diff --git a/backport-0006-CVE-2025-30258.patch b/backport-0006-CVE-2025-30258.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71ca241df65a8bf502c0e09d8e7ddf3040b03024
--- /dev/null
+++ b/backport-0006-CVE-2025-30258.patch
@@ -0,0 +1,48 @@
+From 9b7c067717d815e16f9ea3cec88bca09a6cce7cb Mon Sep 17 00:00:00 2001
+From: Werner Koch
+Date: Fri, 2 May 2025 11:11:05 +0200
+Subject: [PATCH] gpg: Fix another regression due to the T7547 fix.
+
+* g10/getkey.c (get_pubkey_for_sig): Keep a requested
+PUBKEY_USAGE_CERT.
+(finish_lookup): For correctness in future use cases allow
+PUBKEY_USAGE_CERT to also trigger verify mode.
+--
+
+The case here was that a cert-only primary key was removed with
+export-clean.
+
+GnuPG-bug-id: 7583
+---
+ g10/getkey.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/g10/getkey.c b/g10/getkey.c
+index e3264062f..ae0e00220 100644
+--- a/g10/getkey.c
++++ b/g10/getkey.c
+@@ -341,8 +341,10 @@ get_pubkey_for_sig (ctrl_t ctrl, PKT_public_key *pk, PKT_signature *sig,
+ /* Make sure to request only keys cabable of signing. This makes
+ * sure that a subkey w/o a valid backsig or with bad usage flags
+ * will be skipped. We also request the verification mode so that
+- * expired and reoked keys are returned. */
+- pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY);
++ * expired and revoked keys are returned. We keep only a requested
++ * CERT usage in PK for the sake of key signatures. */
++ pk->req_usage = (PUBKEY_USAGE_SIG | PUBKEY_USAGE_VERIFY
++ | (pk->req_usage & PUBKEY_USAGE_CERT));
+
+ /* First try the ISSUER_FPR info. */
+ fpr = issuer_fpr_raw (sig, &fprlen);
+@@ -3736,7 +3738,7 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
+ /* The verify mode is used to change the behaviour so that we can
+ * return an expired or revoked key for signature verification. */
+ verify_mode = ((req_usage & PUBKEY_USAGE_VERIFY)
+- && (req_usage & PUBKEY_USAGE_SIG));
++ && (req_usage & (PUBKEY_USAGE_CERT|PUBKEY_USAGE_SIG)));
+
+ #define USAGE_MASK (PUBKEY_USAGE_SIG|PUBKEY_USAGE_ENC|PUBKEY_USAGE_CERT)
+ req_usage &= USAGE_MASK;
+--
+2.43.0
+
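Review bot: In the `get_pubkey_for_sig` hunk of the embedded patch, `pk->req_usage` is now read (`pk->req_usage & PUBKEY_USAGE_CERT`) before it is overwritten, so the field has become an input where the removed line treated it as output-only. Whether every caller in the 2.4.3 tree initialises `PK` before the call is not visible here; a stale CERT bit would presumably widen the lookup to certification-only keys when a data signature is being checked. I would make the contract explicit in the comment, e.g. `PK->req_usage is an input here: only PUBKEY_USAGE_CERT is honoured, so callers must initialise it.`, and confirm the call sites against this backport. Because `finish_lookup` now also enters verify mode for `PUBKEY_USAGE_CERT`, callers that request CERT with VERIFY should check expiry and revocation on the returned key themselves. Both functions start and end outside the hunks shown.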
diff --git a/gnupg2.spec b/gnupg2.spec index f243371153807e1e8051e30c162324086b16500a..d78854bdede4793b35e940f3ace0898a9422574d 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Name: gnupg2 Version: 2.4.3 -Release: 9 +Release: 10 Summary: Utility for secure communication and data storage License: GPLv3+ @@ -26,7 +26,8 @@ Patch15: backport-0002-CVE-2025-30258.patch Patch16: backport-0003-CVE-2025-30258.patch Patch17: backport-0004-CVE-2025-30258.patch Patch18: backport-0005-CVE-2025-30258.patch -Patch19: backport-gpg-Fix-double-free-of-internal-data.patch +Patch19: backport-0006-CVE-2025-30258.patch +Patch20: backport-gpg-Fix-double-free-of-internal-data.patch BuildRequires: gcc BuildRequires: autoconf automake @@ -132,6 +133,9 @@ make check %changelog +* Tue May 6 2025 yixiangzhike - 2.4.3-10 +- backport follow-up patch for CVE-2025-30258 + * Sat Apr 19 2025 zhengxiaoxiao - 2.4.3-9 - set development_version=no to mark stable builds