- Update to 2.5.1:

* gpg: The support for composite Kyber+ECC public key algorithms
    does now use the final FIPS-203 and LibrePGP specifications. The
    experimental keys from 2.5.0 are no longer supported. [T6815]
  * gpg: New commands --add-recipients and --change-recipients. [T1825]
  * gpg: New option --proc-all-sigs. [T7261]
  * gpg: Fix a regression in 2.5.0 in gpgme's tests. [T7195]
  * gpg: Make --no-literal work again for -c and --store. [T5852]
  * gpg: Improve detection of input data read errors. [T6528]
  * gpg: Fix getting key by IPGP record (rfc-4398). [T7288]
  * gpgsm: New option --assert-signer. [T7286]
  * gpgsm: More improvements to PKCS#12 parsing to cope with latest
    IVBB changes. [T7213]
  * agent: Fix KEYTOCARD command when used with a loopback pinentry. [T7283]
  * gpg-mail-tube: Make sure GNUPGHOME is set in vsd mode.  New option
    --as-attach. [rG4511997e9e1b]
  * Now uses the process spawn API from libgpg-error. [T7192,T7194]
  * Removed the --enable-gpg-is-gpg2 configure time option.
    [rG2125f228d36c]
  * Rebase patches:
    - gnupg-add_legacy_FIPS_mode_option.patch
    - gnupg-revert-rfc4880bis.patch
    - gnupg-nobetasuffix.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=306

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

gnupg-2.0.9-langinfo.patch

@@ -0,0 +1,17 @@
+# fix [bnc#305725] - non latin characters displayed incorrectly by pinentry
+---
+# jnlib/utf8conv.c |    1 +
+# 1 file changed, 1 insertion(+)
+#
+Index: gnupg-2.1.0/common/utf8conv.c
+===================================================================
+--- gnupg-2.1.0.orig/common/utf8conv.c	2014-10-11 19:45:14.000000000 +0200
++++ gnupg-2.1.0/common/utf8conv.c	2014-11-07 11:35:05.491413258 +0100
+@@ -198,6 +198,7 @@ set_native_charset (const char *newset)
+ #else /*!HAVE_W32_SYSTEM && !HAVE_ANDROID_SYSTEM*/
+ 
+ #ifdef HAVE_LANGINFO_CODESET
++	  setlocale(LC_ALL, "");
+       newset = nl_langinfo (CODESET);
+ #else /*!HAVE_LANGINFO_CODESET*/
+       /* Try to get the used charset from environment variables.  */

gnupg-2.2.16-secmem.patch

@@ -0,0 +1,35 @@
+Index: gnupg-2.2.16/g10/gpg.c
+===================================================================
+--- gnupg-2.2.16.orig/g10/gpg.c
++++ gnupg-2.2.16/g10/gpg.c
+@@ -973,7 +973,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
+@@ -1125,7 +1125,7 @@ build_list (const char *text, char lette
+   char *string;
+ 
+   if (maybe_setuid)
+-    gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++    gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+ 
+   indent = utf8_charcount (text, -1);
+   len = 0;
+Index: gnupg-2.2.16/sm/gpgsm.c
+===================================================================
+--- gnupg-2.2.16.orig/sm/gpgsm.c
++++ gnupg-2.2.16/sm/gpgsm.c
+@@ -533,7 +533,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);

gnupg-2.4.5.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f68f7d75d06cb1635c336d34d844af97436c3f64ea14bcb7c869782f96f44277
+size 7889060

gnupg-2.5.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8a34bb318499867962c939e156666ada93ed81f01926590ac68f3ff79178375e
+size 8126739

gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch

@@ -0,0 +1,33 @@
+From f361141a44365ff7db2d2cfbf118d5b54b52c3d5 Mon Sep 17 00:00:00 2001
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:43 +0200
+Subject: [PATCH] gpg: accept subkeys with a good revocation but no self-sig
+ during import
+
+* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
+encounter a valid revocation signature. This allows import of subkey
+revocation signatures, even in the absence of a corresponding subkey
+binding signature.
+
+--
+
+This fixes the remaining test in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/g10/import.c b/g10/import.c
+index 2be214e63..ae2453803 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -3536,6 +3536,7 @@ chk_self_sigs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid, int *non_self)
+                   /* It's valid, so is it newer? */
+                   if (sig->timestamp >= rsdate)
+                     {
++                      knode->flag |= NODE_GOOD_SELFSIG; /* Subkey is valid.  */
+                       if (rsnode)
+                         {
+                           /* Delete the last revocation sig since

gnupg-add-test-cases-for-import-without-uid.patch

@@ -0,0 +1,202 @@
+From 4c40bfa90bda748e5dada0bb1cc8fae14d744f07 Mon Sep 17 00:00:00 2001
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:41 +0200
+Subject: [PATCH] tests: add test cases for import without uid
+
+This commit adds a test case that does the following, in order:
+- Import of a primary key plus user id
+- Check that import of a subkey works, without a user id present in the
+imported key
+- Check that import of a subkey revocation works, without a user id or
+subkey binding signature present in the imported key
+- Check that import of a primary key revocation works, without a user id
+present in the imported key
+
+--
+
+Note that this test currently fails.  The following changesets will
+fix gpg so that the tests pass.
+
+GnuPG-Bug-id: 4393
+Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ tests/openpgp/Makefile.am                     |  1 +
+ tests/openpgp/import-incomplete.scm           | 68 +++++++++++++++++++
+ .../import-incomplete/primary+revocation.asc  |  9 +++
+ .../primary+subkey+sub-revocation.asc         | 10 +++
+ .../primary+subkey+sub-sig.asc                | 10 +++
+ .../import-incomplete/primary+uid-sig.asc     | 10 +++
+ .../openpgp/import-incomplete/primary+uid.asc | 10 +++
+ 7 files changed, 118 insertions(+)
+ create mode 100755 tests/openpgp/import-incomplete.scm
+ create mode 100644 tests/openpgp/import-incomplete/primary+revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid-sig.asc
+ create mode 100644 tests/openpgp/import-incomplete/primary+uid.asc
+
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index e5be42b41..d886bc8f7 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -78,6 +78,7 @@ XTESTS = \
+ 	gpgv-forged-keyring.scm \
+ 	armor.scm \
+ 	import.scm \
++	import-incomplete.scm \
+ 	import-revocation-certificate.scm \
+ 	ecc.scm \
+ 	4gb-packet.scm \
+diff --git a/tests/openpgp/import-incomplete.scm b/tests/openpgp/import-incomplete.scm
+new file mode 100755
+index 000000000..727a027c6
+--- /dev/null
++++ b/tests/openpgp/import-incomplete.scm
+@@ -0,0 +1,68 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2016 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see <http://www.gnu.org/licenses/>.
++
++(load (in-srcdir "tests" "openpgp" "defs.scm"))
++(setup-environment)
++
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+uid.asc")))
++
++(info "Test import of new subkey, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-sig.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of a subkey revocation, from a certificate without uid")
++(define keyid "573EA710367356BB")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+subkey+sub-revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "sub:r:")
++			(string-contains? line "573EA710367356BB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
++(info "Test import of revocation, from a certificate without uid")
++(call-check `(,(tool 'gpg) --import ,(in-srcdir "tests" "openpgp" "import-incomplete" "primary+revocation.asc")))
++(tr:do
++ (tr:pipe-do
++  (pipe:gpg `(--list-keys --with-colons ,keyid)))
++ (tr:call-with-content
++  (lambda (c)
++    ;; XXX we do not have a regexp library
++    (unless (any (lambda (line)
++		   (and (string-prefix? line "pub:r:")
++			(string-contains? line "0843DA969AA8DAFB")))
++		 (string-split-newlines c))
++	    (exit 1)))))
++
+diff --git a/tests/openpgp/import-incomplete/primary+revocation.asc b/tests/openpgp/import-incomplete/primary+revocation.asc
+new file mode 100644
+index 000000000..6b7b60802
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+revocation.asc
+@@ -0,0 +1,9 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [E] primary key, revocation signature over primary (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IeAQgFggAIBYhBLRpj5W82H/gSMzKKQhD2paaqNr7BQJc2ZQZAh0AAAoJ
++EAhD2paaqNr7qAwA/2jBUpnN0BxwRO/4CrxvrLIsL+C9aSXJUOTv8XkP4lvtAQD3
++XsDFfFNgEueiTfF7HtOGt5LPmRqVvUpQSMVgJJW6CQ==
++=tM90
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+new file mode 100644
+index 000000000..83a51a549
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-revocation.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [D] primary key, subkey, subkey revocation (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEKBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmnkAIdAgAKCRAIQ9qWmqja+ylaAQDmIKf86BJEq4OpDqU+V9D+wn2cyuxbyWVQ
++3r9LiL9qNwD/QAjyrhSN8L3Mfq+wdTHo5i0yB9ZCCpHLXSbhCqfWZwQ=
++=dwx2
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+new file mode 100644
+index 000000000..dc47a02d8
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+subkey+sub-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [B] primary key, subkey, subkey binding sig (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN24OARc2ZQhEgorBgEEAZdVAQUBAQdABsd5ha0AWXdXcSmfeiWIfrNcGqQK
++j++lwwWDAOlkVicDAQgHiHgEGBYIACAWIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUIQIbDAAKCRAIQ9qWmqja++vFAP98G1L+1/rWTGbsnxOAV2RocBYIroAvsbkR
++Ly6FdP8YNwEA7jOgT05CoKIe37MstpOz23mM80AK369Ca3JMmKKCQgg=
++=xuDu
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid-sig.asc b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+new file mode 100644
+index 000000000..134607d0e
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid-sig.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [C] primary key and self-sig expiring in 2024 (no user ID)
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN2IlgQTFggAPgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBLRpj5W8
++2H/gSMzKKQhD2paaqNr7BQJc2ZR1BQkJZgHcAAoJEAhD2paaqNr79soA/0lWkUsu
++3NLwgbni6EzJxnTzgeNMpljqNpipHAwfix9hAP93AVtFdC8g7hdUZxawobl9lnSN
++9ohXOEBWvdJgVv2YAg==
++=KWIK
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/import-incomplete/primary+uid.asc b/tests/openpgp/import-incomplete/primary+uid.asc
+new file mode 100644
+index 000000000..055f30086
+--- /dev/null
++++ b/tests/openpgp/import-incomplete/primary+uid.asc
+@@ -0,0 +1,10 @@
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++Comment: [A] primary key, user ID, and self-sig expiring in 2021
++
++mDMEXNmUGRYJKwYBBAHaRw8BAQdA75R8VlchvmEd2Iz/8l07RoKUaUPDB71Ao1zZ
++631VAN20CHRlc3Qga2V5iJYEExYIAD4WIQS0aY+VvNh/4EjMyikIQ9qWmqja+wUC
++XNmUGQIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAIQ9qWmqja
+++0G1AQDdQiwhXxjXLMqoth+D4SigVHTJK8ORwifzsy3UE7mPGwD/aZ67XbAF/lgI
++kv2O1Jo0u9BL9RNNF+L0DM7rAFbfMAs=
++=1eII
++-----END PGP PUBLIC KEY BLOCK-----

gnupg-add_legacy_FIPS_mode_option.patch

@@ -0,0 +1,69 @@
+---
+ doc/gpg.texi |   18 ++++++++++++++++++
+ g10/gpg.c    |    9 +++++++++
+ 2 files changed, 27 insertions(+)
+
+Index: gnupg-2.5.1/doc/gpg.texi
+===================================================================
+--- gnupg-2.5.1.orig/doc/gpg.texi
++++ gnupg-2.5.1/doc/gpg.texi
+@@ -2340,6 +2340,24 @@ implies, this option is for experts only
+ understand the implications of what it allows you to do, leave this
+ off. @option{--no-expert} disables this option.
+ 
++@item --set-legacy-fips
++@itemx --set-legacy-fips
++@opindex set-legacy-fips
++Enable legacy support even when the libgcrypt library is in FIPS 140-2
++mode. The legacy mode of libgcrypt allows the use of all ciphers,
++including non-approved ciphers. This mode is needed when for legacy
++reasons a message must be encrypted or decrypted. Legacy reasons for
++decryptions include the decryption of old messages created with a
++public key that use cipher settings which do not meet FIPS 140-2
++requirements. Legacy reasons for encryption include the encryption
++of messages with a recipients public key where the recipient is not
++bound to FIPS 140-2 regulation and therefore provided a key using
++non-approved ciphers. Although the legacy mode is a violation of strict
++FIPS 140-2 rule interpretations, it is wise to use this mode or
++either not being able to access old messages or not being able
++to create encrypted messages to a recipient that is not adhering
++to FIPS 140-2 rules.
++
+ @end table
+ 
+ 
+Index: gnupg-2.5.1/g10/gpg.c
+===================================================================
+--- gnupg-2.5.1.orig/g10/gpg.c
++++ gnupg-2.5.1/g10/gpg.c
+@@ -455,6 +455,7 @@ enum cmd_and_opt_values
+     oForceSignKey,
+     oForbidGenKey,
+     oRequireCompliance,
++    oSetLegacyFips,
+     oCompatibilityFlags,
+     oAddDesigRevoker,
+     oAssertSigner,
+@@ -906,6 +907,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"),
+   ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
+   ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
++  ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
+   ARGPARSE_s_n (oRequirePQCEncryption, "require-pqc-encryption", "@"),
+ 
+   ARGPARSE_header (NULL, N_("Options for unattended use")),
+@@ -3855,6 +3857,14 @@ main (int argc, char **argv)
+             keybox_set_buffersize (pargs.r.ret_ulong, 0);
+             break;
+ 
++         case oSetLegacyFips:
++           if(gcry_fips_mode_active())
++             gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG,
++                           "Enable legacy support in FIPS 140-2 mode");
++           else
++             log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
++           break;
++
+ 	  case oNoop: break;
+ 
+ 	  default:

gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch

@@ -0,0 +1,108 @@
+From a1db83d8a3308277f01b96833c13693bd7e13ff9 Mon Sep 17 00:00:00 2001
+From: Vincent Breitmoser <look@my.amazin.horse>
+Date: Thu, 13 Jun 2019 21:27:42 +0200
+Subject: [PATCH] gpg: allow import of previously known keys, even without UIDs
+
+* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
+has no user id, as long as we already have a local variant of the cert
+that matches the primary key.
+
+--
+
+This fixes two of the three broken tests in import-incomplete.scm.
+
+GnuPG-Bug-id: 4393
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ g10/import.c | 49 +++++++++++--------------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+Index: gnupg-2.4.0/g10/import.c
+===================================================================
+--- gnupg-2.4.0.orig/g10/import.c
++++ gnupg-2.4.0/g10/import.c
+@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
+   size_t an;
+   char pkstrbuf[PUBKEY_STRING_SIZE];
+   int merge_keys_done = 0;
+-  int any_filter = 0;
+   KEYDB_HANDLE hd = NULL;
+ 
+   if (r_valid)
+@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
+       log_printf ("\n");
+     }
+ 
+-
+-  if (!uidnode)
+-    {
+-      if (!silent)
+-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
+-      return 0;
+-    }
+-
+   if (screener && screener (keyblock, screener_arg))
+     {
+       log_error (_("key %s: %s\n"), keystr_from_pk (pk),
+@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
+ 	  }
+     }
+ 
+-  /* Delete invalid parts and bail out if there are no user ids left.  */
+-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
+-    {
+-      if (!silent)
+-        {
+-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
+-          if (!opt.quiet)
+-            log_info(_("this may be caused by a missing self-signature\n"));
+-        }
+-      stats->no_user_id++;
+-      return 0;
+-    }
++  /* Delete invalid parts, and note if we have any valid ones left.
++   * We will later abort import if this key is new but contains
++   * no valid uids.  */
++  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
+ 
+   /* Get rid of deleted nodes.  */
+   commit_kbnode (&keyblock);
+@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
+     {
+       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+     }
+   if (import_filter.drop_sig)
+     {
+       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);
+       commit_kbnode (&keyblock);
+-      any_filter = 1;
+-    }
+-
+-  /* If we ran any filter we need to check that at least one user id
+-   * is left in the keyring.  Note that we do not use log_error in
+-   * this case. */
+-  if (any_filter && !any_uid_left (keyblock))
+-    {
+-      if (!opt.quiet )
+-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));
+-      stats->no_user_id++;
+-      return 0;
+     }
+ 
+   /* The keyblock is valid and ready for real import.  */
+@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
+       err = 0;
+       stats->skipped_new_keys++;
+     }
++  else if (err && !any_uid_left (keyblock))
++    {
++      if (!silent)
++        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));
++      err = 0;
++      stats->no_user_id++;
++    }
+   else if (err)  /* Insert this key. */
+     {
+       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */

gnupg-allow-large-rsa.patch

@@ -0,0 +1,13 @@
+Index: gnupg-2.4.0/g10/keygen.c
+===================================================================
+--- gnupg-2.4.0.orig/g10/keygen.c
++++ gnupg-2.4.0/g10/keygen.c
+@@ -2461,7 +2461,7 @@ get_keysize_range (int algo, unsigned in
+ 
+     default:
+       *min = opt.compliance == CO_DE_VS ? 2048: 1024;
+-      *max = 4096;
++      *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
+       def = 3072;
+       break;
+     }

gnupg-detect_FIPS_mode.patch

@@ -0,0 +1,18 @@
+Index: gnupg-2.3.8/g10/mainproc.c
+===================================================================
+--- gnupg-2.3.8.orig/g10/mainproc.c
++++ gnupg-2.3.8/g10/mainproc.c
+@@ -1011,7 +1011,12 @@ proc_plaintext( CTX c, PACKET *pkt )
+          according to 2440, so hopefully it won't come up that often.
+          There is no good way to specify what algorithms to use in
+          that case, so these there are the historical answer. */
+-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
++
++	/* Libgcrypt manual says that gcry_version_check must be called
++	 * before calling gcry_fips_mode_active. */
++	gcry_check_version (NULL);
++	if(!gcry_fips_mode_active())
++	  gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160);
+ 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
+     }
+   if (DBG_HASHING)

gnupg-dont-fail-with-seahorse-agent.patch

@@ -0,0 +1,17 @@
+---
+ g10/passphrase.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: gnupg-2.3.0/g10/passphrase.c
+===================================================================
+--- gnupg-2.3.0.orig/g10/passphrase.c
++++ gnupg-2.3.0/g10/passphrase.c
+@@ -222,7 +222,7 @@ passphrase_get (int newsymkey, int nocac
+     }
+   else
+     {
+-      log_error (_("problem with the agent: %s\n"), gpg_strerror (rc));
++      log_info (_("problem with the agent: %s\n"), gpg_strerror (rc));
+       /* Due to limitations in the API of the upper layers they
+          consider an error as no passphrase entered.  This works in
+          most cases but not during key creation where this should

gnupg-gpg-agent-ulimit.patch

@@ -0,0 +1,35 @@
+gpg-agent is in the chain of commands in xinitrc.
+It receives a list of commands via argv[] which it is supposed to launch via exec.
+In this mode all what matters is a bunch of setenv() of gpg related variables.
+At no point it must fiddle with ulimit that was provided by its callers.
+In case of xinitrc it was most likely pam_limits which, for example, configured the coredump settings for this session.
+
+Every code path before the fork() call does no sensitive things, so coredumps do not matter.
+
+gpg-agent does fork a child in this mode.
+That child has the liberty to tweak ulimit in every way it wants.
+This is what this patch does.
+
+Without this patch, all applications launched after gpg-agent are unable to coredump, because systemd-coredump check the ulimit of the crashed process.
+As a result, crashes of desktop applications can not be debugged.
+
+References: bsc#1124847
+
+--- a/agent/gpg-agent.c
++++ b/agent/gpg-agent.c
+@@ -1049,7 +1049,6 @@ main (int argc, char **argv )
+   gcry_control (GCRYCTL_USE_SECURE_RNDPOOL);
+   gcry_set_progress_handler (agent_libgcrypt_progress_cb, NULL);
+ 
+-  disable_core_dumps ();
+ 
+   /* Set default options.  */
+   parse_rereadable_options (NULL, 0); /* Reset them to default values. */
+@@ -1738,6 +1737,7 @@ main (int argc, char **argv )
+       /*
+          This is the child
+        */
++      disable_core_dumps ();
+ 
+       initialize_modules ();
+ 

gnupg-nobetasuffix.patch

@@ -0,0 +1,24 @@
+Index: gnupg-2.5.1/autogen.sh
+===================================================================
+--- gnupg-2.5.1.orig/autogen.sh
++++ gnupg-2.5.1/autogen.sh
+@@ -244,7 +244,7 @@ if [ "$myhost" = "find-version" ]; then
+     fi
+ 
+     beta=no
+-    if [ -e .git ]; then
++    if false; then
+       ingit=yes
+       tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+       if [ -n "$tmp" ]; then
+@@ -270,8 +270,8 @@ if [ "$myhost" = "find-version" ]; then
+       rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+     else
+       ingit=no
+-      beta=yes
+-      tmp="-unknown"
++      beta=no
++      tmp=""
+       cid="0000000"
+       rev="0000000"
+       rvd="0"

gnupg-revert-rfc4880bis.patch

@@ -0,0 +1,202 @@
+From 4583f4fe2e11b3dd070066628c3f16776cc74f72 Mon Sep 17 00:00:00 2001
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 31 Oct 2022 16:14:18 +0100
+Subject: [PATCH GnuPG] gpg: Merge --rfc4880bis features into --gnupg
+
+* g10/gpg.c (oRFC4880bis): Remove.
+(opts): Make --rfc4880bis a Noop.
+(compliance_options): Make rfc4880bis to gnupg.
+(set_compliance_option): Remove rfc4880bis stuff.
+(main): Ditto.  Note that this now activates the --mimemode option.
+* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection.
+(keygen_upd_std_prefs): Always announce support for v5 keys.
+(read_parameter_file): Activate the v4 and v5 keywords.
+--
+
+Index: gnupg-2.5.1/g10/gpg.c
+===================================================================
+--- gnupg-2.5.1.orig/g10/gpg.c
++++ gnupg-2.5.1/g10/gpg.c
+@@ -254,6 +254,7 @@ enum cmd_and_opt_values
+     oGnuPG,
+     oRFC2440,
+     oRFC4880,
++    oRFC4880bis,
+     oOpenPGP,
+     oPGP7,
+     oPGP8,
+@@ -653,6 +654,7 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
+   ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
+   ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
++  ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
+   ARGPARSE_s_n (oPGP7, "pgp6", "@"),
+   ARGPARSE_s_n (oPGP7, "pgp7", "@"),
+@@ -1006,7 +1008,6 @@ static gpgrt_opt_t opts[] = {
+   ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
+   ARGPARSE_s_s (oNoop, "aead-algo", "@"),
+   ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
+-  ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
+   ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
+ 
+ 
+@@ -2261,7 +2262,7 @@ static struct gnupg_compliance_option co
+   {
+     { "gnupg",      oGnuPG },
+     { "openpgp",    oOpenPGP },
+-    { "rfc4880bis", oGnuPG },
++    { "rfc4880bis", oRFC4880bis },
+     { "rfc4880",    oRFC4880 },
+     { "rfc2440",    oRFC2440 },
+     { "pgp6",       oPGP7 },
+@@ -2277,8 +2278,28 @@ static struct gnupg_compliance_option co
+ static void
+ set_compliance_option (enum cmd_and_opt_values option)
+ {
++  opt.flags.rfc4880bis = 0;  /* Clear because it is initially set.  */
++
+   switch (option)
+     {
++    case oRFC4880bis:
++      opt.flags.rfc4880bis = 1;
++      opt.compliance = CO_RFC4880;
++      opt.flags.dsa2 = 1;
++      opt.flags.require_cross_cert = 1;
++      opt.rfc2440_text = 0;
++      opt.allow_non_selfsigned_uid = 1;
++      opt.allow_freeform_uid = 1;
++      opt.escape_from = 1;
++      opt.not_dash_escaped = 0;
++      opt.def_cipher_algo = 0;
++      opt.def_digest_algo = 0;
++      opt.cert_digest_algo = 0;
++      opt.compress_algo = -1;
++      opt.s2k_mode = 3; /* iterated+salted */
++      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
++      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
++      break;
+     case oOpenPGP:
+     case oRFC4880:
+       /* This is effectively the same as RFC2440, but with
+@@ -2322,6 +2343,7 @@ set_compliance_option (enum cmd_and_opt_
+     case oPGP8:  opt.compliance = CO_PGP8;  break;
+     case oGnuPG:
+       opt.compliance = CO_GNUPG;
++      opt.flags.rfc4880bis = 1;
+       break;
+ 
+     case oDE_VS:
+@@ -2526,6 +2548,7 @@ main (int argc, char **argv)
+     opt.weak_digests = NULL;
+     opt.with_subkey_fingerprint = 1;
+     opt.compliance = CO_GNUPG;
++    opt.flags.rfc4880bis = 1;
+ 
+     /* Check special options given on the command line.  */
+     orig_argc = argc;
+@@ -3085,6 +3108,7 @@ main (int argc, char **argv)
+           case oOpenPGP:
+           case oRFC2440:
+           case oRFC4880:
++          case oRFC4880bis:
+           case oPGP7:
+           case oPGP8:
+           case oGnuPG:
+@@ -3990,6 +4014,11 @@ main (int argc, char **argv)
+     if( may_coredump && !opt.quiet )
+ 	log_info(_("WARNING: program may create a core file!\n"));
+ 
++    if (!opt.flags.rfc4880bis)
++      {
++        opt.mimemode = 0; /* This will use text mode instead.  */
++      }
++
+     if (eyes_only) {
+       if (opt.set_filename)
+ 	  log_info(_("WARNING: %s overrides %s\n"),
+@@ -4212,7 +4241,7 @@ main (int argc, char **argv)
+     /* Check our chosen algorithms against the list of legal
+        algorithms. */
+ 
+-    if(!GNUPG)
++    if(!GNUPG && !opt.flags.rfc4880bis)
+       {
+ 	const char *badalg=NULL;
+ 	preftype_t badtype=PREFTYPE_NONE;
+Index: gnupg-2.5.1/g10/keygen.c
+===================================================================
+--- gnupg-2.5.1.orig/g10/keygen.c
++++ gnupg-2.5.1/g10/keygen.c
+@@ -453,7 +453,7 @@ keygen_set_std_prefs (const char *string
+ 	      strcat(dummy_string,"S7 ");
+ 	    strcat(dummy_string,"S2 "); /* 3DES */
+ 
+-            if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
++            if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ 	      strcat(dummy_string,"A2 ");
+ 
+             if (personal)
+@@ -938,7 +938,7 @@ keygen_upd_std_prefs (PKT_signature *sig
+   /* Make sure that the MDC feature flag is set if needed.  */
+   add_feature_mdc (sig,mdc_available);
+   add_feature_aead (sig, aead_available);
+-  add_feature_v5 (sig, 1);
++  add_feature_v5 (sig, opt.flags.rfc4880bis);
+   add_keyserver_modify (sig,ks_modify);
+   keygen_add_keyserver_url(sig,NULL);
+ 
+@@ -3974,7 +3974,10 @@ parse_key_parameter_part (ctrl_t ctrl,
+                 }
+             }
+           else if (!ascii_strcasecmp (s, "v5"))
+-            keyversion = 5;
++            {
++              if (opt.flags.rfc4880bis)
++                keyversion = 5;
++            }
+           else if (!ascii_strcasecmp (s, "v4"))
+             keyversion = 4;
+           else
+@@ -4235,7 +4238,7 @@ parse_key_parameter_part (ctrl_t ctrl,
+  *   ecdsa := Use algorithm ECDSA.
+  *   eddsa := Use algorithm EdDSA.
+  *   ecdh  := Use algorithm ECDH.
+- *   v5    := Create version 5 key
++ *   v5    := Create version 5 key (requires option --rfc4880bis)
+  *
+  * There are several defaults and fallbacks depending on the
+  * algorithm.  PART can be used to select which part of STRING is
+@@ -5206,9 +5209,9 @@ read_parameter_file (ctrl_t ctrl, const
+ 	    }
+ 	}
+ 
+-        if ((keywords[i].key == pVERSION
+-             || keywords[i].key == pSUBVERSION))
+-          ; /* Ignore version.  */
++        if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
++                                      || keywords[i].key == pSUBVERSION))
++          ; /* Ignore version unless --rfc4880bis is active.  */
+         else
+           {
+             r = xmalloc_clear( sizeof *r + strlen( value ) );
+@@ -5303,11 +5306,14 @@ quickgen_set_para (struct para_data_s *p
+   r->next = para;
+   para = r;
+ 
+-  r = xmalloc_clear (sizeof *r + 20);
+-  r->key = for_subkey? pSUBVERSION : pVERSION;
+-  snprintf (r->u.value, 20, "%d", version);
+-  r->next = para;
+-  para = r;
++  if (opt.flags.rfc4880bis)
++    {
++      r = xmalloc_clear (sizeof *r + 20);
++      r->key = for_subkey? pSUBVERSION : pVERSION;
++      snprintf (r->u.value, 20, "%d", version);
++      r->next = para;
++      para = r;
++    }
+ 
+   if (keytime)
+     {

gnupg-set_umask_before_open_outfile.patch

@@ -0,0 +1,43 @@
+Index: gnupg-2.3.0/g10/plaintext.c
+===================================================================
+--- gnupg-2.3.0.orig/g10/plaintext.c
++++ gnupg-2.3.0/g10/plaintext.c
+@@ -24,6 +24,7 @@
+ #include <string.h>
+ #include <errno.h>
+ #include <sys/types.h>
++#include <sys/stat.h>
+ #ifdef HAVE_DOSISH_SYSTEM
+ # include <fcntl.h> /* for setmode() */
+ #endif
+@@ -38,6 +39,9 @@
+ #include "../common/status.h"
+ #include "../common/i18n.h"
+ 
++/* define safe permissions for creating plaintext files */
++#define GPG_SAFE_PERMS (S_IRUSR | S_IWUSR)
++#define GPG_SAFE_UMASK (0777 & ~GPG_SAFE_PERMS)
+ 
+ /* Get the output filename.  On success, the actual filename that is
+    used is set in *FNAMEP and a filepointer is returned in *FP.
+@@ -161,11 +165,15 @@ get_output_file (const byte *embedded_na
+       log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));
+       goto leave;
+     }
+-  else if (!(fp = es_fopen (fname, "wb")))
+-    {
+-      err = gpg_error_from_syserror ();
+-      log_error (_("error creating '%s': %s\n"), fname, gpg_strerror (err));
+-      goto leave;
++    else {
++	mode_t saved_umask = umask(GPG_SAFE_UMASK);
++	if( !(fp = es_fopen(fname,"wb")) ) {
++		err = gpg_error_from_syserror ();
++		log_error(_("error creating `%s': %s\n"), fname, strerror(errno) );
++		umask(saved_umask);
++		goto leave;
++	}
++	umask(saved_umask);
+     }
+ 
+  leave:

gpg2.keyring

@@ -0,0 +1,86 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
+4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
+b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
+bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
+icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
+GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
+m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
+IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
+/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
+BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
+ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
+AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
+BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
+EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
+BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
+V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
+c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
+OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
+l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
+Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
+HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
+UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
+7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
+wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
+C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
+bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
+Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
+VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
+fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
+dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
+my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
+7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
+3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
+QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
+vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
+vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
+YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
+t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
+eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
+4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
+D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
+MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
+MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
+14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
+jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
+WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
+AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
+RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
+IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
+N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
+eiInsGZ/+h5XYrpXTgA=
+=4+Sn
+-----END PGP PUBLIC KEY BLOCK-----

gpg2.spec

@@ -0,0 +1,196 @@
+#
+# spec file for package gpg2
+#
+# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           gpg2
+Version:        2.5.1
+Release:        0
+Summary:        File encryption, decryption, signature creation and verification utility
+License:        GPL-3.0-or-later
+Group:          Productivity/Networking/Security
+URL:            https://www.gnupg.org
+Source:         https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2
+Source2:        https://gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
+# https://www.gnupg.org/signature_key.html
+Source3:        https://gnupg.org/signature_key.asc#/%{name}.keyring
+Source4:        scdaemon.udev
+Source5:        gpg2-systemd-user.tar.xz
+Source99:       %{name}.changes
+Patch1:         gnupg-gpg-agent-ulimit.patch
+Patch2:         gnupg-2.0.9-langinfo.patch
+Patch3:         gnupg-dont-fail-with-seahorse-agent.patch
+Patch4:         gnupg-set_umask_before_open_outfile.patch
+Patch5:         gnupg-detect_FIPS_mode.patch
+Patch6:         gnupg-add_legacy_FIPS_mode_option.patch
+Patch7:         gnupg-2.2.16-secmem.patch
+Patch8:         gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
+Patch9:         gnupg-add-test-cases-for-import-without-uid.patch
+Patch10:        gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
+#PATCH-FIX-SUSE Allow 8192 bit RSA keys in keygen UI when large_rsa is set
+Patch11:        gnupg-allow-large-rsa.patch
+#PATCH-FIX-SUSE Revert the rfc4880bis features default of key generation
+Patch12:        gnupg-revert-rfc4880bis.patch
+#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
+Patch13:        gnupg-nobetasuffix.patch
+BuildRequires:  expect
+BuildRequires:  fdupes
+BuildRequires:  ibmswtpm2
+BuildRequires:  ibmtss-devel
+BuildRequires:  libassuan-devel >= 2.5.0
+BuildRequires:  libgcrypt-devel >= 1.9.1
+BuildRequires:  libgpg-error-devel >= 1.46
+BuildRequires:  libksba-devel >= 1.6.3
+BuildRequires:  makeinfo
+BuildRequires:  npth-devel >= 1.2
+BuildRequires:  openldap2-devel
+BuildRequires:  pkgconfig
+BuildRequires:  readline-devel
+BuildRequires:  pkgconfig(bzip2)
+BuildRequires:  pkgconfig(gnutls) >= 3.2
+BuildRequires:  pkgconfig(libusb-1.0)
+BuildRequires:  pkgconfig(sqlite3) >= 3.27
+BuildRequires:  pkgconfig(zlib)
+Requires:       pinentry
+Recommends:     dirmngr = %{version}
+Provides:       gnupg = %{version}
+Provides:       gpg = 1.4.9
+Provides:       newpg
+Obsoletes:      gpg < 1.4.9
+
+%description
+GnuPG is a hybrid-encryption software program; it uses a combination
+of symmetric-key and public-key cryptography to encrypt/decrypt
+messages and/or to sign and verify them.
+
+gpg2 provides GPGSM, gpg-agent, and a keybox library.
+
+%package -n dirmngr
+Summary:        Keyserver, CRL, and OCSP access for GnuPG
+Group:          Productivity/Networking/Security
+
+%description -n dirmngr
+Since version  2.1 of GnuPG, dirmngr takes care of accessing the OpenPGP
+keyservers. As with previous versions it is also used as a server for managing
+and downloading certificate
+revocation lists (CRLs) for X.509 certificates, downloading X.509 certificates,
+and providing access to OCSP providers.  Dirmngr is invoked internally by gpg,
+gpgsm, or via the gpg-connect-agent tool.
+
+%package tpm
+Summary:        TPM2 support for GnuPG
+Group:          Productivity/Networking/Security
+
+%description tpm
+Version 2.3 of GnuPG introduced support for converting GPG private
+keys to TPM2 wrapped form.  This package enables that support.  The
+keytotpm command will not function unless this package is installed.
+
+%lang_package
+
+%prep
+%autosetup -p1 -a5 -n gnupg-%{version}
+
+# In order to compensate for gnupg-add_legacy_FIPS_mode_option.patch
+# to not have man pages and info files have the build date (boo#1047218)
+touch -d 2018-05-04 doc/gpg.texi
+
+%build
+date=$(date -u +%%Y-%%m-%%dT%%H:%%M+0000 -r %{SOURCE99})
+%configure \
+    --docdir=%{_docdir}/%{name} \
+    --disable-rpath \
+    --enable-g13 \
+    --enable-large-secmem \
+    --with-gnu-ld \
+    --with-default-trust-store-file=%{_sysconfdir}/ssl/ca-bundle.pem \
+    --enable-build-timestamp=$date
+
+%make_build
+
+%install
+%make_install
+mkdir -p %{buildroot}%{_sysconfdir}/gnupg/
+
+# install gpgconf.conf bnc#391347
+install -m 644 doc/examples/gpgconf.conf %{buildroot}%{_sysconfdir}/gnupg
+# delete to prevent fdupes from creating cross-partition hardlink
+rm -rf %{buildroot}%{_docdir}/gpg2/examples/gpgconf.conf
+
+# remove info dir
+rm %{buildroot}%{_infodir}/dir
+
+# compat symlinks
+ln -sf gpg %{buildroot}%{_bindir}/gpg2
+ln -sf gpgv %{buildroot}%{_bindir}/gpgv2
+ln -sf gpg.1 %{buildroot}%{_mandir}/man1/gpg2.1
+ln -sf gpgv.1 %{buildroot}%{_mandir}/man1/gpgv2.1
+ln -sf gnupg.7 %{buildroot}%{_mandir}/man7/gnupg2.7
+
+# install udev rules for scdaemon
+install -Dm 0644 %{SOURCE4} %{buildroot}%{_udevrulesdir}/60-scdaemon.rules
+
+# Move the systemd user units to the appropriate directory
+install -d -m 755 %{buildroot}%{_userunitdir}
+cp systemd-user/gpg-agent*.s* %{buildroot}%{_userunitdir}
+cp systemd-user/dirmngr.s* %{buildroot}%{_userunitdir}
+cp systemd-user/README.systemd %{buildroot}%{_docdir}/gpg2/
+
+%find_lang gnupg2
+%fdupes -s %{buildroot}
+
+%check
+%make_build check || :
+
+%post
+%udev_rules_update
+
+%files lang -f gnupg2.lang
+
+%files
+%license COPYING*
+%doc AUTHORS NEWS THANKS TODO ChangeLog
+%{_infodir}/gnupg*
+%dir %{_mandir}/manh/
+%{_mandir}/*/[aghsw]*%{ext_man}
+%doc %{_docdir}/%{name}
+%{_bindir}/[gkw]*
+%{_libexecdir}/[gks]*
+%{_sbindir}/addgnupghome
+%{_sbindir}/applygnupgdefaults
+%{_sbindir}/g13-syshelp
+%{_udevrulesdir}/60-scdaemon.rules
+%{_datadir}/gnupg
+%dir %{_sysconfdir}/gnupg
+%config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
+%{_userunitdir}/gpg-agent*
+%if 0%{?sle_version} >= 150500
+%exclude %{_userunitdir}/dirmngr.*
+%endif
+
+%files -n dirmngr
+%license COPYING*
+%{_mandir}/*/dirmngr*%{ext_man}
+%{_bindir}/dirmngr*
+%{_libexecdir}/dirmngr_ldap
+%{_userunitdir}/dirmngr.*
+
+%files tpm
+%license COPYING*
+%{_libexecdir}/tpm2daemon*
+
+%changelog

scdaemon.udev

@@ -0,0 +1,65 @@
+# do not edit this file, it will be overwritten on update
+
+SUBSYSTEM!="usb", GOTO="gnupg_rules_end"
+ACTION!="add", GOTO="gnupg_rules_end"
+
+# USB SmartCard Readers
+## Cherry GmbH (XX33, ST2000)
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0005", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="0010", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="046a", ATTR{idProduct}=="003e", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## SCM Microsystems, Inc (SCR331-DI, SCR335, SCR3320, SCR331, SCR3310 and SPR532)
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="5117", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e001", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="04e6", ATTR{idProduct}=="e003", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Omnikey AG (CardMan 3821, CardMan 6121)
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="3821", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="076b", ATTR{idProduct}=="6622", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gemalto
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3437", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3438", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="3478", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34c2", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="08e6", ATTR{idProduct}=="34ec", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Reiner (SCT cyberJack)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0c4b", ATTR{idProduct}=="0500", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Kobil (KAAN)
+SUBSYSTEM=="usb", ATTR{idVendor}=="0d46", ATTR{idProduct}=="2012", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## VASCO (DIGIPASS 920)
+SUBSYSTEM=="usb", ATTR{idVendor}=="1a44", ATTR{idProduct}=="0920", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Crypto Stick
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4107", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Nitrokey
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4108", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4109", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+SUBSYSTEM=="usb", ATTR{idVendor}=="20a0", ATTR{idProduct}=="4211", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Gnuk Token
+SUBSYSTEM=="usb", ATTR{idVendor}=="234b", ATTR{idProduct}=="0000", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Alcor Micro Corp cardreader (in ThinkPad X250)
+SUBSYSTEM=="usb", ATTR{idVendor}=="058f", ATTR{idProduct}=="9540", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Fujitsu Siemens
+SUBSYSTEM=="usb", ATTR{idVendor}=="0bf8", ATTR{idProduct}=="1006", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Yubico
+# Yubikey NEO OTP+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0111", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0112", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0115", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey NEO OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0116", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0404", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0405", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0406", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+# Yubikey 4 OTP+U2F+CCID
+SUBSYSTEM=="usb", ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0407", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+## Trustica Cryptoucan
+SUBSYSTEM=="usb", ATTR{idVendor}=="1fc9", ATTR{idProduct}=="81e6", ENV{ID_SMARTCARD_READER}="1", ENV{ID_SMARTCARD_READER_DRIVER}="gnupg"
+
+LABEL="gnupg_rules_end"