diff --git a/net-misc/wget/Manifest b/net-misc/wget/Manifest
index e8fccc9..7053a35 100644
--- a/net-misc/wget/Manifest
+++ b/net-misc/wget/Manifest
@@ -1,2 +1,2 @@
-DIST wget-1.20.3.tar.gz 4489249 BLAKE2B 89fa7997a02be6fb1a869d1bf359ce4e43b41f8069d1520e6d0b48739b9b6030b1dec7b7e8cbe833ea1070b30f551b1a9d72c6f4a43bb58df20b680b42a68805 SHA512 e8b82b40e270296228094a78d47f81580bdbdea9e6b93fd61b37dccb39430aeb9bda5397dc53a31c952a61629383c7e2a8c8abf414c8a4dd369af6ecf2717e6c
-DIST wget-1.21.1.tar.gz 4884887 BLAKE2B 28a3044f33df1d24e13900e8018a38cabae21fb41dd2e089bdbfd759b4adee3771ab558b84f5a8b6f546bc84a3387c973903f9fe06562093d3566e22d1528587 SHA512 784efbf9fe43a1671109e32a9c36237eb2d5c19cf756bf6f6e65517fb21464d3d94b1d6f491852d23b3ddff63e38fe6b60df9125c91b139993af59875e3a0712
+DIST wget-1.21.3.tar.gz 5079864 BLAKE2B 4ff40a30cb3be82ea492d0eae324a9d43de30a0169d3b219ce25f3d667915f90c7eb1559760d1605340f112e96e028613265e0be73aaba7935c69cc06a4ae4f6 SHA512 29889ecbf590dff0f39183d9e0621741d731a554d990e5c995a4644725dca62e8e19601d40db0ef7d62ebf54e5457c7409965e4832b6e60e4ccbc9c8caa30718
+DIST wget-1.21.3.tar.gz.sig 854 BLAKE2B 71f69492397ae9e36284be9acdd1c94da34a7397c14a6de1a867c0d1e807bf961f8a2e098ab5629425691ce595227fb08f046416245fda2a6025929079f2d7c2 SHA512 b9f41496e0083545bc703c97b0758500f337527647cdc422152d7855d05351e3a62685269238c78300eafdbfaed8afecaeb988901a3d8a6b002e9fb3d70efe4f
diff --git a/net-misc/wget/files/wget-1.20.3-gcc10-fno-common.patch b/net-misc/wget/files/wget-1.20.3-gcc10-fno-common.patch
deleted file mode 100644
index 3b99f40..0000000
--- a/net-misc/wget/files/wget-1.20.3-gcc10-fno-common.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 04b7369490344d014b05dee5d48ca78cd04733ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Sat, 22 Feb 2020 13:40:50 +0100
-Subject: [PATCH] * tests/unit-tests.c: Fix 'multiple definition of...' with
- gcc 10
-
----
- tests/unit-tests.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/unit-tests.c b/tests/unit-tests.c
-index 5fae8a219..f66e5e664 100644
---- a/tests/unit-tests.c
-+++ b/tests/unit-tests.c
-@@ -37,7 +37,7 @@ as that of the covered work.  */
- 
- #include "unit-tests.h"
- 
--const char *program_argstring = "TEST";
-+extern const char *program_argstring;
- 
- static int tests_run;
- 
-@@ -69,7 +69,7 @@ all_tests(void)
-   return NULL;
- }
- 
--const char *program_name; /* Needed by lib/error.c. */
-+extern const char *program_name; /* Needed by lib/error.c. */
- 
- int
- main (int argc _GL_UNUSED, const char *argv[])
diff --git a/net-misc/wget/files/wget-1.21.3-hsts-type.patch b/net-misc/wget/files/wget-1.21.3-hsts-type.patch
new file mode 100644
index 0000000..bac1330
--- /dev/null
+++ b/net-misc/wget/files/wget-1.21.3-hsts-type.patch
@@ -0,0 +1,211 @@
+https://bugs.gentoo.org/850676
+https://git.savannah.gnu.org/cgit/wget.git/commit/?id=cb114fbbf73eb687d28b01341c8d4266ffa96c9d
+
+From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
+Date: Sun, 20 Mar 2022 12:18:20 +0100
+Subject: Fix HSTS portability by using int64_t instead of time_t.
+
+* src/hsts.c: Use int64_t instead of time_t.
+* src/http.c: Use int64_t for parsing Strict-Transport-Security.
+--- a/src/hsts.c
++++ b/src/hsts.c
+@@ -61,8 +61,8 @@ struct hsts_kh {
+ };
+ 
+ struct hsts_kh_info {
+-  time_t created;
+-  time_t max_age;
++  int64_t created;
++  int64_t max_age;
+   bool include_subdomains;
+ };
+ 
+@@ -166,7 +166,7 @@ end:
+ static bool
+ hsts_new_entry_internal (hsts_store_t store,
+                          const char *host, int port,
+-                         time_t created, time_t max_age,
++                         int64_t created, int64_t max_age,
+                          bool include_subdomains,
+                          bool check_validity,
+                          bool check_expired,
+@@ -216,21 +216,21 @@ bail:
+ static bool
+ hsts_add_entry (hsts_store_t store,
+                 const char *host, int port,
+-                time_t max_age, bool include_subdomains)
++                int64_t max_age, bool include_subdomains)
+ {
+-  time_t t = time (NULL);
++  int64_t t = (int64_t) time (NULL);
+ 
+   /* It might happen time() returned -1 */
+-  return (t == (time_t)(-1) ?
++  return (t == -1) ?
+       false :
+-      hsts_new_entry_internal (store, host, port, t, max_age, include_subdomains, false, true, false));
++      hsts_new_entry_internal (store, host, port, t, max_age, include_subdomains, false, true, false);
+ }
+ 
+ /* Creates a new entry, unless an identical one already exists. */
+ static bool
+ hsts_new_entry (hsts_store_t store,
+                 const char *host, int port,
+-                time_t created, time_t max_age,
++                int64_t created, int64_t max_age,
+                 bool include_subdomains)
+ {
+   return hsts_new_entry_internal (store, host, port, created, max_age, include_subdomains, true, true, true);
+@@ -245,7 +245,7 @@ hsts_remove_entry (hsts_store_t store, struct hsts_kh *kh)
+ static bool
+ hsts_store_merge (hsts_store_t store,
+                   const char *host, int port,
+-                  time_t created, time_t max_age,
++                  int64_t created, int64_t max_age,
+                   bool include_subdomains)
+ {
+   enum hsts_kh_match match_type = NO_MATCH;
+@@ -276,11 +276,11 @@ hsts_read_database (hsts_store_t store, FILE *fp, bool merge_with_existing_entri
+   size_t len = 0;
+   int items_read;
+   bool result = false;
+-  bool (*func)(hsts_store_t, const char *, int, time_t, time_t, bool);
++  bool (*func)(hsts_store_t, const char *, int, int64_t, int64_t, bool);
+ 
+   char host[256];
+   int port;
+-  time_t created, max_age;
++  int64_t created, max_age;
+   int include_subdomains;
+ 
+   func = (merge_with_existing_entries ? hsts_store_merge : hsts_new_entry);
+@@ -326,10 +326,9 @@ hsts_store_dump (hsts_store_t store, FILE *fp)
+       struct hsts_kh *kh = (struct hsts_kh *) it.key;
+       struct hsts_kh_info *khi = (struct hsts_kh_info *) it.value;
+ 
+-      if (fprintf (fp, "%s\t%d\t%d\t%lu\t%lu\n",
++      if (fprintf (fp, "%s\t%d\t%d\t%" PRId64 "\t%" PRId64 "\n",
+                    kh->host, kh->explicit_port, khi->include_subdomains,
+-                   (unsigned long) khi->created,
+-                   (unsigned long) khi->max_age) < 0)
++                   khi->created, khi->max_age) < 0)
+         {
+           logprintf (LOG_ALWAYS, "Could not write the HSTS database correctly.\n");
+           break;
+@@ -439,7 +438,7 @@ hsts_match (hsts_store_t store, struct url *u)
+ bool
+ hsts_store_entry (hsts_store_t store,
+                   enum url_scheme scheme, const char *host, int port,
+-                  time_t max_age, bool include_subdomains)
++                  int64_t max_age, bool include_subdomains)
+ {
+   bool result = false;
+   enum hsts_kh_match match = NO_MATCH;
+@@ -464,9 +463,9 @@ hsts_store_entry (hsts_store_t store,
+                * 'created' field too. The RFC also states that we have to
+                * update the entry each time we see HSTS header.
+                * See also Section 11.2. */
+-              time_t t = time (NULL);
++              int64_t t = (int64_t) time (NULL);
+ 
+-              if (t != (time_t)(-1) && t != entry->created)
++              if (t != -1 && t != entry->created)
+                 {
+                   entry->created = t;
+                   entry->max_age = max_age;
+@@ -792,7 +791,7 @@ test_hsts_read_database (void)
+   hsts_store_t table;
+   char *file = NULL;
+   FILE *fp = NULL;
+-  time_t created = time(NULL) - 10;
++  int64_t created = time(NULL) - 10;
+ 
+   if (opt.homedir)
+     {
+@@ -801,9 +800,9 @@ test_hsts_read_database (void)
+       if (fp)
+         {
+           fputs ("# dummy comment\n", fp);
+-          fprintf (fp, "foo.example.com\t0\t1\t%lu\t123\n",(unsigned long) created);
+-          fprintf (fp, "bar.example.com\t0\t0\t%lu\t456\n", (unsigned long) created);
+-          fprintf (fp, "test.example.com\t8080\t0\t%lu\t789\n", (unsigned long) created);
++          fprintf (fp, "foo.example.com\t0\t1\t%" PRId64 "\t123\n", created);
++          fprintf (fp, "bar.example.com\t0\t0\t%" PRId64 "\t456\n", created);
++          fprintf (fp, "test.example.com\t8080\t0\t%" PRId64 "\t789\n", created);
+           fclose (fp);
+ 
+           table = hsts_store_open (file);
+--- a/src/hsts.h
++++ b/src/hsts.h
+@@ -46,7 +46,7 @@ bool hsts_store_has_changed (hsts_store_t);
+ 
+ bool hsts_store_entry (hsts_store_t,
+                        enum url_scheme, const char *, int,
+-                       time_t, bool);
++                       int64_t, bool);
+ bool hsts_match (hsts_store_t, struct url *);
+ 
+ #endif /* HAVE_HSTS */
+--- a/src/http.c
++++ b/src/http.c
+@@ -1300,7 +1300,7 @@ parse_content_disposition (const char *hdr, char **filename)
+ 
+ #ifdef HAVE_HSTS
+ static bool
+-parse_strict_transport_security (const char *header, time_t *max_age, bool *include_subdomains)
++parse_strict_transport_security (const char *header, int64_t *max_age, bool *include_subdomains)
+ {
+   param_token name, value;
+   const char *c_max_age = NULL;
+@@ -1330,7 +1330,7 @@ parse_strict_transport_security (const char *header, time_t *max_age, bool *incl
+            * Also, time_t is normally defined as a long, so this should not break.
+            */
+           if (max_age)
+-            *max_age = (time_t) strtol (c_max_age, NULL, 10);
++            *max_age = (int64_t) strtoll (c_max_age, NULL, 10);
+           if (include_subdomains)
+             *include_subdomains = is;
+ 
+@@ -3184,9 +3184,6 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ #else
+   extern hsts_store_t hsts_store;
+ #endif
+-  const char *hsts_params;
+-  time_t max_age;
+-  bool include_subdomains;
+ #endif
+ 
+   int sock = -1;
+@@ -3674,21 +3671,24 @@ gethttp (const struct url *u, struct url *original_url, struct http_stat *hs,
+ #ifdef HAVE_HSTS
+   if (opt.hsts && hsts_store)
+     {
+-      hsts_params = resp_header_strdup (resp, "Strict-Transport-Security");
++      int64_t max_age;
++      const char *hsts_params = resp_header_strdup (resp, "Strict-Transport-Security");
++      bool include_subdomains;
++
+       if (parse_strict_transport_security (hsts_params, &max_age, &include_subdomains))
+         {
+           /* process strict transport security */
+           if (hsts_store_entry (hsts_store, u->scheme, u->host, u->port, max_age, include_subdomains))
+-            DEBUGP(("Added new HSTS host: %s:%u (max-age: %lu, includeSubdomains: %s)\n",
++            DEBUGP(("Added new HSTS host: %s:%" PRIu32 " (max-age: %" PRId64 ", includeSubdomains: %s)\n",
+                    u->host,
+-                   (unsigned) u->port,
+-                   (unsigned long) max_age,
++                   (uint32_t) u->port,
++                   max_age,
+                    (include_subdomains ? "true" : "false")));
+           else
+-            DEBUGP(("Updated HSTS host: %s:%u (max-age: %lu, includeSubdomains: %s)\n",
++            DEBUGP(("Updated HSTS host: %s:%" PRIu32 " (max-age: %" PRId64 ", includeSubdomains: %s)\n",
+                    u->host,
+-                   (unsigned) u->port,
+-                   (unsigned long) max_age,
++                   (uint32_t) u->port,
++                   max_age,
+                    (include_subdomains ? "true" : "false")));
+         }
+       xfree (hsts_params);
+cgit v1.1
diff --git a/net-misc/wget/metadata.xml b/net-misc/wget/metadata.xml
index bcdf4d3..07aa81b 100644
--- a/net-misc/wget/metadata.xml
+++ b/net-misc/wget/metadata.xml
@@ -1,17 +1,18 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
- <maintainer type="project">
- <email>base-system@gentoo.org</email>
- <name>Gentoo Base System</name>
- </maintainer>
-<use>
- <flag name="cookie_check">Enable cookie checks via <pkg>net-libs/libpsl</pkg></flag>
- <flag name="metalink">Enable support for <pkg>media-libs/libmetalink</pkg></flag>
- <flag name="ntlm">Enable support for NTLM (Windows-based) authorization</flag>
- <flag name="uuid">Generate UUIDs for the WARC (Web ARChive file format) using libuuid; otherwise use a simple RNG (random number generator)</flag>
-</use>
-<upstream>
- <remote-id type="cpe">cpe:/a:gnu:wget</remote-id>
-</upstream>
+	<maintainer type="project">
+		<email>base-system@gentoo.org</email>
+		<name>Gentoo Base System</name>
+	</maintainer>
+	<use>
+		<flag name="cookie-check">Enable cookie checks via <pkg>net-libs/libpsl</pkg></flag>
+		<flag name="metalink">Enable support for <pkg>media-libs/libmetalink</pkg></flag>
+		<flag name="ntlm">Enable support for NTLM (Windows-based) authorization</flag>
+		<flag name="uuid">Generate UUIDs for the WARC (Web ARChive file format) using libuuid; otherwise use a simple RNG (random number generator)</flag>
+	</use>
+	<upstream>
+		<remote-id type="cpe">cpe:/a:gnu:wget</remote-id>
+		<remote-id type="gitlab">gnuwget/wget</remote-id>
+	</upstream>
 </pkgmetadata>
diff --git a/net-misc/wget/wget-1.21.1.ebuild b/net-misc/wget/wget-1.21.3-r1.ebuild
similarity index 63%
rename from net-misc/wget/wget-1.21.1.ebuild
rename to net-misc/wget/wget-1.21.3-r1.ebuild
index 3ab8c9a..00fdfc0 100644
--- a/net-misc/wget/wget-1.21.1.ebuild
+++ b/net-misc/wget/wget-1.21.3-r1.ebuild
@@ -1,32 +1,38 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
 
 PYTHON_COMPAT=( python3_{6..9} )
-
-inherit flag-o-matic python-any-r1 toolchain-funcs
+VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/wget.asc
+inherit flag-o-matic python-any-r1 toolchain-funcs verify-sig
 
 DESCRIPTION="Network utility to retrieve files from the WWW"
 HOMEPAGE="https://www.gnu.org/software/wget/"
 SRC_URI="mirror://gnu/wget/${P}.tar.gz"
+SRC_URI+=" verify-sig? ( mirror://gnu/wget/${P}.tar.gz.sig )"
 
-LICENSE="GPL-3"
+LICENSE="GPL-3+"
 SLOT="0"
 KEYWORDS="*"
-IUSE="cookie_check debug gnutls idn ipv6 metalink nls ntlm pcre +ssl static test uuid zlib"
-REQUIRED_USE=" ntlm? ( !gnutls ssl ) gnutls? ( ssl )"
+IUSE="cookie-check debug gnutls idn ipv6 metalink nls ntlm pcre +ssl static test uuid zlib"
+REQUIRED_USE="ntlm? ( !gnutls ssl ) gnutls? ( ssl )"
 RESTRICT="!test? ( test )"
 
-# Force a newer libidn2 to avoid libunistring deps. #612498
+# * Force a newer libidn2 to avoid libunistring deps. #bug #612498
+# * Metalink can use gpgme automagically (so let's always depend on it)
+# for signed metalink resources.
 LIB_DEPEND="
-	cookie_check? ( net-libs/libpsl )
+	cookie-check? ( net-libs/libpsl )
 	idn? ( >=net-dns/libidn2-0.14:=[static-libs(+)] )
-	metalink? ( media-libs/libmetalink )
+	metalink? (
+		app-crypt/gpgme
+		media-libs/libmetalink
+	)
 	pcre? ( dev-libs/libpcre2[static-libs(+)] )
 	ssl? (
-		gnutls? ( net-libs/gnutls:0=[static-libs(+)] )
-		!gnutls? ( dev-libs/openssl:0=[static-libs(+)] )
+		gnutls? ( net-libs/gnutls:=[static-libs(+)] )
+		!gnutls? ( dev-libs/openssl:=[static-libs(+)] )
 	)
 	uuid? ( sys-apps/util-linux[static-libs(+)] )
 	zlib? ( sys-libs/zlib[static-libs(+)] )
@@ -35,21 +41,27 @@
 DEPEND="
 	${RDEPEND}
 	static? ( ${LIB_DEPEND} )
-	test? (
-		${PYTHON_DEPS}
-		dev-lang/perl
-		dev-perl/HTTP-Daemon
-		dev-perl/HTTP-Message
-		dev-perl/IO-Socket-SSL
-	)
 "
 BDEPEND="
 	app-arch/xz-utils
+	dev-lang/perl
+	sys-apps/texinfo
 	virtual/pkgconfig
 	nls? ( sys-devel/gettext )
+	test? (
+		${PYTHON_DEPS}
+		>=dev-perl/HTTP-Daemon-6.60.0
+		dev-perl/HTTP-Message
+		dev-perl/IO-Socket-SSL
+	)
+	verify-sig? ( >=sec-keys/openpgp-keys-wget-20230313 )
 "
 
-DOCS=( AUTHORS MAILING-LIST NEWS README doc/sample.wgetrc )
+DOCS=( AUTHORS MAILING-LIST NEWS README )
+
+PATCHES=(
+	"${FILESDIR}"/${P}-hsts-type.patch
+)
 
 pkg_setup() {
 	use test && python-any-r1_pkg_setup
@@ -57,17 +69,7 @@
 
 src_prepare() {
 	default
-
-	# revert some hack that breaks linking, bug #585924
-	if [[ ${CHOST} == *-darwin* ]] \
-	|| [[ ${CHOST} == *-solaris* ]] \
-	|| [[ ${CHOST} == *-uclibc* ]] \
-	|| [[ ${CHOST} == *-cygwin* ]] \
-	; then
-		sed -i \
-			-e 's/^  LIBICONV=$/:/' \
-			configure || die
-	fi
+	sed -i -e "s:/usr/local/etc:${EPREFIX}/etc:g" doc/{sample.wgetrc,wget.texi} || die
 }
 
 src_configure() {
@@ -84,8 +86,9 @@
 	# There is no flag that controls this.  libunistring-prefix only
 	# controls the search path (which is why we turn it off below).
 	# Further, libunistring is only needed w/older libidn2 installs,
-	# and since we force the latest, we can force off libunistring. #612498
+	# and since we force the latest, we can force off libunistring. # bug #612498
 	local myeconfargs=(
+		ac_cv_libunistring=no
 		--disable-assert
 		--disable-pcre
 		--disable-rpath
@@ -99,24 +102,13 @@
 		$(use_enable pcre pcre2)
 		$(use_enable ssl digest)
 		$(use_enable ssl opie)
-		$(use_with cookie_check libpsl)
-		$(use_with idn libidn)
+		$(use_with cookie-check libpsl)
+		$(use_enable idn iri)
 		$(use_with metalink)
 		$(use_with ssl ssl $(usex gnutls gnutls openssl))
 		$(use_with uuid libuuid)
 		$(use_with zlib)
 	)
-	ac_cv_libunistring=no \
+
 	econf "${myeconfargs[@]}"
 }
-
-src_install() {
-	default
-
-	sed -i \
-		-e "s:/usr/local/etc:${EPREFIX}/etc:g" \
-		"${ED}"/etc/wgetrc \
-		"${ED}"/usr/share/man/man1/wget.1 \
-		"${ED}"/usr/share/info/wget.info \
-		|| die
-}