10 files changed, 338 insertions, 0 deletions
diff --git a/app-crypt/gnupg/Manifest b/app-crypt/gnupg/Manifest
index a85a849bd427..a0b20cfe49cf 100644
--- a/app-crypt/gnupg/Manifest
+++ b/app-crypt/gnupg/Manifest
@@ -6,3 +6,5 @@ DIST gnupg-2.3.8.tar.bz2 7644926 BLAKE2B afb960adb877398363d92585d54bccc82c816f8
 DIST gnupg-2.3.8.tar.bz2.sig 238 BLAKE2B ea0442109ed6166635b622d352d7476396836b9b7671da3a44b17d04a7a0b9d8dc6e48434c379578466907854ae255d7541064a21eda1a43f96bedf963b699b9 SHA512 e9e6ef800f2ef78e637e7d06c340e0c2e0441a8d065dd7dee484171411be784e6f0e6def634405c5231a429f8d73a1946eba8b1d35d7563e372fe07923ddd4c8
 DIST gnupg-2.4.0.tar.bz2 7666935 BLAKE2B cc4bcd439a3283df5932c0c41873a3b85de07103d9164ec6dc44552fa0d8c5e5973d74dcd3ffd3d4cf0564c9dab66c6e2adbcd7b34bbc4b5faf0f1bf0f3836aa SHA512 094d631130d4dfe4421cc5e715eaec1888d0b4b764f1be9287be86cbc34430313211739d5481b34e9b59021d05cdbae8a87a1007031cc4dc6213045984a8559a
 DIST gnupg-2.4.0.tar.bz2.sig 238 BLAKE2B 745dda62b3e87507d7a64fb32036675038927dc9e8d1c4baadd9117c33d189a01d2cfcb362694f6ca4ef291b36828a9ee4c908ce1ac5f27109efd1fa66bcb662 SHA512 383c3ece4f34fc2a4f4f483ed67f821df9a96597de090b99c5e0f0cac3cf7a0d9422e469fb8b13cf472297c56e989a43463eac5045d167950fe58a38df96c893
+DIST gnupg-2.4.1.tar.bz2 7341338 BLAKE2B 6da4b1ed44f8110421ea465b50a08915231a26ee450c1b11326b9b777772b9ea304ea0c0881e967ca9c6054bc526445951176c50d9a2e24b038c04354c778e59 SHA512 4d6b30ec4b8d786508ec1ac5f3c5b0ddebdc4f60aa72eb5d6ecc185ff0e9f1f4798f80ae16a3d136052b91ec54978ec0b7969a11a6c2727f30b3b6efabbaf388
+DIST gnupg-2.4.1.tar.bz2.sig 238 BLAKE2B b832f8930827ddeacf4ca864279acfb5256427aaa9164ea1d9a98528c4a637d1288269c8fa6a19427b768294a9833dbe3eeb596abb1774864ca92001921f0b54 SHA512 2fead4f71876bf839cffc78def542b2cfd1b76ac207a06d8725dca7e20572969d9d72fc28b0c84345ee56cc57f5e3ff83e79be24eab1ee6db91680ae95447809
diff --git a/app-crypt/gnupg/files/README-systemd b/app-crypt/gnupg/files/README-systemd
new file mode 100644
index 000000000000..cc38fd66ab57
--- /dev/null
+++ b/app-crypt/gnupg/files/README-systemd
@@ -0,0 +1,67 @@
+Socket-activated dirmngr and gpg-agent with systemd
+===================================================
+
+When used on a GNU/Linux system supervised by systemd, you can ensure
+that the GnuPG daemons dirmngr and gpg-agent are launched
+automatically the first time they're needed, and shut down cleanly at
+session logout.  This is done by enabling user services via
+socket-activation.
+
+System distributors
+-------------------
+
+The *.service and *.socket files (from this directory) should be
+placed in /usr/lib/systemd/user/ alongside other user-session services
+and sockets.
+
+To enable socket-activated dirmngr for all accounts on the system,
+use:
+
+    systemctl --user --global enable dirmngr.socket
+
+To enable socket-activated gpg-agent for all accounts on the system,
+use:
+
+    systemctl --user --global enable gpg-agent.socket
+
+Additionally, you can enable socket-activated gpg-agent ssh-agent
+emulation for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-ssh.socket
+
+You can also enable restricted ("--extra-socket"-style) gpg-agent
+sockets for all accounts on the system with:
+
+    systemctl --user --global enable gpg-agent-extra.socket
+
+Individual users
+----------------
+
+A user on a system with systemd where this has not been installed
+system-wide can place these files in ~/.config/systemd/user/ to make
+them available.
+
+If a given service isn't installed system-wide, or if it's installed
+system-wide but not globally enabled, individual users will still need
+to enable them.  For example, to enable socket-activated dirmngr for
+all future sessions:
+
+    systemctl --user enable dirmngr.socket
+
+To enable socket-activated gpg-agent with ssh support, do:
+
+    systemctl --user enable gpg-agent.socket gpg-agent-ssh.socket
+
+These changes won't take effect until your next login after you've
+fully logged out (be sure to terminate any running daemons before
+logging out).
+
+If you'd rather try a socket-activated GnuPG daemon in an
+already-running session without logging out (with or without enabling
+it for all future sessions), kill any existing daemon and start the
+user socket directly.  For example, to set up socket-activated dirmgnr
+in the current session:
+
+    gpgconf --kill dirmngr
+    systemctl --user start dirmngr.socket
+
diff --git a/app-crypt/gnupg/files/dirmngr.service b/app-crypt/gnupg/files/dirmngr.service
new file mode 100644
index 000000000000..3c060cde5d87
--- /dev/null
+++ b/app-crypt/gnupg/files/dirmngr.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+Requires=dirmngr.socket
+
+[Service]
+ExecStart=/usr/bin/dirmngr --supervised
+ExecReload=/usr/bin/gpgconf --reload dirmngr
diff --git a/app-crypt/gnupg/files/dirmngr.socket b/app-crypt/gnupg/files/dirmngr.socket
new file mode 100644
index 000000000000..ebabf896ab43
--- /dev/null
+++ b/app-crypt/gnupg/files/dirmngr.socket
@@ -0,0 +1,11 @@
+[Unit]
+Description=GnuPG network certificate management daemon
+Documentation=man:dirmngr(8)
+
+[Socket]
+ListenStream=%t/gnupg/S.dirmngr
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/gnupg/files/gpg-agent-browser.socket b/app-crypt/gnupg/files/gpg-agent-browser.socket
new file mode 100644
index 000000000000..bc8d344e1f2d
--- /dev/null
+++ b/app-crypt/gnupg/files/gpg-agent-browser.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (access for web browsers)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.browser
+FileDescriptorName=browser
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/gnupg/files/gpg-agent-extra.socket b/app-crypt/gnupg/files/gpg-agent-extra.socket
new file mode 100644
index 000000000000..5b87d09dfa2a
--- /dev/null
+++ b/app-crypt/gnupg/files/gpg-agent-extra.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache (restricted)
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.extra
+FileDescriptorName=extra
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/gnupg/files/gpg-agent-ssh.socket b/app-crypt/gnupg/files/gpg-agent-ssh.socket
new file mode 100644
index 000000000000..798c1d967595
--- /dev/null
+++ b/app-crypt/gnupg/files/gpg-agent-ssh.socket
@@ -0,0 +1,13 @@
+[Unit]
+Description=GnuPG cryptographic agent (ssh-agent emulation)
+Documentation=man:gpg-agent(1) man:ssh-add(1) man:ssh-agent(1) man:ssh(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent.ssh
+FileDescriptorName=ssh
+Service=gpg-agent.service
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/gnupg/files/gpg-agent.service b/app-crypt/gnupg/files/gpg-agent.service
new file mode 100644
index 000000000000..a050fccdc527
--- /dev/null
+++ b/app-crypt/gnupg/files/gpg-agent.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+Requires=gpg-agent.socket
+
+[Service]
+ExecStart=/usr/bin/gpg-agent --supervised
+ExecReload=/usr/bin/gpgconf --reload gpg-agent
diff --git a/app-crypt/gnupg/files/gpg-agent.socket b/app-crypt/gnupg/files/gpg-agent.socket
new file mode 100644
index 000000000000..4257c2c80f18
--- /dev/null
+++ b/app-crypt/gnupg/files/gpg-agent.socket
@@ -0,0 +1,12 @@
+[Unit]
+Description=GnuPG cryptographic agent and passphrase cache
+Documentation=man:gpg-agent(1)
+
+[Socket]
+ListenStream=%t/gnupg/S.gpg-agent
+FileDescriptorName=std
+SocketMode=0600
+DirectoryMode=0700
+
+[Install]
+WantedBy=sockets.target
diff --git a/app-crypt/gnupg/gnupg-2.4.1.ebuild b/app-crypt/gnupg/gnupg-2.4.1.ebuild
new file mode 100644
index 000000000000..e515f99e699b
--- /dev/null
+++ b/app-crypt/gnupg/gnupg-2.4.1.ebuild
@@ -0,0 +1,191 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x64-cygwin ~amd64-linux ~x86-linux ~arm64-macos ~ppc-macos ~x64-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration.
+# Note: On each bump, update dep bounds on each version from configure.ac!
+DEPEND="
+	>=dev-libs/libassuan-2.5.0
+	>=dev-libs/libgcrypt-1.9.1:=
+	>=dev-libs/libgpg-error-1.46
+	>=dev-libs/libksba-1.6.3
+	>=dev-libs/npth-1.2
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	ldap? ( net-nds/openldap:= )
+	readline? ( sys-libs/readline:0= )
+	smartcard? ( usb? ( virtual/libusb:1 ) )
+	tofu? ( >=dev-db/sqlite-3.27 )
+	tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+	ssl? ( >=net-libs/gnutls-3.0:0= )
+"
+RDEPEND="
+	${DEPEND}
+	app-crypt/pinentry
+	nls? ( virtual/libintl )
+	selinux? ( sec-policy/selinux-gpg )
+	wks-server? ( virtual/mta )
+"
+BDEPEND="
+	virtual/pkgconfig
+	doc? ( sys-apps/texinfo )
+	nls? ( sys-devel/gettext )
+	verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+	ChangeLog NEWS README THANKS TODO VERSION
+	doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+)
+
+src_prepare() {
+	default
+
+	GNUPG_SYSTEMD_UNITS=(
+		dirmngr.service
+		dirmngr.socket
+		gpg-agent-browser.socket
+		gpg-agent-extra.socket
+		gpg-agent.service
+		gpg-agent.socket
+		gpg-agent-ssh.socket
+	)
+
+	cp "${GNUPG_SYSTEMD_UNITS[@]/#/${FILESDIR}/}" "${T}" || die
+
+	# Inject SSH_AUTH_SOCK into user's sessions after enabling gpg-agent-ssh.socket in systemctl --user mode,
+	# idea borrowed from libdbus, see
+	#   https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/bus/systemd-user/dbus.socket.in#L6
+	#
+	# This cannot be upstreamed, as it requires determining the exact prefix of 'systemctl',
+	# which in turn requires discovery in Autoconf, something that upstream deeply resents.
+	sed -e "/DirectoryMode=/a ExecStartPost=-${EPREFIX}/bin/systemctl --user set-environment SSH_AUTH_SOCK=%t/gnupg/S.gpg-agent.ssh" \
+		-i "${T}"/gpg-agent-ssh.socket || die
+}
+
+my_src_configure() {
+	local myconf=(
+		$(use_enable bzip2)
+		$(use_enable nls)
+		$(use_enable smartcard scdaemon)
+		$(use_enable ssl gnutls)
+		$(use_enable test all-tests)
+		$(use_enable test tests)
+		$(use_enable tofu)
+		$(use_enable tofu keyboxd)
+		$(use_enable tofu sqlite)
+		$(usex tpm '--with-tss=intel' '--disable-tpm2d')
+		$(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+		$(use_enable wks-server wks-tools)
+		$(use_with ldap)
+		$(use_with readline)
+
+		# Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+		# As of GnuPG 2.3, the mailprog substitution is used for the binary called
+		# by wks-client & wks-server; and if it's autodetected but not not exist at
+		# build time, then then 'gpg-wks-client --send' functionality will not
+		# work. This has an unwanted side-effect in stage3 builds: there was a
+		# [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+		# the build where the install guide previously make the user chose the
+		# logger & mta early in the install.
+		--with-mailprog=/usr/libexec/sendmail
+
+		--disable-ntbtls
+		--enable-gpgsm
+		--enable-large-secmem
+
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+		GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+		KSBA_CONFIG="${ESYSROOT}/usr/bin/ksba-config"
+		LIBASSUAN_CONFIG="${ESYSROOT}/usr/bin/libassuan-config"
+		LIBGCRYPT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-libgcrypt-config"
+		NPTH_CONFIG="${ESYSROOT}/usr/bin/npth-config"
+
+		$("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+	)
+
+	if use prefix && use usb; then
+		# bug #649598
+		append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+	fi
+
+	# bug #663142
+	if use user-socket; then
+		myconf+=( --enable-run-gnupg-user-socket )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+	econf "${myconf[@]}"
+}
+
+my_src_compile() {
+	default
+
+	use doc && emake -C doc html
+}
+
+my_src_test() {
+	export TESTFLAGS="--parallel=$(makeopts_jobs)"
+
+	default
+}
+
+my_src_install() {
+	emake DESTDIR="${D}" install
+
+	use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+	dosym gpg /usr/bin/gpg2
+	dosym gpgv /usr/bin/gpgv2
+	echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+	echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg || die
+
+	use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+	einstalldocs
+
+	use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+	use doc && dodoc doc/*.png
+
+	# Dropped upstream in https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff;h=eae28f1bd4a5632e8f8e85b7248d1c4d4a10a5ed.
+	dodoc "${FILESDIR}"/README-systemd
+	systemd_douserunit "${GNUPG_SYSTEMD_UNITS[@]/#/${T}/}"
+}