import fwupd-1.4.2-4.el8

2020-11-03 06:44:56 -05:00 · 2020-11-03 06:44:56 -05:00 · 0cc62e157a
commit 0cc62e157a
parent 1554303a7f
10 changed files with 332 additions and 395 deletions
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@ -1 +1,2 @@
-9777016b6b861676e3e88153f7b310e4d985871a SOURCES/fwupd-1.1.4.tar.xz
+c152547682cb354b69e4e1a89b53369dd42f3e53 SOURCES/fwupd-1.4.2.tar.xz
+6991b6879b438a4672e97c534d10737bc54e6f39 SOURCES/libjcat-0.1.2.tar.xz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
-SOURCES/fwupd-1.1.4.tar.xz
+SOURCES/fwupd-1.4.2.tar.xz
+SOURCES/libjcat-0.1.2.tar.xz
--- a/SOURCES/0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
+++ b/SOURCES/0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
@ -1,28 +0,0 @@
-From d4a65700c5ed9544b6445213bd5f8a0dbc2cd1e5 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Fri, 29 Nov 2019 14:00:39 +0000
-Subject: [PATCH] Disable wacomhid by default as probing the device stops the
- tablet working
-
-This is fixed properly in fwupd >= 1.2.2 but add this workaround here for
-stable distros that cannot rebase to a newer branch.
---
- data/daemon.conf | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/data/daemon.conf b/data/daemon.conf
-index 51ab19f4..03965d88 100644
--- a/data/daemon.conf
-+++ b/data/daemon.conf
-@@ -6,7 +6,7 @@ BlacklistDevices=
- 
- # Allow blacklisting specific plugins
- # Uses semicolons as delimiter
-BlacklistPlugins=test
-+BlacklistPlugins=test;wacomhid
- 
- # Maximum archive size that can be loaded in Mb, with 0 for the default
- ArchiveSizeMax=0
-- 
-2.23.0
-
--- a/SOURCES/0001-Do-not-use-the-LVFS.patch
+++ b/SOURCES/0001-Do-not-use-the-LVFS.patch
@ -0,0 +1,26 @@
+diff --git a/data/remotes.d/lvfs.conf b/data/remotes.d/lvfs.conf
+index 1249ef74..f533bf52 100644
+--- a/data/remotes.d/lvfs.conf
+++ b/data/remotes.d/lvfs.conf
+@@ -1,7 +1,7 @@
+ [fwupd Remote]
+ 
+ # this remote provides metadata and firmware marked as 'stable' from the LVFS
+-Enabled=true
+Enabled=false
+ Title=Linux Vendor Firmware Service
+ MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
+ ReportURI=https://fwupd.org/lvfs/firmware/report
+diff --git a/libfwupd/fwupd-self-test.c b/libfwupd/fwupd-self-test.c
+index 679360b0..59660360 100644
+--- a/libfwupd/fwupd-self-test.c
+++ b/libfwupd/fwupd-self-test.c
+@@ -182,7 +182,7 @@ fwupd_remote_download_func (void)
+ 	g_assert_cmpint (fwupd_remote_get_kind (remote), ==, FWUPD_REMOTE_KIND_DOWNLOAD);
+ 	g_assert_cmpint (fwupd_remote_get_keyring_kind (remote), ==, FWUPD_KEYRING_KIND_JCAT);
+ 	g_assert_cmpint (fwupd_remote_get_priority (remote), ==, 0);
+-	g_assert (fwupd_remote_get_enabled (remote));
+//	g_assert (fwupd_remote_get_enabled (remote));
+ 	g_assert (fwupd_remote_get_metadata_uri (remote) != NULL);
+ 	g_assert (fwupd_remote_get_metadata_uri_sig (remote) != NULL);
+ 	g_assert_cmpstr (fwupd_remote_get_title (remote), ==, "Linux Vendor Firmware Service");
--- a/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
+++ b/SOURCES/0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
@ -1,220 +0,0 @@
-commit 58f79c3d235290c4cecccc1d55cbcc2da8e988a6
-Author: Richard Hughes <richard@hughsie.com>
-Date:   Thu Aug 1 09:45:25 2019 +0100
-
-    Relax the certificate time checks in the self tests for the legacy certificate
-    
-    One test verifies a firmware with a signature from the old LVFS which was
-    hosted on secure-lvfs.rhcloud.com and used the original PKCS-7 key. This key
-    had a two year validity (expiring today, ohh the naivety...) rather than the
-    newer fwupd.org key which expires in the year 2058.
-    
-    For this specific test only, disable the certificate time checks to fix CI.
-    
-    Fixes https://github.com/hughsie/fwupd/issues/1264
-
-diff --git a/src/fu-engine.c b/src/fu-engine.c
-index ac102cfa..1a57b0af 100644
--- a/src/fu-engine.c
-+++ b/src/fu-engine.c
-@@ -1908,7 +1908,8 @@ fu_engine_get_existing_keyring_result (FuEngine *self,
- 	blob_sig = fu_common_get_contents_bytes (fwupd_remote_get_filename_cache_sig (remote), error);
- 	if (blob_sig == NULL)
- 		return NULL;
-	return fu_keyring_verify_data (kr, blob, blob_sig, error);
-+	return fu_keyring_verify_data (kr, blob, blob_sig,
-+				       FU_KEYRING_VERIFY_FLAG_NONE, error);
- }
- 
- /**
-@@ -1991,7 +1992,9 @@ fu_engine_update_metadata (FuEngine *self, const gchar *remote_id,
- 		pki_dir = g_build_filename (sysconfdir, "pki", "fwupd-metadata", NULL);
- 		if (!fu_keyring_add_public_keys (kr, pki_dir, error))
- 			return FALSE;
-		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig, error);
-+		kr_result = fu_keyring_verify_data (kr, bytes_raw, bytes_sig,
-+						    FU_KEYRING_VERIFY_FLAG_NONE,
-+						    error);
- 		if (kr_result == NULL)
- 			return FALSE;
- 
-diff --git a/src/fu-keyring-gpg.c b/src/fu-keyring-gpg.c
-index af0bfbe0..a51ab7a4 100644
--- a/src/fu-keyring-gpg.c
-+++ b/src/fu-keyring-gpg.c
-@@ -231,6 +231,7 @@ static FuKeyringResult *
- fu_keyring_gpg_verify_data (FuKeyring *keyring,
- 			    GBytes *blob,
- 			    GBytes *blob_signature,
-+			    FuKeyringVerifyFlags flags,
- 			    GError **error)
- {
- 	FuKeyringGpg *self = FU_KEYRING_GPG (keyring);
-diff --git a/src/fu-keyring-pkcs7.c b/src/fu-keyring-pkcs7.c
-index d48dc5d0..dc310d37 100644
--- a/src/fu-keyring-pkcs7.c
-+++ b/src/fu-keyring-pkcs7.c
-@@ -182,6 +182,7 @@ static FuKeyringResult *
- fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
- 			     GBytes *blob,
- 			     GBytes *blob_signature,
-+			     FuKeyringVerifyFlags flags,
- 			     GError **error)
- {
- 	FuKeyringPkcs7 *self = FU_KEYRING_PKCS7 (keyring);
-@@ -231,6 +232,14 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
- 	for (gint i = 0; i < count; i++) {
- 		gnutls_pkcs7_signature_info_st info;
- 		gint64 signing_time = 0;
-+		gnutls_certificate_verify_flags verify_flags = 0;
-+
-+		/* use with care */
-+		if (flags & FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS) {
-+			g_debug ("WARNING: disabling time checks");
-+			verify_flags |= GNUTLS_VERIFY_DISABLE_TIME_CHECKS;
-+			verify_flags |= GNUTLS_VERIFY_DISABLE_TRUSTED_TIME_CHECKS;
-+		}
- 
- 		/* verify the data against the detached signature */
- 		rc = gnutls_pkcs7_verify (pkcs7, self->tl,
-@@ -238,7 +247,7 @@ fu_keyring_pkcs7_verify_data (FuKeyring *keyring,
- 					  0,    /* vdata_size */
- 					  i,    /* index */
- 					  &datum, /* data */
-					  0);   /* flags */
-+					  verify_flags);
- 		if (rc < 0) {
- 			g_set_error (error,
- 				     FWUPD_ERROR,
-diff --git a/src/fu-keyring-utils.c b/src/fu-keyring-utils.c
-index 0c5a7f04..465b4a02 100644
--- a/src/fu-keyring-utils.c
-+++ b/src/fu-keyring-utils.c
-@@ -167,7 +167,9 @@ fu_keyring_get_release_trust_flags (AsRelease *release,
- 				fu_keyring_get_name (kr));
- 		return FALSE;
- 	}
-	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature, &error_local);
-+	kr_result = fu_keyring_verify_data (kr, blob_payload, blob_signature,
-+					    FU_KEYRING_VERIFY_FLAG_NONE,
-+					    &error_local);
- 	if (kr_result == NULL) {
- 		g_warning ("untrusted as failed to verify from %s keyring: %s",
- 			   fu_keyring_get_name (kr),
-diff --git a/src/fu-keyring.c b/src/fu-keyring.c
-index d8a88e8c..9b582563 100644
--- a/src/fu-keyring.c
-+++ b/src/fu-keyring.c
-@@ -40,13 +40,14 @@ FuKeyringResult *
- fu_keyring_verify_data (FuKeyring *keyring,
- 		       GBytes *blob,
- 		       GBytes *blob_signature,
-+		       FuKeyringVerifyFlags flags,
- 		       GError **error)
- {
- 	FuKeyringClass *klass = FU_KEYRING_GET_CLASS (keyring);
- 	g_return_val_if_fail (FU_IS_KEYRING (keyring), NULL);
- 	g_return_val_if_fail (blob != NULL, NULL);
- 	g_return_val_if_fail (blob_signature != NULL, NULL);
-	return klass->verify_data (keyring, blob, blob_signature, error);
-+	return klass->verify_data (keyring, blob, blob_signature, flags, error);
- }
- 
- const gchar *
-diff --git a/src/fu-keyring.h b/src/fu-keyring.h
-index 6e03694c..f097305d 100644
--- a/src/fu-keyring.h
-+++ b/src/fu-keyring.h
-@@ -17,6 +17,20 @@ G_BEGIN_DECLS
- #define FU_TYPE_KEYRING (fu_keyring_get_type ())
- G_DECLARE_DERIVABLE_TYPE (FuKeyring, fu_keyring, FU, KEYRING, GObject)
- 
-+/**
-+ * FuKeyringVerifyFlags:
-+ * @FU_KEYRING_VERIFY_FLAG_NONE:		No flags set
-+ * @FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS:	Disable checking of validity periods
-+ *
-+ * The flags to use when interacting with a keyring
-+ **/
-+typedef enum {
-+	FU_KEYRING_VERIFY_FLAG_NONE			= 0,
-+	FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS	= 1 << 2,
-+	/*< private >*/
-+	FU_KEYRING_VERIFY_FLAG_LAST
-+} FuKeyringVerifyFlags;
-+
- struct _FuKeyringClass
- {
- 	GObjectClass		 parent_class;
-@@ -28,6 +42,7 @@ struct _FuKeyringClass
- 	FuKeyringResult		*(*verify_data)		(FuKeyring	*keyring,
- 							 GBytes		*payload,
- 							 GBytes		*payload_signature,
-+							 FuKeyringVerifyFlags flags,
- 							 GError		**error);
- };
- 
-@@ -39,6 +54,7 @@ gboolean	 fu_keyring_add_public_keys		(FuKeyring	*keyring,
- FuKeyringResult	*fu_keyring_verify_data			(FuKeyring	*keyring,
- 							 GBytes		*blob,
- 							 GBytes		*blob_signature,
-+							 FuKeyringVerifyFlags flags,
- 							 GError		**error);
- const gchar	*fu_keyring_get_name			(FuKeyring	*self);
- void		 fu_keyring_set_name			(FuKeyring	*self,
-diff --git a/src/fu-self-test.c b/src/fu-self-test.c
-index 4f359614..98fac714 100644
--- a/src/fu-self-test.c
-+++ b/src/fu-self-test.c
-@@ -1947,7 +1947,9 @@ fu_keyring_gpg_func (void)
- 	g_assert_no_error (error);
- 	g_assert_nonnull (blob_pass);
- 	blob_sig = g_bytes_new_static (sig_gpgme, strlen (sig_gpgme));
-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
-+	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
-+					      FU_KEYRING_VERIFY_FLAG_NONE,
-+					      &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (result_pass);
- 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), == , 1438072952);
-@@ -1960,7 +1962,8 @@ fu_keyring_gpg_func (void)
- 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (blob_fail);
-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
-+	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
-+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
- 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
- 	g_assert_null (result_fail);
- 	g_clear_error (&error);
-@@ -2010,7 +2013,9 @@ fu_keyring_pkcs7_func (void)
- 	blob_sig = fu_common_get_contents_bytes (sig_fn, &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (blob_sig);
-	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig, &error);
-+	result_pass = fu_keyring_verify_data (keyring, blob_pass, blob_sig,
-+					      FU_KEYRING_VERIFY_FLAG_DISABLE_TIME_CHECKS,
-+					      &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (result_pass);
- 	g_assert_cmpint (fu_keyring_result_get_timestamp (result_pass), >= , 1502871248);
-@@ -2022,7 +2027,8 @@ fu_keyring_pkcs7_func (void)
- 	blob_sig2 = fu_common_get_contents_bytes (sig_fn2, &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (blob_sig2);
-	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2, &error);
-+	result_fail = fu_keyring_verify_data (keyring, blob_pass, blob_sig2,
-+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
- 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
- 	g_assert_null (result_fail);
- 	g_clear_error (&error);
-@@ -2033,7 +2039,8 @@ fu_keyring_pkcs7_func (void)
- 	blob_fail = fu_common_get_contents_bytes (fw_fail, &error);
- 	g_assert_no_error (error);
- 	g_assert_nonnull (blob_fail);
-	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig, &error);
-+	result_fail = fu_keyring_verify_data (keyring, blob_fail, blob_sig,
-+					      FU_KEYRING_VERIFY_FLAG_NONE, &error);
- 	g_assert_error (error, FWUPD_ERROR, FWUPD_ERROR_SIGNATURE_INVALID);
- 	g_assert_null (result_fail);
- 	g_clear_error (&error);
--- a/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
+++ b/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
@ -0,0 +1,114 @@
+From 839b89f45a38b2373bf5836337a33f450aaab72e Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Thu, 28 May 2020 10:41:23 +0100
+Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
+ signature
+
+If a detached signature is actually a PGP message, gpgme_op_verify() returns
+the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
+builds an empty list.
+
+Explicitly check for no signatures present to avoid returning a JcatResult with
+no timestamp and an empty authority.
+
+Many thanks to Justin Steven <justin@justinsteven.com> for the discovery and
+coordinated disclosure of this issue. Fixes CVE-2020-10759
+---
+ libjcat/jcat-gpg-engine.c |  7 +++++
+ libjcat/jcat-self-test.c  | 55 +++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 62 insertions(+)
+
+diff --git libjcat/jcat-gpg-engine.c libjcat/jcat-gpg-engine.c
+index 0812a62..bd44dba 100644
+--- libjcat/jcat-gpg-engine.c
+++ libjcat/jcat-gpg-engine.c
+@@ -267,6 +267,13 @@ jcat_gpg_engine_pubkey_verify (JcatEngine *engine,
+ 				     "no result record from libgpgme");
+ 		return NULL;
+ 	}
+	if (result->signatures == NULL) {
+		g_set_error_literal (error,
+				     G_IO_ERROR,
+				     G_IO_ERROR_FAILED,
+				     "no signatures from libgpgme");
+		return NULL;
+	}
+ 
+ 	/* look at each signature */
+ 	for (s = result->signatures; s != NULL ; s = s->next ) {
+diff --git libjcat/jcat-self-test.c libjcat/jcat-self-test.c
+index d79a3a9..fd4295e 100644
+--- libjcat/jcat-self-test.c
+++ libjcat/jcat-self-test.c
+@@ -393,6 +393,60 @@ jcat_gpg_engine_func (void)
+ #endif
+ }
+ 
+static void
+jcat_gpg_engine_msg_func (void)
+{
+#ifdef ENABLE_GPG
+	g_autofree gchar *fn = NULL;
+	g_autofree gchar *pki_dir = NULL;
+	g_autoptr(GBytes) data = NULL;
+	g_autoptr(GBytes) data_sig = NULL;
+	g_autoptr(GError) error = NULL;
+	g_autoptr(JcatContext) context = jcat_context_new ();
+	g_autoptr(JcatEngine) engine = NULL;
+	g_autoptr(JcatResult) result = NULL;
+	const gchar *sig =
+	"-----BEGIN PGP MESSAGE-----\n"
+	"owGbwMvMwMEovmZX76/pfOKMp0WSGOLOX3/ikZqTk6+jUJ5flJOiyNXJaMzCwMjB\n"
+	"ICumyCJmt5VRUil28/1+z1cwbaxMID0MXJwCMJG4RxwMLUYXDkUad34I3vrT8+X2\n"
+	"m+ZyHyMWnTiQYaQb/eLJGqbiAJc5Jr4a/PPqHNi7auwzGsKsljebabjtnJRzpDr0\n"
+	"YvwrnmmWLJUnTzjM3MH5Kn+RzqXkywsYdk9yD2OUdLy736CiemFMdcuF02lOZvPU\n"
+	"HaTKl76wW62QH8Lr8yGMQ1Xgc6nC2ZwUhvctky7NOZtc1T477uBTL81p31ZmaIUJ\n"
+	"paS8uWZl8UzX5sFsqQi37G1TbDc8Cm+oU/yRkFj2pLBzw367ncsa4n7EqEWu1yrN\n"
+	"yD39LUeErePdqfKCG+xhL6WkWt5ZJ/6//XnjouXhl5Z4tWspT49MtNp5d3aDQ43c\n"
+	"mnbresn6A7KMZgdOiwIA\n"
+	"=a9ui\n"
+	"-----END PGP MESSAGE-----\n";
+
+	/* set up context */
+	jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
+	pki_dir = g_test_build_filename (G_TEST_DIST, "pki", NULL);
+	jcat_context_add_public_keys (context, pki_dir);
+
+	/* get engine */
+	engine = jcat_context_get_engine (context, JCAT_BLOB_KIND_GPG, &error);
+	g_assert_no_error (error);
+	g_assert_nonnull (engine);
+	g_assert_cmpint (jcat_engine_get_kind (engine), ==, JCAT_BLOB_KIND_GPG);
+	g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE);
+
+	/* verify with GnuPG, which should fail as the signature is not a
+	 * detached signature at all, but gnupg stabs us in the back by returning
+	 * success from gpgme_op_verify() with an empty list of signatures */
+	fn = g_test_build_filename (G_TEST_DIST, "colorhug", "firmware.bin", NULL);
+	data = jcat_get_contents_bytes (fn, &error);
+	g_assert_no_error (error);
+	g_assert_nonnull (data);
+	data_sig = g_bytes_new_static (sig, strlen (sig));
+	result = jcat_engine_pubkey_verify (engine, data, data_sig,
+					    JCAT_VERIFY_FLAG_NONE, &error);
+	g_assert_error (error, G_IO_ERROR, G_IO_ERROR_FAILED);
+	g_assert_null (result);
+#else
+	g_test_skip ("no GnuPG support enabled");
+#endif
+}
+
+ static void
+ jcat_pkcs7_engine_func (void)
+ {
+@@ -753,6 +807,7 @@ main (int argc, char **argv)
+ 	g_test_add_func ("/jcat/engine{sha1}", jcat_sha1_engine_func);
+ 	g_test_add_func ("/jcat/engine{sha256}", jcat_sha256_engine_func);
+ 	g_test_add_func ("/jcat/engine{gpg}", jcat_gpg_engine_func);
+	g_test_add_func ("/jcat/engine{gpg-msg}", jcat_gpg_engine_msg_func);
+ 	g_test_add_func ("/jcat/engine{pkcs7}", jcat_pkcs7_engine_func);
+ 	g_test_add_func ("/jcat/engine{pkcs7-self-signed}", jcat_pkcs7_engine_self_signed_func);
+ 	g_test_add_func ("/jcat/context{verify-blob}", jcat_context_verify_blob_func);
+-- 
+2.26.2
+
--- a/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
+++ b/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
@ -0,0 +1,32 @@
+From d7a1eb17bef650f13e7f96430f99294c36a40806 Mon Sep 17 00:00:00 2001
+From: Vincent Huang <vincent.huang@tw.synaptics.com>
+Date: Tue, 19 May 2020 13:09:28 +0800
+Subject: [PATCH] synaptics-prometheus: Force the minor version from 0x02 to
+ 0x01 to make sure the devices can be updated back to 0x01.
+
+---
+ plugins/synaptics-prometheus/fu-synaprom-device.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git plugins/synaptics-prometheus/fu-synaprom-device.c plugins/synaptics-prometheus/fu-synaprom-device.c
+index 5a19203c..299ebde2 100644
+--- a/plugins/synaptics-prometheus/fu-synaprom-device.c
+++ b/plugins/synaptics-prometheus/fu-synaprom-device.c
+@@ -142,6 +142,14 @@ fu_synaprom_device_set_version (FuSynapromDevice *self,
+ {
+ 	g_autofree gchar *str = NULL;
+ 
+	/* We decide to skip 10.02.xxxxxx firmware, so we force the minor version from 0x02 
+	** to 0x01 to make the devices with 0x02 minor version firmware allow to be updated
+	** back to minor version 0x01. */
+	if (vmajor == 0x0a && vminor == 0x02) {
+		g_debug ("quirking vminor from %02x to 01", vminor);
+		vminor = 0x01;
+	}
+
+ 	/* set display version */
+ 	str = g_strdup_printf ("%02u.%02u.%u", vmajor, vminor, buildnum);
+ 	fu_device_set_version (FU_DEVICE (self), str);
+-- 
+2.26.2
+
--- a/SOURCES/0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
+++ b/SOURCES/0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
@ -1,29 +0,0 @@
-From 48cea11bd5d3d8c7f7423ad9807b1e537bc051c8 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Thu, 8 Nov 2018 20:05:12 +0000
-Subject: [PATCH] trivial: Relax the timing requirements on the FuDevice poll
- test
-
-If the poll source is scheduled just at the right time, we might only get 8x
-'10ms ticks' in a 100ms window. This fixes an occasional build failure on
-slower hardware and in CI.
---
- src/fu-self-test.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/fu-self-test.c b/src/fu-self-test.c
-index 3c774b55..edc0088d 100644
--- a/src/fu-self-test.c
-+++ b/src/fu-self-test.c
-@@ -2806,7 +2806,7 @@ fu_device_poll_func (void)
- 	fu_test_loop_run_with_timeout (100);
- 	fu_test_loop_quit ();
- 	cnt = fu_device_get_metadata_integer (device, "cnt");
-	g_assert_cmpint (cnt, >=, 9);
-+	g_assert_cmpint (cnt, >=, 8);
- 
- 	/* disable the poll */
- 	fu_device_set_poll_interval (device, 0);
-- 
-2.19.1
-
--- a/SOURCES/0001-uefi-add-a-new-option-to-specify-the-os-name.patch
+++ b/SOURCES/0001-uefi-add-a-new-option-to-specify-the-os-name.patch
@ -1,74 +0,0 @@
-From 3cd6171c44ef217acef059c871efc726eb9df062 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Thu, 28 Mar 2019 16:20:22 +0800
-Subject: [PATCH] uefi: add a new option to specify the os name
-
-fu_uefi_get_esp_path_for_os() generates the path to the OS directory
-based on "ID" in /etc/os-release, and it may not work for some distros.
-
-Take openSUSE as an example, the "ID" for openSUSE Leap is
-"opensuse-leap" and that for openSUSE Tumbleweed is "opensuse-tumbleweed".
-However, both of them use the same OS directory in the ESP, i.e.
-"/EFI/opensuse".
-
-This commit adds a new build option, efi_os_dir, to allow the packager to
-specify the name of OS directory at build time instead of the runtime
-detection.
-
-Signed-off-by: Gary Lin <glin@suse.com>
---
- meson_options.txt             | 1 +
- plugins/uefi/fu-uefi-common.c | 4 ++++
- plugins/uefi/meson.build      | 5 +++++
- 3 files changed, 10 insertions(+)
-
-diff --git a/meson_options.txt b/meson_options.txt
-index 23ef8cdb..c1767205 100644
--- a/meson_options.txt
-+++ b/meson_options.txt
-@@ -24,3 +24,4 @@ option('efi-ld', type : 'string', value : 'ld', description : 'the linker to use
- option('efi-libdir', type : 'string', description : 'path to the EFI lib directory')
- option('efi-ldsdir', type : 'string', description : 'path to the EFI lds directory')
- option('efi-includedir', type : 'string', value : '/usr/include/efi', description : 'path to the EFI header directory')
-+option('efi_os_dir', type: 'string', description : 'the name of OS directory in ESP')
-diff --git a/plugins/uefi/fu-uefi-common.c b/plugins/uefi/fu-uefi-common.c
-index 2e3268aa..4d9d03d7 100644
--- a/plugins/uefi/fu-uefi-common.c
-+++ b/plugins/uefi/fu-uefi-common.c
-@@ -246,6 +246,7 @@ gchar *
- fu_uefi_get_esp_path_for_os (const gchar *esp_path)
- {
- 	const gchar *os_release_id = NULL;
-+#ifndef EFI_OS_DIR
- 	g_autoptr(GError) error_local = NULL;
- 	g_autoptr(GHashTable) os_release = fwupd_get_os_release (&error_local);
- 	if (os_release != NULL) {
-@@ -255,6 +256,9 @@ fu_uefi_get_esp_path_for_os (const gchar *esp_path)
- 	}
- 	if (os_release_id == NULL)
- 		os_release_id = "unknown";
-+#else
-+	os_release_id = EFI_OS_DIR;
-+#endif
- 	return g_build_filename (esp_path, "EFI", os_release_id, NULL);
- }
- 
-diff --git a/plugins/uefi/meson.build b/plugins/uefi/meson.build
-index 140418a8..21d4b6c8 100644
--- a/plugins/uefi/meson.build
-+++ b/plugins/uefi/meson.build
-@@ -3,6 +3,11 @@ subdir('efi')
- cargs = ['-DG_LOG_DOMAIN="FuPluginUefi"']
- cargs += '-DEFI_APP_LOCATION_BUILD="' + app.full_path() + '"'
- 
-+efi_os_dir = get_option('efi_os_dir')
-+if efi_os_dir != ''
-+  cargs += '-DEFI_OS_DIR="' + efi_os_dir + '"'
-+endif
-+
- shared_module('fu_plugin_uefi',
-   sources : [
-     'fu-plugin-uefi.c',
-- 
-2.24.1
-
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@ -1,9 +1,10 @@
 %global glib2_version 2.45.8
-%global libappstream_version 0.7.4
+%global libxmlb_version 0.1.3
 %global libgusb_version 0.2.11
 %global libsoup_version 2.51.92
 %global systemd_version 231
 %global json_glib_version 1.1.1
+%global __meson_wrap_mode default

 %global enable_tests 1
 %global enable_dummy 1
@ -23,13 +24,19 @@
 %global have_dell 1
 %endif

+# only available recently
+%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
+%global have_modem_manager 1
+%endif
+
 Summary:   Firmware update daemon
 Name:      fwupd
-Version:   1.1.4
-Release:   7%{?dist}
+Version:   1.4.2
+Release:   4%{?dist}
 License:   LGPLv2+
-URL:       https://github.com/hughsie/fwupd
+URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
+Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz

 # these are numbered high just to keep them wildly away from colliding with
 # the real package sources, in order to reduce churn.
@ -38,16 +45,14 @@ Source301:   redhatsecureboot301.cer
 Source500:   redhatsecurebootca5.cer
 Source503:   redhatsecureboot503.cer

-# backport from upstream
-Patch0:    0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
-Patch1:    0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
-Patch2:    0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
-Patch3:    0001-uefi-add-a-new-option-to-specify-the-os-name.patch
+Patch1:    0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
+Patch2:    0001-Do-not-use-the-LVFS.patch
+Patch3:    0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch

 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
-BuildRequires: libappstream-glib-devel >= %{libappstream_version}
+BuildRequires: libxmlb-devel >= %{libxmlb_version}
 BuildRequires: libgcab1-devel
 BuildRequires: libgudev1-devel
 BuildRequires: libgusb-devel >= %{libgusb_version}
@ -65,7 +70,6 @@ BuildRequires: valgrind-devel
 %endif
 BuildRequires: elfutils-libelf-devel
 BuildRequires: gtk-doc
-BuildRequires: libuuid-devel
 BuildRequires: gnutls-devel
 BuildRequires: gnutls-utils
 BuildRequires: meson
@ -74,9 +78,15 @@ BuildRequires: json-glib-devel >= %{json_glib_version}
 BuildRequires: vala
 BuildRequires: python3-devel
 BuildRequires: bash-completion
+BuildRequires: git-core
+%if 0%{?have_flashrom}
+BuildRequires: flashrom-devel >= 1.2-2
+%endif

-# until rh-signing-tools is fixed
-BuildRequires: nss-tools
+%if 0%{?have_modem_manager}
+BuildRequires: ModemManager-glib-devel >= 1.10.0
+BuildRequires: libqmi-devel >= 1.22.0
+%endif

 %if 0%{?have_redfish}
 BuildRequires: efivar-devel >= 33
@ -104,15 +114,17 @@ Requires(preun): systemd
 Requires(postun): systemd

 Requires: glib2%{?_isa} >= %{glib2_version}
-Requires: libappstream-glib%{?_isa} >= %{libappstream_version}
+Requires: libxmlb%{?_isa} >= %{libxmlb_version}
 Requires: libgusb%{?_isa} >= %{libgusb_version}
 Requires: libsoup%{?_isa} >= %{libsoup_version}
 Requires: bubblewrap
+Requires: shared-mime-info

 Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
+Obsoletes: fwupdate

 %description
 fwupd is a daemon to allow session software to update device firmware.
@ -128,24 +140,33 @@ Files for development with %{name}.

 %package tests
 Summary: Data files for installed tests
-BuildArch: noarch
-Recommends: python3

 %description tests
 Data files for installed tests.

 %prep
-%autosetup -p1
+%setup -q
+%patch2 -p1 -b .lvfs-disabled
+
+mkdir -p subprojects/libjcat
+tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
+
+# apply patch to subproject
+cd subprojects/libjcat
+%patch3 -p0 -b .gpgme-parsing
+cd -

 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
-        libfwupd/generate-version-script.py \
-        data/installed-tests/hardware.py \
-        po/test-deps \
+        contrib/ci/*.py \
+        contrib/firmware_packager/*.py \
+        contrib/*.py \
+        contrib/standalone-installer/assets/*.py \
+        contrib/standalone-installer/*.py \
+        data/device-tests/*.py \
+        libfwupdplugin/*.py \
+        plugins/dfu/contrib/*.py \
        po/make-images \
-        contrib/ci/generate_debian.py \
-        contrib/ci/generate_docker.py \
-        contrib/firmware-packager/firmware-packager \
-        plugins/dfu/contrib/parse-avrdude-conf.py
+        po/test-deps

 %build

@ -155,6 +176,10 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %meson \
    -Dgtkdoc=true \
    -Defi_os_dir=%{efi_vendor} \
+    -Dplugin_tpm=false \
+    -Dlibjcat:gtkdoc=false \
+    -Dlibjcat:introspection=false \
+    -Dlibjcat:tests=false \
 %if 0%{?enable_tests}
    -Dtests=true \
 %else
@ -164,6 +189,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
    -Dplugin_dummy=true \
 %else
    -Dplugin_dummy=false \
+%endif
+%if 0%{?have_flashrom}
+    -Dplugin_flashrom=true \
+%else
+    -Dplugin_flashrom=false \
 %endif
    -Dplugin_thunderbolt=true \
 %if 0%{?have_redfish}
@ -184,6 +214,11 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %else
    -Dplugin_dell=false \
    -Dplugin_synaptics=false \
+%endif
+%if 0%{?have_modem_manager}
+    -Dplugin_modem_manager=true \
+%else
+    -Dplugin_modem_manager=false \
 %endif
    -Dman=true

@ -213,77 +248,112 @@ rm -fv %{fwup_efi_fn}.tmp

 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg

+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1757948
+mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
+
 %find_lang %{name}

 %post
-/sbin/ldconfig
 %systemd_post fwupd.service

 %preun
 %systemd_preun fwupd.service

 %postun
-/sbin/ldconfig
 %systemd_postun_with_restart fwupd.service
 %systemd_postun_with_restart pesign.service

 %files -f %{name}.lang
-%doc README.md AUTHORS NEWS
+%doc README.md AUTHORS
 %license COPYING
+%config(noreplace)%{_sysconfdir}/fwupd/ata.conf
 %config(noreplace)%{_sysconfdir}/fwupd/daemon.conf
+%config(noreplace)%{_sysconfdir}/fwupd/upower.conf
 %if 0%{?have_uefi}
 %config(noreplace)%{_sysconfdir}/fwupd/uefi.conf
 %endif
 %if 0%{?have_redfish}
 %config(noreplace)%{_sysconfdir}/fwupd/redfish.conf
 %endif
+%config(noreplace)%{_sysconfdir}/fwupd/thunderbolt.conf
 %dir %{_libexecdir}/fwupd
 %{_libexecdir}/fwupd/fwupd
-%{_libexecdir}/fwupd/fwupdtool
+%{_libexecdir}/fwupd/fwupdoffline
 %if 0%{?have_uefi}
 %{_libexecdir}/fwupd/efi/*.efi
 %{_libexecdir}/fwupd/efi/*.efi.signed
-%{_libexecdir}/fwupd/fwupdate
+%{_bindir}/fwupdate
 %endif
 %{_bindir}/dfu-tool
 %{_bindir}/fwupdmgr
+%{_bindir}/fwupdtool
+%{_bindir}/fwupdagent
+%{_bindir}/jcat-tool
 %dir %{_sysconfdir}/fwupd
 %dir %{_sysconfdir}/fwupd/remotes.d
-%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd.conf
+%if 0%{?have_dell}
+%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/dell-esrt.conf
+%endif
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/lvfs.conf
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/lvfs-testing.conf
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor.conf
+%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor-directory.conf
 %config(noreplace)%{_sysconfdir}/pki/fwupd
 %{_sysconfdir}/pki/fwupd-metadata
-%{_sysconfdir}/dbus-1/system.d/org.freedesktop.fwupd.conf
+%{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf
 %{_datadir}/bash-completion/completions/fwupdmgr
 %{_datadir}/bash-completion/completions/fwupdtool
+%{_datadir}/bash-completion/completions/fwupdagent
+%{_datadir}/fish/vendor_completions.d/fwupdmgr.fish
 %{_datadir}/fwupd/metainfo/org.freedesktop.fwupd*.metainfo.xml
-%{_datadir}/fwupd/remotes.d/fwupd/metadata.xml
+%if 0%{?have_dell}
+%{_datadir}/fwupd/remotes.d/dell-esrt/metadata.xml
+%endif
 %{_datadir}/fwupd/remotes.d/vendor/firmware/README.md
 %{_datadir}/dbus-1/interfaces/org.freedesktop.fwupd.xml
 %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy
 %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules
 %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service
+%{_datadir}/man/man1/fwupdtool.1.gz
+%{_datadir}/man/man1/fwupdagent.1.gz
 %{_datadir}/man/man1/dfu-tool.1.gz
 %{_datadir}/man/man1/fwupdmgr.1.gz
+%if 0%{?have_uefi}
+%{_datadir}/man/man1/fwupdate.1.gz
+%endif
+%{_datadir}/man/man1/jcat-tool.1*
 %{_datadir}/metainfo/org.freedesktop.fwupd.metainfo.xml
-%{_datadir}/fwupd/firmware-packager
+%{_datadir}/icons/hicolor/scalable/apps/org.freedesktop.fwupd.svg
+%{_datadir}/fwupd/firmware_packager.py
+%{_datadir}/fwupd/simple_client.py
+%{_datadir}/fwupd/add_capsule_header.py
+%{_datadir}/fwupd/install_dell_bios_exe.py
 %{_unitdir}/fwupd-offline-update.service
 %{_unitdir}/fwupd.service
+%{_unitdir}/fwupd-refresh.service
+%{_unitdir}/fwupd-refresh.timer
+%{_presetdir}/fwupd-refresh.preset
 %{_unitdir}/system-update.target.wants/
 %dir %{_localstatedir}/lib/fwupd
+%dir %{_localstatedir}/cache/fwupd
 %dir %{_datadir}/fwupd/quirks.d
 %{_datadir}/fwupd/quirks.d/*.quirk
 %{_localstatedir}/lib/fwupd/builder/README.md
 %{_libdir}/libfwupd*.so.*
+%{_libdir}/libjcat.so.*
 %{_libdir}/girepository-1.0/Fwupd-2.0.typelib
+%{_libdir}/girepository-1.0/FwupdPlugin-1.0.typelib
 /usr/lib/udev/rules.d/*.rules
+/usr/lib/systemd/system-shutdown/fwupd.shutdown
 %dir %{_libdir}/fwupd-plugins-3
 %{_libdir}/fwupd-plugins-3/libfu_plugin_altos.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_amt.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_ata.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_ccgx.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_colorhug.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_coreboot.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_csr.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_cpu.so
 %if 0%{?have_dell}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dell.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dell_esrt.so
@ -291,33 +361,53 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dell_dock.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_dfu.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_ebitdo.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_emmc.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_ep963x.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_fastboot.so
+%if 0%{?have_flashrom}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_flashrom.so
+%endif
+%{_libdir}/fwupd-plugins-3/libfu_plugin_fresco_pd.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_jabra.so
+%if 0%{?have_modem_manager}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_nitrokey.so
 %if 0%{?have_uefi}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_nvme.so
 %endif
+%{_libdir}/fwupd-plugins-3/libfu_plugin_optionrom.so
 %if 0%{?have_redfish}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_redfish.so
 %endif
 %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hid.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hub.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_solokey.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_steelseries.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_superio.so
 %if 0%{?have_dell}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_synapticsmst.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_mst.so
 %endif
+%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_cxaudio.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_prometheus.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_rmi.so
 %if 0%{?enable_dummy}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_test.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_invalid.so
 %endif
+%{_libdir}/fwupd-plugins-3/libfu_plugin_thelio_io.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt_power.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_udev.so
 %if 0%{?have_uefi}
 %{_libdir}/fwupd-plugins-3/libfu_plugin_uefi.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_recovery.so
 %endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_unifying.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_logind.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_logitech_hidpp.so
 %{_libdir}/fwupd-plugins-3/libfu_plugin_upower.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_wacomhid.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_vli.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_raw.so
+%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_usb.so
 %ghost %{_localstatedir}/lib/fwupd/gnupg
 %if 0%{?have_uefi}
 %{_datadir}/locale/*/LC_IMAGES/fwupd*
@ -325,26 +415,50 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg

 %files devel
 %{_datadir}/gir-1.0/Fwupd-2.0.gir
-%{_datadir}/gtk-doc/html/libfwupd
+%{_datadir}/gir-1.0/FwupdPlugin-1.0.gir
+%{_datadir}/gtk-doc/html/fwupd
 %{_datadir}/vala/vapi
 %{_includedir}/fwupd-1
+%{_includedir}/libjcat-1
 %{_libdir}/libfwupd*.so
+%{_libdir}/libjcat.so
 %{_libdir}/pkgconfig/fwupd.pc
+%{_libdir}/pkgconfig/fwupdplugin.pc
+%{_libdir}/pkgconfig/jcat.pc

 %files tests
+%if 0%{?enable_tests}
 %dir %{_datadir}/installed-tests/fwupd
-%{_datadir}/installed-tests/fwupd/firmware-example.xml.gz
-%{_datadir}/installed-tests/fwupd/firmware-example.xml.gz.asc
+%{_datadir}/installed-tests/fwupd/fwupd-tests.xml
 %{_datadir}/installed-tests/fwupd/*.test
 %{_datadir}/installed-tests/fwupd/*.cab
 %{_datadir}/installed-tests/fwupd/*.sh
-%{_datadir}/installed-tests/fwupd/*.py*
+%dir %{_sysconfdir}/fwupd/remotes.d
+%config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd-tests.conf
+%endif

 %changelog
-* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 1.1.4-7
+* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 1.4.2-4
 - Add signing with redhatsecureboot503 cert
  Related: CVE-2020-10713

+* Thu Jul 23 2020 Richard Hughes <richard@hughsie.com> 1.4.2-3
+- Obsolete the now-dead fwupdate package to prevent file conflicts
+- Resolves: #1859202
+
+* Fri Jun 05 2020 Richard Hughes <richard@hughsie.com> 1.4.2-2
+- Security fix for CVE-2020-10759
+- Resolves: #1844324
+
+* Mon May 18 2020 Richard Hughes <richard@hughsie.com> 1.4.2-1
+- New upstream release
+- Backport a patch to fix the synaptics fingerprint reader update.
+- Resolves: #1775277
+
+* Mon Apr 27 2020 Richard Hughes <richard@hughsie.com> 1.4.1-1
+- New upstream release
+- Resolves: #1775277
+
 * Wed Feb 19 2020 Richard Hughes <richard@hughsie.com> 1.1.4-6
 - Rebuild to get the EFI executable signed with the Red Hat key
 - Resolves: #1713033