From a1b92a51da67c0774f3c73a4ff4dd902a2210e2e Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Mon, 10 Aug 2020 18:25:09 +0000
Subject: [PATCH] import fwupd-1.4.2-4.el8
---
 ...secureboot.cer => redhatsecureboot301.cer} | Bin
 SOURCES/redhatsecureboot503.cer | Bin 0 -> 964 bytes
 ...curebootca.cer => redhatsecurebootca3.cer} | Bin
 SOURCES/redhatsecurebootca5.cer | Bin 0 -> 920 bytes
 SPECS/fwupd.spec | 31 ++++++++++++++----
 5 files changed, 24 insertions(+), 7 deletions(-)
 rename SOURCES/{secureboot.cer => redhatsecureboot301.cer} (100%)
 create mode 100644 SOURCES/redhatsecureboot503.cer
 rename SOURCES/{securebootca.cer => redhatsecurebootca3.cer} (100%)
 create mode 100644 SOURCES/redhatsecurebootca5.cer
diff --git a/SOURCES/secureboot.cer b/SOURCES/redhatsecureboot301.cer
similarity index 100%
rename from SOURCES/secureboot.cer
rename to SOURCES/redhatsecureboot301.cer
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer new file mode 100644 index 0000000000000000000000000000000000000000..50e375c7461e78286033119e7b6f9d55fdb3543c GIT binary patch literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JY;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQvWODrHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&CdwU6j7rFUXJlnyZerwTFlb`rVrpV!WSFGBlyl!b z@AvOl&N7VJBQfm-*Gb3trqyBYpMP7O)-t#1KVhSL*Xm1lv+vaB_D}D5y>Gs;>;9|c zS*nVeCj;4XQqR$0JPJB$l15Dm#Ah z*G9?ng;qBhTt7zi_9piIB1HKryy*<#h?ozG0H9pAq!Hx`|9`sDeVhoQ|+Ba2Qv zo-yfhS&G=>BcJvO?o=@Oz`Lz_kxrWF{OxXgEW`@xmVMa7-nq`c>PBzQ|M_C~MBFr9 zPrLh_iJ6gsadCw~nE?+l)MbSk8UM2|888^|fq48N9t$%QdxL=(h_4Fb^B8ckacHwK zva+%>GaJZ)#Q9jnSVS6UDoF(Enx4Ng{cq63UVh2ku$$W8v?Qy{B4HrbAaW*u>2r;Y zU7miEXYbA6p6F6GYkog++yK)hFm4zb1h29y$1xV|D)`m!I6+~4tbNet)HA$J5+1X7 z^`aP;7*9J<6!|s6!sq4b3!SQO4a7XUc(LMA*hcX#E?K3&s2<&fsu=j-COdYrFG zd%)%2@WE8TTRmd4$Nz&#rSC6shKtRebdaxGHOuddxkF-v`v-gbQf5te+s{&O)6ChW zul|Xwxt5?3lD7DX)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z literal 0 HcmV?d00001 diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index dffaedd..e7655ad 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec 
@@ -32,18 +32,24 @@
 Summary: Firmware update daemon
 Name: fwupd
 Version: 1.4.2
-Release: 2%{?dist}
+Release: 4%{?dist}
 License: LGPLv2+
 URL: https://github.com/fwupd/fwupd
 Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1: securebootca.cer
-Source2: secureboot.cer
-Source3: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+Source1: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz
+
+# these are numbered high just to keep them wildly away from colliding with
+# the real package sources, in order to reduce churn.
+Source300: redhatsecurebootca3.cer
+Source301: redhatsecureboot301.cer
+Source500: redhatsecurebootca5.cer
+Source503: redhatsecureboot503.cer
 Patch1: 0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
 Patch2: 0001-Do-not-use-the-LVFS.patch
 Patch3: 0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
+BuildRequires: efi-srpm-macros
 BuildRequires: gettext
 BuildRequires: glib2-devel >= %{glib2_version}
 BuildRequires: libxmlb-devel >= %{libxmlb_version}
@@ -118,6 +124,7 @@ Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
+Obsoletes: fwupdate
 %description
 fwupd is a daemon to allow session software to update device firmware.
@@ -142,7 +149,7 @@ Data files for installed tests.
 %patch2 -p1 -b .lvfs-disabled
 mkdir -p subprojects/libjcat
-tar xfvs %{SOURCE3} -C subprojects/libjcat --strip-components=1
+tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
 # apply patch to subproject
 cd subprojects/libjcat
@@ -168,7 +175,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %meson \
 -Dgtkdoc=true \
- -Defi_os_dir=redhat \
+ -Defi_os_dir=%{efi_vendor} \
 -Dplugin_tpm=false \
 -Dlibjcat:gtkdoc=false \
 -Dlibjcat:introspection=false \
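Review bot: In the `@@ -32,18 +32,24 @@` hunk the renumbered `Source1` line (like `Source0` in the context above it) still names a plain `http://` URL for the libjcat tarball, which a later hunk unpacks into `subprojects/libjcat` for the build. Whether the build system fetches from that URL or from a checksummed cache is not visible here, but anyone refreshing the tarball from the spec gets no transport integrity. I would switch both lines to `https://people.freedesktop.org/~hughsient/releases/...`. If upstream publishes detached signatures, they could be added as further sources and checked in `%prep`.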
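Review bot: In the `@@ -118,6 +124,7 @@` hunk the new `Obsoletes: fwupdate` has no version bound, unlike the versioned `Obsoletes:` lines directly above it. An unversioned obsolete matches every build of that name, so the package could never be shipped again without being removed on upgrade. I would bound it, e.g. `Obsoletes: fwupdate < <LAST_SHIPPED_EVR>` (placeholder for the last fwupdate version-release that was shipped). It is also worth confirming that any fwupdate subpackages owning the conflicting files are covered; the hunk does not show which package owns them.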
@@ -234,7 +241,9 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %global efiarch aa64
 %endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE1} -c %{SOURCE2} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
+%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
+rm -fv %{fwup_efi_fn}.tmp
 %endif
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -429,6 +438,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd
 %endif
 %changelog
+* Fri Jul 24 2020 Peter Jones - 1.4.2-4
+- Add signing with redhatsecureboot503 cert
+ Related: CVE-2020-10713
+
+* Thu Jul 23 2020 Richard Hughes 1.4.2-3
+- Obsolete the now-dead fwupdate package to prevent file conflicts
+- Resolves: #1859202
+
 * Fri Jun 05 2020 Richard Hughes 1.4.2-2
 - Security fix for CVE-2020-10759
 - Resolves: #1844324
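Review bot: In the `@@ -234,7 +241,9 @@` hunk nothing checks that `%{fwup_efi_fn}.signed` ends up carrying both signatures; the second `%pesign` is trusted to append to the output of the first rather than replace it, and the build log records no evidence either way. The changelog ties the second certificate to CVE-2020-10713, so a binary that ships with only one of the two signatures would presumably defeat the purpose of the change. I would list the signatures after the second signing step, e.g. `pesign -S -i %{fwup_efi_fn}.signed`, assuming pesign is usable in the buildroot at that point, and fail the build unless both certificate names appear. A comment above the two lines, such as `# sign twice: keep the redhatsecureboot301 signature and add redhatsecureboot503 (CVE-2020-10713)`, would record why there are two passes. The enclosing `%if` block starts outside the hunk.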