gentoo resync : 09.07.2022

6 files changed, 581 insertions, 0 deletions

diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest
index ab8826d8913b..ab9a5e33cbb1 100644
--- a/app-crypt/gnupg/Manifest
+++ b/app-crypt/gnupg/Manifest
@@ -1,8 +1,15 @@
 AUX gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch 1048 BLAKE2B 36f37b74da309100191f4d8f9c27d08a1b00d2d30fbaf169dbb74ebbe42293357a4fb62332e286fe5725dcfdc30645a602dc2a51c51924b06215b68fd5235658 SHA512 fd12827150e96cd7979ea9611d64ed4ab9e6c61cfecdd697b8fb4d162f20985b734c2bfc365a921809b9029e86a85a9b36c10ec472b3dd49c25ea18f5aef56ce
+AUX gnupg-2.2.35-status-messages-garbled.patch 1453 BLAKE2B 44f90eac5e9669c39f31eff654b29540175a67c97bd0da673e594986ef6cd1c560225a4ee53cd994183fc83cf09418bba1687beb2504fd0b9e62709f64163694 SHA512 6f7abe2b8270a7297590a1b0c6323ef49f76750a24384a1fea4a5e452eb6bc3c6201399c015dde8c965f5c66874489c7f849d62fe89bf1d35d94ddd01316f7c4
+AUX gnupg-2.3.6-status-messages-garbled.patch 1501 BLAKE2B 1f2631eb090a4e7de2b3e16929433a7dd0d3feadc0a9ed35049edb10b1c396136e024315fc928d97f1c74e21b2c3492cf8a8e2eebb5ad48f7bf6dfa821d8e357 SHA512 4b2e2e9aa24ad3ca1ebffae2b928a76c925b6d7f74fe3d18ba666f0ad2b06947bc138b889656bd1aeab30a0477cfdfebc560b1ed98709d9979a0d9d8de109c9b
 DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
 DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2
+DIST gnupg-2.2.36.tar.bz2 7273805 BLAKE2B 82f26f48380632ddffedacb5e7cff653aec7bea2cf90d88184e0ddeb4053bd2b0ed1ee7addeceb684ffcbf07ccc2cba699172d78e5ab023af2e3d777fbb702b0 SHA512 2d14000a0e8b36688d5e89372a1ef5f8a526b2724715377323d1f9abd23122aa9d0ab2c0988063c397f969afefbf205aedb7205915fd751c539336e680d8462a
+DIST gnupg-2.2.36.tar.bz2.sig 119 BLAKE2B ad6dc03c34f6c0d13080ef0bdea2db152c12ea4f129783ba1b0b7f237965b8eeec22b2e79fcf42657dafdd20cae558d781b07378bed78386979a0b4c4ef4a49b SHA512 4ad3f9041aa1fbffaab3cc4aa0df038a67dc8eb200492cdd96259dcf1e0005cb39d6e6245280f1a2a8d4db9f686381e2b0f5bb80c412edbdbcb3fc11dca044c5
 DIST gnupg-2.3.6.tar.bz2 7604761 BLAKE2B 6cbc749156c50b6633c126cde621271c6c9682a04efea51fbc5a2e92ee56493e8348814391ee0c337adcb4de4dd23293b9592db78998626905038c859ac4af6e SHA512 4540e8d2be836b491918f4987ba301a73fcdc4539b1f9abf6112a74c2d39c0e5dc3f17511212bac1dd7fd0594feecd91f95ecf78d4b2c1e70e818342a1802b85
 DIST gnupg-2.3.6.tar.bz2.sig 119 BLAKE2B c7d4cdc81580b8b1e56c7bc83236d65c9d2c1bab2d210d14a0d3c58f635d656c9b449ef9596b9601027cb891bd437cc8f2a63eb3c17742c288531511984fba7f SHA512 85d155f9809c8d0f38723d8622c085e421531c016d19fcce2ae34dc9a4aeac0bc1895f7a094ee9cdf69a15b426fb0d72ee53319fe0a05665c92caa0e950c1797
+EBUILD gnupg-2.2.35-r1.ebuild 5105 BLAKE2B c5f9f11ae2d4488df2063e68b133d502a3ced5741e604140087320e5dcfda6e50c8aa20f69f59ef60df7226c9d550e5f6485f232eecf3db7923b67191314f452 SHA512 1ba4641d151a503ee82f2081f6967391312e486e52264dd9abefd06be8665180dcc1e8228f1704d9ea71e81053eadf57c00060ea7590a9054e873f08aa21f2b6
 EBUILD gnupg-2.2.35.ebuild 5055 BLAKE2B b5be9e19cafb6e6a65aa219df93d818e0d298da4bcb961ca45edb5208df23cdac21cd8b11da22ba822ea31f4ac66157a32ddc7fb65a1cc82e2ebbd488d7be38c SHA512 25099e0c5880d46d1b89bb387a28cef5f70311ca89c7b78a155cc08dc9ef4107ba70de87d49d26a3dea1a9b67f6dcdae7a8dd7478d250277389c9520e77a3fc7
+EBUILD gnupg-2.2.36.ebuild 5063 BLAKE2B 05e91116a94f2fc3f7540a3f57a6c08fb5e29998903ca64431a9fb173f3b5b01504506e3c8ba87917f5029daa7c57c5a734ebcea4012343d28ff8883169a5110 SHA512 9bd19ba34eedfb4a8273b41834322bfd745b339fb4ce7aab60bfee047c76cbe148380d8f494fc2f43bd1e68c8bd8f7d5b65aed2423755937448d5f36577017ed
+EBUILD gnupg-2.3.6-r1.ebuild 5282 BLAKE2B 349733f8f10abd11c1daeb66eb01b948e81d61adb1f03da525db00e9150b985bff22f57ad3c94e67e23b1fcf5efae54f634a3d48149611cdb0809eb51c9faf06 SHA512 8fa60fca7896fb2e04ef841572c567dbc16b7da4ba4c3643826f140351dfe47806fdc08af197aeb2fe06ddd935cf2a41594f960e2e0db57131176a3540a869c2
 EBUILD gnupg-2.3.6.ebuild 5232 BLAKE2B 0d5a372da5867eef0a78cb46050281e7d1ed5385b6bdfd0a4df9ba5cefabf92f5cd7c363b1f5bebe7919e0114b258833be39a41f3c8b0f6b370239123d0ae3f2 SHA512 eb8b033a34b9cb2509213cb03f1c1c47a823e3009ff334ec294037fd7236ccc0a90eb035849ba7e03feb7c562997c12edf805d83be08d93616c299953009e93f
 MISC metadata.xml 1297 BLAKE2B 2d1b2b6f7e6fdf5b73797347e9a3bf7758f1efc86e53d0d0f4b2c0012152ebc50630ff4f3b2c965063f608cf03b3da2794978a3e3659957970d91d3a735ad604 SHA512 0e9f3d5255ac70d6a08b251bfd20f13ff25f63e763ab9385924fb2cb5ac233b0ae97cc43e8a2d950b9662f088ef65af87f9af4dbb355e122e3fcb118bee1c0de
diff --git a/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
new file mode 100644
index 000000000000..23dbf00b1831
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/855395
+https://marc.info/?l=oss-security&m=165657063921408&w=2
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
+
+From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 14 Jun 2022 11:33:27 +0200
+Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+--
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong.  Fixed by always using a break to
+terminate the escape detection loop.  Might have happened for all
+status lines which may wrap.
+
+GnuPG-bug-id: T6027
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);
diff --git a/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch
new file mode 100644
index 000000000000..4bac4fea0f0e
--- /dev/null
+++ b/app-crypt/gnupg/files/gnupg-2.3.6-status-messages-garbled.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/855395
+https://marc.info/?l=oss-security&m=165657063921408&w=2
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=34c649b3601383cd11dbc76221747ec16fd68e1b;hp=4dbef2addca8c76fb4953fd507bd800d2a19d3ec
+
+From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 14 Jun 2022 11:33:27 +0200
+Subject: [PATCH 1/1] g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+--
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong.  Fixed by always using a break to
+terminate the escape detection loop.  Might have happened for all
+status lines which may wrap.
+
+GnuPG-bug-id: T6027
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
+             }
+           first = 0;
+         }
+-      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++      for (esc=0, s=buffer, n=len; n; s++, n--)
+         {
+           if (*s == '%' || *(const byte*)s <= lower_limit
+               || *(const byte*)s == 127 )
+             esc = 1;
+           if (wrap && ++count > wrap)
+-            {
+-              dowrap=1;
+-              break;
+-            }
+-        }
+-      if (esc)
+-        {
+-          s--; n++;
++            dowrap=1;
++          if (esc || dowrap)
++            break;
+         }
+       if (s != buffer)
+         es_fwrite (buffer, s-buffer, 1, statusfp);
diff --git a/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
new file mode 100644
index 000000000000..d78daa145003
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
@@ -0,0 +1,160 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+inherit flag-o-matic systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND=">=dev-libs/libassuan-2.5.0
+	>=dev-libs/libgcrypt-1.8.0:=
+	>=dev-libs/libgpg-error-1.29
+	>=dev-libs/libksba-1.3.5
+	>=dev-libs/npth-1.2
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	ssl? ( >=net-libs/gnutls-3.0:0= )
+	tofu? ( >=dev-db/sqlite-3.7 )"
+
+RDEPEND="${DEPEND}
+	app-crypt/pinentry
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )"
+
+BDEPEND="virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+	"${FILESDIR}"/${P}-status-messages-garbled.patch
+)
+
+src_prepare() {
+	default
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+		--with-mailprog=/usr/libexec/sendmail
+		--disable-ntbtls
+		--enable-gpg
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+		KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+		LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+		LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+		NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+	# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+	# by wks-client & wks-server; and if it's autodetected but not not exist at
+	# build time, then then 'gpg-wks-client --send' functionality will not
+	# work. This has an unwanted side-effect in stage3 builds: there was a
+	# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+	# the build where the install guide previously make the user chose the
+	# logger & mta early in the install.
+
+	econf "${myconf[@]}"
+}
+
+src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+src_test() {
+	# bug #638574
+	use tofu && export TESTFLAGS=--parallel
+
+	default
+}
+
+src_install() {
+	default
+
+	use tools &&
+		dobin \
+			tools/{convert-from-106,gpg-check-pattern} \
+			tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
+			tools/make-dns-cert
+
+	dosym gpg /usr/bin/gpg2
+	dosym gpgv /usr/bin/gpgv2
+	echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+	echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+	use doc && dodoc doc/gnupg.html/* doc/*.png
+
+	systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}
diff --git a/app-crypt/gnupg/gnupg-2.2.36.ebuild b/app-crypt/gnupg/gnupg-2.2.36.ebuild
new file mode 100644
index 000000000000..fcc6d9e01c03
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.2.36.ebuild
@@ -0,0 +1,159 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+inherit flag-o-matic systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND=">=dev-libs/libassuan-2.5.0
+	>=dev-libs/libgcrypt-1.8.0:=
+	>=dev-libs/libgpg-error-1.29
+	>=dev-libs/libksba-1.3.5
+	>=dev-libs/npth-1.2
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	ssl? ( >=net-libs/gnutls-3.0:0= )
+	tofu? ( >=dev-db/sqlite-3.7 )"
+
+RDEPEND="${DEPEND}
+	app-crypt/pinentry
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )"
+
+BDEPEND="virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+)
+
+src_prepare() {
+	default
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+		--with-mailprog=/usr/libexec/sendmail
+		--disable-ntbtls
+		--enable-gpg
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+		KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+		LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+		LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+		NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+	# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+	# by wks-client & wks-server; and if it's autodetected but not not exist at
+	# build time, then then 'gpg-wks-client --send' functionality will not
+	# work. This has an unwanted side-effect in stage3 builds: there was a
+	# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+	# the build where the install guide previously make the user chose the
+	# logger & mta early in the install.
+
+	econf "${myconf[@]}"
+}
+
+src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+src_test() {
+	# bug #638574
+	use tofu && export TESTFLAGS=--parallel
+
+	default
+}
+
+src_install() {
+	default
+
+	use tools &&
+		dobin \
+			tools/{convert-from-106,gpg-check-pattern} \
+			tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
+			tools/make-dns-cert
+
+	dosym gpg /usr/bin/gpg2
+	dosym gpgv /usr/bin/gpgv2
+	echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+	echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+	use doc && dodoc doc/gnupg.html/* doc/*.png
+
+	systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}
diff --git a/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild
new file mode 100644
index 000000000000..c2540e9010b7
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.3.6-r1.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+inherit flag-o-matic systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND=">=dev-libs/libassuan-2.5.0
+	>=dev-libs/libgcrypt-1.9.1:=
+	>=dev-libs/libgpg-error-1.41
+	>=dev-libs/libksba-1.3.4
+	>=dev-libs/npth-1.2
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	tofu? ( >=dev-db/sqlite-3.27 )
+	tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+	ssl? ( >=net-libs/gnutls-3.0:0= )
+"
+
+RDEPEND="${DEPEND}
+	app-crypt/pinentry
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )"
+
+BDEPEND="virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+	"${FILESDIR}"/${P}-status-messages-garbled.patch
+)
+
+src_prepare() {
+	default
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
+}
+
+src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use_enable tofu keyboxd)
+		$(use_enable tofu sqlite)
+		$(usex tpm '--with-tss=intel' '--disable-tpm2d')
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+		--with-mailprog=/usr/libexec/sendmail
+		--disable-ntbtls
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+		KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+		LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+		LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+		NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+	# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+	# by wks-client & wks-server; and if it's autodetected but not not exist at
+	# build time, then then 'gpg-wks-client --send' functionality will not
+	# work. This has an unwanted side-effect in stage3 builds: there was a
+	# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+	# the build where the install guide previously make the user chose the
+	# logger & mta early in the install.
+
+	econf "${myconf[@]}"
+}
+
+src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+src_test() {
+	# bug #638574
+	use tofu && export TESTFLAGS=--parallel
+
+	default
+}
+
+src_install() {
+	default
+
+	use tools &&
+		dobin \
+			tools/{convert-from-106,gpg-check-pattern} \
+			tools/{gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
+			tools/make-dns-cert
+
+	dosym gpg /usr/bin/gpg2
+	dosym gpgv /usr/bin/gpgv2
+	echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+	echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+	use doc && dodoc doc/gnupg.html/* doc/*.png
+
+	systemd_douserunit doc/examples/systemd-user/*.{service,socket}
+}