEYEMAIL" ]; then
 FILECOMMENT="$FILECOMMENT <$KEYEMAIL>"
 fi
- 
+
 # Export key from key rings to key files
 gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
 --homedir "$RINGDIR" --armor --export-options export-minimal \
@@ -323,13 +323,13 @@
 fi
 if [ "$mode" = password ]; then
- 
+
 # Make SSH be 0 or 1
 case "$SSH" in
 [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]) SSH=1;;
 [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|*) SSH=0;;
 esac
- 
+
 if [ $SSH -eq 1 ]; then
 for ssh_keytype in ecdsa-sha2-nistp256 ed25519 rsa; do
 set +e
@@ -346,7 +346,7 @@
 fi
 done
 fi
- 
+
 # Import key into temporary key rings
 gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
 --homedir "$RINGDIR" --trust-model always --armor \
@@ -354,16 +354,16 @@
 gpg --quiet --batch --no-tty --no-options --enable-dsa2 \
 --homedir "$RINGDIR" --trust-model always --armor \
 --import "$PUBKEYFILE"
- 
+
 # Get fingerprint of key
 FINGERPRINT="`gpg --quiet --batch --no-tty --no-options \
 --enable-dsa2 --homedir "$RINGDIR" --trust-model always \
 --fingerprint --with-colons \
 | sed --quiet \
 --expression='/^fpr:/{s/^fpr:.*:\\([0-9A-Z]*\\):\$/\\1/p;q}'`"
- 
+
 test -n "$FINGERPRINT"
- 
+
 if [ -r "$TLS_PUBKEYFILE" ]; then
 KEY_ID="$(certtool --key-id --hash=sha256 \
 --infile="$TLS_PUBKEYFILE" 2>/dev/null || :)"
@@ -376,9 +376,9 @@
 fi
 test -n "$KEY_ID"
 fi
- 
+
 FILECOMMENT="Encrypted password for a Mandos client"
- 
+
 while [ ! -s "$SECFILE" ]; do
 if [ -n "$PASSFILE" ]; then
 cat -- "$PASSFILE"
@@ -412,7 +412,7 @@
 fi
 fi
 done
- 
+
 cat <<-EOF
 [$KEYNAME]
 host = $KEYNAME