import pesign-0.112-27.el8_7

2023-04-04 08:52:29 +00:00 · 2023-04-04 08:52:29 +00:00 · eac30791a3
commit eac30791a3
parent 6c0d5908cb
34 changed files with 257 additions and 262 deletions
--- a/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
+++ b/SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
@ -1,8 +1,8 @@
-From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 21 Apr 2016 10:47:34 -0400
-Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
+Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
- and it's unused.
+ it's unused.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -67,6 +67,3 @@ index 7d77faf..c7d7268 100644
 extern int generate_string(cms_context *cms, SECItem *der, char *str);
 extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
 extern int wrap_in_seq(cms_context *cms, SECItem *der,
 -- 
 2.13.4
--- a/SOURCES/0002-Fix-command-line-parsing.patch
+++ b/SOURCES/0002-Fix-command-line-parsing.patch
@ -1,7 +1,7 @@
-From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Thu, 9 Jun 2016 14:30:37 +0200
-Subject: [PATCH 02/29] Fix command line parsing
+Subject: [PATCH] Fix command line parsing
 The gettext translation domain should be passed as .arg, not .descrip,
 otherwise popt won't process any of the command line options (it stops
@ -68,6 +68,3 @@ index 1328fe9..0d49c1a 100644
 		{.longName = "dbfile",
 		 .shortName = 'D',
 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
 -- 
 2.13.4
--- a/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch
+++ b/SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch
@ -1,7 +1,7 @@
-From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 Aug 2016 17:12:39 -0400
-Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
+Subject: [PATCH] gcc: don't error on stuff in includes.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -21,6 +21,3 @@ index c97b452..3511080 100644
 AS	:= $(CROSS_COMPILE)as
 AR	:= $(CROSS_COMPILE)gcc-ar
 RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
 -- 
 2.13.4
--- a/SOURCES/0004-Fix-certficate-argument-name.patch
+++ b/SOURCES/0004-Fix-certficate-argument-name.patch
@ -1,7 +1,7 @@
-From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:00:34 -0400
-Subject: [PATCH 04/29] Fix "certficate" argument name.
+Subject: [PATCH] Fix "certficate" argument name.
 This fixes our typoed argument name by making the incorrectly spelled
 version be a popt alias, and fixing the real implementation to be
@ -34,6 +34,3 @@ index 7b3385d..5a97748 100644
 pesign alias --cert --certificate
 +pesign alias --certficate --certificate
 pesign alias --daemon --daemonize
 -- 
 2.13.4
--- a/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
+++ b/SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
@ -1,7 +1,7 @@
-From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Mon, 27 Jun 2016 15:38:38 +0200
-Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
+Subject: [PATCH] Fix description of --ascii-armor option in manpage
 The --ascii option does not exist.
 ---
@ -21,6 +21,3 @@ index 47d1aec..29ae060 100644
 Use ascii armoring on exported certificates.
 .TP
 -- 
 2.13.4
--- a/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch
+++ b/SOURCES/0006-Make-ascii-work-since-we-documented-it.patch
@ -1,7 +1,7 @@
-From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:05:40 -0400
-Subject: [PATCH 06/29] Make --ascii work, since we documented it.
+Subject: [PATCH] Make --ascii work, since we documented it.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -17,6 +17,3 @@ index 5a97748..5ae0c5c 100644
 pesign alias --certficate --certificate
 pesign alias --daemon --daemonize
 +pesign alias --ascii --ascii-armor
 -- 
 2.13.4
--- a/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
+++ b/SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
@ -1,8 +1,8 @@
-From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Mon, 7 Nov 2016 11:37:08 -0600
-Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
+Subject: [PATCH] Switch pesign client to also accept token/cert macros rather
- rather than use hard coded values
+ than use hard coded values
 ---
 src/macros.pesign | 6 +++---
@ -27,6 +27,3 @@ index 18e5b5e..69280e9 100644
 		 --certdir ${_pesign_nssdir}				\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
     fi									\
 -- 
 2.13.4
--- a/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
+++ b/SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
@ -1,7 +1,7 @@
-From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 16 Feb 2017 15:08:30 -0800
-Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
+Subject: [PATCH] pesigcheck: Verify with the cert as an object signer
 ---
 src/certdb.c | 2 +-
@ -20,6 +20,3 @@ index 2a08042..b7c99bb 100644
 						digest, HASH_AlgSHA256,
 						PR_FALSE, atTime);
 	if (!result) {
 -- 
 2.13.4
--- a/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch
+++ b/SOURCES/0009-pesigcheck-make-certfile-actually-work.patch
@ -1,7 +1,7 @@
-From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 24 Apr 2017 15:18:10 -0400
-Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
+Subject: [PATCH] pesigcheck: make --certfile actually work
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -42,6 +42,3 @@ index 0d49c1a..d7be542 100644
 		 .argDescrip = "<certfile>" },
 		POPT_AUTOALIAS
 		POPT_AUTOHELP
 -- 
 2.13.4
--- a/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch
+++ b/SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch
@ -1,7 +1,7 @@
-From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:15:07 -0400
-Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
+Subject: [PATCH] signerInfos: make sure err is always initialized
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -22,6 +22,3 @@ index 721db90..9e0af23 100644
 	if (!signerInfo_list_p)
 		return -1;
 -- 
 2.13.4
--- a/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
+++ b/SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
@ -1,7 +1,7 @@
-From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:23:36 -0400
-Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
+Subject: [PATCH] pesign: make "pesign -h" tell you the file name.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -21,6 +21,3 @@ index 279a17a..5879cfc 100644
 	int j = ctx->selected_digest;
 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
 		printf("%02x",
 -- 
 2.13.4
--- a/SOURCES/0012-Add-coverity-build-scripts.patch
+++ b/SOURCES/0012-Add-coverity-build-scripts.patch
@ -1,27 +1,18 @@
-From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 May 2017 10:49:57 -0400
-Subject: [PATCH 12/29] Add coverity build scripts
+Subject: [PATCH] Add coverity build scripts
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 .gitignore    |  1 +
 Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
 Make.defaults |  2 ++
 Make.rules    |  4 ++++
 Makefile      |  1 +
 .gitignore    |  1 +
 5 files changed, 45 insertions(+)
 create mode 100644 Make.coverity
 diff --git a/.gitignore b/.gitignore
 index 1635ba2..847e172 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -12,3 +12,4 @@
 *.tar.*
 *.rpm
 core.*
 +cov-int
 diff --git a/Make.coverity b/Make.coverity
 new file mode 100644
 index 0000000..b80b091
@ -99,6 +90,12 @@ index db8eb7e..ca1a359 100644
 SUBDIRS := include libdpe src
-- 
+diff --git a/.gitignore b/.gitignore
-2.13.4
+index 1635ba2..847e172 100644
-
+--- a/.gitignore
 +++ b/.gitignore
@@ -12,3 +12,4 @@
 *.tar.*
 *.rpm
 core.*
 +cov-int
--- a/SOURCES/0013-Document-implicit-fallthrough.patch
+++ b/SOURCES/0013-Document-implicit-fallthrough.patch
@ -1,7 +1,7 @@
-From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 8 Jul 2017 16:31:18 -0400
-Subject: [PATCH 13/29] Document implicit fallthrough.
+Subject: [PATCH] Document implicit fallthrough.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -20,6 +20,3 @@ index ad659ca..03e0c47 100644
 	case IMPORT|SIGN|EXPORT:
 	default:
 		fprintf(stderr, "authvar: invalid flags: ");
 -- 
 2.13.4
--- a/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
+++ b/SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
@ -1,7 +1,7 @@
-From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 16 May 2016 15:25:53 -0400
-Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
+Subject: [PATCH] Actually setfacl /each/ directory of our key storage.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -45,6 +45,3 @@ index 8b9a885..940138e 100644
 		    setfacl -m g:${username}:rw ${y}
 		done
 	    fi
 -- 
 2.13.4
--- a/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
+++ b/SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
@ -1,7 +1,7 @@
-From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:31:38 -0400
-Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
+Subject: [PATCH] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
 indices.
 That was all kinds of wrong.
@ -54,6 +54,3 @@ index 599f49d..0e00781 100644
 	END_OID_LIST
 } ms_oid_t;
 -- 
 2.13.4
--- a/SOURCES/0016-efikeygen-add-modsign.patch
+++ b/SOURCES/0016-efikeygen-add-modsign.patch
@ -1,13 +1,13 @@
-From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:43:56 -0400
-Subject: [PATCH 16/29] efikeygen: add --modsign
+Subject: [PATCH] efikeygen: add --modsign
 ---
- src/cms_common.c | 29 ++++++++++++++++++++++++++++
+ src/cms_common.c | 29 +++++++++++++++++++++++++++
 src/efikeygen.c  | 61 ++++++++++++++++++++++++++++++++++++++++++++------------
 src/cms_common.h |  1 +
- src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
+ 3 files changed, 78 insertions(+), 13 deletions(-)
 3 files changed, 77 insertions(+), 12 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 6a4e6a7..2df2cfe 100644
@ -49,18 +49,6 @@ index 6a4e6a7..2df2cfe 100644
 int
 generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
 {
 diff --git a/src/cms_common.h b/src/cms_common.h
 index c7d7268..7a31273 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
 			SECItem *items, int num_items);
 extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
 			SECItem *original);
 +extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
 extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
 				time_t end);
 extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
 diff --git a/src/efikeygen.c b/src/efikeygen.c
 index 8a515a5..9390578 100644
 --- a/src/efikeygen.c
@ -86,15 +74,17 @@ index 8a515a5..9390578 100644
 -		.len = 12,
 -		.type = siBuffer
 -	};
 -
 -
 +	SECItem values[2];
 +	SECItem wrapped = { 0 };
-+	SECStatus status;
+ 	SECStatus status;
 +	SECOidTag tag;
 +	int rc;
 +
 +	if (modsign_only < 1 || modsign_only > 2)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
- 
+
 +	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
@ -108,8 +98,7 @@ index 8a515a5..9390578 100644
 +	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
- 
+
 -	SECStatus status;
 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
 -					&value, PR_FALSE, PR_TRUE);
@ -192,6 +181,15 @@ index 8a515a5..9390578 100644
 	if (rc < 0)
 		exit(1);
-- 
+diff --git a/src/cms_common.h b/src/cms_common.h
-2.13.4
+index c7d7268..7a31273 100644
-
+--- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
 			SECItem *items, int num_items);
 extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
 			SECItem *original);
 +extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
 extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
 				time_t end);
 extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
--- a/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
+++ b/SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
@ -1,7 +1,7 @@
-From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:25:02 -0400
-Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
+Subject: [PATCH] check_cert_db(): try even harder to pick a reasonable
 validation time.
 Signed-off-by: Peter Jones <pjones@redhat.com>
@ -116,6 +116,3 @@ index b7c99bb..1a4baf1 100644
 	/* Verify the signature */
 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
 						certUsageObjectSigner,
 -- 
 2.13.4
--- a/SOURCES/0018-show-which-db-we-re-checking.patch
+++ b/SOURCES/0018-show-which-db-we-re-checking.patch
@ -1,7 +1,7 @@
-From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:58:50 -0400
-Subject: [PATCH 18/29] show which db we're checking
+Subject: [PATCH] show which db we're checking
 ---
 src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
@ -132,6 +132,3 @@ index 1b916e3..7b5cc89 100644
 	int fd;
 	struct dblist *next;
 	size_t size;
 -- 
 2.13.4
--- a/SOURCES/0019-more-about-the-time.patch
+++ b/SOURCES/0019-more-about-the-time.patch
@ -1,7 +1,7 @@
-From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:00:46 -0400
-Subject: [PATCH 19/29] more about the time
+Subject: [PATCH] more about the time
 ---
 src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
@ -11,7 +11,7 @@ diff --git a/src/certdb.c b/src/certdb.c
 index 673e074..1078a8a 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
-@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	PRBool result;
 	SECStatus rv;
 	db_status status = NOT_FOUND;
@ -23,10 +23,14 @@ index 673e074..1078a8a 100644
 	efi_guid_t efi_x509 = efi_guid_x509_cert;
-@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0)
- 	if (!cinfo)
+ 		return NOT_FOUND;
 		goto out;
 +	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
 +				    NULL, NULL);
 +	if (!cinfo)
 +		goto out;
 +
 +	notBefore = earlyNow;
 +	notAfter = lateNow;
 +	find_cert_times(cinfo, &notBefore, &notAfter);
@ -52,14 +56,9 @@ index 673e074..1078a8a 100644
 +	atTime = earlyNow / 2 + lateNow / 2;
 +
 +
-+	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
-+				    NULL, NULL);
+ 				    NULL, NULL);
-+	if (!cinfo)
+ 	if (!cinfo)
 +		goto out;
 +
 	/* Generate the digest of contentInfo */
 	/* XXX support only sha256 for now */
 	digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 			PORT_ErrorToString(PORT_GetError()));
 		goto out;
@ -92,6 +91,3 @@ index 673e074..1078a8a 100644
 	/* Verify the signature */
 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
 -- 
 2.13.4
--- a/SOURCES/0020-try-to-say-why-something-fails.patch
+++ b/SOURCES/0020-try-to-say-why-something-fails.patch
@ -1,13 +1,13 @@
-From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:01:13 -0400
-Subject: [PATCH 20/29] try to say why something fails
+Subject: [PATCH] try to say why something fails
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c             |  15 ++-
 src/certdb.h             |   2 +-
 src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----
 src/certdb.h             |   2 +-
 src/pesigcheck_context.h |   1 +
 4 files changed, 233 insertions(+), 29 deletions(-)
@ -58,19 +58,6 @@ index 1078a8a..fae80af 100644
 -	return check_db(which, ctx, check_cert, data, datalen);
 +	return check_db(which, ctx, check_cert, data, datalen, match);
 }
 diff --git a/src/certdb.h b/src/certdb.h
 index ccf3c87..8402299 100644
 --- a/src/certdb.h
 +++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
 extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
 extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
 -				void *data, ssize_t datalen);
 +				void *data, ssize_t datalen, SECItem *match);
 extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
 extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index d7be542..c8e1086 100644
 --- a/src/pesigcheck.c
@ -402,6 +389,19 @@ index d7be542..c8e1086 100644
 	pesigcheck_context_fini(&ctx);
 	NSS_Shutdown();
 diff --git a/src/certdb.h b/src/certdb.h
 index ccf3c87..8402299 100644
 --- a/src/certdb.h
 +++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
 extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
 extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
 -				void *data, ssize_t datalen);
 +				void *data, ssize_t datalen, SECItem *match);
 extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
 extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
 diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
 index 7b5cc89..aec415e 100644
 --- a/src/pesigcheck_context.h
@ -414,6 +414,3 @@ index 7b5cc89..aec415e 100644
 	hashlist *hashes;
 -- 
 2.13.4
--- a/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch
+++ b/SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch
@ -1,7 +1,7 @@
-From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Sat, 6 May 2017 22:45:34 +0200
-Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
+Subject: [PATCH] Fix race condition in SEC_GetPassword
 A side effect of echoOff is to discard unread input, so if we print the
 prompt before echoOff, the user (or process) at the other end might
@ -29,6 +29,3 @@ index cd1c07e..d4eae0d 100644
 	}
 	fgets ( phrase, sizeof(phrase), input);
 -- 
 2.13.4
--- a/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
+++ b/SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
@ -1,7 +1,7 @@
-From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Tue, 13 Jun 2017 13:20:16 -0700
-Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
+Subject: [PATCH] sysvinit: Create the socket directory at runtime
 This better supports non-systemd configurations with tmpfs on /run.
 ---
@ -22,6 +22,3 @@ index d8fffca..dc508d8 100644
     daemon /usr/bin/pesign --daemonize
     RETVAL=$?
     echo
 -- 
 2.13.4
--- a/SOURCES/0023-Better-authorization-scripts.-Again.patch
+++ b/SOURCES/0023-Better-authorization-scripts.-Again.patch
@ -1,7 +1,7 @@
-From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 15:44:44 -0400
-Subject: [PATCH 23/29] Better authorization scripts.  Again.
+Subject: [PATCH] Better authorization scripts. Again.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -212,6 +212,3 @@ index dc508d8..b0e0f84 100644
 }
 stop(){
 -- 
 2.13.4
--- a/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
+++ b/SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
@ -1,8 +1,7 @@
-From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 17:28:19 -0400
-Subject: [PATCH 24/29] Make the daemon also try to give better errors on
+Subject: [PATCH] Make the daemon also try to give better errors on -EPERM etc.
 -EPERM etc.
 Basically 6796e5f but also for the daemon.  This also tries to fix them
 up to save errno better, for more accurate reporting.
@ -90,6 +89,3 @@ index 5879cfc..6ceda34 100644
 		}
 		status = register_oids(ctxp->cms_ctx);
 -- 
 2.13.4
--- a/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch
+++ b/SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch
@ -1,7 +1,7 @@
-From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:40:33 -0400
-Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
+Subject: [PATCH] certdb: fix PRTime printfs for i686
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -26,6 +26,3 @@ index fae80af..29c9502 100644
 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
 				    NULL, NULL);
 	if (!cinfo)
 -- 
 2.13.4
--- a/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch
+++ b/SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch
@ -1,7 +1,7 @@
-From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:02:38 -0400
-Subject: [PATCH 26/29] Clean up gcc command lines a little
+Subject: [PATCH] Clean up gcc command lines a little
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -36,6 +36,3 @@ index 39b78f0..b6c0381 100644
 	-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
 	-fno-merge-constants -fkeep-inline-functions \
 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
 -- 
 2.13.4
--- a/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch
+++ b/SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch
@ -1,7 +1,7 @@
-From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:03:37 -0400
-Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
+Subject: [PATCH] Make pesign-{users,groups} static in the repo.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -49,6 +49,3 @@ index 0000000..7f57cc5
 +++ b/src/pesign-users
@@ -0,0 +1 @@
 +pesign
 -- 
 2.13.4
--- a/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
+++ b/SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
@ -1,8 +1,8 @@
-From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:31:31 -0400
-Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
+Subject: [PATCH] rpm: Make the client signer use the fedora values unless
- unless overridden
+ overridden
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@ -38,6 +38,3 @@ index 69280e9..22a3ee6 100644
 		 --certdir ${_pesign_nssdir}				\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
     fi									\
 -- 
 2.13.4
--- a/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+++ b/SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
@ -1,15 +1,15 @@
-From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 14 Aug 2017 11:37:43 -0400
-Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
+Subject: [PATCH] Make macros.pesign error in kojibuilder if we don't have
- have perms on the socket
+ perms on the socket
 ---
- src/macros.pesign | 9 +++++++++
+ src/macros.pesign | 15 +++++++++++++++
- 1 file changed, 9 insertions(+)
+ 1 file changed, 15 insertions(+)
 diff --git a/src/macros.pesign b/src/macros.pesign
-index 22a3ee6..1665b4c 100644
+index 22a3ee6..dfdac02 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -43,6 +43,21 @@
@ -34,6 +34,3 @@ index 22a3ee6..1665b4c 100644
     elif [ -S /var/run/pesign/socket ]; then				\
       %{_pesign_client} -t %{__pesign_client_token}			\\\
                         -c %{__pesign_client_cert}			\\\
 -- 
 2.13.4
--- a/SOURCES/0030-Replace-var-run-with-run.patch
+++ b/SOURCES/0030-Replace-var-run-with-run.patch
@ -1,4 +1,4 @@
-From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 8 Nov 2021 17:58:09 -0500
 Subject: [PATCH] Replace /var/run with /run
@ -15,8 +15,8 @@ don't backport well.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/Makefile           |  2 +-
 src/daemon.h           |  4 ++--
 src/Makefile           |  2 +-
 src/macros.pesign      | 12 ++++++------
 src/pesign-authorize   |  2 +-
 src/pesign.service.in  |  2 +-
@ -24,19 +24,6 @@ Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 src/tmpfiles.conf      |  2 +-
 7 files changed, 17 insertions(+), 17 deletions(-)
 diff --git a/src/Makefile b/src/Makefile
 index 7d68fa1..a11e2b4 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
 -	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
 +	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/daemon.h b/src/daemon.h
 index d97eab9..db42c16 100644
 --- a/src/daemon.h
@ -51,6 +38,19 @@ index d97eab9..db42c16 100644
 +#define PIDFILE		"/run/pesign.pid"
 #endif /* DAEMON_H */
 diff --git a/src/Makefile b/src/Makefile
 index 7d68fa1..a11e2b4 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
 -	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
 +	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index dfdac02..f135c29 100644
 --- a/src/macros.pesign
@ -146,6 +146,3 @@ index c1cf355..3375ad5 100644
@@ -1 +1 @@
 -D /var/run/pesign 0770 pesign pesign -
 +D /run/pesign 0770 pesign pesign -
 -- 
 2.33.0
--- a/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch
+++ b/SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch
@ -1,4 +1,4 @@
-From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 May 2019 11:28:38 -0400
 Subject: [PATCH] efikeygen: Fix the build with nss 3.44
@ -41,6 +41,3 @@ index 9390578..089e6a7 100644
 	if (is_ca)
 		type |= NS_CERT_TYPE_SSL_CA |
 -- 
 2.33.0
--- a/SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch
+++ b/SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch
@ -0,0 +1,82 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Wed, 18 Jan 2023 14:00:22 -0500
 Subject: [PATCH] Use normal file permissions instead of ACLs
 Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
 pesign-authorize is now deprecated and will be removed in a future
 release.
 Resolves: CVE-2022-3560
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 (cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
 ---
 src/pesign-authorize | 53 +++++-----------------------------------------------
 1 file changed, 5 insertions(+), 48 deletions(-)
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 index 83a30cd..b4e89e0 100755
 --- a/src/pesign-authorize
 +++ b/src/pesign-authorize
@@ -2,55 +2,12 @@
 set -e
 set -u
 -#
 -# With /run/pesign/socket on tmpfs, a simple way of restoring the
 -# acls for specific users is useful
 -#
 -#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 -#
 -
 # License: GPLv2
 -declare -a fileusers=()
 -declare -a dirusers=()
 -for user in $(cat /etc/pesign/users); do
 -	dirusers[${#dirusers[@]}]=-m
 -	dirusers[${#dirusers[@]}]="u:$user:rwx"
 -	fileusers[${#fileusers[@]}]=-m
 -	fileusers[${#fileusers[@]}]="u:$user:rw"
 -done
 -
 -declare -a filegroups=()
 -declare -a dirgroups=()
 -for group in $(cat /etc/pesign/groups); do
 -	dirgroups[${#dirgroups[@]}]=-m
 -	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
 -	filegroups[${#filegroups[@]}]=-m
 -	filegroups[${#filegroups[@]}]="g:$group:rw"
 -done
 -
 -update_subdir() {
 -	subdir=$1 && shift
 -	setfacl -bk "${subdir}"
 -	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
 -	for x in "${subdir}"* ; do
 -		if [ -d "${x}" ]; then
 -			setfacl -bk ${x}
 -			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
 -			update_subdir "${x}/"
 -		elif [ -e "${x}" ]; then
 -			setfacl -bk ${x}
 -			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
 -		else
 -			:;
 -		fi
 -	done
 -}
 +# This script is deprecated and will be removed in a future release.
 -for x in /run/pesign/ /etc/pki/pesign*/ ; do
 -	if [ -d "${x}" ]; then
 -		update_subdir "${x}"
 -	else
 -		:;
 -	fi
 +sleep 3
 +for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
 +	chown -R pesign:pesign "${x}" || true
 +	chmod -R ug+rwX "${x}" || true
 done
--- a/SOURCES/pesign.patches
+++ b/SOURCES/pesign.patches
@ -0,0 +1,32 @@
 Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
 Patch0002: 0002-Fix-command-line-parsing.patch
 Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
 Patch0004: 0004-Fix-certficate-argument-name.patch
 Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
 Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
 Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
 Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
 Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
 Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
 Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
 Patch0012: 0012-Add-coverity-build-scripts.patch
 Patch0013: 0013-Document-implicit-fallthrough.patch
 Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
 Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
 Patch0016: 0016-efikeygen-add-modsign.patch
 Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
 Patch0018: 0018-show-which-db-we-re-checking.patch
 Patch0019: 0019-more-about-the-time.patch
 Patch0020: 0020-try-to-say-why-something-fails.patch
 Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
 Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
 Patch0023: 0023-Better-authorization-scripts.-Again.patch
 Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
 Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
 Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
 Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
 Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
 Patch0030: 0030-Replace-var-run-with-run.patch
 Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
 Patch0032: 0032-Use-normal-file-permissions-instead-of-ACLs.patch
--- a/SPECS/pesign.spec
+++ b/SPECS/pesign.spec
@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 0.112
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign
@ -29,38 +29,9 @@ BuildRequires: rh-signing-tools >= 1.20-2
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Source2: pesign.py
 Source3: pesign.patches
-Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
+%include %{SOURCE3}
 Patch0002: 0002-Fix-command-line-parsing.patch
 Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
 Patch0004: 0004-Fix-certficate-argument-name.patch
 Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
 Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
 Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
 Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
 Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
 Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
 Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
 Patch0012: 0012-Add-coverity-build-scripts.patch
 Patch0013: 0013-Document-implicit-fallthrough.patch
 Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
 Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
 Patch0016: 0016-efikeygen-add-modsign.patch
 Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
 Patch0018: 0018-show-which-db-we-re-checking.patch
 Patch0019: 0019-more-about-the-time.patch
 Patch0020: 0020-try-to-say-why-something-fails.patch
 Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
 Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
 Patch0023: 0023-Better-authorization-scripts.-Again.patch
 Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
 Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
 Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
 Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
 Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
 Patch0030: 0030-Replace-var-run-with-run.patch
 Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -165,6 +136,10 @@ exit 0
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 %changelog
 * Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 0.112-27
 - Deprecate pesign-authorize and drop ACL
 - Resolves: CVE-2022-3560
 * Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
 - Perform the /var/run to /run "migration" stupidity
 - Resolves: rhbz#1801976