gentoo resync : 22.12.2021

16 files changed, 225 insertions, 97 deletions

diff --git a/eclass/Manifest.gz b/eclass/Manifest.gz
index 508cb7bd790f..620acda3be65 100644
--- a/eclass/Manifest.gz
+++ b/eclass/Manifest.gz
diff --git a/eclass/dist-kernel-utils.eclass b/eclass/dist-kernel-utils.eclass
index 9ab65b097b32..f514a3da65a9 100644
--- a/eclass/dist-kernel-utils.eclass
+++ b/eclass/dist-kernel-utils.eclass
@@ -72,7 +72,8 @@ dist-kernel_get_image_path() {
 		arm)
 			echo arch/arm/boot/zImage
 			;;
-		ppc64)
+		ppc|ppc64)
+			# https://www.kernel.org/doc/html/latest/powerpc/bootwrapper.html
 			# ./ is required because of ${image_path%/*}
 			# substitutions in the code
 			echo ./vmlinux
diff --git a/eclass/dune.eclass b/eclass/dune.eclass
index 02a8a870ef43..4653db3ae791 100644
--- a/eclass/dune.eclass
+++ b/eclass/dune.eclass
@@ -8,7 +8,7 @@
 # ML <ml@gentoo.org>
 # @AUTHOR:
 # Rafael Kitover <rkitover@gmail.com>
-# @SUPPORTED_EAPIS: 5 6 7
+# @SUPPORTED_EAPIS: 6 7 8
 # @BLURB: Provides functions for installing Dune packages.
 # @DESCRIPTION:
 # Provides dependencies on dDne and OCaml and default src_compile, src_test and
@@ -19,9 +19,10 @@
 # @DESCRIPTION:
 # Sets the actual Dune package name, if different from Gentoo package name.
 # Set before inheriting the eclass.
+: ${DUNE_PKG_NAME:=${PN}}
 
 case ${EAPI:-0} in
-	5|6|7) ;;
+	6|7|8) ;;
 	*) die "${ECLASS}: EAPI ${EAPI} not supported" ;;
 esac
 
@@ -32,7 +33,7 @@ EXPORT_FUNCTIONS src_compile src_test src_install
 
 RDEPEND=">=dev-lang/ocaml-4:=[ocamlopt?] dev-ml/dune:="
 case ${EAPI:-0} in
-	5|6)
+	6)
 		DEPEND="${RDEPEND} dev-ml/dune"
 		;;
 	*)
@@ -42,11 +43,15 @@ case ${EAPI:-0} in
 esac
 
 dune_src_compile() {
-	dune build @install --profile release || die
+	ebegin "Building"
+	dune build @install --profile release
+	eend $? || die
 }
 
 dune_src_test() {
-	dune runtest || die
+	ebegin "Testing"
+	dune runtest
+	eend $? || die
 }
 
 # @FUNCTION: dune-install
@@ -54,26 +59,37 @@ dune_src_test() {
 # @DESCRIPTION:
 # Installs the dune packages given as arguments. For each "${pkg}" element in
 # that list, "${pkg}.install" must be readable from "${PWD}/_build/default"
+#
+# Example use:
+# @CODE
+# dune-install menhir menhirLib menhirSdk
+# @CODE
 dune-install() {
+	local -a pkgs=( "${@}" )
+
+	[[ ${#pkgs[@]} -eq 0 ]] && pkgs=( "${DUNE_PKG_NAME}" )
+
+	local -a myduneopts=(
+		--prefix="${ED%/}/usr"
+		--libdir="${D%/}$(ocamlc -where)"
+		--mandir="${ED%/}/usr/share/man"
+	)
+
 	local pkg
-	for pkg ; do
-		dune install \
-			--prefix="${ED%/}/usr" \
-			--libdir="${D%/}$(ocamlc -where)" \
-			--mandir="${ED%/}/usr/share/man" \
-			"${pkg}" || die
+	for pkg in "${pkgs[@]}" ; do
+		ebegin "Installing ${pkg}"
+		dune install ${myduneopts[@]} ${pkg}
+		eend $? || die
+
+		# Move docs to the appropriate place.
+		if [ -d "${ED%/}/usr/doc/${pkg}" ] ; then
+			mkdir -p "${ED%/}/usr/share/doc/${PF}/" || die
+			mv "${ED%/}/usr/doc/${pkg}" "${ED%/}/usr/share/doc/${PF}/" || die
+			rm -rf "${ED%/}/usr/doc" || die
+		fi
 	done
 }
 
 dune_src_install() {
-	local pkg="${1:-${DUNE_PKG_NAME:-${PN}}}"
-
-	dune-install "${pkg}"
-
-	# Move docs to the appropriate place.
-	if [ -d "${ED%/}/usr/doc/${pkg}" ] ; then
-		mkdir -p "${ED%/}/usr/share/doc/${PF}/" || die
-		mv "${ED%/}/usr/doc/${pkg}/"* "${ED%/}/usr/share/doc/${PF}/" || die
-		rm -rf "${ED%/}/usr/doc" || die
-	fi
+	dune-install ${1:-${DUNE_PKG_NAME}}
 }
diff --git a/eclass/flag-o-matic.eclass b/eclass/flag-o-matic.eclass
index d262a60b6bb2..32119cb9a526 100644
--- a/eclass/flag-o-matic.eclass
+++ b/eclass/flag-o-matic.eclass
@@ -193,7 +193,8 @@ filter-lfs-flags() {
 	# _LARGEFILE_SOURCE: enable support for new LFS funcs (ftello/etc...)
 	# _LARGEFILE64_SOURCE: enable support for 64bit variants (off64_t/fseeko64/etc...)
 	# _FILE_OFFSET_BITS: default to 64bit variants (off_t is defined as off64_t)
-	filter-flags -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
+	# _TIME_BITS: default to 64bit time_t (requires _FILE_OFFSET_BITS=64)
+	filter-flags -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_TIME_BITS=64
 }
 
 # @FUNCTION: filter-ldflags
diff --git a/eclass/gnome2-utils.eclass b/eclass/gnome2-utils.eclass
index f7d45090f820..97b845c7b88b 100644
--- a/eclass/gnome2-utils.eclass
+++ b/eclass/gnome2-utils.eclass
@@ -1,10 +1,10 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: gnome2-utils.eclass
 # @MAINTAINER:
 # gnome@gentoo.org
-# @SUPPORTED_EAPIS: 5 6 7
+# @SUPPORTED_EAPIS: 5 6 7 8
 # @PROVIDES: xdg-utils
 # @BLURB: Auxiliary functions commonly used by Gnome packages.
 # @DESCRIPTION:
@@ -16,14 +16,13 @@
 #  * scrollkeeper (old Gnome help system) management
 
 [[ ${EAPI} == 5 ]] && inherit multilib
-# eutils.eclass: emktemp
 # toolchain-funs.eclass: tc-is-cross-compiler
 # xdg-utils.eclass: xdg_environment_reset, xdg_icon_cache_update
-inherit eutils toolchain-funcs xdg-utils
+inherit toolchain-funcs xdg-utils
 
 case ${EAPI} in
-	5|6|7) ;;
-	*) die "EAPI=${EAPI} is not supported" ;;
+	5|6|7|8) ;;
+	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
 esac
 
 # @ECLASS-VARIABLE: GCONFTOOL_BIN
@@ -379,7 +378,7 @@ gnome2_gdk_pixbuf_update() {
 	fi
 
 	ebegin "Updating gdk-pixbuf loader cache"
-	local tmp_file=$(emktemp)
+	local tmp_file=$(mktemp "${T}"/tmp.XXXXXXXXXX) || die "Failed to create temporary file"
 	${updater} 1> "${tmp_file}" &&
 	chmod 0644 "${tmp_file}" &&
 	cp -f "${tmp_file}" "${EROOT%/}/usr/$(get_libdir)/gdk-pixbuf-2.0/2.10.0/loaders.cache" &&
diff --git a/eclass/gnome2.eclass b/eclass/gnome2.eclass
index 6fab55785be5..0414d5cd5f3a 100644
--- a/eclass/gnome2.eclass
+++ b/eclass/gnome2.eclass
@@ -1,10 +1,10 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: gnome2.eclass
 # @MAINTAINER:
 # gnome@gentoo.org
-# @SUPPORTED_EAPIS: 5 6 7
+# @SUPPORTED_EAPIS: 5 6 7 8
 # @PROVIDES: gnome2-utils
 # @BLURB: Provides phases for Gnome/Gtk+ based packages.
 # @DESCRIPTION:
@@ -21,14 +21,14 @@ GNOME2_EAUTORECONF=${GNOME2_EAUTORECONF:-""}
 [[ ${EAPI} == [56] ]] && inherit eutils ltprune
 inherit libtool gnome.org gnome2-utils xdg
 
-case ${EAPI:-0} in
+case ${EAPI} in
 	5)
 		EXPORT_FUNCTIONS src_unpack src_prepare src_configure src_compile src_install pkg_preinst pkg_postinst pkg_postrm
 		;;
-	6|7)
+	6|7|8)
 		EXPORT_FUNCTIONS src_prepare src_configure src_compile src_install pkg_preinst pkg_postinst pkg_postrm
 		;;
-	*) die "EAPI=${EAPI} is not supported" ;;
+	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
 esac
 
 # @ECLASS-VARIABLE: ELTCONF
@@ -96,7 +96,7 @@ gnome2_src_unpack() {
 # Prepare environment for build, fix build of scrollkeeper documentation,
 # run elibtoolize.
 gnome2_src_prepare() {
-	xdg_src_prepare
+	[[ ${EAPI} != 5 ]] && default
 
 	# Prevent assorted access violations and test failures
 	gnome2_environment_reset
diff --git a/eclass/go-module.eclass b/eclass/go-module.eclass
index 3ad8542a28ae..c9eb90ac62ea 100644
--- a/eclass/go-module.eclass
+++ b/eclass/go-module.eclass
@@ -1,4 +1,4 @@
-# Copyright 2019-2020 Gentoo Authors
+# Copyright 2019-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # @ECLASS: go-module.eclass
@@ -55,13 +55,17 @@ if [[ -z ${_GO_MODULE} ]]; then
 
 _GO_MODULE=1
 
-BDEPEND=">=dev-lang/go-1.12"
+if [[ ! ${GO_OPTIONAL} ]]; then
+	BDEPEND=">=dev-lang/go-1.12"
 
-# Workaround for pkgcheck false positive: https://github.com/pkgcore/pkgcheck/issues/214
-# MissingUnpackerDep: version ...: missing BDEPEND="app-arch/unzip"
-# Added here rather than to each affected package, so it can be cleaned up just
-# once when pkgcheck is improved.
-BDEPEND+=" app-arch/unzip"
+	# Workaround for pkgcheck false positive: https://github.com/pkgcore/pkgcheck/issues/214
+	# MissingUnpackerDep: version ...: missing BDEPEND="app-arch/unzip"
+	# Added here rather than to each affected package, so it can be cleaned up just
+	# once when pkgcheck is improved.
+	BDEPEND+=" app-arch/unzip"
+
+	EXPORT_FUNCTIONS src_unpack
+fi
 
 # Force go to build in module mode.
 # In this mode the GOPATH environment variable is ignored.
@@ -83,8 +87,6 @@ QA_FLAGS_IGNORED='.*'
 # Go packages should not be stripped with strip(1).
 RESTRICT+=" strip"
 
-EXPORT_FUNCTIONS src_unpack
-
 # @ECLASS-VARIABLE: EGO_SUM
 # @DESCRIPTION:
 # This is an array based on the go.sum content from inside the target package.
@@ -147,6 +149,17 @@ EXPORT_FUNCTIONS src_unpack
 # directory structure.
 declare -A -g _GOMODULE_GOSUM_REVERSE_MAP
 
+# @ECLASS-VARIABLE: GO_OPTIONAL
+# @DEFAULT_UNSET
+# @PRE_INHERIT
+# @DESCRIPTION:
+# If set to a non-null value before inherit, then the Go part of the
+# ebuild will be considered optional. No dependencies will be added and
+# no phase functions will be exported.
+#
+# If you enable GO_OPTIONAL, you have to set BDEPEND on >=dev-lang/go-1.12
+# for your package and call go-module_src_unpack manually.
+
 # @FUNCTION: go-module_set_globals
 # @DESCRIPTION:
 # Convert the information in EGO_SUM for other usage in the ebuild.
diff --git a/eclass/kernel-install.eclass b/eclass/kernel-install.eclass
index 609afa754deb..3f98c4a53443 100644
--- a/eclass/kernel-install.eclass
+++ b/eclass/kernel-install.eclass
@@ -73,6 +73,7 @@ BDEPEND="
 		sys-fs/e2fsprogs
 		amd64? ( app-emulation/qemu[qemu_softmmu_targets_x86_64] )
 		arm64? ( app-emulation/qemu[qemu_softmmu_targets_aarch64] )
+		ppc? ( app-emulation/qemu[qemu_softmmu_targets_ppc] )
 		ppc64? ( app-emulation/qemu[qemu_softmmu_targets_ppc64] )
 		x86? ( app-emulation/qemu[qemu_softmmu_targets_i386] )
 	)"
@@ -161,6 +162,9 @@ kernel-install_get_qemu_arch() {
 		arm64)
 			echo aarch64
 			;;
+		ppc)
+			echo ppc
+			;;
 		ppc64)
 			echo ppc64
 			;;
@@ -295,6 +299,11 @@ kernel-install_test() {
 			qemu_extra_args="-cpu max"
 			qemu_extra_append="console=ttyS0,115200n8"
 			;;
+		ppc)
+			# https://wiki.qemu.org/Documentation/Platforms/PowerPC#Command_line_options
+			qemu_extra_args="-boot d -L pc-bios -M mac99,via=pmu"
+			qemu_extra_append="console=ttyS0,115200n8"
+			;;
 		ppc64)
 			qemu_extra_args="-nodefaults"
 			;;
diff --git a/eclass/llvm.org.eclass b/eclass/llvm.org.eclass
index f33599c3bb58..7ad6d1efe94e 100644
--- a/eclass/llvm.org.eclass
+++ b/eclass/llvm.org.eclass
@@ -135,13 +135,20 @@ case ${PV} in
 	10*|11*|12*)
 		# this API is not present for old LLVM versions
 		;;
-	*)
+	13*)
 		ALL_LLVM_EXPERIMENTAL_TARGETS=( ARC CSKY M68k VE )
 		ALL_LLVM_PRODUCTION_TARGETS=(
 			AArch64 AMDGPU ARM AVR BPF Hexagon Lanai Mips MSP430 NVPTX
 			PowerPC RISCV Sparc SystemZ WebAssembly X86 XCore
 		)
 		;;
+	*)
+		ALL_LLVM_EXPERIMENTAL_TARGETS=( ARC CSKY M68k )
+		ALL_LLVM_PRODUCTION_TARGETS=(
+			AArch64 AMDGPU ARM AVR BPF Hexagon Lanai Mips MSP430 NVPTX
+			PowerPC RISCV Sparc SystemZ VE WebAssembly X86 XCore
+		)
+		;;
 esac
 
 ALL_LLVM_TARGET_FLAGS=(
diff --git a/eclass/mount-boot.eclass b/eclass/mount-boot.eclass
index 2b07160231a6..3111d9dcb9b5 100644
--- a/eclass/mount-boot.eclass
+++ b/eclass/mount-boot.eclass
@@ -4,7 +4,7 @@
 # @ECLASS: mount-boot.eclass
 # @MAINTAINER:
 # base-system@gentoo.org
-# @SUPPORTED_EAPIS: 6 7
+# @SUPPORTED_EAPIS: 6 7 8
 # @BLURB: functions for packages that install files into /boot
 # @DESCRIPTION:
 # This eclass is really only useful for bootloaders.
@@ -14,7 +14,7 @@
 # error if it can't.  It does nothing if /boot isn't a separate partition.
 
 case ${EAPI:-0} in
-	6|7) ;;
+	6|7|8) ;;
 	*) die "${ECLASS}: EAPI ${EAPI:-0} not supported" ;;
 esac
 
diff --git a/eclass/tmpfiles.eclass b/eclass/tmpfiles.eclass
index b9238a6434a0..7a0e2cb72657 100644
--- a/eclass/tmpfiles.eclass
+++ b/eclass/tmpfiles.eclass
@@ -8,7 +8,7 @@
 # @AUTHOR:
 # Mike Gilbert <floppym@gentoo.org>
 # William Hubbs <williamh@gentoo.org>
-# @SUPPORTED_EAPIS: 5 6 7
+# @SUPPORTED_EAPIS: 5 6 7 8
 # @BLURB: Functions related to tmpfiles.d files
 # @DESCRIPTION:
 # This eclass provides functionality related to installing and
@@ -56,7 +56,7 @@ if [[ -z ${TMPFILES_ECLASS} ]]; then
 TMPFILES_ECLASS=1
 
 case "${EAPI}" in
-5|6|7) ;;
+5|6|7|8) ;;
 *) die "API is undefined for EAPI ${EAPI}" ;;
 esac
 
diff --git a/eclass/toolchain-funcs.eclass b/eclass/toolchain-funcs.eclass
index 563d9deef40b..77fb304940b2 100644
--- a/eclass/toolchain-funcs.eclass
+++ b/eclass/toolchain-funcs.eclass
@@ -675,6 +675,7 @@ ninj() { [[ ${type} == "kern" ]] && echo $1 || echo $2 ; }
 			fi
 			;;
 		ia64*)		echo ia64;;
+		loongarch*)	ninj loongarch loong;;
 		m68*)		echo m68k;;
 		metag*)		echo metag;;
 		microblaze*)	echo microblaze;;
@@ -752,6 +753,7 @@ tc-endian() {
 		hppa*)		echo big;;
 		i?86*)		echo little;;
 		ia64*)		echo little;;
+		loongarch*)	echo little;;
 		m68*)		echo big;;
 		mips*l*)	echo little;;
 		mips*)		echo big;;
diff --git a/eclass/tree-sitter-grammar.eclass b/eclass/tree-sitter-grammar.eclass
index 46573027f96f..7207ecf3ddd7 100644
--- a/eclass/tree-sitter-grammar.eclass
+++ b/eclass/tree-sitter-grammar.eclass
@@ -40,15 +40,13 @@ EXPORT_FUNCTIONS src_compile src_install
 # @INTERNAL
 # @DESCRIPTION:
 # This internal function determines the ABI version of a grammar library based
-# on the package version.
+# on a constant in the source file.
 _get_tsg_abi_ver() {
-	if ver_test -gt 0.21; then
-		die "Grammar too new; unknown ABI version"
-	elif ver_test -ge 0.19.0; then
-		echo 13
-	else
-		die "Grammar too old; unknown ABI version"
-	fi
+	# This sed script finds ABI definition string in parser source file,
+	# substitutes all the string until the ABI number, and prints remains
+	# (the ABI number itself)
+	sed -n 's/#define LANGUAGE_VERSION //p' "${S}"/parser.c ||
+		die "Unable to extract ABI version for this grammar"
 }
 
 # @FUNCTION: tree-sitter-grammar_src_compile
@@ -89,8 +87,10 @@ tree-sitter-grammar_src_compile() {
 tree-sitter-grammar_src_install() {
 	debug-print-function ${FUNCNAME} "${@}"
 
-	dolib.so "${WORKDIR}"/lib${PN}$(get_libname $(_get_tsg_abi_ver))
-	dosym lib${PN}$(get_libname $(_get_tsg_abi_ver)) \
+	local soname=lib${PN}$(get_libname $(_get_tsg_abi_ver))
+
+	dolib.so "${WORKDIR}/${soname}"
+	dosym "${soname}" \
 		  /usr/$(get_libdir)/lib${PN}$(get_libname)
 }
 fi
diff --git a/eclass/vala.eclass b/eclass/vala.eclass
index c7ee9fe3648d..677520748c62 100644
--- a/eclass/vala.eclass
+++ b/eclass/vala.eclass
@@ -28,8 +28,8 @@ _VALA_ECLASS=1
 
 # @ECLASS-VARIABLE: VALA_MIN_API_VERSION
 # @DESCRIPTION:
-# Minimum vala API version (e.g. 0.44).
-VALA_MIN_API_VERSION=${VALA_MIN_API_VERSION:-0.44}
+# Minimum vala API version (e.g. 0.46).
+VALA_MIN_API_VERSION=${VALA_MIN_API_VERSION:-0.46}
 
 # @ECLASS-VARIABLE: VALA_MAX_API_VERSION
 # @DESCRIPTION:
@@ -52,12 +52,11 @@ vala_api_versions() {
 	local minimal_supported_minor_version minor_version
 
 	# Dependency atoms are not generated for Vala versions older than 0.${minimal_supported_minor_version}.
-	minimal_supported_minor_version="44"
+	minimal_supported_minor_version="46"
 
 	for ((minor_version = ${VALA_MAX_API_VERSION#*.}; minor_version >= ${VALA_MIN_API_VERSION#*.}; minor_version = minor_version - 2)); do
-		# 0.38 was never in main tree; remove the special case once minimal_supported_minor_version >= 40
 		# 0.42 is EOL and removed from tree; remove special case once minimal_support_minor_version >= 44
-		if ((minor_version >= minimal_supported_minor_version)) && ((minor_version != 38)) && ((minor_version != 42)); then
+		if ((minor_version >= minimal_supported_minor_version)) && ((minor_version != 42)); then
 			echo "0.${minor_version}"
 		fi
 	done
diff --git a/eclass/vdr-plugin-2.eclass b/eclass/vdr-plugin-2.eclass
index 8964ecbaf741..c2f31003fd87 100644
--- a/eclass/vdr-plugin-2.eclass
+++ b/eclass/vdr-plugin-2.eclass
@@ -9,7 +9,7 @@
 # Joerg Bornkessel <hd_brummy@gentoo.org>
 # Christian Ruppert <idl0r@gentoo.org>
 # (undisclosed contributors)
-# @SUPPORTED_EAPIS: 5 6 7
+# @SUPPORTED_EAPIS: 5 6 7 8
 # @BLURB: common vdr plugin ebuild functions
 # @DESCRIPTION:
 # Eclass for easing maintenance of vdr plugin ebuilds
diff --git a/eclass/verify-sig.eclass b/eclass/verify-sig.eclass
index 2bc5bd5ddba9..3693eb16ff41 100644
--- a/eclass/verify-sig.eclass
+++ b/eclass/verify-sig.eclass
@@ -20,7 +20,11 @@
 # signatures to SRC_URI and set VERIFY_SIG_OPENPGP_KEY_PATH.  The eclass
 # provides verify-sig USE flag to toggle the verification.
 #
+# If you need to use signify, you may want to copy distfiles into WORKDIR to
+# work around "Too many levels of symbolic links" error.
+# @EXAMPLE:
 # Example use:
+#
 # @CODE
 # inherit verify-sig
 #
@@ -43,11 +47,30 @@ if [[ ! ${_VERIFY_SIG_ECLASS} ]]; then
 
 IUSE="verify-sig"
 
-BDEPEND="
-	verify-sig? (
-		app-crypt/gnupg
-		>=app-portage/gemato-16
-	)"
+# @ECLASS-VARIABLE: VERIFY_SIG_METHOD
+# @PRE_INHERIT
+# @DESCRIPTION:
+# Signature verification method to use.  The allowed value are:
+#
+# - openpgp -- verify PGP signatures using app-crypt/gnupg (the default)
+# - signify -- verify signatures with Ed25519 public key using app-crypt/signify
+: ${VERIFY_SIG_METHOD:=openpgp}
+
+case ${VERIFY_SIG_METHOD} in
+	openpgp)
+		BDEPEND="
+			verify-sig? (
+				app-crypt/gnupg
+				>=app-portage/gemato-16
+			)"
+		;;
+	signify)
+		BDEPEND="verify-sig? ( app-crypt/signify )"
+		;;
+	*)
+		die "${ECLASS}: unknown method '${VERIFY_SIG_METHOD}'"
+		;;
+esac
 
 # @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_PATH
 # @DEFAULT_UNSET
@@ -55,6 +78,9 @@ BDEPEND="
 # Path to key bundle used to perform the verification.  This is required
 # when using default src_unpack.  Alternatively, the key path can be
 # passed directly to the verification functions.
+#
+# NB: this variable is also used for non-OpenPGP signatures.  The name
+# contains "OPENPGP" for historical reasons.
 
 # @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEYSERVER
 # @DEFAULT_UNSET
@@ -62,6 +88,8 @@ BDEPEND="
 # Keyserver used to refresh keys.  If not specified, the keyserver
 # preference from the key will be respected.  If no preference
 # is specified by the key, the GnuPG default will be used.
+#
+# Supported for OpenPGP only.
 
 # @ECLASS-VARIABLE: VERIFY_SIG_OPENPGP_KEY_REFRESH
 # @USER_VARIABLE
@@ -69,6 +97,8 @@ BDEPEND="
 # Attempt to refresh keys via WKD/keyserver.  Set it to "yes"
 # in make.conf to enable.  Note that this requires working Internet
 # connection.
+#
+# Supported for OpenPGP only.
 : ${VERIFY_SIG_OPENPGP_KEY_REFRESH:=no}
 
 # @FUNCTION: verify-sig_verify_detached
@@ -88,9 +118,14 @@ verify-sig_verify_detached() {
 
 	local extra_args=()
 	[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
-	[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
-		--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
-	)
+	if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
+		[[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
+			die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
+
+		extra_args+=(
+			--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+		)
+	fi
 
 	# GPG upstream knows better than to follow the spec, so we can't
 	# override this directory.  However, there is a clean fallback
@@ -100,9 +135,17 @@ verify-sig_verify_detached() {
 	local filename=${file##*/}
 	[[ ${file} == - ]] && filename='(stdin)'
 	einfo "Verifying ${filename} ..."
-	gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
-		gpg --verify "${sig}" "${file}" ||
-		die "PGP signature verification failed"
+	case ${VERIFY_SIG_METHOD} in
+		openpgp)
+			gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+				gpg --verify "${sig}" "${file}" ||
+				die "PGP signature verification failed"
+			;;
+		signify)
+			signify -V -p "${key}" -m "${file}" -x "${sig}" ||
+				die "Signify signature verification failed"
+			;;
+	esac
 }
 
 # @FUNCTION: verify-sig_verify_message
@@ -124,9 +167,14 @@ verify-sig_verify_message() {
 
 	local extra_args=()
 	[[ ${VERIFY_SIG_OPENPGP_KEY_REFRESH} == yes ]] || extra_args+=( -R )
-	[[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]] && extra_args+=(
-		--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
-	)
+	if [[ -n ${VERIFY_SIG_OPENPGP_KEYSERVER+1} ]]; then
+		[[ ${VERIFY_SIG_METHOD} == openpgp ]] ||
+			die "${FUNCNAME}: VERIFY_SIG_OPENPGP_KEYSERVER is not supported"
+
+		extra_args+=(
+			--keyserver "${VERIFY_SIG_OPENPGP_KEYSERVER}"
+		)
+	fi
 
 	# GPG upstream knows better than to follow the spec, so we can't
 	# override this directory.  However, there is a clean fallback
@@ -136,30 +184,32 @@ verify-sig_verify_message() {
 	local filename=${file##*/}
 	[[ ${file} == - ]] && filename='(stdin)'
 	einfo "Verifying ${filename} ..."
-	gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
-		gpg --verify --output="${output_file}" "${file}" ||
-		die "PGP signature verification failed"
+	case ${VERIFY_SIG_METHOD} in
+		openpgp)
+			gemato gpg-wrap -K "${key}" "${extra_args[@]}" -- \
+				gpg --verify --output="${output_file}" "${file}" ||
+				die "PGP signature verification failed"
+			;;
+		signify)
+			signify -V -e -p "${key}" -m "${output_file}" -x "${file}" ||
+				die "Signify signature verification failed"
+			;;
+	esac
 }
 
-# @FUNCTION: verify-sig_verify_signed_checksums
+# @FUNCTION: _gpg_verify_signed_checksums
+# @INTERNAL
 # @USAGE: <checksum-file> <algo> <files> [<key-file>]
 # @DESCRIPTION:
-# Verify the checksums for all files listed in the space-separated list
-# <files> (akin to ${A}) using a PGP-signed <checksum-file>.  <algo>
-# specified the checksum algorithm (e.g. sha256).  <key-file> can either
-# be passed directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
-#
-# The function dies if PGP verification fails, the checksum file
-# contains unsigned data, one of the files do not match checksums
-# or are missing from the checksum file.
-verify-sig_verify_signed_checksums() {
+# GnuPG-specific function to verify a signed checksums list.
+_gpg_verify_signed_checksums() {
 	local checksum_file=${1}
 	local algo=${2}
 	local files=()
 	read -r -d '' -a files <<<"${3}"
 	local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
-
 	local chksum_prog chksum_len
+
 	case ${algo} in
 		sha256)
 			chksum_prog=sha256sum
@@ -170,9 +220,6 @@ verify-sig_verify_signed_checksums() {
 			;;
 	esac
 
-	[[ -n ${key} ]] ||
-		die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
-
 	local checksum filename junk ret=0 count=0
 	while read -r checksum filename junk; do
 		[[ ${#checksum} -eq ${chksum_len} ]] || continue
@@ -194,6 +241,40 @@ verify-sig_verify_signed_checksums() {
 		die "${FUNCNAME}: checksums for some of the specified files were missing"
 }
 
+# @FUNCTION: verify-sig_verify_signed_checksums
+# @USAGE: <checksum-file> <algo> <files> [<key-file>]
+# @DESCRIPTION:
+# Verify the checksums for all files listed in the space-separated list
+# <files> (akin to ${A}) using a signed <checksum-file>.  <algo> specifies
+# the checksum algorithm (e.g. sha256).  <key-file> can either be passed
+# directly, or it defaults to VERIFY_SIG_OPENPGP_KEY_PATH.
+#
+# The function dies if signature verification fails, the checksum file
+# contains unsigned data, one of the files do not match checksums or
+# are missing from the checksum file.
+verify-sig_verify_signed_checksums() {
+	local checksum_file=${1}
+	local algo=${2}
+	local files=()
+	read -r -d '' -a files <<<"${3}"
+	local key=${4:-${VERIFY_SIG_OPENPGP_KEY_PATH}}
+
+	[[ -n ${key} ]] ||
+		die "${FUNCNAME}: no key passed and VERIFY_SIG_OPENPGP_KEY_PATH unset"
+
+	case ${VERIFY_SIG_METHOD} in
+		openpgp)
+			_gpg_verify_signed_checksums \
+				"${checksum_file}" "${algo}" "${files[@]}" "${key}"
+			;;
+		signify)
+			signify -C -p "${key}" \
+				-x "${checksum_file}" "${files[@]}" ||
+				die "Signify signature verification failed"
+			;;
+	esac
+}
+
 # @FUNCTION: verify-sig_src_unpack
 # @DESCRIPTION:
 # Default src_unpack override that verifies signatures for all