diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
index e2a729dfe8..5e6b9023e6 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest
@@ -1,5 +1,2 @@
-DIST gnupg-2.2.16-scdaemon_shared-access.patch 2586 BLAKE2B 42fd5482c4e86751ce62836125997c2295c44bc5db0671a06460fd306b2ed93f290fb898fc1b1e463a863eddf9ab5f99ea3c90a55499ef45ca1ed6edf2854663 SHA512 38abaa4200114ae6b6f220fabc0a84a056761949c97bd0564557f4411a299b9a1939893555c27e26da2d8e8da4bc97a298fa7e68f1e80fe99c3f88cc329eaa84
-DIST gnupg-2.2.27.tar.bz2 7191555 BLAKE2B d652aad382cf07cc458b29ff82718edd47457d8236dcbeee51f22d88503be141f009e9ea45b6dafe614115d9558fe371509579e58ce17a5f04540a31aa406ea3 SHA512 cf336962116c9c08ac80b1299654b94948033ef51d6d5e7f54c2f07bbf7d92c7b0bddb606ceee2cdd837063f519b8d59af5a82816b840a0fc47d90c07b0e95ab
-DIST gnupg-2.2.29.tar.bz2 7215986 BLAKE2B 04b777730b8fcbe8d93dfc8985aadd6bc7385ac2ac9684e6248cb3ae6d008daae5aa976ffa3bae27fe9e89bc2c4c1d4ae81dcaa259fb08d13f894f00f12072e9 SHA512 12645e230fc6aa4811420ef33def6baa590e847ecdf7e5f8b96eb49122e6406cbdba4595d0b52fa26700d5d5def67acb4ed7dfe7f778e496d4d21ccbef3c476b
-DIST gnupg-2.2.31.tar.bz2 7212188 BLAKE2B 57a2b6c6ea491137a708e18a0119502621b7bdf0591818d19beb8b08a521a7dbf60472243e1723f53acbfb9a5de612b8e5040c45dc847bdda26012244edb11be SHA512 2f6fa200e08d6b8993b482e5825bea6083afc8686c4e1ae80386b36ae49e1c2d73066c508edaa359a7794cb26ba7a00f81555a906fa422d1117e41415cfa2fea
-DIST gnupg-2.3.2.tar.bz2 7589445 BLAKE2B f7e35ed553ea89cdb073abb1432f67fa00bb625f6e686e534f96bca11d88f09ea272b3cb0d6706e4bce2c023f8c5b8d628742aa2f60752a2e605132cd32f62ed SHA512 2747cbe38546f500d165f024ebb2dc5be70fa68d20702af3f61e97db685eba94caf65307293137c76ea6cfcc189ed24aaee025c80cd33f26609e5fe512bdda73
+DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
+DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
new file mode 100644
index 0000000000..23dbf00b18
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch
@@ -0,0 +1,45 @@
+https://bugs.gentoo.org/855395
+https://marc.info/?l=oss-security&m=165657063921408&w=2
+https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
+
+From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Tue, 14 Jun 2022 11:33:27 +0200
+Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
+
+* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
+--
+
+Depending on the escaping and line wrapping the computed remaining
+buffer length could be wrong. Fixed by always using a break to
+terminate the escape detection loop. Might have happened for all
+status lines which may wrap.
+
+GnuPG-bug-id: T6027
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
+ }
+ first = 0;
+ }
+- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
++ for (esc=0, s=buffer, n=len; n; s++, n--)
+ {
+ if (*s == '%' || *(const byte*)s <= lower_limit
+ || *(const byte*)s == 127 )
+ esc = 1;
+ if (wrap && ++count > wrap)
+- {
+- dowrap=1;
+- break;
+- }
+- }
+- if (esc)
+- {
+- s--; n++;
++ dowrap=1;
++ if (esc || dowrap)
++ break;
+ }
+ if (s != buffer)
+ es_fwrite (buffer, s-buffer, 1, statusfp);
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
similarity index 79%
rename from sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild
rename to sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
index c7231c63b2..7f49ba7cf7 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.29.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild
@@ -1,35 +1,40 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 # Flatcar: use EAPI=7, until EAPI 8 could be fully supported
 EAPI=7
 
-inherit flag-o-matic systemd toolchain-funcs
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+inherit flag-o-matic systemd toolchain-funcs verify-sig
 
 MY_P="${P/_/-}"
 
 DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
 HOMEPAGE="https://gnupg.org/"
 SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
 
 LICENSE="GPL-3"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl tofu tools usb user-socket wks-server"
+KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
 
 # Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
 DEPEND=">=dev-libs/libassuan-2.5.0
- >=dev-libs/libgcrypt-1.8.0
+ >=dev-libs/libgcrypt-1.8.0:=
 >=dev-libs/libgpg-error-1.29
- >=dev-libs/libksba-1.3.4
+ >=dev-libs/libksba-1.3.5
 >=dev-libs/npth-1.2
 >=net-misc/curl-7.10
+ sys-libs/zlib
 bzip2? ( app-arch/bzip2 )
- ldap? ( net-nds/openldap )
+ ldap? ( net-nds/openldap:= )
 readline? ( sys-libs/readline:0= )
 smartcard? ( usb? ( virtual/libusb:1 ) )
 ssl? ( >=net-libs/gnutls-3.0:0= )
- sys-libs/zlib
 tofu? ( >=dev-db/sqlite-3.7 )"
 
 RDEPEND="${DEPEND}
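Review bot: The signature line added to SRC_URI names the file with `${P}` while the tarball line directly above it uses `${MY_P}`, so for any version where `MY_P="${P/_/-}"` actually rewrites the name (an `_rc` or `_beta` release) the `.sig` would be fetched under a name that does not match the tarball it is meant to verify. For 2.2.35 the two expand to the same string, so this commit is unaffected, but the mismatch will surface on the first pre-release bump. Suggest `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${MY_P}.tar.bz2.sig )"`. Since the signature is only fetched and checked under `verify-sig?`, builds without that USE flag presumably fall back to the Manifest hashes alone as the distfile integrity check; a one-line comment next to VERIFY_SIG_OPENPGP_KEY_PATH saying so would help whoever reviews the overlay's default USE set.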
@@ -40,9 +45,8 @@ RDEPEND="${DEPEND}
 BDEPEND="virtual/pkgconfig
 doc? ( sys-apps/texinfo )
- nls? ( sys-devel/gettext )"
-
-S="${WORKDIR}/${MY_P}"
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )"
 
 DOCS=(
 ChangeLog NEWS README THANKS TODO VERSION
@@ -50,7 +54,8 @@ DOCS=(
 )
 
 PATCHES=(
- "${FILESDIR}/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch"
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/${P}-status-messages-garbled.patch
 # Flatcar: the patches below are added only for Flatcar, to address the
 # upstream gnupg issue https://dev.gnupg.org/T4393.
 "${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
@@ -76,6 +81,8 @@ src_configure() {
 $(use_enable nls)
 $(use_enable smartcard scdaemon)
 $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
 $(use_enable tofu)
 $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
 $(use_enable wks-server wks-tools)
@@ -83,16 +90,17 @@ src_configure() {
 $(use_with readline)
 --with-mailprog=/usr/libexec/sendmail
 --disable-ntbtls
- --enable-all-tests
 --enable-gpg
 --enable-gpgsm
 --enable-large-secmem
 
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
 GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
 KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
 LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
 LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
 NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
 
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
 )
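Review bot: The two entries added to PATCHES use the `"${FILESDIR}"/${PN}-…` quoting form while the Flatcar-specific entries immediately below them keep the older `"${FILESDIR}/${PN}-…"` form, so the array now mixes two styles in adjacent lines. Both expand identically here, but one consistent form would make the lines synced from Gentoo and the Flatcar-only lines easier to tell apart on the next bump. The `${P}-status-messages-garbled.patch` name ties the patch to exactly 2.2.35, which is the usual convention for a backport but means it must be renamed or dropped on the next version bump, presumably once the upstream fix is in the release tarball.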
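Review bot: The new `$("${S}/configure" --help | grep -o -- '--without-.*-prefix')` element at the end of myconf carries no comment, and it is the one line in the array whose behaviour depends on being unquoted: word-splitting is what turns each matching option into its own array element, so a well-meaning quoting fix or a change in configure's help-text format would silently alter what econf receives. A why-comment would protect it, e.g. `# Pass every --without-*-prefix this configure offers so dependency prefixes come only from the *_CONFIG variables above (unquoted on purpose: one array element per option)`. The purpose stated there is inferred from the surrounding `*_CONFIG="${ESYSROOT}/..."` lines and should be confirmed against configure.ac before being written down. src_configure() begins before this hunk.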
@@ -101,14 +109,13 @@ src_configure() {
 append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
 fi
 
- #bug 663142
+ # bug #663142
 if use user-socket; then
 myconf+=( --enable-run-gnupg-user-socket )
 fi
 
 # glib fails and picks up clang's internal stdint.h causing weird errors
- [[ ${CC} == *clang ]] && \
- export gl_cv_absolute_stdint_h=/usr/include/stdint.h
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
 
 # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
 # As of GnuPG 2.3, the mailprog substitution is used for the binary called
@@ -129,8 +136,9 @@ src_compile() {
 }
 
 src_test() {
- #Bug: 638574
+ # bug #638574
 use tofu && export TESTFLAGS=--parallel
+ default
+ }
diff --git a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
index f6fc64ff0b..9704490d3e 100644
--- a/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
+++ b/sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml
@@ -5,20 +5,11 @@ zlogene@gentoo.org Mikle Kolyada - - polynomial-c@gentoo.org - Lars Wendler - base-system@gentoo.org Gentoo Base System - - Allow concurrent access to scdaemon by multiple apps from same - user. Useful if you want to use scdaemon with gnupg and for - example NitroKey. - Build scdaemon software. Enables usage of OpenPGP cards. For other type of smartcards, try app-crypt/gnupg-pkcs11-scd.
@@ -36,6 +27,9 @@ Install extra tools (including gpgsplit and gpg-zip). + + Enable TPM support via app-crypt/tpm2-tss and build tpm2d. + Install the wks-server
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md
new file mode 100644
index 0000000000..a13b6994c0
--- /dev/null
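Review bot: The description added in the second metadata.xml hunk, `Enable TPM support via app-crypt/tpm2-tss and build tpm2d.`, reads as a USE-flag description for TPM support, but the ebuild renamed in this same commit declares no such flag (its IUSE is `bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server`), so the entry documents a flag nothing in this overlay exposes. If it was carried over from Gentoo's metadata together with the 2.3.x flags, either drop it or add an XML comment noting it applies only to a future 2.3 ebuild. The flag element itself is not visible on this page (the XML tags are stripped), so the flag name is inferred from the description text alone.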
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/security/2022-07-11-gnupg-2.2.35.md
@@ -0,0 +1 @@
+- gnupg ([CVE-2022-34903](https://nvd.nist.gov/vuln/detail/CVE-2022-34903))
diff --git a/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md
new file mode 100644
index 0000000000..918e2a733a
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/changelog/updates/2022-07-11-gnupg-2.2.35-update.md
@@ -0,0 +1 @@
+- gnupg ([2.2.35](https://dev.gnupg.org/T5928))