authorpsykose <alice@ayaya.dev>2023-01-15 12:00:42 +0000
committeralice <alice@ayaya.dev>2023-01-17 09:19:28 +0000
commit02fa899b93c8cf43da861f695e0b0769f2bd816e (patch)
tree5d38a062ca21e6253699b52cf48261cf270d632f
parenta4913f0dc8af236de0ddbbf761e338481066cb3c (diff)
downloadaports-02fa899b93c8cf43da861f695e0b0769f2bd816e.tar.gz
aports-02fa899b93c8cf43da861f695e0b0769f2bd816e.tar.bz2
aports-02fa899b93c8cf43da861f695e0b0769f2bd816e.tar.xz
main/gnupg: upgrade to 2.4.0
-rw-r--r--main/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch31
-rw-r--r--main/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch18
-rw-r--r--main/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch207
-rw-r--r--main/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch232
-rw-r--r--main/gnupg/0320-gpg-default-to-aes256.patch37
-rw-r--r--main/gnupg/0410-make-gpg-zip-use-tar-from-path.patch29
-rw-r--r--main/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch24
-rw-r--r--main/gnupg/APKBUILD37
8 files changed, 244 insertions, 371 deletions
diff --git a/main/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch b/main/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch
deleted file mode 100644
index a835f39278f..00000000000
--- a/main/gnupg/0001-Include-sys-select.h-for-FD_SETSIZE.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From d2f3053e156a8dfc3e2e7f8fa814f671d851b26f Mon Sep 17 00:00:00 2001
-From: Natanael Copa <ncopa@alpinelinux.org>
-Date: Fri, 4 Jul 2014 08:15:21 +0000
-Subject: [PATCH] Include sys/select.h for FD_SETSIZE
-
-This fixes the following compile error with musl libc:
-watchgnupg.c:225:18: error: 'FD_SETSIZE' undeclared (first use in this
-function)
- else if (fd >= FD_SETSIZE)
- ^
-
-Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
----
- tools/watchgnupg.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tools/watchgnupg.c b/tools/watchgnupg.c
-index 4f4d54d..7aede22 100644
---- a/tools/watchgnupg.c
-+++ b/tools/watchgnupg.c
-@@ -28,6 +28,7 @@
- #include <stdarg.h>
- #include <assert.h>
- #include <unistd.h>
-+#include <sys/select.h>
- #include <sys/socket.h>
- #include <sys/un.h>
- #include <netinet/in.h>
---
-2.0.1
-
diff --git a/main/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch b/main/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch
index 644b8a52837..35ab352c072 100644
--- a/main/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch
+++ b/main/gnupg/0110-avoid-simple-memory-dumps-via-ptrace.patch
@@ -24,10 +24,10 @@ Upstream bug: https://dev.gnupg.org/T1211
Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/block-ptrace-on-secret-daemons/Avoid-simple-memory-dumps-via-ptrace.patch
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
-index b167c34..5afcf11 100644
+index 412eb43..1de989b 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
-@@ -50,6 +50,9 @@
+@@ -48,6 +48,9 @@
# include <signal.h>
#endif
#include <npth.h>
@@ -37,7 +37,7 @@ index b167c34..5afcf11 100644
#define INCLUDED_BY_MAIN_MODULE 1
#define GNUPG_COMMON_NEED_AFLOCAL
-@@ -1030,6 +1033,11 @@ main (int argc, char **argv )
+@@ -1095,6 +1098,11 @@ main (int argc, char **argv)
early_system_init ();
@@ -50,10 +50,10 @@ index b167c34..5afcf11 100644
file descriptors and the signal mask. This info is required to
do the exec call properly. We don't need it on Windows. */
diff --git a/configure.ac b/configure.ac
-index 7a2d410..2d8b050 100644
+index 099c6a8..4c9fcee 100644
--- a/configure.ac
+++ b/configure.ac
-@@ -1426,7 +1426,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \
+@@ -1419,7 +1419,7 @@ AC_CHECK_FUNCS([atexit canonicalize_file_name clock_gettime ctermid \
ftruncate funlockfile getaddrinfo getenv getpagesize \
getpwnam getpwuid getrlimit getrusage gettimeofday \
gmtime_r inet_ntop inet_pton isascii lstat memicmp \
@@ -63,7 +63,7 @@ index 7a2d410..2d8b050 100644
stat stpcpy strcasecmp strerror strftime stricmp \
strlwr strncasecmp strpbrk strsep strtol strtoul \
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
-index 5c519f8..cab66a0 100644
+index e43769f..2066543 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -37,6 +37,9 @@
@@ -76,8 +76,8 @@ index 5c519f8..cab66a0 100644
#define INCLUDED_BY_MAIN_MODULE 1
#define GNUPG_COMMON_NEED_AFLOCAL
-@@ -446,6 +449,12 @@ main (int argc, char **argv )
- npth_t pipecon_handler;
+@@ -462,6 +465,12 @@ main (int argc, char **argv )
+ const char *application_priority = NULL;
early_system_init ();
+
@@ -86,6 +86,6 @@ index 5c519f8..cab66a0 100644
+ prctl(PR_SET_DUMPABLE, 0);
+#endif
+
- set_strusage (my_strusage);
+ gpgrt_set_strusage (my_strusage);
gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
/* Please note that we may running SUID(ROOT), so be very CAREFUL
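Review bot: The `prctl(PR_SET_DUMPABLE, 0);` call carried in this scd/scdaemon.c hunk ignores its return value, so if the call fails the daemon keeps running dumpable and ptrace-attachable with nothing in the log to show it. Checking the result, along the lines of `if (prctl (PR_SET_DUMPABLE, 0)) log_info ("can't clear the dumpable flag: %s\n", strerror (errno));`, would make a silent loss of the hardening visible. The agent/gpg-agent.c part of the same patch presumably has the same unchecked call, but those lines fall outside the refreshed hunks shown here. The flag only blocks unprivileged same-user tracers; a process holding CAP_SYS_PTRACE can still attach, which is worth stating in the patch description so the protection is not overestimated. main()'s body continues outside the hunk.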
diff --git a/main/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch b/main/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
index 1aa79c6c387..32942e6f91f 100644
--- a/main/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
+++ b/main/gnupg/0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
@@ -1,3 +1,5 @@
+note: combination of previous 0210+0220
+--
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sat, 29 Oct 2016 01:25:05 -0400
Subject: dirmngr: hkp: Avoid potential race condition when some hosts die.
@@ -37,11 +39,81 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch
+From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+Date: Sat, 29 Oct 2016 02:00:50 -0400
+Subject: dirmngr: Avoid need for hkp housekeeping.
+
+* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether
+host is alive and resurrects it if it has been dead long enough.
+(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
+instead of testing hostinfo_t->dead directly.
+(ks_hkp_housekeeping): Remove function, no longer needed.
+* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
+ks_hkp_housekeeping.
+
+--
+
+Rather than resurrecting hosts upon scheduled resurrection times, test
+whether hosts should be resurrected as they're inspected for being
+dead. This removes the need for explicit housekeeping, and makes host
+resurrections happen "just in time", rather than being clustered on
+HOUSEKEEPING_INTERVAL seconds.
+
+According to 392e068e9f143d41f6350345619543cbcd47380f,
+dns_stuff_housekeeping only works on Windows, so it also isn't
+necessary in debian, but it remains in place for now.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
+---
+ dirmngr/dirmngr.c | 3 ---
+ dirmngr/dirmngr.h | 1 -
+ dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++-------------------------
+ 3 files changed, 35 insertions(+), 41 deletions(-)
+
+Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 977e7dd..5017c3f 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -2085,7 +2085,6 @@ housekeeping_thread (void *arg)
+ dirmngr_init_default_ctrl (&ctrlbuf);
+
+ dns_stuff_housekeeping ();
+- ks_hkp_housekeeping (curtime);
+ if (network_activity_seen)
+ {
+ network_activity_seen = 0;
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
-index 14859c7..d425363 100644
+index 5292da8..690b37d 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
-@@ -225,29 +225,26 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+@@ -221,6 +221,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
+ return 0;
+ }
+
++static int
++host_is_alive (hostinfo_t hi, time_t curtime)
++{
++ if (!hi)
++ return 0;
++ if (!hi->dead)
++ return 1;
++ if (!hi->died_at)
++ return 0; /* manually marked dead */
++ if (hi->died_at + RESURRECT_INTERVAL <= curtime
++ || hi->died_at > curtime)
++ {
++ hi->dead = 0;
++ log_info ("resurrected host '%s'", hi->name);
++ return 1;
++ }
++ return 0;
++}
+
+ /* Select a random host. Consult HI->pool which indices into the global
+ hosttable. Returns index into HI->pool or -1 if no host could be
+@@ -228,32 +246,32 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
static int
select_random_host (hostinfo_t hi)
{
@@ -50,6 +122,12 @@ index 14859c7..d425363 100644
+ int *tbl = NULL;
+ size_t tblsize = 0;
int pidx, idx;
++ time_t curtime;
++
++ curtime = gnupg_get_time ();
+
+ /* CHECKTHIS(); See */
+ /* https://sources.debian.org/patches/gnupg2/2.2.20-1/dirmngr-idling/dirmngr-hkp-Avoid-potential-race-condition-when-some.patch/ */
/* We create a new table so that we randomly select only from
currently alive hosts. */
@@ -57,8 +135,9 @@ index 14859c7..d425363 100644
+ for (idx = 0;
idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
idx++)
- if (hosttable[pidx] && !hosttable[pidx]->dead)
+- if (hosttable[pidx] && !hosttable[pidx]->dead)
- tblsize++;
++ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime))
+ {
+ tblsize++;
+ tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
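Review bot: `tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);` overwrites the only pointer to the table, so if the reallocation fails the entries collected so far are leaked, and unless the lines after this hunk test for NULL the next store would dereference it. Keeping the result in a temporary avoids both: `int *tmp = xtryrealloc (tbl, tblsize * sizeof *tbl);`, then `if (!tmp) { xfree (tbl); return -1; }` and `tbl = tmp;`. The failure handling sits outside the hunk, so check what the full patch does before changing it; the function comment does say -1 is returned when no host could be selected.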
@@ -81,3 +160,125 @@ index 14859c7..d425363 100644
if (tblsize == 1) /* Save a get_uint_nonce. */
pidx = tbl[0];
else
+@@ -471,6 +489,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ int is_pool;
+ int new_hosts = 0;
+ char *cname;
++ time_t curtime;
+
+ *r_host = NULL;
+ if (r_httpflags)
+@@ -510,6 +529,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ }
+ else
+ hi = hosttable[idx];
++ curtime = gnupg_get_time ();
+
+ is_pool = hi->pool != NULL;
+
+@@ -616,7 +636,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ if (force_reselect)
+ hi->poolidx = -1;
+ else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size
+- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead)
++ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime))
+ hi->poolidx = -1;
+
+ /* Select a host if needed. */
+@@ -675,7 +695,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
+ return gpg_error_from_syserror ();
+ }
+
+- if (hi->dead)
++ if (!host_is_alive (hi, curtime))
+ {
+ log_error ("host '%s' marked as dead\n", hi->name);
+ if (r_httphost)
+@@ -781,7 +801,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ {
+ gpg_error_t err = 0;
+ hostinfo_t hi, hi2;
+- int idx, idx2, idx3, n;
++ int idx, idx2, idx3, n, is_alive;
++ time_t curtime;
+
+ if (!name || !*name || !strcmp (name, "localhost"))
+ return 0;
+@@ -796,13 +817,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+ goto leave;
+ }
+
++ curtime = gnupg_get_time ();
+ hi = hosttable[idx];
+- if (alive && hi->dead)
++ is_alive = host_is_alive (hi, curtime);
++ if (alive && !is_alive)
+ {
+ hi->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive", name);
+ }
+- else if (!alive && !hi->dead)
++ else if (!alive && is_alive)
+ {
+ hi->dead = 1;
+ hi->died_at = 0; /* Manually set dead. */
+@@ -836,14 +859,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
+
+ hi2 = hosttable[n];
+ if (!hi2)
+- ;
+- else if (alive && hi2->dead)
++ continue;
++ is_alive = host_is_alive (hi2, curtime);
++ if (alive && !is_alive)
+ {
+ hi2->dead = 0;
+ err = ks_printf_help (ctrl, "marking '%s' as alive",
+ hi2->name);
+ }
+- else if (!alive && !hi2->dead)
++ else if (!alive && is_alive)
+ {
+ hi2->dead = 1;
+ hi2->died_at = 0; /* Manually set dead. */
+@@ -1149,40 +1173,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
+ }
+
+
+-/* Housekeeping function called from the housekeeping thread. It is
+- used to mark dead hosts alive so that they may be tried again after
+- some time. */
+-void
+-ks_hkp_housekeeping (time_t curtime)
+-{
+- int idx;
+- hostinfo_t hi;
+-
+- if (npth_mutex_lock (&hosttable_lock))
+- log_fatal ("failed to acquire mutex\n");
+-
+- for (idx=0; idx < hosttable_size; idx++)
+- {
+- hi = hosttable[idx];
+- if (!hi)
+- continue;
+- if (!hi->dead)
+- continue;
+- if (!hi->died_at)
+- continue; /* Do not resurrect manually shot hosts. */
+- if (hi->died_at + RESURRECT_INTERVAL <= curtime
+- || hi->died_at > curtime)
+- {
+- hi->dead = 0;
+- log_info ("resurrected host '%s'", hi->name);
+- }
+- }
+-
+- if (npth_mutex_unlock (&hosttable_lock))
+- log_fatal ("failed to release mutex\n");
+-}
+-
+-
+ /* Reload (SIGHUP) action for this module. We mark all host alive
+ * even those which have been manually shot. */
+ void
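Review bot: In `ks_hkp_mark_host` the new `is_alive = host_is_alive (hi, curtime);` has a side effect that changes what the command reports. For a host whose resurrection interval has elapsed, `host_is_alive` clears `hi->dead` itself and returns 1, so a request with `alive` set no longer prints "marking '%s' as alive", and a request with `alive` clear logs "resurrected host" immediately before the host is marked dead by hand. The end state still matches what the caller asked for, so this affects the status lines and the log rather than correctness. A short comment at the call site, e.g. `/* host_is_alive may auto-resurrect HI; the branches below act on its result. */`, would make the interaction explicit; the same applies to the `hi2` loop further down in this hunk.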
diff --git a/main/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch b/main/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
deleted file mode 100644
index 0e125fd9b9f..00000000000
--- a/main/gnupg/0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
+++ /dev/null
@@ -1,232 +0,0 @@
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Sat, 29 Oct 2016 02:00:50 -0400
-Subject: dirmngr: Avoid need for hkp housekeeping.
-
-* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether
-host is alive and resurrects it if it has been dead long enough.
-(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
-instead of testing hostinfo_t->dead directly.
-(ks_hkp_housekeeping): Remove function, no longer needed.
-* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
-ks_hkp_housekeeping.
-
---
-
-Rather than resurrecting hosts upon scheduled resurrection times, test
-whether hosts should be resurrected as they're inspected for being
-dead. This removes the need for explicit housekeeping, and makes host
-resurrections happen "just in time", rather than being clustered on
-HOUSEKEEPING_INTERVAL seconds.
-
-According to 392e068e9f143d41f6350345619543cbcd47380f,
-dns_stuff_housekeeping only works on Windows, so it also isn't
-necessary in debian, but it remains in place for now.
-
-Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
----
- dirmngr/dirmngr.c | 3 ---
- dirmngr/dirmngr.h | 1 -
- dirmngr/ks-engine-hkp.c | 72 ++++++++++++++++++++++++-------------------------
- 3 files changed, 35 insertions(+), 41 deletions(-)
-
-Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/dirmngr-idling/dirmngr-Avoid-need-for-hkp-housekeeping.patch
-
-diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
-index ae967dd..89eea4e 100644
---- a/dirmngr/dirmngr.c
-+++ b/dirmngr/dirmngr.c
-@@ -1935,12 +1935,10 @@ static void *
- housekeeping_thread (void *arg)
- {
- static int sentinel;
-- time_t curtime;
- struct server_control_s ctrlbuf;
-
- (void)arg;
-
-- curtime = gnupg_get_time ();
- if (sentinel)
- {
- log_info ("housekeeping is already going on\n");
-@@ -1954,7 +1952,6 @@ housekeeping_thread (void *arg)
- dirmngr_init_default_ctrl (&ctrlbuf);
-
- dns_stuff_housekeeping ();
-- ks_hkp_housekeeping (curtime);
- if (network_activity_seen)
- {
- network_activity_seen = 0;
-diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
-index 1b52a1d..4afc19b 100644
---- a/dirmngr/dirmngr.h
-+++ b/dirmngr/dirmngr.h
-@@ -217,7 +217,6 @@ const char* dirmngr_get_current_socket_name (void);
- int dirmngr_use_tor (void);
-
- /*-- Various housekeeping functions. --*/
--void ks_hkp_housekeeping (time_t curtime);
- void ks_hkp_reload (void);
-
-
-diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
-index d425363..c50681d 100644
---- a/dirmngr/ks-engine-hkp.c
-+++ b/dirmngr/ks-engine-hkp.c
-@@ -218,6 +218,24 @@ host_in_pool_p (hostinfo_t hi, int tblidx)
- return 0;
- }
-
-+static int
-+host_is_alive (hostinfo_t hi, time_t curtime)
-+{
-+ if (!hi)
-+ return 0;
-+ if (!hi->dead)
-+ return 1;
-+ if (!hi->died_at)
-+ return 0; /* manually marked dead */
-+ if (hi->died_at + RESURRECT_INTERVAL <= curtime
-+ || hi->died_at > curtime)
-+ {
-+ hi->dead = 0;
-+ log_info ("resurrected host '%s'", hi->name);
-+ return 1;
-+ }
-+ return 0;
-+}
-
- /* Select a random host. Consult HI->pool which indices into the global
- hosttable. Returns index into HI->pool or -1 if no host could be
-@@ -228,13 +246,15 @@ select_random_host (hostinfo_t hi)
- int *tbl = NULL;
- size_t tblsize = 0;
- int pidx, idx;
-+ time_t curtime;
-
-+ curtime = gnupg_get_time ();
- /* We create a new table so that we randomly select only from
- currently alive hosts. */
- for (idx = 0;
- idx < hi->pool_len && (pidx = hi->pool[idx]) != -1;
- idx++)
-- if (hosttable[pidx] && !hosttable[pidx]->dead)
-+ if (hosttable[pidx] && host_is_alive (hosttable[pidx], curtime))
- {
- tblsize++;
- tbl = xtryrealloc(tbl, tblsize * sizeof *tbl);
-@@ -462,6 +482,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
- int is_pool;
- int new_hosts = 0;
- char *cname;
-+ time_t curtime;
-
- *r_host = NULL;
- if (r_httpflags)
-@@ -501,6 +522,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
- }
- else
- hi = hosttable[idx];
-+ curtime = gnupg_get_time ();
-
- is_pool = hi->pool != NULL;
-
-@@ -607,7 +629,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
- if (force_reselect)
- hi->poolidx = -1;
- else if (hi->poolidx >= 0 && hi->poolidx < hosttable_size
-- && hosttable[hi->poolidx] && hosttable[hi->poolidx]->dead)
-+ && hosttable[hi->poolidx] && !host_is_alive (hosttable[hi->poolidx], curtime))
- hi->poolidx = -1;
-
- /* Select a host if needed. */
-@@ -665,7 +687,7 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
- return gpg_error_from_syserror ();
- }
-
-- if (hi->dead)
-+ if (!host_is_alive (hi, curtime))
- {
- log_error ("host '%s' marked as dead\n", hi->name);
- if (r_httphost)
-@@ -770,7 +792,8 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
- {
- gpg_error_t err = 0;
- hostinfo_t hi, hi2;
-- int idx, idx2, idx3, n;
-+ int idx, idx2, idx3, n, is_alive;
-+ time_t curtime;
-
- if (!name || !*name || !strcmp (name, "localhost"))
- return 0;
-@@ -779,13 +802,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
- if (idx == -1)
- return gpg_error (GPG_ERR_NOT_FOUND);
-
-+ curtime = gnupg_get_time ();
- hi = hosttable[idx];
-- if (alive && hi->dead)
-+ is_alive = host_is_alive (hi, curtime);
-+ if (alive && !is_alive)
- {
- hi->dead = 0;
- err = ks_printf_help (ctrl, "marking '%s' as alive", name);
- }
-- else if (!alive && !hi->dead)
-+ else if (!alive && is_alive)
- {
- hi->dead = 1;
- hi->died_at = 0; /* Manually set dead. */
-@@ -819,14 +844,15 @@ ks_hkp_mark_host (ctrl_t ctrl, const char *name, int alive)
-
- hi2 = hosttable[n];
- if (!hi2)
-- ;
-- else if (alive && hi2->dead)
-+ continue;
-+ is_alive = host_is_alive (hi2, curtime);
-+ if (alive && !is_alive)
- {
- hi2->dead = 0;
- err = ks_printf_help (ctrl, "marking '%s' as alive",
- hi2->name);
- }
-- else if (!alive && !hi2->dead)
-+ else if (!alive && is_alive)
- {
- hi2->dead = 1;
- hi2->died_at = 0; /* Manually set dead. */
-@@ -1112,34 +1138,6 @@ ks_hkp_resolve (ctrl_t ctrl, parsed_uri_t uri)
- }
-
-
--/* Housekeeping function called from the housekeeping thread. It is
-- used to mark dead hosts alive so that they may be tried again after
-- some time. */
--void
--ks_hkp_housekeeping (time_t curtime)
--{
-- int idx;
-- hostinfo_t hi;
--
-- for (idx=0; idx < hosttable_size; idx++)
-- {
-- hi = hosttable[idx];
-- if (!hi)
-- continue;
-- if (!hi->dead)
-- continue;
-- if (!hi->died_at)
-- continue; /* Do not resurrect manually shot hosts. */
-- if (hi->died_at + RESURRECT_INTERVAL <= curtime
-- || hi->died_at > curtime)
-- {
-- hi->dead = 0;
-- log_info ("resurrected host '%s'", hi->name);
-- }
-- }
--}
--
--
- /* Reload (SIGHUP) action for this module. We mark all host alive
- * even those which have been manually shot. */
- void
diff --git a/main/gnupg/0320-gpg-default-to-aes256.patch b/main/gnupg/0320-gpg-default-to-aes256.patch
deleted file mode 100644
index 2d9a90fe375..00000000000
--- a/main/gnupg/0320-gpg-default-to-aes256.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Thu, 7 Sep 2017 19:04:00 -0400
-Subject: gpg: default to AES-256.
-
-* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.
-
---
-
-It's 2017, and pretty much everyone has AES-256 available. Symmetric
-crypto is also rarely the bottleneck (asymmetric crypto is much more
-expensive). AES-256 provides some level of protection against
-large-scale decryption efforts, and longer key lengths provide a hedge
-against unforseen cryptanalysis.
-
-Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)
----
- g10/main.h | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/from-master/gpg-default-to-AES-256.patch
-
-diff --git a/g10/main.h b/g10/main.h
-index 68360e2..1983e42 100644
---- a/g10/main.h
-+++ b/g10/main.h
-@@ -31,7 +31,9 @@
- (i.e. uncompressed) rather than 1 (zip). However, the real world
- issues of speed and size come into play here. */
-
--#if GPG_USE_AES128
-+#if GPG_USE_AES256
-+# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
-+#elif GPG_USE_AES128
- # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
- #elif GPG_USE_CAST5
- # define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/main/gnupg/0410-make-gpg-zip-use-tar-from-path.patch b/main/gnupg/0410-make-gpg-zip-use-tar-from-path.patch
deleted file mode 100644
index b0d619e9cdd..00000000000
--- a/main/gnupg/0410-make-gpg-zip-use-tar-from-path.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
-Date: Sun, 18 Nov 2018 17:29:52 -0500
-Subject: Make gpg-zip use tar from $PATH
-
-Apparently there is no clean way to configure this from ./configure,
-and upstream is deprecating gpg-zip anyway. So just force-set tar to
-be manually "tar" (meaning, that we should look in the $PATH at
-runtime).
-
-See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582
----
- tools/gpg-zip.in | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/Make-gpg-zip-use-tar-from-PATH.patch
-
-diff --git a/tools/gpg-zip.in b/tools/gpg-zip.in
-index 9047e36..3821f3a 100644
---- a/tools/gpg-zip.in
-+++ b/tools/gpg-zip.in
-@@ -23,7 +23,7 @@
- # the GNU or POSIX variant of USTAR.
-
- VERSION=@VERSION@
--TAR=@TAR@
-+TAR=tar
- GPG=gpg
-
- usage="\
diff --git a/main/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch b/main/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
index 46f23160ef6..26098e791fd 100644
--- a/main/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
+++ b/main/gnupg/0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
@@ -23,29 +23,29 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Patch-Source: https://sources.debian.org/data/main/g/gnupg2/2.2.27-2/debian/patches/gpg-drop-import-clean-from-default-keyserver-import-optio.patch
diff --git a/doc/gpg.texi b/doc/gpg.texi
-index 7b603d7..104318a 100644
+index 804ecf9..b238278 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
-@@ -1982,7 +1982,7 @@ are available for all keyserver types, some common options are:
+@@ -2047,7 +2047,7 @@ are available for all keyserver types, some common options are:
@end table
-The default list of options is: "self-sigs-only, import-clean,
+The default list of options is: "self-sigs-only,
- repair-keys, repair-pks-subkey-bug, export-attributes,
- honor-pka-record".
-
+ repair-keys, repair-pks-subkey-bug, export-attributes". However, if
+ the actual used source is an LDAP server "no-self-sigs-only" is
+ assumed unless "self-sigs-only" has been explicitly configured.
diff --git a/g10/gpg.c b/g10/gpg.c
-index 6b44cfb..caa0487 100644
+index 68c0454..205de60 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
-@@ -2348,8 +2348,7 @@ main (int argc, char **argv)
- opt.export_options = EXPORT_ATTRIBUTES;
- opt.keyserver_options.import_options = (IMPORT_REPAIR_KEYS
+@@ -2441,8 +2441,7 @@ main (int argc, char **argv)
| IMPORT_REPAIR_PKS_SUBKEY_BUG
-- | IMPORT_SELF_SIGS_ONLY
+ | IMPORT_SELF_SIGS_ONLY
+ | IMPORT_COLLAPSE_UIDS
+- | IMPORT_COLLAPSE_SUBKEYS
- | IMPORT_CLEAN);
-+ | IMPORT_SELF_SIGS_ONLY);
++ | IMPORT_COLLAPSE_SUBKEYS);
opt.keyserver_options.export_options = EXPORT_ATTRIBUTES;
- opt.keyserver_options.options = KEYSERVER_HONOR_PKA_RECORD;
+ opt.keyserver_options.options = 0;
opt.verify_options = (LIST_SHOW_UID_VALIDITY
diff --git a/main/gnupg/APKBUILD b/main/gnupg/APKBUILD
index 9e537cb59a6..8896128d669 100644
--- a/main/gnupg/APKBUILD
+++ b/main/gnupg/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=gnupg
# Upgrade to LTS versions only.
-pkgver=2.2.41
+pkgver=2.4.0
_ver=${pkgver/_beta/-beta}
pkgrel=0
pkgdesc="GNU Privacy Guard 2 - meta package for full GnuPG suite"
@@ -45,6 +45,7 @@ subpackages="
$pkgname-dirmngr
$pkgname-gpgconf
$pkgname-scdaemon
+ $pkgname-keyboxd
$pkgname-wks-client:_wks_client
gpg
gpg-agent:_agent
@@ -54,18 +55,13 @@ subpackages="
$pkgname-utils
"
source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2
- 0001-Include-sys-select.h-for-FD_SETSIZE.patch
0010-avoid-beta-warning.patch
0020-avoid-regenerating-defsincdate-use-shipped-file.patch
0110-avoid-simple-memory-dumps-via-ptrace.patch
0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
- 0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
- 0310-gpg-default-to-3072-bit-keys.patch
- 0320-gpg-default-to-aes256.patch
0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
- 0410-make-gpg-zip-use-tar-from-path.patch
0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
fix-i18n.patch
60-scdaemon.rules
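Review bot: `0310-gpg-default-to-3072-bit-keys.patch` is dropped from `source=` here and from `sha512sums` further down, but the diffstat for this commit lists no deletion for that file, so it appears to remain in main/gnupg unreferenced. If the patch is obsolete with 2.4.0, delete the file in the same commit, as was done for 0001, 0220, 0320 and 0410; if it was meant to stay applied, it needs restoring in both lists. The commit message gives no reason for dropping the downstream crypto defaults (3072-bit keys, AES-256); a line stating that upstream now covers them would help anyone auditing the package, though that upstream does so is my assumption and not something shown on this page.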
@@ -84,6 +80,9 @@ source="https://gnupg.org/ftp/gcrypt/gnupg/gnupg-$_ver.tar.bz2
prepare() {
default_prepare
+ # tries to mkdir -p setup.scm/tests but this is a file?
+ rm tests/gpgme/setup.scm
+
autoreconf -vif
}
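Review bot: The added `rm tests/gpgme/setup.scm` removes a test fixture on the strength of a comment that ends in a question mark, so the cause of the `mkdir -p` failure is not established and it is unclear whether the gpgme tests still run in `check()` afterwards. I would replace the comment with one that states the observed error and links an upstream report, e.g. `# build tries to mkdir -p tests/gpgme/setup.scm/tests, but setup.scm is a file; see <upstream bug URL>`, and confirm that test coverage is unchanged. Keeping `rm` without `-f` is reasonable, since the step should then fail once upstream drops the file and the workaround can be removed.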
@@ -111,7 +110,6 @@ check() {
package() {
make DESTDIR="$pkgdir" install
- install -m755 tools/gpg-zip "$pkgdir"/usr/bin/gpg-zip
install -Dm644 -t "$pkgdir"/lib/udev/rules.d/ "$srcdir"/60-scdaemon.rules
cd "$pkgdir"
@@ -199,7 +197,7 @@ lang() {
}
scdaemon() {
- pkgdesc="GNU Privacy Guard 2 - smart card support"
+ pkgdesc="GNU Privacy Guard 2 - smart card support daemon"
depends="gpg-agent=$pkgver-r$pkgrel"
replaces="$pkgname" # for backward compatibility
@@ -212,6 +210,7 @@ _wks_client() {
depends="gpg=$pkgver-r$pkgrel gpg-agent=$pkgver-r$pkgrel $pkgname-dirmngr=$pkgver-r$pkgrel"
replaces="$pkgname" # for backward compatibility
+ amove usr/bin/gpg-wks-client
amove usr/libexec/gpg-wks-client
}
@@ -223,31 +222,33 @@ _wks_server() {
amove usr/bin/gpg-wks-server
}
+keyboxd() {
+ pkgdesc="GNU Privacy Guard 2 - keyboxd manager"
+ depends=""
+
+ amove usr/libexec/keyboxd
+}
+
# Must be the last!
utils() {
pkgdesc="GNU Privacy Guard 2 - utility programs"
depends=""
replaces="$pkgname" # for backward compatibility
- provider_priority=100 # highest (other provider of cmd:gpg-zip cmd:gpgsplit is gnupg1)
+ provider_priority=100 # highest (other provider of cmd:gpgsplit is gnupg1)
amove usr/*
}
sha512sums="
-f472e5058ea9881355f0c754a47acd0b5360c36e8976b8563dbc763a7cef792bf88227cc15fe5172d3e9bb9fc34d8448dd5c183949031e91a1997cc7f0f83b55 gnupg-2.2.41.tar.bz2
-c6cc4595081c5b025913fa3ebecf0dff87a84f3c669e3fef106e4fa040f1d4314ee52dd4c0e0002b213034fb0810221cfdd0033eae5349b6e3978f05d08bcac7 0001-Include-sys-select.h-for-FD_SETSIZE.patch
+094d631130d4dfe4421cc5e715eaec1888d0b4b764f1be9287be86cbc34430313211739d5481b34e9b59021d05cdbae8a87a1007031cc4dc6213045984a8559a gnupg-2.4.0.tar.bz2
0e2aef4ae5c43c43efe2c914534d73f8f7068b49b5826b1f999296c30395497c4af121e4e99152ff7b43dcf56d1792cd46aea5158ca48597d6e0fca6d7358711 0010-avoid-beta-warning.patch
18004e52925b1f03e67a29a3d43b39e8119cf3426cdad4136824b932ad906ac499b4ceb3d7573177a9f16410d3b80c8f0e4bcdc54dd284f3f803a2cef609ad01 0020-avoid-regenerating-defsincdate-use-shipped-file.patch
-7c9f38ce480c5f6d06330c9b1fcfe9b32cac2b0b28695beec4e94e48508cf45a4f56ce406abfee795de11ed973598e8544440c3dfc0670cdeb37e27ca1e6caf0 0110-avoid-simple-memory-dumps-via-ptrace.patch
-6bc5ac393a72432ef09a31f524db973677fd730166457b881b88e6fad7536ac4fe8cceeed324b578125b9fd4d871645ae9c43c01b3563e00a146e8f835336ac3 0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
-f4778aa2ec8a971ee700114b43b0446425b86459e4b21fd9b534f51de46a7ac9cfd21d79470b422a385e2a0244c54a5fb482ab76b4861f101745f77646f6f483 0220-dirmngr-avoid-need-for-hkp-housekeeping.patch
+d77a230e099ac26cf70acf4bf5c4a8446460f677857818027c16fd029292c249a24f31f7073e0388757cf567656e416b7f91af3bba62a85a2ffbdcf985c5050c 0110-avoid-simple-memory-dumps-via-ptrace.patch
+54d6b805ad89b384df140e1dc7c4ecd6703bf317fb97834026458fab92f3f0f4f426f0da86c0fbfe102bb1304a489d15ea2e728d5f97d4f0c9bf14cc30cb8c23 0210-dirmngr-hkp-avoid-potential-race-condition-when-some-host-die.patch
1c38b039950fa9733e9584ac61d52e12aad56489d7f3aec396b2528d0bf41729971d3fe9b4d04d50595a2a954181892ed1ec93f1b7ade24e4da26744d78598fc 0230-dirmngr-avoid-automatically-checking-upstream-swdb.patch
-c4488de65913167a77fbc1c8d3a8867d15171c6021490e443ca0faddcb2109fff23f7f49c9a8922d1acd1e435530fc8a4bafb71f441d3cdf38618d3a113cf7e8 0310-gpg-default-to-3072-bit-keys.patch
-00dac445ba9f1c4c7e6078a8068e62e13e05c5b22e1d84b915f6f353eba55c4b172c6ea735f3bb551af0d6073652d3b6f0cafdfb1d6afb309626a7642775416f 0320-gpg-default-to-aes256.patch
9e6c109f6617b4abb7a9d8abd4c8d128247dd21915bf7a75bb6a9f5b6da2a9d4dcee27147db3f88de79e4cb2621222ae62d95c0ce115658ef39bcd01587b5f82 0330-gpg-default-to-sha512-for-all-signature-types-on-rsa-keys.patch
462af7b1e530e00d3870062666ef427d6df57ee8358b043c06fb8b7b54e50891fc8a49beeaabe45d1822d222ffc47da624798ceb8889a02e38ce85612453bb8b 0340-gpg-prefer-sha512-and-sha384-in-personal-digest.patch
-0e4d5d29de5279bda4e8b69334c664068404e697ad9e62868389ef1d97bc1a18d80e834d2d2e8147e0f537a81e6f3b360f18e1a958304a2cc2659c29e68c517a 0410-make-gpg-zip-use-tar-from-path.patch
-ac2199f2b49af1c0211ff6f7e441f0f7779d6101c2136f2d7cab0001d260598e4f2f07111aa478dd210a05385daa1f6aec77d9b0de3e379371433b0c82035855 0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
+0c1c44932e47ded65d412c48f859f1615a896ae1dd0a9e0e46fd491f3a25adc80e29fe12e329c3f541a60729cdf82330e81ab7bb7cacf1ddc6a9701a38bbbfaf 0420-gpg-drop-import-clean-from-default-keyserver-import-options.patch
28cba87121c66b1bbc90bb0f3ca8c69ff19376243854577a4d24afa4a3d4a4b8a952a3a7bbecc200058b6f722cfcd4fc72d5630c822f78ef3fc819f972798e34 fix-i18n.patch
4bfb9742279c2d1c872d63cd4bcb01f6a2a13d94618eff954d3a37451fa870a9bb29687330854ee47e8876d6e60dc81cb2569c3931beaefacda33db23c464402 60-scdaemon.rules
"