.fwupd.metadata

@@ -1,8 +0,0 @@
-b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
-dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
-a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
-b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
-3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
-89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
-9b651aadcfa14f6f783c73e74b8bdac3c4373244 SOURCES/fwupd-1.5.9.tar.xz
-e01a97b6d16a188a43cb25caa42cdf9771803531 SOURCES/libjcat-0.1.5.tar.xz

.gitignore

@@ -4,5 +4,7 @@ SOURCES/DBXUpdate-20160809-x64.cab
 SOURCES/DBXUpdate-20200729-aa64.cab
 SOURCES/DBXUpdate-20200729-ia32.cab
 SOURCES/DBXUpdate-20200729-x64.cab
-SOURCES/fwupd-1.5.9.tar.xz
-SOURCES/libjcat-0.1.5.tar.xz
+SOURCES/almalinuxsecurebootca0.cer
+SOURCES/fwupd-1.7.8.tar.xz
+SOURCES/fwupd-efi-1.3.tar.xz
+SOURCES/libjcat-0.1.9.tar.xz

SOURCES/0001-Do-not-use-the-LVFS.patch

@@ -1,26 +0,0 @@
-diff --git a/data/remotes.d/lvfs.conf b/data/remotes.d/lvfs.conf
-index 1249ef74..f533bf52 100644
---- a/data/remotes.d/lvfs.conf
-+++ b/data/remotes.d/lvfs.conf
-@@ -1,7 +1,7 @@
- [fwupd Remote]
- 
- # this remote provides metadata and firmware marked as 'stable' from the LVFS
--Enabled=true
-+Enabled=false
- Title=Linux Vendor Firmware Service
- MetadataURI=https://cdn.fwupd.org/downloads/firmware.xml.gz
- ReportURI=https://fwupd.org/lvfs/firmware/report
-diff --git a/libfwupd/fwupd-self-test.c b/libfwupd/fwupd-self-test.c
-index 679360b0..59660360 100644
---- a/libfwupd/fwupd-self-test.c
-+++ b/libfwupd/fwupd-self-test.c
-@@ -182,7 +182,7 @@ fwupd_remote_download_func (void)
- 	g_assert_cmpint (fwupd_remote_get_kind (remote), ==, FWUPD_REMOTE_KIND_DOWNLOAD);
- 	g_assert_cmpint (fwupd_remote_get_keyring_kind (remote), ==, FWUPD_KEYRING_KIND_JCAT);
- 	g_assert_cmpint (fwupd_remote_get_priority (remote), ==, 0);
--	g_assert (fwupd_remote_get_enabled (remote));
-+//	g_assert (fwupd_remote_get_enabled (remote));
- 	g_assert (fwupd_remote_get_metadata_uri (remote) != NULL);
- 	g_assert (fwupd_remote_get_metadata_uri_sig (remote) != NULL);
- 	g_assert_cmpstr (fwupd_remote_get_title (remote), ==, "Linux Vendor Firmware Service");

SOURCES/0001-Use-usr-libexec-platform-python-for-RHEL.patch

@@ -0,0 +1,29 @@
+From 1fc24adecbb62b3cd77ef965c5daf1b72f6c7aa8 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 22 Aug 2023 10:05:27 +0100
+Subject: [PATCH] Use /usr/libexec/platform-python for RHEL
+
+---
+ meson.build | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/meson.build b/meson.build
+index bb406d616..ac90c8ee6 100644
+--- a/meson.build
++++ b/meson.build
+@@ -261,11 +261,7 @@ if libgcab.type_name() == 'pkgconfig' and cc.has_function('gcab_file_set_bytes',
+ endif
+ 
+ bashcomp = dependency('bash-completion', required: false)
+-if host_machine.system() != 'freebsd'
+-  python3 = find_program('python3')
+-else
+-  python3 = find_program('python3.8', 'python3', 'python3.9')
+-endif
++python3 = find_program('/usr/libexec/platform-python')
+ 
+ if get_option('gnutls')
+   gnutls = dependency('gnutls', version : '>= 3.6.0')
+-- 
+2.41.0
+

SOURCES/0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch

@@ -0,0 +1,28 @@
+From 442f7f9200fbf6ec509dd0ee40eae2e37b2fb73e Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 08:06:12 +0100
+Subject: [PATCH 1/3] redfish: Set the permissions of redfish.conf at install
+ time
+
+Although typically we set the password using fu_plugin_set_secure_config_value()
+or something like Ansible or Puppet -- the user could just edit the file with
+vim and we still want the permissions set correctly.
+---
+ plugins/redfish/meson.build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugins/redfish/meson.build b/plugins/redfish/meson.build
+index 34ba4b7f6..7b19574de 100644
+--- a/plugins/redfish/meson.build
++++ b/plugins/redfish/meson.build
+@@ -48,6 +48,7 @@ shared_module('fu_plugin_redfish',
+ 
+ install_data(['redfish.conf'],
+   install_dir:  join_paths(sysconfdir, 'fwupd'),
++  install_mode: 'rw-r-----',
+ )
+ 
+ if get_option('tests')
+-- 
+2.39.1
+

SOURCES/0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch

@@ -0,0 +1,47 @@
+From 4f39b747a6d860e32a3000451dd2635366c81776 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Tue, 20 Sep 2022 09:13:52 +0100
+Subject: [PATCH 2/3] redfish: Only create users using IPMI when we know it's
+ going to work
+
+Make the IPMI auto-account feature allow-listed on specific vendors as some IPMI
+implementations are not specification compliant and do entirely the wrong thing.
+---
+ plugins/redfish/fu-plugin-redfish.c | 8 ++++++++
+ plugins/redfish/redfish.quirk       | 2 +-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/redfish/fu-plugin-redfish.c b/plugins/redfish/fu-plugin-redfish.c
+index deb0fe742..3972d4b4b 100644
+--- a/plugins/redfish/fu-plugin-redfish.c
++++ b/plugins/redfish/fu-plugin-redfish.c
+@@ -422,6 +422,14 @@ fu_plugin_redfish_startup(FuPlugin *plugin, GError **error)
+ #ifdef HAVE_LINUX_IPMI_H
+ 	/* we got neither a type 42 entry or config value, lets try IPMI */
+ 	if (fu_redfish_backend_get_username(data->backend) == NULL) {
++		if (!fu_context_has_hwid_flag(fu_plugin_get_context(plugin), "ipmi-create-user")) {
++			g_set_error_literal(error,
++					    FWUPD_ERROR,
++					    FWUPD_ERROR_NOT_SUPPORTED,
++					    "no username and password specified, "
++					    "and no vendor quirk for 'ipmi-create-user'");
++			return FALSE;
++		}
+ 		if (!fu_plugin_get_config_value_boolean(plugin, "IpmiDisableCreateUser")) {
+ 			g_debug("attempting to create user using IPMI");
+ 			if (!fu_redfish_plugin_ipmi_create_user(plugin, error))
+diff --git a/plugins/redfish/redfish.quirk b/plugins/redfish/redfish.quirk
+index b12439926..5e9722fda 100644
+--- a/plugins/redfish/redfish.quirk
++++ b/plugins/redfish/redfish.quirk
+@@ -1,6 +1,6 @@
+ # Lenovo ThinkSystem
+ [42f00735-c9ab-5374-bd63-a5deee5881e0]
+-Flags = wildcard-targets,reset-required
++Flags = wildcard-targets,reset-required,ipmi-create-user
+ 
+ [REDFISH\VENDOR_Lenovo&ID_BMC-Backup]
+ ParentGuid = REDFISH\VENDOR_Lenovo&ID_BMC-Primary
+-- 
+2.39.1
+

SOURCES/0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch

@@ -0,0 +1,141 @@
+From 41575afd93ca0e68bced78ca43a4488f124906a1 Mon Sep 17 00:00:00 2001
+From: Richard Hughes <richard@hughsie.com>
+Date: Wed, 21 Sep 2022 14:56:10 +0100
+Subject: [PATCH 3/3] Never save the Redfish passwords to a file readable by
+ users
+
+When the redfish plugin automatically creates an OPERATOR user account on the
+BMC we save the autogenerated password to /etc/fwupd/redfish.conf, ensuring it
+is chmod'ed to 0660 before writing the file with g_key_file_save_to_file().
+
+Under the covers, g_key_file_save_to_file() calls g_file_set_contents() with
+the keyfile string data.
+I was under the impression that G_FILE_CREATE_REPLACE_DESTINATION was being
+used to copy permissions, but alas not.
+
+GLib instead calls g_file_set_contents_full() with the mode hardcoded to 0666,
+which undoes the previous chmod().
+
+Use g_file_set_contents_full() with the correct mode for newer GLib versions,
+and provide a fallback with the same semantics for older versions.
+---
+ contrib/fwupd.spec.in         |  3 ++
+ libfwupdplugin/fu-plugin.c    | 65 +++++++++++++++++++++++++++++------
+ libfwupdplugin/fu-self-test.c | 57 ++++++++++++++++++++++++++++++
+ 3 files changed, 114 insertions(+), 11 deletions(-)
+
+diff --git a/contrib/fwupd.spec.in b/contrib/fwupd.spec.in
+index a50e30a9c..0854fcf4f 100644
+--- a/contrib/fwupd.spec.in
++++ b/contrib/fwupd.spec.in
+@@ -313,6 +313,9 @@ for fn in /etc/fwupd/remotes.d/*.conf; do
+     fi
+ done
+ 
++# ensure this is private
++chmod 0660 /etc/fwupd/redfish.conf
++
+ %preun
+ %systemd_preun fwupd.service
+ 
+diff --git a/libfwupdplugin/fu-plugin.c b/libfwupdplugin/fu-plugin.c
+index 18042a028..04951de85 100644
+--- a/libfwupdplugin/fu-plugin.c
++++ b/libfwupdplugin/fu-plugin.c
+@@ -9,6 +9,7 @@
+ #include "config.h"
+ 
+ #include <errno.h>
++#include <fcntl.h>
+ #include <fwupd.h>
+ #include <glib/gstdio.h>
+ #include <gmodule.h>
+@@ -2256,6 +2257,46 @@ fu_plugin_set_config_value(FuPlugin *self, const gchar *key, const gchar *value,
+ 	return g_key_file_save_to_file(keyfile, conf_path, error);
+ }
+ 
++#if !GLIB_CHECK_VERSION(2, 66, 0)
++
++#define G_FILE_SET_CONTENTS_CONSISTENT 0
++typedef guint GFileSetContentsFlags;
++static gboolean
++g_file_set_contents_full(const gchar *filename,
++			 const gchar *contents,
++			 gssize length,
++			 GFileSetContentsFlags flags,
++			 int mode,
++			 GError **error)
++{
++	gint fd;
++	gssize wrote;
++
++	if (length < 0)
++		length = strlen(contents);
++	fd = g_open(filename, O_CREAT, mode);
++	if (fd <= 0) {
++		g_set_error(error,
++			    G_IO_ERROR,
++			    G_IO_ERROR_FAILED,
++			    "could not open %s file",
++			    filename);
++		return FALSE;
++	}
++	wrote = write(fd, contents, length);
++	if (wrote != length) {
++		g_set_error(error,
++			    G_IO_ERROR,
++			    G_IO_ERROR_FAILED,
++			    "did not write %s file",
++			    filename);
++		g_close(fd, NULL);
++		return FALSE;
++	}
++	return g_close(fd, error);
++}
++#endif
++
+ /**
+  * fu_plugin_set_secure_config_value:
+  * @self: a #FuPlugin
+@@ -2277,7 +2318,8 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 				  GError **error)
+ {
+ 	g_autofree gchar *conf_path = fu_plugin_get_config_filename(self);
+-	gint ret;
++	g_autofree gchar *data = NULL;
++	g_autoptr(GKeyFile) keyfile = g_key_file_new();
+ 
+ 	g_return_val_if_fail(FU_IS_PLUGIN(self), FALSE);
+ 	g_return_val_if_fail(error == NULL || *error == NULL, FALSE);
+@@ -2286,17 +2328,18 @@ fu_plugin_set_secure_config_value(FuPlugin *self,
+ 		g_set_error(error, FWUPD_ERROR, FWUPD_ERROR_NOT_FOUND, "%s is missing", conf_path);
+ 		return FALSE;
+ 	}
+-	ret = g_chmod(conf_path, 0660);
+-	if (ret == -1) {
+-		g_set_error(error,
+-			    FWUPD_ERROR,
+-			    FWUPD_ERROR_INTERNAL,
+-			    "failed to set permissions on %s",
+-			    conf_path);
++	if (!g_key_file_load_from_file(keyfile, conf_path, G_KEY_FILE_KEEP_COMMENTS, error))
+ 		return FALSE;
+-	}
+-
+-	return fu_plugin_set_config_value(self, key, value, error);
++	g_key_file_set_string(keyfile, fu_plugin_get_name(self), key, value);
++	data = g_key_file_to_data(keyfile, NULL, error);
++	if (data == NULL)
++		return FALSE;
++	return g_file_set_contents_full(conf_path,
++					data,
++					-1,
++					G_FILE_SET_CONTENTS_CONSISTENT,
++					0660,
++					error);
+ }
+ 
+ /**
+-- 
+2.39.1
+

SOURCES/deps.patch

@@ -1,55 +0,0 @@
-diff --git meson.build meson.build
-index 02a93f57..93f77e62 100644
---- meson.build
-+++ meson.build
-@@ -211,7 +211,7 @@ if get_option('bluez')
- endif
- libxmlb = dependency('xmlb', version : '>= 0.1.13', fallback : ['libxmlb', 'libxmlb_dep'])
- if get_option('gusb')
--  gusb = dependency('gusb', version : '>= 0.3.5', fallback : ['gusb', 'gusb_dep'])
-+  gusb = dependency('gusb', version : '>= 0.3.0', fallback : ['gusb', 'gusb_dep'])
-   conf.set('HAVE_GUSB', '1')
- endif
- sqlite = dependency('sqlite3')
-diff --git plugins/cros-ec/fu-cros-ec-usb-device.c plugins/cros-ec/fu-cros-ec-usb-device.c
-index 5bf6f7e1..79a29b2d 100644
---- plugins/cros-ec/fu-cros-ec-usb-device.c
-+++ plugins/cros-ec/fu-cros-ec-usb-device.c
-@@ -109,6 +109,7 @@ static gboolean
- fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
- 				      GError **error)
- {
-+#if G_USB_CHECK_VERSION(0,3,3)
- 	GUsbDevice *usb_device = fu_usb_device_get_dev (device);
- 	FuCrosEcUsbDevice *self = FU_CROS_EC_USB_DEVICE (device);
- 	g_autoptr(GPtrArray) intfs = NULL;
-@@ -142,6 +143,13 @@ fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
- 			     FWUPD_ERROR_NOT_FOUND,
- 			     "no update interface found");
- 	return FALSE;
-+#else
-+	g_set_error_literal (error,
-+			     FWUPD_ERROR,
-+			     FWUPD_ERROR_NOT_SUPPORTED,
-+			     "this version of GUsb is not supported");
-+	return FALSE;
-+#endif
- }
- 
- static gboolean
-diff --git a/plugins/dfu/fu-dfu-device.c b/plugins/dfu/fu-dfu-device.c
-index 79854124..2879c6e5 100644
---- plugins/dfu/fu-dfu-device.c
-+++ plugins/dfu/fu-dfu-device.c
-@@ -1262,9 +1262,8 @@ fu_dfu_device_open (FuDevice *device, GError **error)
- 		g_set_error (error,
- 			     FWUPD_ERROR,
- 			     FWUPD_ERROR_NOT_SUPPORTED,
--			     "GUsb version %s too old to support GD32, "
--			     "fwupd needs to be rebuilt against 0.3.6 or later",
--			     g_usb_version_string ());
-+			     "GUsb version too old to support GD32, "
-+			     "fwupd needs to be rebuilt against 0.3.6 or later");
- 		return FALSE;
- #endif
- 	}

SOURCES/gnuefi-lib-dir-path.patch

@@ -1,29 +0,0 @@
-From 1e8912c79a70ec219ac8ca1af3ab20e42b735481 Mon Sep 17 00:00:00 2001
-From: Javier Martinez Canillas <javierm@redhat.com>
-Date: Tue, 13 Apr 2021 18:01:50 +0200
-Subject: [PATCH] uefi-capsule: Don't set gnu-efi lib dir path when using
- custom crt0
-
-The libefi.a and libgnuefi.a libraries are located in /usr/lib64 in RHEL8,
-not in /usr/lib/gnuefi/$gnu_efi_arch/ as is the case in Fedora. This leads
-to the linker not finding these libraries.
-
-Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
----
- plugins/uefi-capsule/efi/meson.build | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/plugins/uefi-capsule/efi/meson.build b/plugins/uefi-capsule/efi/meson.build
-index 99654184a20..543474c0311 100644
---- plugins/uefi-capsule/efi/meson.build
-+++ plugins/uefi-capsule/efi/meson.build
-@@ -80,7 +80,6 @@ if host_cpu == 'aarch64' or host_cpu == 'arm'
-     if cmd.returncode() != 0
-       warning('Cannot find SBAT section in @0@, using local copy'.format(join_paths(efi_crtdir, arch_crt_source)))
-       # The gnuefi libraries are still needed
--      efi_libdir = efi_crtdir
-       efi_crtdir = join_paths(meson.current_build_dir(), 'crt0')
-     endif
-   endif
--- 
-2.30.2

SPECS/fwupd.spec

@@ -1,10 +1,14 @@
+%global efi_vendor almalinux
+%global efidir almalinux
+%global efi_esp_dir /boot/efi/EFI/%{efidir}
+
 %global glib2_version 2.45.8
 %global libxmlb_version 0.1.3
 %global libgusb_version 0.2.11
 %global libcurl_version 7.61.0
 %global systemd_version 231
 %global json_glib_version 1.1.1
-%global __meson_wrap_mode default
+%global fwupdplugin_version 5
 
 # although we ship a few tiny python files these are utilities that 99.99%
 # of users do not need -- use this to avoid dragging python onto CoreOS
@@ -16,6 +20,7 @@
 %endif
 
 %global enable_dummy 1
+%global __meson_wrap_mode default
 
 # fwupd.efi is only available on these arches
 %ifarch x86_64 aarch64
@@ -32,18 +37,19 @@
 %endif
 
 # only available recently
-%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8
+%if 0%{?fedora} >= 34 || 0%{?rhel} >= 9
 %global have_modem_manager 1
 %endif
 
 Summary:   Firmware update daemon
 Name:      fwupd
-Version:   1.5.9
-Release:   1%{?dist}
+Version:   1.7.8
+Release:   2%{?dist}.alma
 License:   LGPLv2+
 URL:       https://github.com/fwupd/fwupd
 Source0:   http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz
-Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.5.tar.xz
+Source1:   http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.9.tar.xz
+Source2:   http://people.freedesktop.org/~hughsient/releases/fwupd-efi-1.3.tar.xz
 
 Source10:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab
 Source11:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab
@@ -54,14 +60,12 @@ Source15:  http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab
 
 # these are numbered high just to keep them wildly away from colliding with
 # the real package sources, in order to reduce churn.
-Source300:   redhatsecurebootca3.cer
-Source301:   redhatsecureboot301.cer
-Source500:   redhatsecurebootca5.cer
-Source503:   redhatsecureboot503.cer
+Source300:   almalinuxsecurebootca0.cer
 
-Patch2:    0001-Do-not-use-the-LVFS.patch
-Patch4:    deps.patch
-Patch5:    gnuefi-lib-dir-path.patch
+Patch1:    0001-redfish-Set-the-permissions-of-redfish.conf-at-insta.patch
+Patch2:    0002-redfish-Only-create-users-using-IPMI-when-we-know-it.patch
+Patch3:    0003-Never-save-the-Redfish-passwords-to-a-file-readable-.patch
+Patch4:    0001-Use-usr-libexec-platform-python-for-RHEL.patch
 
 BuildRequires: efi-srpm-macros
 BuildRequires: gettext
@@ -83,7 +87,6 @@ BuildRequires: gcab
 BuildRequires: valgrind
 BuildRequires: valgrind-devel
 %endif
-BuildRequires: elfutils-libelf-devel
 BuildRequires: gtk-doc
 BuildRequires: gnutls-devel
 BuildRequires: gnutls-utils
@@ -97,11 +100,12 @@ BuildRequires: git-core
 %if 0%{?have_modem_manager}
 BuildRequires: ModemManager-glib-devel >= 1.10.0
 BuildRequires: libqmi-devel >= 1.22.0
+BuildRequires: libmbim-devel
 %endif
 
 %if 0%{?have_uefi}
 BuildRequires: efivar-devel >= 33
-BuildRequires: python3 python3-cairo python3-gobject python3-pillow
+BuildRequires: python3 python3-cairo python3-gobject
 BuildRequires: pango-devel
 BuildRequires: cairo-devel cairo-gobject-devel
 BuildRequires: freetype
@@ -130,11 +134,18 @@ Obsoletes: fwupd-sign < 0.1.6
 Obsoletes: libebitdo < 0.7.5-3
 Obsoletes: libdfu < 1.0.0
 Obsoletes: fwupd-labels < 1.1.0-1
-Obsoletes: fwupdate < 13
 
 Obsoletes: dbxtool < 9
 Provides: dbxtool
 
+%if 0%{?rhel} > 7
+Obsoletes: fwupdate < 13
+Obsoletes: fwupdate-efi < 13
+
+Provides: fwupdate
+Provides: fwupdate-efi
+%endif
+
 # optional, but a really good idea
 Recommends: udisks2
 
@@ -152,26 +163,26 @@ Files for development with %{name}.
 
 %package tests
 Summary: Data files for installed tests
+Requires: %{name}%{?_isa} = %{version}-%{release}
 
 %description tests
 Data files for installed tests.
 
 %prep
-%setup -q
-%patch2 -p1 -b .lvfs-disabled
-%patch4 -p0 -b .deps
-%patch5 -p0 -b .gnuefi
+%autosetup -p1
 
 mkdir -p subprojects/libjcat
 tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1
 
+mkdir -p subprojects/fwupd-efi
+tar xfvs %{SOURCE2} -C subprojects/fwupd-efi --strip-components=1
+
 sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
         contrib/ci/*.py \
         contrib/firmware_packager/*.py \
         contrib/*.py \
         contrib/standalone-installer/assets/*.py \
         contrib/standalone-installer/*.py \
-        data/device-tests/*.py \
         libfwupdplugin/*.py \
         plugins/dfu/contrib/*.py \
         plugins/uefi-capsule/make-images.py \
@@ -183,7 +194,8 @@ sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \
 export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 
 %meson \
-    -Dgtkdoc=true \
+    -Ddocs=gtkdoc \
+    -Dlvfs=disabled \
     -Defi_os_dir=%{efi_vendor} \
     -Dlibjcat:gtkdoc=false \
     -Dlibjcat:introspection=false \
@@ -208,11 +220,14 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %if 0%{?have_uefi}
     -Dplugin_uefi_capsule=true \
     -Dplugin_uefi_pk=false \
-    -Defi_sbat_distro_id="rhel" \
-    -Defi_sbat_distro_summary="Red Hat Enterprise Linux" \
-    -Defi_sbat_distro_pkgname="%{name}" \
-    -Defi_sbat_distro_version="%{version}" \
-    -Defi_sbat_distro_url="mail:secalert@redhat.com" \
+%ifarch x86_64
+    -Dfwupd-efi:efi_sbat_distro_id="almalinux" \
+    -Dfwupd-efi:efi_sbat_distro_summary="AlmaLinux" \
+    -Dfwupd-efi:efi_sbat_distro_pkgname="%{name}" \
+    -Dfwupd-efi:efi_sbat_distro_version="%{version}" \
+    -Dfwupd-efi:efi_sbat_distro_url="mail:security@almalinux.org" \
+    -Dfwupd-efi:efi-libdir="/usr/lib64" \
+%endif
     -Dplugin_tpm=false \
 %else
     -Dplugin_uefi_capsule=false \
@@ -231,8 +246,13 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1
 %else
     -Dplugin_modem_manager=false \
 %endif
+    -Dplugin_logitech_bulkcontroller=false \
     -Dman=true \
     -Dbluez=false \
+    -Dplugin_cfu=false \
+    -Dplugin_mtd=false \
+    -Dplugin_powerd=false \
+    -Dplugin_uf2=false \
     -Dsupported_build=true
 
 %meson_build
@@ -250,17 +270,10 @@ mkdir -p %{buildroot}/%{_datadir}/dbxtool
 install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool
 
 # sign fwupd.efi loader
-%if 0%{?have_uefi}
 %ifarch x86_64
 %global efiarch x64
-%endif
-%ifarch aarch64
-%global efiarch aa64
-%endif
 %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi
-%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301
-%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503
-rm -fv %{fwup_efi_fn}.tmp
+%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.signed -a %{SOURCE300} -c %{SOURCE301} -n clsecureboot001
 %endif
 
 mkdir -p --mode=0700 $RPM_BUILD_ROOT%{_localstatedir}/lib/fwupd/gnupg
@@ -291,7 +304,6 @@ done
 %doc README.md AUTHORS
 %license COPYING
 %config(noreplace)%{_sysconfdir}/fwupd/daemon.conf
-%config(noreplace)%{_sysconfdir}/fwupd/upower.conf
 %if 0%{?have_uefi}
 %config(noreplace)%{_sysconfdir}/fwupd/uefi_capsule.conf
 %endif
@@ -305,7 +317,9 @@ done
 %{_libexecdir}/fwupd/fwupdoffline
 %if 0%{?have_uefi}
 %{_libexecdir}/fwupd/efi/*.efi
+%ifarch x86_64
 %{_libexecdir}/fwupd/efi/*.efi.signed
+%endif
 %{_bindir}/fwupdate
 %endif
 %{_bindir}/dfu-tool
@@ -329,6 +343,7 @@ done
 %{_sysconfdir}/pki/fwupd-metadata
 %if 0%{?have_msr}
 /usr/lib/modules-load.d/fwupd-msr.conf
+%config(noreplace)%{_sysconfdir}/fwupd/msr.conf
 %endif
 %{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf
 %{_datadir}/bash-completion/completions/fwupdmgr
@@ -378,93 +393,111 @@ done
 %dir %{_localstatedir}/cache/fwupd
 %dir %{_datadir}/fwupd/quirks.d
 %{_datadir}/fwupd/quirks.d/*.quirk
-%{_localstatedir}/lib/fwupd/builder/README.md
-%{_libdir}/libfwupd*.so.*
+%{_datadir}/doc/fwupd/builder/README.md
+%if 0%{?have_uefi}
+%{_sysconfdir}/grub.d/35_fwupd
+%endif
+%{_libdir}/libfwupd.so.2*
+%{_libdir}/libfwupdplugin.so.%{fwupdplugin_version}*
 %{_libdir}/libjcat.so.*
 %{_libdir}/girepository-1.0/Fwupd-2.0.typelib
 %{_libdir}/girepository-1.0/FwupdPlugin-1.0.typelib
 /usr/lib/udev/rules.d/*.rules
 /usr/lib/systemd/system-shutdown/fwupd.shutdown
-%dir %{_libdir}/fwupd-plugins-3
-%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_dmar.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_facp.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_altos.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_amt.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_ata.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_bcm57xx.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_ccgx.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_colorhug.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_cros_ec.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_cpu.so
+%dir %{_libdir}/fwupd-plugins-%{fwupdplugin_version}
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_acpi_dmar.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_acpi_facp.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_acpi_phat.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_amt.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_analogix.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_ata.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_bcm57xx.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_ccgx.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_colorhug.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_cros_ec.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_cpu.so
 %if 0%{?have_dell}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_dell.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_dell_esrt.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_dell.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_dell_esrt.so
 %endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_dell_dock.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_dfu.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_dfu_csr.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_ebitdo.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_elantp.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_emmc.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_ep963x.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_fastboot.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_fresco_pd.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_hailuck.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_iommu.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_jabra.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_lockdown.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_sleep.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_swap.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_tainted.so
-%if 0%{?have_msr}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_msr.so
-%endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_nitrokey.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_nvme.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_optionrom.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_bcr.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_mei.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_pixart_rf.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_redfish.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hid.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hub.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_solokey.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_steelseries.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_superio.so
-%if 0%{?have_dell}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_mst.so
-%endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_cxaudio.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_prometheus.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_synaptics_rmi.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_system76_launch.so
-%if 0%{?enable_dummy}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_test.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_invalid.so
-%endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_thelio_io.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_dell_dock.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_dfu.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_dfu_csr.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_ebitdo.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_elantp.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_elanfp.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_emmc.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_ep963x.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_fastboot.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_fresco_pd.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_genesys.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_hailuck.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_iommu.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_jabra.so
 %if 0%{?have_uefi}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_bios.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_capsule.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_dbx.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_recovery.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_lenovo_thinklmi.so
 %endif
-%{_libdir}/fwupd-plugins-3/libfu_plugin_logind.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_logitech_hidpp.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_upower.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_vli.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_raw.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_usb.so
-%{_libdir}/fwupd-plugins-3/libfu_plugin_goodixmoc.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_linux_lockdown.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_linux_sleep.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_linux_swap.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_linux_tainted.so
+%if 0%{?have_msr}
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_msr.so
+%endif
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_nitrokey.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_nordic_hid.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_nvme.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_optionrom.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_parade_lspcon.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_pci_bcr.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_pci_mei.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_pixart_rf.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_realtek_mst.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_redfish.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_rts54hid.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_rts54hub.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_scsi.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_steelseries.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_superio.so
+%if 0%{?have_dell}
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_synaptics_mst.so
+%endif
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_synaptics_cape.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_synaptics_cxaudio.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_synaptics_prometheus.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_synaptics_rmi.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_system76_launch.so
+%if 0%{?enable_dummy}
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_test.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_invalid.so
+%endif
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_thelio_io.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_thunderbolt.so
+%if 0%{?have_uefi}
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_bios.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_uefi_capsule.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_uefi_dbx.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_uefi_recovery.so
+%endif
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_usi_dock.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_logind.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_logitech_hidpp.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_upower.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_vli.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_wacom_raw.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_wacom_usb.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_goodixmoc.so
 %ghost %{_localstatedir}/lib/fwupd/gnupg
 
 %if 0%{?have_modem_manager}
-%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%{_libdir}/fwupd-plugins-%{fwupdplugin_version}/libfu_plugin_modem_manager.so
 %endif
 %if 0%{?have_uefi}
 %{_datadir}/fwupd/uefi-capsule-ux.tar.xz
 %endif
+%if 0%{?have_modem_manager}
+%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so
+%endif
 
 %files devel
 %{_datadir}/gir-1.0/Fwupd-2.0.gir
@@ -477,21 +510,57 @@ done
 %{_libdir}/libjcat.so
 %{_libdir}/pkgconfig/fwupd.pc
 %{_libdir}/pkgconfig/fwupdplugin.pc
+%if 0%{?have_uefi}
+%{_libdir}/pkgconfig/fwupd-efi.pc
+%endif
 %{_libdir}/pkgconfig/jcat.pc
 
 %files tests
 %if 0%{?enable_tests}
 %dir %{_datadir}/installed-tests/fwupd
+%{_datadir}/installed-tests/fwupd/tests/*
 %{_datadir}/installed-tests/fwupd/fwupd-tests.xml
 %{_datadir}/installed-tests/fwupd/*.test
 %{_datadir}/installed-tests/fwupd/*.cab
 %{_datadir}/installed-tests/fwupd/*.sh
+%if 0%{?have_uefi}
+%{_datadir}/installed-tests/fwupd/efi
+%endif
+%{_datadir}/fwupd/device-tests/*.json
 %{_libexecdir}/installed-tests/fwupd/*
 %dir %{_sysconfdir}/fwupd/remotes.d
 %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd-tests.conf
 %endif
 
 %changelog
+* Wed Sep 27 2023 Eduard Abdullin <eabdullin@almalinux.org> - 1.7.8-2.alma
+- Use AlmaLinux cert
+
+* Mon Feb 20 2023 Richard Hughes <richard@hughsie.com> 1.7.8-2
+- Backport the Redfish security fixes which affect IDRAC.
+- Resolves: rhbz#2170950
+* Wed Jun 15 2022 Richard Hughes <richard@hughsie.com> 1.7.8-1
+- New upstream release
+- Resolves: rhbz#2095668
+
+* Thu Jan 13 2022 Richard Hughes <richard@hughsie.com> 1.7.4-1
+- Include support for Lenovo TBT4 Docking stations
+- Do not cause systemd-modules-load failures
+- Resolves: rhbz#2038258
+- Resolves: rhbz#2037294
+
+* Thu Dec 09 2021 Richard Hughes <richard@hughsie.com> 1.7.1-2
+- Disable the Logitech bulkcontroller plugin to avoid adding a dep to protobuf-c
+  which lives in AppStream, not BaseOS.
+- Resolves: rhbz#2029333
+
+* Mon Nov 01 2021 Richard Hughes <richard@hughsie.com> 1.7.1-1
+- New upstream release
+- Backport upstream changes
+- Include support for Dell TBT4 Docking stations
+- Resolves: rhbz#1969472
+- Resolves: rhbz#1976408
+
 * Tue Apr 13 2021 Richard Hughes <richard@hughsie.com> 1.5.9-3
 - Rebase to include the SBAT metadata section to allow fixing BootHole
 - Resolves: rhbz#1933012
@@ -601,7 +670,7 @@ done
 * Wed Aug 29 2018 Richard Hughes <richard@hughsie.com> 1.1.1-5
 - Include the certificates for secure boot signing
 
-* Tue Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
+* Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-4
 - Rebuild to get the EFI executable signed with the Red Hat key
 
 * Thu Aug 23 2018 Richard Hughes <richard@hughsie.com> 1.1.1-3