Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-crypt/gnupg
diff options
context:
space:
mode:
authorSam James <sam@gentoo.org>2023-06-10 22:01:44 +0100
committerSam James <sam@gentoo.org>2023-06-10 22:01:52 +0100
commit45c04d8fcc0b0432990e1a3e2c6ae5e0d1c4032a (patch)
tree63a64c6d15949339e9b5bd39cfa5ebbe18de000f /app-crypt/gnupg
parentmedia-video/ffmpeg: drop 5.1.3 (diff)
downloadgentoo-45c04d8fcc0b0432990e1a3e2c6ae5e0d1c4032a.tar.gz
gentoo-45c04d8fcc0b0432990e1a3e2c6ae5e0d1c4032a.tar.bz2
gentoo-45c04d8fcc0b0432990e1a3e2c6ae5e0d1c4032a.zip
app-crypt/gnupg: backport Emacs EPA fix
Closes: https://bugs.gentoo.org/907839 Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to 'app-crypt/gnupg')
-rw-r--r--app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch564
-rw-r--r--app-crypt/gnupg/gnupg-2.4.2-r1.ebuild192
2 files changed, 756 insertions, 0 deletions
diff --git a/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch b/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch
new file mode 100644
index 000000000000..2e9141ab579b
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.4.2-fix-emacs.patch
@@ -0,0 +1,564 @@
+https://bugs.gentoo.org/907839
+https://dev.gnupg.org/T6481
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=2f872fa68c6576724b9dabee9fb0844266f55d0d
+
+From 2f872fa68c6576724b9dabee9fb0844266f55d0d Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 24 May 2023 10:36:04 +0900
+Subject: [PATCH] gpg: Report BEGIN_* status before examining the input.
+
+* common/miscellaneous.c (is_openpgp_compressed_packet)
+(is_file_compressed): Moved to ...
+* common/iobuf.c: ... in this file.
+(is_file_compressed): Change the argument to INP, the iobuf.
+* common/util.h (is_file_compressed): Remove.
+* common/iobuf.h (is_file_compressed): Add.
+* g10/cipher-aead.c (write_header): Don't call write_status_printf
+here.
+(cipher_filter_aead): Call write_status_printf when called with
+IOBUFCTRL_INIT.
+* g10/cipher-cfb.c (write_header): Don't call write_status_printf
+here.
+(cipher_filter_cfb): Call write_status_printf when called with
+IOBUFCTRL_INIT.
+* g10/encrypt.c (encrypt_simple): Use new is_file_compressed function,
+after call of iobuf_push_filter.
+(encrypt_crypt): Likewise.
+* g10/sign.c (sign_file): Likewise.
+
+--
+
+GnuPG-bug-id: 6481
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+--- a/common/iobuf.c
++++ b/common/iobuf.c
+@@ -3057,3 +3057,123 @@ iobuf_skip_rest (iobuf_t a, unsigned long n, int partial)
+ }
+ }
+ }
++
++
++/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
++ * packet. LEN should be at least 6. */
++static int
++is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
++{
++ int c, ctb, pkttype;
++ int lenbytes;
++
++ ctb = *buf++; len--;
++ if (!(ctb & 0x80))
++ return 0; /* Invalid packet. */
++
++ if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
++ {
++ pkttype = (ctb & 0x3f);
++ if (!len)
++ return 0; /* Expected first length octet missing. */
++ c = *buf++; len--;
++ if (c < 192)
++ ;
++ else if (c < 224)
++ {
++ if (!len)
++ return 0; /* Expected second length octet missing. */
++ }
++ else if (c == 255)
++ {
++ if (len < 4)
++ return 0; /* Expected length octets missing */
++ }
++ }
++ else /* Old style CTB. */
++ {
++ pkttype = (ctb>>2)&0xf;
++ lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
++ if (len < lenbytes)
++ return 0; /* Not enough length bytes. */
++ }
++
++ return (pkttype == 8);
++}
++
++
++/*
++ * Check if the file is compressed, by peeking the iobuf. You need to
++ * pass the iobuf with INP. Returns true if the buffer seems to be
++ * compressed.
++ */
++int
++is_file_compressed (iobuf_t inp)
++{
++ int i;
++ char buf[32];
++ int buflen;
++
++ struct magic_compress_s
++ {
++ byte len;
++ byte extchk;
++ byte magic[5];
++ } magic[] =
++ {
++ { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
++ { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
++ { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
++ { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
++ { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
++ { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
++ };
++
++ if (!inp)
++ return 0;
++
++ for ( ; inp->chain; inp = inp->chain )
++ ;
++
++ buflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof buf, buf);
++ if (buflen < 0)
++ {
++ buflen = 0;
++ log_debug ("peeking at input failed\n");
++ }
++
++ if ( buflen < 6 )
++ {
++ return 0; /* Too short to check - assume uncompressed. */
++ }
++
++ for ( i = 0; i < DIM (magic); i++ )
++ {
++ if (!memcmp( buf, magic[i].magic, magic[i].len))
++ {
++ switch (magic[i].extchk)
++ {
++ case 0:
++ return 1; /* Is compressed. */
++ case 1:
++ if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
++ return 1; /* JFIF: this likely a compressed JPEG. */
++ break;
++ case 2:
++ if (buflen > 8
++ && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
++ return 1; /* This is a PNG. */
++ break;
++ default:
++ break;
++ }
++ }
++ }
++
++ if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
++ {
++ return 1; /* Already compressed. */
++ }
++
++ return 0; /* Not detected as compressed. */
++}
+--- a/common/iobuf.h
++++ b/common/iobuf.h
+@@ -629,6 +629,9 @@ void iobuf_set_partial_body_length_mode (iobuf_t a, size_t len);
+ from the following filter (which may or may not return EOF). */
+ void iobuf_skip_rest (iobuf_t a, unsigned long n, int partial);
+
++/* Check if the file is compressed, by peeking the iobuf. */
++int is_file_compressed (iobuf_t inp);
++
+ #define iobuf_where(a) "[don't know]"
+
+ /* Each time a filter is allocated (via iobuf_alloc()), a
+--- a/common/miscellaneous.c
++++ b/common/miscellaneous.c
+@@ -415,112 +415,6 @@ decode_c_string (const char *src)
+ }
+
+
+-/* Check whether (BUF,LEN) is valid header for an OpenPGP compressed
+- * packet. LEN should be at least 6. */
+-static int
+-is_openpgp_compressed_packet (const unsigned char *buf, size_t len)
+-{
+- int c, ctb, pkttype;
+- int lenbytes;
+-
+- ctb = *buf++; len--;
+- if (!(ctb & 0x80))
+- return 0; /* Invalid packet. */
+-
+- if ((ctb & 0x40)) /* New style (OpenPGP) CTB. */
+- {
+- pkttype = (ctb & 0x3f);
+- if (!len)
+- return 0; /* Expected first length octet missing. */
+- c = *buf++; len--;
+- if (c < 192)
+- ;
+- else if (c < 224)
+- {
+- if (!len)
+- return 0; /* Expected second length octet missing. */
+- }
+- else if (c == 255)
+- {
+- if (len < 4)
+- return 0; /* Expected length octets missing */
+- }
+- }
+- else /* Old style CTB. */
+- {
+- pkttype = (ctb>>2)&0xf;
+- lenbytes = ((ctb&3)==3)? 0 : (1<<(ctb & 3));
+- if (len < lenbytes)
+- return 0; /* Not enough length bytes. */
+- }
+-
+- return (pkttype == 8);
+-}
+-
+-
+-
+-/*
+- * Check if the file is compressed. You need to pass the first bytes
+- * of the file as (BUF,BUFLEN). Returns true if the buffer seems to
+- * be compressed.
+- */
+-int
+-is_file_compressed (const byte *buf, unsigned int buflen)
+-{
+- int i;
+-
+- struct magic_compress_s
+- {
+- byte len;
+- byte extchk;
+- byte magic[5];
+- } magic[] =
+- {
+- { 3, 0, { 0x42, 0x5a, 0x68, 0x00 } }, /* bzip2 */
+- { 3, 0, { 0x1f, 0x8b, 0x08, 0x00 } }, /* gzip */
+- { 4, 0, { 0x50, 0x4b, 0x03, 0x04 } }, /* (pk)zip */
+- { 5, 0, { '%', 'P', 'D', 'F', '-'} }, /* PDF */
+- { 4, 1, { 0xff, 0xd8, 0xff, 0xe0 } }, /* Maybe JFIF */
+- { 5, 2, { 0x89, 'P','N','G', 0x0d} } /* Likely PNG */
+- };
+-
+- if ( buflen < 6 )
+- {
+- return 0; /* Too short to check - assume uncompressed. */
+- }
+-
+- for ( i = 0; i < DIM (magic); i++ )
+- {
+- if (!memcmp( buf, magic[i].magic, magic[i].len))
+- {
+- switch (magic[i].extchk)
+- {
+- case 0:
+- return 1; /* Is compressed. */
+- case 1:
+- if (buflen > 11 && !memcmp (buf + 6, "JFIF", 5))
+- return 1; /* JFIF: this likely a compressed JPEG. */
+- break;
+- case 2:
+- if (buflen > 8
+- && buf[5] == 0x0a && buf[6] == 0x1a && buf[7] == 0x0a)
+- return 1; /* This is a PNG. */
+- break;
+- default:
+- break;
+- }
+- }
+- }
+-
+- if (buflen >= 6 && is_openpgp_compressed_packet (buf, buflen))
+- {
+- return 1; /* Already compressed. */
+- }
+-
+- return 0; /* Not detected as compressed. */
+-}
+-
+-
+ /* Try match against each substring of multistr, delimited by | */
+ int
+ match_multistr (const char *multistr,const char *match)
+--- a/common/util.h
++++ b/common/util.h
+@@ -360,8 +360,6 @@ char *try_make_printable_string (const void *p, size_t n, int delim);
+ char *make_printable_string (const void *p, size_t n, int delim);
+ char *decode_c_string (const char *src);
+
+-int is_file_compressed (const byte *buf, unsigned int buflen);
+-
+ int match_multistr (const char *multistr,const char *match);
+
+ int gnupg_compare_version (const char *a, const char *b);
+--- a/g10/cipher-aead.c
++++ b/g10/cipher-aead.c
+@@ -174,8 +174,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
+ log_debug ("aead packet: len=%lu extralen=%d\n",
+ (unsigned long)ed.len, ed.extralen);
+
+- write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
+- cfx->dek->algo, ed.aead_algo);
+ print_cipher_algo_note (cfx->dek->algo);
+
+ if (build_packet( a, &pkt))
+@@ -488,6 +486,11 @@ cipher_filter_aead (void *opaque, int control,
+ {
+ mem2str (buf, "cipher_filter_aead", *ret_len);
+ }
++ else if (control == IOBUFCTRL_INIT)
++ {
++ write_status_printf (STATUS_BEGIN_ENCRYPTION, "0 %d %d",
++ cfx->dek->algo, cfx->dek->use_aead);
++ }
+
+ return rc;
+ }
+--- a/g10/cipher-cfb.c
++++ b/g10/cipher-cfb.c
+@@ -72,9 +72,6 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
+ log_info (_("Hint: Do not use option %s\n"), "--rfc2440");
+ }
+
+- write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
+- ed.mdc_method, cfx->dek->algo);
+-
+ init_packet (&pkt);
+ pkt.pkttype = cfx->dek->use_mdc? PKT_ENCRYPTED_MDC : PKT_ENCRYPTED;
+ pkt.pkt.encrypted = &ed;
+@@ -182,6 +179,12 @@ cipher_filter_cfb (void *opaque, int control,
+ {
+ mem2str (buf, "cipher_filter_cfb", *ret_len);
+ }
++ else if (control == IOBUFCTRL_INIT)
++ {
++ write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",
++ cfx->dek->use_mdc ? DIGEST_ALGO_SHA1 : 0,
++ cfx->dek->algo);
++ }
+
+ return rc;
+ }
+--- a/g10/encrypt.c
++++ b/g10/encrypt.c
+@@ -410,8 +410,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
+ text_filter_context_t tfx;
+ progress_filter_context_t *pfx;
+ int do_compress = !!default_compress_algo();
+- char peekbuf[32];
+- int peekbuflen;
+
+ if (!gnupg_rng_is_compliant (opt.compliance))
+ {
+@@ -448,14 +446,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
+ return rc;
+ }
+
+- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
+- if (peekbuflen < 0)
+- {
+- peekbuflen = 0;
+- if (DBG_FILTER)
+- log_debug ("peeking at input failed\n");
+- }
+-
+ handle_progress (pfx, inp, filename);
+
+ if (opt.textmode)
+@@ -517,17 +507,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
+ /**/ : "CFB");
+ }
+
+- if (do_compress
+- && cfx.dek
+- && (cfx.dek->use_mdc || cfx.dek->use_aead)
+- && !opt.explicit_compress_option
+- && is_file_compressed (peekbuf, peekbuflen))
+- {
+- if (opt.verbose)
+- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
+- do_compress = 0;
+- }
+-
+ if ( rc || (rc = open_outfile (-1, filename, opt.armor? 1:0, 0, &out )))
+ {
+ iobuf_cancel (inp);
+@@ -598,6 +577,24 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
+ else
+ filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
+
++ /* Register the cipher filter. */
++ if (mode)
++ iobuf_push_filter (out,
++ cfx.dek->use_aead? cipher_filter_aead
++ /**/ : cipher_filter_cfb,
++ &cfx );
++
++ if (do_compress
++ && cfx.dek
++ && (cfx.dek->use_mdc || cfx.dek->use_aead)
++ && !opt.explicit_compress_option
++ && is_file_compressed (inp))
++ {
++ if (opt.verbose)
++ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
++ do_compress = 0;
++ }
++
+ if (!opt.no_literal)
+ {
+ /* Note that PT has been initialized above in !no_literal mode. */
+@@ -617,13 +614,6 @@ encrypt_simple (const char *filename, int mode, int use_seskey)
+ pkt.pkt.generic = NULL;
+ }
+
+- /* Register the cipher filter. */
+- if (mode)
+- iobuf_push_filter (out,
+- cfx.dek->use_aead? cipher_filter_aead
+- /**/ : cipher_filter_cfb,
+- &cfx );
+-
+ /* Register the compress filter. */
+ if ( do_compress )
+ {
+@@ -783,7 +773,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ PKT_plaintext *pt = NULL;
+ DEK *symkey_dek = NULL;
+ STRING2KEY *symkey_s2k = NULL;
+- int rc = 0, rc2 = 0;
++ int rc = 0;
+ u32 filesize;
+ cipher_filter_context_t cfx;
+ armor_filter_context_t *afx = NULL;
+@@ -792,8 +782,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ progress_filter_context_t *pfx;
+ PK_LIST pk_list;
+ int do_compress;
+- char peekbuf[32];
+- int peekbuflen;
+
+ if (filefd != -1 && filename)
+ return gpg_error (GPG_ERR_INV_ARG); /* Both given. */
+@@ -866,14 +854,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ if (opt.verbose)
+ log_info (_("reading from '%s'\n"), iobuf_get_fname_nonnull (inp));
+
+- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
+- if (peekbuflen < 0)
+- {
+- peekbuflen = 0;
+- if (DBG_FILTER)
+- log_debug ("peeking at input failed\n");
+- }
+-
+ handle_progress (pfx, inp, filename);
+
+ if (opt.textmode)
+@@ -900,25 +880,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ if (!cfx.dek->use_aead)
+ cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo);
+
+- /* Only do the is-file-already-compressed check if we are using a
+- * MDC or AEAD. This forces compressed files to be re-compressed if
+- * we do not have a MDC to give some protection against chosen
+- * ciphertext attacks. */
+- if (do_compress
+- && (cfx.dek->use_mdc || cfx.dek->use_aead)
+- && !opt.explicit_compress_option
+- && is_file_compressed (peekbuf, peekbuflen))
+- {
+- if (opt.verbose)
+- log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
+- do_compress = 0;
+- }
+- if (rc2)
+- {
+- rc = rc2;
+- goto leave;
+- }
+-
+ make_session_key (cfx.dek);
+ if (DBG_CRYPTO)
+ log_printhex (cfx.dek->key, cfx.dek->keylen, "DEK is: ");
+@@ -960,6 +921,26 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ else
+ filesize = opt.set_filesize ? opt.set_filesize : 0; /* stdin */
+
++ /* Register the cipher filter. */
++ iobuf_push_filter (out,
++ cfx.dek->use_aead? cipher_filter_aead
++ /**/ : cipher_filter_cfb,
++ &cfx);
++
++ /* Only do the is-file-already-compressed check if we are using a
++ * MDC or AEAD. This forces compressed files to be re-compressed if
++ * we do not have a MDC to give some protection against chosen
++ * ciphertext attacks. */
++ if (do_compress
++ && (cfx.dek->use_mdc || cfx.dek->use_aead)
++ && !opt.explicit_compress_option
++ && is_file_compressed (inp))
++ {
++ if (opt.verbose)
++ log_info(_("'%s' already compressed\n"), filename? filename: "[stdin]");
++ do_compress = 0;
++ }
++
+ if (!opt.no_literal)
+ {
+ pt->timestamp = make_timestamp();
+@@ -974,12 +955,6 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
+ else
+ cfx.datalen = filesize && !do_compress ? filesize : 0;
+
+- /* Register the cipher filter. */
+- iobuf_push_filter (out,
+- cfx.dek->use_aead? cipher_filter_aead
+- /**/ : cipher_filter_cfb,
+- &cfx);
+-
+ /* Register the compress filter. */
+ if (do_compress)
+ {
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -1035,9 +1035,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ int multifile = 0;
+ u32 duration=0;
+ pt_extra_hash_data_t extrahash = NULL;
+- char peekbuf[32];
+- int peekbuflen = 0;
+-
+
+ pfx = new_progress_context ();
+ afx = new_armor_context ();
+@@ -1096,14 +1093,6 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ goto leave;
+ }
+
+- peekbuflen = iobuf_ioctl (inp, IOBUF_IOCTL_PEEK, sizeof peekbuf, peekbuf);
+- if (peekbuflen < 0)
+- {
+- peekbuflen = 0;
+- if (DBG_FILTER)
+- log_debug ("peeking at input failed\n");
+- }
+-
+ handle_progress (pfx, inp, fname);
+ }
+
+@@ -1261,7 +1250,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ int compr_algo = opt.compress_algo;
+
+ if (!opt.explicit_compress_option
+- && is_file_compressed (peekbuf, peekbuflen))
++ && is_file_compressed (inp))
+ {
+ if (opt.verbose)
+ log_info(_("'%s' already compressed\n"), fname? fname: "[stdin]");
+--
+2.11.0
diff --git a/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild b/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild
new file mode 100644
index 000000000000..6fd1932406ef
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.4.2-r1.ebuild
@@ -0,0 +1,192 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~x64-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+ >=dev-libs/libassuan-2.5.0
+ >=dev-libs/libgcrypt-1.9.1:=
+ >=dev-libs/libgpg-error-1.46
+ >=dev-libs/libksba-1.6.3
+ >=dev-libs/npth-1.2
+ >=net-misc/curl-7.10
+ sys-libs/zlib
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:0= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ tofu? ( >=dev-db/sqlite-3.27 )
+ tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+ ssl? ( >=net-libs/gnutls-3.0:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ app-crypt/pinentry
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${PN}-2.4.2-fix-emacs.patch
+)
+
+src_prepare() {
+ default
+
+ GNUPG_SYSTEMD_UNITS=(
+ dirmngr.service
+ dirmngr.socket
+ gpg-agent-browser.socket
+ gpg-agent-extra.socket
+ gpg-agent.service
+ gpg-agent.socket
+ gpg-agent-ssh.socket
+ )
+
+ cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+ # Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+ # idea borrowed from libdbus, see
+ # https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+ #
+ # This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+ # which in turn requires discovery in Autoconf, something that upstream deeply resents.
+ sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+ -i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+ KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+ LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+ LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+ NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+ dodir /etc/env.d
+ echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+
+ # Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+ dodoc "${FILESDIR}"/README-systemd
+ systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}