commit 6a7a032d06bd8879390115be2df9c62d2643c2a6
Author: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date:   Fri Oct 25 14:56:20 2024 +0300

    import gnupg2-2.4.5-1.el10

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e00b417
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/gnupg-2.4.5.tar.bz2
+SOURCES/gnupg-2.4.5.tar.bz2.sig
diff --git a/.gnupg2.metadata b/.gnupg2.metadata
new file mode 100644
index 0000000..cb686f6
--- /dev/null
+++ b/.gnupg2.metadata
@@ -0,0 +1,2 @@
+ae0935ead29a2dfa34d6b48d70808652bc3ca73b SOURCES/gnupg-2.4.5.tar.bz2
+408af6802382e453953dac599f851c5c1415fa9b SOURCES/gnupg-2.4.5.tar.bz2.sig
diff --git a/SOURCES/gnupg-2.1.1-fips-algo.patch b/SOURCES/gnupg-2.1.1-fips-algo.patch
new file mode 100644
index 0000000..b8e0129
--- /dev/null
+++ b/SOURCES/gnupg-2.1.1-fips-algo.patch
@@ -0,0 +1,54 @@
+diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
+--- gnupg-2.1.1/g10/mainproc.c.fips	2015-01-29 17:19:49.266031504 +0100
++++ gnupg-2.1.1/g10/mainproc.c	2015-01-29 17:27:13.938088122 +0100
+@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
+          according to 2440, so hopefully it won't come up that often.
+          There is no good way to specify what algorithms to use in
+          that case, so these there are the historical answer. */
+-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
++	if (!gcry_fips_mode_active())
++            gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
+     }
+   if (DBG_HASHING)
+diff --git a/common/t-sexputil.c b/common/t-sexputil.c
+index d75090c5b..be5eb2122 100644
+--- a/common/t-sexputil.c
++++ b/common/t-sexputil.c
+@@ -291,36 +291,6 @@ test_ecc_uncompress (void)
+     const char *b;  /* Compressed.    */
+   }
+   tests[] = {
+-  {
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #042ECD8679930BE2DB4AD42B8600BA3F80"
+-    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406"
+-    /*   */"436DD11A1756AFE56CD93408410FCDA9"
+-    /*   */"BA95024EB613BD481A14FCFEC27A448A#)))",
+-    /* The same in compressed form.  */
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
+-    /*   */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))"
+-  },
+-  {
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #045B784CA008EE64AB3D85017EE0D2BE87"
+-    /*   */"558762C7300E0C8E06B1F9AF7C031458"
+-    /*   */"9EBBA41915313417BA54218EB0569C59"
+-    /*   */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
+-    /* The same in compressed form.  */
+-    "(public-key"
+-    " (ecc"
+-    " (curve brainpoolP256r1)"
+-    " (q #035B784CA008EE64AB3D85017EE0D2BE87"
+-    /*   */"558762C7300E0C8E06B1F9AF7C031458#)))"
+-  },
+   { /* A key which does not require a conversion.  */
+     "(public-key"
+     " (ecdsa"
diff --git a/SOURCES/gnupg-2.1.10-secmem.patch b/SOURCES/gnupg-2.1.10-secmem.patch
new file mode 100644
index 0000000..e263509
--- /dev/null
+++ b/SOURCES/gnupg-2.1.10-secmem.patch
@@ -0,0 +1,33 @@
+diff -up gnupg-2.1.10/g10/gpg.c.secmem gnupg-2.1.10/g10/gpg.c
+--- gnupg-2.1.10/g10/gpg.c.secmem	2015-12-04 10:53:27.000000000 +0100
++++ gnupg-2.1.10/g10/gpg.c	2015-12-07 15:32:38.922812652 +0100
+@@ -889,7 +889,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
+@@ -1041,7 +1041,7 @@ build_list (const char *text, char lette
+   char *string;
+ 
+   if (maybe_setuid)
+-    gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++    gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+ 
+   indent = utf8_charcount (text, -1);
+   len = 0;
+diff -up gnupg-2.1.10/sm/gpgsm.c.secmem gnupg-2.1.10/sm/gpgsm.c
+--- gnupg-2.1.10/sm/gpgsm.c.secmem	2015-11-30 17:39:52.000000000 +0100
++++ gnupg-2.1.10/sm/gpgsm.c	2015-12-07 15:31:17.226884207 +0100
+@@ -530,7 +530,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
diff --git a/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch b/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
new file mode 100644
index 0000000..a617396
--- /dev/null
+++ b/SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
@@ -0,0 +1,32 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: gpg: accept subkeys with a good revocation but no self-sig during
+ import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index f9acf95..9217911 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+                   /* It's valid, so is it newer? */
+                   if (sig->timestamp >= rsdate)
+                     {
++                      knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid.  */
+                       if (rsnode)
+                         {
+                           /* Delete the last revocation sig since
diff --git a/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch b/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
new file mode 100644
index 0000000..37ddeea
--- /dev/null
+++ b/SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
@@ -0,0 +1,201 @@
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:41 +0200
+Subject: tests: add test cases for import without uid
+
+This commit adds a test case that does the following, in order:
+- Import of a primary key plus user id
+- Check that import of a subkey works, without a user id present in the
+imported key
+- Check that import of a subkey revocation works, without a user id or
+subkey binding signature present in the imported key
+- Check that import of a primary key revocation works, without a user id
+present in the imported key
+
+--
+
+Note that this test currently fails.  The following changesets will
+fix gpg so that the tests pass.
+
+GnuPG-Bug-id: 4393
+Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ tests/openpgp/Makefile.am                          |  1 +
+ tests/openpgp/import-incomplete.scm                | 68 ++++++++++++++++++++++
+ .../import-incomplete/primary+revocation.asc       |  9 +++
+ .../primary+subkey+sub-revocation.asc              | 10 ++++
+ .../import-incomplete/primary+subkey+sub-sig.asc   | 10 ++++
+ .../openpgp/import-incomplete/primary+uid-sig.asc  | 10 ++++
+ tests/openpgp/import-incomplete/primary+uid.asc    | 10 ++++
+ 7 files changed, 118 insertions(+)
+ create mode 100755 tests/openpgp/import-incomplete.scm
+ create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
+
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index f6014c9..6423da1 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -78,6 +78,7 @@ XTESTS = \
+ 	gpgv-forged-keyring.scm \
+ 	armor.scm \
+ 	import.scm \
++	import-incomplete.scm \
+ 	import-revocation-certificate.scm \
+ 	ecc.scm \
+ 	4gb-packet.scm \
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm
+new file mode 100755
+index 0000000..727a027
+--- /dev/null
++++ b/tests/openpgp/import-incomplete.scm
+@@ -0,0 +1,68 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2016 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see <http://www.gnu.org/licenses/>.
++
++(load (in-srcdir "tests" "openpgp" "defs.scm"))
++(setup-environment)
++
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
++
++(info "Test import of new subkey, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of a subkey revocation, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:r:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of revocation, from a certificate without uid")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "pub:r:")
++			(string-contains? line "0843DA969AA8DAFB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
+diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
+new file mode 100644
+index 0000000..6b7b608
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+revocation.asc
+@@ -0,0 +1,9 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [E] primary key, revocation signature over primary (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
++=tM90
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+new file mode 100644
+index 0000000..83a51a5
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [D] primary key, subkey, subkey revocation (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
++=dwx2
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+new file mode 100644
+index 0000000..dc47a02
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [B] primary key, subkey, subkey binding sig (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
++=xuDu
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+new file mode 100644
+index 0000000..134607d
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
++9ohXOEBWvdJgVv2YAg==
++=KWIK
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
+new file mode 100644
+index 0000000..055f300
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [A] primary key, user ID, and self-sig expiring in 2021
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
+++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
++=1eII
++-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SOURCES/gnupg-2.2.21-coverity.patch b/SOURCES/gnupg-2.2.21-coverity.patch
new file mode 100644
index 0000000..f7419ff
--- /dev/null
+++ b/SOURCES/gnupg-2.2.21-coverity.patch
@@ -0,0 +1,240 @@
+diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c
+--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
++++ gnupg-2.2.21/common/server-help.c  2020-07-20 17:09:57.416148768 +0200
+@@ -156,7 +156,7 @@ get_option_value (char *line, const char
+   *pend = 0;
+   *r_value = xtrystrdup (p);
+   *pend = c;
+-  if (!p)
++  if (!*r_value)
+     return my_error_from_syserror ();
+   return 0;
+ }
+
+From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 9 Apr 2021 16:13:07 +0200
+Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
+
+* g10/card-util.c (change_pin): free answer on errors
+  (ask_card_keyattr): free answer on error
+* g10/cpr.c (do_get_from_fd): free string
+* g10/gpg.c (check_permissions): free dir on weird error
+* g10/import.c (append_new_uid): release knode
+* g10/keyedit.c (menu_set_keyserver_url): free answer
+  (menu_set_keyserver_url): free user
+* g10/keygen.c (print_status_key_not_created): move allocation after
+  sanity check
+  (ask_expire_interval): free answer
+  (card_store_key_with_backup): goto leave instaed of return
+* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
+* g10/revoke.c (gen_desig_revoke): release kdbhd
+  (gen_desig_revoke): free answer
+* g10/tofu.c (ask_about_binding): free sqerr and response
+* g10/trustdb.c (ask_ownertrust): free pk
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ g10/card-util.c | 14 +++++++++++---
+ g10/cpr.c       |  6 +++++-
+ g10/gpg.c       |  1 +
+ g10/import.c    |  5 ++++-
+ g10/keyedit.c   |  8 +++++++-
+ g10/keygen.c    | 15 +++++++++++----
+ g10/keyserver.c |  2 +-
+ g10/revoke.c    |  6 +++++-
+ g10/tofu.c      |  4 ++++
+ g10/trustdb.c   |  1 +
+ 10 files changed, 50 insertions(+), 12 deletions(-)
+
+diff --git a/g10/card-util.c b/g10/card-util.c
+index 36f096f06..c7df8380d 100644
+--- a/g10/card-util.c
++++ b/g10/card-util.c
+@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
+   else
+     for (;;)
+       {
+-	char *answer;
++	char *answer = NULL;
+ 
+ 	tty_printf ("\n");
+ 	tty_printf ("1 - change PIN\n"
+diff --git a/g10/tofu.c b/g10/tofu.c
+index f49083844..83786a08d 100644
+--- a/g10/tofu.c
++++ b/g10/tofu.c
+@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
+          GPGSQL_ARG_END);
+       if (rc)
+         {
++          sqlite3_free (sqerr);
++          sqerr = NULL;
+           rc = gpg_error (GPG_ERR_GENERAL);
+           break;
+         }
+-- 
+2.30.2
+
+
+From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:23:31 +0200
+Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
+
+* dirmngr/domaininfo.c (insert_or_update): free di_new
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ dirmngr/domaininfo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
+index b41aef366..87782b4b1 100644
+--- a/dirmngr/domaininfo.c
++++ b/dirmngr/domaininfo.c
+@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
+           log_error ("domaininfo: error allocating helper array: %s\n",
+                      gpg_strerror (gpg_err_code_from_syserror ()));
+           drop_extra = bucket;
++          xfree (di_new);
+           goto leave;
+         }
+       narray = 0;
+-- 
+2.30.2
+
+
+From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:34:40 +0200
+Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
+
+* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ scd/app-piv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scd/app-piv.c b/scd/app-piv.c
+index 143cc047a..94257f0ee 100644
+--- a/scd/app-piv.c
++++ b/scd/app-piv.c
+@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
+   gpg_error_t err;
+   data_object_t dobj;
+   unsigned char *outdata = NULL;
+-  size_t outdatalen;
++  size_t outdatalen = 0;
+   const unsigned char *s;
+   size_t n;
+   int keyref, mechanism;
+@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
+   /* Now verify the Application PIN.  */
+   err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
+   if (err)
+-    return err;
++    goto leave;
+ 
+   /* Build the Dynamic Authentication Template.  */
+   err = concat_tlv_list (0, &apdudata, &apdudatalen,
+-- 
+2.30.2
+
+
+From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 13 Apr 2021 16:44:48 +0200
+Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
+
+* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
+  (wks_cmd_print_wkd_hash): Free addrspec on error
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tools/wks-util.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/wks-util.c b/tools/wks-util.c
+index 516c7fe00..38dd194ff 100644
+--- a/tools/wks-util.c
++++ b/tools/wks-util.c
+@@ -1192,11 +1192,14 @@ gpg_error_t
+ wks_cmd_print_wkd_hash (const char *userid)
+ {
+   gpg_error_t err;
+-  char *addrspec, *fname;
++  char *addrspec = NULL, *fname;
+ 
+   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
+   if (err)
+-    return err;
++    {
++      xfree (addrspec);
++      return err;
++    }
+ 
+   es_printf ("%s %s\n", fname, addrspec);
+ 
+@@ -1211,12 +1214,15 @@ gpg_error_t
+ wks_cmd_print_wkd_url (const char *userid)
+ {
+   gpg_error_t err;
+-  char *addrspec, *fname;
++  char *addrspec = NULL, *fname;
+   char *domain;
+ 
+   err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
+   if (err)
+-    return err;
++    {
++      xfree (addrspec);
++      return err;
++    }
+ 
+   domain = strchr (addrspec, '@');
+   if (domain)
+-- 
+2.30.2
+
+
+From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 14 Apr 2021 15:59:12 +0200
+Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
+
+* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
+  the original allocator
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ scd/command.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index cb0dd379a..9d85c5a41 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
+         rc = assuan_send_data (ctx, p, strlen (p));
+       else
+         rc = gpg_error (GPG_ERR_NO_DATA);
+-      xfree (p);
++      /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
++      free (p);
+     }
+   else if (!strcmp (line, "deny_admin"))
+     rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
+-- 
+2.30.2
diff --git a/SOURCES/gnupg-2.2.23-large-rsa.patch b/SOURCES/gnupg-2.2.23-large-rsa.patch
new file mode 100644
index 0000000..47f861b
--- /dev/null
+++ b/SOURCES/gnupg-2.2.23-large-rsa.patch
@@ -0,0 +1,12 @@
+diff -up gnupg-2.2.23/g10/keygen.c.large-rsa gnupg-2.2.23/g10/keygen.c
+--- gnupg-2.2.23/g10/keygen.c.large-rsa	2020-09-04 13:53:42.030486671 +0200
++++ gnupg-2.2.23/g10/keygen.c	2020-09-04 13:55:52.896669542 +0200
+@@ -2262,7 +2262,7 @@ get_keysize_range (int algo, unsigned in
+ 
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+-      *max = 4096;
++      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
+       def = 3072;
+       break;
+     }
diff --git a/SOURCES/gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/SOURCES/gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
new file mode 100644
index 0000000..3af14ba
--- /dev/null
+++ b/SOURCES/gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
@@ -0,0 +1,108 @@
+From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 45 +++++++++++----------------------------------
+ 1 file changed, 11 insertions(+), 34 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index 9fab46ca6..c70a6221c 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
+   size_t an;
+   char pkstrbuf[PUBKEY_STRING_SIZE];
+   int merge_keys_done = 0;
+-  int any_filter = 0;
+   KEYDB_HANDLE hd = NULL;
+ 
+   if (r_valid)
+@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
+       log_printf ("\n");
+     }
+ 
+-
+-  if (!uidnode)
+-    {
+-      if (!silent)
+-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+-      return 0;
+-    }
+-
+   if (screener && screener (keyblock, screener_arg))
+     {
+       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
+ 	  }
+     }
+ 
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
+-    {
+-      if (!silent)
+-        {
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
+-            log_info(_("this may be caused by a missing self-signature\n"));
+-        }
+-      stats->no_user_id++;
+-      return 0;
+-    }
++  /* Delete invalid parts, and note if we have any valid ones left.
++   * We will later abort import if this key is new but contains
++   * no valid uids.  */
++  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
+ 
+   /* Get rid of deleted nodes.  */
+   commit_kbnode (&keyblock);
+@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
+     {
+       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+     }
+   if (import_filter.drop_sig)
+     {
+       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+-    }
+-
+-  /* If we ran any filter we need to check that at least one user id
+-   * is left in the keyring.  Note that we do not use log_error in
+-   * this case. */
+-  if (any_filter && !any_uid_left (keyblock))
+-    {
+-      if (!opt.quiet )
+-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+-      stats->no_user_id++;
+-      return 0;
+     }
+ 
+   /* The keyblock is valid and ready for real import.  */
+@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
+       err = 0;
+       stats->skipped_new_keys++;
+     }
++  else if (err && !any_uid_left (keyblock))
++    {
++      if (!silent)
++        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++      err = 0;
++      stats->no_user_id++;
++    }
+   else if (err)  /* Insert this key. */
+     {
+       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */
diff --git a/SOURCES/gnupg-2.4.1-file-is-digest.patch b/SOURCES/gnupg-2.4.1-file-is-digest.patch
new file mode 100644
index 0000000..3da3549
--- /dev/null
+++ b/SOURCES/gnupg-2.4.1-file-is-digest.patch
@@ -0,0 +1,226 @@
+From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tmraz@fedoraproject.org>
+Date: Tue, 5 Aug 2014 17:04:08 +0200
+Subject: [PATCH gnupg] add --file-is-digest option needed for copr
+
+---
+ g10/gpg.c     |  4 +++
+ g10/options.h |  1 +
+ g10/sign.c    | 93 ++++++++++++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 85 insertions(+), 13 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index f9bc8395f..dcab0a11a 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -395,6 +395,7 @@ enum cmd_and_opt_values
+     oTTYtype,
+     oLCctype,
+     oLCmessages,
++    oFileIsDigest,
+     oXauthority,
+     oGroup,
+     oUnGroup,
+@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_s (oTempDir,  "temp-directory", "@"),
+   ARGPARSE_s_s (oExecPath, "exec-path", "@"),
+   ARGPARSE_s_n (oExpert,      "expert", "@"),
++  ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
+   ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
+   ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
+   ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
+@@ -2484,6 +2486,7 @@ main (int argc, char **argv)
+     opt.keyid_format = KF_NONE;
+     opt.def_sig_expire = "0";
+     opt.def_cert_expire = "0";
++    opt.file_is_digest = 0;
+     opt.passphrase_repeat = 1;
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+@@ -3111,6 +3114,7 @@ main (int argc, char **argv)
+ 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
+ 
+ 	  case oForceAEAD: opt.force_aead = 1; break;
++	  case oFileIsDigest: opt.file_is_digest = 1; break;
+ 
+           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
+           case oIncludeKeyBlock:  opt.flags.include_key_block = 1; break;
+diff --git a/g10/options.h b/g10/options.h
+index 9015e321f..10852046c 100644
+--- a/g10/options.h
++++ b/g10/options.h
+@@ -219,6 +219,7 @@ struct
+   int no_auto_check_trustdb;
+   int preserve_permissions;
+   int no_homedir_creation;
++  int file_is_digest;
+   struct groupitem *grouplist;
+   int mangle_dos_filenames;
+   int enable_progress_filter;
+diff --git a/g10/sign.c b/g10/sign.c
+index b5e9d422d..7ad143649 100644
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -40,6 +40,7 @@
+ #include "pkglue.h"
+ #include "../common/sysutils.h"
+ #include "call-agent.h"
++#include "../common/host2net.h"
+ #include "../common/mbox-util.h"
+ #include "../common/compliance.h"
+ 
+@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl,
+ 
+       if (pk->version >= 5)
+         sig->version = 5;  /* Required for v5 keys.  */
++      else if (opt.file_is_digest)
++        sig->version = 3;
+       else
+         sig->version = 4;  /* Required.  */
+ 
+@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl,
+       if (gcry_md_copy (&md, hash))
+         BUG ();
+ 
+-      build_sig_subpkt_from_sig (sig, pk, 0);
+-      mk_notation_policy_etc (ctrl, sig, NULL, pk);
+-      if (opt.flags.include_key_block && IS_SIG (sig))
+-        err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+-      else
+-        err = 0;
+-      hash_sigversion_to_magic (md, sig, extrahash);
+-      gcry_md_final (md);
++      if (!opt.file_is_digest)
++        {
++          build_sig_subpkt_from_sig (sig, pk, 0);
++          mk_notation_policy_etc (ctrl, sig, NULL, pk);
++          if (opt.flags.include_key_block && IS_SIG (sig))
++            err = mk_sig_subpkt_key_block (ctrl, sig, pk);
++          else
++            err = 0;
++
++          hash_sigversion_to_magic (md, sig, extrahash);
++          gcry_md_final (md);
++        }
++      else if (sig->version >= 4)
++        {
++          log_bug("file-is-digest doesn't work with v4 sigs\n");
++        }
+ 
+       if (!err)
+         err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
+@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+   SK_LIST sk_rover = NULL;
+   int multifile = 0;
+   u32 duration=0;
++  int sigclass = 0x00;
++  u32 timestamp = 0;
+   pt_extra_hash_data_t extrahash = NULL;
+ 
+   pfx = new_progress_context ();
+@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+     fname = NULL;
+ 
+   if (fname && filenames->next && (!detached || encryptflag))
+-    log_bug ("multiple files can only be detached signed");
++    log_bug ("multiple files can only be detached signed\n");
++
++  if (opt.file_is_digest && (multifile || !fname))
++    log_bug ("file-is-digest only works with one file\n");
++  if (opt.file_is_digest && !detached)
++    log_bug ("file-is-digest can only write detached signatures\n");
++  if (opt.file_is_digest && !opt.def_digest_algo)
++    log_bug ("file-is-digest needs --digest-algo\n");
++  if (opt.file_is_digest && opt.textmode)
++    log_bug ("file-is-digest doesn't work with --textmode\n");
+ 
+   if (encryptflag == 2
+       && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
+@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+     goto leave;
+ 
+   /* Prepare iobufs. */
+-  if (multifile)    /* have list of filenames */
++  if (multifile || opt.file_is_digest)  /* have list of filenames */
+     inp = NULL;     /* we do it later */
+   else
+     {
+@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+   for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
+     gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
+ 
+-  if (!multifile)
++  if (!multifile && !opt.file_is_digest)
+     iobuf_push_filter (inp, md_filter, &mfx);
+ 
+   if (detached && !encryptflag)
+@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ 
+   write_status_begin_signing (mfx.md);
+ 
++  sigclass = opt.textmode && !outfile? 0x01 : 0x00;
++
+   /* Setup the inner packet. */
+   if (detached)
+     {
+@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+           if (opt.verbose)
+             log_printf ("\n");
+ 	}
++      else if (opt.file_is_digest)
++        {
++          byte *mdb, ts[5] = {0};
++          size_t mdlen;
++          const char *fp;
++          int c, d;
++
++          gcry_md_final(mfx.md);
++          /* this assumes gcry_md_read returns the same buffer */
++          mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
++          mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
++          if (strlen(fname) != mdlen * 2 + 11)
++            log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen);
++          d = -1;
++          for (fp = fname ; *fp; )
++            {
++               c = *fp++;
++               if (c >= '0' && c <= '9')
++                 c -= '0';
++               else if (c >= 'a' && c <= 'f')
++                 c -= 'a' - 10;
++               else if (c >= 'A' && c <= 'F')
++                 c -= 'A' - 10;
++               else
++                 log_bug("filename is not hex\n");
++               if (d >= 0)
++                {
++                   *mdb++ = d << 4 | c;
++                   c = -1;
++                   if (--mdlen == 0)
++                    {
++                       mdb = ts;
++                       if (*fp++ != '@')
++                         log_bug("missing time separator\n");
++                     }
++                 }
++               d = c;
++            }
++          sigclass = ts[0];
++          if (sigclass != 0x00 && sigclass != 0x01)
++            log_bug("bad cipher class\n");
++          timestamp = buf32_to_u32(ts + 1);
++        }
+       else
+         {
+           /* Read, so that the filter can calculate the digest. */
+@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
+ 
+   /* Write the signatures. */
+   rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
+-                                opt.textmode && !outfile? 0x01 : 0x00,
+-                                0, duration, detached ? 'D':'S', NULL);
++                                sigclass,
++                                timestamp, duration, detached ? 'D':'S', NULL);
+   if (rc)
+     goto leave;
+ 
diff --git a/SOURCES/gnupg-2.4.3-restore-systemd-sockets.patch b/SOURCES/gnupg-2.4.3-restore-systemd-sockets.patch
new file mode 100644
index 0000000..53d0ad1
--- /dev/null
+++ b/SOURCES/gnupg-2.4.3-restore-systemd-sockets.patch
@@ -0,0 +1,275 @@
+From eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 23 Jan 2023 16:34:19 +0100
+Subject: [PATCH] doc: Remove profile and systemd example files.
+
+--
+
+The profiles are not any longer useful because global options are way
+more powerful (/etc/gnupg/gpg.conf et al.).  The use of systemd is
+deprecated because of additional complexity and the race between
+systemd based autolaunching and the explicit gnupg based and lockfile
+protected autolaunching.
+
+GnuPG-bug-id: 6336
+---
+diff --git b/doc/Makefile.am a/doc/Makefile.am
+index 390153c76..0093c43a8 100644
+--- b/doc/Makefile.am
++++ a/doc/Makefile.am
+@@ -22,6 +22,14 @@ AM_CPPFLAGS =
+            examples/qualified.txt                                       \
+ 	   examples/common.conf                                         \
+            examples/gpgconf.rnames examples/gpgconf.conf                \
++	   examples/systemd-user/README 				\
++	   examples/systemd-user/dirmngr.service 			\
++	   examples/systemd-user/dirmngr.socket				\
++	   examples/systemd-user/gpg-agent.service 			\
++	   examples/systemd-user/gpg-agent.socket 			\
++	   examples/systemd-user/gpg-agent-ssh.socket 			\
++	   examples/systemd-user/gpg-agent-browser.socket		\
++	   examples/systemd-user/gpg-agent-extra.socket 		\
+ 	   examples/pwpattern.list
+ 
+ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
+diff --git b/doc/Makefile.in a/doc/Makefile.in
+index 390153c76..0093c43a8 100644
+--- b/doc/Makefile.in
++++ a/doc/Makefile.in
+@@ -475,6 +475,14 @@ AM_CPPFLAGS =
+            examples/qualified.txt                                       \
+ 	   examples/common.conf                                         \
+            examples/gpgconf.rnames examples/gpgconf.conf                \
++	   examples/systemd-user/README 				\
++	   examples/systemd-user/dirmngr.service 			\
++	   examples/systemd-user/dirmngr.socket				\
++	   examples/systemd-user/gpg-agent.service 			\
++	   examples/systemd-user/gpg-agent.socket 			\
++	   examples/systemd-user/gpg-agent-ssh.socket 			\
++	   examples/systemd-user/gpg-agent-browser.socket		\
++	   examples/systemd-user/gpg-agent-extra.socket 		\
+ 	   examples/pwpattern.list
+ 
+ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt		\
+diff --git b/doc/examples/README a/doc/examples/README
+index cd341ab57..67508c471 100644
+--- b/doc/examples/README
++++ a/doc/examples/README
+@@ -8,6 +8,8 @@ trustlist.txt   A list of trustworthy root certificates
+ 
+ gpgconf.conf    A sample configuration file for gpgconf.
+ 
++systemd-user    Sample files for a Linux-only init system.
++
+ qualified.txt   Sample file for qualified.txt.
+ 
+ common.conf     Sample file for common options.
+diff --git b/doc/examples/gpgconf.conf a/doc/examples/gpgconf.conf
+index 314b955b9..a61d4d453 100644
+--- b/doc/examples/gpgconf.conf
++++ a/doc/examples/gpgconf.conf
+@@ -1,9 +1,5 @@
+ # gpgconf.conf - configuration for gpgconf
+ #----------------------------------------------------------------------
+-#
+-# === The use of this feature is deprecated ===
+-# == Please use the more powerful global options. ==
+-#
+ # This file is read by gpgconf(1) to setup defaults for all or
+ # specified users and groups.  It may be used to change the hardwired
+ # defaults in gpgconf and to enforce certain values for the various
+diff --git b/doc/examples/systemd-user/README a/doc/examples/systemd-user/README
+new file mode 100644
+index 000000000..43122f568
+--- /dev/null
++++ a/doc/examples/systemd-user/README
+@@ -0,0 +1,66 @@
++Socket-activated dirmngr and gpg-agent with systemd
++===================================================
++
++When used on a GNU/Linux system supervised by systemd, you can ensure
++that the GnuPG daemons dirmngr and gpg-agent are launched
++automatically the first time they're needed, and shut down cleanly at
++session logout.  This is done by enabling user services via
++socket-activation.
++
++System distributors
++-------------------
++
++The *.service and *.socket files (from this directory) should be
++placed in /usr/lib/systemd/user/ alongside other user-session services
++and sockets.
++
++To enable socket-activated dirmngr for all accounts on the system,
++use:
++
++    systemctl --user --global enable dirmngr.socket
++
++To enable socket-activated gpg-agent for all accounts on the system,
++use:
++
++    systemctl --user --global enable gpg-agent.socket
++
++Additionally, you can enable socket-activated gpg-agent ssh-agent
++emulation for all accounts on the system with:
++
++    systemctl --user --global enable gpg-agent-ssh.socket
++
++You can also enable restricted ("--extra-socket"-style) gpg-agent
++sockets for all accounts on the system with:
++
++    systemctl --user --global enable gpg-agent-extra.socket
++
++Individual users
++----------------
++
++A user on a system with systemd where this has not been installed
++system-wide can place these files in ~/.config/systemd/user/ to make
++them available.
++
++If a given service isn't installed system-wide, or if it's installed
++system-wide but not globally enabled, individual users will still need
++to enable them.  For example, to enable socket-activated dirmngr for
++all future sessions:
++
++    systemctl --user enable dirmngr.socket
++
++To enable socket-activated gpg-agent with ssh support, do:
++
++    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
++
++These changes won't take effect until your next login after you've
++fully logged out (be sure to terminate any running daemons before
++logging out).
++
++If you'd rather try a socket-activated GnuPG daemon in an
++already-running session without logging out (with or without enabling
++it for all future sessions), kill any existing daemon and start the
++user socket directly.  For example, to set up socket-activated dirmgnr
++in the current session:
++
++    gpgconf --kill dirmngr
++    systemctl --user start dirmngr.socket
+diff --git b/doc/examples/systemd-user/dirmngr.service a/doc/examples/systemd-user/dirmngr.service
+new file mode 100644
+index 000000000..3c060cde5
+--- /dev/null
++++ a/doc/examples/systemd-user/dirmngr.service
+@@ -0,0 +1,8 @@
++[Unit]
++Description=GnuPG network certificate management daemon
++Documentation=man:dirmngr(8)
++Requires=dirmngr.socket
++
++[Service]
++ExecStart=/usr/bin/dirmngr --supervised
++ExecReload=/usr/bin/gpgconf --reload dirmngr
+diff --git b/doc/examples/systemd-user/dirmngr.socket a/doc/examples/systemd-user/dirmngr.socket
+new file mode 100644
+index 000000000..ebabf896a
+--- /dev/null
++++ a/doc/examples/systemd-user/dirmngr.socket
+@@ -0,0 +1,11 @@
++[Unit]
++Description=GnuPG network certificate management daemon
++Documentation=man:dirmngr(8)
++
++[Socket]
++ListenStream=%t/gnupg/S.dirmngr
++SocketMode=0600
++DirectoryMode=0700
++
++[Install]
++WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-browser.socket a/doc/examples/systemd-user/gpg-agent-browser.socket
+new file mode 100644
+index 000000000..bc8d344e1
+--- /dev/null
++++ a/doc/examples/systemd-user/gpg-agent-browser.socket
+@@ -0,0 +1,13 @@
++[Unit]
++Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
++Documentation=man:gpg-agent(1)
++
++[Socket]
++ListenStream=%t/gnupg/S.gpg-agent.browser
++FileDescriptorName=browser
++Service=gpg-agent.service
++SocketMode=0600
++DirectoryMode=0700
++
++[Install]
++WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-extra.socket a/doc/examples/systemd-user/gpg-agent-extra.socket
+new file mode 100644
+index 000000000..5b87d09df
+--- /dev/null
++++ a/doc/examples/systemd-user/gpg-agent-extra.socket
+@@ -0,0 +1,13 @@
++[Unit]
++Description=GnuPG cryptographic agent and passphrase cache (restricted)
++Documentation=man:gpg-agent(1)
++
++[Socket]
++ListenStream=%t/gnupg/S.gpg-agent.extra
++FileDescriptorName=extra
++Service=gpg-agent.service
++SocketMode=0600
++DirectoryMode=0700
++
++[Install]
++WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent-ssh.socket a/doc/examples/systemd-user/gpg-agent-ssh.socket
+new file mode 100644
+index 000000000..798c1d967
+--- /dev/null
++++ a/doc/examples/systemd-user/gpg-agent-ssh.socket
+@@ -0,0 +1,13 @@
++[Unit]
++Description=GnuPG cryptographic agent (ssh-agent emulation)
++Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
++
++[Socket]
++ListenStream=%t/gnupg/S.gpg-agent.ssh
++FileDescriptorName=ssh
++Service=gpg-agent.service
++SocketMode=0600
++DirectoryMode=0700
++
++[Install]
++WantedBy=sockets.target
+diff --git b/doc/examples/systemd-user/gpg-agent.service a/doc/examples/systemd-user/gpg-agent.service
+new file mode 100644
+index 000000000..a050fccdc
+--- /dev/null
++++ a/doc/examples/systemd-user/gpg-agent.service
+@@ -0,0 +1,8 @@
++[Unit]
++Description=GnuPG cryptographic agent and passphrase cache
++Documentation=man:gpg-agent(1)
++Requires=gpg-agent.socket
++
++[Service]
++ExecStart=/usr/bin/gpg-agent --supervised
++ExecReload=/usr/bin/gpgconf --reload gpg-agent
+diff --git b/doc/examples/systemd-user/gpg-agent.socket a/doc/examples/systemd-user/gpg-agent.socket
+new file mode 100644
+index 000000000..4257c2c80
+--- /dev/null
++++ a/doc/examples/systemd-user/gpg-agent.socket
+@@ -0,0 +1,12 @@
++[Unit]
++Description=GnuPG cryptographic agent and passphrase cache
++Documentation=man:gpg-agent(1)
++
++[Socket]
++ListenStream=%t/gnupg/S.gpg-agent
++FileDescriptorName=std
++SocketMode=0600
++DirectoryMode=0700
++
++[Install]
++WantedBy=sockets.target
+-- 
+2.41.0
+
diff --git a/SOURCES/gnupg-2.4.5-revert-default-eddsa.patch b/SOURCES/gnupg-2.4.5-revert-default-eddsa.patch
new file mode 100644
index 0000000..8a7776d
--- /dev/null
+++ b/SOURCES/gnupg-2.4.5-revert-default-eddsa.patch
@@ -0,0 +1,162 @@
+From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 5 Oct 2020 14:21:31 +0200
+Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo.
+
+* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future
+default ago.
+(ask_algo): Change default and also the way we indicate the default
+algo in the list of algos.
+(ask_curve): Indicate the default curve.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ g10/keygen.c | 57 ++++++++++++++++++++++++++--------------------------
+ 1 file changed, 29 insertions(+), 28 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 16e4e58ea..b510525e3 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -47,10 +47,11 @@
+ #include "../common/mbox-util.h"
+ 
+ 
+-/* The default algorithms.  If you change them, you should ensure the value
+-   is inside the bounds enforced by ask_keysize and gen_xxx.  See also
+-   get_keysize_range which encodes the allowed ranges.  */
+-#define DEFAULT_STD_KEY_PARAM  "rsa3072/cert,sign+rsa3072/encr"
++/* The default algorithms.  If you change them, you should ensure the
++   value is inside the bounds enforced by ask_keysize and gen_xxx.
++   See also get_keysize_range which encodes the allowed ranges.  The
++   default answer in ask_algo also needs to be adjusted.  */
++#define DEFAULT_STD_KEY_PARAM  "ed25519/cert,sign+cv25519/encr"
+ #define FUTURE_STD_KEY_PARAM   "ed25519/cert,sign+cv25519/encr"
+ 
+ /* When generating keys using the streamlined key generation dialog,
+@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+ 
+ #if GPG_USE_RSA
+   if (!addmode)
+-    tty_printf (_("   (%d) RSA and RSA (default)\n"), 1 );
++    tty_printf (_("   (%d) RSA and RSA%s\n"), 1, "");
+ #endif
+ 
+   if (!addmode && opt.compliance != CO_DE_VS)
+-    tty_printf (_("   (%d) DSA and Elgamal\n"), 2 );
++    tty_printf (_("   (%d) DSA and Elgamal%s\n"), 2, "");
+ 
+   if (opt.compliance != CO_DE_VS)
+-    tty_printf (_("   (%d) DSA (sign only)\n"), 3 );
++    tty_printf (_("   (%d) DSA (sign only)%s\n"), 3, "");
+ #if GPG_USE_RSA
+-  tty_printf (_("   (%d) RSA (sign only)\n"), 4 );
++  tty_printf (_("   (%d) RSA (sign only)%s\n"), 4, "");
+ #endif
+ 
+   if (addmode)
+     {
+       if (opt.compliance != CO_DE_VS)
+-        tty_printf (_("   (%d) Elgamal (encrypt only)\n"), 5 );
++        tty_printf (_("   (%d) Elgamal (encrypt only)%s\n"), 5, "");
+ #if GPG_USE_RSA
+-      tty_printf (_("   (%d) RSA (encrypt only)\n"), 6 );
++      tty_printf (_("   (%d) RSA (encrypt only)%s\n"), 6, "");
+ #endif
+     }
+   if (opt.expert)
+     {
+       if (opt.compliance != CO_DE_VS)
+-        tty_printf (_("   (%d) DSA (set your own capabilities)\n"), 7 );
++        tty_printf (_("   (%d) DSA (set your own capabilities)%s\n"), 7, "");
+ #if GPG_USE_RSA
+-      tty_printf (_("   (%d) RSA (set your own capabilities)\n"), 8 );
++      tty_printf (_("   (%d) RSA (set your own capabilities)%s\n"), 8, "");
+ #endif
+     }
+ 
+ #if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA
+-  if (opt.expert && !addmode)
+-    tty_printf (_("   (%d) ECC and ECC\n"), 9 );
+-  if (opt.expert)
+-    tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
++  if (!addmode)
++    tty_printf (_("   (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") );
++  tty_printf (_("  (%d) ECC (sign only)\n"), 10 );
+   if (opt.expert)
+-    tty_printf (_("  (%d) ECC (set your own capabilities)\n"), 11 );
+-  if (opt.expert && addmode)
+-    tty_printf (_("  (%d) ECC (encrypt only)\n"), 12 );
++    tty_printf (_("  (%d) ECC (set your own capabilities)%s\n"), 11, "");
++  if (addmode)
++    tty_printf (_("  (%d) ECC (encrypt only)%s\n"), 12, "");
+ #endif
+ 
+   if (opt.expert && r_keygrip)
+-    tty_printf (_("  (%d) Existing key\n"), 13 );
++    tty_printf (_("  (%d) Existing key%s\n"), 13, "");
+   if (r_keygrip)
+-    tty_printf (_("  (%d) Existing key from card\n"), 14 );
++    tty_printf (_("  (%d) Existing key from card%s\n"), 14, "");
+ 
+   for (;;)
+     {
+@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+       xfree (answer);
+       answer = cpr_get ("keygen.algo", _("Your selection? "));
+       cpr_kill_prompt ();
+-      algo = *answer? atoi (answer) : 1;
++      algo = *answer? atoi (answer) : 9;  /* Default algo is 9 */
+ 
+       if (opt.compliance == CO_DE_VS
+           && (algo == 2 || algo == 3 || algo == 5 || algo == 7))
+@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+           break;
+ 	}
+       else if ((algo == 9 || !strcmp (answer, "ecc+ecc"))
+-               && opt.expert && !addmode)
++               && !addmode)
+         {
+           algo = PUBKEY_ALGO_ECDSA;
+           *r_subkey_algo = PUBKEY_ALGO_ECDH;
+           break;
+ 	}
+-      else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert)
++      else if ((algo == 10 || !strcmp (answer, "ecc/s")))
+         {
+           algo = PUBKEY_ALGO_ECDSA;
+           *r_usage = PUBKEY_USAGE_SIG;
+@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
+           break;
+ 	}
+       else if ((algo == 12 || !strcmp (answer, "ecc/e"))
+-               && opt.expert && addmode)
++               && addmode)
+         {
+           algo = PUBKEY_ALGO_ECDH;
+           *r_usage = PUBKEY_USAGE_ENC;
+@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
+     { "NIST P-256",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+     { "NIST P-384",      NULL, NULL,               MY_USE_ECDSADH,  0, 0, 0 },
+     { "NIST P-521",      NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+-    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 1, 0 },
++    { "brainpoolP256r1", NULL, "Brainpool P-256",  MY_USE_ECDSADH,  1, 0, 0 },
+     { "brainpoolP384r1", NULL, "Brainpool P-384",  MY_USE_ECDSADH,  1, 1, 0 },
+     { "brainpoolP512r1", NULL, "Brainpool P-512",  MY_USE_ECDSADH,  1, 1, 0 },
+     { "secp256k1",       NULL, NULL,               MY_USE_ECDSADH,  0, 1, 0 },
+@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
+         }
+ 
+       curves[idx].available = 1;
+-      tty_printf ("   (%d) %s\n", idx + 1,
++      tty_printf ("   (%d) %s%s\n", idx + 1,
+                   curves[idx].pretty_name?
+-                  curves[idx].pretty_name:curves[idx].name);
++                  curves[idx].pretty_name:curves[idx].name,
++                  idx == 0? _(" *default*"):"");
+     }
+   gcry_sexp_release (keyparms);
+ 
+-- 
+2.31.1
+
diff --git a/SOURCES/gnupg-2.4.5-sast.patch b/SOURCES/gnupg-2.4.5-sast.patch
new file mode 100644
index 0000000..5d95e7e
--- /dev/null
+++ b/SOURCES/gnupg-2.4.5-sast.patch
@@ -0,0 +1,1016 @@
+From 2e4b1f78505513c333532755a715bce0f5ad3c99 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 11:52:04 +0200
+Subject: [PATCH GnuPG] tpm: Do not use fprintf for logging.
+
+* tpm2d/intel-tss.h (TSS_Create): Replace fprintf logging by
+log_error.
+---
+ tpm2d/intel-tss.h | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/tpm2d/intel-tss.h b/tpm2d/intel-tss.h
+index 53da5cee2..1649cca05 100644
+--- a/tpm2d/intel-tss.h
++++ b/tpm2d/intel-tss.h
+@@ -300,7 +300,7 @@ TSS_Create(TSS_CONTEXT **tssContext)
+ 	}
+       else
+ 	{
+-	  fprintf(stderr, "Unknown TPM_INTERFACE_TYPE %s\n", intType);
++	  log_error ("tss: Unknown TPM_INTERFACE_TYPE %s\n", intType);
+ 	}
+     }
+ 
+@@ -352,15 +352,15 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+   rc = TSS_Hash_GetMd(&algo, digest->hashAlg);
+   if (rc)
+     {
+-      fprintf(stderr, "TSS_HASH_GENERATE: Unknown hash %d\n",
+-	      digest->hashAlg);
++      log_error ("TSS_Hash_Generate: Unknown hash %d\n", digest->hashAlg);
+       goto out;
+     }
+ 
+   rc = gcry_md_open (&md, algo, 0);
+   if (rc != 0)
+     {
+-      fprintf(stderr, "TSS_Hash_Generate: EVP_MD_CTX_create failed\n");
++      log_error ("TSS_Hash_Generate: EVP_MD_CTX_create failed: %s\n",
++                 gpg_strerror (rc));
+       rc = TPM_RC_FAILURE;
+       goto out;
+     }
+@@ -374,7 +374,7 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+ 	break;
+       if (length < 0)
+ 	{
+-	  fprintf(stderr, "TSS_Hash_Generate: Length is negative\n");
++	  log_error ("TSS_Hash_Generate: Length is negative\n");
+ 	  goto out_free;
+ 	}
+       if (length != 0)
+@@ -408,9 +408,8 @@ tpm2_error(TPM_RC rc, const char *reason)
+ {
+   const char *msg;
+ 
+-  fprintf(stderr, "%s failed with %d\n", reason, rc);
+   msg = Tss2_RC_Decode(rc);
+-  fprintf(stderr, "%s\n", msg);
++  log_error ("%s failed with error %d (%s)\n", reason, rc, msg);
+ }
+ 
+ static inline int
+-- 
+2.45.2
+
+From e0543f97be007983a0a052df09a852a11331ee5d Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Wed, 15 May 2024 15:27:20 +0900
+Subject: [PATCH GnuPG] tpm2d: Use BYTE type to acces TPM2B object.
+
+* tpm2d/tpm2.c (tpm2_SensitiveToDuplicate): Don't use the cast
+of (TPM2B *).
+
+--
+
+While it works (since the actual access is done by the macros),
+compiler may complain the alignment property of type BYTE * and TPM2B
+object is different.
+
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ tpm2d/tpm2.c | 27 +++++++++++++--------------
+ 1 file changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 3e908ddb1..d0b32ed35 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -695,8 +695,8 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+     {
+       TPMT_HA hash;
+       const int hlen = TSS_GetDigestSize (nalg);
+-      TPM2B *digest = (TPM2B *)buf;
+-      TPM2B *s2b;
++      BYTE *digest;
++      BYTE *s2b;
+       int32_t size;
+       unsigned char null_iv[AES_128_BLOCK_SIZE_BYTES];
+       UINT16 bsize, written = 0;
+@@ -707,13 +707,12 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+       memset (null_iv, 0, sizeof (null_iv));
+ 
+       /* reserve space for hash before the encrypted sensitive */
+-      bsize = sizeof (digest->size) + hlen;
+-      buf += bsize;
++      digest = buf;
++      bsize = sizeof (uint16_t /* TPM2B.size */) + hlen;
+       p->size += bsize;
+-      s2b = (TPM2B *)buf;
++      s2b = digest + bsize;
+ 
+       /* marshal the digest size */
+-      buf = (BYTE *)&digest->size;
+       bsize = hlen;
+       size = 2;
+       TSS_UINT16_Marshal (&bsize, &written, &buf, &size);
+@@ -721,13 +720,13 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+       /* marshal the unencrypted sensitive in place */
+       size = sizeof (*s);
+       bsize = 0;
+-      buf = s2b->buffer;
++      buf = s2b + offsetof (TPM2B, buffer);
+       TSS_TPMT_SENSITIVE_Marshal (s, &bsize, &buf, &size);
+-      buf = (BYTE *)&s2b->size;
++      buf = s2b;
+       size = 2;
+       TSS_UINT16_Marshal (&bsize, &written, &buf, &size);
+ 
+-      bsize = bsize + sizeof (s2b->size);
++      bsize = bsize + sizeof (uint16_t /* TPM2B.size */);
+       p->size += bsize;
+ 
+       /* compute hash of unencrypted marshalled sensitive and
+@@ -736,7 +735,7 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+       TSS_Hash_Generate (&hash, bsize, s2b,
+ 			 name->size, name->name,
+ 			 0, NULL);
+-      memcpy (digest->buffer, &hash.digest, hlen);
++      memcpy (digest + offsetof (TPM2B, buffer), &hash.digest, hlen);
+       gcry_cipher_open (&hd, GCRY_CIPHER_AES128,
+ 			GCRY_CIPHER_MODE_CFB, GCRY_CIPHER_SECURE);
+       gcry_cipher_setiv (hd, null_iv, sizeof (null_iv));
+@@ -749,20 +748,20 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+   else if (symdef->algorithm == TPM_ALG_NULL)
+     {
+       /* Code is for debugging only, should never be used in production */
+-      TPM2B *s2b = (TPM2B *)buf;
++      BYTE *s2b = buf;
+       int32_t size = sizeof (*s);
+       UINT16 bsize = 0, written = 0;
+ 
+       log_error ("Secret key sent to TPM unencrypted\n");
+-      buf = s2b->buffer;
++      buf = s2b + offsetof (TPM2B, buffer);
+ 
+       /* marshal the unencrypted sensitive in place */
+       TSS_TPMT_SENSITIVE_Marshal (s, &bsize, &buf, &size);
+-      buf = (BYTE *)&s2b->size;
++      buf = s2b;
+       size = 2;
+       TSS_UINT16_Marshal (&bsize, &written, &buf, &size);
+ 
+-      p->size += bsize + sizeof (s2b->size);
++      p->size += bsize + sizeof (uint16_t /* TPM2B.size */);
+     }
+   else
+     {
+-- 
+2.45.2
+
+
+From d631c8198c254107c0a4e704511fa0f33d3dda5f Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 12:45:21 +0200
+Subject: [PATCH GnuPG] tpm: Improve error handling and check returned lengths.
+
+* tpm2d/command.c (cmd_pkdecrypt): Handle unknown algo.  Also slightly
+rework error handling.
+* tpm2d/tpm2.c (sexp_to_tpm2_public_ecc): Check length before checking
+for 0x04.  Rework error handling.
+(tpm2_ObjectPublic_GetName): Check the return value of
+TSS_GetDigestSize before use.  Erro handling rework.
+(tpm2_SensitiveToDuplicate): Ditto.
+(tpm2_import_key): Ditto.
+* tpm2d/intel-tss.h (TSS_Hash_Generate): Check passed length for
+negative values.  Check return value of TSS_GetDigestSize.  Use
+dedicated 16 bit length variable.
+--
+
+These are reworked and improved fixes as reported in
+GnuPG-bug-id: 7129
+---
+ tpm2d/command.c   |  12 ++--
+ tpm2d/intel-tss.h |  23 +++++---
+ tpm2d/tpm2.c      | 139 +++++++++++++++++++++++++++++-----------------
+ 3 files changed, 109 insertions(+), 65 deletions(-)
+
+diff --git a/tpm2d/command.c b/tpm2d/command.c
+index 6f8cb5506..8f69a5e11 100644
+--- a/tpm2d/command.c
++++ b/tpm2d/command.c
+@@ -291,12 +291,12 @@ cmd_pkdecrypt (assuan_context_t ctx, char *line)
+ {
+   ctrl_t ctrl = assuan_get_pointer (ctx);
+   int rc;
+-  unsigned char *shadow_info;
++  unsigned char *shadow_info = NULL;
+   size_t len;
+   TSS_CONTEXT *tssc;
+   TPM_HANDLE key;
+   TPMI_ALG_PUBLIC type;
+-  unsigned char *crypto;
++  unsigned char *crypto = NULL;
+   size_t cryptolen;
+   char *buf;
+   size_t buflen;
+@@ -313,7 +313,7 @@ cmd_pkdecrypt (assuan_context_t ctx, char *line)
+ 
+   rc = assuan_inquire (ctx, "EXTRA", &crypto, &cryptolen, MAXLEN_KEYDATA);
+   if (rc)
+-    goto out_freeshadow;
++    goto out;
+ 
+   rc = tpm2_start (&tssc);
+   if (rc)
+@@ -329,6 +329,11 @@ cmd_pkdecrypt (assuan_context_t ctx, char *line)
+   else if (type == TPM_ALG_ECC)
+     rc = tpm2_ecc_decrypt (ctrl, tssc, key, pin_cb, crypto,
+ 			   cryptolen, &buf, &buflen);
++  else
++    {
++      rc = GPG_ERR_PUBKEY_ALGO;
++      goto end_out;
++    }
+ 
+   tpm2_flush_handle (tssc, key);
+ 
+@@ -343,7 +348,6 @@ cmd_pkdecrypt (assuan_context_t ctx, char *line)
+ 
+  out:
+   xfree (crypto);
+- out_freeshadow:
+   xfree (shadow_info);
+ 
+   return rc;
+diff --git a/tpm2d/intel-tss.h b/tpm2d/intel-tss.h
+index 1649cca05..da085fac7 100644
+--- a/tpm2d/intel-tss.h
++++ b/tpm2d/intel-tss.h
+@@ -344,7 +344,7 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+   int length;
+   uint8_t *buffer;
+   int algo;
+-  gcry_md_hd_t md;
++  gcry_md_hd_t md = NULL;
+   va_list ap;
+ 
+   va_start(ap, digest);
+@@ -353,7 +353,7 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+   if (rc)
+     {
+       log_error ("TSS_Hash_Generate: Unknown hash %d\n", digest->hashAlg);
+-      goto out;
++      goto leave;
+     }
+ 
+   rc = gcry_md_open (&md, algo, 0);
+@@ -362,7 +362,7 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+       log_error ("TSS_Hash_Generate: EVP_MD_CTX_create failed: %s\n",
+                  gpg_strerror (rc));
+       rc = TPM_RC_FAILURE;
+-      goto out;
++      goto leave;
+     }
+ 
+   rc = TPM_RC_FAILURE;
+@@ -374,19 +374,24 @@ TSS_Hash_Generate(TPMT_HA *digest, ...)
+ 	break;
+       if (length < 0)
+ 	{
+-	  log_error ("TSS_Hash_Generate: Length is negative\n");
+-	  goto out_free;
++	  log_error ("%s: Length is negative\n", "TSS_Hash_Generate");
++	  goto leave;
+ 	}
+       if (length != 0)
+ 	gcry_md_write (md, buffer, length);
+     }
+ 
+-  memcpy (&digest->digest, gcry_md_read (md, algo),
+-	  TSS_GetDigestSize(digest->hashAlg));
++  length = TSS_GetDigestSize(digest->hashAlg);
++  if (length < 0)
++    {
++      log_error ("%s: Length is negative\n", "TSS_GetDigestSize");
++      goto leave;
++    }
++  memcpy (&digest->digest, gcry_md_read (md, algo), length);
+   rc = TPM_RC_SUCCESS;
+- out_free:
++
++ leave:
+   gcry_md_close (md);
+- out:
+   va_end(ap);
+   return rc;
+ }
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index d0b32ed35..2a49bf99b 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -446,46 +446,55 @@ static int
+ sexp_to_tpm2_public_ecc (TPMT_PUBLIC *p, gcry_sexp_t key)
+ {
+   const char *q;
+-  gcry_sexp_t l;
+-  int rc = GPG_ERR_BAD_PUBKEY;
++  gcry_sexp_t l = NULL;
++  int rc;
+   size_t len;
+   TPMI_ECC_CURVE curve;
+-  char *curve_name;
++  char *curve_name = NULL;
+ 
+   l = gcry_sexp_find_token (key, "curve", 0);
+   if (!l)
+-    return rc;
++    {
++      rc = GPG_ERR_NO_PUBKEY;
++      goto leave;
++    }
+   curve_name = gcry_sexp_nth_string (l, 1);
+   if (!curve_name)
+-    goto out;
++    {
++      rc = GPG_ERR_INV_CURVE;
++      goto leave;
++    }
+   rc = tpm2_ecc_curve (curve_name, &curve);
+-  gcry_free (curve_name);
+   if (rc)
+-    goto out;
+-  gcry_sexp_release (l);
++    goto leave;
+ 
++  gcry_sexp_release (l);
+   l = gcry_sexp_find_token (key, "q", 0);
+   if (!l)
+-    return rc;
++    {
++      rc = GPG_ERR_NO_PUBKEY;
++      goto leave;
++    }
+   q = gcry_sexp_nth_data (l, 1, &len);
+   /* This is a point representation, the first byte tells you what
+    * type.  The only format we understand is uncompressed (0x04)
+    * which has layout 0x04 | x | y */
+-  if (q[0] != 0x04)
++  if (!q || len < 2 || q[0] != 0x04)
+     {
+-      log_error ("Point format for q is not uncompressed\n");
+-      goto out;
++      log_error ("tss: point format for q is not uncompressed\n");
++      rc = GPG_ERR_BAD_PUBKEY;
++      goto leave;
+     }
+   q++;
+   len--;
+   /* now should have to equal sized big endian point numbers */
+   if ((len & 0x01) == 1)
+     {
+-      log_error ("Point format for q has incorrect length\n");
+-      goto out;
++      log_error ("tss: point format for q has incorrect length\n");
++      rc = GPG_ERR_BAD_PUBKEY;
++      goto leave;
+     }
+-
+-  len >>= 1;
++  len >>= 1; /* Compute length of one coordinate.  */
+ 
+   p->type = TPM_ALG_ECC;
+   p->nameAlg = TPM_ALG_SHA256;
+@@ -502,7 +511,9 @@ sexp_to_tpm2_public_ecc (TPMT_PUBLIC *p, gcry_sexp_t key)
+   VAL_2B (p->unique.ecc.x, size) = len;
+   memcpy (VAL_2B (p->unique.ecc.y, buffer), q + len, len);
+   VAL_2B (p->unique.ecc.y, size) = len;
+- out:
++
++ leave:
++  gcry_free (curve_name);
+   gcry_sexp_release (l);
+   return rc;
+ }
+@@ -637,36 +648,42 @@ tpm2_ObjectPublic_GetName (NAME_2B *name,
+   uint16_t written = 0;
+   TPMT_HA digest;
+   uint32_t sizeInBytes;
++  INT32 size = MAX_RESPONSE_SIZE;
+   uint8_t buffer[MAX_RESPONSE_SIZE];
++  uint8_t *buffer1 = buffer;
++  TPMI_ALG_HASH nameAlgNbo;
++  int length;
+ 
+   /* marshal the TPMT_PUBLIC */
+-  if (rc == 0)
+-    {
+-      INT32 size = MAX_RESPONSE_SIZE;
+-      uint8_t *buffer1 = buffer;
+-      rc = TSS_TPMT_PUBLIC_Marshal (tpmtPublic, &written, &buffer1, &size);
+-    }
++  rc = TSS_TPMT_PUBLIC_Marshal (tpmtPublic, &written, &buffer1, &size);
++  if (rc)
++    goto leave;
++
+   /* hash the public area */
+-  if (rc == 0)
+-    {
+-      sizeInBytes = TSS_GetDigestSize (tpmtPublic->nameAlg);
+-      digest.hashAlg = tpmtPublic->nameAlg;       /* Name digest algorithm */
+-      /* generate the TPMT_HA */
+-      rc = TSS_Hash_Generate (&digest, written, buffer, 0, NULL);
+-    }
+-  if (rc == 0)
++  length = TSS_GetDigestSize (tpmtPublic->nameAlg);
++  if (length < 0)
+     {
+-      TPMI_ALG_HASH nameAlgNbo;
+-
+-      /* copy the digest */
+-      memcpy (name->name + sizeof (TPMI_ALG_HASH),
+-	      (uint8_t *)&digest.digest, sizeInBytes);
+-      /* copy the hash algorithm */
+-      nameAlgNbo = htons (tpmtPublic->nameAlg);
+-      memcpy (name->name, (uint8_t *)&nameAlgNbo, sizeof (TPMI_ALG_HASH));
+-      /* set the size */
+-      name->size = sizeInBytes + sizeof (TPMI_ALG_HASH);
++      rc = TPM_RC_VALUE;
++      goto leave;
+     }
++  sizeInBytes = length;
++  digest.hashAlg = tpmtPublic->nameAlg;       /* Name digest algorithm */
++
++  /* generate the TPMT_HA */
++  rc = TSS_Hash_Generate (&digest, written, buffer, 0, NULL);
++  if (rc)
++    goto leave;
++
++  /* copy the digest */
++  memcpy (name->name + sizeof (TPMI_ALG_HASH),
++          (uint8_t *)&digest.digest, sizeInBytes);
++  /* copy the hash algorithm */
++  nameAlgNbo = htons (tpmtPublic->nameAlg);
++  memcpy (name->name, (uint8_t *)&nameAlgNbo, sizeof (TPMI_ALG_HASH));
++  /* set the size */
++  name->size = sizeInBytes + sizeof (TPMI_ALG_HASH);
++
++ leave:
+   return rc;
+ }
+ 
+@@ -694,7 +711,7 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+       && symdef->mode.aes == TPM_ALG_CFB)
+     {
+       TPMT_HA hash;
+-      const int hlen = TSS_GetDigestSize (nalg);
++      int hlen;
+       BYTE *digest;
+       BYTE *s2b;
+       int32_t size;
+@@ -706,6 +723,14 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+        * the AES routines alter the passed in iv */
+       memset (null_iv, 0, sizeof (null_iv));
+ 
++      hlen = TSS_GetDigestSize (nalg);
++      if (hlen < 0)
++        {
++          log_error ("%s: unknown symmetric algo id %d\n",
++                     "TSS_GetDigestSize", (int)nalg);
++          return TPM_RC_SYMMETRIC;
++        }
++
+       /* reserve space for hash before the encrypted sensitive */
+       digest = buf;
+       bsize = sizeof (uint16_t /* TPM2B.size */) + hlen;
+@@ -765,7 +790,7 @@ TPM_RC tpm2_SensitiveToDuplicate (TPMT_SENSITIVE *s,
+     }
+   else
+     {
+-      log_error ("Unknown symmetric algorithm\n");
++      log_error ("tss: Unknown symmetric algorithm\n");
+       return TPM_RC_SYMMETRIC;
+     }
+ 
+@@ -795,7 +820,9 @@ tpm2_import_key (ctrl_t ctrl, TSS_CONTEXT *tssc,
+   TPM_RC rc;
+ 
+   uint32_t size;
+-  uint16_t len;
++  uint16_t u16len;
++  size_t len;
++  int dlen;
+   BYTE *buffer;
+   int ret;
+   char *passphrase;
+@@ -817,14 +844,22 @@ tpm2_import_key (ctrl_t ctrl, TSS_CONTEXT *tssc,
+ 
+   /* add an authorization password to the key which the TPM will check */
+ 
+-  ret = pin_cb (ctrl,  _("Please enter the TPM Authorization passphrase for the key."), &passphrase);
++  ret = pin_cb (ctrl,
++           _("Please enter the TPM Authorization passphrase for the key."),
++                &passphrase);
+   if (ret)
+     return ret;
+   len = strlen(passphrase);
+-  if (len > TSS_GetDigestSize(objectPublic.publicArea.nameAlg))
++  dlen = TSS_GetDigestSize(objectPublic.publicArea.nameAlg);
++  if (dlen < 0)
++    {
++      log_error ("%s: error getting digest size\n", "TSS_GetDigestSize");
++      return GPG_ERR_DIGEST_ALGO;
++    }
++  if (len > dlen)
+     {
+-      len = TSS_GetDigestSize(objectPublic.publicArea.nameAlg);
+-      log_error ("Truncating Passphrase to TPM allowed %d\n", len);
++      len = dlen;
++      log_info ("tss: truncating Passphrase to TPM allowed size of %zu\n", len);
+     }
+   VAL_2B (s.authValue, size) = len;
+   memcpy (VAL_2B (s.authValue, buffer), passphrase, len);
+@@ -885,16 +920,16 @@ tpm2_import_key (ctrl_t ctrl, TSS_CONTEXT *tssc,
+ 
+   size = sizeof (pub);
+   buffer = pub;
+-  len = 0;
++  u16len = 0;
+   TSS_TPM2B_PUBLIC_Marshal (&objectPublic,
+-                            &len, &buffer, &size);
++                            &u16len, &buffer, &size);
+   pub_len = len;
+ 
+   size = sizeof (priv);
+   buffer = priv;
+-  len = 0;
++  u16len = 0;
+   TSS_TPM2B_PRIVATE_Marshal ((TPM2B_PRIVATE *)&outPrivate,
+-			     &len, &buffer, &size);
++			     &u16len, &buffer, &size);
+   priv_len = len;
+ 
+   *shadow_info = make_tpm2_shadow_info (parent, pub, pub_len,
+-- 
+2.45.2
+
+From bcc002cd45d1c6bd51c2b2093f92d396970c082e Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 13:46:36 +0200
+Subject: [PATCH GnuPG] gpg: Avoid a double free on error in the key
+ generation.
+
+* g10/keygen.c (card_store_key_with_backup): Avoid double free and
+simplify error handling.
+--
+
+This is part of
+GnuPG-bug-id: 7129
+Co-authored-by: Jakub Jelen <jjelen@redhat.com>
+---
+ g10/keygen.c | 53 +++++++++++++++++++++++-----------------------------
+ 1 file changed, 23 insertions(+), 30 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 4bdb9f53a..0c37f27f8 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -5846,11 +5846,10 @@ static gpg_error_t
+ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
+                             const char *backup_dir)
+ {
++  gpg_error_t err;
+   PKT_public_key *sk;
+   gnupg_isotime_t timestamp;
+-  gpg_error_t err;
+-  char *hexgrip;
+-  int rc;
++  char *hexgrip = NULL;
+   struct agent_card_info_s info;
+   gcry_cipher_hd_t cipherhd = NULL;
+   char *cache_nonce = NULL;
+@@ -5858,9 +5857,14 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
+   size_t keklen;
+   char *ecdh_param_str = NULL;
+ 
++  memset (&info, 0, sizeof (info));
++
+   sk = copy_public_key (NULL, sub_psk);
+   if (!sk)
+-    return gpg_error_from_syserror ();
++    {
++      err = gpg_error_from_syserror ();
++      goto leave;
++    }
+ 
+   epoch2isotime (timestamp, (time_t)sk->timestamp);
+   if (sk->pubkey_algo == PUBKEY_ALGO_ECDH)
+@@ -5868,37 +5872,23 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
+       ecdh_param_str = ecdh_param_str_from_pk (sk);
+       if (!ecdh_param_str)
+         {
+-          free_public_key (sk);
+-          return gpg_error_from_syserror ();
++          err = gpg_error_from_syserror ();
++          goto leave;
+         }
+     }
+ 
+   err = hexkeygrip_from_pk (sk, &hexgrip);
+   if (err)
+-    {
+-      xfree (ecdh_param_str);
+-      free_public_key (sk);
+-      goto leave;
+-    }
++    goto leave;
+ 
+-  memset(&info, 0, sizeof (info));
+-  rc = agent_scd_getattr ("SERIALNO", &info);
+-  if (rc)
+-    {
+-      xfree (ecdh_param_str);
+-      free_public_key (sk);
+-      err = (gpg_error_t)rc;
+-      goto leave;
+-    }
++  err = agent_scd_getattr ("SERIALNO", &info);
++  if (err)
++    goto leave;
+ 
+-  rc = agent_keytocard (hexgrip, 2, 1, info.serialno,
+-                        timestamp, ecdh_param_str);
+-  xfree (info.serialno);
+-  if (rc)
+-    {
+-      err = (gpg_error_t)rc;
+-      goto leave;
+-    }
++  err = agent_keytocard (hexgrip, 2, 1, info.serialno,
++                         timestamp, ecdh_param_str);
++  if (err)
++    goto leave;
+ 
+   err = agent_keywrap_key (ctrl, 1, &kek, &keklen);
+   if (err)
+@@ -5931,10 +5921,13 @@ card_store_key_with_backup (ctrl_t ctrl, PKT_public_key *sub_psk,
+   if (err)
+     log_error ("writing card key to backup file: %s\n", gpg_strerror (err));
+   else
+-    /* Remove secret key data in agent side.  */
+-    agent_scd_learn (NULL, 1);
++    {
++      /* Remove secret key data in agent side.  */
++      agent_scd_learn (NULL, 1);
++    }
+ 
+  leave:
++  xfree (info.serialno);
+   xfree (ecdh_param_str);
+   xfree (cache_nonce);
+   gcry_cipher_close (cipherhd);
+-- 
+2.45.2
+
+From 021c27510b52f86a95ae70b5f4ed5d2c3886c3e8 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 13:54:57 +0200
+Subject: [PATCH GnuPG] wks: Make sure that ERR is always initialized.
+
+* tools/wks-util.c (install_key_from_spec_file): Initialize ERR in case
+the loop is never run.
+--
+
+This is part of
+GnuPG-bug-id: 7129
+Co-authored-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tools/wks-util.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/wks-util.c b/tools/wks-util.c
+index 4a15d672a..fed568873 100644
+--- a/tools/wks-util.c
++++ b/tools/wks-util.c
+@@ -1185,6 +1185,7 @@ install_key_from_spec_file (const char *fname)
+       goto leave;
+     }
+ 
++  err = 0;
+   while (es_read_line (fp, &line, &linelen, &maxlen) > 0)
+     {
+       if (!maxlen)
+-- 
+2.45.2
+
+From fdc5003956407da1984f40fc27115e4704587e15 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 16:37:25 +0200
+Subject: [PATCH GnuPG] agent: Make sure to return success in ephemeral store
+ mode.
+
+* agent/genkey.c (store_key): Clear ERR on success.
+--
+
+This fixes a real problem which might let ephemeral store mode fail
+randomly.
+
+This is part of
+GnuPG-bug-id: 7129
+Co-authored-by: Jakub Jelen <jjelen@redhat.com>
+---
+ agent/genkey.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/agent/genkey.c b/agent/genkey.c
+index 503a7eb53..bb7e74e9b 100644
+--- a/agent/genkey.c
++++ b/agent/genkey.c
+@@ -116,6 +116,7 @@ store_key (ctrl_t ctrl, gcry_sexp_t private,
+       ek->keybuf = buf;
+       buf = NULL;
+       ek->keybuflen = len;
++      err = 0;
+     }
+   else
+     err = agent_write_private_key (ctrl, grip, buf, len, force,
+-- 
+2.45.2
+
+From bdbf5cee2ff5bc0773011abde4074003ef9dac70 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 16:44:18 +0200
+Subject: [PATCH GnuPG] agent: Avoid double free of empty string in the PIN
+ caching.
+
+* agent/call-scd.c (handle_pincache_get): Set PIN to NULL.  Also add
+DBG_CACHE conditionals and don't return the pin in the debug output.
+--
+
+This is part of
+GnuPG-bug-id: 7129
+Co-authored-by: Jakub Jelen <jjelen@redhat.com>
+---
+ agent/call-scd.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/agent/call-scd.c b/agent/call-scd.c
+index 3da16e619..ed6bd687e 100644
+--- a/agent/call-scd.c
++++ b/agent/call-scd.c
+@@ -196,7 +196,8 @@ handle_pincache_get (const char *args, assuan_context_t ctx)
+   const char *key;
+   char *pin = NULL;
+ 
+-  log_debug ("%s: enter '%s'\n", __func__, args);
++  if (DBG_CACHE)
++    log_debug ("%s: enter '%s'\n", __func__, args);
+   key = args;
+   if (strlen (key) < 5)
+     {
+@@ -210,11 +211,14 @@ handle_pincache_get (const char *args, assuan_context_t ctx)
+   if (!pin || !*pin)
+     {
+       xfree (pin);
++      pin = NULL;
+       err = 0;  /* Not found is indicated by sending no data back.  */
+-      log_debug ("%s: not cached\n", __func__);
++      if (DBG_CACHE)
++        log_debug ("%s: not cached\n", __func__);
+       goto leave;
+     }
+-  log_debug ("%s: cache returned '%s'\n", __func__, pin);
++  if (DBG_CACHE)
++    log_debug ("%s: cache returned '%s'\n", __func__, "[hidden]"/*pin*/);
+   err = assuan_send_data (ctx, pin, strlen (pin));
+ 
+  leave:
+-- 
+2.45.2
+
+From 379fc5569d604c4a7b5f12b2bbfc4106893c2a9e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 28 May 2024 16:50:59 +0200
+Subject: [PATCH GnuPG] agent: Avoid uninitialized access in GENKEY command on
+ parameter error.
+
+* agent/command.c (cmd_genkey): Moved init_membuf to the top.
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+This is part of
+GnuPG-bug-id: 7129
+---
+ agent/command.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index b152a5ea4..417a8815f 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -1170,6 +1170,8 @@ cmd_genkey (assuan_context_t ctx, char *line)
+   int c;
+   unsigned int flags = 0;
+ 
++  init_membuf (&outbuf, 512);
++
+   if (ctrl->restricted)
+     return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
+ 
+@@ -1227,8 +1229,6 @@ cmd_genkey (assuan_context_t ctx, char *line)
+   if (rc)
+     goto leave;
+ 
+-  init_membuf (&outbuf, 512);
+-
+   /* If requested, ask for the password to be used for the key.  If
+      this is not used the regular Pinentry mechanism is used.  */
+   if (opt_inq_passwd && !(flags & GENKEY_FLAG_NO_PROTECTION))
+-- 
+2.45.2
+
+From 4c1b0070354db0b9b0516d9e5453e47fc03a0aac Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 28 May 2024 16:57:41 +0200
+Subject: [PATCH GnuPG] scd: Avoid buffer overrun with more than 16 PC/SC
+ readers.
+
+* scd/apdu.c (apdu_dev_list_start): Fix end condition.
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+
+This is part of
+GnuPG-bug-id: 7129
+Fixes-commit: e8534f899915a039610973a84042cbe25a5e7ce2
+---
+ scd/apdu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scd/apdu.c b/scd/apdu.c
+index 98158648b..2e38a273a 100644
+--- a/scd/apdu.c
++++ b/scd/apdu.c
+@@ -2094,7 +2094,7 @@ apdu_dev_list_start (const char *portstr, struct dev_list **l_p)
+           nreader -= n + 1;
+           p += n + 1;
+           dl->idx_max++;
+-          if (dl->idx_max > MAX_READER)
++          if (dl->idx_max >= MAX_READER)
+             {
+               log_error ("too many readers from pcsc_list_readers\n");
+               dl->idx_max--;
+-- 
+2.45.2
+
+From 28c705a3be5c4aec477719d652b503568abc88a0 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Tue, 28 May 2024 17:08:12 +0200
+Subject: [PATCH GnuPG] gpgsm: Silence a lint warning
+
+* sm/keydb.c (keydb_search): Init skipped.
+--
+
+Skipped is not actually used.
+This is part of
+GnuPG-bug-id: 7129
+Reported-by: Jakub Jelen <jjelen@redhat.com>
+---
+ sm/keydb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sm/keydb.c b/sm/keydb.c
+index 151ae8103..9d704a110 100644
+--- a/sm/keydb.c
++++ b/sm/keydb.c
+@@ -1611,7 +1611,7 @@ keydb_search (ctrl_t ctrl, KEYDB_HANDLE hd,
+               KEYDB_SEARCH_DESC *desc, size_t ndesc)
+ {
+   gpg_error_t err = gpg_error (GPG_ERR_EOF);
+-  unsigned long skipped;
++  unsigned long skipped = 0;
+   int i;
+ 
+   if (!hd)
+-- 
+2.45.2
+
+From dcb0b6fd4822107d68bcb046d4d0650d02c82522 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 28 May 2024 17:15:03 +0200
+Subject: [PATCH GnuPG] gpgsm: Avoid double free when checking rsaPSS
+ signatures.
+
+* sm/certcheck.c (gpgsm_check_cms_signature): Do not free s_sig on
+error. Its owned and freed by the caller.
+
+--
+This is part of
+GnuPG-bug-id: 7129
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Fixes-commit: 969abcf40cdfc65f3ee859c5e62889e1a8ccde91
+---
+ sm/certcheck.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/sm/certcheck.c b/sm/certcheck.c
+index f4db858c3..ef1b6ec54 100644
+--- a/sm/certcheck.c
++++ b/sm/certcheck.c
+@@ -630,13 +630,11 @@ gpgsm_check_cms_signature (ksba_cert_t cert, gcry_sexp_t s_sig,
+       rc = extract_pss_params (s_sig, &algo, &saltlen);
+       if (rc)
+         {
+-          gcry_sexp_release (s_sig);
+           return rc;
+         }
+       if (algo != mdalgo)
+         {
+           log_error ("PSS hash algo mismatch (%d/%d)\n", mdalgo, algo);
+-          gcry_sexp_release (s_sig);
+           return gpg_error (GPG_ERR_DIGEST_ALGO);
+         }
+     }
+-- 
+2.45.2
+
+From 9adaa79ab43e2f87178b8ee5ab1a353cba384606 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 28 May 2024 17:19:37 +0200
+Subject: [PATCH GnuPG] gpg-auth: Fix use after free.
+
+* tools/gpg-auth.c (ssh_authorized_keys): Move free after printing error
+message.
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+This is part of
+GnuPG-bug-id: 7129
+---
+ tools/gpg-auth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/gpg-auth.c b/tools/gpg-auth.c
+index a818bee5d..c47bb4e54 100644
+--- a/tools/gpg-auth.c
++++ b/tools/gpg-auth.c
+@@ -818,7 +818,6 @@ ssh_authorized_keys (const char *user, struct ssh_key_list **r_ssh_key_list)
+       xfree (fname);
+       return err;
+     }
+-  xfree (fname);
+ 
+   maxlen = 2048; /* Set limit.  */
+   while ((len = es_read_line (fp, &line, &length_of_line, &maxlen)) > 0)
+@@ -861,6 +860,7 @@ ssh_authorized_keys (const char *user, struct ssh_key_list **r_ssh_key_list)
+   *r_ssh_key_list = ssh_key_list;
+ 
+  leave:
++  xfree (fname);
+   xfree (line);
+   es_fclose (fp);
+   return err;
+-- 
+2.45.2
+
+From 62695cd1c080d6cf0557d95d4977bc69c9d1de61 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 4 Jul 2024 13:57:44 +0200
+Subject: [PATCH GnuPG] tpm2: Fix key import
+
+* tpm2d/tpm2.c (tpm2_import_key): Set the lengths from right variables.
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+Fixes-commit: d631c8198c254107c0a4e704511fa0f33d3dda5f
+---
+ tpm2d/tpm2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tpm2d/tpm2.c b/tpm2d/tpm2.c
+index 2a49bf99b..a4677fb98 100644
+--- a/tpm2d/tpm2.c
++++ b/tpm2d/tpm2.c
+@@ -923,14 +923,14 @@ tpm2_import_key (ctrl_t ctrl, TSS_CONTEXT *tssc,
+   u16len = 0;
+   TSS_TPM2B_PUBLIC_Marshal (&objectPublic,
+                             &u16len, &buffer, &size);
+-  pub_len = len;
++  pub_len = u16len;
+ 
+   size = sizeof (priv);
+   buffer = priv;
+   u16len = 0;
+   TSS_TPM2B_PRIVATE_Marshal ((TPM2B_PRIVATE *)&outPrivate,
+ 			     &u16len, &buffer, &size);
+-  priv_len = len;
++  priv_len = u16len;
+ 
+   *shadow_info = make_tpm2_shadow_info (parent, pub, pub_len,
+ 					priv, priv_len, shadow_len);
+-- 
+2.45.2
+
diff --git a/SOURCES/gnupg2-revert-rfc4880bis.patch b/SOURCES/gnupg2-revert-rfc4880bis.patch
new file mode 100644
index 0000000..8bc65ed
--- /dev/null
+++ b/SOURCES/gnupg2-revert-rfc4880bis.patch
@@ -0,0 +1,200 @@
+From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 9 Feb 2023 16:38:58 +0100
+Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
+ defaults
+
+This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
+--gnupg, 2022-10-31).
+---
+ g10/gpg.c    | 35 ++++++++++++++++++++++++++++++++---
+ g10/keygen.c | 30 ++++++++++++++++++------------
+ 2 files changed, 50 insertions(+), 15 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index dcab0a11a..796888013 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -247,6 +247,7 @@ enum cmd_and_opt_values
+     oGnuPG,
+     oRFC2440,
+     oRFC4880,
++    oRFC4880bis,
+     oOpenPGP,
+     oPGP7,
+     oPGP8,
+@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
+   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
+   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
++  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
+   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
+   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
+@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
+   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
+   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
+-  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
+ 
+ 
+@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] =
+   {
+     { "gnupg",      oGnuPG },
+     { "openpgp",    oOpenPGP },
+-    { "rfc4880bis", oGnuPG },
++    { "rfc4880bis", oRFC4880bis },
+     { "rfc4880",    oRFC4880 },
+     { "rfc2440",    oRFC2440 },
+     { "pgp6",       oPGP7 },
+@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] =
+ static void
+ set_compliance_option (enum cmd_and_opt_values option)
+ {
++  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
++
+   switch (option)
+     {
++    case oRFC4880bis:
++      opt.flags.rfc4880bis = 1;
++      opt.compliance = CO_RFC4880;
++      opt.flags.dsa2 = 1;
++      opt.flags.require_cross_cert = 1;
++      opt.rfc2440_text = 0;
++      opt.allow_non_selfsigned_uid = 1;
++      opt.allow_freeform_uid = 1;
++      opt.escape_from = 1;
++      opt.not_dash_escaped = 0;
++      opt.def_cipher_algo = 0;
++      opt.def_digest_algo = 0;
++      opt.cert_digest_algo = 0;
++      opt.compress_algo = -1;
++      opt.s2k_mode = 3; /* iterated+salted */
++      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
++      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
++      break;
+     case oOpenPGP:
+     case oRFC4880:
+       /* This is effectively the same as RFC2440, but with
+@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
+     case oPGP8:  opt.compliance = CO_PGP8;  break;
+     case oGnuPG:
+       opt.compliance = CO_GNUPG;
++      opt.flags.rfc4880bis = 1;
+       break;
+ 
+     case oDE_VS:
+@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
+     opt.emit_version = 0;
+     opt.weak_digests = NULL;
+     opt.compliance = CO_GNUPG;
++    opt.flags.rfc4880bis = 1;
+ 
+     /* Check special options given on the command line.  */
+     orig_argc = argc;
+@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
+           case oOpenPGP:
+           case oRFC2440:
+           case oRFC4880:
++          case oRFC4880bis:
+           case oPGP7:
+           case oPGP8:
+           case oGnuPG:
+@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
+     if( may_coredump && !opt.quiet )
+ 	log_info(_("WARNING: program may create a core file!\n"));
+ 
++    if (!opt.flags.rfc4880bis)
++      {
++        opt.mimemode = 0; /* This will use text mode instead.  */
++      }
++
+     if (eyes_only) {
+       if (opt.set_filename)
+ 	  log_info(_("WARNING: %s overrides %s\n"),
+@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
+     /* Check our chosen algorithms against the list of legal
+        algorithms. */
+ 
+-    if(!GNUPG)
++    if(!GNUPG && !opt.flags.rfc4880bis)
+       {
+ 	const char *badalg=NULL;
+ 	preftype_t badtype=PREFTYPE_NONE;
+diff --git a/g10/keygen.c b/g10/keygen.c
+index a2cfe3ccf..2a1dd1f81 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
+ 	      strcat(dummy_string,"S7 ");
+ 	    strcat(dummy_string,"S2 "); /* 3DES */
+ 
+-            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
++            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ 	      strcat(dummy_string,"A2 ");
+ 
+             if (personal)
+@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
+   /* Make sure that the MDC feature flag is set if needed.  */
+   add_feature_mdc (sig,mdc_available);
+   add_feature_aead (sig, aead_available);
+-  add_feature_v5 (sig, 1);
++  add_feature_v5 (sig, opt.flags.rfc4880bis);
+   add_keyserver_modify (sig,ks_modify);
+   keygen_add_keyserver_url(sig,NULL);
+ 
+@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
+                 }
+             }
+           else if (!ascii_strcasecmp (s, "v5"))
+-            keyversion = 5;
++            {
++              if (opt.flags.rfc4880bis)
++                keyversion = 5;
++            }
+           else if (!ascii_strcasecmp (s, "v4"))
+             keyversion = 4;
+           else
+@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+  *   ecdsa := Use algorithm ECDSA.
+  *   eddsa := Use algorithm EdDSA.
+  *   ecdh  := Use algorithm ECDH.
+- *   v5    := Create version 5 key
++ *   v5    := Create version 5 key (requires option --rfc4880bis)
+  *
+  * There are several defaults and fallbacks depending on the
+  * algorithm.  PART can be used to select which part of STRING is
+@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
+ 	    }
+ 	}
+ 
+-        if ((keywords[i].key == pVERSION
+-             || keywords[i].key == pSUBVERSION))
+-          ; /* Ignore version.  */
++        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
++                                      || keywords[i].key == pSUBVERSION))
++          ; /* Ignore version unless --rfc4880bis is active.  */
+         else
+           {
+             r = xmalloc_clear( sizeof *r + strlen( value ) );
+@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey,
+       para = r;
+     }
+ 
+-  r = xmalloc_clear (sizeof *r + 20);
+-  r->key = for_subkey? pSUBVERSION : pVERSION;
+-  snprintf (r->u.value, 20, "%d", version);
+-  r->next = para;
+-  para = r;
++  if (opt.flags.rfc4880bis)
++    {
++      r = xmalloc_clear (sizeof *r + 20);
++      r->key = for_subkey? pSUBVERSION : pVERSION;
++      snprintf (r->u.value, 20, "%d", version);
++      r->next = para;
++      para = r;
++    }
+ 
+   if (keytime)
+     {
diff --git a/SOURCES/signature_key.asc b/SOURCES/signature_key.asc
new file mode 100644
index 0000000..151e8fa
--- /dev/null
+++ b/SOURCES/signature_key.asc
@@ -0,0 +1,86 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
+4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
+b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
+bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
+icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
+GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
+m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
+IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
+/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
+BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
+ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
+AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
+BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
+EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
+BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
+V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
+c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
+OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
+l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
+Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
+HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
+UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
+7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
+wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
+C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
+bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
+Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
+VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
+fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
+dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
+my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
+7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
+3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
+QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
+vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
+vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
+YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
+t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
+eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
+4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
+D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
+MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
+MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
+14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
+jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
+WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
+AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
+RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
+IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
+N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
+eiInsGZ/+h5XYrpXTgA=
+=4+Sn
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
new file mode 100644
index 0000000..ba286ae
--- /dev/null
+++ b/SPECS/gnupg2.spec
@@ -0,0 +1,981 @@
+%bcond_with bootstrap
+
+Summary: Utility for secure communication and data storage
+Name:    gnupg2
+Version: 2.4.5
+Release: 1%{?dist}
+
+License: CC0-1.0 AND GPL-2.0-or-later AND GPL-3.0-or-later AND LGPL-2.1-or-later AND LGPL-3.0-or-later AND (BSD-3-Clause OR LGPL-3.0-or-later OR GPL-2.0-or-later) AND CC-BY-4.0 AND MIT
+Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
+Source1: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
+Source2: https://gnupg.org/signature_key.asc
+# needed for compatibility with system FIPS mode
+Patch3:  gnupg-2.1.10-secmem.patch
+# non-upstreamable patch adding file-is-digest option needed for Copr
+# https://dev.gnupg.org/T1646
+Patch4:  gnupg-2.4.1-file-is-digest.patch
+Patch6:  gnupg-2.1.1-fips-algo.patch
+# allow 8192 bit RSA keys in keygen UI with large RSA
+Patch9:  gnupg-2.2.23-large-rsa.patch
+# fix missing uid on refresh from keys.openpgp.org
+# https://salsa.debian.org/debian/gnupg2/commit/f292beac1171c6c77faf41d1f88c2e0942ed4437
+Patch20: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
+Patch21: gnupg-2.4.0-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
+Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
+# Fixes for issues found in Coverity scan - reported upstream
+Patch30: gnupg-2.2.21-coverity.patch
+# Revert the introduction of the RFC4880bis draft into defaults
+Patch31: gnupg2-revert-rfc4880bis.patch
+# Mostly reverts https://dev.gnupg.org/rGeae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed
+Patch33: gnupg-2.4.3-restore-systemd-sockets.patch
+# Revert default EdDSA key types -- they do not work in FIPS Mode
+Patch34: gnupg-2.4.5-revert-default-eddsa.patch
+# https://dev.gnupg.org/T7129
+Patch35: gnupg-2.4.5-sast.patch
+
+URL:     https://www.gnupg.org/
+
+BuildRequires: gcc
+BuildRequires: bzip2-devel
+BuildRequires: curl-devel
+BuildRequires: docbook-utils
+BuildRequires: gettext
+%if %{without bootstrap}
+# Require gnupg2 to verify sources, unless bootstrapping
+BuildRequires: gnupg2
+%endif
+BuildRequires: libassuan-devel >= 2.5.0
+BuildRequires: libgcrypt-devel >= 1.9.1
+BuildRequires: libgpg-error-devel >= 1.46
+BuildRequires: libksba-devel >= 1.6.3
+BuildRequires: openldap-devel
+BuildRequires: pcsc-lite-libs
+BuildRequires: ncurses-devel
+BuildRequires: npth-devel
+BuildRequires: readline-devel
+BuildRequires: zlib-devel
+BuildRequires: gnutls-devel
+BuildRequires: sqlite-devel
+BuildRequires: fuse
+BuildRequires: make
+BuildRequires: systemd-rpm-macros
+BuildRequires: tpm2-tss-devel
+# for tests
+BuildRequires: openssh-clients
+BuildRequires: swtpm
+
+Requires: libgcrypt >= 1.9.1
+Requires: libgpg-error >= 1.46
+
+Recommends: pinentry
+
+Recommends: gnupg2-smime
+
+# for USB smart card support
+Recommends: pcsc-lite-ccid
+
+# pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
+Provides: gpg = %{version}-%{release}
+# Obsolete GnuPG-1 package
+Provides: gnupg = %{version}-%{release}
+Obsoletes: gnupg < 1.4.24
+
+Provides: dirmngr = %{version}-%{release}
+Obsoletes: dirmngr < 1.2.0-1
+
+%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
+
+%package smime
+Summary: CMS encryption and signing tool and smart card support for GnuPG
+Requires: gnupg2%{?_isa} = %{version}-%{release}
+
+
+%description
+GnuPG is GNU's tool for secure communication and data storage.  It can
+be used to encrypt data and to create digital signatures.  It includes
+an advanced key management facility and is compliant with the proposed
+OpenPGP Internet standard as described in RFC2440 and the S/MIME
+standard as described by several RFCs.
+
+GnuPG 2.0 is a newer version of GnuPG with additional support for
+S/MIME.  It has a different design philosophy that splits
+functionality up into several modules. The S/MIME and smartcard functionality
+is provided by the gnupg2-smime package.
+
+%description smime
+GnuPG is GNU's tool for secure communication and data storage. This
+package adds support for smart cards and S/MIME encryption and signing
+to the base GnuPG package
+
+%prep
+%if ! %{with bootstrap}
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%endif
+%setup -q -n gnupg-%{version}
+
+%patch 3 -p1 -b .secmem
+%patch 4 -p1 -b .file-is-digest
+%patch 6 -p1 -b .fips
+%patch 9 -p1 -b .large-rsa
+
+%patch 20 -p1 -b .test_missing_uid
+%patch 21 -p1 -b .prev_known_key
+%patch 22 -p1 -b .good_revoc
+
+%patch 30 -p1 -b .coverity
+%patch 31 -p1 -b .revert-rfc4880bis
+%patch 33 -p1 -b .restore-systemd-sockets
+%patch 34 -p1 -R -b .eddsa
+%patch 35 -p1 -b .sast
+
+# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
+# Note: this is just the name of the default shared lib to load in scdaemon,
+# it can use other implementations too (including non-pcsc ones).
+%global pcsclib %(basename $(ls -1 %{_libdir}/libpcsclite.so.? 2>/dev/null ) 2>/dev/null )
+
+sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
+
+
+%build
+%configure \
+  --disable-rpath \
+  --enable-g13 \
+  --disable-ccid-driver \
+  --with-tss=intel \
+  --enable-large-secmem
+
+# need scratch gpg database for tests
+mkdir -p $HOME/.gnupg
+
+%make_build
+
+
+%install
+%make_install \
+  docdir=%{_pkgdocdir}
+
+%find_lang %{name}
+
+# gpgconf.conf
+mkdir -p %{buildroot}%{_sysconfdir}/gnupg
+touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
+mkdir -p %{buildroot}%{_sysconfdir}/profile.d
+echo "export GPG_TTY=\$(tty)" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.sh
+echo "setenv GPG_TTY \`tty\`" > %{buildroot}%{_sysconfdir}/profile.d/gnupg2.csh
+
+# more docs
+install -m644 -p AUTHORS NEWS THANKS TODO \
+  %{buildroot}%{_pkgdocdir}
+
+# compat symlinks
+ln -sf gpg %{buildroot}%{_bindir}/gpg2
+ln -sf gpgv %{buildroot}%{_bindir}/gpgv2
+ln -sf gpg.1 %{buildroot}%{_mandir}/man1/gpg2.1
+ln -sf gpgv.1 %{buildroot}%{_mandir}/man1/gpgv2.1
+ln -sf gnupg.7 %{buildroot}%{_mandir}/man7/gnupg2.7
+
+# info dir
+rm -f %{buildroot}%{_infodir}/dir
+
+# drop the gpg scheme interpreter
+rm -f %{buildroot}%{_bindir}/gpgscm
+
+# Move the systemd user units to appropriate directory
+install -d -m755 %{buildroot}%{_userunitdir}
+mv %{buildroot}%{_pkgdocdir}/examples/systemd-user/*.socket %{buildroot}%{_userunitdir}
+mv %{buildroot}%{_pkgdocdir}/examples/systemd-user/*.service %{buildroot}%{_userunitdir}
+
+%check
+# need scratch gpg database for tests
+mkdir -p $HOME/.gnupg
+make -k check
+
+
+%files -f %{name}.lang
+%license COPYING
+#doc AUTHORS NEWS README THANKS TODO
+%{_pkgdocdir}
+%dir %{_sysconfdir}/gnupg
+%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
+%{_sysconfdir}/profile.d/gnupg2.sh
+%{_sysconfdir}/profile.d/gnupg2.csh
+## docs say to install suid root, but fedora/rh security folk say not to
+%{_bindir}/gpg2
+%{_bindir}/gpgv2
+%{_bindir}/gpg-card
+%{_bindir}/gpg-connect-agent
+%{_bindir}/gpg-agent
+%{_bindir}/gpg-wks-client
+%{_bindir}/gpgconf
+%{_bindir}/gpgparsemail
+%{_bindir}/gpgtar
+%{_bindir}/g13
+%{_bindir}/dirmngr
+%{_bindir}/dirmngr-client
+%{_bindir}/gpg
+%{_bindir}/gpgv
+%{_bindir}/gpgsplit
+%{_bindir}/watchgnupg
+%{_bindir}/gpg-wks-server
+%{_sbindir}/addgnupghome
+%{_sbindir}/applygnupgdefaults
+%{_sbindir}/g13-syshelp
+%{_datadir}/gnupg/
+%{_libexecdir}/*
+%{_infodir}/*.info*
+%{_mandir}/man?/*
+%{_userunitdir}/*
+%exclude %{_mandir}/man?/gpgsm*
+
+%files smime
+%{_bindir}/gpgsm*
+%{_bindir}/kbxutil
+%{_mandir}/man?/gpgsm*
+
+
+%changelog
+* Thu Jul 04 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.5-1
+- New upstream release (#2268461)
+- Set GPG_TTY in profile.d (#2264985)
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 2.4.4-2
+- Bump release for June 2024 mass rebuild
+
+* Fri Jan 26 2024 Jakub Jelen <jjelen@redhat.com> - 2.4.4-1
+- New upstream release (#2260333)
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Nov 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-4
+- Avoid creation of development versions (#2249037)
+
+* Mon Nov 06 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-3
+- Restore systemd units and sockets (#2158627)
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Mon Jul 10 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.3-1
+- New upstream release (#2193503)
+
+* Thu Jun 01 2023 Michael J Gruber <mjg@fedoraproject.org> - 2.4.2-2
+- fix emacs usage (rhbz#2212090)
+
+* Wed May 31 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.2-1
+- New upstream release
+- Build with TPM2 support
+
+* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.1-1
+- update to 2.4.1 (#2193503)
+
+* Fri Apr 28 2023 Todd Zullinger <tmz@pobox.com> - 2.4.0-4
+- remove %%skip_verify, brainpool signatures are supported now
+
+* Fri Mar 03 2023 Jakub Jelen <jjelen@redhat.com> - 2.4.0-3
+- Revert introduction of the RFC4880bis draft into defaults
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Tue Dec 20 2022 Todd Zullinger <tmz@pobox.com> - 2.4.0-1
+- update to 2.4.0 (#2155170)
+
+* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.8-1
+- update to 2.3.8
+- BR systemd-rpm-macros for %%{_userunitdir}
+
+* Mon Oct 17 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-5
+- verify upstream signatures in %%prep, unless bootstrapping
+
+* Wed Oct 05 2022 Todd Zullinger <tmz@pobox.com> - 2.3.7-4
+- update BR/R versions for libassuan, libgpg-error, and libksba
+- drop with/without unversioned_gpg, last used with fedora-29
+
+* Mon Aug 01 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-3
+- Fix yubikey 5 detection (#2107766)
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 12 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.7-1
+- New upstream release (#2106045)
+
+* Mon Jul 04 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-2
+- Fix for CVE-2022-34903 (#2103242)
+- Fix focing AEAD through configuration files (#2093760)
+
+* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.6-1
+- New upstream release (#2078550)
+
+* Mon Apr 25 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.5-1
+- New upstream release (#2077616)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Dec 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.4-1
+- New upstream release (#2034437)
+
+* Mon Nov 15 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
+- Fix file-is-digest patch (#2022904)
+
+* Wed Oct 13 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
+- New upstream release (2013388)
+
+* Wed Oct 06 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-3
+- Fix crash in agent when deciphering (#2009978)
+- Recommend pcsc-lite-ccid to support USB smart cards (#2007923)
+
+* Mon Sep 20 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-2
+- Disable ccid driver to avoid clash with pcscd (#2005714)
+
+* Wed Aug 25 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.2-1
+- New upstream relase (#1997276)
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Wed Apr 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-1
+- New upstream release (#1947159)
+
+* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-4
+- Add a configuration to not require exclusive access to PCSC
+
+* Thu Feb 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-3
+- Bump required libgpg-error version (#1930110)
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.27-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Tue Jan 12 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-1
+- New upstream release (#1909825)
+
+* Mon Jan 04 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.26-1
+- New upstream release (#1909825)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-2
+- Enable gpgtar (#1901103)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-1
+- Update to 2.2.25 (#1900815)
+
+* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.24-1
+- Update to 2.2.24 (#1898504)
+
+* Fri Sep  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.23-1
+- upgrade to 2.2.23
+
+* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-4
+- Second attempt - Rebuilt for
+  https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 2.2.21-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.21-1
+- upgrade to 2.2.21
+
+* Mon May  4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-3
+- fixes for issues found in Coverity scan
+
+* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
+- move systemd user units to _userunitdir (no activation by default)
+
+* Tue Apr 14 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
+- upgrade to 2.2.20
+
+* Wed Jan 29 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.19-1
+- upgrade to 2.2.19
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.18-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Sat Jan  4 2020 Marcel Härry <mh+fedora@scrit.ch> - 2.2.18-3
+- Add patches to be able to deal with keys without uids (#1787708)
+
+* Fri Dec  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
+- fix abort when decrypting data with anonymous recipient (#1780057)
+
+* Tue Dec  3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
+- upgrade to 2.2.18
+
+* Wed Nov  6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-3
+- fix the gnupg(7) manual page (#1769072)
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.17-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Mon Jul 15 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-1
+- upgrade to 2.2.17
+
+* Mon Jul  1 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.16-1
+- upgrade to 2.2.16
+
+* Tue Feb 26 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.13-1
+- upgrade to 2.2.13
+
+* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.12-3
+- Rebuild for readline 8.0
+
+* Mon Feb  4 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-2
+- make it build with gcc-9
+
+* Tue Jan  8 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-1
+- upgrade to 2.2.12
+
+* Sat Dec 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.11-2
+- Provide unversioned GPG on F30+
+
+* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.11-1
+- upgrade to 2.2.11
+
+* Wed Aug  1 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.9-1
+- upgrade to 2.2.9
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Mon Jun 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.8-1
+- upgrade to 2.2.8 fixing CVE 2018-12020
+
+* Wed Apr 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.6-1
+- upgrade to 2.2.6
+
+* Fri Mar  2 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.5-1
+- upgrade to 2.2.5
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 12 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.4-1
+- upgrade to 2.2.4
+
+* Tue Nov 21 2017 Tomáš Mráz <tmraz@redhat.com> - 2.2.3-1
+- upgrade to 2.2.3
+
+* Wed Nov  8 2017 Tomáš Mráz <tmraz@redhat.com> - 2.2.2-1
+- upgrade to 2.2.2
+
+* Tue Oct  3 2017 Tomáš Mráz <tmraz@redhat.com> - 2.2.1-1
+- upgrade to 2.2.1
+
+* Tue Sep  5 2017 Tomáš Mráz <tmraz@redhat.com> - 2.2.0-1
+- upgrade to 2.2.0
+
+* Wed Aug  9 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.22-1
+- upgrade to 2.1.22
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.21-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Fri Jul 28 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.21-4
+- explictly remove gpgscm from the buildroot
+
+* Tue Jul 18 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.21-3
+- rebase the insttools patch
+- enable large secure memory support
+
+* Tue May 16 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.21-2
+- scdaemon is now needed by gpg
+
+* Tue May 16 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.21-1
+- upgrade to 2.1.21
+
+* Tue Apr 25 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.20-2
+- libdns aliasing issues fixed
+
+* Mon Apr 24 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.20-1
+- upgrade to 2.1.20
+- disable bundled libdns for now (#1444352)
+
+* Fri Mar 24 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.19-1
+- upgrade to 2.1.19
+- shorten time waiting on gpg-agent/dirmngr to start by exponential
+  backoff (#1431749)
+
+* Wed Mar  1 2017 Tomáš Mráz <tmraz@redhat.com> - 2.1.18-2
+- upgrade to 2.1.18
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.17-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Jan 12 2017 Igor Gnatenko <ignatenko@redhat.com> - 2.1.17-2
+- Rebuild for readline 7.x
+
+* Thu Dec 22 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.17-1
+- upgrade to 2.1.17
+
+* Mon Nov 28 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.16-1
+- upgrade to 2.1.16
+
+* Mon Aug 22 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.13-2
+- avoid using libgcrypt without initialization (#1366909)
+
+* Tue Jul 12 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.13-1
+- upgrade to 2.1.13
+
+* Thu May  5 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.12-1
+- upgrade to 2.1.12
+
+* Tue Apr 12 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.11-4
+- make the pinentry dependency weak as for the public-key operations it
+  is not needed (#1324595)
+
+* Mon Mar  7 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.11-3
+- add recommends weak dependency for gnupg2-smime
+
+* Sat Mar  5 2016 Peter Robinson <pbrobinson@fedoraproject.org> 2.1.11-2
+- Don't ship ChangeLog, core details already covered in NEWS
+
+* Tue Feb 16 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.11-1
+- upgrade to 2.1.11
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 2.1.10-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jan 13 2016 Dan Horák <dan[at]danny.cz> - 2.1.10-3
+- fix the insttools patch
+
+* Wed Jan 13 2016 Tomáš Mráz <tmraz@redhat.com> - 2.1.10-2
+- rebase the insttools patch needed for full gpgv1 replacement
+
+* Mon Dec  7 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.10-1
+- upgrade to 2.1.10
+
+* Mon Oct 12 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.9-1
+- upgrade to 2.1.9
+
+* Fri Sep 11 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.8-1
+- upgrade to 2.1.8
+
+* Thu Aug 13 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.7-1
+- upgrade to 2.1.7
+
+* Tue Aug 11 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.6-1
+- upgrade to 2.1.6
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.1.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Jun 12 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.5-1
+- upgrade to 2.1.5
+
+* Tue May 26 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.4-2
+- use gnutls for TLS support in dirmngr (#1224816)
+
+* Fri May 15 2015 Robert Scheck <robert@fedoraproject.org> - 2.1.4-1
+- upgrade to 2.1.4 (#1192353)
+
+* Thu Apr 16 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.3-1
+- new upstream release fixing minor bugs
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 2.1.2-2
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Feb 18 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.2-1
+- new upstream release fixing two minor security issues
+
+* Fri Jan 30 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.1-2
+- resolve conflict with gnupg by renaming conflicting manual page (#1187472)
+
+* Thu Jan 29 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.1-1
+- new upstream release
+- this release now includes the dirmngr which is obsoleted as separate package
+
+* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.25-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Tue Aug  5 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.25-1
+- new upstream release fixing a minor regression introduced by the previous one
+- add --file-is-digest option needed for copr
+
+* Sat Jul 12 2014 Tom Callaway <spot@fedoraproject.org> - 2.0.24-2
+- fix license handling
+
+* Wed Jun 25 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.24-1
+- new upstream release fixing CVE-2014-4617
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.22-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Wed May  7 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-3
+- do not dump core if hash algorithm not available in the FIPS mode
+
+* Tue Mar  4 2014 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-2
+- rebuilt against new libgcrypt
+
+* Tue Oct  8 2013 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-1
+- new upstream release fixing CVE-2013-4402
+
+* Fri Aug 23 2013 Tomáš Mráz <tmraz@redhat.com> - 2.0.21-1
+- new upstream release
+
+* Wed Aug  7 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.20-3
+- adjust to the unversioned docdir change (#993785)
+
+* Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.20-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Wed May 15 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.20-1
+- new upstream release
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan  2 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.19-7
+- fix CVE-2012-6085 - skip invalid key packets (#891142)
+
+* Thu Nov 22 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-6
+- use AES as default crypto algorithm in FIPS mode (#879047)
+
+* Fri Nov 16 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 2.0.19-5
+- rebuild for <f18 (#877106)
+
+* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-4
+- fix negated condition (#843842)
+
+* Thu Jul 26 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-3
+- add compat symlinks and provides if built on RHEL
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Apr 24 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-1
+- new upstream release
+- set environment in protect-tool (#548528)
+- do not reject OCSP signing certs without keyUsage (#720174)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Oct 12 2011 Rex Dieter <rdieter@fedoraproject.org> 2.0.18-2
+- build with --enable-standard-socket
+
+* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.18-1
+- new upstream release (#728481)
+
+* Mon Jul 25 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.17-2
+- fix a bug that shows up with the new libgcrypt release (#725369)
+
+* Thu Jan 20 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.17-1
+- new upstream release (#669611)
+
+* Tue Aug 17 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.16-3
+- drop the provides/obsoletes for gnupg
+- drop the man page file conflicting with gnupg-1.x
+
+* Fri Aug 13 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.16-2
+- drop the compat symlinks as gnupg-1.x is revived
+
+* Tue Jul 27 2010 Rex Dieter <rdieter@fedoraproject.org> - 2.0.16-1
+- gnupg-2.0.16
+
+* Fri Jul 23 2010 Rex Dieter <rdieter@fedoraproject.org> - 2.0.14-4
+- gpgsm realloc patch (#617706)
+
+* Fri Jun 18 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-3
+- initialize small amount of secmem for list of algorithms in help (#598847)
+  (necessary in the FIPS mode of libgcrypt)
+
+* Tue Feb  9 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-2
+- disable selinux support - it is too rudimentary and restrictive (#562982)
+
+* Mon Jan 11 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-1
+- new upstream version
+- fix a few tests so they do not need to execute gpg-agent
+
+* Tue Dec  8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 2.0.13-4
+- Explicitly BR libassuan-static in accordance with the Packaging
+  Guidelines (libassuan-devel is still static-only).
+
+* Fri Oct 23 2009 Tomas Mraz <tmraz@redhat.com> - 2.0.13-3
+- drop s390 specific ifnarchs as all the previously missing dependencies
+  are now there
+- split out gpgsm into a smime subpackage to reduce main package dependencies
+
+* Wed Oct 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.0.13-2
+- provide/obsolete gnupg-1 and add compat symlinks to be able to drop
+  gnupg-1
+
+* Fri Sep 04 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.13-1
+- gnupg-2.0.13
+- Unable to use gpg-agent + input methods (#228953)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 17 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.12-1
+- gnupg-2.0.12
+
+* Wed Mar 04 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.11-1
+- gnupg-2.0.11
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Jan 31 2009 Karsten Hopp <karsten@redhat.com> 2.0.10-1
+- don't require pcsc-lite-libs and libusb on mainframe where
+  we don't have those packages as there's no hardware for that
+
+* Tue Jan 13 2009 Rex Dieter <rdieter@fedoraproject.org> 2.0.10-1
+- gnupg-2.0.10
+
+* Mon Aug 04 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.9-3
+- workaround rpm quirks
+
+* Sat May 24 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.9-2
+- Patch from upstream to fix curl 7.18.1+ and gcc4.3+ compile error
+
+* Mon May 19 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.9-1.1
+- minor release bump for sparc rebuild
+
+* Wed Mar 26 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.9-1
+- gnupg2-2.0.9
+- drop Provides: openpgp
+- versioned Provides: gpg
+- own %%_sysconfdir/gnupg
+
+* Fri Feb 08 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.8-3
+- respin (gcc43)
+
+* Wed Jan 23 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.8-2
+- avoid kde-filesystem dep (#427316)
+
+* Thu Dec 20 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.8-1
+- gnupg2-2.0.8
+
+* Mon Dec 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.8-0.1.rc1
+- gnupg2-2.0.8rc1
+
+* Tue Dec 04 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-5
+- respin for openldap
+
+* Mon Nov 12 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-4
+- Requires: kde-filesystem (#377841)
+
+* Wed Oct 03 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-3
+- %%build: (re)add mkdir -p $HOME/.gnupg
+
+* Wed Oct 03 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-2
+- Requires: dirmngr (#312831)
+
+* Mon Sep 10 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-1
+- gnupg-2.0.7
+
+* Fri Aug 24 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.6-2
+- respin (libassuan)
+
+* Thu Aug 16 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.6-1
+- gnupg-2.0.6
+- License: GPLv3+
+
+* Thu Aug 02 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-4
+- License: GPLv3
+
+* Mon Jul 16 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-3
+- 2.0.5 too many open files fix
+
+* Fri Jul 06 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-2
+- gnupg-2.0.5
+- gpg-agent not restarted after kde session crash/killed (#196327)
+- BR: libassuan-devel > 1.0.2, libksba-devel > 1.0.2
+
+* Fri May 18 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.4-1
+- gnupg-2.0.4
+
+* Thu Mar 08 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.3-1
+- gnupg-2.0.3
+
+* Fri Feb 02 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.2-1
+- gnupg-2.0.2
+
+* Wed Dec 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-2
+- CVE-2006-6235 (#219934)
+
+* Wed Nov 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-1
+- gnupg-2.0.1
+- CVE-2006-6169 (#217950)
+
+* Sat Nov 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-0.3.rc1
+- gnupg-2.0.1rc1
+
+* Thu Nov 16 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-4
+- update %%description
+- drop dearmor patch
+
+* Mon Nov 13 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-3
+- BR: libassuan-static >= 1.0.0
+
+* Mon Nov 13 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-2
+- gnupg-2.0.0
+
+* Fri Nov 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-3
+- upstream 64bit patch
+
+* Mon Nov 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-2
+- fix (more) file conflicts with gnupg
+
+* Mon Nov 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-1
+- 1.9.95
+
+* Wed Oct 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.94-1
+- 1.9.94
+
+* Wed Oct 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.93-1
+- 1.9.93
+
+* Wed Oct 11 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.92-2
+- fix file conflicts with gnupg
+
+* Wed Oct 11 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.92-1
+- 1.9.92
+
+* Tue Oct 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-4
+- make check ||: (apparently checks return err even on success?)
+
+* Tue Oct 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-3
+- --enable-selinux-support
+- x86_64: --disable-optimization (to avoid gpg2 segfaults), for now
+
+* Thu Oct 05 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-1
+- 1.9.91
+
+* Wed Oct 04 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-8
+- respin
+
+* Tue Sep 26 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.90-1
+- 1.9.90 (doesn't build, not released)
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.23-1
+- 1.9.23 (doesn't build, not released)
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-7
+- gpg-agent-startup.sh: fix case where valid .gpg-agent-info exists
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-6
+- fix "syntax error in gpg-agent-startup.sh" (#206887)
+
+* Thu Sep 07 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-3
+- fc6 respin (for libksba-1.0)
+
+* Tue Aug 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-2
+- fc6 respin
+
+* Fri Jul 28 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-1
+- 1.9.22
+
+* Thu Jun 22 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.21-3
+- fix "gpg-agent not restarted after kde session crash/killed (#196327)
+
+* Thu Jun 22 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.21-2
+- 1.9.21
+- omit gpg2 binary to address CVS-2006-3082 (#196190)
+
+* Mon Mar  6 2006 Ville Skyttä <ville.skytta at iki.fi>> 1.9.20-3
+- Don't hardcode pcsc-lite lib name (#184123)
+
+* Thu Feb 16 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.20-2
+- fc4+: use /etc/kde/(env|shutdown) for scripts (#175744)
+
+* Fri Feb 10 2006 Rex Dieter <rexdieter[AT]users.sf.net>
+- fc5: gcc/glibc respin
+
+* Tue Dec 20 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.20-1
+- 1.9.20
+
+* Thu Dec 01 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-8
+- include gpg-agent-(startup|shutdown) scripts (#136533)
+- BR: libksba-devel >= 1.9.12
+- %%check: be permissive about failures (for now)
+
+* Wed Nov 30 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-3
+- BR: libksba-devel >= 1.9.13
+
+* Tue Oct 11 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-2
+- back to BR: libksba-devel = 1.9.11
+
+* Tue Oct 11 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-1
+- 1.9.19
+
+* Fri Aug 26 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-9
+- configure: NEED_KSBA_VERSION=0.9.12 -> 0.9.11
+
+* Fri Aug 26 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-7
+- re-enable 'make check', rebuild against (older) libksba-0.9.11
+
+* Tue Aug  9 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-6
+- don't 'make check' by default (regular builds pass, but FC4/5+plague fails)
+
+* Mon Aug  8 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-5
+- 1.9.18
+- drop pth patch (--enable-gpg build fixed)
+- update description (from README)
+
+* Fri Jul  1 2005 Ville Skyttä <ville.skytta at iki.fi> - 1.9.17-1
+- 1.9.17, signal info patch applied upstream (#162264).
+- Patch to fix lvalue build error with gcc4 (upstream #485).
+- Patch scdaemon and pcsc-wrapper to load the versioned (non-devel)
+  pcsc-lite lib by default.
+
+* Fri May 13 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.16-3
+- Include upstream's patch for signal.c.
+
+* Tue May 10 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.16-1
+- Merge changes from Rex's 1.9.16-1 (Thu Apr 21):
+-   opensc support unconditional
+-   remove hard-coded .gz from %%post/%%postun
+-   add %%check section
+-   add pth patch
+- Put back patch modified from 1.9.15-4 to make tests verbose
+  and change signal.c to describe received signals better.
+
+* Sun May  8 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- Drop patch0 again.
+
+* Sun May  8 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.15-4
+- Add patch0 temporarily to get some output from failing test.
+
+* Sat May  7 2005 David Woodhouse <dwmw2@infradead.org> 1.9.15-3
+- Rebuild.
+
+* Thu Apr  7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- rebuilt
+
+* Tue Feb  1 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:1.9.15-1
+- Make install-info in scriptlets less noisy.
+
+* Tue Jan 18 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.15-0.fdr.1
+- 1.9.15
+
+* Fri Jan 07 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.14-0.fdr.2
+- note patch/hack to build against older ( <1.0) libgpg-error-devel
+
+* Thu Jan 06 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.14-0.fdr.1
+- 1.9.14
+- enable opensc support
+- BR: libassuan-devel >= 0.6.9
+
+* Thu Oct 21 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.4
+- remove suid.
+
+* Thu Oct 21 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.3
+- remove Provides: newpg
+
+* Wed Oct 20 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.2
+- Requires: pinentry
+- gpg2 suid
+- update description
+
+* Tue Oct 19 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.1
+- first try
+- leave out opensc support (for now), enable --with-opensc
+