29 changed files with 2608 additions and 750 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,4 @@
-SOURCES/gnupg-2.2.20.tar.bz2
+/*.rpm
+/gnupg-*.tar.bz*
+/gnupg-*/
+/results_gnupg2/
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@ -1 +0,0 @@
-d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2
--- a/SOURCES/gnupg-2.1.1-fips-algo.patch
+++ b/SOURCES/gnupg-2.1.1-fips-algo.patch
@ -1,13 +0,0 @@
-diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips	2015-01-29 17:19:49.266031504 +0100
-+++ gnupg-2.1.1/g10/mainproc.c	2015-01-29 17:27:13.938088122 +0100
-@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
-          according to 2440, so hopefully it won't come up that often.
-          There is no good way to specify what algorithms to use in
-          that case, so these there are the historical answer. */
-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
-+	if (!gcry_fips_mode_active())
-+            gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
- 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
-     }
-   if (DBG_HASHING)
--- a/SOURCES/gnupg-2.1.21-insttools.patch
+++ b/SOURCES/gnupg-2.1.21-insttools.patch
@ -1,62 +0,0 @@
-diff -up gnupg-2.1.21/tools/Makefile.am.insttools gnupg-2.1.21/tools/Makefile.am
--- gnupg-2.1.21/tools/Makefile.am.insttools	2017-04-03 17:13:56.000000000 +0200
-+++ gnupg-2.1.21/tools/Makefile.am	2017-07-18 12:10:59.431729640 +0200
-@@ -35,8 +35,8 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER
- sbin_SCRIPTS = addgnupghome applygnupgdefaults
- 
- if HAVE_USTAR
-# bin_SCRIPTS += gpg-zip
-noinst_SCRIPTS = gpg-zip
-+bin_PROGRAMS += gpg-zip
-+#noinst_SCRIPTS = gpg-zip
- endif
- 
- if BUILD_SYMCRYPTRUN
-@@ -53,7 +53,7 @@ endif
- 
- libexec_PROGRAMS = gpg-wks-client
- 
-bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun}
-+bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} gpgsplit
- if !HAVE_W32_SYSTEM
- bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server}
- endif
-@@ -63,7 +63,7 @@ libexec_PROGRAMS += gpg-check-pattern
- endif
- 
- if !HAVE_W32CE_SYSTEM
-noinst_PROGRAMS = clean-sat make-dns-cert gpgsplit
-+noinst_PROGRAMS = clean-sat make-dns-cert
- endif
- 
- if !HAVE_W32CE_SYSTEM
-diff -up gnupg-2.1.21/tools/Makefile.in.insttools gnupg-2.1.21/tools/Makefile.in
--- gnupg-2.1.21/tools/Makefile.in.insttools	2017-05-15 16:15:04.000000000 +0200
-+++ gnupg-2.1.21/tools/Makefile.in	2017-07-18 12:12:17.907734745 +0200
-@@ -137,13 +137,13 @@ DIST_COMMON = $(top_srcdir)/am/cmacros.a
- @GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\""
- @HAVE_W32_SYSTEM_TRUE@am__append_8 = gpg-connect-agent-w32info.o
- libexec_PROGRAMS = gpg-wks-client$(EXEEXT) $(am__EXEEXT_5)
-bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \
-+bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) gpgsplit$(EXEEXT) \
- 	$(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_4)
- @HAVE_W32_SYSTEM_FALSE@am__append_9 = watchgnupg gpgparsemail ${gpg_wks_server}
- @DISABLE_REGEX_FALSE@am__append_10 = gpg-check-pattern
- @HAVE_W32CE_SYSTEM_FALSE@noinst_PROGRAMS = clean-sat$(EXEEXT) \
- @HAVE_W32CE_SYSTEM_FALSE@	make-dns-cert$(EXEEXT) \
-@HAVE_W32CE_SYSTEM_FALSE@	gpgsplit$(EXEEXT) $(am__EXEEXT_6)
-+@HAVE_W32CE_SYSTEM_FALSE@	$(am__EXEEXT_6)
- @BUILD_GPGTAR_TRUE@@HAVE_W32CE_SYSTEM_FALSE@am__append_11 = gpgtar
- @BUILD_GPGTAR_FALSE@@HAVE_W32CE_SYSTEM_FALSE@am__append_12 = gpgtar
- subdir = tools
-@@ -582,8 +582,8 @@ libcommontlsnpth = ../common/libcommontl
- AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
- sbin_SCRIPTS = addgnupghome applygnupgdefaults
- 
-# bin_SCRIPTS += gpg-zip
-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
-+@HAVE_USTAR_TRUE@bin_PROGRAMS += gpg-zip
-+#@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
- @BUILD_SYMCRYPTRUN_FALSE@symcryptrun = 
- @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun
- @BUILD_WKS_TOOLS_FALSE@gpg_wks_server = 
--- a/SOURCES/gnupg-2.1.21-large-rsa.patch
+++ b/SOURCES/gnupg-2.1.21-large-rsa.patch
@ -1,12 +0,0 @@
-diff -up gnupg-2.1.21/g10/keygen.c.large-rsa gnupg-2.1.21/g10/keygen.c
--- gnupg-2.1.21/g10/keygen.c.large-rsa	2017-05-15 14:13:22.000000000 +0200
-+++ gnupg-2.1.21/g10/keygen.c	2017-07-18 16:12:37.738895016 +0200
-@@ -2091,7 +2091,7 @@ get_keysize_range (int algo, unsigned in
- 
-     default:
-       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
-      *max = 4096;
-+      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
-       def = 2048;
-       break;
-     }
--- a/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
+++ b/SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
@ -1,17 +0,0 @@
-diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
--- gnupg-2.2.16/sm/certlist.c.keyusage	2019-07-01 17:17:06.925254065 +0200
-+++ gnupg-2.2.16/sm/certlist.c	2019-07-01 17:24:15.665759322 +0200
-@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
- 
-   if (mode == 5)
-     {
-      if (use != ~0
-          && (have_ocsp_signing
-              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-                         |KSBA_KEYUSAGE_CRL_SIGN))))
-+      if (have_ocsp_signing
-+          || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
-+                     |KSBA_KEYUSAGE_CRL_SIGN)))
-         return 0;
-       if (!silent)
-         log_info (_("certificate should not have "
--- a/SOURCES/gnupg-2.2.20-CVE-2022-34903.patch
+++ b/SOURCES/gnupg-2.2.20-CVE-2022-34903.patch
@ -1,50 +0,0 @@
-From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Tue, 14 Jun 2022 11:33:27 +0200
-Subject: [PATCH GnuPG] g10: Fix garbled status messages in NOTATION_DATA
-
-* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
-
-Depending on the escaping and line wrapping the computed remaining
-buffer length could be wrong.  Fixed by always using a break to
-terminate the escape detection loop.  Might have happened for all
-status lines which may wrap.
-
-GnuPG-bug-id: T6027
---
- g10/cpr.c | 13 ++++---------
- 1 file changed, 4 insertions(+), 9 deletions(-)
-
-diff --git a/g10/cpr.c b/g10/cpr.c
-index 9bfdd3c34..fa8005d6f 100644
--- a/g10/cpr.c
-+++ b/g10/cpr.c
-@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
-             }
-           first = 0;
-         }
-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
-+      for (esc=0, s=buffer, n=len; n; s++, n--)
-         {
-           if (*s == '%' || *(const byte*)s <= lower_limit
-               || *(const byte*)s == 127 )
-             esc = 1;
-           if (wrap && ++count > wrap)
-            {
-              dowrap=1;
-              break;
-            }
-        }
-      if (esc)
-        {
-          s--; n++;
-+            dowrap=1;
-+          if (esc || dowrap)
-+            break;
-         }
-       if (s != buffer)
-         es_fwrite (buffer, s-buffer, 1, statusfp);
-- 
-2.37.1
-
--- a/SOURCES/gnupg-2.2.20-coverity.patch
+++ b/SOURCES/gnupg-2.2.20-coverity.patch
@ -1,319 +0,0 @@
-diff -up gnupg-2.2.20/common/server-help.c.coverity gnupg-2.2.20/common/server-help.c
--- gnupg-2.2.20/common/server-help.c.coverity	2019-02-11 10:59:34.000000000 +0100
-+++ gnupg-2.2.20/common/server-help.c	2020-05-04 12:00:01.085945639 +0200
-@@ -156,7 +156,7 @@ get_option_value (char *line, const char
-   *pend = 0;
-   *r_value = xtrystrdup (p);
-   *pend = c;
-  if (!p)
-+  if (!*r_value)
-     return my_error_from_syserror ();
-   return 0;
- }
-diff -up gnupg-2.2.20/dirmngr/dns.c.coverity gnupg-2.2.20/dirmngr/dns.c
--- gnupg-2.2.20/dirmngr/dns.c.coverity	2019-07-09 11:08:45.000000000 +0200
-+++ gnupg-2.2.20/dirmngr/dns.c	2020-05-04 18:04:12.285521661 +0200
-@@ -10106,9 +10106,8 @@ static const struct {
- 	{ "AR",         DNS_S_ADDITIONAL },
- };
- 
-const char *(dns_strsection)(enum dns_section section) {
-	char _dst[DNS_STRMAXLEN + 1] = { 0 };
-	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
-+const char *(dns_strsection)(enum dns_section section, void *_dst, size_t lim) {
-+	struct dns_buf dst = DNS_B_INTO(_dst, lim);
- 	unsigned i;
- 
- 	for (i = 0; i < lengthof(dns_sections); i++) {
-@@ -10156,9 +10155,8 @@ static const struct {
- 	{ "IN", DNS_C_IN },
- };
- 
-const char *(dns_strclass)(enum dns_class type) {
-	char _dst[DNS_STRMAXLEN + 1] = { 0 };
-	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
-+const char *(dns_strclass)(enum dns_class type, void *_dst, size_t lim) {
-+	struct dns_buf dst = DNS_B_INTO(_dst, lim);
- 	unsigned i;
- 
- 	for (i = 0; i < lengthof(dns_classes); i++) {
-@@ -10193,9 +10191,8 @@ enum dns_class dns_iclass(const char *na
- } /* dns_iclass() */
- 
- 
-const char *(dns_strtype)(enum dns_type type) {
-	char _dst[DNS_STRMAXLEN + 1] = { 0 };
-	struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
-+const char *(dns_strtype)(enum dns_type type, void *_dst, size_t lim) {
-+	struct dns_buf dst = DNS_B_INTO(_dst, lim);
- 	unsigned i;
- 
- 	for (i = 0; i < lengthof(dns_rrtypes); i++) {
-diff -up gnupg-2.2.20/dirmngr/dns.h.coverity gnupg-2.2.20/dirmngr/dns.h
--- gnupg-2.2.20/dirmngr/dns.h.coverity	2019-03-07 13:03:26.000000000 +0100
-+++ gnupg-2.2.20/dirmngr/dns.h	2020-05-04 18:04:12.287521625 +0200
-@@ -272,15 +272,25 @@ enum dns_rcode {
-  */
- #define DNS_STRMAXLEN 47 /* "QUESTION|ANSWER|AUTHORITY|ADDITIONAL" */
- 
-DNS_PUBLIC const char *dns_strsection(enum dns_section);
-+DNS_PUBLIC const char *dns_strsection(enum dns_section, void *, size_t);
-+#define dns_strsection3(a, b, c) \
-+				dns_strsection((a), (b), (c))
-+#define dns_strsection1(a)	dns_strsection((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
-+#define dns_strsection(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strsection, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
- 
- DNS_PUBLIC enum dns_section dns_isection(const char *);
- 
-DNS_PUBLIC const char *dns_strclass(enum dns_class);
-+DNS_PUBLIC const char *dns_strclass(enum dns_class, void *, size_t);
-+#define dns_strclass3(a, b, c)	dns_strclass((a), (b), (c))
-+#define dns_strclass1(a)	dns_strclass((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
-+#define dns_strclass(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strclass, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
- 
- DNS_PUBLIC enum dns_class dns_iclass(const char *);
- 
-DNS_PUBLIC const char *dns_strtype(enum dns_type);
-+DNS_PUBLIC const char *dns_strtype(enum dns_type, void *, size_t);
-+#define dns_strtype3(a, b, c)	dns_strtype((a), (b), (c))
-+#define dns_strtype1(a)		dns_strtype((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
-+#define dns_strtype(...)	DNS_PP_CALL(DNS_PP_XPASTE(dns_strtype, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
- 
- DNS_PUBLIC enum dns_type dns_itype(const char *);
- 
-diff -up gnupg-2.2.20/dirmngr/domaininfo.c.coverity gnupg-2.2.20/dirmngr/domaininfo.c
--- gnupg-2.2.20/dirmngr/domaininfo.c.coverity	2019-07-09 11:08:45.000000000 +0200
-+++ gnupg-2.2.20/dirmngr/domaininfo.c	2020-05-04 17:54:30.800899152 +0200
-@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
-           log_error ("domaininfo: error allocating helper array: %s\n",
-                      gpg_strerror (gpg_err_code_from_syserror ()));
-           drop_extra = bucket;
-+          xfree (di_new);
-           goto leave;
-         }
-       narray = 0;
-@@ -258,6 +259,8 @@ insert_or_update (const char *domain,
-        * sensible strategy.  */
-       drop_extra = domainbuckets[hash];
-       domainbuckets[hash] = keep;
-+
-+      xfree (array);
-     }
- 
-   /* Insert */
-diff -up gnupg-2.2.20/dirmngr/http.c.coverity gnupg-2.2.20/dirmngr/http.c
--- gnupg-2.2.20/dirmngr/http.c.coverity	2019-11-18 18:44:33.000000000 +0100
-+++ gnupg-2.2.20/dirmngr/http.c	2020-05-04 17:00:47.826878715 +0200
-@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t
-       if (!newurl)
-         {
-           err = gpg_error_from_syserror ();
-          http_release_parsed_uri (locuri);
-           return err;
-         }
-     }
-@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t
-       if (!newurl)
-         {
-           err = gpg_error_from_syserror ();
-          http_release_parsed_uri (locuri);
-           return err;
-         }
-     }
-diff -up gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.20/dirmngr/ks-engine-hkp.c
--- gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity	2019-11-18 18:44:33.000000000 +0100
-+++ gnupg-2.2.20/dirmngr/ks-engine-hkp.c	2020-05-04 12:39:49.970920664 +0200
-@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t
-   int reselect;
-   unsigned int httpflags;
-   char *httphost = NULL;
-  unsigned int http_status;
-+  unsigned int http_status = 0;
-   unsigned int tries = SEND_REQUEST_RETRIES;
-   unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
- 
-diff -up gnupg-2.2.20/g10/card-util.c.coverity gnupg-2.2.20/g10/card-util.c
--- gnupg-2.2.20/g10/card-util.c.coverity	2020-03-03 13:33:22.000000000 +0100
-+++ gnupg-2.2.20/g10/card-util.c	2020-05-04 16:56:47.788157786 +0200
-@@ -704,7 +704,7 @@ card_status (ctrl_t ctrl, estream_t fp,
- {
-   int err;
-   strlist_t card_list, sl;
-  char *serialno0, *serialno1;
-+  char *serialno0, *serialno1 = NULL;
-   int all_cards = 0;
-   int any_card = 0;
- 
-@@ -749,6 +749,7 @@ card_status (ctrl_t ctrl, estream_t fp,
- 
-       current_card_status (ctrl, fp, NULL, 0);
-       xfree (serialno1);
-+      serialno1 = NULL;
- 
-       if (!all_cards)
-         goto leave;
-diff -up gnupg-2.2.20/g10/import.c.coverity gnupg-2.2.20/g10/import.c
--- gnupg-2.2.20/g10/import.c.coverity	2020-05-04 12:34:39.820379830 +0200
-+++ gnupg-2.2.20/g10/import.c	2020-05-04 12:34:55.366106195 +0200
-@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl,
- 
-   if (opt.interactive && !silent)
-     {
-      if (is_status_enabled())
-+      if (uidnode && is_status_enabled())
-         print_import_check (pk, uidnode->pkt->pkt.user_id);
-       merge_keys_and_selfsig (ctrl, keyblock);
-       tty_printf ("\n");
-diff -up gnupg-2.2.20/g10/keygen.c.coverity gnupg-2.2.20/g10/keygen.c
--- gnupg-2.2.20/g10/keygen.c.coverity	2020-05-04 12:23:04.852613017 +0200
-+++ gnupg-2.2.20/g10/keygen.c	2020-05-04 17:33:18.923891110 +0200
-@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl,
-   char *endp;
-   const char *curve = NULL;
-   int ecdh_or_ecdsa = 0;
-  unsigned int size;
-+  unsigned int size = 0;
-   int keyuse;
-   int i;
-   const char *s;
-@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i
-      the self-signatures. */
-   err = agent_readkey (NULL, 1, keyid, &public);
-   if (err)
-    return err;
-+    {
-+      xfree (pkt);
-+      xfree (pk);
-+      return err;
-+    }
-   err = gcry_sexp_sscan (&s_key, NULL, public,
-                          gcry_sexp_canon_len (public, 0, NULL, NULL));
-   xfree (public);
-   if (err)
-    return err;
-+    {
-+      xfree (pkt);
-+      xfree (pk);
-+      return err;
-+    }
- 
-   if (algo == PUBKEY_ALGO_RSA)
-     err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
-@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i
-   if (err)
-     {
-       log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) );
-+      xfree (pkt);
-       free_public_key (pk);
-       return err;
-     }
-diff -up gnupg-2.2.20/g10/sig-check.c.coverity gnupg-2.2.20/g10/sig-check.c
--- gnupg-2.2.20/g10/sig-check.c.coverity	2020-05-04 12:18:18.515653963 +0200
-+++ gnupg-2.2.20/g10/sig-check.c	2020-05-04 12:18:33.599388425 +0200
-@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t
-                 {
-                   /* Issued by a subkey.  */
-                   signer = subk;
-+                  *is_selfsig = 1;
-                   break;
-                 }
-             }
-diff -up gnupg-2.2.20/g10/sign.c.coverity gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.coverity	2020-04-30 11:56:43.909360043 +0200
-+++ gnupg-2.2.20/g10/sign.c	2020-05-04 12:08:56.651544958 +0200
-@@ -823,7 +823,7 @@ write_signature_packets (ctrl_t ctrl,
-       PKT_public_key *pk;
-       PKT_signature *sig;
-       gcry_md_hd_t md;
-      gpg_error_t err;
-+      gpg_error_t err = 0;
- 
-       pk = sk_rover->pk;
- 
-diff -up gnupg-2.2.20/kbx/keybox-dump.c.coverity gnupg-2.2.20/kbx/keybox-dump.c
--- gnupg-2.2.20/kbx/keybox-dump.c.coverity	2019-08-23 15:59:06.000000000 +0200
-+++ gnupg-2.2.20/kbx/keybox-dump.c	2020-05-04 17:25:53.365946213 +0200
-@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi
-   while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) )
-     {
-       if (recno > to)
-        break; /* Ready.  */
-+        {
-+          _keybox_release_blob (blob);
-+          break; /* Ready.  */
-+        }
-       if (recno >= from)
-         {
-           if ((rc = _keybox_write_blob (blob, outfp)))
-             {
-+              _keybox_release_blob (blob);
-               fprintf (stderr, "error writing output: %s\n",
-                        gpg_strerror (rc));
-               goto leave;
-diff -up gnupg-2.2.20/tools/gpg-wks-server.c.coverity gnupg-2.2.20/tools/gpg-wks-server.c
--- gnupg-2.2.20/tools/gpg-wks-server.c.coverity	2020-02-10 16:12:13.000000000 +0100
-+++ gnupg-2.2.20/tools/gpg-wks-server.c	2020-05-04 11:52:42.547643198 +0200
-@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e
-     }
- 
-  leave:
-  if (err)
-+  if (fname)
-     {
-      es_fclose (outfp);
-      gnupg_remove (fname);
-    }
-  else if (es_fclose (outfp))
-    {
-      err = gpg_error_from_syserror ();
-      log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
-+      if (err)
-+        {
-+          es_fclose (outfp);
-+          gnupg_remove (fname);
-+        }
-+      else if (es_fclose (outfp))
-+        {
-+          err = gpg_error_from_syserror ();
-+          log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
-+        }
-     }
- 
-   if (!err)
-diff -up gnupg-2.2.20/tools/wks-util.c.coverity gnupg-2.2.20/tools/wks-util.c
--- gnupg-2.2.20/tools/wks-util.c.coverity	2020-05-04 12:02:21.839475031 +0200
-+++ gnupg-2.2.20/tools/wks-util.c	2020-05-04 17:23:19.552726949 +0200
-@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec
- static gpg_error_t
- install_key_from_spec_file (const char *fname)
- {
-  gpg_error_t err;
-+  gpg_error_t err = 0;
-   estream_t fp;
-   char *line = NULL;
-   size_t linelen = 0;
-@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user
-   char *addrspec, *fname;
- 
-   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
-  if (err)
-    return err;
-
-  es_printf ("%s %s\n", fname, addrspec);
-+  if (!err)
-+    es_printf ("%s %s\n", fname, addrspec);
- 
-   xfree (fname);
-   xfree (addrspec);
-@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri
- 
-   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
-   if (err)
-    return err;
-+    {
-+      xfree (addrspec);
-+      return err;
-+    }
- 
-   domain = strchr (addrspec, '@');
-   if (domain)
--- a/SOURCES/gnupg-2.2.20-file-is-digest.patch
+++ b/SOURCES/gnupg-2.2.20-file-is-digest.patch
@ -1,191 +0,0 @@
-diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
--- gnupg-2.2.20/g10/gpg.c.file-is-digest	2020-04-14 16:33:42.630269318 +0200
-+++ gnupg-2.2.20/g10/gpg.c	2020-04-14 16:34:46.455100086 +0200
-@@ -380,6 +380,7 @@ enum cmd_and_opt_values
-     oTTYtype,
-     oLCctype,
-     oLCmessages,
-+    oFileIsDigest,
-     oXauthority,
-     oGroup,
-     oUnGroup,
-@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
-   ARGPARSE_s_s (oPersonalCompressPreferences,
-                                          "personal-compress-preferences", "@"),
-   ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
-+  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
-   ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
-   ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
-   ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
-@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
-     opt.keyid_format = KF_NONE;
-     opt.def_sig_expire = "0";
-     opt.def_cert_expire = "0";
-+    opt.file_is_digest = 0;
-     gnupg_set_homedir (NULL);
-     opt.passphrase_repeat = 1;
-     opt.emit_version = 0;
-@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
- 	    opt.verify_options&=~VERIFY_SHOW_PHOTOS;
- 	    break;
- 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
-+	  case oFileIsDigest: opt.file_is_digest = 1; break;
- 
-           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
-           case oIncludeKeyBlock:  opt.flags.include_key_block = 1; break;
-diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
--- gnupg-2.2.20/g10/options.h.file-is-digest	2020-03-14 19:54:05.000000000 +0100
-+++ gnupg-2.2.20/g10/options.h	2020-04-14 16:33:42.634269245 +0200
-@@ -202,6 +202,7 @@ struct
-   int no_auto_check_trustdb;
-   int preserve_permissions;
-   int no_homedir_creation;
-+  int file_is_digest;
-   struct groupitem *grouplist;
-   int mangle_dos_filenames;
-   int enable_progress_filter;
-diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.file-is-digest	2020-03-14 19:35:46.000000000 +0100
-+++ gnupg-2.2.20/g10/sign.c	2020-04-14 16:36:54.661751422 +0200
-@@ -40,6 +40,7 @@
- #include "pkglue.h"
- #include "../common/sysutils.h"
- #include "call-agent.h"
-+#include "../common/host2net.h"
- #include "../common/mbox-util.h"
- #include "../common/compliance.h"
- 
-@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
-       if (duration || opt.sig_policy_url
-           || opt.sig_notations || opt.sig_keyserver_url)
-         sig->version = 4;
-+	  else if (opt.file_is_digest)
-+        sig->version = 3;
-       else
-         sig->version = pk->version;
- 
-@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
-           else
-             err = 0;
-         }
-      hash_sigversion_to_magic (md, sig);
-      gcry_md_final (md);
-+
-+      if (!opt.file_is_digest) {
-+	hash_sigversion_to_magic (md, sig);
-+	gcry_md_final (md);
-+      }
- 
-       if (!err)
-         err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
-@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
-     SK_LIST sk_rover = NULL;
-     int multifile = 0;
-     u32 duration=0;
-+    int sigclass = 0x00;
-+    u32 timestamp = 0;
- 
-     pfx = new_progress_context ();
-     afx = new_armor_context ();
-@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
- 	fname = NULL;
- 
-     if( fname && filenames->next && (!detached || encryptflag) )
-	log_bug("multiple files can only be detached signed");
-+	log_bug("multiple files can only be detached signed\n");
-+
-+    if (opt.file_is_digest && (multifile || !fname))
-+	log_bug("file-is-digest only works with one file\n");
-+    if (opt.file_is_digest && !detached)
-+	log_bug("file-is-digest can only write detached signatures\n");
-+    if (opt.file_is_digest && !opt.def_digest_algo)
-+	log_bug("file-is-digest needs --digest-algo\n");
-+    if (opt.file_is_digest && opt.textmode)
-+	log_bug("file-is-digest doesn't work with --textmode\n");
- 
-     if(encryptflag==2
-        && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
-@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
-       goto leave;
- 
-     /* prepare iobufs */
-    if( multifile )  /* have list of filenames */
-+    if( multifile || opt.file_is_digest)  /* have list of filenames */
- 	inp = NULL; /* we do it later */
-     else {
-       inp = iobuf_open(fname);
-@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
-     for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
-       gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- 
-    if( !multifile )
-+    if( !multifile && !opt.file_is_digest )
- 	iobuf_push_filter( inp, md_filter, &mfx );
- 
-     if( detached && !encryptflag)
-@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
- 
-     write_status_begin_signing (mfx.md);
- 
-+    sigclass = opt.textmode && !outfile? 0x01 : 0x00;
-+
-     /* Setup the inner packet. */
-     if( detached ) {
- 	if( multifile ) {
-@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
- 	    if( opt.verbose )
-               log_printf ("\n");
- 	}
-+	else if (opt.file_is_digest) {
-+	    byte *mdb, ts[5];
-+	    size_t mdlen;
-+	    const char *fp;
-+	    int c, d;
-+
-+	    gcry_md_final(mfx.md);
-+	    /* this assumes gcry_md_read returns the same buffer */
-+	    mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
-+		mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
-+	    if (strlen(fname) != mdlen * 2 + 11)
-+	        log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
-+	    d = -1;
-+	    for (fp = fname ; *fp; ) {
-+		c = *fp++;
-+		if (c >= '0' && c <= '9')
-+		    c -= '0';
-+		else if (c >= 'a' && c <= 'f')
-+		    c -= 'a' - 10;
-+		else if (c >= 'A' && c <= 'F')
-+		    c -= 'A' - 10;
-+		else
-+		    log_bug("filename is not hex\n");
-+		if (d >= 0) {
-+		    *mdb++ = d << 4 | c;
-+		    c = -1;
-+		    if (--mdlen == 0) {
-+			mdb = ts;
-+			if (*fp++ != '@')
-+			    log_bug("missing time separator\n");
-+		    }
-+		}
-+		d = c;
-+	    }
-+	    sigclass = ts[0];
-+	    if (sigclass != 0x00 && sigclass != 0x01)
-+		log_bug("bad cipher class\n");
-+	    timestamp = buf32_to_u32(ts + 1);
-+	}
- 	else {
- 	    /* read, so that the filter can calculate the digest */
- 	    while( iobuf_get(inp) != -1 )
-@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
- 
-     /* write the signatures */
-     rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
-                                  opt.textmode && !outfile? 0x01 : 0x00,
-				  0, duration, detached ? 'D':'S', NULL);
-+                                  sigclass,
-+				  timestamp, duration, detached ? 'D':'S', NULL);
-     if( rc )
-         goto leave;
- 
--- a/SOURCES/gnupg-2.2.20.tar.bz2.sig
+++ b/SOURCES/gnupg-2.2.20.tar.bz2.sig
--- a/ci.fmf
+++ b/ci.fmf
@ -0,0 +1 @@
+resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-enabled.functional}
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/ci/fips-disabled-buildroot-disabled.functional}
--- a/gnupg-2.1.1-fips-algo.patch
+++ b/gnupg-2.1.1-fips-algo.patch
@ -0,0 +1,54 @@
+diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
+--- gnupg-2.1.1/g10/mainproc.c.fips	2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c	2015-01-29 17:27:13.938088122 +0100
+@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
+          according to 2440, so hopefully it won't come up that often.
+          There is no good way to specify what algorithms to use in
+          that case, so these there are the historical answer. */
+-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+	if (!gcry_fips_mode_active())
+            gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
+     }
+   if (DBG_HASHING)
+diff --git a/common/t-sexputil.c b/common/t-sexputil.c
+index d75090c5b..be5eb2122 100644
+--- a/common/t-sexputil.c
+++ b/common/t-sexputil.c
+@@ -291,36 +291,6 @@ test_ecc_uncompress (void)
+     const char *b;  /* Compressed.    */
+   }
+   tests[] = {
+-  {
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #042ECD8679930BE2DB4AD42B8600BA3F80"
+-    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406"
+-    /*   */"436DD11A1756AFE56CD93408410FCDA9"
+-    /*   */"BA95024EB613BD481A14FCFEC27A448A#)))",
+-    /* The same in compressed form.  */
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
+-    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))"
+-  },
+-  {
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #045B784CA008EE64AB3D85017EE0D2BE87"
+-    /*   */"558762C7300E0C8E06B1F9AF7C031458"
+-    /*   */"9EBBA41915313417BA54218EB0569C59"
+-    /*   */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
+-    /* The same in compressed form.  */
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #035B784CA008EE64AB3D85017EE0D2BE87"
+-    /*   */"558762C7300E0C8E06B1F9AF7C031458#)))"
+-  },
+   { /* A key which does not require a conversion.  */
+     "(public-key"
+     " (ecdsa"
--- a/SOURCES/gnupg-2.1.10-secmem.patch
+++ b/SOURCES/gnupg-2.1.10-secmem.patch
--- a/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+++ b/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
--- a/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
+++ b/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
--- a/gnupg-2.2.21-coverity.patch
+++ b/gnupg-2.2.21-coverity.patch
@ -0,0 +1,240 @@
+diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c
+--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
+++ gnupg-2.2.21/common/server-help.c  2020-07-20 17:09:57.416148768 +0200
+@@ -156,7 +156,7 @@ get_option_value (char *line, const char
+   *pend = 0;
+   *r_value = xtrystrdup (p);
+   *pend = c;
+-  if (!p)
+  if (!*r_value)
+     return my_error_from_syserror ();
+   return 0;
+ }
+
+From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 9 Apr 2021 16:13:07 +0200
+Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
+
+* g10/card-util.c (change_pin): free answer on errors
+  (ask_card_keyattr): free answer on error
+* g10/cpr.c (do_get_from_fd): free string
+* g10/gpg.c (check_permissions): free dir on weird error
+* g10/import.c (append_new_uid): release knode
+* g10/keyedit.c (menu_set_keyserver_url): free answer
+  (menu_set_keyserver_url): free user
+* g10/keygen.c (print_status_key_not_created): move allocation after
+  sanity check
+  (ask_expire_interval): free answer
+  (card_store_key_with_backup): goto leave instaed of return
+* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
+* g10/revoke.c (gen_desig_revoke): release kdbhd
+  (gen_desig_revoke): free answer
+* g10/tofu.c (ask_about_binding): free sqerr and response
+* g10/trustdb.c (ask_ownertrust): free pk
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ g10/card-util.c | 14 +++++++++++---
+ g10/cpr.c       |  6 +++++-
+ g10/gpg.c       |  1 +
+ g10/import.c    |  5 ++++-
+ g10/keyedit.c   |  8 +++++++-
+ g10/keygen.c    | 15 +++++++++++----
+ g10/keyserver.c |  2 +-
+ g10/revoke.c    |  6 +++++-
+ g10/tofu.c      |  4 ++++
+ g10/trustdb.c   |  1 +
+ 10 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/g10/card-util.c b/g10/card-util.c
+index 36f096f06..c7df8380d 100644
+--- a/g10/card-util.c
+++ b/g10/card-util.c
+@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
+   else
+     for (;;)
+       {
+-	char *answer;
+	char *answer = NULL;
+ 
+ 	tty_printf ("\n");
+ 	tty_printf ("1 - change PIN\n"
+diff --git a/g10/tofu.c b/g10/tofu.c
+index f49083844..83786a08d 100644
+--- a/g10/tofu.c
+++ b/g10/tofu.c
+@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
+          GPGSQL_ARG_END);
+       if (rc)
+         {
+          sqlite3_free (sqerr);
+          sqerr = NULL;
+           rc = gpg_error (GPG_ERR_GENERAL);
+           break;
+         }
+-- 
+2.30.2
+
+
+From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:23:31 +0200
+Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
+
+* dirmngr/domaininfo.c (insert_or_update): free di_new
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ dirmngr/domaininfo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
+index b41aef366..87782b4b1 100644
+--- a/dirmngr/domaininfo.c
+++ b/dirmngr/domaininfo.c
+@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
+           log_error ("domaininfo: error allocating helper array: %s\n",
+                      gpg_strerror (gpg_err_code_from_syserror ()));
+           drop_extra = bucket;
+          xfree (di_new);
+           goto leave;
+         }
+       narray = 0;
+-- 
+2.30.2
+
+
+From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:34:40 +0200
+Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
+
+* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ scd/app-piv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scd/app-piv.c b/scd/app-piv.c
+index 143cc047a..94257f0ee 100644
+--- a/scd/app-piv.c
+++ b/scd/app-piv.c
+@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
+   gpg_error_t err;
+   data_object_t dobj;
+   unsigned char *outdata = NULL;
+-  size_t outdatalen;
+  size_t outdatalen = 0;
+   const unsigned char *s;
+   size_t n;
+   int keyref, mechanism;
+@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
+   /* Now verify the Application PIN.  */
+   err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
+   if (err)
+-    return err;
+    goto leave;
+ 
+   /* Build the Dynamic Authentication Template.  */
+   err = concat_tlv_list (0, &apdudata, &apdudatalen,
+-- 
+2.30.2
+
+
+From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:44:48 +0200
+Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
+
+* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
+  (wks_cmd_print_wkd_hash): Free addrspec on error
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tools/wks-util.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/wks-util.c b/tools/wks-util.c
+index 516c7fe00..38dd194ff 100644
+--- a/tools/wks-util.c
+++ b/tools/wks-util.c
+@@ -1192,11 +1192,14 @@ gpg_error_t
+ wks_cmd_print_wkd_hash (const char *userid)
+ {
+   gpg_error_t err;
+-  char *addrspec, *fname;
+  char *addrspec = NULL, *fname;
+ 
+   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
+   if (err)
+-    return err;
+    {
+      xfree (addrspec);
+      return err;
+    }
+ 
+   es_printf ("%s %s\n", fname, addrspec);
+ 
+@@ -1211,12 +1214,15 @@ gpg_error_t
+ wks_cmd_print_wkd_url (const char *userid)
+ {
+   gpg_error_t err;
+-  char *addrspec, *fname;
+  char *addrspec = NULL, *fname;
+   char *domain;
+ 
+   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
+   if (err)
+-    return err;
+    {
+      xfree (addrspec);
+      return err;
+    }
+ 
+   domain = strchr (addrspec, '@');
+   if (domain)
+-- 
+2.30.2
+
+
+From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 Apr 2021 15:59:12 +0200
+Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
+
+* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
+  the original allocator
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ scd/command.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index cb0dd379a..9d85c5a41 100644
+--- a/scd/command.c
+++ b/scd/command.c
+@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
+         rc = assuan_send_data (ctx, p, strlen (p));
+       else
+         rc = gpg_error (GPG_ERR_NO_DATA);
+-      xfree (p);
+      /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
+      free (p);
+     }
+   else if (!strcmp (line, "deny_admin"))
+     rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
+-- 
+2.30.2
--- a/gnupg-2.2.23-large-rsa.patch
+++ b/gnupg-2.2.23-large-rsa.patch
@ -0,0 +1,12 @@
+diff -up gnupg-2.2.23/g10/keygen.c.large-rsa gnupg-2.2.23/g10/keygen.c
+--- gnupg-2.2.23/g10/keygen.c.large-rsa	2020-09-04 13:53:42.030486671 +0200
+++ gnupg-2.2.23/g10/keygen.c	2020-09-04 13:55:52.896669542 +0200
+@@ -2262,7 +2262,7 @@ get_keysize_range (int algo, unsigned in
+ 
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+-      *max = 4096;
+      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
+       def = 3072;
+       break;
+     }
--- a/SOURCES/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+++ b/SOURCES/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@ -1,3 +1,4 @@
+From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001
 From: Vincent Breitmoser <look@my.amazin.horse>
 Date: Thu, 13 Jun 2019 21:27:42 +0200
 Subject: gpg: allow import of previously known keys, even without UIDs
@ -13,14 +14,14 @@ This fixes two of the three broken tests in import-incomplete.scm.
 GnuPG-Bug-id: 4393
 Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
 ---
- g10/import.c | 44 +++++++++++---------------------------------
- 1 file changed, 11 insertions(+), 33 deletions(-)
+ g10/import.c | 45 +++++++++++----------------------------------
+ 1 file changed, 11 insertions(+), 34 deletions(-)

 diff --git a/g10/import.c b/g10/import.c
-index 5d3162c..f9acf95 100644
+index 9fab46ca6..c70a6221c 100644
 --- a/g10/import.c
 +++ b/g10/import.c
-@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
   size_t an;
   char pkstrbuf[PUBKEY_STRING_SIZE];
   int merge_keys_done = 0;
@ -28,12 +29,12 @@ index 5d3162c..f9acf95 100644
   KEYDB_HANDLE hd = NULL;
 
   if (r_valid)
-@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
       log_printf ("\n");
     }
 
 -
-  if (!uidnode )
+-  if (!uidnode)
 -    {
 -      if (!silent)
 -        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@ -43,16 +44,17 @@ index 5d3162c..f9acf95 100644
   if (screener && screener (keyblock, screener_arg))
     {
       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
+@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
 	  }
     }
 
-  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
 -    {
 -      if (!silent)
 -        {
-          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
-          if (!opt.quiet )
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
 -            log_info(_("this may be caused by a missing self-signature\n"));
 -        }
 -      stats->no_user_id++;
@ -61,11 +63,11 @@ index 5d3162c..f9acf95 100644
 +  /* Delete invalid parts, and note if we have any valid ones left.
 +   * We will later abort import if this key is new but contains
 +   * no valid uids.  */
-+  delete_inv_parts (ctrl, keyblock, keyid, options);
+  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
 
   /* Get rid of deleted nodes.  */
   commit_kbnode (&keyblock);
-@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
+@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
     {
       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
       commit_kbnode (&keyblock);
@ -90,7 +92,7 @@ index 5d3162c..f9acf95 100644
     }
 
   /* The keyblock is valid and ready for real import.  */
-@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
+@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
       err = 0;
       stats->skipped_new_keys++;
     }
--- a/gnupg-2.4.1-file-is-digest.patch
+++ b/gnupg-2.4.1-file-is-digest.patch
@ -0,0 +1,226 @@
+From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tmraz@fedoraproject.org>
+Date: Tue, 5 Aug 2014 17:04:08 +0200
+Subject: [PATCH gnupg] add --file-is-digest option needed for copr
+
+---
+ g10/gpg.c     |  4 +++
+ g10/options.h |  1 +
+ g10/sign.c    | 93 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 85 insertions(+), 13 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index f9bc8395f..dcab0a11a 100644
+--- a/g10/gpg.c
+++ b/g10/gpg.c
+@@ -395,6 +395,7 @@ enum cmd_and_opt_values
+     oTTYtype,
+     oLCctype,
+     oLCmessages,
+    oFileIsDigest,
+     oXauthority,
+     oGroup,
+     oUnGroup,
+@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_s (oTempDir,  "temp-directory", "@"),
+   ARGPARSE_s_s (oExecPath, "exec-path", "@"),
+   ARGPARSE_s_n (oExpert,      "expert", "@"),
+  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
+   ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
+   ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
+   ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
+@@ -2484,6 +2486,7 @@ main (int argc, char **argv)
+     opt.keyid_format = KF_NONE;
+     opt.def_sig_expire = "0";
+     opt.def_cert_expire = "0";
+    opt.file_is_digest = 0;
+     opt.passphrase_repeat = 1;
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+@@ -3111,6 +3114,7 @@ main (int argc, char **argv)
+ 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
+ 
+ 	  case oForceAEAD: opt.force_aead = 1; break;
+	  case oFileIsDigest: opt.file_is_digest = 1; break;
+ 
+           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
+           case oIncludeKeyBlock:  opt.flags.include_key_block = 1; break;
+diff --git a/g10/options.h b/g10/options.h
+index 9015e321f..10852046c 100644
+--- a/g10/options.h
+++ b/g10/options.h
+@@ -219,6 +219,7 @@ struct
+   int no_auto_check_trustdb;
+   int preserve_permissions;
+   int no_homedir_creation;
+  int file_is_digest;
+   struct groupitem *grouplist;
+   int mangle_dos_filenames;
+   int enable_progress_filter;
+diff --git a/g10/sign.c b/g10/sign.c
+index b5e9d422d..7ad143649 100644
+--- a/g10/sign.c
+++ b/g10/sign.c
+@@ -40,6 +40,7 @@
+ #include "pkglue.h"
+ #include "../common/sysutils.h"
+ #include "call-agent.h"
+#include "../common/host2net.h"
+ #include "../common/mbox-util.h"
+ #include "../common/compliance.h"
+ 
+@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl,
+ 
+       if (pk->version >= 5)
+         sig->version = 5;  /* Required for v5 keys.  */
+      else if (opt.file_is_digest)
+        sig->version = 3;
+       else
+         sig->version = 4;  /* Required.  */
+ 
+@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl,
+       if (gcry_md_copy (&md, hash))
+         BUG ();
+ 
+-      build_sig_subpkt_from_sig (sig, pk, 0);
+-      mk_notation_policy_etc (ctrl, sig, NULL, pk);
+-      if (opt.flags.include_key_block && IS_SIG (sig))
+-        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+-      else
+-        err = 0;
+-      hash_sigversion_to_magic (md, sig, extrahash);
+-      gcry_md_final (md);
+      if (!opt.file_is_digest)
+        {
+          build_sig_subpkt_from_sig (sig, pk, 0);
+          mk_notation_policy_etc (ctrl, sig, NULL, pk);
+          if (opt.flags.include_key_block && IS_SIG (sig))
+            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+          else
+            err = 0;
+
+          hash_sigversion_to_magic (md, sig, extrahash);
+          gcry_md_final (md);
+        }
+      else if (sig->version >= 4)
+        {
+          log_bug("file-is-digest doesn't work with v4 sigs\n");
+        }
+ 
+       if (!err)
+         err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
+@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+   SK_LIST sk_rover = NULL;
+   int multifile = 0;
+   u32 duration=0;
+  int sigclass = 0x00;
+  u32 timestamp = 0;
+   pt_extra_hash_data_t extrahash = NULL;
+ 
+   pfx = new_progress_context ();
+@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+     fname = NULL;
+ 
+   if (fname && filenames->next && (!detached || encryptflag))
+-    log_bug ("multiple files can only be detached signed");
+    log_bug ("multiple files can only be detached signed\n");
+
+  if (opt.file_is_digest && (multifile || !fname))
+    log_bug ("file-is-digest only works with one file\n");
+  if (opt.file_is_digest && !detached)
+    log_bug ("file-is-digest can only write detached signatures\n");
+  if (opt.file_is_digest && !opt.def_digest_algo)
+    log_bug ("file-is-digest needs --digest-algo\n");
+  if (opt.file_is_digest && opt.textmode)
+    log_bug ("file-is-digest doesn't work with --textmode\n");
+ 
+   if (encryptflag == 2
+       && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
+@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+     goto leave;
+ 
+   /* Prepare iobufs. */
+-  if (multifile)    /* have list of filenames */
+  if (multifile || opt.file_is_digest)  /* have list of filenames */
+     inp = NULL;     /* we do it later */
+   else
+     {
+@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+   for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
+     gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
+ 
+-  if (!multifile)
+  if (!multifile && !opt.file_is_digest)
+     iobuf_push_filter (inp, md_filter, &mfx);
+ 
+   if (detached && !encryptflag)
+@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ 
+   write_status_begin_signing (mfx.md);
+ 
+  sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
+   /* Setup the inner packet. */
+   if (detached)
+     {
+@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+           if (opt.verbose)
+             log_printf ("\n");
+ 	}
+      else if (opt.file_is_digest)
+        {
+          byte *mdb, ts[5] = {0};
+          size_t mdlen;
+          const char *fp;
+          int c, d;
+
+          gcry_md_final(mfx.md);
+          /* this assumes gcry_md_read returns the same buffer */
+          mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+          mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+          if (strlen(fname) != mdlen * 2 + 11)
+            log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen);
+          d = -1;
+          for (fp = fname ; *fp; )
+            {
+               c = *fp++;
+               if (c >= '0' && c <= '9')
+                 c -= '0';
+               else if (c >= 'a' && c <= 'f')
+                 c -= 'a' - 10;
+               else if (c >= 'A' && c <= 'F')
+                 c -= 'A' - 10;
+               else
+                 log_bug("filename is not hex\n");
+               if (d >= 0)
+                {
+                   *mdb++ = d << 4 | c;
+                   c = -1;
+                   if (--mdlen == 0)
+                    {
+                       mdb = ts;
+                       if (*fp++ != '@')
+                         log_bug("missing time separator\n");
+                     }
+                 }
+               d = c;
+            }
+          sigclass = ts[0];
+          if (sigclass != 0x00 && sigclass != 0x01)
+            log_bug("bad cipher class\n");
+          timestamp = buf32_to_u32(ts + 1);
+        }
+       else
+         {
+           /* Read, so that the filter can calculate the digest. */
+@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ 
+   /* Write the signatures. */
+   rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
+-                                opt.textmode && !outfile? 0x01 : 0x00,
+-                                0, duration, detached ? 'D':'S', NULL);
+                                sigclass,
+                                timestamp, duration, detached ? 'D':'S', NULL);
+   if (rc)
+     goto leave;
+ 
--- a/gnupg-2.4.3-restore-systemd-sockets.patch
+++ b/gnupg-2.4.3-restore-systemd-sockets.patch
@ -0,0 +1,275 @@
+From eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 23 Jan 2023 16:34:19 +0100
+Subject: [PATCH] doc: Remove profile and systemd example files.
+
+--
+
+The profiles are not any longer useful because global options are way
+more powerful (/etc/gnupg/gpg.conf et al.).  The use of systemd is
+deprecated because of additional complexity and the race between
+systemd based autolaunching and the explicit gnupg based and lockfile
+protected autolaunching.
+
+GnuPG-bug-id: 6336
+---
+diff --git b/doc/Makefile.am a/doc/Makefile.am
+index 390153c76..0093c43a8 100644
+--- b/doc/Makefile.am
+++ a/doc/Makefile.am
+@@ -22,6 +22,14 @@ AM_CPPFLAGS =
+            examples/qualified.txt                                       \
+ 	   examples/common.conf                                         \
+            examples/gpgconf.rnames examples/gpgconf.conf                \
+	   examples/systemd-user/README 				\
+	   examples/systemd-user/dirmngr.service 			\
+	   examples/systemd-user/dirmngr.socket				\
+	   examples/systemd-user/gpg-agent.service 			\
+	   examples/systemd-user/gpg-agent.socket 			\
+	   examples/systemd-user/gpg-agent-ssh.socket 			\
+	   examples/systemd-user/gpg-agent-browser.socket		\
+	   examples/systemd-user/gpg-agent-extra.socket 		\
+ 	   examples/pwpattern.list
+ 
+ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
+diff --git b/doc/Makefile.in a/doc/Makefile.in
+index 390153c76..0093c43a8 100644
+--- b/doc/Makefile.in
+++ a/doc/Makefile.in
+@@ -475,6 +475,14 @@ AM_CPPFLAGS =
+            examples/qualified.txt                                       \
+ 	   examples/common.conf                                         \
+            examples/gpgconf.rnames examples/gpgconf.conf                \
+	   examples/systemd-user/README 				\
+	   examples/systemd-user/dirmngr.service 			\
+	   examples/systemd-user/dirmngr.socket				\
+	   examples/systemd-user/gpg-agent.service 			\
+	   examples/systemd-user/gpg-agent.socket 			\
+	   examples/systemd-user/gpg-agent-ssh.socket 			\
+	   examples/systemd-user/gpg-agent-browser.socket		\
+	   examples/systemd-user/gpg-agent-extra.socket 		\
+ 	   examples/pwpattern.list
+ 
+ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
+diff --git b/doc/examples/README a/doc/examples/README
+index cd341ab57..67508c471 100644
+--- b/doc/examples/README
+++ a/doc/examples/README
+@@ -8,6 +8,8 @@ trustlist.txt   A list of trustworthy root certificates
+ 
+ gpgconf.conf    A sample configuration file for gpgconf.
+ 
+systemd-user    Sample files for a Linux-only init system.
+
+ qualified.txt   Sample file for qualified.txt.
+ 
+ common.conf     Sample file for common options.
+diff --git b/doc/examples/gpgconf.conf a/doc/examples/gpgconf.conf
+index 314b955b9..a61d4d453 100644
+--- b/doc/examples/gpgconf.conf
+++ a/doc/examples/gpgconf.conf
+@@ -1,9 +1,5 @@
+ # gpgconf.conf - configuration for gpgconf
+ #----------------------------------------------------------------------
+-#
+-# === The use of this feature is deprecated ===
+-# == Please use the more powerful global options. ==
+-#
+ # This file is read by gpgconf(1) to setup defaults for all or
+ # specified users and groups.  It may be used to change the hardwired
+ # defaults in gpgconf and to enforce certain values for the various
+diff --git b/doc/examples/systemd-user/README a/doc/examples/systemd-user/README
+new file mode 100644
+index 000000000..43122f568
+--- /dev/null
+++ a/doc/examples/systemd-user/README
+@@ -0,0 +1,66 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout.  This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+    systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+    systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them.  For example, to enable socket-activated dirmngr for
+all future sessions:
+
+    systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly.  For example, to set up socket-activated dirmgnr
+in the current session:
+
+    gpgconf --kill dirmngr
+    systemctl --user start dirmngr.socket
+diff --git b/doc/examples/systemd-user/dirmngr.service a/doc/examples/systemd-user/dirmngr.service
+new file mode 100644
+index 000000000..3c060cde5
+--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.service
+@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
+diff --git b/doc/examples/systemd-user/dirmngr.socket a/doc/examples/systemd-user/dirmngr.socket
+new file mode 100644
+index 000000000..ebabf896a
+--- /dev/null
+++ a/doc/examples/systemd-user/dirmngr.socket
+@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-browser.socket a/doc/examples/systemd-user/gpg-agent-browser.socket
+new file mode 100644
+index 000000000..bc8d344e1
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-browser.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-extra.socket a/doc/examples/systemd-user/gpg-agent-extra.socket
+new file mode 100644
+index 000000000..5b87d09df
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-extra.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-ssh.socket a/doc/examples/systemd-user/gpg-agent-ssh.socket
+new file mode 100644
+index 000000000..798c1d967
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent-ssh.socket
+@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent.service a/doc/examples/systemd-user/gpg-agent.service
+new file mode 100644
+index 000000000..a050fccdc
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.service
+@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
+diff --git b/doc/examples/systemd-user/gpg-agent.socket a/doc/examples/systemd-user/gpg-agent.socket
+new file mode 100644
+index 000000000..4257c2c80
+--- /dev/null
+++ a/doc/examples/systemd-user/gpg-agent.socket
+@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
+-- 
+2.41.0
+
--- a/gnupg-2.4.5-revert-default-eddsa.patch
+++ b/gnupg-2.4.5-revert-default-eddsa.patch
@ -0,0 +1,162 @@
+From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 5 Oct 2020 14:21:31 +0200
+Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo.
+
+* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future
+default ago.
+(ask_algo): Change default and also the way we indicate the default
+algo in the list of algos.
+(ask_curve): Indicate the default curve.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ g10/keygen.c | 57 ++++++++++++++++++++++++++--------------------------
+ 1 file changed, 29 insertions(+), 28 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 16e4e58ea..b510525e3 100644
+--- a/g10/keygen.c
+++ b/g10/keygen.c
+@@ -47,10 +47,11 @@
+ #include "../common/mbox-util.h"
+ 
+ 
+-/* The default algorithms.  If you change them, you should ensure the value
+-   is inside the bounds enforced by ask_keysize and gen_xxx.  See also
+-   get_keysize_range which encodes the allowed ranges.  */
+-#define DEFAULT_STD_KEY_PARAM  "rsa3072/cert,sign+rsa3072/encr"
+/* The default algorithms.  If you change them, you should ensure the
+   value is inside the bounds enforced by ask_keysize and gen_xxx.
+   See also get_keysize_range which encodes the allowed ranges.  The
+   default answer in ask_algo also needs to be adjusted.  */
+#define DEFAULT_STD_KEY_PARAM  "ed25519/cert,sign+cv25519/encr"
+ #define FUTURE_STD_KEY_PARAM   "ed25519/cert,sign+cv25519/encr"
+ 
+ /* When generating keys using the streamlined key generation dialog,
+@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+ 
+ #if GPG_USE_RSA
+   if (!addmode)
+-    tty_printf (_("   (%d) RSA and RSA (default)\n"), 1 );
+    tty_printf (_("   (%d) RSA and RSA%s\n"), 1, "");
+ #endif
+ 
+   if (!addmode && opt.compliance != CO_DE_VS)
+-    tty_printf (_("   (%d) DSA and Elgamal\n"), 2 );
+    tty_printf (_("   (%d) DSA and Elgamal%s\n"), 2, "");
+ 
+   if (opt.compliance != CO_DE_VS)
+-    tty_printf (_("   (%d) DSA (sign only)\n"), 3 );
+    tty_printf (_("   (%d) DSA (sign only)%s\n"), 3, "");
+ #if GPG_USE_RSA
+-  tty_printf (_("   (%d) RSA (sign only)\n"), 4 );
+  tty_printf (_("   (%d) RSA (sign only)%s\n"), 4, "");
+ #endif
+ 
+   if (addmode)
+     {
+       if (opt.compliance != CO_DE_VS)
+-        tty_printf (_("   (%d) Elgamal (encrypt only)\n"), 5 );
+        tty_printf (_("   (%d) Elgamal (encrypt only)%s\n"), 5, "");
+ #if GPG_USE_RSA
+-      tty_printf (_("   (%d) RSA (encrypt only)\n"), 6 );
+      tty_printf (_("   (%d) RSA (encrypt only)%s\n"), 6, "");
+ #endif
+     }
+   if (opt.expert)
+     {
+       if (opt.compliance != CO_DE_VS)
+-        tty_printf (_("   (%d) DSA (set your own capabilities)\n"), 7 );
+        tty_printf (_("   (%d) DSA (set your own capabilities)%s\n"), 7, "");
+ #if GPG_USE_RSA
+-      tty_printf (_("   (%d) RSA (set your own capabilities)\n"), 8 );
+      tty_printf (_("   (%d) RSA (set your own capabilities)%s\n"), 8, "");
+ #endif
+     }
+ 
+ #if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA
+-  if (opt.expert && !addmode)
+-    tty_printf (_("   (%d) ECC and ECC\n"), 9 );
+-  if (opt.expert)
+-    tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
+  if (!addmode)
+    tty_printf (_("   (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") );
+  tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
+   if (opt.expert)
+-    tty_printf (_("  (%d) ECC (set your own capabilities)\n"), 11 );
+-  if (opt.expert && addmode)
+-    tty_printf (_("  (%d) ECC (encrypt only)\n"), 12 );
+    tty_printf (_("  (%d) ECC (set your own capabilities)%s\n"), 11, "");
+  if (addmode)
+    tty_printf (_("  (%d) ECC (encrypt only)%s\n"), 12, "");
+ #endif
+ 
+   if (opt.expert && r_keygrip)
+-    tty_printf (_("  (%d) Existing key\n"), 13 );
+    tty_printf (_("  (%d) Existing key%s\n"), 13, "");
+   if (r_keygrip)
+-    tty_printf (_("  (%d) Existing key from card\n"), 14 );
+    tty_printf (_("  (%d) Existing key from card%s\n"), 14, "");
+ 
+   for (;;)
+     {
+@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+       xfree (answer);
+       answer = cpr_get ("keygen.algo", _("Your selection? "));
+       cpr_kill_prompt ();
+-      algo = *answer? atoi (answer) : 1;
+      algo = *answer? atoi (answer) : 9;  /* Default algo is 9 */
+ 
+       if (opt.compliance == CO_DE_VS
+           && (algo == 2 || algo == 3 || algo == 5 || algo == 7))
+@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+           break;
+ 	}
+       else if ((algo == 9 || !strcmp (answer, "ecc+ecc"))
+-               && opt.expert && !addmode)
+               && !addmode)
+         {
+           algo = PUBKEY_ALGO_ECDSA;
+           *r_subkey_algo = PUBKEY_ALGO_ECDH;
+           break;
+ 	}
+-      else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert)
+      else if ((algo == 10 || !strcmp (answer, "ecc/s")))
+         {
+           algo = PUBKEY_ALGO_ECDSA;
+           *r_usage = PUBKEY_USAGE_SIG;
+@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+           break;
+ 	}
+       else if ((algo == 12 || !strcmp (answer, "ecc/e"))
+-               && opt.expert && addmode)
+               && addmode)
+         {
+           algo = PUBKEY_ALGO_ECDH;
+           *r_usage = PUBKEY_USAGE_ENC;
+@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
+     { "NIST P-256",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+     { "NIST P-384",      NULL, NULL,               MY_USE_ECDSADH,  0, 0, 0 },
+     { "NIST P-521",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+-    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 1, 0 },
+    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 0, 0 },
+     { "brainpoolP384r1", NULL, "Brainpool P-384",  MY_USE_ECDSADH,  1, 1, 0 },
+     { "brainpoolP512r1", NULL, "Brainpool P-512",  MY_USE_ECDSADH,  1, 1, 0 },
+     { "secp256k1",       NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
+         }
+ 
+       curves[idx].available = 1;
+-      tty_printf ("   (%d) %s\n", idx + 1,
+      tty_printf ("   (%d) %s%s\n", idx + 1,
+                   curves[idx].pretty_name?
+-                  curves[idx].pretty_name:curves[idx].name);
+                  curves[idx].pretty_name:curves[idx].name,
+                  idx == 0? _(" *default*"):"");
+     }
+   gcry_sexp_release (keyparms);
+ 
+-- 
+2.31.1
+
--- a/gnupg-2.4.5-sast.patch
+++ b/gnupg-2.4.5-sast.patch
--- a/gnupg2-revert-rfc4880bis.patch
+++ b/gnupg2-revert-rfc4880bis.patch
@ -0,0 +1,200 @@
+From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 9 Feb 2023 16:38:58 +0100
+Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
+ defaults
+
+This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
+--gnupg, 2022-10-31).
+---
+ g10/gpg.c    | 35 ++++++++++++++++++++++++++++++++---
+ g10/keygen.c | 30 ++++++++++++++++++------------
+ 2 files changed, 50 insertions(+), 15 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index dcab0a11a..796888013 100644
+--- a/g10/gpg.c
+++ b/g10/gpg.c
+@@ -247,6 +247,7 @@ enum cmd_and_opt_values
+     oGnuPG,
+     oRFC2440,
+     oRFC4880,
+    oRFC4880bis,
+     oOpenPGP,
+     oPGP7,
+     oPGP8,
+@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
+   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
+   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
+  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
+   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
+   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
+@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
+   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
+   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
+-  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
+ 
+ 
+@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] =
+   {
+     { "gnupg",      oGnuPG },
+     { "openpgp",    oOpenPGP },
+-    { "rfc4880bis", oGnuPG },
+    { "rfc4880bis", oRFC4880bis },
+     { "rfc4880",    oRFC4880 },
+     { "rfc2440",    oRFC2440 },
+     { "pgp6",       oPGP7 },
+@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] =
+ static void
+ set_compliance_option (enum cmd_and_opt_values option)
+ {
+  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
+
+   switch (option)
+     {
+    case oRFC4880bis:
+      opt.flags.rfc4880bis = 1;
+      opt.compliance = CO_RFC4880;
+      opt.flags.dsa2 = 1;
+      opt.flags.require_cross_cert = 1;
+      opt.rfc2440_text = 0;
+      opt.allow_non_selfsigned_uid = 1;
+      opt.allow_freeform_uid = 1;
+      opt.escape_from = 1;
+      opt.not_dash_escaped = 0;
+      opt.def_cipher_algo = 0;
+      opt.def_digest_algo = 0;
+      opt.cert_digest_algo = 0;
+      opt.compress_algo = -1;
+      opt.s2k_mode = 3; /* iterated+salted */
+      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
+      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
+      break;
+     case oOpenPGP:
+     case oRFC4880:
+       /* This is effectively the same as RFC2440, but with
+@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
+     case oPGP8:  opt.compliance = CO_PGP8;  break;
+     case oGnuPG:
+       opt.compliance = CO_GNUPG;
+      opt.flags.rfc4880bis = 1;
+       break;
+ 
+     case oDE_VS:
+@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+     opt.compliance = CO_GNUPG;
+    opt.flags.rfc4880bis = 1;
+ 
+     /* Check special options given on the command line.  */
+     orig_argc = argc;
+@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
+           case oOpenPGP:
+           case oRFC2440:
+           case oRFC4880:
+          case oRFC4880bis:
+           case oPGP7:
+           case oPGP8:
+           case oGnuPG:
+@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
+     if( may_coredump && !opt.quiet )
+ 	log_info(_("WARNING: program may create a core file!\n"));
+ 
+    if (!opt.flags.rfc4880bis)
+      {
+        opt.mimemode = 0; /* This will use text mode instead.  */
+      }
+
+     if (eyes_only) {
+       if (opt.set_filename)
+ 	  log_info(_("WARNING: %s overrides %s\n"),
+@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
+     /* Check our chosen algorithms against the list of legal
+        algorithms. */
+ 
+-    if(!GNUPG)
+    if(!GNUPG && !opt.flags.rfc4880bis)
+       {
+ 	const char *badalg=NULL;
+ 	preftype_t badtype=PREFTYPE_NONE;
+diff --git a/g10/keygen.c b/g10/keygen.c
+index a2cfe3ccf..2a1dd1f81 100644
+--- a/g10/keygen.c
+++ b/g10/keygen.c
+@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
+ 	      strcat(dummy_string,"S7 ");
+ 	    strcat(dummy_string,"S2 "); /* 3DES */
+ 
+-            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
+            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ 	      strcat(dummy_string,"A2 ");
+ 
+             if (personal)
+@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
+   /* Make sure that the MDC feature flag is set if needed.  */
+   add_feature_mdc (sig,mdc_available);
+   add_feature_aead (sig, aead_available);
+-  add_feature_v5 (sig, 1);
+  add_feature_v5 (sig, opt.flags.rfc4880bis);
+   add_keyserver_modify (sig,ks_modify);
+   keygen_add_keyserver_url(sig,NULL);
+ 
+@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
+                 }
+             }
+           else if (!ascii_strcasecmp (s, "v5"))
+-            keyversion = 5;
+            {
+              if (opt.flags.rfc4880bis)
+                keyversion = 5;
+            }
+           else if (!ascii_strcasecmp (s, "v4"))
+             keyversion = 4;
+           else
+@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+  *   ecdsa := Use algorithm ECDSA.
+  *   eddsa := Use algorithm EdDSA.
+  *   ecdh  := Use algorithm ECDH.
+- *   v5    := Create version 5 key
+ *   v5    := Create version 5 key (requires option --rfc4880bis)
+  *
+  * There are several defaults and fallbacks depending on the
+  * algorithm.  PART can be used to select which part of STRING is
+@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
+ 	    }
+ 	}
+ 
+-        if ((keywords[i].key == pVERSION
+-             || keywords[i].key == pSUBVERSION))
+-          ; /* Ignore version.  */
+        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
+                                      || keywords[i].key == pSUBVERSION))
+          ; /* Ignore version unless --rfc4880bis is active.  */
+         else
+           {
+             r = xmalloc_clear( sizeof *r + strlen( value ) );
+@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey,
+       para = r;
+     }
+ 
+-  r = xmalloc_clear (sizeof *r + 20);
+-  r->key = for_subkey? pSUBVERSION : pVERSION;
+-  snprintf (r->u.value, 20, "%d", version);
+-  r->next = para;
+-  para = r;
+  if (opt.flags.rfc4880bis)
+    {
+      r = xmalloc_clear (sizeof *r + 20);
+      r->key = for_subkey? pSUBVERSION : pVERSION;
+      snprintf (r->u.value, 20, "%d", version);
+      r->next = para;
+      para = r;
+    }
+ 
+   if (keytime)
+     {
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@ -1,69 +1,84 @@
-%bcond_without unversioned_gpg
+%bcond_with bootstrap

 Summary: Utility for secure communication and data storage
 Name:    gnupg2
-Version: 2.2.20
-Release: 3%{?dist}
+Version: 2.4.5
+Release: 2%{?dist}

-License: GPLv3+
-Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
-Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
-Patch1:  gnupg-2.1.21-insttools.patch
+License: CC0-1.0 AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later AND (BSD-3-Clause OR LGPL-3.0-or-later OR GPL-2.0-or-later) AND CC-BY-4.0 AND MIT
+Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
+Source1: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
+Source2: https://gnupg.org/signature_key.asc
 # needed for compatibility with system FIPS mode
 Patch3:  gnupg-2.1.10-secmem.patch
 # non-upstreamable patch adding file-is-digest option needed for Copr
-Patch4:  gnupg-2.2.20-file-is-digest.patch
-# fix handling of missing key usage on ocsp replies - upstream T1333
-Patch5:  gnupg-2.2.16-ocsp-keyusage.patch
+# https://dev.gnupg.org/T1646
+Patch4:  gnupg-2.4.1-file-is-digest.patch
 Patch6:  gnupg-2.1.1-fips-algo.patch
 # allow 8192 bit RSA keys in keygen UI with large RSA
-Patch9:  gnupg-2.1.21-large-rsa.patch
+Patch9:  gnupg-2.2.23-large-rsa.patch
 # fix missing uid on refresh from keys.openpgp.org
 # https://salsa.debian.org/debian/gnupg2/commit/f292beac1171c6c77faf41d1f88c2e0942ed4437
 Patch20: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
-Patch21: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+Patch21: gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
 Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
-Patch23: gnupg-2.2.20-CVE-2022-34903.patch
 # Fixes for issues found in Coverity scan - reported upstream
-Patch30: gnupg-2.2.20-coverity.patch
+Patch30: gnupg-2.2.21-coverity.patch
+# Revert the introduction of the RFC4880bis draft into defaults
+Patch31: gnupg2-revert-rfc4880bis.patch
+# Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
+Patch33: gnupg-2.4.3-restore-systemd-sockets.patch
+# Revert default EdDSA key types -- they do not work in FIPS Mode
+Patch34: gnupg-2.4.5-revert-default-eddsa.patch
+# https://dev.gnupg.org/T7129
+Patch35: gnupg-2.4.5-sast.patch

+URL:     https://www.gnupg.org/

-URL:     http://www.gnupg.org/
-
-#BuildRequires: automake libtool texinfo transfig
 BuildRequires: gcc
 BuildRequires: bzip2-devel
 BuildRequires: curl-devel
 BuildRequires: docbook-utils
 BuildRequires: gettext
-BuildRequires: libassuan-devel >= 2.1.0
-BuildRequires: libgcrypt-devel >= 1.7.0
-BuildRequires: libgpg-error-devel >= 1.31
-BuildRequires: libksba-devel >= 1.3.0
+%if %{without bootstrap}
+# Require gnupg2 to verify sources, unless bootstrapping
+BuildRequires: gnupg2
+%endif
+BuildRequires: libassuan-devel >= 2.5.0
+BuildRequires: libgcrypt-devel >= 1.9.1
+BuildRequires: libgpg-error-devel >= 1.46
+BuildRequires: libksba-devel >= 1.6.3
 BuildRequires: openldap-devel
-BuildRequires: libusb-devel
 BuildRequires: pcsc-lite-libs
+BuildRequires: ncurses-devel
 BuildRequires: npth-devel
-BuildRequires: readline-devel ncurses-devel
+BuildRequires: readline-devel
 BuildRequires: zlib-devel
 BuildRequires: gnutls-devel
 BuildRequires: sqlite-devel
 BuildRequires: fuse
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
+BuildRequires: tpm2-tss-devel
+# for tests
+BuildRequires: openssh-clients
+BuildRequires: swtpm

-Requires: libgcrypt >= 1.7.0
-Requires: libgpg-error >= 1.31
+Requires: libgcrypt >= 1.9.1
+Requires: libgpg-error >= 1.46

 Recommends: pinentry

 Recommends: gnupg2-smime

-%if %{with unversioned_gpg}
+# for USB smart card support
+Recommends: pcsc-lite-ccid
+
 # pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
 Provides: gpg = %{version}-%{release}
 # Obsolete GnuPG-1 package
 Provides: gnupg = %{version}-%{release}
-Obsoletes: gnupg <= 1.4.10
-%endif
+Obsoletes: gnupg < 1.4.24

 Provides: dirmngr = %{version}-%{release}
 Obsoletes: dirmngr < 1.2.0-1
@ -72,7 +87,7 @@ Obsoletes: dirmngr < 1.2.0-1

 %package smime
 Summary: CMS encryption and signing tool and smart card support for GnuPG
-Requires: gnupg2 = %{version}-%{release}
+Requires: gnupg2%{?_isa} = %{version}-%{release}


 %description
@ -93,23 +108,25 @@ package adds support for smart cards and S/MIME encryption and signing
 to the base GnuPG package

 %prep
+%if ! %{with bootstrap}
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%endif
 %setup -q -n gnupg-%{version}

-%if %{with unversioned_gpg}
-%patch1 -p1 -b .insttools
-%endif
-%patch3 -p1 -b .secmem
-%patch4 -p1 -b .file-is-digest
-%patch5 -p1 -b .keyusage
-%patch6 -p1 -b .fips
-%patch9 -p1 -b .large-rsa
+%patch 3 -p1 -b .secmem
+%patch 4 -p1 -b .file-is-digest
+%patch 6 -p1 -b .fips
+%patch 9 -p1 -b .large-rsa

-%patch20 -p1 -b .test_missing_uid
-%patch21 -p1 -b .prev_known_key
-%patch22 -p1 -b .good_revoc
-%patch23 -p1 -b .CVE-2022-34903
+%patch 20 -p1 -b .test_missing_uid
+%patch 21 -p1 -b .prev_known_key
+%patch 22 -p1 -b .good_revoc

-%patch30 -p1 -b .coverity
+%patch 30 -p1 -b .coverity
+%patch 31 -p1 -b .revert-rfc4880bis
+%patch 33 -p1 -b .restore-systemd-sockets
+%patch 34 -p1 -R -b .eddsa
+%patch 35 -p1 -b .sast

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -120,50 +137,42 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c


 %build
-
 %configure \
-%if %{without unversioned_gpg}
-  --enable-gpg-is-gpg2 \
-%endif
-  --disable-gpgtar \
  --disable-rpath \
  --enable-g13 \
+  --disable-ccid-driver \
+  --with-tss=intel \
  --enable-large-secmem

 # need scratch gpg database for tests
 mkdir -p $HOME/.gnupg

-make %{?_smp_mflags}
+%make_build


 %install
-make install DESTDIR=%{buildroot} \
-  INSTALL="install -p" \
+%make_install \
  docdir=%{_pkgdocdir}

-%if %{without unversioned_gpg}
-# rename file conflicting with gnupg-1.x
-rename gnupg.7 gnupg2.7 %{buildroot}%{_mandir}/man7/gnupg.7*
-%endif
-
 %find_lang %{name}

 # gpgconf.conf
 mkdir -p %{buildroot}%{_sysconfdir}/gnupg
 touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
+mkdir -p %{buildroot}%{_sysconfdir}/profile.d
+echo "export GPG_TTY=\$(tty)" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.sh
+echo "setenv GPG_TTY \`tty\`" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.csh

 # more docs
 install -m644 -p AUTHORS NEWS THANKS TODO \
  %{buildroot}%{_pkgdocdir}

-%if %{with unversioned_gpg}
 # compat symlinks
 ln -sf gpg %{buildroot}%{_bindir}/gpg2
 ln -sf gpgv %{buildroot}%{_bindir}/gpgv2
 ln -sf gpg.1 %{buildroot}%{_mandir}/man1/gpg2.1
 ln -sf gpgv.1 %{buildroot}%{_mandir}/man1/gpgv2.1
 ln -sf gnupg.7 %{buildroot}%{_mandir}/man7/gnupg2.7
-%endif

 # info dir
 rm -f %{buildroot}%{_infodir}/dir
@ -183,31 +192,34 @@ make -k check


 %files -f %{name}.lang
-%{!?_licensedir:%global license %%doc}
 %license COPYING
 #doc AUTHORS NEWS README THANKS TODO
 %{_pkgdocdir}
 %dir %{_sysconfdir}/gnupg
 %ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
+%{_sysconfdir}/profile.d/gnupg2.sh
+%{_sysconfdir}/profile.d/gnupg2.csh
 ## docs say to install suid root, but fedora/rh security folk say not to
 %{_bindir}/gpg2
 %{_bindir}/gpgv2
+%{_bindir}/gpg-card
 %{_bindir}/gpg-connect-agent
 %{_bindir}/gpg-agent
+%{_bindir}/gpg-wks-client
 %{_bindir}/gpgconf
 %{_bindir}/gpgparsemail
+%{_bindir}/gpgtar
 %{_bindir}/g13
 %{_bindir}/dirmngr
 %{_bindir}/dirmngr-client
-%if %{with unversioned_gpg}
 %{_bindir}/gpg
 %{_bindir}/gpgv
 %{_bindir}/gpgsplit
-%{_bindir}/gpg-zip
-%endif
 %{_bindir}/watchgnupg
 %{_bindir}/gpg-wks-server
-%{_sbindir}/*
+%{_sbindir}/addgnupghome
+%{_sbindir}/applygnupgdefaults
+%{_sbindir}/g13-syshelp
 %{_datadir}/gnupg/
 %{_libexecdir}/*
 %{_infodir}/*.info*
@ -222,18 +234,219 @@ make -k check


 %changelog
-* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.2.20-3
- Fix CVE-2022-34903 (#2108447)
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 2.4.5-2
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018

-* Mon May  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
+* Thu Jul 04 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.5-1
+- New upstream release (#2268461)
+- Set GPG_TTY in profile.d (#2264985)
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.4-2
+- Bump release for June 2024 mass rebuild
+
+* Fri Jan 26 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.4-1
+- New upstream release (#2260333)
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Nov 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-4
+- Avoid creation of development versions (#2249037)
+
+* Mon Nov 06 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-3
+- Restore systemd units and sockets (#2158627)
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-1
+- New upstream release (#2193503)
+
+* Thu Jun 01 2023 Michael J Gruber <mjg@fedoraproject.org> - 2.4.2-2
+- fix emacs usage (rhbz#2212090)
+
+* Wed May 31 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.2-1
+- New upstream release
+- Build with TPM2 support
+
+* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.1-1
+- update to 2.4.1 (#2193503)
+
+* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.0-4
+- remove %%skip_verify, brainpool signatures are supported now
+
+* Fri Mar 03 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.0-3
+- Revert introduction of the RFC4880bis draft into defaults
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Dec 20 2022 Todd Zullinger <tmz@pobox.com> - 2.4.0-1
+- update to 2.4.0 (#2155170)
+
+* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.8-1
+- update to 2.3.8
+- BR systemd-rpm-macros for %%{_userunitdir}
+
+* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-5
+- verify upstream signatures in %%prep, unless bootstrapping
+
+* Wed Oct 05 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-4
+- update BR/R versions for libassuan, libgpg-error, and libksba
+- drop with/without unversioned_gpg, last used with fedora-29
+
+* Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-3
+- Fix yubikey 5 detection (#2107766)
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 12 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-1
+- New upstream release (#2106045)
+
+* Mon Jul 04 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-2
+- Fix for CVE-2022-34903 (#2103242)
+- Fix focing AEAD through configuration files (#2093760)
+
+* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-1
+- New upstream release (#2078550)
+
+* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.5-1
+- New upstream release (#2077616)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Dec 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.4-1
+- New upstream release (#2034437)
+
+* Mon Nov 15 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
+- Fix file-is-digest patch (#2022904)
+
+* Wed Oct 13 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
+- New upstream release (2013388)
+
+* Wed Oct 06 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-3
+- Fix crash in agent when deciphering (#2009978)
+- Recommend pcsc-lite-ccid to support USB smart cards (#2007923)
+
+* Mon Sep 20 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-2
+- Disable ccid driver to avoid clash with pcscd (#2005714)
+
+* Wed Aug 25 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-1
+- New upstream relase (#1997276)
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Apr 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-1
+- New upstream release (#1947159)
+
+* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-4
+- Add a configuration to not require exclusive access to PCSC
+
+* Thu Feb 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-3
+- Bump required libgpg-error version (#1930110)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.27-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 12 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-1
+- New upstream release (#1909825)
+
+* Mon Jan 04 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.26-1
+- New upstream release (#1909825)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-2
+- Enable gpgtar (#1901103)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-1
+- Update to 2.2.25 (#1900815)
+
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.24-1
+- Update to 2.2.24 (#1898504)
+
+* Fri Sep  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.23-1
+- upgrade to 2.2.23
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 2.2.21-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.21-1
+- upgrade to 2.2.21
+
+* Mon May  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-3
 - fixes for issues found in Coverity scan

-* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
+* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
+- move systemd user units to _userunitdir (no activation by default)
+
+* Tue Apr 14 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
 - upgrade to 2.2.20

+* Wed Jan 29 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.19-1
+- upgrade to 2.2.19
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan  4 2020 Marcel Härry <mh+fedora@scrit.ch> - 2.2.18-3
+- Add patches to be able to deal with keys without uids (#1787708)
+
+* Fri Dec  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
+- fix abort when decrypting data with anonymous recipient (#1780057)
+
+* Tue Dec  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
+- upgrade to 2.2.18
+
+* Wed Nov  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-3
+- fix the gnupg(7) manual page (#1769072)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jul 15 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-1
+- upgrade to 2.2.17
+
+* Mon Jul  1 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.16-1
+- upgrade to 2.2.16
+
+* Tue Feb 26 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.13-1
+- upgrade to 2.2.13
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.12-3
+- Rebuild for readline 8.0
+
+* Mon Feb  4 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-2
+- make it build with gcc-9
+
+* Tue Jan  8 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-1
+- upgrade to 2.2.12
+
+* Sat Dec 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.11-2
+- Provide unversioned GPG on F30+
+
+* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.11-1
+- upgrade to 2.2.11
+
 * Wed Aug  1 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.9-1
 - upgrade to 2.2.9

+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
 * Mon Jun 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.8-1
 - upgrade to 2.2.8 fixing CVE 2018-12020

--- a/plans/ci.fmf
+++ b/plans/ci.fmf
@ -0,0 +1,23 @@
+/fips-disabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
+      name: /plans/ci/fips-disabled-buildroot-disabled
+
+/fips-disabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
+      name: /plans/ci/fips-disabled-buildroot-enabled
+
+/fips-enabled-buildroot-disabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
+      name: /plans/ci/fips-enabled-buildroot-disabled
+
+/fips-enabled-buildroot-enabled:
+  plan:
+    import:
+      url: https://pkgs.devel.redhat.com/git/tests/gnupg2
+      name: /plans/ci/fips-enabled-buildroot-enabled
--- a/signature_key.asc
+++ b/signature_key.asc
@ -0,0 +1,86 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
+wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
+4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
+b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
+bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
+icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
+GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
+m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
+IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
+/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
+BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
+ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
+AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
+BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
+EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
+BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
+V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
+c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
+OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
+l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
+Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
+HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
+UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
+7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
+wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
+C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
+bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
+Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
+VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
+fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
+dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
+my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
+7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
+3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
+QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
+vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
+vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
+YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
+t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
+eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
+4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
+D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
+MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
+MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
+14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
+jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
+WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
+AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
+RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
+IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
+N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
+eiInsGZ/+h5XYrpXTgA=
+=4+Sn
+-----END PGP PUBLIC KEY BLOCK-----
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+SHA512 (gnupg-2.4.5.tar.bz2) = 4d54744f09399c5899144d0cb5fdc2756e45b058db41b9ea9df3be03e80b914509e16ef35aa0248e7561185b80f7a5f9fd6afcab8ccff75ff82ed555448a38ff
+SHA512 (gnupg-2.4.5.tar.bz2.sig) = 53be0db371a98c930cbef9c844adcd06a8049d84dd71508f6f7427fc1736b374912c85ebf3a415748651260f65cf26f633697f4bdae2cc4a8d2c4b522db0bc71
				`@ -1 +0,0 @@`
				`d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2`