RHEL 9.0.0 Alpha bootstrap

The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/pesign#2ee3400b3c6ed63e365a4361219b79a833cd76ea

.gitignore

@@ -0,0 +1,7 @@
+/pesign-*.tar.bz2
+clog
+/rh-test-certs.tar.bz2
+*.rpm
+/certs.tar.xz
+.build*.log
+/pesign-*/

0001-efikeygen-Fix-the-build-with-nss-3.44.patch

@@ -0,0 +1,45 @@
+From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 May 2019 11:28:38 -0400
+Subject: [PATCH] efikeygen: Fix the build with nss 3.44
+
+NSS 3.44 adds some certificate types, which changes a type and makes
+some encoding stuff weird.  As a result, we get:
+
+gcc8 -I/wrkdirs/usr/ports/sysutils/pesign/work/pesign-0.110/include -O2 -pipe  -fstack-protector-strong -Wl,-rpath=/usr/local/lib/gcc8 -isystem /usr/local/include -fno-strict-aliasing  -g -O0 -g -O0  -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -I../include/  -I/usr/local/include/nss -I/usr/local/include/nss/nss -I/usr/local/include/nspr  -Werror -fPIC -isystem /usr/local/include -DCONFIG_amd64 -DCONFIG_amd64 -c efikeygen.c -o efikeygen.o
+In file included from /usr/local/include/nss/nss/cert.h:22,
+                 from efikeygen.c:39:
+efikeygen.c: In function 'add_cert_type':
+/usr/local/include/nss/nss/certt.h:445:5: error: unsigned conversion from 'int' to 'unsigned char' changes value from '496' to '240' [-Werror=overflow]
+     (NS_CERT_TYPE_SSL_CLIENT | NS_CERT_TYPE_SSL_SERVER | NS_CERT_TYPE_EMAIL | \
+     ^
+efikeygen.c:208:23: note: in expansion of macro 'NS_CERT_TYPE_APP'
+  unsigned char type = NS_CERT_TYPE_APP;
+                       ^~~~~~~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+This is fixed by just making it an int.
+
+Fixes github issue #48.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/efikeygen.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index ede76ef0b48..2cd953e9781 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -208,7 +208,7 @@ static int
+ add_cert_type(cms_context *cms, void *extHandle, int is_ca)
+ {
+ 	SECItem bitStringValue;
+-	unsigned char type = NS_CERT_TYPE_APP;
++	int type = NS_CERT_TYPE_APP;
+ 
+ 	if (is_ca)
+ 		type |= NS_CERT_TYPE_SSL_CA |
+-- 
+2.23.0
+

0002-pesigcheck-Fix-a-wrong-assignment.patch

@@ -0,0 +1,49 @@
+From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 18 Feb 2020 16:28:56 -0500
+Subject: [PATCH] pesigcheck: Fix a wrong assignment
+
+gcc says:
+
+  pesigcheck.c: In function 'check_signature':
+  pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
+  321 |    reason->type = siBuffer;
+      |                 ^
+  pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
+  333 |    reason->type = siBuffer;
+      |                 ^
+  cc1: all warnings being treated as errors
+
+And indeed, that line of code makes no sense at all - it was supposed to
+be reason->sig.type.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesigcheck.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 524cce307bf..8fa0f1ad03d 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+ 			reason->type = SIGNATURE;
+ 			reason->sig.data = data;
+ 			reason->sig.len = datalen;
+-			reason->type = siBuffer;
++			reason->sig.type = siBuffer;
+ 			nreason += 1;
+ 			is_invalid = true;
+ 		}
+@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
+ 			reason->type = SIGNATURE;
+ 			reason->sig.data = data;
+ 			reason->sig.len = datalen;
+-			reason->type = siBuffer;
++			reason->sig.type = siBuffer;
+ 			nreason += 1;
+ 			has_valid_cert = true;
+ 		}
+-- 
+2.24.1
+

0003-Make-0.112-client-and-server-work-with-the-113-proto.patch

@@ -0,0 +1,317 @@
+From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 11 Jun 2020 16:23:14 -0400
+Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
+ vise versa
+
+This makes the version of the sign API that takes a file type optional,
+and makes the client attempt to negotiate which version it's getting.
+It also leaves the server able to still handle the version from before
+the file type was added.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
+ src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
+ src/daemon.h |  2 ++
+ 3 files changed, 97 insertions(+), 42 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index aa373abd981..57bcc09cbe8 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -11,6 +11,7 @@
+ #include <fcntl.h>
+ #include <popt.h>
+ #include <pwd.h>
++#include <stdbool.h>
+ #include <stddef.h>
+ #include <stdlib.h>
+ #include <sys/socket.h>
+@@ -84,8 +85,8 @@ connect_to_server(void)
+ static int32_t
+ check_response(int sd, char **srvmsg);
+ 
+-static void
+-check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
++static int
++check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
+ {
+ 	struct msghdr msg;
+ 	struct iovec iov[1];
+@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+ 	ssize_t n;
+ 	n = sendmsg(sd, &msg, 0);
+ 	if (n < 0) {
+-		fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
++		fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
+ 		exit(1);
+ 	}
+ 
+@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
+ 
+ 	char *srvmsg = NULL;
+ 	int32_t rc = check_response(sd, &srvmsg);
+-	if (rc < 0)
++
++	if (do_exit && rc < 0)
+ 		errx(1, "command \"%s\" not known by server", name);
+-	if (rc != version)
++
++	if (do_exit && rc != version)
+ 		errx(1, "command \"%s\": client version %d, server version %d",
+ 			name, version, rc);
++
++	if (rc < 0)
++		return rc;
++	return rc == version;
+ }
+ 
+ static void
+@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
+ 	struct iovec iov;
+ 	pesignd_msghdr pm;
+ 
+-	check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
++	check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
+ 
+ 	pm.version = PESIGND_VERSION;
+ 	pm.command = CMD_KILL_DAEMON;
+@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
+ 
+ 	uint32_t size1 = pesignd_string_size(pin);
+ 
+-	check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
++	check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
+ 
+ 	pm.version = PESIGND_VERSION;
+ 	pm.command = CMD_UNLOCK_TOKEN;
+@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
+ 
+ 	uint32_t size0 = pesignd_string_size(tokenname);
+ 
+-	check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
++	check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
+ 
+ 	pm.version = PESIGND_VERSION;
+ 	pm.command = CMD_IS_TOKEN_UNLOCKED;
+@@ -452,6 +459,9 @@ static void
+ sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
+ 	int attached, uint32_t format)
+ {
++	int rc;
++	bool add_file_type;
++
+ 	int infd = open(infile, O_RDONLY);
+ 	if (infd < 0) {
+ 		fprintf(stderr, "pesign-client: could not open input file "
+@@ -481,12 +491,28 @@ oom:
+ 		exit(1);
+ 	}
+ 
+-	check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
+-			attached ? "sign-attached" : "sign-detached", 0);
++	rc = check_cmd_version(sd,
++			       attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
++					: CMD_SIGN_DETACHED_WITH_FILE_TYPE,
++			       attached ? "sign-attached" : "sign-detached",
++			       0, format == FORMAT_KERNEL_MODULE);
++	if (rc >= 0) {
++		add_file_type = true;
++	} else {
++		add_file_type = false;
++		check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
++					       : CMD_SIGN_DETACHED,
++				  attached ? "sign-attached" : "sign-detached",
++				  0, true);
++	}
+ 
++	printf("add_file_type:%d\n", add_file_type);
+ 	pm->version = PESIGND_VERSION;
+-	pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
+-	pm->size = size0 + size1 + sizeof(format);
++	pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
++						: CMD_SIGN_ATTACHED)
++			       : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
++						: CMD_SIGN_DETACHED);
++	pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
+ 	iov[0].iov_base = pm;
+ 	iov[0].iov_len = sizeof (*pm);
+ 
+@@ -503,25 +529,31 @@ oom:
+ 	}
+ 
+ 	char *buffer;
+-	buffer = malloc(size0 + size1);
++	buffer = malloc(pm->size);
+ 	if (!buffer)
+ 		goto oom;
+ 
+-	iov[0].iov_base = &format;
+-	iov[0].iov_len = sizeof(format);
++	int pos = 0;
++
++	if (add_file_type) {
++		iov[pos].iov_base = &format;
++		iov[pos].iov_len = sizeof(format);
++		pos++;
++	}
+ 
+ 	pesignd_string *tn = (pesignd_string *)buffer;
+ 	pesignd_string_set(tn, tokenname);
+-	iov[1].iov_base = tn;
+-	iov[1].iov_len = size0;
++	iov[pos].iov_base = tn;
++	iov[pos].iov_len = size0;
++	pos++;
+ 
+ 	pesignd_string *cn = pesignd_string_next(tn);
+ 	pesignd_string_set(cn, certname);
+-	iov[2].iov_base = cn;
+-	iov[2].iov_len = size1;
++	iov[pos].iov_base = cn;
++	iov[pos].iov_len = size1;
+ 
+ 	msg.msg_iov = iov;
+-	msg.msg_iovlen = 3;
++	msg.msg_iovlen = add_file_type ? 3 : 2;
+ 
+ 	n = sendmsg(sd, &msg, 0);
+ 	if (n < 0) {
+@@ -535,7 +567,7 @@ oom:
+ 	send_fd(sd, outfd);
+ 
+ 	char *srvmsg = NULL;
+-	int rc = check_response(sd, &srvmsg);
++	rc = check_response(sd, &srvmsg);
+ 	if (rc < 0) {
+ 		fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
+ 			srvmsg);
+diff --git a/src/daemon.c b/src/daemon.c
+index 9374d59be30..494beb9af72 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -12,6 +12,7 @@
+ #include <poll.h>
+ #include <pwd.h>
+ #include <signal.h>
++#include <stdbool.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+@@ -561,7 +562,7 @@ out:
+ 
+ static void
+ handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
+-	int attached)
++	       int attached, bool with_file_type)
+ {
+ 	struct msghdr msg;
+ 	struct iovec iov;
+@@ -585,8 +586,12 @@ oom:
+ 
+ 	n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
+ 
+-	file_format = *((uint32_t *) buffer);
+-	n -= sizeof(uint32_t);
++	if (with_file_type) {
++		file_format = *((uint32_t *) buffer);
++		n -= sizeof(uint32_t);
++	} else {
++		file_format = FORMAT_PE_BINARY;
++	}
+ 
+ 	pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
+ 	if (n < (long long)sizeof(tn->size)) {
+@@ -666,34 +671,44 @@ finish:
+ 	teardown_digests(ctx->cms);
+ }
+ 
++static inline void
++handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
++		   int attached, bool with_file_type)
++{
++	int rc = cms_context_alloc(&ctx->cms);
++	if (rc < 0)
++		return;
++
++	steal_from_cms(ctx->backup_cms, ctx->cms);
++
++	handle_signing(ctx, pollfd, size, attached, with_file_type);
++
++	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
++	cms_context_fini(ctx->cms);
++}
++
+ static void
+ handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
+ {
+-	int rc = cms_context_alloc(&ctx->cms);
+-	if (rc < 0)
+-		return;
++	handle_sign_helper(ctx, pollfd, size, 1, false);
++}
+ 
+-	steal_from_cms(ctx->backup_cms, ctx->cms);
+-
+-	handle_signing(ctx, pollfd, size, 1);
+-
+-	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+-	cms_context_fini(ctx->cms);
++static void
++handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
++{
++	handle_sign_helper(ctx, pollfd, size, 1, true);
+ }
+ 
+ static void
+ handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
+ {
+-	int rc = cms_context_alloc(&ctx->cms);
+-	if (rc < 0)
+-		return;
++	handle_sign_helper(ctx, pollfd, size, 0, false);
++}
+ 
+-	steal_from_cms(ctx->backup_cms, ctx->cms);
+-
+-	handle_signing(ctx, pollfd, size, 0);
+-
+-	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
+-	cms_context_fini(ctx->cms);
++static void
++handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
++{
++	handle_sign_helper(ctx, pollfd, size, 0, true);
+ }
+ 
+ static void
+@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
+ 		{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
+ 		{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
+ 		{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
++		{ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
++		  handle_sign_attached_with_file_type,
++		  "sign-attached-with-file-type", 0 },
++		{ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
++		  handle_sign_detached_with_file_type,
++		  "sign-detached-with-file-type", 0 },
+ 		{ CMD_RESPONSE, NULL, "response",  0 },
+ 		{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
+ 			"is-token-unlocked", 0 },
+diff --git a/src/daemon.h b/src/daemon.h
+index dd430512f1a..834d62c72d0 100644
+--- a/src/daemon.h
++++ b/src/daemon.h
+@@ -33,6 +33,8 @@ typedef enum {
+ 	CMD_RESPONSE,
+ 	CMD_IS_TOKEN_UNLOCKED,
+ 	CMD_GET_CMD_VERSION,
++	CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
++	CMD_SIGN_DETACHED_WITH_FILE_TYPE,
+ 	CMD_LIST_END
+ } pesignd_cmd;
+ 
+-- 
+2.26.2
+

0004-Rename-var-run-to-run.patch

@@ -0,0 +1,46 @@
+From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 12 Jun 2020 11:49:44 -0400
+Subject: [PATCH] Rename /var/run/ to /run/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 12 ++++++------
+ src/tmpfiles.conf |  2 +-
+ 2 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 56f75cafbc4..5a6da1c6809 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -45,14 +45,14 @@
+       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+     elif [ "$(id -un)" == "kojibuilder" -a				\\\
+            grep -q ID=fedora /etc/os-release -a				\\\
+-           ! -S /var/run/pesign/socket ]; then				\
++           ! -S /run/pesign/socket ]; then				\
+       echo "No socket even though this is kojibuilder" 1>&2		\
+-      ls -ld /var/run/pesign 1>&2					\
+-      ls -l /var/run/pesign/socket 1>&2					\
+-      getfacl /var/run/pesign 1>&2					\
+-      getfacl /var/run/pesign/socket 1>&2				\
++      ls -ld /run/pesign 1>&2					\
++      ls -l /run/pesign/socket 1>&2					\
++      getfacl /run/pesign 1>&2					\
++      getfacl /run/pesign/socket 1>&2				\
+       exit 1								\
+-    elif [ -S /var/run/pesign/socket ]; then				\
++    elif [ -S /run/pesign/socket ]; then				\
+       %{_pesign_client} -t %{__pesign_client_token}			\\\
+                         -c %{__pesign_client_cert}			\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
+index c1cf35597d8..3375ad52a44 100644
+--- a/src/tmpfiles.conf
++++ b/src/tmpfiles.conf
+@@ -1 +1 @@
+-D /var/run/pesign 0770 pesign pesign -
++D /run/pesign 0770 pesign pesign -
+-- 
+2.26.2
+

0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch

@@ -0,0 +1,30 @@
+From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
+From: Jeremy Cline <jcline@redhat.com>
+Date: Tue, 18 Feb 2020 16:37:53 -0500
+Subject: [PATCH] Apparently opensc got updated and the token name changed
+
+All the kernel builds started failing yesterday because the signing
+token could not be found. Update the token name in the macro shipped by
+pesign.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7c5cba170e9..56f75cafbc4 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -9,7 +9,7 @@
+ %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+-%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
++%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+ %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %_pesign /usr/bin/pesign
+-- 
+2.26.2
+

0006-client-try-run-and-var-run-for-the-socket-path.patch

@@ -0,0 +1,86 @@
+From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Jul 2020 16:13:09 -0400
+Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/client.c | 40 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 29 insertions(+), 11 deletions(-)
+
+diff --git a/src/client.c b/src/client.c
+index 2119ef33bf8..a38383415d5 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
+ }
+ 
+ static int
+-connect_to_server(void)
++connect_to_server_helper(const char * const sockpath)
+ {
+-	int rc = access(SOCKPATH, R_OK);
++	int rc = access(sockpath, R_OK);
+ 	if (rc != 0) {
+-		fprintf(stderr, "pesign-client: could not connect to server: "
+-			"%m\n");
+-		exit(1);
++		warn("could not access socket \"%s\"", sockpath);
++		return rc;
+ 	}
+ 
+ 	struct sockaddr_un addr_un = {
+ 		.sun_family = AF_UNIX,
+-		.sun_path = SOCKPATH,
+ 	};
++	strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
++	addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
+ 
+ 	int sd = socket(AF_UNIX, SOCK_STREAM, 0);
+ 	if (sd < 0) {
+-		fprintf(stderr, "pesign-client: could not open socket: %m\n");
+-		exit(1);
++		warn("could not open socket \"%s\"", sockpath);
++		return sd;
+ 	}
+ 
+ 	socklen_t len = strlen(addr_un.sun_path) +
+@@ -74,14 +74,32 @@ connect_to_server(void)
+ 
+ 	rc = connect(sd, (struct sockaddr *)&addr_un, len);
+ 	if (rc < 0) {
+-		fprintf(stderr, "pesign-client: could not connect to daemon: "
+-			"%m\n");
+-		exit(1);
++		warn("could not connect to daemon");
++		return sd;
+ 	}
+ 
+ 	return sd;
+ }
+ 
++static int
++connect_to_server(void)
++{
++	int rc, i;
++	const char * const sockets[] = {
++		"/run/pesign/socket",
++		"/var/run/pesign/socket",
++		NULL
++	};
++
++	for (i = 0; sockets[i] != NULL; i++) {
++		rc = connect_to_server_helper(sockets[i]);
++		if (rc >= 0)
++			return rc;
++	}
++
++	exit(1);
++}
++
+ static int32_t
+ check_response(int sd, char **srvmsg);
+ 
+-- 
+2.26.2
+

0007-client-remove-an-extra-debug-print.patch

@@ -0,0 +1,25 @@
+From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 16:44:09 -0400
+Subject: [PATCH 07/11] client: remove an extra debug print
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/client.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/client.c b/src/client.c
+index 0082be1f597..c9966295e5f 100644
+--- a/src/client.c
++++ b/src/client.c
+@@ -536,7 +536,6 @@ oom:
+ 				  0, true);
+ 	}
+ 
+-	printf("add_file_type:%d\n", add_file_type);
+ 	pm->version = PESIGND_VERSION;
+ 	pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
+ 						: CMD_SIGN_ATTACHED)
+-- 
+2.26.2
+

0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch

@@ -0,0 +1,379 @@
+From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 6 Jul 2020 13:54:35 -0400
+Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults                 |   1 +
+ src/Makefile                  |   8 +-
+ src/macros.pesign             |  74 ++++--------
+ src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
+ 4 files changed, 252 insertions(+), 53 deletions(-)
+ create mode 100644 src/pesign-rpmbuild-helper.in
+
+diff --git a/Make.defaults b/Make.defaults
+index 0bacafe0d01..d4cd626c11e 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
+ 
+ INSTALL	?= install
+ CROSS_COMPILE	?=
++EFI_ARCHES ?= aa64 ia32 x64
+ 
+ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
+ CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
+diff --git a/src/Makefile b/src/Makefile
+index 74327ba13f3..a7ca89159c6 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
+ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
+ 
+-BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
++BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
+ SVCTARGETS=pesign.sysvinit pesign.service
+ TARGETS=$(BINTARGETS) $(SVCTARGETS)
+ 
+@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
+ pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
+ pesign : PKGS=efivar nss nspr popt
+ 
++pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
++	sed \
++		-e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
++		$^ > $@
++
+ deps : PKGS=efivar nss nspr popt uuid
+ deps : $(ALL_SOURCES)
+ 	$(MAKE) -f $(TOPDIR)/Make.deps \
+@@ -94,6 +99,7 @@ install :
+ 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
++	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
+ 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 5a6da1c6809..2e984b4eeb3 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -6,7 +6,7 @@
+ # %pesign -s -i shim.orig -o shim.efi
+ # And magically get the right thing.
+ 
+-%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
++%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
+ %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
+@@ -24,54 +24,24 @@
+ # -a <input ca cert filename>		# rhel only
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
+-  _pesign_nssdir=/etc/pki/pesign					\
+-  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
+-    _pesign_nssdir=/etc/pki/pesign-rh-test				\
+-  fi									\
+-  if [ -x %{_pesign} ] &&  						\\\
+-       [ "%{_target_cpu}" == "x86_64" -o 				\\\
+-         "%{_target_cpu}" == "aarch64" ]; then				\
+-    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
+-      nss=$(mktemp -p $PWD -d)						\
+-      echo > ${nss}/pwfile						\
+-      certutil -N -d ${nss} -f ${nss}/pwfile				\
+-      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
+-      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
+-      sattrs=$(mktemp -p $PWD --suffix=.der)				\
+-      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
+-      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
+-      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
+-                 --certdir ${nss} -c signer %{-o}			\
+-      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
+-    elif [ "$(id -un)" == "kojibuilder" -a				\\\
+-           grep -q ID=fedora /etc/os-release -a				\\\
+-           ! -S /run/pesign/socket ]; then				\
+-      echo "No socket even though this is kojibuilder" 1>&2		\
+-      ls -ld /run/pesign 1>&2					\
+-      ls -l /run/pesign/socket 1>&2					\
+-      getfacl /run/pesign 1>&2					\
+-      getfacl /run/pesign/socket 1>&2				\
+-      exit 1								\
+-    elif [ -S /run/pesign/socket ]; then				\
+-      %{_pesign_client} -t %{__pesign_client_token}			\\\
+-                        -c %{__pesign_client_cert}			\\\
+-                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
+-    else								\
+-      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
+-                 --certdir ${_pesign_nssdir}				\\\
+-                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
+-    fi									\
+-  else									\
+-    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
+-      mv %{-i*} %{-o*}							\
+-    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
+-      touch %{-e*}							\
+-    fi									\
+-  fi									\
+-  if [ ! -s %{-o} ]; then						\
+-    if [ -e "%{-o*}" ]; then						\
+-      rm -f %{-o*}							\
+-    fi									\
+-    exit 1								\
+-  fi ;
+-
++  %{_libexecdir}/pesign/pesign-rpmbuild-helper				\\\
++    "%{_target_cpu}"							\\\
++    "%{_pesign}"							\\\
++    "%{_pesign_client}"							\\\
++    %{?__pesign_client_token:--client-token %{__pesign_client_token}}	\\\
++    %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}}	\\\
++    %{?__pesign_token:%{__pesign_token}}				\\\
++    %{?__pesign_cert:--cert %{__pesign_cert}}				\\\
++    %{?_buildhost:--hostname "%{_buildhost}"}				\\\
++    %{?vendor:--vendor "%{vendor}"}					\\\
++    %{?_rhel:--rhelver "%{_rhel}"}					\\\
++    %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}}	\\\
++    %{?-a:--rhelcafile "%{-a*}"}					\\\
++    %{?-c:--rhelcertfile "%{-c*}"}					\\\
++    %{?-C:--certout "%{-C*}"}						\\\
++    %{?-e:--sattrout "%{-e*}"}						\\\
++    %{?-i:--in "%{-i*}"}						\\\
++    %{?-o:--out "%{-o*}"}						\\\
++    %{?-s:--sign}							\\\
++    ;									\
++%{nil}
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+new file mode 100644
+index 00000000000..c5287c27e0c
+--- /dev/null
++++ b/src/pesign-rpmbuild-helper.in
+@@ -0,0 +1,222 @@
++#!/bin/bash
++# shellcheck shell=bash
++
++set -eu
++set -x
++
++usage() {
++    local status="${1}" && shift
++    local out
++    if [[ "${status}" -eq 0 ]] ; then
++	out=/dev/stdout
++    else
++	out=/dev/stderr
++    fi
++
++    if [[ $# -gt 0 ]] ; then
++	echo "${0}: error: $*" >>"${out}"
++    fi
++    echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
++    exit "${status}"
++}
++
++is_efi_arch() {
++    local arch="${1}"
++    local arches=(@@EFI_ARCHES@@)
++    local x
++    for x in "${arches[@]}" ; do
++	if [[ "${arch}" = "${x}" ]] ; then
++	    return 0
++	fi
++    done
++    return 1
++}
++
++error_on_empty() {
++    local f="${1}"
++    if [[ ! -s "${f}" ]] ; then
++	if [[ -e "${f}" ]] ; then
++	    rm -f "${f}"
++	fi
++	echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
++	exit 1
++    fi
++}
++
++main() {
++    if [[ $# -lt 3 ]] ; then
++	usage 1 not enough arguments
++    fi
++    local target_cpu="${1}" && shift
++    local bin="${1}" && shift
++    local client="${1}" && shift
++
++    local rhelcafile="" || :
++    local rhelcertfile="" || :
++
++    local certout=() || :
++    local sattrout=() || :
++    local input=() || :
++    local output=() || :
++    local client_token=() || :
++    local client_cert=() || :
++    local token=() || :
++    local cert=() || :
++    local rhelcert=() || :
++    local rhelver=0 || :
++    local sign="" || :
++    local arch="" || :
++    local vendor="" || :
++    local HOSTNAME="" || :
++
++    while [[ $# -ge 2 ]] ; do
++	case " ${1} " in
++	" --rhelcafile ")
++	    rhelcafile="${2}"
++	    ;;
++	" --rhelcertfile ")
++	    rhelcertfile="${2}"
++	    ;;
++	" --hostname ")
++	    HOSTNAME="${2}"
++	    ;;
++	" --certout ")
++	    certout[0]=-C
++	    certout[1]="${2}"
++	    ;;
++	" --sattrout ")
++	    sattrout[0]=-e
++	    sattrout[1]="${2}"
++	    ;;
++	" --client-token ")
++	    client_token[0]=-t
++	    client_token[1]="${2}"
++	    ;;
++	" --client-cert ")
++	    client_cert[0]=-c
++	    client_cert[1]="${2}"
++	    ;;
++	" --token ")
++	    token[0]=-t
++	    token[1]="${2}"
++	    ;;
++	" --cert ")
++	    cert[0]=-c
++	    cert[1]="${2}"
++	    ;;
++	" --rhelcert ")
++	    rhelcert[0]=-c
++	    rhelcert[1]="${2}"
++	    ;;
++	" --in ")
++	    input[0]=-i
++	    input[1]="${2}"
++	    ;;
++	" --out ")
++	    output[0]=-o
++	    output[1]="${2}"
++	    ;;
++	" --rhelver ")
++	    rhelver="${2}"
++	    ;;
++	" --vendor ")
++	    vendor="${2}"
++	    ;;
++	*)
++	    break
++	    ;;
++	esac
++	shift
++	shift
++    done
++    if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
++	sign=-s
++	shift
++    fi
++
++    if [[ -z "${target_cpu}" ]] ; then
++	target_cpu="$(uname -m)"
++    fi
++
++    target_cpu="${target_cpu/i?86/ia32}"
++    target_cpu="${target_cpu/x86_64/x64}"
++    target_cpu="${target_cpu/aarch64/aa64}"
++    target_cpu="${target_cpu/arm*/arm/}"
++
++    local nssdir=/etc/pki/pesign
++    if [[ "${#cert[@]}" -eq 2 ]] &&
++       [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
++	nssdir=/etc/pki/pesign-rh-test
++    fi
++
++    # is_efi_arch is ultimately returning "is pesign configured to sign these
++    # using the rpm macro", so if it isn't, we're just copying the input to
++    # the output
++    if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
++	if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
++	    cp -v "${input[1]}" "${output[1]}"
++	elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
++	    touch "${sattrout[1]}"
++	fi
++
++	# if there's a 0-sized output file, delete it and error out
++	error_on_empty "${output[1]}"
++	return 0
++    fi
++
++    USERNAME="${USERNAME:-$(id -un)}"
++
++    local socket="" || :
++    if grep -q ID=fedora /etc/os-release \
++       && [[ "${rhelver}" -lt 7 ]] \
++       && [[ "${USERNAME}" = "mockbuild" ]] \
++       && [[ "${vendor}" = "Fedora Project" ]] \
++       && [[ "${HOSTNAME}" =~ bkernel.* ]]
++    then
++	if [[ -S /run/pesign/socket ]] ; then
++	    socket=/run/pesign/socket
++	elif [[ -S /var/run/pesign/socket ]]; then
++	    socket=/var/run/pesign/socket
++	else
++	    echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
++	    echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
++	    ls -ld /run/pesign /var/run/pesign 1>&2 ||:
++	    ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
++	    getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
++	    getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
++	fi
++    fi
++
++    if [[ "${rhelver}" -ge 7 ]] ; then
++	nssdir="$(mktemp -p "${PWD}" -d)"
++	echo > "${nssdir}/pwfile"
++	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
++	certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
++	certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
++	sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
++	"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
++	    "${input[@]}" --force
++	rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
++	"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
++	    --certdir "${nssdir}" -c signer \
++	    "${input[@]}" "${output[@]}"
++	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
++    elif [[ -n "${socket}" ]] ; then
++	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
++	    "${sattrout[@]}" "${certout[@]}"	\
++	    ${sign} "${input[@]}" "${output[@]}"
++    else
++	"${bin}" --certdir "${nssdir}" "${token[@]}"	\
++	    "${cert[@]}" ${sign} "${sattrout[@]}"	\
++	    "${certout[@]}"    "${input[@]}" "${output[@]}"
++    fi
++
++    # if there's a 0-sized output file, delete it and error out
++    if [[ "${#output[@]}" -eq 2 ]] ; then
++	error_on_empty "${output[1]}"
++    fi
++}
++
++main "${@}"
++
++# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
+-- 
+2.26.2
+

0009-pesign-authorize-shellcheck.patch

@@ -0,0 +1,60 @@
+From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:07:32 -0400
+Subject: [PATCH 09/11] pesign-authorize: shellcheck
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index a496f601ab4..55cd5c4e55b 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -12,21 +12,21 @@ set -u
+ # License: GPLv2
+ declare -a fileusers=()
+ declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
++while read -r user ; do
+ 	dirusers[${#dirusers[@]}]=-m
+ 	dirusers[${#dirusers[@]}]="u:$user:rwx"
+ 	fileusers[${#fileusers[@]}]=-m
+ 	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
++done </etc/pesign/users
+ 
+ declare -a filegroups=()
+ declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
++while read -r group ; do
+ 	dirgroups[${#dirgroups[@]}]=-m
+ 	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+ 	filegroups[${#filegroups[@]}]=-m
+ 	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
++done </etc/pesign/groups
+ 
+ update_subdir() {
+ 	subdir=$1 && shift
+@@ -35,12 +35,12 @@ update_subdir() {
+ 	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+ 	for x in "${subdir}"* ; do
+ 		if [ -d "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
++			setfacl -bk "${x}"
++			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
+ 			update_subdir "${x}/"
+ 		elif [ -e "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
++			setfacl -bk "${x}"
++			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
+ 		else
+ 			:;
+ 		fi
+-- 
+2.26.2
+

0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch

@@ -0,0 +1,26 @@
+From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 15:08:15 -0400
+Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index 55cd5c4e55b..c5448329c2c 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -47,7 +47,7 @@ update_subdir() {
+ 	done
+ }
+ 
+-for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
++for x in /var/run/pesign/ /etc/pki/pesign/ ; do
+ 	if [ -d "${x}" ]; then
+ 		update_subdir "${x}"
+ 	else
+-- 
+2.26.2
+

0011-kernel-building-hack.patch

@@ -0,0 +1,41 @@
+From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 14 Jul 2020 16:42:39 -0400
+Subject: [PATCH 11/11] kernel building hack
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index c5287c27e0c..27b8261bc17 100644
+--- a/src/pesign-rpmbuild-helper.in
++++ b/src/pesign-rpmbuild-helper.in
+@@ -202,6 +202,23 @@ main() {
+ 	    "${input[@]}" "${output[@]}"
+ 	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
+     elif [[ -n "${socket}" ]] ; then
++	### welcome haaaaack city
++	if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
++	    if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
++	       || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
++		if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
++		   || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
++		   || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
++		    client_cert[1]=kernel-signer
++		elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
++		   || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
++		    client_cert[1]=grub2-signer
++		elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
++		   || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
++		    client_cert[1]=fwupd-signer
++		fi
++	    fi
++	fi
+ 	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
+ 	    "${sattrout[@]}" "${certout[@]}"	\
+ 	    ${sign} "${input[@]}" "${output[@]}"
+-- 
+2.26.2
+

0012-Use-run-not-var-run.patch

@@ -0,0 +1,105 @@
+From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 16 Jul 2020 16:28:26 -0400
+Subject: [PATCH] Use /run not /var/run
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/daemon.h           |  4 ++--
+ src/Makefile           |  2 +-
+ src/pesign-authorize   |  2 +-
+ src/pesign.service.in  |  2 +-
+ src/pesign.sysvinit.in | 10 +++++-----
+ 5 files changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/src/daemon.h b/src/daemon.h
+index 0368dc9256c..5fcd97ea717 100644
+--- a/src/daemon.h
++++ b/src/daemon.h
+@@ -51,8 +51,8 @@ typedef enum {
+ } pesignd_cmd;
+ 
+ #define PESIGND_VERSION 0x2a9edaf0
+-#define SOCKPATH	"/var/run/pesign/socket"
+-#define PIDFILE		"/var/run/pesign.pid"
++#define SOCKPATH	"/run/pesign/socket"
++#define PIDFILE		"/run/pesign.pid"
+ 
+ static inline uint32_t UNUSED
+ pesignd_string_size(char *buffer)
+diff --git a/src/Makefile b/src/Makefile
+index a7ca89159c6..f7fb5fc9ee5 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
+ install :
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
+-	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
++	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index c5448329c2c..2381302440c 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -47,7 +47,7 @@ update_subdir() {
+ 	done
+ }
+ 
+-for x in /var/run/pesign/ /etc/pki/pesign/ ; do
++for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
+ 	if [ -d "${x}" ]; then
+ 		update_subdir "${x}"
+ 	else
+diff --git a/src/pesign.service.in b/src/pesign.service.in
+index c75a000892a..4ac2199bce2 100644
+--- a/src/pesign.service.in
++++ b/src/pesign.service.in
+@@ -4,6 +4,6 @@ Description=Pesign signing daemon
+ [Service]
+ PrivateTmp=true
+ Type=forking
+-PIDFile=/var/run/pesign.pid
++PIDFile=/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+ ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
+diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
+index b0e0f84ff0b..bf8edec8ff3 100644
+--- a/src/pesign.sysvinit.in
++++ b/src/pesign.sysvinit.in
+@@ -4,7 +4,7 @@
+ #
+ # chkconfig: - 50 50
+ # processname: /usr/bin/pesign
+-# pidfile: /var/run/pesign.pid
++# pidfile: /run/pesign.pid
+ ### BEGIN INIT INFO 
+ # Provides: pesign
+ # Default-Start:
+@@ -20,9 +20,9 @@ RETVAL=0
+ 
+ start(){
+     echo -n "Starting pesign: "
+-    mkdir /var/run/pesign 2>/dev/null &&
+-        chown pesign:pesign /var/run/pesign &&
+-        chmod 0770 /var/run/pesign
++    mkdir /run/pesign 2>/dev/null &&
++        chown pesign:pesign /run/pesign &&
++        chmod 0770 /run/pesign
+     daemon /usr/bin/pesign --daemonize
+     RETVAL=$?
+     echo
+@@ -32,7 +32,7 @@ start(){
+ 
+ stop(){
+     echo -n "Stopping pesign: "
+-    killproc -p /var/run/pesign.pid pesignd
++    killproc -p /run/pesign.pid pesignd
+     RETVAL=$?
+     echo
+     rm -f /var/lock/subsys/pesign
+-- 
+2.26.2
+

pesign.py

@@ -0,0 +1,91 @@
+#!/usr/bin/python3
+#
+# Copyright 2017 Peter Jones <Peter Jones@random>
+#
+# Distributed under terms of the GPLv3 license.
+
+"""
+mock plugin to make sure pesign and mockbuild users have the right uid and
+gid.
+"""
+
+from mockbuild.trace_decorator import getLog, traceLog
+import mockbuild.util
+
+requires_api_version = "1.1"
+
+@traceLog()
+def init(plugins, conf, buildroot):
+    """ hello """
+    Pesign(plugins, conf, buildroot)
+
+def getuid(name):
+    """ get a uid for a user name """
+    output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
+                               returnOutput=1, printOutput=True)
+    output = output.split(':')
+    return output[2], output[3]
+
+def getgid(name):
+    """ get a gid for a group name """
+    output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
+                               returnOutput=1, printOutput=True)
+    return output.split(':')[2]
+
+def newgroup(name, gid, rootdir):
+    """ create a group with a gid """
+    getLog().info("creating group %s with gid %s" % (name, gid))
+    mockbuild.util.do(["groupadd",
+                       "-g", "%s" % (gid,),
+                       "-R", "%s" % (rootdir,),
+                       "%s" % (name,),
+                      ])
+
+def newuser(name, uid, gid, rootdir):
+    """ create a user with a uid """
+    getLog().info("creating user %s with uid %s" % (name, uid))
+    mockbuild.util.do(["useradd",
+                       "-u", "%s" % (uid,),
+                       "-g", "%s" % (gid,),
+                       "-R", "%s" % (rootdir,),
+                       "%s" % (name,)])
+
+class Pesign(object):
+    """ Creates some stuff in our mock root """
+    # pylint: disable=too-few-public-methods
+    @traceLog()
+    def __init__(self, plugins, conf, buildroot):
+        """ Effectively we're doing:
+            getent group pesign >/dev/null || groupadd -r pesign
+            getent passwd pesign >/dev/null || \
+                    useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
+                    -c "Group for the pesign signing daemon" pesign
+        """
+
+        self.buildroot = buildroot
+        self.pesign_opts = conf
+        self.config = buildroot.config
+        self.state = buildroot.state
+        self.users = {}
+        self.groups = {}
+        plugins.add_hook("postinit", self._pesignPostInitHook)
+
+    @traceLog()
+    def _pesignPostInitHook(self):
+        """ find our uid and gid lists """
+        for user in self.pesign_opts['users']:
+            uid, gid = getuid(user)
+            self.users[user] = [user, uid, gid]
+        for group in self.pesign_opts['groups']:
+            gid = getgid(group)
+            self.groups[group] = [group, gid]
+
+        # create our users
+        rootdir = self.buildroot.make_chroot_path()
+        for name, gid in self.groups.values():
+            newgroup(name, gid, rootdir)
+        for name, uid, gid in self.users.values():
+            newuser(name, uid, gid, rootdir)
+
+# -*- coding: utf-8 -*-
+# vim:fenc=utf-8:tw=75

pesign.spec

@@ -0,0 +1,496 @@
+%global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
+
+Name:    pesign
+Summary: Signing utility for UEFI binaries
+Version: 113
+Release: 13%{?dist}
+License: GPLv2
+URL:     https://github.com/vathpela/pesign
+
+Obsoletes: pesign-rh-test-certs <= 0.111-7
+BuildRequires: gcc
+BuildRequires: git
+BuildRequires: nspr
+BuildRequires: nss
+BuildRequires: nss-util
+BuildRequires: popt-devel
+BuildRequires: nss-tools
+BuildRequires: nspr-devel >= 4.9.2-1
+BuildRequires: nss-devel >= 3.13.6-1
+BuildRequires: efivar-devel >= 31-1
+BuildRequires: libuuid-devel
+BuildRequires: tar
+BuildRequires: xz
+BuildRequires: python3-rpm-macros
+BuildRequires: python3
+%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
+BuildRequires: systemd-rpm-macros
+%endif
+Requires:      nspr
+Requires:      nss
+Requires:      nss-tools >= 3.53
+Requires:      nss-util
+Requires:      popt
+Requires:      rpm
+Requires(pre): shadow-utils
+ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
+%if 0%{?rhel} == 7
+BuildRequires: rh-signing-tools >= 1.20-2
+%endif
+
+Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
+Source1: certs.tar.xz
+Source2: pesign.py
+
+Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
+Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
+Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
+Patch0004: 0004-Rename-var-run-to-run.patch
+Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
+Patch0007: 0007-client-remove-an-extra-debug-print.patch
+Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+Patch0009: 0009-pesign-authorize-shellcheck.patch
+Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+Patch0011: 0011-kernel-building-hack.patch
+Patch0012: 0012-Use-run-not-var-run.patch
+
+%description
+This package contains the pesign utility for signing UEFI binaries as
+well as other associated tools.
+
+%prep
+%setup -q -T -b 0
+%setup -q -T -D -c -n pesign-%{version}/ -a 1
+git init
+git config user.email "pesign-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+
+%build
+make PREFIX=%{_prefix} LIBDIR=%{_libdir}
+
+%install
+mkdir -p %{buildroot}/%{_libdir}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
+	install
+%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
+	install_systemd
+%endif
+
+# there's some stuff that's not really meant to be shipped yet
+rm -rf %{buildroot}/boot %{buildroot}/usr/include
+rm -rf %{buildroot}%{_libdir}/libdpe*
+mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
+mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
+cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
+cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
+
+if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
+	mkdir -p %{buildroot}%{macrosdir}
+	mv %{buildroot}%{_sysconfdir}/rpm/macros.pesign \
+		%{buildroot}%{macrosdir}
+	rmdir %{buildroot}%{_sysconfdir}/rpm
+fi
+rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
+
+# and find-debuginfo.sh has some pretty awful deficencies too...
+cp -av libdpe/*.[ch] src/
+
+install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
+install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
+
+%pre
+getent group pesign >/dev/null || groupadd -r pesign
+getent passwd pesign >/dev/null || \
+	useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
+		-c "Group for the pesign signing daemon" pesign
+exit 0
+
+%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
+%post
+%systemd_post pesign.service
+
+%preun
+%systemd_preun pesign.service
+
+%postun
+%systemd_postun_with_restart pesign.service
+
+%posttrans
+certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
+
+# this is disabled currently because it breaks the fedora kernel build root
+# generation - because we don't currently have a good way of populating
+# /etc/pesign/{users,groups} before the buildroot is installed, or
+# populating them and re-running pesign-authorize afterwards but before the
+# package build of e.g. kernel
+#%%{_libexecdir}/pesign/pesign-authorize
+%endif
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README TODO
+%{_bindir}/authvar
+%{_bindir}/efikeygen
+%{_bindir}/efisiglist
+%{_bindir}/pesigcheck
+%{_bindir}/pesign
+%{_bindir}/pesign-client
+%dir %{_libexecdir}/pesign/
+%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
+%config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
+%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
+%config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
+%{_libexecdir}/pesign/pesign-authorize
+%{_libexecdir}/pesign/pesign-rpmbuild-helper
+%config(noreplace)/%{_sysconfdir}/pesign/users
+%config(noreplace)/%{_sysconfdir}/pesign/groups
+%{_sysconfdir}/popt.d/pesign.popt
+%{macrosdir}/macros.pesign
+%{_mandir}/man*/*
+%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
+%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
+%{_tmpfilesdir}/pesign.conf
+%{_unitdir}/pesign.service
+%endif
+%{python3_sitelib}/mockbuild/plugins/*/pesign.*
+%{python3_sitelib}/mockbuild/plugins/pesign.*
+
+%changelog
+* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
+- Add the rundir related stuff that was staged on my f32 checkout.
+
+* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
+- Try to make kernel and fwupd both work at the same time.
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
+- I really cannot figure out why bkernel01 thinks the certificate nickname
+  starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
+
+* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
+- Even more kernel build debugging...
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
+- More kernel build debugging...
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
+- Disable the pesign-authorize call in posttrans, until we can figure out a
+  better way to deal with that in the fedora kernel builder chroot setup
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
+- Make pesign require nss-tools for the posttrans scriptlet
+- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
+
+* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
+- Attempt to fix kernel signing failures caused by -3...
+
+* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
+- Fix the signer name for fedora and some other minor nits
+  Related: rhbz#1708773
+  Related: rhbz#1678146
+
+* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
+- Fix a signing protocol bug we introduced in 113 that makes the fedora
+  kernel builders fail.
+  Related: rhbz#1708773
+
+* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
+- Update to 113 release
+  Resolves: rhbz#1708773
+
+* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
+- Switch default NSS database to SQLite format (pjones)
+  Resolves: rhbz#1827902
+
+* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
+- Make sure the patch for -29 is actually in the build in f32, and
+  synchronize with master.
+
+* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
+- Rebuild to match OpenSC's token name mangling change.
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
+- Rebuild to fix an NSS API issue.	
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Wed Mar  6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
+- Fix build (#1675653)
+- Add missing closing quote in macro (#1651020)
+- Update obsolete /var/run/ path (#1678146)
+
+* Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-25
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-24
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-23
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
+- Minor spec cleanups, fix arm conditional
+
+* Fri Oct 06 2017 Troy Dawson <tdawson@redhat.com> - 0.112-21
+- Cleanup spec file conditionals
+
+* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-20
+- Maybe fewer typoes would be better.
+
+* Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
+- Update to match f26's build so new kernel builds will work.
+
+* Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-10
+- Try to fix the db problem nirik is seeing trying to upgrade the builders.
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 0.112-7
+- Rebuild for efivar-31-1.fc26
+  Related: rhbz#1468841
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Jan 06 2017 Peter Jones <pjones@redhat.com> - 0.112-5
+- Don't Req: or BuildReq: coolkey or opensc; those belong in system deploy
+  scripts.
+  Related: rhbz#1349073
+
+* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 0.112-4
+- Build as -4 to make bodhi happy.
+
+* Fri Aug 12 2016 Adam Williamson <awilliam@redhat.com> - 0.112-3
+- backport fix for command line parsing from upstream master
+
+* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 0.112-2
+- Build with newer efivar.
+
+* Wed Apr 20 2016 Peter Jones <pjones@redhat.com> - 0.112-1
+- Update to 0.112
+- Also fix up some spec file woes:
+  - dumb things in %%setup
+  - find-debuginfo.sh not working right for some source files...
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.111-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
+- Obsolete pesign-rh-test-certs, it was in -1's update.
+  Resolves: rhbz#1283475
+
+* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
+- *Don't* use --certdir if we're using the socket.
+  Related: rhbz#1283475
+  Related: rhbz#1284063
+  Related: rhbz#1284561
+
+* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
+- Actually do a better job of choosing which cert to use when, so people will
+  stop seeing any of this problem.  (Thanks for the thought, jforbes.)
+  Resolves: rhbz#1283475
+  Resolves: rhbz#1284063
+  Resolves: rhbz#1284561
+
+* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
+- setfacl even harder.
+  Related: rhbz#1283475
+  Related: rhbz#1284063
+  Related: rhbz#1284561
+
+* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
+- Better ACL setting code.
+  Related: rhbz#1283475
+
+* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
+- Allow the mockbuild user to read the nss database if the account exists.
+
+* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
+- Rebase to 0.111
+- Split test certs out into a "Recommends" subpackage.
+
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Wed Mar  4 2015 Ville Skyttä <ville.skytta@iki.fi> - 0.110-2
+- Install macros in %%{_rpmconfigdir}/macros.d where available (#1074281)
+
+* Fri Oct 24 2014 Peter Jones <pjones@redhat.com> - 0.110-1
+- Update to pesign-0.110
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.108-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Thu May 29 2014 Peter Jones <pjones@redhat.com> - 0.108-2
+- Fix a networking problem nirik observed when reinstalling builders.
+
+* Sat Aug 10 2013 Peter Jones <pjones@redhat.com> - 0.108-1
+- Remove errant result files and raise an error from %%pesign 
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.106-3
+- Add code for signing in RHEL 7
+
+* Mon Aug 05 2013 Peter Jones <pjones@redhat.com> - 0.106-2
+- Fix for new %%doc rules.
+
+* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.106-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
+
+* Tue May 21 2013 Peter Jones <pjones@redhat.com> - 0.106-1
+- Update to 0.106
+- Hopefully fix the segfault dgilmore was seeing.
+
+* Mon May 20 2013 Peter Jones <pjones@redhat.com> - 0.105-1
+- Various bug fixes.
+
+* Wed May 15 2013 Peter Jones <pjones@redhat.com> - 0.104-1
+- Make sure alignment is correct on signature list entries
+  Resolves: rhbz#963361
+- Make sure section alignment is correct if we have to extend the file
+
+* Wed Feb 06 2013 Peter Jones <pjones@redhat.com> - 0.103-2
+- Conditionalize systemd bits so they don't show up in RHEL 6 builds
+
+* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.103-1
+- One more compiler problem.  Let's expect a few more, shall we?
+
+* Tue Feb 05 2013 Peter Jones <pjones@redhat.com> - 0.102-1
+- Don't use --std=gnu11 because we have to work on RHEL 6 builders.
+
+* Mon Feb 04 2013 Peter Jones <pjones@redhat.com> - 0.101-1
+- Update to 0.101 to fix more "pesign -E" issues.
+
+* Fri Nov 30 2012 Peter Jones <pjones@redhat.com> - 0.100-1
+- Fix insertion of signatures from a file.
+
+* Mon Nov 26 2012 Matthew Garrett <mjg59@srcf.ucam.org> - 0.99-9
+- Add a patch needed for new shim builds
+
+* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-8
+- Get the Fedora signing token name right.
+
+* Fri Oct 19 2012 Peter Jones <pjones@redhat.com>
+- Add coolkey and opensc modules to pki database during %%install.
+
+* Fri Oct 19 2012 Peter Jones <pjones@redhat.com> - 0.99-7
+- setfacl u:kojibuilder:rw /var/run/pesign/socket
+- Fix command line checking in client
+- Add client stdin pin reading.
+
+* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-6
+- Automatically select daemon as signer when using rpm macros.
+
+* Thu Oct 18 2012 Peter Jones <pjones@redhat.com> - 0.99-5
+- Make it work on the -el6 branch as well.
+
+* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-4
+- Fix some more bugs found by valgrind and coverity.
+- Don't build utils/ ; we're not using them and they're not ready anyway. 
+
+* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-3
+- Fix daemon startup bug from 0.99-2
+
+* Wed Oct 17 2012 Peter Jones <pjones@redhat.com> - 0.99-2
+- Fix various bugs from 0.99-1
+- Don't make the database unreadable just yet.
+
+* Mon Oct 15 2012 Peter Jones <pjones@redhat.com> - 0.99-1
+- Update to 0.99
+- Add documentation for client/server mode.
+- Add --pinfd and --pinfile to server mode.
+
+* Fri Oct 12 2012 Peter Jones <pjones@redhat.com> - 0.98-1
+- Update to 0.98
+- Add client/server mode.
+
+* Mon Oct 01 2012 Peter Jones <pjones@redhat.com> - 0.10-5
+- Fix missing section address fixup.
+
+* Wed Aug 15 2012 Peter Jones <pjones@redhat.com> - 0.10-4
+- Make macros.pesign even better (and make it work right for i686 packages)
+
+* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-3
+- Only sign things on x86_64; all else ignore gracefully.
+
+* Tue Aug 14 2012 Peter Jones <pjones@redhat.com> - 0.10-2
+- Make macros.pesign more reliable
+
+* Mon Aug 13 2012 Peter Jones <pjones@redhat.com> - 0.10-1
+- Update to 0.10
+- Include rpm macros to support easy custom signing of signed packages.
+
+* Fri Aug 10 2012 Peter Jones <pjones@redhat.com> - 0.9-1
+- Update to 0.9
+- Bug fix from Gary Ching-Pang Lin
+- Support NSS Token selection for use with smart cards.
+
+* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.8-1
+- Update to 0.8
+- Don't open the db read-write
+- Fix permissions on keystore (everybody can sign with test keys)
+
+* Wed Aug 08 2012 Peter Jones <pjones@redhat.com> - 0.7-2
+- Include test keys.
+
+* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.7-1
+- Update to 0.7
+- Better fix for MS compatibility.
+
+* Mon Jul 30 2012 Peter Jones <pjones@redhat.com> - 0.6-1
+- Update to 0.6
+- Bug-for-bug compatibility with signtool.exe .
+
+* Fri Jul 20 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Wed Jul 11 2012 Peter Jones <pjones@redhat.com> - 0.5-1
+- Rebase to 0.5
+- Do more rigorous bounds checking when hashing a new binary.
+
+* Tue Jul 10 2012 Peter Jones <pjones@redhat.com> - 0.3-2
+- Rebase to 0.4
+
+* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-2
+- Move man page to a more reasonable place.
+
+* Fri Jun 22 2012 Peter Jones <pjones@redhat.com> - 0.3-1
+- Update to upstream's 0.3 .
+
+* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-4
+- Do not build with smp flags.
+
+* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Make it build on i686, though it's unclear it'll ever be necessary.
+
+* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-2
+- Fix compile problem with f18's compiler.
+
+* Thu Jun 21 2012 Peter Jones <pjones@redhat.com> - 0.2-1
+- Fix some rpmlint complaints nirik pointed out
+- Add popt-devel build dep
+
+* Fri Jun 15 2012 Peter Jones <pjones@redhat.com> - 0.1-1
+- First version of SRPM.

sources

@@ -0,0 +1,2 @@
+SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
+SHA512 (pesign-113.tar.bz2) = 89c5e33bf6ac8f8dc4b65192e5fd4bf1fea285106d1de2a6ea02a8c5090f2ec5976b1d80c60e57f74fa56dc25b174a4dd5682292db44ab9aeab69ea992dfef36