diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..72bdca2
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/gnupg-2.0.22.tar.bz2
diff --git a/.gnupg2.metadata b/.gnupg2.metadata
new file mode 100644
index 0000000..24b6425
--- /dev/null
+++ b/.gnupg2.metadata
@@ -0,0 +1 @@
+9ba9ee288e9bf813e0f1e25cbe06b58d3072d8b8 SOURCES/gnupg-2.0.22.tar.bz2
diff --git a/SOURCES/gnupg-2.0.18-protect-tool-env.patch b/SOURCES/gnupg-2.0.18-protect-tool-env.patch
new file mode 100644
index 0000000..e0c6c48
--- /dev/null
+++ b/SOURCES/gnupg-2.0.18-protect-tool-env.patch
@@ -0,0 +1,28 @@
+diff -u -r gnupg-2.0.18.orig/agent/protect-tool.c gnupg-2.0.18/agent/protect-tool.c
+--- gnupg-2.0.18.orig/agent/protect-tool.c	2011-07-22 14:00:44.000000000 +0200
++++ gnupg-2.0.18/agent/protect-tool.c	2012-04-10 22:42:17.397613438 +0200
+@@ -102,6 +102,7 @@
+ static int opt_status_msg;
+ static const char *opt_p12_charset;
+ static const char *opt_agent_program; 
++static session_env_t opt_session_env;
+ 
+ static char *get_passphrase (int promptno);
+ static void release_passphrase (char *pw);
+@@ -1040,6 +1041,7 @@
+ 
+   opt_homedir = default_homedir ();
+ 
++  opt_session_env = session_env_new ();
+ 
+   pargs.argc = &argc;
+   pargs.argv = &argv;
+@@ -1091,7 +1093,7 @@
+                                 opt.verbose,
+                                 opt_homedir,
+                                 opt_agent_program,
+-                                NULL, NULL, NULL);
++                                NULL, NULL, opt_session_env);
+ 
+   if (opt_prompt)
+     opt_prompt = percent_plus_unescape (opt_prompt, 0);
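Review bot: The result of `session_env_new ()` in the second inner hunk is stored in `opt_session_env` without a NULL check, and nothing in the patch releases it. If the allocation fails, the pointer is presumably NULL, so the call in the third hunk would receive the same `NULL` the old code passed and silently fall back to the pre-patch behaviour. A guard right after the assignment makes the failure visible, for example `if (!opt_session_env) log_fatal ("error allocating session environment block: %s\n", strerror (errno));`. The enclosing function starts and ends outside the hunks, so a release on an exit path that is not shown here cannot be ruled out.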
diff --git a/SOURCES/gnupg-2.0.20-insttools.patch b/SOURCES/gnupg-2.0.20-insttools.patch
new file mode 100644
index 0000000..80b796d
--- /dev/null
+++ b/SOURCES/gnupg-2.0.20-insttools.patch
@@ -0,0 +1,60 @@
+diff -up gnupg-2.0.20/tools/Makefile.am.insttools gnupg-2.0.20/tools/Makefile.am
+--- gnupg-2.0.20/tools/Makefile.am.insttools	2013-05-10 14:55:49.000000000 +0200
++++ gnupg-2.0.20/tools/Makefile.am	2013-05-28 11:30:22.711552140 +0200
+@@ -36,8 +36,8 @@ sbin_SCRIPTS = addgnupghome applygnupgde
+ 
+ bin_SCRIPTS = gpgsm-gencert.sh
+ if HAVE_USTAR
+-# bin_SCRIPTS += gpg-zip
+-noinst_SCRIPTS = gpg-zip
++bin_SCRIPTS += gpg-zip
++#noinst_SCRIPTS = gpg-zip
+ endif
+ 
+ if BUILD_SYMCRYPTRUN
+@@ -53,7 +53,7 @@ else
+ endif
+ 
+ 
+-bin_PROGRAMS = gpgconf gpg-connect-agent gpgkey2ssh ${symcryptrun} ${gpgtar}
++bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} ${gpgtar} gpgsplit
+ if !HAVE_W32_SYSTEM
+ bin_PROGRAMS += watchgnupg gpgparsemail
+ endif
+@@ -62,7 +62,7 @@ if !DISABLE_REGEX
+ libexec_PROGRAMS = gpg-check-pattern
+ endif
+ 
+-noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgsplit
++noinst_PROGRAMS = clean-sat mk-tdata make-dns-cert gpgkey2ssh
+ 
+ common_libs = $(libcommon) ../jnlib/libjnlib.a ../gl/libgnu.a
+ pwquery_libs = ../common/libsimple-pwquery.a
+diff -up gnupg-2.0.20/tools/Makefile.in.insttools gnupg-2.0.20/tools/Makefile.in
+--- gnupg-2.0.20/tools/Makefile.in.insttools	2013-05-10 15:56:30.000000000 +0200
++++ gnupg-2.0.20/tools/Makefile.in	2013-05-28 11:29:48.556819325 +0200
+@@ -107,12 +107,12 @@ DIST_COMMON = $(srcdir)/Makefile.am $(sr
+ @GNUPG_PROTECT_TOOL_PGM_TRUE@am__append_6 = -DGNUPG_DEFAULT_PROTECT_TOOL="\"@GNUPG_PROTECT_TOOL_PGM@\""
+ @HAVE_W32_SYSTEM_TRUE@am__append_7 = gpg-connect-agent-w32info.o
+ bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \
+-	gpgkey2ssh$(EXEEXT) $(am__EXEEXT_1) $(am__EXEEXT_2) \
+-	$(am__EXEEXT_3)
++	$(am__EXEEXT_1) $(am__EXEEXT_2) \
++	$(am__EXEEXT_3) gpgsplit$(EXEEXT)
+ @HAVE_W32_SYSTEM_FALSE@am__append_8 = watchgnupg gpgparsemail
+ @DISABLE_REGEX_FALSE@libexec_PROGRAMS = gpg-check-pattern$(EXEEXT)
+ noinst_PROGRAMS = clean-sat$(EXEEXT) mk-tdata$(EXEEXT) \
+-	make-dns-cert$(EXEEXT) gpgsplit$(EXEEXT)
++	make-dns-cert$(EXEEXT) gpgkey2ssh$(EXEEXT)
+ subdir = tools
+ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+ am__aclocal_m4_deps = $(top_srcdir)/gl/m4/absolute-header.m4 \
+@@ -488,7 +488,7 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER
+ sbin_SCRIPTS = addgnupghome applygnupgdefaults
+ bin_SCRIPTS = gpgsm-gencert.sh
+ # bin_SCRIPTS += gpg-zip
+-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
++@HAVE_USTAR_TRUE@bin_SCRIPTS += gpg-zip
+ @BUILD_SYMCRYPTRUN_FALSE@symcryptrun = 
+ @BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun
+ @BUILD_GPGTAR_FALSE@gpgtar = 
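Review bot: The generated `tools/Makefile.in` is edited by hand next to `tools/Makefile.am`, and the two edits are not the same shape. The `Makefile.in` hunk at line 488 writes `@HAVE_USTAR_TRUE@bin_SCRIPTS += gpg-zip`, which automake would presumably express through an `am__append_N` variable instead, and it keeps the stale `# bin_SCRIPTS += gpg-zip` comment directly above. A later regeneration would therefore yield a different file from the one reviewed and built here. Patching only `Makefile.am` and regenerating during the build would keep them in step; failing that, the patch header should state that `Makefile.in` was hand-edited to match.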
diff --git a/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch b/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch
new file mode 100644
index 0000000..ad80887
--- /dev/null
+++ b/SOURCES/gnupg-2.0.20-ocsp-keyusage.patch
@@ -0,0 +1,17 @@
+diff -up gnupg-2.0.20/sm/certlist.c.keyusage gnupg-2.0.20/sm/certlist.c
+--- gnupg-2.0.20/sm/certlist.c.keyusage	2013-05-10 14:55:49.000000000 +0200
++++ gnupg-2.0.20/sm/certlist.c	2013-05-15 14:15:57.420276618 +0200
+@@ -146,10 +146,9 @@ cert_usage_p (ksba_cert_t cert, int mode
+ 
+   if (mode == 5)
+     {
+-      if (use != ~0 
+-          && (have_ocsp_signing
+-              || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+-                         |KSBA_KEYUSAGE_CRL_SIGN))))
++      if (have_ocsp_signing
++          || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
++                     |KSBA_KEYUSAGE_CRL_SIGN)))
+         return 0;
+       log_info (_("certificate should not have "
+                   "been used for OCSP response signing\n"));
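Review bot: Dropping the `use != ~0` test in the `mode == 5` branch widens acceptance further than the changelog entry ("do not reject OCSP signing certs without keyUsage") describes. The removed test suggests `use` is set to `~0` when the certificate has no keyUsage extension; that assignment is outside the hunk. If so, `use & (KSBA_KEYUSAGE_KEY_CERT_SIGN|KSBA_KEYUSAGE_CRL_SIGN)` is non-zero for every such certificate, and it passes even when `have_ocsp_signing` is false. Keeping the guard on the keyUsage arm only would accept OCSP-signing certificates without keyUsage and still reject ones that carry neither: `if (have_ocsp_signing || (use != ~0 && (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN|KSBA_KEYUSAGE_CRL_SIGN))))`. Whether CA certificates without keyUsage must also be accepted as direct OCSP signers should be confirmed against the bug report.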
diff --git a/SOURCES/gnupg-2.0.20-secmem.patch b/SOURCES/gnupg-2.0.20-secmem.patch
new file mode 100644
index 0000000..9b115d6
--- /dev/null
+++ b/SOURCES/gnupg-2.0.20-secmem.patch
@@ -0,0 +1,33 @@
+diff -up gnupg-2.0.20/g10/gpg.c.secmem gnupg-2.0.20/g10/gpg.c
+--- gnupg-2.0.20/g10/gpg.c.secmem	2013-05-10 14:55:46.000000000 +0200
++++ gnupg-2.0.20/g10/gpg.c	2013-05-15 14:13:50.989541530 +0200
+@@ -794,7 +794,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
+@@ -898,7 +898,7 @@ build_list (const char *text, char lette
+   char *string;
+ 
+   if (maybe_setuid)
+-    gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++    gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+ 
+   indent = utf8_charcount (text);
+   len = 0;
+diff -up gnupg-2.0.20/sm/gpgsm.c.secmem gnupg-2.0.20/sm/gpgsm.c
+--- gnupg-2.0.20/sm/gpgsm.c.secmem	2013-05-10 14:55:49.000000000 +0200
++++ gnupg-2.0.20/sm/gpgsm.c	2013-05-15 14:11:18.819249598 +0200
+@@ -493,7 +493,7 @@ make_libversion (const char *libname, co
+ 
+   if (maybe_setuid)
+     {
+-      gcry_control (GCRYCTL_INIT_SECMEM, 0, 0);  /* Drop setuid. */
++      gcry_control (GCRYCTL_INIT_SECMEM, 4096, 0);  /* Drop setuid. */
+       maybe_setuid = 0;
+     }
+   s = getfnc (NULL);
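Review bot: The comment `/* Drop setuid. */` no longer describes the call at any of the three changed sites (g10/gpg.c at 794 and 898, sm/gpgsm.c at 493), because a non-zero size now also requests a secure-memory pool. The literal `4096` is repeated with no explanation; the reason appears only in the spec changelog ("initialize small amount of secmem for list of algorithms in help", needed in libgcrypt FIPS mode). I would change the comment at each site to something like `/* Drop setuid; small pool needed to list algorithms in FIPS mode. */`. The return value of `gcry_control` is ignored at all three sites, so a failed pool setup goes unnoticed; it is worth confirming that this is acceptable on the help and version paths.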
diff --git a/SOURCES/gnupg-2.0.22-cve-2018-12020.patch b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch
new file mode 100644
index 0000000..7ea32a2
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-cve-2018-12020.patch
@@ -0,0 +1,16 @@
+diff -up gnupg-2.0.22/g10/mainproc.c.sanitize-filename gnupg-2.0.22/g10/mainproc.c
+--- gnupg-2.0.22/g10/mainproc.c.sanitize-filename	2016-03-24 12:57:29.280170800 +0100
++++ gnupg-2.0.22/g10/mainproc.c	2018-06-21 13:42:53.448177540 +0200
+@@ -631,7 +631,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
+ 	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
+     else if( opt.verbose )
+-	log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name);
++      {
++	char *tmp = make_printable_string (pt->name, pt->namelen, 0);
++	log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
++	xfree (tmp);
++      }
+     free_md_filter_context( &c->mfx );
+     if (gcry_md_open (&c->mfx.md, 0, 0))
+       BUG ();
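Review bot: The new block in `proc_plaintext` has no comment saying why `pt->name` is passed through `make_printable_string` before logging, so the sanitisation could be "simplified" away later. The name field comes from the processed message and is attacker-controlled, so the reason should be recorded at the call site, for example `/* pt->name is taken from the message: escape control characters so it cannot inject lines into the log or status output. */`. The `%.*s` with `(int)strlen (tmp)` is redundant for a NUL-terminated string but keeps the translated format string unchanged, which is also worth a short remark. Other places that print `pt->name` are outside this hunk and should be checked for the same treatment.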
diff --git a/SOURCES/gnupg-2.0.22-fips-algo.patch b/SOURCES/gnupg-2.0.22-fips-algo.patch
new file mode 100644
index 0000000..450d92b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-fips-algo.patch
@@ -0,0 +1,78 @@
+diff -up gnupg-2.0.22/g10/encode.c.fips gnupg-2.0.22/g10/encode.c
+--- gnupg-2.0.22/g10/encode.c.fips	2013-10-04 14:32:53.000000000 +0200
++++ gnupg-2.0.22/g10/encode.c	2013-10-11 10:35:29.779420279 +0200
+@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
+ 		if( efx->cfx.dek->algo == -1 ) {
+                     /* because 3DES is implicitly in the prefs, this can only
+                      * happen if we do not have any public keys in the list */
+-		    efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
++		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
+                 }
+ 
+                 /* In case 3DES has been selected, print a warning if
+diff -up gnupg-2.0.22/g10/gpg.c.fips gnupg-2.0.22/g10/gpg.c
+--- gnupg-2.0.22/g10/gpg.c.fips	2013-10-11 10:35:29.775420188 +0200
++++ gnupg-2.0.22/g10/gpg.c	2013-10-11 10:35:29.780420301 +0200
+@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
+     opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
+     opt.s2k_mode = 3; /* iterated+salted */
+     opt.s2k_count = 0; /* Auto-calibrate when needed.  */
+-    opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
++    opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
+     opt.completes_needed = 1;
+     opt.marginals_needed = 3;
+     opt.max_cert_depth = 5;
+diff -up gnupg-2.0.22/g10/mainproc.c.fips gnupg-2.0.22/g10/mainproc.c
+--- gnupg-2.0.22/g10/mainproc.c.fips	2013-10-04 15:00:22.000000000 +0200
++++ gnupg-2.0.22/g10/mainproc.c	2016-03-24 12:52:24.463174830 +0100
+@@ -696,9 +696,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ 	   often.  There is no good way to specify what algorithms to
+ 	   use in that case, so these three are the historical
+ 	   answer. */
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
++	if( !gcry_fips_mode_active() )
++	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ 	gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
++	if( !gcry_fips_mode_active() )
++	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+       }
+     if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
+ 	/* This is a kludge to work around a bug in pgp2.  It does only
+@@ -2160,24 +2162,30 @@ proc_tree( CTX c, KBNODE node )
+ 	else if( !c->any.data ) {
+ 	    /* detached signature */
+ 	    free_md_filter_context( &c->mfx );
+-            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
+-              BUG ();
++            if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
++               log_error("Digest algorithm not available probably due to FIPS mode.\n");
++               return;
++	    }
+ 
+ 	    if( !opt.pgp2_workarounds )
+ 		;
+ 	    else if( sig->digest_algo == DIGEST_ALGO_MD5
+ 		     && is_RSA( sig->pubkey_algo ) ) {
+ 		/* enable a workaround for a pgp2 bug */
+-                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
+-                  BUG ();
++                if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
++                   log_error("Digest algorithm not available probably due to FIPS mode.\n");
++                   return;
++	        }
+ 	    }
+ 	    else if( sig->digest_algo == DIGEST_ALGO_SHA1
+ 		     && sig->pubkey_algo == PUBKEY_ALGO_DSA
+ 		     && sig->sig_class == 0x01 ) {
+ 		/* enable the workaround also for pgp5 when the detached
+ 		 * signature has been created in textmode */
+-              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
+-                BUG ();
++              if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
++                 log_error("Digest algorithm not available.\n");
++                 return;
++	      }
+ 	    }
+ #if 0 /* workaround disabled */
+ 	    /* Here we have another hack to work around a pgp 2 bug
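Review bot: The three `gcry_md_open` failures in the `proc_tree` hunk now `return` after `log_error`, so a detached signature whose digest cannot be opened never reaches verification. Whether callers and status-fd consumers still get an explicit failure for that signature is not visible here and should be confirmed. The messages guess at the cause ("probably due to FIPS mode") for what may be any libgcrypt error, are not wrapped in `_()`, and the third one is worded differently from the first two. Keeping the error code in a local `gpg_error_t err` and printing it would be more precise, e.g. `if ((err = gcry_md_open (&c->mfx.md, sig->digest_algo, 0))) { log_error (_("can't open digest algorithm %d: %s\n"), sig->digest_algo, gpg_strerror (err)); return; }`. `proc_tree` begins and ends outside the hunk.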
diff --git a/SOURCES/gnupg-2.0.22-rsa-es.patch b/SOURCES/gnupg-2.0.22-rsa-es.patch
new file mode 100644
index 0000000..73c7f0b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-rsa-es.patch
@@ -0,0 +1,21 @@
+diff -up gnupg-2.0.22/g10/misc.c.bz1233182 gnupg-2.0.22/g10/misc.c
+--- gnupg-2.0.22/g10/misc.c.bz1233182	2015-06-17 13:15:32.930000000 +0200
++++ gnupg-2.0.22/g10/misc.c	2015-06-19 13:56:28.246000000 +0200
+@@ -421,6 +421,8 @@ openpgp_cipher_algo_name (int algo)
+ int
+ map_pk_openpgp_to_gcry (int algo)
+ {
++  if (is_RSA (algo))
++    return (GCRY_PK_RSA);
+   switch (algo)
+     {
+     case PUBKEY_ALGO_ECDSA: return 301 /*GCRY_PK_ECDSA*/;
+@@ -1417,7 +1419,7 @@ pubkey_nbits( int algo, gcry_mpi_t *key
+ 			      "(public-key(elg(p%m)(g%m)(y%m)))",
+ 				  key[0], key[1], key[2] );
+     }
+-    else if( algo == GCRY_PK_RSA ) {
++    else if( is_RSA (algo) ) {
+ 	rc = gcry_sexp_build ( &sexp, NULL,
+ 			      "(public-key(rsa(n%m)(e%m)))",
+ 				  key[0], key[1] );
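Review bot: The `is_RSA (algo)` test added ahead of the `switch` in `map_pk_openpgp_to_gcry` sits outside the mapping table the function already uses and has no comment explaining it. Going by the changelog ("allow import of RSA-E and RSA-S keys"), it presumably folds the encrypt-only and sign-only RSA ids into plain RSA. A comment such as `/* RSA-E and RSA-S are ordinary RSA keys as far as libgcrypt is concerned. */` would record that. Since the usage restriction carried by those ids is dropped at this mapping, it is worth confirming that key-usage checks elsewhere still work on the OpenPGP algorithm id rather than on the mapped value. The same applies to the `pubkey_nbits` hunk, whose function body continues outside the hunk.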
diff --git a/SOURCES/gnupg-2.0.22.tar.bz2.sig b/SOURCES/gnupg-2.0.22.tar.bz2.sig
new file mode 100644
index 0000000..23b7bdd
Binary files /dev/null and b/SOURCES/gnupg-2.0.22.tar.bz2.sig differ
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
new file mode 100644
index 0000000..38cdc42
--- /dev/null
+++ b/SPECS/gnupg2.spec
@@ -0,0 +1,572 @@
+Summary: Utility for secure communication and data storage
+Name:    gnupg2
+Version: 2.0.22
+Release: 5%{?dist}
+
+License: GPLv3+
+Group:   Applications/System
+Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
+Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
+# svn export svn://cvs.gnupg.org/gnupg/trunk gnupg2; tar cjf gnupg-<date>svn.tar.bz2 gnupg2
+#Source0: gnupg2-20090809svn.tar.bz2
+Patch1:  gnupg-2.0.20-insttools.patch
+Patch3:  gnupg-2.0.20-secmem.patch
+Patch4:  gnupg-2.0.18-protect-tool-env.patch
+Patch5:  gnupg-2.0.20-ocsp-keyusage.patch
+Patch6:  gnupg-2.0.22-fips-algo.patch
+Patch7:  gnupg-2.0.22-rsa-es.patch
+Patch8:  gnupg-2.0.22-cve-2018-12020.patch
+
+URL:     http://www.gnupg.org/
+
+#BuildRequires: automake libtool texinfo transfig
+BuildRequires: bzip2-devel
+BuildRequires: curl-devel
+BuildRequires: docbook-utils
+BuildRequires: gettext
+BuildRequires: libassuan-devel >= 2.0.0
+BuildRequires: libgcrypt-devel >= 1.4
+BuildRequires: libgpg-error-devel => 1.4
+BuildRequires: libksba-devel >= 1.0.2
+BuildRequires: openldap-devel
+BuildRequires: libusb-devel
+BuildRequires: pcsc-lite-libs
+BuildRequires: pth-devel
+BuildRequires: readline-devel ncurses-devel
+BuildRequires: zlib-devel
+
+Requires(post): /sbin/install-info
+Requires(postun): /sbin/install-info
+Requires: pinentry
+
+%if 0%{?rhel} > 5
+# pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
+Provides: gpg = %{version}-%{release}
+# Obsolete GnuPG-1 package
+Provides: gnupg = %{version}-%{release}
+Obsoletes: gnupg <= 1.4.10
+%endif
+
+%package smime
+Summary: CMS encryption and signing tool and smart card support for GnuPG
+Requires: gnupg2 = %{version}-%{release}
+Group: Applications/Internet
+
+
+%description
+GnuPG is GNU's tool for secure communication and data storage.  It can
+be used to encrypt data and to create digital signatures.  It includes
+an advanced key management facility and is compliant with the proposed
+OpenPGP Internet standard as described in RFC2440 and the S/MIME
+standard as described by several RFCs.
+
+GnuPG 2.0 is a newer version of GnuPG with additional support for
+S/MIME.  It has a different design philosophy that splits
+functionality up into several modules. The S/MIME and smartcard functionality
+is provided by the gnupg2-smime package.
+
+%description smime
+GnuPG is GNU's tool for secure communication and data storage. This
+package adds support for smart cards and S/MIME encryption and signing
+to the base GnuPG package 
+
+%prep
+%setup -q -n gnupg-%{version}
+
+%if 0%{?rhel} > 5
+%patch1 -p1 -b .insttools
+%endif
+%patch3 -p1 -b .secmem
+%patch4 -p1 -b .ptool-env
+%patch5 -p1 -b .keyusage
+%patch6 -p1 -b .fips
+%patch7 -p1 -b .rsa-es
+%patch8 -p1 -b .sanitize-filename
+
+# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
+# Note: this is just the name of the default shared lib to load in scdaemon,
+# it can use other implementations too (including non-pcsc ones).
+%global pcsclib %(basename $(ls -1 %{_libdir}/libpcsclite.so.? 2>/dev/null ) 2>/dev/null )
+
+sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/{scdaemon,pcsc-wrapper}.c
+
+
+%build
+
+%configure \
+  --disable-rpath \
+  --enable-standard-socket
+
+# need scratch gpg database for tests
+mkdir -p $HOME/.gnupg
+
+make %{?_smp_mflags}
+
+
+%install
+make install DESTDIR=%{buildroot} \
+  INSTALL="install -p" \
+  docdir=%{_docdir}/%{name}-%{version}
+
+%if ! (0%{?rhel} > 5)
+# drop file conflicting with gnupg-1.x
+rm -f %{buildroot}%{_mandir}/man1/gpg-zip.1*
+%endif
+
+%find_lang %{name}
+
+# gpgconf.conf
+mkdir -p %{buildroot}%{_sysconfdir}/gnupg
+touch %{buildroot}%{_sysconfdir}/gnupg/gpgconf.conf
+
+# more docs
+install -m644 -p AUTHORS COPYING ChangeLog NEWS THANKS TODO \
+  %{buildroot}%{_docdir}/%{name}-%{version}/
+
+%if 0%{?rhel} > 5
+# compat symlinks
+ln -sf gpg2 %{buildroot}%{_bindir}/gpg
+ln -sf gpgv2 %{buildroot}%{_bindir}/gpgv
+ln -sf gpg2.1 %{buildroot}%{_mandir}/man1/gpg.1
+ln -sf gpgv2.1 %{buildroot}%{_mandir}/man1/gpgv.1
+%endif
+
+# info dir
+rm -f %{buildroot}%{_infodir}/dir
+
+
+%check
+# need scratch gpg database for tests
+mkdir -p $HOME/.gnupg
+# we skip the test on ppc as it hangs and we do not ship gnupg2
+# as multilib anyway
+%ifnarch ppc
+make -k check
+%endif
+
+%post
+/sbin/install-info %{_infodir}/gnupg.info %{_infodir}/dir ||:
+
+%preun
+if [ $1 -eq 0 ]; then
+  /sbin/install-info --delete %{_infodir}/gnupg.info %{_infodir}/dir ||:
+fi
+
+
+%files -f %{name}.lang
+%defattr(-,root,root,-)
+#doc AUTHORS COPYING ChangeLog NEWS README THANKS TODO
+%{_docdir}/%{name}-%{version}/
+%dir %{_sysconfdir}/gnupg
+%ghost %config(noreplace) %{_sysconfdir}/gnupg/gpgconf.conf
+## docs say to install suid root, but fedora/rh security folk say not to
+#attr(4755,root,root) %{_bindir}/gpg2
+%{_bindir}/gpg2
+%{_bindir}/gpgv2
+%{_bindir}/gpg-connect-agent
+%{_bindir}/gpg-agent
+%{_bindir}/gpgconf
+%{_bindir}/gpgparsemail
+%if 0%{?rhel} > 5
+%{_bindir}/gpg
+%{_bindir}/gpgv
+%{_bindir}/gpgsplit
+%{_bindir}/gpg-zip
+%else
+%{_bindir}/gpgkey2ssh
+%endif
+%{_bindir}/watchgnupg
+%{_sbindir}/*
+%{_datadir}/gnupg/
+%{_libexecdir}/*
+%{_infodir}/*.info*
+%{_mandir}/man?/*
+%exclude %{_datadir}/gnupg/com-certs.pem
+%exclude %{_mandir}/man?/gpgsm*
+%exclude %{_mandir}/man?/scdaemon*
+%exclude %{_libexecdir}/scdaemon
+
+%files smime
+%defattr(-,root,root,-)
+%{_bindir}/gpgsm*
+%{_bindir}/kbxutil
+%{_libexecdir}/scdaemon
+%{_mandir}/man?/gpgsm*
+%{_mandir}/man?/scdaemon*
+%{_datadir}/gnupg/com-certs.pem
+
+
+%changelog
+* Thu Jun 21 2018 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-5
+- fix CVE-2018-12020 - missing sanitization of original filename
+
+* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
+- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
+- do not abort when missing hash algorithm in FIPS mode (#1078962)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.22-3
+- Mass rebuild 2014-01-24
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 2.0.22-2
+- Mass rebuild 2013-12-27
+
+* Thu Oct 10 2013 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-1
+- new upstream release fixing CVE-2013-4402 and CVE-2013-4351
+
+* Fri Aug 23 2013 Tomáš Mráz <tmraz@redhat.com> - 2.0.21-1
+- new upstream release
+
+* Wed May 15 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.20-1
+- new upstream release
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan  2 2013 Tomas Mraz <tmraz@redhat.com> - 2.0.19-7
+- fix CVE-2012-6085 - skip invalid key packets (#891142)
+
+* Thu Nov 22 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-6
+- use AES as default crypto algorithm in FIPS mode (#879047)
+
+* Fri Nov 16 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 2.0.19-5
+- rebuild for <f18 (#877106)
+
+* Fri Jul 27 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-4
+- fix negated condition (#843842)
+
+* Thu Jul 26 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-3
+- add compat symlinks and provides if built on RHEL
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.19-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Tue Apr 24 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-1
+- new upstream release
+- set environment in protect-tool (#548528)
+- do not reject OCSP signing certs without keyUsage (#720174)
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.18-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Wed Oct 12 2011 Rex Dieter <rdieter@fedoraproject.org> 2.0.18-2
+- build with --enable-standard-socket
+
+* Wed Aug 17 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.18-1
+- new upstream release (#728481)
+
+* Mon Jul 25 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.17-2
+- fix a bug that shows up with the new libgcrypt release (#725369)
+
+* Thu Jan 20 2011 Tomas Mraz <tmraz@redhat.com> - 2.0.17-1
+- new upstream release (#669611)
+
+* Tue Aug 17 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.16-3
+- drop the provides/obsoletes for gnupg
+- drop the man page file conflicting with gnupg-1.x
+
+* Fri Aug 13 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.16-2
+- drop the compat symlinks as gnupg-1.x is revived
+
+* Tue Jul 27 2010 Rex Dieter <rdieter@fedoraproject.org> - 2.0.16-1
+- gnupg-2.0.16
+
+* Fri Jul 23 2010 Rex Dieter <rdieter@fedoraproject.org> - 2.0.14-4
+- gpgsm realloc patch (#617706)
+
+* Fri Jun 18 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-3
+- initialize small amount of secmem for list of algorithms in help (#598847)
+  (necessary in the FIPS mode of libgcrypt)
+
+* Tue Feb  9 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-2
+- disable selinux support - it is too rudimentary and restrictive (#562982)
+
+* Mon Jan 11 2010 Tomas Mraz <tmraz@redhat.com> - 2.0.14-1
+- new upstream version
+- fix a few tests so they do not need to execute gpg-agent
+
+* Tue Dec  8 2009 Michael Schwendt <mschwendt@fedoraproject.org> - 2.0.13-4
+- Explicitly BR libassuan-static in accordance with the Packaging
+  Guidelines (libassuan-devel is still static-only).
+
+* Fri Oct 23 2009 Tomas Mraz <tmraz@redhat.com> - 2.0.13-3
+- drop s390 specific ifnarchs as all the previously missing dependencies
+  are now there
+- split out gpgsm into a smime subpackage to reduce main package dependencies
+
+* Wed Oct 21 2009 Tomas Mraz <tmraz@redhat.com> - 2.0.13-2
+- provide/obsolete gnupg-1 and add compat symlinks to be able to drop
+  gnupg-1
+
+* Fri Sep 04 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.13-1
+- gnupg-2.0.13
+- Unable to use gpg-agent + input methods (#228953)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Wed Jun 17 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.12-1
+- gnupg-2.0.12
+
+* Wed Mar 04 2009 Rex Dieter <rdieter@fedoraproject.org> - 2.0.11-1
+- gnupg-2.0.11
+
+* Tue Feb 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Sat Jan 31 2009 Karsten Hopp <karsten@redhat.com> 2.0.10-1
+- don't require pcsc-lite-libs and libusb on mainframe where
+  we don't have those packages as there's no hardware for that
+
+* Tue Jan 13 2009 Rex Dieter <rdieter@fedoraproject.org> 2.0.10-1
+- gnupg-2.0.10
+
+* Mon Aug 04 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.9-3
+- workaround rpm quirks 
+
+* Sat May 24 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.9-2
+- Patch from upstream to fix curl 7.18.1+ and gcc4.3+ compile error
+
+* Mon May 19 2008 Tom "spot" Callaway <tcallawa@redhat.com> 2.0.9-1.1
+- minor release bump for sparc rebuild
+
+* Wed Mar 26 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.9-1
+- gnupg2-2.0.9
+- drop Provides: openpgp
+- versioned Provides: gpg
+- own %%_sysconfdir/gnupg
+
+* Fri Feb 08 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.8-3 
+- respin (gcc43)
+
+* Wed Jan 23 2008 Rex Dieter <rdieter@fedoraproject.org> 2.0.8-2
+- avoid kde-filesystem dep (#427316)
+
+* Thu Dec 20 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.8-1
+- gnupg2-2.0.8
+
+* Mon Dec 17 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.8-0.1.rc1
+- gnupg2-2.0.8rc1
+
+* Tue Dec 04 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-5
+- respin for openldap
+
+* Mon Nov 12 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-4
+- Requires: kde-filesystem (#377841)
+
+* Wed Oct 03 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-3
+- %%build: (re)add mkdir -p $HOME/.gnupg
+
+* Wed Oct 03 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-2
+- Requires: dirmngr (#312831)
+
+* Mon Sep 10 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.7-1
+- gnupg-2.0.7
+
+* Fri Aug 24 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.6-2
+- respin (libassuan)
+
+* Thu Aug 16 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.6-1
+- gnupg-2.0.6
+- License: GPLv3+
+
+* Thu Aug 02 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-4
+- License: GPLv3
+
+* Mon Jul 16 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-3
+- 2.0.5 too many open files fix
+
+* Fri Jul 06 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.5-2
+- gnupg-2.0.5
+- gpg-agent not restarted after kde session crash/killed (#196327)
+- BR: libassuan-devel > 1.0.2, libksba-devel > 1.0.2
+
+* Fri May 18 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.4-1
+- gnupg-2.0.4
+
+* Thu Mar 08 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.3-1
+- gnupg-2.0.3
+
+* Fri Feb 02 2007 Rex Dieter <rdieter[AT]fedoraproject.org> 2.0.2-1
+- gnupg-2.0.2
+
+* Wed Dec 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-2
+- CVE-2006-6235 (#219934)
+
+* Wed Nov 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-1
+- gnupg-2.0.1
+- CVE-2006-6169 (#217950)
+
+* Sat Nov 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.1-0.3.rc1
+- gnupg-2.0.1rc1 
+
+* Thu Nov 16 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-4
+- update %%description
+- drop dearmor patch
+
+* Mon Nov 13 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-3
+- BR: libassuan-static >= 1.0.0
+
+* Mon Nov 13 2006 Rex Dieter <rexdieter[AT]users.sf.net> 2.0.0-2
+- gnupg-2.0.0
+
+* Fri Nov 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-3
+- upstream 64bit patch
+
+* Mon Nov 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-2
+- fix (more) file conflicts with gnupg
+
+* Mon Nov 06 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.95-1
+- 1.9.95
+
+* Wed Oct 25 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.94-1
+- 1.9.94
+
+* Wed Oct 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.93-1
+- 1.9.93
+
+* Wed Oct 11 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.92-2
+- fix file conflicts with gnupg
+
+* Wed Oct 11 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.92-1
+- 1.9.92
+
+* Tue Oct 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-4
+- make check ||: (apparently checks return err even on success?)
+
+* Tue Oct 10 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-3
+- --enable-selinux-support
+- x86_64: --disable-optimization (to avoid gpg2 segfaults), for now
+
+* Thu Oct 05 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.91-1
+- 1.9.91
+
+* Wed Oct 04 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-8
+- respin
+
+* Tue Sep 26 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.90-1
+- 1.9.90 (doesn't build, not released)
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.23-1
+- 1.9.23 (doesn't build, not released)
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-7
+- gpg-agent-startup.sh: fix case where valid .gpg-agent-info exists
+
+* Mon Sep 18 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-6
+- fix "syntax error in gpg-agent-startup.sh" (#206887)
+
+* Thu Sep 07 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-3
+- fc6 respin (for libksba-1.0)
+
+* Tue Aug 29 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-2
+- fc6 respin
+
+* Fri Jul 28 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.22-1
+- 1.9.22
+
+* Thu Jun 22 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.21-3
+- fix "gpg-agent not restarted after kde session crash/killed (#196327)
+
+* Thu Jun 22 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.21-2
+- 1.9.21
+- omit gpg2 binary to address CVS-2006-3082 (#196190)
+
+* Mon Mar  6 2006 Ville Skyttä <ville.skytta at iki.fi>> 1.9.20-3
+- Don't hardcode pcsc-lite lib name (#184123)
+
+* Thu Feb 16 2006 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.20-2
+- fc4+: use /etc/kde/(env|shutdown) for scripts (#175744)
+
+* Fri Feb 10 2006 Rex Dieter <rexdieter[AT]users.sf.net>
+- fc5: gcc/glibc respin
+
+* Tue Dec 20 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.20-1
+- 1.9.20
+
+* Thu Dec 01 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-8
+- include gpg-agent-(startup|shutdown) scripts (#136533)
+- BR: libksba-devel >= 1.9.12 
+- %%check: be permissive about failures (for now)
+
+* Wed Nov 30 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-3
+- BR: libksba-devel >= 1.9.13
+
+* Tue Oct 11 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-2
+- back to BR: libksba-devel = 1.9.11
+
+* Tue Oct 11 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.19-1
+- 1.9.19
+
+* Fri Aug 26 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-9
+- configure: NEED_KSBA_VERSION=0.9.12 -> 0.9.11
+
+* Fri Aug 26 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-7
+- re-enable 'make check', rebuild against (older) libksba-0.9.11
+
+* Tue Aug  9 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-6
+- don't 'make check' by default (regular builds pass, but FC4/5+plague fails)
+
+* Mon Aug  8 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.18-5
+- 1.9.18
+- drop pth patch (--enable-gpg build fixed)
+- update description (from README)
+
+* Fri Jul  1 2005 Ville Skyttä <ville.skytta at iki.fi> - 1.9.17-1
+- 1.9.17, signal info patch applied upstream (#162264).
+- Patch to fix lvalue build error with gcc4 (upstream #485).
+- Patch scdaemon and pcsc-wrapper to load the versioned (non-devel)
+  pcsc-lite lib by default.
+
+* Fri May 13 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.16-3
+- Include upstream's patch for signal.c.
+
+* Tue May 10 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.16-1
+- Merge changes from Rex's 1.9.16-1 (Thu Apr 21):
+-   opensc support unconditional
+-   remove hard-coded .gz from %%post/%%postun
+-   add %%check section
+-   add pth patch
+- Put back patch modified from 1.9.15-4 to make tests verbose
+  and change signal.c to describe received signals better.
+
+* Sun May  8 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- Drop patch0 again.
+
+* Sun May  8 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 1.9.15-4
+- Add patch0 temporarily to get some output from failing test.
+
+* Sat May  7 2005 David Woodhouse <dwmw2@infradead.org> 1.9.15-3
+- Rebuild.
+
+* Thu Apr  7 2005 Michael Schwendt <mschwendt[AT]users.sf.net>
+- rebuilt
+
+* Tue Feb  1 2005 Michael Schwendt <mschwendt[AT]users.sf.net> - 0:1.9.15-1
+- Make install-info in scriptlets less noisy.
+
+* Tue Jan 18 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.15-0.fdr.1
+- 1.9.15
+
+* Fri Jan 07 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.14-0.fdr.2
+- note patch/hack to build against older ( <1.0) libgpg-error-devel
+
+* Thu Jan 06 2005 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.14-0.fdr.1
+- 1.9.14
+- enable opensc support
+- BR: libassuan-devel >= 0.6.9
+
+* Thu Oct 21 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.4
+- remove suid.
+
+* Thu Oct 21 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.3
+- remove Provides: newpg
+
+* Wed Oct 20 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.2
+- Requires: pinentry
+- gpg2 suid
+- update description
+
+* Tue Oct 19 2004 Rex Dieter <rexdieter[AT]users.sf.net> 1.9.11-0.fdr.1
+- first try
+- leave out opensc support (for now), enable --with-opensc
+