gnupg24: add freepg patches

Add patches to GnuPG 2.4 from FreePG, a common resource for GnuPG
downstream packagers to track, maintain, and apply commonly-used patches
for GnuPG that have been refused by upstream.

https://gitlab.com/freepg/gnupg/

pkgs/tools/security/gnupg/24.nix

@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchurl,
+  fetchFromGitLab,
   buildPackages,
   pkg-config,
   texinfo,
@@ -68,14 +69,29 @@ stdenv.mkDerivation rec {
     ]
     ++ lib.optionals withTpm2Tss [ tpm2-tss ];
 
+  freepgPatches = fetchFromGitLab {
+    domain = "gitlab.com";
+    owner = "freepg";
+    repo = "gnupg";
+    rev = "541772915dc4ec832c37f85bc629a22051f0e8f7";
+    hash = "sha256-QOUY6EfJbTTN242BtzLojDgECGjUwbLfPJgzn/mj5L8=";
+  };
+
   patches = [
     ./fix-libusb-include-path.patch
-    ./tests-add-test-cases-for-import-without-uid.patch
-    ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
-    ./24-allow-import-of-previously-known-keys-even-without-UI.patch
-    ./24-revert-rfc4880bis-defaults.patch
-    # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27
+    # Patch for CVE-2022-3219
     ./v3-0001-Disallow-compressed-signatures-and-certificates.patch
+  ] ++ lib.map (v: "${freepgPatches}/STABLE-BRANCH-2-4-freepg/" + v) [
+      # 0001-Add-gitlab-build-toolchain.patch
+      "0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch"
+      "0003-gpg-allow-import-of-previously-known-keys-even-witho.patch"
+      "0004-tests-add-test-cases-for-import-without-uid.patch"
+      "0005-gpg-drop-import-clean-from-default-keyserver-import-.patch"
+      "0006-Do-not-use-OCB-mode-even-if-AEAD-OCB-key-preference-.patch"
+      "0007-Revert-the-introduction-of-the-RFC4880bis-draft-into.patch"
+      "0008-avoid-systemd-deprecation-warning.patch"
+      "0009-Add-systemd-support-for-keyboxd.patch"
+      "0010-doc-Remove-profile-and-systemd-example-files.patch"
   ];
 
   postPatch =