3 files changed, 27 insertions, 1 deletions

diff --git a/NEWS b/NEWS
index 32b12bf8e..f2d335e83 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+Noteworthy changes in version 2.2.36 (unreleased)
+-------------------------------------------------
+
+  Release-info: https://dev.gnupg.org/T5949
+
+
 Noteworthy changes in version 2.2.35 (2022-04-25)
 -------------------------------------------------
 
diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk
index d050457e6..94e663123 100644
--- a/build-aux/speedo.mk
+++ b/build-aux/speedo.mk
@@ -243,6 +243,9 @@ $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
 $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
+$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
+$(eval $(call READ_AUTOGEN_template,OSSLPKCS11ENGINE))
+$(eval $(call READ_AUTOGEN_template,SCUTEMODULE))
 
 # All files given in AUTHENTICODE_FILES are signed before
 # they are put into the installer.
@@ -1431,6 +1434,15 @@ define AUTHENTICODE_sign
         /fd sha256 /du https://gnupg.org a.exe ;\
      scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
      echo "speedo: signed file is '$(2)'" ;\
+   elif [ "$(AUTHENTICODE_KEY)" = card ]; then \
+     echo "speedo: Signing using a card";\
+     $(OSSLSIGNCODE) sign \
+       -pkcs11engine $(OSSLPKCS11ENGINE) \
+       -pkcs11module $(SCUTEMODULE) \
+       -certs $(AUTHENTICODE_CERTS) \
+       -h sha256 -n GnuPG -i https://gnupg.org \
+       -ts http://rfc3161timestamp.globalsign.com/advanced \
+       -in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
    elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
      echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
      osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
@@ -1443,6 +1455,14 @@ define AUTHENTICODE_sign
    fi
 endef
 
+# Help target for testing to sign a file.
+# Usage: make -f speedo.mk test-authenticode-sign TARGETOS=w32 FILE=foo.exe
+test-authenticode-sign:
+	(set -e; \
+	 echo "Test signining of $(FILE)" ; \
+	 $(call AUTHENTICODE_sign,"$(FILE)","$(FILE)");\
+	)
+
 
 # Build the installer from the source tarball.
 installer-from-source: dist-source
diff --git a/configure.ac b/configure.ac
index d17d76325..f4363cd96 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ min_automake_version="1.14"
 m4_define([mym4_package],[gnupg])
 m4_define([mym4_major], [2])
 m4_define([mym4_minor], [2])
-m4_define([mym4_micro], [35])
+m4_define([mym4_micro], [36])
 
 # To start a new development series, i.e a new major or minor number
 # you need to mark an arbitrary commit before the first beta release