From 1554303a7f715b862601a3341e1f8b6b0b434133 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Wed, 29 Jul 2020 13:16:11 -0400
Subject: [PATCH] import fwupd-1.1.4-7.el8_2

---
 ...secureboot.cer => redhatsecureboot301.cer} | Bin
 SOURCES/redhatsecureboot503.cer               | Bin 0 -> 964 bytes
 ...curebootca.cer => redhatsecurebootca3.cer} | Bin
 SOURCES/redhatsecurebootca5.cer               | Bin 0 -> 920 bytes
 SPECS/fwupd.spec                              |  22 ++++++++++++++----
 5 files changed, 17 insertions(+), 5 deletions(-)
 rename SOURCES/{secureboot.cer => redhatsecureboot301.cer} (100%)
 create mode 100644 SOURCES/redhatsecureboot503.cer
 rename SOURCES/{securebootca.cer => redhatsecurebootca3.cer} (100%)
 create mode 100644 SOURCES/redhatsecurebootca5.cer

diff --git a/SOURCES/secureboot.cer b/SOURCES/redhatsecureboot301.cer
similarity index 100%
rename from SOURCES/secureboot.cer
rename to SOURCES/redhatsecureboot301.cer
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer
new file mode 100644
index 0000000000000000000000000000000000000000..50e375c7461e78286033119e7b6f9d55fdb3543c
GIT binary patch
literal 964
zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JY;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR
z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1
z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQvWODrHMTG?G_-(n4bpHr
zK*K-{;sAMU4hYUn&&$k9S1>g&CdwU6j7rFUXJlnyZerwTFlb`rVrpV!WSFGBlyl!b
z@AvOl&N7VJBQfm-*Gb3trqyBYpMP7O)-t#1KVhSL*Xm1lv+vaB_D}D5y>Gs;>;9|c
zS*nVeCj;4XQ<W5EH}Tym*%7#-`^=J5b6<()Q(oN)UG=c#X@PDG|D|)8BFXE`LN70!
z({ppBocU#L2Mzmw%yzNu{TCnYNRo7l+8N3Ar9?sTf%8%I4E>qR$0JPJB$l15Dm#Ah
z*G9?ng;qBhTt7zi_9piI<x>B1HKryy*<#h?ozG0H9pAq!Hx`|9`sDeVhoQ|+Ba2Qv
zo-yfhS&G=>BcJvO?o=@Oz`Lz_kxrWF{OxXgEW`@xmVMa7-nq`c>PBzQ|M_C~MBFr9
zPrLh_iJ6gsadCw~nE?+l)MbSk8UM2|888^|fq48N9t$%QdxL=(h_4Fb^B8ckacHwK
zva+%>GaJZ)#Q9jnSVS6UDoF(Enx4Ng{cq63UVh2ku$$W8v?Qy{B4HrbAaW*u>2r;Y
zU7miEXYbA6p6F6GYkog++yK)hFm4zb1h29y$1xV|D)`m!I6+~4tbNet)HA$J5+1X7
z^`aP;7*9J<6!|s6!sq4b3!SQO4a7XU<hYNmSt)Sj{sGGme_8wLH;80w@%iX1pZIcx
z0HbhszX{Wf-ZPa(;$1I}aZKu3Gg0`%X1>c(LMA*hcX#E?K3&s2<&fsu=j-COdYrFG
zd%)%2@WE8TTRmd4$Nz&#rSC6shKtRebdaxGHOuddxkF-v`v-gbQf5te+s{&O)6ChW
zul|X<TE>wxt5?3lD7D<Zy*<)^qe1vpo8k7zPNfShjXovv+vL_x{LZ@Qx1!(5?Fo~D
krrxM3=gkuDU3No_PxZqi?)hb&YG1?o*9G0@RS=B?0A4m<y8r+H

literal 0
HcmV?d00001

diff --git a/SOURCES/securebootca.cer b/SOURCES/redhatsecurebootca3.cer
similarity index 100%
rename from SOURCES/securebootca.cer
rename to SOURCES/redhatsecurebootca3.cer
diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer
new file mode 100644
index 0000000000000000000000000000000000000000..dfb0284954861282d1a0ce16c8c5cdc71c27659f
GIT binary patch
literal 920
zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k
zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW<?}
zm~e4wa$-(uQHeuQYDz|8iC%Jku7R95uaSX)nSrH&g`ugjS(G@hv4w%5p#_vndj~Wz
zDj|ECk(GhDiIJbdpox)-sfm%1;oPoQj^Z+n3p+UXFTAqySFqmPd3*j?Ys@hSTEP8<
zf#2*zv*WjwCq+F|Q?70*n-_6VPwv(E$rjn}*LF=h`h($l`O@&r`;HrrOo-N1I9RfZ
zxvgQ_lF0WfJ6z&|9Ilj$E@Ww)^ZxU(`JeguueG>6NxP$#b?ru1p1aqn$3D)YB{Qqo
zjCvjz?|=HkE#3AN-xTZpws*U~)f@D<hHx*rr)(NEvzYZp!}C-TDRu*$;<gRCi<g-#
z^KFcsxIBILE9>Z{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({
zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOF<JVRuW=00a#lZ%F2C~5TmgQp+V-Y!%
zzx26A#x764$+P!na8Gn8n>D{5oE&78StJa^8n7$i2k94PWc<&<YQPMnkb@nV)_}pz
z$RPVX&M7PHOp)E}n3L-lp9;}?o3i@APVs%}E9D|KM%wramRy`J6~x-Y+I90o>xr*#
z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx
zk5XXYstAL9d+iK-w@u$FES<YPN5Z<$i*sS8`10oxUvmRDUKTjPckPLhB$Kz)rb~A;
z7pqN`Wn_C2lv%-c*}%nRLuvV$khM?pl$8F*{-4ao^K*vP9Lw!IjTb)uU|-JJoj<4R
z;o3irGXj>ybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw}
Pd!}BnFF!b8N6JS4>O*3Z

literal 0
HcmV?d00001

diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec
index abb2f26..f159daa 100644
--- a/SPECS/fwupd.spec
+++ b/SPECS/fwupd.spec
@@ -26,12 +26,17 @@
 Summary:   Firmware update daemon
 Name:      fwupd
 Version:   1.1.4
-Release:   6%{?dist}
+Release:   7%{?dist}
 License:   LGPLv2+
 URL:       https://github.com/hughsie/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   securebootca.cer
-Source2:   secureboot.cer
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300:   redhatsecurebootca3.cer
+Source301:   redhatsecureboot301.cer
+Source500:   redhatsecurebootca5.cer
+Source503:   redhatsecureboot503.cer
 
 # backport from upstream
 Patch0:    0001-trivial-Relax-the-timing-requirements-on-the-FuDevic.patch
@@ -39,6 +44,7 @@ Patch1:    0001-Relax-the-certificate-time-checks-in-the-self-tests-.patch
 Patch2:    0001-Disable-wacomhid-by-default-as-probing-the-device-st.patch
 Patch3:    0001-uefi-add-a-new-option-to-specify-the-os-name.patch
 
+BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libappstream-glib-devel >= %{libappstream_version}
@@ -148,7 +154,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 
 %meson \
     -Dgtkdoc=true \
-    -Defi_os_dir=redhat \
+    -Defi_os_dir=%{efi_vendor} \
 %if 0%{?enable_tests}
     -Dtests=true \
 %else
@@ -200,7 +206,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif
 
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -333,6 +341,10 @@ mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
 %{_datadir}/installed-tests/fwupd/*.py*
 
 %changelog
+* Mon Jul 27 2020 Peter Jones <pjones@redhat.com> - 1.1.4-7
+- Add signing with redhatsecureboot503 cert
+  Related: CVE-2020-10713
+
 * Wed Feb 19 2020 Richard Hughes <richard@hughsie.com> 1.1.4-6
 - Rebuild to get the EFI executable signed with the Red Hat key
 - Resolves: #1713033