gnupg: new version of patch to change key usage

app-crypt/gnupg/Manifest

@@ -1,4 +1,7 @@
 AUX gnupg-2.0.17-gpgsm-gencert.patch 1121 SHA256 fa8369a4466b3cce54215a348940422f46f4d359f9e9b3c7029a1138870888df SHA512 ecde032b205cc16c33ff21ded55b93e74058cd804d68e4a0738ac70d54b5b388b6f709d21719a5e418c662b7ee74bc4aef7a0c59de106e2d4bd06b7bc1a11138 WHIRLPOOL 5dc4d3de29290e8e274a0f4fef871cea7f49553846254d819ca776000978a72c694212559d9ad03312f94f71f406de4641c0575188d340017a7937b01753b8a0
 AUX gnupg-2.0.22-change_usage.patch 10466 SHA256 ad31713ed11531ded5006658350942d00ae59911e4fcab8f1ca532eacf0bd2ee SHA512 00d9c164f71a3a3ed3ec2019be32ea8f49d9dcff5d756e9be0bc77170c27447a2a68eaba22f569933ccf8ad770d65e73de368d526a5623139c0d466d62d17017 WHIRLPOOL 1a50ce231c7b008d633bdf6126aec7a3796e94173081cdd282dbee59bd1a21f1ba6c29ce76d20b60737f78e0f7414fc52e8c0d70d009e443eba2b1ed3e336926
+AUX gnupg-2.0.28-change_usage.patch 10466 SHA256 f71324032b8e80f7f6c263cf7131ef662888d7c7f4a6e535253bb4cc55c20f9e SHA512 b8437edf25b4cbd9c2a5d355f856fd81566b3e17cb23c103618afbd1c80c5150372fbecf5666b2c44a2014f5664944e40000cb10e45f7072a7efcd2692c3ad00 WHIRLPOOL 8b5cfb11608bc6be66eacff3e14d632d847131ec9982b89b917b1774d5eb2262ee329e347270e9255649702ffd91caa261ebf406eff10a040a38e57c5255e5c9
 DIST gnupg-2.0.22.tar.bz2 4277117 SHA256 437d0ab259854359fc48aa8795af80cff4975e559c111c92c03d0bc91408e251 SHA512 de534b2f4b8d3c320e97519fe0834bc403c96c6dbb2e24fc24eb68f4ff80374360ef66d83ddc3d6fa096c5199d3782abc5d06b866203378cba130b42802cc855 WHIRLPOOL c45e7b2560ae31f013f732863db99f6e23d0de83d03371fe592192c2b5f800503f7a1e273c59e4c99f3aa0401e8cfb2bdbf1c5029534f642305e768009f15fef
+DIST gnupg-2.0.28.tar.bz2 4435779 SHA256 ce092ee4ab58fd19b9fb34a460c07b06c348f4360dd5dd4886d041eb521a534c SHA512 7e786fe0648d5ea453f9c7524fec4bd7d5eec26d28f723acf3cb2f7ec9c400c339f0926a179411876c3f8e08b06942dcec643dc930caf58239bbd4932f4bd3c1 WHIRLPOOL ccf7427e54a545914e89677618055a114b4c9dc4db48669a2fc726fced98475df4ed27c93bd180f1250d147111ee663c736cdf4e1d8afdc40ed967cdffd0eb66
 EBUILD gnupg-2.0.22-r1.ebuild 4687 SHA256 006ecb48ee9050a4acf7fe5e41c17dd2d646bfa9a3f1562f5a4475e5803d4848 SHA512 9bd313b2ad7664e9877e3e9b999baabea35623c4e31e5abe04348c57655cc0447ae2059696f6a6f184f98d1b76521d83d36756e3e7c1641bb062066f481e981d WHIRLPOOL d42fc0979c08f640b497533a7c705424493a40da22915f6ce8f9d5744c5db892f5cde458c4ae71ad578b68f45bbf2cad9bf29224d2809e337acbea3a224abd97
+EBUILD gnupg-2.0.28-r1.ebuild 4938 SHA256 e7a38ffc9d2b504f26c370ccb5e6971cbdabc89c78f393c458182c8118e12e63 SHA512 844631cf2d583bb992a75a012da6da16665bfb364f5809b481389cc4a2e5fa82ca9283598838405a7f0ce077e468fb920526a2507871333d3afd302adaf8d488 WHIRLPOOL 2ef234ff3bfea01f53d47cfd72b16472c31c66017d546db7ec24ca0f6510b6fd5cfd04fd492a876d2cf0c5970c89caa8a30d0c382fae49df9cd91cd5c5b324df

app-crypt/gnupg/files/gnupg-2.0.28-change_usage.patch

@@ -0,0 +1,346 @@
+diff -Naur gnupg-2.0.28-orig/g10/keyedit.c gnupg-2.0.28/g10/keyedit.c
+--- gnupg-2.0.28-orig/g10/keyedit.c	2015-06-02 10:13:55.000000000 +0200
++++ gnupg-2.0.28/g10/keyedit.c	2015-09-28 11:40:08.216132804 +0200
+@@ -62,6 +62,7 @@
+ static int menu_addrevoker( KBNODE pub_keyblock,
+ 			    KBNODE sec_keyblock, int sensitive );
+ static int menu_expire( KBNODE pub_keyblock, KBNODE sec_keyblock );
++static int menu_usage( KBNODE pub_keyblock, KBNODE sec_keyblock );
+ static int menu_backsign(KBNODE pub_keyblock,KBNODE sec_keyblock);
+ static int menu_set_primary_uid( KBNODE pub_keyblock, KBNODE sec_keyblock );
+ static int menu_set_preferences( KBNODE pub_keyblock, KBNODE sec_keyblock );
+@@ -107,6 +108,11 @@
+     char *trust_regexp;
+ };
+ 
++/* Bad hack: Copy from keygen.c for menu_usage */
++struct opaque_data_usage_and_pk {
++    unsigned int usage;
++    PKT_public_key *pk;
++};
+ 
+ #ifdef ENABLE_CARD_SUPPORT
+ /* Given a node SEC_NODE with a secret key or subkey, locate the
+@@ -1366,7 +1372,7 @@
+     cmdREVSIG, cmdREVKEY, cmdREVUID, cmdDELSIG, cmdPRIMARY, cmdDEBUG,
+     cmdSAVE, cmdADDUID, cmdADDPHOTO, cmdDELUID, cmdADDKEY, cmdDELKEY,
+     cmdADDREVOKER, cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF,
+-    cmdEXPIRE, cmdBACKSIGN, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF,
++    cmdEXPIRE, cmdUSAGE, cmdBACKSIGN, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF,
+     cmdSETPREF, cmdPREFKS, cmdNOTATION, cmdINVCMD, cmdSHOWPHOTO, cmdUPDTRUST,
+     cmdCHKTRUST, cmdADDCARDKEY, cmdKEYTOCARD, cmdBKUPTOCARD, cmdCLEAN,
+     cmdMINIMIZE, cmdNOP
+@@ -1436,6 +1442,8 @@
+       N_("delete signatures from the selected user IDs") },
+     { "expire"  , cmdEXPIRE    , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
+       N_("change the expiration date for the key or selected subkeys") },
++    { "usage"   , cmdUSAGE     , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
++      N_("change the usage flag for the key or selected subkeys") },
+     { "primary" , cmdPRIMARY   , KEYEDIT_NOT_SK|KEYEDIT_NEED_SK,
+       N_("flag the selected user ID as primary")},
+     { "toggle"  , cmdTOGGLE    , KEYEDIT_NEED_SK,
+@@ -2120,6 +2128,17 @@
+ 	      }
+ 	    break;
+ 
++	  case cmdUSAGE:
++	    if( menu_usage( keyblock, sec_keyblock ) )
++	      {
++		merge_keys_and_selfsig( sec_keyblock );
++		merge_keys_and_selfsig( keyblock );
++		sec_modified = 1;
++		modified = 1;
++		redisplay = 1;
++	      }
++	    break;
++
+ 	  case cmdBACKSIGN:
+ 	    if(menu_backsign(keyblock,sec_keyblock))
+ 	      {
+@@ -3792,6 +3811,286 @@
+ 		if( rc ) {
+ 		    log_error("make_keysig_packet failed: %s\n",
+ 						    g10_errstr(rc));
++		    free_secret_key( sk );
++		    return 0;
++		}
++		/* replace the packet */
++		newpkt = xmalloc_clear( sizeof *newpkt );
++		newpkt->pkttype = PKT_SIGNATURE;
++		newpkt->pkt.signature = newsig;
++		free_packet( node->pkt );
++		xfree( node->pkt );
++		node->pkt = newpkt;
++		if( sn ) {
++		    newpkt = xmalloc_clear( sizeof *newpkt );
++		    newpkt->pkttype = PKT_SIGNATURE;
++		    newpkt->pkt.signature = copy_signature( NULL, newsig );
++		    free_packet( sn->pkt );
++		    xfree( sn->pkt );
++		    sn->pkt = newpkt;
++		}
++		sub_pk = NULL;
++	    }
++	}
++    }
++
++    free_secret_key( sk );
++    update_trust=1;
++    return 1;
++}
++
++/* Bad hack: Copy from keygen.c for menu_usage */
++static void
++print_key_flags(int flags)
++{
++  if(flags&PUBKEY_USAGE_SIG)
++    tty_printf("%s ",_("Sign"));
++
++  if(flags&PUBKEY_USAGE_CERT)
++    tty_printf("%s ",_("Certify"));
++
++  if(flags&PUBKEY_USAGE_ENC)
++    tty_printf("%s ",_("Encrypt"));
++
++  if(flags&PUBKEY_USAGE_AUTH)
++    tty_printf("%s ",_("Authenticate"));
++}
++
++/* Bad hack: Copy from keygen.c for menu_usage */
++static void
++do_add_key_flags (PKT_signature *sig, unsigned int use)
++{
++    byte buf[1];
++
++    buf[0] = 0;
++
++    /* The spec says that all primary keys MUST be able to certify. */
++    if(sig->sig_class!=0x18)
++      buf[0] |= 0x01;
++
++    if (use & PUBKEY_USAGE_SIG)
++      buf[0] |= 0x02;
++    if (use & PUBKEY_USAGE_ENC)
++        buf[0] |= 0x04 | 0x08;
++    if (use & PUBKEY_USAGE_AUTH)
++        buf[0] |= 0x20;
++
++    build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
++}
++
++static int
++keygen_add_key_flags (PKT_signature *sig, void *opaque)
++{
++    struct opaque_data_usage_and_pk *oduap = opaque;
++
++    do_add_key_flags (sig, oduap->usage);
++    return 0;
++}
++
++/* Bad hack: Copy from keygen.c for menu_usage */
++static unsigned int
++ask_key_flags(int algo,int subkey)
++{
++  /* TRANSLATORS: Please use only plain ASCII characters for the
++     translation.  If this is not possible use single digits.  The
++     string needs to 8 bytes long. Here is a description of the
++     functions:
++
++       s = Toggle signing capability
++       e = Toggle encryption capability
++       a = Toggle authentication capability
++       q = Finish
++  */
++  const char *togglers=_("SsEeAaQq");
++  char *answer=NULL;
++  unsigned int current=0;
++  unsigned int possible=openpgp_pk_algo_usage(algo);
++
++  if ( strlen(togglers) != 8 )
++    {
++      tty_printf ("NOTE: Bad translation at %s:%d. "
++                  "Please report.\n", __FILE__, __LINE__);
++      togglers = "11223300";
++    }
++
++  /* Only primary keys may certify. */
++  if(subkey)
++    possible&=~PUBKEY_USAGE_CERT;
++
++  /* Preload the current set with the possible set, minus
++     authentication, since nobody really uses auth yet. */
++  current=possible&~PUBKEY_USAGE_AUTH;
++
++  for(;;)
++    {
++      tty_printf("\n");
++      tty_printf(_("Possible actions for a %s key: "),
++		 gcry_pk_algo_name (algo));
++      print_key_flags(possible);
++      tty_printf("\n");
++      tty_printf(_("Current allowed actions: "));
++      print_key_flags(current);
++      tty_printf("\n\n");
++
++      if(possible&PUBKEY_USAGE_SIG)
++	tty_printf(_("   (%c) Toggle the sign capability\n"),
++		   togglers[0]);
++      if(possible&PUBKEY_USAGE_ENC)
++	tty_printf(_("   (%c) Toggle the encrypt capability\n"),
++		   togglers[2]);
++      if(possible&PUBKEY_USAGE_AUTH)
++	tty_printf(_("   (%c) Toggle the authenticate capability\n"),
++		   togglers[4]);
++
++      tty_printf(_("   (%c) Finished\n"),togglers[6]);
++      tty_printf("\n");
++
++      xfree(answer);
++      answer = cpr_get("keygen.flags",_("Your selection? "));
++      cpr_kill_prompt();
++
++      if(strlen(answer)>1)
++	tty_printf(_("Invalid selection.\n"));
++      else if(*answer=='\0' || *answer==togglers[6] || *answer==togglers[7])
++	break;
++      else if((*answer==togglers[0] || *answer==togglers[1])
++	      && possible&PUBKEY_USAGE_SIG)
++	{
++	  if(current&PUBKEY_USAGE_SIG)
++	    current&=~PUBKEY_USAGE_SIG;
++	  else
++	    current|=PUBKEY_USAGE_SIG;
++	}
++      else if((*answer==togglers[2] || *answer==togglers[3])
++	      && possible&PUBKEY_USAGE_ENC)
++	{
++	  if(current&PUBKEY_USAGE_ENC)
++	    current&=~PUBKEY_USAGE_ENC;
++	  else
++	    current|=PUBKEY_USAGE_ENC;
++	}
++      else if((*answer==togglers[4] || *answer==togglers[5])
++	      && possible&PUBKEY_USAGE_AUTH)
++	{
++	  if(current&PUBKEY_USAGE_AUTH)
++	    current&=~PUBKEY_USAGE_AUTH;
++	  else
++	    current|=PUBKEY_USAGE_AUTH;
++	}
++      else
++	tty_printf(_("Invalid selection.\n"));
++    }
++
++  xfree(answer);
++
++  return current;
++}
++
++/* Bad hack: mainly copy and paste of menu_expire */
++static int
++menu_usage( KBNODE pub_keyblock, KBNODE sec_keyblock )
++{
++    int n1, signumber, rc;
++    unsigned int use;
++    int mainkey=0;
++    PKT_secret_key *sk;    /* copy of the main sk */
++    PKT_public_key *main_pk, *sub_pk;
++    struct opaque_data_usage_and_pk oduap;
++    PKT_user_id *uid;
++    KBNODE node;
++    u32 keyid[2];
++
++    if( count_selected_keys( sec_keyblock ) ) {
++	tty_printf(_("Please remove selections from the secret keys.\n"));
++	return 0;
++    }
++
++    n1 = count_selected_keys( pub_keyblock );
++    if( n1 > 1 ) {
++	tty_printf(_("Please select at most one subkey.\n"));
++	return 0;
++    }
++    else if( n1 )
++	tty_printf(_("Changing usage of a subkey.\n"));
++    else
++      {
++	tty_printf(_("Changing usage of the primary key.\n"));
++	mainkey=1;
++	no_primary_warning(pub_keyblock);
++      }
++
++    use = ask_key_flags(PUBKEY_ALGO_RSA, n1); /* TODO: algo abfragen und einsetzen */
++    node = find_kbnode( sec_keyblock, PKT_SECRET_KEY );
++    sk = copy_secret_key( NULL, node->pkt->pkt.secret_key);
++
++    /* Now we can actually change the self signature(s) */
++    main_pk = sub_pk = NULL;
++    uid = NULL;
++    signumber = 0;
++    for( node=pub_keyblock; node; node = node->next ) {
++	if( node->pkt->pkttype == PKT_PUBLIC_KEY ) {
++	    main_pk = node->pkt->pkt.public_key;
++	    keyid_from_pk( main_pk, keyid );
++	}
++	else if( node->pkt->pkttype == PKT_PUBLIC_SUBKEY
++		 && (node->flag & NODFLG_SELKEY ) ) {
++	    sub_pk = node->pkt->pkt.public_key;
++	}
++	else if( node->pkt->pkttype == PKT_USER_ID )
++	    uid = node->pkt->pkt.user_id;
++	else if( main_pk && node->pkt->pkttype == PKT_SIGNATURE
++		 && ( mainkey || sub_pk ) ) {
++	    PKT_signature *sig = node->pkt->pkt.signature;
++	    if( keyid[0] == sig->keyid[0] && keyid[1] == sig->keyid[1]
++		&& ( (mainkey && uid
++		      && uid->created && (sig->sig_class&~3) == 0x10)
++		     || (!mainkey && sig->sig_class == 0x18)  )
++		&& sig->flags.chosen_selfsig )
++	      {
++		/* this is a selfsignature which is to be replaced */
++		PKT_signature *newsig;
++		PACKET *newpkt;
++		KBNODE sn;
++		int signumber2 = 0;
++
++		signumber++;
++
++		if( (mainkey && main_pk->version < 4)
++		    || (!mainkey && sub_pk->version < 4 ) ) {
++		    log_info(_(
++			"You can't change the expiration date of a v3 key\n"));
++		    free_secret_key( sk );
++		    return 0;
++		}
++
++		/* find the corresponding secret self-signature */
++		for( sn=sec_keyblock; sn; sn = sn->next ) {
++		    if( sn->pkt->pkttype == PKT_SIGNATURE ) {
++			PKT_signature *b = sn->pkt->pkt.signature;
++			if( keyid[0] == b->keyid[0] && keyid[1] == b->keyid[1]
++			    && sig->sig_class == b->sig_class
++			    && ++signumber2 == signumber )
++			    break;
++		    }
++		}
++		if( !sn )
++		    log_info(_("No corresponding signature in secret ring\n"));
++
++		if( mainkey ) {
++		  oduap.usage = use;
++		  oduap.pk = main_pk;
++		  rc = update_keysig_packet(&newsig, sig, main_pk, uid, NULL,
++					    sk, keygen_add_key_flags, &oduap);
++		}
++		else {
++		  oduap.usage = use;
++		  oduap.pk = sub_pk;
++		  rc = update_keysig_packet(&newsig, sig, main_pk, NULL, sub_pk,
++					    sk, keygen_add_key_flags, &oduap);
++		}
++		if( rc ) {
++		    log_error("make_keysig_packet failed: %s\n",
++						    g10_errstr(rc));
+ 		    free_secret_key( sk );
+ 		    return 0;
+ 		}

app-crypt/gnupg/gnupg-2.0.28-r1.ebuild

@@ -0,0 +1,168 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+EAPI="5"
+
+inherit eutils flag-o-matic toolchain-funcs
+
+DESCRIPTION="The GNU Privacy Guard, a GPL pgp replacement"
+HOMEPAGE="http://www.gnupg.org/"
+SRC_URI="mirror://gnupg/gnupg/${P}.tar.bz2"
+# SRC_URI="ftp://ftp.gnupg.org/gcrypt/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="alpha amd64 arm ~arm64 hppa ~ia64 ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 ~ppc-aix ~amd64-fbsd ~x86-fbsd ~x64-freebsd ~x86-freebsd ~amd64-linux ~arm-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~sparc-solaris ~sparc64-solaris ~x64-solaris ~x86-solaris"
+IUSE="bzip2 changekeyusage doc ldap nls mta readline static selinux smartcard tools usb"
+
+COMMON_DEPEND_LIBS="
+	>=dev-libs/libassuan-2
+	>=dev-libs/libgcrypt-1.5:0=
+	>=dev-libs/libgpg-error-1.11
+	>=dev-libs/libksba-1.0.7
+	>=dev-libs/pth-1.3.7
+	>=net-misc/curl-7.10
+	sys-libs/zlib
+	bzip2? ( app-arch/bzip2 )
+	readline? ( sys-libs/readline )
+	smartcard? ( usb? ( virtual/libusb:0 ) )
+	ldap? ( net-nds/openldap )"
+COMMON_DEPEND_BINS="app-crypt/pinentry"
+
+# Existence of executables is checked during configuration.
+DEPEND="${COMMON_DEPEND_LIBS}
+	${COMMON_DEPEND_BINS}
+	static? (
+		>=dev-libs/libassuan-2[static-libs]
+		>=dev-libs/libgcrypt-1.4:0=[static-libs]
+		>=dev-libs/libgpg-error-1.11[static-libs]
+		>=dev-libs/libksba-1.0.7[static-libs]
+		>=dev-libs/pth-1.3.7[static-libs]
+		>=net-misc/curl-7.10[static-libs]
+		sys-libs/zlib[static-libs]
+		bzip2? ( app-arch/bzip2[static-libs] )
+	)
+	nls? ( sys-devel/gettext )
+	doc? ( sys-apps/texinfo )"
+
+RDEPEND="!static? ( ${COMMON_DEPEND_LIBS} )
+	${COMMON_DEPEND_BINS}
+	mta? ( virtual/mta )
+	!<=app-crypt/gnupg-2.0.1
+	selinux? ( sec-policy/selinux-gpg )
+	nls? ( virtual/libintl )"
+
+REQUIRED_USE="smartcard? ( !static )"
+
+src_prepare() {
+	epatch "${FILESDIR}/${PN}-2.0.17-gpgsm-gencert.patch"
+	use changekeyusage && epatch "${FILESDIR}/${P}-change_usage.patch"
+	epatch_user
+}
+
+src_configure() {
+	local myconf=()
+
+	# 'USE=static' support was requested:
+	# gnupg1: bug #29299
+	# gnupg2: bug #159623
+	use static && append-ldflags -static
+
+	if use smartcard; then
+		myconf+=(
+			--enable-scdaemon
+			$(use_enable usb ccid-driver)
+		)
+	else
+		myconf+=( --disable-scdaemon )
+	fi
+
+	if use elibc_SunOS || use elibc_AIX; then
+		myconf+=( --disable-symcryptrun )
+	else
+		myconf+=( --enable-symcryptrun )
+	fi
+
+	# glib fails and picks up clang's internal stdint.h causing weird errors
+	[[ ${CC} == clang ]] && export gl_cv_absolute_stdint_h=/usr/include/stdint.h
+
+	econf \
+		--docdir="${EPREFIX}/usr/share/doc/${PF}" \
+		--enable-gpg \
+		--enable-gpgsm \
+		--enable-agent \
+		--enable-large-secmem \
+		--without-adns \
+		"${myconf[@]}" \
+		$(use_enable bzip2) \
+		$(use_enable nls) \
+		$(use_enable mta mailto) \
+		$(use_enable ldap) \
+		$(use_with readline) \
+		CC_FOR_BUILD="$(tc-getBUILD_CC)"
+}
+
+src_compile() {
+	default
+
+	if use doc; then
+		cd doc
+		emake html
+	fi
+}
+
+src_install() {
+	default
+
+	use tools && dobin tools/{convert-from-106,gpg-check-pattern} \
+		tools/{gpg-zip,gpgconf,gpgsplit,lspgpot,mail-signed-keys,make-dns-cert}
+
+	emake DESTDIR="${D}" -f doc/Makefile uninstall-nobase_dist_docDATA
+	rm "${ED}"/usr/share/gnupg/help* || die
+
+	dodoc ChangeLog NEWS README THANKS TODO VERSION doc/FAQ doc/DETAILS \
+		doc/HACKING doc/TRANSLATE doc/OpenPGP doc/KEYSERVER doc/help*
+
+	dosym gpg2 /usr/bin/gpg
+	dosym gpgv2 /usr/bin/gpgv
+	dosym gpg2keys_hkp /usr/libexec/gpgkeys_hkp
+	dosym gpg2keys_finger /usr/libexec/gpgkeys_finger
+	dosym gpg2keys_curl /usr/libexec/gpgkeys_curl
+	if use ldap; then
+		dosym gpg2keys_ldap /usr/libexec/gpgkeys_ldap
+	fi
+	echo ".so man1/gpg2.1" > "${ED}"/usr/share/man/man1/gpg.1
+	echo ".so man1/gpgv2.1" > "${ED}"/usr/share/man/man1/gpgv.1
+
+	dodir /etc/env.d
+	echo "CONFIG_PROTECT=/usr/share/gnupg/qualified.txt" >> "${ED}"/etc/env.d/30gnupg
+
+	if use doc; then
+		dohtml doc/gnupg.html/* doc/*.png
+	fi
+}
+
+pkg_postinst() {
+	elog "If you wish to view images emerge:"
+	elog "media-gfx/xloadimage, media-gfx/xli or any other viewer"
+	elog "Remember to use photo-viewer option in configuration file to activate"
+	elog "the right viewer."
+	elog
+
+	if use smartcard; then
+		elog "To use your OpenPGP smartcard (or token) with GnuPG you need one of"
+		use usb && elog " - a CCID-compatible reader, used directly through libusb;"
+		elog " - sys-apps/pcsc-lite and a compatible reader device;"
+		elog " - dev-libs/openct and a compatible reader device;"
+		elog " - a reader device and drivers exporting either PC/SC or CT-API interfaces."
+		elog ""
+		elog "General hint: you probably want to try installing sys-apps/pcsc-lite and"
+		elog "app-crypt/ccid first."
+	fi
+
+	ewarn "Please remember to restart gpg-agent if a different version"
+	ewarn "of the agent is currently used. If you are unsure of the gpg"
+	ewarn "agent you are using please run 'killall gpg-agent',"
+	ewarn "and to start a fresh daemon just run 'gpg-agent --daemon'."
+}