Merge pull request #1149 from flatcar/tormath1/sign

core_sign_update: use pkcs11 openssl engine
2025-08-10 14:36:58 +02:00 · 2024-01-23 17:11:30 +01:00 · 2024-01-23 17:11:30 +01:00 · 0987e80f53
commit 0987e80f53
parent 018778e391 05d4afbcc3
42 changed files with 1665 additions and 3 deletions
--- a/.github/workflows/portage-stable-packages-list
+++ b/.github/workflows/portage-stable-packages-list
@ -17,7 +17,9 @@ acct-group/messagebus
 acct-group/netperf
 acct-group/nobody
 acct-group/ntp
 acct-group/openct
 acct-group/pcap
 acct-group/pcscd
 acct-group/polkitd
 acct-group/portage
 acct-group/render
@ -34,6 +36,7 @@ acct-group/systemd-timesync
 acct-group/tape
 acct-group/tss
 acct-group/tty
 acct-group/usb
 acct-group/users
 acct-group/utmp
 acct-group/uucp
@ -47,6 +50,7 @@ acct-user/netperf
 acct-user/nobody
 acct-user/ntp
 acct-user/pcap
 acct-user/pcscd
 acct-user/polkitd
 acct-user/portage
 acct-user/root
@ -102,6 +106,7 @@ app-containers/runc
 app-crypt/adcli
 app-crypt/argon2
 app-crypt/efitools
 app-crypt/ccid
 app-crypt/libb2
 app-crypt/libmd
 app-crypt/mhash
@ -197,6 +202,7 @@ dev-libs/libnl
 dev-libs/libpcre
 dev-libs/libpcre2
 dev-libs/libpipeline
 dev-libs/libp11
 dev-libs/libsodium
 dev-libs/libtasn1
 dev-libs/libunistring
@ -213,6 +219,7 @@ dev-libs/nettle
 dev-libs/npth
 dev-libs/nspr
 dev-libs/oniguruma
 dev-libs/opensc
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/userspace-rcu
@ -468,6 +475,7 @@ sys-apps/miscfiles
 sys-apps/net-tools
 sys-apps/nvme-cli
 sys-apps/pciutils
 sys-apps/pcsc-lite
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox
--- a/9
+++ b/9
@ -136,7 +136,7 @@ i=1
 signature_sizes=""
 for key in "${private_keys[@]}"; do
 	if [[ "${key}" == pkcs11* ]]; then
-		openssl rsautl -engine pkcs11 -pkcs -sign -inkey ${key} -keyform engine -in update.pkcs11-padhash -out update.sig.${i}
+		OPENSSL_CONF=/etc/ssl/pkcs11.cnf openssl pkeyutl -engine pkcs11 -sign -keyform engine -inkey "${key}" -in update.pkcs11-padhash -out "update.sig.${i}"
 	elif [[ "${key}" == fero* ]]; then
 		fero-client \
 			--address $FLAGS_signing_server_address \
@ -163,8 +163,13 @@ delta_generator --signature_file ${files} --in_file update --out_file update.sig
 i=1
 for key in "${public_keys[@]}"; do
 	version="${i}"
 	if [ ${#public_keys[@]} == 1 ]; then
 		version=2
 	fi
 	delta_generator \
-		--public_key_version "${i}" \
+		--public_key_version "${version}" \
 		--public_key "${key}" \
 		--in_file update.signed
--- a/data/download_payloads
+++ b/data/download_payloads
@ -0,0 +1,37 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [ $# -lt 1 ] || [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  echo "Usage: $0 RELEASE_DESCRIPTORS..."
  echo "Example: $0 alpha:1786.0.0 beta:1781.2.0"
  echo "Downloads the release update payloads to ARCH-usr/VERSION/ folders."
  echo "Expected to be run in .../sdk/src/scripts/data/"
  echo "(usually before entering the chroot and running ./generate_payload data/ARCH-usr/VERSION/ keys/)."
  exit 1
 fi
 if [ "$(basename "${PWD}")" != "data" ] || [ "$(basename "$(readlink -f ..)")" != "scripts" ]; then
  echo "Expected to be run in .../sdk/src/scripts/data/" >&2
  exit 1
 fi
 # Same as in copy-to-origin.sh and set-symlink.sh
 for TUPLE_COL in "$@"; do
  IFS=":" read -r -a TUPLE <<< "${TUPLE_COL}"
  CHANNEL="${TUPLE[0]}"
  VERSION="${TUPLE[1]}"
  for ARCH in amd64 arm64; do
    echo "Downloading ${CHANNEL} ${VERSION} ${ARCH}"
    rm -rf "${ARCH}-usr/${VERSION}"
    mkdir -p "${ARCH}-usr/${VERSION}" && cd "${ARCH}-usr/${VERSION}"
    BASEURL="https://bincache.flatcar-linux.net/images/${ARCH}/${VERSION}/"
    # Note: Don't replace this with 'mapfile -t array < <(curl)' or 'read -r -a array <<< "$(curl)"' because that has no error checking
    EXTRA_PAYLOADS=($(curl -H 'Accept: application/json' -fsSL "${BASEURL}" | jq -r ".[].name" | { grep -P '^(oem|flatcar)-.*raw(.sig)?$' || true ; }))
    wget "${BASEURL}"{flatcar_production_update.bin.bz2,flatcar_production_update.bin.bz2.sig,flatcar_production_image.vmlinuz,flatcar_production_image.vmlinuz.sig}
    for EXTRA_PAYLOAD in "${EXTRA_PAYLOADS[@]}"; do
      wget "${BASEURL}${EXTRA_PAYLOAD}"
    done
    cd ../..
  done
 done
 echo "Success"
--- a/433
+++ b/433
@ -0,0 +1,433 @@
 #!/usr/bin/env bash
 set -e
 if [ $# -lt 1 ]; then
    echo "usage: $0 alpha:1786.0.0 beta:1781.2.0"
    exit 1
 fi
 # DOWNLOAD can be set to 1 to download release artifacts automatically.
 DOWNLOAD="${DOWNLOAD:-0}"
 if [ -z "${PRIVATE_KEYS}" ]; then
    echo "PRIVATE_KEYS must be set using the URI form (https://www.rfc-editor.org/rfc/rfc7512#section-2.3)"
    echo "or using an absolute or relative path."
    echo "e.g export PRIVATE_KEYS=pkcs11:id=%1?pin-value=12345"
    echo "NOTE: If multiple keys are available, use '+' as a separator"
    exit 1
 fi
 # Image signing key:
 # $ gpg2 --list-keys --list-options show-unusable-subkeys \
 #     --keyid-format SHORT F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
 # pub   rsa4096/0593B34A 2018-02-26 [SC]
 #       F88CFEDEFF29A5B4D9523864E25D9AED0593B34A
 # uid         [ultimate] Flatcar Buildbot (Official Builds) <buildbot@flatcar-linux.org>
 # sub   rsa4096/064D542D 2018-02-26 [S] [revoked: 2018-03-14]
 # sub   rsa4096/D0FC498C 2018-03-14 [S] [revoked: 2018-09-26]
 # sub   rsa4096/896E394F 2018-09-26 [S] [expires: 2019-09-26]
 # sub   rsa4096/AF9CF1AF 2019-09-30 [S] [expires: 2020-09-29]
 # sub   rsa4096/FCBEAB91 2020-08-28 [S] [expires: 2021-08-28]
 # sub   rsa4096/250D4A42 2021-08-10 [S] [expires: 2022-08-10]
 GPG_LONG_ID="E25D9AED0593B34A"
 GPG_KEY="-----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBFqUFawBEACdnSVBBSx3negnGv7Ppf2D6fbIQAHSzUQ+BA5zEG02BS6EKbJh
 t5TzEKCRw6hpPC4vAHbiO8B36Y884sSU5Wc4WMiuJ0Z4XZiZ/DAOl5TFfWwhwU0l
 SEe/3BWKRtldEs2hM/NLT7A2pLh6gx5NVJNv7PMTDXVuS8AGqIj6eT41r6cPWE67
 pQhC1u91saqIOLB1PnWxw/a7go9x8sJBmEVz0/DRS3dw8qlTx/aKSooyaGzZsfAY
 L1+a/xst8LG4xfyHBSAuHSqi76LXCdBogU2vgz2V46z29hYRDfQQQGb4hE7UCrLp
 EBOVzdQv/vAA9B4FTB+f5a7Vi4pQnM4DBqKaf8XP4wgQWBW439yqna7rKFAW+JIr
 /w8YbczTTlJ2FT8v8z5tbMOZ5a6nXAn45YXh5d80CzqEVnaG8Bbavw3WR3jD81BO
 0WK+K2FcEXzOtWkkwmcj9PrOKVnBmBv5I+0xtpo9Do0vyONyXPDNH/I4b3xilupN
 bWV1SXUu8jpCf/PaNrj7oKHB9Nciv+4lqu/L5YmbaSLBxAvHSsxRpKV53dFtU+sR
 kQM5I774B+GnFvhd6k2uMerWFaA1aq7gv0oOm/H5ZkndR5+eS0SAx49OrMbxKkk0
 OKzVVxFDJ4pJWyix3dL7CwmewzuI0ZFHCANBKbiILEzDugAD3mEUZxa8lQARAQAB
 tD9GbGF0Y2FyIEJ1aWxkYm90IChPZmZpY2lhbCBCdWlsZHMpIDxidWlsZGJvdEBm
 bGF0Y2FyLWxpbnV4Lm9yZz6JAk4EEwEIADgWIQT4jP7e/ymltNlSOGTiXZrtBZOz
 SgUCWpQVrAIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDiXZrtBZOzSi5G
 EACHLSjK24szSj4O8/N9B6TOLnNPJ17At/two/iHfTxrT8lcLM/JQd97wPqH+mVK
 hrZ8tCwTZemVeFNXPVy98VYBTjAXscnVh/22DIEYs1wbjD6w8TwgUvzUzpaQJUVu
 YlLG3vGAMGaK5FK41BFtsIkar6zaIVy5BPhrA6ASsL9wg9bwSrXT5eKksbaqAZEG
 sMiYZxYWzxQHlPu19afxmzBJdVY9YUHEqBYboslGMlLcgErzF7CaiLjDEPkt5Cic
 9J3HjIJwlKmVBT6DBdt/tuuzHQntYfPRfOaLVtF/QxRxKNyBtxYndG6k9Vq/cuIN
 i5fHpyZ66+9cwswrLISQpAVWa0AW/TENuduj8IU24zCGL7RZVf0jnmALrqkmBTfY
 KwtTdpaFle0dC7QP+B27vT/GhBao9KVazfLoAT82bt3hXqjDciAKAstEbqxs75f2
 JhIl0HvqyJ47zY/5zphxZlZ+TfqLvJPoEujEUeuEgKm8xmSgtR/49Ysal6ELxbEg
 hc6qLINFeSjyRL20aQkeXtQjmZJGuXbUsLBSbVgUOEU+4vvID7EiYyV7X36OmS5N
 4SV0MD0bNF578rL4UwhH1WSDSAgkmrfAhgFNof+MlI4qbn39tPiAT9J9dpENay0r
 +yd59VhILA3eafkC6m0rtpejx81sDNoSp3UkUS1Qq167ZLkCDQRalBYrARAAsHEO
 v6b39tgGxFeheiTnq5j6N+/OjjJyG21x2Y/nSU5lgqPD8DtgKyFlKvP7Xu+BcaZ7
 hWjL0scvq0LOyagWdzWx5nNTSLuf8e+ShlcIs3u8kFX8QMddyD5l76S7nTl9kE1S
 i2WkO6B4JgzRQCAQyr2B/knfE2wrxPsJsnB1qzRIAXHKvs8ev8bR+FfFSENxI5Jg
 DoU3KbcyJ5lMKdVhIhSyGSPi1/emEpbEIv1XYV9l8g4b6Ht5fVsgeYUZbOF/z5Gc
 +Kwf3ikGr3KCM/fl06xS/jpqM08Z/Uyei/L8b7tv9Wjop5SXN0yPAr0KIGQdnq5z
 GMPf9rkG0Xg47JSQcvDJb0o/Ybi3ND3Mj/Ci8q5UtBgs9PWVBS4JyihKYx2Lb+Wj
 +LERdEuv2qRPXO045VgOT5g0Ntlc8EvmX3ulofbM2f1DnPnq3OxuYRIscR/Nv4gi
 coNLexv/+mmhdxVJKCSTVPp4SoK4MdBOT0B6pzZjcQBI1ldePQmRZMQgonekUaje
 wWy1hp9o+7qJ8yFkkaLTplbZjQtcwfI7cGqpogQmsIzuxCKxb1ze/jed/ApEj8RD
 6+RO/qa3R4EGKlSW7FZH20oEDLyFyeOAmSbZ8cqPny6m8egP5naXwWka4aYelObn
 5VY6OdX2CJQUuIq8lXue8wOAPpkPB61JnVjQqaUAEQEAAYkCNgQoAQgAIBYhBPiM
 /t7/KaW02VI4ZOJdmu0Fk7NKBQJaqVa3Ah0CAAoJEOJdmu0Fk7NK8WMP/R+T//rW
 QeuXMlV+l8bHKcbBGWBvvMV5XcsJKDxtzrclPJLqfuBXSDTwqlirXXqlEeI613kE
 UWG0b0Ny0K87g9CnkbsJiizGtyQJp2HuMnjRivTd/1V30ACCaK01nbu1/sdOk6Y4
 Cimv+mGEgzjcXVXs72p+qqhDEaMgf1GYjDrzVHUnKUNIU8QOG2HRVhpP27bOg9Ao
 a9Exdo04w3dXxso3KGeVkEE8dN0rKmHQ67jcCqKogzNlsIujbJkgRbwk/e3BgDWX
 ifQSMW4SAAl/PVP7z3h6QoLcYSddOMMYwqP5Oqe4obBaKgVrn705s/Z0pW5nEzFg
 38hEoJe+CCXjPl0zjHKQGzhwR/MLWvMf6jO06uvASiJuU/hefVCCek9b5SLn+IPU
 J+uLh57F1I7O4ohPWY9+sbrpibx2pcSmcefVMwX/iSt6RNlBITYVQLGN8+/0gcRz
 3jGf7m+M8Y7KYrmFxtwPsFejygDr6VVvoUarPPnJSzP+UdPqzUCcxdnV7Ub4QMRl
 wUyvnwgnpn0xOsZ/Pdh5gOC06Yrkjbr12DWIpUxy/9z/QR2TeImi02trRKpCh9xw
 0bKlsWBt1oUnNnQjnMUB9tmWsF1I6DrO/FUcB+5d7iy+MnPB1LIKS8JokODWIrOq
 dg763UZfGbp4EbLlO1vcwIdKC6AGoS6hoyPUiQRyBBgBCAAmFiEE+Iz+3v8ppbTZ
 Ujhk4l2a7QWTs0oFAlqUFisCGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0W
 IQQeEA3Xpnem+aUyyfm1HeN3Bk1ULQUCWpQWKwAKCRC1HeN3Bk1ULe4hD/0XLBuo
 inLaN2wVQpbjeIEG9Shbaax+BmsuufjiVgNxKEkBg4q6/miCpdpjYmcvv7nNG5uK
 zuQ/fnLzgldiVS0G+0BVBelF1FlT85xaI/enIrsvTauGEsfie7/ljrkV//0MFqdB
 ZnM680JDVbvl8f2RDBACmz3PoJr8kg3PZwvb028effeTqhZ8zA5ZW5rum0Cn6dOb
 v3OrCyQw/aoUvjH65j3T+fr17Em5dYaxNShFxoMBKxSsr+V4opwGEzBRxuoLrzAl
 /LcazNAL/CLj+7JBxFj4FL5fB7VQcBEBDFBwg0ropojUeqT8Y2oyygnwLHc4otwV
 TNxezToTFucnIq87IAqpTdEe3dHXx1CRJAyIeXxh6j+rYpidiL4CegIczva/xE+P
 CqKV1qsGPysD301pXEYy4W1nLuST1tu/xbZCIJdqUwOxsVN5D9UVsFEr4Szfq0QC
 14UQzMeXJSdXE2Z1TAnl7381AUC8LoRp55BH5Jih/zrUT1+HrzwdWBZdBJc04f5I
 RiZqhZ8Goso5Ki6yFGCEXuitQUyWS0OWkZTX4m2rNIiPMw8PVweQ+yeqwaAapfm7
 JX4l3Wa9fRpwK8LLV5/iaXti7IEla51lCCHRn+yM+0XcYI//53qQXVobcaC8Z9uy
 LfJCjCtETknO2/uGL+kNyoZ4ykMfIhqOaxZWnqfzD/4kHM+EB4Yuti1kxFmSdnjp
 MLEOXNFRoJcvPL7kw6ZMQaWZ96UOdlcL2GiHWAyYThsSjWez+kZ60GuDL+JwfQaR
 InavuacP3Dw2eg8/W5XAT/G2EEmA4wuDMXZ07aPa3nJPdlCMcwxQLyHb6ZgModxZ
 IHXaX/JEylapdh0j4sQf5P8OvK2Qq212OVuIaZPnjloQDeJqJTzP9iGDaJ3Ne6gM
 n6nZ3ZIK1qtJc9WxRtjIOLS2ZdMSB5JWb1gE4nEkvDChbWKfeMpv5ox8G6HJe9Xk
 sygGj876vmyAHDwl8zsYMvWeFZONxsahKpDFjXKMcnIpV8ZPfaCT4r4G6x4Qil8u
 A1iwCKXo4d+uq3qrRKyhGOE+B+H/5QCGmmfAXhBVsR2aUldK0kx/IVi7HJD1aBRF
 k+cpC0+vMw4O4f4qXzm2z5qWHftcB/EBhN+h4+IIDSE+wEtz9OdEpXXbPZ1sd7eS
 8K4OjjliG2meTQE/wvn1BNtJVJ2rGQX6moCGx/1FYdLXLROv6hOnBslMVHFRbe+9
 OmTFXEDlb6Nh/08PwYdyqk4qXddebALpC0TmyEty8QnjEmL1IhDtMTDVlj/33imb
 L0waKqGJ5U3s2fA8VaDZQWL6U/c71xtuVFt6trS4rnsoBzlILPfC1n2wpPvKPEHL
 avOKXgf6jXnmSzi5GbnBgbkCDQRaqVbRARAA0R+Z6SrbAI5b8m/j+Q3yc2tc5wDB
 i7Hly0SW95ydLkKGaGvHhpLrBM5WwKdtQzF45A9tlyu6iGys5HWPRW3BqMpZrcv8
 +2QHyoI2lYM/b0ioai2gSZB+lao955iJyBQ8c+pLSybxwcdaXTb6iBLGReCYXlrL
 QL6H+NYw338x8bhRvaDanPQis81GzxtSZgRjtZbAGSvOgq25A3oCTF45O8cfBz+I
 FxNaziS7x6lXuqOatv5n3HzffGOz3q1baKsxMRVGx3PdAI/LvRRd9SeBeTpFZQYY
 ujCC5K8ds7yxB39Hel5llKnoXLHNm/wLGukXY+PtJVzhtBDL0X3o6OUfsb9tPzwM
 oMyA8gRXf94nw2XRT8MMrjGChB7Clfq9AFP3e44D3MaVWbEGOWNG9rQ5s72dk7dF
 K416D5cc+BQ8mvllYzZ8gzOgYKnlfVmhqVDAIkFz601+lLRUdK4pD0t1BCmlINSY
 EKQNmp0NCSNVCbWWscKvTjboqb76oH/hjnIDqh3GeGdnIJ8vGwUdNN2NBA0rrK8o
 +lD1Kc+e6Whe5xORc5krUZYtDCwW6ylRb118rmrHsojxoTH/kGr2IB0po59LT01l
 M6KjLfGWrz76jJZmDLQ2gDBZNjuqDV+raHaKpVgUlbTHvmVvumBCm50Haz5w2vbM
 txDxVhxU1FdYY00AEQEAAYkCNgQoAQgAIBYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NK
 BQJbq1h6Ah0CAAoJEOJdmu0Fk7NKGuAP/0LeLoKVOI8GRiU25bBek4mElKV5YNwU
 8QMf75VPnRxklMFGkrPDuVCHVIsOUGo7jF4EHfH8ACgXNsFx8v9pMgsvk4WvfxbY
 hepoNNOF/PLsPc125Z3hNq3uJsAMEpijNt8pNXgMvYj6mUKRGuMcIm1KLlczknwU
 vtAIWSV+qqpCUL2miVPzp7Y8lexUeB1dsxAiF4btZIJ2i53S72kPMqwLzHdrPxDt
 TiIweNz/T5K+C19MDAZ9AVp5qTcPWhQMDnNz3bY/4B2NcAwPJTCRxt7Ne5Ufxpll
 3D92jwKZxREBdBPlRq/Qr4JEm4VXOw4QLFoU/WOyRBd4q4aNeFR00J5unZ2zcQ/E
 ZL5OvHmkZ2Xl27Cuky1dAnT6hdadjMgWfQB/giXfP8Tu0Qpi7ISv5fEyUh70RpKr
 SPdbUIR92IR8Qu862SSZsn7KoywUb2lFYzj6N9c1XORBexgRQgGAMdcT0REXyyS0
 bl+9aBRntiw00FkEe7V1+EOLTi40bbddLC0Oatxa35lYg38VYmnhHCrkUl3iCLa/
 AlhZmUGXSwmACNRzVRzFPAZMjdql+SEIF0XLYe96sb5twX2aztemy0GMU0ybK3pH
 eYrpccUsPRPiHvT4k5TqAA+D1Y1WDjEhidPCbYeyThhAu+lfJiSVn2ex8ESByA/c
 /QqOMREjkWlwiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAlqpVtEC
 GwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQSmIfHalsk8Y5UGgy1gNEOh
 0PxJjAUCWqlW0QAKCRBgNEOh0PxJjFXaD/0cyALbk6YivbqAMCMXnfBFj5kOoG5T
 EGC7quviOVI+U5yNyFzqJtayfaxX3EsF9IjZR4cW58gdcQALS/gGAukexDigoYUz
 2h1q2r4zr5pxbj+ez9+fftNDpwp7CmuaB5bzVh1bu8gwVJf4yaSsGubBIgfaysB0
 Mzc4eJqIpDFMRQvSOOv7TgzXqAsXQuphoqkB5RuiKtKeugv4qofH5fuM3C/Y4QZ8
 edQlTA41KOay1a76xAK85a8qMCjVQVCrepo5+LYXwZAryp4WKIbTSbUNRr5GGgSa
 UWBe0/Rz5eqOL3r1YV1WzttWgBLzZUZJqvaYoWtfJGwjxDAFebE+meqtLIh/IDEu
 Tc4D3Vge6kCI1jjNDKMZQYf6j1rybKPVzOgkxjCyRcgUI8Y904l9LZ3/BiRV8dY4
 nBjWmCYVJPlAVzfDxFwF+A2kKInskPriiYJpFX8MVjy/6GfkJTtMZo1bovSDZZ0n
 2MbQ+V3mftV8GkL+RPU5xQ79dPx6Ki81Dh31/T0d8FkEpWLbDy3gc1qgvRWcp6bC
 uS1Rg0pf7+ftRYDEW7BBOBzmqfNljolHMWPeZT/1sCs7PmDS+kErZARFm0huMljt
 8MNx50KljIVGDUbjOmDaOopTqKFhho/UTTe1Kho3iwTIYIgrzfuCT7t2k0Wx+/NI
 y6BcGlPHU/R95gl0D/4yrId19rW5h425bWYmKZ6Ilh+H1zipl5OS0iEllmm4sLcp
 Mub2+B+YFU3/EvbF0zkCny2HXy2gyZLhbvNm6Zr4FPW/xfaEnB4OXOOnUbA4+RNf
 7bTngPXwhaxN+wQti+Uo0LcwKAU5KIBC9KcT46NirakEu5+5XaU2r+lsa7hlJWfb
 17e4tmcOB4QfMTsJu+4DcWJqu+cdtm2N4VcorJCvfw/EffnGaGK0mwRvJp7CZiWi
 Vc3T70fH+Rbv6NrgJEFV90XuoetQROwqjBEdbL8iNcuvjWO8j8NSlRKrV+UivP+w
 yDf0UCQoMTnFshBM0ZnW+8i/jqsg3kKxs7xuxCZVMfwxzkNb6h/YlbqjRR/hFZ56
 Chf1guaCfYJn0vCtdTLWimasemZfcKX7oE9EIbrs8FZcd89FkU0wgrJRscoUAiVP
 mbkklT9AvTy7Gp4CCMS8Z22r3Q0d3GgIvFNhakLyDzBKPBf+vJyQEx9SdFIM/Kjv
 4grCEjQNrWXXsh8ecurhciHPuiykffmMYyWUzdcc0pQyyyhoYiGbmflGIKx/6M9D
 OOW2Q4k7ogubPRLZ/nabZnxJdIbi8WVXgSI2JCuO3+i9dpW+Q9s8F5mPht1QmQnI
 ZrA5R/pLRP2oE9x9LDvUPLkQdLIB9RRyTw6D5A1UOI4TuLPOhFpcXqNODjJcO7kC
 DQRbq1i2ARAApdwHI9mdWuHcct2tCY4uRFR9m0CliX2vJ3ZOHBmo1wS3HBv0BkAv
 zmQwOE5xMDk6i9aN/w6fYii0s1Pfj2cwLz8Iw93icnInk7WGU2KoryWM9+KNGIA+
 XOtyobwTh4BHY5ggeYDkdOs7Nrlj1FTlj428NaevU75Cm9xQm6aAZnZZtjSDBTWw
 BuSXfFa70kiZzpwKMP/jB8ylWdA74VzkCFfYcdwJHzzrcDS64VRqNhWM/vRFJmLP
 wN4MHkAE5RDb4cjGAwkwmZQuDzuk2O9oOukxKd7v/ZUmql4k0qDxi3M9dC3SJJ+O
 fVPRlyZ74UVlspgjr5zxSBCerj/aDbVSWWr6JjgeRTQdg6WKhO0+mfmttiANxv/a
 fBMDaxys9ee5sJL+WHP62fucD8ukmMEVM0P971U/JBfV8r8VRpy+OENgt6ynJ9dV
 4YCdOT2xo42YwkBCYcVOF6iY2YqFd3oDSZARqEk4vr+A2/eNDU37+OBWr8E1pfO7
 H6FW4/tVRxYjywat6743e0VTjNbwPGmOFBGc0VuwCJzRsY5dwIi9hlXDGwfNpgzd
 tB+ON4BEY4f8ooSYCfHa9G2HeXj/+txxN6Km8Oh8OnQpyfJ6POQQVXX+bUG1W8EC
 jNBdoi6m00ZqNVtDsNbdKdWTYYhKtgPUOreGmF75k+LLjiqO4jIE1E0AEQEAAYkE
 cgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJbq1i2AhsCBQkB4TOAAkAJ
 EOJdmu0Fk7NKwXQgBBkBCAAdFiEEYozCEpOAZdq047lJqKvwBYluOU8FAlurWLYA
 CgkQqKvwBYluOU9wWBAApKMHrxbOqWa0gij3ODcvzpky76y1YWG45iroC55B56X0
 XslUpHJno7vTLobV5aJDeXlgaYD2ptn53wW31fTZL/1P0lkyIu30OwYwLvOxaFjT
 rsVPCwTz80h6TzsaShFiKirZJhPg5UzC0xfmM4aaQGsoC/Z5pOTyfrYrXgbQPNUJ
 f8zagYqpo0WZoG2R2cNwH5VzlJAv/JBB0SdMVgBS7bUXP1eudqn1gmZxw6GUEGU5
 5tj4X72ceYHiA+MMlKWsvpwJD9iRsl3yuzcBi8yOA0/jSrXu+5BLGaAAXMyMKETg
 +e1ierxZ64yoV+AU6xcKykVzThxG5SoH6NiXsCs0XBOpWxQjfJ4MAeWLfTRMf805
 2OSzRsIf1/p2byyTbuApshp//O9c+jbPgEvG7G4VeQdBROY2/46+XR7Q0BrDMom9
 Bmk93SSbG9oubYKKALrjJaPIzTieLM3t2zLKZ/RJ6JARYDd6+BMdVNs9QS6Hkwq1
 4lIDxz9jqenAXSpnK8fKg2xxzz/UFhoThlY/wlrWP+Sa4FQl1lorcz6Xid+yNoxF
 CZw+iWx7FMng0QDM9rtyhAbFkm7JFnDuojVFeNTdTUy+siAZB0cFdP84BkcYugvx
 WGM8uYydVOrPlI/nzGomgljIqgzvJm+Crun8eYggmItY53U6xDJmQT7Xrtk7YCa+
 0Q/+PRuDorQauvB53mfynLywqxn3h/NyegDrlyq+5Nqsjm3nq0umUSG4/kXMwALy
 0h6boyGWR/rkHnLOE1gLQ6fSlpcN8YHtsW6+czpkVH1b+wws/RPg49muTADHeYeM
 n5eC0aVrUq7D7IVH+UGILDWJuzq2b+jO/IpXd9kIPlwY/2PFIjwfoSd7W+pjgVXh
 6Z+xtWE5mVXnSfxPIXxv/cNd9LtYyT9R6RN7Xu+3hJz/BRp6MUANbdErYD36zERz
 GKUO2eJVbOJReevXb24SZzIJkpBF2qwI5dEl8yk12YpGCu75XtFRux3cVhDpdQsx
 +/RZGV7Id1X55s4/LiqF5PSEFTB4kZpiY+meq3sKOPT+Ra9BLeur8yo7ftMK13WB
 BL2e/mzwfw+s2x1sjWRCuc5KbnK2yTY9ske2hdtAPmVJTDXBO3JWfZj5xKuuc3mp
 q7OEd9+gKTiW4PyZfxQIzwXi9BJ6R3+ax7WYR0bi7Gll0910RNFV3MOiLhupIS0Y
 BuipB6OgQNFUSjB6vammTd3R+98jIrtWyRDHPmdtgRcK86EbRpj6MHd7rATkdG+S
 D0+DXGwfuWIeq2OA+P6lHWEmjlepFSEBS72P5jmpbRtNd+aHN23VesPI/WBQkfBU
 4Tu51CGRd4KZk5ugFZ5YqjaM3m70od1zrsdq+BCNsfzuJqW5Ag0EXZHfzAEQALaX
 xQvhNPHFx5PiroyTkEX95SsFuoMVnkXHfjEsBKStVJ6ZEF6t1PV/q+Kj+rQB25up
 11tfQdElG8Elw46tsvlfWt4uVsdcttUWNHSsygwfmZbQxBVt+nlWXMaC3/124KP4
 ewOn6YAw9biL+cioV0L0fSw1bnUv9LtUZS0h+KuyQ1KFFv015z9uC2LLT/v0XP6S
 8AW9LNrKNI7q6XOW5JpJWSOLGpc6eS5F2T/eplpjxUr1Ua6PSH+g0LJSppbCqIf7
 lNaRCVSSTD2gxCRw1MwWPKqYnseXoilcQe+Zv/wW9k0wyj9ekfkca6mCqBGhe88D
 SqBZVaOfCRNNW1AdsTtIJcW9U1e0WFQIVMCADdLyze7ktTHIc8+/vsVM20/8eMEG
 MSspehWgJOEgNDhPTAHyolfa6z/U/lOvtTMkhO5L6XrIwSDaKvYHqVuRiOoPXYey
 Qfe+PAGszbM9+JH2j3JywKb7RuK5MUL5PBfUGgHseikK2697ix7z2theIjiAO0sm
 /JkLC2Q3zKxQL3szkO70xWB5L2yajifNtvncqqPUvq6aFkxcJ1H4DXoDpdytKBt8
 KtcjJcwPBrw7zMQ+bFXRdTDbtDGZxc0AhhfvboC0NtxzpTi0E2z4gY3YGjseJs6h
 BW4d875PKG8oBsMMNIqjIuldB0vTQQmh45D/DDG9ABEBAAGJBHIEGAEIACYWIQT4
 jP7e/ymltNlSOGTiXZrtBZOzSgUCXZHfzAIbAgUJAeEzgAJACRDiXZrtBZOzSsF0
 IAQZAQgAHRYhBMj+hTEBIuYmdT2wzzvCD/ivnPGvBQJdkd/MAAoJEDvCD/ivnPGv
 9UcP/2s31nMRdyXYAL14xiU5L4lQP2Rsr2BvcsdeCn/ZjK4e5tv52sOAYKkk7yhH
 2Egxss+liM70Tg3XWnTfmrxgM1uY64Pvx5G9qlLoDzXElEAHWlIkyV5bj/SUHS3c
 B2nuZjZEpDgXGYWQaHV5We0QepvV3e3sv9saOcQN5ihlGnr+MlEOxNQbAnOMamWj
 S2ztMakfo/kEH2OuZcikgmT5d2RjQooamgKQXKyVOzOlxYV0L5sGZLSK0DFV3KTI
 Qs/ccfr8MLv902If/mLF62lz5ba24p2wUtM+vrp9EaXWExTYR9WTcYBPM8tG7txF
 q8mopL7siu/fU/XPUitWjSi6ZDX6RFljESjdR3xs7CwI/DErEak2T8Y3/inAHnGM
 HB5amPkqv2LyeEEQ7ZhIjmA4mWgbTsPiQet+qY+GqSKlSIGoJv4KZKBmBKFW6PK6
 xZpWioGj+BLqtduHc0yPf0fW6FDaI57IHMZD8kVXw9dZpn14wExfeYsoptHXRecH
 1ouSWd4/IK6PJRWzoAiOu481IREkDml3Rlhqj6UUr5+eseQ6SFWdFo3KlfC+7O5K
 VsAmEx99bj/9w0NLr2lHw2uEAPTdpDVUWh0hURxCu4uyEVsCdUmNklVAz9t/zqKV
 a8A/MMYxaytsw5e+QftTKPlTBsCJkJo1qypcQDe78OdUIecYABUQAJIDOIV19WSK
 ruQW2ICZdMI/6BbGzrKMvxbJnzdC7PMnJbXDEqzsGMMYziK3Qhf/zi4SpUEP/RRe
 qJJjzzguFYEtP21/ugXFX0/4uWBkGGkPcSmqtanixg1LefJIlw6g1ZWeteU7x68d
 dNyyEC+BP7HaVHX1mCfhkPiPH3zvTa07boOJhsaYWOGyc16RtVlJSJXxgTEY2SJD
 JwtnSf5ujVOfIsOGQVshB95BZdGCYIru+n7YSD0ghcm6az0Dnwr6sscQLYOpwb/O
 mTp8P7lG9aEqbzSPDtVhWrrbIp+jibgTzGu+jqMFFpBSTcD6F3ClAOkmFpj6UHLn
 LnFWBs7rbznZVB1D1EM83ETnE9gc4C3n2OL08kAKHQ1RWDQcG3rU7evgxf0kBFdA
 tgn4tIU2qlyR9MG2hy7wsXA9oR9/CndX+NJrkYSQxiRT9OWi85WBIV6LqkdypE3O
 fbofQWtv8IuFfAv/a8Ah/38hXn2N1KcVm4IbrNeKjrlmVIhVSkHjVQcX5iw/tPuX
 rTqi0XMNnnf0GneaTTVSI1wTa66Ha9SY+MsWKEK7aBI6S+ecpSG7oRhsV7yvzXPQ
 ul9QP/O4K8SmteNujH88+sfj62+0qJeHnxAgMo62VXR9L7a0zSPIQJXpNun6BJn6
 HKbWRxot9GQuVdS+tRnE8fZulLeBvixyuQINBF9I4E0BEADd8vDObd3EctBbBMFc
 8BPjuEgnfC4c+EltYEm69EZvhVh3jtWtSBrTS9AaT+7+Dt2LphDal0Z1u753R6vL
 PVIVt01983cWOP8+tEG8Kj7ghfMV3hBJmYyK8Zumh37L7C9ye/JHUDyePmaDJuCb
 DSwKR6H7UXlAjnmP4gmSLnmAZXBEQX1E3AgZy9qMehRc/F4ZZQlU3bSreyNJCm1F
 3/FNhQRmsUDv4fHcYnWSwbl8OGqmRfCAj+bzWt998zjapvcwEe/OZfqXgdJ9ZWJc
 g8nirp0iwP5bKtC6UTZk5mU6+BukZ4oKhtwlX3/OuHDfshy4+QiSUL3aZhOAVGlx
 n0ZU2ERYFqef2x4+THRj9+Y4pSLNbapSHQgSj7kPupS7txtQnJzm+GxkmbbiwgtZ
 91Dtv6k5hycPiiCV+UfwvnKEA7lGHHkGCdLS/zWBDb8Iq6RwSOrfFlHG8ihR94zK
 rUEYUzrZQa9aCP1aWdrdcr/RejDgNREq+eR3x0OvPqKQRse/NtstvQDzALbztYgR
 7ObQMNrK7F+ba1uF9m3fZFi7l79xFT8kvFOzyBmCdVyxqRrbEmC0svG4x3SUMBEn
 dvNTjnQMId1WYvEkLldp3Waj0Zca2Yf86oWROLW39xVphTH8MouE97fvCNIKzKD9
 L7xF5TJrw02JHW5lR+4rGI8HMwARAQABiQRyBBgBCAAmFiEE+Iz+3v8ppbTZUjhk
 4l2a7QWTs0oFAl9I4E0CGwIFCQHhM4ACQAkQ4l2a7QWTs0rBdCAEGQEIAB0WIQR4
 KzvJ8Qz2OKXc9RBbKRDL/L6rkQUCX0jgTQAKCRBbKRDL/L6rkVMzEACYgX7Yk6hh
 Qp9BW27lwN0dJJ8+8l73SNFoco5nIcLnXZHiLFXygxXe6WJbEV2QXjp9gvFhtvYt
 ijx1RObW8qSnUzSPzYOIo/iYzpe1GgoHmKabF9vD8J3NbLTpt+px2ssIsn/s25fb
 gALBuXbtEx9viPIgpQz3s6LafGO4oPUQr0Q2rTyFdK3ib3X44A36KCh790+Rsqhz
 jgUWAm6LyXgW/QpjFel8QmnVgVmFJWEMttgDWvUtWlgMO+BgS958dDk1L/s9bQc+
 xqsIav2kvdt9c8/3+xOhC/bp5aa0NYGcdYSsOAMVofbG34dntV3/HKUnvCRnZd9T
 2n+s7P1kDnnJTOiVsw9ThF/dvU7zUj4SYvqtYUrwWfd+4xzzXIWISiauZBtx8HOH
 /Wi2li1gLkY1caYRzuJJphFY2bgSeZJQw9sjStVh49yOT9DdT4rNZoTS1HXjLSws
 YdLCYM7I8p3d6qMucqZhJ/usDH5pCSW/j92hHyl3P9M7fCUN2dVIg0OseVY9d8XF
 UnGdwFpbIaXmBbb3blo47CE68U1MUTSegitkJLQPM0YWmK+5+NI+Yh9HynepbAaq
 IVOzjoIMS2wshy4Yxg2zMTj4bWgJ2PhFGtqA4Ia7KP33Qj/iVl6JKEq6axhI7nZu
 8ofvuE7W5JudWR8KKraR9ULU7AEtiU9mask7D/9Y6PgP5rMp6+2uYYxBsc1is9dW
 XqdAVHEUSLroBRaqq3ywi/WsBOZR47J/k1xHeCPiGUot0tlHSKy84danVxFnSZm1
 8QtD6UEDgq0tWNrOSPG6tu+2I/Ma8FGrs6gWZxyVKu3G1HgnZ8gg0NzA5vATa5Kv
 stN3wCtzAU2NqrvP2T4mWeakXmDe61O696h101WfOazGC5NDjWDdTHQLdYdxPzr7
 yDinIBNPwBX9NEmjxS1x/QtMfMzE4hp8AZwEjgnYDWxiG4yFPdfEVlKgy3TxC68l
 VoGyrl3gbTSdXqj+gPHjeVpZviB11WZcEuMdjhKwILS5l4u/gZR1Akw5wPPc4g1O
 71M+qy8wivBs107Yzvin3BqnVjO+ZZ0Wm0HOg/bLYo+7zbWdq/C2PTJdCbKRWa0I
 hpZca59g7ANOc8ycEg7NVFsLwLeWwBwGRMkqQ8ciS6EOXY6VdkGbtZCC8r1SXdgh
 rkvnyXftWOnv/RmQzOchr1wwo2+D9VEu6EhCYBlRTKXZp9FZIF/y4n8eJt4YxaPN
 EoJhXjTMWaFJ4/BHSwgyQDa/LfTik5xZnk3zJb1XW8qQzCYvMkwjxil72kl60l9f
 C38qY4FLQmyjl5vQ3lgACKffbJJ9ujNgMkbNZgOX3dEGr6p0CzMFxLOavvG4a9nu
 ImM5rbOC6ZJdwLUTArkCDQRhEoRvARAArCO3OaYvwccaRumfHLqVyhEKNpeRG31Q
 MrR2QF/gncdpPama8f4sVqY7EJYgT4/zgoTP3mTSNNETj1KzcA+ZhJhzv548JWwt
 jokyFp5POXEq0PbTZ1Zg4/2Gn9QVxWa+dIstK6r2H+jz0oazB5sahf+BlAVH6+1n
 9YFq3utQ/xvkZk+R3qxNdAIDcLKFVUM6Z56fJSnl6Sx2PmJAM2MqZ2oJtfFpa9T/
 xv3Nsb0h4b/WvkM8vVpHqnSYdALlQMlho+lM/c/HiFyr4M8tGm3+SMW2TSP4zEe9
 SEOcfvLHRTpWDebaoMJ9sUU4aLNWswpnQ+YsEcmFvUTtcH6DpHOX3MDL+ol+Uy6I
 pc/ASp+7/pRgO0lqm27lzzNoBp0qdA2J2fgnET+z3HDx3MyliQsaCDf2e25pikLe
 JbtAh362peGWz5GkzqEi0kkbRRftjWLRNSosFEBQPx72jcdh312O3zcBk2q/oiAv
 tbzCUTWohVeL4lXxVMEeey/BLH+/KCyBR9TD/lPi1Hddd6Orrj5kjjWnUeqXPnSO
 RfPwI/zdQM1hECHP1gHp+lLNR0d64vZDN+A3L8YbD6N4qic6fJUXe/VFU7zHOTkb
 QitV6QkhifsJnYrOQbJ4pVVKgU6zvOy4vsSTLUqShvKkzHGbbtyR1zsLGS6nwrHD
 NeWZfEBgKVsAEQEAAYkEcgQYAQgAJhYhBPiM/t7/KaW02VI4ZOJdmu0Fk7NKBQJh
 EoRvAhsCBQkB4TOAAkAJEOJdmu0Fk7NKwXQgBBkBCAAdFiEEhYpWD5fJrrIuwccy
 lh3d1SUNSkIFAmEShG8ACgkQlh3d1SUNSkKoURAAn96VKV6sP9fkMzmf1mdQIfx9
 L++Yy+ZkGi3ZEGnnsPureu9EhaVmIuhhlCJHhgK3T4xqx8Pmn+xKLrnq2/V/xXqt
 HwLsgv+aex+9PnIXITDmXbsoFblt4FDz+mNhiBqXueKc95J5jsdib38nH+qA7v7b
 I5D5VrDYtgEc13KGOtRMeVF/iul/hMF8JJZUL/oQaTtUtk+5w5cmCyGucPj2Ivyd
 el9SLHCZqSc4BHYrHZAUy2IWB9u1y15j82HezcJcxpg355PaG5EnYaDY1wo+ZqMx
 ZvmZB2mUcDh9IKLTngbex0MmCoEr1qBcFrOvp5iZkGl0xmySGlWfAKKDLLL/hfEU
 ahjiFyA4DEooCGR2sPWUgNrEnVANJEBfq1azbouroRfdiSYBv/lqJGJwahPo4NCu
 +kbyERBqYWvAKegjuGy0+rvTicFfaDx824Kt10aDxt56Hqd6/AvQeC+XFSfijpUr
 voPO8pPlwyUEzkxD9h0WbKWTDe3tdP9dILr3jTcBLvJLsUPQ5mrsU7ccB5OtpdOt
 NhIWzjr9jqBvRYm5xoOFh0ox5R0909IIRhwNbQqLDIi/xknK4LBwH1VDnWzc6LtZ
 LHjG0+9mQ5rqXnDotxbsYgJzqab4/lMsiwD7RynzGY4r6bBinOGU6FEST6I2f/TU
 TyRYTcyieT0mwBVJaJBK4Q/9EkVthCy8DLt6D3ZGTRED1Kw8j8+4X2ColntFjHzf
 x1pk8GOAcdOlEQFAzmaexQPfSKZtSXl5BxXkCjFJsXt37BQSgVuYcP5wZgyItlCk
 anDKWUN69AYFJEsaGPwENaYvnqsnisWqdYLoxkC1GsTaaVSsDi+eDPyGqmCmUnBh
 FDzA673kf/mUj+FHRsioncJFwln23Ml4UgGGorpz1DeSHqD0Qp4xwYMNTf8sBHmq
 BtJdFr4en0ajT9QlxADm4uReJMZeQ2LNtDj52UGWO1tcqSQFLhNmPzpMxJ1tjRcl
 McNTzxH9afCj6kd+1Lo3kvnqylUk9S3Hrguj9kp6cMYliVEMmmRs6pQdpcUnCtjx
 SJi/nIzHqZihlAzBn50X+Euare91mKbrmgFc/mvBfbIwILD7ZB+AKAZDLhLSmjlO
 4FSPe6TINjbpNC4aj/sEvShdL2UABOWKP9qG/XIxQCWY9zrvq/AjSlwjrT9ybon9
 Up4P4Y0iST50ruicfF5C63NjZAg0cHtk8wf8uwoqedH0yiHJpWaSDKIH146r8USn
 yr23wLqJv4jzqZyw5/qSpp6pYQ5LMenZLL5AcXwMFHo9w3csh/LCjHxESdS7Jlh6
 SXrvlKGv1V62GtLZE2SqveYjZN1Av8Pa4S1OYfqN262rDUi0vIYvvVYTeuAW8W74
 1b25Ag0EYvTakgEQAJW0+3yvZLYH3v7iT/1FMX0zxDaWKZOBC0H3JsMxKtrM7WA5
 0cnyMRqUoqBdH3ktgUBphFvyY4dmAHuwAjRwe160s77fXR2Y3XcWC5NRkeNUgIp9
 ghcN5dakkOuogxUCueQKDnB0zeSltvNkVcnRKWYbRhsy7NoEu4r7iQ2KtLCWhlRF
 A84kgmYfRRRCH5ngL/eKbE9cp/v1y5N4xYosJqx6RhajfsWHstH4g38CflSB/dHh
 9tDPvQ/QygCuS7ENS59JDmy2pTuL5bfdTGj8mYhV3O+bVgwMXDz5bDGAqnNIzgMp
 WmAxiRUnYVBWFgoHfdiZFQ3YjgTCC86CG/8keszlyqsOQhpe3qOL4Syq3mtsEkKv
 EJ8/jglN5tlGro79/tm6HGNBomGB8lqo80DDycW4LMGCenS/24we8KGOX946rwPF
 j7y5FHFHouyCREqIEX+WUU2RHioMLENxbdF6QYo3yz9b3U+UMyflhgOP5KAlJI4U
 enP1r6eagEyYO4I12sjlJYcINeP2k5NXwZCT8LIGblRXnWXDJF5coFd+pAl0c2o9
 lEh8WZv/wvQ44dfz0dyY3aZgYm0lro5xjtnNW/V/sJLcLSC8TIj7smHRJC07pxVK
 +2u1x7sl2VzpNuGNnsqmNHj9oyQyBkwj8/Ne7PmFYkovV715PjAADtBG+OflABEB
 AAGJBHIEGAEIACYWIQT4jP7e/ymltNlSOGTiXZrtBZOzSgUCYvTakgIbAgUJAeEz
 gAJACRDiXZrtBZOzSsF0IAQZAQgAHRYhBI1tp4U8/hse00btDe299BEmfslUBQJi
 9NqSAAoJEO299BEmfslUF4IP/0mOsYR+W+BNBB1tUjYGHyA2NOblXu6zmVNCCDFc
 kayM+8NH6AbYpLO3TiM55JmeukRCM3se2Zvf/wr2Ks5ywDAXvdYxw38ueUJmnKSx
 yz/2yk4CJiYC6mnjvU4Gs7o+4yQQ4wPVSD6IVt1kVccuZEO0c9qTIbOhhIxHjXv6
 1pKY/kLElBHntLPoFZxwDSmtCTpnde8gmOUlg/tI2Ku8w+Sv/c0cGVWwJA/WmRMV
 tEvkBhtwgq/OrUkiU59PdUXD7Uuy7Btgh2LuOYaSQR5a4H4/Q6OZzEGrzqWoC946
 x55LtMolg/fhvMTo8siStREfd98KrBEDrryq3Zmv1j88sBoqUjyIF3a779Ktw8vs
 Vu9nz+x8Woy+OewBhYtoCbx7FlCtsbSjQkkgZ4t0X4pLH+G1uL28xsoXD8B1Grgc
 HXaBvS2pCpSAb7Zx6wSVkQKTm0/GEZSv43C427bywWeHLynoOUYSsY1BLDPwGbOU
 bDGB2tzuXysebAaWrmbYfC34ITBEzod/L5Pwh+AvJrOYjvOL81zMKk6Ldt57AjCB
 FZOrhqo4UMeFJeEbIywmGRlHg3EYqlrj8uuOu0PIFfDEHzFzdSyPIjNQGbFGmTuk
 ksynNf5VbV3j7pEi04qJrA0KwQQY3WDUypu0AllP7WldbxoJYye1KAQOnH/sXfN3
 vGseJ6kP/A1FDR5A/snA51kUalfZ6MbNxSC4RLRhKM0L8ICYl50X3DyJBS5ScakR
 JTkiaPv6l5RlpUs+R8L0FZ20gNSZIn70D3jFzh29lEGnbf+P2UKQvmr9TUBcZBNA
 Nfj2EXdmZAzQu8QEPk7/8PONeszftNYxSjk7UtO+Z9QQzTnipksIQDvIGBuX27a0
 i4a0NgHko0HsxtsfAruAWEXVlWyNtMcNvdozbHkPqr4kvw76we3MIPTSBuZ8DUuf
 upatEcblh2VyRIWbzFmvuq7GnAmfynyU9NU+2kjmW6peYX5/c72LKWghsnPCx8xF
 k15blEo/kSMKN5vr+ZyiFas7IDJd2xmx1pd2xYvoNBl72ClflvsdMEnqx6Tpdh9B
 uvyCrat1qt4F8aKqao8sXbopH7QvDBpqGqgMGLkoPheOXypBvnvoYKL7tOoF4XJL
 AFM9PKGECoegwC0Mla15amgkfViUWdCsDy8UsSlPfBdvHdJrhChuPDwZV9GztZjj
 NdYVRi1OaxZP24IN7o40VFxvMh12E3HaideLi5MzZxxkXhr8m485b2hgvkuNUjoD
 nvFn8rZe8axx9FFhpg7/JvCAik3IxRbusM3WDqmFuBGK33phfD5wAKIWrBwT3iMU
 4GnMNmKOMrYCE/edg4eOPFj+wjWw8ZGD8XrnHVI0k8fGOoLvAm/xuQINBGQHFqQB
 EACucSUehSi8KixdOc9pYVWBCoqu5V2NlrjbpVVpmPB118fLPaZV4MSB/AnHssWw
 XDeO9zWyyLYstN78D/dWcX8Al74JFtBAM0lfgnqE5na8JZYrEivdsjQUO3Cf250G
 yXJwpK+CXpAtH6qVrO595exknHKKTv2dfV51UxDXXzYhLznnYHZoTnzpMKUSwqwP
 ywdwDVkalpXfFxP43w+gSuX7uOAI/hhX/iRE0drVDy85422FZnncNdigO6JjARn7
 CAoYDcb4K1+zn9WcwzWqV4+yhYDt+yf+o+TLhyF9BarG8cQ1tE4RfaDMZuXp0iKL
 itX01mFb0sQ2ZF0YBhQdGaBj/AcfE4e7Sacz9gC93Xd3FaVt0zgsTxMt3Z0dMzAw
 9lf7i/aPFFJQLoAZtuYU4hb3S4CG0+l3WPTdW5U276bV5WrTyvibfpNs8mctH4lB
 I4jhSkqoPwZ+8gts3XT336P3F2Z/i3cbLmfjbSeAUYRV5BdkozbuWfO6JrZq/BId
 KEUMlVi99CJD1fREyMXnr3aROdw7jKhtW5x59Act/ZXB9jixJ5EdxMe5aLeYKNSm
 L8I4TXG4DEvbPu/HCHNMlDRoga1CCmVaUEhuJwQaH4PhhlX9M69Bmz42NS8A0Fol
 JkiCsCQTQjyzvgXb1Pa0WKUVjPkQIGEUAaQdAGcns9svJQARAQABiQRyBBgBCAAm
 FiEE+Iz+3v8ppbTZUjhk4l2a7QWTs0oFAmQHFqQCGwIFCQPCZwACQAkQ4l2a7QWT
 s0rBdCAEGQEIAB0WIQTpQm2LZ+Nd9Ha9BIGF98iGiDficQUCZAcWpAAKCRCF98iG
 iDficV5MEAClR4UiibpFIYRsbdtPQC/RUIRPbx8naJ8o9h3RqnQKQPgIPkJUS8d9
 vVHQlQ8rhzrzWctOMWHgDRDEojLjXwyYSHRBawJN39D/Fs+D6Nrg9gFkdBmrU2My
 +Xia2Wgb+R2qUTnl8sP+d8k8zUC8UoZIX2ksK5yzw3Zwozg6X5Bd70zIru1RJtQd
 9ZFDb/PVobWGbqS+saGEDi0Wa7YrmRRA+kQtvMIywX5LFJ5/bSqH3BsJduwmCnJH
 84WcxYW6Ntbta7MsnmrDEwfKwmu6d0XgL0mUaOGlt7UoECckZLU/VWh+V9hhSjPi
 Dp1IX3ucfmWfsEokN1ePMnl1LWbew7yF5WsNl0/BLVczx99uoYZ6FeW3cy+8PT3q
 5Tuc7kjV9oQddJcS+slmlpyuXGH+vXa8WvSDWxPHat1tPhh2QEMGbVFeCw9XhwLu
 98YC+Hc2BImD9FfL46GMXPmiBJ5S9qqJjb2lGB+Y4lnbus8DavpudumgO2b3p4CH
 eWQYCZY993gcZIiI1/9YMXtXABZ034XoennSq1gzoAxmWGoEk9E/ZNcDLhigW2UN
 D8w/mfBKD729NhGSBlL8LmAxwHe61fnL2Z+yTjVvWfsgMXSsn1U0QYkjgE6rzqDY
 1w29Iduo1QLvcXQj+fVvu0O5zYPeRYV+RHG+l65KmB8Tjomq6FW2tsInD/92KSGF
 0TIk0rOjJA8Zy7Eers21QsTScUrfI3hntzcPpMZzWRBWuyXqf/4350lRTki3hMSx
 YB/eJlwehTmUAkC9E3oUE36PJqpp2mzC2cP68CIOdUtkdOVqzkfeZ54LlaJxgo5y
 BuC9AqUH5OfVNjZps3yygYv2ahIPBMR8JNduUiTAuvXbIENVy58q6/rZjHcKRp8b
 MUX6uWJrIXO5aSAIEljx9DbQoxSbmNJPiriuSKHbhrNPpI4xRlO9gTbaEC0ELKGC
 qw0lA1it1XvbZtP4CHcfJ0hyGvy9yvDH2poMgjkhu7OZdN1qBsBRHIIED/Ijy+tz
 nq7rQvmaDqZavlQbYREHdrjB/sS10Sblfu9h+vIwSx05UwSNGWNiDrvkQDPbVnTh
 R32zsNAlq+f0CEmsgbYPrE/lFwfFS49F2Kmma92qcDiK76Audz/dqz6xPvYQCqra
 a6Sa/uYr9aiaLsZTJ7nQ904KUE+Zwk7gcO32Bl7UO3NvkWlvSqOWGS/75WUgbrD6
 RARo6Xv6c8/OxgizzkboGBrdqqpmbG9PGi+gMrxShYtmZYcpD+dB91oKMC5q2lu6
 IGrEVlky2zd7KvrIE3YMETdYL0Eec/H0Jwuxnp9sr7GkBSUns0IczEK/En/NLcBm
 TkvXzMghTKTbYL9TjbK/CLzOR+5XXCHxXgDGLg==
 =VZfW
 -----END PGP PUBLIC KEY BLOCK-----
 "
 GNUPGHOME="${PWD}/gnupg"
 mkdir -p "${GNUPGHOME}"
 chmod 700 "${GNUPGHOME}"
 trap 'rm -rf ${GNUPGHOME}' EXIT
 if [ "${DOWNLOAD}" != 0 ]; then
    echo "Downloading files"
    pushd ./data
    ./download_payloads "$@"
    popd
 fi
 # Setup GnuPG for verifying the image signature
 gpg --batch --quiet --import <<< "${GPG_KEY}"
 for d in ./data/*/*; do
    DATA_DIR="${d}"
    echo "Verifying files for ${DATA_DIR}"
    # Check that we have a signature for the files we work on
    test -f "${DATA_DIR}/flatcar_production_update.bin.bz2.sig"
    test -f "${DATA_DIR}/flatcar_production_image.vmlinuz.sig"
    for FILE_PATH in "${DATA_DIR}"/*.sig; do
      gpg --verify "${FILE_PATH}"
    done
    echo "Generating extension payloads for ${DATA_DIR}"
    shopt -s nullglob
    for EXTENSION_PATH in "${DATA_DIR}/flatcar-"*.raw "${DATA_DIR}/oem-"*.raw; do
      # Check that we have a signature for the files we work on
      test -f "${EXTENSION_PATH}".sig
      OUTPUT_PATH="${EXTENSION_PATH/.raw/.gz}"
      if [ ! -f "${OUTPUT_PATH}" ]; then
        echo "Generating ${OUTPUT_PATH}"
        ./core_sign_update \
          --image "${EXTENSION_PATH}" \
          --output "${OUTPUT_PATH}" \
          --private_keys "${PRIVATE_KEYS}" \
          --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
          --keys_separator "+"
      else
        echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
        exit 1
      fi
    done
    shopt -u nullglob
    echo "Extracting flatcar_production_update.bin.bz2 for ${DATA_DIR}"
    bunzip2 -f -k "${DATA_DIR}/flatcar_production_update.bin.bz2"
    echo "Generating generic update payload for ${DATA_DIR}"
    OUTPUT_PATH="${DATA_DIR}/flatcar_production_update.gz"
    if [ ! -f "${OUTPUT_PATH}" ]; then
        echo "Update payload not found. Building..."
        ./core_sign_update \
            --image "${DATA_DIR}/flatcar_production_update.bin" \
            --kernel "${DATA_DIR}/flatcar_production_image.vmlinuz" \
            --output "${OUTPUT_PATH}" \
            --private_keys "${PRIVATE_KEYS}" \
            --public_keys "/mnt/host/source/src/scripts/sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-au-key/files/official-v2.pub.pem" \
            --keys_separator "+"
    else
        echo "ERROR: Found update payload already: ${OUTPUT_PATH}."
        exit 1
    fi
    echo "Payload generated: ${OUTPUT_PATH}"
 done
--- a/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild
@ -93,8 +93,12 @@ RDEPEND="${RDEPEND}
 # Host dependencies that are needed to create and sign images
 # TODO:	sys-apps/mosys
 # app-crypt/ccid is required for pcsc-lite daemon to work.
 RDEPEND="${RDEPEND}
 	sys-fs/squashfs-tools
 	dev-libs/libp11
 	dev-libs/opensc
 	app-crypt/ccid
 	"
 # Host dependencies that are needed for delta_generator.
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-3.6.8-r15.ebuild
--- a/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/sys-apps/baselayout/baselayout-9999.ebuild
@ -9,7 +9,7 @@ CROS_WORKON_REPO="https://github.com"
 if [[ "${PV}" == 9999 ]]; then
 	KEYWORDS="~amd64 ~arm ~arm64 ~x86"
 else
-	CROS_WORKON_COMMIT="a482cb4b69ffa5cf92d9cd719409e7abd7f382a3" # flatcar-master
+	CROS_WORKON_COMMIT="937a45faef0f7fa88d3d2c3f7ba60a7f3e2e82f7" # flatcar-master
 	KEYWORDS="amd64 arm arm64 x86"
 fi
@ -183,6 +183,12 @@ src_install() {
 	if use arm64; then
 		sed -i -e '/pam_sss.so/d' "${D}"/usr/lib/pam.d/* || die
 	fi
 	if use cros_host; then
 		# inject custom SSL configuration required for signing payloads from the SDK container using OpenSSL.
 		insinto "/etc/ssl/"
 		doins "${S}/baselayout/pkcs11.cnf"
 	fi
 }
 pkg_postinst() {
--- a/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild
@ -0,0 +1,8 @@
 # Copyright 2020-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit acct-group
 ACCT_GROUP_ID=46
--- a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild
@ -0,0 +1,8 @@
 # Copyright 2020-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit acct-group
 ACCT_GROUP_ID=47
--- a/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild
@ -0,0 +1,8 @@
 # Copyright 2020-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit acct-group
 ACCT_GROUP_ID=85
--- a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml
@ -0,0 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild
@ -0,0 +1,13 @@
 # Copyright 2020-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=7
 inherit acct-user
 DESCRIPTION="A user for pcsc-lite"
 ACCT_USER_ID=47
 ACCT_USER_GROUPS=( pcscd openct usb )
 ACCT_USER_GROUPS=( pcscd openct )
 acct-user_add_deps
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/Manifest
@ -0,0 +1 @@
 DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/ccid-1.5.1.ebuild
@ -0,0 +1,45 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 inherit udev
 DESCRIPTION="CCID free software driver"
 HOMEPAGE="https://ccid.apdu.fr https://github.com/LudovicRousseau/CCID"
 SRC_URI="https://ccid.apdu.fr/files/${P}.tar.bz2"
 LICENSE="GPL-2"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm ~arm64 ~hppa ~ia64 ppc ppc64 ~riscv ~sparc x86"
 IUSE="twinserial +usb"
 RDEPEND="
 	>=sys-apps/pcsc-lite-1.8.3
 	twinserial? ( dev-lang/perl )
 	usb? ( virtual/libusb:1 )
 "
 DEPEND="${RDEPEND}"
 BDEPEND="virtual/pkgconfig"
 src_configure() {
 	econf \
 		LEX=: \
 		$(use_enable twinserial) \
 		$(use_enable usb libusb)
 }
 src_install() {
 	default
 	udev_newrules src/92_pcscd_ccid.rules 92-pcsc-ccid.rules
 }
 pkg_postinst() {
 	udev_reload
 	einfo "Check https://github.com/LudovicRousseau/CCID/blob/master/INSTALL"
 	einfo "for more info about how to configure and use ccid"
 }
 pkg_postrm() {
 	udev_reload
 }
--- a/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/app-crypt/ccid/metadata.xml
@ -0,0 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 	<use>
 		<flag name="twinserial">Enable twinserial reader</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">LudovicRousseau/CCID</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/Manifest
@ -0,0 +1 @@
 DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/files/libp11-0.4.12-openssl-3.1.patch
@ -0,0 +1,50 @@
 https://github.com/OpenSC/libp11/pull/503
 https://bugs.gentoo.org/910203
 From 580c12b78b63d88010a6178d7c4c58186938c479 Mon Sep 17 00:00:00 2001
 From: Dominique Leuenberger <dimstar@opensuse.org>
 Date: Tue, 6 Jun 2023 14:27:46 +0200
 Subject: [PATCH] Detect openSSL 3.1; compatible to openSSL 3.0
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index d6b0ee91..b96979d9 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
 # issues with applications linking to new openssl, old libp11, and vice versa
 case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
 	$PKG_CONFIG --modversion openssl`" in
 -	3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 +	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
 	    debian_ssl_prefix="openssl-3.0.0";;
 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
 From 0697773b403efb8e7fa9f0c0fddcb499fb9b6337 Mon Sep 17 00:00:00 2001
 From: Mike Gilbert <floppym@gentoo.org>
 Date: Thu, 13 Jul 2023 13:52:54 -0400
 Subject: [PATCH] configure: treat all openssl-3.x releases the same
 OpenSSL's soversion will not change for any 3.x minor release.
 https://www.openssl.org/policies/general/versioning-policy.html
 ---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/configure.ac b/configure.ac
 index b96979d9..c344e84a 100644
 --- a/configure.ac
 +++ b/configure.ac
@@ -33,7 +33,7 @@ AC_C_BIGENDIAN
 # issues with applications linking to new openssl, old libp11, and vice versa
 case "`$PKG_CONFIG --modversion --silence-errors libcrypto || \
 	$PKG_CONFIG --modversion openssl`" in
 -	3.1.*|3.0.*) # Predicted engines directory prefix for OpenSSL 3.x
 +	3.*) # Predicted engines directory prefix for OpenSSL 3.x
 	    LIBP11_LT_OLDEST="3"
 	    debian_ssl_prefix="openssl-3.0.0";;
 	1.1.*) # Predicted engines directory prefix for OpenSSL 1.1.x
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r1.ebuild
@ -0,0 +1,31 @@
 # Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
 HOMEPAGE="https://github.com/opensc/libp11/wiki"
 SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
 LICENSE="LGPL-2.1"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv ~s390 sparc x86"
 IUSE="doc static-libs"
 RDEPEND="dev-libs/openssl:=[bindist(+)]"
 DEPEND="${RDEPEND}"
 BDEPEND="virtual/pkgconfig
 	doc? ( app-doc/doxygen )"
 src_configure() {
 	econf \
 		--enable-shared \
 		$(use_enable static-libs static) \
 		$(use_enable doc api-doc)
 }
 src_install() {
 	default
 	find "${ED}" -name '*.la' -delete || die
 }
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/libp11-0.4.12-r4.ebuild
@ -0,0 +1,51 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 inherit autotools
 DESCRIPTION="Abstraction layer to simplify PKCS#11 API"
 HOMEPAGE="https://github.com/opensc/libp11/wiki"
 SRC_URI="https://github.com/OpenSC/${PN}/releases/download/${P}/${P}.tar.gz"
 LICENSE="LGPL-2.1"
 SLOT="0"
 KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 IUSE="doc static-libs test"
 RESTRICT="!test? ( test )"
 RDEPEND="
 	<dev-libs/openssl-3.1.4:=[bindist(+)]
 "
 DEPEND="${RDEPEND}
 	test? ( dev-libs/softhsm )
 "
 BDEPEND="
 	virtual/pkgconfig
 	doc? ( app-doc/doxygen )
 	test? ( >=dev-libs/opensc-0.23.0-r2 )
 "
 src_prepare() {
 	local PATCHES=(
 		"${FILESDIR}"/libp11-0.4.12-openssl-3.1.patch
 	)
 	default
 	eautoreconf
 }
 src_configure() {
 	local args=(
 		--enable-shared
 		$(use_enable static-libs static)
 		$(use_enable doc api-doc)
 	)
 	econf "${args[@]}"
 }
 src_install() {
 	default
 	find "${ED}" -name '*.la' -delete || die
 }
--- a/sdk_container/src/third_party/portage-stable/dev-libs/libp11/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/libp11/metadata.xml
@ -0,0 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<!-- maintainer-needed -->
 	<longdescription>
 		Library implementing a small layer on top of PKCS#11 API to make
 		using PKCS#11 implementations easier.
 	</longdescription>
 	<use>
 		<flag name="doc">Generate and install API documentation for the package.</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:opensc-project:libp11</remote-id>
 		<remote-id type="github">opensc/libp11</remote-id>
 		<remote-id type="sourceforge">opensc</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest
@ -0,0 +1 @@
 DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch
@ -0,0 +1,49 @@
 From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
 From: fullwaywang <fullwaywang@tencent.com>
 Date: Mon, 29 May 2023 10:38:48 +0800
 Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
 overrun bug. Fixes #2785
 ---
 src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
 diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
 index 9715cf390f..f41f73c349 100644
 --- a/src/pkcs15init/pkcs15-cardos.c
 +++ b/src/pkcs15init/pkcs15-cardos.c
@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 	sc_apdu_t apdu;
         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
         int       r;
 -	const u8  *p = rbuf, *q;
 +	const u8  *p = rbuf, *q, *pp;
 	size_t    len, tlen = 0, ilen = 0;
 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		return 0;
 	while (len != 0) {
 -		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 -		if (p == NULL)
 +		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
 +		if (pp == NULL)
 			return 0;
 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
 			/* and Package Number 0x07					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x07)
@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
 			/* and Package Number 0x02					*/
 -			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
 +			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
 			if (q == NULL || ilen != 4)
 				return 0;
 			if (q[0] == 0x02)
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch
@ -0,0 +1,215 @@
 https://bugs.gentoo.org/909781
 https://github.com/OpenSC/libp11/issues/478
 https://github.com/OpenSC/OpenSC/pull/2656
 From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:08:53 +0100
 Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
 ---
 src/tools/pkcs11-tool.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index aae205fe2c..cfee8526d5 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 		RSA_get0_factors(r, &r_p, &r_q);
 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
 #else
 -		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
 +		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
 			util_fatal("OpenSSL error during RSA private key parsing");
 +			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:11:41 +0100
 Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
 ---
 src/tools/pkcs11-tool.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index cfee8526d5..f2e6b1dd91 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
 	r = EVP_PKEY_get1_RSA(pkey);
 	if (!r) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	}
 	RSA_get0_key(r, &r_n, &r_e, NULL);
@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
 -		if (private)
 -			util_fatal("OpenSSL error during RSA private key parsing");
 -		else
 -			util_fatal("OpenSSL error during RSA public key parsing");
 +		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
 +			ERR_error_string(ERR_peek_last_error(), NULL));
 	 }
 #endif
 	RSA_GET_BN(rsa, modulus, r_n);
@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
 -			util_fatal("OpenSSL error during RSA private key parsing");
 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
 +			util_fatal("OpenSSL error during RSA private key parsing: %s",
 +				ERR_error_string(ERR_peek_last_error(), NULL));
 		}
 #endif
 		RSA_GET_BN(rsa, private_exponent, r_d);
 From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Thu, 1 Dec 2022 20:38:31 +0100
 Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
 ---
 tests/Makefile.am                | 10 ++++---
 tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100755 tests/test-pkcs11-tool-import.sh
 diff --git a/tests/Makefile.am b/tests/Makefile.am
 index d378e2ee00..9d8a24c321 100644
 --- a/tests/Makefile.am
 +++ b/tests/Makefile.am
@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
                       test-pkcs11-tool-test-threads.sh \
                       test-pkcs11-tool-sign-verify.sh \
                       test-pkcs11-tool-allowed-mechanisms.sh \
 -                      test-pkcs11-tool-sym-crypt-test.sh\
 -                      test-pkcs11-tool-unwrap-wrap-test.sh
 +                      test-pkcs11-tool-sym-crypt-test.sh \
 +                      test-pkcs11-tool-unwrap-wrap-test.sh \
 +                      test-pkcs11-tool-import.sh
 .NOTPARALLEL:
 TESTS = \
@@ -25,8 +26,9 @@ TESTS = \
         test-pkcs11-tool-test.sh \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-allowed-mechanisms.sh \
 -        test-pkcs11-tool-sym-crypt-test.sh\
 -        test-pkcs11-tool-unwrap-wrap-test.sh
 +        test-pkcs11-tool-sym-crypt-test.sh \
 +        test-pkcs11-tool-unwrap-wrap-test.sh \
 +        test-pkcs11-tool-import.sh
 XFAIL_TESTS = \
         test-pkcs11-tool-test-threads.sh \
         test-pkcs11-tool-test.sh
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 new file mode 100755
 index 0000000000..76ff8e51be
 --- /dev/null
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -0,0 +1,48 @@
 +#!/bin/bash
 +SOURCE_PATH=${SOURCE_PATH:-..}
 +
 +source $SOURCE_PATH/tests/common.sh
 +
 +echo "======================================================="
 +echo "Setup SoftHSM"
 +echo "======================================================="
 +if [[ ! -f $P11LIB ]]; then
 +    echo "WARNING: The SoftHSM is not installed. Can not run this test"
 +    exit 77;
 +fi
 +card_setup
 +
 +ID="0100"
 +OPTS=""
 +for KEYTYPE in "RSA" "EC"; do
 +    echo "======================================================="
 +    echo "Generate and import $KEYTYPE keys"
 +    echo "======================================================="
 +    if [ "$KEYTYPE" == "RSA" ]; then
 +        ID="0100"
 +    elif [ "$KEYTYPE" == "EC" ]; then
 +        ID="0200"
 +        OPTS="-pkeyopt ec_paramgen_curve:P-521"
 +    fi
 +    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
 +    assert $? "Failed to generate private $KEYTYPE key"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
 +        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
 +    assert $? "Failed to write private $KEYTYPE key"
 +
 +    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
 +    assert $? "Failed to convert private $KEYTYPE key to public"
 +    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
 +        -p $PIN --module $P11LIB
 +    assert $? "Failed to write public $KEYTYPE key"
 +    # certificate import already tested in all other tests
 +
 +    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
 +done
 +
 +echo "======================================================="
 +echo "Cleanup"
 +echo "======================================================="
 +card_cleanup
 +
 +exit $ERRORS
 From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jakuje@gmail.com>
 Date: Fri, 2 Dec 2022 18:07:43 +0100
 Subject: [PATCH 4/4] Simplify the new test
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
 ---
 tests/test-pkcs11-tool-import.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
 diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
 index 76ff8e51be..c90b3b4926 100755
 --- a/tests/test-pkcs11-tool-import.sh
 +++ b/tests/test-pkcs11-tool-import.sh
@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
 fi
 card_setup
 -ID="0100"
 -OPTS=""
 for KEYTYPE in "RSA" "EC"; do
     echo "======================================================="
     echo "Generate and import $KEYTYPE keys"
     echo "======================================================="
 -    if [ "$KEYTYPE" == "RSA" ]; then
 -        ID="0100"
 -    elif [ "$KEYTYPE" == "EC" ]; then
 +    ID="0100"
 +    OPTS=""
 +    if [ "$KEYTYPE" == "EC" ]; then
         ID="0200"
         OPTS="-pkeyopt ec_paramgen_curve:P-521"
     fi
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch
@ -0,0 +1,39 @@
 https://bugs.gentoo.org/909781
 https://github.com/OpenSC/OpenSC/pull/2765
 From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001
 From: Peter Popovec <popovec.peter@gmail.com>
 Date: Fri, 28 Apr 2023 10:50:25 +0200
 Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID
 "object_id[]" and "id_len" must be allocated so that it is not deallocated
 or overwritten (on the stack) at the time of the C_UnwrapKey() call.
 	modified:   src/tools/pkcs11-tool.c
 ---
 src/tools/pkcs11-tool.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
 index 890ca27060..f3a01ab4cf 100644
 --- a/src/tools/pkcs11-tool.c
 +++ b/src/tools/pkcs11-tool.c
@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session)
 		{CKA_CLASS, &secret_key_class, sizeof(secret_key_class)},
 		{CKA_TOKEN, &_true, sizeof(_true)},
 	};
 +	CK_BYTE object_id[100];
 +	size_t id_len;
 	CK_OBJECT_HANDLE hSecretKey;
 	int n_attr = 2;
 	CK_RV rv;
@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session)
 	}
 	if (opt_application_id != NULL) {
 -		CK_BYTE object_id[100];
 -		size_t id_len;
 -
 		id_len = sizeof(object_id);
 		if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) {
 			FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len);
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module
@ -0,0 +1,8 @@
 # This file describes how to load the opensc module
 # See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
 # This is a relative path, which means it will be loaded from
 # the p11-kit default path which is usually $(libdir)/pkcs11.
 # Doing it this way allows for packagers to package opensc for
 # 32-bit and 64-bit and make them parallel installable
 module: onepin-opensc-pkcs11.so
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml
@ -0,0 +1,30 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="person">
 		<email>soap@gentoo.org</email>
 		<name>David Seifert</name>
 	</maintainer>
 	<longdescription>
 		OpenSC is a library for accessing SmartCard devices. It is also
 		the core library of the OpenSC project.
 		Basic functionality (e.g. SELECT FILE, READ BINARY) should work on
 		any ISO 7816-4 compatible SmartCard.  Encryption and decryption
 		using private keys on the SmartCard is possible with PKCS #15
 		compatible cards, such as the FINEID (Finnish Electronic IDentity)
 		card.
 	</longdescription>
 	<use>
 		<flag name="ctapi">Use CT-API for accessing Smartcard hardware</flag>
 		<flag name="notify">Enable notifications</flag>
 		<flag name="openct">Use <pkg>dev-libs/openct</pkg> (and CT-API) for accessing Smartcard hardware</flag>
 		<flag name="pace">Use <pkg>dev-libs/openpace</pkg> for EAC version 2 support</flag>
 		<flag name="pcsc-lite">Use <pkg>sys-apps/pcsc-lite</pkg> (and PC/SC API) for accessing Smartcard hardware</flag>
 		<flag name="secure-messaging">Enable secure messaging</flag>
 	</use>
 	<upstream>
 		<remote-id type="github">OpenSC/OpenSC</remote-id>
 		<remote-id type="sourceforge">opensc</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild
@ -0,0 +1,81 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 inherit autotools bash-completion-r1
 DESCRIPTION="Libraries and applications to access smartcards"
 HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
 if [[ ${PV} == *9999 ]]; then
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
 else
 	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
 	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~s390 ~sparc x86"
 fi
 LICENSE="LGPL-2.1"
 SLOT="0"
 IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
 RESTRICT="!test? ( test )"
 RDEPEND="zlib? ( sys-libs/zlib )
 	readline? ( sys-libs/readline:0= )
 	ssl? ( dev-libs/openssl:0= )
 	openct? ( >=dev-libs/openct-0.5.0 )
 	pace? ( dev-libs/openpace:= )
 	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
 	notify? ( dev-libs/glib:2 )"
 DEPEND="${RDEPEND}
 	app-text/docbook-xsl-stylesheets
 	dev-libs/libxslt
 	test? ( dev-util/cmocka )"
 BDEPEND="virtual/pkgconfig"
 REQUIRED_USE="
 	pcsc-lite? ( !openct !ctapi )
 	openct? ( !pcsc-lite !ctapi )
 	ctapi? ( !pcsc-lite !openct )
 	|| ( pcsc-lite openct ctapi )"
 PATCHES=(
 	"${FILESDIR}"/${P}-CVE-2023-2977.patch
 	"${FILESDIR}"/${P}-backport-pr2656.patch
 )
 src_prepare() {
 	default
 	eautoreconf
 }
 src_configure() {
 	# don't want to run upstream's clang-tidy checks
 	export ac_cv_path_CLANGTIDY=""
 	econf \
 		--with-completiondir="$(get_bashcompdir)" \
 		--disable-strict \
 		--enable-man \
 		$(use_enable ctapi) \
 		$(use_enable doc) \
 		$(use_enable notify) \
 		$(use_enable openct) \
 		$(use_enable pace openpace) \
 		$(use_enable pcsc-lite pcsc) \
 		$(use_enable readline) \
 		$(use_enable secure-messaging sm) \
 		$(use_enable ssl openssl) \
 		$(use_enable test cmocka) \
 		$(use_enable zlib)
 }
 src_install() {
 	default
 	insinto /etc/pkcs11/modules/
 	doins "${FILESDIR}"/opensc.module
 	find "${ED}" -name '*.la' -delete || die
 }
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild
@ -0,0 +1,82 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 inherit autotools bash-completion-r1
 DESCRIPTION="Libraries and applications to access smartcards"
 HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
 if [[ ${PV} == *9999 ]]; then
 	inherit git-r3
 	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
 else
 	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
 	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
 fi
 LICENSE="LGPL-2.1"
 SLOT="0"
 IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
 RESTRICT="!test? ( test )"
 RDEPEND="zlib? ( sys-libs/zlib )
 	readline? ( sys-libs/readline:0= )
 	ssl? ( dev-libs/openssl:0= )
 	openct? ( >=dev-libs/openct-0.5.0 )
 	pace? ( dev-libs/openpace:= )
 	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
 	notify? ( dev-libs/glib:2 )"
 DEPEND="${RDEPEND}
 	app-text/docbook-xsl-stylesheets
 	dev-libs/libxslt
 	test? ( dev-util/cmocka )"
 BDEPEND="virtual/pkgconfig"
 REQUIRED_USE="
 	pcsc-lite? ( !openct !ctapi )
 	openct? ( !pcsc-lite !ctapi )
 	ctapi? ( !pcsc-lite !openct )
 	|| ( pcsc-lite openct ctapi )"
 PATCHES=(
 	"${FILESDIR}"/${P}-CVE-2023-2977.patch
 	"${FILESDIR}"/${P}-backport-pr2656.patch
 	"${FILESDIR}"/${P}-backport-pr2765.patch
 )
 src_prepare() {
 	default
 	eautoreconf
 }
 src_configure() {
 	# don't want to run upstream's clang-tidy checks
 	export ac_cv_path_CLANGTIDY=""
 	econf \
 		--with-completiondir="$(get_bashcompdir)" \
 		--disable-strict \
 		--enable-man \
 		$(use_enable ctapi) \
 		$(use_enable doc) \
 		$(use_enable notify) \
 		$(use_enable openct) \
 		$(use_enable pace openpace) \
 		$(use_enable pcsc-lite pcsc) \
 		$(use_enable readline) \
 		$(use_enable secure-messaging sm) \
 		$(use_enable ssl openssl) \
 		$(use_enable test cmocka) \
 		$(use_enable zlib)
 }
 src_install() {
 	default
 	insinto /etc/pkcs11/modules/
 	doins "${FILESDIR}"/opensc.module
 	find "${ED}" -name '*.la' -delete || die
 }
--- a/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
+++ b/sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild
@ -0,0 +1,81 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 inherit bash-completion-r1 libtool
 DESCRIPTION="Libraries and applications to access smartcards"
 HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
 if [[ ${PV} == *9999 ]]; then
 	inherit autotools git-r3
 	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
 else
 	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
 	KEYWORDS="~amd64 ~ppc64 ~x86"
 fi
 LICENSE="LGPL-2.1"
 SLOT="0"
 IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
 RESTRICT="!test? ( test )"
 RDEPEND="zlib? ( sys-libs/zlib )
 	readline? ( sys-libs/readline:0= )
 	ssl? ( dev-libs/openssl:0= )
 	openct? ( >=dev-libs/openct-0.5.0 )
 	pace? ( dev-libs/openpace:= )
 	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
 	notify? ( dev-libs/glib:2 )"
 DEPEND="${RDEPEND}
 	app-text/docbook-xsl-stylesheets
 	dev-libs/libxslt
 	test? ( dev-util/cmocka )"
 BDEPEND="virtual/pkgconfig"
 REQUIRED_USE="
 	pcsc-lite? ( !openct !ctapi )
 	openct? ( !pcsc-lite !ctapi )
 	ctapi? ( !pcsc-lite !openct )
 	|| ( pcsc-lite openct ctapi )"
 src_prepare() {
 	default
 	if [[ ${PV} == *9999 ]]; then
 		eautoreconf
 	else
 		elibtoolize
 	fi
 }
 src_configure() {
 	# don't want to run upstream's clang-tidy checks
 	export ac_cv_path_CLANGTIDY=""
 	econf \
 		--with-completiondir="$(get_bashcompdir)" \
 		--disable-strict \
 		--enable-man \
 		$(use_enable ctapi) \
 		$(use_enable doc) \
 		$(use_enable notify) \
 		$(use_enable openct) \
 		$(use_enable pace openpace) \
 		$(use_enable pcsc-lite pcsc) \
 		$(use_enable readline) \
 		$(use_enable secure-messaging sm) \
 		$(use_enable ssl openssl) \
 		$(use_enable test cmocka) \
 		$(use_enable zlib)
 }
 src_install() {
 	default
 	insinto /etc/pkcs11/modules/
 	doins "${FILESDIR}"/opensc.module
 	find "${ED}" -name '*.la' -delete || die
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest
@ -0,0 +1,2 @@
 DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c
 DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules
@ -0,0 +1,6 @@
 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 # We add this here so that it runs after ccid's and ifd-gempc's rules;
 # if we just added a pcscd-owned device, we hotplug the pcscd service.
 ACTION=="add", ENV{PCSCD}=="1", GROUP="pcscd", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service", RUN+="pcscd.sh"
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch
@ -0,0 +1,20 @@
 Index: pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
 ===================================================================
 --- pcsc-lite-1.8.11.orig/doc/org.debian.pcsc-lite.policy
 +++ pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
@@ -15,6 +15,7 @@
       <allow_inactive>auth_admin</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
 +    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
   </action>
   <action id="org.debian.pcsc-lite.access_card">
@@ -25,6 +26,7 @@
       <allow_inactive>auth_admin</allow_inactive>
       <allow_active>yes</allow_active>
     </defaults>
 +    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
   </action>
 </policyconfig>
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch
@ -0,0 +1,18 @@
 Don't run the daemon as root
 https://bugs.gentoo.org/545390
 --- a/etc/pcscd.service.in
 +++ b/etc/pcscd.service.in
@@ -4,9 +4,12 @@
 Documentation=man:pcscd(8)
 [Service]
 +PIDFile=/run/pcscd/pcscd.pid
 ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS
 ExecReload=@sbindir_exp@/pcscd --hotplug
 EnvironmentFile=-@sysconfdir@/default/pcscd
 +User=pcscd
 +Group=pcscd
 [Install]
 Also=pcscd.socket
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7
@ -0,0 +1,22 @@
 #!/sbin/openrc-run
 # Copyright 1999-2019 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 name="PC/SC Daemon"
 pidfile=/run/pcscd/pcscd.pid
 command=/usr/sbin/pcscd
 command_args="${EXTRA_OPTS}"
 start_stop_daemon_args="--user pcscd:pcscd"
 depend() {
 	need localmount
 	after udev openct dbus
 	use logger
 }
 start_pre() {
 	checkpath -q -d -m 0755 -o pcscd:pcscd /run/pcscd
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev
@ -0,0 +1,14 @@
 #!/bin/sh
 #
 # pcscd.sh: udev external RUN script
 #
 # based on netifrc net.sh helper
 # Copyright 2007 Roy Marples <uberlord@gentoo.org>
 # Distributed under the terms of the GNU General Public License v2
 # make sure openrc is managing services
 if [ ! -d /run/openrc ]; then
 	exit 0
 fi
 IN_HOTPLUG=1 /etc/init.d/pcscd --quiet start
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf
@ -0,0 +1 @@
 d /run/pcscd 0755 pcscd pcscd -
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml
@ -0,0 +1,18 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="project">
 		<email>base-system@gentoo.org</email>
 		<name>Gentoo Base System</name>
 	</maintainer>
 	<use>
 		<flag name="embedded">limit RAM and CPU ressources by disabling features</flag>
 		<flag name="libusb" restrict="&gt;=sys-apps/pcsc-lite-1.8.0">Use <pkg>dev-libs/libusb</pkg> detection to hotplug new smartcard readers. This flag should only be enabled if you're running a non-Linux kernel or you don't want to use udev.</flag>
 		<flag name="udev">Use <pkg>virtual/libudev</pkg> rules to handle devices' permissions and hotplug support. Unless you know what you're doing do not disable this flag on Linux kernels. This is provided as an option for completeness.</flag>
 		<flag name="policykit">Uses <pkg>sys-auth/polkit</pkg> to restrict access to smartcard readers or smartcards to given users.</flag>
 	</use>
 	<upstream>
 		<changelog>https://salsa.debian.org/rousseau/PCSC/blob/master/ChangeLog</changelog>
 		<remote-id type="github">LudovicRousseau/PCSC</remote-id>
 	</upstream>
 </pkgmetadata>
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild
@ -0,0 +1,109 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 PYTHON_COMPAT=( python3_{9..11} )
 inherit python-single-r1 systemd tmpfiles udev multilib-minimal
 DESCRIPTION="PC/SC Architecture smartcard middleware library"
 HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
 SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
 # GPL-2 is there for the init script; everything else comes from
 # upstream.
 LICENSE="BSD ISC MIT GPL-3+ GPL-2"
 SLOT="0"
 KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
 # This is called libusb so that it doesn't fool people in thinking that
 # it is _required_ for USB support. Otherwise they'll disable udev and
 # that's going to be worse.
 IUSE="doc embedded libusb policykit selinux systemd +udev"
 REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
 # No dependencies need the MULTILIB_DEPS because the libraries are actually
 # standalone, the deps are only needed for the daemon itself.
 DEPEND="
 	libusb? ( virtual/libusb:1 )
 	udev? ( virtual/libudev:= )
 	policykit? ( >=sys-auth/polkit-0.111 )
 	acct-group/openct
 	acct-group/pcscd
 	acct-user/pcscd
 	${PYTHON_DEPS}"
 RDEPEND="${DEPEND}
 	selinux? ( sec-policy/selinux-pcscd )"
 BDEPEND="
 	sys-devel/flex
 	virtual/pkgconfig"
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
 	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
 )
 multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf \
 		--disable-maintainer-mode \
 		--disable-strict \
 		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
 		--enable-ipcdir=/run/pcscd \
 		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
 		$(multilib_native_use_enable doc documentation) \
 		$(multilib_native_use_enable embedded) \
 		$(multilib_native_use_enable systemd libsystemd) \
 		$(multilib_native_use_enable udev libudev) \
 		$(multilib_native_use_enable libusb) \
 		$(multilib_native_use_enable policykit polkit)
 }
 multilib_src_install_all() {
 	einstalldocs
 	dodoc HELP SECURITY
 	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
 	dotmpfiles "${FILESDIR}"/pcscd.conf
 	if use udev; then
 		exeinto "$(get_udevdir)"
 		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
 		insinto "$(get_udevdir)"/rules.d
 		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
 	fi
 	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
 	find "${ED}" -name '*.la' -delete || die
 }
 pkg_postinst() {
 	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
 	elog "the pcscd group, to avoid running as root."
 	elog
 	elog "This also means you need the newest drivers available so that the"
 	elog "devices get the proper owner."
 	elog
 	elog "Furthermore, a conf.d file is no longer installed by default, as"
 	elog "the default configuration does not require one. If you need to"
 	elog "pass further options to pcscd, create a file and set the"
 	elog "EXTRA_OPTS variable."
 	elog
 	if use udev; then
 		elog "Hotplug support is provided by udev rules."
 		elog "When using OpenRC you additionally need to tell it to hotplug"
 		elog "pcscd by setting this variable in /etc/rc.conf:"
 		elog
 		elog "    rc_hotplug=\"pcscd\""
 	fi
 	tmpfiles_process pcscd.conf
 	use udev && udev_reload
 }
 pkg_postrm() {
 	use udev && udev_reload
 }
--- a/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
+++ b/sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild
@ -0,0 +1,109 @@
 # Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 EAPI=8
 PYTHON_COMPAT=( python3_{9..11} )
 inherit python-single-r1 systemd tmpfiles udev multilib-minimal
 DESCRIPTION="PC/SC Architecture smartcard middleware library"
 HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
 SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
 # GPL-2 is there for the init script; everything else comes from
 # upstream.
 LICENSE="BSD ISC MIT GPL-3+ GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
 # This is called libusb so that it doesn't fool people in thinking that
 # it is _required_ for USB support. Otherwise they'll disable udev and
 # that's going to be worse.
 IUSE="doc embedded libusb policykit selinux systemd +udev"
 REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
 # No dependencies need the MULTILIB_DEPS because the libraries are actually
 # standalone, the deps are only needed for the daemon itself.
 DEPEND="
 	libusb? ( virtual/libusb:1 )
 	udev? ( virtual/libudev:= )
 	policykit? ( >=sys-auth/polkit-0.111 )
 	acct-group/openct
 	acct-group/pcscd
 	acct-user/pcscd
 	${PYTHON_DEPS}"
 RDEPEND="${DEPEND}
 	selinux? ( sec-policy/selinux-pcscd )"
 BDEPEND="
 	sys-devel/flex
 	virtual/pkgconfig"
 PATCHES=(
 	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
 	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
 )
 multilib_src_configure() {
 	ECONF_SOURCE="${S}" econf \
 		--disable-maintainer-mode \
 		--disable-strict \
 		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
 		--enable-ipcdir=/run/pcscd \
 		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
 		$(multilib_native_use_enable doc documentation) \
 		$(multilib_native_use_enable embedded) \
 		$(multilib_native_use_enable systemd libsystemd) \
 		$(multilib_native_use_enable udev libudev) \
 		$(multilib_native_use_enable libusb) \
 		$(multilib_native_use_enable policykit polkit)
 }
 multilib_src_install_all() {
 	einstalldocs
 	dodoc HELP SECURITY
 	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
 	dotmpfiles "${FILESDIR}"/pcscd.conf
 	if use udev; then
 		exeinto "$(get_udevdir)"
 		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
 		insinto "$(get_udevdir)"/rules.d
 		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
 	fi
 	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
 	find "${ED}" -name '*.la' -delete || die
 }
 pkg_postinst() {
 	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
 	elog "the pcscd group, to avoid running as root."
 	elog
 	elog "This also means you need the newest drivers available so that the"
 	elog "devices get the proper owner."
 	elog
 	elog "Furthermore, a conf.d file is no longer installed by default, as"
 	elog "the default configuration does not require one. If you need to"
 	elog "pass further options to pcscd, create a file and set the"
 	elog "EXTRA_OPTS variable."
 	elog
 	if use udev; then
 		elog "Hotplug support is provided by udev rules."
 		elog "When using OpenRC you additionally need to tell it to hotplug"
 		elog "pcscd by setting this variable in /etc/rc.conf:"
 		elog
 		elog "    rc_hotplug=\"pcscd\""
 	fi
 	tmpfiles_process pcscd.conf
 	use udev && udev_reload
 }
 pkg_postrm() {
 	use udev && udev_reload
 }
		`@ -0,0 +1 @@`
							`DIST ccid-1.5.1.tar.bz2 702586 BLAKE2B 7b9e3c6daf03c186f34ac9b13bd960293a6481f9237ee52937ece1040bd3a79b7dab318e1244205a7feae992261ab5e82292d80ae023a4f621e0e7af7cdb9df5 SHA512 492bde96f5752e2a5316693c44e35e2d041785a00d15e094905c0aafad392f5329009d12801899367276328a582936ee53a1c5239c1813c4536001cb8a608f2e`
		`@ -0,0 +1 @@`
							`DIST libp11-0.4.12.tar.gz 516414 BLAKE2B a816749984753a1916dd58860c51b49d316946b59eb3bc839f6a21dcff14de48d7a4937f55fc7ad96a26b914591854d5cf11a1fbac2d5f2f5e04c833973c0e42 SHA512 674cfca2c9eaf162262204c94f9d59d3095dabbc348c1842e758b897e1a5bd4ba08b2d589ec3b2a2d1343a8760eab253e7008dc09ef5b499e2f16385efe5c8cc`
		`@ -0,0 +1 @@`
							`DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b`
		`@ -0,0 +1,2 @@`
							`DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c`
							`DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b`