Commit: 1fa9df2bdfc262317cdb2a95e832ab8dc97c188e
Parent: e6556a623d11a30a89d92de90504cc7983be0b05
Author: Randy Palamar
Date: Sat, 13 Jun 2026 06:10:51 -0600
app-crypt/gnupg: 2.5.20-r1
Diffstat:
3 files changed, 300 insertions(+), 188 deletions(-)
diff --git a/app-crypt/gnupg/files/gnupg-2.5.20-gpgme-poppler-expire.patch b/app-crypt/gnupg/files/gnupg-2.5.20-gpgme-poppler-expire.patch
@@ -0,0 +1,111 @@
+https://bugs.gentoo.org/976749
+
+From 32f56a2732f0ac6204aad946388789cdbb0e26eb Mon Sep 17 00:00:00 2001
+Message-ID: <32f56a2732f0ac6204aad946388789cdbb0e26eb.1781166873.git.sam@gentoo.org>
+From: Philip Le <philip.le@gnupg.com>
+Date: Thu, 21 May 2026 14:46:46 +0200
+Subject: [PATCH GnuPG] gpgsm: Fix regression in gpgsm_verify with expired
+ certificates.
+
+* sm/verify.c (gpgsm_verify): Display information about signers with
+expired certificate.
+--
+
+The loop over signers skipped the parsing of the current signer's
+information if the certificate is expired.
+
+GnuPG-bug-id: 8188
+Fixes-commit: fa1ac5c23d167dde6899536d6d80d9391737d21e
+---
+ sm/verify.c | 68 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 34 insertions(+), 34 deletions(-)
+
+diff --git a/sm/verify.c b/sm/verify.c
+index e56e0674e..e48b8e374 100644
+--- a/sm/verify.c
++++ b/sm/verify.c
+@@ -615,6 +615,40 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
+ keyexptime, 0,
+ NULL, 0, &verifyflags);
+
++ {
++ char *fpr, *buf, *tstr;
++
++ fpr = gpgsm_fpr_and_name_for_status (cert);
++ if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
++ {
++ gpgsm_status (ctrl, STATUS_EXPKEYSIG, fpr);
++ rc = 0;
++ }
++ else
++ gpgsm_status (ctrl, STATUS_GOODSIG, fpr);
++
++ xfree (fpr);
++
++ /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then
++ * ECC. We should use the ECDSA here and need to find a way to
++ * figure this out without using the bogus assumption in
++ * gpgsm_check_cms_signature that ECC is always ECDSA. */
++
++ fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
++ tstr = strtimestamp_r (sigtime);
++ buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr,
++ *sigtime? sigtime : "0",
++ *keyexptime? keyexptime : "0",
++ info_pkalgo, algo);
++ xfree (tstr);
++ /* Handle the --assert-signer option. */
++ check_assert_signer_list (ctrl, fpr);
++ xfree (fpr);
++ /* Print the status line. */
++ gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
++ xfree (buf);
++ }
++
+ audit_log_ok (ctrl->audit, AUDIT_CHAIN_STATUS, rc);
+ if (rc) /* of validate_chain */
+ {
+@@ -671,40 +705,6 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
+ goto next_signer;
+ }
+
+- {
+- char *fpr, *buf, *tstr;
+-
+- fpr = gpgsm_fpr_and_name_for_status (cert);
+- if (gpg_err_code (rc) == GPG_ERR_CERT_EXPIRED)
+- {
+- gpgsm_status (ctrl, STATUS_EXPKEYSIG, fpr);
+- rc = 0;
+- }
+- else
+- gpgsm_status (ctrl, STATUS_GOODSIG, fpr);
+-
+- xfree (fpr);
+-
+- /* FIXME: INFO_PKALGO correctly shows ECDSA but PKALGO is then
+- * ECC. We should use the ECDSA here and need to find a way to
+- * figure this out without using the bogus assumption in
+- * gpgsm_check_cms_signature that ECC is always ECDSA. */
+-
+- fpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
+- tstr = strtimestamp_r (sigtime);
+- buf = xasprintf ("%s %s %s %s 0 0 %d %d 00", fpr, tstr,
+- *sigtime? sigtime : "0",
+- *keyexptime? keyexptime : "0",
+- info_pkalgo, algo);
+- xfree (tstr);
+- /* Handle the --assert-signer option. */
+- check_assert_signer_list (ctrl, fpr);
+- xfree (fpr);
+- /* Print the status line. */
+- gpgsm_status (ctrl, STATUS_VALIDSIG, buf);
+- xfree (buf);
+- }
+-
+ audit_log_s (ctrl->audit, AUDIT_SIG_STATUS, "good");
+
+ for (i=0; (p = ksba_cert_get_subject (cert, i)); i++)
+--
+2.54.0
+
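Review bot: With the status block now placed ahead of the `if (rc) /* of validate_chain */` test, the `else` arm emits `STATUS_GOODSIG`, the block emits `STATUS_VALIDSIG`, and `check_assert_signer_list (ctrl, fpr)` runs for every `rc` other than `GPG_ERR_CERT_EXPIRED`, before any chain failure is handled. Judging only from the visible lines, `--assert-signer` would then be evaluated for a signer whose chain did not validate; whether the error branch later compensates cannot be seen here, because `gpgsm_verify` continues outside the hunk. If the assertion is meant to count only validated signers, the call could be guarded with `if (!rc) check_assert_signer_list (ctrl, fpr);` (`rc` is already reset to 0 in the expired case). Otherwise a comment such as `/* Status lines are emitted before the chain result is acted on; GOODSIG/VALIDSIG alone do not imply a valid chain. */` would document the ordering. Since this file carries an upstream commit, the question is better raised against GnuPG-bug-id 8188 than changed locally.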
diff --git a/app-crypt/gnupg/gnupg-2.5.20-r1.ebuild b/app-crypt/gnupg/gnupg-2.5.20-r1.ebuild
@@ -0,0 +1,189 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+# Maintainers should:
+# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
+# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
+# (find the one for the current release then subscribe to it +
+# any subsequent ones linked within so you're covered for a while.)
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
+inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
+
+MY_P="${P/_/-}"
+
+DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
+HOMEPAGE="https://gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="GPL-3+"
+SLOT="0"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 ~sparc x86 ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="+alternatives bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="test? ( tofu )"
+
+# Existence of executables is checked during configuration
+DEPEND="
+ >=dev-libs/libassuan-3.0.0-r1:=
+ >=dev-libs/libgcrypt-1.11.0:=
+ >=dev-libs/libgpg-error-1.56
+ >=dev-libs/libksba-1.6.3
+ >=dev-libs/npth-1.2
+ virtual/zlib:=
+ bzip2? ( app-arch/bzip2 )
+ ldap? ( net-nds/openldap:= )
+ readline? ( sys-libs/readline:0= )
+ smartcard? ( usb? ( virtual/libusb:1 ) )
+ tofu? ( >=dev-db/sqlite-3.27 )
+ tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
+ ssl? ( >=net-libs/gnutls-3.2:0= )
+"
+RDEPEND="
+ ${DEPEND}
+ nls? ( virtual/libintl )
+ selinux? ( sec-policy/selinux-gpg )
+ wks-server? ( virtual/mta )
+"
+PDEPEND="
+ || (
+ app-crypt/pinentry
+ app-crypt/pinentry-dmenu
+ )
+ alternatives? (
+ app-alternatives/gpg[-freepg(-)]
+ )
+"
+BDEPEND="
+ virtual/pkgconfig
+ doc? ( sys-apps/texinfo )
+ nls? ( sys-devel/gettext )
+ verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+DOCS=(
+ ChangeLog NEWS README THANKS TODO VERSION
+ doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
+)
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
+ "${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch
+ "${FILESDIR}"/${PN}-2.5.20-gpgme-poppler-expire.patch
+)
+
+my_src_configure() {
+ local myconf=(
+ $(use_enable bzip2)
+ $(use_enable nls)
+ $(use_enable smartcard scdaemon)
+ $(use_enable ssl gnutls)
+ $(use_enable test all-tests)
+ $(use_enable test tests)
+ $(use_enable tofu)
+ $(use_enable tofu keyboxd)
+ $(use_enable tofu sqlite)
+ $(usex tpm '--with-tss=intel' '--disable-tpm2d')
+ $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
+ $(use_enable wks-server wks-tools)
+ $(use_with ldap)
+ $(use_with readline)
+
+ # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
+ # As of GnuPG 2.3, the mailprog substitution is used for the binary called
+ # by wks-client & wks-server; and if it's autodetected but not not exist at
+ # build time, then then 'gpg-wks-client --send' functionality will not
+ # work. This has an unwanted side-effect in stage3 builds: there was a
+ # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
+ # the build where the install guide previously make the user chose the
+ # logger & mta early in the install.
+ --with-mailprog=/usr/libexec/sendmail
+
+ --disable-ntbtls
+ --enable-gpgsm
+ --enable-large-secmem
+
+ CC_FOR_BUILD="$(tc-getBUILD_CC)"
+ GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+
+ $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+ )
+
+ if use prefix && use usb; then
+ # bug #649598
+ append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
+ fi
+
+ if [[ ${CHOST} == *-solaris* ]] ; then
+ # these somehow are treated as fatal, but Solaris has different
+ # types for getpeername with socket_t
+ append-flags -Wno-incompatible-pointer-types
+ append-flags -Wno-unused-label
+ fi
+
+ # bug #663142
+ if use user-socket; then
+ myconf+=( --enable-run-gnupg-user-socket )
+ fi
+
+ # glib fails and picks up clang's internal stdint.h causing weird errors
+ tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
+
+ econf "${myconf[@]}"
+}
+
+my_src_compile() {
+ default
+
+ use doc && emake -C doc html
+}
+
+my_src_test() {
+ export TESTFLAGS="--parallel=$(get_makeopts_jobs)"
+
+ default
+}
+
+my_src_install() {
+ emake DESTDIR="${D}" install
+
+ use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
+
+ if use alternatives; then
+ # rename for app-alternatives/gpg
+ mv "${ED}"/usr/bin/gpg{,-reference} || die
+ mv "${ED}"/usr/bin/gpgv{,-reference} || die
+ mv "${ED}"/usr/share/man/man1/gpg{,-reference}.1 || die
+ mv "${ED}"/usr/share/man/man1/gpgv{,-reference}.1 || die
+ else
+ dosym gpg /usr/bin/gpg2
+ dosym gpgv /usr/bin/gpgv2
+ echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
+ echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
+ fi
+
+ use doc && dodoc doc/gnupg.html/*
+}
+
+my_src_install_all() {
+ einstalldocs
+
+ use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
+ use doc && dodoc doc/*.png
+}
+
+pkg_postinst() {
+ # If /usr/bin/gpg and /usr/bin/gpgv do not exist, provide them.
+ if [[ ! -e ${EROOT}/usr/bin/gpg ]]; then
+ ln -sf -- gpg-reference "${EROOT}"/usr/bin/gpg || die
+ fi
+
+ if [[ ! -e ${EROOT}/usr/bin/gpgv ]]; then
+ ln -sf -- gpgv-reference "${EROOT}"/usr/bin/gpgv || die
+ fi
+}
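Review bot: The signature distfile in `SRC_URI` is named from `${P}` while the tarball uses `${MY_P}`, so for any version string containing `_` the `.sig` name would no longer match the tarball it is meant to verify; `SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${MY_P}.tar.bz2.sig )"` keeps the two in step. For 2.5.20 both expand to the same name, so this is latent rather than active. Separately, `KEYWORDS` here marks amd64, arm, arm64, ppc, ppc64 and x86 as stable where the removed 2.5.20 ebuild had them as `~`, and the commit title does not mention it. A line in the commit message saying that the revision is stabilised together with the new gpgsm patch would make the change easier to audit.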
diff --git a/app-crypt/gnupg/gnupg-2.5.20.ebuild b/app-crypt/gnupg/gnupg-2.5.20.ebuild
@@ -1,188 +0,0 @@
-# Copyright 1999-2026 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-# Maintainers should:
-# 1. Join the "Gentoo" project at https://dev.gnupg.org/project/view/27/
-# 2. Subscribe to release tasks like https://dev.gnupg.org/T6159
-# (find the one for the current release then subscribe to it +
-# any subsequent ones linked within so you're covered for a while.)
-
-VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
-# in-source builds are not supported: https://dev.gnupg.org/T6313#166339
-inherit flag-o-matic out-of-source multiprocessing systemd toolchain-funcs verify-sig
-
-MY_P="${P/_/-}"
-
-DESCRIPTION="The GNU Privacy Guard, a GPL OpenPGP implementation"
-HOMEPAGE="https://gnupg.org/"
-SRC_URI="mirror://gnupg/gnupg/${MY_P}.tar.bz2"
-SRC_URI+=" verify-sig? ( mirror://gnupg/gnupg/${P}.tar.bz2.sig )"
-S="${WORKDIR}/${MY_P}"
-
-LICENSE="GPL-3+"
-SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
-IUSE="+alternatives bzip2 doc ldap nls readline selinux +smartcard ssl test +tofu tpm tools usb user-socket wks-server"
-RESTRICT="!test? ( test )"
-REQUIRED_USE="test? ( tofu )"
-
-# Existence of executables is checked during configuration
-DEPEND="
- >=dev-libs/libassuan-3.0.0-r1:=
- >=dev-libs/libgcrypt-1.11.0:=
- >=dev-libs/libgpg-error-1.56
- >=dev-libs/libksba-1.6.3
- >=dev-libs/npth-1.2
- virtual/zlib:=
- bzip2? ( app-arch/bzip2 )
- ldap? ( net-nds/openldap:= )
- readline? ( sys-libs/readline:0= )
- smartcard? ( usb? ( virtual/libusb:1 ) )
- tofu? ( >=dev-db/sqlite-3.27 )
- tpm? ( >=app-crypt/tpm2-tss-2.4.0:= )
- ssl? ( >=net-libs/gnutls-3.2:0= )
-"
-RDEPEND="
- ${DEPEND}
- nls? ( virtual/libintl )
- selinux? ( sec-policy/selinux-gpg )
- wks-server? ( virtual/mta )
-"
-PDEPEND="
- || (
- app-crypt/pinentry
- app-crypt/pinentry-dmenu
- )
- alternatives? (
- app-alternatives/gpg[-freepg(-)]
- )
-"
-BDEPEND="
- virtual/pkgconfig
- doc? ( sys-apps/texinfo )
- nls? ( sys-devel/gettext )
- verify-sig? ( sec-keys/openpgp-keys-gnupg )
-"
-
-DOCS=(
- ChangeLog NEWS README THANKS TODO VERSION
- doc/FAQ doc/DETAILS doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER
-)
-
-PATCHES=(
- "${FILESDIR}"/${PN}-2.1.20-gpgscm-Use-shorter-socket-path-lengts-to-improve-tes.patch
- "${FILESDIR}"/0002-Fix-stub-functions-to-avoid-LTO-linking-bugs-followup.patch
-)
-
-my_src_configure() {
- local myconf=(
- $(use_enable bzip2)
- $(use_enable nls)
- $(use_enable smartcard scdaemon)
- $(use_enable ssl gnutls)
- $(use_enable test all-tests)
- $(use_enable test tests)
- $(use_enable tofu)
- $(use_enable tofu keyboxd)
- $(use_enable tofu sqlite)
- $(usex tpm '--with-tss=intel' '--disable-tpm2d')
- $(use smartcard && use_enable usb ccid-driver || echo '--disable-ccid-driver')
- $(use_enable wks-server wks-tools)
- $(use_with ldap)
- $(use_with readline)
-
- # Hardcode mailprog to /usr/libexec/sendmail even if it does not exist.
- # As of GnuPG 2.3, the mailprog substitution is used for the binary called
- # by wks-client & wks-server; and if it's autodetected but not not exist at
- # build time, then then 'gpg-wks-client --send' functionality will not
- # work. This has an unwanted side-effect in stage3 builds: there was a
- # [R]DEPEND on virtual/mta, which also brought in virtual/logger, bloating
- # the build where the install guide previously make the user chose the
- # logger & mta early in the install.
- --with-mailprog=/usr/libexec/sendmail
-
- --disable-ntbtls
- --enable-gpgsm
- --enable-large-secmem
-
- CC_FOR_BUILD="$(tc-getBUILD_CC)"
- GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
-
- $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
- )
-
- if use prefix && use usb; then
- # bug #649598
- append-cppflags -I"${ESYSROOT}/usr/include/libusb-1.0"
- fi
-
- if [[ ${CHOST} == *-solaris* ]] ; then
- # these somehow are treated as fatal, but Solaris has different
- # types for getpeername with socket_t
- append-flags -Wno-incompatible-pointer-types
- append-flags -Wno-unused-label
- fi
-
- # bug #663142
- if use user-socket; then
- myconf+=( --enable-run-gnupg-user-socket )
- fi
-
- # glib fails and picks up clang's internal stdint.h causing weird errors
- tc-is-clang && export gl_cv_absolute_stdint_h="${ESYSROOT}"/usr/include/stdint.h
-
- econf "${myconf[@]}"
-}
-
-my_src_compile() {
- default
-
- use doc && emake -C doc html
-}
-
-my_src_test() {
- export TESTFLAGS="--parallel=$(get_makeopts_jobs)"
-
- default
-}
-
-my_src_install() {
- emake DESTDIR="${D}" install
-
- use tools && dobin tools/{gpgconf,gpgsplit,gpg-check-pattern} tools/make-dns-cert
-
- if use alternatives; then
- # rename for app-alternatives/gpg
- mv "${ED}"/usr/bin/gpg{,-reference} || die
- mv "${ED}"/usr/bin/gpgv{,-reference} || die
- mv "${ED}"/usr/share/man/man1/gpg{,-reference}.1 || die
- mv "${ED}"/usr/share/man/man1/gpgv{,-reference}.1 || die
- else
- dosym gpg /usr/bin/gpg2
- dosym gpgv /usr/bin/gpgv2
- echo ".so man1/gpg.1" > "${ED}"/usr/share/man/man1/gpg2.1 || die
- echo ".so man1/gpgv.1" > "${ED}"/usr/share/man/man1/gpgv2.1 || die
- fi
-
- use doc && dodoc doc/gnupg.html/*
-}
-
-my_src_install_all() {
- einstalldocs
-
- use tools && dobin tools/{convert-from-106,mail-signed-keys,lspgpot}
- use doc && dodoc doc/*.png
-}
-
-pkg_postinst() {
- # If /usr/bin/gpg and /usr/bin/gpgv do not exist, provide them.
- if [[ ! -e ${EROOT}/usr/bin/gpg ]]; then
- ln -sf -- gpg-reference "${EROOT}"/usr/bin/gpg || die
- fi
-
- if [[ ! -e ${EROOT}/usr/bin/gpgv ]]; then
- ln -sf -- gpgv-reference "${EROOT}"/usr/bin/gpgv || die
- fi
-}