diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
new file mode 100644
index 0000000000..5f9b668c05
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
@@ -0,0 +1,24 @@
+AUX gnupg-2.0.17-gpgsm-gencert.patch 1121 SHA256 fa8369a4466b3cce54215a348940422f46f4d359f9e9b3c7029a1138870888df SHA512 ecde032b205cc16c33ff21ded55b93e74058cd804d68e4a0738ac70d54b5b388b6f709d21719a5e418c662b7ee74bc4aef7a0c59de106e2d4bd06b7bc1a11138 WHIRLPOOL 5dc4d3de29290e8e274a0f4fef871cea7f49553846254d819ca776000978a72c694212559d9ad03312f94f71f406de4641c0575188d340017a7937b01753b8a0
+AUX gnupg-2.0.26-Need-to-init-the-trustdb-for-import.patch 895 SHA256 063f50e8293282ec59ccf30567dafc16f5cdec800d2965acf8cf8a5050d8a9b3 SHA512 85423d0c0a2d6e85d569bd31c8f8209fb8707c827f041055bc2a1b20ec1372257574a2b72d86cdc1fa61188966bbb0e0ca176505bbd2bb1e2df12257f33ae259 WHIRLPOOL b9ee365eb55e637ca80b1ab88f1b48a9f925be73aba4f3e8e1c5526cbdb18a4c6326aa0282b45c6ad285b9c0d2f624e161679abd41bfcbd6cbf37764c0123467
+AUX gnupg-2.0.26-misc-cve.patch 3201 SHA256 d0f16d14da9868b79d17fa49ff284ec05fb45ef61f35c864bde9e38dc7539de2 SHA512 bb2860e5d8bb1567238e25d05cda7cb76557fa43dca3b8e802f7b4664e9b46e10187f2cbb76d1bcea5816d14c936d704fd606bdf125855ef3401b08412ac1fed WHIRLPOOL eefd707be37662bccd63d671496c79b30a07c13fb7497562887c678495020c382b5fb664ec8d5c76c45077fd6cfe36d4fc33f804b544f0efd042f6eaa5d2ed36
+AUX gnupg-2.1-fix-gentoo-dash-issue.patch 514 SHA256 961d924cc441a01c49d68f640fdd9d8a15d47ef02c85e3e4e15f77afd3de6b30 SHA512 2c269c049916a392210e2daedc7bb58281a9132bc51c3f4c136ee75cd19a78b76bf13814eb4165a65f8169968d4de4d407d42b2b36dd4e5284b5b10a4684c118 WHIRLPOOL c0a904864331bcb585783e7b61a15f1f57e80671e124e6bdccd01f21ee1e1c70da46f9b17007480f3b1d2957e8e9440d21bc108464abcbd3473a468c2496f227
+AUX gnupg-2.1.12-fix-signature-checking.patch 1547 SHA256 fe0d44d068b258c757514ce4e54e9de3b40513113e0bb676ab697d1e7bd18c8a SHA512 24c7a853f5b37412903da560e6ee6dd0a98014941fb0f250061398bb29f021d1dc07b241700811eebb895e0715446f95220543c4dc57f70e21fde59827374a83 WHIRLPOOL 485fcdfc1499e9ac6d83bed86365114c492255a8b74f49efca9ffb5ca3dcde8294320831a355e3b72fe7ae9bef4f8fa8a322cc998ad9821af6a99da044b04451
+DIST gnupg-1.4.19.tar.bz2 3713811 SHA256 7f09319d044b0f6ee71fe3587bb873be701723ac0952cff5069046a78de8fd86 SHA512 cce2a83efb05f963ad0f8afd04999cc852889d46b4cad4cf399a37fd6e69f0911a5ccaa0192cb891a941cfa93125349b481efa789a127e3c0aa2c5ba53672741 WHIRLPOOL 14eaddca0981f05757aa0751b9563837efd3f5943a422d5f29e0de94eb6233b85b8848a1f4816ab7e897d6e656c7c08705115d53ed89f554604ffd2009c3c39f
+DIST gnupg-1.4.20.tar.bz2 3692881 SHA256 04988b1030fa28ddf961ca8ff6f0f8984e0cddcb1eb02859d5d8fe0fe237edcc SHA512 8a66d5a45dcf0508601452061eb1965c3c56c56f0e5ded00b7f54c6104de0a305c1d526abd37be2f55cd9bde79600d9cfaf60536af77ff733d778ace5fcd9dad WHIRLPOOL 26344b6ba0e5f0f11fa411f5af265c922b3b1d62ff030433eb8dc6fef00dbf2ec3370ecb081dd5c6cf85a4a37e7f12aacc83e07b803cc80adda29a11a4a3c715
+DIST gnupg-2.0.26.tar.bz2 4303384 SHA256 7758e30dc382ae7a7167ed41b7f936aa50af5ea2d6fccdef663b5b750b65b8e0 SHA512 5dd23baaac764fd48abd235ed52a85a2c7fd68b98fcde45c0f294ddb3b5629e8b1bd894585fbed4e6a6cb2bc4a5552c098c3cf1a849fffa469424fd0a4fee726 WHIRLPOOL 8d9b30337957f6bfeddea29116d862ef0c0ddd06d59bc2799db236b91b2c6767aad6f37f2166fc431c5d9454eb41f49f3e261bc38d0e89361f0c467f4591cd5a
+DIST gnupg-2.0.28.tar.bz2 4435779 SHA256 ce092ee4ab58fd19b9fb34a460c07b06c348f4360dd5dd4886d041eb521a534c SHA512 7e786fe0648d5ea453f9c7524fec4bd7d5eec26d28f723acf3cb2f7ec9c400c339f0926a179411876c3f8e08b06942dcec643dc930caf58239bbd4932f4bd3c1 WHIRLPOOL ccf7427e54a545914e89677618055a114b4c9dc4db48669a2fc726fced98475df4ed27c93bd180f1250d147111ee663c736cdf4e1d8afdc40ed967cdffd0eb66
+DIST gnupg-2.0.29.tar.bz2 4416251 SHA256 68ed6b386ba78425b05a60e8ee22785ff0fef190bdc6f1c612f19a58819d4ac9 SHA512 23b452c740ab5c1e1e37337ae0583dd3b15df58a5bb5639c0c2aef1fb603e0a7d90a257ac99b0d9dfb68b81fa061c0c64e0bfd256c00d64e2f432192f5052f37 WHIRLPOOL f3d59a9453b4a65c726788c35b065ffc9cde0b746705080cd3491c73439786d791da29cf8f5bf1e5594a0e39cfaec214e346fe18ec3acf0b425dc396aa189f33
+DIST gnupg-2.0.30.tar.bz2 4414652 SHA256 e329785a4f366ba5d72c2c678a7e388b0892ac8440c2f4e6810042123c235d71 SHA512 e60a57f7dc74b44f884fd50d5a9c51cef7df8c098644ebab9ef7d945a40b0e4a285d0dc80b10fe39d8e4c2cc9d6cbbe800a0ddae54883180dc755fe47ced3314 WHIRLPOOL 007315882becc1204edf6833a13610284ce7e1c73429fc3b4170c35ba61c645299f811f01b1bc0506b1cf94ce0de23af4cea33f51cf97397ec61caa15ce3ac6c
+DIST gnupg-2.1.12.tar.bz2 5510723 SHA256 ac34929d2400a58a349963865442ee6cdd75e500a8d5df083d29835e88bfc506 SHA512 fdf24d4980ba4011840fd2316a856db2bf50e531071c2bfb899af2b4f5580a9f2992f85a451670a7121d04b608bfb147cefdca1c6f6eb55bc23ecfe5052639e6 WHIRLPOOL ee5a748afee3aa4f8318c1bc1bcbd09232a71853291211f3c5cd8cc44fb70d126185ae9c13086247cd22a9b13c2102f4fa0553e25496c5152f2ce34dc2505d10
+DIST gnupg-2.1.13.tar.bz2 5545361 SHA256 4f9d83a6221daa60130fa79f0b1d37d6c20fffdd0320b640c7a597c5b6219675 SHA512 37b6271cdd68fc1d0ec848fa742932afbe8fc662597bcf20398585b51171e7abce40d99ab02f816160b34f7a8d1c60c6e43d8e0192ed107a521579b870b3ebd3 WHIRLPOOL 4b97e579bf988a2142bdb83420feef5e0549db0f0a17f2ee8b890e22cb54b38166459d25b05c7f9dcbb14dd5363bf08c24f377d09038884110e29dbbfeb9b73d
+EBUILD gnupg-1.4.19.ebuild 3372 SHA256 eb7614464a39d2a871f5963dcc61e82a13cbcab1aeedb0740228c726f895d2e9 SHA512 4726afc7f124f672e1e358fcc2b496728a8d3f507181d85d287f70eb743b5d3a527b020be2ba7473f4b60994169a380da501f100c09ed468818d2405c34b0797 WHIRLPOOL 1e9efd7a18e685fb42a1d8547b5668490b197ccdc4eab3bb07ca8075bcb58492a18f2d634ba8b1f91d2b8b872676106d31df4c38dcb645e113497989fcc13606
+EBUILD gnupg-1.4.20.ebuild 3384 SHA256 220365635e57bf6b01037ad79a28b86dffe7e80c5e9e80e3b1e837b747762f5e SHA512 4049594a0868d09b19e0611b502abcb3a6179525b5feb7dc608168071892847dab466242d138c96c93743480c7dcd81724e3038b199909ec1e7950e6916a6a38 WHIRLPOOL 01c17a71180ccb068155ed872f18774c90d9077323aa8b0db89b1e61f903f348c1f8f11970320d6ad30e17019bb17b9f6dc2e41bbea14001371ecba0fec4b860
+EBUILD gnupg-2.0.26-r3.ebuild 4937 SHA256 0c8a49c136a74580b1d439774aa5f719defca682f0beac59637da7610518f236 SHA512 89add708cee039960b75221b08145c68b9a8623f72e4112b92bd0bf962a461e9ab3d75698b8cdcf78a8d7e3afe4d70fe0978f9175b941b0048acebdcb20799a3 WHIRLPOOL 60fbff71c6b10e8fc5bcf86332e49f2d94217e706dd047afe8f5ceb22ccdf5acb52989a3da2f84aa3cdd0cd9f73aea447827d53a2ef583e22202e8ff04604030
+EBUILD gnupg-2.0.28.ebuild 4850 SHA256 22a7afe802626f9332fa07ccdbbb7b058c3d54ef4e64f9afa241080380eeab71 SHA512 34ebbe9c768e254248a79b92e746f2bad757d122bd329fb65436ae7c6f2405a43594d131b3ed88fa029579d76341de3ad7a59337c12a382e75b75f6ddd435a60 WHIRLPOOL 8d0a3bb121e247079b2330cb5294c572187c99fe591e535e4022c17c5c6c77241d990d89c459027641f392c185cf8260af28a5495e888f874558fe784f38b3cb
+EBUILD gnupg-2.0.29-r1.ebuild 4978 SHA256 7524b83ab9efaa9ea9cb54590ef2070d2f0a12e4063848703ae352913834a3b4 SHA512 3b177c3aa5949aa51a43c698dbd7bcdc208d152759acb2fd04b4c96a9fb2b31a608b06f5782f56a4cff1a03616c5947cbb8ef59eff948cbed9be220e7985f0e4 WHIRLPOOL b21df882aa93a645acaea838fdfc68e658408bbe0ab52e577b6f4ee65eb8e8dbc126d0a35f022edf9d239269c22fd82d68b239b8419397709d05532aa4f256e6
+EBUILD gnupg-2.0.30.ebuild 4980 SHA256 bd29bea48709efda695d96c1c31c383793a8ab56e742e74555b9e9b45a9bb335 SHA512 740d16d7c5aa29d8ade28b67d7bffacb036671b9aa1800ca04c5fb81d2dafbceb4529236e91b91c61e93cafed11cca7bd471ed165ce75941bf1fb38b9cbf5b90 WHIRLPOOL 8860cfdbe126f9a2a72126064ed866d21209ee55f318a1f6de1c56fed7a64fad1be78470968722f74ebb9eb1b67e87459525564ca40992fbe0a5226a09c9f218
+EBUILD gnupg-2.1.12-r1.ebuild 4505 SHA256 8d9582b49b8ef5cfc2bbd8259198826985000dd2cbfd7b3a686ffd6f546e5662 SHA512 e787f644803a19e5d65f5217cd2d326cccd1634febe3292e89663603d0bc251e6bab465b4e3ff55f51dadbcdf19ae03fa0c45a032135bcab6f80ab709ff16e0f WHIRLPOOL 660333c9f3811098e4de1b672dc57367c623d2c4fdeed7346eaee96f25c1109328fe93c9d8d2d04a7c583113e24bde61cb2bdd39adf83490e7f3ede5140816c8
+EBUILD gnupg-2.1.13.ebuild 4453 SHA256 51c1b9e0ff7e17d085193741a630469e223566a57cc276c0f7c94f413b659b96 SHA512 f70d133d4b62719a412f7ddfcb1641cfa6355e1f89ab4e347eb2f3668ae8f7244464e6dcf2b6d6ad5a0d123098ecb120fed0c2b0b941b6ecdc768895e074117a WHIRLPOOL 89beaf5768601c87a52a3e496b919f8a20cac84c10c946587cceb663ceef45a944f4ac1b0028df6d4ede399025d4caa09d37489d0c205f1cac4570691ae6335d
+MISC ChangeLog 10831 SHA256 206230b7d776f2fa5fca22b5a5747c233c239b53a4a2fbdd88b3356c12586e05 SHA512 427ecbf7cbbfbb6c21fc06f57a8d348942392f34db342d1e598e1e4f0066141b90f906033e09739e4382cd7e0f9349e3530765de1bb2192e977b885dbabae772 WHIRLPOOL faa1f9f7a83dfbcaa7f520157ebe9d8b67803dcb60ce5abb7c3bfd2c5bb157851ba017d3e6dddc9b69efbe1787a5ea058107743cbe6c563df4bb43cfc3afb8e6
+MISC ChangeLog-2015 89046 SHA256 295a825284cc7d9b7148c77733782937402db7e07fd7fbf0a9f44861d2018ce7 SHA512 9920db843f9cc1863f3529ac2022f591de8f0b930f82b64ca2859d542af679de3dcc733e5b55b8de060df9bf01ce68cd1828d0c179b1f9f05093cd6566efddc6 WHIRLPOOL d21dbe313d4c1b0e50012e0cc05560d13b712875514dbbea2f56be40ce85c99db8a7693a0f4492dd631119d37cbc796546fe5b62f5d6a6baf598d0a94c0ac0a3
+MISC metadata.xml 1085 SHA256 e71443e75b3f30d21e58ef2345e8accfa41a77ded9aa7e468d2f9cf86391aec6 SHA512 a1b9cff9cc07fb260a0f62c281ae2480bb5cc3e8aef2f3ddf8f320a77563abcaf3fedc61532928415307e2913c06b28c466c044cb56841247e73d25e800f0904 WHIRLPOOL b6fb597f66154504cc7d39813c37b7a67bf8ff31fc497bee71e61867e101c09a410010b8291e958415c7b79663679af1bce1677db3d512d432502efaa4976f9d
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.17-gpgsm-gencert.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.17-gpgsm-gencert.patch
new file mode 100644
index 0000000000..9506f81437
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.17-gpgsm-gencert.patch
@@ -0,0 +1,34 @@
+From c34486a64c223bcbfbb57d9abcf107d684b815b6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Diego=20Elio=20Petten=C3=B2?= <flameeyes@gmail.com>
+Date: Sun, 17 Apr 2011 01:34:39 +0200
+Subject: [PATCH] gpgsm-gencert.sh: make sure not to abort after creating temp
+ file.
+
+https://bugs.g10code.com/gnupg/issue1466
+
+---
+ tools/gpgsm-gencert.sh |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/tools/gpgsm-gencert.sh b/tools/gpgsm-gencert.sh
+index b209c8e..e7c812f 100755
+--- a/tools/gpgsm-gencert.sh
++++ b/tools/gpgsm-gencert.sh
+@@ -178,10 +178,10 @@ Key-Length: $KEY_LENGTH
+ Key-Usage: $KEY_USAGE
+ Name-DN: $NAME
+ EOF
+-[ -n "$KEY_GRIP" ] && echo "Key-Grip: $KEY_GRIP"
+-[ -n "$EMAIL_ADDRESSES" ] && echo "$EMAIL_ADDRESSES"
+-[ -n "$DNS_ADDRESSES" ] && echo "$DNS_ADDRESSES"
+-[ -n "$URI_ADDRESSES" ] && echo "$URI_ADDRESSES"
++[ -n "$KEY_GRIP" ] && echo "Key-Grip: $KEY_GRIP" || true
++[ -n "$EMAIL_ADDRESSES" ] && echo "$EMAIL_ADDRESSES" || true
++[ -n "$DNS_ADDRESSES" ] && echo "$DNS_ADDRESSES" || true
++[ -n "$URI_ADDRESSES" ] && echo "$URI_ADDRESSES" || true
+ ) > "$file_parameter"
+ 
+ 
+-- 
+1.7.5.rc1
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-Need-to-init-the-trustdb-for-import.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-Need-to-init-the-trustdb-for-import.patch
new file mode 100644
index 0000000000..4c9eff26fd
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-Need-to-init-the-trustdb-for-import.patch
@@ -0,0 +1,35 @@
+From a2dcc5cc49c3e79d64bd1a2ad7a5bc4df5b073ee Mon Sep 17 00:00:00 2001
+From: Kristian Fiskerstrand <kf@sumptuouscapital.com>
+Date: Wed, 13 Aug 2014 11:13:34 +0200
+Subject: [PATCH] gpg: Need to init the trustdb for import.
+
+* g10/trustdb.c (clear_ownertrusts): Init trustdb.
+
+--
+
+This was fixed in 1.4 branch in commit
+23191d7851eae2217ecdac6484349849a24fd94a but was not applied to the
+2.0 branch that exhibits the same problem. This is actually a hack
+to fix a bug introduced with commit 2528178.
+
+GnuPG-bug-id: 1622
+---
+ g10/trustdb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/g10/trustdb.c b/g10/trustdb.c
+index f96701a..7bfef25 100644
+--- a/g10/trustdb.c
++++ b/g10/trustdb.c
+@@ -923,6 +923,8 @@ clear_ownertrusts (PKT_public_key *pk)
+   TRUSTREC rec;
+   int rc;
+ 
++  init_trustdb();
++
+   if (trustdb_args.no_trustdb && opt.trust_model == TM_ALWAYS)
+     return 0;
+ 
+-- 
+1.8.5.5
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch
new file mode 100644
index 0000000000..734a04abd5
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.0.26-misc-cve.patch
@@ -0,0 +1,118 @@
+From ed8383c618e124cfa708c9ee87563fcdf2f4649c Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:53:34 -0500
+Subject: [PATCH] sm: Avoid double-free on iconv failure
+
+* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
+double-free of pwbuf.
+
+--
+
+Observed by Joshua Rogers <honey@internot.info>, who proposed a
+slightly different fix.
+
+Debian-Bug-Id: 773472
+
+Added fix at a second place - wk.
+---
+ sm/minip12.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/agent/minip12.c b/agent/minip12.c
+index 01b91b7..ca4d248 100644
+--- a/agent/minip12.c
++++ b/agent/minip12.c
+@@ -2422,6 +2422,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+                      " requested charset '%s': %s\n",
+                      charset, strerror (errno));
+           gcry_free (pwbuf);
++          pwbuf = NULL;
+           goto failure;
+         }
+ 
+@@ -2436,6 +2437,7 @@ p12_build (gcry_mpi_t *kparms, const void *cert, size_t certlen,
+                      " requested charset '%s': %s\n",
+                      charset, strerror (errno));
+           gcry_free (pwbuf);
++          pwbuf = NULL;
+           jnlib_iconv_close (cd);
+           goto failure;
+         }
+-- 
+1.7.10.4
+
+From b0b3803e8c2959dd67ca96debc54b5c6464f0d41 Mon Sep 17 00:00:00 2001
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Fri, 19 Dec 2014 18:07:55 -0500
+Subject: [PATCH] scd: Avoid double-free on error condition in scd
+
+* scd/command.c (cmd_readkey): avoid double-free of cert
+
+--
+
+When ksba_cert_new() fails, cert will be double-freed.
+
+Debian-Bug-Id: 773471
+
+Original patch changed by wk to do the free only at leave.
+---
+ scd/command.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/scd/command.c b/scd/command.c
+index dd4191f..1cc580a 100644
+--- a/scd/command.c
++++ b/scd/command.c
+@@ -804,10 +804,8 @@ cmd_readkey (assuan_context_t ctx, char *line)
+ 
+   rc = ksba_cert_new (&kc);
+   if (rc)
+-    {
+-      xfree (cert);
+-      goto leave;
+-    }
++    goto leave;
++
+   rc = ksba_cert_init_from_mem (kc, cert, ncert);
+   if (rc)
+     {
+-- 
+1.7.10.4
+
+From abd5f6752d693b7f313c19604f0723ecec4d39a6 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 22 Dec 2014 12:16:46 +0100
+Subject: [PATCH] dirmngr,gpgsm: Return NULL on fail
+
+* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
+* sm/gpgsm.c (parse_keyserver_line): Ditto.
+--
+
+Reported-by: Joshua Rogers <git@internot.info>
+
+  "If something inside the ldapserver_parse_one function failed,
+   'server' would be freed, then returned, leading to a
+   use-after-free.  This code is likely copied from sm/gpgsm.c, which
+   was also susceptible to this bug."
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+---
+ dirmngr/ldapserver.c |    1 +
+ sm/gpgsm.c           |    1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/sm/gpgsm.c b/sm/gpgsm.c
+index 3398d17..72bceb4 100644
+--- a/sm/gpgsm.c
++++ b/sm/gpgsm.c
+@@ -862,6 +862,7 @@ parse_keyserver_line (char *line,
+     {
+       log_info (_("%s:%u: skipping this line\n"), filename, lineno);
+       keyserver_list_free (server);
++      server = NULL;
+     }
+ 
+   return server;
+-- 
+1.7.10.4
+
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild
new file mode 100644
index 0000000000..a1958e6efb
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/gnupg/gnupg-2.0.26-r3.ebuild,v 1.12 2015/03/30 03:06:10 tgall Exp $
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="The GNU Privacy Guard, a GPL pgp replacement"
+HOMEPAGE="http://www.gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${P}.tar.bz2"
+# SRC_URI="ftp://ftp.gnupg.org/gcrypt/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="alpha amd64 arm arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls mta readline static selinux smartcard tools usb"
+
+COMMON_DEPEND_LIBS="
+	>=dev-libs/libassuan-2
+	>=dev-libs/libgcrypt-1.4:0=
+	>=dev-libs/libgpg-error-1.11
+	>=dev-libs/libksba-1.0.7
+	>=dev-libs/pth-1.3.7
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	readline? ( sys-libs/readline )
+	smartcard? ( usb? ( virtual/libusb:0 ) )
+	ldap? ( net-nds/openldap )"
+COMMON_DEPEND_BINS="app-crypt/pinentry"
+
+# Existence of executables is checked during configuration.
+DEPEND="${COMMON_DEPEND_LIBS}
+	${COMMON_DEPEND_BINS}
+	static? (
+		>=dev-libs/libassuan-2[static-libs]
+		>=dev-libs/libgcrypt-1.4:0=[static-libs]
+		>=dev-libs/libgpg-error-1.11[static-libs]
+		>=dev-libs/libksba-1.0.7[static-libs]
+		>=dev-libs/pth-1.3.7[static-libs]
+		>=net-misc/curl-7.10[static-libs]
+		sys-libs/zlib[static-libs]
+		bzip2? ( app-arch/bzip2[static-libs] )
+	)
+	nls? ( sys-devel/gettext )
+	doc? ( sys-apps/texinfo )"
+
+RDEPEND="!static? ( ${COMMON_DEPEND_LIBS} )
+	${COMMON_DEPEND_BINS}
+	mta? ( virtual/mta )
+	!<=app-crypt/gnupg-2.0.1
+	selinux? ( sec-policy/selinux-gpg )
+	nls? ( virtual/libintl )"
+
+REQUIRED_USE="smartcard? ( !static )"
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch"
+	epatch "${FILESDIR}/${P}-Need-to-init-the-trustdb-for-import.patch"
+	epatch "${FILESDIR}/${P}-misc-cve.patch"
+	epatch_user
+}
+
+src_configure() {
+	local myconf=()
+
+	# 'USE=static' support was requested:
+	# gnupg1: bug #29299
+	# gnupg2: bug #159623
+	use static && append-ldflags -static
+
+	if use smartcard; then
+		myconf+=(
+			--enable-scdaemon
+			$(use_enable usb ccid-driver)
+		)
+	else
+		myconf+=( --disable-scdaemon )
+	fi
+
+	if use elibc_SunOS || use elibc_AIX; then
+		myconf+=( --disable-symcryptrun )
+	else
+		myconf+=( --enable-symcryptrun )
+	fi
+
+	econf \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--enable-gpg \
+		--enable-gpgsm \
+		--enable-agent \
+		--without-adns \
+		"${myconf[@]}" \
+		$(use_enable bzip2) \
+		$(use_enable nls) \
+		$(use_enable mta mailto) \
+		$(use_enable ldap) \
+		$(use_with readline) \
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+}
+
+src_compile() {
+	default
+
+	if use doc; then
+		cd doc
+		emake html
+	fi
+}
+
+src_install() {
+	default
+
+	use tools && dobin tools/{convert-from-106,gpg-check-pattern} \
+		tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys,make-dns-cert}
+
+	emake DESTDIR="${D}" -f doc/Makefile uninstall-nobase_dist_docDATA
+	rm "${ED}"/usr/share/gnupg/help* || die
+
+	dodoc ChangeLog NEWS README THANKS TODO VERSION doc/FAQ doc/DETAILS \
+		doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER doc/help*
+
+	dosym gpg2 /usr/bin/gpg
+	dosym gpgv2 /usr/bin/gpgv
+	dosym gpg2keys_hkp /usr/libexec/gpgkeys_hkp
+	dosym gpg2keys_finger /usr/libexec/gpgkeys_finger
+	dosym gpg2keys_curl /usr/libexec/gpgkeys_curl
+	if use ldap; then
+		dosym gpg2keys_ldap /usr/libexec/gpgkeys_ldap
+	fi
+	echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1
+	echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg
+
+	if use doc; then
+		dohtml doc/gnupg.html/* doc/*.png
+	fi
+}
+
+pkg_postinst() {
+	elog "If you wish to view images emerge:"
+	elog "media-gfx/xloadimage, media-gfx/xli or any other viewer"
+	elog "Remember to use photo-viewer option in configuration file to activate"
+	elog "the right viewer."
+	elog
+
+	if use smartcard; then
+		elog "To use your OpenPGP smartcard (or token) with GnuPG you need one of"
+		use usb && elog " - a CCID-compatible reader, used directly through libusb;"
+		elog " - sys-apps/pcsc-lite and a compatible reader device;"
+		elog " - dev-libs/openct and a compatible reader device;"
+		elog " - a reader device and drivers exporting either PC/SC or CT-API interfaces."
+		elog ""
+		elog "General hint: you probably want to try installing sys-apps/pcsc-lite and"
+		elog "app-crypt/ccid first."
+	fi
+
+	ewarn "Please remember to restart gpg-agent if a different version"
+	ewarn "of the agent is currently used. If you are unsure of the gpg"
+	ewarn "agent you are using please run 'killall gpg-agent',"
+	ewarn "and to start a fresh daemon just run 'gpg-agent --daemon'."
+}
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
new file mode 100644
index 0000000000..04058e5e27
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>crypto@gentoo.org</email>
+    <name>Crypto</name>
+  </maintainer>
+  <longdescription>
+    GnuPG is a complete and free implementation of the OpenPGP standard as
+    defined by RFC4880.
+  </longdescription>
+  <use>
+    <flag name="smartcard">
+      Build scdaemon software. Enables usage of OpenPGP cards. For
+      other type of smartcards, try
+      <pkg>app-crypt/gnupg-pkcs11-scd</pkg>.
+      Bring in <pkg>dev-libs/libusb</pkg> as a dependency; enable
+      scdaemon.
+    </flag>
+    <flag name="usb">
+      Build direct CCID access for scdaemon; requires
+      <pkg>dev-libs/libusb</pkg>.
+    </flag>
+    <flag name="mta">
+      Build mta support using
+      <pkg>virtual/mta</pkg>.
+    </flag>
+    <flag name="tofu">
+      Enable support for Trust of First use trust model; requires
+      <pkg>dev-db/sqlite</pkg>.
+    </flag>
+    <flag name="tools">
+      Install extra tools.
+    </flag>
+  </use>
+</pkgmetadata>
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
index 1383b6198a..1295a35ea2 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.accept_keywords
@@ -41,3 +41,5 @@
 =sys-fs/quota-4.02 **
 =sys-fs/xfsprogs-3.2.2-r1 **
 =sys-process/lsof-4.89 ~arm64
+=apps-crypt/gnupg-2.0.26-r4 ~arm64
+=dev-libs/libksba-1.3.3 ~arm64
diff --git a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.provided b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.provided
index 7ff9f93672..5851346bdd 100644
--- a/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.provided
+++ b/sdk_container/src/third_party/coreos-overlay/profiles/coreos/arm64/package.provided
@@ -6,7 +6,6 @@ dev-lang/perl-5.12.4-r1
 dev-libs/gobject-introspection-1.40.0-r1
 sys-apps/kexec-tools-2.0.4-r1
 dev-util/boost-build-1.55.0
-app-crypt/gnupg-2.0.26-r3
 
 # build errors
 net-dns/bind-tools-9.10.1_p1