diff --git a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
index 8ae2207..d948caa 100644
--- a/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0006-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@@ -1,4 +1,4 @@
-From 853167a32574ce175c7de2ee730afc1a835191f4 Mon Sep 17 00:00:00 2001
+From 8499f7b340e4f6fbb5701db21fbabc25b8883c54 Mon Sep 17 00:00:00 2001
 From: Peter Jones
 Date: Mon, 6 Jul 2020 13:54:35 -0400
 Subject: [PATCH 6/7] Move most of macros.pesign to pesign-rpmbuild-helper
@@ -6,9 +6,9 @@ Subject: [PATCH 6/7] Move most of macros.pesign to pesign-rpmbuild-helper
 Signed-off-by: Peter Jones
 ---
  src/Makefile | 1 +
- src/macros.pesign | 72 +++++-------------
- src/pesign-rpmbuild-helper | 152 +++++++++++++++++++++++++++++++++++++
- 3 files changed, 173 insertions(+), 52 deletions(-)
+ src/macros.pesign | 73 +++++-------------
+ src/pesign-rpmbuild-helper | 153 +++++++++++++++++++++++++++++++++++++
+ 3 files changed, 174 insertions(+), 53 deletions(-)
  create mode 100755 src/pesign-rpmbuild-helper
 diff --git a/src/Makefile b/src/Makefile
@@ -24,19 +24,23 @@ index 74327ba13f3..c9e9cc6cd1b 100644
  $(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
  $(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
 diff --git a/src/macros.pesign b/src/macros.pesign
-index 5a6da1c6809..4caf0ba9c8d 100644
+index 5a6da1c6809..e3a0de9c2f4 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
-@@ -6,7 +6,7 @@
+@@ -6,10 +6,10 @@
  # %pesign -s -i shim.orig -o shim.efi
  # And magically get the right thing.
 -%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-+%__pesign_token %{nil}%{?pe_signing_token:"%{pe_signing_token}"}
++%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
  %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
- %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
-@@ -24,54 +24,22 @@
+-%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
++%__pesign_client_token --token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+ %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %_pesign /usr/bin/pesign
+@@ -24,54 +24,21 @@
  # -a # rhel only
  # -s # perform signing
  %pesign(i:o:C:e:c:n:a:s) \
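Review bot: The new `%__pesign_client_token` definition carries its own `--token` prefix, while the rewritten `%pesign` body in the following hunk (`@@ -95,24 +99,23 @@`) passes it as `--client-token %{__pesign_client_token}`, so the helper is invoked with `--client-token --token "OpenSC Card (Fedora Signer)"` and the helper's `--client-token` case, which stores `${2}`, would take the literal `--token` as its value. The sibling `%__pesign_client_cert` has no such prefix and is passed the same way, so the definition is the odd one out; the line should presumably read `+%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}`. How the helper's argument loop treats the stray positional that follows is not visible on this page.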
@@ -95,24 +99,23 @@ index 5a6da1c6809..4caf0ba9c8d 100644
 + "%{_target_cpu}" \\\
 + "%{_pesign}" \\\
 + "%{_pesign_client}" \\\
-+ %{?__pesign_client_token?--client-token "%{__pesign_client_token}"} \\\
-+ %{?__pesign_client_cert?--client-cert "%{__pesign_client_cert}"} \\\
-+ %{?__pesign_token?--token "%{__pesign_token}"} \\\
-+ %{?__pesign_cert?--cert "%{__pesign_cert}"} \\\
++ %{?__pesign_client_token:--client-token %{__pesign_client_token}} \\\
++ %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}} \\\
++ %{?__pesign_token:%{__pesign_token}} \\\
++ %{?-n:--cert "%{-n*}"}%{?!-n:--cert "%{__pesign_cert}"} \\\
 + %{?_rhel:--rhelver "%{_rhel}"} \\\
-+ %{?-a*:--cafile "%{-a*}"} \\\
-+ %{?-c*:--certfile "%{-c*}"} \\\
-+ %{?-n*:--certname "%{-n*}"} \\\
-+ %{?-C*:--certout "%{-C*}"} \\\
-+ %{?-e*:--sattrout "%{-e*}"} \\\
-+ %{?-i*:--in "%{i*}"} \\\
-+ %{?-o*:--out "%{o*}"} \\\
++ %{?-a:--cafile "%{-a*}"} \\\
++ %{?-c:--certfile "%{-c*}"} \\\
++ %{?-C:--certout "%{-C*}"} \\\
++ %{?-e:--sattrout "%{-e*}"} \\\
++ %{?-i:--in "%{-i*}"} \\\
++ %{?-o:--out "%{-o*}"} \\\
 + %{?-s:--sign} \\\
 + ; \
 +%{nil}
 diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
 new file mode 100755
-index 00000000000..24514aa0b5d
+index 00000000000..fd385d1625d
 --- /dev/null
 +++ b/src/pesign-rpmbuild-helper
 @@ -0,0 +1,153 @@
diff --git a/0007-client-try-run-and-var-run-for-the-socket-path.patch b/0007-client-try-run-and-var-run-for-the-socket-path.patch
index 984805c..e9e89e5 100644
--- a/0007-client-try-run-and-var-run-for-the-socket-path.patch
+++ b/0007-client-try-run-and-var-run-for-the-socket-path.patch
@@ -1,18 +1,19 @@
-From 7ca77cc1d498db72fd6ea6103defaf7d76f4e946 Mon Sep 17 00:00:00 2001
+From c98b16d890a1e4651b3683853acb69fedd5a10dd Mon Sep 17 00:00:00 2001
 From: Peter Jones
 Date: Mon, 6 Jul 2020 16:13:09 -0400
 Subject: [PATCH 7/7] client: try /run and /var/run for the socket path.
 Signed-off-by: Peter Jones
 ---
- src/client.c | 40 +++++++++++++++++++++++++++++-----------
- 1 file changed, 29 insertions(+), 11 deletions(-)
+ src/client.c | 40 ++++++++++++++++++++--------
+ src/pesign-rpmbuild-helper | 54 ++++++++++++++++++++++----------
+ 2 files changed, 61 insertions(+), 33 deletions(-)
 diff --git a/src/client.c b/src/client.c
-index 2119ef33bf8..a38383415d5 100644
+index a4f1d1dbbe7..0082be1f597 100644
 --- a/src/client.c
 +++ b/src/client.c
-@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
+@@ -61,24 +61,24 @@ print_flag_name(FILE *f, int flag)
  }
  static int
@@ -45,7 +46,7 @@ index 2119ef33bf8..a38383415d5 100644
  }
  socklen_t len = strlen(addr_un.sun_path) +
-@@ -74,14 +74,32 @@ connect_to_server(void)
+@@ -86,14 +86,32 @@ connect_to_server(void)
  rc = connect(sd, (struct sockaddr *)&addr_un, len);
  if (rc < 0) {
@@ -81,6 +82,112 @@ index 2119ef33bf8..a38383415d5 100644
  static int32_t check_response(int sd, char **srvmsg);
+diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
+index fd385d1625d..68b53ddf022 100755
+--- a/src/pesign-rpmbuild-helper
++++ b/src/pesign-rpmbuild-helper
+@@ -1,6 +1,7 @@
+ #!/bin/sh
+ 
+ set -eu
++set -x
+ 
+ main() {
+ local target_cpu="${1}" && shift
+@@ -32,32 +33,41 @@ main() {
+ " --certfile ")
+ certfile="${2}"
+ ;;
+- " --certname ")
+- certname="${2}"
+- ;;
+ " --certout ")
+- certout=(-C "${2}")
++ certout[0]=-C
++ certout[1]="${2}"
+ ;;
+ " --sattrout ")
+- sattrout=(-e "${2}")
++ sattrout[0]=-e
++ sattrout[1]="${2}"
+ ;;
+ " --client-token ")
+- client_token=(-t "${2}")
++ client_token[0]=-t
++ client_token[1]="${2}"
+ ;;
+ " --client-cert ")
+- client_cert=(-c "${2}")
++ client_cert[0]=-c
++ client_cert[1]="${2}"
+ ;;
+ " --token ")
+- token=(-t "${2}")
++ token[0]=-t
++ token="${2}"
+ ;;
+ " --cert ")
+- cert=(-c "${2}")
++ cert[0]=-c
++ cert[1]="${2}"
++ ;;
++ " --certname ")
++ cert[0]=-c
++ cert[1]="${2}"
+ ;;
+ " --in ")
+- input=(-i "${2}")
++ input[0]=-i
++ input[1]="${2}"
+ ;;
+ " --out ")
+- output=(-o "${2}")
++ output[0]=-o
++ output[1]="${2}"
+ ;;
+ " --rhelver ")
+ rhelver="${2}"
+@@ -75,8 +85,8 @@ main() {
+ fi
+ 
+ local nssdir=/etc/pki/pesign
+- if [ "${certname}" == "Red Hat Test Certificate" ] ||
+- [ "${#cert[@]}" -eq 2 -a "${cert[1]}" == "Red Hat Test Certificate" ] ; then
++ if [ "${#cert[@]}" -eq 2 ] &&
++ [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
+ nssdir=/etc/pki/pesign-rh-test
+ fi
+ 
+@@ -125,20 +135,20 @@ main() {
+ certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
+ sattrs="$(mktemp -p $PWD --suffix=.der)"
+ "${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+- ${input[@]} --force
+- rpm-sign --key "${certname}" --rsadgstsign "${sattrs}"
++ "${input[@]}" --force
++ rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
+ "${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+ --certdir "${nssdir}" -c signer \
+- ${input[@]} ${output[@]}
++ "${input[@]}" "${output[@]}"
+ rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+ elif [ -n "${socket}" ] ; then
+- "${client}" ${client_token[@]} ${client_cert[@]} \
+- ${sattrout[@]} ${certout[@]} \
+- ${sign} ${input[@]} ${output[@]}
++ "${client}" "${client_token[@]}" "${client_cert[@]}" \
++ "${sattrout[@]}" "${certout[@]}" \
++ ${sign} "${input[@]}" "${output[@]}"
+ else
+- "${bin}" --certdir "${nssdir}" ${token[@]} ${cert[@]} \
+- ${sign} ${sattrout[@]} ${certout[@]} \
+- ${input[@]} ${output[@]}
++ "${bin}" --certdir "${nssdir}" "${token[@]}" \
++ "${cert[@]}" ${sign} "${sattrout[@]}" \
++ "${certout[@]}" "${input[@]}" "${output[@]}"
+ fi
+ 
+ # if there's a 0-sized output file, delete it and error out
 -- 
 2.26.2
diff --git a/pesign.spec b/pesign.spec
index 9847ffe..40bff5d 100644
--- a/pesign.spec
+++ b/pesign.spec
@@ -3,7 +3,7 @@ Name: pesign
 Summary: Signing utility for UEFI binaries
 Version: 113
-Release: 5~2%{?dist}
+Release: 5~3%{?dist}
 License: GPLv2
 URL: https://github.com/vathpela/pesign
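Review bot: The `--token` case sets `token[0]=-t` and then `token="${2}"`; in bash a scalar assignment to an array name writes element 0, so the `-t` is overwritten and `"${token[@]}"` later expands to the bare token name with no flag in front of it. The matching line is `token[1]="${2}"`, as every other case in this hunk does. The `set -x` added at the top of the helper traces every command with its full argument list, including the `rpm-sign --key` and pesign invocations, into the build log; if it is not meant to ship, drop it or gate it on an environment variable. Note also that the `name[0]=value` form is still a bash array, so the `#!/bin/sh` shebang only works where /bin/sh is bash, exactly as with the `(...)` form it replaces. The enclosing `main()` starts and ends outside the hunk.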