gnupg: new version of patch to change key usage

2015-09-28 11:55:47 +02:00 · 2015-09-28 11:55:47 +02:00 · c53f12ac1d
parent 45b04685b1
commit c53f12ac1d
3 changed files with 517 additions and 0 deletions
--- a/app-crypt/gnupg/Manifest
+++ b/app-crypt/gnupg/Manifest
@ -1,4 +1,7 @@
 AUX gnupg-2.0.17-gpgsm-gencert.patch 1121 SHA256 fa8369a4466b3cce54215a348940422f46f4d359f9e9b3c7029a1138870888df SHA512 ecde032b205cc16c33ff21ded55b93e74058cd804d68e4a0738ac70d54b5b388b6f709d21719a5e418c662b7ee74bc4aef7a0c59de106e2d4bd06b7bc1a11138 WHIRLPOOL 5dc4d3de29290e8e274a0f4fef871cea7f49553846254d819ca776000978a72c694212559d9ad03312f94f71f406de4641c0575188d340017a7937b01753b8a0
 AUX gnupg-2.0.22-change_usage.patch 10466 SHA256 ad31713ed11531ded5006658350942d00ae59911e4fcab8f1ca532eacf0bd2ee SHA512 00d9c164f71a3a3ed3ec2019be32ea8f49d9dcff5d756e9be0bc77170c27447a2a68eaba22f569933ccf8ad770d65e73de368d526a5623139c0d466d62d17017 WHIRLPOOL 1a50ce231c7b008d633bdf6126aec7a3796e94173081cdd282dbee59bd1a21f1ba6c29ce76d20b60737f78e0f7414fc52e8c0d70d009e443eba2b1ed3e336926
+AUX gnupg-2.0.28-change_usage.patch 10466 SHA256 f71324032b8e80f7f6c263cf7131ef662888d7c7f4a6e535253bb4cc55c20f9e SHA512 b8437edf25b4cbd9c2a5d355f856fd81566b3e17cb23c103618afbd1c80c5150372fbecf5666b2c44a2014f5664944e40000cb10e45f7072a7efcd2692c3ad00 WHIRLPOOL 8b5cfb11608bc6be66eacff3e14d632d847131ec9982b89b917b1774d5eb2262ee329e347270e9255649702ffd91caa261ebf406eff10a040a38e57c5255e5c9
 DIST gnupg-2.0.22.tar.bz2 4277117 SHA256 437d0ab259854359fc48aa8795af80cff4975e559c111c92c03d0bc91408e251 SHA512 de534b2f4b8d3c320e97519fe0834bc403c96c6dbb2e24fc24eb68f4ff80374360ef66d83ddc3d6fa096c5199d3782abc5d06b866203378cba130b42802cc855 WHIRLPOOL c45e7b2560ae31f013f732863db99f6e23d0de83d03371fe592192c2b5f800503f7a1e273c59e4c99f3aa0401e8cfb2bdbf1c5029534f642305e768009f15fef
+DIST gnupg-2.0.28.tar.bz2 4435779 SHA256 ce092ee4ab58fd19b9fb34a460c07b06c348f4360dd5dd4886d041eb521a534c SHA512 7e786fe0648d5ea453f9c7524fec4bd7d5eec26d28f723acf3cb2f7ec9c400c339f0926a179411876c3f8e08b06942dcec643dc930caf58239bbd4932f4bd3c1 WHIRLPOOL ccf7427e54a545914e89677618055a114b4c9dc4db48669a2fc726fced98475df4ed27c93bd180f1250d147111ee663c736cdf4e1d8afdc40ed967cdffd0eb66
 EBUILD gnupg-2.0.22-r1.ebuild 4687 SHA256 006ecb48ee9050a4acf7fe5e41c17dd2d646bfa9a3f1562f5a4475e5803d4848 SHA512 9bd313b2ad7664e9877e3e9b999baabea35623c4e31e5abe04348c57655cc0447ae2059696f6a6f184f98d1b76521d83d36756e3e7c1641bb062066f481e981d WHIRLPOOL d42fc0979c08f640b497533a7c705424493a40da22915f6ce8f9d5744c5db892f5cde458c4ae71ad578b68f45bbf2cad9bf29224d2809e337acbea3a224abd97
+EBUILD gnupg-2.0.28-r1.ebuild 4938 SHA256 e7a38ffc9d2b504f26c370ccb5e6971cbdabc89c78f393c458182c8118e12e63 SHA512 844631cf2d583bb992a75a012da6da16665bfb364f5809b481389cc4a2e5fa82ca9283598838405a7f0ce077e468fb920526a2507871333d3afd302adaf8d488 WHIRLPOOL 2ef234ff3bfea01f53d47cfd72b16472c31c66017d546db7ec24ca0f6510b6fd5cfd04fd492a876d2cf0c5970c89caa8a30d0c382fae49df9cd91cd5c5b324df
--- a/app-crypt/gnupg/files/gnupg-2.0.28-change_usage.patch
+++ b/app-crypt/gnupg/files/gnupg-2.0.28-change_usage.patch
@ -0,0 +1,346 @@
+diff -Naur gnupg-2.0.28-orig/g10/keyedit.c gnupg-2.0.28/g10/keyedit.c
+--- gnupg-2.0.28-orig/g10/keyedit.c	2015-06-02 10:13:55.000000000 +0200
+++ gnupg-2.0.28/g10/keyedit.c	2015-09-28 11:40:08.216132804 +0200
+@@ -62,6 +62,7 @@
+ static int menu_addrevoker( KBNODE pub_keyblock,
+ 			    KBNODE sec_keyblock, int sensitive );
+ static int menu_expire( KBNODE pub_keyblock, KBNODE sec_keyblock );
+static int menu_usage( KBNODE pub_keyblock, KBNODE sec_keyblock );
+ static int menu_backsign(KBNODE pub_keyblock,KBNODE sec_keyblock);
+ static int menu_set_primary_uid( KBNODE pub_keyblock, KBNODE sec_keyblock );
+ static int menu_set_preferences( KBNODE pub_keyblock, KBNODE sec_keyblock );
+@@ -107,6 +108,11 @@
+     char *trust_regexp;
+ };
+ 
+/* Bad hack: Copy from keygen.c for menu_usage */
+struct opaque_data_usage_and_pk {
+    unsigned int usage;
+    PKT_public_key *pk;
+};
+ 
+ #ifdef ENABLE_CARD_SUPPORT
+ /* Given a node SEC_NODE with a secret key or subkey, locate the
+@@ -1366,7 +1372,7 @@
+     cmdREVSIG, cmdREVKEY, cmdREVUID, cmdDELSIG, cmdPRIMARY, cmdDEBUG,
+     cmdSAVE, cmdADDUID, cmdADDPHOTO, cmdDELUID, cmdADDKEY, cmdDELKEY,
+     cmdADDREVOKER, cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF,
+-    cmdEXPIRE, cmdBACKSIGN, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF,
+    cmdEXPIRE, cmdUSAGE, cmdBACKSIGN, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF,
+     cmdSETPREF, cmdPREFKS, cmdNOTATION, cmdINVCMD, cmdSHOWPHOTO, cmdUPDTRUST,
+     cmdCHKTRUST, cmdADDCARDKEY, cmdKEYTOCARD, cmdBKUPTOCARD, cmdCLEAN,
+     cmdMINIMIZE, cmdNOP
+@@ -1436,6 +1442,8 @@
+       N_("delete signatures from the selected user IDs") },
+     { "expire"  , cmdEXPIRE    , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
+       N_("change the expiration date for the key or selected subkeys") },
+    { "usage"   , cmdUSAGE     , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
+      N_("change the usage flag for the key or selected subkeys") },
+     { "primary" , cmdPRIMARY   , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
+       N_("flag the selected user ID as primary")},
+     { "toggle"  , cmdTOGGLE    , KEYEDIT_NEED_SK,
+@@ -2120,6 +2128,17 @@
+ 	      }
+ 	    break;
+ 
+	  case cmdUSAGE:
+	    if( menu_usage( keyblock, sec_keyblock ) )
+	      {
+		merge_keys_and_selfsig( sec_keyblock );
+		merge_keys_and_selfsig( keyblock );
+		sec_modified = 1;
+		modified = 1;
+		redisplay = 1;
+	      }
+	    break;
+
+ 	  case cmdBACKSIGN:
+ 	    if(menu_backsign(keyblock,sec_keyblock))
+ 	      {
+@@ -3792,6 +3811,286 @@
+ 		if( rc ) {
+ 		    log_error("make_keysig_packet failed: %s\n",
+ 						    g10_errstr(rc));
+		    free_secret_key( sk );
+		    return 0;
+		}
+		/* replace the packet */
+		newpkt = xmalloc_clear( sizeof *newpkt );
+		newpkt->pkttype = PKT_SIGNATURE;
+		newpkt->pkt.signature = newsig;
+		free_packet( node->pkt );
+		xfree( node->pkt );
+		node->pkt = newpkt;
+		if( sn ) {
+		    newpkt = xmalloc_clear( sizeof *newpkt );
+		    newpkt->pkttype = PKT_SIGNATURE;
+		    newpkt->pkt.signature = copy_signature( NULL, newsig );
+		    free_packet( sn->pkt );
+		    xfree( sn->pkt );
+		    sn->pkt = newpkt;
+		}
+		sub_pk = NULL;
+	    }
+	}
+    }
+
+    free_secret_key( sk );
+    update_trust=1;
+    return 1;
+}
+
+/* Bad hack: Copy from keygen.c for menu_usage */
+static void
+print_key_flags(int flags)
+{
+  if(flags&PUBKEY_USAGE_SIG)
+    tty_printf("%s ",_("Sign"));
+
+  if(flags&PUBKEY_USAGE_CERT)
+    tty_printf("%s ",_("Certify"));
+
+  if(flags&PUBKEY_USAGE_ENC)
+    tty_printf("%s ",_("Encrypt"));
+
+  if(flags&PUBKEY_USAGE_AUTH)
+    tty_printf("%s ",_("Authenticate"));
+}
+
+/* Bad hack: Copy from keygen.c for menu_usage */
+static void
+do_add_key_flags (PKT_signature *sig, unsigned int use)
+{
+    byte buf[1];
+
+    buf[0] = 0;
+
+    /* The spec says that all primary keys MUST be able to certify. */
+    if(sig->sig_class!=0x18)
+      buf[0] |= 0x01;
+
+    if (use & PUBKEY_USAGE_SIG)
+      buf[0] |= 0x02;
+    if (use & PUBKEY_USAGE_ENC)
+        buf[0] |= 0x04 | 0x08;
+    if (use & PUBKEY_USAGE_AUTH)
+        buf[0] |= 0x20;
+
+    build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
+}
+
+static int
+keygen_add_key_flags (PKT_signature *sig, void *opaque)
+{
+    struct opaque_data_usage_and_pk *oduap = opaque;
+
+    do_add_key_flags (sig, oduap->usage);
+    return 0;
+}
+
+/* Bad hack: Copy from keygen.c for menu_usage */
+static unsigned int
+ask_key_flags(int algo,int subkey)
+{
+  /* TRANSLATORS: Please use only plain ASCII characters for the
+     translation.  If this is not possible use single digits.  The
+     string needs to 8 bytes long. Here is a description of the
+     functions:
+
+       s = Toggle signing capability
+       e = Toggle encryption capability
+       a = Toggle authentication capability
+       q = Finish
+  */
+  const char *togglers=_("SsEeAaQq");
+  char *answer=NULL;
+  unsigned int current=0;
+  unsigned int possible=openpgp_pk_algo_usage(algo);
+
+  if ( strlen(togglers) != 8 )
+    {
+      tty_printf ("NOTE: Bad translation at %s:%d. "
+                  "Please report.\n", __FILE__, __LINE__);
+      togglers = "11223300";
+    }
+
+  /* Only primary keys may certify. */
+  if(subkey)
+    possible&=~PUBKEY_USAGE_CERT;
+
+  /* Preload the current set with the possible set, minus
+     authentication, since nobody really uses auth yet. */
+  current=possible&~PUBKEY_USAGE_AUTH;
+
+  for(;;)
+    {
+      tty_printf("\n");
+      tty_printf(_("Possible actions for a %s key: "),
+		 gcry_pk_algo_name (algo));
+      print_key_flags(possible);
+      tty_printf("\n");
+      tty_printf(_("Current allowed actions: "));
+      print_key_flags(current);
+      tty_printf("\n\n");
+
+      if(possible&PUBKEY_USAGE_SIG)
+	tty_printf(_("   (%c) Toggle the sign capability\n"),
+		   togglers[0]);
+      if(possible&PUBKEY_USAGE_ENC)
+	tty_printf(_("   (%c) Toggle the encrypt capability\n"),
+		   togglers[2]);
+      if(possible&PUBKEY_USAGE_AUTH)
+	tty_printf(_("   (%c) Toggle the authenticate capability\n"),
+		   togglers[4]);
+
+      tty_printf(_("   (%c) Finished\n"),togglers[6]);
+      tty_printf("\n");
+
+      xfree(answer);
+      answer = cpr_get("keygen.flags",_("Your selection? "));
+      cpr_kill_prompt();
+
+      if(strlen(answer)>1)
+	tty_printf(_("Invalid selection.\n"));
+      else if(*answer=='\0' || *answer==togglers[6] || *answer==togglers[7])
+	break;
+      else if((*answer==togglers[0] || *answer==togglers[1])
+	      && possible&PUBKEY_USAGE_SIG)
+	{
+	  if(current&PUBKEY_USAGE_SIG)
+	    current&=~PUBKEY_USAGE_SIG;
+	  else
+	    current|=PUBKEY_USAGE_SIG;
+	}
+      else if((*answer==togglers[2] || *answer==togglers[3])
+	      && possible&PUBKEY_USAGE_ENC)
+	{
+	  if(current&PUBKEY_USAGE_ENC)
+	    current&=~PUBKEY_USAGE_ENC;
+	  else
+	    current|=PUBKEY_USAGE_ENC;
+	}
+      else if((*answer==togglers[4] || *answer==togglers[5])
+	      && possible&PUBKEY_USAGE_AUTH)
+	{
+	  if(current&PUBKEY_USAGE_AUTH)
+	    current&=~PUBKEY_USAGE_AUTH;
+	  else
+	    current|=PUBKEY_USAGE_AUTH;
+	}
+      else
+	tty_printf(_("Invalid selection.\n"));
+    }
+
+  xfree(answer);
+
+  return current;
+}
+
+/* Bad hack: mainly copy and paste of menu_expire */
+static int
+menu_usage( KBNODE pub_keyblock, KBNODE sec_keyblock )
+{
+    int n1, signumber, rc;
+    unsigned int use;
+    int mainkey=0;
+    PKT_secret_key *sk;    /* copy of the main sk */
+    PKT_public_key *main_pk, *sub_pk;
+    struct opaque_data_usage_and_pk oduap;
+    PKT_user_id *uid;
+    KBNODE node;
+    u32 keyid[2];
+
+    if( count_selected_keys( sec_keyblock ) ) {
+	tty_printf(_("Please remove selections from the secret keys.\n"));
+	return 0;
+    }
+
+    n1 = count_selected_keys( pub_keyblock );
+    if( n1 > 1 ) {
+	tty_printf(_("Please select at most one subkey.\n"));
+	return 0;
+    }
+    else if( n1 )
+	tty_printf(_("Changing usage of a subkey.\n"));
+    else
+      {
+	tty_printf(_("Changing usage of the primary key.\n"));
+	mainkey=1;
+	no_primary_warning(pub_keyblock);
+      }
+
+    use = ask_key_flags(PUBKEY_ALGO_RSA, n1); /* TODO: algo abfragen und einsetzen */
+    node = find_kbnode( sec_keyblock, PKT_SECRET_KEY );
+    sk = copy_secret_key( NULL, node->pkt->pkt.secret_key);
+
+    /* Now we can actually change the self signature(s) */
+    main_pk = sub_pk = NULL;
+    uid = NULL;
+    signumber = 0;
+    for( node=pub_keyblock; node; node = node->next ) {
+	if( node->pkt->pkttype == PKT_PUBLIC_KEY ) {
+	    main_pk = node->pkt->pkt.public_key;
+	    keyid_from_pk( main_pk, keyid );
+	}
+	else if( node->pkt->pkttype == PKT_PUBLIC_SUBKEY
+		 && (node->flag & NODFLG_SELKEY ) ) {
+	    sub_pk = node->pkt->pkt.public_key;
+	}
+	else if( node->pkt->pkttype == PKT_USER_ID )
+	    uid = node->pkt->pkt.user_id;
+	else if( main_pk && node->pkt->pkttype == PKT_SIGNATURE
+		 && ( mainkey || sub_pk ) ) {
+	    PKT_signature *sig = node->pkt->pkt.signature;
+	    if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]
+		&& ( (mainkey && uid
+		      && uid->created && (sig->sig_class&~3) == 0x10)
+		     || (!mainkey && sig->sig_class == 0x18)  )
+		&& sig->flags.chosen_selfsig )
+	      {
+		/* this is a selfsignature which is to be replaced */
+		PKT_signature *newsig;
+		PACKET *newpkt;
+		KBNODE sn;
+		int signumber2 = 0;
+
+		signumber++;
+
+		if( (mainkey && main_pk->version < 4)
+		    || (!mainkey && sub_pk->version < 4 ) ) {
+		    log_info(_(
+			"You can't change the expiration date of a v3 key\n"));
+		    free_secret_key( sk );
+		    return 0;
+		}
+
+		/* find the corresponding secret self-signature */
+		for( sn=sec_keyblock; sn; sn = sn->next ) {
+		    if( sn->pkt->pkttype == PKT_SIGNATURE ) {
+			PKT_signature *b = sn->pkt->pkt.signature;
+			if( keyid[0] == b->keyid[0] && keyid[1] == b->keyid[1]
+			    && sig->sig_class == b->sig_class
+			    && ++signumber2 == signumber )
+			    break;
+		    }
+		}
+		if( !sn )
+		    log_info(_("No corresponding signature in secret ring\n"));
+
+		if( mainkey ) {
+		  oduap.usage = use;
+		  oduap.pk = main_pk;
+		  rc = update_keysig_packet(&newsig, sig, main_pk, uid, NULL,
+					    sk, keygen_add_key_flags, &oduap);
+		}
+		else {
+		  oduap.usage = use;
+		  oduap.pk = sub_pk;
+		  rc = update_keysig_packet(&newsig, sig, main_pk, NULL, sub_pk,
+					    sk, keygen_add_key_flags, &oduap);
+		}
+		if( rc ) {
+		    log_error("make_keysig_packet failed: %s\n",
+						    g10_errstr(rc));
+ 		    free_secret_key( sk );
+ 		    return 0;
+ 		}
--- a/app-crypt/gnupg/gnupg-2.0.28-r1.ebuild
+++ b/app-crypt/gnupg/gnupg-2.0.28-r1.ebuild
@ -0,0 +1,168 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="The GNU Privacy Guard, a GPL pgp replacement"
+HOMEPAGE="http://www.gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${P}.tar.bz2"
+# SRC_URI="ftp://ftp.gnupg.org/gcrypt/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ~ia64 ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 changekeyusage doc ldap nls mta readline static selinux smartcard tools usb"
+
+COMMON_DEPEND_LIBS="
+	>=dev-libs/libassuan-2
+	>=dev-libs/libgcrypt-1.5:0=
+	>=dev-libs/libgpg-error-1.11
+	>=dev-libs/libksba-1.0.7
+	>=dev-libs/pth-1.3.7
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	readline? ( sys-libs/readline )
+	smartcard? ( usb? ( virtual/libusb:0 ) )
+	ldap? ( net-nds/openldap )"
+COMMON_DEPEND_BINS="app-crypt/pinentry"
+
+# Existence of executables is checked during configuration.
+DEPEND="${COMMON_DEPEND_LIBS}
+	${COMMON_DEPEND_BINS}
+	static? (
+		>=dev-libs/libassuan-2[static-libs]
+		>=dev-libs/libgcrypt-1.4:0=[static-libs]
+		>=dev-libs/libgpg-error-1.11[static-libs]
+		>=dev-libs/libksba-1.0.7[static-libs]
+		>=dev-libs/pth-1.3.7[static-libs]
+		>=net-misc/curl-7.10[static-libs]
+		sys-libs/zlib[static-libs]
+		bzip2? ( app-arch/bzip2[static-libs] )
+	)
+	nls? ( sys-devel/gettext )
+	doc? ( sys-apps/texinfo )"
+
+RDEPEND="!static? ( ${COMMON_DEPEND_LIBS} )
+	${COMMON_DEPEND_BINS}
+	mta? ( virtual/mta )
+	!<=app-crypt/gnupg-2.0.1
+	selinux? ( sec-policy/selinux-gpg )
+	nls? ( virtual/libintl )"
+
+REQUIRED_USE="smartcard? ( !static )"
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch"
+	use changekeyusage && epatch "${FILESDIR}/${P}-change_usage.patch"
+	epatch_user
+}
+
+src_configure() {
+	local myconf=()
+
+	# 'USE=static' support was requested:
+	# gnupg1: bug #29299
+	# gnupg2: bug #159623
+	use static && append-ldflags -static
+
+	if use smartcard; then
+		myconf+=(
+			--enable-scdaemon
+			$(use_enable usb ccid-driver)
+		)
+	else
+		myconf+=( --disable-scdaemon )
+	fi
+
+	if use elibc_SunOS || use elibc_AIX; then
+		myconf+=( --disable-symcryptrun )
+	else
+		myconf+=( --enable-symcryptrun )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	[[ ${CC} == clang ]] && export gl_cv_absolute_stdint_h=/usr/include/stdint.h
+
+	econf \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--enable-gpg \
+		--enable-gpgsm \
+		--enable-agent \
+		--enable-large-secmem \
+		--without-adns \
+		"${myconf[@]}" \
+		$(use_enable bzip2) \
+		$(use_enable nls) \
+		$(use_enable mta mailto) \
+		$(use_enable ldap) \
+		$(use_with readline) \
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+}
+
+src_compile() {
+	default
+
+	if use doc; then
+		cd doc
+		emake html
+	fi
+}
+
+src_install() {
+	default
+
+	use tools && dobin tools/{convert-from-106,gpg-check-pattern} \
+		tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys,make-dns-cert}
+
+	emake DESTDIR="${D}" -f doc/Makefile uninstall-nobase_dist_docDATA
+	rm "${ED}"/usr/share/gnupg/help* || die
+
+	dodoc ChangeLog NEWS README THANKS TODO VERSION doc/FAQ doc/DETAILS \
+		doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER doc/help*
+
+	dosym gpg2 /usr/bin/gpg
+	dosym gpgv2 /usr/bin/gpgv
+	dosym gpg2keys_hkp /usr/libexec/gpgkeys_hkp
+	dosym gpg2keys_finger /usr/libexec/gpgkeys_finger
+	dosym gpg2keys_curl /usr/libexec/gpgkeys_curl
+	if use ldap; then
+		dosym gpg2keys_ldap /usr/libexec/gpgkeys_ldap
+	fi
+	echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1
+	echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg
+
+	if use doc; then
+		dohtml doc/gnupg.html/* doc/*.png
+	fi
+}
+
+pkg_postinst() {
+	elog "If you wish to view images emerge:"
+	elog "media-gfx/xloadimage, media-gfx/xli or any other viewer"
+	elog "Remember to use photo-viewer option in configuration file to activate"
+	elog "the right viewer."
+	elog
+
+	if use smartcard; then
+		elog "To use your OpenPGP smartcard (or token) with GnuPG you need one of"
+		use usb && elog " - a CCID-compatible reader, used directly through libusb;"
+		elog " - sys-apps/pcsc-lite and a compatible reader device;"
+		elog " - dev-libs/openct and a compatible reader device;"
+		elog " - a reader device and drivers exporting either PC/SC or CT-API interfaces."
+		elog ""
+		elog "General hint: you probably want to try installing sys-apps/pcsc-lite and"
+		elog "app-crypt/ccid first."
+	fi
+
+	ewarn "Please remember to restart gpg-agent if a different version"
+	ewarn "of the agent is currently used. If you are unsure of the gpg"
+	ewarn "agent you are using please run 'killall gpg-agent',"
+	ewarn "and to start a fresh daemon just run 'gpg-agent --daemon'."
+}