.fwupd.metadata

@@ -0,0 +1,4 @@
+8430697c343d4cb67f7c80ab906b018c82ee2c71 SOURCES/1.7.tar.gz
+ba051e72126cffa054a9dca6f935c3d9d943dff5 SOURCES/40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab
+1ccb8ca216756718c1033b134f8f96ee38674a8a SOURCES/fwupd-1.9.31.tar.xz
+bd84b581906b4f5bf9ca86f31b0c1bc69a18135a SOURCES/fwupd-2.0.19.tar.xz

.gitignore

@@ -1,10 +1,4 @@
-SOURCES/DBXUpdate-20100307-x64.cab
-SOURCES/DBXUpdate-20140413-x64.cab
-SOURCES/DBXUpdate-20160809-x64.cab
-SOURCES/DBXUpdate-20200729-aa64.cab
-SOURCES/DBXUpdate-20200729-ia32.cab
-SOURCES/DBXUpdate-20200729-x64.cab
-SOURCES/almalinuxsecurebootca0.cer
-SOURCES/fwupd-1.7.8.tar.xz
-SOURCES/fwupd-efi-1.3.tar.xz
-SOURCES/libjcat-0.1.9.tar.xz
+SOURCES/1.7.tar.gz
+SOURCES/40d3a4630619b83026f66bc64d97a582bbd9223ad53aa3f519ff5e2121d11ca6-DBXUpdate-20250507-x64.cab
+SOURCES/fwupd-1.9.31.tar.xz
+SOURCES/fwupd-2.0.19.tar.xz

SOURCES/0001-Disable-the-UEFI-plugins-on-32bit-x86.patch

@@ -0,0 +1,31 @@
+From f14115c509eeadfc65dafb78e2f7b8718de29eff Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 12 Jan 2026 10:16:19 +0000
+Subject: [PATCH] Disable the UEFI plugins on 32bit x86
+
+Although UEFI on 32 bit i686 is certainly possible to support, the dbx update
+for IA32 has been downloaded only *once* by real users of fwupd, the other
+downloads all being by bots or people syncing the entire LVFS repo.
+
+There have been no KEKs uploaded for 32 bit-only targets, and all the platforms
+are seemlying EOL. I'm not even going to bother to upload the next dbx for IA32.
+---
+ meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index 16cad5108..b0b610ad5 100644
+--- a/meson.build
++++ b/meson.build
+@@ -885,7 +885,7 @@ if dbusmock.returncode() != 0 and get_option('umockdev_tests').allowed()
+ endif
+ 
+ allow_uefi = host_machine.system() in ['linux', 'freebsd'] and \
+-  host_machine.cpu_family() in ['x86', 'x86_64', 'aarch64', 'riscv64', 'loongarch64']
++  host_machine.cpu_family() in ['x86_64', 'aarch64', 'riscv64', 'loongarch64']
+ 
+ subdir('generate-build')
+ subdir('libfwupd')
+-- 
+2.52.0
+

SOURCES/0001-Revert-Require-gnu-efi-3.0.18-or-later.patch

@@ -0,0 +1,45 @@
+From 856cde012b6ee114b8ce44e090651adbc6c6ddf8 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Mon, 12 Jan 2026 12:07:40 +0000
+Subject: [PATCH] Revert "Require gnu-efi 3.0.18 or later"
+
+This reverts commit 26c6ec5c1e7765fb5dc6a4df511ab21ee6c6e67a.
+---
+ efi/meson.build | 6 ++++++
+ meson.build     | 3 ++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/efi/meson.build b/efi/meson.build
+index a034bc2..af4bfa3 100644
+--- a/efi/meson.build
++++ b/efi/meson.build
+@@ -45,6 +45,12 @@ if efi_libdir == ''
+   endif
+ endif
+ 
++have_gnu_efi = gnu_efi_path_arch != '' and efi_libdir != ''
++
++if not have_gnu_efi and not gnuefi.found()
++  error('gnu-efi headers were not found')
++endif
++
+ # The name we need to look for on this arch and OS: elf_x86_64_fbsd_efi.lds
+ lds_os = ''
+ if host_cpu == 'x86_64' and host_machine.system() == 'freebsd'
+diff --git a/meson.build b/meson.build
+index d632aaa..7052105 100644
+--- a/meson.build
++++ b/meson.build
+@@ -13,7 +13,8 @@ cc_ld = find_program(cc.get_linker_id())
+ objcopy = find_program('objcopy')
+ objcopy_version = run_command(objcopy, '--version', check: true).stdout().split('\n')[0].split(' ')[-1]
+ 
+-gnuefi = dependency('gnu-efi', version: '>= 3.0.18')
++# pkgconfig introduced in 3.0.18, allows compiling against older
++gnuefi = dependency('gnu-efi', required: false)
+ prefix = get_option('prefix')
+ libdir = join_paths(prefix, get_option('libdir'))
+ libexecdir = join_paths(prefix, get_option('libexecdir'))
+-- 
+2.52.0
+

SOURCES/0001-Revert-trivial-Remove-some-dead-JCat-compat-code.patch

@@ -0,0 +1,118 @@
+From 8c5c3fe46c4a10eafd8a11f888216f61448121f3 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Fri, 9 Jan 2026 16:36:24 +0000
+Subject: [PATCH] Revert "trivial: Remove some dead JCat compat code"
+
+This reverts commit b3cd790875065fdda7b8bf7328c325af8ce30a52 so we can build
+on RHEL 9 without also upreving libjcat.
+
+(cherry picked from commit 4f6726f410cedcae7707366d89ef36f9d370950b)
+---
+ meson.build      |  2 +-
+ src/fu-cabinet.c | 12 +++++++++++-
+ src/fu-engine.c  |  9 +++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index 5726be646..1766ce8b6 100644
+--- a/meson.build
++++ b/meson.build
+@@ -360,7 +360,7 @@ if build_standalone
+ endif
+ libjcat = dependency(
+   'jcat',
+-  version: '>= 0.2.0',
++  version: '>= 0.1.6',
+   fallback: ['libjcat', 'libjcat_dep'],
+ )
+ libjsonglib = dependency(
+diff --git a/src/fu-cabinet.c b/src/fu-cabinet.c
+index dabc1eb6d..28b91b450 100644
+--- a/src/fu-cabinet.c
++++ b/src/fu-cabinet.c
+@@ -12,6 +12,11 @@
+ 
+ #include "fu-cabinet.h"
+ 
++/* fixed in 0.1.14 */
++#ifndef JCAT_CHECK_VERSION
++#define JCAT_CHECK_VERSION LIBJCAT_CHECK_VERSION
++#endif
++
+ /**
+  * FuCabinet:
+  *
+@@ -225,6 +230,7 @@ fu_cabinet_parse_release(FuCabinet *self,
+ 
+ 	/* the jcat file signed the *checksum of the payload*, not the payload itself */
+ 	item = jcat_file_get_item_by_id(self->jcat_file, basename, NULL);
++#if JCAT_CHECK_VERSION(0, 2, 0)
+ 	if (item != NULL && jcat_item_has_target(item)) {
+ 		g_autofree gchar *checksum_sha256 = NULL;
+ 		g_autofree gchar *checksum_sha512 = NULL;
+@@ -265,7 +271,9 @@ fu_cabinet_parse_release(FuCabinet *self,
+ 			g_info("verified indirect payload %s: %u", basename, results->len);
+ 			release_flags |= FWUPD_RELEASE_FLAG_TRUSTED_PAYLOAD;
+ 		}
+-	} else if (item != NULL) {
++	}
++#endif
++	if (item != NULL) {
+ 		g_autoptr(GBytes) blob = NULL;
+ 		g_autoptr(GError) error_local = NULL;
+ 		g_autoptr(GPtrArray) results = NULL;
+@@ -1079,10 +1087,12 @@ fu_cabinet_init(FuCabinet *self)
+ 	self->builder = xb_builder_new();
+ 	self->jcat_file = jcat_file_new();
+ 	self->jcat_context = jcat_context_new();
++#if JCAT_CHECK_VERSION(0, 1, 13)
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
++#endif
+ }
+ 
+ static void
+diff --git a/src/fu-engine.c b/src/fu-engine.c
+index 498b6ebf8..9f2df208d 100644
+--- a/src/fu-engine.c
++++ b/src/fu-engine.c
+@@ -76,6 +76,11 @@
+ /* only needed until we hard depend on jcat 0.1.3 */
+ #include <libjcat/jcat-version.h>
+ 
++/* fixed in 0.1.14 */
++#ifndef JCAT_CHECK_VERSION
++#define JCAT_CHECK_VERSION LIBJCAT_CHECK_VERSION
++#endif
++
+ #ifdef HAVE_SYSTEMD
+ #include "fu-systemd.h"
+ #endif
+@@ -9336,10 +9341,12 @@ fu_engine_constructed(GObject *obj)
+ 
+ 	/* setup Jcat context */
+ 	self->jcat_context = jcat_context_new();
++#if JCAT_CHECK_VERSION(0, 1, 13)
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA256);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_SHA512);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_PKCS7);
+ 	jcat_context_blob_kind_allow(self->jcat_context, JCAT_BLOB_KIND_GPG);
++#endif
+ 	keyring_path = fu_path_from_kind(FU_PATH_KIND_LOCALSTATEDIR_PKG);
+ 	jcat_context_set_keyring_path(self->jcat_context, keyring_path);
+ 	pkidir_fw = fu_path_build(FU_PATH_KIND_SYSCONFDIR, "pki", "fwupd", NULL);
+@@ -9349,7 +9356,9 @@ fu_engine_constructed(GObject *obj)
+ 
+ 	/* add some runtime versions of things the daemon depends on */
+ 	fu_engine_add_runtime_version(self, "org.freedesktop.fwupd", VERSION);
++#if JCAT_CHECK_VERSION(0, 1, 11)
+ 	fu_engine_add_runtime_version(self, "com.hughsie.libjcat", jcat_version_string());
++#endif
+ 	fu_engine_add_runtime_version(self, "com.hughsie.libxmlb", xb_version_string());
+ 
+ 	/* optional kernel version */
+-- 
+2.52.0
+

SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch

@@ -1,29 +0,0 @@
-From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Tue, 22 Aug 2023 10:05:27 +0100
-Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
-
----
- meson.build | 6 +-----
- 1 file changed, 1 insertion(+), 5 deletions(-)
-
-diff --git a/meson.build b/meson.build
-index bb406d616..ac90c8ee6 100644
---- a/meson.build
-+++ b/meson.build
-@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
- endif
- 
- bashcomp = dependency('bash-completion', required: false)
--if host_machine.system() != 'freebsd'
--  python3 = find_program('python3')
--else
--  python3 = find_program('python3.8', 'python3', 'python3.9')
--endif
-+python3 = find_program('/usr/libexec/platform-python')
- 
- if get_option('gnutls')
-   gnutls = dependency('gnutls', version : '>= 3.6.0')
--- 
-2.41.0
-

SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch

@@ -1,28 +0,0 @@
-From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Tue, 20 Sep 2022 08:06:12 +0100
-Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
- time
-
-Although typically we set the password using fu_plugin_set_secure_config_value()
-or something like Ansible or Puppet -- the user could just edit the file with
-vim and we still want the permissions set correctly.
----
- plugins/redfish/meson.build | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
-index 34ba4b7f6..7b19574de 100644
---- a/plugins/redfish/meson.build
-+++ b/plugins/redfish/meson.build
-@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
- 
- install_data(['redfish.conf'],
-   install_dir:  join_paths(sysconfdir, 'fwupd'),
-+  install_mode: 'rw-r-----',
- )
- 
- if get_option('tests')
--- 
-2.39.1
-

SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch

@@ -1,47 +0,0 @@
-From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Tue, 20 Sep 2022 09:13:52 +0100
-Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
- going to work
-
-Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
-implementations are not specification compliant and do entirely the wrong thing.
----
- plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
- plugins/redfish/redfish.quirk       | 2 +-
- 2 files changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
-index deb0fe742..3972d4b4b 100644
---- a/plugins/redfish/fu-plugin-redfish.c
-+++ b/plugins/redfish/fu-plugin-redfish.c
-@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
- #ifdef HAVE_LINUX_IPMI_H
- 	/* we got neither a type 42 entry or config value, lets try IPMI */
- 	if (fu_redfish_backend_get_username(data->backend) == NULL) {
-+		if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
-+			g_set_error_literal(error,
-+					    FWUPD_ERROR,
-+					    FWUPD_ERROR_NOT_SUPPORTED,
-+					    "no username and password specified, "
-+					    "and no vendor quirk for 'ipmi-create-user'");
-+			return FALSE;
-+		}
- 		if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
- 			g_debug("attempting to create user using IPMI");
- 			if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
-diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
-index b12439926..5e9722fda 100644
---- a/plugins/redfish/redfish.quirk
-+++ b/plugins/redfish/redfish.quirk
-@@ -1,6 +1,6 @@
- # Lenovo ThinkSystem
- [42f00735-c9ab-5374-bd63-a5deee5881e0]
--Flags = wildcard-targets,reset-required
-+Flags = wildcard-targets,reset-required,ipmi-create-user
- 
- [REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
- ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
--- 
-2.39.1
-

SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch

@@ -1,141 +0,0 @@
-From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
-From: Richard Hughes <richard@hughsie.com>
-Date: Wed, 21 Sep 2022 14:56:10 +0100
-Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
- users
-
-When the redfish plugin automatically creates an OPERATOR user account on the
-BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
-is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
-
-Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
-the keyfile string data.
-I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
-used to copy permissions, but alas not.
-
-GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
-which undoes the previous chmod().
-
-Use g_file_set_contents_full() with the correct mode for newer GLib versions,
-and provide a fallback with the same semantics for older versions.
----
- contrib/fwupd.spec.in         |  3 ++
- libfwupdplugin/fu-plugin.c    | 65 +++++++++++++++++++++++++++++------
- libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
- 3 files changed, 114 insertions(+), 11 deletions(-)
-
-diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
-index a50e30a9c..0854fcf4f 100644
---- a/contrib/fwupd.spec.in
-+++ b/contrib/fwupd.spec.in
-@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
-     fi
- done
- 
-+# ensure this is private
-+chmod 0660 /etc/fwupd/redfish.conf
-+
- %preun
- %systemd_preun fwupd.service
- 
-diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
-index 18042a028..04951de85 100644
---- a/libfwupdplugin/fu-plugin.c
-+++ b/libfwupdplugin/fu-plugin.c
-@@ -9,6 +9,7 @@
- #include "config.h"
- 
- #include <errno.h>
-+#include <fcntl.h>
- #include <fwupd.h>
- #include <glib/gstdio.h>
- #include <gmodule.h>
-@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
- 	return g_key_file_save_to_file(keyfile, conf_path, error);
- }
- 
-+#if !GLIB_CHECK_VERSION(2, 66, 0)
-+
-+#define G_FILE_SET_CONTENTS_CONSISTENT 0
-+typedef guint GFileSetContentsFlags;
-+static gboolean
-+g_file_set_contents_full(const gchar *filename,
-+			 const gchar *contents,
-+			 gssize length,
-+			 GFileSetContentsFlags flags,
-+			 int mode,
-+			 GError **error)
-+{
-+	gint fd;
-+	gssize wrote;
-+
-+	if (length < 0)
-+		length = strlen(contents);
-+	fd = g_open(filename, O_CREAT, mode);
-+	if (fd <= 0) {
-+		g_set_error(error,
-+			    G_IO_ERROR,
-+			    G_IO_ERROR_FAILED,
-+			    "could not open %s file",
-+			    filename);
-+		return FALSE;
-+	}
-+	wrote = write(fd, contents, length);
-+	if (wrote != length) {
-+		g_set_error(error,
-+			    G_IO_ERROR,
-+			    G_IO_ERROR_FAILED,
-+			    "did not write %s file",
-+			    filename);
-+		g_close(fd, NULL);
-+		return FALSE;
-+	}
-+	return g_close(fd, error);
-+}
-+#endif
-+
- /**
-  * fu_plugin_set_secure_config_value:
-  * @self: a #FuPlugin
-@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
- 				  GError **error)
- {
- 	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
--	gint ret;
-+	g_autofree gchar *data = NULL;
-+	g_autoptr(GKeyFile) keyfile = g_key_file_new();
- 
- 	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
- 	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
-@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
- 		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
- 		return FALSE;
- 	}
--	ret = g_chmod(conf_path, 0660);
--	if (ret == -1) {
--		g_set_error(error,
--			    FWUPD_ERROR,
--			    FWUPD_ERROR_INTERNAL,
--			    "failed to set permissions on %s",
--			    conf_path);
-+	if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
- 		return FALSE;
--	}
--
--	return fu_plugin_set_config_value(self, key, value, error);
-+	g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
-+	data = g_key_file_to_data(keyfile, NULL, error);
-+	if (data == NULL)
-+		return FALSE;
-+	return g_file_set_contents_full(conf_path,
-+					data,
-+					-1,
-+					G_FILE_SET_CONTENTS_CONSISTENT,
-+					0660,
-+					error);
- }
- 
- /**
--- 
-2.39.1
-