52 changed files with 2441 additions and 1403 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,4 @@
 SOURCES/certs.tar.xz
-SOURCES/pesign-113.tar.bz2
+SOURCES/pesign-0.112.tar.bz2
 /certs.tar.xz
 /pesign-0.112.tar.bz2
--- a/.pesign.metadata
+++ b/.pesign.metadata
@ -1,2 +0,0 @@
 b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz
 1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2
--- a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
+++ b/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
@ -0,0 +1,72 @@
 From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 21 Apr 2016 10:47:34 -0400
 Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
 and it's unused.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/cms_common.c | 34 ----------------------------------
 src/cms_common.h |  1 -
 2 files changed, 35 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index b19bc62..6a4e6a7 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
 	return 0;
 }
 -static SEC_ASN1Template IntegerTemplate[] = {
 -	{.kind = SEC_ASN1_INTEGER,
 -	 .offset = 0,
 -	 .sub = NULL,
 -	 .size = sizeof(long),
 -	},
 -	{ 0 },
 -};
 -
 -int
 -generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
 -{
 -	void *ret;
 -
 -	uint32_t u32;
 -
 -	SECItem input = {
 -		.data = (void *)&integer,
 -		.len = sizeof(integer),
 -		.type = siUnsignedInteger,
 -	};
 -
 -	if (integer < 0x100000000) {
 -		u32 = integer & 0xffffffffUL;
 -		input.data = (void *)&u32;
 -		input.len = sizeof(u32);
 -	}
 -
 -	ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
 -	if (ret == NULL)
 -		cmsreterr(-1, cms, "could not encode data");
 -	return 0;
 -}
 -
 int
 generate_time(cms_context *cms, SECItem *encoded, time_t when)
 {
 diff --git a/src/cms_common.h b/src/cms_common.h
 index 7d77faf..c7d7268 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
 				SECOidTag tag);
 extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
 extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
 -extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
 extern int generate_string(cms_context *cms, SECItem *der, char *str);
 extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
 extern int wrap_in_seq(cms_context *cms, SECItem *der,
 -- 
 2.13.4
--- a/0002-Fix-command-line-parsing.patch
+++ b/0002-Fix-command-line-parsing.patch
@ -0,0 +1,73 @@
 From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Thu, 9 Jun 2016 14:30:37 +0200
 Subject: [PATCH 02/29] Fix command line parsing
 The gettext translation domain should be passed as .arg, not .descrip,
 otherwise popt won't process any of the command line options (it stops
 looping over the struct poptOption array when an entry has unset
 longName, shortName and arg).
 Signed-off-by: Julien Cristau <jcristau@debian.org>
 ---
 src/client.c     | 2 +-
 src/efikeygen.c  | 2 +-
 src/efisiglist.c | 2 +-
 src/pesigcheck.c | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
 diff --git a/src/client.c b/src/client.c
 index 028419f..575c873 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -555,7 +555,7 @@ main(int argc, char *argv[])
 	struct poptOption options[] = {
 		{.argInfo = POPT_ARG_INTL_DOMAIN,
 -		 .descrip = "pesign" },
 +		 .arg = "pesign" },
 		{.longName = "token",
 		 .shortName = 't',
 		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
 diff --git a/src/efikeygen.c b/src/efikeygen.c
 index 6278849..8a515a5 100644
 --- a/src/efikeygen.c
 +++ b/src/efikeygen.c
@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
 	poptContext optCon;
 	struct poptOption options[] = {
 		{.argInfo = POPT_ARG_INTL_DOMAIN,
 -		 .descrip = "pesign" },
 +		 .arg = "pesign" },
 		/* global nss-ish things */
 		{.longName = "dbdir",
 		 .shortName = 'd',
 diff --git a/src/efisiglist.c b/src/efisiglist.c
 index cd3f1ae..40d6a93 100644
 --- a/src/efisiglist.c
 +++ b/src/efisiglist.c
@@ -126,7 +126,7 @@ main(int argc, char *argv[])
 	struct poptOption options[] = {
 		{.argInfo = POPT_ARG_INTL_DOMAIN,
 -		 .descrip = "pesign" },
 +		 .arg = "pesign" },
 		{.longName = "infile",
 		 .shortName = 'i',
 		 .argInfo = POPT_ARG_STRING,
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index 1328fe9..0d49c1a 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -214,7 +214,7 @@ main(int argc, char *argv[])
 	poptContext optCon;
 	struct poptOption options[] = {
 		{.argInfo = POPT_ARG_INTL_DOMAIN,
 -		 .descrip = "pesign" },
 +		 .arg = "pesign" },
 		{.longName = "dbfile",
 		 .shortName = 'D',
 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
 -- 
 2.13.4
--- a/0003-gcc-don-t-error-on-stuff-in-includes.patch
+++ b/0003-gcc-don-t-error-on-stuff-in-includes.patch
@ -0,0 +1,26 @@
 From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 Aug 2016 17:12:39 -0400
 Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Make.defaults b/Make.defaults
 index c97b452..3511080 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
 CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
 CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
 CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
 -	   -Wall -Werror -Wextra
 +	   -Wall -Werror -Wextra -Wno-error=cpp
 AS	:= $(CROSS_COMPILE)as
 AR	:= $(CROSS_COMPILE)gcc-ar
 RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
 -- 
 2.13.4
--- a/0004-Fix-certficate-argument-name.patch
+++ b/0004-Fix-certficate-argument-name.patch
@ -0,0 +1,39 @@
 From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:00:34 -0400
 Subject: [PATCH 04/29] Fix "certficate" argument name.
 This fixes our typoed argument name by making the incorrectly spelled
 version be a popt alias, and fixing the real implementation to be
 spelled right in pesign.c .
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign.c    | 2 +-
 src/pesign.popt | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/pesign.c b/src/pesign.c
 index af374b6..279a17a 100644
 --- a/src/pesign.c
 +++ b/src/pesign.c
@@ -438,7 +438,7 @@ main(int argc, char *argv[])
 		 .arg = &ctxp->outfile,
 		 .descrip = "specify output file",
 		 .argDescrip = "<outfile>" },
 -		{.longName = "certficate",
 +		{.longName = "certificate",
 		 .shortName = 'c',
 		 .argInfo = POPT_ARG_STRING,
 		 .arg = &certname,
 diff --git a/src/pesign.popt b/src/pesign.popt
 index 7b3385d..5a97748 100644
 --- a/src/pesign.popt
 +++ b/src/pesign.popt
@@ -1,2 +1,3 @@
 pesign alias --cert --certificate
 +pesign alias --certficate --certificate
 pesign alias --daemon --daemonize
 -- 
 2.13.4
--- a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
+++ b/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
@ -0,0 +1,26 @@
 From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Mon, 27 Jun 2016 15:38:38 +0200
 Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
 The --ascii option does not exist.
 ---
 src/pesign.1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/pesign.1 b/src/pesign.1
 index 47d1aec..29ae060 100644
 --- a/src/pesign.1
 +++ b/src/pesign.1
@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
 Export the certificate specified by \-\-certificate to \fIoutcert\fR
 .TP
 -\fB-\-ascii\fR
 +\fB-\-ascii\-armor\fR
 Use ascii armoring on exported certificates.
 .TP
 -- 
 2.13.4
--- a/0006-Make-ascii-work-since-we-documented-it.patch
+++ b/0006-Make-ascii-work-since-we-documented-it.patch
@ -0,0 +1,22 @@
 From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:05:40 -0400
 Subject: [PATCH 06/29] Make --ascii work, since we documented it.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign.popt | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/pesign.popt b/src/pesign.popt
 index 5a97748..5ae0c5c 100644
 --- a/src/pesign.popt
 +++ b/src/pesign.popt
@@ -1,3 +1,4 @@
 pesign alias --cert --certificate
 pesign alias --certficate --certificate
 pesign alias --daemon --daemonize
 +pesign alias --ascii --ascii-armor
 -- 
 2.13.4
--- a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
+++ b/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
@ -0,0 +1,32 @@
 From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Mon, 7 Nov 2016 11:37:08 -0600
 Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
 rather than use hard coded values
 ---
 src/macros.pesign | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 18e5b5e..69280e9 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -41,11 +41,11 @@
                  --certdir ${nss} -c signer %{-o}			\
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
     elif [ -S /var/run/pesign/socket ]; then				\
 -      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
 -                        -c "/CN=Fedora Secure Boot Signer"		\\\
 +      %{_pesign_client} -t %{__pesign_token}				\\\
 +                        -c %{__pesign_cert}				\\\
                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
     else								\
 -      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
 +      %{_pesign} -t %{__pesign_token} -c %{__pesign_cert}		\\\
 		 --certdir ${_pesign_nssdir}				\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
     fi									\
 -- 
 2.13.4
--- a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
+++ b/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
@ -0,0 +1,25 @@
 From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 16 Feb 2017 15:08:30 -0800
 Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
 ---
 src/certdb.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 2a08042..b7c99bb 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	}
 	/* Verify the signature */
 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
 -						certUsageSSLServer,
 +						certUsageObjectSigner,
 						digest, HASH_AlgSHA256,
 						PR_FALSE, atTime);
 	if (!result) {
 -- 
 2.13.4
--- a/0009-pesigcheck-make-certfile-actually-work.patch
+++ b/0009-pesigcheck-make-certfile-actually-work.patch
@ -0,0 +1,47 @@
 From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 24 Apr 2017 15:18:10 -0400
 Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesigcheck.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index 0d49c1a..d7be542 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
 	cert_iter iter;
 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
 -	
 +
 	if (check_db_hash(DBX, ctx) == FOUND)
 		return -1;
@@ -225,6 +225,11 @@ main(int argc, char *argv[])
 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
 		 .arg = (void *)callback,
 		 .descrip = (void *)ctxp },
 +		{.longName = "certfile",
 +		 .shortName = 'c',
 +		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
 +		 .arg = (void *)callback,
 +		 .descrip = (void *)ctxp },
 		{.longName = "in",
 		 .shortName = 'i',
 		 .argInfo = POPT_ARG_STRING,
@@ -258,7 +263,7 @@ main(int argc, char *argv[])
 		 .shortName = 'c',
 		 .argInfo = POPT_ARG_STRING,
 		 .arg = &certfile,
 -		 .descrip = "the certificate (in DER form) for verification ",
 +		 .descrip = "import certfile (in DER encoding) for allowed certificate",
 		 .argDescrip = "<certfile>" },
 		POPT_AUTOALIAS
 		POPT_AUTOHELP
 -- 
 2.13.4
--- a/0010-signerInfos-make-sure-err-is-always-initialized.patch
+++ b/0010-signerInfos-make-sure-err-is-always-initialized.patch
@ -0,0 +1,27 @@
 From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:15:07 -0400
 Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/signed_data.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/src/signed_data.c b/src/signed_data.c
 index 721db90..9e0af23 100644
 --- a/src/signed_data.c
 +++ b/src/signed_data.c
@@ -132,7 +132,8 @@ int
 generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
 {
 	SpcSignerInfo **signerInfo_list;
 -	int err, rc;
 +	int err = 0;
 +	int rc;
 	if (!signerInfo_list_p)
 		return -1;
 -- 
 2.13.4
--- a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
+++ b/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
@ -0,0 +1,26 @@
 From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:23:36 -0400
 Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/pesign.c b/src/pesign.c
 index 279a17a..5879cfc 100644
 --- a/src/pesign.c
 +++ b/src/pesign.c
@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
 	if (!ctx)
 		return;
 -	printf("hash: ");
 +	printf("%s ", pctx->infile);
 	int j = ctx->selected_digest;
 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
 		printf("%02x",
 -- 
 2.13.4
--- a/0012-Add-coverity-build-scripts.patch
+++ b/0012-Add-coverity-build-scripts.patch
@ -0,0 +1,104 @@
 From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 May 2017 10:49:57 -0400
 Subject: [PATCH 12/29] Add coverity build scripts
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 .gitignore    |  1 +
 Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
 Make.defaults |  2 ++
 Make.rules    |  4 ++++
 Makefile      |  1 +
 5 files changed, 45 insertions(+)
 create mode 100644 Make.coverity
 diff --git a/.gitignore b/.gitignore
 index 1635ba2..847e172 100644
 --- a/.gitignore
 +++ b/.gitignore
@@ -12,3 +12,4 @@
 *.tar.*
 *.rpm
 core.*
 +cov-int
 diff --git a/Make.coverity b/Make.coverity
 new file mode 100644
 index 0000000..b80b091
 --- /dev/null
 +++ b/Make.coverity
@@ -0,0 +1,37 @@
 +include $(TOPDIR)/Make.version
 +include $(TOPDIR)/Make.rules
 +include $(TOPDIR)/Make.defaults
 +
 +COV_EMAIL=$(call get-config,coverity.email)
 +COV_TOKEN=$(call get-config,coverity.token)
 +COV_URL=$(call get-config,coverity.url)
 +COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
 +
 +cov-int : clean
 +	cov-build --dir cov-int make all
 +
 +cov-clean :
 +	@rm -vf $(NAME)-coverity-*.tar.*
 +	@if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
 +
 +cov-file : | $(COV_FILE)
 +
 +$(COV_FILE) : cov-int
 +	tar caf $@ cov-int
 +
 +cov-upload :
 +	@if [[ -n "$(COV_URL)" ]] &&					\
 +	    [[ -n "$(COV_TOKEN)" ]] &&					\
 +	    [[ -n "$(COV_EMAIL)" ]] ;					\
 +	then								\
 +		echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
 +		curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
 +	else								\
 +		echo Coverity output is in $(COV_FILE) ;		\
 +	fi
 +
 +coverity : cov-file cov-upload
 +
 +clean : | cov-clean
 +
 +.PHONY : coverity cov-upload cov-clean cov-file
 diff --git a/Make.defaults b/Make.defaults
 index 3511080..39b78f0 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -1,3 +1,5 @@
 +NAME	= pesign
 +COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
 prefix	?= /usr/
 prefix	:= $(abspath $(prefix))/
 libdir	?= $(prefix)lib64/
 diff --git a/Make.rules b/Make.rules
 index af5ecfe..5e3c83d 100644
 --- a/Make.rules
 +++ b/Make.rules
@@ -79,3 +79,7 @@ endef
 $(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
 	$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
 +
 +define get-config =
 +$(shell git config --local --get "$(NAME).$(1)")
 +endef
 diff --git a/Makefile b/Makefile
 index db8eb7e..ca1a359 100644
 --- a/Makefile
 +++ b/Makefile
@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
 include $(TOPDIR)/Make.version
 include $(TOPDIR)/Make.rules
 include $(TOPDIR)/Make.defaults
 +include $(TOPDIR)/Make.coverity
 SUBDIRS := include libdpe src
 -- 
 2.13.4
--- a/0013-Document-implicit-fallthrough.patch
+++ b/0013-Document-implicit-fallthrough.patch
@ -0,0 +1,25 @@
 From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 8 Jul 2017 16:31:18 -0400
 Subject: [PATCH 13/29] Document implicit fallthrough.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/authvar.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/authvar.c b/src/authvar.c
 index ad659ca..03e0c47 100644
 --- a/src/authvar.c
 +++ b/src/authvar.c
@@ -511,6 +511,7 @@ main(int argc, char *argv[])
 	case IMPORT|SET:
 	case IMPORT|SIGN|SET:
 		fprintf(stderr, "authvar: not implemented\n");
 +		/* fallthrough. */
 	case IMPORT|SIGN|EXPORT:
 	default:
 		fprintf(stderr, "authvar: invalid flags: ");
 -- 
 2.13.4
--- a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
+++ b/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
@ -0,0 +1,50 @@
 From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 16 May 2016 15:25:53 -0400
 Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign-authorize-groups | 6 +++---
 src/pesign-authorize-users  | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
 diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
 index a4f895e..cf51fb6 100644
 --- a/src/pesign-authorize-groups
 +++ b/src/pesign-authorize-groups
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
 		setfacl -m g:${group}:rw /var/run/pesign/socket
 	    fi
 	fi
 -	for x in /etc/pki/pesign* ; do
 +	for x in /etc/pki/pesign*/ ; do
 	    if [ -d ${x} ]; then
 -		setfacl -m g:${group}:rx /etc/pki/pesign
 -		for y in ${x}/{cert8,key3,secmod}.db ; do
 +		setfacl -m g:${group}:rx ${x}
 +		for y in ${x}{cert8,key3,secmod}.db ; do
 		    setfacl -m g:${group}:rw ${y}
 		done
 	    fi
 diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
 index 8b9a885..940138e 100644
 --- a/src/pesign-authorize-users
 +++ b/src/pesign-authorize-users
@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
 		setfacl -m g:${username}:rw /var/run/pesign/socket
 	    fi
 	fi
 -	for x in /etc/pki/pesign* ; do
 +	for x in /etc/pki/pesign*/ ; do
 	    if [ -d ${x} ]; then
 -		setfacl -m g:${username}:rx /etc/pki/pesign
 -		for y in ${x}/{cert8,key3,secmod}.db ; do
 +		setfacl -m g:${username}:rx ${x}
 +		for y in ${x}{cert8,key3,secmod}.db ; do
 		    setfacl -m g:${username}:rw ${y}
 		done
 	    fi
 -- 
 2.13.4
--- a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
+++ b/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
@ -0,0 +1,59 @@
 From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:31:38 -0400
 Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
 indices.
 That was all kinds of wrong.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/oid.c | 10 +++++++---
 src/oid.h |  1 +
 2 files changed, 8 insertions(+), 3 deletions(-)
 diff --git a/src/oid.c b/src/oid.c
 index 9d8154f..7037e1e 100644
 --- a/src/oid.c
 +++ b/src/oid.c
@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
 +	0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
 };
 #define OID(num, desc_s, oidtype, length, value)		\
@@ -53,11 +54,14 @@ static struct {
 	OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
 		&oiddata[10]),
 	OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
 -		&oiddata[30]),
 +		&oiddata[20]),
 	OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
 -		10, &oiddata[40]),
 +		10, &oiddata[30]),
 	OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
 -		siAsciiString, 9, &oiddata[50]),
 +		siAsciiString, 9, &oiddata[40]),
 +	OID(SHIM_EKU_MODULE_SIGNING_ONLY,
 +		"Certificate is used for kernel modules only", siDEROID, 10,
 +		&oiddata[49]),
 	{ .oid = END_OID_LIST }
 };
 diff --git a/src/oid.h b/src/oid.h
 index 599f49d..0e00781 100644
 --- a/src/oid.h
 +++ b/src/oid.h
@@ -25,6 +25,7 @@ typedef enum {
 	SPC_PE_IMAGE_DATA_OBJID,		/* 1.3.6.1.4.1.311.2.1.15 */
 	SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID,	/* 1.3.6.1.4.1.311.2.1.21 */
 	szOID_CERTSRV_CA_VERSION,		/* 1.3.6.1.4.1.311.21.1 */
 +	SHIM_EKU_MODULE_SIGNING_ONLY,		/* 1.3.6.1.4.1.2312.16.1.2 */
 	END_OID_LIST
 } ms_oid_t;
 -- 
 2.13.4
--- a/0016-efikeygen-add-modsign.patch
+++ b/0016-efikeygen-add-modsign.patch
@ -0,0 +1,197 @@
 From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:43:56 -0400
 Subject: [PATCH 16/29] efikeygen: add --modsign
 ---
 src/cms_common.c | 29 ++++++++++++++++++++++++++++
 src/cms_common.h |  1 +
 src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
 3 files changed, 77 insertions(+), 12 deletions(-)
 diff --git a/src/cms_common.c b/src/cms_common.c
 index 6a4e6a7..2df2cfe 100644
 --- a/src/cms_common.c
 +++ b/src/cms_common.c
@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
 	return 0;
 }
 +static SEC_ASN1Template EKUOidSequence[] = {
 +	{
 +	.kind = SEC_ASN1_OBJECT_ID,
 +	.offset = 0,
 +	.sub = &SEC_AnyTemplate,
 +	.size = sizeof (SECItem),
 +	},
 +	{ 0 }
 +};
 +
 +int
 +make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
 +{
 +	void *rv;
 +	SECOidData *oid_data;
 +
 +	oid_data = SECOID_FindOIDByTag(oid_tag);
 +	if (!oid_data)
 +		cmsreterr(-1, cms, "could not encode eku oid data");
 +
 +	rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
 +				EKUOidSequence);
 +	if (rv == NULL)
 +		cmsreterr(-1, cms, "could not encode eku oid data");
 +
 +	encoded->type = siBuffer;
 +	return 0;
 +}
 +
 int
 generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
 {
 diff --git a/src/cms_common.h b/src/cms_common.h
 index c7d7268..7a31273 100644
 --- a/src/cms_common.h
 +++ b/src/cms_common.h
@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
 			SECItem *items, int num_items);
 extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
 			SECItem *original);
 +extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
 extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
 				time_t end);
 extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
 diff --git a/src/efikeygen.c b/src/efikeygen.c
 index 8a515a5..9390578 100644
 --- a/src/efikeygen.c
 +++ b/src/efikeygen.c
@@ -49,6 +49,7 @@
 #include <libdpe/libdpe.h>
 #include "cms_common.h"
 +#include "oid.h"
 #include "util.h"
 typedef struct {
@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
 }
 static int
 -add_extended_key_usage(cms_context *cms, void *extHandle)
 +add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
 {
 -	SECItem value = {
 -		.data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
 -					 "\x05\x05\x07\x03\x03",
 -		.len = 12,
 -		.type = siBuffer
 -	};
 +	SECItem values[2];
 +	SECItem wrapped = { 0 };
 +	SECStatus status;
 +	SECOidTag tag;
 +	int rc;
 +
 +	if (modsign_only < 1 || modsign_only > 2)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
 +	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
 +
 +	tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
 +	printf("tag: %d\n", tag);
 +	rc = make_eku_oid(cms, &values[1], tag);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
 +
 +	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
 +	if (rc < 0)
 +		cmsreterr(-1, cms, "could not encode extended key usage");
 -	SECStatus status;
 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
 -					&value, PR_FALSE, PR_TRUE);
 +					&wrapped, PR_FALSE, PR_TRUE);
 	if (status != SECSuccess)
 		cmsreterr(-1, cms, "could not encode extended key usage");
@@ -294,7 +309,7 @@ static int
 add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
 			int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
 			SECKEYPublicKey *spubkey,
 -			char *url)
 +			char *url, int modsign_only)
 {
 	void *mark = PORT_ArenaMark(cms->arena);
@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
 	if (rc < 0)
 		cmsreterr(-1, cms, "could not generate certificate extensions");
 -	rc = add_extended_key_usage(cms, extHandle);
 +	rc = add_extended_key_usage(cms, modsign_only, extHandle);
 	if (rc < 0)
 		cmsreterr(-1, cms, "could not generate certificate extensions");
@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
 {
 	int is_ca = 0;
 	int is_self_signed = -1;
 +	int modsign_only = 0;
 	char *tokenname = "NSS Certificate DB";
 	char *signer = NULL;
 	char *nickname = NULL;
@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
 		 .descrip = "Generate a self-signed certificate" },
 		/* stuff about the generated key */
 +		{.longName = "kernel",
 +		 .shortName = 'k',
 +		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
 +		 .arg = &modsign_only,
 +		 .val = 1,
 +		 .descrip = "Generate a kernel-signing certificate" },
 +		{.longName = "module",
 +		 .shortName = 'm',
 +		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
 +		 .arg = &modsign_only,
 +		 .val = 2,
 +		 .descrip = "Generate a module-signing certificate" },
 		{.longName = "nickname",
 		 .shortName = 'n',
 		 .argInfo = POPT_ARG_STRING,
@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
 			liberr(1, "could not allocate cms context");
 	}
 +	if (modsign_only < 1 || modsign_only > 2)
 +		errx(1, "either --kernel or --module must be used");
 +
 	SECStatus status = NSS_InitReadWrite(dbdir);
 	if (status != SECSuccess)
 		nsserr(1, "could not initialize NSS");
@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
 	SECKEYPublicKey *pubkey = NULL;
 	SECKEYPrivateKey *privkey = NULL;
 +	status = register_oids(cms);
 +	if (status != SECSuccess)
 +		nsserr(1, "Could not register OIDs");
 +
 	PK11SlotInfo *slot = NULL;
 	if (pubfile) {
 		rc = get_pubkey_from_file(pubfile, &pubkey);
@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
 	crq = CERT_CreateCertificateRequest(name, spki, &attributes);
 	rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
 -					spubkey, url);
 +					spubkey, url, modsign_only);
 	if (rc < 0)
 		exit(1);
 -- 
 2.13.4
--- a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
+++ b/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
@ -0,0 +1,121 @@
 From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:25:02 -0400
 Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
 validation time.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 66 insertions(+), 9 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index b7c99bb..1a4baf1 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
 	return check_db(which, ctx, check_hash, NULL, 0);
 }
 -static PRTime
 -determine_reasonable_time(CERTCertificate *cert)
 +static void
 +find_cert_times(SEC_PKCS7ContentInfo *cinfo,
 +		PRTime *notBefore, PRTime *notAfter)
 {
 -	PRTime notBefore, notAfter;
 -	CERT_GetCertTimes(cert, &notBefore, &notAfter);
 -	return notBefore;
 +	CERTCertDBHandle *defaultdb, *certdb;
 +	SEC_PKCS7SignedData *sdp;
 +	CERTCertificate **certs = NULL;
 +	SECItem **rawcerts;
 +	int i, certcount;
 +	SECStatus rv;
 +
 +	if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
 +err:
 +		*notBefore = 0;
 +		*notAfter = 0x7fffffffffffffff;
 +		return;
 +	}
 +
 +	sdp = cinfo->content.signedData;
 +	rawcerts = sdp->rawCerts;
 +
 +	defaultdb = CERT_GetDefaultCertDB();
 +
 +	certdb = defaultdb;
 +	if (certdb == NULL)
 +		goto err;
 +
 +	certcount = 0;
 +	if (rawcerts != NULL) {
 +		for (; rawcerts[certcount] != NULL; certcount++)
 +			;
 +	}
 +	rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
 +			      rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
 +	if (rv != SECSuccess)
 +		goto err;
 +
 +	for (i = 0; i < certcount; i++) {
 +		PRTime nb = 0, na = 0x7fffffffffff;
 +		CERT_GetCertTimes(certs[i], &nb, &na);
 +		if (*notBefore < nb)
 +			*notBefore = nb;
 +		if (*notAfter > na)
 +			*notAfter = na;
 +	}
 +
 +	CERT_DestroyCertArray(certs, certcount);
 }
 static db_status
@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	PRBool result;
 	SECStatus rv;
 	db_status status = NOT_FOUND;
 +	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
 +	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
 	efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	}
 	cert->timeOK = PR_TRUE;
 +	find_cert_times(cinfo, &notBefore, &notAfter);
 +	if (earlyNow < notBefore)
 +		earlyNow = notBefore;
 +	if (lateNow > notAfter)
 +		lateNow = notAfter;
 +
 	SECItem *eTime;
 	PRTime atTime;
 	// atTime = determine_reasonable_time(cert);
 	eTime = SEC_PKCS7GetSigningTime(cinfo);
 	if (eTime != NULL) {
 -		if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
 -			atTime = determine_reasonable_time(cert);
 -	} else {
 -		atTime = determine_reasonable_time(cert);
 +		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
 +			if (earlyNow < atTime)
 +				earlyNow = atTime;
 +			if (lateNow > atTime)
 +				lateNow = atTime;
 +		}
 	}
 +
 +	if (lateNow < earlyNow)
 +		printf("Impossible time constraints: %ld <= %ld\n",
 +		       earlyNow / 1000000, lateNow / 1000000);
 +	atTime = earlyNow / 2 + lateNow / 2;
 +
 	/* Verify the signature */
 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
 						certUsageObjectSigner,
 -- 
 2.13.4
--- a/0018-show-which-db-we-re-checking.patch
+++ b/0018-show-which-db-we-re-checking.patch
@ -0,0 +1,137 @@
 From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:58:50 -0400
 Subject: [PATCH 18/29] show which db we're checking
 ---
 src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
 src/pesigcheck_context.c |  2 ++
 src/pesigcheck_context.h |  1 +
 3 files changed, 37 insertions(+), 1 deletion(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 1a4baf1..673e074 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -18,6 +18,7 @@
  */
 #include <fcntl.h>
 +#include <libgen.h>
 #include <sys/mman.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
 		return -1;
 	db->type = type;
 -
 	db->fd = open(dbfile, O_RDONLY);
 	if (db->fd < 0) {
 		save_errno(free(db));
 		return -1;
 	}
 +	char *path = strdup(dbfile);
 +	if (!path) {
 +		save_errno(close(db->fd);
 +			   free(db));
 +		return -1;
 +	}
 +
 +	db->path = basename(path);
 +	db->path = strdup(db->path);
 +	free(path);
 +	if (!db->path) {
 +		save_errno(close(db->fd);
 +			   free(db));
 +		return -1;
 +	}
 +
 	struct stat sb;
 	int rc = fstat(db->fd, &sb);
 	if (rc < 0) {
 		save_errno(close(db->fd);
 +			   free(db->path);
 			   free(db));
 		return -1;
 	}
@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
 		rc = read_file(db->fd, (char **)&db->map, &sz);
 		if (rc < 0) {
 			save_errno(close(db->fd);
 +				   free(db->path);
 				   free(db));
 			return -1;
 		}
@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
 #define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
 #define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
 #define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
 +#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
 void
 init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
 			"database \"%s\": %m\n", DBX_PATH);
 		exit(1);
 	}
 +
 +	rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
 +	if (rc < 0 && errno != ENOENT) {
 +		fprintf(stderr, "pesigcheck: Could not add key database "
 +			"\"%s\": %m\n", MOKX_PATH);
 +		exit(1);
 +	}
 +
 +	if (ctx->dbx == NULL) {
 +		fprintf(stderr, "pesigcheck: warning: "
 +			"No key recovation database available\n");
 +	}
 }
 typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
 	sig.type = siBuffer;
 	while (dbl) {
 +		printf("Searching %s %s\n", which == DB ? "db" : "dbx",
 +		       dbl->path);
 		EFI_SIGNATURE_LIST *certlist;
 		EFI_SIGNATURE_DATA *cert;
 		size_t dbsize = dbl->datalen;
 diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
 index b934cbe..5a355b1 100644
 --- a/src/pesigcheck_context.c
 +++ b/src/pesigcheck_context.c
@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
 		munmap(db->map, db->size);
 		close(db->fd);
 		ctx->db = db->next;
 +		free(db->path);
 		free(db);
 	}
 	while (ctx->dbx) {
@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
 		if (db->type == DB_CERT)
 			free(db->data);
 		munmap(db->map, db->size);
 +		free(db->path);
 		close(db->fd);
 		ctx->dbx = db->next;
 		free(db);
 diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
 index 1b916e3..7b5cc89 100644
 --- a/src/pesigcheck_context.h
 +++ b/src/pesigcheck_context.h
@@ -34,6 +34,7 @@ typedef enum {
 struct dblist {
 	db_f_type type;
 +	char *path;
 	int fd;
 	struct dblist *next;
 	size_t size;
 -- 
 2.13.4
--- a/0019-more-about-the-time.patch
+++ b/0019-more-about-the-time.patch
@ -0,0 +1,97 @@
 From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:00:46 -0400
 Subject: [PATCH 19/29] more about the time
 ---
 src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 33 insertions(+), 26 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 673e074..1078a8a 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	PRBool result;
 	SECStatus rv;
 	db_status status = NOT_FOUND;
 +	PRTime atTime = PR_Now();
 +	SECItem *eTime;
 	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
 -	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
 +	PRTime notBefore, notAfter;
 	efi_guid_t efi_x509 = efi_guid_x509_cert;
@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	if (!cinfo)
 		goto out;
 +	notBefore = earlyNow;
 +	notAfter = lateNow;
 +	find_cert_times(cinfo, &notBefore, &notAfter);
 +	if (earlyNow < notBefore)
 +		earlyNow = notBefore;
 +	if (lateNow > notAfter)
 +		lateNow = notAfter;
 +
 +	// atTime = determine_reasonable_time(cert);
 +	eTime = SEC_PKCS7GetSigningTime(cinfo);
 +	if (eTime != NULL) {
 +		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
 +			if (earlyNow < atTime)
 +				earlyNow = atTime;
 +			if (lateNow > atTime)
 +				lateNow = atTime;
 +		}
 +	}
 +
 +	if (lateNow < earlyNow)
 +		printf("Signature has impossible time constraint: %ld <= %ld\n",
 +		       earlyNow / 1000000, lateNow / 1000000);
 +	atTime = earlyNow / 2 + lateNow / 2;
 +
 +
 +	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
 +				    NULL, NULL);
 +	if (!cinfo)
 +		goto out;
 +
 	/* Generate the digest of contentInfo */
 	/* XXX support only sha256 for now */
 	digest = SECITEM_AllocItem(NULL, NULL, 32);
@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 			PORT_ErrorToString(PORT_GetError()));
 		goto out;
 	}
 -	cert->timeOK = PR_TRUE;
 -
 -	find_cert_times(cinfo, &notBefore, &notAfter);
 -	if (earlyNow < notBefore)
 -		earlyNow = notBefore;
 -	if (lateNow > notAfter)
 -		lateNow = notAfter;
 -
 -	SECItem *eTime;
 -	PRTime atTime;
 -	// atTime = determine_reasonable_time(cert);
 -	eTime = SEC_PKCS7GetSigningTime(cinfo);
 -	if (eTime != NULL) {
 -		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
 -			if (earlyNow < atTime)
 -				earlyNow = atTime;
 -			if (lateNow > atTime)
 -				lateNow = atTime;
 -		}
 -	}
 -
 -	if (lateNow < earlyNow)
 -		printf("Impossible time constraints: %ld <= %ld\n",
 -		       earlyNow / 1000000, lateNow / 1000000);
 -	atTime = earlyNow / 2 + lateNow / 2;
 	/* Verify the signature */
 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
 -- 
 2.13.4
--- a/0020-try-to-say-why-something-fails.patch
+++ b/0020-try-to-say-why-something-fails.patch
@ -0,0 +1,419 @@
 From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:01:13 -0400
 Subject: [PATCH 20/29] try to say why something fails
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c             |  15 ++-
 src/certdb.h             |   2 +-
 src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----
 src/pesigcheck_context.h |   1 +
 4 files changed, 233 insertions(+), 29 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index 1078a8a..fae80af 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
 static db_status
 check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
 -	 void *data, ssize_t datalen)
 +	 void *data, ssize_t datalen, SECItem *match)
 {
 	SECItem pkcs7sig, sig;
 	dblist *dbl = which == DB ? ctx->db : ctx->dbx;
@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
 				found = check(ctx, &sig,
 					      &certlist->SignatureType,
 					      &pkcs7sig);
 -				if (found == FOUND)
 +				if (found == FOUND) {
 +					if (match)
 +						memcpy(match, &sig,
 +						       sizeof(sig));
 					return FOUND;
 +				}
 				cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
 				        certlist->SignatureSize);
 			}
@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 db_status
 check_db_hash(db_specifier which, pesigcheck_context *ctx)
 {
 -	return check_db(which, ctx, check_hash, NULL, 0);
 +	return check_db(which, ctx, check_hash, NULL, 0, NULL);
 }
 static void
@@ -459,7 +463,8 @@ out:
 }
 db_status
 -check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
 +check_db_cert(db_specifier which, pesigcheck_context *ctx,
 +	      void *data, ssize_t datalen, SECItem *match)
 {
 -	return check_db(which, ctx, check_cert, data, datalen);
 +	return check_db(which, ctx, check_cert, data, datalen, match);
 }
 diff --git a/src/certdb.h b/src/certdb.h
 index ccf3c87..8402299 100644
 --- a/src/certdb.h
 +++ b/src/certdb.h
@@ -43,7 +43,7 @@ typedef struct {
 extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
 extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
 -				void *data, ssize_t datalen);
 +				void *data, ssize_t datalen, SECItem *match);
 extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
 extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index d7be542..c8e1086 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -17,7 +17,9 @@
  * Author(s): Peter Jones <pjones@redhat.com>
  */
 +#include <err.h>
 #include <fcntl.h>
 +#include <stdbool.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
 }
 static int
 -cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
 +cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
 +		    SECItem *digest_out)
 {
 	SECItem sig, *pe_digest, *content;
 	uint8_t *digest;
@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
 	pe_digest = ctx->cms_ctx->digests[0].pe_digest;
 	content = cinfo->content.signedData->contentInfo.content.data;
 	digest = content->data + content->len - pe_digest->len;
 +	if (digest_out) {
 +		digest_out->data = malloc(pe_digest->len);
 +		digest_out->len = pe_digest->len;
 +		digest_out->type = pe_digest->type;
 +		memcpy(digest_out->data, digest, pe_digest->len);
 +	}
 	if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
 		goto out;
@@ -120,22 +129,149 @@ out:
 	return ret;
 }
 +struct reason {
 +	enum {
 +		WHITELISTED = 0,
 +		INVALID = 1,
 +		BLACKLISTED = 2,
 +		NO_WHITELIST = 3,
 +	} reason;
 +	enum {
 +		NONE = 0,
 +		DIGEST = 1,
 +		SIGNATURE = 2,
 +	} type;
 +	union {
 +		struct {
 +			SECItem digest;
 +		};
 +		struct {
 +			SECItem sig;
 +			SECItem db_cert;
 +		};
 +	};
 +};
 +
 +static void
 +print_digest(SECItem *digest)
 +{
 +	char buf[digest->len * 2 + 2];
 +
 +	for (unsigned int i = 0; i < digest->len; i++)
 +		snprintf(buf + i * 2, digest->len * 2, "%02x",
 +			 digest->data[i]);
 +	buf[digest->len * 2] = '\0';
 +	printf("%s\n", buf);
 +}
 +
 +static void
 +print_certificate(SECItem *cert)
 +{
 +	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
 +	printf("cert: %p\n", cert);
 +}
 +
 +static void
 +print_signatures(SECItem *database_cert, SECItem *signature)
 +{
 +	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
 +	print_certificate(database_cert);
 +	print_certificate(signature);
 +}
 +
 +static void
 +print_reason(struct reason *reason)
 +{
 +	switch (reason->reason) {
 +	case WHITELISTED:
 +		printf("Whitelist entry: ");
 +		if (reason->type == DIGEST)
 +			print_digest(&reason->digest);
 +		else if (reason->type == SIGNATURE)
 +			print_signatures(&reason->sig, &reason->db_cert);
 +		else
 +			errx(1, "Unknown data type %d\n", reason->type);
 +		break;
 +	case INVALID:
 +		if (reason->type == DIGEST) {
 +			printf("Invalid digest: ");
 +			print_digest(&reason->digest);
 +		} else if (reason->type == SIGNATURE) {
 +			printf("Invalid signature: ");
 +			print_signatures(&reason->sig, &reason->db_cert);
 +		} else {
 +			errx(1, "Unknown data type %d\n", reason->type);
 +		}
 +		break;
 +	case BLACKLISTED:
 +		if (reason->type == DIGEST) {
 +			printf("Invalid digest: ");
 +			print_digest(&reason->digest);
 +		} else if (reason->type == SIGNATURE) {
 +			printf("Invalid signature: ");
 +			print_signatures(&reason->sig, &reason->db_cert);
 +		} else {
 +			errx(1, "Unknown data type %d\n", reason->type);
 +		}
 +		break;
 +	case NO_WHITELIST:
 +		if (reason->type == NONE)
 +			printf("No matching whitelist entry.\n");
 +		else
 +			errx(1, "Invalid data type %d\n", reason->type);
 +		break;
 +	default:
 +		errx(1, "Unknown reason type %d\n", reason->reason);
 +		break;
 +	}
 +}
 +
 +static void
 +get_digest(pesigcheck_context *ctx, SECItem *digest)
 +{
 +	struct cms_context *cms = ctx->cms_ctx;
 +	struct digest *cms_digest = &cms->digests[cms->selected_digest];
 +
 +	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
 +}
 +
 static int
 -check_signature(pesigcheck_context *ctx)
 +check_signature(pesigcheck_context *ctx, int *nreasons,
 +		struct reason **reasons)
 {
 -	int has_valid_cert = 0;
 -	int has_invalid_cert = 0;
 +	bool has_valid_cert = false;
 +	bool is_invalid = false;
 +	struct reason *reasonps = NULL, *reason;
 +	int num_reasons = 16;
 +	int nreason = 0;
 	int rc = 0;
 +	int ret = -1;
 	cert_iter iter;
 +	reasonps = calloc(sizeof(struct reason), 512);
 +	if (!reasonps)
 +		err(1, "check_signature");
 +
 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
 -	if (check_db_hash(DBX, ctx) == FOUND)
 -		return -1;
 +	if (check_db_hash(DBX, ctx) == FOUND) {
 +		reason = &reasonps[nreason];
 +		reason->reason = BLACKLISTED;
 +		reason->type = DIGEST;
 +		get_digest(ctx, &reason->digest);
 +		reason += 1;
 +		is_invalid = true;
 +	}
 -	if (check_db_hash(DB, ctx) == FOUND)
 -		has_valid_cert = 1;
 +	if (check_db_hash(DB, ctx) == FOUND) {
 +		reason = &reasonps[nreason];
 +		reason->reason = WHITELISTED;
 +		reason->type = DIGEST;
 +		get_digest(ctx, &reason->digest);
 +		nreason += 1;
 +		has_valid_cert = true;
 +	}
 	rc = cert_iter_init(&iter, ctx->inpe);
 	if (rc < 0)
@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
 	ssize_t datalen;
 	while (1) {
 +		/*
 +		 * Make sure we always have enough for this iteration of the
 +		 * loop, plus one "NO_WHITELIST" entry at the end.
 +		 */
 +		if (nreason >= num_reasons - 4) {
 +			struct reason *new_reasons;
 +
 +			num_reasons += 16;
 +
 +			new_reasons = calloc(sizeof(struct reason), num_reasons);
 +			if (!new_reasons)
 +				err(1, "check_signature");
 +			reasonps = new_reasons;
 +		}
 +
 		rc = next_cert(&iter, &data, &datalen);
 		if (rc <= 0)
 			break;
 -		if (cert_matches_digest(ctx, data, datalen) < 0) {
 -			has_invalid_cert = 1;
 -			break;
 +		reason = &reasonps[nreason];
 +		if (cert_matches_digest(ctx, data, datalen,
 +					&reason->digest) < 0) {
 +			reason->reason = INVALID;
 +			reason->type = DIGEST;
 +			nreason += 1;
 +			is_invalid = true;
 		}
 -		if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
 -			has_invalid_cert = 1;
 -			break;
 +		reason = &reasonps[nreason];
 +		if (check_db_cert(DBX, ctx, data, datalen,
 +				  &reason->db_cert) == FOUND) {
 +			reason->reason = INVALID;
 +			reason->type = SIGNATURE;
 +			reason->sig.data = data;
 +			reason->sig.len = datalen;
 +			reason->type = siBuffer;
 +			nreason += 1;
 +			is_invalid = true;
 		}
 -		if (check_db_cert(DB, ctx, data, datalen) == FOUND)
 -			has_valid_cert = 1;
 +		reason = &reasonps[nreason];
 +		if (check_db_cert(DB, ctx, data, datalen,
 +				  &reason->db_cert) == FOUND) {
 +			reason->reason = WHITELISTED;
 +			reason->type = SIGNATURE;
 +			reason->sig.data = data;
 +			reason->sig.len = datalen;
 +			reason->type = siBuffer;
 +			nreason += 1;
 +			has_valid_cert = true;
 +		}
 	}
 err:
 -	if (has_invalid_cert)
 -		return -1;
 +	if (has_valid_cert != true) {
 +		if (is_invalid != true) {
 +			reason = &reasonps[nreason];
 +			reason->reason = NO_WHITELIST;
 +			reason->type = NONE;
 +			nreason += 1;
 +		}
 +		is_invalid = true;
 +	}
 -	if (has_valid_cert)
 -		return 0;
 +	if (is_invalid == false)
 +		ret = 0;
 -	return -1;
 +	if (nreasons && reasons) {
 +		*nreasons = nreason;
 +		*reasons = reasonps;
 +	} else {
 +		free(reasonps);
 +	}
 +
 +	return ret;
 }
 void
@@ -204,6 +389,9 @@ main(int argc, char *argv[])
 	pesigcheck_context ctx, *ctxp = &ctx;
 +	struct reason *reasons = NULL;
 +	int nreasons = 0;
 +
 	char *dbfile = NULL;
 	char *dbxfile = NULL;
 	char *certfile = NULL;
@@ -242,6 +430,12 @@ main(int argc, char *argv[])
 		 .arg = &ctx.quiet,
 		 .val = 1,
 		 .descrip = "return only; no text output." },
 +		{.longName = "verbose",
 +		 .shortName = 'v',
 +		 .argInfo = POPT_BIT_SET,
 +		 .arg = &ctx.verbose,
 +		 .val = 1,
 +		 .descrip = "print reasons for success and failure." },
 		{.longName = "no-system-db",
 		 .shortName = 'n',
 		 .argInfo = POPT_ARG_INT,
@@ -308,12 +502,16 @@ main(int argc, char *argv[])
 		exit(1);
 	}
 -	rc = check_signature(ctxp);
 +	rc = check_signature(ctxp, &nreasons, &reasons);
 -	close_input(ctxp);
 +	if (!ctx.quiet && ctx.verbose) {
 +		for (int i = 0; i < nreasons; i++)
 +			print_reason(&reasons[i]);
 +	}
 	if (!ctx.quiet)
 		printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
 			rc >= 0 ? "valid" : "invalid");
 +	close_input(ctxp);
 	pesigcheck_context_fini(&ctx);
 	NSS_Shutdown();
 diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
 index 7b5cc89..aec415e 100644
 --- a/src/pesigcheck_context.h
 +++ b/src/pesigcheck_context.h
@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
 	Pe *inpe;
 	int quiet;
 +	int verbose;
 	hashlist *hashes;
 -- 
 2.13.4
--- a/0021-Fix-race-condition-in-SEC_GetPassword.patch
+++ b/0021-Fix-race-condition-in-SEC_GetPassword.patch
@ -0,0 +1,34 @@
 From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Sat, 6 May 2017 22:45:34 +0200
 Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
 A side effect of echoOff is to discard unread input, so if we print the
 prompt before echoOff, the user (or process) at the other end might
 react to it by writing the password in between those steps, which is
 then discarded.  This bit me when trying to drive pesign with an expect
 script.
 Signed-off-by: Julien Cristau <jcristau@debian.org>
 ---
 src/password.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/password.c b/src/password.c
 index cd1c07e..d4eae0d 100644
 --- a/src/password.c
 +++ b/src/password.c
@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
     for (;;) {
 	/* Prompt for password */
 	if (isTTY) {
 +	    echoOff(infd);
 	    fprintf(output, "%s", prompt);
             fflush (output);
 -	    echoOff(infd);
 	}
 	fgets ( phrase, sizeof(phrase), input);
 -- 
 2.13.4
--- a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
+++ b/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
@ -0,0 +1,27 @@
 From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Tue, 13 Jun 2017 13:20:16 -0700
 Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
 This better supports non-systemd configurations with tmpfs on /run.
 ---
 src/pesign.sysvinit.in | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
 index d8fffca..dc508d8 100644
 --- a/src/pesign.sysvinit.in
 +++ b/src/pesign.sysvinit.in
@@ -20,6 +20,9 @@ RETVAL=0
 start(){
     echo -n "Starting pesign: "
 +    mkdir /var/run/pesign 2>/dev/null &&
 +        chown pesign:pesign /var/run/pesign &&
 +        chmod 0770 /var/run/pesign
     daemon /usr/bin/pesign --daemonize
     RETVAL=$?
     echo
 -- 
 2.13.4
--- a/0023-Better-authorization-scripts.-Again.patch
+++ b/0023-Better-authorization-scripts.-Again.patch
@ -0,0 +1,217 @@
 From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 15:44:44 -0400
 Subject: [PATCH 23/29] Better authorization scripts.  Again.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/Makefile                | 12 ++++++----
 src/pesign-authorize        | 56 +++++++++++++++++++++++++++++++++++++++++++++
 src/pesign-authorize-groups | 30 ------------------------
 src/pesign-authorize-users  | 30 ------------------------
 src/pesign.service.in       |  3 +--
 src/pesign.sysvinit.in      |  3 +--
 6 files changed, 65 insertions(+), 69 deletions(-)
 create mode 100755 src/pesign-authorize
 delete mode 100644 src/pesign-authorize-groups
 delete mode 100644 src/pesign-authorize-users
 diff --git a/src/Makefile b/src/Makefile
 index 654b792..84ad130 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
 BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
 SVCTARGETS=pesign.sysvinit pesign.service
 -TARGETS=$(BINTARGETS) $(SVCTARGETS)
 +TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
 all : deps $(TARGETS)
@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
 +pesign-users pesign-groups :
 +	echo pesign > $@
 +
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
@@ -88,10 +91,9 @@ install :
 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
 -	$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
 -	$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
 +	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
 -	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
 -	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
 +	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
 +	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
 .PHONY: all deps clean install
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 new file mode 100755
 index 0000000..a496f60
 --- /dev/null
 +++ b/src/pesign-authorize
@@ -0,0 +1,56 @@
 +#!/bin/bash
 +set -e
 +set -u
 +
 +#
 +# With /run/pesign/socket on tmpfs, a simple way of restoring the
 +# acls for specific users is useful
 +#
 +#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 +#
 +
 +# License: GPLv2
 +declare -a fileusers=()
 +declare -a dirusers=()
 +for user in $(cat /etc/pesign/users); do
 +	dirusers[${#dirusers[@]}]=-m
 +	dirusers[${#dirusers[@]}]="u:$user:rwx"
 +	fileusers[${#fileusers[@]}]=-m
 +	fileusers[${#fileusers[@]}]="u:$user:rw"
 +done
 +
 +declare -a filegroups=()
 +declare -a dirgroups=()
 +for group in $(cat /etc/pesign/groups); do
 +	dirgroups[${#dirgroups[@]}]=-m
 +	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
 +	filegroups[${#filegroups[@]}]=-m
 +	filegroups[${#filegroups[@]}]="g:$group:rw"
 +done
 +
 +update_subdir() {
 +	subdir=$1 && shift
 +
 +	setfacl -bk "${subdir}"
 +	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
 +	for x in "${subdir}"* ; do
 +		if [ -d "${x}" ]; then
 +			setfacl -bk ${x}
 +			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
 +			update_subdir "${x}/"
 +		elif [ -e "${x}" ]; then
 +			setfacl -bk ${x}
 +			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
 +		else
 +			:;
 +		fi
 +	done
 +}
 +
 +for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
 +	if [ -d "${x}" ]; then
 +		update_subdir "${x}"
 +	else
 +		:;
 +	fi
 +done
 diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
 deleted file mode 100644
 index cf51fb6..0000000
 --- a/src/pesign-authorize-groups
 +++ /dev/null
@@ -1,30 +0,0 @@
 -#!/bin/bash
 -set -e
 -
 -#
 -# With /run/pesign/socket on tmpfs, a simple way of restoring the
 -# acls for specific groups is useful
 -#
 -#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 -#
 -
 -# License: GPLv2
 -
 -if [ -r /etc/pesign/groups ]; then
 -    for group in $(cat /etc/pesign/groups); do
 -	if [ -d /var/run/pesign ]; then
 -	    setfacl -m g:${group}:rx /var/run/pesign
 -	    if [ -e /var/run/pesign/socket ]; then
 -		setfacl -m g:${group}:rw /var/run/pesign/socket
 -	    fi
 -	fi
 -	for x in /etc/pki/pesign*/ ; do
 -	    if [ -d ${x} ]; then
 -		setfacl -m g:${group}:rx ${x}
 -		for y in ${x}{cert8,key3,secmod}.db ; do
 -		    setfacl -m g:${group}:rw ${y}
 -		done
 -	    fi
 -	done
 -    done
 -fi
 diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
 deleted file mode 100644
 index 940138e..0000000
 --- a/src/pesign-authorize-users
 +++ /dev/null
@@ -1,30 +0,0 @@
 -#!/bin/bash
 -set -e
 -
 -#
 -# With /run/pesign/socket on tmpfs, a simple way of restoring the
 -# acls for specific users is useful
 -#
 -#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
 -#
 -
 -# License: GPLv2
 -
 -if [ -r /etc/pesign/users ]; then
 -    for username in $(cat /etc/pesign/users); do
 -	if [ -d /var/run/pesign ]; then
 -	    setfacl -m g:${username}:rx /var/run/pesign
 -	    if [ -e /var/run/pesign/socket ]; then
 -		setfacl -m g:${username}:rw /var/run/pesign/socket
 -	    fi
 -	fi
 -	for x in /etc/pki/pesign*/ ; do
 -	    if [ -d ${x} ]; then
 -		setfacl -m g:${username}:rx ${x}
 -		for y in ${x}{cert8,key3,secmod}.db ; do
 -		    setfacl -m g:${username}:rw ${y}
 -		done
 -	    fi
 -	done
 -    done
 -fi
 diff --git a/src/pesign.service.in b/src/pesign.service.in
 index aaa408e..c75a000 100644
 --- a/src/pesign.service.in
 +++ b/src/pesign.service.in
@@ -6,5 +6,4 @@ PrivateTmp=true
 Type=forking
 PIDFile=/var/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
 -ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
 -ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
 +ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
 diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
 index dc508d8..b0e0f84 100644
 --- a/src/pesign.sysvinit.in
 +++ b/src/pesign.sysvinit.in
@@ -27,8 +27,7 @@ start(){
     RETVAL=$?
     echo
     touch /var/lock/subsys/pesign
 -    @@LIBEXECDIR@@/pesign/pesign-authorize-users
 -    @@LIBEXECDIR@@/pesign/pesign-authorize-groups
 +    @@LIBEXECDIR@@/pesign/pesign-authorize
 }
 stop(){
 -- 
 2.13.4
--- a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
+++ b/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
@ -0,0 +1,95 @@
 From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 17:28:19 -0400
 Subject: [PATCH 24/29] Make the daemon also try to give better errors on
 -EPERM etc.
 Basically 6796e5f but also for the daemon.  This also tries to fix them
 up to save errno better, for more accurate reporting.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/daemon.c | 27 +++++++++++++++++++++++++--
 src/pesign.c |  8 ++++++--
 2 files changed, 31 insertions(+), 4 deletions(-)
 diff --git a/src/daemon.c b/src/daemon.c
 index 7f694b2..942d576 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -19,6 +19,7 @@
 #include <errno.h>
 #include <fcntl.h>
 +#include <glob.h>
 #include <poll.h>
 #include <pwd.h>
 #include <signal.h>
@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
 		"pesignd starting (pid %d)", ctx.pid);
 	SECStatus status = NSS_Init(certdir);
 +	int error = errno;
 	if (status != SECSuccess) {
 +		char *globpattern = NULL;
 +		rc = asprintf(&globpattern, "%s/cert*.db",
 +			      certdir);
 +		if (rc > 0) {
 +			glob_t globbuf;
 +			memset(&globbuf, 0, sizeof(globbuf));
 +			rc = glob(globpattern, GLOB_ERR, NULL,
 +				  &globbuf);
 +			if (rc != 0) {
 +				errno = error;
 +				ctx.backup_cms->log(ctx.backup_cms,
 +					ctx.priority|LOG_NOTICE,
 +					"Could not open NSS database (\"%s\"): %m",
 +					PORT_ErrorToString(PORT_GetError()));
 +				exit(1);
 +			}
 +		}
 +	}
 +	if (status != SECSuccess) {
 +		errno = error;
 		ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
 -			"Could not initialize nss: %s\n",
 -			PORT_ErrorToString(PORT_GetError()));
 +				    "Could not initialize nss.\n"
 +				    "NSS says \"%s\" errno says \"%m\"\n",
 +				    PORT_ErrorToString(PORT_GetError()));
 		exit(1);
 	}
 diff --git a/src/pesign.c b/src/pesign.c
 index 5879cfc..6ceda34 100644
 --- a/src/pesign.c
 +++ b/src/pesign.c
@@ -660,10 +660,12 @@ main(int argc, char *argv[])
 	if (!daemon) {
 		SECStatus status;
 +		int error;
 		if (need_db) {
 			status = NSS_Init(certdir);
 			if (status != SECSuccess) {
 				char *globpattern = NULL;
 +				error = errno;
 				rc = asprintf(&globpattern, "%s/cert*.db",
 					      certdir);
 				if (rc > 0) {
@@ -680,8 +682,10 @@ main(int argc, char *argv[])
 		} else
 			status = NSS_NoDB_Init(NULL);
 		if (status != SECSuccess) {
 -			errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
 -				PORT_ErrorToString(PORT_GetError()));
 +			errno = error;
 +			errx(1, "Could not initialize nss.\n"
 +			        "NSS says \"%s\" errno says \"%m\"\n",
 +			     PORT_ErrorToString(PORT_GetError()));
 		}
 		status = register_oids(ctxp->cms_ctx);
 -- 
 2.13.4
--- a/0025-certdb-fix-PRTime-printfs-for-i686.patch
+++ b/0025-certdb-fix-PRTime-printfs-for-i686.patch
@ -0,0 +1,31 @@
 From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:40:33 -0400
 Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/certdb.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
 diff --git a/src/certdb.c b/src/certdb.c
 index fae80af..29c9502 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
 	}
 	if (lateNow < earlyNow)
 -		printf("Signature has impossible time constraint: %ld <= %ld\n",
 -		       earlyNow / 1000000, lateNow / 1000000);
 +		printf("Signature has impossible time constraint: %lld <= %lld\n",
 +		       earlyNow / 1000000LL, lateNow / 1000000LL);
 	atTime = earlyNow / 2 + lateNow / 2;
 -
 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
 				    NULL, NULL);
 	if (!cinfo)
 -- 
 2.13.4
--- a/0026-Clean-up-gcc-command-lines-a-little.patch
+++ b/0026-Clean-up-gcc-command-lines-a-little.patch
@ -0,0 +1,41 @@
 From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:02:38 -0400
 Subject: [PATCH 26/29] Clean up gcc command lines a little
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
 diff --git a/Make.defaults b/Make.defaults
 index 39b78f0..b6c0381 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -20,8 +20,7 @@ CROSS_COMPILE	?= $(bindir)
 PKG_CONFIG = $(CROSS_COMPILE)pkg-config
 CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
 CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
 -CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
 -	   -Wall -Werror -Wextra -Wno-error=cpp
 +CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
 AS	:= $(CROSS_COMPILE)as
 AR	:= $(CROSS_COMPILE)gcc-ar
 RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
@@ -36,10 +35,10 @@ ARCH	   := $(shell uname -m | sed s,i[3456789]86,ia32,)
 SOFLAGS	= -shared
 clang_cflags =
 -gcc_cflags = -Wmaybe-uninitialized
 +gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
 cflags	= $(CFLAGS) $(ARCH3264) \
 -	-Wall -Werror -Wno-cpp  -Wsign-compare -Wno-unused-result \
 -	-Wno-unused-function\
 +	-Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
 +	-Wno-unused-function -Wsign-compare \
 	-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
 	-fno-merge-constants -fkeep-inline-functions \
 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
 -- 
 2.13.4
--- a/0027-Make-pesign-users-groups-static-in-the-repo.patch
+++ b/0027-Make-pesign-users-groups-static-in-the-repo.patch
@ -0,0 +1,54 @@
 From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:03:37 -0400
 Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/Makefile      | 5 +----
 src/pesign-groups | 1 +
 src/pesign-users  | 1 +
 3 files changed, 3 insertions(+), 4 deletions(-)
 create mode 100644 src/pesign-groups
 create mode 100644 src/pesign-users
 diff --git a/src/Makefile b/src/Makefile
 index 84ad130..7d68fa1 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
 BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
 SVCTARGETS=pesign.sysvinit pesign.service
 -TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
 +TARGETS=$(BINTARGETS) $(SVCTARGETS)
 all : deps $(TARGETS)
@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
 -pesign-users pesign-groups :
 -	echo pesign > $@
 -
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
 diff --git a/src/pesign-groups b/src/pesign-groups
 new file mode 100644
 index 0000000..7f57cc5
 --- /dev/null
 +++ b/src/pesign-groups
@@ -0,0 +1 @@
 +pesign
 diff --git a/src/pesign-users b/src/pesign-users
 new file mode 100644
 index 0000000..7f57cc5
 --- /dev/null
 +++ b/src/pesign-users
@@ -0,0 +1 @@
 +pesign
 -- 
 2.13.4
--- a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
+++ b/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
@ -0,0 +1,43 @@
 From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:31:31 -0400
 Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
 unless overridden
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 69280e9..22a3ee6 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -9,6 +9,9 @@
 %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
 %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
 +%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
 +%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}
 +
 %_pesign /usr/bin/pesign
 %_pesign_client /usr/bin/pesign-client
@@ -41,11 +44,11 @@
                  --certdir ${nss} -c signer %{-o}			\
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
     elif [ -S /var/run/pesign/socket ]; then				\
 -      %{_pesign_client} -t %{__pesign_token}				\\\
 -                        -c %{__pesign_cert}				\\\
 +      %{_pesign_client} -t %{__pesign_client_token}			\\\
 +                        -c %{__pesign_client_cert}			\\\
                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
     else								\
 -      %{_pesign} -t %{__pesign_token} -c %{__pesign_cert}		\\\
 +      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
 		 --certdir ${_pesign_nssdir}				\\\
                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
     fi									\
 -- 
 2.13.4
--- a/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+++ b/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
@ -0,0 +1,39 @@
 From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 14 Aug 2017 11:37:43 -0400
 Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
 have perms on the socket
 ---
 src/macros.pesign | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 22a3ee6..1665b4c 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -43,6 +43,21 @@
       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
                  --certdir ${nss} -c signer %{-o}			\
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
 +    elif [ "%{vendor}" == "Fedora Project" -a				\\\
 +           "$(id -un)" == "mockbuild" -a				\\\
 +           "$(uname -m)" == "x86_64" ] &&				\\\
 +         grep -q ID=fedora /etc/os-release && 				\\\
 +         [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
 +         ! [ -S /var/run/pesign/socket ]; then				\
 +      echo "No socket even though this is %{_buildhost}"		\
 +      ls -ld /var/run/pesign || :					\
 +      getfacl /var/run/pesign || :					\
 +      ls -l /var/run/pesign/socket || :				\
 +      getfacl /var/run/pesign/socket || :				\
 +      echo =========== env ==============				\
 +      set								\
 +      echo =========== env ==============				\
 +      exit 1								\
     elif [ -S /var/run/pesign/socket ]; then				\
       %{_pesign_client} -t %{__pesign_client_token}			\\\
                         -c %{__pesign_client_cert}			\\\
 -- 
 2.13.4
--- a/0030-Replace-var-run-with-run.patch
+++ b/0030-Replace-var-run-with-run.patch
@ -0,0 +1,151 @@
 From cd26e9e9a7816efe2c1ce9c36d9cb14988c70dc9 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 8 Nov 2021 17:58:09 -0500
 Subject: [PATCH] Replace /var/run with /run
 This change is in violation of the FHS and is forced by systemd being
 obnoxious and logging warnings about it as if it's some kind of problem.
 This commit is a subset of the work in
 02d473fbfd782863a0dcef7e44822d1e7e56a4b3,
 f97d3b04a2eafb42272ede24e1353dd0a7f4347c,
 5f9058677e7241cc88b4e8620654bbaa08a4bce4, and
 cffa10d9b5eec9a9def3533b181a32b64fc29913 (all by pjones) because they
 don't backport well.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 ---
 src/Makefile           |  2 +-
 src/daemon.h           |  4 ++--
 src/macros.pesign      | 12 ++++++------
 src/pesign-authorize   |  2 +-
 src/pesign.service.in  |  2 +-
 src/pesign.sysvinit.in | 10 +++++-----
 src/tmpfiles.conf      |  2 +-
 7 files changed, 17 insertions(+), 17 deletions(-)
 diff --git a/src/Makefile b/src/Makefile
 index 7d68fa1..a11e2b4 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -68,7 +68,7 @@ install_sysvinit: pesign.sysvinit
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
 -	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
 +	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/daemon.h b/src/daemon.h
 index d97eab9..db42c16 100644
 --- a/src/daemon.h
 +++ b/src/daemon.h
@@ -49,7 +49,7 @@ typedef enum {
 } pesignd_cmd;
 #define PESIGND_VERSION 0x2a9edaf0
 -#define SOCKPATH	"/var/run/pesign/socket"
 -#define PIDFILE		"/var/run/pesign.pid"
 +#define SOCKPATH	"/run/pesign/socket"
 +#define PIDFILE		"/run/pesign.pid"
 #endif /* DAEMON_H */
 diff --git a/src/macros.pesign b/src/macros.pesign
 index dfdac02..f135c29 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -48,17 +48,17 @@
            "$(uname -m)" == "x86_64" ] &&				\\\
          grep -q ID=fedora /etc/os-release && 				\\\
          [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
 -         ! [ -S /var/run/pesign/socket ]; then				\
 +         ! [ -S /run/pesign/socket ]; then				\
       echo "No socket even though this is %{_buildhost}"		\
 -      ls -ld /var/run/pesign || :					\
 -      getfacl /var/run/pesign || :					\
 -      ls -l /var/run/pesign/socket || :				\
 -      getfacl /var/run/pesign/socket || :				\
 +      ls -ld /run/pesign || :					\
 +      getfacl /run/pesign || :					\
 +      ls -l /run/pesign/socket || :				\
 +      getfacl /run/pesign/socket || :				\
       echo =========== env ==============				\
       set								\
       echo =========== env ==============				\
       exit 1								\
 -    elif [ -S /var/run/pesign/socket ]; then				\
 +    elif [ -S /run/pesign/socket ]; then				\
       %{_pesign_client} -t %{__pesign_client_token}			\\\
                         -c %{__pesign_client_cert}			\\\
                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 index a496f60..83a30cd 100755
 --- a/src/pesign-authorize
 +++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
 	done
 }
 -for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
 +for x in /run/pesign/ /etc/pki/pesign*/ ; do
 	if [ -d "${x}" ]; then
 		update_subdir "${x}"
 	else
 diff --git a/src/pesign.service.in b/src/pesign.service.in
 index c75a000..4ac2199 100644
 --- a/src/pesign.service.in
 +++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
 [Service]
 PrivateTmp=true
 Type=forking
 -PIDFile=/var/run/pesign.pid
 +PIDFile=/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
 ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
 diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
 index b0e0f84..bf8edec 100644
 --- a/src/pesign.sysvinit.in
 +++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
 #
 # chkconfig: - 50 50
 # processname: /usr/bin/pesign
 -# pidfile: /var/run/pesign.pid
 +# pidfile: /run/pesign.pid
 ### BEGIN INIT INFO 
 # Provides: pesign
 # Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
 start(){
     echo -n "Starting pesign: "
 -    mkdir /var/run/pesign 2>/dev/null &&
 -        chown pesign:pesign /var/run/pesign &&
 -        chmod 0770 /var/run/pesign
 +    mkdir /run/pesign 2>/dev/null &&
 +        chown pesign:pesign /run/pesign &&
 +        chmod 0770 /run/pesign
     daemon /usr/bin/pesign --daemonize
     RETVAL=$?
     echo
@@ -32,7 +32,7 @@ start(){
 stop(){
     echo -n "Stopping pesign: "
 -    killproc -p /var/run/pesign.pid pesignd
 +    killproc -p /run/pesign.pid pesignd
     RETVAL=$?
     echo
     rm -f /var/lock/subsys/pesign
 diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
 index c1cf355..3375ad5 100644
 --- a/src/tmpfiles.conf
 +++ b/src/tmpfiles.conf
@@ -1 +1 @@
 -D /var/run/pesign 0770 pesign pesign -
 +D /run/pesign 0770 pesign pesign -
 -- 
 2.33.0
--- a/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch
+++ b/SOURCES/0001-efikeygen-Fix-the-build-with-nss-3.44.patch
@ -1,4 +1,4 @@
-From b535d1ac5cbcdf18a97d97a92581e38080d9e521 Mon Sep 17 00:00:00 2001
+From d1a7496d18dc1e230115b30fa09e4481c485a27d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 May 2019 11:28:38 -0400
 Subject: [PATCH] efikeygen: Fix the build with nss 3.44
@ -23,15 +23,16 @@ This is fixed by just making it an int.
 Fixes github issue #48.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 (cherry picked from commit b535d1ac5cbcdf18a97d97a92581e38080d9e521)
 ---
 src/efikeygen.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/efikeygen.c b/src/efikeygen.c
-index ede76ef0b48..2cd953e9781 100644
+index 9390578..089e6a7 100644
 --- a/src/efikeygen.c
 +++ b/src/efikeygen.c
-@@ -208,7 +208,7 @@ static int
+@@ -206,7 +206,7 @@ static int
 add_cert_type(cms_context *cms, void *extHandle, int is_ca)
 {
 	SECItem bitStringValue;
@ -41,5 +42,5 @@ index ede76ef0b48..2cd953e9781 100644
 	if (is_ca)
 		type |= NS_CERT_TYPE_SSL_CA |
 -- 
-2.23.0
+2.33.0
--- a/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch
+++ b/SOURCES/0002-pesigcheck-Fix-a-wrong-assignment.patch
@ -1,49 +0,0 @@
 From c555fd74c009242c3864576bd5f17a1f8f4fdffd Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Feb 2020 16:28:56 -0500
 Subject: [PATCH] pesigcheck: Fix a wrong assignment
 gcc says:
  pesigcheck.c: In function 'check_signature':
  pesigcheck.c:321:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
  321 |    reason->type = siBuffer;
      |                 ^
  pesigcheck.c:333:17: error: implicit conversion from 'enum <anonymous>' to 'enum <anonymous>' [-Werror=enum-conversion]
  333 |    reason->type = siBuffer;
      |                 ^
  cc1: all warnings being treated as errors
 And indeed, that line of code makes no sense at all - it was supposed to
 be reason->sig.type.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesigcheck.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/pesigcheck.c b/src/pesigcheck.c
 index 524cce307bf..8fa0f1ad03d 100644
 --- a/src/pesigcheck.c
 +++ b/src/pesigcheck.c
@@ -318,7 +318,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
 			reason->type = SIGNATURE;
 			reason->sig.data = data;
 			reason->sig.len = datalen;
 -			reason->type = siBuffer;
 +			reason->sig.type = siBuffer;
 			nreason += 1;
 			is_invalid = true;
 		}
@@ -330,7 +330,7 @@ check_signature(pesigcheck_context *ctx, int *nreasons,
 			reason->type = SIGNATURE;
 			reason->sig.data = data;
 			reason->sig.len = datalen;
 -			reason->type = siBuffer;
 +			reason->sig.type = siBuffer;
 			nreason += 1;
 			has_valid_cert = true;
 		}
 -- 
 2.24.1
--- a/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
+++ b/SOURCES/0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
@ -1,317 +0,0 @@
 From 84547e6b7173e4b10a1931fd25f329ea9a8f68b0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 11 Jun 2020 16:23:14 -0400
 Subject: [PATCH] Make 0.112 client and server work with the 113 protocol and
 vise versa
 This makes the version of the sign API that takes a file type optional,
 and makes the client attempt to negotiate which version it's getting.
 It also leaves the server able to still handle the version from before
 the file type was added.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/client.c | 74 +++++++++++++++++++++++++++++++++++++---------------
 src/daemon.c | 63 +++++++++++++++++++++++++++++---------------
 src/daemon.h |  2 ++
 3 files changed, 97 insertions(+), 42 deletions(-)
 diff --git a/src/client.c b/src/client.c
 index aa373abd981..57bcc09cbe8 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -11,6 +11,7 @@
 #include <fcntl.h>
 #include <popt.h>
 #include <pwd.h>
 +#include <stdbool.h>
 #include <stddef.h>
 #include <stdlib.h>
 #include <sys/socket.h>
@@ -84,8 +85,8 @@ connect_to_server(void)
 static int32_t
 check_response(int sd, char **srvmsg);
 -static void
 -check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
 +static int
 +check_cmd_version(int sd, uint32_t command, char *name, int32_t version, bool do_exit)
 {
 	struct msghdr msg;
 	struct iovec iov[1];
@@ -104,7 +105,7 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
 	ssize_t n;
 	n = sendmsg(sd, &msg, 0);
 	if (n < 0) {
 -		fprintf(stderr, "check-cmd-version: kill daemon failed: %m\n");
 +		fprintf(stderr, "check-cmd-version: sendmsg failed: %m\n");
 		exit(1);
 	}
@@ -120,11 +121,17 @@ check_cmd_version(int sd, uint32_t command, char *name, int32_t version)
 	char *srvmsg = NULL;
 	int32_t rc = check_response(sd, &srvmsg);
 -	if (rc < 0)
 +
 +	if (do_exit && rc < 0)
 		errx(1, "command \"%s\" not known by server", name);
 -	if (rc != version)
 +
 +	if (do_exit && rc != version)
 		errx(1, "command \"%s\": client version %d, server version %d",
 			name, version, rc);
 +
 +	if (rc < 0)
 +		return rc;
 +	return rc == version;
 }
 static void
@@ -134,7 +141,7 @@ send_kill_daemon(int sd)
 	struct iovec iov;
 	pesignd_msghdr pm;
 -	check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0);
 +	check_cmd_version(sd, CMD_KILL_DAEMON, "kill-daemon", 0, true);
 	pm.version = PESIGND_VERSION;
 	pm.command = CMD_KILL_DAEMON;
@@ -276,7 +283,7 @@ unlock_token(int sd, char *tokenname, char *pin)
 	uint32_t size1 = pesignd_string_size(pin);
 -	check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0);
 +	check_cmd_version(sd, CMD_UNLOCK_TOKEN, "unlock-token", 0, true);
 	pm.version = PESIGND_VERSION;
 	pm.command = CMD_UNLOCK_TOKEN;
@@ -353,7 +360,7 @@ is_token_unlocked(int sd, char *tokenname)
 	uint32_t size0 = pesignd_string_size(tokenname);
 -	check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0);
 +	check_cmd_version(sd, CMD_IS_TOKEN_UNLOCKED, "is-token-unlocked", 0, true);
 	pm.version = PESIGND_VERSION;
 	pm.command = CMD_IS_TOKEN_UNLOCKED;
@@ -452,6 +459,9 @@ static void
 sign(int sd, char *infile, char *outfile, char *tokenname, char *certname,
 	int attached, uint32_t format)
 {
 +	int rc;
 +	bool add_file_type;
 +
 	int infd = open(infile, O_RDONLY);
 	if (infd < 0) {
 		fprintf(stderr, "pesign-client: could not open input file "
@@ -481,12 +491,28 @@ oom:
 		exit(1);
 	}
 -	check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED,
 -			attached ? "sign-attached" : "sign-detached", 0);
 +	rc = check_cmd_version(sd,
 +			       attached ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
 +					: CMD_SIGN_DETACHED_WITH_FILE_TYPE,
 +			       attached ? "sign-attached" : "sign-detached",
 +			       0, format == FORMAT_KERNEL_MODULE);
 +	if (rc >= 0) {
 +		add_file_type = true;
 +	} else {
 +		add_file_type = false;
 +		check_cmd_version(sd, attached ? CMD_SIGN_ATTACHED
 +					       : CMD_SIGN_DETACHED,
 +				  attached ? "sign-attached" : "sign-detached",
 +				  0, true);
 +	}
 +	printf("add_file_type:%d\n", add_file_type);
 	pm->version = PESIGND_VERSION;
 -	pm->command = attached ? CMD_SIGN_ATTACHED : CMD_SIGN_DETACHED;
 -	pm->size = size0 + size1 + sizeof(format);
 +	pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
 +						: CMD_SIGN_ATTACHED)
 +			       : (add_file_type ? CMD_SIGN_DETACHED_WITH_FILE_TYPE
 +						: CMD_SIGN_DETACHED);
 +	pm->size = size0 + size1 + (add_file_type ? sizeof(format) : 0);
 	iov[0].iov_base = pm;
 	iov[0].iov_len = sizeof (*pm);
@@ -503,25 +529,31 @@ oom:
 	}
 	char *buffer;
 -	buffer = malloc(size0 + size1);
 +	buffer = malloc(pm->size);
 	if (!buffer)
 		goto oom;
 -	iov[0].iov_base = &format;
 -	iov[0].iov_len = sizeof(format);
 +	int pos = 0;
 +
 +	if (add_file_type) {
 +		iov[pos].iov_base = &format;
 +		iov[pos].iov_len = sizeof(format);
 +		pos++;
 +	}
 	pesignd_string *tn = (pesignd_string *)buffer;
 	pesignd_string_set(tn, tokenname);
 -	iov[1].iov_base = tn;
 -	iov[1].iov_len = size0;
 +	iov[pos].iov_base = tn;
 +	iov[pos].iov_len = size0;
 +	pos++;
 	pesignd_string *cn = pesignd_string_next(tn);
 	pesignd_string_set(cn, certname);
 -	iov[2].iov_base = cn;
 -	iov[2].iov_len = size1;
 +	iov[pos].iov_base = cn;
 +	iov[pos].iov_len = size1;
 	msg.msg_iov = iov;
 -	msg.msg_iovlen = 3;
 +	msg.msg_iovlen = add_file_type ? 3 : 2;
 	n = sendmsg(sd, &msg, 0);
 	if (n < 0) {
@@ -535,7 +567,7 @@ oom:
 	send_fd(sd, outfd);
 	char *srvmsg = NULL;
 -	int rc = check_response(sd, &srvmsg);
 +	rc = check_response(sd, &srvmsg);
 	if (rc < 0) {
 		fprintf(stderr, "pesign-client: signing failed: \"%s\"\n",
 			srvmsg);
 diff --git a/src/daemon.c b/src/daemon.c
 index 9374d59be30..494beb9af72 100644
 --- a/src/daemon.c
 +++ b/src/daemon.c
@@ -12,6 +12,7 @@
 #include <poll.h>
 #include <pwd.h>
 #include <signal.h>
 +#include <stdbool.h>
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
@@ -561,7 +562,7 @@ out:
 static void
 handle_signing(context *ctx, struct pollfd *pollfd, socklen_t size,
 -	int attached)
 +	       int attached, bool with_file_type)
 {
 	struct msghdr msg;
 	struct iovec iov;
@@ -585,8 +586,12 @@ oom:
 	n = recvmsg(pollfd->fd, &msg, MSG_WAITALL);
 -	file_format = *((uint32_t *) buffer);
 -	n -= sizeof(uint32_t);
 +	if (with_file_type) {
 +		file_format = *((uint32_t *) buffer);
 +		n -= sizeof(uint32_t);
 +	} else {
 +		file_format = FORMAT_PE_BINARY;
 +	}
 	pesignd_string *tn = (pesignd_string *)(buffer + sizeof(uint32_t));
 	if (n < (long long)sizeof(tn->size)) {
@@ -666,34 +671,44 @@ finish:
 	teardown_digests(ctx->cms);
 }
 +static inline void
 +handle_sign_helper(context *ctx, struct pollfd *pollfd, socklen_t size,
 +		   int attached, bool with_file_type)
 +{
 +	int rc = cms_context_alloc(&ctx->cms);
 +	if (rc < 0)
 +		return;
 +
 +	steal_from_cms(ctx->backup_cms, ctx->cms);
 +
 +	handle_signing(ctx, pollfd, size, attached, with_file_type);
 +
 +	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
 +	cms_context_fini(ctx->cms);
 +}
 +
 static void
 handle_sign_attached(context *ctx, struct pollfd *pollfd, socklen_t size)
 {
 -	int rc = cms_context_alloc(&ctx->cms);
 -	if (rc < 0)
 -		return;
 +	handle_sign_helper(ctx, pollfd, size, 1, false);
 +}
 -	steal_from_cms(ctx->backup_cms, ctx->cms);
 -
 -	handle_signing(ctx, pollfd, size, 1);
 -
 -	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
 -	cms_context_fini(ctx->cms);
 +static void
 +handle_sign_attached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
 +{
 +	handle_sign_helper(ctx, pollfd, size, 1, true);
 }
 static void
 handle_sign_detached(context *ctx, struct pollfd *pollfd, socklen_t size)
 {
 -	int rc = cms_context_alloc(&ctx->cms);
 -	if (rc < 0)
 -		return;
 +	handle_sign_helper(ctx, pollfd, size, 0, false);
 +}
 -	steal_from_cms(ctx->backup_cms, ctx->cms);
 -
 -	handle_signing(ctx, pollfd, size, 0);
 -
 -	hide_stolen_goods_from_cms(ctx->cms, ctx->backup_cms);
 -	cms_context_fini(ctx->cms);
 +static void
 +handle_sign_detached_with_file_type(context *ctx, struct pollfd *pollfd, socklen_t size)
 +{
 +	handle_sign_helper(ctx, pollfd, size, 0, true);
 }
 static void
@@ -725,6 +740,12 @@ cmd_table_t cmd_table[] = {
 		{ CMD_UNLOCK_TOKEN, handle_unlock_token, "unlock-token", 0 },
 		{ CMD_SIGN_ATTACHED, handle_sign_attached, "sign-attached", 0 },
 		{ CMD_SIGN_DETACHED, handle_sign_detached, "sign-detached", 0 },
 +		{ CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
 +		  handle_sign_attached_with_file_type,
 +		  "sign-attached-with-file-type", 0 },
 +		{ CMD_SIGN_DETACHED_WITH_FILE_TYPE,
 +		  handle_sign_detached_with_file_type,
 +		  "sign-detached-with-file-type", 0 },
 		{ CMD_RESPONSE, NULL, "response",  0 },
 		{ CMD_IS_TOKEN_UNLOCKED, handle_is_token_unlocked,
 			"is-token-unlocked", 0 },
 diff --git a/src/daemon.h b/src/daemon.h
 index dd430512f1a..834d62c72d0 100644
 --- a/src/daemon.h
 +++ b/src/daemon.h
@@ -33,6 +33,8 @@ typedef enum {
 	CMD_RESPONSE,
 	CMD_IS_TOKEN_UNLOCKED,
 	CMD_GET_CMD_VERSION,
 +	CMD_SIGN_ATTACHED_WITH_FILE_TYPE,
 +	CMD_SIGN_DETACHED_WITH_FILE_TYPE,
 	CMD_LIST_END
 } pesignd_cmd;
 -- 
 2.26.2
--- a/SOURCES/0004-Rename-var-run-to-run.patch
+++ b/SOURCES/0004-Rename-var-run-to-run.patch
@ -1,46 +0,0 @@
 From f886b7088dfea224e28c03b097c85c9bc20f5441 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 12 Jun 2020 11:49:44 -0400
 Subject: [PATCH] Rename /var/run/ to /run/
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 12 ++++++------
 src/tmpfiles.conf |  2 +-
 2 files changed, 7 insertions(+), 7 deletions(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 56f75cafbc4..5a6da1c6809 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -45,14 +45,14 @@
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
     elif [ "$(id -un)" == "kojibuilder" -a				\\\
            grep -q ID=fedora /etc/os-release -a				\\\
 -           ! -S /var/run/pesign/socket ]; then				\
 +           ! -S /run/pesign/socket ]; then				\
       echo "No socket even though this is kojibuilder" 1>&2		\
 -      ls -ld /var/run/pesign 1>&2					\
 -      ls -l /var/run/pesign/socket 1>&2					\
 -      getfacl /var/run/pesign 1>&2					\
 -      getfacl /var/run/pesign/socket 1>&2				\
 +      ls -ld /run/pesign 1>&2					\
 +      ls -l /run/pesign/socket 1>&2					\
 +      getfacl /run/pesign 1>&2					\
 +      getfacl /run/pesign/socket 1>&2				\
       exit 1								\
 -    elif [ -S /var/run/pesign/socket ]; then				\
 +    elif [ -S /run/pesign/socket ]; then				\
       %{_pesign_client} -t %{__pesign_client_token}			\\\
                         -c %{__pesign_client_cert}			\\\
                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
 diff --git a/src/tmpfiles.conf b/src/tmpfiles.conf
 index c1cf35597d8..3375ad52a44 100644
 --- a/src/tmpfiles.conf
 +++ b/src/tmpfiles.conf
@@ -1 +1 @@
 -D /var/run/pesign 0770 pesign pesign -
 +D /run/pesign 0770 pesign pesign -
 -- 
 2.26.2
--- a/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+++ b/SOURCES/0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
@ -1,30 +0,0 @@
 From 56eaa15e986d808c670381ca375216eb3abd1588 Mon Sep 17 00:00:00 2001
 From: Jeremy Cline <jcline@redhat.com>
 Date: Tue, 18 Feb 2020 16:37:53 -0500
 Subject: [PATCH] Apparently opensc got updated and the token name changed
 All the kernel builds started failing yesterday because the signing
 token could not be found. Update the token name in the macro shipped by
 pesign.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 7c5cba170e9..56f75cafbc4 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -9,7 +9,7 @@
 %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
 %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
 -%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
 +%__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
 %__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
 %_pesign /usr/bin/pesign
 -- 
 2.26.2
--- a/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch
+++ b/SOURCES/0006-client-try-run-and-var-run-for-the-socket-path.patch
@ -1,86 +0,0 @@
 From c662ad097eaa0d8c3691a22254f5d0e9622b26b7 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 6 Jul 2020 16:13:09 -0400
 Subject: [PATCH 6/7] client: try /run and /var/run for the socket path.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/client.c | 40 +++++++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 11 deletions(-)
 diff --git a/src/client.c b/src/client.c
 index 2119ef33bf8..a38383415d5 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -49,24 +49,24 @@ print_flag_name(FILE *f, int flag)
 }
 static int
 -connect_to_server(void)
 +connect_to_server_helper(const char * const sockpath)
 {
 -	int rc = access(SOCKPATH, R_OK);
 +	int rc = access(sockpath, R_OK);
 	if (rc != 0) {
 -		fprintf(stderr, "pesign-client: could not connect to server: "
 -			"%m\n");
 -		exit(1);
 +		warn("could not access socket \"%s\"", sockpath);
 +		return rc;
 	}
 	struct sockaddr_un addr_un = {
 		.sun_family = AF_UNIX,
 -		.sun_path = SOCKPATH,
 	};
 +	strncpy(addr_un.sun_path, sockpath, sizeof(addr_un.sun_path));
 +	addr_un.sun_path[sizeof(addr_un.sun_path)-1] = '\0';
 	int sd = socket(AF_UNIX, SOCK_STREAM, 0);
 	if (sd < 0) {
 -		fprintf(stderr, "pesign-client: could not open socket: %m\n");
 -		exit(1);
 +		warn("could not open socket \"%s\"", sockpath);
 +		return sd;
 	}
 	socklen_t len = strlen(addr_un.sun_path) +
@@ -74,14 +74,32 @@ connect_to_server(void)
 	rc = connect(sd, (struct sockaddr *)&addr_un, len);
 	if (rc < 0) {
 -		fprintf(stderr, "pesign-client: could not connect to daemon: "
 -			"%m\n");
 -		exit(1);
 +		warn("could not connect to daemon");
 +		return sd;
 	}
 	return sd;
 }
 +static int
 +connect_to_server(void)
 +{
 +	int rc, i;
 +	const char * const sockets[] = {
 +		"/run/pesign/socket",
 +		"/var/run/pesign/socket",
 +		NULL
 +	};
 +
 +	for (i = 0; sockets[i] != NULL; i++) {
 +		rc = connect_to_server_helper(sockets[i]);
 +		if (rc >= 0)
 +			return rc;
 +	}
 +
 +	exit(1);
 +}
 +
 static int32_t
 check_response(int sd, char **srvmsg);
 -- 
 2.26.2
--- a/SOURCES/0007-client-remove-an-extra-debug-print.patch
+++ b/SOURCES/0007-client-remove-an-extra-debug-print.patch
@ -1,25 +0,0 @@
 From ea81cec14d31cd0b0dbde5b42414bfae9daec9b8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 16:44:09 -0400
 Subject: [PATCH 07/11] client: remove an extra debug print
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/client.c | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/src/client.c b/src/client.c
 index 0082be1f597..c9966295e5f 100644
 --- a/src/client.c
 +++ b/src/client.c
@@ -536,7 +536,6 @@ oom:
 				  0, true);
 	}
 -	printf("add_file_type:%d\n", add_file_type);
 	pm->version = PESIGND_VERSION;
 	pm->command = attached ? (add_file_type ? CMD_SIGN_ATTACHED_WITH_FILE_TYPE
 						: CMD_SIGN_ATTACHED)
 -- 
 2.26.2
--- a/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+++ b/SOURCES/0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
@ -1,379 +0,0 @@
 From 6c16b978fd33f3611e9f7aaf4f9c44bce1679485 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 6 Jul 2020 13:54:35 -0400
 Subject: [PATCH] Move most of macros.pesign to pesign-rpmbuild-helper
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults                 |   1 +
 src/Makefile                  |   8 +-
 src/macros.pesign             |  74 ++++--------
 src/pesign-rpmbuild-helper.in | 222 ++++++++++++++++++++++++++++++++++
 4 files changed, 252 insertions(+), 53 deletions(-)
 create mode 100644 src/pesign-rpmbuild-helper.in
 diff --git a/Make.defaults b/Make.defaults
 index 0bacafe0d01..d4cd626c11e 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -16,6 +16,7 @@ INSTALLROOT = $(DESTDIR)
 INSTALL	?= install
 CROSS_COMPILE	?=
 +EFI_ARCHES ?= aa64 ia32 x64
 PKG_CONFIG = $(CROSS_COMPILE)pkg-config
 CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
 diff --git a/src/Makefile b/src/Makefile
 index 74327ba13f3..a7ca89159c6 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/Make.version
 include $(TOPDIR)/Make.rules
 include $(TOPDIR)/Make.defaults
 -BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
 +BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign pesign-rpmbuild-helper
 SVCTARGETS=pesign.sysvinit pesign.service
 TARGETS=$(BINTARGETS) $(SVCTARGETS)
@@ -49,6 +49,11 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
 pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
 pesign : PKGS=efivar nss nspr popt
 +pesign-rpmbuild-helper: pesign-rpmbuild-helper.in
 +	sed \
 +		-e "s/@@EFI_ARCHES@@/$(EFI_ARCHES)/g" \
 +		$^ > $@
 +
 deps : PKGS=efivar nss nspr popt uuid
 deps : $(ALL_SOURCES)
 	$(MAKE) -f $(TOPDIR)/Make.deps \
@@ -94,6 +99,7 @@ install :
 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
 	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
 +	$(INSTALL) -m 755 pesign-rpmbuild-helper $(INSTALLROOT)$(libexecdir)/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
 	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
 	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 5a6da1c6809..2e984b4eeb3 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -6,7 +6,7 @@
 # %pesign -s -i shim.orig -o shim.efi
 # And magically get the right thing.
 -%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
 +%__pesign_token %{nil}%{?pe_signing_token:--token "%{pe_signing_token}"}
 %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
 %__pesign_client_token %{!?pe_signing_token:"OpenSC Card (Fedora Signer)"}%{?pe_signing_token:"%{pe_signing_token}"}
@@ -24,54 +24,24 @@
 # -a <input ca cert filename>		# rhel only
 # -s 					# perform signing
 %pesign(i:o:C:e:c:n:a:s)						\
 -  _pesign_nssdir=/etc/pki/pesign					\
 -  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
 -    _pesign_nssdir=/etc/pki/pesign-rh-test				\
 -  fi									\
 -  if [ -x %{_pesign} ] &&  						\\\
 -       [ "%{_target_cpu}" == "x86_64" -o 				\\\
 -         "%{_target_cpu}" == "aarch64" ]; then				\
 -    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
 -      nss=$(mktemp -p $PWD -d)						\
 -      echo > ${nss}/pwfile						\
 -      certutil -N -d ${nss} -f ${nss}/pwfile				\
 -      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
 -      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
 -      sattrs=$(mktemp -p $PWD --suffix=.der)				\
 -      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
 -      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
 -      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
 -                 --certdir ${nss} -c signer %{-o}			\
 -      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
 -    elif [ "$(id -un)" == "kojibuilder" -a				\\\
 -           grep -q ID=fedora /etc/os-release -a				\\\
 -           ! -S /run/pesign/socket ]; then				\
 -      echo "No socket even though this is kojibuilder" 1>&2		\
 -      ls -ld /run/pesign 1>&2					\
 -      ls -l /run/pesign/socket 1>&2					\
 -      getfacl /run/pesign 1>&2					\
 -      getfacl /run/pesign/socket 1>&2				\
 -      exit 1								\
 -    elif [ -S /run/pesign/socket ]; then				\
 -      %{_pesign_client} -t %{__pesign_client_token}			\\\
 -                        -c %{__pesign_client_cert}			\\\
 -                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
 -    else								\
 -      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
 -                 --certdir ${_pesign_nssdir}				\\\
 -                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
 -    fi									\
 -  else									\
 -    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
 -      mv %{-i*} %{-o*}							\
 -    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
 -      touch %{-e*}							\
 -    fi									\
 -  fi									\
 -  if [ ! -s %{-o} ]; then						\
 -    if [ -e "%{-o*}" ]; then						\
 -      rm -f %{-o*}							\
 -    fi									\
 -    exit 1								\
 -  fi ;
 -
 +  %{_libexecdir}/pesign/pesign-rpmbuild-helper				\\\
 +    "%{_target_cpu}"							\\\
 +    "%{_pesign}"							\\\
 +    "%{_pesign_client}"							\\\
 +    %{?__pesign_client_token:--client-token %{__pesign_client_token}}	\\\
 +    %{?__pesign_client_cert:--client-cert %{__pesign_client_cert}}	\\\
 +    %{?__pesign_token:%{__pesign_token}}				\\\
 +    %{?__pesign_cert:--cert %{__pesign_cert}}				\\\
 +    %{?_buildhost:--hostname "%{_buildhost}"}				\\\
 +    %{?vendor:--vendor "%{vendor}"}					\\\
 +    %{?_rhel:--rhelver "%{_rhel}"}					\\\
 +    %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}}	\\\
 +    %{?-a:--rhelcafile "%{-a*}"}					\\\
 +    %{?-c:--rhelcertfile "%{-c*}"}					\\\
 +    %{?-C:--certout "%{-C*}"}						\\\
 +    %{?-e:--sattrout "%{-e*}"}						\\\
 +    %{?-i:--in "%{-i*}"}						\\\
 +    %{?-o:--out "%{-o*}"}						\\\
 +    %{?-s:--sign}							\\\
 +    ;									\
 +%{nil}
 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
 new file mode 100644
 index 00000000000..c5287c27e0c
 --- /dev/null
 +++ b/src/pesign-rpmbuild-helper.in
@@ -0,0 +1,222 @@
 +#!/bin/bash
 +# shellcheck shell=bash
 +
 +set -eu
 +set -x
 +
 +usage() {
 +    local status="${1}" && shift
 +    local out
 +    if [[ "${status}" -eq 0 ]] ; then
 +	out=/dev/stdout
 +    else
 +	out=/dev/stderr
 +    fi
 +
 +    if [[ $# -gt 0 ]] ; then
 +	echo "${0}: error: $*" >>"${out}"
 +    fi
 +    echo "usage: ${0} TARGET_CPU PESIGN_BINARY PESIGN_CLIENT_BINARY [OPTIONS]" >>"${out}"
 +    exit "${status}"
 +}
 +
 +is_efi_arch() {
 +    local arch="${1}"
 +    local arches=(@@EFI_ARCHES@@)
 +    local x
 +    for x in "${arches[@]}" ; do
 +	if [[ "${arch}" = "${x}" ]] ; then
 +	    return 0
 +	fi
 +    done
 +    return 1
 +}
 +
 +error_on_empty() {
 +    local f="${1}"
 +    if [[ ! -s "${f}" ]] ; then
 +	if [[ -e "${f}" ]] ; then
 +	    rm -f "${f}"
 +	fi
 +	echo "${0}: error: empty result file \"${f}\"">>/dev/stderr
 +	exit 1
 +    fi
 +}
 +
 +main() {
 +    if [[ $# -lt 3 ]] ; then
 +	usage 1 not enough arguments
 +    fi
 +    local target_cpu="${1}" && shift
 +    local bin="${1}" && shift
 +    local client="${1}" && shift
 +
 +    local rhelcafile="" || :
 +    local rhelcertfile="" || :
 +
 +    local certout=() || :
 +    local sattrout=() || :
 +    local input=() || :
 +    local output=() || :
 +    local client_token=() || :
 +    local client_cert=() || :
 +    local token=() || :
 +    local cert=() || :
 +    local rhelcert=() || :
 +    local rhelver=0 || :
 +    local sign="" || :
 +    local arch="" || :
 +    local vendor="" || :
 +    local HOSTNAME="" || :
 +
 +    while [[ $# -ge 2 ]] ; do
 +	case " ${1} " in
 +	" --rhelcafile ")
 +	    rhelcafile="${2}"
 +	    ;;
 +	" --rhelcertfile ")
 +	    rhelcertfile="${2}"
 +	    ;;
 +	" --hostname ")
 +	    HOSTNAME="${2}"
 +	    ;;
 +	" --certout ")
 +	    certout[0]=-C
 +	    certout[1]="${2}"
 +	    ;;
 +	" --sattrout ")
 +	    sattrout[0]=-e
 +	    sattrout[1]="${2}"
 +	    ;;
 +	" --client-token ")
 +	    client_token[0]=-t
 +	    client_token[1]="${2}"
 +	    ;;
 +	" --client-cert ")
 +	    client_cert[0]=-c
 +	    client_cert[1]="${2}"
 +	    ;;
 +	" --token ")
 +	    token[0]=-t
 +	    token[1]="${2}"
 +	    ;;
 +	" --cert ")
 +	    cert[0]=-c
 +	    cert[1]="${2}"
 +	    ;;
 +	" --rhelcert ")
 +	    rhelcert[0]=-c
 +	    rhelcert[1]="${2}"
 +	    ;;
 +	" --in ")
 +	    input[0]=-i
 +	    input[1]="${2}"
 +	    ;;
 +	" --out ")
 +	    output[0]=-o
 +	    output[1]="${2}"
 +	    ;;
 +	" --rhelver ")
 +	    rhelver="${2}"
 +	    ;;
 +	" --vendor ")
 +	    vendor="${2}"
 +	    ;;
 +	*)
 +	    break
 +	    ;;
 +	esac
 +	shift
 +	shift
 +    done
 +    if [[ $# -ge 1 ]] && [[ "${1}" = --sign ]] ; then
 +	sign=-s
 +	shift
 +    fi
 +
 +    if [[ -z "${target_cpu}" ]] ; then
 +	target_cpu="$(uname -m)"
 +    fi
 +
 +    target_cpu="${target_cpu/i?86/ia32}"
 +    target_cpu="${target_cpu/x86_64/x64}"
 +    target_cpu="${target_cpu/aarch64/aa64}"
 +    target_cpu="${target_cpu/arm*/arm/}"
 +
 +    local nssdir=/etc/pki/pesign
 +    if [[ "${#cert[@]}" -eq 2 ]] &&
 +       [[ "${cert[1]}" == "Red Hat Test Certificate" ]] ; then
 +	nssdir=/etc/pki/pesign-rh-test
 +    fi
 +
 +    # is_efi_arch is ultimately returning "is pesign configured to sign these
 +    # using the rpm macro", so if it isn't, we're just copying the input to
 +    # the output
 +    if [[ -x "${bin}" ]] && ! is_efi_arch "${target_cpu}" ; then
 +	if [[ -n "${input[*]}" ]] && [[ -n "${output[*]}" ]] ; then
 +	    cp -v "${input[1]}" "${output[1]}"
 +	elif [[ -n "${input[*]}" ]] && [[ -n "${sattrout[*]}" ]] ; then
 +	    touch "${sattrout[1]}"
 +	fi
 +
 +	# if there's a 0-sized output file, delete it and error out
 +	error_on_empty "${output[1]}"
 +	return 0
 +    fi
 +
 +    USERNAME="${USERNAME:-$(id -un)}"
 +
 +    local socket="" || :
 +    if grep -q ID=fedora /etc/os-release \
 +       && [[ "${rhelver}" -lt 7 ]] \
 +       && [[ "${USERNAME}" = "mockbuild" ]] \
 +       && [[ "${vendor}" = "Fedora Project" ]] \
 +       && [[ "${HOSTNAME}" =~ bkernel.* ]]
 +    then
 +	if [[ -S /run/pesign/socket ]] ; then
 +	    socket=/run/pesign/socket
 +	elif [[ -S /var/run/pesign/socket ]]; then
 +	    socket=/var/run/pesign/socket
 +	else
 +	    echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
 +	    echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
 +	    ls -ld /run/pesign /var/run/pesign 1>&2 ||:
 +	    ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
 +	    getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
 +	    getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
 +	fi
 +    fi
 +
 +    if [[ "${rhelver}" -ge 7 ]] ; then
 +	nssdir="$(mktemp -p "${PWD}" -d)"
 +	echo > "${nssdir}/pwfile"
 +	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
 +	certutil -A -n "ca" -t "CTu,CTu,CTu" -i "${rhelcafile}" -d "${nssdir}"
 +	certutil -A -n "signer" -t "CTu,CTu,CTu" -i "${rhelcertfile}" -d "${nssdir}"
 +	sattrs="$(mktemp -p "${PWD}" --suffix=.der)"
 +	"${bin}" -E "${sattrs}" --certdir "${nssdir}" \
 +	    "${input[@]}" --force
 +	rpm-sign --key "${rhelcert[1]}" --rsadgstsign "${sattrs}"
 +	"${bin}" -R "${sattrs}.sig" -I "${sattrs}" \
 +	    --certdir "${nssdir}" -c signer \
 +	    "${input[@]}" "${output[@]}"
 +	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
 +    elif [[ -n "${socket}" ]] ; then
 +	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
 +	    "${sattrout[@]}" "${certout[@]}"	\
 +	    ${sign} "${input[@]}" "${output[@]}"
 +    else
 +	"${bin}" --certdir "${nssdir}" "${token[@]}"	\
 +	    "${cert[@]}" ${sign} "${sattrout[@]}"	\
 +	    "${certout[@]}"    "${input[@]}" "${output[@]}"
 +    fi
 +
 +    # if there's a 0-sized output file, delete it and error out
 +    if [[ "${#output[@]}" -eq 2 ]] ; then
 +	error_on_empty "${output[1]}"
 +    fi
 +}
 +
 +main "${@}"
 +
 +# vim:filetype=sh:fenc=utf-8:tw=78:sts=4:sw=4
 -- 
 2.26.2
--- a/SOURCES/0009-pesign-authorize-shellcheck.patch
+++ b/SOURCES/0009-pesign-authorize-shellcheck.patch
@ -1,60 +0,0 @@
 From 3107894285164a3d25ca215a76593ebb6d4bc84c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 15:07:32 -0400
 Subject: [PATCH 09/11] pesign-authorize: shellcheck
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign-authorize | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 index a496f601ab4..55cd5c4e55b 100755
 --- a/src/pesign-authorize
 +++ b/src/pesign-authorize
@@ -12,21 +12,21 @@ set -u
 # License: GPLv2
 declare -a fileusers=()
 declare -a dirusers=()
 -for user in $(cat /etc/pesign/users); do
 +while read -r user ; do
 	dirusers[${#dirusers[@]}]=-m
 	dirusers[${#dirusers[@]}]="u:$user:rwx"
 	fileusers[${#fileusers[@]}]=-m
 	fileusers[${#fileusers[@]}]="u:$user:rw"
 -done
 +done </etc/pesign/users
 declare -a filegroups=()
 declare -a dirgroups=()
 -for group in $(cat /etc/pesign/groups); do
 +while read -r group ; do
 	dirgroups[${#dirgroups[@]}]=-m
 	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
 	filegroups[${#filegroups[@]}]=-m
 	filegroups[${#filegroups[@]}]="g:$group:rw"
 -done
 +done </etc/pesign/groups
 update_subdir() {
 	subdir=$1 && shift
@@ -35,12 +35,12 @@ update_subdir() {
 	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
 	for x in "${subdir}"* ; do
 		if [ -d "${x}" ]; then
 -			setfacl -bk ${x}
 -			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
 +			setfacl -bk "${x}"
 +			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
 			update_subdir "${x}/"
 		elif [ -e "${x}" ]; then
 -			setfacl -bk ${x}
 -			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
 +			setfacl -bk "${x}"
 +			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
 		else
 			:;
 		fi
 -- 
 2.26.2
--- a/SOURCES/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+++ b/SOURCES/0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
@ -1,26 +0,0 @@
 From 24bb6e1471b16b6be82f13b5b5a302b4e98c1b4d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 15:08:15 -0400
 Subject: [PATCH 10/11] pesign-authorize: don't setfacl /etc/pki/pesign-foo/
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign-authorize | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 index 55cd5c4e55b..c5448329c2c 100755
 --- a/src/pesign-authorize
 +++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
 	done
 }
 -for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
 +for x in /var/run/pesign/ /etc/pki/pesign/ ; do
 	if [ -d "${x}" ]; then
 		update_subdir "${x}"
 	else
 -- 
 2.26.2
--- a/SOURCES/0011-kernel-building-hack.patch
+++ b/SOURCES/0011-kernel-building-hack.patch
@ -1,41 +0,0 @@
 From 0b9048cbcc1cfc2afd9cbf781732882736cbe965 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jul 2020 16:42:39 -0400
 Subject: [PATCH 11/11] kernel building hack
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign-rpmbuild-helper.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
 index c5287c27e0c..27b8261bc17 100644
 --- a/src/pesign-rpmbuild-helper.in
 +++ b/src/pesign-rpmbuild-helper.in
@@ -202,6 +202,23 @@ main() {
 	    "${input[@]}" "${output[@]}"
 	rm -rf "${sattrs}" "${sattrs}.sig" "${nssdir}"
     elif [[ -n "${socket}" ]] ; then
 +	### welcome haaaaack city
 +	if [[ "${client_token[1]}" = "OpenSC Card (Fedora Signer)" ]] ; then
 +	    if [[ "${input[1]}" =~ (/|^)vmlinuz($|[_.-]) ]] \
 +	       || [[ "${input[1]}" =~ (/|^)bzImage($|[_.-]) ]] ; then
 +		if [[ "${rhelcertfile}" =~ redhatsecureboot501.* ]] \
 +		   || [[ "${rhelcertfile}" =~ redhatsecureboot401.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot201.* ]] ; then
 +		    client_cert[1]=kernel-signer
 +		elif [[ "${rhelcertfile}" =~ redhatsecureboot502.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot202.* ]] ; then
 +		    client_cert[1]=grub2-signer
 +		elif [[ "${rhelcertfile}" =~ redhatsecureboot503.* ]] \
 +		   || [[ "${rhelcertfile}" =~ centossecureboot203.* ]] ; then
 +		    client_cert[1]=fwupd-signer
 +		fi
 +	    fi
 +	fi
 	"${client}" "${client_token[@]}" "${client_cert[@]}"    \
 	    "${sattrout[@]}" "${certout[@]}"	\
 	    ${sign} "${input[@]}" "${output[@]}"
 -- 
 2.26.2
--- a/SOURCES/0012-Use-run-not-var-run.patch
+++ b/SOURCES/0012-Use-run-not-var-run.patch
@ -1,105 +0,0 @@
 From db4c6e8cc57271dce6d204a3144982e544e55025 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 16 Jul 2020 16:28:26 -0400
 Subject: [PATCH] Use /run not /var/run
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/daemon.h           |  4 ++--
 src/Makefile           |  2 +-
 src/pesign-authorize   |  2 +-
 src/pesign.service.in  |  2 +-
 src/pesign.sysvinit.in | 10 +++++-----
 5 files changed, 10 insertions(+), 10 deletions(-)
 diff --git a/src/daemon.h b/src/daemon.h
 index 0368dc9256c..5fcd97ea717 100644
 --- a/src/daemon.h
 +++ b/src/daemon.h
@@ -51,8 +51,8 @@ typedef enum {
 } pesignd_cmd;
 #define PESIGND_VERSION 0x2a9edaf0
 -#define SOCKPATH	"/var/run/pesign/socket"
 -#define PIDFILE		"/var/run/pesign.pid"
 +#define SOCKPATH	"/run/pesign/socket"
 +#define PIDFILE		"/run/pesign.pid"
 static inline uint32_t UNUSED
 pesignd_string_size(char *buffer)
 diff --git a/src/Makefile b/src/Makefile
 index a7ca89159c6..f7fb5fc9ee5 100644
 --- a/src/Makefile
 +++ b/src/Makefile
@@ -78,7 +78,7 @@ install_sysvinit: pesign.sysvinit
 install :
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
 -	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
 +	$(INSTALL) -d -m 770 $(INSTALLROOT)/run/pesign/
 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
 diff --git a/src/pesign-authorize b/src/pesign-authorize
 index c5448329c2c..2381302440c 100755
 --- a/src/pesign-authorize
 +++ b/src/pesign-authorize
@@ -47,7 +47,7 @@ update_subdir() {
 	done
 }
 -for x in /var/run/pesign/ /etc/pki/pesign/ ; do
 +for x in /run/pesign/ /var/run/pesign/ /etc/pki/pesign/ ; do
 	if [ -d "${x}" ]; then
 		update_subdir "${x}"
 	else
 diff --git a/src/pesign.service.in b/src/pesign.service.in
 index c75a000892a..4ac2199bce2 100644
 --- a/src/pesign.service.in
 +++ b/src/pesign.service.in
@@ -4,6 +4,6 @@ Description=Pesign signing daemon
 [Service]
 PrivateTmp=true
 Type=forking
 -PIDFile=/var/run/pesign.pid
 +PIDFile=/run/pesign.pid
 ExecStart=/usr/bin/pesign --daemonize
 ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
 diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
 index b0e0f84ff0b..bf8edec8ff3 100644
 --- a/src/pesign.sysvinit.in
 +++ b/src/pesign.sysvinit.in
@@ -4,7 +4,7 @@
 #
 # chkconfig: - 50 50
 # processname: /usr/bin/pesign
 -# pidfile: /var/run/pesign.pid
 +# pidfile: /run/pesign.pid
 ### BEGIN INIT INFO 
 # Provides: pesign
 # Default-Start:
@@ -20,9 +20,9 @@ RETVAL=0
 start(){
     echo -n "Starting pesign: "
 -    mkdir /var/run/pesign 2>/dev/null &&
 -        chown pesign:pesign /var/run/pesign &&
 -        chmod 0770 /var/run/pesign
 +    mkdir /run/pesign 2>/dev/null &&
 +        chown pesign:pesign /run/pesign &&
 +        chmod 0770 /run/pesign
     daemon /usr/bin/pesign --daemonize
     RETVAL=$?
     echo
@@ -32,7 +32,7 @@ start(){
 stop(){
     echo -n "Stopping pesign: "
 -    killproc -p /var/run/pesign.pid pesignd
 +    killproc -p /run/pesign.pid pesignd
     RETVAL=$?
     echo
     rm -f /var/lock/subsys/pesign
 -- 
 2.26.2
--- a/SOURCES/0013-Turn-off-free-nonheap-object.patch
+++ b/SOURCES/0013-Turn-off-free-nonheap-object.patch
@ -1,35 +0,0 @@
 From 59428daf4863f192419eee4afec15cd099e99c9b Mon Sep 17 00:00:00 2001
 From: Jeff Law <law@redhat.com>
 Date: Mon, 16 Nov 2020 12:07:59 -0700
 Subject: [PATCH] Turn off -Wfree-nonheap-object
 authvar.c has a call to free (tokenname) where tokenname is set to a string constant
 and never changed.  That triggers GCC to issue a diagnostic that the value should not
 be passed to free.
 This is a false positive from GCC as the call is guarded by a suitable condition that
 always happens to be false.  But pesign is being built without optimization and thus
 the condition and free call are not optimized away.
 This patch just disables the warning.  A better solution would be to fix the sources
 or build with the optimizer enabled.
 ---
 Make.defaults | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/Make.defaults b/Make.defaults
 index d4cd626..705cc3a 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -40,7 +40,7 @@ gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches -flto
 cflags	= $(CFLAGS) $(ARCH3264) \
 	-Wall -Wextra -Wsign-compare -Wno-unused-result \
 	-Wno-unused-function -Wno-missing-field-initializers \
 -	-Werror -Wno-error=cpp \
 +	-Werror -Wno-error=cpp -Wno-free-nonheap-object \
 	-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
 	$(if $(filter $(CC),clang),$(clang_cflags), ) \
 -- 
 2.28.0
--- a/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+++ b/SOURCES/0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
@ -1,26 +0,0 @@
 From efb69f149f256631a952e0a0db5b45ed5d391509 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 10 Aug 2021 12:39:08 -0400
 Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/macros.pesign | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 34af57c5b3b..2ca1afb916e 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -35,6 +35,7 @@
     %{?_buildhost:--hostname "%{_buildhost}"}				\\\
     %{?vendor:--vendor "%{vendor}"}					\\\
 -    %{?_rhel:--rhelver "%{_rhel}"}					\\\
 +    %{?rhel:--rhelver "%{rhel}"}					\\\
 +    %{?centos:--rhelver "%{centos}"}					\\\
     %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}}	\\\
     %{?-a:--rhelcafile "%{-a*}"}					\\\
     %{?-c:--rhelcertfile "%{-c*}"}					\\\
 -- 
 2.31.1
--- a/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+++ b/SOURCES/0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
@ -1,27 +0,0 @@
 From 3956d8a819541578b31c919270e915fbcc791e89 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 1 Oct 2021 17:58:20 -0400
 Subject: [PATCH] Detect the presence of rpm-sign when checking for
 "rhel"-ness.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 src/pesign-rpmbuild-helper.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
 index 27b8261bc17..d6ca29683b1 100644
 --- a/src/pesign-rpmbuild-helper.in
 +++ b/src/pesign-rpmbuild-helper.in
@@ -187,7 +187,7 @@ main() {
 	fi
     fi
 -    if [[ "${rhelver}" -ge 7 ]] ; then
 +    if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
 	nssdir="$(mktemp -p "${PWD}" -d)"
 	echo > "${nssdir}/pwfile"
 	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"
 -- 
 2.31.1
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
 --- !Policy
 product_versions:
  - rhel-8
 decision_context: osci_compose_gate
 rules:
  - !PassingTestCaseRule {test_case_name: kernel-qe.kernel-ci.hardware-pesign.tier0.functional}
--- a/SOURCES/pesign.py
+++ b/SOURCES/pesign.py
--- a/SPECS/pesign.spec
+++ b/SPECS/pesign.spec
@ -2,62 +2,65 @@
 Name:    pesign
 Summary: Signing utility for UEFI binaries
-Version: 113
+Version: 0.112
-Release: 21%{?dist}
+Release: 26%{?dist}
 License: GPLv2
 URL:     https://github.com/vathpela/pesign
 Obsoletes: pesign-rh-test-certs <= 0.111-7
-BuildRequires: make
+BuildRequires: git nspr nss nss-util popt-devel
 BuildRequires: gcc
 BuildRequires: git
 BuildRequires: nspr
 BuildRequires: nss
 BuildRequires: nss-util
 BuildRequires: popt-devel
 BuildRequires: nss-tools
 BuildRequires: nspr-devel >= 4.9.2-1
 BuildRequires: nss-devel >= 3.13.6-1
 BuildRequires: efivar-devel >= 31-1
 BuildRequires: libuuid-devel
-BuildRequires: tar
+BuildRequires: tar xz
-BuildRequires: xz
+BuildRequires: python3-rpm-macros python3
 BuildRequires: python3-rpm-macros
 BuildRequires: python3
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
-BuildRequires: systemd-rpm-macros
+BuildRequires: systemd
 %endif
-Requires:      nspr
+Requires: nspr nss nss-util nss-tools popt rpm
 Requires:      nss
 Requires:      nss-tools >= 3.53
 Requires:      nss-util
 Requires:      popt
 Requires:      rpm
 Requires(pre): shadow-utils
 ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
 %if 0%{?rhel} == 7
 BuildRequires: rh-signing-tools >= 1.20-2
 %endif
-Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
+Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Source2: pesign.py
-Patch0001: 0001-efikeygen-Fix-the-build-with-nss-3.44.patch
+Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
-Patch0002: 0002-pesigcheck-Fix-a-wrong-assignment.patch
+Patch0002: 0002-Fix-command-line-parsing.patch
-Patch0003: 0003-Make-0.112-client-and-server-work-with-the-113-proto.patch
+Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
-Patch0004: 0004-Rename-var-run-to-run.patch
+Patch0004: 0004-Fix-certficate-argument-name.patch
-Patch0005: 0005-Apparently-opensc-got-updated-and-the-token-name-cha.patch
+Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
-Patch0006: 0006-client-try-run-and-var-run-for-the-socket-path.patch
+Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
-Patch0007: 0007-client-remove-an-extra-debug-print.patch
+Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
-Patch0008: 0008-Move-most-of-macros.pesign-to-pesign-rpmbuild-helper.patch
+Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
-Patch0009: 0009-pesign-authorize-shellcheck.patch
+Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
-Patch0010: 0010-pesign-authorize-don-t-setfacl-etc-pki-pesign-foo.patch
+Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
-Patch0011: 0011-kernel-building-hack.patch
+Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
-Patch0012: 0012-Use-run-not-var-run.patch
+Patch0012: 0012-Add-coverity-build-scripts.patch
-Patch0013: 0013-Turn-off-free-nonheap-object.patch
+Patch0013: 0013-Document-implicit-fallthrough.patch
-Patch0014: 0014-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
-Patch0015: 0015-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
 Patch0016: 0016-efikeygen-add-modsign.patch
 Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
 Patch0018: 0018-show-which-db-we-re-checking.patch
 Patch0019: 0019-more-about-the-time.patch
 Patch0020: 0020-try-to-say-why-something-fails.patch
 Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
 Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
 Patch0023: 0023-Better-authorization-scripts.-Again.patch
 Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
 Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
 Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
 Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
 Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
 Patch0030: 0030-Replace-var-run-with-run.patch
 Patch0031: 0031-efikeygen-Fix-the-build-with-nss-3.44.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -107,7 +110,7 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
 cp -av libdpe/*.[ch] src/
 install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
-install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
+install -m 0755 -p %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
@ -120,21 +123,14 @@ exit 0
 %post
 %systemd_post pesign.service
 #%%posttrans
 #%%{_libexecdir}/pesign/pesign-authorize
 %preun
 %systemd_preun pesign.service
 %postun
 %systemd_postun_with_restart pesign.service
 %posttrans
 certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 # this is disabled currently because it breaks the fedora kernel build root
 # generation - because we don't currently have a good way of populating
 # /etc/pesign/{users,groups} before the buildroot is installed, or
 # populating them and re-running pesign-authorize afterwards but before the
 # package build of e.g. kernel
 #%%{_libexecdir}/pesign/pesign-authorize
 %endif
 %files
@ -153,13 +149,12 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
 %config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
 %{_libexecdir}/pesign/pesign-authorize
 %{_libexecdir}/pesign/pesign-rpmbuild-helper
 %config(noreplace)/%{_sysconfdir}/pesign/users
 %config(noreplace)/%{_sysconfdir}/pesign/groups
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
 %{_mandir}/man*/*
-%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
+%dir %attr(0770, pesign, pesign) /%{_rundir}/%{name}
 %ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
 %ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
@ -170,104 +165,21 @@ certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 %changelog
-* Tue Dec 14 2021 Robbie Harwood <rharwood@redhat.com> - 113-21
+* Mon Nov 08 2021 Robbie Harwood <rharwood@redhat.com> - 0.112-26
- Sync with beta changes
+- Perform the /var/run to /run "migration" stupidity
- Resolves: rhbz#2030501
+- Resolves: rhbz#1801976
-* Tue Aug 10 2021 Peter Jones <pjones@redhat.com> - 113-18
+* Mon Oct 01 2018 Peter Jones <pjones@redhat.com> - 0.112-25
- Detect the CentOS version number correctly in rpm pesign macro
+- Preserve .py timestamp during install so .pyc/.pyo files have the same
-  Related: rhbz#1991688
+  timestamp on all arches, preventing rpmdiff from complaining.
  Related: rhbz#1625388
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 113-17
+* Fri Sep 28 2018 Peter Jones <pjones@redhat.com> - 0.112-24
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+- Require nss-tools at runtime so the rpm signing macros will have it
-  Related: rhbz#1991688
+  Resolves: rhbz#1625388
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 113-16
+* Wed Aug 01 2018 Charalampos Stratakis <cstratak@redhat.com> - 0.112-23
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+- Rebuild for platform-python
 * Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 * Mon Nov 16 2020 Jeff Law <law@redhat.com> - 113-14
 - Turn off -Wfree-nonheap-object
 * Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
 - Add the rundir related stuff that was staged on my f32 checkout.
 * Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
 - Try to make kernel and fwupd both work at the same time.
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 * Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
 - I really cannot figure out why bkernel01 thinks the certificate nickname
  starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
 * Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
 - Even more kernel build debugging...
 * Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
 - More kernel build debugging...
 * Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
 - Disable the pesign-authorize call in posttrans, until we can figure out a
  better way to deal with that in the fedora kernel builder chroot setup
 * Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
 - Make pesign require nss-tools for the posttrans scriptlet
 - Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
 * Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
 - Attempt to fix kernel signing failures caused by -3...
 * Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
 - Fix the signer name for fedora and some other minor nits
  Related: rhbz#1708773
  Related: rhbz#1678146
 * Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
 - Fix a signing protocol bug we introduced in 113 that makes the fedora
  kernel builders fail.
  Related: rhbz#1708773
 * Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
 - Update to 113 release
  Resolves: rhbz#1708773
 * Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
 - Switch default NSS database to SQLite format (pjones)
  Resolves: rhbz#1827902
 * Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
 - Make sure the patch for -29 is actually in the build in f32, and
  synchronize with master.
 * Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
 - Rebuild to match OpenSC's token name mangling change.
 * Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
 * Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
 - Rebuild to fix an NSS API issue.	
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
 * Wed Mar  6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
 - Fix build (#1675653)
 - Add missing closing quote in macro (#1651020)
 - Update obsolete /var/run/ path (#1678146)
 * Sat Feb 02 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-25
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
 * Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-24
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-23
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Mon Jan 22 2018 Peter Robinson <pbrobinson@fedoraproject.org> 0.112-22
 - Minor spec cleanups, fix arm conditional
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,13 @@
 ---
 inspections:
  # Not a Java package
  javabytecode: off
  # These just flag when things change "too much"
  changedfiles: off
  filesize: off
  patches: off
  upstream: off
  # https://bugzilla.redhat.com/show_bug.cgi?id=2010936
  annocheck: off
--- a/2
+++ b/2
@ -0,0 +1,2 @@
 SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188
 SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c
		`@ -1,2 +0,0 @@`
			`b6777cc78ca2d2f250f3142e97e17dd855bc9b88 SOURCES/certs.tar.xz`
			`1fabe291298395b6dd3129e250d8b67345745834 SOURCES/pesign-113.tar.bz2`
		`@ -0,0 +1,2 @@`
							`SHA512 (certs.tar.xz) = 5df34f507a365ef87320776c99cbfad76365693901c71eaf64fec008afb9acfd7b615da5906b92a070c864e74f44934395c3f474ce5b33844cfa3df49a8ad188`
							`SHA512 (pesign-0.112.tar.bz2) = 96bff27ce5059f1ea299c21ac88998a0c17851b8b06ba2f3e286de5cd4d73651b670ac00ca035481faf9c963338527c89120c63ec891a95ce9ecb9130fbc5e5c`