Merge pull request #1149 from flatcar/tormath1/sign

core_sign_update: use pkcs11 openssl engine
2025-08-09 14:06:58 +02:00 · 2024-01-23 17:11:30 +01:00 · 2024-01-23 17:11:30 +01:00 · 0987e80f53
commit 0987e80f53
parent 018778e391 05d4afbcc3
42 changed files with 1665 additions and 3 deletions
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@ -17,7 +17,9 @@ acct-group/messagebus
 acct-group/netperf
 acct-group/nobody
 acct-group/ntp
+acct-group/openct
 acct-group/pcap
+acct-group/pcscd
 acct-group/polkitd
 acct-group/portage
 acct-group/render
@ -34,6 +36,7 @@ acct-group/systemd-timesync
 acct-group/tape
 acct-group/tss
 acct-group/tty
+acct-group/usb
 acct-group/users
 acct-group/utmp
 acct-group/uucp
@ -47,6 +50,7 @@ acct-user/netperf
 acct-user/nobody
 acct-user/ntp
 acct-user/pcap
+acct-user/pcscd
 acct-user/polkitd
 acct-user/portage
 acct-user/root
@ -102,6 +106,7 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/efitools
+app-crypt/ccid
 app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
@ -197,6 +202,7 @@ dev-libs/libnl
 dev-libs/libpcre
 dev-libs/libpcre2
 dev-libs/libpipeline
+dev-libs/libp11
 dev-libs/libsodium
 dev-libs/libtasn1
 dev-libs/libunistring
@ -213,6 +219,7 @@ dev-libs/nettle
 dev-libs/npth
 dev-libs/nspr
 dev-libs/oniguruma
+dev-libs/opensc
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/userspace-rcu
@ -468,6 +475,7 @@ sys-apps/miscfiles
 sys-apps/net-tools
 sys-apps/nvme-cli
 sys-apps/pciutils
+sys-apps/pcsc-lite
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
--- a/9
+++ b/9
@ -136,7 +136,7 @@ i=1
 signature_sizes=""
 for key in "${private_keys[@]}"; do
 	if [[ "${key}" == pkcs11* ]]; then
-		openssl rsautl -engine pkcs11 -pkcs -sign -inkey ${key} -keyform engine -in update.pkcs11-padhash -out update.sig.${i}
+		OPENSSL_CONF=/etc/ssl/pkcs11.cnf openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "${key}" -in update.pkcs11-padhash -out "update.sig.${i}"
 	elif [[ "${key}" == fero* ]]; then
 		fero-client \
 			--address $FLAGS_signing_server_address \
@ -163,8 +163,13 @@ delta_generator --signature_file ${files} --in_file update --out_file update.sig

 i=1
 for key in "${public_keys[@]}"; do
+	version="${i}"
+	if [ ${#public_keys[@]} == 1 ]; then
+		version=2
+	fi
+
 	delta_generator \
-		--public_key_version "${i}" \
+		--public_key_version "${version}" \
 		--public_key "${key}" \
 		--in_file update.signed

--- a/data/download_payloads
+++ b/data/download_payloads
@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
+  echo "Usage: $0 RELEASE_DESCRIPTORS..."
+  echo "Example: $0 alpha:1786.0.0 beta:1781.2.0"
+  echo "Downloads the release update payloads to ARCH-usr/VERSION/ folders."
+  echo "Expected to be run in .../sdk/src/scripts/data/"
+  echo "(usually before entering the chroot and running ./generate_payload data/ARCH-usr/VERSION/ keys/)."
+  exit 1
+fi
+
+if [ "$(basename "${PWD}")" != "data" ] || [ "$(basename "$(readlink -f ..)")" != "scripts" ]; then
+  echo "Expected to be run in .../sdk/src/scripts/data/" >&2
+  exit 1
+fi
+
+# Same as in copy-to-origin.sh and set-symlink.sh
+for TUPLE_COL in "$@"; do
+  IFS=":" read -r -a TUPLE <<< "${TUPLE_COL}"
+  CHANNEL="${TUPLE[0]}"
+  VERSION="${TUPLE[1]}"
+  for ARCH in amd64 arm64; do
+    echo "Downloading ${CHANNEL} ${VERSION} ${ARCH}"
+    rm -rf "${ARCH}-usr/${VERSION}"
+    mkdir -p "${ARCH}-usr/${VERSION}" && cd "${ARCH}-usr/${VERSION}"
+    BASEURL="https://bincache.flatcar-linux.net/images/${ARCH}/${VERSION}/"
+    # Note: Don't replace this with 'mapfile -t array < <(curl)' or 'read -r -a array <<< "$(curl)"' because that has no error checking
+    EXTRA_PAYLOADS=($(curl -H 'Accept: application/json' -fsSL "${BASEURL}" | jq -r ".[].name" | { grep -P '^(oem|flatcar)-.*raw(.sig)?$' || true ; }))
+    wget "${BASEURL}"{flatcar_production_update.bin.bz2,flatcar_production_update.bin.bz2.sig,flatcar_production_image.vmlinuz,flatcar_production_image.vmlinuz.sig}
+    for EXTRA_PAYLOAD in "${EXTRA_PAYLOADS[@]}"; do
+      wget "${BASEURL}${EXTRA_PAYLOAD}"
+    done
+    cd ../..
+  done
+done
+echo "Success"
--- a/433
+++ b/433
@ -0,0 +1,433 @@
+#!/usr/bin/env bash
+
+set -e
+
+if [ $# -lt 1 ]; then
+    echo "usage: $0 alpha:1786.0.0 beta:1781.2.0"
+    exit 1
+fi
+
+# DOWNLOAD can be set to 1 to download release artifacts automatically.
+DOWNLOAD="${DOWNLOAD:-0}"
+
+if [ -z "${PRIVATE_KEYS}" ]; then
+    echo "PRIVATE_KEYS must be set using the URI form (https://www.rfc-editor.org/rfc/rfc7512#section-2.3)"
+    echo "or using an absolute or relative path."
+    echo "e.g export PRIVATE_KEYS=pkcs11:id=%1?pin-value=12345"
+    echo "NOTE: If multiple keys are available, use '+' as a separator"
+    exit 1
+fi
+
+# Image signing key:
+# $ gpg2 --list-keys --list-options show-unusable-subkeys \
+#     --keyid-format SHORT F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
+# pub   rsa4096/0593B34A 2018-02-26 [SC]
+#       F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
+# uid         [ultimate] Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>
+# sub   rsa4096/064D542D 2018-02-26 [S] [revoked: 2018-03-14]
+# sub   rsa4096/D0FC498C 2018-03-14 [S] [revoked: 2018-09-26]
+# sub   rsa4096/896E394F 2018-09-26 [S] [expires: 2019-09-26]
+# sub   rsa4096/AF9CF1AF 2019-09-30 [S] [expires: 2020-09-29]
+# sub   rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
+# sub   rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
+GPG_LONG_ID="E25D9AED0593B34A"
+GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
+t5TzEKCRw6hpPC4vAHbiO8B36Y884sSU5Wc4WMiuJ0Z4XZiZ/DAOl5TFfWwhwU0l
+SEe/3BWKRtldEs2hM/NLT7A2pLh6gx5NVJNv7PMTDXVuS8AGqIj6eT41r6cPWE67
+pQhC1u91saqIOLB1PnWxw/a7go9x8sJBmEVz0/DRS3dw8qlTx/aKSooyaGzZsfAY
+L1+a/xst8LG4xfyHBSAuHSqi76LXCdBogU2vgz2V46z29hYRDfQQQGb4hE7UCrLp
+EBOVzdQv/vAA9B4FTB+f5a7Vi4pQnM4DBqKaf8XP4wgQWBW439yqna7rKFAW+JIr
+/w8YbczTTlJ2FT8v8z5tbMOZ5a6nXAn45YXh5d80CzqEVnaG8Bbavw3WR3jD81BO
+0WK+K2FcEXzOtWkkwmcj9PrOKVnBmBv5I+0xtpo9Do0vyONyXPDNH/I4b3xilupN
+bWV1SXUu8jpCf/PaNrj7oKHB9Nciv+4lqu/L5YmbaSLBxAvHSsxRpKV53dFtU+sR
+kQM5I774B+GnFvhd6k2uMerWFaA1aq7gv0oOm/H5ZkndR5+eS0SAx49OrMbxKkk0
+OKzVVxFDJ4pJWyix3dL7CwmewzuI0ZFHCANBKbiILEzDugAD3mEUZxa8lQARAQAB
+tD9GbGF0Y2FyIEJ1aWxkYm90IChPZmZpY2lhbCBCdWlsZHMpIDxidWlsZGJvdEBm
+bGF0Y2FyLWxpbnV4Lm9yZz6JAk4EEwEIADgWIQT4jP7e/ymltNlSOGTiXZrtBZOz
+SgUCWpQVrAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDiXZrtBZOzSi5G
+EACHLSjK24szSj4O8/N9B6TOLnNPJ17At/two/iHfTxrT8lcLM/JQd97wPqH+mVK
+hrZ8tCwTZemVeFNXPVy98VYBTjAXscnVh/22DIEYs1wbjD6w8TwgUvzUzpaQJUVu
+YlLG3vGAMGaK5FK41BFtsIkar6zaIVy5BPhrA6ASsL9wg9bwSrXT5eKksbaqAZEG
+sMiYZxYWzxQHlPu19afxmzBJdVY9YUHEqBYboslGMlLcgErzF7CaiLjDEPkt5Cic
+9J3HjIJwlKmVBT6DBdt/tuuzHQntYfPRfOaLVtF/QxRxKNyBtxYndG6k9Vq/cuIN
+i5fHpyZ66+9cwswrLISQpAVWa0AW/TENuduj8IU24zCGL7RZVf0jnmALrqkmBTfY
+KwtTdpaFle0dC7QP+B27vT/GhBao9KVazfLoAT82bt3hXqjDciAKAstEbqxs75f2
+JhIl0HvqyJ47zY/5zphxZlZ+TfqLvJPoEujEUeuEgKm8xmSgtR/49Ysal6ELxbEg
+hc6qLINFeSjyRL20aQkeXtQjmZJGuXbUsLBSbVgUOEU+4vvID7EiYyV7X36OmS5N
+4SV0MD0bNF578rL4UwhH1WSDSAgkmrfAhgFNof+MlI4qbn39tPiAT9J9dpENay0r
+yd59VhILA3eafkC6m0rtpejx81sDNoSp3UkUS1Qq167ZLkCDQRalBYrARAAsHEO
+v6b39tgGxFeheiTnq5j6N+/OjjJyG21x2Y/nSU5lgqPD8DtgKyFlKvP7Xu+BcaZ7
+hWjL0scvq0LOyagWdzWx5nNTSLuf8e+ShlcIs3u8kFX8QMddyD5l76S7nTl9kE1S
+i2WkO6B4JgzRQCAQyr2B/knfE2wrxPsJsnB1qzRIAXHKvs8ev8bR+FfFSENxI5Jg
+DoU3KbcyJ5lMKdVhIhSyGSPi1/emEpbEIv1XYV9l8g4b6Ht5fVsgeYUZbOF/z5Gc
+Kwf3ikGr3KCM/fl06xS/jpqM08Z/Uyei/L8b7tv9Wjop5SXN0yPAr0KIGQdnq5z
+GMPf9rkG0Xg47JSQcvDJb0o/Ybi3ND3Mj/Ci8q5UtBgs9PWVBS4JyihKYx2Lb+Wj
+LERdEuv2qRPXO045VgOT5g0Ntlc8EvmX3ulofbM2f1DnPnq3OxuYRIscR/Nv4gi
+coNLexv/+mmhdxVJKCSTVPp4SoK4MdBOT0B6pzZjcQBI1ldePQmRZMQgonekUaje
+wWy1hp9o+7qJ8yFkkaLTplbZjQtcwfI7cGqpogQmsIzuxCKxb1ze/jed/ApEj8RD
+6+RO/qa3R4EGKlSW7FZH20oEDLyFyeOAmSbZ8cqPny6m8egP5naXwWka4aYelObn
+5VY6OdX2CJQUuIq8lXue8wOAPpkPB61JnVjQqaUAEQEAAYkCNgQoAQgAIBYhBPiM
+/t7/KaW02VI4ZOJdmu0Fk7NKBQJaqVa3Ah0CAAoJEOJdmu0Fk7NK8WMP/R+T//rW
+QeuXMlV+l8bHKcbBGWBvvMV5XcsJKDxtzrclPJLqfuBXSDTwqlirXXqlEeI613kE
+UWG0b0Ny0K87g9CnkbsJiizGtyQJp2HuMnjRivTd/1V30ACCaK01nbu1/sdOk6Y4
+Cimv+mGEgzjcXVXs72p+qqhDEaMgf1GYjDrzVHUnKUNIU8QOG2HRVhpP27bOg9Ao
+a9Exdo04w3dXxso3KGeVkEE8dN0rKmHQ67jcCqKogzNlsIujbJkgRbwk/e3BgDWX
+ifQSMW4SAAl/PVP7z3h6QoLcYSddOMMYwqP5Oqe4obBaKgVrn705s/Z0pW5nEzFg
+38hEoJe+CCXjPl0zjHKQGzhwR/MLWvMf6jO06uvASiJuU/hefVCCek9b5SLn+IPU
+J+uLh57F1I7O4ohPWY9+sbrpibx2pcSmcefVMwX/iSt6RNlBITYVQLGN8+/0gcRz
+3jGf7m+M8Y7KYrmFxtwPsFejygDr6VVvoUarPPnJSzP+UdPqzUCcxdnV7Ub4QMRl
+wUyvnwgnpn0xOsZ/Pdh5gOC06Yrkjbr12DWIpUxy/9z/QR2TeImi02trRKpCh9xw
+0bKlsWBt1oUnNnQjnMUB9tmWsF1I6DrO/FUcB+5d7iy+MnPB1LIKS8JokODWIrOq
+dg763UZfGbp4EbLlO1vcwIdKC6AGoS6hoyPUiQRyBBgBCAAmFiEE+Iz+3v8ppbTZ
+Ujhk4l2a7QWTs0oFAlqUFisCGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0W
+IQQeEA3Xpnem+aUyyfm1HeN3Bk1ULQUCWpQWKwAKCRC1HeN3Bk1ULe4hD/0XLBuo
+inLaN2wVQpbjeIEG9Shbaax+BmsuufjiVgNxKEkBg4q6/miCpdpjYmcvv7nNG5uK
+zuQ/fnLzgldiVS0G+0BVBelF1FlT85xaI/enIrsvTauGEsfie7/ljrkV//0MFqdB
+ZnM680JDVbvl8f2RDBACmz3PoJr8kg3PZwvb028effeTqhZ8zA5ZW5rum0Cn6dOb
+v3OrCyQw/aoUvjH65j3T+fr17Em5dYaxNShFxoMBKxSsr+V4opwGEzBRxuoLrzAl
+/LcazNAL/CLj+7JBxFj4FL5fB7VQcBEBDFBwg0ropojUeqT8Y2oyygnwLHc4otwV
+TNxezToTFucnIq87IAqpTdEe3dHXx1CRJAyIeXxh6j+rYpidiL4CegIczva/xE+P
+CqKV1qsGPysD301pXEYy4W1nLuST1tu/xbZCIJdqUwOxsVN5D9UVsFEr4Szfq0QC
+14UQzMeXJSdXE2Z1TAnl7381AUC8LoRp55BH5Jih/zrUT1+HrzwdWBZdBJc04f5I
+RiZqhZ8Goso5Ki6yFGCEXuitQUyWS0OWkZTX4m2rNIiPMw8PVweQ+yeqwaAapfm7
+JX4l3Wa9fRpwK8LLV5/iaXti7IEla51lCCHRn+yM+0XcYI//53qQXVobcaC8Z9uy
+LfJCjCtETknO2/uGL+kNyoZ4ykMfIhqOaxZWnqfzD/4kHM+EB4Yuti1kxFmSdnjp
+MLEOXNFRoJcvPL7kw6ZMQaWZ96UOdlcL2GiHWAyYThsSjWez+kZ60GuDL+JwfQaR
+InavuacP3Dw2eg8/W5XAT/G2EEmA4wuDMXZ07aPa3nJPdlCMcwxQLyHb6ZgModxZ
+IHXaX/JEylapdh0j4sQf5P8OvK2Qq212OVuIaZPnjloQDeJqJTzP9iGDaJ3Ne6gM
+n6nZ3ZIK1qtJc9WxRtjIOLS2ZdMSB5JWb1gE4nEkvDChbWKfeMpv5ox8G6HJe9Xk
+sygGj876vmyAHDwl8zsYMvWeFZONxsahKpDFjXKMcnIpV8ZPfaCT4r4G6x4Qil8u
+A1iwCKXo4d+uq3qrRKyhGOE+B+H/5QCGmmfAXhBVsR2aUldK0kx/IVi7HJD1aBRF
+k+cpC0+vMw4O4f4qXzm2z5qWHftcB/EBhN+h4+IIDSE+wEtz9OdEpXXbPZ1sd7eS
+8K4OjjliG2meTQE/wvn1BNtJVJ2rGQX6moCGx/1FYdLXLROv6hOnBslMVHFRbe+9
+OmTFXEDlb6Nh/08PwYdyqk4qXddebALpC0TmyEty8QnjEmL1IhDtMTDVlj/33imb
+L0waKqGJ5U3s2fA8VaDZQWL6U/c71xtuVFt6trS4rnsoBzlILPfC1n2wpPvKPEHL
+avOKXgf6jXnmSzi5GbnBgbkCDQRaqVbRARAA0R+Z6SrbAI5b8m/j+Q3yc2tc5wDB
+i7Hly0SW95ydLkKGaGvHhpLrBM5WwKdtQzF45A9tlyu6iGys5HWPRW3BqMpZrcv8
+2QHyoI2lYM/b0ioai2gSZB+lao955iJyBQ8c+pLSybxwcdaXTb6iBLGReCYXlrL
+QL6H+NYw338x8bhRvaDanPQis81GzxtSZgRjtZbAGSvOgq25A3oCTF45O8cfBz+I
+FxNaziS7x6lXuqOatv5n3HzffGOz3q1baKsxMRVGx3PdAI/LvRRd9SeBeTpFZQYY
+ujCC5K8ds7yxB39Hel5llKnoXLHNm/wLGukXY+PtJVzhtBDL0X3o6OUfsb9tPzwM
+oMyA8gRXf94nw2XRT8MMrjGChB7Clfq9AFP3e44D3MaVWbEGOWNG9rQ5s72dk7dF
+K416D5cc+BQ8mvllYzZ8gzOgYKnlfVmhqVDAIkFz601+lLRUdK4pD0t1BCmlINSY
+EKQNmp0NCSNVCbWWscKvTjboqb76oH/hjnIDqh3GeGdnIJ8vGwUdNN2NBA0rrK8o
+lD1Kc+e6Whe5xORc5krUZYtDCwW6ylRb118rmrHsojxoTH/kGr2IB0po59LT01l
+M6KjLfGWrz76jJZmDLQ2gDBZNjuqDV+raHaKpVgUlbTHvmVvumBCm50Haz5w2vbM
+txDxVhxU1FdYY00AEQEAAYkCNgQoAQgAIBYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NK
+BQJbq1h6Ah0CAAoJEOJdmu0Fk7NKGuAP/0LeLoKVOI8GRiU25bBek4mElKV5YNwU
+8QMf75VPnRxklMFGkrPDuVCHVIsOUGo7jF4EHfH8ACgXNsFx8v9pMgsvk4WvfxbY
+hepoNNOF/PLsPc125Z3hNq3uJsAMEpijNt8pNXgMvYj6mUKRGuMcIm1KLlczknwU
+vtAIWSV+qqpCUL2miVPzp7Y8lexUeB1dsxAiF4btZIJ2i53S72kPMqwLzHdrPxDt
+TiIweNz/T5K+C19MDAZ9AVp5qTcPWhQMDnNz3bY/4B2NcAwPJTCRxt7Ne5Ufxpll
+3D92jwKZxREBdBPlRq/Qr4JEm4VXOw4QLFoU/WOyRBd4q4aNeFR00J5unZ2zcQ/E
+ZL5OvHmkZ2Xl27Cuky1dAnT6hdadjMgWfQB/giXfP8Tu0Qpi7ISv5fEyUh70RpKr
+SPdbUIR92IR8Qu862SSZsn7KoywUb2lFYzj6N9c1XORBexgRQgGAMdcT0REXyyS0
+bl+9aBRntiw00FkEe7V1+EOLTi40bbddLC0Oatxa35lYg38VYmnhHCrkUl3iCLa/
+AlhZmUGXSwmACNRzVRzFPAZMjdql+SEIF0XLYe96sb5twX2aztemy0GMU0ybK3pH
+eYrpccUsPRPiHvT4k5TqAA+D1Y1WDjEhidPCbYeyThhAu+lfJiSVn2ex8ESByA/c
+/QqOMREjkWlwiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAlqpVtEC
+GwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQSmIfHalsk8Y5UGgy1gNEOh
+0PxJjAUCWqlW0QAKCRBgNEOh0PxJjFXaD/0cyALbk6YivbqAMCMXnfBFj5kOoG5T
+EGC7quviOVI+U5yNyFzqJtayfaxX3EsF9IjZR4cW58gdcQALS/gGAukexDigoYUz
+2h1q2r4zr5pxbj+ez9+fftNDpwp7CmuaB5bzVh1bu8gwVJf4yaSsGubBIgfaysB0
+Mzc4eJqIpDFMRQvSOOv7TgzXqAsXQuphoqkB5RuiKtKeugv4qofH5fuM3C/Y4QZ8
+edQlTA41KOay1a76xAK85a8qMCjVQVCrepo5+LYXwZAryp4WKIbTSbUNRr5GGgSa
+UWBe0/Rz5eqOL3r1YV1WzttWgBLzZUZJqvaYoWtfJGwjxDAFebE+meqtLIh/IDEu
+Tc4D3Vge6kCI1jjNDKMZQYf6j1rybKPVzOgkxjCyRcgUI8Y904l9LZ3/BiRV8dY4
+nBjWmCYVJPlAVzfDxFwF+A2kKInskPriiYJpFX8MVjy/6GfkJTtMZo1bovSDZZ0n
+2MbQ+V3mftV8GkL+RPU5xQ79dPx6Ki81Dh31/T0d8FkEpWLbDy3gc1qgvRWcp6bC
+uS1Rg0pf7+ftRYDEW7BBOBzmqfNljolHMWPeZT/1sCs7PmDS+kErZARFm0huMljt
+8MNx50KljIVGDUbjOmDaOopTqKFhho/UTTe1Kho3iwTIYIgrzfuCT7t2k0Wx+/NI
+y6BcGlPHU/R95gl0D/4yrId19rW5h425bWYmKZ6Ilh+H1zipl5OS0iEllmm4sLcp
+Mub2+B+YFU3/EvbF0zkCny2HXy2gyZLhbvNm6Zr4FPW/xfaEnB4OXOOnUbA4+RNf
+7bTngPXwhaxN+wQti+Uo0LcwKAU5KIBC9KcT46NirakEu5+5XaU2r+lsa7hlJWfb
+17e4tmcOB4QfMTsJu+4DcWJqu+cdtm2N4VcorJCvfw/EffnGaGK0mwRvJp7CZiWi
+Vc3T70fH+Rbv6NrgJEFV90XuoetQROwqjBEdbL8iNcuvjWO8j8NSlRKrV+UivP+w
+yDf0UCQoMTnFshBM0ZnW+8i/jqsg3kKxs7xuxCZVMfwxzkNb6h/YlbqjRR/hFZ56
+Chf1guaCfYJn0vCtdTLWimasemZfcKX7oE9EIbrs8FZcd89FkU0wgrJRscoUAiVP
+mbkklT9AvTy7Gp4CCMS8Z22r3Q0d3GgIvFNhakLyDzBKPBf+vJyQEx9SdFIM/Kjv
+4grCEjQNrWXXsh8ecurhciHPuiykffmMYyWUzdcc0pQyyyhoYiGbmflGIKx/6M9D
+OOW2Q4k7ogubPRLZ/nabZnxJdIbi8WVXgSI2JCuO3+i9dpW+Q9s8F5mPht1QmQnI
+ZrA5R/pLRP2oE9x9LDvUPLkQdLIB9RRyTw6D5A1UOI4TuLPOhFpcXqNODjJcO7kC
+DQRbq1i2ARAApdwHI9mdWuHcct2tCY4uRFR9m0CliX2vJ3ZOHBmo1wS3HBv0BkAv
+zmQwOE5xMDk6i9aN/w6fYii0s1Pfj2cwLz8Iw93icnInk7WGU2KoryWM9+KNGIA+
+XOtyobwTh4BHY5ggeYDkdOs7Nrlj1FTlj428NaevU75Cm9xQm6aAZnZZtjSDBTWw
+BuSXfFa70kiZzpwKMP/jB8ylWdA74VzkCFfYcdwJHzzrcDS64VRqNhWM/vRFJmLP
+wN4MHkAE5RDb4cjGAwkwmZQuDzuk2O9oOukxKd7v/ZUmql4k0qDxi3M9dC3SJJ+O
+fVPRlyZ74UVlspgjr5zxSBCerj/aDbVSWWr6JjgeRTQdg6WKhO0+mfmttiANxv/a
+fBMDaxys9ee5sJL+WHP62fucD8ukmMEVM0P971U/JBfV8r8VRpy+OENgt6ynJ9dV
+4YCdOT2xo42YwkBCYcVOF6iY2YqFd3oDSZARqEk4vr+A2/eNDU37+OBWr8E1pfO7
+H6FW4/tVRxYjywat6743e0VTjNbwPGmOFBGc0VuwCJzRsY5dwIi9hlXDGwfNpgzd
+tB+ON4BEY4f8ooSYCfHa9G2HeXj/+txxN6Km8Oh8OnQpyfJ6POQQVXX+bUG1W8EC
+jNBdoi6m00ZqNVtDsNbdKdWTYYhKtgPUOreGmF75k+LLjiqO4jIE1E0AEQEAAYkE
+cgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJbq1i2AhsCBQkB4TOAAkAJ
+EOJdmu0Fk7NKwXQgBBkBCAAdFiEEYozCEpOAZdq047lJqKvwBYluOU8FAlurWLYA
+CgkQqKvwBYluOU9wWBAApKMHrxbOqWa0gij3ODcvzpky76y1YWG45iroC55B56X0
+XslUpHJno7vTLobV5aJDeXlgaYD2ptn53wW31fTZL/1P0lkyIu30OwYwLvOxaFjT
+rsVPCwTz80h6TzsaShFiKirZJhPg5UzC0xfmM4aaQGsoC/Z5pOTyfrYrXgbQPNUJ
+f8zagYqpo0WZoG2R2cNwH5VzlJAv/JBB0SdMVgBS7bUXP1eudqn1gmZxw6GUEGU5
+5tj4X72ceYHiA+MMlKWsvpwJD9iRsl3yuzcBi8yOA0/jSrXu+5BLGaAAXMyMKETg
+e1ierxZ64yoV+AU6xcKykVzThxG5SoH6NiXsCs0XBOpWxQjfJ4MAeWLfTRMf805
+2OSzRsIf1/p2byyTbuApshp//O9c+jbPgEvG7G4VeQdBROY2/46+XR7Q0BrDMom9
+Bmk93SSbG9oubYKKALrjJaPIzTieLM3t2zLKZ/RJ6JARYDd6+BMdVNs9QS6Hkwq1
+4lIDxz9jqenAXSpnK8fKg2xxzz/UFhoThlY/wlrWP+Sa4FQl1lorcz6Xid+yNoxF
+CZw+iWx7FMng0QDM9rtyhAbFkm7JFnDuojVFeNTdTUy+siAZB0cFdP84BkcYugvx
+WGM8uYydVOrPlI/nzGomgljIqgzvJm+Crun8eYggmItY53U6xDJmQT7Xrtk7YCa+
+0Q/+PRuDorQauvB53mfynLywqxn3h/NyegDrlyq+5Nqsjm3nq0umUSG4/kXMwALy
+0h6boyGWR/rkHnLOE1gLQ6fSlpcN8YHtsW6+czpkVH1b+wws/RPg49muTADHeYeM
+n5eC0aVrUq7D7IVH+UGILDWJuzq2b+jO/IpXd9kIPlwY/2PFIjwfoSd7W+pjgVXh
+6Z+xtWE5mVXnSfxPIXxv/cNd9LtYyT9R6RN7Xu+3hJz/BRp6MUANbdErYD36zERz
+GKUO2eJVbOJReevXb24SZzIJkpBF2qwI5dEl8yk12YpGCu75XtFRux3cVhDpdQsx
+/RZGV7Id1X55s4/LiqF5PSEFTB4kZpiY+meq3sKOPT+Ra9BLeur8yo7ftMK13WB
+BL2e/mzwfw+s2x1sjWRCuc5KbnK2yTY9ske2hdtAPmVJTDXBO3JWfZj5xKuuc3mp
+q7OEd9+gKTiW4PyZfxQIzwXi9BJ6R3+ax7WYR0bi7Gll0910RNFV3MOiLhupIS0Y
+BuipB6OgQNFUSjB6vammTd3R+98jIrtWyRDHPmdtgRcK86EbRpj6MHd7rATkdG+S
+D0+DXGwfuWIeq2OA+P6lHWEmjlepFSEBS72P5jmpbRtNd+aHN23VesPI/WBQkfBU
+4Tu51CGRd4KZk5ugFZ5YqjaM3m70od1zrsdq+BCNsfzuJqW5Ag0EXZHfzAEQALaX
+xQvhNPHFx5PiroyTkEX95SsFuoMVnkXHfjEsBKStVJ6ZEF6t1PV/q+Kj+rQB25up
+11tfQdElG8Elw46tsvlfWt4uVsdcttUWNHSsygwfmZbQxBVt+nlWXMaC3/124KP4
+ewOn6YAw9biL+cioV0L0fSw1bnUv9LtUZS0h+KuyQ1KFFv015z9uC2LLT/v0XP6S
+8AW9LNrKNI7q6XOW5JpJWSOLGpc6eS5F2T/eplpjxUr1Ua6PSH+g0LJSppbCqIf7
+lNaRCVSSTD2gxCRw1MwWPKqYnseXoilcQe+Zv/wW9k0wyj9ekfkca6mCqBGhe88D
+SqBZVaOfCRNNW1AdsTtIJcW9U1e0WFQIVMCADdLyze7ktTHIc8+/vsVM20/8eMEG
+MSspehWgJOEgNDhPTAHyolfa6z/U/lOvtTMkhO5L6XrIwSDaKvYHqVuRiOoPXYey
+Qfe+PAGszbM9+JH2j3JywKb7RuK5MUL5PBfUGgHseikK2697ix7z2theIjiAO0sm
+/JkLC2Q3zKxQL3szkO70xWB5L2yajifNtvncqqPUvq6aFkxcJ1H4DXoDpdytKBt8
+KtcjJcwPBrw7zMQ+bFXRdTDbtDGZxc0AhhfvboC0NtxzpTi0E2z4gY3YGjseJs6h
+BW4d875PKG8oBsMMNIqjIuldB0vTQQmh45D/DDG9ABEBAAGJBHIEGAEIACYWIQT4
+jP7e/ymltNlSOGTiXZrtBZOzSgUCXZHfzAIbAgUJAeEzgAJACRDiXZrtBZOzSsF0
+IAQZAQgAHRYhBMj+hTEBIuYmdT2wzzvCD/ivnPGvBQJdkd/MAAoJEDvCD/ivnPGv
+9UcP/2s31nMRdyXYAL14xiU5L4lQP2Rsr2BvcsdeCn/ZjK4e5tv52sOAYKkk7yhH
+2Egxss+liM70Tg3XWnTfmrxgM1uY64Pvx5G9qlLoDzXElEAHWlIkyV5bj/SUHS3c
+B2nuZjZEpDgXGYWQaHV5We0QepvV3e3sv9saOcQN5ihlGnr+MlEOxNQbAnOMamWj
+S2ztMakfo/kEH2OuZcikgmT5d2RjQooamgKQXKyVOzOlxYV0L5sGZLSK0DFV3KTI
+Qs/ccfr8MLv902If/mLF62lz5ba24p2wUtM+vrp9EaXWExTYR9WTcYBPM8tG7txF
+q8mopL7siu/fU/XPUitWjSi6ZDX6RFljESjdR3xs7CwI/DErEak2T8Y3/inAHnGM
+HB5amPkqv2LyeEEQ7ZhIjmA4mWgbTsPiQet+qY+GqSKlSIGoJv4KZKBmBKFW6PK6
+xZpWioGj+BLqtduHc0yPf0fW6FDaI57IHMZD8kVXw9dZpn14wExfeYsoptHXRecH
+1ouSWd4/IK6PJRWzoAiOu481IREkDml3Rlhqj6UUr5+eseQ6SFWdFo3KlfC+7O5K
+VsAmEx99bj/9w0NLr2lHw2uEAPTdpDVUWh0hURxCu4uyEVsCdUmNklVAz9t/zqKV
+a8A/MMYxaytsw5e+QftTKPlTBsCJkJo1qypcQDe78OdUIecYABUQAJIDOIV19WSK
+ruQW2ICZdMI/6BbGzrKMvxbJnzdC7PMnJbXDEqzsGMMYziK3Qhf/zi4SpUEP/RRe
+qJJjzzguFYEtP21/ugXFX0/4uWBkGGkPcSmqtanixg1LefJIlw6g1ZWeteU7x68d
+dNyyEC+BP7HaVHX1mCfhkPiPH3zvTa07boOJhsaYWOGyc16RtVlJSJXxgTEY2SJD
+JwtnSf5ujVOfIsOGQVshB95BZdGCYIru+n7YSD0ghcm6az0Dnwr6sscQLYOpwb/O
+mTp8P7lG9aEqbzSPDtVhWrrbIp+jibgTzGu+jqMFFpBSTcD6F3ClAOkmFpj6UHLn
+LnFWBs7rbznZVB1D1EM83ETnE9gc4C3n2OL08kAKHQ1RWDQcG3rU7evgxf0kBFdA
+tgn4tIU2qlyR9MG2hy7wsXA9oR9/CndX+NJrkYSQxiRT9OWi85WBIV6LqkdypE3O
+fbofQWtv8IuFfAv/a8Ah/38hXn2N1KcVm4IbrNeKjrlmVIhVSkHjVQcX5iw/tPuX
+rTqi0XMNnnf0GneaTTVSI1wTa66Ha9SY+MsWKEK7aBI6S+ecpSG7oRhsV7yvzXPQ
+ul9QP/O4K8SmteNujH88+sfj62+0qJeHnxAgMo62VXR9L7a0zSPIQJXpNun6BJn6
+HKbWRxot9GQuVdS+tRnE8fZulLeBvixyuQINBF9I4E0BEADd8vDObd3EctBbBMFc
+8BPjuEgnfC4c+EltYEm69EZvhVh3jtWtSBrTS9AaT+7+Dt2LphDal0Z1u753R6vL
+PVIVt01983cWOP8+tEG8Kj7ghfMV3hBJmYyK8Zumh37L7C9ye/JHUDyePmaDJuCb
+DSwKR6H7UXlAjnmP4gmSLnmAZXBEQX1E3AgZy9qMehRc/F4ZZQlU3bSreyNJCm1F
+3/FNhQRmsUDv4fHcYnWSwbl8OGqmRfCAj+bzWt998zjapvcwEe/OZfqXgdJ9ZWJc
+g8nirp0iwP5bKtC6UTZk5mU6+BukZ4oKhtwlX3/OuHDfshy4+QiSUL3aZhOAVGlx
+n0ZU2ERYFqef2x4+THRj9+Y4pSLNbapSHQgSj7kPupS7txtQnJzm+GxkmbbiwgtZ
+91Dtv6k5hycPiiCV+UfwvnKEA7lGHHkGCdLS/zWBDb8Iq6RwSOrfFlHG8ihR94zK
+rUEYUzrZQa9aCP1aWdrdcr/RejDgNREq+eR3x0OvPqKQRse/NtstvQDzALbztYgR
+7ObQMNrK7F+ba1uF9m3fZFi7l79xFT8kvFOzyBmCdVyxqRrbEmC0svG4x3SUMBEn
+dvNTjnQMId1WYvEkLldp3Waj0Zca2Yf86oWROLW39xVphTH8MouE97fvCNIKzKD9
+L7xF5TJrw02JHW5lR+4rGI8HMwARAQABiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk
+4l2a7QWTs0oFAl9I4E0CGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQR4
+KzvJ8Qz2OKXc9RBbKRDL/L6rkQUCX0jgTQAKCRBbKRDL/L6rkVMzEACYgX7Yk6hh
+Qp9BW27lwN0dJJ8+8l73SNFoco5nIcLnXZHiLFXygxXe6WJbEV2QXjp9gvFhtvYt
+ijx1RObW8qSnUzSPzYOIo/iYzpe1GgoHmKabF9vD8J3NbLTpt+px2ssIsn/s25fb
+gALBuXbtEx9viPIgpQz3s6LafGO4oPUQr0Q2rTyFdK3ib3X44A36KCh790+Rsqhz
+jgUWAm6LyXgW/QpjFel8QmnVgVmFJWEMttgDWvUtWlgMO+BgS958dDk1L/s9bQc+
+xqsIav2kvdt9c8/3+xOhC/bp5aa0NYGcdYSsOAMVofbG34dntV3/HKUnvCRnZd9T
+2n+s7P1kDnnJTOiVsw9ThF/dvU7zUj4SYvqtYUrwWfd+4xzzXIWISiauZBtx8HOH
+/Wi2li1gLkY1caYRzuJJphFY2bgSeZJQw9sjStVh49yOT9DdT4rNZoTS1HXjLSws
+YdLCYM7I8p3d6qMucqZhJ/usDH5pCSW/j92hHyl3P9M7fCUN2dVIg0OseVY9d8XF
+UnGdwFpbIaXmBbb3blo47CE68U1MUTSegitkJLQPM0YWmK+5+NI+Yh9HynepbAaq
+IVOzjoIMS2wshy4Yxg2zMTj4bWgJ2PhFGtqA4Ia7KP33Qj/iVl6JKEq6axhI7nZu
+8ofvuE7W5JudWR8KKraR9ULU7AEtiU9mask7D/9Y6PgP5rMp6+2uYYxBsc1is9dW
+XqdAVHEUSLroBRaqq3ywi/WsBOZR47J/k1xHeCPiGUot0tlHSKy84danVxFnSZm1
+8QtD6UEDgq0tWNrOSPG6tu+2I/Ma8FGrs6gWZxyVKu3G1HgnZ8gg0NzA5vATa5Kv
+stN3wCtzAU2NqrvP2T4mWeakXmDe61O696h101WfOazGC5NDjWDdTHQLdYdxPzr7
+yDinIBNPwBX9NEmjxS1x/QtMfMzE4hp8AZwEjgnYDWxiG4yFPdfEVlKgy3TxC68l
+VoGyrl3gbTSdXqj+gPHjeVpZviB11WZcEuMdjhKwILS5l4u/gZR1Akw5wPPc4g1O
+71M+qy8wivBs107Yzvin3BqnVjO+ZZ0Wm0HOg/bLYo+7zbWdq/C2PTJdCbKRWa0I
+hpZca59g7ANOc8ycEg7NVFsLwLeWwBwGRMkqQ8ciS6EOXY6VdkGbtZCC8r1SXdgh
+rkvnyXftWOnv/RmQzOchr1wwo2+D9VEu6EhCYBlRTKXZp9FZIF/y4n8eJt4YxaPN
+EoJhXjTMWaFJ4/BHSwgyQDa/LfTik5xZnk3zJb1XW8qQzCYvMkwjxil72kl60l9f
+C38qY4FLQmyjl5vQ3lgACKffbJJ9ujNgMkbNZgOX3dEGr6p0CzMFxLOavvG4a9nu
+ImM5rbOC6ZJdwLUTArkCDQRhEoRvARAArCO3OaYvwccaRumfHLqVyhEKNpeRG31Q
+MrR2QF/gncdpPama8f4sVqY7EJYgT4/zgoTP3mTSNNETj1KzcA+ZhJhzv548JWwt
+jokyFp5POXEq0PbTZ1Zg4/2Gn9QVxWa+dIstK6r2H+jz0oazB5sahf+BlAVH6+1n
+9YFq3utQ/xvkZk+R3qxNdAIDcLKFVUM6Z56fJSnl6Sx2PmJAM2MqZ2oJtfFpa9T/
+xv3Nsb0h4b/WvkM8vVpHqnSYdALlQMlho+lM/c/HiFyr4M8tGm3+SMW2TSP4zEe9
+SEOcfvLHRTpWDebaoMJ9sUU4aLNWswpnQ+YsEcmFvUTtcH6DpHOX3MDL+ol+Uy6I
+pc/ASp+7/pRgO0lqm27lzzNoBp0qdA2J2fgnET+z3HDx3MyliQsaCDf2e25pikLe
+JbtAh362peGWz5GkzqEi0kkbRRftjWLRNSosFEBQPx72jcdh312O3zcBk2q/oiAv
+tbzCUTWohVeL4lXxVMEeey/BLH+/KCyBR9TD/lPi1Hddd6Orrj5kjjWnUeqXPnSO
+RfPwI/zdQM1hECHP1gHp+lLNR0d64vZDN+A3L8YbD6N4qic6fJUXe/VFU7zHOTkb
+QitV6QkhifsJnYrOQbJ4pVVKgU6zvOy4vsSTLUqShvKkzHGbbtyR1zsLGS6nwrHD
+NeWZfEBgKVsAEQEAAYkEcgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJh
+EoRvAhsCBQkB4TOAAkAJEOJdmu0Fk7NKwXQgBBkBCAAdFiEEhYpWD5fJrrIuwccy
+lh3d1SUNSkIFAmEShG8ACgkQlh3d1SUNSkKoURAAn96VKV6sP9fkMzmf1mdQIfx9
+L++Yy+ZkGi3ZEGnnsPureu9EhaVmIuhhlCJHhgK3T4xqx8Pmn+xKLrnq2/V/xXqt
+HwLsgv+aex+9PnIXITDmXbsoFblt4FDz+mNhiBqXueKc95J5jsdib38nH+qA7v7b
+I5D5VrDYtgEc13KGOtRMeVF/iul/hMF8JJZUL/oQaTtUtk+5w5cmCyGucPj2Ivyd
+el9SLHCZqSc4BHYrHZAUy2IWB9u1y15j82HezcJcxpg355PaG5EnYaDY1wo+ZqMx
+ZvmZB2mUcDh9IKLTngbex0MmCoEr1qBcFrOvp5iZkGl0xmySGlWfAKKDLLL/hfEU
+ahjiFyA4DEooCGR2sPWUgNrEnVANJEBfq1azbouroRfdiSYBv/lqJGJwahPo4NCu
+kbyERBqYWvAKegjuGy0+rvTicFfaDx824Kt10aDxt56Hqd6/AvQeC+XFSfijpUr
+voPO8pPlwyUEzkxD9h0WbKWTDe3tdP9dILr3jTcBLvJLsUPQ5mrsU7ccB5OtpdOt
+NhIWzjr9jqBvRYm5xoOFh0ox5R0909IIRhwNbQqLDIi/xknK4LBwH1VDnWzc6LtZ
+LHjG0+9mQ5rqXnDotxbsYgJzqab4/lMsiwD7RynzGY4r6bBinOGU6FEST6I2f/TU
+TyRYTcyieT0mwBVJaJBK4Q/9EkVthCy8DLt6D3ZGTRED1Kw8j8+4X2ColntFjHzf
+x1pk8GOAcdOlEQFAzmaexQPfSKZtSXl5BxXkCjFJsXt37BQSgVuYcP5wZgyItlCk
+anDKWUN69AYFJEsaGPwENaYvnqsnisWqdYLoxkC1GsTaaVSsDi+eDPyGqmCmUnBh
+FDzA673kf/mUj+FHRsioncJFwln23Ml4UgGGorpz1DeSHqD0Qp4xwYMNTf8sBHmq
+BtJdFr4en0ajT9QlxADm4uReJMZeQ2LNtDj52UGWO1tcqSQFLhNmPzpMxJ1tjRcl
+McNTzxH9afCj6kd+1Lo3kvnqylUk9S3Hrguj9kp6cMYliVEMmmRs6pQdpcUnCtjx
+SJi/nIzHqZihlAzBn50X+Euare91mKbrmgFc/mvBfbIwILD7ZB+AKAZDLhLSmjlO
+4FSPe6TINjbpNC4aj/sEvShdL2UABOWKP9qG/XIxQCWY9zrvq/AjSlwjrT9ybon9
+Up4P4Y0iST50ruicfF5C63NjZAg0cHtk8wf8uwoqedH0yiHJpWaSDKIH146r8USn
+yr23wLqJv4jzqZyw5/qSpp6pYQ5LMenZLL5AcXwMFHo9w3csh/LCjHxESdS7Jlh6
+SXrvlKGv1V62GtLZE2SqveYjZN1Av8Pa4S1OYfqN262rDUi0vIYvvVYTeuAW8W74
+1b25Ag0EYvTakgEQAJW0+3yvZLYH3v7iT/1FMX0zxDaWKZOBC0H3JsMxKtrM7WA5
+0cnyMRqUoqBdH3ktgUBphFvyY4dmAHuwAjRwe160s77fXR2Y3XcWC5NRkeNUgIp9
+ghcN5dakkOuogxUCueQKDnB0zeSltvNkVcnRKWYbRhsy7NoEu4r7iQ2KtLCWhlRF
+A84kgmYfRRRCH5ngL/eKbE9cp/v1y5N4xYosJqx6RhajfsWHstH4g38CflSB/dHh
+9tDPvQ/QygCuS7ENS59JDmy2pTuL5bfdTGj8mYhV3O+bVgwMXDz5bDGAqnNIzgMp
+WmAxiRUnYVBWFgoHfdiZFQ3YjgTCC86CG/8keszlyqsOQhpe3qOL4Syq3mtsEkKv
+EJ8/jglN5tlGro79/tm6HGNBomGB8lqo80DDycW4LMGCenS/24we8KGOX946rwPF
+j7y5FHFHouyCREqIEX+WUU2RHioMLENxbdF6QYo3yz9b3U+UMyflhgOP5KAlJI4U
+enP1r6eagEyYO4I12sjlJYcINeP2k5NXwZCT8LIGblRXnWXDJF5coFd+pAl0c2o9
+lEh8WZv/wvQ44dfz0dyY3aZgYm0lro5xjtnNW/V/sJLcLSC8TIj7smHRJC07pxVK
+2u1x7sl2VzpNuGNnsqmNHj9oyQyBkwj8/Ne7PmFYkovV715PjAADtBG+OflABEB
+AAGJBHIEGAEIACYWIQT4jP7e/ymltNlSOGTiXZrtBZOzSgUCYvTakgIbAgUJAeEz
+gAJACRDiXZrtBZOzSsF0IAQZAQgAHRYhBI1tp4U8/hse00btDe299BEmfslUBQJi
+9NqSAAoJEO299BEmfslUF4IP/0mOsYR+W+BNBB1tUjYGHyA2NOblXu6zmVNCCDFc
+kayM+8NH6AbYpLO3TiM55JmeukRCM3se2Zvf/wr2Ks5ywDAXvdYxw38ueUJmnKSx
+yz/2yk4CJiYC6mnjvU4Gs7o+4yQQ4wPVSD6IVt1kVccuZEO0c9qTIbOhhIxHjXv6
+1pKY/kLElBHntLPoFZxwDSmtCTpnde8gmOUlg/tI2Ku8w+Sv/c0cGVWwJA/WmRMV
+tEvkBhtwgq/OrUkiU59PdUXD7Uuy7Btgh2LuOYaSQR5a4H4/Q6OZzEGrzqWoC946
+x55LtMolg/fhvMTo8siStREfd98KrBEDrryq3Zmv1j88sBoqUjyIF3a779Ktw8vs
+Vu9nz+x8Woy+OewBhYtoCbx7FlCtsbSjQkkgZ4t0X4pLH+G1uL28xsoXD8B1Grgc
+HXaBvS2pCpSAb7Zx6wSVkQKTm0/GEZSv43C427bywWeHLynoOUYSsY1BLDPwGbOU
+bDGB2tzuXysebAaWrmbYfC34ITBEzod/L5Pwh+AvJrOYjvOL81zMKk6Ldt57AjCB
+FZOrhqo4UMeFJeEbIywmGRlHg3EYqlrj8uuOu0PIFfDEHzFzdSyPIjNQGbFGmTuk
+ksynNf5VbV3j7pEi04qJrA0KwQQY3WDUypu0AllP7WldbxoJYye1KAQOnH/sXfN3
+vGseJ6kP/A1FDR5A/snA51kUalfZ6MbNxSC4RLRhKM0L8ICYl50X3DyJBS5ScakR
+JTkiaPv6l5RlpUs+R8L0FZ20gNSZIn70D3jFzh29lEGnbf+P2UKQvmr9TUBcZBNA
+Nfj2EXdmZAzQu8QEPk7/8PONeszftNYxSjk7UtO+Z9QQzTnipksIQDvIGBuX27a0
+i4a0NgHko0HsxtsfAruAWEXVlWyNtMcNvdozbHkPqr4kvw76we3MIPTSBuZ8DUuf
+upatEcblh2VyRIWbzFmvuq7GnAmfynyU9NU+2kjmW6peYX5/c72LKWghsnPCx8xF
+k15blEo/kSMKN5vr+ZyiFas7IDJd2xmx1pd2xYvoNBl72ClflvsdMEnqx6Tpdh9B
+uvyCrat1qt4F8aKqao8sXbopH7QvDBpqGqgMGLkoPheOXypBvnvoYKL7tOoF4XJL
+AFM9PKGECoegwC0Mla15amgkfViUWdCsDy8UsSlPfBdvHdJrhChuPDwZV9GztZjj
+NdYVRi1OaxZP24IN7o40VFxvMh12E3HaideLi5MzZxxkXhr8m485b2hgvkuNUjoD
+nvFn8rZe8axx9FFhpg7/JvCAik3IxRbusM3WDqmFuBGK33phfD5wAKIWrBwT3iMU
+4GnMNmKOMrYCE/edg4eOPFj+wjWw8ZGD8XrnHVI0k8fGOoLvAm/xuQINBGQHFqQB
+EACucSUehSi8KixdOc9pYVWBCoqu5V2NlrjbpVVpmPB118fLPaZV4MSB/AnHssWw
+XDeO9zWyyLYstN78D/dWcX8Al74JFtBAM0lfgnqE5na8JZYrEivdsjQUO3Cf250G
+yXJwpK+CXpAtH6qVrO595exknHKKTv2dfV51UxDXXzYhLznnYHZoTnzpMKUSwqwP
+ywdwDVkalpXfFxP43w+gSuX7uOAI/hhX/iRE0drVDy85422FZnncNdigO6JjARn7
+CAoYDcb4K1+zn9WcwzWqV4+yhYDt+yf+o+TLhyF9BarG8cQ1tE4RfaDMZuXp0iKL
+itX01mFb0sQ2ZF0YBhQdGaBj/AcfE4e7Sacz9gC93Xd3FaVt0zgsTxMt3Z0dMzAw
+9lf7i/aPFFJQLoAZtuYU4hb3S4CG0+l3WPTdW5U276bV5WrTyvibfpNs8mctH4lB
+I4jhSkqoPwZ+8gts3XT336P3F2Z/i3cbLmfjbSeAUYRV5BdkozbuWfO6JrZq/BId
+KEUMlVi99CJD1fREyMXnr3aROdw7jKhtW5x59Act/ZXB9jixJ5EdxMe5aLeYKNSm
+L8I4TXG4DEvbPu/HCHNMlDRoga1CCmVaUEhuJwQaH4PhhlX9M69Bmz42NS8A0Fol
+JkiCsCQTQjyzvgXb1Pa0WKUVjPkQIGEUAaQdAGcns9svJQARAQABiQRyBBgBCAAm
+FiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAmQHFqQCGwIFCQPCZwACQAkQ4l2a7QWT
+s0rBdCAEGQEIAB0WIQTpQm2LZ+Nd9Ha9BIGF98iGiDficQUCZAcWpAAKCRCF98iG
+iDficV5MEAClR4UiibpFIYRsbdtPQC/RUIRPbx8naJ8o9h3RqnQKQPgIPkJUS8d9
+vVHQlQ8rhzrzWctOMWHgDRDEojLjXwyYSHRBawJN39D/Fs+D6Nrg9gFkdBmrU2My
+Xia2Wgb+R2qUTnl8sP+d8k8zUC8UoZIX2ksK5yzw3Zwozg6X5Bd70zIru1RJtQd
+9ZFDb/PVobWGbqS+saGEDi0Wa7YrmRRA+kQtvMIywX5LFJ5/bSqH3BsJduwmCnJH
+84WcxYW6Ntbta7MsnmrDEwfKwmu6d0XgL0mUaOGlt7UoECckZLU/VWh+V9hhSjPi
+Dp1IX3ucfmWfsEokN1ePMnl1LWbew7yF5WsNl0/BLVczx99uoYZ6FeW3cy+8PT3q
+5Tuc7kjV9oQddJcS+slmlpyuXGH+vXa8WvSDWxPHat1tPhh2QEMGbVFeCw9XhwLu
+98YC+Hc2BImD9FfL46GMXPmiBJ5S9qqJjb2lGB+Y4lnbus8DavpudumgO2b3p4CH
+eWQYCZY993gcZIiI1/9YMXtXABZ034XoennSq1gzoAxmWGoEk9E/ZNcDLhigW2UN
+D8w/mfBKD729NhGSBlL8LmAxwHe61fnL2Z+yTjVvWfsgMXSsn1U0QYkjgE6rzqDY
+1w29Iduo1QLvcXQj+fVvu0O5zYPeRYV+RHG+l65KmB8Tjomq6FW2tsInD/92KSGF
+0TIk0rOjJA8Zy7Eers21QsTScUrfI3hntzcPpMZzWRBWuyXqf/4350lRTki3hMSx
+YB/eJlwehTmUAkC9E3oUE36PJqpp2mzC2cP68CIOdUtkdOVqzkfeZ54LlaJxgo5y
+BuC9AqUH5OfVNjZps3yygYv2ahIPBMR8JNduUiTAuvXbIENVy58q6/rZjHcKRp8b
+MUX6uWJrIXO5aSAIEljx9DbQoxSbmNJPiriuSKHbhrNPpI4xRlO9gTbaEC0ELKGC
+qw0lA1it1XvbZtP4CHcfJ0hyGvy9yvDH2poMgjkhu7OZdN1qBsBRHIIED/Ijy+tz
+nq7rQvmaDqZavlQbYREHdrjB/sS10Sblfu9h+vIwSx05UwSNGWNiDrvkQDPbVnTh
+R32zsNAlq+f0CEmsgbYPrE/lFwfFS49F2Kmma92qcDiK76Audz/dqz6xPvYQCqra
+a6Sa/uYr9aiaLsZTJ7nQ904KUE+Zwk7gcO32Bl7UO3NvkWlvSqOWGS/75WUgbrD6
+RARo6Xv6c8/OxgizzkboGBrdqqpmbG9PGi+gMrxShYtmZYcpD+dB91oKMC5q2lu6
+IGrEVlky2zd7KvrIE3YMETdYL0Eec/H0Jwuxnp9sr7GkBSUns0IczEK/En/NLcBm
+TkvXzMghTKTbYL9TjbK/CLzOR+5XXCHxXgDGLg==
+=VZfW
+-----END PGP PUBLIC KEY BLOCK-----
+"
+
+GNUPGHOME="${PWD}/gnupg"
+mkdir -p "${GNUPGHOME}"
+chmod 700 "${GNUPGHOME}"
+trap 'rm -rf ${GNUPGHOME}' EXIT
+
+if [ "${DOWNLOAD}" != 0 ]; then
+    echo "Downloading files"
+    pushd ./data
+    ./download_payloads "$@"
+    popd
+fi
+
+# Setup GnuPG for verifying the image signature
+gpg --batch --quiet --import <<< "${GPG_KEY}"
+
+for d in ./data/*/*; do
+    DATA_DIR="${d}"
+    echo "Verifying files for ${DATA_DIR}"
+    # Check that we have a signature for the files we work on
+    test -f "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
+    test -f "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
+    for FILE_PATH in "${DATA_DIR}"/*.sig; do
+      gpg --verify "${FILE_PATH}"
+    done
+    
+    echo "Generating extension payloads for ${DATA_DIR}"
+    shopt -s nullglob
+    for EXTENSION_PATH in "${DATA_DIR}/flatcar-"*.raw "${DATA_DIR}/oem-"*.raw; do
+      # Check that we have a signature for the files we work on
+      test -f "${EXTENSION_PATH}".sig
+      OUTPUT_PATH="${EXTENSION_PATH/.raw/.gz}"
+      if [ ! -f "${OUTPUT_PATH}" ]; then
+        echo "Generating ${OUTPUT_PATH}"
+        ./core_sign_update \
+          --image "${EXTENSION_PATH}" \
+          --output "${OUTPUT_PATH}" \
+          --private_keys "${PRIVATE_KEYS}" \
+          --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
+          --keys_separator "+"
+      else
+        echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+        exit 1
+      fi
+    done
+    shopt -u nullglob
+    
+    echo "Extracting flatcar_production_update.bin.bz2 for ${DATA_DIR}"
+    bunzip2 -f -k "${DATA_DIR}/flatcar_production_update.bin.bz2"
+    
+    echo "Generating generic update payload for ${DATA_DIR}"
+    OUTPUT_PATH="${DATA_DIR}/flatcar_production_update.gz"
+    if [ ! -f "${OUTPUT_PATH}" ]; then
+        echo "Update payload not found. Building..."
+        ./core_sign_update \
+            --image "${DATA_DIR}/flatcar_production_update.bin" \
+            --kernel "${DATA_DIR}/flatcar_production_image.vmlinuz" \
+            --output "${OUTPUT_PATH}" \
+            --private_keys "${PRIVATE_KEYS}" \
+            --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
+            --keys_separator "+"
+    else
+        echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
+        exit 1
+    fi
+    
+    echo "Payload generated: ${OUTPUT_PATH}"
+done
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@ -93,8 +93,12 @@ RDEPEND="${RDEPEND}

 # Host dependencies that are needed to create and sign images
 # TODO:	sys-apps/mosys
+# app-crypt/ccid is required for pcsc-lite daemon to work.
 RDEPEND="${RDEPEND}
 	sys-fs/squashfs-tools
+	dev-libs/libp11
+	dev-libs/opensc
+	app-crypt/ccid
 	"

 # Host dependencies that are needed for delta_generator.
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="a482cb4b69ffa5cf92d9cd719409e7abd7f382a3" # flatcar-master
+	CROS_WORKON_COMMIT="937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi

@ -183,6 +183,12 @@ src_install() {
 	if use arm64; then
 		sed -i -e '/pam_sss.so/d' "${D}"/usr/lib/pam.d/* || die
 	fi
+
+	if use cros_host; then
+		# inject custom SSL configuration required for signing payloads from the SDK container using OpenSSL.
+		insinto "/etc/ssl/"
+		doins "${S}/baselayout/pkcs11.cnf"
+	fi
 }

 pkg_postinst() {
--- a/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild
@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=46
--- a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild
@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=47
--- a/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=85
--- a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
@ -0,0 +1,13 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+DESCRIPTION="A user for pcsc-lite"
+ACCT_USER_ID=47
+ACCT_USER_GROUPS=( pcscd openct usb )
+ACCT_USER_GROUPS=( pcscd openct )
+
+acct-user_add_deps
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
@ -0,0 +1 @@
+DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
@ -0,0 +1,45 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit udev
+
+DESCRIPTION="CCID free software driver"
+HOMEPAGE="https://ccid.apdu.fr https://github.com/LudovicRousseau/CCID"
+SRC_URI="https://ccid.apdu.fr/files/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ppc ppc64 ~riscv ~sparc x86"
+IUSE="twinserial +usb"
+
+RDEPEND="
+	>=sys-apps/pcsc-lite-1.8.3
+	twinserial? ( dev-lang/perl )
+	usb? ( virtual/libusb:1 )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+src_configure() {
+	econf \
+		LEX=: \
+		$(use_enable twinserial) \
+		$(use_enable usb libusb)
+}
+
+src_install() {
+	default
+	udev_newrules src/92_pcscd_ccid.rules 92-pcsc-ccid.rules
+}
+
+pkg_postinst() {
+	udev_reload
+	einfo "Check https://github.com/LudovicRousseau/CCID/blob/master/INSTALL"
+	einfo "for more info about how to configure and use ccid"
+}
+
+pkg_postrm() {
+	udev_reload
+}
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+	<use>
+		<flag name="twinserial">Enable twinserial reader</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">LudovicRousseau/CCID</remote-id>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest
@ -0,0 +1 @@
+DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch
@ -0,0 +1,50 @@
+https://github.com/OpenSC/libp11/pull/503
+https://bugs.gentoo.org/910203
+
+From 580c12b78b63d88010a6178d7c4c58186938c479 Mon Sep 17 00:00:00 2001
+From: Dominique Leuenberger <dimstar@opensuse.org>
+Date: Tue, 6 Jun 2023 14:27:46 +0200
+Subject: [PATCH] Detect openSSL 3.1; compatible to openSSL 3.0
+
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index d6b0ee91..b96979d9 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
+ # issues with applications linking to new openssl, old libp11, and vice versa
+ case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
+ 	$PKG_CONFIG --modversion openssl`" in
+-	3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 	    LIBP11_LT_OLDEST="3"
+ 	    debian_ssl_prefix="openssl-3.0.0";;
+ 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
+From 0697773b403efb8e7fa9f0c0fddcb499fb9b6337 Mon Sep 17 00:00:00 2001
+From: Mike Gilbert <floppym@gentoo.org>
+Date: Thu, 13 Jul 2023 13:52:54 -0400
+Subject: [PATCH] configure: treat all openssl-3.x releases the same
+
+OpenSSL's soversion will not change for any 3.x minor release.
+
+https://www.openssl.org/policies/general/versioning-policy.html
+---
+ configure.ac | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index b96979d9..c344e84a 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
+ # issues with applications linking to new openssl, old libp11, and vice versa
+ case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
+ 	$PKG_CONFIG --modversion openssl`" in
+-	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
+	3.*) # Predicted engines directory prefix for OpenSSL 3.x
+ 	    LIBP11_LT_OLDEST="3"
+ 	    debian_ssl_prefix="openssl-3.0.0";;
+ 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
@ -0,0 +1,31 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
+HOMEPAGE="https://github.com/opensc/libp11/wiki"
+SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv ~s390 sparc x86"
+IUSE="doc static-libs"
+
+RDEPEND="dev-libs/openssl:=[bindist(+)]"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig
+	doc? ( app-doc/doxygen )"
+
+src_configure() {
+	econf \
+		--enable-shared \
+		$(use_enable static-libs static) \
+		$(use_enable doc api-doc)
+}
+
+src_install() {
+	default
+
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
@ -0,0 +1,51 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools
+
+DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
+HOMEPAGE="https://github.com/opensc/libp11/wiki"
+SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+IUSE="doc static-libs test"
+RESTRICT="!test? ( test )"
+
+RDEPEND="
+	<dev-libs/openssl-3.1.4:=[bindist(+)]
+"
+DEPEND="${RDEPEND}
+	test? ( dev-libs/softhsm )
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( app-doc/doxygen )
+	test? ( >=dev-libs/opensc-0.23.0-r2 )
+"
+
+src_prepare() {
+	local PATCHES=(
+		"${FILESDIR}"/libp11-0.4.12-openssl-3.1.patch
+	)
+	default
+	eautoreconf
+}
+
+src_configure() {
+	local args=(
+		--enable-shared
+		$(use_enable static-libs static)
+		$(use_enable doc api-doc)
+	)
+	econf "${args[@]}"
+}
+
+src_install() {
+	default
+
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/metadata.xml
@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+	<longdescription>
+		Library implementing a small layer on top of PKCS#11 API to make
+		using PKCS#11 implementations easier.
+	</longdescription>
+	<use>
+		<flag name="doc">Generate and install API documentation for the package.</flag>
+	</use>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:opensc-project:libp11</remote-id>
+		<remote-id type="github">opensc/libp11</remote-id>
+		<remote-id type="sourceforge">opensc</remote-id>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
@ -0,0 +1 @@
+DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
@ -0,0 +1,49 @@
+From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
+++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
+	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
+		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
+			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
@ -0,0 +1,215 @@
+https://bugs.gentoo.org/909781
+https://github.com/OpenSC/libp11/issues/478
+https://github.com/OpenSC/OpenSC/pull/2656
+
+From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:08:53 +0100
+Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
+
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index aae205fe2c..cfee8526d5 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 		RSA_get0_factors(r, &r_p, &r_q);
+ 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
+ #else
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
+		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
+ 			util_fatal("OpenSSL error during RSA private key parsing");
+			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:11:41 +0100
+Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
+
+---
+ src/tools/pkcs11-tool.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index cfee8526d5..f2e6b1dd91 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
+ 	r = EVP_PKEY_get1_RSA(pkey);
+ 	if (!r) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
+		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	}
+ 
+ 	RSA_get0_key(r, &r_n, &r_e, NULL);
+@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
+ 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
+ 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
+		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
+			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	 }
+ #endif
+ 	RSA_GET_BN(rsa, modulus, r_n);
+@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			util_fatal("OpenSSL error during RSA private key parsing");
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+			util_fatal("OpenSSL error during RSA private key parsing: %s",
+				ERR_error_string(ERR_peek_last_error(), NULL));
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:38:31 +0100
+Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
+
+---
+ tests/Makefile.am                | 10 ++++---
+ tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 4 deletions(-)
+ create mode 100755 tests/test-pkcs11-tool-import.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d378e2ee00..9d8a24c321 100644
+--- a/tests/Makefile.am
+++ b/tests/Makefile.am
+@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
+                       test-pkcs11-tool-test-threads.sh \
+                       test-pkcs11-tool-sign-verify.sh \
+                       test-pkcs11-tool-allowed-mechanisms.sh \
+-                      test-pkcs11-tool-sym-crypt-test.sh\
+-                      test-pkcs11-tool-unwrap-wrap-test.sh
+                      test-pkcs11-tool-sym-crypt-test.sh \
+                      test-pkcs11-tool-unwrap-wrap-test.sh \
+                      test-pkcs11-tool-import.sh
+ 
+ .NOTPARALLEL:
+ TESTS = \
+@@ -25,8 +26,9 @@ TESTS = \
+         test-pkcs11-tool-test.sh \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-allowed-mechanisms.sh \
+-        test-pkcs11-tool-sym-crypt-test.sh\
+-        test-pkcs11-tool-unwrap-wrap-test.sh
+        test-pkcs11-tool-sym-crypt-test.sh \
+        test-pkcs11-tool-unwrap-wrap-test.sh \
+        test-pkcs11-tool-import.sh
+ XFAIL_TESTS = \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-test.sh
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+new file mode 100755
+index 0000000000..76ff8e51be
+--- /dev/null
+++ b/tests/test-pkcs11-tool-import.sh
+@@ -0,0 +1,48 @@
+#!/bin/bash
+SOURCE_PATH=${SOURCE_PATH:-..}
+
+source $SOURCE_PATH/tests/common.sh
+
+echo "======================================================="
+echo "Setup SoftHSM"
+echo "======================================================="
+if [[ ! -f $P11LIB ]]; then
+    echo "WARNING: The SoftHSM is not installed. Can not run this test"
+    exit 77;
+fi
+card_setup
+
+ID="0100"
+OPTS=""
+for KEYTYPE in "RSA" "EC"; do
+    echo "======================================================="
+    echo "Generate and import $KEYTYPE keys"
+    echo "======================================================="
+    if [ "$KEYTYPE" == "RSA" ]; then
+        ID="0100"
+    elif [ "$KEYTYPE" == "EC" ]; then
+        ID="0200"
+        OPTS="-pkeyopt ec_paramgen_curve:P-521"
+    fi
+    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
+    assert $? "Failed to generate private $KEYTYPE key"
+    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
+        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
+    assert $? "Failed to write private $KEYTYPE key"
+
+    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
+    assert $? "Failed to convert private $KEYTYPE key to public"
+    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
+        -p $PIN --module $P11LIB
+    assert $? "Failed to write public $KEYTYPE key"
+    # certificate import already tested in all other tests
+
+    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
+done
+
+echo "======================================================="
+echo "Cleanup"
+echo "======================================================="
+card_cleanup
+
+exit $ERRORS
+
+From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jakuje@gmail.com>
+Date: Fri, 2 Dec 2022 18:07:43 +0100
+Subject: [PATCH 4/4] Simplify the new test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
+---
+ tests/test-pkcs11-tool-import.sh | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+index 76ff8e51be..c90b3b4926 100755
+--- a/tests/test-pkcs11-tool-import.sh
+++ b/tests/test-pkcs11-tool-import.sh
+@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
+ fi
+ card_setup
+ 
+-ID="0100"
+-OPTS=""
+ for KEYTYPE in "RSA" "EC"; do
+     echo "======================================================="
+     echo "Generate and import $KEYTYPE keys"
+     echo "======================================================="
+-    if [ "$KEYTYPE" == "RSA" ]; then
+-        ID="0100"
+-    elif [ "$KEYTYPE" == "EC" ]; then
+    ID="0100"
+    OPTS=""
+    if [ "$KEYTYPE" == "EC" ]; then
+         ID="0200"
+         OPTS="-pkeyopt ec_paramgen_curve:P-521"
+     fi
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
@ -0,0 +1,39 @@
+https://bugs.gentoo.org/909781
+https://github.com/OpenSC/OpenSC/pull/2765
+
+From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001
+From: Peter Popovec <popovec.peter@gmail.com>
+Date: Fri, 28 Apr 2023 10:50:25 +0200
+Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID
+
+"object_id[]" and "id_len" must be allocated so that it is not deallocated
+or overwritten (on the stack) at the time of the C_UnwrapKey() call.
+
+	modified:   src/tools/pkcs11-tool.c
+---
+ src/tools/pkcs11-tool.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 890ca27060..f3a01ab4cf 100644
+--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
+@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session)
+ 		{CKA_CLASS, &secret_key_class, sizeof(secret_key_class)},
+ 		{CKA_TOKEN, &_true, sizeof(_true)},
+ 	};
+	CK_BYTE object_id[100];
+	size_t id_len;
+ 	CK_OBJECT_HANDLE hSecretKey;
+ 	int n_attr = 2;
+ 	CK_RV rv;
+@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session)
+ 	}
+ 
+ 	if (opt_application_id != NULL) {
+-		CK_BYTE object_id[100];
+-		size_t id_len;
+-
+ 		id_len = sizeof(object_id);
+ 		if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) {
+ 			FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len);
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module
@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: onepin-opensc-pkcs11.so
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml
@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>soap@gentoo.org</email>
+		<name>David Seifert</name>
+	</maintainer>
+	<longdescription>
+		OpenSC is a library for accessing SmartCard devices. It is also
+		the core library of the OpenSC project.
+
+		Basic functionality (e.g. SELECT FILE, READ BINARY) should work on
+		any ISO 7816-4 compatible SmartCard.  Encryption and decryption
+		using private keys on the SmartCard is possible with PKCS #15
+		compatible cards, such as the FINEID (Finnish Electronic IDentity)
+		card.
+	</longdescription>
+	<use>
+		<flag name="ctapi">Use CT-API for accessing Smartcard hardware</flag>
+		<flag name="notify">Enable notifications</flag>
+		<flag name="openct">Use <pkg>dev-libs/openct</pkg> (and CT-API) for accessing Smartcard hardware</flag>
+		<flag name="pace">Use <pkg>dev-libs/openpace</pkg> for EAC version 2 support</flag>
+		<flag name="pcsc-lite">Use <pkg>sys-apps/pcsc-lite</pkg> (and PC/SC API) for accessing Smartcard hardware</flag>
+		<flag name="secure-messaging">Enable secure messaging</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">OpenSC/OpenSC</remote-id>
+		<remote-id type="sourceforge">opensc</remote-id>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild
@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2023-2977.patch
+	"${FILESDIR}"/${P}-backport-pr2656.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
@ -0,0 +1,82 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2023-2977.patch
+	"${FILESDIR}"/${P}-backport-pr2656.patch
+	"${FILESDIR}"/${P}-backport-pr2765.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 libtool
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~ppc64 ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} == *9999 ]]; then
+		eautoreconf
+	else
+		elibtoolize
+	fi
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest
@ -0,0 +1,2 @@
+DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c
+DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules
@ -0,0 +1,6 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# We add this here so that it runs after ccid's and ifd-gempc's rules;
+# if we just added a pcscd-owned device, we hotplug the pcscd service.
+ACTION=="add", ENV{PCSCD}=="1", GROUP="pcscd", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service", RUN+="pcscd.sh"
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch
@ -0,0 +1,20 @@
+Index: pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
+===================================================================
+--- pcsc-lite-1.8.11.orig/doc/org.debian.pcsc-lite.policy
+++ pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
+@@ -15,6 +15,7 @@
+       <allow_inactive>auth_admin</allow_inactive>
+       <allow_active>yes</allow_active>
+     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
+   </action>
+ 
+   <action id="org.debian.pcsc-lite.access_card">
+@@ -25,6 +26,7 @@
+       <allow_inactive>auth_admin</allow_inactive>
+       <allow_active>yes</allow_active>
+     </defaults>
+    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
+   </action>
+ 
+ </policyconfig>
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch
@ -0,0 +1,18 @@
+Don't run the daemon as root
+https://bugs.gentoo.org/545390
+
+--- a/etc/pcscd.service.in
+++ b/etc/pcscd.service.in
+@@ -4,9 +4,12 @@
+ Documentation=man:pcscd(8)
+ 
+ [Service]
+PIDFile=/run/pcscd/pcscd.pid
+ ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS
+ ExecReload=@sbindir_exp@/pcscd --hotplug
+ EnvironmentFile=-@sysconfdir@/default/pcscd
+User=pcscd
+Group=pcscd
+ 
+ [Install]
+ Also=pcscd.socket
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7
@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="PC/SC Daemon"
+
+pidfile=/run/pcscd/pcscd.pid
+
+command=/usr/sbin/pcscd
+command_args="${EXTRA_OPTS}"
+
+start_stop_daemon_args="--user pcscd:pcscd"
+
+depend() {
+	need localmount
+	after udev openct dbus
+	use logger
+}
+
+start_pre() {
+	checkpath -q -d -m 0755 -o pcscd:pcscd /run/pcscd
+}
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# pcscd.sh: udev external RUN script
+#
+# based on netifrc net.sh helper
+# Copyright 2007 Roy Marples <uberlord@gentoo.org>
+# Distributed under the terms of the GNU General Public License v2
+
+# make sure openrc is managing services
+if [ ! -d /run/openrc ]; then
+	exit 0
+fi
+
+IN_HOTPLUG=1 /etc/init.d/pcscd --quiet start
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
@ -0,0 +1 @@
+d /run/pcscd 0755 pcscd pcscd -
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<use>
+		<flag name="embedded">limit RAM and CPU ressources by disabling features</flag>
+		<flag name="libusb" restrict="&gt;=sys-apps/pcsc-lite-1.8.0">Use <pkg>dev-libs/libusb</pkg> detection to hotplug new smartcard readers. This flag should only be enabled if you're running a non-Linux kernel or you don't want to use udev.</flag>
+		<flag name="udev">Use <pkg>virtual/libudev</pkg> rules to handle devices' permissions and hotplug support. Unless you know what you're doing do not disable this flag on Linux kernels. This is provided as an option for completeness.</flag>
+		<flag name="policykit">Uses <pkg>sys-auth/polkit</pkg> to restrict access to smartcard readers or smartcards to given users.</flag>
+	</use>
+	<upstream>
+		<changelog>https://salsa.debian.org/rousseau/PCSC/blob/master/ChangeLog</changelog>
+		<remote-id type="github">LudovicRousseau/PCSC</remote-id>
+	</upstream>
+</pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild
@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+	libusb? ( virtual/libusb:1 )
+	udev? ( virtual/libudev:= )
+	policykit? ( >=sys-auth/polkit-0.111 )
+	acct-group/openct
+	acct-group/pcscd
+	acct-user/pcscd
+	${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-pcscd )"
+BDEPEND="
+	sys-devel/flex
+	virtual/pkgconfig"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		--disable-maintainer-mode \
+		--disable-strict \
+		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+		--enable-ipcdir=/run/pcscd \
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+		$(multilib_native_use_enable doc documentation) \
+		$(multilib_native_use_enable embedded) \
+		$(multilib_native_use_enable systemd libsystemd) \
+		$(multilib_native_use_enable udev libudev) \
+		$(multilib_native_use_enable libusb) \
+		$(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	dodoc HELP SECURITY
+
+	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+	dotmpfiles "${FILESDIR}"/pcscd.conf
+
+	if use udev; then
+		exeinto "$(get_udevdir)"
+		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+		insinto "$(get_udevdir)"/rules.d
+		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+	fi
+
+	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+	elog "the pcscd group, to avoid running as root."
+	elog
+	elog "This also means you need the newest drivers available so that the"
+	elog "devices get the proper owner."
+	elog
+	elog "Furthermore, a conf.d file is no longer installed by default, as"
+	elog "the default configuration does not require one. If you need to"
+	elog "pass further options to pcscd, create a file and set the"
+	elog "EXTRA_OPTS variable."
+	elog
+
+	if use udev; then
+		elog "Hotplug support is provided by udev rules."
+		elog "When using OpenRC you additionally need to tell it to hotplug"
+		elog "pcscd by setting this variable in /etc/rc.conf:"
+		elog
+		elog "    rc_hotplug=\"pcscd\""
+	fi
+
+	tmpfiles_process pcscd.conf
+
+	use udev && udev_reload
+}
+
+pkg_postrm() {
+	use udev && udev_reload
+}
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+	libusb? ( virtual/libusb:1 )
+	udev? ( virtual/libudev:= )
+	policykit? ( >=sys-auth/polkit-0.111 )
+	acct-group/openct
+	acct-group/pcscd
+	acct-user/pcscd
+	${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-pcscd )"
+BDEPEND="
+	sys-devel/flex
+	virtual/pkgconfig"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		--disable-maintainer-mode \
+		--disable-strict \
+		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+		--enable-ipcdir=/run/pcscd \
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+		$(multilib_native_use_enable doc documentation) \
+		$(multilib_native_use_enable embedded) \
+		$(multilib_native_use_enable systemd libsystemd) \
+		$(multilib_native_use_enable udev libudev) \
+		$(multilib_native_use_enable libusb) \
+		$(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	dodoc HELP SECURITY
+
+	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+	dotmpfiles "${FILESDIR}"/pcscd.conf
+
+	if use udev; then
+		exeinto "$(get_udevdir)"
+		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+		insinto "$(get_udevdir)"/rules.d
+		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+	fi
+
+	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+	elog "the pcscd group, to avoid running as root."
+	elog
+	elog "This also means you need the newest drivers available so that the"
+	elog "devices get the proper owner."
+	elog
+	elog "Furthermore, a conf.d file is no longer installed by default, as"
+	elog "the default configuration does not require one. If you need to"
+	elog "pass further options to pcscd, create a file and set the"
+	elog "EXTRA_OPTS variable."
+	elog
+
+	if use udev; then
+		elog "Hotplug support is provided by udev rules."
+		elog "When using OpenRC you additionally need to tell it to hotplug"
+		elog "pcscd by setting this variable in /etc/rc.conf:"
+		elog
+		elog "    rc_hotplug=\"pcscd\""
+	fi
+
+	tmpfiles_process pcscd.conf
+
+	use udev && udev_reload
+}
+
+pkg_postrm() {
+	use udev && udev_reload
+}
				`@ -0,0 +1 @@`
				`DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e`
				`@ -0,0 +1 @@`
				`DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc`
				`@ -0,0 +1 @@`
				`DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b`