More kernel build debugging...

Signed-off-by: Peter Jones <pjones@redhat.com>
2020-07-07 15:24:12 -04:00 · 2020-07-07 15:24:12 -04:00 · 2335e6390f
commit 2335e6390f
parent 658f5fea05
7 changed files with 513 additions and 293 deletions
--- a/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -1,287 +0,0 @@
-From 22658f290fcf66213ca6237e37ae97bba39a8a0b Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 6 Jul 2020 13:54:35 -0400
-Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
---
- src/Makefile               |   1 +
- src/macros.pesign          |  73 +++++------------
- src/pesign-rpmbuild-helper | 163 +++++++++++++++++++++++++++++++++++++
- 3 files changed, 184 insertions(+), 53 deletions(-)
- create mode 100644 src/pesign-rpmbuild-helper
-
-diff --git a/src/Makefile b/src/Makefile
-index 74327ba13f3..c9e9cc6cd1b 100644
--- a/src/Makefile
-+++ b/src/Makefile
-@@ -94,6 +94,7 @@ install :
- 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
- 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
-+	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
- 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
- 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 5a6da1c6809..e3a0de9c2f4 100644
--- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -6,10 +6,10 @@
- # %pesign -s -i shim.orig -o shim.efi
- # And magically get the right thing.
- 
-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
-+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
- %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
- 
- %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
- %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
- 
- %_pesign /usr/bin/pesign
-@@ -24,54 +24,21 @@
- # -a <input ca cert filename>		# rhel only
- # -s 					# perform signing
- %pesign(i:o:C:e:c:n:a:s)						\
-  _pesign_nssdir=/etc/pki/pesign					\
-  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
-    _pesign_nssdir=/etc/pki/pesign-rh-test				\
-  fi									\
-  if [ -x %{_pesign} ] &&  						\\\
-       [ "%{_target_cpu}" == "x86_64" -o 				\\\
-         "%{_target_cpu}" == "aarch64" ]; then				\
-    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
-      nss=$(mktemp -p $PWD -d)						\
-      echo > ${nss}/pwfile						\
-      certutil -N -d ${nss} -f ${nss}/pwfile				\
-      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
-      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
-      sattrs=$(mktemp -p $PWD --suffix=.der)				\
-      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
-      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
-      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
-                 --certdir ${nss} -c signer %{-o}			\
-      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
-    elif [ "$(id -un)" == "kojibuilder" -a				\\\
-           grep -q ID=fedora /etc/os-release -a				\\\
-           ! -S /run/pesign/socket ]; then				\
-      echo "No socket even though this is kojibuilder" 1>&2		\
-      ls -ld /run/pesign 1>&2					\
-      ls -l /run/pesign/socket 1>&2					\
-      getfacl /run/pesign 1>&2					\
-      getfacl /run/pesign/socket 1>&2				\
-      exit 1								\
-    elif [ -S /run/pesign/socket ]; then				\
-      %{_pesign_client} -t %{__pesign_client_token}			\\\
-                        -c %{__pesign_client_cert}			\\\
-                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
-    else								\
-      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
-                 --certdir ${_pesign_nssdir}				\\\
-                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
-    fi									\
-  else									\
-    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
-      mv %{-i*} %{-o*}							\
-    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
-      touch %{-e*}							\
-    fi									\
-  fi									\
-  if [ ! -s %{-o} ]; then						\
-    if [ -e "%{-o*}" ]; then						\
-      rm -f %{-o*}							\
-    fi									\
-    exit 1								\
-  fi ;
-
-+  %{_libexecdir}/pesign/pesign-rpmbuild-helper				\\\
-+    "%{_target_cpu}"							\\\
-+    "%{_pesign}"							\\\
-+    "%{_pesign_client}"							\\\
-+    %{?__pesign_client_token:--client-token %{__pesign_client_token}}	\\\
-+    %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}}	\\\
-+    %{?__pesign_token:%{__pesign_token}}				\\\
-+    %{?-n:--cert "\"%{-n*}\""}%{?!-n:--cert "\"%{__pesign_cert}\""}		\\\
-+    %{?_rhel:--rhelver "%{_rhel}"}					\\\
-+    %{?-a:--cafile "%{-a*}"}						\\\
-+    %{?-c:--certfile "%{-c*}"}						\\\
-+    %{?-C:--certout "%{-C*}"}						\\\
-+    %{?-e:--sattrout "%{-e*}"}						\\\
-+    %{?-i:--in "%{-i*}"}						\\\
-+    %{?-o:--out "%{-o*}"}						\\\
-+    %{?-s:--sign}							\\\
-+    ;									\
-+%{nil}
-diff --git a/src/pesign-rpmbuild-helper b/src/pesign-rpmbuild-helper
-new file mode 100644
-index 00000000000..f3d66320bcc
--- /dev/null
-+++ b/src/pesign-rpmbuild-helper
-@@ -0,0 +1,164 @@
-+#!/bin/sh
-+
-+set -eu
-+set -x
-+
-+main() {
-+	local target_cpu="${1}" && shift
-+	local bin="${1}" && shift
-+	local client="${1}" && shift
-+
-+	local cafile="" || :
-+	local certfile="" || :
-+
-+	local certout=() || :
-+	local sattrout=() || :
-+	local input=() || :
-+	local output=() || :
-+	local client_token=() || :
-+	local client_cert=() || :
-+	local token=() || :
-+	local cert=() || :
-+	local rhelver=0 || :
-+	local sign="" || :
-+
-+	local username="$(id -un)"
-+
-+	while [[ $# -ge 2 ]] ; do
-+		case " ${1} " in
-+		" --cafile ")
-+			cafile="${2}"
-+			;;
-+		" --certfile ")
-+			certfile="${2}"
-+			;;
-+		" --certout ")
-+			certout[0]=-C
-+			certout[1]="${2}"
-+			;;
-+		" --sattrout ")
-+			sattrout[0]=-e
-+			sattrout[1]="${2}"
-+			;;
-+		" --client-token ")
-+			client_token[0]=-t
-+			client_token[1]="${2}"
-+			;;
-+		" --client-cert ")
-+			client_cert[0]=-c
-+			client_cert[1]="${2}"
-+			;;
-+		" --token ")
-+			token[0]=-t
-+			token="${2}"
-+			;;
-+		" --cert ")
-+			cert[0]=-c
-+			cert[1]="${2}"
-+			;;
-+		" --certname ")
-+			cert[0]=-c
-+			cert[1]="${2}"
-+			;;
-+		" --in ")
-+			input[0]=-i
-+			input[1]="${2}"
-+			;;
-+		" --out ")
-+			output[0]=-o
-+			output[1]="${2}"
-+			;;
-+		" --rhelver ")
-+			rhelver="${2}"
-+			;;
-+		*)
-+			break
-+			;;
-+		esac
-+		shift
-+		shift
-+	done
-+	if [ $# -ge 1 -a "${1}" = --sign ] ; then
-+		sign=-s
-+		shift
-+	fi
-+
-+	local nssdir=/etc/pki/pesign
-+	if [ "${#cert[@]}" -eq 2 ] &&
-+	   [ "${cert[1]}" == "Red Hat Test Certificate" ] ; then
-+		nssdir=/etc/pki/pesign-rh-test
-+	fi
-+
-+	if [ -x "${bin}" ] &&
-+	   [ "${target_cpu}" != "x86_64" -a "${target_cpu}" != "aarch64" ] ; then
-+		if [ -n "${input[*]}" -a -n "${output[*]}" ] ; then
-+			mv -v "${input[1]}" "${output[1]}"
-+		elif [ -n "${input[*]}" -a -n "${sattrout[*]}" ] ; then
-+			touch "${sattrout[1]}"
-+		fi
-+
-+		# if there's a 0-sized output file, delete it and error out
-+		if [ ! -s "${output[1]}" ] ; then
-+			if [ -e "${output[1]}" ] ; then
-+				rm -f "${output[1]}"
-+			fi
-+			exit 1
-+		fi
-+		return 0
-+	fi
-+
-+	local socket="" || :
-+	if grep -q ID=fedora /etc/os-release && [ "${rhelver}" -lt 7 ] &&
-+	   [ "${username}" = "kojibuilder" -o "${username}" = "mockbuild" ] ; then
-+		if [ -S /run/pesign/socket ] ; then
-+			socket=/run/pesign/socket
-+		elif [ -S /var/run/pesign/socket ]; then
-+			socket=/var/run/pesign/socket
-+		else
-+			echo "Warning: no pesign socket even though user is ${username}" 1>&2
-+			echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
-+                       ls -ld /run/pesign 1>&2 ||:
-+                       ls -l /run/pesign/socket 1>&2 ||:
-+                       getfacl /run/pesign 1>&2 || :
-+                       getfacl /run/pesign/socket 1>&2 ||:
-+                       ls -ld /var/run/pesign 1>&2 ||:
-+                       ls -l /var/run/pesign/socket 1>&2 ||:
-+                       getfacl /var/run/pesign 1>&2 || :
-+                       getfacl /var/run/pesign/socket 1>&2 || :
-+		fi
-+	fi
-+
-+	if [ "${rhelver}" -ge 7 ] ; then
-+		nssdir=$(mktemp -p $PWD -d)
-+		echo > ${nssdir}/pwfile
-+		certutil -N -d ${nssdir} -f ${nssdir}/pwfile
-+		certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${cafile}" -d ${nssdir}
-+		certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${certfile}" -d ${nssdir}
-+		sattrs="$(mktemp -p $PWD --suffix=.der)"
-+		"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
-+			"${input[@]}" --force
-+		rpm-sign --key "${cert[1]}" --rsadgstsign "${sattrs}"
-+		"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
-+			--certdir "${nssdir}" -c signer \
-+			"${input[@]}" "${output[@]}"
-+		rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
-+	elif [ -n "${socket}" ] ; then
-+		"${client}" "${client_token[@]}" "${client_cert[@]}"	\
-+			"${sattrout[@]}" "${certout[@]}"		\
-+			${sign} "${input[@]}" "${output[@]}"
-+	else
-+		"${bin}" --certdir "${nssdir}" "${token[@]}"		\
-+			"${cert[@]}" ${sign} "${sattrout[@]}"		\
-+			"${certout[@]}"	"${input[@]}" "${output[@]}"
-+	fi
-+
-+	# if there's a 0-sized output file, delete it and error out
-+	if [ "${#output[@]}" -eq 2 ] && ! [ -s "${output[1]}" ] ; then
-+		if [ -e "${output[1]}" ] ; then
-+			rm -f "${output[1]}"
-+		fi
-+		exit 1
-+	fi
-+}
-+
-+main "${@}"
-- 
-2.26.2
-
--- a/0007-client-remove-an-extra-debug-print.patch
+++ b/0007-client-remove-an-extra-debug-print.patch
@ -1,7 +1,7 @@
-From 722d60568a1aba99a39918c187b7331e2c368b29 Mon Sep 17 00:00:00 2001
+From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
-Date: Tue, 7 Jul 2020 15:23:36 -0400
-Subject: [PATCH] remove debug print
+Date: Tue, 14 Jul 2020 16:44:09 -0400
+Subject: [PATCH 07/11] client: remove an extra debug print

 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -0,0 +1,375 @@
+From 25981d57c4d56c53128d561bbe29593a6a20b259 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Jul 2020 13:54:35 -0400
+Subject: [PATCH 08/11] Move most of macros.pesign to pesign-rpmbuild-helper
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults                 |   1 +
+ src/Makefile                  |   8 +-
+ src/macros.pesign             |  73 ++++--------
+ src/pesign-rpmbuild-helper.in | 216 ++++++++++++++++++++++++++++++++++
+ 4 files changed, 245 insertions(+), 53 deletions(-)
+ create mode 100644 src/pesign-rpmbuild-helper.in
+
+diff --git a/Make.defaults b/Make.defaults
+index 0bacafe0d01..302da50efb5 100644
+--- a/Make.defaults
+++ b/Make.defaults
+@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
+ 
+ INSTALL	?= install
+ CROSS_COMPILE	?=
+EFI_ARCHES ?= aa64 ia32 x64
+ 
+ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
+ CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
+diff --git a/src/Makefile b/src/Makefile
+index 74327ba13f3..a7ca89159c6 100644
+--- a/src/Makefile
+++ b/src/Makefile
+@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
+ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
+ 
+-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
+ SVCTARGETS=pesign.sysvinit pesign.service
+ TARGETS=$(BINTARGETS) $(SVCTARGETS)
+ 
+@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
+ pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
+ pesign : PKGS=efivar nss nspr popt
+ 
+pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
+	sed \
+		-e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
+		$^ > $@
+
+ deps : PKGS=efivar nss nspr popt uuid
+ deps : $(ALL_SOURCES)
+ 	$(MAKE) -f $(TOPDIR)/Make.deps \
+@@ -94,6 +99,7 @@ install :
+ 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
+	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 5a6da1c6809..730d3bc449c 100644
+--- a/src/macros.pesign
+++ b/src/macros.pesign
+@@ -6,7 +6,7 @@
+ # %pesign -s -i shim.orig -o shim.efi
+ # And magically get the right thing.
+ 
+-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+@@ -24,54 +24,23 @@
+ # -a <input ca cert filename>		# rhel only
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
+-  _pesign_nssdir=/etc/pki/pesign					\
+-  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
+-    _pesign_nssdir=/etc/pki/pesign-rh-test				\
+-  fi									\
+-  if [ -x %{_pesign} ] &&  						\\\
+-       [ "%{_target_cpu}" == "x86_64" -o 				\\\
+-         "%{_target_cpu}" == "aarch64" ]; then				\
+-    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
+-      nss=$(mktemp -p $PWD -d)						\
+-      echo > ${nss}/pwfile						\
+-      certutil -N -d ${nss} -f ${nss}/pwfile				\
+-      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
+-      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
+-      sattrs=$(mktemp -p $PWD --suffix=.der)				\
+-      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
+-      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
+-      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
+-                 --certdir ${nss} -c signer %{-o}			\
+-      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+-    elif [ "$(id -un)" == "kojibuilder" -a				\\\
+-           grep -q ID=fedora /etc/os-release -a				\\\
+-           ! -S /run/pesign/socket ]; then				\
+-      echo "No socket even though this is kojibuilder" 1>&2		\
+-      ls -ld /run/pesign 1>&2					\
+-      ls -l /run/pesign/socket 1>&2					\
+-      getfacl /run/pesign 1>&2					\
+-      getfacl /run/pesign/socket 1>&2				\
+-      exit 1								\
+-    elif [ -S /run/pesign/socket ]; then				\
+-      %{_pesign_client} -t %{__pesign_client_token}			\\\
+-                        -c %{__pesign_client_cert}			\\\
+-                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
+-    else								\
+-      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
+-                 --certdir ${_pesign_nssdir}				\\\
+-                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
+-    fi									\
+-  else									\
+-    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
+-      mv %{-i*} %{-o*}							\
+-    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
+-      touch %{-e*}							\
+-    fi									\
+-  fi									\
+-  if [ ! -s %{-o} ]; then						\
+-    if [ -e "%{-o*}" ]; then						\
+-      rm -f %{-o*}							\
+-    fi									\
+-    exit 1								\
+-  fi ;
+-
+  %{_libexecdir}/pesign/pesign-rpmbuild-helper				\\\
+    "%{_target_cpu}"							\\\
+    "%{_pesign}"							\\\
+    "%{_pesign_client}"							\\\
+    %{?__pesign_client_token:--client-token %{__pesign_client_token}}	\\\
+    %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}}	\\\
+    %{?__pesign_token:%{__pesign_token}}				\\\
+    %{?__pesign_cert:--cert %{__pesign_cert}}				\\\
+    %{?vendor:--vendor %{vendor}}					\\\
+    %{?_rhel:--rhelver "%{_rhel}"}					\\\
+    %{?-n:--rhelcert "%{-n*}"}%{?!-n:--rhelcert "%{__pesign_cert}"}	\\\
+    %{?-a:--rhelcafile "%{-a*}"}					\\\
+    %{?-c:--rhelcertfile "%{-c*}"}					\\\
+    %{?-C:--certout "%{-C*}"}						\\\
+    %{?-e:--sattrout "%{-e*}"}						\\\
+    %{?-i:--in "%{-i*}"}						\\\
+    %{?-o:--out "%{-o*}"}						\\\
+    %{?-s:--sign}							\\\
+    ;									\
+%{nil}
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+new file mode 100644
+index 00000000000..cb53550121f
+--- /dev/null
+++ b/src/pesign-rpmbuild-helper.in
+@@ -0,0 +1,219 @@
+#!/bin/bash
+# shellcheck shell=bash
+
+set -eu
+set -x
+
+usage() {
+    local status="${1}" && shift
+    local out
+    if [[ "${status}" -eq 0 ]] ; then
+	out=/dev/stdout
+    else
+	out=/dev/stderr
+    fi
+
+    if [[ $# -gt 0 ]] ; then
+	echo "${0}: error: $*" >>"${out}"
+    fi
+    echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
+    exit "${status}"
+}
+
+is_efi_arch() {
+    local arch="${1}"
+    local arches=(@@EFI_ARCHES@@)
+    local x
+    for x in "${arches[@]}" ; do
+	if [[ "${arch}" = "${x}" ]] ; then
+	    return 0
+	fi
+    done
+    return 1
+}
+
+error_on_empty() {
+    local f="${1}"
+    if [[ ! -s "${f}" ]] ; then
+	if [[ -e "${f}" ]] ; then
+	    rm -f "${f}"
+	fi
+	echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
+	exit 1
+    fi
+}
+
+main() {
+    if [[ $# -lt 3 ]] ; then
+	usage 1 not enough arguments
+    fi
+    local target_cpu="${1}" && shift
+    local bin="${1}" && shift
+    local client="${1}" && shift
+
+    local rhelcafile="" || :
+    local rhelcertfile="" || :
+
+    local certout=() || :
+    local sattrout=() || :
+    local input=() || :
+    local output=() || :
+    local client_token=() || :
+    local client_cert=() || :
+    local token=() || :
+    local cert=() || :
+    local rhelcert=() || :
+    local rhelver=0 || :
+    local sign="" || :
+    local arch="" || :
+    local vendor="" || :
+
+    while [[ $# -ge 2 ]] ; do
+	case " ${1} " in
+	" --rhelcafile ")
+	    rhelcafile="${2}"
+	    ;;
+	" --rhelcertfile ")
+	    rhelcertfile="${2}"
+	    ;;
+	" --certout ")
+	    certout[0]=-C
+	    certout[1]="${2}"
+	    ;;
+	" --sattrout ")
+	    sattrout[0]=-e
+	    sattrout[1]="${2}"
+	    ;;
+	" --client-token ")
+	    client_token[0]=-t
+	    client_token[1]="${2}"
+	    ;;
+	" --client-cert ")
+	    client_cert[0]=-c
+	    client_cert[1]="${2}"
+	    ;;
+	" --token ")
+	    token[0]=-t
+	    token[1]="${2}"
+	    ;;
+	" --cert ")
+	    cert[0]=-c
+	    cert[1]="${2}"
+	    ;;
+	" --rhelcert ")
+	    rhelcert[0]=-c
+	    rhelcert[1]="${2}"
+	    ;;
+	" --in ")
+	    input[0]=-i
+	    input[1]="${2}"
+	    ;;
+	" --out ")
+	    output[0]=-o
+	    output[1]="${2}"
+	    ;;
+	" --rhelver ")
+	    rhelver="${2}"
+	    ;;
+	" --vendor ")
+	    vendor="${2}"
+	    ;;
+	*)
+	    break
+	    ;;
+	esac
+	shift
+	shift
+    done
+    if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
+	sign=-s
+	shift
+    fi
+
+    if [[ -z "${target_cpu}" ]] ; then
+	target_cpu="$(uname -m)"
+    fi
+
+    target_cpu="${target_cpu/i?86/ia32}"
+    target_cpu="${target_cpu/x86_64/x64}"
+    target_cpu="${target_cpu/aarch64/aa64}"
+    target_cpu="${target_cpu/arm*/arm/}"
+
+    local nssdir=/etc/pki/pesign
+    if [[ "${#cert[@]}" -eq 2 ]] &&
+       [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
+	nssdir=/etc/pki/pesign-rh-test
+    fi
+
+    # is_efi_arch is ultimately returning "is pesign configured to sign these
+    # using the rpm macro", so if it isn't, we're just copying the input to
+    # the output
+    if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
+	if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
+	    cp -v "${input[1]}" "${output[1]}"
+	elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
+	    touch "${sattrout[1]}"
+	fi
+
+	# if there's a 0-sized output file, delete it and error out
+	error_on_empty "${output[1]}"
+	return 0
+    fi
+
+    USERNAME="${USERNAME:-$(id -un)}"
+    HOSTNAME="${HOSTNAME:-$(hostname)}"
+
+    local socket="" || :
+    if grep -q ID=fedora /etc/os-release \
+       && [[ "${rhelver}" -lt 7 ]] \
+       && [[ "${USERNAME}" = "mockbuild" ]] \
+       && [[ "${vendor}" == "Fedora Project" ]] \
+       && [[ "${HOSTNAME}" =~ bkernel.* ]]
+    then
+	if [[ -S /run/pesign/socket ]] ; then
+	    socket=/run/pesign/socket
+	elif [[ -S /var/run/pesign/socket ]]; then
+	    socket=/var/run/pesign/socket
+	else
+	    echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+	    echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+	    ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+	    ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+	    getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+	    getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+	fi
+    fi
+
+    if [[ "${rhelver}" -ge 7 ]] ; then
+	nssdir="$(mktemp -p "${PWD}" -d)"
+	echo > "${nssdir}/pwfile"
+	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
+	certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
+	certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
+	sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
+	"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
+	    "${input[@]}" --force
+	rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
+	"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
+	    --certdir "${nssdir}" -c signer \
+	    "${input[@]}" "${output[@]}"
+	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+    elif [[ -n "${socket}" ]] ; then
+	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
+	    "${sattrout[@]}" "${certout[@]}"	\
+	    ${sign} "${input[@]}" "${output[@]}"
+    else
+	"${bin}" --certdir "${nssdir}" "${token[@]}"	\
+	    "${cert[@]}" ${sign} "${sattrout[@]}"	\
+	    "${certout[@]}"    "${input[@]}" "${output[@]}"
+    fi
+
+    # if there's a 0-sized output file, delete it and error out
+    if [[ "${#output[@]}" -eq 2 ]] ; then
+	error_on_empty "${output[1]}"
+    fi
+}
+
+main "${@}"
+
+# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
+-- 
+2.26.2
+
--- a/0009-pesign-authorize-shellcheck.patch
+++ b/0009-pesign-authorize-shellcheck.patch
@ -0,0 +1,60 @@
+From 91d45fea14dfce71f79534b0df276cf8175c0565 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:07:32 -0400
+Subject: [PATCH 09/11] pesign-authorize: shellcheck
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index a496f601ab4..55cd5c4e55b 100755
+--- a/src/pesign-authorize
+++ b/src/pesign-authorize
+@@ -12,21 +12,21 @@ set -u
+ # License: GPLv2
+ declare -a fileusers=()
+ declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
+while read -r user ; do
+ 	dirusers[${#dirusers[@]}]=-m
+ 	dirusers[${#dirusers[@]}]="u:$user:rwx"
+ 	fileusers[${#fileusers[@]}]=-m
+ 	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
+done </etc/pesign/users
+ 
+ declare -a filegroups=()
+ declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
+while read -r group ; do
+ 	dirgroups[${#dirgroups[@]}]=-m
+ 	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ 	filegroups[${#filegroups[@]}]=-m
+ 	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
+done </etc/pesign/groups
+ 
+ update_subdir() {
+ 	subdir=$1 && shift
+@@ -35,12 +35,12 @@ update_subdir() {
+ 	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ 	for x in "${subdir}"* ; do
+ 		if [ -d "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+			setfacl -bk "${x}"
+			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
+ 			update_subdir "${x}/"
+ 		elif [ -e "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+			setfacl -bk "${x}"
+			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
+ 		else
+ 			:;
+ 		fi
+-- 
+2.26.2
+
--- a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+++ b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
@ -0,0 +1,26 @@
+From 34efa71e9837bcf2e4c52234bc472e554c24c567 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:08:15 -0400
+Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index 55cd5c4e55b..c5448329c2c 100755
+--- a/src/pesign-authorize
+++ b/src/pesign-authorize
+@@ -47,7 +47,7 @@ update_subdir() {
+ 	done
+ }
+ 
+-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
+for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+ 	if [ -d "${x}" ]; then
+ 		update_subdir "${x}"
+ 	else
+-- 
+2.26.2
+
--- a/0011-kernel-building-hack.patch
+++ b/0011-kernel-building-hack.patch
@ -0,0 +1,40 @@
+From 43d1c74b391485178da1d38722da0f28ece8b336 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 16:42:39 -0400
+Subject: [PATCH 11/11] kernel building hack
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-rpmbuild-helper.in | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index d9236035928..2666c74a9ba 100644
+--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
+@@ -195,6 +195,22 @@ main() {
+ 	    "${input[@]}" "${output[@]}"
+ 	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+     elif [[ -n "${socket}" ]] ; then
+	### welcome haaaaack city
+	if [[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then
+	    if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+	       || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+		if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+		   || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+		    client_token[1]=kernel-signer
+		elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+		   || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+		    client_token[1]=grub2-signer
+		elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+		   || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+		    client_token[1]=fwupd-signer
+		fi
+	    fi
+	fi
+ 	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
+ 	    "${sattrout[@]}" "${certout[@]}"	\
+ 	    ${sign} "${input[@]}" "${output[@]}"
+-- 
+2.26.2
+
--- a/pesign.spec
+++ b/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 113
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign

@ -48,8 +48,11 @@ Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
 Patch0004: 0004-Rename-var-run-to-run.patch
 Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
 Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
-Patch0007: 0007-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
-Patch0008: 0008-remove-debug-print.patch
+Patch0007: 0007-client-remove-an-extra-debug-print.patch
+Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+Patch0009: 0009-pesign-authorize-shellcheck.patch
+Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+Patch0011: 0011-kernel-building-hack.patch

 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -162,6 +165,9 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*

 %changelog
+* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
+- Even more kernel build debugging...
+
 * Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
 - More kernel build debugging...