diff --git a/gnupg-2.2.27.tar.bz2 b/gnupg-2.2.27.tar.bz2
deleted file mode 100644
index 451f1a3..0000000
--- a/gnupg-2.2.27.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:34e60009014ea16402069136e0a5f63d9b65f90096244975db5cea74b3d02399
-size 7191555
diff --git a/gnupg-2.2.27.tar.bz2.sig b/gnupg-2.2.27.tar.bz2.sig
deleted file mode 100644
index 8c34ebe..0000000
Binary files a/gnupg-2.2.27.tar.bz2.sig and /dev/null differ
diff --git a/gnupg-2.3.1.tar.bz2 b/gnupg-2.3.1.tar.bz2
new file mode 100644
index 0000000..7719901
--- /dev/null
+++ b/gnupg-2.3.1.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c498db346a9b9a4b399e514c8f56dfc0a888ce8f327f10376ff984452cd154ec
+size 7570431
diff --git a/gnupg-2.3.1.tar.bz2.sig b/gnupg-2.3.1.tar.bz2.sig
new file mode 100644
index 0000000..f03209c
Binary files /dev/null and b/gnupg-2.3.1.tar.bz2.sig differ
diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch
index 258c800..793cd3e 100644
--- a/gnupg-add_legacy_FIPS_mode_option.patch
+++ b/gnupg-add_legacy_FIPS_mode_option.patch
@@ -3,11 +3,11 @@
  g10/gpg.c    |    9 +++++++++
  2 files changed, 27 insertions(+)
 
-Index: gnupg-2.2.20/doc/gpg.texi
+Index: gnupg-2.3.0/doc/gpg.texi
 ===================================================================
---- gnupg-2.2.20.orig/doc/gpg.texi
-+++ gnupg-2.2.20/doc/gpg.texi
-@@ -2133,6 +2133,24 @@ implies, this option is for experts only
+--- gnupg-2.3.0.orig/doc/gpg.texi
++++ gnupg-2.3.0/doc/gpg.texi
+@@ -2178,6 +2178,24 @@ implies, this option is for experts only
  understand the implications of what it allows you to do, leave this
  off. @option{--no-expert} disables this option.
  
@@ -32,36 +32,37 @@ Index: gnupg-2.2.20/doc/gpg.texi
  @end table
  
  
-Index: gnupg-2.2.20/g10/gpg.c
+Index: gnupg-2.3.0/g10/gpg.c
 ===================================================================
---- gnupg-2.2.20.orig/g10/gpg.c
-+++ gnupg-2.2.20/g10/gpg.c
-@@ -429,6 +429,7 @@ enum cmd_and_opt_values
-     oUseOnlyOpenPGPCard,
-     oIncludeKeyBlock,
+--- gnupg-2.3.0.orig/g10/gpg.c
++++ gnupg-2.3.0/g10/gpg.c
+@@ -437,6 +437,7 @@ enum cmd_and_opt_values
      oNoIncludeKeyBlock,
+     oChUid,
+     oForceSignKey,
 +    oSetLegacyFips,
  
      oNoop
    };
-@@ -874,6 +875,7 @@ static ARGPARSE_OPTS opts[] = {
-   ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
-   ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
-   ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
+@@ -870,6 +871,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_s (oAEADAlgo,   "aead-algo", "@"),
+   ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
+   ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
 +  ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
  
-   ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),
  
-@@ -3614,6 +3616,13 @@ main (int argc, char **argv)
-             opt.flags.use_only_openpgp_card = 1;
+   ARGPARSE_header (NULL, N_("Options for unattended use")),
+@@ -3688,6 +3690,14 @@ main (int argc, char **argv)
+             opt.flags.full_timestrings = 1;
              break;
  
-+	  case oSetLegacyFips:
-+	    if(gcry_fips_mode_active())
-+	      gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode");
-+	    else
-+	      log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
-+	    break;
++         case oSetLegacyFips:
++           if(gcry_fips_mode_active())
++             gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG,
++                           "Enable legacy support in FIPS 140-2 mode");
++           else
++             log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
++           break;
 +
  	  case oNoop: break;
  
diff --git a/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
index 3c80a48..bf5711b 100644
--- a/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+++ b/gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
@@ -17,11 +17,11 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
  g10/import.c | 49 +++++++++++--------------------------------------
  1 file changed, 11 insertions(+), 38 deletions(-)
 
-Index: gnupg-2.2.19/g10/import.c
+Index: gnupg-2.3.0/g10/import.c
 ===================================================================
---- gnupg-2.2.19.orig/g10/import.c
-+++ gnupg-2.2.19/g10/import.c
-@@ -1792,7 +1792,6 @@ import_one_real (ctrl_t ctrl,
+--- gnupg-2.3.0.orig/g10/import.c
++++ gnupg-2.3.0/g10/import.c
+@@ -1876,7 +1876,6 @@ import_one_real (ctrl_t ctrl,
    size_t an;
    char pkstrbuf[PUBKEY_STRING_SIZE];
    int merge_keys_done = 0;
@@ -29,12 +29,12 @@ Index: gnupg-2.2.19/g10/import.c
    KEYDB_HANDLE hd = NULL;
  
    if (r_valid)
-@@ -1829,14 +1828,6 @@ import_one_real (ctrl_t ctrl,
+@@ -1913,14 +1912,6 @@ import_one_real (ctrl_t ctrl,
        log_printf ("\n");
      }
  
 -
--  if (!uidnode )
+-  if (!uidnode)
 -    {
 -      if (!silent)
 -        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@@ -44,16 +44,18 @@ Index: gnupg-2.2.19/g10/import.c
    if (screener && screener (keyblock, screener_arg))
      {
        log_error (_("key %s: %s\n"), keystr_from_pk (pk),
-@@ -1911,17 +1902,10 @@ import_one_real (ctrl_t ctrl,
+@@ -1999,19 +1990,10 @@ import_one_real (ctrl_t ctrl,
+             xfree(user);
  	  }
      }
- 
--  if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
+-
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options))
 -    {
 -      if (!silent)
 -        {
--          log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
--          if (!opt.quiet )
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
 -            log_info(_("this may be caused by a missing self-signature\n"));
 -        }
 -      stats->no_user_id++;
@@ -66,7 +68,7 @@ Index: gnupg-2.2.19/g10/import.c
  
    /* Get rid of deleted nodes.  */
    commit_kbnode (&keyblock);
-@@ -1931,24 +1915,11 @@ import_one_real (ctrl_t ctrl,
+@@ -2021,24 +2003,11 @@ import_one_real (ctrl_t ctrl,
      {
        apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
        commit_kbnode (&keyblock);
@@ -91,7 +93,7 @@ Index: gnupg-2.2.19/g10/import.c
      }
  
    /* The keyblock is valid and ready for real import.  */
-@@ -2006,6 +1977,13 @@ import_one_real (ctrl_t ctrl,
+@@ -2096,6 +2065,13 @@ import_one_real (ctrl_t ctrl,
        err = 0;
        stats->skipped_new_keys++;
      }
diff --git a/gnupg-dont-fail-with-seahorse-agent.patch b/gnupg-dont-fail-with-seahorse-agent.patch
index 6302c8b..e4bbb06 100644
--- a/gnupg-dont-fail-with-seahorse-agent.patch
+++ b/gnupg-dont-fail-with-seahorse-agent.patch
@@ -2,16 +2,16 @@
  g10/passphrase.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-Index: gnupg-2.1.0/g10/passphrase.c
+Index: gnupg-2.3.0/g10/passphrase.c
 ===================================================================
---- gnupg-2.1.0.orig/g10/passphrase.c	2014-11-07 16:52:11.080483153 +0100
-+++ gnupg-2.1.0/g10/passphrase.c	2014-11-07 16:52:11.996494299 +0100
-@@ -71,7 +71,7 @@ encode_s2k_iterations (int iterations)
-         {
-           /* Don't print an error if an older agent is used.  */
-           if (err && gpg_err_code (err) != GPG_ERR_ASS_PARAMETER)
--            log_error (_("problem with the agent: %s\n"), gpg_strerror (err));
-+            log_info (_("problem with the agent: %s\n"), gpg_strerror (err));
-           /* Default to 65536 which we used up to 2.0.13.  */
-           return 96;
-         }
+--- gnupg-2.3.0.orig/g10/passphrase.c
++++ gnupg-2.3.0/g10/passphrase.c
+@@ -222,7 +222,7 @@ passphrase_get (int newsymkey, int nocac
+     }
+   else
+     {
+-      log_error (_("problem with the agent: %s\n"), gpg_strerror (rc));
++      log_info (_("problem with the agent: %s\n"), gpg_strerror (rc));
+       /* Due to limitations in the API of the upper layers they
+          consider an error as no passphrase entered.  This works in
+          most cases but not during key creation where this should
diff --git a/gnupg-set_umask_before_open_outfile.patch b/gnupg-set_umask_before_open_outfile.patch
index 195e99c..7e78d69 100644
--- a/gnupg-set_umask_before_open_outfile.patch
+++ b/gnupg-set_umask_before_open_outfile.patch
@@ -1,7 +1,7 @@
-Index: gnupg-2.1.20/g10/plaintext.c
+Index: gnupg-2.3.0/g10/plaintext.c
 ===================================================================
---- gnupg-2.1.20.orig/g10/plaintext.c	2017-04-03 17:13:56.000000000 +0200
-+++ gnupg-2.1.20/g10/plaintext.c	2017-04-04 09:53:31.541145727 +0200
+--- gnupg-2.3.0.orig/g10/plaintext.c
++++ gnupg-2.3.0/g10/plaintext.c
 @@ -24,6 +24,7 @@
  #include <string.h>
  #include <errno.h>
@@ -39,5 +39,5 @@ Index: gnupg-2.1.20/g10/plaintext.c
 +	}
 +	umask(saved_umask);
      }
- #else /* __riscos__ */
-   /* If no output filename was given, i.e. we constructed it, convert
+ 
+  leave:
diff --git a/gpg2.changes b/gpg2.changes
index 8cd6050..1a4ba01 100644
--- a/gpg2.changes
+++ b/gpg2.changes
@@ -1,3 +1,77 @@
+-------------------------------------------------------------------
+Fri Jun 11 12:19:16 UTC 2021 - Pedro Monreal <pmonreal@suse.com>
+
+- GnuPG 2.3.1:
+  * The new configuration file common.conf is now used to enable
+    the use of the key database daemon with "use-keyboxd". Using
+    this option in gpg.conf and gpgsm.conf is supported for a
+    transitional period. See doc/example/common.conf for more.
+  * gpg: Force version 5 key creation for ed448 and cv448 algorithms.
+  * gpg: By default do not use the self-sigs-only option when
+    importing from an LDAP keyserver.
+  * gpg: Lookup a missing public key of the active card via LDAP.
+  * gpgsm: New command --show-certs.
+  * scd: Fix CCID driver for SCM SPR332/SPR532.
+  * scd: Further improvements for PKCS#15 cards.
+  * New configure option --with-tss to allow the selection of the
+    TSS library.
+- Rebase patches:
+  * gnupg-add_legacy_FIPS_mode_option.patch
+  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+  * gnupg-dont-fail-with-seahorse-agent.patch
+  * gnupg-set_umask_before_open_outfile.patch
+
+-------------------------------------------------------------------
+Fri Jun 11 12:15:37 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- GnuPG 2.3.0:
+  * A new experimental key database daemon is provided.  To enable
+    it put "use-keyboxd" into gpg.conf and gpgsm.conf.  Keys are stored
+    in a SQLite database and make key lookup much faster.
+  * New tool gpg-card as a flexible frontend for all types of
+    supported smartcards.
+  * New option --chuid for gpg, gpgsm, gpgconf, gpg-card, and
+    gpg-connect-agent.
+  * The gpg-wks-client tool is now installed under bin; a wrapper for
+    its old location at libexec is also installed.
+  * tpm2d: New daemon to physically bind keys to the local machine.
+  * gpg: Switch to ed25519/cv25519 as default public key algorithms.
+  * gpg: Verification results now depend on the --sender option and
+    the signer's UID subpacket.
+  * gpg: Do not use any 64-bit block size cipher algorithm for
+    encryption.  Use AES as last resort cipher preference instead of
+    3DES.  This can be reverted using --allow-old-cipher-algos.
+  * gpg: Support AEAD encryption mode using OCB or EAX.
+  * gpg: Support v5 keys and signatures.
+  * gpg: Support curve X448 (ed448, cv448).
+  * gpg: Allow use of group names in key listings.
+  * gpg: New option --full-timestrings to print date and time.
+  * gpg: New option --force-sign-key.
+  * gpg: New option --no-auto-trust-new-key.
+  * gpg: The legacy key discovery method PKA is no longer supported.
+    The command --print-pka-records and the PKA related import and
+    export options have been removed.
+  * gpg: Support export of Ed448 Secure Shell keys.
+  * gpgsm: Add basic ECC support.
+  * gpgsm: Support creation of EdDSA certificates.  [#4888]
+  * agent: Allow the use of "Label:" in a key file to customize the
+    pinentry prompt.
+  * agent: Support ssh-agent extensions for environment variables.
+    With a patched version of OpenSSH this avoids the need for the
+    "updatestartuptty" kludge.
+  * scd: Improve support for multiple card readers and tokens.
+  * scd: Support PIV cards.
+  * scd: Support for Rohde&Schwarz Cybersecurity cards.
+  * scd: Support Telesec Signature Cards v2.0
+  * scd: Support multiple application on certain smartcard.
+  * scd: New option --application-priority.
+  * scd: New option --pcsc-shared; see man page for important notes.
+  * dirmngr: Support a gpgNtds parameter in LDAP keyserver URLs.
+  * The symcryptrun tool, a wrapper for the now obsolete external
+    Chiasmus tool, has been removed.
+  * Full Unicode support for the command line.
+- dropped legacy commands: gpg-zip
+
 -------------------------------------------------------------------
 Wed Apr  7 20:56:23 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>
 
diff --git a/gpg2.spec b/gpg2.spec
index 53739ec..7c53cc1 100644
--- a/gpg2.spec
+++ b/gpg2.spec
@@ -17,14 +17,14 @@
 
 
 Name:           gpg2
-Version:        2.2.27
+Version:        2.3.1
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0-or-later
 Group:          Productivity/Networking/Security
 URL:            https://www.gnupg.org
-Source:         ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2
-Source2:        ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
+Source:         https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Source2:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
 # https://www.gnupg.org/signature_key.html
 Source3:        %{name}.keyring
 Source4:        scdaemon.udev
@@ -41,10 +41,12 @@ Patch15:        gnupg-allow-import-of-previously-known-keys-even-without-UIDs.pa
 Patch1124847:   gnupg-gpg-agent-ulimit.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
+BuildRequires:  ibmswtpm2
+BuildRequires:  ibmtss-devel
 BuildRequires:  libassuan-devel >= 2.5.0
-BuildRequires:  libgcrypt-devel >= 1.8.0
-BuildRequires:  libgpg-error-devel >= 1.27
-BuildRequires:  libksba-devel >= 1.3.5
+BuildRequires:  libgcrypt-devel >= 1.9.1
+BuildRequires:  libgpg-error-devel >= 1.41
+BuildRequires:  libksba-devel >= 1.3.4
 BuildRequires:  makeinfo
 BuildRequires:  npth-devel >= 1.2
 BuildRequires:  openldap2-devel
@@ -53,12 +55,12 @@ BuildRequires:  readline-devel
 BuildRequires:  pkgconfig(bzip2)
 BuildRequires:  pkgconfig(gnutls) >= 3.0
 BuildRequires:  pkgconfig(libusb-1.0)
-BuildRequires:  pkgconfig(sqlite3) >= 3.7
+BuildRequires:  pkgconfig(sqlite3) >= 3.27
 BuildRequires:  pkgconfig(zlib)
 # runtime dependency to support devel repository users - boo#955982
 Requires:       libassuan0 >= 2.5.0
-Requires:       libgcrypt20 >= 1.8.0
-Requires:       libksba >= 1.3.5
+Requires:       libgcrypt20 >= 1.9.1
+Requires:       libksba >= 1.3.4
 Requires:       pinentry
 Recommends:     dirmngr = %{version}
 Provides:       gnupg = %{version}
@@ -112,7 +114,6 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
     --with-scdaemon-pgm=%{_bindir}/scdaemon \
     --enable-ldap \
     --enable-gpgsm=yes \
-    --enable-gpg \
     --enable-gpgtar \
     --enable-g13 \
     --enable-large-secmem \
@@ -120,8 +121,7 @@ date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
     --with-gnu-ld \
     --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
     --enable-build-timestamp=$date \
-    --enable-gpg-is-gpg2 \
-    --enable-Werror
+    --enable-gpg-is-gpg2
 
 %make_build
 
@@ -145,9 +145,6 @@ mv %{buildroot}%{_libdir}/scdaemon %{buildroot}%{_bindir}
 mv %{buildroot}%{_libdir}/dirmngr_ldap %{buildroot}%{_bindir}
 # install udev rules for scdaemon
 install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
-# install legacy tools
-install -m 755 tools/gpg-zip %{buildroot}/%{_bindir}
-# install -m 755 tools/gpgsplit %%{buildroot}/%%{_bindir}
 
 %find_lang gnupg2
 %fdupes -s %{buildroot}