New upstream release (116)

Resolves: CVE-2022-3560 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
2023-01-31 15:03:53 +00:00 · 2023-01-31 15:03:53 +00:00 · 0b14fad476
commit 0b14fad476
parent bb3aaa1ba2
26 changed files with 7 additions and 2589 deletions
--- a/0001-daemon-remove-always-true-comparison.patch
+++ b/0001-daemon-remove-always-true-comparison.patch
@ -1,24 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Tue, 8 Mar 2022 12:59:34 -0500
 Subject: [PATCH] daemon: remove always-true comparison
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/daemon.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/src/daemon.c b/src/daemon.c
 index 0a66deb..ff88210 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -221,8 +221,7 @@ malformed:
 	if (!ctx->cms->tokenname)
 		goto oom;
 -	if (!tp->value)
 -		pin = strndup((char *)tp->value, tp->size);
 +	pin = strndup((char *)tp->value, tp->size);
 	if (!pin)
 		goto oom;
--- a/0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
+++ b/0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
@ -1,40 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 11 Mar 2022 12:45:28 -0500
 Subject: [PATCH] make: handle some gcc -Wanalyzer flags better
 This makes it so we won't use the -Wanalyzer / -fanalyzer flags by
 default, because they're still pretty overzealous.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/Make.defaults b/Make.defaults
 index 130c1ee..1c18904 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -32,11 +32,11 @@ CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
 CFLAGS	?= -O2 -g3 -pipe -fPIE -fstack-protector-all \
 	-fstack-clash-protection \
 	$(if $(filter x86_64 ia32,$(ARCH)),-fcf-protection=full,)
 -DIAGFLAGS ?= -fmessage-length=0 \
 +DIAGFLAGS ?= $(call enabled,ENABLE_GCC_ANALYZER,-fmessage-length=0 \
 	     -fdiagnostics-color=always \
 	     -fdiagnostics-format=text \
 	     -fdiagnostics-show-cwe \
 -	     -fanalyzer \
 +	     -fanalyzer) \
 	     $(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,)
 AS	?= $(CROSS_COMPILE)as
 AR	?= $(CROSS_COMPILE)$(if $(filter $(CC),clang),llvm-ar,$(notdir $(CC))-ar)
@@ -59,7 +59,7 @@ endif
 cflags	= $(CFLAGS) $(ARCH3264) \
 	-Wall -Wextra -Wsign-compare -Wno-unused-result \
 	-Wno-unused-function -Wno-missing-field-initializers \
 -	-Wno-analyzer-malloc-leak \
 +	$(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,) \
 	-Werror -Wno-error=cpp -Wno-free-nonheap-object \
 	-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--- a/0003-Rename-dprintf-to-dbgprintf.patch
+++ b/0003-Rename-dprintf-to-dbgprintf.patch
@ -1,664 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 11 Mar 2022 12:46:16 -0500
 Subject: [PATCH] Rename "dprintf' to "dbgprintf"
 stdio defines a dprintf() macro now, so using dprintf() for our debug
 printer gets obnoxious warnings.  This renames it to dbgprintf().
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/cms_common.c    | 73 +++++++++++++++++++++++++++++------------------------
 src/cms_pe_common.c | 20 +++++++--------
 src/efikeygen.c     | 16 ++++++------
 src/file_pe.c       |  6 +++--
 src/password.c      | 68 ++++++++++++++++++++++++-------------------------
 src/pesign.c        | 10 ++++----
 src/util.h          | 26 +++++++++----------
 7 files changed, 114 insertions(+), 105 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index ca37e6a..86341ca 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -333,13 +333,13 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
 	if (!pwdata) {
 		cms->pwdata.source = PW_SOURCE_INVALID;
 -		dprintf("pwdata:NULL");
 +		dbgprintf("pwdata:NULL");
 	} else {
 		memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
 -		dprintf("pwdata:%p", pwdata);
 -		dprintf("pwdata->source:%d", pwdata->source);
 -		dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
 -			pwdata->data ? pwdata->data : "(null)");
 +		dbgprintf("pwdata:%p", pwdata);
 +		dbgprintf("pwdata->source:%d", pwdata->source);
 +		dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
 +			  pwdata->data ? pwdata->data : "(null)");
 	}
 	egress();
@@ -382,7 +382,7 @@ is_valid_cert(CERTCertificate *cert, void *data)
 	errnum = PORT_GetError();
 	if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
 -		dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
 +		dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
 		PORT_SetError(0);
 		errnum = 0;
 	}
@@ -415,7 +415,7 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
 	errnum = PORT_GetError();
 	if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
 -		dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
 +		dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
 		PORT_SetError(0);
 		errnum = 0;
 	}
@@ -467,23 +467,23 @@ unescape_html_in_place(char *s)
 	size_t pos = 0;
 	char *s1;
 -	dprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
 +	dbgprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
 	do {
 		s1 = strchrnul(&s[pos], '%');
 		if (s1[0] == '\0')
 			break;
 -		dprintf("s1 is \"%s\"", s1);
 +		dbgprintf("s1 is \"%s\"", s1);
 		if ((size_t)(s1 - s) < (size_t)(sz - 3)) {
 			int c;
 			c = (hexchar_to_bin(s1[1]) << 4)
 			    | (hexchar_to_bin(s1[2]) & 0xf);
 -			dprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
 +			dbgprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
 			s1[0] = c;
 			memmove(&s1[1], &s1[3], sz - (&s1[3] - s));
 			sz -= 2;
 			pos = &s1[1] - s;
 -			dprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
 +			dbgprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
 		}
 	} while (pos < sz);
 }
@@ -499,7 +499,7 @@ resolve_pkcs11_token_in_place(char *tokenname)
 		char c = *cp;
 		*cp = '\0';
 -		dprintf("ntn:\"%s\"", ntn);
 +		dbgprintf("ntn:\"%s\"", ntn);
 		if (!strncmp(&ntn[pos], "token=", 6)) {
 			ntn += 6;
 			memmove(tokenname, ntn, cp - ntn + 1);
@@ -510,13 +510,13 @@ resolve_pkcs11_token_in_place(char *tokenname)
 		ntn = cp + (c ? 1 : 0);
 	}
 	unescape_html_in_place(tokenname);
 -	dprintf("token name is \"%s\"", tokenname);
 +	dbgprintf("token name is \"%s\"", tokenname);
 }
 #define resolve_token_name(tn) ({					\
 	char *s_ = tn;							\
 	if (!strncmp(tn, "pkcs11:", 7))	{				\
 -		dprintf("provided token name is pkcs11 uri; parsing");	\
 +		dbgprintf("provided token name is pkcs11 uri; parsing");\
 		s_ = strdupa(tn+7);					\
 		resolve_pkcs11_token_in_place(s_);			\
 	}								\
@@ -528,7 +528,8 @@ unlock_nss_token(cms_context *cms)
 {
 	char *tokenname = resolve_token_name(cms->tokenname);
 -	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
 +	dbgprintf("setting password function to %s",
 +		  cms->func ? "cms->func" : "SECU_GetModulePassword");
 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
 	PK11SlotList *slots = NULL;
@@ -592,7 +593,8 @@ find_certificate(cms_context *cms, int needs_private_key)
 		return -1;
 	}
 -	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
 +	dbgprintf("setting password function to %s",
 +		  cms->func ? "cms->func" : "SECU_GetModulePassword");
 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
 	PK11SlotList *slots = NULL;
@@ -610,10 +612,10 @@ find_certificate(cms_context *cms, int needs_private_key)
 	}
 	while (psle) {
 -		dprintf("looking for token \"%s\", got \"%s\"",
 -			tokenname, PK11_GetTokenName(psle->slot));
 +		dbgprintf("looking for token \"%s\", got \"%s\"",
 +			  tokenname, PK11_GetTokenName(psle->slot));
 		if (!strcmp(tokenname, PK11_GetTokenName(psle->slot))) {
 -			dprintf("found token \"%s\"", tokenname);
 +			dbgprintf("found token \"%s\"", tokenname);
 			break;
 		}
@@ -673,8 +675,9 @@ find_certificate(cms_context *cms, int needs_private_key)
 					psle->slot, is_valid_cert, &cbd);
 		errnum = PORT_GetError();
 		if (errnum)
 -			dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
 -				PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
 +			dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
 +				  PORT_ErrorToName(errnum),
 +				  PORT_ErrorToString(errnum));
 	} else {
 		status = PK11_TraverseCertsForNicknameInSlot(&nickname,
 					psle->slot,
@@ -682,28 +685,30 @@ find_certificate(cms_context *cms, int needs_private_key)
 					&cbd);
 		errnum = PORT_GetError();
 		if (errnum)
 -			dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
 -				PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
 +			dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
 +				PORT_ErrorToName(errnum),
 +				PORT_ErrorToString(errnum));
 	}
 -	dprintf("status:%d cbd.cert:%p", status, cbd.cert);
 +	dbgprintf("status:%d cbd.cert:%p", status, cbd.cert);
 	if (status == SECSuccess && cbd.cert != NULL) {
 		if (cms->cert)
 			CERT_DestroyCertificate(cms->cert);
 		cms->cert = CERT_DupCertificate(cbd.cert);
 	} else {
 		errnum = PORT_GetError();
 -		dprintf("token traversal %s; cert %sfound:%s:%s",
 -			status == SECSuccess ? "succeeded" : "failed",
 -			cbd.cert == NULL ? "not" : "",
 -			PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
 +		dbgprintf("token traversal %s; cert %sfound:%s:%s",
 +			  status == SECSuccess ? "succeeded" : "failed",
 +			  cbd.cert == NULL ? "not" : "",
 +			  PORT_ErrorToName(errnum),
 +			  PORT_ErrorToString(errnum));
 	}
 	save_port_err() {
 -		dprintf("Destroying cert list");
 +		dbgprintf("Destroying cert list");
 		CERT_DestroyCertList(certlist);
 -		dprintf("Destroying slot list element");
 +		dbgprintf("Destroying slot list element");
 		PK11_DestroySlotListElement(slots, &psle);
 -		dprintf("Destroying slot list");
 +		dbgprintf("Destroying slot list");
 		PK11_FreeSlotList(slots);
 		cms->psle = NULL;
 	}
@@ -723,7 +728,8 @@ find_slot_for_token(cms_context *cms, PK11SlotInfo **slot)
 	char *tokenname = resolve_token_name(cms->tokenname);
 -	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
 +	dbgprintf("setting password function to %s",
 +		  cms->func ? "cms->func" : "SECU_GetModulePassword");
 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
 	PK11SlotList *slots = NULL;
@@ -792,7 +798,8 @@ find_certificate_by_callback(cms_context *cms,
 		return -1;
 	}
 -	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
 +	dbgprintf("setting password function to %s",
 +		  cms->func ? "cms->func" : "SECU_GetModulePassword");
 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
 	PK11SlotList *slots = NULL;
 diff --git a/src/cms_pe_common.c b/src/cms_pe_common.c
 index 3a3921b..fb90ecb 100644
 --- a/src/cms_pe_common.c
 +++ b/src/cms_pe_common.c
@@ -188,8 +188,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
 	}
 	if (!check_pointer_and_size(cms, pe, hash_base, hash_size))
 		cmsgotoerr(error, cms, "PE header is invalid");
 -	dprintf("beginning of hash");
 -	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
 +	dbgprintf("beginning of hash");
 +	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
 	generate_digest_step(cms, hash_base, hash_size);
 	/* 5. Skip over the image checksum
@@ -209,7 +209,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
 		cmsgotoerr(error, cms, "PE data directory is invalid");
 	generate_digest_step(cms, hash_base, hash_size);
 -	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
 +	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
 	/* 8. Skip over the crt dir
 	 * 9. Hash everything up to the end of the image header. */
@@ -222,7 +222,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
 		cmsgotoerr(error, cms, "PE relocations table is invalid");
 	generate_digest_step(cms, hash_base, hash_size);
 -	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
 +	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
 	/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
 	hashed_bytes = pe32opthdr ? pe32opthdr->header_size
@@ -256,16 +256,16 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
 			char *name = shdrs[i].name;
 			if (name && name[0] == '/')
 				name = get_str(cms, pe, name + 1);
 -			dprintf("section:\"%s\"", name ? name : "(null)");
 +			dbgprintf("section:\"%s\"", name ? name : "(null)");
 			if (name && !strcmp(name, ".vendor_cert")) {
 -				dprintf("skipping .vendor_cert section");
 +				dbgprintf("skipping .vendor_cert section");
 				hashed_bytes += hash_size;
 				continue;
 			}
 		}
 		generate_digest_step(cms, hash_base, hash_size);
 -		dprintf("digesting %tx + %zx", hash_base - map, hash_size);
 +		dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
 		hashed_bytes += hash_size;
 	}
@@ -285,15 +285,15 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
 			memset(tmp_array, '\0', tmp_size);
 			memcpy(tmp_array, hash_base, hash_size);
 			generate_digest_step(cms, tmp_array, tmp_size);
 -			dprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
 +			dbgprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
 				tmp_size);
 		} else {
 			generate_digest_step(cms, hash_base, hash_size);
 -			dprintf("digesting %tx + %zx", hash_base - map,
 +			dbgprintf("digesting %tx + %zx", hash_base - map,
 				hash_size);
 		}
 	}
 -	dprintf("end of hash");
 +	dbgprintf("end of hash");
 	rc = generate_digest_finish(cms);
 	if (rc < 0)
 diff --git a/src/efikeygen.c b/src/efikeygen.c
 index 940fdf5..dd40502 100644
 --- a/src/efikeygen.c
 +++ b/src/efikeygen.c
@@ -1067,9 +1067,9 @@ int main(int argc, char *argv[])
 		errno = 0;
 		timeul = strtoul(not_valid_before, &endptr, 0);
 -		dprintf("not_valid_before:%lu", timeul);
 +		dbgprintf("not_valid_before:%lu", timeul);
 		if (errno == 0 && endptr && *endptr == 0) {
 -			dprintf("not_valid_before:%lu", timeul);
 +			dbgprintf("not_valid_before:%lu", timeul);
 			not_before = (PRTime)timeul * PR_USEC_PER_SEC;
 		} else {
 			prstatus = PR_ParseTimeString(not_valid_before,
@@ -1078,7 +1078,7 @@ int main(int argc, char *argv[])
 				 "could not parse date \"%s\"",
 				 not_valid_before);
 		}
 -		dprintf("not_before:%"PRId64, not_before);
 +		dbgprintf("not_before:%"PRId64, not_before);
 	}
 	if (not_valid_after) {
@@ -1086,11 +1086,11 @@ int main(int argc, char *argv[])
 		char *endptr;
 		errno = 0;
 -		dprintf("not_valid_after:%s", not_valid_after);
 +		dbgprintf("not_valid_after:%s", not_valid_after);
 		timeul = strtoul(not_valid_after, &endptr, 0);
 -		dprintf("not_valid_after:%lu", timeul);
 +		dbgprintf("not_valid_after:%lu", timeul);
 		if (errno == 0 && endptr && *endptr == 0) {
 -			dprintf("not_valid_after:%lu", timeul);
 +			dbgprintf("not_valid_after:%lu", timeul);
 			not_after = (PRTime)timeul * PR_USEC_PER_SEC;
 		} else {
 			prstatus = PR_ParseTimeString(not_valid_after, PR_TRUE,
@@ -1102,10 +1102,10 @@ int main(int argc, char *argv[])
 	} else {
 		// Mon Jan 19 03:14:07 GMT 2037, aka 0x7fffffff minus 1 year.
 		time_t time = 0x7ffffffful - 60ul * 60 * 24 * 365;
 -		dprintf("not_valid_after:%lu", time);
 +		dbgprintf("not_valid_after:%lu", time);
 		not_after = (PRTime)time * PR_USEC_PER_SEC;
 	}
 -	dprintf("not_after:%"PRId64, not_after);
 +	dbgprintf("not_after:%"PRId64, not_after);
 	CERTValidity *validity = NULL;
 	validity = CERT_CreateValidity(not_before, not_after);
 diff --git a/src/file_pe.c b/src/file_pe.c
 index fa97b89..fed6edb 100644
 --- a/src/file_pe.c
 +++ b/src/file_pe.c
@@ -264,7 +264,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
 		/* generate a signature and save it in a separate file */
 		case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
 			perr = PORT_GetError();
 -			dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
 +			dbgprintf("PORT_GetError():%s:%s",
 +				  PORT_ErrorToName(perr), PORT_ErrorToString(perr));
 			PORT_SetError(0);
 			rc = find_certificate(ctxp->cms_ctx, 1);
 			conderrx(rc < 0, 1, "Could not find certificate %s",
@@ -281,7 +282,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
 		case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
 			check_inputs(ctxp);
 			perr = PORT_GetError();
 -			dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
 +			dbgprintf("PORT_GetError():%s:%s",
 +				  PORT_ErrorToName(perr), PORT_ErrorToString(perr));
 			rc = find_certificate(ctxp->cms_ctx, 1);
 			conderrx(rc < 0, 1, "Could not find certificate %s",
 				 ctxp->cms_ctx->certname);
 diff --git a/src/password.c b/src/password.c
 index 05add9a..18c32ed 100644
 --- a/src/password.c
 +++ b/src/password.c
@@ -167,7 +167,7 @@ SECU_GetPasswordString(void *arg UNUSED, char *prompt)
 	char *ret;
 	ingress();
 	ret = get_password(stdin, stdout, prompt, NULL);
 -	dprintf("password:\"%s\"", ret ? ret : "(null)");
 +	dbgprintf("password:\"%s\"", ret ? ret : "(null)");
 	egress();
 	return ret;
 }
@@ -194,7 +194,7 @@ parse_pwfile_line(char *start, struct token_pass *tp)
 	size_t offset = 0;
 	span = strspn(line, whitespace_and_eol_chars);
 -	dprintf("whitespace span is %zd", span);
 +	dbgprintf("whitespace span is %zd", span);
 	if (span == 0 && line[span] == '\0')
 		return -1;
 	line += span;
@@ -210,17 +210,17 @@ parse_pwfile_line(char *start, struct token_pass *tp)
 			offset += escspan + 2;
 	} while(escspan < span);
 	span += offset;
 -	dprintf("non-whitespace span is %zd", span);
 +	dbgprintf("non-whitespace span is %zd", span);
 	if (line[span] == '\0') {
 -		dprintf("returning %td", (line + span) - start);
 +		dbgprintf("returning %td", (line + span) - start);
 		return (line + span) - start;
 	}
 	line[span] = '\0';
 	line += span + 1;
 	span = strspn(line, whitespace_and_eol_chars);
 -	dprintf("whitespace span is %zd", span);
 +	dbgprintf("whitespace span is %zd", span);
 	line += span;
 	tp->token = tp->pass;
 	tp->pass = line;
@@ -233,15 +233,15 @@ parse_pwfile_line(char *start, struct token_pass *tp)
 			offset += escspan + 2;
 	} while(escspan < span);
 	span += offset;
 -	dprintf("non-whitespace span is %zd", span);
 +	dbgprintf("non-whitespace span is %zd", span);
 	if (line[span] != '\0')
 		line[span++] = '\0';
 	resolve_escapes(tp->token);
 -	dprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
 -	dprintf("token:\"%s\"", tp->token);
 -	dprintf("pass:\"%s\"", tp->pass);
 -	dprintf("returning %td", (line + span) - start);
 +	dbgprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
 +	dbgprintf("token:\"%s\"", tp->token);
 +	dbgprintf("pass:\"%s\"", tp->pass);
 +	dbgprintf("returning %td", (line + span) - start);
 	return (line + span) - start;
 }
@@ -260,7 +260,7 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
 	char *path;
 	ingress();
 -	dprintf("token_name: %s", token_name);
 +	dbgprintf("token_name: %s", token_name);
 	if (cms->pwdata.source != PW_FROMFILEDB) {
 		cms->log(cms, LOG_ERR,
 			 "Got to %s() but no file is specified.\n",
@@ -289,8 +289,8 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
 		if (rc < 0 || file_len < 1)
 			goto err_file;
 		file[file_len-1] = '\0';
 -		dprintf("file_len:%zd", file_len);
 -		dprintf("file:\"%s\"", file);
 +		dbgprintf("file_len:%zd", file_len);
 +		dbgprintf("file:\"%s\"", file);
 		unbreak_line_continuations(file, file_len);
 	}
@@ -314,23 +314,23 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
 #pragma GCC diagnostic pop
 		span = strspn(start, whitespace_and_eol_chars);
 -		dprintf("whitespace span is %zd", span);
 +		dbgprintf("whitespace span is %zd", span);
 		start += span;
 		span = strcspn(start, eol_chars);
 -		dprintf("non-whitespace span is %zd", span);
 +		dbgprintf("non-whitespace span is %zd", span);
 		c = start[span];
 		start[span] = '\0';
 -		dprintf("file:\"%s\"", file);
 +		dbgprintf("file:\"%s\"", file);
 		rc = parse_pwfile_line(start, &phrases[nphrases++]);
 -		dprintf("parse_pwfile_line returned %d", rc);
 +		dbgprintf("parse_pwfile_line returned %d", rc);
 		if (rc < 0)
 			goto err_phrases;
 		if (c != '\0')
 			span++;
 		start += span;
 -		dprintf("start is file[%td] == '\\x%02hhx'", start - file,
 +		dbgprintf("start is file[%td] == '\\x%02hhx'", start - file,
 			start[0]);
 	}
@@ -359,7 +359,7 @@ err_file:
 err_phrases:
 	xfree(phrases);
 err:
 -	dprintf("ret:\"%s\"", ret ? ret : "(null)");
 +	dbgprintf("ret:\"%s\"", ret ? ret : "(null)");
 	egress();
 	return ret;
 }
@@ -412,10 +412,10 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 	ingress();
 	if (PK11_ProtectedAuthenticationPath(slot)) {
 -		dprintf("prompting for PW_DEVICE data");
 +		dbgprintf("prompting for PW_DEVICE data");
 		pwdata = &pwxtrn;
 	} else {
 -		dprintf("using pwdata from cms");
 +		dbgprintf("using pwdata from cms");
 		pwdata = &cms->pwdata;
 	}
@@ -423,17 +423,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 	    pwdata->source >= PW_SOURCE_MAX ||
 	    pwdata->orig_source <= PW_SOURCE_INVALID ||
 	    pwdata->orig_source >= PW_SOURCE_MAX) {
 -		dprintf("pwdata is invalid");
 +		dbgprintf("pwdata is invalid");
 		return NULL;
 	}
 -	dprintf("pwdata:%p retry:%d", pwdata, retry);
 -	dprintf("pwdata->source:%s (%d) orig:%s (%d)",
 -		pw_source_names[pwdata->source], pwdata->source,
 -		pw_source_names[pwdata->orig_source], pwdata->orig_source);
 -	dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
 -		pwdata->data ? pwdata->data : "(null)");
 -	dprintf("pwdata->intdata:%ld", pwdata->intdata);
 +	dbgprintf("pwdata:%p retry:%d", pwdata, retry);
 +	dbgprintf("pwdata->source:%s (%d) orig:%s (%d)",
 +		  pw_source_names[pwdata->source], pwdata->source,
 +		  pw_source_names[pwdata->orig_source], pwdata->orig_source);
 +	dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
 +		  pwdata->data ? pwdata->data : "(null)");
 +	dbgprintf("pwdata->intdata:%ld", pwdata->intdata);
 	if (retry) {
 		warnx("Incorrect password/PIN entered.");
@@ -470,7 +470,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 	case PW_FROMFILEDB:
 	case PW_DATABASE:
 -		dprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
 +		dbgprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
 		/* Instead of opening and closing the file every time, get the pw
 		 * once, then keep it in memory (duh).
 		 */
@@ -480,17 +480,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		return pw;
 	case PW_FROMENV:
 -		dprintf("pwdata->source:PW_FROMENV");
 +		dbgprintf("pwdata->source:PW_FROMENV");
 		if (!pwdata || !pwdata->data)
 			break;
 		pw = get_env(pwdata->data);
 -		dprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
 +		dbgprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
 		pwdata->data = pw;
 		pwdata->source = PW_PLAINTEXT;
 		goto PW_PLAINTEXT;
 	case PW_FROMFILE:
 -		dprintf("pwdata->source:PW_FROMFILE");
 +		dbgprintf("pwdata->source:PW_FROMFILE");
 		in = fopen(pwdata->data, "r");
 		if (!in)
 			return NULL;
@@ -501,7 +501,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
 		goto PW_PLAINTEXT;
 	case PW_FROMFD:
 -		dprintf("pwdata->source:PW_FROMFD");
 +		dbgprintf("pwdata->source:PW_FROMFD");
 		rc = pwdata->intdata;
 		in = fdopen(pwdata->intdata, "r");
 		if (!in)
 diff --git a/src/pesign.c b/src/pesign.c
 index c2ff35f..f548d81 100644
 --- a/src/pesign.c
 +++ b/src/pesign.c
@@ -333,7 +333,7 @@ main(int argc, char *argv[])
 	while ((rc = poptGetNextOpt(optCon)) > 0) {
 		switch (rc) {
 		case POPT_RET_PWDB:
 -			dprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 +			dbgprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 			if (pwdata.source != PW_SOURCE_INVALID)
 				errx(1, "only one password/pin method can be used at a time");
 			if (pwdata.data == NULL)
@@ -346,7 +346,7 @@ main(int argc, char *argv[])
 			continue;
 		case POPT_RET_ENV:
 -			dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 +			dbgprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 			if (pwdata.source != PW_SOURCE_INVALID)
 				errx(1, "only one password/pin method can be used at a time");
 			if (pwdata.data == NULL)
@@ -359,7 +359,7 @@ main(int argc, char *argv[])
 			continue;
 		case POPT_RET_PINFD:
 -			dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 +			dbgprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 			if (pwdata.source != PW_SOURCE_INVALID)
 				errx(1, "only one password/pin method can be used at a time");
 			if (pwdata.data == NULL)
@@ -373,7 +373,7 @@ main(int argc, char *argv[])
 			continue;
 		case POPT_RET_PINFILE:
 -			dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 +			dbgprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
 			if (pwdata.source != PW_SOURCE_INVALID)
 				errx(1, "only one password/pin method can be used at a time");
 			if (pwdata.data == NULL)
@@ -387,7 +387,7 @@ main(int argc, char *argv[])
 		}
 	}
 -	dprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
 +	dbgprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
 		pwdata.source,
 		pwdata.source == PW_SOURCE_INVALID ? "" : "not ");
 	if (pwdata.source == PW_SOURCE_INVALID && secure_getenv("PESIGN_TOKEN_PIN")) {
 diff --git a/src/util.h b/src/util.h
 index ba8c621..6616011 100644
 --- a/src/util.h
 +++ b/src/util.h
@@ -269,28 +269,28 @@ proxy_fd_mode(int fd, char *infile, mode_t *outmode, size_t *inlength)
 extern long verbosity(void);
 -#define dprintf_(tv, file, func, line, fmt, args...) ({	\
 -		struct timeval tv;			\
 -		gettimeofday(&tv, NULL);		\
 -		warnx("%ld.%lu %s:%s():%d: " fmt,	\
 -		      tv.tv_sec, tv.tv_usec,		\
 -		      file, func, line, ##args);	\
 +#define dbgprintf_(tv, file, func, line, fmt, args...) ({	\
 +		struct timeval tv;				\
 +		gettimeofday(&tv, NULL);			\
 +		warnx("%ld.%lu %s:%s():%d: " fmt,		\
 +		      tv.tv_sec, tv.tv_usec,			\
 +		      file, func, line, ##args);		\
 	})
 #if defined(PESIGN_DEBUG)
 -#define dprintf(fmt, args...)					\
 -	dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
 -		 __FILE__, __func__, __LINE__ - 2, fmt, ##args)
 +#define dbgprintf(fmt, args...)					\
 +	dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
 +		   __FILE__, __func__, __LINE__ - 2, fmt, ##args)
 #else
 -#define dprintf(fmt, args...) ({						\
 +#define dbgprintf(fmt, args...) ({						\
 		if (verbosity() > 1)						\
 -			dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
 +			dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
 				 __FILE__, __func__, __LINE__ - 3,		\
 				 fmt, ##args);					\
 		0;								\
 	})
 #endif
 -#define ingress() dprintf("ingress");
 -#define egress() dprintf("egress");
 +#define ingress() dbgprintf("ingress");
 +#define egress() dbgprintf("egress");
 #endif /* PESIGN_UTIL_H */
 // vim:fenc=utf-8:tw=75:noet
--- a/0004-.gitignore-add-compile_commands.json-and-.cache.patch
+++ b/0004-.gitignore-add-compile_commands.json-and-.cache.patch
@ -1,30 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 11 Mar 2022 12:47:20 -0500
 Subject: [PATCH] .gitignore: add compile_commands.json and .cache/
 These are used by bear/cnc/clangd/etc, but there's no reason to trip
 over them all the time.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/.gitignore b/.gitignore
 index bf0617b..7425432 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -1,3 +1,4 @@
 +.cache/
 .*.d
 .*.P
 .*.sw?
@@ -26,6 +27,7 @@
 /*.rpm
 *-8be4df61-93ca-11d2-aa0d-00e098032b8c
 *-d719b2cb-3d3a-4596-a3bc-dad00e67656f
 +compile_commands.json
 core.*
 cov-int/
 pwfile
--- a/0005-pesign-print-digests-before-filenames-like-sha256sum.patch
+++ b/0005-pesign-print-digests-before-filenames-like-sha256sum.patch
@ -1,31 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 11 Mar 2022 12:44:46 -0500
 Subject: [PATCH] pesign: print digests before filenames like sha256sum does
 Most digest tools print the digest before the filename, there's no
 reason pesign needs to be different.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/file_pe.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
 diff --git a/src/file_pe.c b/src/file_pe.c
 index fed6edb..805e614 100644
 --- a/src/file_pe.c
 +++ b/src/file_pe.c
@@ -121,12 +121,11 @@ print_digest(pesign_context *pctx)
 	if (!ctx)
 		return;
 -	printf("%s ", pctx->infile);
 	int j = ctx->selected_digest;
 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
 		printf("%02x",
 			(unsigned char)ctx->digests[j].pe_digest->data[i]);
 -	printf("\n");
 +	printf(" %s\n", pctx->infile);
 }
 void
--- a/0006-Add-pesum-an-authenticode-digest-generator.patch
+++ b/0006-Add-pesum-an-authenticode-digest-generator.patch
@ -1,318 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 11 Mar 2022 12:54:39 -0500
 Subject: [PATCH] Add 'pesum', an authenticode digest generator.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesum.c      | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 src/.gitignore   |   1 +
 src/Makefile     |  12 +++-
 src/pesum.1.mdoc |  38 +++++++++++
 4 files changed, 244 insertions(+), 2 deletions(-)
 create mode 100644 src/pesum.c
 create mode 100644 src/pesum.1.mdoc
 diff --git a/src/pesum.c b/src/pesum.c
 new file mode 100644
 index 0000000..e4ddaf8
 --- /dev/null
 +++ b/src/pesum.c
@@ -0,0 +1,195 @@
 +// SPDX-License-Identifier: GPLv2
 +/*
 + * pesum.c - pesum command line tool
 + * Copyright Peter Jones <pjones@redhat.com>
 + */
 +
 +#include "fix_coverity.h"
 +
 +#include <err.h>
 +#include <popt.h>
 +
 +#include <nss.h>
 +#include <prerror.h>
 +
 +#include "pesign.h"
 +#include "pesign_standalone.h"
 +
 +static struct {
 +	int flag;
 +	const char *name;
 +} flag_names[] = {
 +	{DAEMONIZE, "daemonize"},
 +	{GENERATE_DIGEST, "hash"},
 +	{GENERATE_SIGNATURE, "sign"},
 +	{IMPORT_RAW_SIGNATURE, "import-raw-sig"},
 +	{IMPORT_SIGNATURE, "import-sig"},
 +	{IMPORT_SATTRS, "import-sattrs" },
 +	{EXPORT_SATTRS, "export-sattrs" },
 +	{EXPORT_SIGNATURE, "export-sig"},
 +	{EXPORT_PUBKEY, "export-pubkey"},
 +	{EXPORT_CERT, "export-cert"},
 +	{REMOVE_SIGNATURE, "remove"},
 +	{LIST_SIGNATURES, "list"},
 +	{FLAG_LIST_END, NULL},
 +};
 +
 +void
 +print_flag_name(FILE *f, int flag)
 +{
 +	for (int i = 0; flag_names[i].flag != FLAG_LIST_END; i++) {
 +		if (flag_names[i].flag == flag)
 +			fprintf(f, "%s ", flag_names[i].name);
 +	}
 +}
 +
 +static long *verbose;
 +
 +long
 +verbosity(void)
 +{
 +	if (!verbose)
 +		return 0;
 +	return *verbose;
 +}
 +
 +int
 +main(int argc, char *argv[])
 +{
 +	int rc;
 +	SECStatus status;
 +
 +	char *digest_name = "sha256";
 +	char *orig_digest_name = digest_name;
 +	int padding = 1;
 +	long verbose_cmd_line = 0;
 +	const char *infile;
 +
 +	int action = GENERATE_DIGEST|PRINT_DIGEST;
 +	file_format fmt = FORMAT_PE_BINARY;
 +
 +	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
 +
 +	verbose = &verbose_cmd_line;
 +
 +	poptContext optCon;
 +	struct poptOption options[] = {
 +		{.argInfo = POPT_ARG_INTL_DOMAIN,
 +		 .arg = "pesum" },
 +		{.longName = "verbose",
 +		 .shortName = 'v',
 +		 .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
 +		 .arg = &verbose_cmd_line,
 +		 .val = 1,
 +		 .descrip = "be more verbose" },
 +		{.longName = "debug",
 +		 .shortName = '\0',
 +		 .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
 +		 .arg = &verbose_cmd_line,
 +		 .val = 2,
 +		 .descrip = "be very verbose" },
 +		{.longName = "digest-type",
 +		 .shortName = 'd',
 +		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
 +		 .arg = &digest_name,
 +		 .descrip = "digest type to use for pe hash" },
 +		{.longName = "digest_type",
 +		 .shortName = '\0',
 +		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
 +		 .arg = &digest_name,
 +		 .descrip = "digest type to use for pe hash" },
 +		{.longName = "padding",
 +		 .shortName = 'P',
 +		 .argInfo = POPT_ARG_VAL,
 +		 .arg = &padding,
 +		 .val = 1,
 +		 .descrip = "pad data section (default)" },
 +		{.longName = "nopadding",
 +		 .shortName = 'p',
 +		 .argInfo = POPT_ARG_VAL,
 +		 .arg = &padding,
 +		 .val = 0,
 +		 .descrip = "do not pad the data section" },
 +		POPT_AUTOALIAS
 +		POPT_AUTOHELP
 +		POPT_TABLEEND
 +	};
 +
 +	optCon = poptGetContext("pesum", argc, (const char **)argv, options,0);
 +
 +	rc = poptReadDefaultConfig(optCon, 0);
 +	if (rc < 0 && !(rc == POPT_ERROR_ERRNO && errno == ENOENT))
 +		errx(1, "poptReadDefaultConfig failed: %s", poptStrerror(rc));
 +
 +	while ((rc = poptGetNextOpt(optCon)) > 0) {
 +		;
 +	}
 +
 +	if (rc < -1)
 +		errx(1, "Invalid argument: %s: %s",
 +		     poptBadOption(optCon, 0), poptStrerror(rc));
 +
 +	if (!poptPeekArg(optCon))
 +		errx(1, "nothing to do");
 +
 +	status = NSS_NoDB_Init(NULL);
 +	if (status != SECSuccess)
 +		errx(1, "Could not initialize nss.\n"
 +		        "NSS says \"%s\" errno says \"%m\"\n",
 +			PORT_ErrorToString(PORT_GetError()));
 +
 +	while ((infile = poptGetArg(optCon)) != NULL) {
 +		pesign_context *ctxp = NULL;
 +
 +		char *ext = strrchr(infile, '.');
 +		if (ext && strcmp(ext, ".ko") == 0)
 +			fmt = FORMAT_KERNEL_MODULE;
 +
 +		rc = pesign_context_new(&ctxp);
 +		if (rc < 0)
 +			err(1, "Could not initialize context");
 +
 +		ctxp->verbose = verbose_cmd_line;
 +
 +		ctxp->hash = 1;
 +		ctxp->infile = strdup(infile);
 +		if (!ctxp->infile)
 +			err(1, "Could not allocate memory");
 +
 +		rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
 +		int is_help = strcmp(digest_name, "help") ? 0 : 1;
 +		if (rc < 0) {
 +			if (!is_help) {
 +				fprintf(stderr, "Digest \"%s\" not found.\n",
 +					digest_name);
 +			}
 +			exit(!is_help);
 +		}
 +
 +		errno = 0;
 +		switch (fmt) {
 +			case FORMAT_PE_BINARY:
 +				pe_handle_action(ctxp, action, padding);
 +				break;
 +			case FORMAT_KERNEL_MODULE:
 +				kmod_handle_action(ctxp, action);
 +				break;
 +		}
 +
 +		pesign_context_free(ctxp);
 +	}
 +
 +	poptFreeContext(optCon);
 +
 +	if (digest_name && digest_name != orig_digest_name)
 +		free(digest_name);
 +
 +	status = NSS_Shutdown();
 +	if (status != SECSuccess)
 +		errx(1, "could not shut down NSS: %s",
 +		     PORT_ErrorToString(PORT_GetError()));
 +
 +	return 0;
 +}
 +
 +// vim:fenc=utf-8:tw=75:noet
 diff --git a/src/.gitignore b/src/.gitignore
 index 64ce217..f8f6d66 100644
 --- a/src/.gitignore
 +++ b/src/.gitignore
@@ -5,6 +5,7 @@ client
 efikeygen
 efidbtool
 pesigcheck
 +pesum
 peverify
 pesign.service
 pesign.sysvinit
 diff --git a/src/Makefile b/src/Makefile
 index 7010514..79cf09e 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
 include $(TOPDIR)/Make.defaults
 BINTARGETS=authvar client efikeygen pesigcheck pesign \
 -	   pesign-rpmbuild-helper pesign-authorize
 +	   pesign-rpmbuild-helper pesign-authorize pesum
 CFGTARGETS=tmpfiles.conf
 SVCTARGETS=pesign.sysvinit pesign.service
 MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
@@ -29,9 +29,12 @@ EFIKEYGEN_SOURCES = efikeygen.c
 PESIGCHECK_SOURCES = pesigcheck.c pesigcheck_context.c certdb.c
 PESIGN_SOURCES = pesign.c pesign_context.c actions.c daemon.c \
 		 file_pe.c file_kmod.c pesign_kmod.c
 +PESUM_SOURCES = pesum.c pesign_context.c actions.c \
 +		file_pe.c file_kmod.c pesign_kmod.c
 ALL_SOURCES=$(COMMON_SOURCES) $(AUTHVAR_SORUCES) $(CLIENT_SOURCES) \
 -	$(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES)
 +	$(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES) \
 +	$(PESUM_SOURCES)
 -include $(call deps-of,$(ALL_SOURCES))
 authvar : $(call objects-of,$(AUTHVAR_SOURCES) $(COMMON_SOURCES))
@@ -53,6 +56,10 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
 pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
 pesign : PKGS=efivar nss nspr popt
 +pesum : $(call objects-of,$(PESUM_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURCES))
 +pesum : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
 +pesum : PKGS=efivar nss nspr popt
 +
 deps : PKGS=efivar nss nspr popt uuid
 deps : $(ALL_SOURCES)
 	$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -81,6 +88,7 @@ install :
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 +	$(INSTALL) -m 755 pesum $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 client $(INSTALLROOT)$(bindir)pesign-client
 	$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(bindir)
 diff --git a/src/pesum.1.mdoc b/src/pesum.1.mdoc
 new file mode 100644
 index 0000000..edd08ce
 --- /dev/null
 +++ b/src/pesum.1.mdoc
@@ -0,0 +1,38 @@
 +.Dd $Mdocdate: Mar 11 2022$
 +.Dt PESUM 1
 +.Os Linux
 +.Sh NAME
 +.Nm pesum
 +.Nd tool for generating Authenticode digests
 +.Sh SYNOPSIS
 +.Nm
 +.Bk -words
 +.Ar file0.efi
 +.Op Ar file1.efi ...
 +.Sh DESCRIPTION
 +.Nm
 +is a command line tool to generate Authenticode digests of PE binaries.
 +.Sh EXAMPLES
 +.Ss Getting the Authenticode digest of some files
 +host:$ \fBpesum shimx64.efi grubx64.efi\fR
 +8c5806e66bb5b052ebf860e1722474269cff3dde588610df21dbe8cf12c08390\ shimx64.efi
 +546a71319c22da1d81879383c4c74be06d1c374bdecfafc9fcc80bd541802bfc\ grubx64.efi
 +.Sh STANDARDS
 +.Rs
 +.%B Portable Executable
 +.%I Microsoft
 +.%D August 26, 2019
 +.%U https://docs.microsoft.com/en-us/windows/win32/debug/pe-format\ \&
 +.Re
 +
 +.Rs
 +.%B Windows Authenticode Portable Executable Signature Format
 +.%I Microsoft
 +.%D March 21, 2008
 +.%U https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx\ \&
 +.Re
 +.Sh SEE ALSO
 +.Xr pesign 1
 +.LP
 +.Sh AUTHORS
 +.An Peter Jones
--- a/0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
+++ b/0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
@ -1,54 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julian Sikorski <belegdol+github@gmail.com>
 Date: Wed, 23 Mar 2022 20:54:03 +0100
 Subject: [PATCH] Fix building signed kernels on setups other than koji
 Thanks to Will Springer for the idea. Details at
 https://bugzilla.redhat.com/show_bug.cgi?id=1880858
 Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
 Suggested-by: Will Springer <skirmisher@protonmail.com>
 ---
 src/pesign-rpmbuild-helper.in | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)
 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
 index 0a845d2..c9d5570 100644
 --- a/src/pesign-rpmbuild-helper.in
 +++ b/src/pesign-rpmbuild-helper.in
@@ -172,24 +172,22 @@ main() {
     USERNAME="${USERNAME:-$(id -un)}"
     local socket="" || :
 -    if grep -q ID=fedora /etc/os-release \
 +    if [[ -S /run/pesign/socket ]] ; then
 +        socket=/run/pesign/socket
 +    elif [[ -S /var/run/pesign/socket ]]; then
 +        socket=/var/run/pesign/socket
 +    elif grep -q ID=fedora /etc/os-release \
        && [[ "${rhelver}" -lt 7 ]] \
        && [[ "${USERNAME}" = "mockbuild" ]] \
        && [[ "${vendor}" = "Fedora Project" ]] \
        && [[ "${HOSTNAME}" =~ bkernel.* ]]
     then
 -	if [[ -S /run/pesign/socket ]] ; then
 -	    socket=/run/pesign/socket
 -	elif [[ -S /var/run/pesign/socket ]]; then
 -	    socket=/var/run/pesign/socket
 -	else
 -	    echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
 -	    echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
 -	    ls -ld /run/pesign /var/run/pesign 1>&2 ||:
 -	    ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
 -	    getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
 -	    getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
 -	fi
 +        echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
 +        echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
 +        ls -ld /run/pesign /var/run/pesign 1>&2 ||:
 +        ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
 +        getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
 +        getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
     fi
     if [[ "${rhelver}" -ge 7 ]] ; then
--- a/0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
+++ b/0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
@ -1,23 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 25 Mar 2022 15:01:54 -0400
 Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 Make.defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Make.defaults b/Make.defaults
 index 1c18904..05aadd0 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
 	$(call pkg-config-ccldflags)
 efi_cflags = $(cflags)
 ASFLAGS	?= $(ARCH3264)
 -CPPFLAGS ?= -D_FORTIFY_SOURCE=2
 +CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
 RANLIBFLAGS	?= $(if $(filter $(CC),gcc),-D)
 ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
--- a/0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+++ b/0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
@ -1,24 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 10 Aug 2021 12:39:08 -0400
 Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 34af57c..b7d6af1 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -34,7 +34,8 @@
     %{?__pesign_cert:--cert %{__pesign_cert}}				\\\
     %{?_buildhost:--hostname "%{_buildhost}"}				\\\
     %{?vendor:--vendor "%{vendor}"}					\\\
 -    %{?_rhel:--rhelver "%{_rhel}"}					\\\
 +    %{?rhel:--rhelver "%{rhel}"}					\\\
 +    %{?centos:--rhelver "%{centos}"}					\\\
     %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}}	\\\
     %{?-a:--rhelcafile "%{-a*}"}					\\\
     %{?-c:--rhelcertfile "%{-c*}"}					\\\
--- a/0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+++ b/0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
@ -1,25 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 4 Apr 2022 14:45:29 -0400
 Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
 Signed-off-by: Peter Jones <pjones@redhat.com>
 [rharwood: manually reapply to main]
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/pesign-rpmbuild-helper.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
 index c9d5570..9dee56e 100644
 --- a/src/pesign-rpmbuild-helper.in
 +++ b/src/pesign-rpmbuild-helper.in
@@ -190,7 +190,7 @@ main() {
         getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
     fi
 -    if [[ "${rhelver}" -ge 7 ]] ; then
 +    if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
 	nssdir="$(mktemp -p "${PWD}" -d)"
 	echo > "${nssdir}/pwfile"
 	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
--- a/0011-Rename-README-README.md.patch
+++ b/0011-Rename-README-README.md.patch
@ -1,17 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 13 May 2022 15:53:05 -0400
 Subject: [PATCH] Rename README -> README.md
 Rich text will let me compact links.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 README => README.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename README => README.md (100%)
 diff --git a/README b/README.md
 similarity index 100%
 rename from README
 rename to README.md
--- a/0012-README.md-show-off-a-bit-more.patch
+++ b/0012-README.md-show-off-a-bit-more.patch
@ -1,56 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 13 May 2022 16:09:12 -0400
 Subject: [PATCH] README.md: show off a bit more
 Prominently mention efikeygen and add examples of usage for it and
 pesign proper.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 README.md | 36 ++++++++++++++++++++++++++++++++----
 1 file changed, 32 insertions(+), 4 deletions(-)
 diff --git a/README.md b/README.md
 index d70bc53..e9f0cb7 100644
 --- a/README.md
 +++ b/README.md
@@ -1,6 +1,34 @@
 -Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with
 -the PE and Authenticode specifications.
 +# pesign + efikeygen
 -This is vaguely analogous to the tool described by
 -http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx
 +Signing tools for PE-COFF binaries.  Compliant with the PE and Authenticode
 +specifications.
 +(These serve a similar purpose to Microsoft's
 +[SignTool.exe](http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx),
 +except for Linux.)
 +
 +## Examples
 +
 +Generate a key for use with pesign, stored on disk:
 +
 +```
 +efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
 +```
 +
 +For more complex and secure use cases (e.g., hardware tokens), see
 +efikeygen man page (`man efikeygen`).
 +
 +Sign a UEFI application using that key:
 +
 +```
 +pesign -i grubx64.efi -o grubx64.efi.signed -c 'Custom Secureboot' -s
 +```
 +
 +Show signatures on a UEFI application:
 +
 +```
 +pesign -i grubx64.efi.signed -S
 +```
 +
 +For more signing/verification operations, see the pesign man page (`man
 +pesign`).
--- a/0013-Fix-missing-line-in-README.md.patch
+++ b/0013-Fix-missing-line-in-README.md.patch
@ -1,23 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 16 May 2022 15:31:25 -0400
 Subject: [PATCH] Fix missing line in README.md
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
 diff --git a/README.md b/README.md
 index e9f0cb7..7bbd6dd 100644
 --- a/README.md
 +++ b/README.md
@@ -15,6 +15,8 @@ Generate a key for use with pesign, stored on disk:
 efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
 ```
 +(where TYPE is m if you're only signing kernel modules, and k otherwise).
 +
 For more complex and secure use cases (e.g., hardware tokens), see
 efikeygen man page (`man efikeygen`).
--- a/0014-Fix-typo-in-efikeygen-command.patch
+++ b/0014-Fix-typo-in-efikeygen-command.patch
@ -1,23 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Matt Bernhard <bernhard@voting.works>
 Date: Fri, 27 May 2022 14:40:49 -0400
 Subject: [PATCH] Fix typo in efikeygen command
 Signed-off-by: Matt Bernhard <mdb92nc@gmail.com>
 ---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/README.md b/README.md
 index 7bbd6dd..b6949a2 100644
 --- a/README.md
 +++ b/README.md
@@ -12,7 +12,7 @@ except for Linux.)
 Generate a key for use with pesign, stored on disk:
 ```
 -efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
 +efikeygen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
 ```
 (where TYPE is m if you're only signing kernel modules, and k otherwise).
--- a/0015-pesigcheck-Fix-crash-on-digest-match.patch
+++ b/0015-pesigcheck-Fix-crash-on-digest-match.patch
@ -1,53 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Visa Hankala <visa@hankala.org>
 Date: Fri, 10 Jun 2022 13:25:13 +0000
 Subject: [PATCH] pesigcheck: Fix crash on digest match
 Set selected_digest when the digest is found in db or dbx.
 This fixes the following crash of pesigcheck:
  Program received signal SIGSEGV, Segmentation fault.
  0x00005555555597fa in memcpy (__len=24, __src=0x31,
      __dest=0x55555558d908)
      at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
  34      return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
  (gdb) bt
  #0  0x00005555555597fa in memcpy (__len=24, __src=0x31,
      __dest=0x55555558d908)
      at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
  #1  get_digest (digest=digest@entry=0x55555558d908,
      ctx=<optimized out>, ctx=<optimized out>) at pesigcheck.c:226
  #2  0x00005555555592fd in check_signature (
      reasons=<synthetic pointer>, nreasons=<synthetic pointer>,
      ctx=0x7fffffffded0) at pesigcheck.c:262
  #3  main (argc=<optimized out>, argv=<optimized out>)
      at pesigcheck.c:512
 Signed-off-by: Visa Hankala <visa@hankala.org>
 ---
 src/certdb.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index e013b9d..69d5daf 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -267,12 +267,16 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
 		digest = ctx->cms_ctx->digests[0].pe_digest->data;
 -		if (memcmp (digest, sig->data, 32) == 0)
 +		if (memcmp (digest, sig->data, 32) == 0) {
 +			ctx->cms_ctx->selected_digest = 0;
 			return FOUND;
 +		}
 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
 		digest = ctx->cms_ctx->digests[1].pe_digest->data;
 -		if (memcmp (digest, sig->data, 20) == 0)
 +		if (memcmp (digest, sig->data, 20) == 0) {
 +			ctx->cms_ctx->selected_digest = 1;
 			return FOUND;
 +		}
 	}
 	return NOT_FOUND;
--- a/0016-cms-store-digest-as-pointer-instead-of-index.patch
+++ b/0016-cms-store-digest-as-pointer-instead-of-index.patch
@ -1,272 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Fri, 10 Jun 2022 14:40:33 -0400
 Subject: [PATCH] cms: store digest as pointer instead of index
 Storage as an index is problematic because the sentinel value -1 was
 used, but accesses were unchecked, leading to crashes like that in
 3b1031a6b779cb80c11b34eec84c5a0cc215efed ("pesigcheck: Fix crash on
 digest match").  By storing a pointer, we get an explicit NULL
 dereference: still a crash, but preferred since it's clearer.
 Since the index was previously also used for retrieving digest
 parameters, include a pointer to the relevant struct digest_param in the
 struct digest.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/certdb.c       | 15 ++++++++-------
 src/cms_common.c   | 34 ++++++++++------------------------
 src/content_info.c |  4 ++--
 src/file_kmod.c    |  2 +-
 src/file_pe.c      |  9 +++++----
 src/pesigcheck.c   |  4 +---
 src/cms_common.h   | 13 ++++++++++++-
 7 files changed, 39 insertions(+), 42 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 69d5daf..f512824 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -263,18 +263,19 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 {
 	efi_guid_t efi_sha256 = efi_guid_sha256;
 	efi_guid_t efi_sha1 = efi_guid_sha1;
 -	void *digest;
 +	void *digest_data;
 +	struct digest *digests = ctx->cms_ctx->digests;
 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
 -		digest = ctx->cms_ctx->digests[0].pe_digest->data;
 -		if (memcmp (digest, sig->data, 32) == 0) {
 -			ctx->cms_ctx->selected_digest = 0;
 +		digest_data = digests[0].pe_digest->data;
 +		if (memcmp (digest_data, sig->data, 32) == 0) {
 +			ctx->cms_ctx->selected_digest = &digests[0];
 			return FOUND;
 		}
 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
 -		digest = ctx->cms_ctx->digests[1].pe_digest->data;
 -		if (memcmp (digest, sig->data, 20) == 0) {
 -			ctx->cms_ctx->selected_digest = 1;
 +		digest_data = digests[1].pe_digest->data;
 +		if (memcmp (digest_data, sig->data, 20) == 0) {
 +			ctx->cms_ctx->selected_digest = &digests[1];
 			return FOUND;
 		}
 	}
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 86341ca..2275f67 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -33,15 +33,6 @@
 #include "hex.h"
 -struct digest_param {
 -	char *name;
 -	SECOidTag digest_tag;
 -	SECOidTag signature_tag;
 -	SECOidTag digest_encryption_tag;
 -	const efi_guid_t *efi_guid;
 -	int size;
 -};
 -
 static struct digest_param digest_params[] = {
 	{.name = "sha256",
 	 .digest_tag = SEC_OID_SHA256,
@@ -65,29 +56,25 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 SECOidTag
 digest_get_digest_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 -	return digest_params[i].digest_tag;
 +	return cms->selected_digest->digest_params->digest_tag;
 }
 SECOidTag
 digest_get_encryption_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 -	return digest_params[i].digest_encryption_tag;
 +	return cms->selected_digest->digest_params->digest_encryption_tag;
 }
 SECOidTag
 digest_get_signature_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 -	return digest_params[i].signature_tag;
 +	return cms->selected_digest->digest_params->signature_tag;
 }
 int
 digest_get_digest_size(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 -	return digest_params[i].size;
 +	return cms->selected_digest->digest_params->size;
 }
 void
@@ -142,8 +129,6 @@ cms_context_init(cms_context *cms)
 	if (!cms->arena)
 		cnreterr(-1, cms, "could not create cryptographic arena");
 -	cms->selected_digest = -1;
 -
 	INIT_LIST_HEAD(&cms->pk12_ins);
 	cms->pk12_out.fd = -1;
 	cms->db_out = cms->dbx_out = cms->dbt_out = -1;
@@ -226,7 +211,7 @@ cms_context_fini(cms_context *cms)
 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
 	}
 -	cms->selected_digest = -1;
 +	cms->selected_digest = NULL;
 	if (cms->ci_digest) {
 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -351,7 +336,7 @@ set_digest_parameters(cms_context *cms, char *name)
 	if (strcmp(name, "help")) {
 		for (int i = 0; i < n_digest_params; i++) {
 			if (!strcmp(name, digest_params[i].name)) {
 -				cms->selected_digest = i;
 +				cms->selected_digest = &cms->digests[i];
 				return 0;
 			}
 		}
@@ -1279,6 +1264,7 @@ generate_digest_begin(cms_context *cms)
 			cngotoerr(err, cms, "could not create digest context");
 		PK11_DigestBegin(digests[i].pk11ctx);
 +		digests[i].digest_params = &digest_params[i];
 	}
 	cms->digests = digests;
@@ -1351,11 +1337,11 @@ generate_signature(cms_context *cms)
 {
 	int rc = 0;
 -	if (cms->digests[cms->selected_digest].pe_digest == NULL)
 +	if (cms->selected_digest->pe_digest == NULL)
 		cnreterr(-1, cms, "PE digest has not been allocated");
 -	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
 -			cms->digests[cms->selected_digest].pe_digest->len))
 +	if (content_is_empty(cms->selected_digest->pe_digest->data,
 +			cms->selected_digest->pe_digest->len))
 		cnreterr(-1, cms, "PE binary has not been digested");
 	SECItem sd_der;
 diff --git a/src/content_info.c b/src/content_info.c
 index 9684850..777aa28 100644
 --- a/src/content_info.c
 +++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
 			digest_get_digest_oid(cms)) < 0)
 		return -1;
 -	int i = cms->selected_digest;
 -	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
 +	memcpy(&di.digest, cms->selected_digest->pe_digest,
 +	       sizeof(di.digest));
 	if (content_is_empty(di.digest.data, di.digest.len)) {
 		cms->log(cms, LOG_ERR, "got empty digest");
 diff --git a/src/file_kmod.c b/src/file_kmod.c
 index 6880cda..c8875fc 100644
 --- a/src/file_kmod.c
 +++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
 kmod_write_signature(cms_context *cms, int outfd)
 {
 	SEC_PKCS7ContentInfo *cinfo;
 -	SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
 +	SECItem *digest = cms->selected_digest->pe_digest;
 	SECStatus rv;
 	struct write_sig_info info = {
 		.outfd = outfd,
 diff --git a/src/file_pe.c b/src/file_pe.c
 index 805e614..c22b2af 100644
 --- a/src/file_pe.c
 +++ b/src/file_pe.c
@@ -114,6 +114,8 @@ check_inputs(pesign_context *ctx)
 static void
 print_digest(pesign_context *pctx)
 {
 +	unsigned int i;
 +
 	if (!pctx)
 		return;
@@ -121,10 +123,9 @@ print_digest(pesign_context *pctx)
 	if (!ctx)
 		return;
 -	int j = ctx->selected_digest;
 -	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
 -		printf("%02x",
 -			(unsigned char)ctx->digests[j].pe_digest->data[i]);
 +	unsigned char *ddata = ctx->selected_digest->pe_digest->data;
 +	for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
 +		printf("%02x", ddata[i]);
 	printf(" %s\n", pctx->infile);
 }
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index 6dc67f7..ebb404d 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -221,9 +221,7 @@ static void
 get_digest(pesigcheck_context *ctx, SECItem *digest)
 {
 	struct cms_context *cms = ctx->cms_ctx;
 -	struct digest *cms_digest = &cms->digests[cms->selected_digest];
 -
 -	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
 +	memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
 }
 static int
 diff --git a/src/cms_common.h b/src/cms_common.h
 index c7acbcf..c7d4f69 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -12,6 +12,7 @@
 #include <secpkcs7.h>
 #include <errno.h>
 +#include <efivar.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <sys/types.h>
@@ -57,9 +58,19 @@
 		goto errlabel;						\
 	})
 +struct digest_param {
 +	char *name;
 +	SECOidTag digest_tag;
 +	SECOidTag signature_tag;
 +	SECOidTag digest_encryption_tag;
 +	const efi_guid_t *efi_guid;
 +	int size;
 +};
 +
 struct digest {
 	PK11Context *pk11ctx;
 	SECItem *pe_digest;
 +	struct digest_param *digest_params;
 };
 typedef struct pk12_file {
@@ -133,7 +144,7 @@ typedef struct cms_context {
 	int db_out, dbx_out, dbt_out;
 	struct digest *digests;
 -	int selected_digest;
 +	struct digest *selected_digest;
 	int omit_vendor_cert;
 	SECItem newsig;
--- a/0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
+++ b/0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
@ -1,31 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Thu, 7 Jul 2022 16:56:41 -0400
 Subject: [PATCH] Fix mandoc invocation to not produce garbage
 Bizarrely, mandoc doesn't default to outputting man - the default is
 "locale", which is either ASCII or UTF-8 (by locale).  This output is
 supposed to be some kind of plain-text, but it's formatted so strangely
 I'm not sure what the purpose is.  Regardless, it doesn't go well to
 feed this into man(1).
 Tell mandoc explicitly to produce man pages.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 Make.rules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Make.rules b/Make.rules
 index 12e322b..f6bf5fa 100644
 --- a/Make.rules
 +++ b/Make.rules
@@ -54,7 +54,7 @@ define substitute-version =
 endef
 %.1 : %.1.mdoc
 -	@mandoc -man -Ios=Linux $^ > $@
 +	@mandoc -man -T man -Ios=Linux $^ > $@
 % : %.in
 	@$(call substitute-version,$<,$@)
--- a/0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
+++ b/0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
@ -1,41 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 29 Aug 2022 15:31:52 -0400
 Subject: [PATCH] Work around GCC being obnoxiously incompatible with GCC
 GCC added and then later removed the diagnostic flag
 "-Wanalyzer-use-of-uninitialized-value", and so this doesn't work with
 newer versions of GCC.
 This patch removes the previous workaround for when it didn't work well.
 I really wish any of our compilers had any sense of rigor with this
 stuff at all.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/daemon.c | 5 -----
 1 file changed, 5 deletions(-)
 diff --git a/src/daemon.c b/src/daemon.c
 index ff88210..d66dd50 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
 	free(pollfds);
 }
 -/* GCC -fanalyzer has trouble with realloc
 - * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
 -#pragma GCC diagnostic push
 -#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
 static int
 handle_events(context *ctx)
 {
@@ -999,7 +995,6 @@ shutdown:
 	}
 	return 0;
 }
 -#pragma GCC diagnostic pop
 static int
 get_uid_and_gid(context *ctx, char **homedir)
--- a/0019-get_password_passthrough-handle-the-callback-context.patch
+++ b/0019-get_password_passthrough-handle-the-callback-context.patch
@ -1,51 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 29 Aug 2022 14:21:44 -0400
 Subject: [PATCH] get_password_passthrough(): handle the callback context right
 Right now, we have a few callback functions for PK11_Authenticate(), and
 they take different arguments.  This is incorrect; none of the callers
 ever pass anything through except our CMS context.
 This fixes get_password_passthrough() to correctly accept the CMS
 context and get the passthrough data from cms->pwdata instead of trying
 to treat the CMS context as the pwdata.
 Related: rhbz#2122777
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/password.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
 diff --git a/src/password.c b/src/password.c
 index 18c32ed..8eb1c33 100644
 --- a/src/password.c
 +++ b/src/password.c
@@ -365,13 +365,23 @@ err:
 }
 char *
 -get_password_passthrough(PK11SlotInfo *slot UNUSED,
 -			 PRBool retry, void *arg)
 +get_password_passthrough(PK11SlotInfo *slot UNUSED, PRBool retry, void *arg)
 {
 +	cms_context *cms;
 +	secuPWData *pwdata;
 +
 +	dbgprintf("ctx:%p", arg);
 +
 	if (retry || !arg)
 		return NULL;
 -	char *ret = strdup(arg);
 +	cms = (cms_context *)arg;
 +	pwdata = &cms->pwdata;
 +
 +	if (pwdata->source != PW_PLAINTEXT)
 +		return NULL;
 +
 +	char *ret = strdup(pwdata->data);
 	if (!ret)
 		err(1, "Could not allocate memory");
--- a/0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
+++ b/0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
@ -1,47 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 29 Aug 2022 15:22:10 -0400
 Subject: [PATCH] read_password(): only prune CR/NL from the end of the file
 Right now, when we read the password/PIN from a file, we're pruning the
 end of the string from the file we read indiscriminately.  If you don't
 have a newline, that means we're cutting off the final digits of the
 text.
 This changes it to prune only common special characters from the
 pinfile, but also to prune /all/ of them.
 Related: rhbz#2122777
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/password.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
 diff --git a/src/password.c b/src/password.c
 index 8eb1c33..ac1866e 100644
 --- a/src/password.c
 +++ b/src/password.c
@@ -79,6 +79,7 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
 	int infd = fileno(in);
 	struct termios tio;
 	char *ret;
 +	int len;
 	ingress();
 	ret = fgets(buf, bufsz, in);
@@ -96,7 +97,14 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
 	if (ret == NULL)
 		return -1;
 -	buf[strlen(buf)-1] = '\0';
 +	len = strlen(buf);
 +	while (len > 0 && (buf[len-1] == '\r' || buf[len-1] == '\n')) {
 +		buf[len-1] = '\0';
 +		len--;
 +	}
 +	if (len == 0)
 +		return -1;
 +
 	egress();
 	return 0;
 }
--- a/0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
+++ b/0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
@ -1,276 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 29 Aug 2022 16:22:18 -0400
 Subject: [PATCH] Revert "cms: store digest as pointer instead of index"
 In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
 cms->selected_digest to be a pointer to the member of the digests array
 rather than an index.  Unfortunately this is just as bad, because the
 bugs that come up wind up setting pointers to NULL+(selected*offset),
 i.e. 0x10, and that doesn't get us any closer to actually finding any
 problem.
 For now, the new approach is going to be to make it an index again, but
 to default it to 0 (sha256) rather than -1, so if it isn't set at the
 correct part of the lifecycle it'll just default to the (nearly always)
 correct choice.
 This reverts commit 926782c216532a83f9ff864dee39d2349d61fd23.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c       | 15 +++++++--------
 src/cms_common.c   | 34 ++++++++++++++++++++++++----------
 src/content_info.c |  4 ++--
 src/file_kmod.c    |  2 +-
 src/file_pe.c      |  9 ++++-----
 src/pesigcheck.c   |  4 +++-
 src/cms_common.h   | 13 +------------
 7 files changed, 42 insertions(+), 39 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index f512824..69d5daf 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -263,19 +263,18 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 {
 	efi_guid_t efi_sha256 = efi_guid_sha256;
 	efi_guid_t efi_sha1 = efi_guid_sha1;
 -	void *digest_data;
 -	struct digest *digests = ctx->cms_ctx->digests;
 +	void *digest;
 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
 -		digest_data = digests[0].pe_digest->data;
 -		if (memcmp (digest_data, sig->data, 32) == 0) {
 -			ctx->cms_ctx->selected_digest = &digests[0];
 +		digest = ctx->cms_ctx->digests[0].pe_digest->data;
 +		if (memcmp (digest, sig->data, 32) == 0) {
 +			ctx->cms_ctx->selected_digest = 0;
 			return FOUND;
 		}
 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
 -		digest_data = digests[1].pe_digest->data;
 -		if (memcmp (digest_data, sig->data, 20) == 0) {
 -			ctx->cms_ctx->selected_digest = &digests[1];
 +		digest = ctx->cms_ctx->digests[1].pe_digest->data;
 +		if (memcmp (digest, sig->data, 20) == 0) {
 +			ctx->cms_ctx->selected_digest = 1;
 			return FOUND;
 		}
 	}
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 2275f67..86341ca 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -33,6 +33,15 @@
 #include "hex.h"
 +struct digest_param {
 +	char *name;
 +	SECOidTag digest_tag;
 +	SECOidTag signature_tag;
 +	SECOidTag digest_encryption_tag;
 +	const efi_guid_t *efi_guid;
 +	int size;
 +};
 +
 static struct digest_param digest_params[] = {
 	{.name = "sha256",
 	 .digest_tag = SEC_OID_SHA256,
@@ -56,25 +65,29 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 SECOidTag
 digest_get_digest_oid(cms_context *cms)
 {
 -	return cms->selected_digest->digest_params->digest_tag;
 +	int i = cms->selected_digest;
 +	return digest_params[i].digest_tag;
 }
 SECOidTag
 digest_get_encryption_oid(cms_context *cms)
 {
 -	return cms->selected_digest->digest_params->digest_encryption_tag;
 +	int i = cms->selected_digest;
 +	return digest_params[i].digest_encryption_tag;
 }
 SECOidTag
 digest_get_signature_oid(cms_context *cms)
 {
 -	return cms->selected_digest->digest_params->signature_tag;
 +	int i = cms->selected_digest;
 +	return digest_params[i].signature_tag;
 }
 int
 digest_get_digest_size(cms_context *cms)
 {
 -	return cms->selected_digest->digest_params->size;
 +	int i = cms->selected_digest;
 +	return digest_params[i].size;
 }
 void
@@ -129,6 +142,8 @@ cms_context_init(cms_context *cms)
 	if (!cms->arena)
 		cnreterr(-1, cms, "could not create cryptographic arena");
 +	cms->selected_digest = -1;
 +
 	INIT_LIST_HEAD(&cms->pk12_ins);
 	cms->pk12_out.fd = -1;
 	cms->db_out = cms->dbx_out = cms->dbt_out = -1;
@@ -211,7 +226,7 @@ cms_context_fini(cms_context *cms)
 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
 	}
 -	cms->selected_digest = NULL;
 +	cms->selected_digest = -1;
 	if (cms->ci_digest) {
 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -336,7 +351,7 @@ set_digest_parameters(cms_context *cms, char *name)
 	if (strcmp(name, "help")) {
 		for (int i = 0; i < n_digest_params; i++) {
 			if (!strcmp(name, digest_params[i].name)) {
 -				cms->selected_digest = &cms->digests[i];
 +				cms->selected_digest = i;
 				return 0;
 			}
 		}
@@ -1264,7 +1279,6 @@ generate_digest_begin(cms_context *cms)
 			cngotoerr(err, cms, "could not create digest context");
 		PK11_DigestBegin(digests[i].pk11ctx);
 -		digests[i].digest_params = &digest_params[i];
 	}
 	cms->digests = digests;
@@ -1337,11 +1351,11 @@ generate_signature(cms_context *cms)
 {
 	int rc = 0;
 -	if (cms->selected_digest->pe_digest == NULL)
 +	if (cms->digests[cms->selected_digest].pe_digest == NULL)
 		cnreterr(-1, cms, "PE digest has not been allocated");
 -	if (content_is_empty(cms->selected_digest->pe_digest->data,
 -			cms->selected_digest->pe_digest->len))
 +	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
 +			cms->digests[cms->selected_digest].pe_digest->len))
 		cnreterr(-1, cms, "PE binary has not been digested");
 	SECItem sd_der;
 diff --git a/src/content_info.c b/src/content_info.c
 index 777aa28..9684850 100644
 --- a/src/content_info.c
 +++ b/src/content_info.c
@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
 			digest_get_digest_oid(cms)) < 0)
 		return -1;
 -	memcpy(&di.digest, cms->selected_digest->pe_digest,
 -	       sizeof(di.digest));
 +	int i = cms->selected_digest;
 +	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
 	if (content_is_empty(di.digest.data, di.digest.len)) {
 		cms->log(cms, LOG_ERR, "got empty digest");
 diff --git a/src/file_kmod.c b/src/file_kmod.c
 index c8875fc..6880cda 100644
 --- a/src/file_kmod.c
 +++ b/src/file_kmod.c
@@ -60,7 +60,7 @@ ssize_t
 kmod_write_signature(cms_context *cms, int outfd)
 {
 	SEC_PKCS7ContentInfo *cinfo;
 -	SECItem *digest = cms->selected_digest->pe_digest;
 +	SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
 	SECStatus rv;
 	struct write_sig_info info = {
 		.outfd = outfd,
 diff --git a/src/file_pe.c b/src/file_pe.c
 index c22b2af..805e614 100644
 --- a/src/file_pe.c
 +++ b/src/file_pe.c
@@ -114,8 +114,6 @@ check_inputs(pesign_context *ctx)
 static void
 print_digest(pesign_context *pctx)
 {
 -	unsigned int i;
 -
 	if (!pctx)
 		return;
@@ -123,9 +121,10 @@ print_digest(pesign_context *pctx)
 	if (!ctx)
 		return;
 -	unsigned char *ddata = ctx->selected_digest->pe_digest->data;
 -	for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
 -		printf("%02x", ddata[i]);
 +	int j = ctx->selected_digest;
 +	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
 +		printf("%02x",
 +			(unsigned char)ctx->digests[j].pe_digest->data[i]);
 	printf(" %s\n", pctx->infile);
 }
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index ebb404d..6dc67f7 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -221,7 +221,9 @@ static void
 get_digest(pesigcheck_context *ctx, SECItem *digest)
 {
 	struct cms_context *cms = ctx->cms_ctx;
 -	memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
 +	struct digest *cms_digest = &cms->digests[cms->selected_digest];
 +
 +	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
 }
 static int
 diff --git a/src/cms_common.h b/src/cms_common.h
 index c7d4f69..c7acbcf 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -12,7 +12,6 @@
 #include <secpkcs7.h>
 #include <errno.h>
 -#include <efivar.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <sys/types.h>
@@ -58,19 +57,9 @@
 		goto errlabel;						\
 	})
 -struct digest_param {
 -	char *name;
 -	SECOidTag digest_tag;
 -	SECOidTag signature_tag;
 -	SECOidTag digest_encryption_tag;
 -	const efi_guid_t *efi_guid;
 -	int size;
 -};
 -
 struct digest {
 	PK11Context *pk11ctx;
 	SECItem *pe_digest;
 -	struct digest_param *digest_params;
 };
 typedef struct pk12_file {
@@ -144,7 +133,7 @@ typedef struct cms_context {
 	int db_out, dbx_out, dbt_out;
 	struct digest *digests;
 -	struct digest *selected_digest;
 +	int selected_digest;
 	int omit_vendor_cert;
 	SECItem newsig;
--- a/0022-CMS-add-some-minor-cleanups.patch
+++ b/0022-CMS-add-some-minor-cleanups.patch
@ -1,149 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 29 Aug 2022 17:02:46 -0400
 Subject: [PATCH] CMS: add some minor cleanups
 We reverted 926782c216532a83f9ff864dee39d2349d61fd23 so that a future
 patch can try a different approach, but that commit also had a few
 cleanups that are worthwhile on their own.
 This patch re-introduces the cleanup to move "struct digest_param" to a
 more reasonable place and the cleanup to check_hash(), and takes it just
 a bit farther.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c     | 26 +++++++++++++++-----------
 src/cms_common.c | 39 ++++++++++++++++-----------------------
 src/cms_common.h | 16 ++++++++++++++++
 3 files changed, 47 insertions(+), 34 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 69d5daf..eb5221f 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -263,20 +263,24 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 {
 	efi_guid_t efi_sha256 = efi_guid_sha256;
 	efi_guid_t efi_sha1 = efi_guid_sha1;
 -	void *digest;
 +	void *digest_data;
 +	struct digest *digests = ctx->cms_ctx->digests;
 +	int selected_digest = -1;
 +	size_t size;
 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
 -		digest = ctx->cms_ctx->digests[0].pe_digest->data;
 -		if (memcmp (digest, sig->data, 32) == 0) {
 -			ctx->cms_ctx->selected_digest = 0;
 -			return FOUND;
 -		}
 +		selected_digest = DIGEST_PARAM_SHA256;
 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
 -		digest = ctx->cms_ctx->digests[1].pe_digest->data;
 -		if (memcmp (digest, sig->data, 20) == 0) {
 -			ctx->cms_ctx->selected_digest = 1;
 -			return FOUND;
 -		}
 +		selected_digest = DIGEST_PARAM_SHA1;
 +	} else {
 +		return NOT_FOUND;
 +	}
 +
 +	digest_data = digests[selected_digest].pe_digest->data;
 +	size = digest_params[selected_digest].size;
 +	if (memcmp (digest_data, sig->data, size) == 0) {
 +		ctx->cms_ctx->selected_digest = selected_digest;
 +		return FOUND;
 	}
 	return NOT_FOUND;
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 86341ca..7bddedf 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -33,34 +33,27 @@
 #include "hex.h"
 -struct digest_param {
 -	char *name;
 -	SECOidTag digest_tag;
 -	SECOidTag signature_tag;
 -	SECOidTag digest_encryption_tag;
 -	const efi_guid_t *efi_guid;
 -	int size;
 -};
 -
 -static struct digest_param digest_params[] = {
 -	{.name = "sha256",
 -	 .digest_tag = SEC_OID_SHA256,
 -	 .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
 -	 .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
 -	 .efi_guid = &efi_guid_sha256,
 -	 .size = 32
 +const struct digest_param digest_params[] = {
 +	[DIGEST_PARAM_SHA256] = {
 +		.name = "sha256",
 +		.digest_tag = SEC_OID_SHA256,
 +		.signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
 +		.digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
 +		.efi_guid = &efi_guid_sha256,
 +		.size = 32
 	},
 #if 1
 -	{.name = "sha1",
 -	 .digest_tag = SEC_OID_SHA1,
 -	 .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
 -	 .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
 -	 .efi_guid = &efi_guid_sha1,
 -	 .size = 20
 +	[DIGEST_PARAM_SHA1] = {
 +		.name = "sha1",
 +		.digest_tag = SEC_OID_SHA1,
 +		.signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
 +		.digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
 +		.efi_guid = &efi_guid_sha1,
 +		.size = 20
 	},
 #endif
 };
 -static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 +const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 SECOidTag
 digest_get_digest_oid(cms_context *cms)
 diff --git a/src/cms_common.h b/src/cms_common.h
 index c7acbcf..e45402c 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -12,6 +12,7 @@
 #include <secpkcs7.h>
 #include <errno.h>
 +#include <efivar.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <sys/types.h>
@@ -62,6 +63,21 @@ struct digest {
 	SECItem *pe_digest;
 };
 +#define DIGEST_PARAM_SHA256	0
 +#define DIGEST_PARAM_SHA1	1
 +
 +struct digest_param {
 +	char *name;
 +	SECOidTag digest_tag;
 +	SECOidTag signature_tag;
 +	SECOidTag digest_encryption_tag;
 +	const efi_guid_t *efi_guid;
 +	int size;
 +};
 +
 +extern const struct digest_param digest_params[2];
 +extern const int n_digest_params;
 +
 typedef struct pk12_file {
 	char *path;
 	int fd;
--- a/0023-CMS-make-cms-selected_digest-an-index-again.patch
+++ b/0023-CMS-make-cms-selected_digest-an-index-again.patch
@ -1,291 +0,0 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 30 Aug 2022 15:42:15 -0400
 Subject: [PATCH] CMS: make cms->selected_digest an index (again)
 In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
 cms->selected_digest to be a pointer to the entry in cms->digests.
 Because cms->digests is lazily allocated, setting the selected_digest
 pointer has to be done at the right part of the CMS context life cycle,
 and in some cases it clearly is not:
 ==334217== Command: ./src/pesign -n tmp -s --pinfile tmp/pinfile -t OpenSC\ Card\ (testcard) -c kernel-signer -i tmp/unsigned.efi -o tmp/signed.efi --force
 ==334217==
 ==334217== Invalid read of size 8
 ==334217==    at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
 ==334217==    by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
 ==334217==    by 0x11D348: generate_spc_signed_data (signed_data.c:279)
 ==334217==    by 0x11EDFD: calculate_signature_space (wincert.c:297)
 ==334217==    by 0x11467D: pe_handle_action (file_pe.c:298)
 ==334217==    by 0x10F962: main (pesign.c:585)
 ==334217==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
 ==334217==
 ==334217==
 ==334217== Process terminating with default action of signal 11 (SIGSEGV): dumping core
 ==334217==  Access not within mapped region at address 0x10
 ==334217==    at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
 ==334217==    by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
 ==334217==    by 0x11D348: generate_spc_signed_data (signed_data.c:279)
 ==334217==    by 0x11EDFD: calculate_signature_space (wincert.c:297)
 ==334217==    by 0x11467D: pe_handle_action (file_pe.c:298)
 ==334217==    by 0x10F962: main (pesign.c:585)
 ==334217==  If you believe this happened as a result of a stack
 ==334217==  overflow in your program's main thread (unlikely but
 ==334217==  possible), you can try to increase the size of the
 ==334217==  main thread stack using the --main-stacksize= flag.
 ==334217==  The main thread stack size used in this run was 8388608.
 ==334217==
 ==334217== HEAP SUMMARY:
 ==334217==     in use at exit: 588,544 bytes in 4,388 blocks
 ==334217==   total heap usage: 8,568 allocs, 4,180 frees, 2,077,115 bytes allocated
 ==334217==
 ==334217== LEAK SUMMARY:
 ==334217==    definitely lost: 25 bytes in 1 blocks
 ==334217==    indirectly lost: 0 bytes in 0 blocks
 ==334217==      possibly lost: 51,378 bytes in 166 blocks
 ==334217==    still reachable: 537,141 bytes in 4,221 blocks
 ==334217==                       of which reachable via heuristic:
 ==334217==                         length64           : 321,312 bytes in 590 blocks
 ==334217==         suppressed: 0 bytes in 0 blocks
 ==334217== Rerun with --leak-check=full to see details of leaked memory
 ==334217==
 ==334217== For lists of detected and suppressed errors, rerun with: -s
 ==334217== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
 Segmentation fault (core dumped)
 There is also a similar issue in the daemon code, and how to fix it
 there is not immediately clear to me.
 Currently, we realistically only support using sha256 digests, so for
 now I've chosen to paper over the issue by switching back to
 cms->selected_digest be an index into both ctx->digests and
 digest_params, but switching the default value from -1 to 0, aka
 DIGEST_PARAM_SHA256.  We can revisit this issue later whenever we add
 sha384 support (or whichever other digest).
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c       |  2 +-
 src/cms_common.c   | 41 +++++++++++++++++++++++------------------
 src/content_info.c |  2 +-
 src/cms_common.h   |  5 +++--
 4 files changed, 28 insertions(+), 22 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index eb5221f..467a01d 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -265,7 +265,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	efi_guid_t efi_sha1 = efi_guid_sha1;
 	void *digest_data;
 	struct digest *digests = ctx->cms_ctx->digests;
 -	int selected_digest = -1;
 +	unsigned int selected_digest;
 	size_t size;
 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 7bddedf..1c54c90 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -33,6 +33,10 @@
 #include "hex.h"
 +/*
 + * Note that cms->selected_digest defaults to 0, which means the first
 + * entry of this array is the default digest.
 + */
 const struct digest_param digest_params[] = {
 	[DIGEST_PARAM_SHA256] = {
 		.name = "sha256",
@@ -53,33 +57,33 @@ const struct digest_param digest_params[] = {
 	},
 #endif
 };
 -const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 +const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
 SECOidTag
 digest_get_digest_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 +	unsigned int i = cms->selected_digest;
 	return digest_params[i].digest_tag;
 }
 SECOidTag
 digest_get_encryption_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 +	unsigned int i = cms->selected_digest;
 	return digest_params[i].digest_encryption_tag;
 }
 SECOidTag
 digest_get_signature_oid(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 +	unsigned int i = cms->selected_digest;
 	return digest_params[i].signature_tag;
 }
 int
 digest_get_digest_size(cms_context *cms)
 {
 -	int i = cms->selected_digest;
 +	unsigned int i = cms->selected_digest;
 	return digest_params[i].size;
 }
@@ -91,7 +95,7 @@ teardown_digests(cms_context *ctx)
 	if (!digests)
 		return;
 -	for (int i = 0; i < n_digest_params; i++) {
 +	for (unsigned int i = 0; i < n_digest_params; i++) {
 		if (digests[i].pk11ctx) {
 			PK11_Finalize(digests[i].pk11ctx);
 			PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
@@ -135,7 +139,7 @@ cms_context_init(cms_context *cms)
 	if (!cms->arena)
 		cnreterr(-1, cms, "could not create cryptographic arena");
 -	cms->selected_digest = -1;
 +	cms->selected_digest = DEFAULT_DIGEST_PARAM;
 	INIT_LIST_HEAD(&cms->pk12_ins);
 	cms->pk12_out.fd = -1;
@@ -219,7 +223,7 @@ cms_context_fini(cms_context *cms)
 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
 	}
 -	cms->selected_digest = -1;
 +	cms->selected_digest = DEFAULT_DIGEST_PARAM;
 	if (cms->ci_digest) {
 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
@@ -342,7 +346,7 @@ int
 set_digest_parameters(cms_context *cms, char *name)
 {
 	if (strcmp(name, "help")) {
 -		for (int i = 0; i < n_digest_params; i++) {
 +		for (unsigned int i = 0; i < n_digest_params; i++) {
 			if (!strcmp(name, digest_params[i].name)) {
 				cms->selected_digest = i;
 				return 0;
@@ -350,7 +354,7 @@ set_digest_parameters(cms_context *cms, char *name)
 		}
 	} else {
 		printf("Supported digests: ");
 -		for (int i = 0; digest_params[i].name != NULL; i++) {
 +		for (unsigned int i = 0; digest_params[i].name != NULL; i++) {
 			printf("%s ", digest_params[i].name);
 		}
 		printf("\n");
@@ -1265,7 +1269,7 @@ generate_digest_begin(cms_context *cms)
 			cnreterr(-1, cms, "could not allocate digest context");
 	}
 -	for (int i = 0; i < n_digest_params; i++) {
 +	for (unsigned int i = 0; i < n_digest_params; i++) {
 		digests[i].pk11ctx = PK11_CreateDigestContext(
 						digest_params[i].digest_tag);
 		if (!digests[i].pk11ctx)
@@ -1278,7 +1282,7 @@ generate_digest_begin(cms_context *cms)
 	return 0;
 err:
 -	for (int i = 0; i < n_digest_params; i++) {
 +	for (unsigned int i = 0; i < n_digest_params; i++) {
 		if (digests[i].pk11ctx)
 			PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
 	}
@@ -1290,7 +1294,7 @@ err:
 void
 generate_digest_step(cms_context *cms, void *data, size_t len)
 {
 -	for (int i = 0; i < n_digest_params; i++)
 +	for (unsigned int i = 0; i < n_digest_params; i++)
 		PK11_DigestOp(cms->digests[i].pk11ctx, data, len);
 }
@@ -1299,7 +1303,7 @@ generate_digest_finish(cms_context *cms)
 {
 	void *mark = PORT_ArenaMark(cms->arena);
 -	for (int i = 0; i < n_digest_params; i++) {
 +	for (unsigned int i = 0; i < n_digest_params; i++) {
 		SECItem *digest = PORT_ArenaZAlloc(cms->arena,sizeof (SECItem));
 		if (digest == NULL)
 			cngotoerr(err, cms, "could not allocate memory");
@@ -1326,7 +1330,7 @@ generate_digest_finish(cms_context *cms)
 	PORT_ArenaUnmark(cms->arena, mark);
 	return 0;
 err:
 -	for (int i = 0; i < n_digest_params; i++) {
 +	for (unsigned int i = 0; i < n_digest_params; i++) {
 		if (cms->digests[i].pk11ctx)
 			PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
 	}
@@ -1343,12 +1347,13 @@ int
 generate_signature(cms_context *cms)
 {
 	int rc = 0;
 +	int i = cms->selected_digest;
 -	if (cms->digests[cms->selected_digest].pe_digest == NULL)
 +	if (cms->digests[i].pe_digest == NULL)
 		cnreterr(-1, cms, "PE digest has not been allocated");
 -	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
 -			cms->digests[cms->selected_digest].pe_digest->len))
 +	if (content_is_empty(cms->digests[i].pe_digest->data,
 +			cms->digests[i].pe_digest->len))
 		cnreterr(-1, cms, "PE binary has not been digested");
 	SECItem sd_der;
 diff --git a/src/content_info.c b/src/content_info.c
 index 9684850..900974c 100644
 --- a/src/content_info.c
 +++ b/src/content_info.c
@@ -181,7 +181,7 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
 			digest_get_digest_oid(cms)) < 0)
 		return -1;
 -	int i = cms->selected_digest;
 +	unsigned int i = cms->selected_digest;
 	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
 	if (content_is_empty(di.digest.data, di.digest.len)) {
 diff --git a/src/cms_common.h b/src/cms_common.h
 index e45402c..35a128a 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -65,6 +65,7 @@ struct digest {
 #define DIGEST_PARAM_SHA256	0
 #define DIGEST_PARAM_SHA1	1
 +#define DEFAULT_DIGEST_PARAM	DIGEST_PARAM_SHA256
 struct digest_param {
 	char *name;
@@ -76,7 +77,7 @@ struct digest_param {
 };
 extern const struct digest_param digest_params[2];
 -extern const int n_digest_params;
 +extern const unsigned int n_digest_params;
 typedef struct pk12_file {
 	char *path;
@@ -149,7 +150,7 @@ typedef struct cms_context {
 	int db_out, dbx_out, dbt_out;
 	struct digest *digests;
 -	int selected_digest;
 +	unsigned int selected_digest;
 	int omit_vendor_cert;
 	SECItem newsig;
--- a/pesign.patches
+++ b/pesign.patches
@ -1,23 +0,0 @@
 Patch0001: 0001-daemon-remove-always-true-comparison.patch
 Patch0002: 0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
 Patch0003: 0003-Rename-dprintf-to-dbgprintf.patch
 Patch0004: 0004-.gitignore-add-compile_commands.json-and-.cache.patch
 Patch0005: 0005-pesign-print-digests-before-filenames-like-sha256sum.patch
 Patch0006: 0006-Add-pesum-an-authenticode-digest-generator.patch
 Patch0007: 0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
 Patch0008: 0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
 Patch0009: 0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
 Patch0010: 0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
 Patch0011: 0011-Rename-README-README.md.patch
 Patch0012: 0012-README.md-show-off-a-bit-more.patch
 Patch0013: 0013-Fix-missing-line-in-README.md.patch
 Patch0014: 0014-Fix-typo-in-efikeygen-command.patch
 Patch0015: 0015-pesigcheck-Fix-crash-on-digest-match.patch
 Patch0016: 0016-cms-store-digest-as-pointer-instead-of-index.patch
 Patch0017: 0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
 Patch0018: 0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
 Patch0019: 0019-get_password_passthrough-handle-the-callback-context.patch
 Patch0020: 0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
 Patch0021: 0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
 Patch0022: 0022-CMS-add-some-minor-cleanups.patch
 Patch0023: 0023-CMS-make-cms-selected_digest-an-index-again.patch
--- a/pesign.spec
+++ b/pesign.spec
@ -5,8 +5,8 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
-Version: 115
+Version: 116
-Release: 9%{?dist}
+Release: 1%{?dist}
 License: GPL-2.0-only
 URL:     https://github.com/rhboot/pesign
@ -162,6 +162,10 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 %changelog
 * Tue Jan 31 2023 Robbie Harwood <rharwood@redhat.com> - 116-1
 - New upstream release (116)
 - Resolves: CVE-2022-3560
 * Wed Aug 31 2022 Robbie Harwood <rharwood@redhat.com> - 115-9
 - Roll up to pjones's smartcard/cms fixes
--- a/2
+++ b/2
@ -1,2 +1,2 @@
 SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
-SHA512 (pesign-115.tar.bz2) = 0091d70e286326b1ed74418ca8c5a2a63d42e6aa3eccdfc4f09a34241b2addfe878af17d1d74648b7da79d6cd7158fcca0f3a52f4a82a57cacae4617b42b1faa
+SHA512 (pesign-116.tar.bz2) = be3e1083f5e9f889cb8f7c50a8ebe723542fb2f6d1de8de9b04a9f21526ebaa8ab1efc7d4be11bcb0bc9862fa4bc6f78ee35e4d3496dd3b8927170b97795d25c
`@ -1,2 +1,2 @@`
	`SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f`	`SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f`
	`SHA512 (pesign-115.tar.bz2) = 0091d70e286326b1ed74418ca8c5a2a63d42e6aa3eccdfc4f09a34241b2addfe878af17d1d74648b7da79d6cd7158fcca0f3a52f4a82a57cacae4617b42b1faa`	`SHA512 (pesign-116.tar.bz2) = be3e1083f5e9f889cb8f7c50a8ebe723542fb2f6d1de8de9b04a9f21526ebaa8ab1efc7d4be11bcb0bc9862fa4bc6f78ee35e4d3496dd3b8927170b97795d25c`