overlay app-crypt/gnupg: move to portage-stable

We drop Flatcar patches from gnupg ebuilds, to make the maintenance
easier keeping the repo in sync with Gentoo upstream.
So move the ebuilds to portage-stable.

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/Manifest

@@ -1,2 +0,0 @@
-DIST gnupg-2.2.35.tar.bz2 7262687 BLAKE2B 18b5965151ded3b3f28d139824e14d7a6f1673c5192ec5f5a80366a6d5f2e04ed7fa035e2bff105e1752753584f992626ccc9ea8840c2bfa39ffe7ca39b81f7f SHA512 ad9f8d10890b7fafb15a7422e2cebaf0f85ce7cf5f880f4edd8d1dec46aa73c01f9096e601f6edd665f8684d1f5892634991a400e00b3185e6b201f549004d3e
-DIST gnupg-2.2.35.tar.bz2.sig 119 BLAKE2B d95323703c12c9474b21fa91ddb70d4d4d464c794223e21f6ae5d4de955f07a5cabde50612e977168ea6071c4b12be3262cbafe9bcaa8e9a0b009318c0ff6718 SHA512 9043894730520e974e7bc17e0f95419c319fbcd514f102faf644e2f5580e238719cecb8b5e778ecf20f9212ee2554206eb0686e8b5fce7f8c556146657660fe2

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch

@@ -1,33 +0,0 @@
-From e3bdb7d17264b8d5bd9abab97c96d9c4a50e4f61 Mon Sep 17 00:00:00 2001
-From: Kristian Fiskerstrand <kf@sumptuouscapital.com>
-Date: Mon, 3 Apr 2017 23:44:56 +0300
-Subject: [PATCH] gpgscm: Use shorter socket path lengts to improve test
- reliability
-
---
-As socket lengths are normally restricted to 108 characters
-(UNIX_PATH_MAX variable in /usr/include/linux/un.h), using 42 characters
-by default easily results in errors.
----
- tests/gpgscm/tests.scm | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/gpgscm/tests.scm b/tests/gpgscm/tests.scm
-index 592b36f..f54a387 100644
---- a/tests/gpgscm/tests.scm
-+++ b/tests/gpgscm/tests.scm
-@@ -273,9 +273,9 @@
-   (canonical-path (_mkdtemp (if (null? components)
- 				(path-join
- 				 (get-temp-path)
--				 (string-append "gpgscm-" (get-isotime) "-"
-+				 (string-append "gscm"
- 						(basename-suffix *scriptname* ".scm")
--						"-XXXXXX"))
-+						"XXXXXX"))
- 				(apply path-join components)))))
- 
- ;; Make a temporary directory and remove it at interpreter shutdown.
--- 
-2.10.2
-

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-2.2.35-status-messages-garbled.patch

@@ -1,45 +0,0 @@
-https://bugs.gentoo.org/855395
-https://marc.info/?l=oss-security&m=165657063921408&w=2
-https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=7b1db7192e6e4d0cfc439b23b13831837c85bc21
-
-From 7b1db7192e6e4d0cfc439b23b13831837c85bc21 Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Tue, 14 Jun 2022 11:33:27 +0200
-Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
-
-* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
---
-
-Depending on the escaping and line wrapping the computed remaining
-buffer length could be wrong.  Fixed by always using a break to
-terminate the escape detection loop.  Might have happened for all
-status lines which may wrap.
-
-GnuPG-bug-id: T6027
---- a/g10/cpr.c
-+++ b/g10/cpr.c
-@@ -328,20 +328,15 @@ write_status_text_and_buffer (int no, const char *string,
-             }
-           first = 0;
-         }
--      for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
-+      for (esc=0, s=buffer, n=len; n; s++, n--)
-         {
-           if (*s == '%' || *(const byte*)s <= lower_limit
-               || *(const byte*)s == 127 )
-             esc = 1;
-           if (wrap && ++count > wrap)
--            {
--              dowrap=1;
--              break;
--            }
--        }
--      if (esc)
--        {
--          s--; n++;
-+            dowrap=1;
-+          if (esc || dowrap)
-+            break;
-         }
-       if (s != buffer)
-         es_fwrite (buffer, s-buffer, 1, statusfp);

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch

@@ -1,32 +0,0 @@
-From: Vincent Breitmoser <look@my.amazin.horse>
-Date: Thu, 13 Jun 2019 21:27:43 +0200
-Subject: gpg: accept subkeys with a good revocation but no self-sig during
- import
-
-* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
-encounter a valid revocation signature. This allows import of subkey
-revocation signatures, even in the absence of a corresponding subkey
-binding signature.
-
---
-
-This fixes the remaining test in import-incomplete.scm.
-
-GnuPG-Bug-id: 4393
-Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
----
- g10/import.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/g10/import.c b/g10/import.c
-index f9acf95..9217911 100644
---- a/g10/import.c
-+++ b/g10/import.c
-@@ -3602,6 +3602,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
-                   /* It's valid, so is it newer? */
-                   if (sig->timestamp >= rsdate)
-                     {
-+                      knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid.  */
-                       if (rsnode)
-                         {
-                           /* Delete the last revocation sig since

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/files/gnupg-allow-import-of-previously-known-keys-even-without-UI.patch

@@ -1,106 +0,0 @@
-From: Vincent Breitmoser <look@my.amazin.horse>
-Date: Thu, 13 Jun 2019 21:27:42 +0200
-Subject: gpg: allow import of previously known keys, even without UIDs
-
-* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
-has no user id, as long as we already have a local variant of the cert
-that matches the primary key.
-
---
-
-This fixes two of the three broken tests in import-incomplete.scm.
-
-GnuPG-Bug-id: 4393
-Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
----
- g10/import.c | 44 +++++++++++---------------------------------
- 1 file changed, 11 insertions(+), 33 deletions(-)
-
-diff --git a/g10/import.c b/g10/import.c
-index 5d3162c..f9acf95 100644
---- a/g10/import.c
-+++ b/g10/import.c
-@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
-   size_t an;
-   char pkstrbuf[PUBKEY_STRING_SIZE];
-   int merge_keys_done = 0;
--  int any_filter = 0;
-   KEYDB_HANDLE hd = NULL;
- 
-   if (r_valid)
-@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
-       log_printf ("\n");
-     }
- 
--
--  if (!uidnode )
--    {
--      if (!silent)
--        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
--      return 0;
--    }
--
-   if (screener && screener (keyblock, screener_arg))
-     {
-       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
- 	  }
-     }
- 
--  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
--    {
--      if (!silent)
--        {
--          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
--          if (!opt.quiet )
--            log_info(_("this may be caused by a missing self-signature\n"));
--        }
--      stats->no_user_id++;
--      return 0;
--    }
-+  /* Delete invalid parts, and note if we have any valid ones left.
-+   * We will later abort import if this key is new but contains
-+   * no valid uids.  */
-+  delete_inv_parts (ctrl, keyblock, keyid, options);
- 
-   /* Get rid of deleted nodes.  */
-   commit_kbnode (&keyblock);
-@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
-     {
-       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
-       commit_kbnode (&keyblock);
--      any_filter = 1;
-     }
-   if (import_filter.drop_sig)
-     {
-       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
-       commit_kbnode (&keyblock);
--      any_filter = 1;
--    }
--
--  /* If we ran any filter we need to check that at least one user id
--   * is left in the keyring.  Note that we do not use log_error in
--   * this case. */
--  if (any_filter && !any_uid_left (keyblock))
--    {
--      if (!opt.quiet )
--        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
--      stats->no_user_id++;
--      return 0;
-     }
- 
-   /* The keyblock is valid and ready for real import.  */
-@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
-       err = 0;
-       stats->skipped_new_keys++;
-     }
-+  else if (err && !any_uid_left (keyblock))
-+    {
-+      if (!silent)
-+        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
-+      err = 0;
-+      stats->no_user_id++;
-+    }
-   else if (err)  /* Insert this key. */
-     {
-       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/gnupg-2.2.35-r1.ebuild

@@ -1,165 +0,0 @@
-# Copyright 1999-2022 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-# Flatcar: use EAPI=7, until EAPI 8 could be fully supported
-EAPI=7
-
-VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
-inherit flag-o-matic systemd toolchain-funcs verify-sig
-
-MY_P="${P/_/-}"
-
-DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
-HOMEPAGE="https://gnupg.org/"
-SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
-SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="GPL-3"
-SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x64-cygwin ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
-IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test tofu tools usb user-socket wks-server"
-RESTRICT="!test? ( test )"
-
-# Existence of executables is checked during configuration.
-# Note: On each bump, update dep bounds on each version from configure.ac!
-DEPEND=">=dev-libs/libassuan-2.5.0
-	>=dev-libs/libgcrypt-1.8.0:=
-	>=dev-libs/libgpg-error-1.29
-	>=dev-libs/libksba-1.3.5
-	>=dev-libs/npth-1.2
-	>=net-misc/curl-7.10
-	sys-libs/zlib
-	bzip2? ( app-arch/bzip2 )
-	ldap? ( net-nds/openldap:= )
-	readline? ( sys-libs/readline:0= )
-	smartcard? ( usb? ( virtual/libusb:1 ) )
-	ssl? ( >=net-libs/gnutls-3.0:0= )
-	tofu? ( >=dev-db/sqlite-3.7 )"
-
-RDEPEND="${DEPEND}
-	app-crypt/pinentry
-	nls? ( virtual/libintl )
-	selinux? ( sec-policy/selinux-gpg )
-	wks-server? ( virtual/mta )"
-
-BDEPEND="virtual/pkgconfig
-	doc? ( sys-apps/texinfo )
-	nls? ( sys-devel/gettext )
-	verify-sig? ( sec-keys/openpgp-keys-gnupg )"
-
-DOCS=(
-	ChangeLog NEWS README THANKS TODO VERSION
-	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
-)
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
-	"${FILESDIR}"/${P}-status-messages-garbled.patch
-	# Flatcar: the patches below are added only for Flatcar, to address the
-	# upstream gnupg issue https://dev.gnupg.org/T4393.
-	"${FILESDIR}/${PN}-allow-import-of-previously-known-keys-even-without-UI.patch"
-	"${FILESDIR}/${PN}-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch"
-)
-
-src_prepare() {
-	default
-
-	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
-	# idea borrowed from libdbus, see
-	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
-	#
-	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
-	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
-	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
-		-i doc/examples/systemd-user/gpg-agent-ssh.socket || die
-}
-
-src_configure() {
-	local myconf=(
-		$(use_enable bzip2)
-		$(use_enable nls)
-		$(use_enable smartcard scdaemon)
-		$(use_enable ssl gnutls)
-		$(use_enable test all-tests)
-		$(use_enable test tests)
-		$(use_enable tofu)
-		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
-		$(use_enable wks-server wks-tools)
-		$(use_with ldap)
-		$(use_with readline)
-		--with-mailprog=/usr/libexec/sendmail
-		--disable-ntbtls
-		--enable-gpg
-		--enable-gpgsm
-		--enable-large-secmem
-
-		CC_FOR_BUILD="$(tc-getBUILD_CC)"
-		GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
-		KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
-		LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
-		LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
-		NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
-
-		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
-	)
-
-	if use prefix && use usb; then
-		# bug #649598
-		append-cppflags -I"${EPREFIX}/usr/include/libusb-1.0"
-	fi
-
-	# bug #663142
-	if use user-socket; then
-		myconf+=( --enable-run-gnupg-user-socket )
-	fi
-
-	# glib fails and picks up clang's internal stdint.h causing weird errors
-	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
-
-	# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
-	# As of GnuPG 2.3, the mailprog substitution is used for the binary called
-	# by wks-client & wks-server; and if it's autodetected but not not exist at
-	# build time, then then 'gpg-wks-client --send' functionality will not
-	# work. This has an unwanted side-effect in stage3 builds: there was a
-	# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
-	# the build where the install guide previously make the user chose the
-	# logger & mta early in the install.
-
-	econf "${myconf[@]}"
-}
-
-src_compile() {
-	default
-
-	use doc && emake -C doc html
-}
-
-src_test() {
-	# bug #638574
-	use tofu && export TESTFLAGS=--parallel
-
-	default
-}
-
-src_install() {
-	default
-
-	use tools &&
-		dobin \
-			tools/{convert-from-106,gpg-check-pattern} \
-			tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys} \
-			tools/make-dns-cert
-
-	dosym gpg /usr/bin/gpg2
-	dosym gpgv /usr/bin/gpgv2
-	echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
-	echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
-
-	dodir /etc/env.d
-	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
-
-	use doc && dodoc doc/gnupg.html/* doc/*.png
-
-	systemd_douserunit doc/examples/systemd-user/*.{service,socket}
-}

sdk_container/src/third_party/coreos-overlay/app-crypt/gnupg/metadata.xml

@@ -1,40 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
-<pkgmetadata>
-	<maintainer type="person">
-		<email>zlogene@gentoo.org</email>
-		<name>Mikle Kolyada</name>
-	</maintainer>
-	<maintainer type="project">
-		<email>base-system@gentoo.org</email>
-		<name>Gentoo Base System</name>
-	</maintainer>
-	<use>
-		<flag name="smartcard">
-		Build scdaemon software. Enables usage of OpenPGP cards. For
-		other type of smartcards, try <pkg>app-crypt/gnupg-pkcs11-scd</pkg>.
-		Bring in <pkg>dev-libs/libusb</pkg> as a dependency; enable scdaemon.
-		</flag>
-		<flag name="usb">
-		Build direct CCID access for scdaemon; requires <pkg>dev-libs/libusb</pkg>.
-		</flag>
-		<flag name="user-socket">
-		try a socket directory which is not removed by init manager at session end
-		</flag>
-		<flag name="tofu">
-		Enable support for Trust on First use trust model; requires <pkg>dev-db/sqlite</pkg>.
-		</flag>
-		<flag name="tools">
-		Install extra tools (including gpgsplit and gpg-zip).
-		</flag>
-		<flag name="tpm">
-		Enable TPM support via <pkg>app-crypt/tpm2-tss</pkg> and build tpm2d.
-		</flag>
-		<flag name="wks-server">
-		Install the wks-server
-		</flag>
-	</use>
-	<upstream>
-		<remote-id type="cpe">cpe:/a:gnupg:gnupg</remote-id>
-	</upstream>
-</pkgmetadata>