app-crypt/gnupg: Sync with Gentoo

It's from Gentoo commit 04d43b00ae470bc5afda1e0b66f843f1ef0dc053.

Signed-off-by: Flatcar Buildbot <buildbot@flatcar-linux.org>

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/Manifest

@@ -1,4 +1,6 @@
 DIST gnupg-2.4.9.tar.bz2 8086407 BLAKE2B 5bbd278c570d3e389ab26dd37e1adac6c1b19f9bd369ebf30d75f48d0ab901c6f5fe4e4713b763f57b9e74efab654186ebff1a968348b0b9f70c82618b4b3b62 SHA512 4638016b390a0024fa0cbe14181c43a81991e4275043855397ef099b927985d175d32452fc15b06485623b9292662dd6da464b2e5def8b77b2e4e48a072ab521
 DIST gnupg-2.4.9.tar.bz2.sig 147 BLAKE2B fbf956c0659d9e2a5df9ceb6911ebea8591fd1b647d81e0f324b688271493519d7d25025d9d8d7906e706f57031429c8d8a3ba79c8ab7e300631137ebb38eedf SHA512 03328ba7de3faab1aab025784ef16cc04dd34d2cc09db2c513b7e38836b8036e04d2bb3c71aa64769b5a40a7a877373ee2d11b6e2bf8b67938216277dcd18a6f
-DIST gnupg-2.5.16.tar.bz2 8304335 BLAKE2B 722c90ac88b2eeacb150dc6fa5f4d83b5577d0285871cd7d336463d25aabd1087cdca103a23b251b2067de6c3046615d9fcb552721ceef4826f4dd3e96c5525a SHA512 0a48628e9e7f8050022e5204bf9febd1f2db6ee9d55b573207884fc2ef2825d814015851141ba6851bd4466f0cc0827123e5f474003c054f3af55f4bd1440bf7
-DIST gnupg-2.5.16.tar.bz2.sig 119 BLAKE2B 5ef9b298b49049cd5cdb1bcc03cd09ad96015cd34060249fccff6d3ab4a0b950a545d631c05818484c52166ae89825f6def928787051f3eed010e8300945160e SHA512 295d37ecf4c1f5fc4531cd0a0901ecbacd521a744991b086e14573e1b5198e55476367767bc708b4eec38aac32a30c03265d13c0c5bd9c79c8254e408ef58aec
+DIST gnupg-2.5.17.tar.bz2 8308629 BLAKE2B e52c4cf6219a8ce877511c2cfb2e32abf9fafc66c280ddd5f37b7dc6abffaeb60a5ebe925332fd00735a81bb8bb9ebeff79d04d112bd52ec00c2e8692cea6eb0 SHA512 8c1fe6afb04034ed1579080cf8d384f5b331ac1bc277f77c8e9103d29971c944fcb4c072586d2c045630ef34483b355a1b35f1785dded6f8d8da1e4760bef308
+DIST gnupg-2.5.17.tar.bz2.sig 119 BLAKE2B b404b6cdff76187c410a7751708e1cbb0ad173658b8c0dde9726063b16c6e9d5c673cb6ae86142e00ca48790dc314968625ec6aa2364ba4a48a3cf0c03e9b06f SHA512 385de45addf2c857ebf054bcc85d03d4fc0ccd70149138baac5cfcefccd7c0b0e48219dd9da757f36b1c6411816dcb43213920442796da03fb38ee59709877a4
+DIST gnupg-2.5.18.tar.bz2 8307830 BLAKE2B 5d591f609a580c5e9a023c83707ad4baf3794595ff08eaa571c619bf5469fe32ca787cd39be3d0572cb8021e1dc66135d9523009e92c9c3b862ccd53a7060b12 SHA512 34542728ef09d23d63af21cfbc943e4a81a1c367b2bf4b892afe7428b06eaa3d105e34f5dcec1758e91ec9bac1c13fdd72418d946cd8580e34c07b57a07139a2
+DIST gnupg-2.5.18.tar.bz2.sig 119 BLAKE2B 1634053f0799b64e4d6fba6eab8357f89fdd611ad9853e6677c151b1af5ab231cf27908e2317c76676b86b8047fd5e6388df30312c8243d1f36608750b6d58d6 SHA512 70d8f8a7ce02de5fc73d069b52baac6b74d8440e9d20391779ef0f784375a63058def58f00107de81b676a7ef13afdaa5814ebde7c54a5e4603bbca1d005617c

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch

@@ -0,0 +1,200 @@
+https://bugs.gentoo.org/854222
+
+From 81760cc931d69f37cf2a8ad54616a1af590fd2cf Mon Sep 17 00:00:00 2001
+Message-ID: <81760cc931d69f37cf2a8ad54616a1af590fd2cf.1770174575.git.sam@gentoo.org>
+From: Werner Koch <wk@gnupg.org>
+Date: Wed, 28 Jan 2026 13:45:00 +0100
+Subject: [PATCH GnuPG] Fix stub functions to avoid LTO linking bugs.
+
+--
+---
+ g10/gpgv.c       | 42 ++++++++++++++++++++++++++++--------------
+ g10/test-stubs.c | 36 +++++++++++++++++++++++-------------
+ 2 files changed, 51 insertions(+), 27 deletions(-)
+
+diff --git a/g10/gpgv.c b/g10/gpgv.c
+index b65dfa66b..23704e21c 100644
+--- a/g10/gpgv.c
++++ b/g10/gpgv.c
+@@ -462,10 +462,13 @@ keyserver_any_configured (ctrl_t ctrl)
+ }
+ 
+ int
+-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags)
++keyserver_import_keyid (ctrl_t ctrl,
++                        u32 *keyid,struct keyserver_spec *keyserver,
++                        unsigned int flags)
+ {
++  (void)ctrl;
+   (void)keyid;
+-  (void)dummy;
++  (void)keyserver;
+   (void)flags;
+   return -1;
+ }
+@@ -493,9 +496,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl,
+ }
+ 
+ int
+-keyserver_import_cert (const char *name)
++keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
++                       unsigned char **fpr,size_t *fpr_len)
+ {
++  (void)ctrl;
+   (void)name;
++  (void)dane_mode;
++  (void)fpr;
++  (void)fpr_len;
+   return -1;
+ }
+ 
+@@ -511,11 +519,17 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
+   return GPG_ERR_BUG;
+ }
+ 
+-int
+-keyserver_import_mbox (const char *name,struct keyserver_spec *spec)
++gpg_error_t
++keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
++                       unsigned char **fpr, size_t *fprlen,
++                       struct keyserver_spec *keyserver, unsigned int flags)
+ {
+-  (void)name;
+-  (void)spec;
++  (void)ctrl;
++  (void)mbox;
++  (void)fpr;
++  (void)fprlen;
++  (void)keyserver;
++  (void)flags;
+   return -1;
+ }
+ 
+@@ -647,14 +661,11 @@ parse_preferred_keyserver(PKT_signature *sig)
+   return NULL;
+ }
+ 
+-struct keyserver_spec *
+-parse_keyserver_uri (const char *uri, int require_scheme,
+-                     const char *configname, unsigned int configlineno)
++keyserver_spec_t
++parse_keyserver_uri (const char *string, int require_scheme)
+ {
+-  (void)uri;
++  (void)string;
+   (void)require_scheme;
+-  (void)configname;
+-  (void)configlineno;
+   return NULL;
+ }
+ 
+@@ -666,11 +677,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver)
+ 
+ /* Stubs to avoid linking to photoid.c */
+ void
+-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk)
++show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count,
++             PKT_public_key *pk, PKT_user_id *uid)
+ {
++  (void)ctrl;
+   (void)attrs;
+   (void)count;
+   (void)pk;
++  (void)uid;
+ }
+ 
+ int
+diff --git a/g10/test-stubs.c b/g10/test-stubs.c
+index 9b41c8929..16d10972d 100644
+--- a/g10/test-stubs.c
++++ b/g10/test-stubs.c
+@@ -193,10 +193,13 @@ keyserver_any_configured (ctrl_t ctrl)
+ }
+ 
+ int
+-keyserver_import_keyid (u32 *keyid, void *dummy, unsigned int flags)
++keyserver_import_keyid (ctrl_t ctrl,
++                        u32 *keyid,struct keyserver_spec *keyserver,
++                        unsigned int flags)
+ {
++  (void)ctrl;
+   (void)keyid;
+-  (void)dummy;
++  (void)keyserver;
+   (void)flags;
+   return -1;
+ }
+@@ -224,9 +227,14 @@ keyserver_import_fpr_ntds (ctrl_t ctrl,
+ }
+ 
+ int
+-keyserver_import_cert (const char *name)
++keyserver_import_cert (ctrl_t ctrl, const char *name, int dane_mode,
++                       unsigned char **fpr,size_t *fpr_len)
+ {
++  (void)ctrl;
+   (void)name;
++  (void)dane_mode;
++  (void)fpr;
++  (void)fpr_len;
+   return -1;
+ }
+ 
+@@ -242,15 +250,17 @@ keyserver_import_wkd (ctrl_t ctrl, const char *name, unsigned int flags,
+   return GPG_ERR_BUG;
+ }
+ 
+-int
+-keyserver_import_mbox (ctrl_t ctrl, const char *mbox, unsigned char **fpr,
+-                       size_t *fprlen, struct keyserver_spec *keyserver)
++gpg_error_t
++keyserver_import_mbox (ctrl_t ctrl, const char *mbox,
++                       unsigned char **fpr, size_t *fprlen,
++                       struct keyserver_spec *keyserver, unsigned int flags)
+ {
+   (void)ctrl;
+   (void)mbox;
+   (void)fpr;
+   (void)fprlen;
+   (void)keyserver;
++  (void)flags;
+   return -1;
+ }
+ 
+@@ -381,14 +391,11 @@ parse_preferred_keyserver(PKT_signature *sig)
+   return NULL;
+ }
+ 
+-struct keyserver_spec *
+-parse_keyserver_uri (const char *uri, int require_scheme,
+-                     const char *configname, unsigned int configlineno)
++keyserver_spec_t
++parse_keyserver_uri (const char *string, int require_scheme)
+ {
+-  (void)uri;
++  (void)string;
+   (void)require_scheme;
+-  (void)configname;
+-  (void)configlineno;
+   return NULL;
+ }
+ 
+@@ -400,11 +407,14 @@ free_keyserver_spec (struct keyserver_spec *keyserver)
+ 
+ /* Stubs to avoid linking to photoid.c */
+ void
+-show_photos (const struct user_attribute *attrs, int count, PKT_public_key *pk)
++show_photos (ctrl_t ctrl, const struct user_attribute *attrs, int count,
++             PKT_public_key *pk, PKT_user_id *uid)
+ {
++  (void)ctrl;
+   (void)attrs;
+   (void)count;
+   (void)pk;
++  (void)uid;
+ }
+ 
+ int
+-- 
+2.53.0
+

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch

@@ -0,0 +1,47 @@
+https://bugs.gentoo.org/854222
+
+From 40b28085f30f6031bd72ae24d736c9116d70f547 Mon Sep 17 00:00:00 2001
+Message-ID: <40b28085f30f6031bd72ae24d736c9116d70f547.1770174958.git.sam@gentoo.org>
+From: Sam James <sam@gentoo.org>
+Date: Sun, 4 Jan 2026 02:04:39 +0000
+Subject: [PATCH GnuPG] Fix -Wlto-type-mismatch warnings [T4416]
+
+* agent/t-protect.c (convert_from_openpgp_native): Sync stub definition.
+
+--
+
+GnuPG-bug-id: 4416
+
+When building with GCC -flto, some warnings appear because of
+mismatched definitions in stubs (gpgv or tests). Sync them with the
+real definitions to fix the warnings, as they just drifted over time.
+
+Followup to 81760cc931d69f37cf2a8ad54616a1af590fd2cf.
+
+Signed-off-by: Sam James <sam@gentoo.org>
+---
+ agent/t-protect.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/agent/t-protect.c b/agent/t-protect.c
+index e6edbffba..9508de36a 100644
+--- a/agent/t-protect.c
++++ b/agent/t-protect.c
+@@ -341,9 +341,12 @@ main (int argc, char **argv)
+ 
+ /* Stub function.  */
+ gpg_error_t
+-convert_from_openpgp_native (gcry_sexp_t s_pgp, const char *passphrase,
+-                             unsigned char **r_key)
++convert_from_openpgp_native (ctrl_t ctrl,
++			     gcry_sexp_t s_pgp,
++			     const char *passphrase,
++			     unsigned char **r_key)
+ {
++  (void)ctrl;
+   (void)s_pgp;
+   (void)passphrase;
+   (void)r_key;
+-- 
+2.53.0
+

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/files/0003-agent-Fix-the-regression-in-pkdecrypt-with-TPM-RSA.patch

@@ -0,0 +1,40 @@
+From 6eed3959303c81c9699fe9273030e480732f72be Mon Sep 17 00:00:00 2001
+Message-ID: <6eed3959303c81c9699fe9273030e480732f72be.1771025112.git.sam@gentoo.org>
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Thu, 12 Feb 2026 11:51:17 +0900
+Subject: [PATCH GnuPG] agent: Fix the regression in pkdecrypt with TPM RSA.
+
+* agent/divert-tpm2.c (divert_tpm2_pkdecrypt): Care about additional
+0x00.
+
+--
+
+GnuPG-bug-id: 8045
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ agent/divert-tpm2.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/agent/divert-tpm2.c b/agent/divert-tpm2.c
+index 5500c07f1..839a039bc 100644
+--- a/agent/divert-tpm2.c
++++ b/agent/divert-tpm2.c
+@@ -138,6 +138,15 @@ divert_tpm2_pkdecrypt (ctrl_t ctrl,
+       if (!smatch (&s, n, "a"))
+         return gpg_error (GPG_ERR_UNKNOWN_SEXP);
+       n = snext (&s);
++      /* NOTE: gpg-agent protocol uses signed integer for RSA (%m in
++       * MPI), where 0x00 is added when the MSB is 1.  TPM2 uses
++       * unsigned integer.  We need to remove this 0x00, or else
++       * it may result GPG_ERR_TOO_LARGE in tpm2daemon.  */
++      if (!*s && (n&1))
++        {
++          s++;
++          n--;
++        }
+     }
+   else if (smatch (&s, n, "ecdh"))
+     {
+-- 
+2.53.0
+

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.5.17-r1.ebuild

@@ -0,0 +1,220 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="+alternatives bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+	>=dev-libs/libassuan-3.0.0-r1:=
+	>=dev-libs/libgcrypt-1.11.0:=
+	>=dev-libs/libgpg-error-1.56
+	>=dev-libs/libksba-1.6.3
+	>=dev-libs/npth-1.2
+	virtual/zlib:=
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	tofu? ( >=dev-db/sqlite-3.27 )
+	tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+	ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+	${DEPEND}
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )
+"
+PDEPEND="
+	app-crypt/pinentry
+	alternatives? (
+		app-alternatives/gpg[-freepg(-)]
+	)
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+	"${FILESDIR}"/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch
+	"${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch
+)
+
+src_prepare() {
+	default
+
+	GNUPG_SYSTEMD_UNITS=(
+		dirmngr.service
+		dirmngr.socket
+		gpg-agent-browser.socket
+		gpg-agent-extra.socket
+		gpg-agent.service
+		gpg-agent.socket
+		gpg-agent-ssh.socket
+	)
+
+	cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i "${T}"/gpg-agent-ssh.socket || die
+
+	# Since 2.5.3, --supervised is called --deprecated-supervised.  See
+	# https://dev.gnupg.org/rGa019a0fcd8dfb9d1eae5bc991fdd54b7cf55641e
+	sed -i "s/--supervised/--deprecated-supervised/g" "${T}"/*.service || die
+}
+
+my_src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use_enable tofu keyboxd)
+		$(use_enable tofu sqlite)
+		$(usex tpm '--with-tss=intel' '--disable-tpm2d')
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+
+		# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+		# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+		# by wks-client & wks-server; and if it's autodetected but not not exist at
+		# build time, then then 'gpg-wks-client --send' functionality will not
+		# work. This has an unwanted side-effect in stage3 builds: there was a
+		# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+		# the build where the install guide previously make the user chose the
+		# logger & mta early in the install.
+		--with-mailprog=/usr/libexec/sendmail
+
+		--disable-ntbtls
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+	fi
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# these somehow are treated as fatal, but Solaris has different
+		# types for getpeername with socket_t
+		append-flags -Wno-incompatible-pointer-types
+		append-flags -Wno-unused-label
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	econf "${myconf[@]}"
+}
+
+my_src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+my_src_test() {
+	export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+	default
+}
+
+my_src_install() {
+	emake DESTDIR="${D}" install
+
+	use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+	if use alternatives; then
+		# rename for app-alternatives/gpg
+		mv "${ED}"/usr/bin/gpg{,-reference} || die
+		mv "${ED}"/usr/bin/gpgv{,-reference} || die
+		mv "${ED}"/usr/share/man/man1/gpg{,-reference}.1 || die
+		mv "${ED}"/usr/share/man/man1/gpgv{,-reference}.1 || die
+	else
+		dosym gpg /usr/bin/gpg2
+		dosym gpgv /usr/bin/gpgv2
+		echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+		echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+	fi
+
+	use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+	einstalldocs
+
+	use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+	use doc && dodoc doc/*.png
+
+	# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+	dodoc "${FILESDIR}"/README-systemd
+	systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
+
+pkg_postinst() {
+	# If /usr/bin/gpg and /usr/bin/gpgv do not exist, provide them.
+	if [[ ! -e ${EROOT}/usr/bin/gpg ]]; then
+		ln -sf -- gpg-reference "${EROOT}"/usr/bin/gpg || die
+	fi
+
+	if [[ ! -e ${EROOT}/usr/bin/gpgv ]]; then
+		ln -sf -- gpgv-reference "${EROOT}"/usr/bin/gpgv || die
+	fi
+}

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.5.17-r2.ebuild

@@ -0,0 +1,221 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="+alternatives bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+	>=dev-libs/libassuan-3.0.0-r1:=
+	>=dev-libs/libgcrypt-1.11.0:=
+	>=dev-libs/libgpg-error-1.56
+	>=dev-libs/libksba-1.6.3
+	>=dev-libs/npth-1.2
+	virtual/zlib:=
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	tofu? ( >=dev-db/sqlite-3.27 )
+	tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+	ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+	${DEPEND}
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )
+"
+PDEPEND="
+	app-crypt/pinentry
+	alternatives? (
+		app-alternatives/gpg[-freepg(-)]
+	)
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+	"${FILESDIR}"/0001-Fix-stub-functions-to-avoid-LTO-linking-bugs.patch
+	"${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch
+	"${FILESDIR}"/0003-agent-Fix-the-regression-in-pkdecrypt-with-TPM-RSA.patch
+)
+
+src_prepare() {
+	default
+
+	GNUPG_SYSTEMD_UNITS=(
+		dirmngr.service
+		dirmngr.socket
+		gpg-agent-browser.socket
+		gpg-agent-extra.socket
+		gpg-agent.service
+		gpg-agent.socket
+		gpg-agent-ssh.socket
+	)
+
+	cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i "${T}"/gpg-agent-ssh.socket || die
+
+	# Since 2.5.3, --supervised is called --deprecated-supervised.  See
+	# https://dev.gnupg.org/rGa019a0fcd8dfb9d1eae5bc991fdd54b7cf55641e
+	sed -i "s/--supervised/--deprecated-supervised/g" "${T}"/*.service || die
+}
+
+my_src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use_enable tofu keyboxd)
+		$(use_enable tofu sqlite)
+		$(usex tpm '--with-tss=intel' '--disable-tpm2d')
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+
+		# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+		# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+		# by wks-client & wks-server; and if it's autodetected but not not exist at
+		# build time, then then 'gpg-wks-client --send' functionality will not
+		# work. This has an unwanted side-effect in stage3 builds: there was a
+		# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+		# the build where the install guide previously make the user chose the
+		# logger & mta early in the install.
+		--with-mailprog=/usr/libexec/sendmail
+
+		--disable-ntbtls
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+	fi
+
+	if [[ ${CHOST} == *-solaris* ]] ; then
+		# these somehow are treated as fatal, but Solaris has different
+		# types for getpeername with socket_t
+		append-flags -Wno-incompatible-pointer-types
+		append-flags -Wno-unused-label
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	econf "${myconf[@]}"
+}
+
+my_src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+my_src_test() {
+	export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+	default
+}
+
+my_src_install() {
+	emake DESTDIR="${D}" install
+
+	use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+	if use alternatives; then
+		# rename for app-alternatives/gpg
+		mv "${ED}"/usr/bin/gpg{,-reference} || die
+		mv "${ED}"/usr/bin/gpgv{,-reference} || die
+		mv "${ED}"/usr/share/man/man1/gpg{,-reference}.1 || die
+		mv "${ED}"/usr/share/man/man1/gpgv{,-reference}.1 || die
+	else
+		dosym gpg /usr/bin/gpg2
+		dosym gpgv /usr/bin/gpgv2
+		echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+		echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+	fi
+
+	use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+	einstalldocs
+
+	use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+	use doc && dodoc doc/*.png
+
+	# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+	dodoc "${FILESDIR}"/README-systemd
+	systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}
+
+pkg_postinst() {
+	# If /usr/bin/gpg and /usr/bin/gpgv do not exist, provide them.
+	if [[ ! -e ${EROOT}/usr/bin/gpg ]]; then
+		ln -sf -- gpg-reference "${EROOT}"/usr/bin/gpg || die
+	fi
+
+	if [[ ! -e ${EROOT}/usr/bin/gpgv ]]; then
+		ln -sf -- gpgv-reference "${EROOT}"/usr/bin/gpgv || die
+	fi
+}

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.5.17.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -195,9 +195,6 @@ my_src_install() {
 		echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
 	fi
 
-	dodir /etc/env.d
-	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
-
 	use doc && dodoc doc/gnupg.html/*
 }
 

sdk_container/src/third_party/portage-stable/app-crypt/gnupg/gnupg-2.5.18.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2025 Gentoo Authors
+# Copyright 1999-2026 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -71,6 +71,7 @@ DOCS=(
 
 PATCHES=(
 	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+	"${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch
 )
 
 src_prepare() {
@@ -103,9 +104,6 @@ src_prepare() {
 }
 
 my_src_configure() {
-	# Upstream don't support LTO, bug #854222.
-	filter-lto
-
 	local myconf=(
 		$(use_enable bzip2)
 		$(use_enable nls)