summaryrefslogtreecommitdiff
path: root/repo/gnupg
diff options
context:
space:
mode:
Diffstat (limited to 'repo/gnupg')
-rw-r--r--repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch31
-rw-r--r--repo/gnupg/0010-avoid-beta-warning.patch46
-rw-r--r--repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch41
-rw-r--r--repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch91
-rw-r--r--repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch83
-rw-r--r--repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch232
-rw-r--r--repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch51
-rw-r--r--repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch93
-rw-r--r--repo/gnupg/0320-gpg-default-to-aes256.patch37
-rw-r--r--repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch66
-rw-r--r--repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch48
-rw-r--r--repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch29
-rw-r--r--repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch51
-rw-r--r--repo/gnupg/60-scdaemon.rules63
-rw-r--r--repo/gnupg/fix-i18n.patch12
-rw-r--r--repo/gnupg/gnupg-scdaemon.pre-install4
-rw-r--r--repo/gnupg/gnupg.xibuild73
17 files changed, 1051 insertions, 0 deletions
diff --git a/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch b/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch
new file mode 100644
index 0000000..a835f39
--- /dev/null
+++ b/repo/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch
@@ -0,0 +1,31 @@
+From d2f3053e156a8dfc3e2e7f8fa814f671d851b26f Mon Sep 17 00:00:00 2001
+From: Natanael Copa <ncopa@alpinelinux.org>
+Date: Fri, 4 Jul 2014 08:15:21 +0000
+Subject: [PATCH] Include sys/select.h for FD_SETSIZE
+
+This fixes the following compile error with musl libc:
+watchgnupg.c:225:18: error: 'FD_SETSIZE' undeclared (first use in this
+function)
+ else if (fd >= FD_SETSIZE)
+ ^
+
+Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
+---
+ tools/watchgnupg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/watchgnupg.c b/tools/watchgnupg.c
+index 4f4d54d..7aede22 100644
+--- a/tools/watchgnupg.c
++++ b/tools/watchgnupg.c
+@@ -28,6 +28,7 @@
+ #include <stdarg.h>
+ #include <assert.h>
+ #include <unistd.h>
++#include <sys/select.h>
+ #include <sys/socket.h>
+ #include <sys/un.h>
+ #include <netinet/in.h>
+--
+2.0.1
+
diff --git a/repo/gnupg/0010-avoid-beta-warning.patch b/repo/gnupg/0010-avoid-beta-warning.patch
new file mode 100644
index 0000000..2c3c873
--- /dev/null
+++ b/repo/gnupg/0010-avoid-beta-warning.patch
@@ -0,0 +1,46 @@
+From: Debian GnuPG Maintainers <pkg-gnupg-maint@lists.alioth.debian.org>
+Date: Tue, 14 Apr 2015 10:02:31 -0400
+Subject: avoid-beta-warning
+
+avoid self-describing as a beta
+
+Using autoreconf against the source as distributed in tarball form
+invariably results in a package that thinks it's a "beta" package,
+which produces the "THIS IS A DEVELOPMENT VERSION" warning string.
+
+since we use dh_autoreconf, i need this patch to avoid producing
+builds that announce themselves as DEVELOPMENT VERSIONs.
+
+See discussion at:
+
+ http://lists.gnupg.org/pipermail/gnupg-devel/2014-November/029065.html
+---
+ autogen.sh | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/debian-packaging/avoid-beta-warning.patch
+
+diff --git a/autogen.sh b/autogen.sh
+index b238550..9b86d3f 100755
+--- a/autogen.sh
++++ b/autogen.sh
+@@ -229,7 +229,7 @@ if [ "$myhost" = "find-version" ]; then
+ esac
+
+ beta=no
+- if [ -e .git ]; then
++ if false; then
+ ingit=yes
+ tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+ tmp=$(echo "$tmp" | sed s/^"$package"//)
+@@ -245,8 +245,8 @@ if [ "$myhost" = "find-version" ]; then
+ rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+ else
+ ingit=no
+- beta=yes
+- tmp="-unknown"
++ beta=no
++ tmp=""
+ rev="0000000"
+ rvd="0"
+ fi
diff --git a/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch b/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch
new file mode 100644
index 0000000..2ce171a
--- /dev/null
+++ b/repo/gnupg/0020-avoid-regenerating-defsincdate-use-shipped-file.patch
@@ -0,0 +1,41 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 29 Aug 2016 12:34:42 -0400
+Subject: avoid regenerating defsincdate (use shipped file)
+
+upstream ships doc/defsincdate in its tarballs. but doc/Makefile.am
+tries to rewrite doc/defsincdate if it notices that any of the files
+have been modified more recently, and it does so assuming that we're
+running from a git repo.
+
+However, we'd rather ship the documents cleanly without regenerating
+defsincdate -- we don't have a git repo available (debian builds from
+upstream tarballs) and any changes to the texinfo files (e.g. from
+debian/patches/) might result in different dates on the files than we
+expect after they're applied by dpkg or quilt or whatever, which makes
+the datestamp unreproducible.
+---
+ doc/Makefile.am | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/debian-packaging/avoid-regenerating-defsincdate-use-shipped-file.patch
+
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index 2b882c3..6be571b 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -178,15 +178,6 @@ $(myman_pages) gnupg.7 : yat2m-stamp defs.inc
+
+ dist-hook: defsincdate
+
+-defsincdate: $(gnupg_TEXINFOS)
+- : >defsincdate ; \
+- if test -e $(top_srcdir)/.git; then \
+- (cd $(srcdir) && git log -1 --format='%ct' \
+- -- $(gnupg_TEXINFOS) 2>/dev/null) >>defsincdate; \
+- elif test x"$$SOURCE_DATE_EPOCH" != x; then \
+- echo "$$SOURCE_DATE_EPOCH" >>defsincdate ; \
+- fi
+-
+ defs.inc : defsincdate Makefile mkdefsinc
+ incd="`test -f defsincdate || echo '$(srcdir)/'`defsincdate"; \
+ ./mkdefsinc -C $(srcdir) --date "`cat $$incd 2>/dev/null`" \
diff --git a/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch b/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch
new file mode 100644
index 0000000..644b8a5
--- /dev/null
+++ b/repo/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch
@@ -0,0 +1,91 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Tue, 11 Aug 2015 20:28:26 -0400
+Subject: Avoid simple memory dumps via ptrace
+
+This avoids needing to setgid gpg-agent. It probably doesn't defend
+against all possible attacks, but it defends against one specific (and
+easy) one. If there are other protections we should do them too.
+
+This will make it slightly harder to debug the agent because the
+normal user won't be able to attach gdb to it directly while it runs.
+
+The remaining options for debugging are:
+
+ * launch the agent from gdb directly
+ * connect gdb to a running agent as the superuser
+
+Upstream bug: https://dev.gnupg.org/T1211
+---
+ agent/gpg-agent.c | 8 ++++++++
+ configure.ac | 2 +-
+ scd/scdaemon.c | 9 +++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
+
+diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
+index b167c34..5afcf11 100644
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -50,6 +50,9 @@
+ # include <signal.h>
+ #endif
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -1030,6 +1033,11 @@ main (int argc, char **argv )
+
+ early_system_init ();
+
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ /* Before we do anything else we save the list of currently open
+ file descriptors and the signal mask. This info is required to
+ do the exec call properly. We don't need it on Windows. */
+diff --git a/configure.ac b/configure.ac
+index 7a2d410..2d8b050 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1426,7 +1426,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \
+ ftruncate funlockfile getaddrinfo getenv getpagesize \
+ getpwnam getpwuid getrlimit getrusage gettimeofday \
+ gmtime_r inet_ntop inet_pton isascii lstat memicmp \
+- memmove memrchr mmap nl_langinfo pipe raise rand \
++ memmove memrchr mmap nl_langinfo pipe prctl raise rand \
+ setenv setlocale setrlimit sigaction sigprocmask \
+ stat stpcpy strcasecmp strerror strftime stricmp \
+ strlwr strncasecmp strpbrk strsep strtol strtoul \
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index 5c519f8..cab66a0 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -37,6 +37,9 @@
+ #include <unistd.h>
+ #include <signal.h>
+ #include <npth.h>
++#ifdef HAVE_PRCTL
++# include <sys/prctl.h>
++#endif
+
+ #define INCLUDED_BY_MAIN_MODULE 1
+ #define GNUPG_COMMON_NEED_AFLOCAL
+@@ -446,6 +449,12 @@ main (int argc, char **argv )
+ npth_t pipecon_handler;
+
+ early_system_init ();
++
++#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
++ /* Disable ptrace on Linux without sgid bit */
++ prctl(PR_SET_DUMPABLE, 0);
++#endif
++
+ set_strusage (my_strusage);
+ gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
+ /* Please note that we may running SUID(ROOT), so be very CAREFUL
diff --git a/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch b/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
new file mode 100644
index 0000000..1aa79c6
--- /dev/null
+++ b/repo/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
@@ -0,0 +1,83 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 01:25:05 -0400
+Subject: dirmngr: hkp: Avoid potential race condition when some hosts die.
+
+* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass
+through the host table instead of risking out-of-bounds write.
+
+--
+
+Multiple threads may write to hosttable[x]->dead while
+select_random_host() is running. For example, a housekeeping thread
+might clear the ->dead bit on some entries, or another connection to
+dirmngr might manually mark a host as alive.
+
+If one or more hosts are resurrected between the two loops over a
+given table in select_random_host(), then the allocation of tbl might
+not be large enough, resulting in a write past the end of tbl on the
+second loop.
+
+This change collapses the two loops into a single loop to avoid this
+discrepancy: each host's "dead" bit is now only checked once.
+
+As Werner points out, this isn't currently strictly necessary, since
+npth will not switch threads unless a blocking system call is made,
+and no blocking system call is made in these two loops.
+
+However, in a subsequent change in this series, we will call a
+function in this loop, and that function may sometimes write(2), or
+call other functions, which may themselves block. Keeping this as a
+single-pass loop avoids the need to keep track of what might block and
+what might not.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/ks-engine-hkp.c | 23 ++++++++++-------------
+ 1 file changed, 10 insertions(+), 13 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index 14859c7..d425363 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ static int
+ select_random_host (hostinfo_t hi)
+ {
+- int *tbl;
+- size_t tblsize;
++ int *tbl = NULL;
++ size_t tblsize = 0;
+ int pidx, idx;
+
+ /* We create a new table so that we randomly select only from
+ currently alive hosts. */
+- for (idx = 0, tblsize = 0;
++ for (idx = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
+ if (hosttable[pidx] && !hosttable[pidx]->dead)
+- tblsize++;
++ {
++ tblsize++;
++ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
++ if (!tbl)
++ return -1; /* memory allocation failed! */
++ tbl[tblsize-1] = pidx;
++ }
+ if (!tblsize)
+ return -1; /* No hosts. */
+
+- tbl = xtrymalloc (tblsize * sizeof *tbl);
+- if (!tbl)
+- return -1;
+- for (idx = 0, tblsize = 0;
+- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+- idx++)
+- if (hosttable[pidx] && !hosttable[pidx]->dead)
+- tbl[tblsize++] = pidx;
+-
+ if (tblsize == 1) /* Save a get_uint_nonce. */
+ pidx = tbl[0];
+ else
diff --git a/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch b/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
new file mode 100644
index 0000000..0e125fd
--- /dev/null
+++ b/repo/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
@@ -0,0 +1,232 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 02:00:50 -0400
+Subject: dirmngr: Avoid need for hkp housekeeping.
+
+* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether
+host is alive and resurrects it if it has been dead long enough.
+(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
+instead of testing hostinfo_t->dead directly.
+(ks_hkp_housekeeping): Remove function, no longer needed.
+* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
+ks_hkp_housekeeping.
+
+--
+
+Rather than resurrecting hosts upon scheduled resurrection times, test
+whether hosts should be resurrected as they're inspected for being
+dead. This removes the need for explicit housekeeping, and makes host
+resurrections happen "just in time", rather than being clustered on
+HOUSEKEEPING_INTERVAL seconds.
+
+According to 392e068e9f143d41f6350345619543cbcd47380f,
+dns_stuff_housekeeping only works on Windows, so it also isn't
+necessary in debian, but it remains in place for now.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 3 ---
+ dirmngr/dirmngr.h | 1 -
+ dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++-------------------------
+ 3 files changed, 35 insertions(+), 41 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index ae967dd..89eea4e 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -1935,12 +1935,10 @@ static void *
+ housekeeping_thread (void *arg)
+ {
+ static int sentinel;
+- time_t curtime;
+ struct server_control_s ctrlbuf;
+
+ (void)arg;
+
+- curtime = gnupg_get_time ();
+ if (sentinel)
+ {
+ log_info ("housekeeping is already going on\n");
+@@ -1954,7 +1952,6 @@ housekeeping_thread (void *arg)
+ dirmngr_init_default_ctrl (&ctrlbuf);
+
+ dns_stuff_housekeeping ();
+- ks_hkp_housekeeping (curtime);
+ if (network_activity_seen)
+ {
+ network_activity_seen = 0;
+diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
+index 1b52a1d..4afc19b 100644
+--- a/dirmngr/dirmngr.h
++++ b/dirmngr/dirmngr.h
+@@ -217,7 +217,6 @@ const char* dirmngr_get_current_socket_name (void);
+ int dirmngr_use_tor (void);
+
+ /*-- Various housekeeping functions. --*/
+-void ks_hkp_housekeeping (time_t curtime);
+ void ks_hkp_reload (void);
+
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index d425363..c50681d 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ return 0;
+ }
+
++static int
++host_is_alive (hostinfo_t hi, time_t curtime)
++{
++ if (!hi)
++ return 0;
++ if (!hi->dead)
++ return 1;
++ if (!hi->died_at)
++ return 0; /* manually marked dead */
++ if (hi->died_at + RESURRECT_INTERVAL <= curtime
++ || hi->died_at > curtime)
++ {
++ hi->dead = 0;
++ log_info ("resurrected host '%s'", hi->name);
++ return 1;
++ }
++ return 0;
++}
+
+ /* Select a random host. Consult HI->pool which indices into the global
+ hosttable. Returns index into HI->pool or -1 if no host could be
+@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi)
+ int *tbl = NULL;
+ size_t tblsize = 0;
+ int pidx, idx;
++ time_t curtime;
+
++ curtime = gnupg_get_time ();
+ /* We create a new table so that we randomly select only from
+ currently alive hosts. */
+ for (idx = 0;
+ idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
+ idx++)
+- if (hosttable[pidx] && !hosttable[pidx]->dead)
++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime))
+ {
+ tblsize++;
+ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
+@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ int is_pool;
+ int new_hosts = 0;
+ char *cname;
++ time_t curtime;
+
+ *r_host = NULL;
+ if (r_httpflags)
+@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ }
+ else
+ hi = hosttable[idx];
++ curtime = gnupg_get_time ();
+
+ is_pool = hi->pool != NULL;
+
+@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (force_reselect)
+ hi->poolidx = -1;
+ else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size
+- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead)
++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime))
+ hi->poolidx = -1;
+
+ /* Select a host if needed. */
+@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ return gpg_error_from_syserror ();
+ }
+
+- if (hi->dead)
++ if (!host_is_alive (hi, curtime))
+ {
+ log_error ("host '%s' marked as dead\n", hi->name);
+ if (r_httphost)
+@@ -770,7 +792,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ {
+ gpg_error_t err = 0;
+ hostinfo_t hi, hi2;
+- int idx, idx2, idx3, n;
++ int idx, idx2, idx3, n, is_alive;
++ time_t curtime;
+
+ if (!name || !*name || !strcmp (name, "localhost"))
+ return 0;
+@@ -779,13 +802,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ if (idx == -1)
+ return gpg_error (GPG_ERR_NOT_FOUND);
+
++ curtime = gnupg_get_time ();
+ hi = hosttable[idx];
+- if (alive && hi->dead)
++ is_alive = host_is_alive (hi, curtime);
++ if (alive && !is_alive)
+ {
+ hi->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive", name);
+ }
+- else if (!alive && !hi->dead)
++ else if (!alive && is_alive)
+ {
+ hi->dead = 1;
+ hi->died_at = 0; /* Manually set dead. */
+@@ -819,14 +844,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+
+ hi2 = hosttable[n];
+ if (!hi2)
+- ;
+- else if (alive && hi2->dead)
++ continue;
++ is_alive = host_is_alive (hi2, curtime);
++ if (alive && !is_alive)
+ {
+ hi2->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive",
+ hi2->name);
+ }
+- else if (!alive && !hi2->dead)
++ else if (!alive && is_alive)
+ {
+ hi2->dead = 1;
+ hi2->died_at = 0; /* Manually set dead. */
+@@ -1112,34 +1138,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+ }
+
+
+-/* Housekeeping function called from the housekeeping thread. It is
+- used to mark dead hosts alive so that they may be tried again after
+- some time. */
+-void
+-ks_hkp_housekeeping (time_t curtime)
+-{
+- int idx;
+- hostinfo_t hi;
+-
+- for (idx=0; idx < hosttable_size; idx++)
+- {
+- hi = hosttable[idx];
+- if (!hi)
+- continue;
+- if (!hi->dead)
+- continue;
+- if (!hi->died_at)
+- continue; /* Do not resurrect manually shot hosts. */
+- if (hi->died_at + RESURRECT_INTERVAL <= curtime
+- || hi->died_at > curtime)
+- {
+- hi->dead = 0;
+- log_info ("resurrected host '%s'", hi->name);
+- }
+- }
+-}
+-
+-
+ /* Reload (SIGHUP) action for this module. We mark all host alive
+ * even those which have been manually shot. */
+ void
diff --git a/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch b/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
new file mode 100644
index 0000000..8ffd897
--- /dev/null
+++ b/repo/gnupg/0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
@@ -0,0 +1,51 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+From: Jakub Jirutka <jakub@jirutka.cz>
+Date: Sun, 20 Nov 2016 23:09:24 -0500
+Date: Wed, 18 Aug 2021 21:08:20 +0200
+Subject: dirmngr: Avoid automatically checking upstream swdb.
+
+* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically
+checking upstream's software database. In Debian, software updates
+should be handled by the distro mechanism, and additional upstream
+checks only confuse the user.
+* doc/dirmngr.texi: document that --allow-version-check does nothing.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 2 --
+ doc/dirmngr.texi | 7 ++++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-automatically-checking-upstream-swdb.patch
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 89eea4e..f26ed63 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -1955,8 +1955,6 @@ housekeeping_thread (void *arg)
+ if (network_activity_seen)
+ {
+ network_activity_seen = 0;
+- if (opt.allow_version_check)
+- dirmngr_load_swdb (&ctrlbuf, 0);
+ workqueue_run_global_tasks (&ctrlbuf, 1);
+ }
+ else
+diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
+index 843fdbf..84a8d28 100644
+--- a/doc/dirmngr.texi
++++ b/doc/dirmngr.texi
+@@ -291,9 +291,10 @@ Set the size of the queue for pending connections. The default is 64.
+ @item --allow-version-check
+ @opindex allow-version-check
+ Allow Dirmngr to connect to @code{https://versions.gnupg.org} to get
+-the list of current software versions. If this option is enabled
+-the list is retrieved in case the local
+-copy does not exist or is older than 5 to 7 days. See the option
++the list of current software versions.
++On Alpine-packaged versions, this option does nothing since software
++updates should be handled by the distribution.
++See the option
+ @option{--query-swdb} of the command @command{gpgconf} for more
+ details. Note, that regardless of this option a version check can
+ always be triggered using this command:
diff --git a/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch b/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch
new file mode 100644
index 0000000..e04f480
--- /dev/null
+++ b/repo/gnupg/0310-gpg-default-to-3072-bit-keys.patch
@@ -0,0 +1,93 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:41:10 -0400
+Subject: gpg: default to 3072-bit keys.
+
+* agent/command.c (hlp_genkey): update help text to suggest the use of
+3072 bits.
+* doc/wks.texi: Make example match default generation.
+* g10/keygen.c (gen_elg): update default from 2048 to 3072.
+* g10/keyid.c (pubkey_string): update comment so that first example
+is the default 3072-bit RSA.
+
+--
+
+3072-bit RSA is widely considered to be 128-bit-equivalent security.
+This is a sensible default in 2017.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+
+(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)
+---
+ agent/command.c | 2 +-
+ doc/wks.texi | 4 ++--
+ g10/keygen.c | 2 +-
+ g10/keyid.c | 4 ++--
+ 4 files changed, 6 insertions(+), 6 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/from-master/gpg-default-to-3072-bit-keys.patch
+
+diff --git a/agent/command.c b/agent/command.c
+index 8642498..f94e770 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -843,7 +843,7 @@ static const char hlp_genkey[] =
+ "\n"
+ " C: GENKEY\n"
+ " S: INQUIRE KEYPARAM\n"
+- " C: D (genkey (rsa (nbits 2048)))\n"
++ " C: D (genkey (rsa (nbits 3072)))\n"
+ " C: END\n"
+ " S: D (public-key\n"
+ " S: D (rsa (n 326487324683264) (e 10001)))\n"
+diff --git a/doc/wks.texi b/doc/wks.texi
+index 119e31c..ae6c310 100644
+--- a/doc/wks.texi
++++ b/doc/wks.texi
+@@ -412,10 +412,10 @@ the submission address:
+ The output of the last command looks similar to this:
+
+ @example
+- sec rsa2048 2016-08-30 [SC]
++ sec rsa3072 2016-08-30 [SC]
+ C0FCF8642D830C53246211400346653590B3795B
+ uid [ultimate] key-submission@@example.net
+- ssb rsa2048 2016-08-30 [E]
++ ssb rsa3072 2016-08-30 [E]
+ @end example
+
+ Take the fingerprint from that output and manually publish the key:
+diff --git a/g10/keygen.c b/g10/keygen.c
+index d50acf8..79d4579 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -1436,7 +1436,7 @@ gen_elg (int algo, unsigned int nbits, KBNODE pub_root,
+
+ if (nbits < 1024)
+ {
+- nbits = 2048;
++ nbits = 3072;
+ log_info (_("keysize invalid; using %u bits\n"), nbits );
+ }
+ else if (nbits > 4096)
+diff --git a/g10/keyid.c b/g10/keyid.c
+index 69d85da..2987287 100644
+--- a/g10/keyid.c
++++ b/g10/keyid.c
+@@ -73,7 +73,7 @@ pubkey_letter( int algo )
+ is copied to the supplied buffer up a length of BUFSIZE-1.
+ Examples for the output are:
+
+- "rsa2048" - RSA with 2048 bit
++ "rsa3072" - RSA with 3072 bit
+ "elg1024" - Elgamal with 1024 bit
+ "ed25519" - ECC using the curve Ed25519.
+ "E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
+@@ -83,7 +83,7 @@ pubkey_letter( int algo )
+ If the option --legacy-list-mode is active, the output use the
+ legacy format:
+
+- "2048R" - RSA with 2048 bit
++ "3072R" - RSA with 3072 bit
+ "1024g" - Elgamal with 1024 bit
+ "256E" - ECDSA using a curve with 256 bit
+
diff --git a/repo/gnupg/0320-gpg-default-to-aes256.patch b/repo/gnupg/0320-gpg-default-to-aes256.patch
new file mode 100644
index 0000000..2d9a90f
--- /dev/null
+++ b/repo/gnupg/0320-gpg-default-to-aes256.patch
@@ -0,0 +1,37 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 19:04:00 -0400
+Subject: gpg: default to AES-256.
+
+* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
+
+--
+
+It's 2017, and pretty much everyone has AES-256 available. Symmetric
+crypto is also rarely the bottleneck (asymmetric crypto is much more
+expensive). AES-256 provides some level of protection against
+large-scale decryption efforts, and longer key lengths provide a hedge
+against unforseen cryptanalysis.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
+---
+ g10/main.h | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/from-master/gpg-default-to-AES-256.patch
+
+diff --git a/g10/main.h b/g10/main.h
+index 68360e2..1983e42 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -31,7 +31,9 @@
+ (i.e. uncompressed) rather than 1 (zip). However, the real world
+ issues of speed and size come into play here. */
+
+-#if GPG_USE_AES128
++#if GPG_USE_AES256
++# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
++#elif GPG_USE_AES128
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
+ #elif GPG_USE_CAST5
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch b/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
new file mode 100644
index 0000000..75c5b73
--- /dev/null
+++ b/repo/gnupg/0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
@@ -0,0 +1,66 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Thu, 7 Sep 2017 18:49:35 -0400
+Subject: gpg: Default to SHA-512 for all signature types on RSA keys.
+
+* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
+--gnupg mode (leave strict RFC and PGP modes alone).
+* configure.ac: Do not allow disabling sha512.
+* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.
+
+--
+
+SHA512 is more performant on most 64-bit platforms than SHA256, and
+offers a better security margin. It is also widely implemented.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ configure.ac | 2 +-
+ g10/main.h | 2 +-
+ g10/misc.c | 5 +----
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/update-defaults/gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch
+
+diff --git a/configure.ac b/configure.ac
+index 2d8b050..4b9d908 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -317,7 +317,7 @@ GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+ GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+ # SHA256 is a MUST algorithm for GnuPG.
+ GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+-GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
++# SHA512 is a MUST algorithm for GnuPG.
+
+
+ # Allow disabling of zip support.
+diff --git a/g10/main.h b/g10/main.h
+index 1983e42..388eae3 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -41,7 +41,7 @@
+ # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_3DES
+ #endif
+
+-#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
++#define DEFAULT_DIGEST_ALGO ((GNUPG)? DIGEST_ALGO_SHA512:DIGEST_ALGO_SHA1)
+ #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
+ #ifdef HAVE_ZIP
+ # define DEFAULT_COMPRESS_ALGO COMPRESS_ALGO_ZIP
+diff --git a/g10/misc.c b/g10/misc.c
+index 634d303..6fc2d58 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -849,11 +849,8 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
+ case DIGEST_ALGO_SHA384: return 0;
+ #endif
+
+-#ifdef GPG_USE_SHA512
+ case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+-#else
+- case DIGEST_ALGO_SHA512: return 0;
+-#endif
++
+ default: return 0;
+ }
+ }
diff --git a/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch b/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
new file mode 100644
index 0000000..bac31b3
--- /dev/null
+++ b/repo/gnupg/0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
@@ -0,0 +1,48 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Wed, 3 Jan 2018 12:34:26 -0500
+Subject: gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.
+
+* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
+and SHA-384 by default.
+
+--
+
+In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
+defaults for --default-preference-list to advertise a preference for
+SHA-512, without touching --personal-digest-preferences. This makes
+the same change for --personal-digest-preferences, since every modern
+OpenPGP library supports them all.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/keygen.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/update-defaults/gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 79d4579..cb92468 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -391,16 +391,16 @@ keygen_set_std_prefs (const char *string,int personal)
+ if (personal)
+ {
+ /* The default internal hash algo order is:
+- * SHA-256, SHA-384, SHA-512, SHA-224, SHA-1.
++ * SHA-512, SHA-384, SHA-256, SHA-224, SHA-1.
+ */
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
+- strcat (dummy_string, "H8 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++ strcat (dummy_string, "H10 ");
+
+ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
+ strcat (dummy_string, "H9 ");
+
+- if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
+- strcat (dummy_string, "H10 ");
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++ strcat (dummy_string, "H8 ");
+ }
+ else
+ {
diff --git a/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch b/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch
new file mode 100644
index 0000000..b0d619e
--- /dev/null
+++ b/repo/gnupg/0410-make-gpg-zip-use-tar-from-path.patch
@@ -0,0 +1,29 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sun, 18 Nov 2018 17:29:52 -0500
+Subject: Make gpg-zip use tar from $PATH
+
+Apparently there is no clean way to configure this from ./configure,
+and upstream is deprecating gpg-zip anyway. So just force-set tar to
+be manually "tar" (meaning, that we should look in the $PATH at
+runtime).
+
+See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582
+---
+ tools/gpg-zip.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
+
+diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in
+index 9047e36..3821f3a 100644
+--- a/tools/gpg-zip.in
++++ b/tools/gpg-zip.in
+@@ -23,7 +23,7 @@
+ # the GNU or POSIX variant of USTAR.
+
+ VERSION=@VERSION@
+-TAR=@TAR@
++TAR=tar
+ GPG=gpg
+
+ usage="\
diff --git a/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch b/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
new file mode 100644
index 0000000..46f2316
--- /dev/null
+++ b/repo/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
@@ -0,0 +1,51 @@
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Mon, 15 Jul 2019 16:24:35 -0400
+Subject: gpg: drop import-clean from default keyserver import options
+
+* g10/gpg.c (main): drop IMPORT_CLEAN from the
+default opt.keyserver_options.import_options
+* doc/gpg.texi: reflect this change in the documentation
+
+Given that SELF_SIGS_ONLY is already set, it's not clear what
+additional benefit IMPORT_CLEAN provides. Furthermore, IMPORT_CLEAN
+means that receiving an OpenPGP certificate from a keyserver will
+potentially delete data that is otherwise held in the local keyring,
+which is surprising to users who expect retrieval from the keyservers
+to be purely additive.
+
+GnuPG-Bug-Id: 4628
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ doc/gpg.texi | 2 +-
+ g10/gpg.c | 3 +--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 7b603d7..104318a 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -1982,7 +1982,7 @@ are available for all keyserver types, some common options are:
+
+ @end table
+
+-The default list of options is: "self-sigs-only, import-clean,
++The default list of options is: "self-sigs-only,
+ repair-keys, repair-pks-subkey-bug, export-attributes,
+ honor-pka-record".
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 6b44cfb..caa0487 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -2348,8 +2348,7 @@ main (int argc, char **argv)
+ opt.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+ | IMPORT_REPAIR_PKS_SUBKEY_BUG
+- | IMPORT_SELF_SIGS_ONLY
+- | IMPORT_CLEAN);
++ | IMPORT_SELF_SIGS_ONLY);
+ opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
+ opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+ opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/repo/gnupg/60-scdaemon.rules b/repo/gnupg/60-scdaemon.rules
new file mode 100644
index 0000000..55ca5c1
--- /dev/null
+++ b/repo/gnupg/60-scdaemon.rules
@@ -0,0 +1,63 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Gemalto
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Reiner (SCT cyberJack)
+ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Kobil (KAAN)
+ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## VASCO (DIGIPASS 920)
+ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Crypto Stick
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Nitrokey
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Gnuk Token
+ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Fujitsu Siemens
+ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 OTP+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg", GROUP+="gnupg"
+
+LABEL="gnupg_rules_end"
diff --git a/repo/gnupg/fix-i18n.patch b/repo/gnupg/fix-i18n.patch
new file mode 100644
index 0000000..90fc033
--- /dev/null
+++ b/repo/gnupg/fix-i18n.patch
@@ -0,0 +1,12 @@
+--- gnupg-2.1.7/common/i18n.c.orig 2015-08-31 20:40:18.752742866 +0300
++++ gnupg-2.1.7/common/i18n.c 2015-08-31 20:40:41.806336224 +0300
+@@ -85,8 +85,8 @@
+ bindtextdomain (PACKAGE_GT, gnupg_localedir ());
+ textdomain (PACKAGE_GT);
+ #else
+-# ifdef ENABLE_NLS
+ setlocale (LC_ALL, "" );
++# ifdef ENABLE_NLS
+ bindtextdomain (PACKAGE_GT, gnupg_localedir ());
+ textdomain (PACKAGE_GT);
+ # endif
diff --git a/repo/gnupg/gnupg-scdaemon.pre-install b/repo/gnupg/gnupg-scdaemon.pre-install
new file mode 100644
index 0000000..b0cac4c
--- /dev/null
+++ b/repo/gnupg/gnupg-scdaemon.pre-install
@@ -0,0 +1,4 @@
+#!/bin/sh
+addgroup -S gnupg 2> /dev/null
+
+exit 0
diff --git a/repo/gnupg/gnupg.xibuild b/repo/gnupg/gnupg.xibuild
new file mode 100644
index 0000000..95ffa44
--- /dev/null
+++ b/repo/gnupg/gnupg.xibuild
@@ -0,0 +1,73 @@
+#!/bin/sh
+
+NAME="gnupg"
+DESC="GNU Privacy Guard 2 - meta package for full GnuPG suite"
+
+MAKEDEPS=" autoconf automake bzip2 gettext gnutls libassuan libgcrypt libgpg-error libksba libtool libusb npth openldap pinentry sqlite texinfo zlib"
+
+PKG_VER=2.2.34
+SOURCE="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$PKG_VER.tar.bz2"
+
+ADDITIONAL="
+0001-Include-sys-select.h-for-FD_SETSIZE.patch
+0010-avoid-beta-warning.patch
+0020-avoid-regenerating-defsincdate-use-shipped-file.patch
+0110-avoid-simple-memory-dumps-via-ptrace.patch
+0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
+0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
+0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
+0310-gpg-default-to-3072-bit-keys.patch
+0320-gpg-default-to-aes256.patch
+0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
+0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
+0410-make-gpg-zip-use-tar-from-path.patch
+0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
+60-scdaemon.rules
+fix-i18n.patch
+gnupg-scdaemon.pre-install
+"
+
+prepare() {
+ apply_patches
+
+ autoreconf -vif
+}
+
+build() {
+ ./configure \
+ --prefix=/usr \
+ --sysconfdir=/etc \
+ --mandir=/usr/share/man \
+ --infodir=/usr/share/info \
+ --localstatedir=/var \
+ --disable-nls \
+ --enable-bzip2 \
+ --enable-tofu \
+ --enable-scdaemon \
+ --enable-ccid-driver
+ make
+}
+
+check() {
+ make check
+}
+
+package() {
+ make DESTDIR="$PKG_DEST" install
+
+ install -m755 tools/gpg-zip "$PKG_DEST"/usr/bin/gpg-zip
+ install -Dm644 -t "$PKG_DEST"/lib/udev/rules.d/ "$BUILD_ROOT"/60-scdaemon.rules
+
+ cd "$PKG_DEST"
+
+ # install compat symlink
+ ln -s gpg usr/bin/gpg2
+ ln -s gpgv usr/bin/gpgv2
+
+ # Remove docs for systemd-user
+ rm -rf usr/share/doc/gnupg/examples/systemd-user
+
+ # Remove gpg scheme interpreter - an internal tool used in gpg tests
+ rm -rf usr/bin/gpgscm
+}
+