From 2cab315fd4ecb50ceb25605de6a5b6b4df2a27c7 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 16 Jul 2020 13:42:13 -0400
Subject: [PATCH] this one seems to work in my mock setup
Signed-off-by: Peter Jones
---
...-macros.pesign-to-pesign-rpmbuild-helper.patch | 15 ++++++++++-----
0009-pesign-authorize-shellcheck.patch | 2 +-
...thorize-don-t-setfacl-etc-pki-pesign-foo.patch | 2 +-
0011-kernel-building-hack.patch | 12 ++++++------
4 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
index d216883..77b2fec 100644
--- a/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@@ -1,4 +1,4 @@
-From 6cab63b9b01533f82067ac15b9cc426937c8e48b Mon Sep 17 00:00:00 2001
+From e05840efa8dc9d0a9ff3104b9fa6e5736e0ec549 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Mon, 6 Jul 2020 13:54:35 -0400
Subject: [PATCH 08/11] Move most of macros.pesign to pesign-rpmbuild-helper
@@ -7,9 +7,9 @@ Signed-off-by: Peter Jones
---
Make.defaults | 1 +
src/Makefile | 8 +-
- src/macros.pesign | 74 ++++--------
+ src/macros.pesign | 76 ++++--------
src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
- 4 files changed, 252 insertions(+), 53 deletions(-)
+ 4 files changed, 253 insertions(+), 54 deletions(-)
create mode 100644 src/pesign-rpmbuild-helper.in
diff --git a/Make.defaults b/Make.defaults
@@ -58,10 +58,10 @@ index 74327ba13f3..a7ca89159c6 100644
$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
diff --git a/src/macros.pesign b/src/macros.pesign
-index 5a6da1c6809..2e984b4eeb3 100644
+index 5a6da1c6809..cb066b35f4a 100644
--- a/src/macros.pesign
+++ b/src/macros.pesign
-@@ -6,7 +6,7 @@
+@@ -6,11 +6,11 @@
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.
@@ -70,6 +70,11 @@ index 5a6da1c6809..2e984b4eeb3 100644
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+-%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
++%__pesign_client_cert %{!?pe_signing_cert:"Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
@@ -24,54 +24,24 @@
# -a # rhel only
# -s # perform signing
diff --git a/0009-pesign-authorize-shellcheck.patch b/0009-pesign-authorize-shellcheck.patch
index 119b45a..3597f5f 100644
--- a/0009-pesign-authorize-shellcheck.patch
+++ b/0009-pesign-authorize-shellcheck.patch
@@ -1,4 +1,4 @@
-From a2c286c5b420b0f398221fb777eab5932c728f02 Mon Sep 17 00:00:00 2001
+From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 14 Jul 2020 15:07:32 -0400
Subject: [PATCH 09/11] pesign-authorize: shellcheck
diff --git a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
index 49286fd..d4a7b31 100644
--- a/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+++ b/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
@@ -1,4 +1,4 @@
-From 14d8f7c1952f4f707b94e52a2985fe26c7426374 Mon Sep 17 00:00:00 2001
+From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 14 Jul 2020 15:08:15 -0400
Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
diff --git a/0011-kernel-building-hack.patch b/0011-kernel-building-hack.patch
index f001c0a..69ffc56 100644
--- a/0011-kernel-building-hack.patch
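Review bot: Both `%__pesign_cert` and the new `%__pesign_client_cert` default fall back to the same `pe_signing_cert` override, so a spec that sets `pe_signing_cert` for local signing also redirects the pesign-client path to that value, even though the two defaults on this hunk are different identities (`Red Hat Test Certificate` versus `Fedora Secure Boot Signer`); a separate override macro for the client certificate, parallel to how `pe_signing_token` is kept distinct from `pe_signing_cert`, would keep the two selections independent. The switch from `/CN=Fedora Secure Boot Signer` to the bare nickname is presumably the form pesign-client's lookup expects, but nothing on the page records that, so a comment above the line such as `# pesign-client selects the certificate by NSS nickname, not by subject DN` would stop a later edit from reverting it (confirm against pesign-client before settling the wording). The absolute `%_pesign` and `%_pesign_client` paths are a sound choice over relying on PATH for the signing binaries.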
+++ b/0011-kernel-building-hack.patch
@@ -1,4 +1,4 @@
-From e1bcbd2040dbf9633771bf4330f7e046e77a2d20 Mon Sep 17 00:00:00 2001
+From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Tue, 14 Jul 2020 16:42:39 -0400
Subject: [PATCH 11/11] kernel building hack
@@ -9,7 +9,7 @@ Signed-off-by: Peter Jones
1 file changed, 17 insertions(+)
diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
-index c5287c27e0c..1fd0c2fc117 100644
+index c5287c27e0c..27b8261bc17 100644
--- a/src/pesign-rpmbuild-helper.in
+++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
@@ -17,19 +17,19 @@ index c5287c27e0c..1fd0c2fc117 100644
rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
elif [[ -n "${socket}" ]] ; then
+ ### welcome haaaaack city
+- if [[ "${client_token[1]}" = "/CN=Fedora Secure Boot Signer" ]] ; then
++ if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
+ if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
+ || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
+ if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
+ || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
+- client_token[1]=kernel-signer
++ client_cert[1]=kernel-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
+- client_token[1]=grub2-signer
++ client_cert[1]=grub2-signer
+ elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
+ || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
+- client_token[1]=fwupd-signer
++ client_cert[1]=fwupd-signer
+ fi
+ fi
+ fi
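Review bot: The `rhelcertfile` tests that choose the signing identity are unanchored substring matches — bash `=~` is unanchored and the trailing `.*` adds nothing — so `redhatsecureboot501.*` also matches a longer name or any path component that merely contains that string, while the `vmlinuz`/`bzImage` tests a few lines earlier are carefully anchored; anchor these the same way, e.g. `[[ "${rhelcertfile}" =~ (/|^)redhatsecureboot501([._-]|$) ]]`, and likewise for the other six patterns. When `rhelcertfile` matches none of the patterns, `client_cert[1]` keeps its incoming value and the kernel image is signed with it silently; if that is not intended, an `else` branch that reports the unrecognised certificate file and exits non-zero would make the misconfiguration visible instead of producing an image signed under the wrong identity. The block only runs when `client_token[1]` equals the `%__pesign_client_token` default string, so a spec that overrides `pe_signing_token` bypasses the per-image identity selection entirely, which is worth stating next to the comparison. `### welcome haaaaack city` should give way to a comment that says what the mapping does, e.g. `# For kernel images signed via the default token, pick the per-image client cert from the RHEL/CentOS cert file name`. The enclosing `main()` starts and ends outside the hunk.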