.gitignore

@@ -1,4 +1,2 @@
 SOURCES/certs.tar.xz
 SOURCES/pesign-0.112.tar.bz2
-/certs.tar.xz
-/pesign-0.112.tar.bz2

.pesign.metadata

@@ -0,0 +1,2 @@
+53d9b43ef6eadb4512ce9738b5a6efbb40477983 SOURCES/certs.tar.xz
+7cba5cfddabc425d0a927edfdd6865cc92f00c7b SOURCES/pesign-0.112.tar.bz2

SOURCES/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch

@@ -1,8 +1,8 @@
-From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 21 Apr 2016 10:47:34 -0400
-Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
- and it's unused.
+Subject: [PATCH] cms: kill generate_integer(), it doesn't build on i686 and
+ it's unused.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -67,6 +67,3 @@ index 7d77faf..c7d7268 100644
  extern int generate_string(cms_context *cms, SECItem *der, char *str);
  extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
  extern int wrap_in_seq(cms_context *cms, SECItem *der,
--- 
-2.13.4
-

SOURCES/0002-Fix-command-line-parsing.patch

@@ -1,7 +1,7 @@
-From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Thu, 9 Jun 2016 14:30:37 +0200
-Subject: [PATCH 02/29] Fix command line parsing
+Subject: [PATCH] Fix command line parsing
 
 The gettext translation domain should be passed as .arg, not .descrip,
 otherwise popt won't process any of the command line options (it stops
@@ -68,6 +68,3 @@ index 1328fe9..0d49c1a 100644
  		{.longName = "dbfile",
  		 .shortName = 'D',
  		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--- 
-2.13.4
-

SOURCES/0003-gcc-don-t-error-on-stuff-in-includes.patch

@@ -1,7 +1,7 @@
-From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 Aug 2016 17:12:39 -0400
-Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
+Subject: [PATCH] gcc: don't error on stuff in includes.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -21,6 +21,3 @@ index c97b452..3511080 100644
  AS	:= $(CROSS_COMPILE)as
  AR	:= $(CROSS_COMPILE)gcc-ar
  RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
--- 
-2.13.4
-

SOURCES/0004-Fix-certficate-argument-name.patch

@@ -1,7 +1,7 @@
-From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:00:34 -0400
-Subject: [PATCH 04/29] Fix "certficate" argument name.
+Subject: [PATCH] Fix "certficate" argument name.
 
 This fixes our typoed argument name by making the incorrectly spelled
 version be a popt alias, and fixing the real implementation to be
@@ -34,6 +34,3 @@ index 7b3385d..5a97748 100644
  pesign alias --cert --certificate
 +pesign alias --certficate --certificate
  pesign alias --daemon --daemonize
--- 
-2.13.4
-

SOURCES/0005-Fix-description-of-ascii-armor-option-in-manpage.patch

@@ -1,7 +1,7 @@
-From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Mon, 27 Jun 2016 15:38:38 +0200
-Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
+Subject: [PATCH] Fix description of --ascii-armor option in manpage
 
 The --ascii option does not exist.
 ---
@@ -21,6 +21,3 @@ index 47d1aec..29ae060 100644
  Use ascii armoring on exported certificates.
  
  .TP
--- 
-2.13.4
-

SOURCES/0006-Make-ascii-work-since-we-documented-it.patch

@@ -1,7 +1,7 @@
-From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:05:40 -0400
-Subject: [PATCH 06/29] Make --ascii work, since we documented it.
+Subject: [PATCH] Make --ascii work, since we documented it.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -17,6 +17,3 @@ index 5a97748..5ae0c5c 100644
  pesign alias --certficate --certificate
  pesign alias --daemon --daemonize
 +pesign alias --ascii --ascii-armor
--- 
-2.13.4
-

SOURCES/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch

@@ -1,8 +1,8 @@
-From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Mon, 7 Nov 2016 11:37:08 -0600
-Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
- rather than use hard coded values
+Subject: [PATCH] Switch pesign client to also accept token/cert macros rather
+ than use hard coded values
 
 ---
  src/macros.pesign | 6 +++---
@@ -27,6 +27,3 @@ index 18e5b5e..69280e9 100644
  		 --certdir ${_pesign_nssdir}				\\\
                   %{-i} %{-o} %{-e} %{-s} %{-C}				\
      fi									\
--- 
-2.13.4
-

SOURCES/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch

@@ -1,7 +1,7 @@
-From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 16 Feb 2017 15:08:30 -0800
-Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
+Subject: [PATCH] pesigcheck: Verify with the cert as an object signer
 
 ---
  src/certdb.c | 2 +-
@@ -20,6 +20,3 @@ index 2a08042..b7c99bb 100644
  						digest, HASH_AlgSHA256,
  						PR_FALSE, atTime);
  	if (!result) {
--- 
-2.13.4
-

SOURCES/0009-pesigcheck-make-certfile-actually-work.patch

@@ -1,7 +1,7 @@
-From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 24 Apr 2017 15:18:10 -0400
-Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
+Subject: [PATCH] pesigcheck: make --certfile actually work
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -42,6 +42,3 @@ index 0d49c1a..d7be542 100644
  		 .argDescrip = "<certfile>" },
  		POPT_AUTOALIAS
  		POPT_AUTOHELP
--- 
-2.13.4
-

SOURCES/0010-signerInfos-make-sure-err-is-always-initialized.patch

@@ -1,7 +1,7 @@
-From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:15:07 -0400
-Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
+Subject: [PATCH] signerInfos: make sure err is always initialized
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -22,6 +22,3 @@ index 721db90..9e0af23 100644
  
  	if (!signerInfo_list_p)
  		return -1;
--- 
-2.13.4
-

SOURCES/0011-pesign-make-pesign-h-tell-you-the-file-name.patch

@@ -1,7 +1,7 @@
-From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:23:36 -0400
-Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
+Subject: [PATCH] pesign: make "pesign -h" tell you the file name.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -21,6 +21,3 @@ index 279a17a..5879cfc 100644
  	int j = ctx->selected_digest;
  	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
  		printf("%02x",
--- 
-2.13.4
-

SOURCES/0012-Add-coverity-build-scripts.patch

@@ -1,27 +1,18 @@
-From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 May 2017 10:49:57 -0400
-Subject: [PATCH 12/29] Add coverity build scripts
+Subject: [PATCH] Add coverity build scripts
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
- .gitignore    |  1 +
  Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
  Make.defaults |  2 ++
  Make.rules    |  4 ++++
  Makefile      |  1 +
+ .gitignore    |  1 +
  5 files changed, 45 insertions(+)
  create mode 100644 Make.coverity
 
-diff --git a/.gitignore b/.gitignore
-index 1635ba2..847e172 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -12,3 +12,4 @@
- *.tar.*
- *.rpm
- core.*
-+cov-int
 diff --git a/Make.coverity b/Make.coverity
 new file mode 100644
 index 0000000..b80b091
@@ -99,6 +90,12 @@ index db8eb7e..ca1a359 100644
  
  SUBDIRS := include libdpe src
  
--- 
-2.13.4
-
+diff --git a/.gitignore b/.gitignore
+index 1635ba2..847e172 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -12,3 +12,4 @@
+ *.tar.*
+ *.rpm
+ core.*
++cov-int

SOURCES/0013-Document-implicit-fallthrough.patch

@@ -1,7 +1,7 @@
-From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 8 Jul 2017 16:31:18 -0400
-Subject: [PATCH 13/29] Document implicit fallthrough.
+Subject: [PATCH] Document implicit fallthrough.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -20,6 +20,3 @@ index ad659ca..03e0c47 100644
  	case IMPORT|SIGN|EXPORT:
  	default:
  		fprintf(stderr, "authvar: invalid flags: ");
--- 
-2.13.4
-

SOURCES/0014-Actually-setfacl-each-directory-of-our-key-storage.patch

@@ -1,7 +1,7 @@
-From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 16 May 2016 15:25:53 -0400
-Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
+Subject: [PATCH] Actually setfacl /each/ directory of our key storage.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -45,6 +45,3 @@ index 8b9a885..940138e 100644
  		    setfacl -m g:${username}:rw ${y}
  		done
  	    fi
--- 
-2.13.4
-

SOURCES/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch

@@ -1,7 +1,7 @@
-From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:31:38 -0400
-Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
+Subject: [PATCH] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
  indices.
 
 That was all kinds of wrong.
@@ -54,6 +54,3 @@ index 599f49d..0e00781 100644
  	END_OID_LIST
  } ms_oid_t;
  
--- 
-2.13.4
-

SOURCES/0016-efikeygen-add-modsign.patch

@@ -1,13 +1,13 @@
-From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:43:56 -0400
-Subject: [PATCH 16/29] efikeygen: add --modsign
+Subject: [PATCH] efikeygen: add --modsign
 
 ---
- src/cms_common.c | 29 ++++++++++++++++++++++++++++
+ src/cms_common.c | 29 +++++++++++++++++++++++++++
+ src/efikeygen.c  | 61 ++++++++++++++++++++++++++++++++++++++++++++------------
  src/cms_common.h |  1 +
- src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
- 3 files changed, 77 insertions(+), 12 deletions(-)
+ 3 files changed, 78 insertions(+), 13 deletions(-)
 
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 6a4e6a7..2df2cfe 100644
@@ -49,18 +49,6 @@ index 6a4e6a7..2df2cfe 100644
  int
  generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
  {
-diff --git a/src/cms_common.h b/src/cms_common.h
-index c7d7268..7a31273 100644
---- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
- 			SECItem *items, int num_items);
- extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
- 			SECItem *original);
-+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
- extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
- 				time_t end);
- extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
 diff --git a/src/efikeygen.c b/src/efikeygen.c
 index 8a515a5..9390578 100644
 --- a/src/efikeygen.c
@@ -86,15 +74,17 @@ index 8a515a5..9390578 100644
 -		.len = 12,
 -		.type = siBuffer
 -	};
+-
+-
 +	SECItem values[2];
 +	SECItem wrapped = { 0 };
-+	SECStatus status;
+ 	SECStatus status;
 +	SECOidTag tag;
 +	int rc;
 +
 +	if (modsign_only < 1 || modsign_only > 2)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
- 
++
 +	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
@@ -108,8 +98,7 @@ index 8a515a5..9390578 100644
 +	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
- 
--	SECStatus status;
++
  
  	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
 -					&value, PR_FALSE, PR_TRUE);
@@ -192,6 +181,15 @@ index 8a515a5..9390578 100644
  	if (rc < 0)
  		exit(1);
  
--- 
-2.13.4
-
+diff --git a/src/cms_common.h b/src/cms_common.h
+index c7d7268..7a31273 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
+ 			SECItem *items, int num_items);
+ extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
+ 			SECItem *original);
++extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
+ extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
+ 				time_t end);
+ extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);

SOURCES/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch

@@ -1,7 +1,7 @@
-From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:25:02 -0400
-Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
+Subject: [PATCH] check_cert_db(): try even harder to pick a reasonable
  validation time.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
@@ -116,6 +116,3 @@ index b7c99bb..1a4baf1 100644
  	/* Verify the signature */
  	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
  						certUsageObjectSigner,
--- 
-2.13.4
-

SOURCES/0018-show-which-db-we-re-checking.patch

@@ -1,7 +1,7 @@
-From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:58:50 -0400
-Subject: [PATCH 18/29] show which db we're checking
+Subject: [PATCH] show which db we're checking
 
 ---
  src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
@@ -132,6 +132,3 @@ index 1b916e3..7b5cc89 100644
  	int fd;
  	struct dblist *next;
  	size_t size;
--- 
-2.13.4
-

SOURCES/0019-more-about-the-time.patch

@@ -1,7 +1,7 @@
-From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:00:46 -0400
-Subject: [PATCH 19/29] more about the time
+Subject: [PATCH] more about the time
 
 ---
  src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
@@ -11,7 +11,7 @@ diff --git a/src/certdb.c b/src/certdb.c
 index 673e074..1078a8a 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
-@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+@@ -345,14 +345,46 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
  	PRBool result;
  	SECStatus rv;
  	db_status status = NOT_FOUND;
@@ -23,10 +23,14 @@ index 673e074..1078a8a 100644
  
  	efi_guid_t efi_x509 = efi_guid_x509_cert;
  
-@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	if (!cinfo)
- 		goto out;
+ 	if (memcmp(sigtype, &efi_x509, sizeof(efi_guid_t)) != 0)
+ 		return NOT_FOUND;
  
++	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
++				    NULL, NULL);
++	if (!cinfo)
++		goto out;
++
 +	notBefore = earlyNow;
 +	notAfter = lateNow;
 +	find_cert_times(cinfo, &notBefore, &notAfter);
@@ -52,14 +56,9 @@ index 673e074..1078a8a 100644
 +	atTime = earlyNow / 2 + lateNow / 2;
 +
 +
-+	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
-+				    NULL, NULL);
-+	if (!cinfo)
-+		goto out;
-+
- 	/* Generate the digest of contentInfo */
- 	/* XXX support only sha256 for now */
- 	digest = SECITEM_AllocItem(NULL, NULL, 32);
+ 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ 				    NULL, NULL);
+ 	if (!cinfo)
 @@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
  			PORT_ErrorToString(PORT_GetError()));
  		goto out;
@@ -92,6 +91,3 @@ index 673e074..1078a8a 100644
  
  	/* Verify the signature */
  	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--- 
-2.13.4
-

SOURCES/0020-try-to-say-why-something-fails.patch

@@ -1,13 +1,13 @@
-From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:01:13 -0400
-Subject: [PATCH 20/29] try to say why something fails
+Subject: [PATCH] try to say why something fails
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
  src/certdb.c             |  15 ++-
- src/certdb.h             |   2 +-
  src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----
+ src/certdb.h             |   2 +-
  src/pesigcheck_context.h |   1 +
  4 files changed, 233 insertions(+), 29 deletions(-)
 
@@ -58,19 +58,6 @@ index 1078a8a..fae80af 100644
 -	return check_db(which, ctx, check_cert, data, datalen);
 +	return check_db(which, ctx, check_cert, data, datalen, match);
  }
-diff --git a/src/certdb.h b/src/certdb.h
-index ccf3c87..8402299 100644
---- a/src/certdb.h
-+++ b/src/certdb.h
-@@ -43,7 +43,7 @@ typedef struct {
- 
- extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
- extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
--				void *data, ssize_t datalen);
-+				void *data, ssize_t datalen, SECItem *match);
- 
- extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
- extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index d7be542..c8e1086 100644
 --- a/src/pesigcheck.c
@@ -402,6 +389,19 @@ index d7be542..c8e1086 100644
  	pesigcheck_context_fini(&ctx);
  
  	NSS_Shutdown();
+diff --git a/src/certdb.h b/src/certdb.h
+index ccf3c87..8402299 100644
+--- a/src/certdb.h
++++ b/src/certdb.h
+@@ -43,7 +43,7 @@ typedef struct {
+ 
+ extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
+ extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
+-				void *data, ssize_t datalen);
++				void *data, ssize_t datalen, SECItem *match);
+ 
+ extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
+ extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
 diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
 index 7b5cc89..aec415e 100644
 --- a/src/pesigcheck_context.h
@@ -414,6 +414,3 @@ index 7b5cc89..aec415e 100644
  
  	hashlist *hashes;
  
--- 
-2.13.4
-

SOURCES/0021-Fix-race-condition-in-SEC_GetPassword.patch

@@ -1,7 +1,7 @@
-From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Sat, 6 May 2017 22:45:34 +0200
-Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
+Subject: [PATCH] Fix race condition in SEC_GetPassword
 
 A side effect of echoOff is to discard unread input, so if we print the
 prompt before echoOff, the user (or process) at the other end might
@@ -29,6 +29,3 @@ index cd1c07e..d4eae0d 100644
  	}
  
  	fgets ( phrase, sizeof(phrase), input);
--- 
-2.13.4
-

SOURCES/0022-sysvinit-Create-the-socket-directory-at-runtime.patch

@@ -1,7 +1,7 @@
-From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Tue, 13 Jun 2017 13:20:16 -0700
-Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
+Subject: [PATCH] sysvinit: Create the socket directory at runtime
 
 This better supports non-systemd configurations with tmpfs on /run.
 ---
@@ -22,6 +22,3 @@ index d8fffca..dc508d8 100644
      daemon /usr/bin/pesign --daemonize
      RETVAL=$?
      echo
--- 
-2.13.4
-

SOURCES/0023-Better-authorization-scripts.-Again.patch

@@ -1,7 +1,7 @@
-From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 15:44:44 -0400
-Subject: [PATCH 23/29] Better authorization scripts.  Again.
+Subject: [PATCH] Better authorization scripts. Again.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -212,6 +212,3 @@ index dc508d8..b0e0f84 100644
  }
  
  stop(){
--- 
-2.13.4
-

SOURCES/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch

@@ -1,8 +1,7 @@
-From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 17:28:19 -0400
-Subject: [PATCH 24/29] Make the daemon also try to give better errors on
- -EPERM etc.
+Subject: [PATCH] Make the daemon also try to give better errors on -EPERM etc.
 
 Basically 6796e5f but also for the daemon.  This also tries to fix them
 up to save errno better, for more accurate reporting.
@@ -90,6 +89,3 @@ index 5879cfc..6ceda34 100644
  		}
  
  		status = register_oids(ctxp->cms_ctx);
--- 
-2.13.4
-

SOURCES/0025-certdb-fix-PRTime-printfs-for-i686.patch

@@ -1,7 +1,7 @@
-From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:40:33 -0400
-Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
+Subject: [PATCH] certdb: fix PRTime printfs for i686
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -26,6 +26,3 @@ index fae80af..29c9502 100644
  	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
  				    NULL, NULL);
  	if (!cinfo)
--- 
-2.13.4
-

SOURCES/0026-Clean-up-gcc-command-lines-a-little.patch

@@ -1,7 +1,7 @@
-From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:02:38 -0400
-Subject: [PATCH 26/29] Clean up gcc command lines a little
+Subject: [PATCH] Clean up gcc command lines a little
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -36,6 +36,3 @@ index 39b78f0..b6c0381 100644
  	-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
  	-fno-merge-constants -fkeep-inline-functions \
  	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--- 
-2.13.4
-

SOURCES/0027-Make-pesign-users-groups-static-in-the-repo.patch

@@ -1,7 +1,7 @@
-From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:03:37 -0400
-Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
+Subject: [PATCH] Make pesign-{users,groups} static in the repo.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -49,6 +49,3 @@ index 0000000..7f57cc5
 +++ b/src/pesign-users
 @@ -0,0 +1 @@
 +pesign
--- 
-2.13.4
-

SOURCES/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch

@@ -1,8 +1,8 @@
-From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:31:31 -0400
-Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
- unless overridden
+Subject: [PATCH] rpm: Make the client signer use the fedora values unless
+ overridden
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -38,6 +38,3 @@ index 69280e9..22a3ee6 100644
  		 --certdir ${_pesign_nssdir}				\\\
                   %{-i} %{-o} %{-e} %{-s} %{-C}				\
      fi									\
--- 
-2.13.4
-

SOURCES/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch

@@ -1,15 +1,15 @@
-From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 14 Aug 2017 11:37:43 -0400
-Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
- have perms on the socket
+Subject: [PATCH] Make macros.pesign error in kojibuilder if we don't have
+ perms on the socket
 
 ---
- src/macros.pesign | 9 +++++++++
- 1 file changed, 9 insertions(+)
+ src/macros.pesign | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
 
 diff --git a/src/macros.pesign b/src/macros.pesign
-index 22a3ee6..1665b4c 100644
+index 22a3ee6..dfdac02 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
 @@ -43,6 +43,21 @@
@@ -34,6 +34,3 @@ index 22a3ee6..1665b4c 100644
      elif [ -S /var/run/pesign/socket ]; then				\
        %{_pesign_client} -t %{__pesign_client_token}			\\\
                          -c %{__pesign_client_cert}			\\\
--- 
-2.13.4
-

SOURCES/0030-Replace-var-run-with-run.patch

@@ -1,4 +1,4 @@
-From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 8 Nov 2021 17:58:09 -0500
 Subject: [PATCH] Replace /var/run with /run
@@ -15,8 +15,8 @@ don't backport well.
 
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
- src/Makefile           |  2 +-
  src/daemon.h           |  4 ++--
+ src/Makefile           |  2 +-
  src/macros.pesign      | 12 ++++++------
  src/pesign-authorize   |  2 +-
  src/pesign.service.in  |  2 +-
@@ -24,19 +24,6 @@ Signed-off-by: Robbie Harwood <rharwood@redhat.com>
  src/tmpfiles.conf      |  2 +-
  7 files changed, 17 insertions(+), 17 deletions(-)
 
-diff --git a/src/Makefile b/src/Makefile
-index 7d68fa1..a11e2b4 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
- install :
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
--	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
-+	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
- 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
- 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/daemon.h b/src/daemon.h
 index d97eab9..db42c16 100644
 --- a/src/daemon.h
@@ -51,6 +38,19 @@ index d97eab9..db42c16 100644
 +#define PIDFILE		"/run/pesign.pid"
  
  #endif /* DAEMON_H */
+diff --git a/src/Makefile b/src/Makefile
+index 7d68fa1..a11e2b4 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
+ install :
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
+-	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
++	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index dfdac02..f135c29 100644
 --- a/src/macros.pesign
@@ -146,6 +146,3 @@ index c1cf355..3375ad5 100644
 @@ -1 +1 @@
 -D /var/run/pesign 0770 pesign pesign -
 +D /run/pesign 0770 pesign pesign -
--- 
-2.33.0
-

SOURCES/0031-efikeygen-Fix-the-build-with-nss-3.44.patch

@@ -1,4 +1,4 @@
-From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 May 2019 11:28:38 -0400
 Subject: [PATCH] efikeygen: Fix the build with nss 3.44
@@ -41,6 +41,3 @@ index 9390578..089e6a7 100644
  
  	if (is_ca)
  		type |= NS_CERT_TYPE_SSL_CA |
--- 
-2.33.0
-

SOURCES/0032-Use-normal-file-permissions-instead-of-ACLs.patch

@@ -0,0 +1,82 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Wed, 18 Jan 2023 14:00:22 -0500
+Subject: [PATCH] Use normal file permissions instead of ACLs
+
+Fixes a symlink attack that can't be mitigated using getfacl/setfacl.
+
+pesign-authorize is now deprecated and will be removed in a future
+release.
+
+Resolves: CVE-2022-3560
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+(cherry picked from commit 21d0c7afe0c0c23eee72a5e144995f0acb73b763)
+---
+ src/pesign-authorize | 53 +++++-----------------------------------------------
+ 1 file changed, 5 insertions(+), 48 deletions(-)
+
+diff --git a/src/pesign-authorize b/src/pesign-authorize
+index 83a30cd..b4e89e0 100755
+--- a/src/pesign-authorize
++++ b/src/pesign-authorize
+@@ -2,55 +2,12 @@
+ set -e
+ set -u
+ 
+-#
+-# With /run/pesign/socket on tmpfs, a simple way of restoring the
+-# acls for specific users is useful
+-#
+-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
+-#
+-
+ # License: GPLv2
+-declare -a fileusers=()
+-declare -a dirusers=()
+-for user in $(cat /etc/pesign/users); do
+-	dirusers[${#dirusers[@]}]=-m
+-	dirusers[${#dirusers[@]}]="u:$user:rwx"
+-	fileusers[${#fileusers[@]}]=-m
+-	fileusers[${#fileusers[@]}]="u:$user:rw"
+-done
+-
+-declare -a filegroups=()
+-declare -a dirgroups=()
+-for group in $(cat /etc/pesign/groups); do
+-	dirgroups[${#dirgroups[@]}]=-m
+-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
+-	filegroups[${#filegroups[@]}]=-m
+-	filegroups[${#filegroups[@]}]="g:$group:rw"
+-done
+-
+-update_subdir() {
+-	subdir=$1 && shift
+ 
+-	setfacl -bk "${subdir}"
+-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
+-	for x in "${subdir}"* ; do
+-		if [ -d "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
+-			update_subdir "${x}/"
+-		elif [ -e "${x}" ]; then
+-			setfacl -bk ${x}
+-			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
+-		else
+-			:;
+-		fi
+-	done
+-}
++# This script is deprecated and will be removed in a future release.
+ 
+-for x in /run/pesign/ /etc/pki/pesign*/ ; do
+-	if [ -d "${x}" ]; then
+-		update_subdir "${x}"
+-	else
+-		:;
+-	fi
++sleep 3
++for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
++	chown -R pesign:pesign "${x}" || true
++	chmod -R ug+rwX "${x}" || true
+ done

SOURCES/pesign.patches

@@ -0,0 +1,32 @@
+Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
+Patch0002: 0002-Fix-command-line-parsing.patch
+Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
+Patch0004: 0004-Fix-certficate-argument-name.patch
+Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
+Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
+Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
+Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
+Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
+Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
+Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
+Patch0012: 0012-Add-coverity-build-scripts.patch
+Patch0013: 0013-Document-implicit-fallthrough.patch
+Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
+Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
+Patch0016: 0016-efikeygen-add-modsign.patch
+Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
+Patch0018: 0018-show-which-db-we-re-checking.patch
+Patch0019: 0019-more-about-the-time.patch
+Patch0020: 0020-try-to-say-why-something-fails.patch
+Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
+Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
+Patch0023: 0023-Better-authorization-scripts.-Again.patch
+Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
+Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
+Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
+Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
+Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
+Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+Patch0030: 0030-Replace-var-run-with-run.patch
+Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
+Patch0032: 0032-Use-normal-file-permissions-instead-of-ACLs.patch

SPECS/pesign.spec

@@ -3,7 +3,7 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
 Version: 0.112
-Release: 26%{?dist}
+Release: 27%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign
 
@@ -29,38 +29,9 @@ BuildRequires: rh-signing-tools >= 1.20-2
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Source2: pesign.py
+Source3: pesign.patches
 
-Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
-Patch0002: 0002-Fix-command-line-parsing.patch
-Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
-Patch0004: 0004-Fix-certficate-argument-name.patch
-Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
-Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
-Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
-Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
-Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
-Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
-Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
-Patch0012: 0012-Add-coverity-build-scripts.patch
-Patch0013: 0013-Document-implicit-fallthrough.patch
-Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
-Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
-Patch0016: 0016-efikeygen-add-modsign.patch
-Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
-Patch0018: 0018-show-which-db-we-re-checking.patch
-Patch0019: 0019-more-about-the-time.patch
-Patch0020: 0020-try-to-say-why-something-fails.patch
-Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
-Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
-Patch0023: 0023-Better-authorization-scripts.-Again.patch
-Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
-Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
-Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
-Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
-Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
-Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
-Patch0030: 0030-Replace-var-run-with-run.patch
-Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
+%include %{SOURCE3}
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -165,6 +136,10 @@ exit 0
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 
 %changelog
+* Wed Jan 18 2023 Robbie Harwood <rharwood@redhat.com> - 0.112-27
+- Deprecate pesign-authorize and drop ACL
+- Resolves: CVE-2022-3560
+
 * Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
 - Perform the /var/run to /run "migration" stupidity
 - Resolves: rhbz#1801976

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-8
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-pesign.tier0.functional}

rpminspect.yaml

@@ -1,13 +0,0 @@
----
-inspections:
-  # Not a Java package
-  javabytecode: off
-
-  # These just flag when things change "too much"
-  changedfiles: off
-  filesize: off
-  patches: off
-  upstream: off
-
-  # https://bugzilla.redhat.com/show_bug.cgi?id=2010936
-  annocheck: off

sources

@@ -1,2 +0,0 @@
-SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188
-SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c