29 changed files with 750 additions and 2608 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
 1
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1 @@
-/*.rpm
+SOURCES/gnupg-2.2.20.tar.bz2
 /gnupg-*.tar.bz*
 /gnupg-*/
 /results_gnupg2/
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@ -0,0 +1 @@
 d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2
--- a/SOURCES/gnupg-2.1.1-fips-algo.patch
+++ b/SOURCES/gnupg-2.1.1-fips-algo.patch
@ -0,0 +1,13 @@
 diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
 --- gnupg-2.1.1/g10/mainproc.c.fips	2015-01-29 17:19:49.266031504 +0100
 +++ gnupg-2.1.1/g10/mainproc.c	2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
          according to 2440, so hopefully it won't come up that often.
          There is no good way to specify what algorithms to use in
          that case, so these there are the historical answer. */
 -	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +	if (!gcry_fips_mode_active())
 +            gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
     }
   if (DBG_HASHING)
--- a/SOURCES/gnupg-2.1.10-secmem.patch
+++ b/SOURCES/gnupg-2.1.10-secmem.patch
--- a/SOURCES/gnupg-2.1.21-insttools.patch
+++ b/SOURCES/gnupg-2.1.21-insttools.patch
@ -0,0 +1,62 @@
 diff -up gnupg-2.1.21/tools/Makefile.am.insttools gnupg-2.1.21/tools/Makefile.am
 --- gnupg-2.1.21/tools/Makefile.am.insttools	2017-04-03 17:13:56.000000000 +0200
 +++ gnupg-2.1.21/tools/Makefile.am	2017-07-18 12:10:59.431729640 +0200
@@ -35,8 +35,8 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER
 sbin_SCRIPTS = addgnupghome applygnupgdefaults
 if HAVE_USTAR
 -# bin_SCRIPTS += gpg-zip
 -noinst_SCRIPTS = gpg-zip
 +bin_PROGRAMS += gpg-zip
 +#noinst_SCRIPTS = gpg-zip
 endif
 if BUILD_SYMCRYPTRUN
@@ -53,7 +53,7 @@ endif
 libexec_PROGRAMS = gpg-wks-client
 -bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun}
 +bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} gpgsplit
 if !HAVE_W32_SYSTEM
 bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server}
 endif
@@ -63,7 +63,7 @@ libexec_PROGRAMS += gpg-check-pattern
 endif
 if !HAVE_W32CE_SYSTEM
 -noinst_PROGRAMS = clean-sat make-dns-cert gpgsplit
 +noinst_PROGRAMS = clean-sat make-dns-cert
 endif
 if !HAVE_W32CE_SYSTEM
 diff -up gnupg-2.1.21/tools/Makefile.in.insttools gnupg-2.1.21/tools/Makefile.in
 --- gnupg-2.1.21/tools/Makefile.in.insttools	2017-05-15 16:15:04.000000000 +0200
 +++ gnupg-2.1.21/tools/Makefile.in	2017-07-18 12:12:17.907734745 +0200
@@ -137,13 +137,13 @@ DIST_COMMON = $(top_srcdir)/am/cmacros.a
 @GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\""
 @HAVE_W32_SYSTEM_TRUE@am__append_8 = gpg-connect-agent-w32info.o
 libexec_PROGRAMS = gpg-wks-client$(EXEEXT) $(am__EXEEXT_5)
 -bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \
 +bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) gpgsplit$(EXEEXT) \
 	$(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_4)
 @HAVE_W32_SYSTEM_FALSE@am__append_9 = watchgnupg gpgparsemail ${gpg_wks_server}
 @DISABLE_REGEX_FALSE@am__append_10 = gpg-check-pattern
 @HAVE_W32CE_SYSTEM_FALSE@noinst_PROGRAMS = clean-sat$(EXEEXT) \
 @HAVE_W32CE_SYSTEM_FALSE@	make-dns-cert$(EXEEXT) \
 -@HAVE_W32CE_SYSTEM_FALSE@	gpgsplit$(EXEEXT) $(am__EXEEXT_6)
 +@HAVE_W32CE_SYSTEM_FALSE@	$(am__EXEEXT_6)
 @BUILD_GPGTAR_TRUE@@HAVE_W32CE_SYSTEM_FALSE@am__append_11 = gpgtar
 @BUILD_GPGTAR_FALSE@@HAVE_W32CE_SYSTEM_FALSE@am__append_12 = gpgtar
 subdir = tools
@@ -582,8 +582,8 @@ libcommontlsnpth = ../common/libcommontl
 AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
 sbin_SCRIPTS = addgnupghome applygnupgdefaults
 -# bin_SCRIPTS += gpg-zip
 -@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
 +@HAVE_USTAR_TRUE@bin_PROGRAMS += gpg-zip
 +#@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
 @BUILD_SYMCRYPTRUN_FALSE@symcryptrun = 
 @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun
 @BUILD_WKS_TOOLS_FALSE@gpg_wks_server = 
--- a/SOURCES/gnupg-2.1.21-large-rsa.patch
+++ b/SOURCES/gnupg-2.1.21-large-rsa.patch
@ -0,0 +1,12 @@
 diff -up gnupg-2.1.21/g10/keygen.c.large-rsa gnupg-2.1.21/g10/keygen.c
 --- gnupg-2.1.21/g10/keygen.c.large-rsa	2017-05-15 14:13:22.000000000 +0200
 +++ gnupg-2.1.21/g10/keygen.c	2017-07-18 16:12:37.738895016 +0200
@@ -2091,7 +2091,7 @@ get_keysize_range (int algo, unsigned in
     default:
       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
 -      *max = 4096;
 +      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
       def = 2048;
       break;
     }
--- a/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
+++ b/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
@ -0,0 +1,17 @@
 diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
 --- gnupg-2.2.16/sm/certlist.c.keyusage	2019-07-01 17:17:06.925254065 +0200
 +++ gnupg-2.2.16/sm/certlist.c	2019-07-01 17:24:15.665759322 +0200
@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
   if (mode == 5)
     {
 -      if (use != ~0
 -          && (have_ocsp_signing
 -              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
 -                         |KSBA_KEYUSAGE_CRL_SIGN))))
 +      if (have_ocsp_signing
 +          || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
 +                     |KSBA_KEYUSAGE_CRL_SIGN)))
         return 0;
       if (!silent)
         log_info (_("certificate should not have "
--- a/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+++ b/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
--- a/SOURCES/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+++ b/SOURCES/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@ -1,4 +1,3 @@
 From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001
 From: Vincent Breitmoser <look@my.amazin.horse>
 Date: Thu, 13 Jun 2019 21:27:42 +0200
 Subject: gpg: allow import of previously known keys, even without UIDs
@ -14,14 +13,14 @@ This fixes two of the three broken tests in import-incomplete.scm.
 GnuPG-Bug-id: 4393
 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 ---
- g10/import.c | 45 +++++++++++----------------------------------
+ g10/import.c | 44 +++++++++++---------------------------------
- 1 file changed, 11 insertions(+), 34 deletions(-)
+ 1 file changed, 11 insertions(+), 33 deletions(-)
 diff --git a/g10/import.c b/g10/import.c
-index 9fab46ca6..c70a6221c 100644
+index 5d3162c..f9acf95 100644
 --- a/g10/import.c
 +++ b/g10/import.c
-@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
   size_t an;
   char pkstrbuf[PUBKEY_STRING_SIZE];
   int merge_keys_done = 0;
@ -29,7 +28,7 @@ index 9fab46ca6..c70a6221c 100644
   KEYDB_HANDLE hd = NULL;
   if (r_valid)
-@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
       log_printf ("\n");
     }
@ -44,12 +43,11 @@ index 9fab46ca6..c70a6221c 100644
   if (screener && screener (keyblock, screener_arg))
     {
       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
+@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
 	  }
     }
-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
 -  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
 -    {
 -      if (!silent)
 -        {
@ -63,11 +61,11 @@ index 9fab46ca6..c70a6221c 100644
 +  /* Delete invalid parts, and note if we have any valid ones left.
 +   * We will later abort import if this key is new but contains
 +   * no valid uids.  */
-+  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
+  delete_inv_parts (ctrl, keyblock, keyid, options);
   /* Get rid of deleted nodes.  */
   commit_kbnode (&keyblock);
-@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
+@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
     {
       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
       commit_kbnode (&keyblock);
@ -92,7 +90,7 @@ index 9fab46ca6..c70a6221c 100644
     }
   /* The keyblock is valid and ready for real import.  */
-@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
+@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
       err = 0;
       stats->skipped_new_keys++;
     }
--- a/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
+++ b/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
--- a/SOURCES/gnupg-2.2.20-CVE-2022-34903.patch
+++ b/SOURCES/gnupg-2.2.20-CVE-2022-34903.patch
@ -0,0 +1,50 @@
 From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
 From: Werner Koch <wk@gnupg.org>
 Date: Tue, 14 Jun 2022 11:33:27 +0200
 Subject: [PATCH GnuPG] g10: Fix garbled status messages in NOTATION_DATA
 * g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
 --
 Depending on the escaping and line wrapping the computed remaining
 buffer length could be wrong.  Fixed by always using a break to
 terminate the escape detection loop.  Might have happened for all
 status lines which may wrap.
 GnuPG-bug-id: T6027
 ---
 g10/cpr.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
 diff --git a/g10/cpr.c b/g10/cpr.c
 index 9bfdd3c34..fa8005d6f 100644
 --- a/g10/cpr.c
 +++ b/g10/cpr.c
@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
             }
           first = 0;
         }
 -      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
 +      for (esc=0, s=buffer, n=len; n; s++, n--)
         {
           if (*s == '%' || *(const byte*)s <= lower_limit
               || *(const byte*)s == 127 )
             esc = 1;
           if (wrap && ++count > wrap)
 -            {
 -              dowrap=1;
 -              break;
 -            }
 -        }
 -      if (esc)
 -        {
 -          s--; n++;
 +            dowrap=1;
 +          if (esc || dowrap)
 +            break;
         }
       if (s != buffer)
         es_fwrite (buffer, s-buffer, 1, statusfp);
 -- 
 2.37.1
--- a/SOURCES/gnupg-2.2.20-coverity.patch
+++ b/SOURCES/gnupg-2.2.20-coverity.patch
@ -0,0 +1,319 @@
 diff -up gnupg-2.2.20/common/server-help.c.coverity gnupg-2.2.20/common/server-help.c
 --- gnupg-2.2.20/common/server-help.c.coverity	2019-02-11 10:59:34.000000000 +0100
 +++ gnupg-2.2.20/common/server-help.c	2020-05-04 12:00:01.085945639 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
   *pend = 0;
   *r_value = xtrystrdup (p);
   *pend = c;
 -  if (!p)
 +  if (!*r_value)
     return my_error_from_syserror ();
   return 0;
 }
 diff -up gnupg-2.2.20/dirmngr/dns.c.coverity gnupg-2.2.20/dirmngr/dns.c
 --- gnupg-2.2.20/dirmngr/dns.c.coverity	2019-07-09 11:08:45.000000000 +0200
 +++ gnupg-2.2.20/dirmngr/dns.c	2020-05-04 18:04:12.285521661 +0200
@@ -10106,9 +10106,8 @@ static const struct {
 	{ "AR",         DNS_S_ADDITIONAL },
 };
 -const char *(dns_strsection)(enum dns_section section) {
 -	char _dst[DNS_STRMAXLEN + 1] = { 0 };
 -	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
 +const char *(dns_strsection)(enum dns_section section, void *_dst, size_t lim) {
 +	struct dns_buf dst = DNS_B_INTO(_dst, lim);
 	unsigned i;
 	for (i = 0; i < lengthof(dns_sections); i++) {
@@ -10156,9 +10155,8 @@ static const struct {
 	{ "IN", DNS_C_IN },
 };
 -const char *(dns_strclass)(enum dns_class type) {
 -	char _dst[DNS_STRMAXLEN + 1] = { 0 };
 -	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
 +const char *(dns_strclass)(enum dns_class type, void *_dst, size_t lim) {
 +	struct dns_buf dst = DNS_B_INTO(_dst, lim);
 	unsigned i;
 	for (i = 0; i < lengthof(dns_classes); i++) {
@@ -10193,9 +10191,8 @@ enum dns_class dns_iclass(const char *na
 } /* dns_iclass() */
 -const char *(dns_strtype)(enum dns_type type) {
 -	char _dst[DNS_STRMAXLEN + 1] = { 0 };
 -	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
 +const char *(dns_strtype)(enum dns_type type, void *_dst, size_t lim) {
 +	struct dns_buf dst = DNS_B_INTO(_dst, lim);
 	unsigned i;
 	for (i = 0; i < lengthof(dns_rrtypes); i++) {
 diff -up gnupg-2.2.20/dirmngr/dns.h.coverity gnupg-2.2.20/dirmngr/dns.h
 --- gnupg-2.2.20/dirmngr/dns.h.coverity	2019-03-07 13:03:26.000000000 +0100
 +++ gnupg-2.2.20/dirmngr/dns.h	2020-05-04 18:04:12.287521625 +0200
@@ -272,15 +272,25 @@ enum dns_rcode {
  */
 #define DNS_STRMAXLEN 47 /* "QUESTION|ANSWER|AUTHORITY|ADDITIONAL" */
 -DNS_PUBLIC const char *dns_strsection(enum dns_section);
 +DNS_PUBLIC const char *dns_strsection(enum dns_section, void *, size_t);
 +#define dns_strsection3(a, b, c) \
 +				dns_strsection((a), (b), (c))
 +#define dns_strsection1(a)	dns_strsection((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
 +#define dns_strsection(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strsection, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
 DNS_PUBLIC enum dns_section dns_isection(const char *);
 -DNS_PUBLIC const char *dns_strclass(enum dns_class);
 +DNS_PUBLIC const char *dns_strclass(enum dns_class, void *, size_t);
 +#define dns_strclass3(a, b, c)	dns_strclass((a), (b), (c))
 +#define dns_strclass1(a)	dns_strclass((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
 +#define dns_strclass(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strclass, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
 DNS_PUBLIC enum dns_class dns_iclass(const char *);
 -DNS_PUBLIC const char *dns_strtype(enum dns_type);
 +DNS_PUBLIC const char *dns_strtype(enum dns_type, void *, size_t);
 +#define dns_strtype3(a, b, c)	dns_strtype((a), (b), (c))
 +#define dns_strtype1(a)		dns_strtype((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
 +#define dns_strtype(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strtype, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
 DNS_PUBLIC enum dns_type dns_itype(const char *);
 diff -up gnupg-2.2.20/dirmngr/domaininfo.c.coverity gnupg-2.2.20/dirmngr/domaininfo.c
 --- gnupg-2.2.20/dirmngr/domaininfo.c.coverity	2019-07-09 11:08:45.000000000 +0200
 +++ gnupg-2.2.20/dirmngr/domaininfo.c	2020-05-04 17:54:30.800899152 +0200
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
           log_error ("domaininfo: error allocating helper array: %s\n",
                      gpg_strerror (gpg_err_code_from_syserror ()));
           drop_extra = bucket;
 +          xfree (di_new);
           goto leave;
         }
       narray = 0;
@@ -258,6 +259,8 @@ insert_or_update (const char *domain,
        * sensible strategy.  */
       drop_extra = domainbuckets[hash];
       domainbuckets[hash] = keep;
 +
 +      xfree (array);
     }
   /* Insert */
 diff -up gnupg-2.2.20/dirmngr/http.c.coverity gnupg-2.2.20/dirmngr/http.c
 --- gnupg-2.2.20/dirmngr/http.c.coverity	2019-11-18 18:44:33.000000000 +0100
 +++ gnupg-2.2.20/dirmngr/http.c	2020-05-04 17:00:47.826878715 +0200
@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t
       if (!newurl)
         {
           err = gpg_error_from_syserror ();
 -          http_release_parsed_uri (locuri);
           return err;
         }
     }
@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t
       if (!newurl)
         {
           err = gpg_error_from_syserror ();
 -          http_release_parsed_uri (locuri);
           return err;
         }
     }
 diff -up gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.20/dirmngr/ks-engine-hkp.c
 --- gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity	2019-11-18 18:44:33.000000000 +0100
 +++ gnupg-2.2.20/dirmngr/ks-engine-hkp.c	2020-05-04 12:39:49.970920664 +0200
@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t
   int reselect;
   unsigned int httpflags;
   char *httphost = NULL;
 -  unsigned int http_status;
 +  unsigned int http_status = 0;
   unsigned int tries = SEND_REQUEST_RETRIES;
   unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
 diff -up gnupg-2.2.20/g10/card-util.c.coverity gnupg-2.2.20/g10/card-util.c
 --- gnupg-2.2.20/g10/card-util.c.coverity	2020-03-03 13:33:22.000000000 +0100
 +++ gnupg-2.2.20/g10/card-util.c	2020-05-04 16:56:47.788157786 +0200
@@ -704,7 +704,7 @@ card_status (ctrl_t ctrl, estream_t fp,
 {
   int err;
   strlist_t card_list, sl;
 -  char *serialno0, *serialno1;
 +  char *serialno0, *serialno1 = NULL;
   int all_cards = 0;
   int any_card = 0;
@@ -749,6 +749,7 @@ card_status (ctrl_t ctrl, estream_t fp,
       current_card_status (ctrl, fp, NULL, 0);
       xfree (serialno1);
 +      serialno1 = NULL;
       if (!all_cards)
         goto leave;
 diff -up gnupg-2.2.20/g10/import.c.coverity gnupg-2.2.20/g10/import.c
 --- gnupg-2.2.20/g10/import.c.coverity	2020-05-04 12:34:39.820379830 +0200
 +++ gnupg-2.2.20/g10/import.c	2020-05-04 12:34:55.366106195 +0200
@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl,
   if (opt.interactive && !silent)
     {
 -      if (is_status_enabled())
 +      if (uidnode && is_status_enabled())
         print_import_check (pk, uidnode->pkt->pkt.user_id);
       merge_keys_and_selfsig (ctrl, keyblock);
       tty_printf ("\n");
 diff -up gnupg-2.2.20/g10/keygen.c.coverity gnupg-2.2.20/g10/keygen.c
 --- gnupg-2.2.20/g10/keygen.c.coverity	2020-05-04 12:23:04.852613017 +0200
 +++ gnupg-2.2.20/g10/keygen.c	2020-05-04 17:33:18.923891110 +0200
@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl,
   char *endp;
   const char *curve = NULL;
   int ecdh_or_ecdsa = 0;
 -  unsigned int size;
 +  unsigned int size = 0;
   int keyuse;
   int i;
   const char *s;
@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i
      the self-signatures. */
   err = agent_readkey (NULL, 1, keyid, &public);
   if (err)
 -    return err;
 +    {
 +      xfree (pkt);
 +      xfree (pk);
 +      return err;
 +    }
   err = gcry_sexp_sscan (&s_key, NULL, public,
                          gcry_sexp_canon_len (public, 0, NULL, NULL));
   xfree (public);
   if (err)
 -    return err;
 +    {
 +      xfree (pkt);
 +      xfree (pk);
 +      return err;
 +    }
   if (algo == PUBKEY_ALGO_RSA)
     err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i
   if (err)
     {
       log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) );
 +      xfree (pkt);
       free_public_key (pk);
       return err;
     }
 diff -up gnupg-2.2.20/g10/sig-check.c.coverity gnupg-2.2.20/g10/sig-check.c
 --- gnupg-2.2.20/g10/sig-check.c.coverity	2020-05-04 12:18:18.515653963 +0200
 +++ gnupg-2.2.20/g10/sig-check.c	2020-05-04 12:18:33.599388425 +0200
@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t
                 {
                   /* Issued by a subkey.  */
                   signer = subk;
 +                  *is_selfsig = 1;
                   break;
                 }
             }
 diff -up gnupg-2.2.20/g10/sign.c.coverity gnupg-2.2.20/g10/sign.c
 --- gnupg-2.2.20/g10/sign.c.coverity	2020-04-30 11:56:43.909360043 +0200
 +++ gnupg-2.2.20/g10/sign.c	2020-05-04 12:08:56.651544958 +0200
@@ -823,7 +823,7 @@ write_signature_packets (ctrl_t ctrl,
       PKT_public_key *pk;
       PKT_signature *sig;
       gcry_md_hd_t md;
 -      gpg_error_t err;
 +      gpg_error_t err = 0;
       pk = sk_rover->pk;
 diff -up gnupg-2.2.20/kbx/keybox-dump.c.coverity gnupg-2.2.20/kbx/keybox-dump.c
 --- gnupg-2.2.20/kbx/keybox-dump.c.coverity	2019-08-23 15:59:06.000000000 +0200
 +++ gnupg-2.2.20/kbx/keybox-dump.c	2020-05-04 17:25:53.365946213 +0200
@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi
   while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) )
     {
       if (recno > to)
 -        break; /* Ready.  */
 +        {
 +          _keybox_release_blob (blob);
 +          break; /* Ready.  */
 +        }
       if (recno >= from)
         {
           if ((rc = _keybox_write_blob (blob, outfp)))
             {
 +              _keybox_release_blob (blob);
               fprintf (stderr, "error writing output: %s\n",
                        gpg_strerror (rc));
               goto leave;
 diff -up gnupg-2.2.20/tools/gpg-wks-server.c.coverity gnupg-2.2.20/tools/gpg-wks-server.c
 --- gnupg-2.2.20/tools/gpg-wks-server.c.coverity	2020-02-10 16:12:13.000000000 +0100
 +++ gnupg-2.2.20/tools/gpg-wks-server.c	2020-05-04 11:52:42.547643198 +0200
@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e
     }
  leave:
 -  if (err)
 +  if (fname)
     {
 -      es_fclose (outfp);
 -      gnupg_remove (fname);
 -    }
 -  else if (es_fclose (outfp))
 -    {
 -      err = gpg_error_from_syserror ();
 -      log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
 +      if (err)
 +        {
 +          es_fclose (outfp);
 +          gnupg_remove (fname);
 +        }
 +      else if (es_fclose (outfp))
 +        {
 +          err = gpg_error_from_syserror ();
 +          log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
 +        }
     }
   if (!err)
 diff -up gnupg-2.2.20/tools/wks-util.c.coverity gnupg-2.2.20/tools/wks-util.c
 --- gnupg-2.2.20/tools/wks-util.c.coverity	2020-05-04 12:02:21.839475031 +0200
 +++ gnupg-2.2.20/tools/wks-util.c	2020-05-04 17:23:19.552726949 +0200
@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec
 static gpg_error_t
 install_key_from_spec_file (const char *fname)
 {
 -  gpg_error_t err;
 +  gpg_error_t err = 0;
   estream_t fp;
   char *line = NULL;
   size_t linelen = 0;
@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user
   char *addrspec, *fname;
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
 -  if (err)
 -    return err;
 -
 -  es_printf ("%s %s\n", fname, addrspec);
 +  if (!err)
 +    es_printf ("%s %s\n", fname, addrspec);
   xfree (fname);
   xfree (addrspec);
@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
   if (err)
 -    return err;
 +    {
 +      xfree (addrspec);
 +      return err;
 +    }
   domain = strchr (addrspec, '@');
   if (domain)
--- a/SOURCES/gnupg-2.2.20-file-is-digest.patch
+++ b/SOURCES/gnupg-2.2.20-file-is-digest.patch
@ -0,0 +1,191 @@
 diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
 --- gnupg-2.2.20/g10/gpg.c.file-is-digest	2020-04-14 16:33:42.630269318 +0200
 +++ gnupg-2.2.20/g10/gpg.c	2020-04-14 16:34:46.455100086 +0200
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
     oTTYtype,
     oLCctype,
     oLCmessages,
 +    oFileIsDigest,
     oXauthority,
     oGroup,
     oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_s (oPersonalCompressPreferences,
                                          "personal-compress-preferences", "@"),
   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
 +  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
     opt.keyid_format = KF_NONE;
     opt.def_sig_expire = "0";
     opt.def_cert_expire = "0";
 +    opt.file_is_digest = 0;
     gnupg_set_homedir (NULL);
     opt.passphrase_repeat = 1;
     opt.emit_version = 0;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
 	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
 	    break;
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
 +	  case oFileIsDigest: opt.file_is_digest = 1; break;
           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
           case oIncludeKeyBlock:  opt.flags.include_key_block = 1; break;
 diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
 --- gnupg-2.2.20/g10/options.h.file-is-digest	2020-03-14 19:54:05.000000000 +0100
 +++ gnupg-2.2.20/g10/options.h	2020-04-14 16:33:42.634269245 +0200
@@ -202,6 +202,7 @@ struct
   int no_auto_check_trustdb;
   int preserve_permissions;
   int no_homedir_creation;
 +  int file_is_digest;
   struct groupitem *grouplist;
   int mangle_dos_filenames;
   int enable_progress_filter;
 diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
 --- gnupg-2.2.20/g10/sign.c.file-is-digest	2020-03-14 19:35:46.000000000 +0100
 +++ gnupg-2.2.20/g10/sign.c	2020-04-14 16:36:54.661751422 +0200
@@ -40,6 +40,7 @@
 #include "pkglue.h"
 #include "../common/sysutils.h"
 #include "call-agent.h"
 +#include "../common/host2net.h"
 #include "../common/mbox-util.h"
 #include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
       if (duration || opt.sig_policy_url
           || opt.sig_notations || opt.sig_keyserver_url)
         sig->version = 4;
 +	  else if (opt.file_is_digest)
 +        sig->version = 3;
       else
         sig->version = pk->version;
@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
           else
             err = 0;
         }
 -      hash_sigversion_to_magic (md, sig);
 -      gcry_md_final (md);
 +
 +      if (!opt.file_is_digest) {
 +	hash_sigversion_to_magic (md, sig);
 +	gcry_md_final (md);
 +      }
       if (!err)
         err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
     SK_LIST sk_rover = NULL;
     int multifile = 0;
     u32 duration=0;
 +    int sigclass = 0x00;
 +    u32 timestamp = 0;
     pfx = new_progress_context ();
     afx = new_armor_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	fname = NULL;
     if( fname && filenames->next && (!detached || encryptflag) )
 -	log_bug("multiple files can only be detached signed");
 +	log_bug("multiple files can only be detached signed\n");
 +
 +    if (opt.file_is_digest && (multifile || !fname))
 +	log_bug("file-is-digest only works with one file\n");
 +    if (opt.file_is_digest && !detached)
 +	log_bug("file-is-digest can only write detached signatures\n");
 +    if (opt.file_is_digest && !opt.def_digest_algo)
 +	log_bug("file-is-digest needs --digest-algo\n");
 +    if (opt.file_is_digest && opt.textmode)
 +	log_bug("file-is-digest doesn't work with --textmode\n");
     if(encryptflag==2
        && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
       goto leave;
     /* prepare iobufs */
 -    if( multifile )  /* have list of filenames */
 +    if( multifile || opt.file_is_digest)  /* have list of filenames */
 	inp = NULL; /* we do it later */
     else {
       inp = iobuf_open(fname);
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
     for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
       gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
 -    if( !multifile )
 +    if( !multifile && !opt.file_is_digest )
 	iobuf_push_filter( inp, md_filter, &mfx );
     if( detached && !encryptflag)
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
     write_status_begin_signing (mfx.md);
 +    sigclass = opt.textmode && !outfile? 0x01 : 0x00;
 +
     /* Setup the inner packet. */
     if( detached ) {
 	if( multifile ) {
@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
 	    if( opt.verbose )
               log_printf ("\n");
 	}
 +	else if (opt.file_is_digest) {
 +	    byte *mdb, ts[5];
 +	    size_t mdlen;
 +	    const char *fp;
 +	    int c, d;
 +
 +	    gcry_md_final(mfx.md);
 +	    /* this assumes gcry_md_read returns the same buffer */
 +	    mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
 +		mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
 +	    if (strlen(fname) != mdlen * 2 + 11)
 +	        log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
 +	    d = -1;
 +	    for (fp = fname ; *fp; ) {
 +		c = *fp++;
 +		if (c >= '0' && c <= '9')
 +		    c -= '0';
 +		else if (c >= 'a' && c <= 'f')
 +		    c -= 'a' - 10;
 +		else if (c >= 'A' && c <= 'F')
 +		    c -= 'A' - 10;
 +		else
 +		    log_bug("filename is not hex\n");
 +		if (d >= 0) {
 +		    *mdb++ = d << 4 | c;
 +		    c = -1;
 +		    if (--mdlen == 0) {
 +			mdb = ts;
 +			if (*fp++ != '@')
 +			    log_bug("missing time separator\n");
 +		    }
 +		}
 +		d = c;
 +	    }
 +	    sigclass = ts[0];
 +	    if (sigclass != 0x00 && sigclass != 0x01)
 +		log_bug("bad cipher class\n");
 +	    timestamp = buf32_to_u32(ts + 1);
 +	}
 	else {
 	    /* read, so that the filter can calculate the digest */
 	    while( iobuf_get(inp) != -1 )
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
     /* write the signatures */
     rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
 -                                  opt.textmode && !outfile? 0x01 : 0x00,
 -				  0, duration, detached ? 'D':'S', NULL);
 +                                  sigclass,
 +				  timestamp, duration, detached ? 'D':'S', NULL);
     if( rc )
         goto leave;
--- a/SOURCES/gnupg-2.2.20.tar.bz2.sig
+++ b/SOURCES/gnupg-2.2.20.tar.bz2.sig
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@ -1,84 +1,69 @@
-%bcond_with bootstrap
+%bcond_without unversioned_gpg
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
-Version: 2.4.5
+Version: 2.2.20
-Release: 2%{?dist}
+Release: 3%{?dist}
-License: CC0-1.0 AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later AND (BSD-3-Clause OR LGPL-3.0-or-later OR GPL-2.0-or-later) AND CC-BY-4.0 AND MIT
+License: GPLv3+
-Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
+Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
-Source1: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
+Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
-Source2: https://gnupg.org/signature_key.asc
+Patch1:  gnupg-2.1.21-insttools.patch
 # needed for compatibility with system FIPS mode
 Patch3:  gnupg-2.1.10-secmem.patch
 # non-upstreamable patch adding file-is-digest option needed for Copr
-# https://dev.gnupg.org/T1646
+Patch4:  gnupg-2.2.20-file-is-digest.patch
-Patch4:  gnupg-2.4.1-file-is-digest.patch
+# fix handling of missing key usage on ocsp replies - upstream T1333
 Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
 Patch6:  gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
-Patch9:  gnupg-2.2.23-large-rsa.patch
+Patch9:  gnupg-2.1.21-large-rsa.patch
 # fix missing uid on refresh from keys.openpgp.org
 # https://salsa.debian.org/debian/gnupg2/commit/f292beac1171c6c77faf41d1f88c2e0942ed4437
 Patch20: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
-Patch21: gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+Patch21: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
 Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
 Patch23: gnupg-2.2.20-CVE-2022-34903.patch
 # Fixes for issues found in Coverity scan - reported upstream
-Patch30: gnupg-2.2.21-coverity.patch
+Patch30: gnupg-2.2.20-coverity.patch
 # Revert the introduction of the RFC4880bis draft into defaults
 Patch31: gnupg2-revert-rfc4880bis.patch
 # Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
 Patch33: gnupg-2.4.3-restore-systemd-sockets.patch
 # Revert default EdDSA key types -- they do not work in FIPS Mode
 Patch34: gnupg-2.4.5-revert-default-eddsa.patch
 # https://dev.gnupg.org/T7129
 Patch35: gnupg-2.4.5-sast.patch
 URL:     https://www.gnupg.org/
 URL:     http://www.gnupg.org/
 #BuildRequires: automake libtool texinfo transfig
 BuildRequires: gcc
 BuildRequires: bzip2-devel
 BuildRequires: curl-devel
 BuildRequires: docbook-utils
 BuildRequires: gettext
-%if %{without bootstrap}
+BuildRequires: libassuan-devel >= 2.1.0
-# Require gnupg2 to verify sources, unless bootstrapping
+BuildRequires: libgcrypt-devel >= 1.7.0
-BuildRequires: gnupg2
+BuildRequires: libgpg-error-devel >= 1.31
-%endif
+BuildRequires: libksba-devel >= 1.3.0
 BuildRequires: libassuan-devel >= 2.5.0
 BuildRequires: libgcrypt-devel >= 1.9.1
 BuildRequires: libgpg-error-devel >= 1.46
 BuildRequires: libksba-devel >= 1.6.3
 BuildRequires: openldap-devel
 BuildRequires: libusb-devel
 BuildRequires: pcsc-lite-libs
 BuildRequires: ncurses-devel
 BuildRequires: npth-devel
-BuildRequires: readline-devel
+BuildRequires: readline-devel ncurses-devel
 BuildRequires: zlib-devel
 BuildRequires: gnutls-devel
 BuildRequires: sqlite-devel
 BuildRequires: fuse
 BuildRequires: make
 BuildRequires: systemd-rpm-macros
 BuildRequires: tpm2-tss-devel
 # for tests
 BuildRequires: openssh-clients
 BuildRequires: swtpm
-Requires: libgcrypt >= 1.9.1
+Requires: libgcrypt >= 1.7.0
-Requires: libgpg-error >= 1.46
+Requires: libgpg-error >= 1.31
 Recommends: pinentry
 Recommends: gnupg2-smime
-# for USB smart card support
+%if %{with unversioned_gpg}
 Recommends: pcsc-lite-ccid
 # pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
 Provides: gpg = %{version}-%{release}
 # Obsolete GnuPG-1 package
 Provides: gnupg = %{version}-%{release}
-Obsoletes: gnupg < 1.4.24
+Obsoletes: gnupg <= 1.4.10
 %endif
 Provides: dirmngr = %{version}-%{release}
 Obsoletes: dirmngr < 1.2.0-1
@ -87,7 +72,7 @@ Obsoletes: dirmngr < 1.2.0-1
 %package smime
 Summary: CMS encryption and signing tool and smart card support for GnuPG
-Requires: gnupg2%{?_isa} = %{version}-%{release}
+Requires: gnupg2 = %{version}-%{release}
 %description
@ -108,25 +93,23 @@ package adds support for smart cards and S/MIME encryption and signing
 to the base GnuPG package 
 %prep
 %if ! %{with bootstrap}
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %endif
 %setup -q -n gnupg-%{version}
 %if %{with unversioned_gpg}
 %patch1 -p1 -b .insttools
 %endif
 %patch3 -p1 -b .secmem
 %patch4 -p1 -b .file-is-digest
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
 %patch9 -p1 -b .large-rsa
 %patch20 -p1 -b .test_missing_uid
 %patch21 -p1 -b .prev_known_key
 %patch22 -p1 -b .good_revoc
 %patch23 -p1 -b .CVE-2022-34903
 %patch30 -p1 -b .coverity
 %patch 31 -p1 -b .revert-rfc4880bis
 %patch 33 -p1 -b .restore-systemd-sockets
 %patch 34 -p1 -R -b .eddsa
 %patch 35 -p1 -b .sast
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -137,42 +120,50 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
 %build
 %configure \
 %if %{without unversioned_gpg}
  --enable-gpg-is-gpg2 \
 %endif
  --disable-gpgtar \
  --disable-rpath \
  --enable-g13 \
  --disable-ccid-driver \
  --with-tss=intel \
  --enable-large-secmem
 # need scratch gpg database for tests
 mkdir -p $HOME/.gnupg
-%make_build
+make %{?_smp_mflags}
 %install
-%make_install \
+make install DESTDIR=%{buildroot} \
  INSTALL="install -p" \
  docdir=%{_pkgdocdir}
 %if %{without unversioned_gpg}
 # rename file conflicting with gnupg-1.x
 rename gnupg.7 gnupg2.7 %{buildroot}%{_mandir}/man7/gnupg.7*
 %endif
 %find_lang %{name}
 # gpgconf.conf
 mkdir -p %{buildroot}%{_sysconfdir}/gnupg
 touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
 mkdir -p %{buildroot}%{_sysconfdir}/profile.d
 echo "export GPG_TTY=\$(tty)" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.sh
 echo "setenv GPG_TTY \`tty\`" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.csh
 # more docs
 install -m644 -p AUTHORS NEWS THANKS TODO \
  %{buildroot}%{_pkgdocdir}
 %if %{with unversioned_gpg}
 # compat symlinks
 ln -sf gpg %{buildroot}%{_bindir}/gpg2
 ln -sf gpgv %{buildroot}%{_bindir}/gpgv2
 ln -sf gpg.1 %{buildroot}%{_mandir}/man1/gpg2.1
 ln -sf gpgv.1 %{buildroot}%{_mandir}/man1/gpgv2.1
 ln -sf gnupg.7 %{buildroot}%{_mandir}/man7/gnupg2.7
 %endif
 # info dir
 rm -f %{buildroot}%{_infodir}/dir
@ -192,34 +183,31 @@ make -k check
 %files -f %{name}.lang
 %{!?_licensedir:%global license %%doc}
 %license COPYING
 #doc AUTHORS NEWS README THANKS TODO
 %{_pkgdocdir}
 %dir %{_sysconfdir}/gnupg
 %ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
 %{_sysconfdir}/profile.d/gnupg2.sh
 %{_sysconfdir}/profile.d/gnupg2.csh
 ## docs say to install suid root, but fedora/rh security folk say not to
 %{_bindir}/gpg2
 %{_bindir}/gpgv2
 %{_bindir}/gpg-card
 %{_bindir}/gpg-connect-agent
 %{_bindir}/gpg-agent
 %{_bindir}/gpg-wks-client
 %{_bindir}/gpgconf
 %{_bindir}/gpgparsemail
 %{_bindir}/gpgtar
 %{_bindir}/g13
 %{_bindir}/dirmngr
 %{_bindir}/dirmngr-client
 %if %{with unversioned_gpg}
 %{_bindir}/gpg
 %{_bindir}/gpgv
 %{_bindir}/gpgsplit
 %{_bindir}/gpg-zip
 %endif
 %{_bindir}/watchgnupg
 %{_bindir}/gpg-wks-server
-%{_sbindir}/addgnupghome
+%{_sbindir}/*
 %{_sbindir}/applygnupgdefaults
 %{_sbindir}/g13-syshelp
 %{_datadir}/gnupg/
 %{_libexecdir}/*
 %{_infodir}/*.info*
@ -234,219 +222,18 @@ make -k check
 %changelog
-* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.5-2
+* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.2.20-3
- Bump release for October 2024 mass rebuild:
+- Fix CVE-2022-34903 (#2108447)
  Resolves: RHEL-64018
-* Thu Jul 04 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.5-1
+* Mon May  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
 - New upstream release (#2268461)
 - Set GPG_TTY in profile.d (#2264985)
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.4-2
 - Bump release for June 2024 mass rebuild
 * Fri Jan 26 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.4-1
 - New upstream release (#2260333)
 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-6
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 * Fri Nov 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-4
 - Avoid creation of development versions (#2249037)
 * Mon Nov 06 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-3
 - Restore systemd units and sockets (#2158627)
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 * Mon Jul 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-1
 - New upstream release (#2193503)
 * Thu Jun 01 2023 Michael J Gruber <mjg@fedoraproject.org> - 2.4.2-2
 - fix emacs usage (rhbz#2212090)
 * Wed May 31 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.2-1
 - New upstream release
 - Build with TPM2 support
 * Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.1-1
 - update to 2.4.1 (#2193503)
 * Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.0-4
 - remove %%skip_verify, brainpool signatures are supported now
 * Fri Mar 03 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.0-3
 - Revert introduction of the RFC4880bis draft into defaults
 * Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 * Tue Dec 20 2022 Todd Zullinger <tmz@pobox.com> - 2.4.0-1
 - update to 2.4.0 (#2155170)
 * Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.8-1
 - update to 2.3.8
 - BR systemd-rpm-macros for %%{_userunitdir}
 * Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-5
 - verify upstream signatures in %%prep, unless bootstrapping
 * Wed Oct 05 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-4
 - update BR/R versions for libassuan, libgpg-error, and libksba
 - drop with/without unversioned_gpg, last used with fedora-29
 * Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-3
 - Fix yubikey 5 detection (#2107766)
 * Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 * Tue Jul 12 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-1
 - New upstream release (#2106045)
 * Mon Jul 04 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-2
 - Fix for CVE-2022-34903 (#2103242)
 - Fix focing AEAD through configuration files (#2093760)
 * Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-1
 - New upstream release (#2078550)
 * Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.5-1
 - New upstream release (#2077616)
 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
 * Tue Dec 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.4-1
 - New upstream release (#2034437)
 * Mon Nov 15 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
 - Fix file-is-digest patch (#2022904)
 * Wed Oct 13 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
 - New upstream release (2013388)
 * Wed Oct 06 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-3
 - Fix crash in agent when deciphering (#2009978)
 - Recommend pcsc-lite-ccid to support USB smart cards (#2007923)
 * Mon Sep 20 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-2
 - Disable ccid driver to avoid clash with pcscd (#2005714)
 * Wed Aug 25 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-1
 - New upstream relase (#1997276)
 * Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
 * Wed Apr 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-1
 - New upstream release (#1947159)
 * Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-4
 - Add a configuration to not require exclusive access to PCSC
 * Thu Feb 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-3
 - Bump required libgpg-error version (#1930110)
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.27-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Tue Jan 12 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-1
 - New upstream release (#1909825)
 * Mon Jan 04 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.26-1
 - New upstream release (#1909825)
 * Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-2
 - Enable gpgtar (#1901103)
 * Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-1
 - Update to 2.2.25 (#1900815)
 * Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.24-1
 - Update to 2.2.24 (#1898504)
 * Fri Sep  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.23-1
 - upgrade to 2.2.23
 * Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-4
 - Second attempt - Rebuilt for
  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 2.2.21-2
 - Use make macros
 - https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
 * Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.21-1
 - upgrade to 2.2.21
 * Mon May  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-3
 - fixes for issues found in Coverity scan
-* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
+* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
 - move systemd user units to _userunitdir (no activation by default)
 * Tue Apr 14 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
 - upgrade to 2.2.20
 * Wed Jan 29 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.19-1
 - upgrade to 2.2.19
 * Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.18-4
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Sat Jan  4 2020 Marcel Härry <mh+fedora@scrit.ch> - 2.2.18-3
 - Add patches to be able to deal with keys without uids (#1787708)
 * Fri Dec  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
 - fix abort when decrypting data with anonymous recipient (#1780057)
 * Tue Dec  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
 - upgrade to 2.2.18
 * Wed Nov  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-3
 - fix the gnupg(7) manual page (#1769072)
 * Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.17-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Mon Jul 15 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-1
 - upgrade to 2.2.17
 * Mon Jul  1 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.16-1
 - upgrade to 2.2.16
 * Tue Feb 26 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.13-1
 - upgrade to 2.2.13
 * Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.12-3
 - Rebuild for readline 8.0
 * Mon Feb  4 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-2
 - make it build with gcc-9
 * Tue Jan  8 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-1
 - upgrade to 2.2.12
 * Sat Dec 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.11-2
 - Provide unversioned GPG on F30+
 * Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.11-1
 - upgrade to 2.2.11
 * Wed Aug  1 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.9-1
 - upgrade to 2.2.9
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Mon Jun 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.8-1
 - upgrade to 2.2.8 fixing CVE 2018-12020
--- a/ci.fmf
+++ b/ci.fmf
@ -1 +0,0 @@
 resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
 --- !Policy
 product_versions:
  - rhel-10
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
--- a/gnupg-2.1.1-fips-algo.patch
+++ b/gnupg-2.1.1-fips-algo.patch
@ -1,54 +0,0 @@
 diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
 --- gnupg-2.1.1/g10/mainproc.c.fips	2015-01-29 17:19:49.266031504 +0100
 +++ gnupg-2.1.1/g10/mainproc.c	2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
          according to 2440, so hopefully it won't come up that often.
          There is no good way to specify what algorithms to use in
          that case, so these there are the historical answer. */
 -	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +	if (!gcry_fips_mode_active())
 +            gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
     }
   if (DBG_HASHING)
 diff --git a/common/t-sexputil.c b/common/t-sexputil.c
 index d75090c5b..be5eb2122 100644
 --- a/common/t-sexputil.c
 +++ b/common/t-sexputil.c
@@ -291,36 +291,6 @@ test_ecc_uncompress (void)
     const char *b;  /* Compressed.    */
   }
   tests[] = {
 -  {
 -    "(public-key"
 -    " (ecc"
 -    " (curve brainpoolP256r1)"
 -    " (q #042ECD8679930BE2DB4AD42B8600BA3F80"
 -    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406"
 -    /*   */"436DD11A1756AFE56CD93408410FCDA9"
 -    /*   */"BA95024EB613BD481A14FCFEC27A448A#)))",
 -    /* The same in compressed form.  */
 -    "(public-key"
 -    " (ecc"
 -    " (curve brainpoolP256r1)"
 -    " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
 -    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))"
 -  },
 -  {
 -    "(public-key"
 -    " (ecc"
 -    " (curve brainpoolP256r1)"
 -    " (q #045B784CA008EE64AB3D85017EE0D2BE87"
 -    /*   */"558762C7300E0C8E06B1F9AF7C031458"
 -    /*   */"9EBBA41915313417BA54218EB0569C59"
 -    /*   */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
 -    /* The same in compressed form.  */
 -    "(public-key"
 -    " (ecc"
 -    " (curve brainpoolP256r1)"
 -    " (q #035B784CA008EE64AB3D85017EE0D2BE87"
 -    /*   */"558762C7300E0C8E06B1F9AF7C031458#)))"
 -  },
   { /* A key which does not require a conversion.  */
     "(public-key"
     " (ecdsa"
--- a/gnupg-2.2.21-coverity.patch
+++ b/gnupg-2.2.21-coverity.patch
@ -1,240 +0,0 @@
 diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c
 --- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
 +++ gnupg-2.2.21/common/server-help.c  2020-07-20 17:09:57.416148768 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
   *pend = 0;
   *r_value = xtrystrdup (p);
   *pend = c;
 -  if (!p)
 +  if (!*r_value)
     return my_error_from_syserror ();
   return 0;
 }
 From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Fri, 9 Apr 2021 16:13:07 +0200
 Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
 * g10/card-util.c (change_pin): free answer on errors
  (ask_card_keyattr): free answer on error
 * g10/cpr.c (do_get_from_fd): free string
 * g10/gpg.c (check_permissions): free dir on weird error
 * g10/import.c (append_new_uid): release knode
 * g10/keyedit.c (menu_set_keyserver_url): free answer
  (menu_set_keyserver_url): free user
 * g10/keygen.c (print_status_key_not_created): move allocation after
  sanity check
  (ask_expire_interval): free answer
  (card_store_key_with_backup): goto leave instaed of return
 * g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
 * g10/revoke.c (gen_desig_revoke): release kdbhd
  (gen_desig_revoke): free answer
 * g10/tofu.c (ask_about_binding): free sqerr and response
 * g10/trustdb.c (ask_ownertrust): free pk
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 g10/card-util.c | 14 +++++++++++---
 g10/cpr.c       |  6 +++++-
 g10/gpg.c       |  1 +
 g10/import.c    |  5 ++++-
 g10/keyedit.c   |  8 +++++++-
 g10/keygen.c    | 15 +++++++++++----
 g10/keyserver.c |  2 +-
 g10/revoke.c    |  6 +++++-
 g10/tofu.c      |  4 ++++
 g10/trustdb.c   |  1 +
 10 files changed, 50 insertions(+), 12 deletions(-)
 diff --git a/g10/card-util.c b/g10/card-util.c
 index 36f096f06..c7df8380d 100644
 --- a/g10/card-util.c
 +++ b/g10/card-util.c
@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
   else
     for (;;)
       {
 -	char *answer;
 +	char *answer = NULL;
 	tty_printf ("\n");
 	tty_printf ("1 - change PIN\n"
 diff --git a/g10/tofu.c b/g10/tofu.c
 index f49083844..83786a08d 100644
 --- a/g10/tofu.c
 +++ b/g10/tofu.c
@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
          GPGSQL_ARG_END);
       if (rc)
         {
 +          sqlite3_free (sqerr);
 +          sqerr = NULL;
           rc = gpg_error (GPG_ERR_GENERAL);
           break;
         }
 -- 
 2.30.2
 From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 13 Apr 2021 16:23:31 +0200
 Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
 * dirmngr/domaininfo.c (insert_or_update): free di_new
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 dirmngr/domaininfo.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
 index b41aef366..87782b4b1 100644
 --- a/dirmngr/domaininfo.c
 +++ b/dirmngr/domaininfo.c
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
           log_error ("domaininfo: error allocating helper array: %s\n",
                      gpg_strerror (gpg_err_code_from_syserror ()));
           drop_extra = bucket;
 +          xfree (di_new);
           goto leave;
         }
       narray = 0;
 -- 
 2.30.2
 From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 13 Apr 2021 16:34:40 +0200
 Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
 * scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 scd/app-piv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/scd/app-piv.c b/scd/app-piv.c
 index 143cc047a..94257f0ee 100644
 --- a/scd/app-piv.c
 +++ b/scd/app-piv.c
@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
   gpg_error_t err;
   data_object_t dobj;
   unsigned char *outdata = NULL;
 -  size_t outdatalen;
 +  size_t outdatalen = 0;
   const unsigned char *s;
   size_t n;
   int keyref, mechanism;
@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
   /* Now verify the Application PIN.  */
   err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
   if (err)
 -    return err;
 +    goto leave;
   /* Build the Dynamic Authentication Template.  */
   err = concat_tlv_list (0, &apdudata, &apdudatalen,
 -- 
 2.30.2
 From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 13 Apr 2021 16:44:48 +0200
 Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
 * tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
  (wks_cmd_print_wkd_hash): Free addrspec on error
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 tools/wks-util.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
 diff --git a/tools/wks-util.c b/tools/wks-util.c
 index 516c7fe00..38dd194ff 100644
 --- a/tools/wks-util.c
 +++ b/tools/wks-util.c
@@ -1192,11 +1192,14 @@ gpg_error_t
 wks_cmd_print_wkd_hash (const char *userid)
 {
   gpg_error_t err;
 -  char *addrspec, *fname;
 +  char *addrspec = NULL, *fname;
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
   if (err)
 -    return err;
 +    {
 +      xfree (addrspec);
 +      return err;
 +    }
   es_printf ("%s %s\n", fname, addrspec);
@@ -1211,12 +1214,15 @@ gpg_error_t
 wks_cmd_print_wkd_url (const char *userid)
 {
   gpg_error_t err;
 -  char *addrspec, *fname;
 +  char *addrspec = NULL, *fname;
   char *domain;
   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
   if (err)
 -    return err;
 +    {
 +      xfree (addrspec);
 +      return err;
 +    }
   domain = strchr (addrspec, '@');
   if (domain)
 -- 
 2.30.2
 From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Wed, 14 Apr 2021 15:59:12 +0200
 Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
 * scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
  the original allocator
 --
 Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 ---
 scd/command.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/scd/command.c b/scd/command.c
 index cb0dd379a..9d85c5a41 100644
 --- a/scd/command.c
 +++ b/scd/command.c
@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
         rc = assuan_send_data (ctx, p, strlen (p));
       else
         rc = gpg_error (GPG_ERR_NO_DATA);
 -      xfree (p);
 +      /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
 +      free (p);
     }
   else if (!strcmp (line, "deny_admin"))
     rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
 -- 
 2.30.2
--- a/gnupg-2.2.23-large-rsa.patch
+++ b/gnupg-2.2.23-large-rsa.patch
@ -1,12 +0,0 @@
 diff -up gnupg-2.2.23/g10/keygen.c.large-rsa gnupg-2.2.23/g10/keygen.c
 --- gnupg-2.2.23/g10/keygen.c.large-rsa	2020-09-04 13:53:42.030486671 +0200
 +++ gnupg-2.2.23/g10/keygen.c	2020-09-04 13:55:52.896669542 +0200
@@ -2262,7 +2262,7 @@ get_keysize_range (int algo, unsigned in
     default:
       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
 -      *max = 4096;
 +      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
       def = 3072;
       break;
     }
--- a/gnupg-2.4.1-file-is-digest.patch
+++ b/gnupg-2.4.1-file-is-digest.patch
@ -1,226 +0,0 @@
 From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tmraz@fedoraproject.org>
 Date: Tue, 5 Aug 2014 17:04:08 +0200
 Subject: [PATCH gnupg] add --file-is-digest option needed for copr
 ---
 g10/gpg.c     |  4 +++
 g10/options.h |  1 +
 g10/sign.c    | 93 ++++++++++++++++++++++++++++++++++++++++++++-------
 3 files changed, 85 insertions(+), 13 deletions(-)
 diff --git a/g10/gpg.c b/g10/gpg.c
 index f9bc8395f..dcab0a11a 100644
 --- a/g10/gpg.c
 +++ b/g10/gpg.c
@@ -395,6 +395,7 @@ enum cmd_and_opt_values
     oTTYtype,
     oLCctype,
     oLCmessages,
 +    oFileIsDigest,
     oXauthority,
     oGroup,
     oUnGroup,
@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_s (oTempDir,  "temp-directory", "@"),
   ARGPARSE_s_s (oExecPath, "exec-path", "@"),
   ARGPARSE_s_n (oExpert,      "expert", "@"),
 +  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
   ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
   ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
   ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
@@ -2484,6 +2486,7 @@ main (int argc, char **argv)
     opt.keyid_format = KF_NONE;
     opt.def_sig_expire = "0";
     opt.def_cert_expire = "0";
 +    opt.file_is_digest = 0;
     opt.passphrase_repeat = 1;
     opt.emit_version = 0;
     opt.weak_digests = NULL;
@@ -3111,6 +3114,7 @@ main (int argc, char **argv)
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
 	  case oForceAEAD: opt.force_aead = 1; break;
 +	  case oFileIsDigest: opt.file_is_digest = 1; break;
           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
           case oIncludeKeyBlock:  opt.flags.include_key_block = 1; break;
 diff --git a/g10/options.h b/g10/options.h
 index 9015e321f..10852046c 100644
 --- a/g10/options.h
 +++ b/g10/options.h
@@ -219,6 +219,7 @@ struct
   int no_auto_check_trustdb;
   int preserve_permissions;
   int no_homedir_creation;
 +  int file_is_digest;
   struct groupitem *grouplist;
   int mangle_dos_filenames;
   int enable_progress_filter;
 diff --git a/g10/sign.c b/g10/sign.c
 index b5e9d422d..7ad143649 100644
 --- a/g10/sign.c
 +++ b/g10/sign.c
@@ -40,6 +40,7 @@
 #include "pkglue.h"
 #include "../common/sysutils.h"
 #include "call-agent.h"
 +#include "../common/host2net.h"
 #include "../common/mbox-util.h"
 #include "../common/compliance.h"
@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl,
       if (pk->version >= 5)
         sig->version = 5;  /* Required for v5 keys.  */
 +      else if (opt.file_is_digest)
 +        sig->version = 3;
       else
         sig->version = 4;  /* Required.  */
@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl,
       if (gcry_md_copy (&md, hash))
         BUG ();
 -      build_sig_subpkt_from_sig (sig, pk, 0);
 -      mk_notation_policy_etc (ctrl, sig, NULL, pk);
 -      if (opt.flags.include_key_block && IS_SIG (sig))
 -        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
 -      else
 -        err = 0;
 -      hash_sigversion_to_magic (md, sig, extrahash);
 -      gcry_md_final (md);
 +      if (!opt.file_is_digest)
 +        {
 +          build_sig_subpkt_from_sig (sig, pk, 0);
 +          mk_notation_policy_etc (ctrl, sig, NULL, pk);
 +          if (opt.flags.include_key_block && IS_SIG (sig))
 +            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
 +          else
 +            err = 0;
 +
 +          hash_sigversion_to_magic (md, sig, extrahash);
 +          gcry_md_final (md);
 +        }
 +      else if (sig->version >= 4)
 +        {
 +          log_bug("file-is-digest doesn't work with v4 sigs\n");
 +        }
       if (!err)
         err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
   SK_LIST sk_rover = NULL;
   int multifile = 0;
   u32 duration=0;
 +  int sigclass = 0x00;
 +  u32 timestamp = 0;
   pt_extra_hash_data_t extrahash = NULL;
   pfx = new_progress_context ();
@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
     fname = NULL;
   if (fname && filenames->next && (!detached || encryptflag))
 -    log_bug ("multiple files can only be detached signed");
 +    log_bug ("multiple files can only be detached signed\n");
 +
 +  if (opt.file_is_digest && (multifile || !fname))
 +    log_bug ("file-is-digest only works with one file\n");
 +  if (opt.file_is_digest && !detached)
 +    log_bug ("file-is-digest can only write detached signatures\n");
 +  if (opt.file_is_digest && !opt.def_digest_algo)
 +    log_bug ("file-is-digest needs --digest-algo\n");
 +  if (opt.file_is_digest && opt.textmode)
 +    log_bug ("file-is-digest doesn't work with --textmode\n");
   if (encryptflag == 2
       && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
     goto leave;
   /* Prepare iobufs. */
 -  if (multifile)    /* have list of filenames */
 +  if (multifile || opt.file_is_digest)  /* have list of filenames */
     inp = NULL;     /* we do it later */
   else
     {
@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
   for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
     gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
 -  if (!multifile)
 +  if (!multifile && !opt.file_is_digest)
     iobuf_push_filter (inp, md_filter, &mfx);
   if (detached && !encryptflag)
@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
   write_status_begin_signing (mfx.md);
 +  sigclass = opt.textmode && !outfile? 0x01 : 0x00;
 +
   /* Setup the inner packet. */
   if (detached)
     {
@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
           if (opt.verbose)
             log_printf ("\n");
 	}
 +      else if (opt.file_is_digest)
 +        {
 +          byte *mdb, ts[5] = {0};
 +          size_t mdlen;
 +          const char *fp;
 +          int c, d;
 +
 +          gcry_md_final(mfx.md);
 +          /* this assumes gcry_md_read returns the same buffer */
 +          mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
 +          mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
 +          if (strlen(fname) != mdlen * 2 + 11)
 +            log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen);
 +          d = -1;
 +          for (fp = fname ; *fp; )
 +            {
 +               c = *fp++;
 +               if (c >= '0' && c <= '9')
 +                 c -= '0';
 +               else if (c >= 'a' && c <= 'f')
 +                 c -= 'a' - 10;
 +               else if (c >= 'A' && c <= 'F')
 +                 c -= 'A' - 10;
 +               else
 +                 log_bug("filename is not hex\n");
 +               if (d >= 0)
 +                {
 +                   *mdb++ = d << 4 | c;
 +                   c = -1;
 +                   if (--mdlen == 0)
 +                    {
 +                       mdb = ts;
 +                       if (*fp++ != '@')
 +                         log_bug("missing time separator\n");
 +                     }
 +                 }
 +               d = c;
 +            }
 +          sigclass = ts[0];
 +          if (sigclass != 0x00 && sigclass != 0x01)
 +            log_bug("bad cipher class\n");
 +          timestamp = buf32_to_u32(ts + 1);
 +        }
       else
         {
           /* Read, so that the filter can calculate the digest. */
@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
   /* Write the signatures. */
   rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
 -                                opt.textmode && !outfile? 0x01 : 0x00,
 -                                0, duration, detached ? 'D':'S', NULL);
 +                                sigclass,
 +                                timestamp, duration, detached ? 'D':'S', NULL);
   if (rc)
     goto leave;
--- a/gnupg-2.4.3-restore-systemd-sockets.patch
+++ b/gnupg-2.4.3-restore-systemd-sockets.patch
@ -1,275 +0,0 @@
 From eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Mon Sep 17 00:00:00 2001
 From: Werner Koch <wk@gnupg.org>
 Date: Mon, 23 Jan 2023 16:34:19 +0100
 Subject: [PATCH] doc: Remove profile and systemd example files.
 --
 The profiles are not any longer useful because global options are way
 more powerful (/etc/gnupg/gpg.conf et al.).  The use of systemd is
 deprecated because of additional complexity and the race between
 systemd based autolaunching and the explicit gnupg based and lockfile
 protected autolaunching.
 GnuPG-bug-id: 6336
 ---
 diff --git b/doc/Makefile.am a/doc/Makefile.am
 index 390153c76..0093c43a8 100644
 --- b/doc/Makefile.am
 +++ a/doc/Makefile.am
@@ -22,6 +22,14 @@ AM_CPPFLAGS =
            examples/qualified.txt                                       \
 	   examples/common.conf                                         \
            examples/gpgconf.rnames examples/gpgconf.conf                \
 +	   examples/systemd-user/README 				\
 +	   examples/systemd-user/dirmngr.service 			\
 +	   examples/systemd-user/dirmngr.socket				\
 +	   examples/systemd-user/gpg-agent.service 			\
 +	   examples/systemd-user/gpg-agent.socket 			\
 +	   examples/systemd-user/gpg-agent-ssh.socket 			\
 +	   examples/systemd-user/gpg-agent-browser.socket		\
 +	   examples/systemd-user/gpg-agent-extra.socket 		\
 	   examples/pwpattern.list
 helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
 diff --git b/doc/Makefile.in a/doc/Makefile.in
 index 390153c76..0093c43a8 100644
 --- b/doc/Makefile.in
 +++ a/doc/Makefile.in
@@ -475,6 +475,14 @@ AM_CPPFLAGS =
            examples/qualified.txt                                       \
 	   examples/common.conf                                         \
            examples/gpgconf.rnames examples/gpgconf.conf                \
 +	   examples/systemd-user/README 				\
 +	   examples/systemd-user/dirmngr.service 			\
 +	   examples/systemd-user/dirmngr.socket				\
 +	   examples/systemd-user/gpg-agent.service 			\
 +	   examples/systemd-user/gpg-agent.socket 			\
 +	   examples/systemd-user/gpg-agent-ssh.socket 			\
 +	   examples/systemd-user/gpg-agent-browser.socket		\
 +	   examples/systemd-user/gpg-agent-extra.socket 		\
 	   examples/pwpattern.list
 helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
 diff --git b/doc/examples/README a/doc/examples/README
 index cd341ab57..67508c471 100644
 --- b/doc/examples/README
 +++ a/doc/examples/README
@@ -8,6 +8,8 @@ trustlist.txt   A list of trustworthy root certificates
 gpgconf.conf    A sample configuration file for gpgconf.
 +systemd-user    Sample files for a Linux-only init system.
 +
 qualified.txt   Sample file for qualified.txt.
 common.conf     Sample file for common options.
 diff --git b/doc/examples/gpgconf.conf a/doc/examples/gpgconf.conf
 index 314b955b9..a61d4d453 100644
 --- b/doc/examples/gpgconf.conf
 +++ a/doc/examples/gpgconf.conf
@@ -1,9 +1,5 @@
 # gpgconf.conf - configuration for gpgconf
 #----------------------------------------------------------------------
 -#
 -# === The use of this feature is deprecated ===
 -# == Please use the more powerful global options. ==
 -#
 # This file is read by gpgconf(1) to setup defaults for all or
 # specified users and groups.  It may be used to change the hardwired
 # defaults in gpgconf and to enforce certain values for the various
 diff --git b/doc/examples/systemd-user/README a/doc/examples/systemd-user/README
 new file mode 100644
 index 000000000..43122f568
 --- /dev/null
 +++ a/doc/examples/systemd-user/README
@@ -0,0 +1,66 @@
 +Socket-activated dirmngr and gpg-agent with systemd
 +===================================================
 +
 +When used on a GNU/Linux system supervised by systemd, you can ensure
 +that the GnuPG daemons dirmngr and gpg-agent are launched
 +automatically the first time they're needed, and shut down cleanly at
 +session logout.  This is done by enabling user services via
 +socket-activation.
 +
 +System distributors
 +-------------------
 +
 +The *.service and *.socket files (from this directory) should be
 +placed in /usr/lib/systemd/user/ alongside other user-session services
 +and sockets.
 +
 +To enable socket-activated dirmngr for all accounts on the system,
 +use:
 +
 +    systemctl --user --global enable dirmngr.socket
 +
 +To enable socket-activated gpg-agent for all accounts on the system,
 +use:
 +
 +    systemctl --user --global enable gpg-agent.socket
 +
 +Additionally, you can enable socket-activated gpg-agent ssh-agent
 +emulation for all accounts on the system with:
 +
 +    systemctl --user --global enable gpg-agent-ssh.socket
 +
 +You can also enable restricted ("--extra-socket"-style) gpg-agent
 +sockets for all accounts on the system with:
 +
 +    systemctl --user --global enable gpg-agent-extra.socket
 +
 +Individual users
 +----------------
 +
 +A user on a system with systemd where this has not been installed
 +system-wide can place these files in ~/.config/systemd/user/ to make
 +them available.
 +
 +If a given service isn't installed system-wide, or if it's installed
 +system-wide but not globally enabled, individual users will still need
 +to enable them.  For example, to enable socket-activated dirmngr for
 +all future sessions:
 +
 +    systemctl --user enable dirmngr.socket
 +
 +To enable socket-activated gpg-agent with ssh support, do:
 +
 +    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
 +
 +These changes won't take effect until your next login after you've
 +fully logged out (be sure to terminate any running daemons before
 +logging out).
 +
 +If you'd rather try a socket-activated GnuPG daemon in an
 +already-running session without logging out (with or without enabling
 +it for all future sessions), kill any existing daemon and start the
 +user socket directly.  For example, to set up socket-activated dirmgnr
 +in the current session:
 +
 +    gpgconf --kill dirmngr
 +    systemctl --user start dirmngr.socket
 diff --git b/doc/examples/systemd-user/dirmngr.service a/doc/examples/systemd-user/dirmngr.service
 new file mode 100644
 index 000000000..3c060cde5
 --- /dev/null
 +++ a/doc/examples/systemd-user/dirmngr.service
@@ -0,0 +1,8 @@
 +[Unit]
 +Description=GnuPG network certificate management daemon
 +Documentation=man:dirmngr(8)
 +Requires=dirmngr.socket
 +
 +[Service]
 +ExecStart=/usr/bin/dirmngr --supervised
 +ExecReload=/usr/bin/gpgconf --reload dirmngr
 diff --git b/doc/examples/systemd-user/dirmngr.socket a/doc/examples/systemd-user/dirmngr.socket
 new file mode 100644
 index 000000000..ebabf896a
 --- /dev/null
 +++ a/doc/examples/systemd-user/dirmngr.socket
@@ -0,0 +1,11 @@
 +[Unit]
 +Description=GnuPG network certificate management daemon
 +Documentation=man:dirmngr(8)
 +
 +[Socket]
 +ListenStream=%t/gnupg/S.dirmngr
 +SocketMode=0600
 +DirectoryMode=0700
 +
 +[Install]
 +WantedBy=sockets.target
 diff --git b/doc/examples/systemd-user/gpg-agent-browser.socket a/doc/examples/systemd-user/gpg-agent-browser.socket
 new file mode 100644
 index 000000000..bc8d344e1
 --- /dev/null
 +++ a/doc/examples/systemd-user/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
 +[Unit]
 +Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
 +Documentation=man:gpg-agent(1)
 +
 +[Socket]
 +ListenStream=%t/gnupg/S.gpg-agent.browser
 +FileDescriptorName=browser
 +Service=gpg-agent.service
 +SocketMode=0600
 +DirectoryMode=0700
 +
 +[Install]
 +WantedBy=sockets.target
 diff --git b/doc/examples/systemd-user/gpg-agent-extra.socket a/doc/examples/systemd-user/gpg-agent-extra.socket
 new file mode 100644
 index 000000000..5b87d09df
 --- /dev/null
 +++ a/doc/examples/systemd-user/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
 +[Unit]
 +Description=GnuPG cryptographic agent and passphrase cache (restricted)
 +Documentation=man:gpg-agent(1)
 +
 +[Socket]
 +ListenStream=%t/gnupg/S.gpg-agent.extra
 +FileDescriptorName=extra
 +Service=gpg-agent.service
 +SocketMode=0600
 +DirectoryMode=0700
 +
 +[Install]
 +WantedBy=sockets.target
 diff --git b/doc/examples/systemd-user/gpg-agent-ssh.socket a/doc/examples/systemd-user/gpg-agent-ssh.socket
 new file mode 100644
 index 000000000..798c1d967
 --- /dev/null
 +++ a/doc/examples/systemd-user/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
 +[Unit]
 +Description=GnuPG cryptographic agent (ssh-agent emulation)
 +Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
 +
 +[Socket]
 +ListenStream=%t/gnupg/S.gpg-agent.ssh
 +FileDescriptorName=ssh
 +Service=gpg-agent.service
 +SocketMode=0600
 +DirectoryMode=0700
 +
 +[Install]
 +WantedBy=sockets.target
 diff --git b/doc/examples/systemd-user/gpg-agent.service a/doc/examples/systemd-user/gpg-agent.service
 new file mode 100644
 index 000000000..a050fccdc
 --- /dev/null
 +++ a/doc/examples/systemd-user/gpg-agent.service
@@ -0,0 +1,8 @@
 +[Unit]
 +Description=GnuPG cryptographic agent and passphrase cache
 +Documentation=man:gpg-agent(1)
 +Requires=gpg-agent.socket
 +
 +[Service]
 +ExecStart=/usr/bin/gpg-agent --supervised
 +ExecReload=/usr/bin/gpgconf --reload gpg-agent
 diff --git b/doc/examples/systemd-user/gpg-agent.socket a/doc/examples/systemd-user/gpg-agent.socket
 new file mode 100644
 index 000000000..4257c2c80
 --- /dev/null
 +++ a/doc/examples/systemd-user/gpg-agent.socket
@@ -0,0 +1,12 @@
 +[Unit]
 +Description=GnuPG cryptographic agent and passphrase cache
 +Documentation=man:gpg-agent(1)
 +
 +[Socket]
 +ListenStream=%t/gnupg/S.gpg-agent
 +FileDescriptorName=std
 +SocketMode=0600
 +DirectoryMode=0700
 +
 +[Install]
 +WantedBy=sockets.target
 -- 
 2.41.0
--- a/gnupg-2.4.5-revert-default-eddsa.patch
+++ b/gnupg-2.4.5-revert-default-eddsa.patch
@ -1,162 +0,0 @@
 From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001
 From: Werner Koch <wk@gnupg.org>
 Date: Mon, 5 Oct 2020 14:21:31 +0200
 Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo.
 * g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future
 default ago.
 (ask_algo): Change default and also the way we indicate the default
 algo in the list of algos.
 (ask_curve): Indicate the default curve.
 Signed-off-by: Werner Koch <wk@gnupg.org>
 ---
 g10/keygen.c | 57 ++++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 28 deletions(-)
 diff --git a/g10/keygen.c b/g10/keygen.c
 index 16e4e58ea..b510525e3 100644
 --- a/g10/keygen.c
 +++ b/g10/keygen.c
@@ -47,10 +47,11 @@
 #include "../common/mbox-util.h"
 -/* The default algorithms.  If you change them, you should ensure the value
 -   is inside the bounds enforced by ask_keysize and gen_xxx.  See also
 -   get_keysize_range which encodes the allowed ranges.  */
 -#define DEFAULT_STD_KEY_PARAM  "rsa3072/cert,sign+rsa3072/encr"
 +/* The default algorithms.  If you change them, you should ensure the
 +   value is inside the bounds enforced by ask_keysize and gen_xxx.
 +   See also get_keysize_range which encodes the allowed ranges.  The
 +   default answer in ask_algo also needs to be adjusted.  */
 +#define DEFAULT_STD_KEY_PARAM  "ed25519/cert,sign+cv25519/encr"
 #define FUTURE_STD_KEY_PARAM   "ed25519/cert,sign+cv25519/encr"
 /* When generating keys using the streamlined key generation dialog,
@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
 #if GPG_USE_RSA
   if (!addmode)
 -    tty_printf (_("   (%d) RSA and RSA (default)\n"), 1 );
 +    tty_printf (_("   (%d) RSA and RSA%s\n"), 1, "");
 #endif
   if (!addmode && opt.compliance != CO_DE_VS)
 -    tty_printf (_("   (%d) DSA and Elgamal\n"), 2 );
 +    tty_printf (_("   (%d) DSA and Elgamal%s\n"), 2, "");
   if (opt.compliance != CO_DE_VS)
 -    tty_printf (_("   (%d) DSA (sign only)\n"), 3 );
 +    tty_printf (_("   (%d) DSA (sign only)%s\n"), 3, "");
 #if GPG_USE_RSA
 -  tty_printf (_("   (%d) RSA (sign only)\n"), 4 );
 +  tty_printf (_("   (%d) RSA (sign only)%s\n"), 4, "");
 #endif
   if (addmode)
     {
       if (opt.compliance != CO_DE_VS)
 -        tty_printf (_("   (%d) Elgamal (encrypt only)\n"), 5 );
 +        tty_printf (_("   (%d) Elgamal (encrypt only)%s\n"), 5, "");
 #if GPG_USE_RSA
 -      tty_printf (_("   (%d) RSA (encrypt only)\n"), 6 );
 +      tty_printf (_("   (%d) RSA (encrypt only)%s\n"), 6, "");
 #endif
     }
   if (opt.expert)
     {
       if (opt.compliance != CO_DE_VS)
 -        tty_printf (_("   (%d) DSA (set your own capabilities)\n"), 7 );
 +        tty_printf (_("   (%d) DSA (set your own capabilities)%s\n"), 7, "");
 #if GPG_USE_RSA
 -      tty_printf (_("   (%d) RSA (set your own capabilities)\n"), 8 );
 +      tty_printf (_("   (%d) RSA (set your own capabilities)%s\n"), 8, "");
 #endif
     }
 #if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA
 -  if (opt.expert && !addmode)
 -    tty_printf (_("   (%d) ECC and ECC\n"), 9 );
 -  if (opt.expert)
 -    tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
 +  if (!addmode)
 +    tty_printf (_("   (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") );
 +  tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
   if (opt.expert)
 -    tty_printf (_("  (%d) ECC (set your own capabilities)\n"), 11 );
 -  if (opt.expert && addmode)
 -    tty_printf (_("  (%d) ECC (encrypt only)\n"), 12 );
 +    tty_printf (_("  (%d) ECC (set your own capabilities)%s\n"), 11, "");
 +  if (addmode)
 +    tty_printf (_("  (%d) ECC (encrypt only)%s\n"), 12, "");
 #endif
   if (opt.expert && r_keygrip)
 -    tty_printf (_("  (%d) Existing key\n"), 13 );
 +    tty_printf (_("  (%d) Existing key%s\n"), 13, "");
   if (r_keygrip)
 -    tty_printf (_("  (%d) Existing key from card\n"), 14 );
 +    tty_printf (_("  (%d) Existing key from card%s\n"), 14, "");
   for (;;)
     {
@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
       xfree (answer);
       answer = cpr_get ("keygen.algo", _("Your selection? "));
       cpr_kill_prompt ();
 -      algo = *answer? atoi (answer) : 1;
 +      algo = *answer? atoi (answer) : 9;  /* Default algo is 9 */
       if (opt.compliance == CO_DE_VS
           && (algo == 2 || algo == 3 || algo == 5 || algo == 7))
@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
           break;
 	}
       else if ((algo == 9 || !strcmp (answer, "ecc+ecc"))
 -               && opt.expert && !addmode)
 +               && !addmode)
         {
           algo = PUBKEY_ALGO_ECDSA;
           *r_subkey_algo = PUBKEY_ALGO_ECDH;
           break;
 	}
 -      else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert)
 +      else if ((algo == 10 || !strcmp (answer, "ecc/s")))
         {
           algo = PUBKEY_ALGO_ECDSA;
           *r_usage = PUBKEY_USAGE_SIG;
@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
           break;
 	}
       else if ((algo == 12 || !strcmp (answer, "ecc/e"))
 -               && opt.expert && addmode)
 +               && addmode)
         {
           algo = PUBKEY_ALGO_ECDH;
           *r_usage = PUBKEY_USAGE_ENC;
@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
     { "NIST P-256",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
     { "NIST P-384",      NULL, NULL,               MY_USE_ECDSADH,  0, 0, 0 },
     { "NIST P-521",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
 -    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 1, 0 },
 +    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 0, 0 },
     { "brainpoolP384r1", NULL, "Brainpool P-384",  MY_USE_ECDSADH,  1, 1, 0 },
     { "brainpoolP512r1", NULL, "Brainpool P-512",  MY_USE_ECDSADH,  1, 1, 0 },
     { "secp256k1",       NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
         }
       curves[idx].available = 1;
 -      tty_printf ("   (%d) %s\n", idx + 1,
 +      tty_printf ("   (%d) %s%s\n", idx + 1,
                   curves[idx].pretty_name?
 -                  curves[idx].pretty_name:curves[idx].name);
 +                  curves[idx].pretty_name:curves[idx].name,
 +                  idx == 0? _(" *default*"):"");
     }
   gcry_sexp_release (keyparms);
 -- 
 2.31.1
--- a/gnupg-2.4.5-sast.patch
+++ b/gnupg-2.4.5-sast.patch
--- a/gnupg2-revert-rfc4880bis.patch
+++ b/gnupg2-revert-rfc4880bis.patch
@ -1,200 +0,0 @@
 From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 9 Feb 2023 16:38:58 +0100
 Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
 defaults
 This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
 --gnupg, 2022-10-31).
 ---
 g10/gpg.c    | 35 ++++++++++++++++++++++++++++++++---
 g10/keygen.c | 30 ++++++++++++++++++------------
 2 files changed, 50 insertions(+), 15 deletions(-)
 diff --git a/g10/gpg.c b/g10/gpg.c
 index dcab0a11a..796888013 100644
 --- a/g10/gpg.c
 +++ b/g10/gpg.c
@@ -247,6 +247,7 @@ enum cmd_and_opt_values
     oGnuPG,
     oRFC2440,
     oRFC4880,
 +    oRFC4880bis,
     oOpenPGP,
     oPGP7,
     oPGP8,
@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
 +  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
 -  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] =
   {
     { "gnupg",      oGnuPG },
     { "openpgp",    oOpenPGP },
 -    { "rfc4880bis", oGnuPG },
 +    { "rfc4880bis", oRFC4880bis },
     { "rfc4880",    oRFC4880 },
     { "rfc2440",    oRFC2440 },
     { "pgp6",       oPGP7 },
@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] =
 static void
 set_compliance_option (enum cmd_and_opt_values option)
 {
 +  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
 +
   switch (option)
     {
 +    case oRFC4880bis:
 +      opt.flags.rfc4880bis = 1;
 +      opt.compliance = CO_RFC4880;
 +      opt.flags.dsa2 = 1;
 +      opt.flags.require_cross_cert = 1;
 +      opt.rfc2440_text = 0;
 +      opt.allow_non_selfsigned_uid = 1;
 +      opt.allow_freeform_uid = 1;
 +      opt.escape_from = 1;
 +      opt.not_dash_escaped = 0;
 +      opt.def_cipher_algo = 0;
 +      opt.def_digest_algo = 0;
 +      opt.cert_digest_algo = 0;
 +      opt.compress_algo = -1;
 +      opt.s2k_mode = 3; /* iterated+salted */
 +      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
 +      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
 +      break;
     case oOpenPGP:
     case oRFC4880:
       /* This is effectively the same as RFC2440, but with
@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
     case oPGP8:  opt.compliance = CO_PGP8;  break;
     case oGnuPG:
       opt.compliance = CO_GNUPG;
 +      opt.flags.rfc4880bis = 1;
       break;
     case oDE_VS:
@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
     opt.emit_version = 0;
     opt.weak_digests = NULL;
     opt.compliance = CO_GNUPG;
 +    opt.flags.rfc4880bis = 1;
     /* Check special options given on the command line.  */
     orig_argc = argc;
@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
           case oOpenPGP:
           case oRFC2440:
           case oRFC4880:
 +          case oRFC4880bis:
           case oPGP7:
           case oPGP8:
           case oGnuPG:
@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
     if( may_coredump && !opt.quiet )
 	log_info(_("WARNING: program may create a core file!\n"));
 +    if (!opt.flags.rfc4880bis)
 +      {
 +        opt.mimemode = 0; /* This will use text mode instead.  */
 +      }
 +
     if (eyes_only) {
       if (opt.set_filename)
 	  log_info(_("WARNING: %s overrides %s\n"),
@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
     /* Check our chosen algorithms against the list of legal
        algorithms. */
 -    if(!GNUPG)
 +    if(!GNUPG && !opt.flags.rfc4880bis)
       {
 	const char *badalg=NULL;
 	preftype_t badtype=PREFTYPE_NONE;
 diff --git a/g10/keygen.c b/g10/keygen.c
 index a2cfe3ccf..2a1dd1f81 100644
 --- a/g10/keygen.c
 +++ b/g10/keygen.c
@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
 	      strcat(dummy_string,"S7 ");
 	    strcat(dummy_string,"S2 "); /* 3DES */
 -            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
 +            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
 	      strcat(dummy_string,"A2 ");
             if (personal)
@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
   /* Make sure that the MDC feature flag is set if needed.  */
   add_feature_mdc (sig,mdc_available);
   add_feature_aead (sig, aead_available);
 -  add_feature_v5 (sig, 1);
 +  add_feature_v5 (sig, opt.flags.rfc4880bis);
   add_keyserver_modify (sig,ks_modify);
   keygen_add_keyserver_url(sig,NULL);
@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
                 }
             }
           else if (!ascii_strcasecmp (s, "v5"))
 -            keyversion = 5;
 +            {
 +              if (opt.flags.rfc4880bis)
 +                keyversion = 5;
 +            }
           else if (!ascii_strcasecmp (s, "v4"))
             keyversion = 4;
           else
@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
  *   ecdsa := Use algorithm ECDSA.
  *   eddsa := Use algorithm EdDSA.
  *   ecdh  := Use algorithm ECDH.
 - *   v5    := Create version 5 key
 + *   v5    := Create version 5 key (requires option --rfc4880bis)
  *
  * There are several defaults and fallbacks depending on the
  * algorithm.  PART can be used to select which part of STRING is
@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
 	    }
 	}
 -        if ((keywords[i].key == pVERSION
 -             || keywords[i].key == pSUBVERSION))
 -          ; /* Ignore version.  */
 +        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
 +                                      || keywords[i].key == pSUBVERSION))
 +          ; /* Ignore version unless --rfc4880bis is active.  */
         else
           {
             r = xmalloc_clear( sizeof *r + strlen( value ) );
@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey,
       para = r;
     }
 -  r = xmalloc_clear (sizeof *r + 20);
 -  r->key = for_subkey? pSUBVERSION : pVERSION;
 -  snprintf (r->u.value, 20, "%d", version);
 -  r->next = para;
 -  para = r;
 +  if (opt.flags.rfc4880bis)
 +    {
 +      r = xmalloc_clear (sizeof *r + 20);
 +      r->key = for_subkey? pSUBVERSION : pVERSION;
 +      snprintf (r->u.value, 20, "%d", version);
 +      r->next = para;
 +      para = r;
 +    }
   if (keytime)
     {
--- a/plans/ci.fmf
+++ b/plans/ci.fmf
@ -1,23 +0,0 @@
 /fips-disabled-buildroot-disabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
      name: /plans/ci/fips-disabled-buildroot-disabled
 /fips-disabled-buildroot-enabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
      name: /plans/ci/fips-disabled-buildroot-enabled
 /fips-enabled-buildroot-disabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
      name: /plans/ci/fips-enabled-buildroot-disabled
 /fips-enabled-buildroot-enabled:
  plan:
    import:
      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
      name: /plans/ci/fips-enabled-buildroot-enabled
--- a/signature_key.asc
+++ b/signature_key.asc
@ -1,86 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
 3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
 a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
 LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
 MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
 ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
 hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
 F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
 +wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
 BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
 /0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
 dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
 xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
 hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
 ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
 QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
 ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
 iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
 CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
 FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
 CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
 IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
 fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
 6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
 ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
 sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
 /jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
 Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
 o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
 5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
 4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
 b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
 bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
 icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
 GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
 m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
 IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
 /8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
 BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
 ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
 AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
 BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
 EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
 BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
 V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
 c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
 OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
 l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
 Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
 HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
 UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
 7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
 wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
 C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
 bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
 Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
 VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
 fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
 dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
 AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
 my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
 7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
 3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
 QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
 vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
 vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
 YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
 t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
 eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
 4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
 7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
 D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
 MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
 MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
 14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
 jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
 WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
 AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
 RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
 IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
 N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
 eiInsGZ/+h5XYrpXTgA=
 =4+Sn
 -----END PGP PUBLIC KEY BLOCK-----
--- a/2
+++ b/2
@ -1,2 +0,0 @@
 SHA512 (gnupg-2.4.5.tar.bz2) = 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff
 SHA512 (gnupg-2.4.5.tar.bz2.sig) = 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71
		`@ -0,0 +1 @@`
							`d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2`
		`@ -1,2 +0,0 @@`
			`SHA512 (gnupg-2.4.5.tar.bz2) = 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff`
			`SHA512 (gnupg-2.4.5.tar.bz2.sig) = 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71`