ExternalTestSuite: Add license header

This is done to fix external-sop tests, which rely on environment variables,
which do not play nicely with binary data

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,29 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Describe the bug**
+<!-- A clear and concise description of what the bug is. -->
+
+**Version**
+<!-- What versions of the following libraries are you using? -->
+- `sop-java`:
+- `pgpainless-core`:
+- `bouncycastle`: 
+
+**To Reproduce**
+<!-- Steps to reproduce the behavior: -->
+```
+Example Code Block
+```
+
+**Expected behavior**
+<!-- A clear and concise description of what you expected to happen. -->
+
+**Additional context**
+<!-- Add any other context about the problem here. -->

.reuse/dep5

@@ -1,15 +0,0 @@
-Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
-Upstream-Name: SOP-Java
-Upstream-Contact: Paul Schaub <info@pgpainless.org>
-Source: https://pgpainless.org
-
-# Sample paragraph, commented out:
-#
-# Files: src/*
-# Copyright: $YEAR $NAME <$CONTACT>
-# License: ...
-
-# Gradle build tool
-Files: gradle*
-Copyright: 2015 the original author or authors.
-License: Apache-2.0

.travis.yml

@@ -1,52 +0,0 @@
-# SPDX-FileCopyrightText: 2022 Paul Schaub <info@pgpainless.org>
-#
-# SPDX-License-Identifier: Apache-2.0
-
-language: java
-dist: bionic
-jdk:
-  - openjdk8
-  - openjdk11
-
-services:
-  - docker
-
-before_cache:
-  - rm -f  $HOME/.gradle/caches/modules-2/modules-2.lock
-  - rm -fr $HOME/.gradle/caches/*/plugin-resolution/
-cache:
-  directories:
-    - $HOME/.gradle/caches/
-    - $HOME/.m2
-
-before_install:
-  - export GRADLE_VERSION=6.2
-  - wget https://services.gradle.org/distributions/gradle-${GRADLE_VERSION}-all.zip
-  - unzip -q gradle-${GRADLE_VERSION}-all.zip
-  - rm gradle-${GRADLE_VERSION}-all.zip
-  - sudo mv gradle-${GRADLE_VERSION} /usr/local/bin/
-  - export PATH="/usr/local/bin/gradle-${GRADLE_VERSION}/bin:$PATH"
-  - docker pull fsfe/reuse:latest
-  - docker run -v ${TRAVIS_BUILD_DIR}:/data fsfe/reuse:latest lint
-
-install: gradle assemble --stacktrace
-
-# Run the test suite and also install the artifacts in the local maven
-# archive to additionaly test if artifact creation is
-# functional. Which hasn't always be the case in the past, see
-# 90cbcaebc7a89f4f771f733a33ac9f389df85be2
-# Also run javadocAll to ensure it works.
-script:
-  - |
-    JAVAC_MAJOR_VERSION=$(javac -version | sed -E 's/javac ([[:digit:]]+).*/\1/')
-    GRADLE_TASKS=()
-    GRADLE_TASKS+=(check)
-    if [[ ${JAVAC_MAJOR_VERSION} -ge 11 ]]; then
-      GRADLE_TASKS+=(javadocAll)
-    fi
-    gradle ${GRADLE_TASKS[@]} --stacktrace
-
-after_success:
-  - JAVAC_VERSION=$((javac -version) 2>&1)
-  # Only run jacocoRootReport in the Java 8 build
-  - if [[ "$JAVAC_VERSION" = javac\ 1.8.* ]]; then gradle jacocoRootReport coveralls; fi

.woodpecker/build.yml

@@ -0,0 +1,21 @@
+steps:
+  run:
+    when:
+      event: push
+    image: gradle:7.6-jdk11-jammy
+    commands:
+      # Install Sequoia-SOP
+      - apt update && apt install --yes sqop
+      # Checkout code
+      - git checkout $CI_COMMIT_BRANCH
+      # Prepare CI
+      - cp external-sop/src/main/resources/sop/testsuite/external/config.json.ci external-sop/src/main/resources/sop/testsuite/external/config.json
+      # Code works
+      - gradle test
+      # Code is clean
+      - gradle check javadocAll
+      # Code has coverage
+      - gradle jacocoRootReport coveralls
+    environment:
+      COVERALLS_REPO_TOKEN:
+        from_secret: coveralls_repo_token

.woodpecker/reuse.yml

@@ -0,0 +1,9 @@
+# Code is licensed properly
+# See https://reuse.software/
+steps:
+  reuse:
+    when:
+      event: push
+    image: fsfe/reuse:latest
+    commands:
+      - reuse lint

CHANGELOG.md

@@ -6,6 +6,187 @@ SPDX-License-Identifier: Apache-2.0
 
 # Changelog
 
+## 14.0.0
+- Update implementation to [SOP Specification revision 14](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-14.html), 
+  including changes from revisions `11`, `12`, `13`, `14`.
+  - Implement newly introduced operations
+    - `update-key` 'fixes' everything wrong with a key
+    - `merge-certs` merges a certificate with other copies
+    - `certify-userid` create signatures over user-ids on certificates
+    - `validate-userid` validate signatures over user-ids
+  - Add new exceptions
+    - `UnspecificFailure` maps generic application errors
+    - `KeyCannotCertify` signals that a key cannot be used for third-party certifications
+    - `NoHardwareKeyFound` signals that a key backed by a hardware device cannot be found
+    - `HardwareKeyFailure` signals a hardware device failure
+    - `PrimaryKeyBad` signals an unusable or bad primary key
+    - `CertUserIdNoMatch` signals that a user-id cannot be found/validated on a certificate
+  - `Verification`: Add support for JSON description extensions
+- Remove `animalsniffer` from build dependencies
+- Bump `logback` to `1.5.13`
+
+## 10.1.1
+- Prepare jar files for use in native images, e.g. using GraalVM by generating and including
+  configuration files for reflection, resources and dynamic proxies.
+- gradle: Make use of jvmToolchain functionality
+- gradle: Improve reproducibility
+- gradle: Bump animalsniffer to `2.0.0`
+
+## 10.1.0
+- `sop-java`:
+  - Remove `label()` option from `armor()` subcommand
+  - Move test-fixtures artifact built with the `testFixtures` plugin into
+    its own module `sop-java-testfixtures`, which can be consumed by maven builds.
+- `sop-java-picocli`:
+  - Properly map `MissingParameterException` to `MissingArg` exit code
+  - As a workaround for native builds using graalvm:
+    - Do not re-set message bundles dynamically (fails in native builds)
+    - Prevent an unmatched argument error
+
+## 10.0.3
+- CLI `change-key-password`: Fix indirect parameter passing for new and old passwords (thanks to @dkg for the report)
+- Backport: `revoke-key`: Allow for multiple password options
+
+## 10.0.2
+- Downgrade `logback-core` to `1.2.13`
+
+## 10.0.1
+- Remove `label()` option from `Armor` operation
+- Fix exit code for 'Missing required option/parameter' error
+- Fix `revoke-key`: Allow for multiple invocations of `--with-key-password` option
+- Fix `EncryptExternal` use of `--sign-with` parameter
+- Fix `NullPointerException` in `DecryptExternal` when reading lines
+- Fix `DecryptExternal` use of `verifications-out`
+- Test suite: Ignore tests if `UnsupportedOption` is thrown
+- Bump `logback-core` to `1.4.14`
+
+## 10.0.0
+- Update implementation to [SOP Specification revision 10](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-10.html).
+  - Throw `BadData` when passing KEYS where CERTS are expected
+  - Introduce `sopv` interface subset with revision `1.0`
+  - Add `sop version --sopv`
+
+## 8.0.2
+- CLI `change-key-password`: Fix indirect parameter passing for new and old passwords (thanks to @dkg for the report)
+- Backport: `revoke-key`: Allow for multiple password options
+
+## 8.0.1
+- `decrypt`: Do not throw `NoSignature` exception (exit code 3) if `--verify-with` is provided, but `VERIFICATIONS` is empty.
+
+## 8.0.0
+- Rewrote `sop-java` in Kotlin
+- Rewrote `sop-java-picocli` in Kotlin
+- Rewrote `external-sop` in Kotlin
+- Update implementation to [SOP Specification revision 08](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-08.html).
+  - Add `--no-armor` option to `revoke-key` and `change-key-password` subcommands
+  - `armor`: Deprecate `--label` option in `sop-java` and remove in `sop-java-picocli`
+  - `encrypt`: Add `--session-key-out` option
+- Slight API changes:
+  - `sop.encrypt().plaintext()` now returns a `ReadyWithResult<EncryptionResult>` instead of `Ready`.
+  - `EncryptionResult` is a new result type, that provides access to the session key of an encrypted message
+  - Change `ArmorLabel` values into lowercase
+  - Change `EncryptAs` values into lowercase
+  - Change `SignAs` values into lowercase
+
+## 7.0.2
+- CLI `change-key-password`: Fix indirect parameter passing for new and old passwords (thanks to @dkg for the report)
+- Backport: revoke-key command: Allow for multiple '--with-key-password' options
+
+## 7.0.1
+- `decrypt`: Do not throw `NoSignature` exception (exit code 3) if `--verify-with` is provided, but `VERIFICATIONS` is empty.
+
+## 7.0.0
+- Update implementation to [SOP Specification revision 07](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-07.html).
+  - Add support for new `revoke-key` subcommand
+  - Add support for new `change-key-password` subcommand
+  - Add support for new `--signing-only` option of `generate-key` subcommand
+- Add `dearmor.data(String)` utility method
+- Fix typos in, and improve i18n of CLI help pages
+
+## 6.1.0
+- `listProfiles()`: Add shortcut methods `generateKey()` and `encrypt()`
+- Add DSL for testing `Verification` results
+- `Verification`
+  - Return `Optional<SignatureMode>` for `getSignatureMode()`
+  - Return `Optional<String>` for `getDescription()`
+- `Profile`
+  - Add support for profiles without description
+  - Return `Optional<String>` for `getDescription()`
+  - Add `parse(String)` method for parsing profile lines
+- `sop-java`: Add dependency on `com.google.code.findbugs:jsr305` for `@Nullable`, `@Nonnull` annotations
+- `UTCUtil`: `parseUTCDate()` is now `@Nonnull` and throws a `ParseException` for invalid inputs
+- `UTF8Util`: `decodeUTF8()` now throws `CharacterCodingException` instead of `SOPGPException.PasswordNotHumanReadable`
+- `external-sop`: Properly map error codes to new exception types (ported from `5.0.1`):
+  - `UNSUPPORTED_PROFILE`
+  - `INCOMPATIBLE_OPTIONS`
+
+## 5.0.1
+- `external-sop`: Properly map error codes to new exception types:
+  - `UNSUPPORTED_PROFILE`
+  - `INCOMPATIBLE_OPTIONS`
+
+## 6.0.0
+- Update implementation to [SOP Specification revision 06](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-06.html).
+  - Add option `--profile=XYZ` to `encrypt` subcommand
+  - Add option `--sop-spec` to `version` subcommand
+  - `Version`: Add different getters for specification-related values
+
+## 5.0.0
+- Update implementation to [SOP Specification revision 05](https://www.ietf.org/archive/id/draft-dkg-openpgp-stateless-cli-05.html).
+  - Add the concept of profiles
+  - Add `list-profiles` subcommand
+  - Add option `--profile=XYZ` to `generate-key` subcommand
+  - `Verification` objects can now optionally indicate the type of the signature (`mode:text` or `mode:binary`)
+  - `Verification` objects can now contain an optional description of the signature
+  - `inline-sign` now throws an error if incompatible options `--as=clearsigned` and `--no-armor` are used
+
+## 4.1.1
+- Restructure test suite to allow simultaneous testing of multiple backends
+- Fix IOException in `sop sign` due to premature stream closing
+- Allow for downstream implementations of `sop-java` to reuse the test suite
+  - Check out Javadoc of `sop-java/src/testFixtures/java/sop/testsuite/SOPInstanceFactory` for details
+
+## 4.1.0
+- Add module `external-sop`
+  - This module implements the `sop-java` interfaces and allows the use of an external SOP binary
+- `decrypt`: Rename `--not-before`, `--not-after` to `--verify-not-before`, `--verify-not-after`
+- `decrypt`: Throw `NoSignature` error if no verifiable signature found, but signature verification is requested using `--verify-with`.
+- `inline-sign`: Fix parameter label of `--as=clearsigned`
+- `ArmorLabel`, `EncryptAs`, `SignAs`: make `toString()` return lowercase
+
+## 4.0.7
+- Make i18n string for `--stacktrace` option translatable
+- Make manpages generation reproducible
+- `dearmor`: Transform `IOException` into `BadData`
+
+## 4.0.6
+- Add support for file descriptors on unix / linux systems
+
+## 4.0.5
+- `inline-sign`: Make possible values of `--as` option lowercase
+- `inline-sign`: Rename value `cleartextsigned` of option `--as` to `clearsigned`
+
+## 4.0.4
+- Not found
+
+## 4.0.3
+- `decrypt`: Rename option `--verify-out` to `--verifications-out`, but keep `--verify-out` as alias
+- Fix: `decrypt`: Flush output stream in order to prevent empty file as result of `--session-key-out`
+- Fix: Properly format session key for `--session-key-out`
+- Be less finicky about input session key formats
+  - Allow upper- and lowercase hexadecimal keys
+  - Allow trailing whitespace
+
+## 4.0.2
+- Fix: `verify`: Do not include detached signature in list of certificates
+- Fix: `inline-verify`: Also include the first argument in list of certificates
+- Hide stacktraces by default and add `--stacktrace` option to print them
+- Properly throw `CannotDecrypt` exception when message could not be decrypted
+
+## 4.0.1
+- Use shared resources for i18n
+  - Fix strings not being resolved properly when downstream renames `sop` command
+
 ## 4.0.0
 - Switch to new versioning format to indicate implemented SOP version
 - Implement SOP specification version 04

README.md

@@ -6,16 +6,18 @@ SPDX-License-Identifier: Apache-2.0
 
 # SOP for Java
 
-[![Travis (.com)](https://travis-ci.com/pgpainless/sop-java.svg?branch=master)](https://travis-ci.com/pgpainless/sop-java)
+[![status-badge](https://ci.codeberg.org/api/badges/PGPainless/sop-java/status.svg)](https://ci.codeberg.org/PGPainless/sop-java)
-[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/sop-java)](https://search.maven.org/artifact/org.pgpainless/sop-java)
+[![Spec Revision: 14](https://img.shields.io/badge/Spec%20Revision-10-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/14/)
-[![Spec Revision: 4](https://img.shields.io/badge/Spec%20Revision-4-blue)](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/04/)
+[![Coverage Status](https://coveralls.io/repos/github/pgpainless/sop-java/badge.svg?branch=main)](https://coveralls.io/github/pgpainless/sop-java?branch=main)
-[![Coverage Status](https://coveralls.io/repos/github/pgpainless/sop-java/badge.svg?branch=master)](https://coveralls.io/github/pgpainless/sop-java?branch=master)
 [![REUSE status](https://api.reuse.software/badge/github.com/pgpainless/sop-java)](https://api.reuse.software/info/github.com/pgpainless/sop-java)
 
 The [Stateless OpenPGP Protocol](https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/) specification
 defines a generic stateless CLI for dealing with OpenPGP messages.
 Its goal is to provide a minimal, yet powerful API for the most common OpenPGP related operations.
 
+[![Packaging status](https://repology.org/badge/vertical-allrepos/sop-java.svg)](https://repology.org/project/pgpainless/versions)
+[![Maven Central](https://badgen.net/maven/v/maven-central/org.pgpainless/sop-java)](https://search.maven.org/artifact/org.pgpainless/sop-java)
+
 ## Modules
 
 The repository contains the following modules:
@@ -23,16 +25,23 @@ The repository contains the following modules:
 * [sop-java](/sop-java) defines a set of Java interfaces describing the Stateless OpenPGP Protocol.
 * [sop-java-picocli](/sop-java-picocli) contains a wrapper application that transforms the `sop-java` API into a command line application
 compatible with the SOP-CLI specification.
+* [external-sop](/external-sop) contains an API implementation that can be used to forward API calls to a SOP executable,
+allowing to delegate the implementation logic to an arbitrary SOP CLI implementation.
+* [sop-java-testfixtures](/sop-java-testfixtures) contains a test suite that can be shared by downstream implementations
+  of `sop-java`.
 
 ## Known Implementations
 (Please expand!)
 
-| Project                                                                               | Description                                   |
+| Project                                                                             | Description                                                                              |
-|---------------------------------------------------------------------------------------|-----------------------------------------------|
+|-------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------|
-| [pgpainless-sop](https://github.com/pgpainless/pgpainless/tree/master/pgpainless-sop) | Implementation of `sop-java` using PGPainless |
+| [pgpainless-sop](https://github.com/pgpainless/pgpainless/tree/main/pgpainless-sop) | Implementation of `sop-java` using PGPainless                                            |
+| [external-sop](https://github.com/pgpainless/sop-java/tree/main/external-sop)       | Implementation of `sop-java` that allows binding to external SOP binaries such as `sqop` |
+| [bcsop](https://codeberg.org/PGPainless/bc-sop)                                     | Implementation of `sop-java` using vanilla Bouncy Castle                                 |
 
 ### Implementations in other languages
-| Project                                         | Language |
+| Project                                           | Language |
-|-------------------------------------------------|----------|
+|---------------------------------------------------|----------|
-| [sop-rs](https://sequoia-pgp.gitlab.io/sop-rs/) | Rust     |
+| [sop-rs](https://sequoia-pgp.gitlab.io/sop-rs/)   | Rust     |
-| [SOP for python](https://pypi.org/project/sop/) | Python   |
+| [SOP for python](https://pypi.org/project/sop/)   | Python   |
+| [rpgpie-sop](https://crates.io/crates/rpgpie-sop) | Rust     |

REUSE.toml

@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2025 Paul Schaub <info@pgpainless.org>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+version = 1
+SPDX-PackageName = "SOP-Java"
+SPDX-PackageSupplier = "Paul Schaub <info@pgpainless.org>"
+SPDX-PackageDownloadLocation = "https://pgpainless.org"
+
+[[annotations]]
+path = "gradle**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2015 the original author or authors."
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = ".woodpecker/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2022 the original author or authors."
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "external-sop/src/main/resources/sop/testsuite/external/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2023 the original author or authors"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = ".github/ISSUE_TEMPLATE/**"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2024 the original author or authors"
+SPDX-License-Identifier = "Apache-2.0"

build.gradle

@@ -18,7 +18,8 @@ buildscript {
 }
 
 plugins {
-    id 'ru.vyarus.animalsniffer' version '1.5.3'
+    id 'org.jetbrains.kotlin.jvm' version "1.9.21"
+    id 'com.diffplug.spotless' version '6.22.0' apply false
 }
 
 apply from: 'version.gradle'
@@ -29,18 +30,9 @@ allprojects {
     apply plugin: 'eclipse'
     apply plugin: 'jacoco'
     apply plugin: 'checkstyle'
-
+    apply plugin: 'kotlin'
-    // For non-cli modules enable android api compatibility check
+    apply plugin: 'kotlin-kapt'
-    if (it.name.equals('sop-java')) {
+    apply plugin: 'com.diffplug.spotless'
-        // animalsniffer
-        apply plugin: 'ru.vyarus.animalsniffer'
-        dependencies {
-            signature "net.sf.androidscents.signature:android-api-level-${minAndroidSdk}:2.3.3_r2@signature"
-        }
-        animalsniffer {
-            sourceSets = [sourceSets.main]
-        }
-    }
 
     // Only generate jar for submodules
     // https://stackoverflow.com/a/25445035
@@ -53,12 +45,16 @@ allprojects {
         toolVersion = '8.18'
     }
 
+    spotless {
+        kotlin {
+            ktfmt().dropboxStyle()
+        }
+    }
+
     group 'org.pgpainless'
     description = "Stateless OpenPGP Protocol API for Java"
     version = shortVersion
 
-    sourceCompatibility = javaSourceCompatibility
-
     repositories {
         mavenCentral()
     }
@@ -67,6 +63,20 @@ allprojects {
     tasks.withType(AbstractArchiveTask) {
         preserveFileTimestamps = false
         reproducibleFileOrder = true
+
+        dirMode = 0755
+        fileMode = 0644
+    }
+
+    kotlin {
+        jvmToolchain(javaSourceCompatibility)
+    }
+
+    // Compatibility of default implementations in kotlin interfaces with Java implementations.
+    tasks.withType(org.jetbrains.kotlin.gradle.tasks.KotlinCompile).configureEach {
+        kotlinOptions {
+            freeCompilerArgs += ["-Xjvm-default=all-compatibility"]
+        }
     }
 
     project.ext {
@@ -94,7 +104,7 @@ allprojects {
     }
 
     jacoco {
-        toolVersion = "0.8.7"
+        toolVersion = "0.8.8"
     }
 
     jacocoTestReport {
@@ -102,7 +112,7 @@ allprojects {
         sourceDirectories.setFrom(project.files(sourceSets.main.allSource.srcDirs))
         classDirectories.setFrom(project.files(sourceSets.main.output))
         reports {
-            xml.enabled true
+            xml.required = true
         }
     }
 
@@ -120,15 +130,15 @@ subprojects {
     apply plugin: 'signing'
 
     task sourcesJar(type: Jar, dependsOn: classes) {
-        classifier = 'sources'
+        archiveClassifier = 'sources'
         from sourceSets.main.allSource
     }
     task javadocJar(type: Jar, dependsOn: javadoc) {
-        classifier = 'javadoc'
+        archiveClassifier = 'javadoc'
         from javadoc.destinationDir
     }
     task testsJar(type: Jar, dependsOn: testClasses) {
-        classifier = 'tests'
+        archiveClassifier = 'tests'
         from sourceSets.test.output
     }
 
@@ -225,7 +235,7 @@ task jacocoRootReport(type: JacocoReport) {
     classDirectories.setFrom(files(subprojects.sourceSets.main.output))
     executionData.setFrom(files(subprojects.jacocoTestReport.executionData))
     reports {
-        xml.enabled true
+        xml.required = true
         xml.destination file("${buildDir}/reports/jacoco/test/jacocoTestReport.xml")
     }
     // We could remove the following setOnlyIf line, but then
@@ -236,10 +246,6 @@ task jacocoRootReport(type: JacocoReport) {
 }
 
 task javadocAll(type: Javadoc) {
-    def currentJavaVersion = JavaVersion.current()
-    if (currentJavaVersion.compareTo(JavaVersion.VERSION_1_9) >= 0) {
-        options.addStringOption("-release", "8");
-    }
     source subprojects.collect {project ->
         project.sourceSets.main.allJava }
     destinationDir = new File(buildDir, 'javadoc')

external-sop/README.md

@@ -0,0 +1,59 @@
+<!--
+SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# External-SOP
+
+Access an external SOP binary from within your Java/Kotlin application.
+
+This module implements a backend for `sop-java` that binds to external SOP binaries (such as 
+[sqop](https://gitlab.com/sequoia-pgp/sequoia-sop/), [python-sop](https://pypi.org/project/sop/) etc.).
+SOP operation calls will be delegated to the external binary, and the results are parsed back, so that you can
+access them from your Java application as usual.
+
+## Example
+Let's say you are using `ExampleSOP` which is a binary installed in `/usr/bin/example-sop`.
+Instantiating a `SOP` object is as simple as this:
+
+```java
+SOP sop = new ExternalSOP("/usr/bin/example-sop");
+```
+
+This SOP object can now be used as usual (see [here](../sop-java/README.md)).
+
+Keep in mind the license of the external SOP binary when integrating one with your project!
+
+Some SOP binaries might require additional configuration, e.g. a Java based SOP might need to know which JAVA_HOME to use.
+For this purpose, additional environment variables can be passed in using a `Properties` object:
+
+```java
+Properties properties = new Properties();
+properties.put("JAVA_HOME", "/usr/lib/jvm/[...]");
+SOP sop = new ExternalSOP("/usr/bin/example-sop", properties);
+```
+
+Most results of SOP operations are communicated via standard-out, standard-in. However, some operations rely on
+writing results to additional output files.
+To handle such results, we need to provide a temporary directory, to which those results can be written by the SOP,
+and from which `External-SOP` reads them back.
+The default implementation relies on `Files.createTempDirectory()` to provide a temporary directory.
+It is however possible to overwrite this behavior, in order to specify a custom, perhaps more private directory:
+
+```java
+ExternalSOP.TempDirProvider provider = new ExternalSOP.TempDirProvider() {
+    @Override
+    public File provideTempDirectory() throws IOException {
+        File myTempDir = new File("/path/to/directory");
+        myTempDir.mkdirs();
+        return myTempDir;
+    }
+};
+SOP sop = new ExternalSOP("/usr/bin/example-sop", provider);
+```
+
+## Testing
+The `external-sop` module comes with a growing test suite, which tests SOP binaries against the expectations of the SOP specification.  
+To configure one or multiple backends for use with the test suite, just provide a custom `config.json` file in `src/main/resources/sop/external`.
+An example configuration file with the required file format is available as `config.json.example`.

external-sop/build.gradle

@@ -0,0 +1,45 @@
+// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+plugins {
+    id 'java-library'
+}
+
+group 'org.pgpainless'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
+    testImplementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
+
+    testImplementation "org.junit.platform:junit-platform-suite-api:1.13.2"
+    testRuntimeOnly 'org.junit.platform:junit-platform-suite:1.13.2'
+
+    api project(":sop-java")
+    api "org.slf4j:slf4j-api:$slf4jVersion"
+    testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
+
+    // @Nonnull, @Nullable...
+    implementation "com.google.code.findbugs:jsr305:$jsrVersion"
+
+    // The ExternalTestSubjectFactory reads json config file to find configured SOP binaries...
+    testImplementation "com.google.code.gson:gson:$gsonVersion"
+    // ...and extends TestSubjectFactory
+    testImplementation(project(":sop-java-testfixtures"))
+}
+
+test {
+    // Inject configured external SOP instances using our custom TestSubjectFactory
+    environment("test.implementation", "sop.testsuite.external.ExternalSOPInstanceFactory")
+
+    useJUnitPlatform()
+
+    // since we test external backends which we might not control,
+    //  we ignore test failures in this module
+    ignoreFailures = true
+}
+

external-sop/src/main/kotlin/sop/external/ExternalSOP.kt

@@ -0,0 +1,344 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external
+
+import java.io.*
+import java.nio.file.Files
+import java.util.*
+import javax.annotation.Nonnull
+import sop.Ready
+import sop.SOP
+import sop.exception.SOPGPException.*
+import sop.external.ExternalSOP.TempDirProvider
+import sop.external.operation.*
+import sop.operation.*
+
+/**
+ * Implementation of the [SOP] API using an external SOP binary.
+ *
+ * Instantiate an [ExternalSOP] object for the given binary and the given [TempDirProvider] using
+ * empty environment variables.
+ *
+ * @param binaryName name / path of the SOP binary
+ * @param tempDirProvider custom tempDirProvider
+ */
+class ExternalSOP(
+    private val binaryName: String,
+    private val properties: Properties = Properties(),
+    private val tempDirProvider: TempDirProvider = defaultTempDirProvider()
+) : SOP {
+
+    constructor(
+        binaryName: String,
+        properties: Properties
+    ) : this(binaryName, properties, defaultTempDirProvider())
+
+    override fun version(): Version = VersionExternal(binaryName, properties)
+
+    override fun generateKey(): GenerateKey = GenerateKeyExternal(binaryName, properties)
+
+    override fun extractCert(): ExtractCert = ExtractCertExternal(binaryName, properties)
+
+    override fun detachedSign(): DetachedSign =
+        DetachedSignExternal(binaryName, properties, tempDirProvider)
+
+    override fun inlineSign(): InlineSign = InlineSignExternal(binaryName, properties)
+
+    override fun detachedVerify(): DetachedVerify = DetachedVerifyExternal(binaryName, properties)
+
+    override fun inlineVerify(): InlineVerify =
+        InlineVerifyExternal(binaryName, properties, tempDirProvider)
+
+    override fun inlineDetach(): InlineDetach =
+        InlineDetachExternal(binaryName, properties, tempDirProvider)
+
+    override fun encrypt(): Encrypt = EncryptExternal(binaryName, properties, tempDirProvider)
+
+    override fun decrypt(): Decrypt = DecryptExternal(binaryName, properties, tempDirProvider)
+
+    override fun armor(): Armor = ArmorExternal(binaryName, properties)
+
+    override fun dearmor(): Dearmor = DearmorExternal(binaryName, properties)
+
+    override fun listProfiles(): ListProfiles = ListProfilesExternal(binaryName, properties)
+
+    override fun revokeKey(): RevokeKey = RevokeKeyExternal(binaryName, properties)
+
+    override fun changeKeyPassword(): ChangeKeyPassword =
+        ChangeKeyPasswordExternal(binaryName, properties)
+
+    override fun updateKey(): UpdateKey = UpdateKeyExternal(binaryName, properties)
+
+    override fun mergeCerts(): MergeCerts = MergeCertsExternal(binaryName, properties)
+
+    override fun certifyUserId(): CertifyUserId = CertifyUserIdExternal(binaryName, properties)
+
+    override fun validateUserId(): ValidateUserId = ValidateUserIdExternal(binaryName, properties)
+
+    /**
+     * This interface can be used to provide a directory in which external SOP binaries can
+     * temporarily store additional results of OpenPGP operations such that the binding classes can
+     * parse them out from there. Unfortunately, on Java you cannot open
+     * [FileDescriptors][java.io.FileDescriptor] arbitrarily, so we have to rely on temporary files
+     * to pass results. An example: `sop decrypt` can emit signature verifications via
+     * `--verify-out=/path/to/tempfile`. [DecryptExternal] will then parse the temp file to make the
+     * result available to consumers. Temporary files are deleted after being read, yet creating
+     * temp files for sensitive information on disk might pose a security risk. Use with care!
+     */
+    fun interface TempDirProvider {
+
+        @Throws(IOException::class) fun provideTempDirectory(): File
+    }
+
+    companion object {
+
+        @JvmStatic
+        @Throws(IOException::class)
+        fun finish(process: Process) {
+            try {
+                mapExitCodeOrException(process)
+            } catch (e: InterruptedException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        @JvmStatic
+        @Throws(InterruptedException::class, IOException::class)
+        private fun mapExitCodeOrException(process: Process) {
+            // wait for process termination
+            val exitCode = process.waitFor()
+
+            if (exitCode == 0) {
+                // we're good, bye
+                return
+            }
+
+            // Read error message
+            val errIn = process.errorStream
+            val errorMessage = readString(errIn)
+
+            when (exitCode) {
+                UnspecificFailure.EXIT_CODE ->
+                    throw UnspecificFailure(
+                        "External SOP backend reported an unspecific error ($exitCode):\n$errorMessage")
+                NoSignature.EXIT_CODE ->
+                    throw NoSignature(
+                        "External SOP backend reported error NoSignature ($exitCode):\n$errorMessage")
+                UnsupportedAsymmetricAlgo.EXIT_CODE ->
+                    throw UnsupportedOperationException(
+                        "External SOP backend reported error UnsupportedAsymmetricAlgo ($exitCode):\n$errorMessage")
+                CertCannotEncrypt.EXIT_CODE ->
+                    throw CertCannotEncrypt(
+                        "External SOP backend reported error CertCannotEncrypt ($exitCode):\n$errorMessage")
+                MissingArg.EXIT_CODE ->
+                    throw MissingArg(
+                        "External SOP backend reported error MissingArg ($exitCode):\n$errorMessage")
+                IncompleteVerification.EXIT_CODE ->
+                    throw IncompleteVerification(
+                        "External SOP backend reported error IncompleteVerification ($exitCode):\n$errorMessage")
+                CannotDecrypt.EXIT_CODE ->
+                    throw CannotDecrypt(
+                        "External SOP backend reported error CannotDecrypt ($exitCode):\n$errorMessage")
+                PasswordNotHumanReadable.EXIT_CODE ->
+                    throw PasswordNotHumanReadable(
+                        "External SOP backend reported error PasswordNotHumanReadable ($exitCode):\n$errorMessage")
+                UnsupportedOption.EXIT_CODE ->
+                    throw UnsupportedOption(
+                        "External SOP backend reported error UnsupportedOption ($exitCode):\n$errorMessage")
+                BadData.EXIT_CODE ->
+                    throw BadData(
+                        "External SOP backend reported error BadData ($exitCode):\n$errorMessage")
+                ExpectedText.EXIT_CODE ->
+                    throw ExpectedText(
+                        "External SOP backend reported error ExpectedText ($exitCode):\n$errorMessage")
+                OutputExists.EXIT_CODE ->
+                    throw OutputExists(
+                        "External SOP backend reported error OutputExists ($exitCode):\n$errorMessage")
+                MissingInput.EXIT_CODE ->
+                    throw MissingInput(
+                        "External SOP backend reported error MissingInput ($exitCode):\n$errorMessage")
+                KeyIsProtected.EXIT_CODE ->
+                    throw KeyIsProtected(
+                        "External SOP backend reported error KeyIsProtected ($exitCode):\n$errorMessage")
+                UnsupportedSubcommand.EXIT_CODE ->
+                    throw UnsupportedSubcommand(
+                        "External SOP backend reported error UnsupportedSubcommand ($exitCode):\n$errorMessage")
+                UnsupportedSpecialPrefix.EXIT_CODE ->
+                    throw UnsupportedSpecialPrefix(
+                        "External SOP backend reported error UnsupportedSpecialPrefix ($exitCode):\n$errorMessage")
+                AmbiguousInput.EXIT_CODE ->
+                    throw AmbiguousInput(
+                        "External SOP backend reported error AmbiguousInput ($exitCode):\n$errorMessage")
+                KeyCannotSign.EXIT_CODE ->
+                    throw KeyCannotSign(
+                        "External SOP backend reported error KeyCannotSign ($exitCode):\n$errorMessage")
+                IncompatibleOptions.EXIT_CODE ->
+                    throw IncompatibleOptions(
+                        "External SOP backend reported error IncompatibleOptions ($exitCode):\n$errorMessage")
+                UnsupportedProfile.EXIT_CODE ->
+                    throw UnsupportedProfile(
+                        "External SOP backend reported error UnsupportedProfile ($exitCode):\n$errorMessage")
+                NoHardwareKeyFound.EXIT_CODE ->
+                    throw NoHardwareKeyFound(
+                        "External SOP backend reported error NoHardwareKeyFound ($exitCode):\n$errorMessage")
+                HardwareKeyFailure.EXIT_CODE ->
+                    throw HardwareKeyFailure(
+                        "External SOP backend reported error HardwareKeyFailure ($exitCode):\n$errorMessage")
+                PrimaryKeyBad.EXIT_CODE ->
+                    throw PrimaryKeyBad(
+                        "External SOP backend reported error PrimaryKeyBad ($exitCode):\n$errorMessage")
+                CertUserIdNoMatch.EXIT_CODE ->
+                    throw CertUserIdNoMatch(
+                        "External SOP backend reported error CertUserIdNoMatch ($exitCode):\n$errorMessage")
+                KeyCannotCertify.EXIT_CODE ->
+                    throw KeyCannotCertify(
+                        "External SOP backend reported error KeyCannotCertify ($exitCode):\n$errorMessage")
+
+                // Did you forget to add a case for a new exception type?
+                else ->
+                    throw RuntimeException(
+                        "External SOP backend reported unknown exit code ($exitCode):\n$errorMessage")
+            }
+        }
+
+        /**
+         * Return all key-value pairs from the given [Properties] object as a list with items of the
+         * form `key=value`.
+         *
+         * @param properties properties
+         * @return list of key=value strings
+         */
+        @JvmStatic
+        fun propertiesToEnv(properties: Properties): List<String> =
+            properties.map { "${it.key}=${it.value}" }
+
+        /**
+         * Read the contents of the [InputStream] and return them as a [String].
+         *
+         * @param inputStream input stream
+         * @return string
+         * @throws IOException in case of an IO error
+         */
+        @JvmStatic
+        @Throws(IOException::class)
+        fun readString(inputStream: InputStream): String {
+            val bOut = ByteArrayOutputStream()
+            val buf = ByteArray(4096)
+            var r: Int
+            while (inputStream.read(buf).also { r = it } > 0) {
+                bOut.write(buf, 0, r)
+            }
+            return bOut.toString()
+        }
+
+        /**
+         * Execute the given command on the given [Runtime] with the given list of environment
+         * variables. This command does not transform any input data, and instead is purely a
+         * producer.
+         *
+         * @param runtime runtime
+         * @param commandList command
+         * @param envList environment variables
+         * @return ready to read the result from
+         */
+        @JvmStatic
+        fun executeProducingOperation(
+            runtime: Runtime,
+            commandList: List<String>,
+            envList: List<String>
+        ): Ready {
+            try {
+                val process = runtime.exec(commandList.toTypedArray(), envList.toTypedArray())
+                val stdIn = process.inputStream
+
+                return object : Ready() {
+                    @Throws(IOException::class)
+                    override fun writeTo(@Nonnull outputStream: OutputStream) {
+                        val buf = ByteArray(4096)
+                        var r: Int
+                        while (stdIn.read(buf).also { r = it } >= 0) {
+                            outputStream.write(buf, 0, r)
+                        }
+                        outputStream.flush()
+                        outputStream.close()
+                        finish(process)
+                    }
+                }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        /**
+         * Execute the given command on the given runtime using the given environment variables. The
+         * given input stream provides input for the process. This command is a transformation,
+         * meaning it is given input data and transforms it into output data.
+         *
+         * @param runtime runtime
+         * @param commandList command
+         * @param envList environment variables
+         * @param standardIn stream of input data for the process
+         * @return ready to read the result from
+         */
+        @JvmStatic
+        fun executeTransformingOperation(
+            runtime: Runtime,
+            commandList: List<String>,
+            envList: List<String>,
+            standardIn: InputStream
+        ): Ready {
+            try {
+                val process = runtime.exec(commandList.toTypedArray(), envList.toTypedArray())
+                val processOut = process.outputStream
+                val processIn = process.inputStream
+
+                return object : Ready() {
+                    override fun writeTo(outputStream: OutputStream) {
+                        val buf = ByteArray(4096)
+                        var r: Int
+                        while (standardIn.read(buf).also { r = it } > 0) {
+                            processOut.write(buf, 0, r)
+                        }
+                        standardIn.close()
+
+                        try {
+                            processOut.flush()
+                            processOut.close()
+                        } catch (e: IOException) {
+                            // Perhaps the stream is already closed, in which case we ignore the
+                            // exception.
+                            if ("Stream closed" != e.message) {
+                                throw e
+                            }
+                        }
+
+                        while (processIn.read(buf).also { r = it } > 0) {
+                            outputStream.write(buf, 0, r)
+                        }
+                        processIn.close()
+
+                        outputStream.flush()
+                        outputStream.close()
+
+                        finish(process)
+                    }
+                }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        /**
+         * Default implementation of the [TempDirProvider] which stores temporary files in the
+         * systems temp dir ([Files.createTempDirectory]).
+         *
+         * @return default implementation
+         */
+        @JvmStatic
+        fun defaultTempDirProvider(): TempDirProvider {
+            return TempDirProvider { Files.createTempDirectory("ext-sop").toFile() }
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/ExternalSOPV.kt

@@ -0,0 +1,57 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external
+
+import java.nio.file.Files
+import java.util.*
+import sop.SOPV
+import sop.external.ExternalSOP.TempDirProvider
+import sop.external.operation.DetachedVerifyExternal
+import sop.external.operation.InlineVerifyExternal
+import sop.external.operation.ValidateUserIdExternal
+import sop.external.operation.VersionExternal
+import sop.operation.DetachedVerify
+import sop.operation.InlineVerify
+import sop.operation.ValidateUserId
+import sop.operation.Version
+
+/**
+ * Implementation of the [SOPV] API subset using an external sopv/sop binary.
+ *
+ * Instantiate an [ExternalSOPV] object for the given binary and the given [TempDirProvider] using
+ * empty environment variables.
+ *
+ * @param binaryName name / path of the sopv binary
+ * @param tempDirProvider custom tempDirProvider
+ */
+class ExternalSOPV(
+    private val binaryName: String,
+    private val properties: Properties = Properties(),
+    private val tempDirProvider: TempDirProvider = defaultTempDirProvider()
+) : SOPV {
+
+    override fun version(): Version = VersionExternal(binaryName, properties)
+
+    override fun detachedVerify(): DetachedVerify = DetachedVerifyExternal(binaryName, properties)
+
+    override fun inlineVerify(): InlineVerify =
+        InlineVerifyExternal(binaryName, properties, tempDirProvider)
+
+    override fun validateUserId(): ValidateUserId = ValidateUserIdExternal(binaryName, properties)
+
+    companion object {
+
+        /**
+         * Default implementation of the [TempDirProvider] which stores temporary files in the
+         * systems temp dir ([Files.createTempDirectory]).
+         *
+         * @return default implementation
+         */
+        @JvmStatic
+        fun defaultTempDirProvider(): TempDirProvider {
+            return TempDirProvider { Files.createTempDirectory("ext-sopv").toFile() }
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/ArmorExternal.kt

@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.exception.SOPGPException
+import sop.external.ExternalSOP
+import sop.operation.Armor
+
+/** Implementation of the [Armor] operation using an external SOP binary. */
+class ArmorExternal(binary: String, environment: Properties) : Armor {
+
+    private val commandList: MutableList<String> = mutableListOf(binary, "armor")
+    private val envList: List<String> = ExternalSOP.propertiesToEnv(environment)
+
+    @Throws(SOPGPException.BadData::class)
+    override fun data(data: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, data)
+}

external-sop/src/main/kotlin/sop/external/operation/CertifyUserIdExternal.kt

@@ -0,0 +1,48 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.*
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.CertifyUserId
+
+class CertifyUserIdExternal(binary: String, environment: Properties) : CertifyUserId {
+
+    private val commandList = mutableListOf(binary, "certify-userid")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCount = 0
+
+    private val keys: MutableList<String> = mutableListOf()
+
+    override fun noArmor(): CertifyUserId = apply { commandList.add("--no-armor") }
+
+    override fun userId(userId: String): CertifyUserId = apply {
+        commandList.add("--userid")
+        commandList.add(userId)
+    }
+
+    override fun withKeyPassword(password: ByteArray): CertifyUserId = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCount")
+        envList.add("KEY_PASSWORD_$argCount=${String(password)}")
+        argCount += 1
+    }
+
+    override fun noRequireSelfSig(): CertifyUserId = apply {
+        commandList.add("--no-require-self-sig")
+    }
+
+    override fun keys(keys: InputStream): CertifyUserId = apply {
+        this.keys.add("@ENV:KEY_$argCount")
+        envList.add("KEY_$argCount=${ExternalSOP.readString(keys)}")
+        argCount += 1
+    }
+
+    override fun certs(certs: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(
+            Runtime.getRuntime(), commandList.plus("--").plus(keys), envList, certs)
+}

external-sop/src/main/kotlin/sop/external/operation/ChangeKeyPasswordExternal.kt

@@ -0,0 +1,37 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.ChangeKeyPassword
+
+/** Implementation of the [ChangeKeyPassword] operation using an external SOP binary. */
+class ChangeKeyPasswordExternal(binary: String, environment: Properties) : ChangeKeyPassword {
+
+    private val commandList: MutableList<String> = mutableListOf(binary, "change-key-password")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var keyPasswordCounter = 0
+
+    override fun noArmor(): ChangeKeyPassword = apply { commandList.add("--no-armor") }
+
+    override fun oldKeyPassphrase(oldPassphrase: String): ChangeKeyPassword = apply {
+        commandList.add("--old-key-password=@ENV:KEY_PASSWORD_$keyPasswordCounter")
+        envList.add("KEY_PASSWORD_$keyPasswordCounter=$oldPassphrase")
+        keyPasswordCounter += 1
+    }
+
+    override fun newKeyPassphrase(newPassphrase: String): ChangeKeyPassword = apply {
+        commandList.add("--new-key-password=@ENV:KEY_PASSWORD_$keyPasswordCounter")
+        envList.add("KEY_PASSWORD_$keyPasswordCounter=$newPassphrase")
+        keyPasswordCounter += 1
+    }
+
+    override fun keys(keys: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, keys)
+}

external-sop/src/main/kotlin/sop/external/operation/DearmorExternal.kt

@@ -0,0 +1,20 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.Dearmor
+
+/** Implementation of the [Dearmor] operation using an external SOP binary. */
+class DearmorExternal(binary: String, environment: Properties) : Dearmor {
+    private val commandList = listOf(binary, "dearmor")
+    private val envList = ExternalSOP.propertiesToEnv(environment)
+
+    override fun data(data: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, data)
+}

external-sop/src/main/kotlin/sop/external/operation/DecryptExternal.kt

@@ -0,0 +1,133 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.*
+import java.util.*
+import sop.DecryptionResult
+import sop.ReadyWithResult
+import sop.SessionKey
+import sop.Verification
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.external.ExternalSOP.Companion.readString
+import sop.operation.Decrypt
+import sop.util.UTCUtil
+
+/** Implementation of the [Decrypt] operation using an external SOP binary. */
+class DecryptExternal(
+    binary: String,
+    environment: Properties,
+    private val tempDirProvider: ExternalSOP.TempDirProvider
+) : Decrypt {
+
+    private val commandList = mutableListOf(binary, "decrypt")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+    private var requireVerification = false
+
+    override fun verifyNotBefore(timestamp: Date): Decrypt = apply {
+        commandList.add("--verify-not-before=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun verifyNotAfter(timestamp: Date): Decrypt = apply {
+        commandList.add("--verify-not-after=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun verifyWithCert(cert: InputStream): Decrypt = apply {
+        commandList.add("--verify-with=@ENV:VERIFY_WITH_$argCounter")
+        envList.add("VERIFY_WITH_$argCounter=${readString(cert)}")
+        argCounter += 1
+        requireVerification = true
+    }
+
+    override fun withSessionKey(sessionKey: SessionKey): Decrypt = apply {
+        commandList.add("--with-session-key=@ENV:SESSION_KEY_$argCounter")
+        envList.add("SESSION_KEY_$argCounter=$sessionKey")
+        argCounter += 1
+    }
+
+    override fun withPassword(password: String): Decrypt = apply {
+        commandList.add("--with-password=@ENV:PASSWORD_$argCounter")
+        envList.add("PASSWORD_$argCounter=$password")
+        argCounter += 1
+    }
+
+    override fun withKey(key: InputStream): Decrypt = apply {
+        commandList.add("@ENV:KEY_$argCounter")
+        envList.add("KEY_$argCounter=${readString(key)}")
+        argCounter += 1
+    }
+
+    override fun withKeyPassword(password: ByteArray): Decrypt = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCounter")
+        envList.add("KEY_PASSWORD_$argCounter=${String(password)}")
+        argCounter += 1
+    }
+
+    override fun ciphertext(ciphertext: InputStream): ReadyWithResult<DecryptionResult> {
+        val tempDir = tempDirProvider.provideTempDirectory()
+
+        val sessionKeyOut = File(tempDir, "session-key-out")
+        sessionKeyOut.delete()
+        commandList.add("--session-key-out=${sessionKeyOut.absolutePath}")
+
+        val verifyOut = File(tempDir, "verifications-out")
+        verifyOut.delete()
+        if (requireVerification) {
+            commandList.add("--verifications-out=${verifyOut.absolutePath}")
+        }
+
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            return object : ReadyWithResult<DecryptionResult>() {
+                override fun writeTo(outputStream: OutputStream): DecryptionResult {
+                    val buf = ByteArray(4096)
+                    var r: Int
+                    while (ciphertext.read(buf).also { r = it } > 0) {
+                        processOut.write(buf, 0, r)
+                    }
+
+                    ciphertext.close()
+                    processOut.close()
+
+                    while (processIn.read(buf).also { r = it } > 0) {
+                        outputStream.write(buf, 0, r)
+                    }
+
+                    processIn.close()
+                    outputStream.close()
+
+                    finish(process)
+
+                    val sessionKeyOutIn = FileInputStream(sessionKeyOut)
+                    var line: String? = readString(sessionKeyOutIn)
+                    val sessionKey = line?.let { l -> SessionKey.fromString(l.trim { it <= ' ' }) }
+                    sessionKeyOutIn.close()
+                    sessionKeyOut.delete()
+
+                    val verifications: MutableList<Verification> = ArrayList()
+                    if (requireVerification) {
+                        val verifyOutIn = FileInputStream(verifyOut)
+                        val reader = BufferedReader(InputStreamReader(verifyOutIn))
+                        while (reader.readLine().also { line = it } != null) {
+                            line?.let { verifications.add(Verification.fromString(it.trim())) }
+                        }
+                        reader.close()
+                    }
+
+                    return DecryptionResult(sessionKey, verifications)
+                }
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/DetachedSignExternal.kt

@@ -0,0 +1,104 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.*
+import java.util.*
+import sop.MicAlg
+import sop.ReadyWithResult
+import sop.SigningResult
+import sop.SigningResult.Companion.builder
+import sop.enums.SignAs
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.operation.DetachedSign
+
+/** Implementation of the [DetachedSign] operation using an external SOP binary. */
+class DetachedSignExternal(
+    binary: String,
+    environment: Properties,
+    private val tempDirProvider: ExternalSOP.TempDirProvider
+) : DetachedSign {
+
+    private val commandList = mutableListOf(binary, "sign")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+
+    override fun mode(mode: SignAs): DetachedSign = apply { commandList.add("--as=$mode") }
+
+    override fun data(data: InputStream): ReadyWithResult<SigningResult> {
+        val tempDir = tempDirProvider.provideTempDirectory()
+        val micAlgOut = File(tempDir, "micAlgOut")
+        micAlgOut.delete()
+        commandList.add("--micalg-out=${micAlgOut.absolutePath}")
+
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            return object : ReadyWithResult<SigningResult>() {
+                override fun writeTo(outputStream: OutputStream): SigningResult {
+                    val buf = ByteArray(4096)
+                    var r: Int
+                    while (data.read(buf).also { r = it } > 0) {
+                        processOut.write(buf, 0, r)
+                    }
+
+                    data.close()
+                    try {
+                        processOut.close()
+                    } catch (e: IOException) {
+                        // Ignore Stream closed
+                        if ("Stream closed" != e.message) {
+                            throw e
+                        }
+                    }
+
+                    while (processIn.read(buf).also { r = it } > 0) {
+                        outputStream.write(buf, 0, r)
+                    }
+
+                    processIn.close()
+                    outputStream.close()
+
+                    finish(process)
+
+                    val builder = builder()
+                    if (micAlgOut.exists()) {
+                        val reader = BufferedReader(InputStreamReader(FileInputStream(micAlgOut)))
+                        val line = reader.readLine()
+                        if (line != null && line.isNotBlank()) {
+                            val micAlg = MicAlg(line.trim())
+                            builder.setMicAlg(micAlg)
+                        }
+                        reader.close()
+                        micAlgOut.delete()
+                    }
+
+                    return builder.build()
+                }
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+
+    override fun noArmor(): DetachedSign = apply { commandList.add("--no-armor") }
+
+    override fun key(key: InputStream): DetachedSign = apply {
+        commandList.add("@ENV:KEY_$argCounter")
+        envList.add("KEY_$argCounter=${ExternalSOP.readString(key)}")
+        argCounter += 1
+    }
+
+    override fun withKeyPassword(password: ByteArray): DetachedSign = apply {
+        commandList.add("--with-key-password=@ENV:WITH_KEY_PASSWORD_$argCounter")
+        envList.add("WITH_KEY_PASSWORD_$argCounter=${String(password)}")
+        argCounter += 1
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/DetachedVerifyExternal.kt

@@ -0,0 +1,90 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.BufferedReader
+import java.io.IOException
+import java.io.InputStream
+import java.io.InputStreamReader
+import java.util.*
+import sop.Verification
+import sop.Verification.Companion.fromString
+import sop.exception.SOPGPException
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.operation.DetachedVerify
+import sop.operation.VerifySignatures
+import sop.util.UTCUtil
+
+/** Implementation of the [DetachedVerify] operation using an external SOP binary. */
+class DetachedVerifyExternal(binary: String, environment: Properties) : DetachedVerify {
+
+    private val commandList = mutableListOf(binary, "verify")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var signatures: InputStream? = null
+    private val certs: MutableSet<InputStream> = mutableSetOf()
+    private var argCounter = 0
+
+    override fun signatures(signatures: InputStream): VerifySignatures = apply {
+        this.signatures = signatures
+    }
+
+    override fun notBefore(timestamp: Date): DetachedVerify = apply {
+        commandList.add("--not-before=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun notAfter(timestamp: Date): DetachedVerify = apply {
+        commandList.add("--not-after=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun cert(cert: InputStream): DetachedVerify = apply { this.certs.add(cert) }
+
+    override fun data(data: InputStream): List<Verification> {
+        // Signature
+        if (signatures == null) {
+            throw SOPGPException.MissingArg("Missing argument: signatures cannot be null.")
+        }
+        commandList.add("@ENV:SIGNATURE")
+        envList.add("SIGNATURE=${ExternalSOP.readString(signatures!!)}")
+
+        // Certs
+        for (cert in certs) {
+            commandList.add("@ENV:CERT_$argCounter")
+            envList.add("CERT_$argCounter=${ExternalSOP.readString(cert)}")
+            argCounter += 1
+        }
+
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            val buf = ByteArray(4096)
+            var r: Int
+            while (data.read(buf).also { r = it } > 0) {
+                processOut.write(buf, 0, r)
+            }
+
+            data.close()
+            processOut.close()
+
+            val bufferedReader = BufferedReader(InputStreamReader(processIn))
+            val verifications: MutableList<Verification> = ArrayList()
+
+            var line: String?
+            while (bufferedReader.readLine().also { line = it } != null) {
+                verifications.add(fromString(line!!))
+            }
+
+            finish(process)
+
+            return verifications
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/EncryptExternal.kt

@@ -0,0 +1,111 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.File
+import java.io.FileInputStream
+import java.io.IOException
+import java.io.InputStream
+import java.io.OutputStream
+import java.util.*
+import sop.EncryptionResult
+import sop.ReadyWithResult
+import sop.SessionKey.Companion.fromString
+import sop.enums.EncryptAs
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.external.ExternalSOP.Companion.readString
+import sop.operation.Encrypt
+
+/** Implementation of the [Encrypt] operation using an external SOP binary. */
+class EncryptExternal(
+    binary: String,
+    environment: Properties,
+    private val tempDirProvider: ExternalSOP.TempDirProvider
+) : Encrypt {
+
+    private val commandList = mutableListOf(binary, "encrypt")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+
+    override fun noArmor(): Encrypt = apply { commandList.add("--no-armor") }
+
+    override fun mode(mode: EncryptAs): Encrypt = apply { commandList.add("--as=$mode") }
+
+    override fun signWith(key: InputStream): Encrypt = apply {
+        commandList.add("--sign-with=@ENV:SIGN_WITH_$argCounter")
+        envList.add("SIGN_WITH_$argCounter=${readString(key)}")
+        argCounter += 1
+    }
+
+    override fun withKeyPassword(password: ByteArray): Encrypt = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCounter")
+        envList.add("KEY_PASSWORD_$argCounter=${String(password)}")
+        argCounter += 1
+    }
+
+    override fun withPassword(password: String): Encrypt = apply {
+        commandList.add("--with-password=@ENV:PASSWORD_$argCounter")
+        envList.add("PASSWORD_$argCounter=$password")
+        argCounter += 1
+    }
+
+    override fun withCert(cert: InputStream): Encrypt = apply {
+        commandList.add("@ENV:CERT_$argCounter")
+        envList.add("CERT_$argCounter=${readString(cert)}")
+        argCounter += 1
+    }
+
+    override fun profile(profileName: String): Encrypt = apply {
+        commandList.add("--profile=$profileName")
+    }
+
+    override fun plaintext(plaintext: InputStream): ReadyWithResult<EncryptionResult> {
+        val tempDir = tempDirProvider.provideTempDirectory()
+
+        val sessionKeyOut = File(tempDir, "session-key-out")
+        sessionKeyOut.delete()
+        commandList.add("--session-key-out=${sessionKeyOut.absolutePath}")
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            return object : ReadyWithResult<EncryptionResult>() {
+                override fun writeTo(outputStream: OutputStream): EncryptionResult {
+                    val buf = ByteArray(4096)
+                    var r: Int
+                    while (plaintext.read(buf).also { r = it } > 0) {
+                        processOut.write(buf, 0, r)
+                    }
+
+                    plaintext.close()
+                    processOut.close()
+
+                    while (processIn.read(buf).also { r = it } > 0) {
+                        outputStream.write(buf, 0, r)
+                    }
+
+                    processIn.close()
+                    outputStream.close()
+
+                    finish(process)
+
+                    val sessionKeyOutIn = FileInputStream(sessionKeyOut)
+                    val line = readString(sessionKeyOutIn)
+                    val sessionKey = fromString(line.trim())
+                    sessionKeyOutIn.close()
+                    sessionKeyOut.delete()
+
+                    return EncryptionResult(sessionKey)
+                }
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/ExtractCertExternal.kt

@@ -0,0 +1,24 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.ExtractCert
+
+/** Implementation of the [ExtractCert] operation using an external SOP binary. */
+class ExtractCertExternal(binary: String, environment: Properties) : ExtractCert {
+
+    private val commandList = mutableListOf(binary, "extract-cert")
+    private val envList = ExternalSOP.propertiesToEnv(environment)
+
+    override fun noArmor(): ExtractCert = apply { commandList.add("--no-armor") }
+
+    override fun key(keyInputStream: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(
+            Runtime.getRuntime(), commandList, envList, keyInputStream)
+}

external-sop/src/main/kotlin/sop/external/operation/GenerateKeyExternal.kt

@@ -0,0 +1,38 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.util.Properties
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.GenerateKey
+
+/** Implementation of the [GenerateKey] operation using an external SOP binary. */
+class GenerateKeyExternal(binary: String, environment: Properties) : GenerateKey {
+
+    private val commandList = mutableListOf(binary, "generate-key")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+
+    override fun noArmor(): GenerateKey = apply { commandList.add("--no-armor") }
+
+    override fun userId(userId: String): GenerateKey = apply { commandList.add(userId) }
+
+    override fun withKeyPassword(password: String): GenerateKey = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCounter")
+        envList.add("KEY_PASSWORD_$argCounter=$password")
+        argCounter += 1
+    }
+
+    override fun profile(profile: String): GenerateKey = apply {
+        commandList.add("--profile=$profile")
+    }
+
+    override fun signingOnly(): GenerateKey = apply { commandList.add("--signing-only") }
+
+    override fun generate(): Ready =
+        ExternalSOP.executeProducingOperation(Runtime.getRuntime(), commandList, envList)
+}

external-sop/src/main/kotlin/sop/external/operation/InlineDetachExternal.kt

@@ -0,0 +1,82 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.*
+import java.util.*
+import sop.ReadyWithResult
+import sop.Signatures
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.operation.InlineDetach
+
+/** Implementation of the [InlineDetach] operation using an external SOP binary. */
+class InlineDetachExternal(
+    binary: String,
+    environment: Properties,
+    private val tempDirProvider: ExternalSOP.TempDirProvider
+) : InlineDetach {
+
+    private val commandList = mutableListOf(binary, "inline-detach")
+    private val envList = ExternalSOP.propertiesToEnv(environment)
+
+    override fun noArmor(): InlineDetach = apply { commandList.add("--no-armor") }
+
+    override fun message(messageInputStream: InputStream): ReadyWithResult<Signatures> {
+        val tempDir = tempDirProvider.provideTempDirectory()
+
+        val signaturesOut = File(tempDir, "signatures")
+        signaturesOut.delete()
+        commandList.add("--signatures-out=${signaturesOut.absolutePath}")
+
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            return object : ReadyWithResult<Signatures>() {
+                override fun writeTo(outputStream: OutputStream): Signatures {
+                    val buf = ByteArray(4096)
+                    var r: Int
+                    while (messageInputStream.read(buf).also { r = it } > 0) {
+                        processOut.write(buf, 0, r)
+                    }
+
+                    messageInputStream.close()
+                    processOut.close()
+
+                    while (processIn.read(buf).also { r = it } > 0) {
+                        outputStream.write(buf, 0, r)
+                    }
+
+                    processIn.close()
+                    outputStream.close()
+
+                    finish(process)
+
+                    val signaturesOutIn = FileInputStream(signaturesOut)
+                    val signaturesBuffer = ByteArrayOutputStream()
+                    while (signaturesOutIn.read(buf).also { r = it } > 0) {
+                        signaturesBuffer.write(buf, 0, r)
+                    }
+                    signaturesOutIn.close()
+                    signaturesOut.delete()
+
+                    val sigBytes = signaturesBuffer.toByteArray()
+
+                    return object : Signatures() {
+                        @Throws(IOException::class)
+                        override fun writeTo(outputStream: OutputStream) {
+                            outputStream.write(sigBytes)
+                        }
+                    }
+                }
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/InlineSignExternal.kt

@@ -0,0 +1,40 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.enums.InlineSignAs
+import sop.external.ExternalSOP
+import sop.operation.InlineSign
+
+/** Implementation of the [InlineSign] operation using an external SOP binary. */
+class InlineSignExternal(binary: String, environment: Properties) : InlineSign {
+
+    private val commandList = mutableListOf(binary, "inline-sign")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+
+    override fun mode(mode: InlineSignAs): InlineSign = apply { commandList.add("--as=$mode") }
+
+    override fun data(data: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, data)
+
+    override fun noArmor(): InlineSign = apply { commandList.add("--no-armor") }
+
+    override fun key(key: InputStream): InlineSign = apply {
+        commandList.add("@ENV:KEY_$argCounter")
+        envList.add("KEY_$argCounter=${ExternalSOP.readString(key)}")
+        argCounter += 1
+    }
+
+    override fun withKeyPassword(password: ByteArray): InlineSign = apply {
+        commandList.add("--with-key-password=@ENV:WITH_KEY_PASSWORD_$argCounter")
+        envList.add("WITH_KEY_PASSWORD_$argCounter=${String(password)}")
+        argCounter += 1
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/InlineVerifyExternal.kt

@@ -0,0 +1,91 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.*
+import java.util.*
+import sop.ReadyWithResult
+import sop.Verification
+import sop.Verification.Companion.fromString
+import sop.external.ExternalSOP
+import sop.external.ExternalSOP.Companion.finish
+import sop.operation.InlineVerify
+import sop.util.UTCUtil
+
+/** Implementation of the [InlineVerify] operation using an external SOP binary. */
+class InlineVerifyExternal(
+    binary: String,
+    environment: Properties,
+    private val tempDirProvider: ExternalSOP.TempDirProvider
+) : InlineVerify {
+
+    private val commandList = mutableListOf(binary, "inline-verify")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCounter = 0
+
+    override fun data(data: InputStream): ReadyWithResult<List<Verification>> {
+        val tempDir = tempDirProvider.provideTempDirectory()
+
+        val verificationsOut = File(tempDir, "verifications-out")
+        verificationsOut.delete()
+        commandList.add("--verifications-out=${verificationsOut.absolutePath}")
+
+        try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val processOut = process.outputStream
+            val processIn = process.inputStream
+
+            return object : ReadyWithResult<List<Verification>>() {
+                override fun writeTo(outputStream: OutputStream): List<Verification> {
+                    val buf = ByteArray(4096)
+                    var r: Int
+                    while (data.read(buf).also { r = it } > 0) {
+                        processOut.write(buf, 0, r)
+                    }
+
+                    data.close()
+                    processOut.close()
+
+                    while (processIn.read(buf).also { r = it } > 0) {
+                        outputStream.write(buf, 0, r)
+                    }
+
+                    processIn.close()
+                    outputStream.close()
+
+                    finish(process)
+
+                    val verificationsOutIn = FileInputStream(verificationsOut)
+                    val reader = BufferedReader(InputStreamReader(verificationsOutIn))
+                    val verificationList: MutableList<Verification> = mutableListOf()
+                    var line: String?
+                    while (reader.readLine().also { line = it } != null) {
+                        verificationList.add(fromString(line!!.trim()))
+                    }
+
+                    return verificationList
+                }
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+
+    override fun notBefore(timestamp: Date): InlineVerify = apply {
+        commandList.add("--not-before=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun notAfter(timestamp: Date): InlineVerify = apply {
+        commandList.add("--not-after=${UTCUtil.formatUTCDate(timestamp)}")
+    }
+
+    override fun cert(cert: InputStream): InlineVerify = apply {
+        commandList.add("@ENV:CERT_$argCounter")
+        envList.add("CERT_$argCounter=${ExternalSOP.readString(cert)}")
+        argCounter += 1
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/ListProfilesExternal.kt

@@ -0,0 +1,36 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.IOException
+import java.util.Properties
+import sop.Profile
+import sop.external.ExternalSOP
+import sop.operation.ListProfiles
+
+/** Implementation of the [ListProfiles] operation using an external SOP binary. */
+class ListProfilesExternal(binary: String, environment: Properties) : ListProfiles {
+
+    private val commandList = mutableListOf(binary, "list-profiles")
+    private val envList = ExternalSOP.propertiesToEnv(environment)
+
+    override fun subcommand(command: String): List<Profile> {
+        return try {
+            String(
+                    ExternalSOP.executeProducingOperation(
+                            Runtime.getRuntime(), commandList.plus(command), envList)
+                        .bytes)
+                .let { toProfiles(it) }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+
+    companion object {
+        @JvmStatic
+        private fun toProfiles(output: String): List<Profile> =
+            output.split("\n").filter { it.isNotBlank() }.map { Profile.parse(it) }
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/MergeCertsExternal.kt

@@ -0,0 +1,30 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.*
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.MergeCerts
+
+class MergeCertsExternal(binary: String, environment: Properties) : MergeCerts {
+
+    private val commandList = mutableListOf(binary, "merge-certs")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCount = 0
+
+    override fun noArmor(): MergeCerts = apply { commandList.add("--no-armor") }
+
+    override fun updates(updateCerts: InputStream): MergeCerts = apply {
+        commandList.add("@ENV:CERT_$argCount")
+        envList.add("CERT_$argCount=${ExternalSOP.readString(updateCerts)}")
+        argCount += 1
+    }
+
+    override fun baseCertificates(certs: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, certs)
+}

external-sop/src/main/kotlin/sop/external/operation/RevokeKeyExternal.kt

@@ -0,0 +1,31 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.Properties
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.RevokeKey
+
+/** Implementation of the [RevokeKey] operation using an external SOP binary. */
+class RevokeKeyExternal(binary: String, environment: Properties) : RevokeKey {
+
+    private val commandList = mutableListOf(binary, "revoke-key")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCount = 0
+
+    override fun noArmor(): RevokeKey = apply { commandList.add("--no-armor") }
+
+    override fun withKeyPassword(password: ByteArray): RevokeKey = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCount")
+        envList.add("KEY_PASSWORD_$argCount=${String(password)}")
+        argCount += 1
+    }
+
+    override fun keys(keys: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, keys)
+}

external-sop/src/main/kotlin/sop/external/operation/UpdateKeyExternal.kt

@@ -0,0 +1,43 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.*
+import sop.Ready
+import sop.external.ExternalSOP
+import sop.operation.UpdateKey
+
+class UpdateKeyExternal(binary: String, environment: Properties) : UpdateKey {
+
+    private val commandList = mutableListOf(binary, "update-key")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCount = 0
+
+    override fun noArmor(): UpdateKey = apply { commandList.add("--no-armor") }
+
+    override fun signingOnly(): UpdateKey = apply { commandList.add("--signing-only") }
+
+    override fun noAddedCapabilities(): UpdateKey = apply {
+        commandList.add("--no-added-capabilities")
+    }
+
+    override fun withKeyPassword(password: ByteArray): UpdateKey = apply {
+        commandList.add("--with-key-password=@ENV:KEY_PASSWORD_$argCount")
+        envList.add("KEY_PASSWORD_$argCount=${String(password)}")
+        argCount += 1
+    }
+
+    override fun mergeCerts(certs: InputStream): UpdateKey = apply {
+        commandList.add("--merge-certs")
+        commandList.add("@ENV:CERT_$argCount")
+        envList.add("CERT_$argCount=${ExternalSOP.readString(certs)}")
+        argCount += 1
+    }
+
+    override fun key(key: InputStream): Ready =
+        ExternalSOP.executeTransformingOperation(Runtime.getRuntime(), commandList, envList, key)
+}

external-sop/src/main/kotlin/sop/external/operation/ValidateUserIdExternal.kt

@@ -0,0 +1,43 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.InputStream
+import java.util.*
+import sop.external.ExternalSOP
+import sop.operation.ValidateUserId
+import sop.util.UTCUtil
+
+class ValidateUserIdExternal(binary: String, environment: Properties) : ValidateUserId {
+
+    private val commandList = mutableListOf(binary, "validate-userid")
+    private val envList = ExternalSOP.propertiesToEnv(environment).toMutableList()
+
+    private var argCount = 0
+
+    private var userId: String? = null
+    private val authorities: MutableList<String> = mutableListOf()
+
+    override fun addrSpecOnly(): ValidateUserId = apply { commandList.add("--addr-spec-only") }
+
+    override fun userId(userId: String): ValidateUserId = apply { this.userId = userId }
+
+    override fun authorities(certs: InputStream): ValidateUserId = apply {
+        this.authorities.add("@ENV:CERT_$argCount")
+        envList.add("CERT_$argCount=${ExternalSOP.readString(certs)}")
+        argCount += 1
+    }
+
+    override fun subjects(certs: InputStream): Boolean {
+        ExternalSOP.executeTransformingOperation(
+                Runtime.getRuntime(), commandList.plus(userId!!).plus(authorities), envList, certs)
+            .bytes
+        return true
+    }
+
+    override fun validateAt(date: Date): ValidateUserId = apply {
+        commandList.add("--validate-at=${UTCUtil.formatUTCDate(date)}")
+    }
+}

external-sop/src/main/kotlin/sop/external/operation/VersionExternal.kt

@@ -0,0 +1,102 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.external.operation
+
+import java.io.IOException
+import java.util.Properties
+import sop.external.ExternalSOP
+import sop.operation.Version
+
+/** Implementation of the [Version] operation using an external SOP binary. */
+class VersionExternal(binary: String, environment: Properties) : Version {
+
+    private val commandList = listOf(binary, "version")
+    private val envList = ExternalSOP.propertiesToEnv(environment)
+
+    override fun getName(): String {
+        val info = executeForLine(commandList)
+        return if (info.contains(" ")) {
+            info.substring(0, info.lastIndexOf(" "))
+        } else {
+            info
+        }
+    }
+
+    override fun getVersion(): String {
+        val info = executeForLine(commandList)
+        return if (info.contains(" ")) {
+            info.substring(info.lastIndexOf(" ") + 1)
+        } else {
+            info
+        }
+    }
+
+    override fun getBackendVersion(): String {
+        return executeForLines(commandList.plus("--backend"))
+    }
+
+    override fun getExtendedVersion(): String {
+        return executeForLines(commandList.plus("--extended"))
+    }
+
+    override fun getSopSpecRevisionNumber(): Int {
+        val revision = getSopSpecVersion()
+        val firstLine =
+            if (revision.contains("\n")) {
+                revision.substring(0, revision.indexOf("\n"))
+            } else {
+                revision
+            }
+
+        if (!firstLine.contains("-")) {
+            return -1
+        }
+        return Integer.parseInt(firstLine.substring(firstLine.lastIndexOf("-") + 1))
+    }
+
+    override fun isSopSpecImplementationIncomplete(): Boolean {
+        return getSopSpecVersion().startsWith("~")
+    }
+
+    override fun getSopSpecImplementationRemarks(): String? {
+        val revision = getSopSpecVersion()
+        if (revision.contains("\n")) {
+            revision.substring(revision.indexOf("\n")).trim().takeIf { it.isNotBlank() }
+        }
+        return null
+    }
+
+    override fun getSopVVersion(): String {
+        return executeForLines(commandList.plus("--sopv"))
+    }
+
+    override fun getSopSpecVersion(): String {
+        return executeForLines(commandList.plus("--sop-spec"))
+    }
+
+    private fun executeForLine(commandList: List<String>): String {
+        return try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val result = process.inputStream.bufferedReader().readLine()
+            ExternalSOP.finish(process)
+            result.trim()
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+
+    private fun executeForLines(commandList: List<String>): String {
+        return try {
+            val process =
+                Runtime.getRuntime().exec(commandList.toTypedArray(), envList.toTypedArray())
+            val result = process.inputStream.bufferedReader().readLines().joinToString("\n")
+            ExternalSOP.finish(process)
+            result.trim()
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

external-sop/src/main/resources/sop/testsuite/external/.gitignore

@@ -0,0 +1,5 @@
+# SPDX-FileCopyrightText: 2023 Paul Schaub <info@pgpainless.org>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+config.json

external-sop/src/main/resources/sop/testsuite/external/config.json.ci

@@ -0,0 +1,8 @@
+{
+    "backends": [
+        {
+            "name": "Sequoia-SOP",
+            "sop": "/usr/bin/sqop"
+        }
+    ]
+}

external-sop/src/main/resources/sop/testsuite/external/config.json.example

@@ -0,0 +1,17 @@
+{
+    "backends": [
+        {
+            "name": "Example-SOP",
+            "sop": "/usr/bin/example-sop"
+        },
+        {
+            "name": "Awesome-SOP",
+            "sop": "/usr/local/bin/awesome-sop",
+            "env": [
+                {
+                    "key": "myEnvironmentVariable", "value": "FooBar"
+                }
+            ]
+        }
+    ]
+}

external-sop/src/test/java/sop/testsuite/external/ExternalSOPInstanceFactory.java

@@ -0,0 +1,80 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.external;
+
+import com.google.gson.Gson;
+import sop.SOP;
+import sop.external.ExternalSOP;
+import sop.testsuite.SOPInstanceFactory;
+
+import java.io.File;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
+
+/**
+ * This implementation of {@link SOPInstanceFactory} reads the JSON file at
+ * <pre>external-sop/src/main/resources/sop/testsuite/external/config.json</pre>
+ * to determine configured external test backends.
+ */
+public class ExternalSOPInstanceFactory extends SOPInstanceFactory {
+
+    @Override
+    public Map<String, SOP> provideSOPInstances() {
+        Map<String, SOP> backends = new HashMap<>();
+        TestSuite suite = readConfiguration();
+        if (suite != null && !suite.backends.isEmpty()) {
+            for (TestSubject subject : suite.backends) {
+                if (!new File(subject.sop).exists()) {
+                    continue;
+                }
+
+                Properties env = new Properties();
+                if (subject.env != null) {
+                    for (Var var : subject.env) {
+                        env.put(var.key, var.value);
+                    }
+                }
+
+                SOP sop = new ExternalSOP(subject.sop, env);
+                backends.put(subject.name, sop);
+            }
+        }
+        return backends;
+    }
+
+
+    public static TestSuite readConfiguration() {
+        Gson gson = new Gson();
+        InputStream inputStream = ExternalSOPInstanceFactory.class.getResourceAsStream("config.json");
+        if (inputStream == null) {
+            return null;
+        }
+
+        InputStreamReader reader = new InputStreamReader(inputStream);
+        return gson.fromJson(reader, TestSuite.class);
+    }
+
+
+    // JSON DTOs
+
+    public static class TestSuite {
+        List<TestSubject> backends;
+    }
+
+    public static class TestSubject {
+        String name;
+        String sop;
+        List<Var> env;
+    }
+
+    public static class Var {
+        String key;
+        String value;
+    }
+}

external-sop/src/test/java/sop/testsuite/external/ExternalTestSuite.java

@@ -0,0 +1,18 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.testsuite.external;
+
+import org.junit.platform.suite.api.IncludeClassNamePatterns;
+import org.junit.platform.suite.api.SelectPackages;
+import org.junit.platform.suite.api.Suite;
+import org.junit.platform.suite.api.SuiteDisplayName;
+
+@Suite
+@SuiteDisplayName("External SOP Tests")
+@SelectPackages("sop.testsuite.operation")
+@IncludeClassNamePatterns(".*Test")
+public class ExternalTestSuite {
+
+}

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -1,7 +1,7 @@
-#!/usr/bin/env sh
+#!/bin/sh
 
 #
-# Copyright 2015 the original author or authors.
+# Copyright © 2015-2021 the original authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,67 +17,101 @@
 #
 
 ##############################################################################
-##
+#
-##  Gradle start up script for UN*X
+#   Gradle start up script for POSIX generated by Gradle.
-##
+#
+#   Important for running:
+#
+#   (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is
+#       noncompliant, but you have some other compliant shell such as ksh or
+#       bash, then to run this script, type that shell name before the whole
+#       command line, like:
+#
+#           ksh Gradle
+#
+#       Busybox and similar reduced shells will NOT work, because this script
+#       requires all of these POSIX shell features:
+#         * functions;
+#         * expansions «$var», «${var}», «${var:-default}», «${var+SET}»,
+#           «${var#prefix}», «${var%suffix}», and «$( cmd )»;
+#         * compound commands having a testable exit status, especially «case»;
+#         * various built-in commands including «command», «set», and «ulimit».
+#
+#   Important for patching:
+#
+#   (2) This script targets any POSIX shell, so it avoids extensions provided
+#       by Bash, Ksh, etc; in particular arrays are avoided.
+#
+#       The "traditional" practice of packing multiple parameters into a
+#       space-separated string is a well documented source of bugs and security
+#       problems, so this is (mostly) avoided, by progressively accumulating
+#       options in "$@", and eventually passing that to Java.
+#
+#       Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS,
+#       and GRADLE_OPTS) rely on word-splitting, this is performed explicitly;
+#       see the in-line comments for details.
+#
+#       There are tweaks for specific operating systems such as AIX, CygWin,
+#       Darwin, MinGW, and NonStop.
+#
+#   (3) This script is generated from the Groovy template
+#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       within the Gradle project.
+#
+#       You can find Gradle at https://github.com/gradle/gradle/.
+#
 ##############################################################################
 
 # Attempt to set APP_HOME
+
 # Resolve links: $0 may be a link
-PRG="$0"
+app_path=$0
-# Need this for relative symlinks.
+
-while [ -h "$PRG" ] ; do
+# Need this for daisy-chained symlinks.
-    ls=`ls -ld "$PRG"`
+while
-    link=`expr "$ls" : '.*-> \(.*\)$'`
+    APP_HOME=${app_path%"${app_path##*/}"}  # leaves a trailing /; empty if no leading path
-    if expr "$link" : '/.*' > /dev/null; then
+    [ -h "$app_path" ]
-        PRG="$link"
+do
-    else
+    ls=$( ls -ld "$app_path" )
-        PRG=`dirname "$PRG"`"/$link"
+    link=${ls#*' -> '}
-    fi
+    case $link in             #(
+      /*)   app_path=$link ;; #(
+      *)    app_path=$APP_HOME$link ;;
+    esac
 done
-SAVED="`pwd`"
+
-cd "`dirname \"$PRG\"`/" >/dev/null
+APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-APP_HOME="`pwd -P`"
-cd "$SAVED" >/dev/null
 
 APP_NAME="Gradle"
-APP_BASE_NAME=`basename "$0"`
+APP_BASE_NAME=${0##*/}
 
 # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
-MAX_FD="maximum"
+MAX_FD=maximum
 
 warn () {
     echo "$*"
-}
+} >&2
 
 die () {
     echo
     echo "$*"
     echo
     exit 1
-}
+} >&2
 
 # OS specific support (must be 'true' or 'false').
 cygwin=false
 msys=false
 darwin=false
 nonstop=false
-case "`uname`" in
+case "$( uname )" in                #(
-  CYGWIN* )
+  CYGWIN* )         cygwin=true  ;; #(
-    cygwin=true
+  Darwin* )         darwin=true  ;; #(
-    ;;
+  MSYS* | MINGW* )  msys=true    ;; #(
-  Darwin* )
+  NONSTOP* )        nonstop=true ;;
-    darwin=true
-    ;;
-  MSYS* | MINGW* )
-    msys=true
-    ;;
-  NONSTOP* )
-    nonstop=true
-    ;;
 esac
 
 CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
@@ -87,9 +121,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar
 if [ -n "$JAVA_HOME" ] ; then
     if [ -x "$JAVA_HOME/jre/sh/java" ] ; then
         # IBM's JDK on AIX uses strange locations for the executables
-        JAVACMD="$JAVA_HOME/jre/sh/java"
+        JAVACMD=$JAVA_HOME/jre/sh/java
     else
-        JAVACMD="$JAVA_HOME/bin/java"
+        JAVACMD=$JAVA_HOME/bin/java
     fi
     if [ ! -x "$JAVACMD" ] ; then
         die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME
@@ -98,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
     fi
 else
-    JAVACMD="java"
+    JAVACMD=java
     which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
@@ -106,80 +140,95 @@ location of your Java installation."
 fi
 
 # Increase the maximum file descriptors if we can.
-if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then
+if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
-    MAX_FD_LIMIT=`ulimit -H -n`
+    case $MAX_FD in #(
-    if [ $? -eq 0 ] ; then
+      max*)
-        if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then
+        MAX_FD=$( ulimit -H -n ) ||
-            MAX_FD="$MAX_FD_LIMIT"
+            warn "Could not query maximum file descriptor limit"
-        fi
+    esac
-        ulimit -n $MAX_FD
+    case $MAX_FD in  #(
-        if [ $? -ne 0 ] ; then
+      '' | soft) :;; #(
-            warn "Could not set maximum file descriptor limit: $MAX_FD"
+      *)
-        fi
+        ulimit -n "$MAX_FD" ||
-    else
+            warn "Could not set maximum file descriptor limit to $MAX_FD"
-        warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT"
-    fi
-fi
-
-# For Darwin, add options to specify how the application appears in the dock
-if $darwin; then
-    GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
-fi
-
-# For Cygwin or MSYS, switch paths to Windows format before running java
-if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
-    APP_HOME=`cygpath --path --mixed "$APP_HOME"`
-    CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
-
-    JAVACMD=`cygpath --unix "$JAVACMD"`
-
-    # We build the pattern for arguments to be converted via cygpath
-    ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null`
-    SEP=""
-    for dir in $ROOTDIRSRAW ; do
-        ROOTDIRS="$ROOTDIRS$SEP$dir"
-        SEP="|"
-    done
-    OURCYGPATTERN="(^($ROOTDIRS))"
-    # Add a user-defined pattern to the cygpath arguments
-    if [ "$GRADLE_CYGPATTERN" != "" ] ; then
-        OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)"
-    fi
-    # Now convert the arguments - kludge to limit ourselves to /bin/sh
-    i=0
-    for arg in "$@" ; do
-        CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -`
-        CHECK2=`echo "$arg"|egrep -c "^-"`                                 ### Determine if an option
-
-        if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then                    ### Added a condition
-            eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"`
-        else
-            eval `echo args$i`="\"$arg\""
-        fi
-        i=`expr $i + 1`
-    done
-    case $i in
-        0) set -- ;;
-        1) set -- "$args0" ;;
-        2) set -- "$args0" "$args1" ;;
-        3) set -- "$args0" "$args1" "$args2" ;;
-        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
-# Escape application args
+# Collect all arguments for the java command, stacking in reverse order:
-save () {
+#   * args from the command line
-    for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
+#   * the main class name
-    echo " "
+#   * -classpath
-}
+#   * -D...appname settings
-APP_ARGS=`save "$@"`
+#   * --module-path (only if needed)
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables.
 
-# Collect all arguments for the java command, following the shell quoting and substitution rules
+# For Cygwin or MSYS, switch paths to Windows format before running java
-eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
+if "$cygwin" || "$msys" ; then
+    APP_HOME=$( cygpath --path --mixed "$APP_HOME" )
+    CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" )
+
+    JAVACMD=$( cygpath --unix "$JAVACMD" )
+
+    # Now convert the arguments - kludge to limit ourselves to /bin/sh
+    for arg do
+        if
+            case $arg in                                #(
+              -*)   false ;;                            # don't mess with options #(
+              /?*)  t=${arg#/} t=/${t%%/*}              # looks like a POSIX filepath
+                    [ -e "$t" ] ;;                      #(
+              *)    false ;;
+            esac
+        then
+            arg=$( cygpath --path --ignore --mixed "$arg" )
+        fi
+        # Roll the args list around exactly as many times as the number of
+        # args, so each arg winds up back in the position where it started, but
+        # possibly modified.
+        #
+        # NB: a `for` loop captures its iteration list before it begins, so
+        # changing the positional parameters here affects neither the number of
+        # iterations, nor the values presented in `arg`.
+        shift                   # remove old arg
+        set -- "$@" "$arg"      # push replacement arg
+    done
+fi
+
+# Collect all arguments for the java command;
+#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+#     shell script including quotes and variable substitutions, so put them in
+#     double quotes to make sure that they get re-expanded; and
+#   * put everything else in single quotes, so that it's not re-expanded.
+
+set -- \
+        "-Dorg.gradle.appname=$APP_BASE_NAME" \
+        -classpath "$CLASSPATH" \
+        org.gradle.wrapper.GradleWrapperMain \
+        "$@"
+
+# Use "xargs" to parse quoted args.
+#
+# With -n1 it outputs one arg per line, with the quotes and backslashes removed.
+#
+# In Bash we could simply go:
+#
+#   readarray ARGS < <( xargs -n1 <<<"$var" ) &&
+#   set -- "${ARGS[@]}" "$@"
+#
+# but POSIX shell has neither arrays nor command substitution, so instead we
+# post-process each arg (as a line of input to sed) to backslash-escape any
+# character that might be a shell metacharacter, then use eval to reverse
+# that process (while maintaining the separation between arguments), and wrap
+# the whole thing up as a single "set" statement.
+#
+# This will of course break if any of these variables contains a newline or
+# an unmatched quote.
+#
+
+eval "set -- $(
+        printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" |
+        xargs -n1 |
+        sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' |
+        tr '\n' ' '
+    )" '"$@"'
 
 exec "$JAVACMD" "$@"

settings.gradle

@@ -5,5 +5,8 @@
 rootProject.name = 'SOP-Java'
 
 include 'sop-java',
-        'sop-java-picocli'
+        'sop-java-picocli',
+        'sop-java-testfixtures',
+        'external-sop',
+        'sop-java-json-gson'
 

sop-java-json-gson/README.md

@@ -0,0 +1,13 @@
+<!--
+SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+
+SPDX-License-Identifier: Apache-2.0
+-->
+
+# SOP-Java-JSON-GSON
+
+## JSON Parsing VERIFICATION extension JSON using Gson
+
+Since revision 11, the SOP specification defines VERIFICATIONS extension JSON.
+
+This module implements the `JSONParser` and `JSONSerializer` interfaces using Googles Gson library.

sop-java-json-gson/build.gradle

@@ -0,0 +1,28 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+plugins {
+    id 'java-library'
+}
+
+group 'org.pgpainless'
+
+repositories {
+    mavenCentral()
+}
+
+dependencies {
+    implementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
+    implementation "org.junit.jupiter:junit-jupiter-params:$junitVersion"
+    runtimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
+
+    implementation project(":sop-java")
+    api "org.slf4j:slf4j-api:$slf4jVersion"
+    testImplementation "ch.qos.logback:logback-classic:$logbackVersion"
+
+    // @Nonnull, @Nullable...
+    implementation "com.google.code.findbugs:jsr305:$jsrVersion"
+
+    api "com.google.code.gson:gson:$gsonVersion"
+}

sop-java-json-gson/src/main/kotlin/sop/GsonParser.kt

@@ -0,0 +1,23 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop
+
+import com.google.gson.Gson
+import com.google.gson.JsonSyntaxException
+import com.google.gson.reflect.TypeToken
+import java.text.ParseException
+
+class GsonParser(
+    private val gson: Gson = Gson()
+) : Verification.JSONParser {
+
+    override fun parse(string: String): Verification.JSON {
+        try {
+            return gson.fromJson(string, object : TypeToken<Verification.JSON>(){}.type)
+        } catch (e: JsonSyntaxException) {
+            throw ParseException(e.message, 0)
+        }
+    }
+}

sop-java-json-gson/src/main/kotlin/sop/GsonSerializer.kt

@@ -0,0 +1,16 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop
+
+import com.google.gson.Gson
+
+class GsonSerializer(
+    private val gson: Gson = Gson()
+) : Verification.JSONSerializer {
+
+    override fun serialize(json: Verification.JSON): String {
+        return gson.toJson(json)
+    }
+}

sop-java-json-gson/src/test/kotlin/sop/GsonSerializerAndParserTest.kt

@@ -0,0 +1,96 @@
+// SPDX-FileCopyrightText: 2025 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop
+
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+import java.text.ParseException
+
+class GsonSerializerAndParserTest {
+
+    private val serializer: GsonSerializer = GsonSerializer()
+    private val parser: GsonParser = GsonParser()
+
+    @Test
+    fun simpleSingleTest() {
+        val before = Verification.JSON("/tmp/alice.pgp")
+
+        val json = serializer.serialize(before)
+        assertEquals("{\"signers\":[\"/tmp/alice.pgp\"]}", json)
+
+        val after = parser.parse(json)
+
+        assertEquals(before, after)
+    }
+
+    @Test
+    fun simpleListTest() {
+        val before = Verification.JSON(listOf("/tmp/alice.pgp", "/tmp/bob.asc"))
+
+        val json = serializer.serialize(before)
+        assertEquals("{\"signers\":[\"/tmp/alice.pgp\",\"/tmp/bob.asc\"]}", json)
+
+        val after = parser.parse(json)
+
+        assertEquals(before, after)
+    }
+
+    @Test
+    fun withCommentTest() {
+        val before = Verification.JSON(
+            listOf("/tmp/alice.pgp"),
+            "This is a comment.",
+            null)
+
+        val json = serializer.serialize(before)
+        assertEquals("{\"signers\":[\"/tmp/alice.pgp\"],\"comment\":\"This is a comment.\"}", json)
+
+        val after = parser.parse(json)
+
+        assertEquals(before, after)
+    }
+
+    @Test
+    fun withExtStringTest() {
+        val before = Verification.JSON(
+            listOf("/tmp/alice.pgp"),
+            "This is a comment.",
+            "This is an ext object string.")
+
+        val json = serializer.serialize(before)
+        assertEquals("{\"signers\":[\"/tmp/alice.pgp\"],\"comment\":\"This is a comment.\",\"ext\":\"This is an ext object string.\"}", json)
+
+        val after = parser.parse(json)
+
+        assertEquals(before, after)
+    }
+
+    @Test
+    fun withExtListTest() {
+        val before = Verification.JSON(
+            listOf("/tmp/alice.pgp"),
+            "This is a comment.",
+            listOf(1.0,2.0,3.0))
+
+        val json = serializer.serialize(before)
+        assertEquals("{\"signers\":[\"/tmp/alice.pgp\"],\"comment\":\"This is a comment.\",\"ext\":[1.0,2.0,3.0]}", json)
+
+        val after = parser.parse(json)
+
+        assertEquals(before, after)
+    }
+
+    @Test
+    fun parseInvalidJSON() {
+        assertThrows<ParseException> { parser.parse("Invalid") }
+    }
+
+    @Test
+    fun parseMalformedJSON() {
+        // Missing '}'
+        assertThrows<ParseException> { parser.parse("{\"signers\":[\"Alice\"]") }
+    }
+}

sop-java-picocli/build.gradle

@@ -4,6 +4,7 @@
 
 plugins {
     id 'application'
+    id 'org.asciidoctor.jvm.convert' version '3.3.2'
 }
 
 dependencies {
@@ -11,18 +12,16 @@ dependencies {
     testImplementation "org.junit.jupiter:junit-jupiter-api:$junitVersion"
     testRuntimeOnly "org.junit.jupiter:junit-jupiter-engine:$junitVersion"
 
-    // Testing Exit Codes in JUnit
-    // https://todd.ginsberg.com/post/testing-system-exit/
-    testImplementation "com.ginsberg:junit5-system-exit:$junitSysExitVersion"
-
     // Mocking Components
     testImplementation "org.mockito:mockito-core:$mockitoVersion"
 
     // SOP
     implementation(project(":sop-java"))
+    testImplementation(project(":sop-java-testfixtures"))
 
     // CLI
     implementation "info.picocli:picocli:$picocliVersion"
+    kapt "info.picocli:picocli-codegen:$picocliVersion"
 
     // @Nonnull, @Nullable...
     implementation "com.google.code.findbugs:jsr305:$jsrVersion"
@@ -34,8 +33,13 @@ application {
     mainClass = mainClassName
 }
 
+compileJava {
+    options.compilerArgs += ["-Aproject=${project.group}/${project.name}"]
+}
+
 jar {
     dependsOn(":sop-java:jar")
+    duplicatesStrategy(DuplicatesStrategy.EXCLUDE)
 
     manifest {
         attributes 'Main-Class': "$mainClassName"
@@ -49,3 +53,25 @@ jar {
         exclude "META-INF/*.RSA"
     }
 }
+
+task generateManpageAsciiDoc(type: JavaExec) {
+    dependsOn(classes)
+    group = "Documentation"
+    description = "Generate AsciiDoc manpage"
+    classpath(configurations.annotationProcessor, sourceSets.main.runtimeClasspath)
+    systemProperty("user.language", "en")
+    main 'picocli.codegen.docgen.manpage.ManPageGenerator'
+    args mainClassName, "--outdir=${project.buildDir}/generated-picocli-docs", "-v" //, "--template-dir=src/docs/mantemplates"
+}
+
+apply plugin: 'org.asciidoctor.jvm.convert'
+asciidoctor {
+    attributes 'reproducible': ''
+    dependsOn(generateManpageAsciiDoc)
+    sourceDir = file("${project.buildDir}/generated-picocli-docs")
+    outputDir = file("${project.buildDir}/docs")
+    logDocuments = true
+    outputOptions {
+        backends = ['manpage', 'html5']
+    }
+}

sop-java-picocli/src/main/java/sop/cli/picocli/Print.java

@@ -1,26 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-public class Print {
-
-    public static void errln(String string) {
-        // CHECKSTYLE:OFF
-        System.err.println(string);
-        // CHECKSTYLE:ON
-    }
-
-    public static void trace(Throwable e) {
-        // CHECKSTYLE:OFF
-        e.printStackTrace();
-        // CHECKSTYLE:ON
-    }
-
-    public static void outln(String string) {
-        // CHECKSTYLE:OFF
-        System.out.println(string);
-        // CHECKSTYLE:ON
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/SOPExceptionExitCodeMapper.java

@@ -1,34 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.CommandLine;
-import sop.exception.SOPGPException;
-
-public class SOPExceptionExitCodeMapper implements CommandLine.IExitCodeExceptionMapper {
-
-    @Override
-    public int getExitCode(Throwable exception) {
-        if (exception instanceof SOPGPException) {
-            return ((SOPGPException) exception).getExitCode();
-        }
-        if (exception instanceof CommandLine.UnmatchedArgumentException) {
-            CommandLine.UnmatchedArgumentException ex = (CommandLine.UnmatchedArgumentException) exception;
-            // Unmatched option of subcommand (eg. `generate-key -k`)
-            if (ex.isUnknownOption()) {
-                return SOPGPException.UnsupportedOption.EXIT_CODE;
-            }
-            // Unmatched subcommand
-            return SOPGPException.UnsupportedSubcommand.EXIT_CODE;
-        }
-        // Invalid option (eg. `--label Invalid`)
-        if (exception instanceof CommandLine.ParameterException) {
-            return SOPGPException.UnsupportedOption.EXIT_CODE;
-        }
-
-        // Others, like IOException etc.
-        return 1;
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/SOPExecutionExceptionHandler.java

@@ -1,28 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.CommandLine;
-
-public class SOPExecutionExceptionHandler implements CommandLine.IExecutionExceptionHandler {
-
-    @Override
-    public int handleExecutionException(Exception ex, CommandLine commandLine, CommandLine.ParseResult parseResult) {
-
-        int exitCode = commandLine.getExitCodeExceptionMapper() != null ?
-                commandLine.getExitCodeExceptionMapper().getExitCode(ex) :
-                commandLine.getCommandSpec().exitCodeOnExecutionException();
-
-        CommandLine.Help.ColorScheme colorScheme = commandLine.getColorScheme();
-        // CHECKSTYLE:OFF
-        if (ex.getMessage() != null) {
-            commandLine.getErr().println(colorScheme.errorText(ex.getMessage()));
-        }
-        ex.printStackTrace(commandLine.getErr());
-        // CHECKSTYLE:ON
-
-        return exitCode;
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/SopCLI.java

@@ -1,109 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli;
-
-import picocli.AutoComplete;
-import picocli.CommandLine;
-import sop.SOP;
-import sop.cli.picocli.commands.ArmorCmd;
-import sop.cli.picocli.commands.DearmorCmd;
-import sop.cli.picocli.commands.DecryptCmd;
-import sop.cli.picocli.commands.InlineDetachCmd;
-import sop.cli.picocli.commands.EncryptCmd;
-import sop.cli.picocli.commands.ExtractCertCmd;
-import sop.cli.picocli.commands.GenerateKeyCmd;
-import sop.cli.picocli.commands.InlineSignCmd;
-import sop.cli.picocli.commands.InlineVerifyCmd;
-import sop.cli.picocli.commands.SignCmd;
-import sop.cli.picocli.commands.VerifyCmd;
-import sop.cli.picocli.commands.VersionCmd;
-
-import java.util.List;
-import java.util.Locale;
-import java.util.ResourceBundle;
-
-@CommandLine.Command(
-        name = "sop",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 69,
-        subcommands = {
-                CommandLine.HelpCommand.class,
-                ArmorCmd.class,
-                DearmorCmd.class,
-                DecryptCmd.class,
-                InlineDetachCmd.class,
-                EncryptCmd.class,
-                ExtractCertCmd.class,
-                GenerateKeyCmd.class,
-                SignCmd.class,
-                VerifyCmd.class,
-                InlineSignCmd.class,
-                InlineVerifyCmd.class,
-                VersionCmd.class,
-                AutoComplete.GenerateCompletion.class
-        }
-)
-public class SopCLI {
-    // Singleton
-    static SOP SOP_INSTANCE;
-    static ResourceBundle cliMsg = ResourceBundle.getBundle("sop");
-
-    public static String EXECUTABLE_NAME = "sop";
-
-    public static void main(String[] args) {
-        int exitCode = execute(args);
-        if (exitCode != 0) {
-            System.exit(exitCode);
-        }
-    }
-
-    public static int execute(String[] args) {
-
-        // Set locale
-        new CommandLine(new InitLocale()).parseArgs(args);
-
-        cliMsg = ResourceBundle.getBundle("sop");
-
-        // Prepare CLI
-        CommandLine cmd = new CommandLine(SopCLI.class);
-        // Hide generate-completion command
-        CommandLine gen = cmd.getSubcommands().get("generate-completion");
-        gen.getCommandSpec().usageMessage().hidden(true);
-
-        cmd.setCommandName(EXECUTABLE_NAME)
-                .setExecutionExceptionHandler(new SOPExecutionExceptionHandler())
-                .setExitCodeExceptionMapper(new SOPExceptionExitCodeMapper())
-                .setCaseInsensitiveEnumValuesAllowed(true);
-
-        return cmd.execute(args);
-    }
-
-    public static SOP getSop() {
-        if (SOP_INSTANCE == null) {
-            String errorMsg = cliMsg.getString("sop.error.runtime.no_backend_set");
-            throw new IllegalStateException(errorMsg);
-        }
-        return SOP_INSTANCE;
-    }
-
-    public static void setSopInstance(SOP instance) {
-        SOP_INSTANCE = instance;
-    }
-}
-
-/**
- * Control the locale.
- *
- * @see <a href="https://picocli.info/#_controlling_the_locale">Picocli Readme</a>
- */
-class InitLocale {
-    @CommandLine.Option(names = { "-l", "--locale" }, descriptionKey = "sop.locale")
-    void setLocale(String locale) {
-        Locale.setDefault(new Locale(locale));
-    }
-
-    @CommandLine.Unmatched
-    List<String> remainder; // ignore any other parameters and options in the first parsing phase
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/AbstractSopCmd.java

@@ -1,229 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import sop.exception.SOPGPException;
-import sop.util.UTCUtil;
-import sop.util.UTF8Util;
-
-import javax.annotation.Nonnull;
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.Collection;
-import java.util.Date;
-import java.util.Locale;
-import java.util.ResourceBundle;
-
-public abstract class AbstractSopCmd implements Runnable {
-
-    public interface EnvironmentVariableResolver {
-        /**
-         * Resolve the value of the given environment variable.
-         * Return null if the variable is not present.
-         *
-         * @param name name of the variable
-         * @return variable value or null
-         */
-        String resolveEnvironmentVariable(String name);
-    }
-
-    public static final String PRFX_ENV = "@ENV:";
-    public static final String PRFX_FD = "@FD:";
-    public static final Date BEGINNING_OF_TIME = new Date(0);
-    public static final Date END_OF_TIME = new Date(8640000000000000L);
-
-    protected final ResourceBundle messages;
-    protected EnvironmentVariableResolver envResolver = System::getenv;
-
-    public AbstractSopCmd() {
-        this(Locale.getDefault());
-    }
-
-    public AbstractSopCmd(@Nonnull Locale locale) {
-        messages = ResourceBundle.getBundle("sop", locale);
-    }
-
-    void throwIfOutputExists(String output) {
-        if (output == null) {
-            return;
-        }
-
-        File outputFile = new File(output);
-        if (outputFile.exists()) {
-            String errorMsg = getMsg("sop.error.indirect_data_type.output_file_already_exists", outputFile.getAbsolutePath());
-            throw new SOPGPException.OutputExists(errorMsg);
-        }
-    }
-
-    public String getMsg(String key) {
-        return messages.getString(key);
-    }
-
-    public String getMsg(String key, String arg1) {
-        return String.format(messages.getString(key), arg1);
-    }
-
-    public String getMsg(String key, String arg1, String arg2) {
-        return String.format(messages.getString(key), arg1, arg2);
-    }
-
-    void throwIfMissingArg(Object arg, String argName) {
-        if (arg == null) {
-            String errorMsg = getMsg("sop.error.usage.argument_required", argName);
-            throw new SOPGPException.MissingArg(errorMsg);
-        }
-    }
-
-    void throwIfEmptyParameters(Collection<?> arg, String parmName) {
-        if (arg.isEmpty()) {
-            String errorMsg = getMsg("sop.error.usage.parameter_required", parmName);
-            throw new SOPGPException.MissingArg(errorMsg);
-        }
-    }
-
-    <T> T throwIfUnsupportedSubcommand(T subcommand, String subcommandName) {
-        if (subcommand == null) {
-            String errorMsg = getMsg("sop.error.feature_support.subcommand_not_supported", subcommandName);
-            throw new SOPGPException.UnsupportedSubcommand(errorMsg);
-        }
-        return subcommand;
-    }
-
-    void setEnvironmentVariableResolver(EnvironmentVariableResolver envResolver) {
-        if (envResolver == null) {
-            throw new NullPointerException("Variable envResolver cannot be null.");
-        }
-        this.envResolver = envResolver;
-    }
-
-    public InputStream getInput(String indirectInput) throws IOException {
-        if (indirectInput == null) {
-            throw new IllegalArgumentException("Input cannot not be null.");
-        }
-
-        String trimmed = indirectInput.trim();
-        if (trimmed.isEmpty()) {
-            throw new IllegalArgumentException("Input cannot be blank.");
-        }
-
-        if (trimmed.startsWith(PRFX_ENV)) {
-            if (new File(trimmed).exists()) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.ambiguous_filename", trimmed);
-                throw new SOPGPException.AmbiguousInput(errorMsg);
-            }
-
-            String envName = trimmed.substring(PRFX_ENV.length());
-            String envValue = envResolver.resolveEnvironmentVariable(envName);
-            if (envValue == null) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.environment_variable_not_set", envName);
-                throw new IllegalArgumentException(errorMsg);
-            }
-
-            if (envValue.trim().isEmpty()) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.environment_variable_empty", envName);
-                throw new IllegalArgumentException(errorMsg);
-            }
-
-            return new ByteArrayInputStream(envValue.getBytes("UTF8"));
-
-        } else if (trimmed.startsWith(PRFX_FD)) {
-
-            if (new File(trimmed).exists()) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.ambiguous_filename", trimmed);
-                throw new SOPGPException.AmbiguousInput(errorMsg);
-            }
-
-            String errorMsg = getMsg("sop.error.indirect_data_type.designator_fd_not_supported");
-            throw new SOPGPException.UnsupportedSpecialPrefix(errorMsg);
-
-        } else {
-            File file = new File(trimmed);
-            if (!file.exists()) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.input_file_does_not_exist", file.getAbsolutePath());
-                throw new SOPGPException.MissingInput(errorMsg);
-            }
-
-            if (!file.isFile()) {
-                String errorMsg = getMsg("sop.error.indirect_data_type.input_not_a_file", file.getAbsolutePath());
-                throw new SOPGPException.MissingInput(errorMsg);
-            }
-
-            return new FileInputStream(file);
-        }
-    }
-
-    public OutputStream getOutput(String indirectOutput) throws IOException {
-        if (indirectOutput == null) {
-            throw new IllegalArgumentException("Output cannot be null.");
-        }
-
-        String trimmed = indirectOutput.trim();
-        if (trimmed.isEmpty()) {
-            throw new IllegalArgumentException("Output cannot be blank.");
-        }
-
-        // @ENV not allowed for output
-        if (trimmed.startsWith(PRFX_ENV)) {
-            String errorMsg = getMsg("sop.error.indirect_data_type.illegal_use_of_env_designator");
-            throw new SOPGPException.UnsupportedSpecialPrefix(errorMsg);
-        }
-
-        if (trimmed.startsWith(PRFX_FD)) {
-            String errorMsg = getMsg("sop.error.indirect_data_type.designator_fd_not_supported");
-            throw new SOPGPException.UnsupportedSpecialPrefix(errorMsg);
-        }
-
-        File file = new File(trimmed);
-        if (file.exists()) {
-            String errorMsg = getMsg("sop.error.indirect_data_type.output_file_already_exists", file.getAbsolutePath());
-            throw new SOPGPException.OutputExists(errorMsg);
-        }
-
-        if (!file.createNewFile()) {
-            String errorMsg = getMsg("sop.error.indirect_data_type.output_file_cannot_be_created", file.getAbsolutePath());
-            throw new IOException(errorMsg);
-        }
-
-        return new FileOutputStream(file);
-    }
-    public static String stringFromInputStream(InputStream inputStream) throws IOException {
-        try {
-            ByteArrayOutputStream byteOut = new ByteArrayOutputStream();
-            byte[] buf = new byte[4096]; int read;
-            while ((read = inputStream.read(buf)) != -1) {
-                byteOut.write(buf, 0, read);
-            }
-            // TODO: For decrypt operations we MUST accept non-UTF8 passwords
-            return UTF8Util.decodeUTF8(byteOut.toByteArray());
-        } finally {
-            inputStream.close();
-        }
-    }
-
-    public Date parseNotAfter(String notAfter) {
-        Date date = notAfter.equals("now") ? new Date() : notAfter.equals("-") ? END_OF_TIME : UTCUtil.parseUTCDate(notAfter);
-        if (date == null) {
-            String errorMsg = getMsg("sop.error.input.malformed_not_after");
-            throw new IllegalArgumentException(errorMsg);
-        }
-        return date;
-    }
-
-    public Date parseNotBefore(String notBefore) {
-        Date date = notBefore.equals("now") ? new Date() : notBefore.equals("-") ? BEGINNING_OF_TIME : UTCUtil.parseUTCDate(notBefore);
-        if (date == null) {
-            String errorMsg = getMsg("sop.error.input.malformed_not_before");
-            throw new IllegalArgumentException(errorMsg);
-        }
-        return date;
-    }
-
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/ArmorCmd.java

@@ -1,51 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.enums.ArmorLabel;
-import sop.exception.SOPGPException;
-import sop.operation.Armor;
-
-import java.io.IOException;
-
-@CommandLine.Command(name = "armor",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class ArmorCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = {"--label"},
-            descriptionKey = "sop.armor.usage.option.label",
-            paramLabel = "{auto|sig|key|cert|message}")
-    ArmorLabel label;
-
-    @Override
-    public void run() {
-        Armor armor = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().armor(),
-        "armor");
-
-        if (label != null) {
-            try {
-                armor.label(label);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--label");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        try {
-            Ready ready = armor.data(System.in);
-            ready.writeTo(System.out);
-        } catch (SOPGPException.BadData badData) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_openpgp_data");
-            throw new SOPGPException.BadData(errorMsg, badData);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/DearmorCmd.java

@@ -1,34 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Dearmor;
-
-import java.io.IOException;
-
-@CommandLine.Command(name = "dearmor",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class DearmorCmd extends AbstractSopCmd {
-
-    @Override
-    public void run() {
-        Dearmor dearmor = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().dearmor(), "dearmor");
-
-        try {
-            dearmor.data(System.in)
-                    .writeTo(System.out);
-        } catch (SOPGPException.BadData e) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_openpgp_data");
-            throw new SOPGPException.BadData(errorMsg, e);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/DecryptCmd.java

@@ -1,256 +0,0 @@
-// SPDX-FileCopyrightText: 2020 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.DecryptionResult;
-import sop.ReadyWithResult;
-import sop.SessionKey;
-import sop.Verification;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.Decrypt;
-import sop.util.HexUtil;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.util.ArrayList;
-import java.util.Date;
-import java.util.List;
-import java.util.regex.Pattern;
-
-@CommandLine.Command(name = "decrypt",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class DecryptCmd extends AbstractSopCmd {
-
-    private static final String OPT_WITH_SESSION_KEY = "--with-session-key";
-    private static final String OPT_WITH_PASSWORD = "--with-password";
-    private static final String OPT_NOT_BEFORE = "--not-before";
-    private static final String OPT_NOT_AFTER = "--not-after";
-    private static final String OPT_SESSION_KEY_OUT = "--session-key-out";
-    private static final String OPT_VERIFY_OUT = "--verify-out";
-    private static final String OPT_VERIFY_WITH = "--verify-with";
-    private static final String OPT_WITH_KEY_PASSWORD = "--with-key-password";
-
-
-    @CommandLine.Option(
-            names = {OPT_SESSION_KEY_OUT},
-            descriptionKey = "sop.decrypt.usage.option.session_key_out",
-            paramLabel = "SESSIONKEY")
-    String sessionKeyOut;
-
-    @CommandLine.Option(
-            names = {OPT_WITH_SESSION_KEY},
-            descriptionKey = "sop.decrypt.usage.option.with_session_key",
-            paramLabel = "SESSIONKEY")
-    List<String> withSessionKey = new ArrayList<>();
-
-    @CommandLine.Option(
-            names = {OPT_WITH_PASSWORD},
-            descriptionKey = "sop.decrypt.usage.option.with_password",
-            paramLabel = "PASSWORD")
-    List<String> withPassword = new ArrayList<>();
-
-    @CommandLine.Option(names = {OPT_VERIFY_OUT},
-            descriptionKey = "sop.decrypt.usage.option.verify_out",
-            paramLabel = "VERIFICATIONS")
-    String verifyOut;
-
-    @CommandLine.Option(names = {OPT_VERIFY_WITH},
-            descriptionKey = "sop.decrypt.usage.option.certs",
-            paramLabel = "CERT")
-    List<String> certs = new ArrayList<>();
-
-    @CommandLine.Option(names = {OPT_NOT_BEFORE},
-            descriptionKey = "sop.decrypt.usage.option.not_before",
-            paramLabel = "DATE")
-    String notBefore = "-";
-
-    @CommandLine.Option(names = {OPT_NOT_AFTER},
-            descriptionKey = "sop.decrypt.usage.option.not_after",
-            paramLabel = "DATE")
-    String notAfter = "now";
-
-    @CommandLine.Parameters(index = "0..*",
-            descriptionKey = "sop.decrypt.usage.param.keys",
-            paramLabel = "KEY")
-    List<String> keys = new ArrayList<>();
-
-    @CommandLine.Option(names = {OPT_WITH_KEY_PASSWORD},
-    descriptionKey = "sop.decrypt.usage.option.with_key_password",
-    paramLabel = "PASSWORD")
-    List<String> withKeyPassword = new ArrayList<>();
-
-    @Override
-    public void run() {
-        Decrypt decrypt = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().decrypt(), "decrypt");
-
-        throwIfOutputExists(verifyOut);
-        throwIfOutputExists(sessionKeyOut);
-
-        setNotAfter(notAfter, decrypt);
-        setNotBefore(notBefore, decrypt);
-        setWithPasswords(withPassword, decrypt);
-        setWithSessionKeys(withSessionKey, decrypt);
-        setWithKeyPassword(withKeyPassword, decrypt);
-        setVerifyWith(certs, decrypt);
-        setDecryptWith(keys, decrypt);
-
-        if (verifyOut != null && certs.isEmpty()) {
-            String errorMsg = getMsg("sop.error.usage.option_requires_other_option", OPT_VERIFY_OUT, OPT_VERIFY_WITH);
-            throw new SOPGPException.IncompleteVerification(errorMsg);
-        }
-
-        try {
-            ReadyWithResult<DecryptionResult> ready = decrypt.ciphertext(System.in);
-            DecryptionResult result = ready.writeTo(System.out);
-            writeSessionKeyOut(result);
-            writeVerifyOut(result);
-        } catch (SOPGPException.BadData badData) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_a_message");
-            throw new SOPGPException.BadData(errorMsg, badData);
-        } catch (IOException ioException) {
-            throw new RuntimeException(ioException);
-        }
-    }
-
-    private void writeVerifyOut(DecryptionResult result) throws IOException {
-        if (verifyOut != null) {
-            try (OutputStream fileOut = getOutput(verifyOut)) {
-                PrintWriter writer = new PrintWriter(fileOut);
-                for (Verification verification : result.getVerifications()) {
-                    // CHECKSTYLE:OFF
-                    writer.println(verification.toString());
-                    // CHECKSTYLE:ON
-                }
-                writer.flush();
-            }
-        }
-    }
-
-    private void writeSessionKeyOut(DecryptionResult result) throws IOException {
-        if (sessionKeyOut != null) {
-            try (OutputStream outputStream = getOutput(sessionKeyOut)) {
-                if (!result.getSessionKey().isPresent()) {
-                    String errorMsg = getMsg("sop.error.runtime.no_session_key_extracted");
-                    throw new SOPGPException.UnsupportedOption(String.format(errorMsg, OPT_SESSION_KEY_OUT));
-                } else {
-                    SessionKey sessionKey = result.getSessionKey().get();
-                    outputStream.write(sessionKey.getAlgorithm());
-                    outputStream.write(sessionKey.getKey());
-                }
-            }
-        }
-    }
-
-    private void setDecryptWith(List<String> keys, Decrypt decrypt) {
-        for (String key : keys) {
-            try (InputStream keyIn = getInput(key)) {
-                decrypt.withKey(keyIn);
-            } catch (SOPGPException.KeyIsProtected keyIsProtected) {
-                String errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", key);
-                throw new SOPGPException.KeyIsProtected(errorMsg, keyIsProtected);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_private_key", key);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-    }
-
-    private void setVerifyWith(List<String> certs, Decrypt decrypt) {
-        for (String cert : certs) {
-            try (InputStream certIn = getInput(cert)) {
-                decrypt.verifyWithCert(certIn);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_certificate", cert);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            } catch (IOException ioException) {
-                throw new RuntimeException(ioException);
-            }
-        }
-    }
-
-    private void setWithSessionKeys(List<String> withSessionKey, Decrypt decrypt) {
-        Pattern sessionKeyPattern = Pattern.compile("^\\d+:[0-9A-F]+$");
-        for (String sessionKeyFile : withSessionKey) {
-            String sessionKey;
-            try {
-                sessionKey = stringFromInputStream(getInput(sessionKeyFile));
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-            if (!sessionKeyPattern.matcher(sessionKey).matches()) {
-                String errorMsg = getMsg("sop.error.input.malformed_session_key");
-                throw new IllegalArgumentException(errorMsg);
-            }
-            String[] split = sessionKey.split(":");
-            byte algorithm = (byte) Integer.parseInt(split[0]);
-            byte[] key = HexUtil.hexToBytes(split[1]);
-
-            try {
-                decrypt.withSessionKey(new SessionKey(algorithm, key));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_SESSION_KEY);
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-    }
-
-    private void setWithPasswords(List<String> withPassword, Decrypt decrypt) {
-        for (String passwordFile : withPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFile));
-                decrypt.withPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_PASSWORD);
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-    }
-
-    private void setWithKeyPassword(List<String> withKeyPassword, Decrypt decrypt) {
-        for (String passwordFile : withKeyPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFile));
-                decrypt.withKeyPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_KEY_PASSWORD);
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-    }
-
-    private void setNotAfter(String notAfter, Decrypt decrypt) {
-        Date notAfterDate = parseNotAfter(notAfter);
-        try {
-            decrypt.verifyNotAfter(notAfterDate);
-        } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-            String errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_NOT_AFTER);
-            throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-        }
-    }
-
-    private void setNotBefore(String notBefore, Decrypt decrypt) {
-        Date notBeforeDate = parseNotBefore(notBefore);
-        try {
-            decrypt.verifyNotBefore(notBeforeDate);
-        } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-            String errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_NOT_BEFORE);
-            throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/EncryptCmd.java

@@ -1,147 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.enums.EncryptAs;
-import sop.exception.SOPGPException;
-import sop.operation.Encrypt;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "encrypt",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class EncryptCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.encrypt.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Option(names = {"--as"},
-            descriptionKey = "sop.encrypt.usage.option.type",
-            paramLabel = "{binary|text}")
-    EncryptAs type;
-
-    @CommandLine.Option(names = "--with-password",
-            descriptionKey = "sop.encrypt.usage.option.with_password",
-            paramLabel = "PASSWORD")
-    List<String> withPassword = new ArrayList<>();
-
-    @CommandLine.Option(names = "--sign-with",
-            descriptionKey = "sop.encrypt.usage.option.sign_with",
-            paramLabel = "KEY")
-    List<String> signWith = new ArrayList<>();
-
-    @CommandLine.Option(names = "--with-key-password",
-            descriptionKey = "sop.encrypt.usage.option.with_key_password",
-            paramLabel = "PASSWORD")
-    List<String> withKeyPassword = new ArrayList<>();
-
-    @CommandLine.Parameters(descriptionKey = "sop.encrypt.usage.param.certs",
-            index = "0..*",
-            paramLabel = "CERTS")
-    List<String> certs = new ArrayList<>();
-
-    @Override
-    public void run() {
-        Encrypt encrypt = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().encrypt(), "encrypt");
-
-        if (type != null) {
-            try {
-                encrypt.mode(type);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--as");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        if (withPassword.isEmpty() && certs.isEmpty()) {
-            String errorMsg = getMsg("sop.error.usage.password_or_cert_required");
-            throw new SOPGPException.MissingArg(errorMsg);
-        }
-
-        for (String passwordFileName : withPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFileName));
-                encrypt.withPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--with-password");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
-        for (String passwordFileName : withKeyPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFileName));
-                encrypt.withKeyPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--with-key-password");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
-        for (String keyInput : signWith) {
-            try (InputStream keyIn = getInput(keyInput)) {
-                encrypt.signWith(keyIn);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.KeyIsProtected keyIsProtected) {
-                String errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyInput);
-                throw new SOPGPException.KeyIsProtected(errorMsg, keyIsProtected);
-            } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-                String errorMsg = getMsg("sop.error.runtime.key_uses_unsupported_asymmetric_algorithm", keyInput);
-                throw new SOPGPException.UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.KeyCannotSign keyCannotSign) {
-                String errorMsg = getMsg("sop.error.runtime.key_cannot_sign", keyInput);
-                throw new SOPGPException.KeyCannotSign(errorMsg, keyCannotSign);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        for (String certInput : certs) {
-            try (InputStream certIn = getInput(certInput)) {
-                encrypt.withCert(certIn);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-                String errorMsg = getMsg("sop.error.runtime.cert_uses_unsupported_asymmetric_algorithm", certInput);
-                throw new SOPGPException.UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.CertCannotEncrypt certCannotEncrypt) {
-                String errorMsg = getMsg("sop.error.runtime.cert_cannot_encrypt", certInput);
-                throw new SOPGPException.CertCannotEncrypt(errorMsg, certCannotEncrypt);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_certificate", certInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        if (!armor) {
-            encrypt.noArmor();
-        }
-
-        try {
-            Ready ready = encrypt.plaintext(System.in);
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/ExtractCertCmd.java

@@ -1,44 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import java.io.IOException;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.ExtractCert;
-
-@CommandLine.Command(name = "extract-cert",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class ExtractCertCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.extract-cert.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @Override
-    public void run() {
-        ExtractCert extractCert = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().extractCert(), "extract-cert");
-
-        if (!armor) {
-            extractCert.noArmor();
-        }
-
-        try {
-            Ready ready = extractCert.key(System.in);
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        } catch (SOPGPException.BadData badData) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_a_private_key");
-            throw new SOPGPException.BadData(errorMsg, badData);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/GenerateKeyCmd.java

@@ -1,67 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.GenerateKey;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "generate-key",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class GenerateKeyCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.generate-key.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Parameters(descriptionKey = "sop.generate-key.usage.option.user_id")
-    List<String> userId = new ArrayList<>();
-
-    @CommandLine.Option(names = "--with-key-password",
-            descriptionKey = "sop.generate-key.usage.option.with_key_password",
-            paramLabel = "PASSWORD")
-    String withKeyPassword;
-
-    @Override
-    public void run() {
-        GenerateKey generateKey = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().generateKey(), "generate-key");
-
-        for (String userId : userId) {
-            generateKey.userId(userId);
-        }
-
-        if (!armor) {
-            generateKey.noArmor();
-        }
-
-        if (withKeyPassword != null) {
-            try {
-                String password = stringFromInputStream(getInput(withKeyPassword));
-                generateKey.withKeyPassword(password);
-            } catch (SOPGPException.UnsupportedOption e) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--with-key-password");
-                throw new SOPGPException.UnsupportedOption(errorMsg, e);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
-        try {
-            Ready ready = generateKey.generate();
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/InlineDetachCmd.java

@@ -1,52 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Signatures;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.InlineDetach;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-@CommandLine.Command(name = "inline-detach",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
-public class InlineDetachCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(
-            names = {"--signatures-out"},
-            descriptionKey = "sop.inline-detach.usage.option.signatures_out",
-            paramLabel = "SIGNATURES")
-    String signaturesOut;
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.inline-detach.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @Override
-    public void run() {
-        InlineDetach inlineDetach = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().inlineDetach(), "inline-detach");
-
-        throwIfOutputExists(signaturesOut);
-        throwIfMissingArg(signaturesOut, "--signatures-out");
-
-        if (!armor) {
-            inlineDetach.noArmor();
-        }
-
-        try (OutputStream outputStream = getOutput(signaturesOut)) {
-            Signatures signatures = inlineDetach
-                    .message(System.in).writeTo(System.out);
-            signatures.writeTo(outputStream);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/InlineSignCmd.java

@@ -1,99 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Ready;
-import sop.cli.picocli.SopCLI;
-import sop.enums.InlineSignAs;
-import sop.exception.SOPGPException;
-import sop.operation.InlineSign;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "inline-sign",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class InlineSignCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.inline-sign.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Option(names = "--as",
-            descriptionKey = "sop.inline-sign.usage.option.as",
-            paramLabel = "{binary|text|cleartextsigned}")
-    InlineSignAs type;
-
-    @CommandLine.Parameters(descriptionKey = "sop.inline-sign.usage.parameter.keys",
-            paramLabel = "KEYS")
-    List<String> secretKeyFile = new ArrayList<>();
-
-    @CommandLine.Option(names = "--with-key-password",
-            descriptionKey = "sop.inline-sign.usage.option.with_key_password",
-            paramLabel = "PASSWORD")
-    List<String> withKeyPassword = new ArrayList<>();
-
-    @Override
-    public void run() {
-        InlineSign inlineSign = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().inlineSign(), "inline-sign");
-
-        if (type != null) {
-            try {
-                inlineSign.mode(type);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--as");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        if (secretKeyFile.isEmpty()) {
-            String errorMsg = getMsg("sop.error.usage.parameter_required", "KEYS");
-            throw new SOPGPException.MissingArg(errorMsg);
-        }
-
-        for (String passwordFile : withKeyPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFile));
-                inlineSign.withKeyPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--with-key-password");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
-        for (String keyInput : secretKeyFile) {
-            try (InputStream keyIn = getInput(keyInput)) {
-                inlineSign.key(keyIn);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.KeyIsProtected e) {
-                String errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyInput);
-                throw new SOPGPException.KeyIsProtected(errorMsg, e);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        if (!armor) {
-            inlineSign.noArmor();
-        }
-
-        try {
-            Ready ready = inlineSign.data(System.in);
-            ready.writeTo(System.out);
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/InlineVerifyCmd.java

@@ -1,110 +0,0 @@
-// SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.ReadyWithResult;
-import sop.Verification;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.InlineVerify;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "inline-verify",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class InlineVerifyCmd extends AbstractSopCmd {
-
-    @CommandLine.Parameters(arity = "1..*",
-            descriptionKey = "sop.inline-verify.usage.parameter.certs",
-            paramLabel = "CERT")
-    List<String> certificates = new ArrayList<>();
-
-    @CommandLine.Option(names = {"--not-before"},
-            descriptionKey = "sop.inline-verify.usage.option.not_before",
-            paramLabel = "DATE")
-    String notBefore = "-";
-
-    @CommandLine.Option(names = {"--not-after"},
-            descriptionKey = "sop.inline-verify.usage.option.not_after",
-            paramLabel = "DATE")
-    String notAfter = "now";
-
-    @CommandLine.Option(names = "--verifications-out",
-            descriptionKey = "sop.inline-verify.usage.option.verifications_out")
-    String verificationsOut;
-
-    @Override
-    public void run() {
-        InlineVerify inlineVerify = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().inlineVerify(), "inline-verify");
-
-        throwIfOutputExists(verificationsOut);
-
-        if (notAfter != null) {
-            try {
-                inlineVerify.notAfter(parseNotAfter(notAfter));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-after");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-        if (notBefore != null) {
-            try {
-                inlineVerify.notBefore(parseNotBefore(notBefore));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-before");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        for (String certInput : certificates) {
-            try (InputStream certIn = getInput(certInput)) {
-                inlineVerify.cert(certIn);
-            } catch (IOException ioException) {
-                throw new RuntimeException(ioException);
-            } catch (SOPGPException.UnsupportedAsymmetricAlgo unsupportedAsymmetricAlgo) {
-                String errorMsg = getMsg("sop.error.runtime.cert_uses_unsupported_asymmetric_algorithm", certInput);
-                throw new SOPGPException.UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_certificate", certInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        List<Verification> verifications = null;
-        try {
-            ReadyWithResult<List<Verification>> ready = inlineVerify.data(System.in);
-            verifications = ready.writeTo(System.out);
-        } catch (SOPGPException.NoSignature e) {
-            String errorMsg = getMsg("sop.error.runtime.no_verifiable_signature_found");
-            throw new SOPGPException.NoSignature(errorMsg, e);
-        } catch (IOException ioException) {
-            throw new RuntimeException(ioException);
-        } catch (SOPGPException.BadData badData) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_a_message");
-            throw new SOPGPException.BadData(errorMsg, badData);
-        }
-
-        if (verificationsOut != null) {
-            try (OutputStream outputStream = getOutput(verificationsOut)) {
-                PrintWriter pw = new PrintWriter(outputStream);
-                for (Verification verification : verifications) {
-                    // CHECKSTYLE:OFF
-                    pw.println(verification);
-                    // CHECKSTYLE:ON
-                }
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/SignCmd.java

@@ -1,113 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.MicAlg;
-import sop.ReadyWithResult;
-import sop.SigningResult;
-import sop.cli.picocli.SopCLI;
-import sop.enums.SignAs;
-import sop.exception.SOPGPException;
-import sop.operation.DetachedSign;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "sign",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class SignCmd extends AbstractSopCmd {
-
-    @CommandLine.Option(names = "--no-armor",
-            descriptionKey = "sop.sign.usage.option.armor",
-            negatable = true)
-    boolean armor = true;
-
-    @CommandLine.Option(names = "--as",
-            descriptionKey = "sop.sign.usage.option.as",
-            paramLabel = "{binary|text}")
-    SignAs type;
-
-    @CommandLine.Parameters(descriptionKey = "sop.sign.usage.parameter.keys",
-            paramLabel = "KEYS")
-    List<String> secretKeyFile = new ArrayList<>();
-
-    @CommandLine.Option(names = "--with-key-password",
-            descriptionKey = "sop.sign.usage.option.with_key_password",
-            paramLabel = "PASSWORD")
-    List<String> withKeyPassword = new ArrayList<>();
-
-    @CommandLine.Option(names = "--micalg-out",
-            descriptionKey = "sop.sign.usage.option.micalg_out",
-            paramLabel = "MICALG")
-    String micAlgOut;
-
-    @Override
-    public void run() {
-        DetachedSign detachedSign = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().detachedSign(), "sign");
-
-        throwIfOutputExists(micAlgOut);
-        throwIfEmptyParameters(secretKeyFile, "KEYS");
-
-        if (type != null) {
-            try {
-                detachedSign.mode(type);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--as");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        for (String passwordFile : withKeyPassword) {
-            try {
-                String password = stringFromInputStream(getInput(passwordFile));
-                detachedSign.withKeyPassword(password);
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--with-key-password");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            }
-        }
-
-        for (String keyInput : secretKeyFile) {
-            try (InputStream keyIn = getInput(keyInput)) {
-                detachedSign.key(keyIn);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.KeyIsProtected keyIsProtected) {
-                String errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyInput);
-                throw new SOPGPException.KeyIsProtected(errorMsg, keyIsProtected);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        if (!armor) {
-            detachedSign.noArmor();
-        }
-
-        try {
-            ReadyWithResult<SigningResult> ready = detachedSign.data(System.in);
-            SigningResult result = ready.writeTo(System.out);
-
-            MicAlg micAlg = result.getMicAlg();
-            if (micAlgOut != null) {
-                // Write micalg out
-                OutputStream outputStream = getOutput(micAlgOut);
-                micAlg.writeTo(outputStream);
-                outputStream.close();
-            }
-        } catch (IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/VerifyCmd.java

@@ -1,106 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.Verification;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.exception.SOPGPException;
-import sop.operation.DetachedVerify;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.util.ArrayList;
-import java.util.List;
-
-@CommandLine.Command(name = "verify",
-        resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class VerifyCmd extends AbstractSopCmd {
-
-    @CommandLine.Parameters(index = "0",
-            descriptionKey = "sop.verify.usage.parameter.signature",
-            paramLabel = "SIGNATURE")
-    String signature;
-
-    @CommandLine.Parameters(index = "0..*",
-            arity = "1..*",
-            descriptionKey = "sop.verify.usage.parameter.certs",
-            paramLabel = "CERT")
-    List<String> certificates = new ArrayList<>();
-
-    @CommandLine.Option(names = {"--not-before"},
-            descriptionKey = "sop.verify.usage.option.not_before",
-            paramLabel = "DATE")
-    String notBefore = "-";
-
-    @CommandLine.Option(names = {"--not-after"},
-            descriptionKey = "sop.verify.usage.option.not_after",
-            paramLabel = "DATE")
-    String notAfter = "now";
-
-    @Override
-    public void run() {
-        DetachedVerify detachedVerify = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().detachedVerify(), "verify");
-
-        if (notAfter != null) {
-            try {
-                detachedVerify.notAfter(parseNotAfter(notAfter));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-after");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-        if (notBefore != null) {
-            try {
-                detachedVerify.notBefore(parseNotBefore(notBefore));
-            } catch (SOPGPException.UnsupportedOption unsupportedOption) {
-                String errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-before");
-                throw new SOPGPException.UnsupportedOption(errorMsg, unsupportedOption);
-            }
-        }
-
-        for (String certInput : certificates) {
-            try (InputStream certIn = getInput(certInput)) {
-                detachedVerify.cert(certIn);
-            } catch (IOException ioException) {
-                throw new RuntimeException(ioException);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_certificate", certInput);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        if (signature != null) {
-            try (InputStream sigIn = getInput(signature)) {
-                detachedVerify.signatures(sigIn);
-            } catch (IOException e) {
-                throw new RuntimeException(e);
-            } catch (SOPGPException.BadData badData) {
-                String errorMsg = getMsg("sop.error.input.not_a_signature", signature);
-                throw new SOPGPException.BadData(errorMsg, badData);
-            }
-        }
-
-        List<Verification> verifications;
-        try {
-            verifications = detachedVerify.data(System.in);
-        } catch (SOPGPException.NoSignature e) {
-            String errorMsg = getMsg("sop.error.runtime.no_verifiable_signature_found");
-            throw new SOPGPException.NoSignature(errorMsg, e);
-        } catch (IOException ioException) {
-            throw new RuntimeException(ioException);
-        } catch (SOPGPException.BadData badData) {
-            String errorMsg = getMsg("sop.error.input.stdin_not_a_message");
-            throw new SOPGPException.BadData(errorMsg, badData);
-        }
-
-        for (Verification verification : verifications) {
-            Print.outln(verification.toString());
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/VersionCmd.java

@@ -1,51 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-package sop.cli.picocli.commands;
-
-import picocli.CommandLine;
-import sop.cli.picocli.Print;
-import sop.cli.picocli.SopCLI;
-import sop.operation.Version;
-
-@CommandLine.Command(name = "version", resourceBundle = "sop",
-        exitCodeOnInvalidInput = 37)
-public class VersionCmd extends AbstractSopCmd {
-
-    @CommandLine.ArgGroup()
-    Exclusive exclusive;
-
-    static class Exclusive {
-        @CommandLine.Option(names = "--extended",
-                descriptionKey = "sop.version.usage.option.extended")
-        boolean extended;
-
-        @CommandLine.Option(names = "--backend",
-                descriptionKey = "sop.version.usage.option.backend")
-        boolean backend;
-    }
-
-
-
-    @Override
-    public void run() {
-        Version version = throwIfUnsupportedSubcommand(
-                SopCLI.getSop().version(), "version");
-
-        if (exclusive == null) {
-            Print.outln(version.getName() + " " + version.getVersion());
-            return;
-        }
-
-        if (exclusive.extended) {
-            Print.outln(version.getExtendedVersion());
-            return;
-        }
-
-        if (exclusive.backend) {
-            Print.outln(version.getBackendVersion());
-            return;
-        }
-    }
-}

sop-java-picocli/src/main/java/sop/cli/picocli/commands/package-info.java

@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Subcommands of the PGPainless SOP.
- */
-package sop.cli.picocli.commands;

sop-java-picocli/src/main/java/sop/cli/picocli/package-info.java

@@ -1,8 +0,0 @@
-// SPDX-FileCopyrightText: 2021 Paul Schaub <vanitasvitae@fsfe.org>
-//
-// SPDX-License-Identifier: Apache-2.0
-
-/**
- * Implementation of the Stateless OpenPGP Command Line Interface using Picocli.
- */
-package sop.cli.picocli;

sop-java-picocli/src/main/kotlin/sop/cli/picocli/SOPExceptionExitCodeMapper.kt

@@ -0,0 +1,33 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli
+
+import picocli.CommandLine.*
+import sop.exception.SOPGPException
+
+class SOPExceptionExitCodeMapper : IExitCodeExceptionMapper {
+
+    override fun getExitCode(exception: Throwable): Int =
+        if (exception is SOPGPException) {
+            // SOPGPExceptions have well-defined exit code
+            exception.getExitCode()
+        } else if (exception is UnmatchedArgumentException) {
+            if (exception.isUnknownOption) {
+                // Unmatched option of subcommand (e.g. `generate-key --unknown`)
+                SOPGPException.UnsupportedOption.EXIT_CODE
+            } else {
+                // Unmatched subcommand
+                SOPGPException.UnsupportedSubcommand.EXIT_CODE
+            }
+        } else if (exception is MissingParameterException) {
+            SOPGPException.MissingArg.EXIT_CODE
+        } else if (exception is ParameterException) {
+            // Invalid option (e.g. `--as invalid`)
+            SOPGPException.UnsupportedOption.EXIT_CODE
+        } else {
+            // Others, like IOException etc.
+            1
+        }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/SOPExecutionExceptionHandler.kt

@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli
+
+import picocli.CommandLine
+import picocli.CommandLine.IExecutionExceptionHandler
+
+class SOPExecutionExceptionHandler : IExecutionExceptionHandler {
+    override fun handleExecutionException(
+        ex: Exception,
+        commandLine: CommandLine,
+        parseResult: CommandLine.ParseResult
+    ): Int {
+        val exitCode =
+            if (commandLine.exitCodeExceptionMapper != null)
+                commandLine.exitCodeExceptionMapper.getExitCode(ex)
+            else commandLine.commandSpec.exitCodeOnExecutionException()
+
+        val colorScheme = commandLine.colorScheme
+        if (ex.message != null) {
+            commandLine.getErr().println(colorScheme.errorText(ex.message))
+        } else {
+            commandLine.getErr().println(ex.javaClass.getName())
+        }
+
+        if (SopCLI.stacktrace) {
+            ex.printStackTrace(commandLine.getErr())
+        }
+
+        return exitCode
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/SopCLI.kt

@@ -0,0 +1,121 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli
+
+import java.util.*
+import kotlin.system.exitProcess
+import picocli.AutoComplete.GenerateCompletion
+import picocli.CommandLine
+import picocli.CommandLine.*
+import sop.SOP
+import sop.cli.picocli.commands.*
+import sop.exception.SOPGPException
+
+@Command(
+    name = "sop",
+    resourceBundle = "msg_sop",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedSubcommand.EXIT_CODE,
+    subcommands =
+        [
+            // Meta subcommands
+            VersionCmd::class,
+            ListProfilesCmd::class,
+            // Key and certificate management
+            GenerateKeyCmd::class,
+            ChangeKeyPasswordCmd::class,
+            RevokeKeyCmd::class,
+            ExtractCertCmd::class,
+            UpdateKeyCmd::class,
+            MergeCertsCmd::class,
+            CertifyUserIdCmd::class,
+            ValidateUserIdCmd::class,
+            // Messaging subcommands
+            SignCmd::class,
+            VerifyCmd::class,
+            EncryptCmd::class,
+            DecryptCmd::class,
+            InlineDetachCmd::class,
+            InlineSignCmd::class,
+            InlineVerifyCmd::class,
+            // Transport
+            ArmorCmd::class,
+            DearmorCmd::class,
+            // misc
+            HelpCommand::class,
+            GenerateCompletion::class])
+class SopCLI {
+
+    companion object {
+        @JvmStatic private var sopInstance: SOP? = null
+
+        @JvmStatic
+        fun getSop(): SOP =
+            checkNotNull(sopInstance) { cliMsg.getString("sop.error.runtime.no_backend_set") }
+
+        @JvmStatic
+        fun setSopInstance(sop: SOP?) {
+            sopInstance = sop
+        }
+
+        @JvmField var cliMsg: ResourceBundle = ResourceBundle.getBundle("msg_sop")
+
+        @JvmField var EXECUTABLE_NAME = "sop"
+
+        @JvmField
+        @Option(names = ["--stacktrace", "--debug"], scope = ScopeType.INHERIT)
+        var stacktrace = false
+
+        @JvmStatic
+        fun main(vararg args: String) {
+            val exitCode = execute(*args)
+            if (exitCode != 0) {
+                exitProcess(exitCode)
+            }
+        }
+
+        @JvmStatic
+        fun execute(vararg args: String): Int {
+            // Set locale
+            CommandLine(InitLocale()).setUnmatchedArgumentsAllowed(true).parseArgs(*args)
+
+            // Re-set bundle with updated locale
+            cliMsg = ResourceBundle.getBundle("msg_sop")
+
+            return CommandLine(SopCLI::class.java)
+                .apply {
+                    // Hide generate-completion command
+                    subcommands["generate-completion"]?.commandSpec?.usageMessage()?.hidden(true)
+                    // render Input/Output sections in help command
+                    subcommands.values
+                        .filter {
+                            (it.getCommand() as Any) is AbstractSopCmd
+                        } // Only for AbstractSopCmd objects
+                        .forEach { (it.getCommand() as AbstractSopCmd).installIORenderer(it) }
+                    // overwrite executable name
+                    commandName = EXECUTABLE_NAME
+                    // setup exception handling
+                    executionExceptionHandler = SOPExecutionExceptionHandler()
+                    exitCodeExceptionMapper = SOPExceptionExitCodeMapper()
+                    isCaseInsensitiveEnumValuesAllowed = true
+                }
+                .execute(*args)
+        }
+    }
+
+    /**
+     * Control the locale.
+     *
+     * @see <a href="https://picocli.info/#_controlling_the_locale">Picocli Readme</a>
+     */
+    @Command
+    class InitLocale {
+        @Option(names = ["-l", "--locale"], descriptionKey = "sop.locale")
+        fun setLocale(locale: String) = Locale.setDefault(Locale(locale))
+
+        @Unmatched
+        var remainder: MutableList<String> =
+            mutableListOf() // ignore any other parameters and options in the first parsing phase
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/SopVCLI.kt

@@ -0,0 +1,99 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli
+
+import java.util.*
+import kotlin.system.exitProcess
+import picocli.AutoComplete
+import picocli.CommandLine
+import sop.SOPV
+import sop.cli.picocli.commands.*
+import sop.exception.SOPGPException
+
+@CommandLine.Command(
+    name = "sopv",
+    resourceBundle = "msg_sop",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedSubcommand.EXIT_CODE,
+    subcommands =
+        [
+            // Meta subcommands
+            VersionCmd::class,
+            // signature verification subcommands
+            VerifyCmd::class,
+            InlineVerifyCmd::class,
+            // misc
+            CommandLine.HelpCommand::class,
+            AutoComplete.GenerateCompletion::class])
+class SopVCLI {
+
+    companion object {
+        @JvmStatic private var sopvInstance: SOPV? = null
+
+        @JvmStatic
+        fun getSopV(): SOPV =
+            checkNotNull(sopvInstance) { cliMsg.getString("sop.error.runtime.no_backend_set") }
+
+        @JvmStatic
+        fun setSopVInstance(sopv: SOPV?) {
+            sopvInstance = sopv
+        }
+
+        @JvmField var cliMsg: ResourceBundle = ResourceBundle.getBundle("msg_sop")
+
+        @JvmField var EXECUTABLE_NAME = "sopv"
+
+        @JvmField
+        @CommandLine.Option(
+            names = ["--stacktrace", "--debug"], scope = CommandLine.ScopeType.INHERIT)
+        var stacktrace = false
+
+        @JvmStatic
+        fun main(vararg args: String) {
+            val exitCode = execute(*args)
+            if (exitCode != 0) {
+                exitProcess(exitCode)
+            }
+        }
+
+        @JvmStatic
+        fun execute(vararg args: String): Int {
+            // Set locale
+            CommandLine(InitLocale()).parseArgs(*args)
+
+            // Re-set bundle with updated locale
+            cliMsg = ResourceBundle.getBundle("msg_sop")
+
+            return CommandLine(SopVCLI::class.java)
+                .apply {
+                    // explicitly set help command resource bundle
+                    subcommands["help"]?.setResourceBundle(ResourceBundle.getBundle("msg_help"))
+                    // Hide generate-completion command
+                    subcommands["generate-completion"]?.commandSpec?.usageMessage()?.hidden(true)
+                    // overwrite executable name
+                    commandName = EXECUTABLE_NAME
+                    // setup exception handling
+                    executionExceptionHandler = SOPExecutionExceptionHandler()
+                    exitCodeExceptionMapper = SOPExceptionExitCodeMapper()
+                    isCaseInsensitiveEnumValuesAllowed = true
+                }
+                .execute(*args)
+        }
+    }
+
+    /**
+     * Control the locale.
+     *
+     * @see <a href="https://picocli.info/#_controlling_the_locale">Picocli Readme</a>
+     */
+    @CommandLine.Command
+    class InitLocale {
+        @CommandLine.Option(names = ["-l", "--locale"], descriptionKey = "sop.locale")
+        fun setLocale(locale: String) = Locale.setDefault(Locale(locale))
+
+        @CommandLine.Unmatched
+        var remainder: MutableList<String> =
+            mutableListOf() // ignore any other parameters and options in the first parsing phase
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/AbstractSopCmd.kt

@@ -0,0 +1,348 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.*
+import java.text.ParseException
+import java.util.*
+import picocli.CommandLine
+import picocli.CommandLine.Help
+import picocli.CommandLine.Help.Column
+import picocli.CommandLine.Help.TextTable
+import picocli.CommandLine.IHelpSectionRenderer
+import sop.cli.picocli.commands.AbstractSopCmd.EnvironmentVariableResolver
+import sop.exception.SOPGPException.*
+import sop.util.UTCUtil.Companion.parseUTCDate
+import sop.util.UTF8Util.Companion.decodeUTF8
+
+/** Abstract super class of SOP subcommands. */
+abstract class AbstractSopCmd(locale: Locale = Locale.getDefault()) : Runnable {
+
+    private val messages: ResourceBundle = ResourceBundle.getBundle("msg_sop", locale)
+    var environmentVariableResolver = EnvironmentVariableResolver { name: String ->
+        System.getenv(name)
+    }
+
+    /** Interface to modularize resolving of environment variables. */
+    fun interface EnvironmentVariableResolver {
+
+        /**
+         * Resolve the value of the given environment variable. Return null if the variable is not
+         * present.
+         *
+         * @param name name of the variable
+         * @return variable value or null
+         */
+        fun resolveEnvironmentVariable(name: String): String?
+    }
+
+    fun throwIfOutputExists(output: String?) {
+        output
+            ?.let { File(it) }
+            ?.let {
+                if (it.exists()) {
+                    val errorMsg: String =
+                        getMsg(
+                            "sop.error.indirect_data_type.output_file_already_exists",
+                            it.absolutePath)
+                    throw OutputExists(errorMsg)
+                }
+            }
+    }
+
+    fun getMsg(key: String): String = messages.getString(key)
+
+    fun getMsg(key: String, vararg args: String): String {
+        val msg = messages.getString(key)
+        return String.format(msg, *args)
+    }
+
+    fun throwIfMissingArg(arg: Any?, argName: String) {
+        if (arg == null) {
+            val errorMsg = getMsg("sop.error.usage.argument_required", argName)
+            throw MissingArg(errorMsg)
+        }
+    }
+
+    fun throwIfEmptyParameters(arg: Collection<*>, parmName: String) {
+        if (arg.isEmpty()) {
+            val errorMsg = getMsg("sop.error.usage.parameter_required", parmName)
+            throw MissingArg(errorMsg)
+        }
+    }
+
+    fun <T> throwIfUnsupportedSubcommand(subcommand: T?, subcommandName: String): T {
+        if (subcommand == null) {
+            val errorMsg =
+                getMsg("sop.error.feature_support.subcommand_not_supported", subcommandName)
+            throw UnsupportedSubcommand(errorMsg)
+        }
+        return subcommand
+    }
+
+    @Throws(IOException::class)
+    fun getInput(indirectInput: String): InputStream {
+        val trimmed = indirectInput.trim()
+        require(trimmed.isNotBlank()) { "Input cannot be blank." }
+
+        if (trimmed.startsWith(PRFX_ENV)) {
+            if (File(trimmed).exists()) {
+                val errorMsg = getMsg("sop.error.indirect_data_type.ambiguous_filename", trimmed)
+                throw AmbiguousInput(errorMsg)
+            }
+
+            val envName = trimmed.substring(PRFX_ENV.length)
+            val envValue = environmentVariableResolver.resolveEnvironmentVariable(envName)
+            requireNotNull(envValue) {
+                getMsg("sop.error.indirect_data_type.environment_variable_not_set", envName)
+            }
+
+            require(envValue.trim().isNotEmpty()) {
+                getMsg("sop.error.indirect_data_type.environment_variable_empty", envName)
+            }
+
+            return envValue.byteInputStream()
+        } else if (trimmed.startsWith(PRFX_FD)) {
+
+            if (File(trimmed).exists()) {
+                val errorMsg = getMsg("sop.error.indirect_data_type.ambiguous_filename", trimmed)
+                throw AmbiguousInput(errorMsg)
+            }
+
+            val fdFile: File = fileDescriptorFromString(trimmed)
+            return try {
+                fdFile.inputStream()
+            } catch (e: FileNotFoundException) {
+                val errorMsg =
+                    getMsg(
+                        "sop.error.indirect_data_type.file_descriptor_not_found",
+                        fdFile.absolutePath)
+                throw IOException(errorMsg, e)
+            }
+        } else {
+
+            val file = File(trimmed)
+            if (!file.exists()) {
+                val errorMsg =
+                    getMsg(
+                        "sop.error.indirect_data_type.input_file_does_not_exist", file.absolutePath)
+                throw MissingInput(errorMsg)
+            }
+            if (!file.isFile()) {
+                val errorMsg =
+                    getMsg("sop.error.indirect_data_type.input_not_a_file", file.absolutePath)
+                throw MissingInput(errorMsg)
+            }
+            return file.inputStream()
+        }
+    }
+
+    @Throws(IOException::class)
+    fun getOutput(indirectOutput: String?): OutputStream {
+        requireNotNull(indirectOutput) { "Output cannot be null." }
+        val trimmed = indirectOutput.trim()
+        require(trimmed.isNotEmpty()) { "Output cannot be blank." }
+
+        // @ENV not allowed for output
+        if (trimmed.startsWith(PRFX_ENV)) {
+            val errorMsg = getMsg("sop.error.indirect_data_type.illegal_use_of_env_designator")
+            throw UnsupportedSpecialPrefix(errorMsg)
+        }
+
+        // File Descriptor
+        if (trimmed.startsWith(PRFX_FD)) {
+            val fdFile = fileDescriptorFromString(trimmed)
+            return try {
+                fdFile.outputStream()
+            } catch (e: FileNotFoundException) {
+                val errorMsg =
+                    getMsg(
+                        "sop.error.indirect_data_type.file_descriptor_not_found",
+                        fdFile.absolutePath)
+                throw IOException(errorMsg, e)
+            }
+        }
+        val file = File(trimmed)
+        if (file.exists()) {
+            val errorMsg =
+                getMsg("sop.error.indirect_data_type.output_file_already_exists", file.absolutePath)
+            throw OutputExists(errorMsg)
+        }
+        if (!file.createNewFile()) {
+            val errorMsg =
+                getMsg(
+                    "sop.error.indirect_data_type.output_file_cannot_be_created", file.absolutePath)
+            throw IOException(errorMsg)
+        }
+        return file.outputStream()
+    }
+
+    fun fileDescriptorFromString(fdString: String): File {
+        val fdDir = File("/dev/fd/")
+        if (!fdDir.exists()) {
+            val errorMsg = getMsg("sop.error.indirect_data_type.designator_fd_not_supported")
+            throw UnsupportedSpecialPrefix(errorMsg)
+        }
+        val fdNumber = fdString.substring(PRFX_FD.length)
+        require(PATTERN_FD.matcher(fdNumber).matches()) {
+            "File descriptor must be a positive number."
+        }
+        return File(fdDir, fdNumber)
+    }
+
+    fun parseNotAfter(notAfter: String): Date {
+        return when (notAfter) {
+            "now" -> Date()
+            "-" -> END_OF_TIME
+            else ->
+                try {
+                    parseUTCDate(notAfter)
+                } catch (e: ParseException) {
+                    val errorMsg = getMsg("sop.error.input.malformed_not_after")
+                    throw IllegalArgumentException(errorMsg)
+                }
+        }
+    }
+
+    fun parseNotBefore(notBefore: String): Date {
+        return when (notBefore) {
+            "now" -> Date()
+            "-" -> DAWN_OF_TIME
+            else ->
+                try {
+                    parseUTCDate(notBefore)
+                } catch (e: ParseException) {
+                    val errorMsg = getMsg("sop.error.input.malformed_not_before")
+                    throw IllegalArgumentException(errorMsg)
+                }
+        }
+    }
+
+    /**
+     * See
+     * [Example](https://github.com/remkop/picocli/blob/main/picocli-examples/src/main/java/picocli/examples/customhelp/EnvironmentVariablesSection.java)
+     */
+    class InputOutputHelpSectionRenderer(private val argument: Pair<String?, String?>) :
+        IHelpSectionRenderer {
+
+        override fun render(help: Help): String {
+            return argument.let {
+                val calcLen =
+                    help.calcLongOptionColumnWidth(
+                        help.commandSpec().options(),
+                        help.commandSpec().positionalParameters(),
+                        help.colorScheme())
+                val keyLength =
+                    help
+                        .commandSpec()
+                        .usageMessage()
+                        .longOptionsMaxWidth()
+                        .coerceAtMost(calcLen - 1)
+                val table =
+                    TextTable.forColumns(
+                        help.colorScheme(),
+                        Column(keyLength + 7, 6, Column.Overflow.SPAN),
+                        Column(width(help) - (keyLength + 7), 0, Column.Overflow.WRAP))
+                table.setAdjustLineBreaksForWideCJKCharacters(adjustCJK(help))
+                table.addRowValues("@|yellow ${argument.first}|@", argument.second ?: "")
+                table.toString()
+            }
+        }
+
+        private fun adjustCJK(help: Help) =
+            help.commandSpec().usageMessage().adjustLineBreaksForWideCJKCharacters()
+
+        private fun width(help: Help) = help.commandSpec().usageMessage().width()
+    }
+
+    fun installIORenderer(cmd: CommandLine) {
+        val inputName = getResString(cmd, "standardInput")
+        if (inputName != null) {
+            cmd.helpSectionMap[SECTION_KEY_STANDARD_INPUT_HEADING] = IHelpSectionRenderer {
+                getResString(cmd, "standardInputHeading")
+            }
+            cmd.helpSectionMap[SECTION_KEY_STANDARD_INPUT_DETAILS] =
+                InputOutputHelpSectionRenderer(
+                    inputName to getResString(cmd, "standardInputDescription"))
+            cmd.helpSectionKeys =
+                insertKey(
+                    cmd.helpSectionKeys,
+                    SECTION_KEY_STANDARD_INPUT_HEADING,
+                    SECTION_KEY_STANDARD_INPUT_DETAILS)
+        }
+
+        val outputName = getResString(cmd, "standardOutput")
+        if (outputName != null) {
+            cmd.helpSectionMap[SECTION_KEY_STANDARD_OUTPUT_HEADING] = IHelpSectionRenderer {
+                getResString(cmd, "standardOutputHeading")
+            }
+            cmd.helpSectionMap[SECTION_KEY_STANDARD_OUTPUT_DETAILS] =
+                InputOutputHelpSectionRenderer(
+                    outputName to getResString(cmd, "standardOutputDescription"))
+            cmd.helpSectionKeys =
+                insertKey(
+                    cmd.helpSectionKeys,
+                    SECTION_KEY_STANDARD_OUTPUT_HEADING,
+                    SECTION_KEY_STANDARD_OUTPUT_DETAILS)
+        }
+    }
+
+    private fun insertKey(keys: List<String>, header: String, details: String): List<String> {
+        val index =
+            keys.indexOf(CommandLine.Model.UsageMessageSpec.SECTION_KEY_EXIT_CODE_LIST_HEADING)
+        val result = keys.toMutableList()
+        result.add(index, header)
+        result.add(index + 1, details)
+        return result
+    }
+
+    private fun getResString(cmd: CommandLine, key: String): String? =
+        try {
+                cmd.resourceBundle.getString(key)
+            } catch (m: MissingResourceException) {
+                try {
+                    cmd.parent.resourceBundle.getString(key)
+                } catch (m: MissingResourceException) {
+                    null
+                }
+            }
+            ?.let { String.format(it) }
+
+    companion object {
+        const val PRFX_ENV = "@ENV:"
+
+        const val PRFX_FD = "@FD:"
+
+        const val SECTION_KEY_STANDARD_INPUT_HEADING = "standardInputHeading"
+        const val SECTION_KEY_STANDARD_INPUT_DETAILS = "standardInput"
+        const val SECTION_KEY_STANDARD_OUTPUT_HEADING = "standardOutputHeading"
+        const val SECTION_KEY_STANDARD_OUTPUT_DETAILS = "standardOutput"
+
+        @JvmField val DAWN_OF_TIME = Date(0)
+
+        @JvmField
+        @Deprecated("Replace with DAWN_OF_TIME", ReplaceWith("DAWN_OF_TIME"))
+        val BEGINNING_OF_TIME = DAWN_OF_TIME
+
+        @JvmField val END_OF_TIME = Date(8640000000000000L)
+
+        @JvmField val PATTERN_FD = "^\\d{1,20}$".toPattern()
+
+        @Throws(IOException::class)
+        @JvmStatic
+        fun stringFromInputStream(inputStream: InputStream): String {
+            return inputStream.use { input ->
+                val byteOut = ByteArrayOutputStream()
+                val buf = ByteArray(4096)
+                var read: Int
+                while (input.read(buf).also { read = it } != -1) {
+                    byteOut.write(buf, 0, read)
+                }
+                // TODO: For decrypt operations we MUST accept non-UTF8 passwords
+                decodeUTF8(byteOut.toByteArray())
+            }
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/ArmorCmd.kt

@@ -0,0 +1,32 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.BadData
+import sop.exception.SOPGPException.UnsupportedOption
+
+@Command(
+    name = "armor",
+    resourceBundle = "msg_armor",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class ArmorCmd : AbstractSopCmd() {
+
+    override fun run() {
+        val armor = throwIfUnsupportedSubcommand(SopCLI.getSop().armor(), "armor")
+
+        try {
+            val ready = armor.data(System.`in`)
+            ready.writeTo(System.out)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.stdin_not_openpgp_data")
+            throw BadData(errorMsg, badData)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/CertifyUserIdCmd.kt

@@ -0,0 +1,84 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import picocli.CommandLine.Parameters
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.BadData
+import sop.exception.SOPGPException.UnsupportedOption
+
+@Command(
+    name = "certify-userid",
+    resourceBundle = "msg_certify-userid",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE,
+    showEndOfOptionsDelimiterInUsageHelp = true)
+class CertifyUserIdCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Option(names = ["--userid"], required = true, arity = "1..*", paramLabel = "USERID")
+    var userIds: List<String> = listOf()
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    @Option(names = ["--no-require-self-sig"]) var noRequireSelfSig = false
+
+    @Parameters(paramLabel = "KEYS", arity = "1..*") var keys: List<String> = listOf()
+
+    override fun run() {
+        val certifyUserId =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().certifyUserId(), "certify-userid")
+
+        if (!armor) {
+            certifyUserId.noArmor()
+        }
+
+        if (noRequireSelfSig) {
+            certifyUserId.noRequireSelfSig()
+        }
+
+        for (userId in userIds) {
+            certifyUserId.userId(userId)
+        }
+
+        for (passwordFileName in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFileName))
+                certifyUserId.withKeyPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        for (keyInput in keys) {
+            try {
+                getInput(keyInput).use { certifyUserId.keys(it) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        try {
+            val ready = certifyUserId.certs(System.`in`)
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.not_a_private_key", "STDIN")
+            throw BadData(errorMsg, badData)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/ChangeKeyPasswordCmd.kt

@@ -0,0 +1,52 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.lang.RuntimeException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+
+@Command(
+    name = "change-key-password",
+    resourceBundle = "msg_change-key-password",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class ChangeKeyPasswordCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor: Boolean = true
+
+    @Option(names = ["--old-key-password"], paramLabel = "PASSWORD")
+    var oldKeyPasswords: List<String> = listOf()
+
+    @Option(names = ["--new-key-password"], arity = "0..1", paramLabel = "PASSWORD")
+    var newKeyPassword: String? = null
+
+    override fun run() {
+        val changeKeyPassword =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().changeKeyPassword(), "change-key-password")
+
+        if (!armor) {
+            changeKeyPassword.noArmor()
+        }
+
+        oldKeyPasswords.forEach {
+            val password = stringFromInputStream(getInput(it))
+            changeKeyPassword.oldKeyPassphrase(password)
+        }
+
+        newKeyPassword?.let {
+            val password = stringFromInputStream(getInput(it))
+            changeKeyPassword.newKeyPassphrase(password)
+        }
+
+        try {
+            changeKeyPassword.keys(System.`in`).writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/DearmorCmd.kt

@@ -0,0 +1,41 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+import sop.exception.SOPGPException.BadData
+
+@Command(
+    name = "dearmor",
+    resourceBundle = "msg_dearmor",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class DearmorCmd : AbstractSopCmd() {
+
+    override fun run() {
+        val dearmor = throwIfUnsupportedSubcommand(SopCLI.getSop().dearmor(), "dearmor")
+
+        try {
+            dearmor.data(System.`in`).writeTo(System.out)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.stdin_not_openpgp_data")
+            throw BadData(errorMsg, badData)
+        } catch (e: IOException) {
+            e.message?.let {
+                val errorMsg = getMsg("sop.error.input.stdin_not_openpgp_data")
+                if (it == "invalid armor" ||
+                    it == "invalid armor header" ||
+                    it == "inconsistent line endings in headers" ||
+                    it.startsWith("unable to decode base64 data")) {
+                    throw BadData(errorMsg, e)
+                }
+                throw RuntimeException(e)
+            }
+                ?: throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/DecryptCmd.kt

@@ -0,0 +1,224 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.io.PrintWriter
+import picocli.CommandLine.*
+import sop.DecryptionResult
+import sop.SessionKey
+import sop.SessionKey.Companion.fromString
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.*
+import sop.operation.Decrypt
+
+@Command(
+    name = "decrypt",
+    resourceBundle = "msg_decrypt",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class DecryptCmd : AbstractSopCmd() {
+
+    @Option(names = [OPT_SESSION_KEY_OUT], paramLabel = "SESSIONKEY")
+    var sessionKeyOut: String? = null
+
+    @Option(names = [OPT_WITH_SESSION_KEY], paramLabel = "SESSIONKEY")
+    var withSessionKey: List<String> = listOf()
+
+    @Option(names = [OPT_WITH_PASSWORD], paramLabel = "PASSWORD")
+    var withPassword: List<String> = listOf()
+
+    @Option(names = [OPT_VERIFICATIONS_OUT, "--verify-out"], paramLabel = "VERIFICATIONS")
+    var verifyOut: String? = null
+
+    @Option(names = [OPT_VERIFY_WITH], paramLabel = "CERT") var certs: List<String> = listOf()
+
+    @Option(names = [OPT_NOT_BEFORE], paramLabel = "DATE") var notBefore = "-"
+
+    @Option(names = [OPT_NOT_AFTER], paramLabel = "DATE") var notAfter = "now"
+
+    @Parameters(index = "0..*", paramLabel = "KEY") var keys: List<String> = listOf()
+
+    @Option(names = [OPT_WITH_KEY_PASSWORD], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    override fun run() {
+        val decrypt = throwIfUnsupportedSubcommand(SopCLI.getSop().decrypt(), "decrypt")
+
+        throwIfOutputExists(verifyOut)
+        throwIfOutputExists(sessionKeyOut)
+
+        setNotAfter(notAfter, decrypt)
+        setNotBefore(notBefore, decrypt)
+        setWithPasswords(withPassword, decrypt)
+        setWithSessionKeys(withSessionKey, decrypt)
+        setWithKeyPassword(withKeyPassword, decrypt)
+        setVerifyWith(certs, decrypt)
+        setDecryptWith(keys, decrypt)
+
+        if (verifyOut != null && certs.isEmpty()) {
+            val errorMsg =
+                getMsg(
+                    "sop.error.usage.option_requires_other_option",
+                    OPT_VERIFICATIONS_OUT,
+                    OPT_VERIFY_WITH)
+            throw IncompleteVerification(errorMsg)
+        }
+
+        try {
+            val ready = decrypt.ciphertext(System.`in`)
+            val result = ready.writeTo(System.out)
+            writeSessionKeyOut(result)
+            writeVerifyOut(result)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.stdin_not_a_message")
+            throw BadData(errorMsg, badData)
+        } catch (e: CannotDecrypt) {
+            val errorMsg = getMsg("sop.error.runtime.cannot_decrypt_message")
+            throw CannotDecrypt(errorMsg, e)
+        } catch (ioException: IOException) {
+            throw RuntimeException(ioException)
+        }
+    }
+
+    @Throws(IOException::class)
+    private fun writeVerifyOut(result: DecryptionResult) {
+        verifyOut?.let {
+            getOutput(it).use { out ->
+                PrintWriter(out).use { pw ->
+                    result.verifications.forEach { verification -> pw.println(verification) }
+                }
+            }
+        }
+    }
+
+    @Throws(IOException::class)
+    private fun writeSessionKeyOut(result: DecryptionResult) {
+        sessionKeyOut?.let { fileName ->
+            getOutput(fileName).use { out ->
+                if (!result.sessionKey.isPresent) {
+                    val errorMsg = getMsg("sop.error.runtime.no_session_key_extracted")
+                    throw UnsupportedOption(String.format(errorMsg, OPT_SESSION_KEY_OUT))
+                }
+
+                PrintWriter(out).use { it.println(result.sessionKey.get()!!) }
+            }
+        }
+    }
+
+    private fun setDecryptWith(keys: List<String>, decrypt: Decrypt) {
+        for (key in keys) {
+            try {
+                getInput(key).use { decrypt.withKey(it) }
+            } catch (keyIsProtected: KeyIsProtected) {
+                val errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", key)
+                throw KeyIsProtected(errorMsg, keyIsProtected)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_private_key", key)
+                throw BadData(errorMsg, badData)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+    }
+
+    private fun setVerifyWith(certs: List<String>, decrypt: Decrypt) {
+        for (cert in certs) {
+            try {
+                getInput(cert).use { certIn -> decrypt.verifyWithCert(certIn) }
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", cert)
+                throw BadData(errorMsg, badData)
+            } catch (ioException: IOException) {
+                throw RuntimeException(ioException)
+            }
+        }
+    }
+
+    private fun setWithSessionKeys(withSessionKey: List<String>, decrypt: Decrypt) {
+        for (sessionKeyFile in withSessionKey) {
+            val sessionKeyString: String =
+                try {
+                    stringFromInputStream(getInput(sessionKeyFile))
+                } catch (e: IOException) {
+                    throw RuntimeException(e)
+                }
+            val sessionKey: SessionKey =
+                try {
+                    fromString(sessionKeyString)
+                } catch (e: IllegalArgumentException) {
+                    val errorMsg = getMsg("sop.error.input.malformed_session_key")
+                    throw IllegalArgumentException(errorMsg, e)
+                }
+            try {
+                decrypt.withSessionKey(sessionKey)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_SESSION_KEY)
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            }
+        }
+    }
+
+    private fun setWithPasswords(withPassword: List<String>, decrypt: Decrypt) {
+        for (passwordFile in withPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFile))
+                decrypt.withPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_PASSWORD)
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+    }
+
+    private fun setWithKeyPassword(withKeyPassword: List<String>, decrypt: Decrypt) {
+        for (passwordFile in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFile))
+                decrypt.withKeyPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", OPT_WITH_KEY_PASSWORD)
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+    }
+
+    private fun setNotAfter(notAfter: String, decrypt: Decrypt) {
+        val notAfterDate = parseNotAfter(notAfter)
+        try {
+            decrypt.verifyNotAfter(notAfterDate)
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_NOT_AFTER)
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+    }
+
+    private fun setNotBefore(notBefore: String, decrypt: Decrypt) {
+        val notBeforeDate = parseNotBefore(notBefore)
+        try {
+            decrypt.verifyNotBefore(notBeforeDate)
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", OPT_NOT_BEFORE)
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+    }
+
+    companion object {
+        const val OPT_SESSION_KEY_OUT = "--session-key-out"
+        const val OPT_WITH_SESSION_KEY = "--with-session-key"
+        const val OPT_WITH_PASSWORD = "--with-password"
+        const val OPT_WITH_KEY_PASSWORD = "--with-key-password"
+        const val OPT_VERIFICATIONS_OUT = "--verifications-out"
+        const val OPT_VERIFY_WITH = "--verify-with"
+        const val OPT_NOT_BEFORE = "--verify-not-before"
+        const val OPT_NOT_AFTER = "--verify-not-after"
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/EncryptCmd.kt

@@ -0,0 +1,159 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.io.PrintWriter
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.enums.EncryptAs
+import sop.exception.SOPGPException.*
+
+@Command(
+    name = "encrypt",
+    resourceBundle = "msg_encrypt",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class EncryptCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Option(names = ["--as"], paramLabel = "{binary|text}") var type: EncryptAs? = null
+
+    @Option(names = ["--with-password"], paramLabel = "PASSWORD")
+    var withPassword: List<String> = listOf()
+
+    @Option(names = ["--sign-with"], paramLabel = "KEY") var signWith: List<String> = listOf()
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    @Option(names = ["--profile"], paramLabel = "PROFILE") var profile: String? = null
+
+    @Parameters(index = "0..*", paramLabel = "CERTS") var certs: List<String> = listOf()
+
+    @Option(names = ["--session-key-out"], paramLabel = "SESSIONKEY")
+    var sessionKeyOut: String? = null
+
+    override fun run() {
+        val encrypt = throwIfUnsupportedSubcommand(SopCLI.getSop().encrypt(), "encrypt")
+
+        throwIfOutputExists(sessionKeyOut)
+
+        profile?.let {
+            try {
+                encrypt.profile(it)
+            } catch (e: UnsupportedProfile) {
+                val errorMsg = getMsg("sop.error.usage.profile_not_supported", "encrypt", it)
+                throw UnsupportedProfile(errorMsg, e)
+            }
+        }
+
+        type?.let {
+            try {
+                encrypt.mode(it)
+            } catch (e: UnsupportedOption) {
+                val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--as")
+                throw UnsupportedOption(errorMsg, e)
+            }
+        }
+
+        if (withPassword.isEmpty() && certs.isEmpty()) {
+            val errorMsg = getMsg("sop.error.usage.password_or_cert_required")
+            throw MissingArg(errorMsg)
+        }
+
+        for (passwordFileName in withPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFileName))
+                encrypt.withPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-password")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        for (passwordFileName in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFileName))
+                encrypt.withKeyPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        for (keyInput in signWith) {
+            try {
+                getInput(keyInput).use { keyIn -> encrypt.signWith(keyIn) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (keyIsProtected: KeyIsProtected) {
+                val errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyInput)
+                throw KeyIsProtected(errorMsg, keyIsProtected)
+            } catch (unsupportedAsymmetricAlgo: UnsupportedAsymmetricAlgo) {
+                val errorMsg =
+                    getMsg("sop.error.runtime.key_uses_unsupported_asymmetric_algorithm", keyInput)
+                throw UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo)
+            } catch (keyCannotSign: KeyCannotSign) {
+                val errorMsg = getMsg("sop.error.runtime.key_cannot_sign", keyInput)
+                throw KeyCannotSign(errorMsg, keyCannotSign)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        for (certInput in certs) {
+            try {
+                getInput(certInput).use { certIn -> encrypt.withCert(certIn) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (unsupportedAsymmetricAlgo: UnsupportedAsymmetricAlgo) {
+                val errorMsg =
+                    getMsg(
+                        "sop.error.runtime.cert_uses_unsupported_asymmetric_algorithm", certInput)
+                throw UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo)
+            } catch (certCannotEncrypt: CertCannotEncrypt) {
+                val errorMsg = getMsg("sop.error.runtime.cert_cannot_encrypt", certInput)
+                throw CertCannotEncrypt(errorMsg, certCannotEncrypt)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", certInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        if (!armor) {
+            encrypt.noArmor()
+        }
+
+        try {
+            val ready = encrypt.plaintext(System.`in`)
+            val result = ready.writeTo(System.out)
+
+            if (sessionKeyOut == null) {
+                return
+            }
+
+            getOutput(sessionKeyOut).use {
+                if (!result.sessionKey.isPresent) {
+                    val errorMsg = getMsg("sop.error.runtime.no_session_key_extracted")
+                    throw UnsupportedOption(String.format(errorMsg, "--session-key-out"))
+                }
+                val sessionKey = result.sessionKey.get() ?: return
+                val writer = PrintWriter(it)
+                writer.println(sessionKey)
+                writer.flush()
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/ExtractCertCmd.kt

@@ -0,0 +1,40 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+import sop.exception.SOPGPException.BadData
+
+@Command(
+    name = "extract-cert",
+    resourceBundle = "msg_extract-cert",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class ExtractCertCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    override fun run() {
+        val extractCert =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().extractCert(), "extract-cert")
+
+        if (!armor) {
+            extractCert.noArmor()
+        }
+
+        try {
+            val ready = extractCert.key(System.`in`)
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.stdin_not_a_private_key")
+            throw BadData(errorMsg, badData)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/GenerateKeyCmd.kt

@@ -0,0 +1,76 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.UnsupportedOption
+import sop.exception.SOPGPException.UnsupportedProfile
+
+@Command(
+    name = "generate-key",
+    resourceBundle = "msg_generate-key",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class GenerateKeyCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Parameters(paramLabel = "USERID") var userId: List<String> = listOf()
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: String? = null
+
+    @Option(names = ["--profile"], paramLabel = "PROFILE") var profile: String? = null
+
+    @Option(names = ["--signing-only"]) var signingOnly: Boolean = false
+
+    override fun run() {
+        val generateKey =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().generateKey(), "generate-key")
+
+        profile?.let {
+            try {
+                generateKey.profile(it)
+            } catch (e: UnsupportedProfile) {
+                val errorMsg =
+                    getMsg("sop.error.usage.profile_not_supported", "generate-key", profile!!)
+                throw UnsupportedProfile(errorMsg, e)
+            }
+        }
+
+        if (signingOnly) {
+            generateKey.signingOnly()
+        }
+
+        for (userId in userId) {
+            generateKey.userId(userId)
+        }
+
+        if (!armor) {
+            generateKey.noArmor()
+        }
+
+        withKeyPassword?.let {
+            try {
+                val password = stringFromInputStream(getInput(it))
+                generateKey.withKeyPassword(password)
+            } catch (e: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw UnsupportedOption(errorMsg, e)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        try {
+            val ready = generateKey.generate()
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/InlineDetachCmd.kt

@@ -0,0 +1,47 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.lang.RuntimeException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+
+@Command(
+    name = "inline-detach",
+    resourceBundle = "msg_inline-detach",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class InlineDetachCmd : AbstractSopCmd() {
+
+    @Option(names = ["--signatures-out"], paramLabel = "SIGNATURES")
+    var signaturesOut: String? = null
+
+    @Option(names = ["--no-armor"], negatable = true) var armor: Boolean = true
+
+    override fun run() {
+        val inlineDetach =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().inlineDetach(), "inline-detach")
+
+        throwIfOutputExists(signaturesOut)
+        throwIfMissingArg(signaturesOut, "--signatures-out")
+
+        if (!armor) {
+            inlineDetach.noArmor()
+        }
+
+        try {
+            getOutput(signaturesOut).use { sigOut ->
+                inlineDetach
+                    .message(System.`in`)
+                    .writeTo(System.out) // message out
+                    .writeTo(sigOut) // signatures out
+            }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/InlineSignCmd.kt

@@ -0,0 +1,89 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.enums.InlineSignAs
+import sop.exception.SOPGPException.*
+
+@Command(
+    name = "inline-sign",
+    resourceBundle = "msg_inline-sign",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class InlineSignCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Option(names = ["--as"], paramLabel = "{binary|text|clearsigned}")
+    var type: InlineSignAs? = null
+
+    @Parameters(paramLabel = "KEYS") var secretKeyFile: List<String> = listOf()
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    override fun run() {
+        val inlineSign = throwIfUnsupportedSubcommand(SopCLI.getSop().inlineSign(), "inline-sign")
+
+        if (!armor && type == InlineSignAs.clearsigned) {
+            val errorMsg = getMsg("sop.error.usage.incompatible_options.clearsigned_no_armor")
+            throw IncompatibleOptions(errorMsg)
+        }
+
+        type?.let {
+            try {
+                inlineSign.mode(it)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--as")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            }
+        }
+
+        if (secretKeyFile.isEmpty()) {
+            val errorMsg = getMsg("sop.error.usage.parameter_required", "KEYS")
+            throw MissingArg(errorMsg)
+        }
+
+        for (passwordFile in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFile))
+                inlineSign.withKeyPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        for (keyInput in secretKeyFile) {
+            try {
+                getInput(keyInput).use { keyIn -> inlineSign.key(keyIn) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (e: KeyIsProtected) {
+                val errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyInput)
+                throw KeyIsProtected(errorMsg, e)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_private_key", keyInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        if (!armor) {
+            inlineSign.noArmor()
+        }
+
+        try {
+            val ready = inlineSign.data(System.`in`)
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/InlineVerifyCmd.kt

@@ -0,0 +1,93 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.io.PrintWriter
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.*
+
+@Command(
+    name = "inline-verify",
+    resourceBundle = "msg_inline-verify",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class InlineVerifyCmd : AbstractSopCmd() {
+
+    @Parameters(arity = "0..*", paramLabel = "CERT") var certificates: List<String> = listOf()
+
+    @Option(names = ["--not-before"], paramLabel = "DATE") var notBefore: String = "-"
+
+    @Option(names = ["--not-after"], paramLabel = "DATE") var notAfter: String = "now"
+
+    @Option(names = ["--verifications-out"], paramLabel = "VERIFICATIONS")
+    var verificationsOut: String? = null
+
+    override fun run() {
+        val inlineVerify =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().inlineVerify(), "inline-verify")
+
+        throwIfOutputExists(verificationsOut)
+
+        try {
+            inlineVerify.notAfter(parseNotAfter(notAfter))
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-after")
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+
+        try {
+            inlineVerify.notBefore(parseNotBefore(notBefore))
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-before")
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+
+        for (certInput in certificates) {
+            try {
+                getInput(certInput).use { certIn -> inlineVerify.cert(certIn) }
+            } catch (ioException: IOException) {
+                throw RuntimeException(ioException)
+            } catch (unsupportedAsymmetricAlgo: UnsupportedAsymmetricAlgo) {
+                val errorMsg =
+                    getMsg(
+                        "sop.error.runtime.cert_uses_unsupported_asymmetric_algorithm", certInput)
+                throw UnsupportedAsymmetricAlgo(errorMsg, unsupportedAsymmetricAlgo)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", certInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        val verifications =
+            try {
+                val ready = inlineVerify.data(System.`in`)
+                ready.writeTo(System.out)
+            } catch (e: NoSignature) {
+                val errorMsg = getMsg("sop.error.runtime.no_verifiable_signature_found")
+                throw NoSignature(errorMsg, e)
+            } catch (ioException: IOException) {
+                throw RuntimeException(ioException)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.stdin_not_a_message")
+                throw BadData(errorMsg, badData)
+            }
+
+        verificationsOut?.let {
+            try {
+                getOutput(it).use { outputStream ->
+                    val pw = PrintWriter(outputStream)
+                    for (verification in verifications) {
+                        pw.println(verification)
+                    }
+                    pw.flush()
+                    pw.close()
+                }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/ListProfilesCmd.kt

@@ -0,0 +1,34 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import picocli.CommandLine.Command
+import picocli.CommandLine.Parameters
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+import sop.exception.SOPGPException.UnsupportedProfile
+
+@Command(
+    name = "list-profiles",
+    resourceBundle = "msg_list-profiles",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class ListProfilesCmd : AbstractSopCmd() {
+
+    @Parameters(paramLabel = "COMMAND", arity = "1", descriptionKey = "subcommand")
+    lateinit var subcommand: String
+
+    override fun run() {
+        val listProfiles =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().listProfiles(), "list-profiles")
+
+        try {
+            listProfiles.subcommand(subcommand).forEach { println(it) }
+        } catch (e: UnsupportedProfile) {
+            val errorMsg =
+                getMsg("sop.error.feature_support.subcommand_does_not_support_profiles", subcommand)
+            throw UnsupportedProfile(errorMsg, e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/MergeCertsCmd.kt

@@ -0,0 +1,46 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine
+import picocli.CommandLine.Command
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+
+@Command(
+    name = "merge-certs",
+    resourceBundle = "msg_merge-certs",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class MergeCertsCmd : AbstractSopCmd() {
+
+    @CommandLine.Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @CommandLine.Parameters(paramLabel = "CERTS") var updates: List<String> = listOf()
+
+    override fun run() {
+        val mergeCerts = throwIfUnsupportedSubcommand(SopCLI.getSop().mergeCerts(), "merge-certs")
+
+        if (!armor) {
+            mergeCerts.noArmor()
+        }
+
+        for (certFileName in updates) {
+            try {
+                getInput(certFileName).use { mergeCerts.updates(it) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        try {
+
+            val ready = mergeCerts.baseCertificates(System.`in`)
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/RevokeKeyCmd.kt

@@ -0,0 +1,58 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+import sop.exception.SOPGPException.KeyIsProtected
+
+@Command(
+    name = "revoke-key",
+    resourceBundle = "msg_revoke-key",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class RevokeKeyCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD", arity = "0..*")
+    var withKeyPassword: List<String> = listOf()
+
+    override fun run() {
+        val revokeKey = throwIfUnsupportedSubcommand(SopCLI.getSop().revokeKey(), "revoke-key")
+
+        if (!armor) {
+            revokeKey.noArmor()
+        }
+
+        for (passwordIn in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordIn))
+                revokeKey.withKeyPassword(password)
+            } catch (e: SOPGPException.UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw SOPGPException.UnsupportedOption(errorMsg, e)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        val ready =
+            try {
+                revokeKey.keys(System.`in`)
+            } catch (e: KeyIsProtected) {
+                val errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", "STANDARD_IN")
+                throw KeyIsProtected(errorMsg, e)
+            }
+        try {
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/SignCmd.kt

@@ -0,0 +1,90 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.enums.SignAs
+import sop.exception.SOPGPException
+import sop.exception.SOPGPException.BadData
+import sop.exception.SOPGPException.KeyIsProtected
+
+@Command(
+    name = "sign",
+    resourceBundle = "msg_detached-sign",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class SignCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor: Boolean = true
+
+    @Option(names = ["--as"], paramLabel = "{binary|text}") var type: SignAs? = null
+
+    @Parameters(paramLabel = "KEYS") var secretKeyFile: List<String> = listOf()
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    @Option(names = ["--micalg-out"], paramLabel = "MICALG") var micAlgOut: String? = null
+
+    override fun run() {
+        val detachedSign = throwIfUnsupportedSubcommand(SopCLI.getSop().detachedSign(), "sign")
+
+        throwIfOutputExists(micAlgOut)
+        throwIfEmptyParameters(secretKeyFile, "KEYS")
+
+        try {
+            type?.let { detachedSign.mode(it) }
+        } catch (unsupported: SOPGPException.UnsupportedOption) {
+            val errorMsg =
+                getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+            throw SOPGPException.UnsupportedOption(errorMsg, unsupported)
+        } catch (ioe: IOException) {
+            throw RuntimeException(ioe)
+        }
+
+        withKeyPassword.forEach { passIn ->
+            try {
+                val password = stringFromInputStream(getInput(passIn))
+                detachedSign.withKeyPassword(password)
+            } catch (unsupported: SOPGPException.UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw SOPGPException.UnsupportedOption(errorMsg, unsupported)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        secretKeyFile.forEach { keyIn ->
+            try {
+                getInput(keyIn).use { input -> detachedSign.key(input) }
+            } catch (ioe: IOException) {
+                throw RuntimeException(ioe)
+            } catch (keyIsProtected: KeyIsProtected) {
+                val errorMsg = getMsg("sop.error.runtime.cannot_unlock_key", keyIn)
+                throw KeyIsProtected(errorMsg, keyIsProtected)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_private_key", keyIn)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        if (!armor) {
+            detachedSign.noArmor()
+        }
+
+        try {
+            val ready = detachedSign.data(System.`in`)
+            val result = ready.writeTo(System.out)
+
+            if (micAlgOut != null) {
+                getOutput(micAlgOut).use { result.micAlg.writeTo(it) }
+            }
+        } catch (e: IOException) {
+            throw java.lang.RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/UpdateKeyCmd.kt

@@ -0,0 +1,79 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.*
+
+@Command(
+    name = "update-key",
+    resourceBundle = "msg_update-key",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class UpdateKeyCmd : AbstractSopCmd() {
+
+    @Option(names = ["--no-armor"], negatable = true) var armor = true
+
+    @Option(names = ["--signing-only"]) var signingOnly = false
+
+    @Option(names = ["--no-added-capabilities"]) var noAddedCapabilities = false
+
+    @Option(names = ["--with-key-password"], paramLabel = "PASSWORD")
+    var withKeyPassword: List<String> = listOf()
+
+    @Option(names = ["--merge-certs"], paramLabel = "CERTS") var mergeCerts: List<String> = listOf()
+
+    override fun run() {
+        val updateKey = throwIfUnsupportedSubcommand(SopCLI.getSop().updateKey(), "update-key")
+
+        if (!armor) {
+            updateKey.noArmor()
+        }
+
+        if (signingOnly) {
+            updateKey.signingOnly()
+        }
+
+        if (noAddedCapabilities) {
+            updateKey.noAddedCapabilities()
+        }
+
+        for (passwordFileName in withKeyPassword) {
+            try {
+                val password = stringFromInputStream(getInput(passwordFileName))
+                updateKey.withKeyPassword(password)
+            } catch (unsupportedOption: UnsupportedOption) {
+                val errorMsg =
+                    getMsg("sop.error.feature_support.option_not_supported", "--with-key-password")
+                throw UnsupportedOption(errorMsg, unsupportedOption)
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            }
+        }
+
+        for (certInput in mergeCerts) {
+            try {
+                getInput(certInput).use { updateKey.mergeCerts(it) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", certInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        try {
+            val ready = updateKey.key(System.`in`)
+            ready.writeTo(System.out)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.not_a_private_key", "STDIN")
+            throw BadData(errorMsg, badData)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/ValidateUserIdCmd.kt

@@ -0,0 +1,82 @@
+// SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import java.util.*
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import picocli.CommandLine.Parameters
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+import sop.util.HexUtil.Companion.bytesToHex
+
+@Command(
+    name = "validate-userid",
+    resourceBundle = "msg_validate-userid",
+    exitCodeOnInvalidInput = SOPGPException.MissingArg.EXIT_CODE,
+    showEndOfOptionsDelimiterInUsageHelp = true)
+class ValidateUserIdCmd : AbstractSopCmd() {
+
+    @Option(names = ["--addr-spec-only"]) var addrSpecOnly: Boolean = false
+
+    @Option(names = ["--validate-at"]) var validateAt: Date? = null
+
+    @Parameters(index = "0", arity = "1", paramLabel = "USERID") lateinit var userId: String
+
+    @Parameters(index = "1..*", arity = "1..*", paramLabel = "CERTS")
+    var authorities: List<String> = listOf()
+
+    override fun run() {
+        val validateUserId =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().validateUserId(), "validate-userid")
+
+        if (addrSpecOnly) {
+            validateUserId.addrSpecOnly()
+        }
+
+        if (validateAt != null) {
+            validateUserId.validateAt(validateAt!!)
+        }
+
+        validateUserId.userId(userId)
+
+        for (authority in authorities) {
+            try {
+                getInput(authority).use { validateUserId.authorities(it) }
+            } catch (e: IOException) {
+                throw RuntimeException(e)
+            } catch (b: SOPGPException.BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", authority)
+                throw SOPGPException.BadData(errorMsg, b)
+            }
+        }
+
+        try {
+            val valid = validateUserId.subjects(System.`in`)
+
+            if (!valid) {
+                val errorMsg = getMsg("sop.error.runtime.any_cert_user_id_no_match", userId)
+                throw SOPGPException.CertUserIdNoMatch(errorMsg)
+            }
+        } catch (e: SOPGPException.CertUserIdNoMatch) {
+            val errorMsg =
+                if (e.fingerprint != null) {
+                    getMsg(
+                        "sop.error.runtime.cert_user_id_no_match",
+                        bytesToHex(e.fingerprint!!),
+                        userId)
+                } else {
+                    getMsg("sop.error.runtime.any_cert_user_id_no_match", userId)
+                }
+            throw SOPGPException.CertUserIdNoMatch(errorMsg, e)
+        } catch (e: SOPGPException.BadData) {
+            val errorMsg = getMsg("sop.error.input.not_a_certificate", "STDIN")
+            throw SOPGPException.BadData(errorMsg, e)
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/VerifyCmd.kt

@@ -0,0 +1,81 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import java.io.IOException
+import picocli.CommandLine.*
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException.*
+
+@Command(
+    name = "verify",
+    resourceBundle = "msg_detached-verify",
+    exitCodeOnInvalidInput = UnsupportedOption.EXIT_CODE)
+class VerifyCmd : AbstractSopCmd() {
+
+    @Parameters(index = "0", paramLabel = "SIGNATURE") lateinit var signature: String
+
+    @Parameters(index = "1..*", arity = "1..*", paramLabel = "CERT")
+    lateinit var certificates: List<String>
+
+    @Option(names = ["--not-before"], paramLabel = "DATE") var notBefore: String = "-"
+
+    @Option(names = ["--not-after"], paramLabel = "DATE") var notAfter: String = "now"
+
+    override fun run() {
+        val detachedVerify =
+            throwIfUnsupportedSubcommand(SopCLI.getSop().detachedVerify(), "verify")
+        try {
+            detachedVerify.notAfter(parseNotAfter(notAfter))
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-after")
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+
+        try {
+            detachedVerify.notBefore(parseNotBefore(notBefore))
+        } catch (unsupportedOption: UnsupportedOption) {
+            val errorMsg = getMsg("sop.error.feature_support.option_not_supported", "--not-before")
+            throw UnsupportedOption(errorMsg, unsupportedOption)
+        }
+
+        for (certInput in certificates) {
+            try {
+                getInput(certInput).use { certIn -> detachedVerify.cert(certIn) }
+            } catch (ioException: IOException) {
+                throw RuntimeException(ioException)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.not_a_certificate", certInput)
+                throw BadData(errorMsg, badData)
+            }
+        }
+
+        try {
+            getInput(signature).use { sigIn -> detachedVerify.signatures(sigIn) }
+        } catch (e: IOException) {
+            throw RuntimeException(e)
+        } catch (badData: BadData) {
+            val errorMsg = getMsg("sop.error.input.not_a_signature", signature)
+            throw BadData(errorMsg, badData)
+        }
+
+        val verifications =
+            try {
+                detachedVerify.data(System.`in`)
+            } catch (e: NoSignature) {
+                val errorMsg = getMsg("sop.error.runtime.no_verifiable_signature_found")
+                throw NoSignature(errorMsg, e)
+            } catch (ioException: IOException) {
+                throw RuntimeException(ioException)
+            } catch (badData: BadData) {
+                val errorMsg = getMsg("sop.error.input.stdin_not_a_message")
+                throw BadData(errorMsg, badData)
+            }
+
+        for (verification in verifications) {
+            println(verification.toString())
+        }
+    }
+}

sop-java-picocli/src/main/kotlin/sop/cli/picocli/commands/VersionCmd.kt

@@ -0,0 +1,57 @@
+// SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package sop.cli.picocli.commands
+
+import picocli.CommandLine.ArgGroup
+import picocli.CommandLine.Command
+import picocli.CommandLine.Option
+import sop.cli.picocli.SopCLI
+import sop.exception.SOPGPException
+
+@Command(
+    name = "version",
+    resourceBundle = "msg_version",
+    exitCodeOnInvalidInput = SOPGPException.UnsupportedOption.EXIT_CODE)
+class VersionCmd : AbstractSopCmd() {
+
+    @ArgGroup var exclusive: Exclusive? = null
+
+    class Exclusive {
+        @Option(names = ["--extended"]) var extended: Boolean = false
+        @Option(names = ["--backend"]) var backend: Boolean = false
+        @Option(names = ["--sop-spec"]) var sopSpec: Boolean = false
+        @Option(names = ["--sopv"]) var sopv: Boolean = false
+    }
+
+    override fun run() {
+        val version = throwIfUnsupportedSubcommand(SopCLI.getSop().version(), "version")
+
+        if (exclusive == null) {
+            // No option provided
+            println("${version.getName()} ${version.getVersion()}")
+            return
+        }
+
+        if (exclusive!!.extended) {
+            println(version.getExtendedVersion())
+            return
+        }
+
+        if (exclusive!!.backend) {
+            println(version.getBackendVersion())
+            return
+        }
+
+        if (exclusive!!.sopSpec) {
+            println(version.getSopSpecVersion())
+            return
+        }
+
+        if (exclusive!!.sopv) {
+            println(version.getSopVVersion())
+            return
+        }
+    }
+}

sop-java-picocli/src/main/resources/msg_armor.properties

@@ -0,0 +1,15 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Add ASCII Armor to standard input
+
+standardInput=BINARY
+standardInputDescription=OpenPGP material (SIGNATURES, KEYS, CERTS, CIPHERTEXT, INLINESIGNED)
+standardOutput=ARMORED
+standardOutputDescription=Same material, but with ASCII-armoring added, if not already present
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.synopsisHeading=Usage:\u0020
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n

sop-java-picocli/src/main/resources/msg_armor_de.properties

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Schütze Standard-Eingabe mit ASCII Armor
+
+standardInputDescription=OpenPGP Material (SIGNATURES, KEYS, CERTS, CIPHERTEXT, INLINESIGNED)
+standardOutputDescription=Dasselbe Material, aber mit ASCII Armor kodiert, falls noch nicht geschehen
+
+stacktrace=Stacktrace ausgeben
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.synopsisHeading=Aufruf:\u0020
+usage.optionListHeading=%nOptionen:%n
+usage.footerHeading=Powered by Picocli%n

sop-java-picocli/src/main/resources/msg_certify-userid.properties

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Certify OpenPGP Certificate User IDs
+no-armor=ASCII armor the output
+userid=Identities that shall be certified
+with-key-password.0=Passphrase to unlock the secret key(s).
+with-key-password.1=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+no-require-self-sig=Certify the UserID regardless of whether self-certifications are present
+KEYS[0..*]=Private keys
+
+standardInput=CERTS
+standardInputDescription=Certificates that shall be certified
+standardOutput=CERTS
+standardOutputDescription=Certified certificates
+
+picocli.endofoptions.description=End of options. Remainder are positional parameters. Fixes 'Missing required parameter' error
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.parameterListHeading=%nParameters:%n
+usage.synopsisHeading=Usage:\u0020
+usage.commandListHeading=%nCommands:%n
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n

sop-java-picocli/src/main/resources/msg_certify-userid_de.properties

@@ -0,0 +1,22 @@
+# SPDX-FileCopyrightText: 2024 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Zertifiziere OpenPGP Zertifikat Identitäten
+no-armor=Schütze Ausgabe mit ASCII Armor
+userid=Identität, die zertifiziert werden soll
+with-key-password.0=Passwort zum Entsperren der privaten Schlüssel
+with-key-password.1=Ist INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+no-require-self-sig=Zertifiziere die Identität, unabhängig davon, ob eine Selbstzertifizierung vorhanden ist
+KEYS[0..*]=Private Schlüssel
+
+standardInputDescription=Zertifikate, auf denen Identitäten zertifiziert werden sollen
+standardOutputDescription=Zertifizierte Zertifikate
+
+picocli.endofoptions.description=Ende der Optionen. Der Rest sind Positionsparameter. Behebt 'Missing required parameter' Fehler
+
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.parameterListHeading=%nParameter:%n
+usage.synopsisHeading=Aufruf:\u0020
+usage.commandListHeading=%nBefehle:%n
+usage.optionListHeading=%nOptionen:%n
+usage.footerHeading=Powered by Picocli%n

sop-java-picocli/src/main/resources/msg_change-key-password.properties

@@ -0,0 +1,26 @@
+# SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Update the password of a key
+usage.description.0=Unlock all secret keys from STDIN using the given old passwords and emit them re-locked using the new password to STDOUT.
+usage.description.1=If any (sub-) key cannot be unlocked, this operation will exit with error code 67.
+no-armor=ASCII armor the output
+new-key-password.0=New password to lock the keys with.
+new-key-password.1=If no new password is passed in, the keys will be emitted unlocked.
+new-key-password.2=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+old-key-password.0=Old passwords to unlock the keys with.
+old-key-password.1=Multiple passwords can be passed in, which are tested sequentially to unlock locked subkeys.
+old-key-password.2=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+
+standardInput=KEYS
+standardInputDescription=OpenPGP keys whose passphrases shall be changed
+standardOutput=KEYS
+standardOutputDescription=OpenPGP keys with changed passphrases
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.descriptionHeading=%nDescription:%n
+usage.synopsisHeading=Usage:\u0020
+usage.commandListHeading=%nCommands:%n
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n

sop-java-picocli/src/main/resources/msg_change-key-password_de.properties

@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: 2023 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Ändere das Passwort eines Schlüssels
+usage.description.0=Entsperre alle Schlüssel von Standard-Eingabe mithilfe der alten Passwörter und gebe sie mit dem neuen Passwort gesperrt auf Standard-Ausgabe aus.
+usage.description.1=Falls einer oder mehrere (Unter-)Schlüssel nicht entsperrt werden können, gibt diese Operation den Fehlercode 67 aus.
+no-armor=Schütze Ausgabe mit ASCII Armor
+new-key-password.0=Neues Passwort zur Sperrung der Schlüssel.
+new-key-password.1=Falls kein neues Passwort angegeben wird, werden die Schlüssel entsperrt ausgegeben.
+new-key-password.2=Ist ein INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+old-key-password.0=Alte Passwörter zum Entsperren der Schlüssel.
+old-key-password.1=Mehrere Passwortkandidaten können übergeben werden, welche der Reihe nach durchprobiert werden, um Unterschlüssel zu entsperren.
+old-key-password.2=Ist ein INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+
+standardInputDescription=OpenPGP Schlüssel deren Passwörter geändert werden sollen
+standardOutputDescription=OpenPGP Schlüssel mit geänderten Passwörtern
+
+stacktrace=Stacktrace ausgeben
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.descriptionHeading=%nBeschreibung:%n
+usage.synopsisHeading=Aufruf:\u0020
+usage.commandListHeading=%nBefehle:%n
+usage.optionListHeading=%nOptionen:%n
+usage.footerHeading=Powered by Picocli%n

sop-java-picocli/src/main/resources/msg_dearmor.properties

@@ -0,0 +1,16 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Remove ASCII Armor from standard input
+
+standardInput=ARMORED
+standardInputDescription=Armored OpenPGP material (SIGNATURES, KEYS, CERTS, CIPHERTEXT, INLINESIGNED)
+standardOutput=BINARY
+standardOutputDescription=Same material, but with ASCII-armoring removed
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.synopsisHeading=Usage:\u0020
+usage.commandListHeading=%nCommands:%n
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n

sop-java-picocli/src/main/resources/msg_dearmor_de.properties

@@ -0,0 +1,14 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Entferne ASCII Armor von Standard-Eingabe
+
+standardInputDescription=OpenPGP Material mit ASCII Armor (SIGNATURES, KEYS, CERTS, CIPHERTEXT, INLINESIGNED)
+standardOutputDescription=Dasselbe Material, aber mit entfernter ASCII Armor
+
+stacktrace=Stacktrace ausgeben
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.synopsisHeading=Aufruf:\u0020
+usage.commandListHeading=%nBefehle:%n
+usage.optionListHeading=%nOptionen:%n
+usage.footerHeading=Powered by Picocli%n

sop-java-picocli/src/main/resources/msg_decrypt.properties

@@ -0,0 +1,36 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Decrypt a message
+session-key-out=Can be used to learn the session key on successful decryption
+with-session-key.0=Symmetric message key (session key).
+with-session-key.1=Enables decryption of the "CIPHERTEXT" using the session key directly against the "SEIPD" packet.
+with-session-key.2=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+with-password.0=Symmetric passphrase to decrypt the message with.
+with-password.1=Enables decryption based on any "SKESK" packets in the "CIPHERTEXT".
+with-password.2=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+verify-out=Emits signature verification status to the designated output
+verify-with=Certificates for signature verification
+verify-not-before.0=ISO-8601 formatted UTC date (e.g. '2020-11-23T16:35Z)
+verify-not-before.1=Reject signatures with a creation date not in range.
+verify-not-before.2=Defaults to beginning of time ('-').
+verify-not-after.0=ISO-8601 formatted UTC date (e.g. '2020-11-23T16:35Z)
+verify-not-after.1=Reject signatures with a creation date not in range.
+verify-not-after.2=Defaults to current system time ('now').
+verify-not-after.3=Accepts special value '-' for end of time.
+with-key-password.0=Passphrase to unlock the secret key(s).
+with-key-password.1=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+KEY[0..*]=Secret keys to attempt decryption with
+
+standardInput=CIPHERTEXT
+standardInputDescription=Encrypted OpenPGP message
+standardOutput=DATA
+standardOutputDescription=Decrypted OpenPGP message
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.parameterListHeading=%nParameters:%n
+usage.synopsisHeading=Usage:\u0020
+usage.commandListHeading=%nCommands:%n
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n

sop-java-picocli/src/main/resources/msg_decrypt_de.properties

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Entschlüssle eine Nachricht
+session-key-out=Extrahiere den Nachrichtenschlüssel nach erfolgreicher Entschlüsselung
+with-session-key.0=Symmetrischer Nachrichtenschlüssel (Sitzungsschlüssel).
+with-session-key.1=Ermöglicht direkte Entschlüsselung des im "CIPHERTEXT" enthaltenen "SEIPD" Paketes mithilfe des Nachrichtenschlüssels.
+with-session-key.2=Ist INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+with-password.0=Symmetrisches Passwort zur Entschlüsselung der Nachricht.
+with-password.1=Ermöglicht Entschlüsselung basierend auf im "CIPHERTEXT" enthaltenen "SKESK" Paketen.
+with-password.2=Ist INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+verify-out=Schreibe Status der Signaturprüfung in angegebene Ausgabe
+verify-with=Zertifikate zur Signaturprüfung
+verify-not-before.0=Nach ISO-8601 formatierter UTC Zeitstempel (z.B.. '2020-11-23T16:35Z)
+verify-not-before.1=Lehne Signaturen mit Erstellungsdatum außerhalb des Gültigkeitsbereichs ab.
+verify-not-before.2=Standardmäßig: Anbeginn der Zeit ('-').
+verify-not-after.0=Nach ISO-8601 formatierter UTC Zeitstempel (z.B.. '2020-11-23T16:35Z)
+verify-not-after.1=Lehne Signaturen mit Erstellungsdatum außerhalb des Gültigkeitsbereichs ab.
+verify-not-after.2=Standardmäßig: Aktueller Zeitpunkt ('now').
+verify-not-after.3=Akzeptiert speziellen Wert '-' für das Ende aller Zeiten.
+with-key-password.0=Passwort zum Entsperren der privaten Schlüssel
+with-key-password.1=Ist INDIREKTER Datentyp (z.B.. Datei, Umgebungsvariable, Dateideskriptor...).
+KEY[0..*]=Private Schlüssel zum Entschlüsseln der Nachricht
+
+standardInputDescription=Verschlüsselte OpenPGP Nachricht
+standardOutputDescription=Entschlüsselte OpenPGP Nachricht
+
+stacktrace=Stacktrace ausgeben
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.parameterListHeading=%nParameter:%n
+usage.synopsisHeading=Aufruf:\u0020
+usage.commandListHeading=%nBefehle:%n
+usage.optionListHeading=%nOptionen:%n
+usage.footerHeading=Powered by Picocli%n

sop-java-picocli/src/main/resources/msg_detached-sign.properties

@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: 2022 Paul Schaub <vanitasvitae@fsfe.org>
+#
+# SPDX-License-Identifier: Apache-2.0
+usage.header=Create a detached message signature
+no-armor=ASCII armor the output
+as.0=Specify the output format of the signed message.
+as.1=Defaults to 'binary'.
+as.2=If '--as=text' and the input data is not valid UTF-8, sign fails with return code 53.
+with-key-password.0=Passphrase to unlock the secret key(s).
+with-key-password.1=Is an INDIRECT data type (e.g. file, environment variable, file descriptor...).
+micalg-out=Emits the digest algorithm used to the specified file in a way that can be used to populate the micalg parameter for the PGP/MIME Content-Type (RFC3156).
+KEYS[0..*]=Secret keys used for signing
+
+standardInput=DATA
+standardInputDescription=Data that shall be signed
+standardOutput=SIGNATURES
+standardOutputDescription=Detached OpenPGP signature(s)
+
+stacktrace=Print stacktrace
+# Generic TODO: Remove when bumping picocli to 4.7.0
+usage.parameterListHeading=%nParameters:%n
+usage.synopsisHeading=Usage:\u0020
+usage.commandListHeading=%nCommands:%n
+usage.optionListHeading=%nOptions:%n
+usage.footerHeading=Powered by picocli%n