diff --git a/.gitignore b/.gitignore
index a4b5234..2ec5133 100644
--- a/.gitignore
+++ b/.gitignore
@@ -80,3 +80,5 @@ gnupg-2.0.16.tar.bz2.sig
 /gnupg-2.2.12.tar.bz2.sig
 /gnupg-2.2.13.tar.bz2
 /gnupg-2.2.13.tar.bz2.sig
+/gnupg-2.2.16.tar.bz2
+/gnupg-2.2.16.tar.bz2.sig
diff --git a/gnupg-2.1.1-ocsp-keyusage.patch b/gnupg-2.1.1-ocsp-keyusage.patch
deleted file mode 100644
index 3b7be41..0000000
--- a/gnupg-2.1.1-ocsp-keyusage.patch
+++ /dev/null
@@ -1,17 +0,0 @@
-diff -up gnupg-2.1.1/sm/certlist.c.keyusage gnupg-2.1.1/sm/certlist.c
---- gnupg-2.1.1/sm/certlist.c.keyusage 2014-11-27 11:51:36.000000000 +0100
-+++ gnupg-2.1.1/sm/certlist.c 2015-01-29 17:30:57.117135497 +0100
-@@ -146,10 +146,9 @@ cert_usage_p (ksba_cert_t cert, int mode
-
- if (mode == 5)
- {
-- if (use != ~0
-- && (have_ocsp_signing
-- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-- |KSBA_KEYUSAGE_CRL_SIGN))))
-+ if (have_ocsp_signing
-+ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-+ |KSBA_KEYUSAGE_CRL_SIGN)))
- return 0;
- log_info (_("certificate should not have "
- "been used for OCSP response signing\n"));
diff --git a/gnupg-2.2.12-build.patch b/gnupg-2.2.12-build.patch
deleted file mode 100644
index 7314b86..0000000
--- a/gnupg-2.2.12-build.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up gnupg-2.2.12/dirmngr/dns.h.build gnupg-2.2.12/dirmngr/dns.h
---- gnupg-2.2.12/dirmngr/dns.h.build 2017-08-28 12:22:54.000000000 +0200
-+++ gnupg-2.2.12/dirmngr/dns.h 2019-02-04 14:46:53.420995232 +0100
-@@ -154,7 +154,7 @@ DNS_PUBLIC int *dns_debug_p(void);
-
- #define dns_quietinit(...) \
- DNS_PRAGMA_PUSH DNS_PRAGMA_QUIET __VA_ARGS__ DNS_PRAGMA_POP
--#elif (__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || __GNUC__ > 4
-+#elif ((__GNUC__ == 4 && __GNUC_MINOR__ >= 6) || __GNUC__ > 4) && __GNUC__ < 9
- #define DNS_PRAGMA_PUSH _Pragma("GCC diagnostic push")
- #define DNS_PRAGMA_QUIET _Pragma("GCC diagnostic ignored \"-Woverride-init\"")
- #define DNS_PRAGMA_POP _Pragma("GCC diagnostic pop")
diff --git a/gnupg-2.2.16-ocsp-keyusage.patch b/gnupg-2.2.16-ocsp-keyusage.patch
new file mode 100644
index 0000000..eeed053
--- /dev/null
+++ b/gnupg-2.2.16-ocsp-keyusage.patch
@@ -0,0 +1,17 @@
+diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
+--- gnupg-2.2.16/sm/certlist.c.keyusage 2019-07-01 17:17:06.925254065 +0200
++++ gnupg-2.2.16/sm/certlist.c 2019-07-01 17:24:15.665759322 +0200
+@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
+
+ if (mode == 5)
+ {
+- if (use != ~0
+- && (have_ocsp_signing
+- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+- |KSBA_KEYUSAGE_CRL_SIGN))))
++ if (have_ocsp_signing
++ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
++ |KSBA_KEYUSAGE_CRL_SIGN)))
+ return 0;
+ if (!silent)
+ log_info (_("certificate should not have "
diff --git a/gnupg2.spec b/gnupg2.spec
index fd00a3f..c3b1334 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -6,7 +6,7 @@ Summary: Utility for secure communication and data storage
 Name: gnupg2
-Version: 2.2.13
+Version: 2.2.16
 Release: 1%{?dist}
 License: GPLv3+
@@ -17,11 +17,11 @@ Patch1: gnupg-2.1.21-insttools.patch
 Patch3: gnupg-2.1.10-secmem.patch
 # non-upstreamable patch adding file-is-digest option needed for Copr
 Patch4: gnupg-2.2.8-file-is-digest.patch
-Patch5: gnupg-2.1.1-ocsp-keyusage.patch
+# fix handling of missing key usage on ocsp replies - upstream T1333
+Patch5: gnupg-2.2.16-ocsp-keyusage.patch
 Patch6: gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
 Patch9: gnupg-2.1.21-large-rsa.patch
-Patch10: gnupg-2.2.12-build.patch
 URL: http://www.gnupg.org/
@@ -98,7 +98,6 @@ to the base GnuPG package
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
-%patch10 -p1 -b .build
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
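Review bot: In gnupg-2.2.16-ocsp-keyusage.patch, dropping the `use != ~0` guard from the `mode == 5` branch of `cert_usage_p` lets a certificate whose `use` is all-ones satisfy `use & (KSBA_KEYUSAGE_KEY_CERT_SIGN|KSBA_KEYUSAGE_CRL_SIGN)` on its own, whether or not `have_ocsp_signing` is set. If `~0` is the value the function assigns when the keyUsage extension is absent (the spec comment's "missing key usage" suggests so, but that assignment is outside the hunk), then any certificate without the extension passes the OCSP response-signer usage check, and the limit on who may sign responses rests on chain validation and responder authorisation done elsewhere. The carried patch file has no description header; I would add one recording this trade-off and the reference, for example `Accept OCSP signer certificates that carry no keyUsage extension (upstream T1333); signer authorisation is not enforced by this check.` The body of `cert_usage_p` starts and ends outside the hunk.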
@@ -205,6 +204,9 @@ make -k check
 %changelog
+* Mon Jul 1 2019 Tomáš Mráz - 2.2.16-1
+- upgrade to 2.2.16
+
 * Tue Feb 26 2019 Tomáš Mráz - 2.2.13-1
 - upgrade to 2.2.13
diff --git a/sources b/sources
index 5418483..3e6e780 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (gnupg-2.2.13.tar.bz2) = 3770e33902ca608f567bc9f0decb57129b77dd3479e5c1bbd569ede4c1f6690cdfe00105ffdc1e7721faa331abcb879adb56e87931313b13ed48763763c6632f
-SHA512 (gnupg-2.2.13.tar.bz2.sig) = e9f4700df797f2ebbab5a8a231f8aae58103c8c0db2490e1d6c640b83f8ce144021ec932f14495b02a6dd4b8b550ef83c3a3b64bfe1d2cf9dd59aca771036670
+SHA512 (gnupg-2.2.16.tar.bz2) = 0e0040905cc4d1d9d29e184cfeda520b43990e4ec459212537c0ce6092de987157e05b1d1a3022398d9b3cbaeea0f58a7e686745f96933e5ac26be4229162247
+SHA512 (gnupg-2.2.16.tar.bz2.sig) = 76fab64386fc46c735f7b0696cd7063910e818ffa32b51dd6f9bab57aef9ca5addbc8e05cf6cf10ec562685c286c6d03aa879204dc129127a10f68dc43e01bd6