sdk: add opensc dependency

it's used to interact with the HSM device.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>

.github/workflows/portage-stable-packages-list

@@ -17,7 +17,9 @@ acct-group/messagebus
 acct-group/netperf
 acct-group/nobody
 acct-group/ntp
+acct-group/openct
 acct-group/pcap
+acct-group/pcscd
 acct-group/polkitd
 acct-group/portage
 acct-group/render
@@ -34,6 +36,7 @@ acct-group/systemd-timesync
 acct-group/tape
 acct-group/tss
 acct-group/tty
+acct-group/usb
 acct-group/users
 acct-group/utmp
 acct-group/uucp
@@ -47,6 +50,7 @@ acct-user/netperf
 acct-user/nobody
 acct-user/ntp
 acct-user/pcap
+acct-user/pcscd
 acct-user/polkitd
 acct-user/portage
 acct-user/root
@@ -214,6 +218,7 @@ dev-libs/nettle
 dev-libs/npth
 dev-libs/nspr
 dev-libs/oniguruma
+dev-libs/opensc
 dev-libs/popt
 dev-libs/protobuf
 dev-libs/userspace-rcu
@@ -469,6 +474,7 @@ sys-apps/miscfiles
 sys-apps/net-tools
 sys-apps/nvme-cli
 sys-apps/pciutils
+sys-apps/pcsc-lite
 sys-apps/portage
 sys-apps/pv
 sys-apps/sandbox

sdk_container/src/third_party/coreos-overlay/coreos-base/hard-host-depends/hard-host-depends-0.0.1.ebuild

@@ -96,6 +96,7 @@ RDEPEND="${RDEPEND}
 RDEPEND="${RDEPEND}
 	sys-fs/squashfs-tools
 	dev-libs/libp11
+	dev-libs/opensc
 	"
 
 # Host dependencies that are needed for delta_generator.

sdk_container/src/third_party/portage-stable/acct-group/openct/metadata.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-group/openct/openct-0-r2.ebuild

@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=46

sdk_container/src/third_party/portage-stable/acct-group/pcscd/metadata.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-group/pcscd/pcscd-0-r2.ebuild

@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=47

sdk_container/src/third_party/portage-stable/acct-group/usb/metadata.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-group/usb/usb-0-r2.ebuild

@@ -0,0 +1,8 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-group
+
+ACCT_GROUP_ID=85

sdk_container/src/third_party/portage-stable/acct-user/pcscd/metadata.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<!-- maintainer-needed -->
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-user/pcscd/pcscd-0-r2.ebuild

@@ -0,0 +1,13 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit acct-user
+
+DESCRIPTION="A user for pcsc-lite"
+ACCT_USER_ID=47
+ACCT_USER_GROUPS=( pcscd openct usb )
+ACCT_USER_GROUPS=( pcscd openct )
+
+acct-user_add_deps

sdk_container/src/third_party/portage-stable/dev-libs/opensc/Manifest

@@ -0,0 +1 @@
+DIST opensc-0.23.0.tar.gz 2366469 BLAKE2B c0f74379a70347a58be27684ae2cf833e6f35328b566af2c6daa8276174864406fa176acf7ba84931970fe07e3dd8d6eccf7884f079cb0110c4d6ff9a76792dc SHA512 cd102cd64e719c59153960a4921b7525055045f16e6f6ffa8c9def6ce999a9c5098267b41f8753b41107f626bea20c34561002f5d38eddb4ce6b371913a17a1b

sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-CVE-2023-2977.patch

@@ -0,0 +1,49 @@
+From 81944d1529202bd28359bede57c0a15deb65ba8a Mon Sep 17 00:00:00 2001
+From: fullwaywang <fullwaywang@tencent.com>
+Date: Mon, 29 May 2023 10:38:48 +0800
+Subject: [PATCH] pkcs15init: correct left length calculation to fix buffer
+ overrun bug. Fixes #2785
+
+---
+ src/pkcs15init/pkcs15-cardos.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pkcs15init/pkcs15-cardos.c b/src/pkcs15init/pkcs15-cardos.c
+index 9715cf390f..f41f73c349 100644
+--- a/src/pkcs15init/pkcs15-cardos.c
++++ b/src/pkcs15init/pkcs15-cardos.c
+@@ -872,7 +872,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
++	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -888,13 +888,13 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
++		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
++		if (pp == NULL)
+ 			return 0;
+ 		if (card->type == SC_CARD_TYPE_CARDOS_M4_3)	{
+ 			/* the verifyRC package on CardOS 4.3B use Manufacturer ID 0x01	*/
+ 			/* and Package Number 0x07					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x07)
+@@ -902,7 +902,7 @@ static int cardos_have_verifyrc_package(sc_card_t *card)
+ 		} else if (card->type == SC_CARD_TYPE_CARDOS_M4_4)	{
+ 			/* the verifyRC package on CardOS 4.4 use Manufacturer ID 0x03	*/
+ 			/* and Package Number 0x02					*/
+-			q = sc_asn1_find_tag(card->ctx, p, tlen, 0x03, &ilen);
++			q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x03, &ilen);
+ 			if (q == NULL || ilen != 4)
+ 				return 0;
+ 			if (q[0] == 0x02)

sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2656.patch

@@ -0,0 +1,215 @@
+https://bugs.gentoo.org/909781
+https://github.com/OpenSC/libp11/issues/478
+https://github.com/OpenSC/OpenSC/pull/2656
+
+From 99f7b82f187ca3512ceae6270c391243d018fdac Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:08:53 +0100
+Subject: [PATCH 1/4] pkcs11-tool: Fix private key import
+
+---
+ src/tools/pkcs11-tool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index aae205fe2c..cfee8526d5 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3669,13 +3669,13 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 		RSA_get0_factors(r, &r_p, &r_q);
+ 		RSA_get0_crt_params(r, &r_dmp1, &r_dmq1, &r_iqmp);
+ #else
+-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_d) != 1 ||
++		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_D, &r_d) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR1, &r_p) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT3, &r_iqmp) != 1) {
+ 			util_fatal("OpenSSL error during RSA private key parsing");
++			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 4a6e1d1dcd18757502027b1c5d2fb2cbaca28407 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:11:41 +0100
+Subject: [PATCH 2/4] pkcs11-tool: Log more information on OpenSSL errors
+
+---
+ src/tools/pkcs11-tool.c | 15 ++++++---------
+ 1 file changed, 6 insertions(+), 9 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index cfee8526d5..f2e6b1dd91 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3641,10 +3641,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	const BIGNUM *r_dmp1, *r_dmq1, *r_iqmp;
+ 	r = EVP_PKEY_get1_RSA(pkey);
+ 	if (!r) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
++		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	}
+ 
+ 	RSA_get0_key(r, &r_n, &r_e, NULL);
+@@ -3654,10 +3652,8 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 	BIGNUM *r_dmp1 = NULL, *r_dmq1 = NULL, *r_iqmp = NULL;
+ 	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_N, &r_n) != 1 ||
+ 		EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &r_e) != 1) {
+-		if (private)
+-			util_fatal("OpenSSL error during RSA private key parsing");
+-		else
+-			util_fatal("OpenSSL error during RSA public key parsing");
++		util_fatal("OpenSSL error during RSA %s key parsing: %s", private ? "private" : "public",
++			ERR_error_string(ERR_peek_last_error(), NULL));
+ 	 }
+ #endif
+ 	RSA_GET_BN(rsa, modulus, r_n);
+@@ -3674,8 +3670,9 @@ parse_rsa_pkey(EVP_PKEY *pkey, int private, struct rsakey_info *rsa)
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_FACTOR2, &r_q) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &r_dmp1) != 1 ||
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &r_dmq1) != 1 ||
+-			util_fatal("OpenSSL error during RSA private key parsing");
+ 			EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &r_iqmp) != 1) {
++			util_fatal("OpenSSL error during RSA private key parsing: %s",
++				ERR_error_string(ERR_peek_last_error(), NULL));
+ 		}
+ #endif
+ 		RSA_GET_BN(rsa, private_exponent, r_d);
+
+From 267da3e81f1fc23a9ccce1462ab5deb1a4d4aec5 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 1 Dec 2022 20:38:31 +0100
+Subject: [PATCH 3/4] Reproducer for broken pkcs11-tool key import
+
+---
+ tests/Makefile.am                | 10 ++++---
+ tests/test-pkcs11-tool-import.sh | 48 ++++++++++++++++++++++++++++++++
+ 2 files changed, 54 insertions(+), 4 deletions(-)
+ create mode 100755 tests/test-pkcs11-tool-import.sh
+
+diff --git a/tests/Makefile.am b/tests/Makefile.am
+index d378e2ee00..9d8a24c321 100644
+--- a/tests/Makefile.am
++++ b/tests/Makefile.am
+@@ -14,8 +14,9 @@ dist_noinst_SCRIPTS = common.sh \
+                       test-pkcs11-tool-test-threads.sh \
+                       test-pkcs11-tool-sign-verify.sh \
+                       test-pkcs11-tool-allowed-mechanisms.sh \
+-                      test-pkcs11-tool-sym-crypt-test.sh\
+-                      test-pkcs11-tool-unwrap-wrap-test.sh
++                      test-pkcs11-tool-sym-crypt-test.sh \
++                      test-pkcs11-tool-unwrap-wrap-test.sh \
++                      test-pkcs11-tool-import.sh
+ 
+ .NOTPARALLEL:
+ TESTS = \
+@@ -25,8 +26,9 @@ TESTS = \
+         test-pkcs11-tool-test.sh \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-allowed-mechanisms.sh \
+-        test-pkcs11-tool-sym-crypt-test.sh\
+-        test-pkcs11-tool-unwrap-wrap-test.sh
++        test-pkcs11-tool-sym-crypt-test.sh \
++        test-pkcs11-tool-unwrap-wrap-test.sh \
++        test-pkcs11-tool-import.sh
+ XFAIL_TESTS = \
+         test-pkcs11-tool-test-threads.sh \
+         test-pkcs11-tool-test.sh
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+new file mode 100755
+index 0000000000..76ff8e51be
+--- /dev/null
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -0,0 +1,48 @@
++#!/bin/bash
++SOURCE_PATH=${SOURCE_PATH:-..}
++
++source $SOURCE_PATH/tests/common.sh
++
++echo "======================================================="
++echo "Setup SoftHSM"
++echo "======================================================="
++if [[ ! -f $P11LIB ]]; then
++    echo "WARNING: The SoftHSM is not installed. Can not run this test"
++    exit 77;
++fi
++card_setup
++
++ID="0100"
++OPTS=""
++for KEYTYPE in "RSA" "EC"; do
++    echo "======================================================="
++    echo "Generate and import $KEYTYPE keys"
++    echo "======================================================="
++    if [ "$KEYTYPE" == "RSA" ]; then
++        ID="0100"
++    elif [ "$KEYTYPE" == "EC" ]; then
++        ID="0200"
++        OPTS="-pkeyopt ec_paramgen_curve:P-521"
++    fi
++    openssl genpkey -out "${KEYTYPE}_private.der" -outform DER -algorithm $KEYTYPE $OPTS
++    assert $? "Failed to generate private $KEYTYPE key"
++    $PKCS11_TOOL --write-object "${KEYTYPE}_private.der" --id "$ID" --type privkey \
++        --label "$KEYTYPE" -p "$PIN" --module "$P11LIB"
++    assert $? "Failed to write private $KEYTYPE key"
++
++    openssl pkey -in "${KEYTYPE}_private.der" -out "${KEYTYPE}_public.der" -pubout -inform DER -outform DER
++    assert $? "Failed to convert private $KEYTYPE key to public"
++    $PKCS11_TOOL --write-object "${KEYTYPE}_public.der" --id "$ID" --type pubkey --label "$KEYTYPE" \
++        -p $PIN --module $P11LIB
++    assert $? "Failed to write public $KEYTYPE key"
++    # certificate import already tested in all other tests
++
++    rm "${KEYTYPE}_private.der" "${KEYTYPE}_public.der"
++done
++
++echo "======================================================="
++echo "Cleanup"
++echo "======================================================="
++card_cleanup
++
++exit $ERRORS
+
+From 63a7bceeca43ece1eee201ef7a974b20b294ba4e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jakuje@gmail.com>
+Date: Fri, 2 Dec 2022 18:07:43 +0100
+Subject: [PATCH 4/4] Simplify the new test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Co-authored-by: Veronika Hanulíková <61348757+xhanulik@users.noreply.github.com>
+---
+ tests/test-pkcs11-tool-import.sh | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/tests/test-pkcs11-tool-import.sh b/tests/test-pkcs11-tool-import.sh
+index 76ff8e51be..c90b3b4926 100755
+--- a/tests/test-pkcs11-tool-import.sh
++++ b/tests/test-pkcs11-tool-import.sh
+@@ -12,15 +12,13 @@ if [[ ! -f $P11LIB ]]; then
+ fi
+ card_setup
+ 
+-ID="0100"
+-OPTS=""
+ for KEYTYPE in "RSA" "EC"; do
+     echo "======================================================="
+     echo "Generate and import $KEYTYPE keys"
+     echo "======================================================="
+-    if [ "$KEYTYPE" == "RSA" ]; then
+-        ID="0100"
+-    elif [ "$KEYTYPE" == "EC" ]; then
++    ID="0100"
++    OPTS=""
++    if [ "$KEYTYPE" == "EC" ]; then
+         ID="0200"
+         OPTS="-pkeyopt ec_paramgen_curve:P-521"
+     fi

sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc-0.23.0-backport-pr2765.patch

@@ -0,0 +1,39 @@
+https://bugs.gentoo.org/909781
+https://github.com/OpenSC/OpenSC/pull/2765
+
+From 36178c8188521f2627d2eea428a7e53d149eed58 Mon Sep 17 00:00:00 2001
+From: Peter Popovec <popovec.peter@gmail.com>
+Date: Fri, 28 Apr 2023 10:50:25 +0200
+Subject: [PATCH] Fix pkcs11-tool unwrap / incorrect CKA_ID
+
+"object_id[]" and "id_len" must be allocated so that it is not deallocated
+or overwritten (on the stack) at the time of the C_UnwrapKey() call.
+
+	modified:   src/tools/pkcs11-tool.c
+---
+ src/tools/pkcs11-tool.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
+index 890ca27060..f3a01ab4cf 100644
+--- a/src/tools/pkcs11-tool.c
++++ b/src/tools/pkcs11-tool.c
+@@ -3347,6 +3347,8 @@ unwrap_key(CK_SESSION_HANDLE session)
+ 		{CKA_CLASS, &secret_key_class, sizeof(secret_key_class)},
+ 		{CKA_TOKEN, &_true, sizeof(_true)},
+ 	};
++	CK_BYTE object_id[100];
++	size_t id_len;
+ 	CK_OBJECT_HANDLE hSecretKey;
+ 	int n_attr = 2;
+ 	CK_RV rv;
+@@ -3450,9 +3452,6 @@ unwrap_key(CK_SESSION_HANDLE session)
+ 	}
+ 
+ 	if (opt_application_id != NULL) {
+-		CK_BYTE object_id[100];
+-		size_t id_len;
+-
+ 		id_len = sizeof(object_id);
+ 		if (!sc_hex_to_bin(opt_application_id, object_id, &id_len)) {
+ 			FILL_ATTR(keyTemplate[n_attr], CKA_ID, object_id, id_len);

sdk_container/src/third_party/portage-stable/dev-libs/opensc/files/opensc.module

@@ -0,0 +1,8 @@
+# This file describes how to load the opensc module
+# See: http://p11-glue.freedesktop.org/doc/p11-kit/config.html
+
+# This is a relative path, which means it will be loaded from
+# the p11-kit default path which is usually $(libdir)/pkcs11.
+# Doing it this way allows for packagers to package opensc for
+# 32-bit and 64-bit and make them parallel installable
+module: onepin-opensc-pkcs11.so

sdk_container/src/third_party/portage-stable/dev-libs/opensc/metadata.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<email>soap@gentoo.org</email>
+		<name>David Seifert</name>
+	</maintainer>
+	<longdescription>
+		OpenSC is a library for accessing SmartCard devices. It is also
+		the core library of the OpenSC project.
+
+		Basic functionality (e.g. SELECT FILE, READ BINARY) should work on
+		any ISO 7816-4 compatible SmartCard.  Encryption and decryption
+		using private keys on the SmartCard is possible with PKCS #15
+		compatible cards, such as the FINEID (Finnish Electronic IDentity)
+		card.
+	</longdescription>
+	<use>
+		<flag name="ctapi">Use CT-API for accessing Smartcard hardware</flag>
+		<flag name="notify">Enable notifications</flag>
+		<flag name="openct">Use <pkg>dev-libs/openct</pkg> (and CT-API) for accessing Smartcard hardware</flag>
+		<flag name="pace">Use <pkg>dev-libs/openpace</pkg> for EAC version 2 support</flag>
+		<flag name="pcsc-lite">Use <pkg>sys-apps/pcsc-lite</pkg> (and PC/SC API) for accessing Smartcard hardware</flag>
+		<flag name="secure-messaging">Enable secure messaging</flag>
+	</use>
+	<upstream>
+		<remote-id type="github">OpenSC/OpenSC</remote-id>
+		<remote-id type="sourceforge">opensc</remote-id>
+	</upstream>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r2.ebuild

@@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="amd64 ~arm ~arm64 ~hppa ~loong ~ppc ppc64 ~riscv ~s390 ~sparc x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2023-2977.patch
+	"${FILESDIR}"/${P}-backport-pr2656.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}

sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-0.23.0-r3.ebuild

@@ -0,0 +1,82 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit autotools bash-completion-r1
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+PATCHES=(
+	"${FILESDIR}"/${P}-CVE-2023-2977.patch
+	"${FILESDIR}"/${P}-backport-pr2656.patch
+	"${FILESDIR}"/${P}-backport-pr2765.patch
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}

sdk_container/src/third_party/portage-stable/dev-libs/opensc/opensc-9999.ebuild

@@ -0,0 +1,81 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 libtool
+
+DESCRIPTION="Libraries and applications to access smartcards"
+HOMEPAGE="https://github.com/OpenSC/OpenSC/wiki"
+
+if [[ ${PV} == *9999 ]]; then
+	inherit autotools git-r3
+	EGIT_REPO_URI="https://github.com/OpenSC/OpenSC.git"
+else
+	SRC_URI="https://github.com/OpenSC/OpenSC/releases/download/${PV}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~ppc64 ~x86"
+fi
+
+LICENSE="LGPL-2.1"
+SLOT="0"
+IUSE="ctapi doc openct notify pace +pcsc-lite readline secure-messaging ssl test zlib"
+RESTRICT="!test? ( test )"
+
+RDEPEND="zlib? ( sys-libs/zlib )
+	readline? ( sys-libs/readline:0= )
+	ssl? ( dev-libs/openssl:0= )
+	openct? ( >=dev-libs/openct-0.5.0 )
+	pace? ( dev-libs/openpace:= )
+	pcsc-lite? ( >=sys-apps/pcsc-lite-1.3.0 )
+	notify? ( dev-libs/glib:2 )"
+DEPEND="${RDEPEND}
+	app-text/docbook-xsl-stylesheets
+	dev-libs/libxslt
+	test? ( dev-util/cmocka )"
+BDEPEND="virtual/pkgconfig"
+
+REQUIRED_USE="
+	pcsc-lite? ( !openct !ctapi )
+	openct? ( !pcsc-lite !ctapi )
+	ctapi? ( !pcsc-lite !openct )
+	|| ( pcsc-lite openct ctapi )"
+
+src_prepare() {
+	default
+
+	if [[ ${PV} == *9999 ]]; then
+		eautoreconf
+	else
+		elibtoolize
+	fi
+}
+
+src_configure() {
+	# don't want to run upstream's clang-tidy checks
+	export ac_cv_path_CLANGTIDY=""
+
+	econf \
+		--with-completiondir="$(get_bashcompdir)" \
+		--disable-strict \
+		--enable-man \
+		$(use_enable ctapi) \
+		$(use_enable doc) \
+		$(use_enable notify) \
+		$(use_enable openct) \
+		$(use_enable pace openpace) \
+		$(use_enable pcsc-lite pcsc) \
+		$(use_enable readline) \
+		$(use_enable secure-messaging sm) \
+		$(use_enable ssl openssl) \
+		$(use_enable test cmocka) \
+		$(use_enable zlib)
+}
+
+src_install() {
+	default
+
+	insinto /etc/pkcs11/modules/
+	doins "${FILESDIR}"/opensc.module
+
+	find "${ED}" -name '*.la' -delete || die
+}

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/Manifest

@@ -0,0 +1,2 @@
+DIST pcsc-lite-2.0.0.tar.bz2 799011 BLAKE2B d93fffebbe3daf389fcd8195c9fb3d76db64dbb98ac9c7ecd08338331389298e710ca71187cb73165868b0b5e66cb9735b60e22d508db1c1a81e04555103948a SHA512 4b34628d3269ae1859f19d2ab7eb74a76a55f3d76fbc9e4e420a081a065b1d0d7b98680552c7208f3265c684bed844afc6be1c2e5f103ad916ce7f38b52ee68c
+DIST pcsc-lite-2.0.1.tar.bz2 815103 BLAKE2B a9eea4a4da1a78fc22797b17c128889b2f7caf8c4aa02dd77f4ac79e4ec458fb0162578b5422552545cd39303750d5396f3687f8cfee7603fad8d60cb54ee1e8 SHA512 af007f00f43e8d897710580f6f27814c9e7d3ca489ff01edf2e3b979e46267915aa04d9c15f225a420fa681de936e42a1d4779d962717cf9a9f4a3d1ca31502b

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/99-pcscd-hotplug-r1.rules

@@ -0,0 +1,6 @@
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+# We add this here so that it runs after ccid's and ifd-gempc's rules;
+# if we just added a pcscd-owned device, we hotplug the pcscd service.
+ACTION=="add", ENV{PCSCD}=="1", GROUP="pcscd", TAG+="systemd", ENV{SYSTEMD_WANTS}+="pcscd.service", RUN+="pcscd.sh"

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.8.11-polkit-pcscd.patch

@@ -0,0 +1,20 @@
+Index: pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
+===================================================================
+--- pcsc-lite-1.8.11.orig/doc/org.debian.pcsc-lite.policy
++++ pcsc-lite-1.8.11/doc/org.debian.pcsc-lite.policy
+@@ -15,6 +15,7 @@
+       <allow_inactive>auth_admin</allow_inactive>
+       <allow_active>yes</allow_active>
+     </defaults>
++    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
+   </action>
+ 
+   <action id="org.debian.pcsc-lite.access_card">
+@@ -25,6 +26,7 @@
+       <allow_inactive>auth_admin</allow_inactive>
+       <allow_active>yes</allow_active>
+     </defaults>
++    <annotate key="org.freedesktop.policykit.owner">unix-user:pcscd</annotate>
+   </action>
+ 
+ </policyconfig>

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcsc-lite-1.9.8-systemd-user.patch

@@ -0,0 +1,18 @@
+Don't run the daemon as root
+https://bugs.gentoo.org/545390
+
+--- a/etc/pcscd.service.in
++++ b/etc/pcscd.service.in
+@@ -4,9 +4,12 @@
+ Documentation=man:pcscd(8)
+ 
+ [Service]
++PIDFile=/run/pcscd/pcscd.pid
+ ExecStart=@sbindir_exp@/pcscd --foreground --auto-exit $PCSCD_ARGS
+ ExecReload=@sbindir_exp@/pcscd --hotplug
+ EnvironmentFile=-@sysconfdir@/default/pcscd
++User=pcscd
++Group=pcscd
+ 
+ [Install]
+ Also=pcscd.socket

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-init.7

@@ -0,0 +1,22 @@
+#!/sbin/openrc-run
+# Copyright 1999-2019 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+name="PC/SC Daemon"
+
+pidfile=/run/pcscd/pcscd.pid
+
+command=/usr/sbin/pcscd
+command_args="${EXTRA_OPTS}"
+
+start_stop_daemon_args="--user pcscd:pcscd"
+
+depend() {
+	need localmount
+	after udev openct dbus
+	use logger
+}
+
+start_pre() {
+	checkpath -q -d -m 0755 -o pcscd:pcscd /run/pcscd
+}

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd-udev

@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# pcscd.sh: udev external RUN script
+#
+# based on netifrc net.sh helper
+# Copyright 2007 Roy Marples <uberlord@gentoo.org>
+# Distributed under the terms of the GNU General Public License v2
+
+# make sure openrc is managing services
+if [ ! -d /run/openrc ]; then
+	exit 0
+fi
+
+IN_HOTPLUG=1 /etc/init.d/pcscd --quiet start

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/files/pcscd.conf

@@ -0,0 +1 @@
+d /run/pcscd 0755 pcscd pcscd -

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/metadata.xml

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<use>
+		<flag name="embedded">limit RAM and CPU ressources by disabling features</flag>
+		<flag name="libusb" restrict="&gt;=sys-apps/pcsc-lite-1.8.0">Use <pkg>dev-libs/libusb</pkg> detection to hotplug new smartcard readers. This flag should only be enabled if you're running a non-Linux kernel or you don't want to use udev.</flag>
+		<flag name="udev">Use <pkg>virtual/libudev</pkg> rules to handle devices' permissions and hotplug support. Unless you know what you're doing do not disable this flag on Linux kernels. This is provided as an option for completeness.</flag>
+		<flag name="policykit">Uses <pkg>sys-auth/polkit</pkg> to restrict access to smartcard readers or smartcards to given users.</flag>
+	</use>
+	<upstream>
+		<changelog>https://salsa.debian.org/rousseau/PCSC/blob/master/ChangeLog</changelog>
+		<remote-id type="github">LudovicRousseau/PCSC</remote-id>
+	</upstream>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.0.ebuild

@@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+	libusb? ( virtual/libusb:1 )
+	udev? ( virtual/libudev:= )
+	policykit? ( >=sys-auth/polkit-0.111 )
+	acct-group/openct
+	acct-group/pcscd
+	acct-user/pcscd
+	${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-pcscd )"
+BDEPEND="
+	sys-devel/flex
+	virtual/pkgconfig"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		--disable-maintainer-mode \
+		--disable-strict \
+		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+		--enable-ipcdir=/run/pcscd \
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+		$(multilib_native_use_enable doc documentation) \
+		$(multilib_native_use_enable embedded) \
+		$(multilib_native_use_enable systemd libsystemd) \
+		$(multilib_native_use_enable udev libudev) \
+		$(multilib_native_use_enable libusb) \
+		$(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	dodoc HELP SECURITY
+
+	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+	dotmpfiles "${FILESDIR}"/pcscd.conf
+
+	if use udev; then
+		exeinto "$(get_udevdir)"
+		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+		insinto "$(get_udevdir)"/rules.d
+		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+	fi
+
+	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+	elog "the pcscd group, to avoid running as root."
+	elog
+	elog "This also means you need the newest drivers available so that the"
+	elog "devices get the proper owner."
+	elog
+	elog "Furthermore, a conf.d file is no longer installed by default, as"
+	elog "the default configuration does not require one. If you need to"
+	elog "pass further options to pcscd, create a file and set the"
+	elog "EXTRA_OPTS variable."
+	elog
+
+	if use udev; then
+		elog "Hotplug support is provided by udev rules."
+		elog "When using OpenRC you additionally need to tell it to hotplug"
+		elog "pcscd by setting this variable in /etc/rc.conf:"
+		elog
+		elog "    rc_hotplug=\"pcscd\""
+	fi
+
+	tmpfiles_process pcscd.conf
+
+	use udev && udev_reload
+}
+
+pkg_postrm() {
+	use udev && udev_reload
+}

sdk_container/src/third_party/portage-stable/sys-apps/pcsc-lite/pcsc-lite-2.0.1.ebuild

@@ -0,0 +1,109 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{9..11} )
+
+inherit python-single-r1 systemd tmpfiles udev multilib-minimal
+
+DESCRIPTION="PC/SC Architecture smartcard middleware library"
+HOMEPAGE="https://pcsclite.apdu.fr https://github.com/LudovicRousseau/PCSC"
+SRC_URI="https://pcsclite.apdu.fr/files/${P}.tar.bz2"
+
+# GPL-2 is there for the init script; everything else comes from
+# upstream.
+LICENSE="BSD ISC MIT GPL-3+ GPL-2"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos"
+# This is called libusb so that it doesn't fool people in thinking that
+# it is _required_ for USB support. Otherwise they'll disable udev and
+# that's going to be worse.
+IUSE="doc embedded libusb policykit selinux systemd +udev"
+REQUIRED_USE="^^ ( udev libusb ) ${PYTHON_REQUIRED_USE}"
+
+# No dependencies need the MULTILIB_DEPS because the libraries are actually
+# standalone, the deps are only needed for the daemon itself.
+DEPEND="
+	libusb? ( virtual/libusb:1 )
+	udev? ( virtual/libudev:= )
+	policykit? ( >=sys-auth/polkit-0.111 )
+	acct-group/openct
+	acct-group/pcscd
+	acct-user/pcscd
+	${PYTHON_DEPS}"
+RDEPEND="${DEPEND}
+	selinux? ( sec-policy/selinux-pcscd )"
+BDEPEND="
+	sys-devel/flex
+	virtual/pkgconfig"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.8.11-polkit-pcscd.patch
+	"${FILESDIR}"/${PN}-1.9.8-systemd-user.patch
+)
+
+multilib_src_configure() {
+	ECONF_SOURCE="${S}" econf \
+		--disable-maintainer-mode \
+		--disable-strict \
+		--enable-usbdropdir="${EPREFIX}"/usr/$(get_libdir)/readers/usb \
+		--enable-ipcdir=/run/pcscd \
+		--with-systemdsystemunitdir="$(systemd_get_systemunitdir)" \
+		$(multilib_native_use_enable doc documentation) \
+		$(multilib_native_use_enable embedded) \
+		$(multilib_native_use_enable systemd libsystemd) \
+		$(multilib_native_use_enable udev libudev) \
+		$(multilib_native_use_enable libusb) \
+		$(multilib_native_use_enable policykit polkit)
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	dodoc HELP SECURITY
+
+	newinitd "${FILESDIR}"/pcscd-init.7 pcscd
+	dotmpfiles "${FILESDIR}"/pcscd.conf
+
+	if use udev; then
+		exeinto "$(get_udevdir)"
+		newexe "${FILESDIR}"/pcscd-udev pcscd.sh
+
+		insinto "$(get_udevdir)"/rules.d
+		newins "${FILESDIR}"/99-pcscd-hotplug-r1.rules 99-pcscd-hotplug.rules
+	fi
+
+	python_fix_shebang "${ED}"/usr/bin/pcsc-spy
+
+	find "${ED}" -name '*.la' -delete || die
+}
+
+pkg_postinst() {
+	elog "Starting from version 1.6.5, pcsc-lite will start as user nobody in"
+	elog "the pcscd group, to avoid running as root."
+	elog
+	elog "This also means you need the newest drivers available so that the"
+	elog "devices get the proper owner."
+	elog
+	elog "Furthermore, a conf.d file is no longer installed by default, as"
+	elog "the default configuration does not require one. If you need to"
+	elog "pass further options to pcscd, create a file and set the"
+	elog "EXTRA_OPTS variable."
+	elog
+
+	if use udev; then
+		elog "Hotplug support is provided by udev rules."
+		elog "When using OpenRC you additionally need to tell it to hotplug"
+		elog "pcscd by setting this variable in /etc/rc.conf:"
+		elog
+		elog "    rc_hotplug=\"pcscd\""
+	fi
+
+	tmpfiles_process pcscd.conf
+
+	use udev && udev_reload
+}
+
+pkg_postrm() {
+	use udev && udev_reload
+}