Try to fix the db problem nirik is seeing trying to upgrade the builders.

Signed-off-by: Peter Jones <pjones@redhat.com>

0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch

@@ -1,7 +1,7 @@
 From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 21 Apr 2016 10:47:34 -0400
-Subject: [PATCH 01/26] cms: kill generate_integer(), it doesn't build on i686
+Subject: [PATCH 01/28] cms: kill generate_integer(), it doesn't build on i686
  and it's unused.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>

0002-Fix-command-line-parsing.patch

@@ -1,7 +1,7 @@
 From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Thu, 9 Jun 2016 14:30:37 +0200
-Subject: [PATCH 02/26] Fix command line parsing
+Subject: [PATCH 02/28] Fix command line parsing
 
 The gettext translation domain should be passed as .arg, not .descrip,
 otherwise popt won't process any of the command line options (it stops

0003-gcc-don-t-error-on-stuff-in-includes.patch

@@ -1,7 +1,7 @@
 From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 Aug 2016 17:12:39 -0400
-Subject: [PATCH 03/26] gcc: don't error on stuff in includes.
+Subject: [PATCH 03/28] gcc: don't error on stuff in includes.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0004-Fix-certficate-argument-name.patch

@@ -1,7 +1,7 @@
 From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:00:34 -0400
-Subject: [PATCH 04/26] Fix "certficate" argument name.
+Subject: [PATCH 04/28] Fix "certficate" argument name.
 
 This fixes our typoed argument name by making the incorrectly spelled
 version be a popt alias, and fixing the real implementation to be

0005-Fix-description-of-ascii-armor-option-in-manpage.patch

@@ -1,7 +1,7 @@
 From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Mon, 27 Jun 2016 15:38:38 +0200
-Subject: [PATCH 05/26] Fix description of --ascii-armor option in manpage
+Subject: [PATCH 05/28] Fix description of --ascii-armor option in manpage
 
 The --ascii option does not exist.
 ---

0006-Make-ascii-work-since-we-documented-it.patch

@@ -1,7 +1,7 @@
 From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:05:40 -0400
-Subject: [PATCH 06/26] Make --ascii work, since we documented it.
+Subject: [PATCH 06/28] Make --ascii work, since we documented it.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch

@@ -1,7 +1,7 @@
 From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Mon, 7 Nov 2016 11:37:08 -0600
-Subject: [PATCH 07/26] Switch pesign client to also accept token/cert macros
+Subject: [PATCH 07/28] Switch pesign client to also accept token/cert macros
  rather than use hard coded values
 
 ---

0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch

@@ -1,7 +1,7 @@
 From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 16 Feb 2017 15:08:30 -0800
-Subject: [PATCH 08/26] pesigcheck: Verify with the cert as an object signer
+Subject: [PATCH 08/28] pesigcheck: Verify with the cert as an object signer
 
 ---
  src/certdb.c | 2 +-

0009-pesigcheck-make-certfile-actually-work.patch

@@ -1,7 +1,7 @@
 From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 24 Apr 2017 15:18:10 -0400
-Subject: [PATCH 09/26] pesigcheck: make --certfile actually work
+Subject: [PATCH 09/28] pesigcheck: make --certfile actually work
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0010-signerInfos-make-sure-err-is-always-initialized.patch

@@ -1,7 +1,7 @@
 From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:15:07 -0400
-Subject: [PATCH 10/26] signerInfos: make sure err is always initialized
+Subject: [PATCH 10/28] signerInfos: make sure err is always initialized
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0011-pesign-make-pesign-h-tell-you-the-file-name.patch

@@ -1,7 +1,7 @@
 From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:23:36 -0400
-Subject: [PATCH 11/26] pesign: make "pesign -h" tell you the file name.
+Subject: [PATCH 11/28] pesign: make "pesign -h" tell you the file name.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0012-Add-coverity-build-scripts.patch

@@ -1,7 +1,7 @@
 From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 May 2017 10:49:57 -0400
-Subject: [PATCH 12/26] Add coverity build scripts
+Subject: [PATCH 12/28] Add coverity build scripts
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0013-Document-implicit-fallthrough.patch

@@ -1,7 +1,7 @@
 From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 8 Jul 2017 16:31:18 -0400
-Subject: [PATCH 13/26] Document implicit fallthrough.
+Subject: [PATCH 13/28] Document implicit fallthrough.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0014-Actually-setfacl-each-directory-of-our-key-storage.patch

@@ -1,7 +1,7 @@
 From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 16 May 2016 15:25:53 -0400
-Subject: [PATCH 14/26] Actually setfacl /each/ directory of our key storage.
+Subject: [PATCH 14/28] Actually setfacl /each/ directory of our key storage.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch

@@ -1,7 +1,7 @@
 From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:31:38 -0400
-Subject: [PATCH 15/26] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
+Subject: [PATCH 15/28] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
  indices.
 
 That was all kinds of wrong.

0016-efikeygen-add-modsign.patch

@@ -1,7 +1,7 @@
 From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:43:56 -0400
-Subject: [PATCH 16/26] efikeygen: add --modsign
+Subject: [PATCH 16/28] efikeygen: add --modsign
 
 ---
  src/cms_common.c | 29 ++++++++++++++++++++++++++++

0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch

@@ -1,7 +1,7 @@
 From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:25:02 -0400
-Subject: [PATCH 17/26] check_cert_db(): try even harder to pick a reasonable
+Subject: [PATCH 17/28] check_cert_db(): try even harder to pick a reasonable
  validation time.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>

0018-show-which-db-we-re-checking.patch

@@ -1,7 +1,7 @@
 From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:58:50 -0400
-Subject: [PATCH 18/26] show which db we're checking
+Subject: [PATCH 18/28] show which db we're checking
 
 ---
  src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-

0019-more-about-the-time.patch

@@ -1,7 +1,7 @@
 From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:00:46 -0400
-Subject: [PATCH 19/26] more about the time
+Subject: [PATCH 19/28] more about the time
 
 ---
  src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------

0020-try-to-say-why-something-fails.patch

@@ -1,7 +1,7 @@
 From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:01:13 -0400
-Subject: [PATCH 20/26] try to say why something fails
+Subject: [PATCH 20/28] try to say why something fails
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0021-Fix-race-condition-in-SEC_GetPassword.patch

@@ -1,7 +1,7 @@
 From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Sat, 6 May 2017 22:45:34 +0200
-Subject: [PATCH 21/26] Fix race condition in SEC_GetPassword
+Subject: [PATCH 21/28] Fix race condition in SEC_GetPassword
 
 A side effect of echoOff is to discard unread input, so if we print the
 prompt before echoOff, the user (or process) at the other end might

0022-sysvinit-Create-the-socket-directory-at-runtime.patch

@@ -1,7 +1,7 @@
 From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Tue, 13 Jun 2017 13:20:16 -0700
-Subject: [PATCH 22/26] sysvinit: Create the socket directory at runtime
+Subject: [PATCH 22/28] sysvinit: Create the socket directory at runtime
 
 This better supports non-systemd configurations with tmpfs on /run.
 ---

0023-Better-authorization-scripts.-Again.patch

@@ -1,7 +1,7 @@
 From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 15:44:44 -0400
-Subject: [PATCH 23/26] Better authorization scripts.  Again.
+Subject: [PATCH 23/28] Better authorization scripts.  Again.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---

0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch

@@ -1,7 +1,7 @@
 From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 17:28:19 -0400
-Subject: [PATCH 24/26] Make the daemon also try to give better errors on
+Subject: [PATCH 24/28] Make the daemon also try to give better errors on
  -EPERM etc.
 
 Basically 6796e5f but also for the daemon.  This also tries to fix them

0025-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch

@@ -1,7 +1,7 @@
 From 8836e45b3c863570249fcba005e6f9b151038025 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:31:31 -0400
-Subject: [PATCH 25/26] rpm: Make the client signer use the fedora values
+Subject: [PATCH 25/28] rpm: Make the client signer use the fedora values
  unless overridden
 
 Signed-off-by: Peter Jones <pjones@redhat.com>

0026-certdb-fix-PRTime-printfs-for-i686.patch

@@ -1,26 +1,31 @@
-From c3838d2556508ebb98b3ee014f465a188ef51c57 Mon Sep 17 00:00:00 2001
+From 3c1918476f57c6b716cbcffd7ccec7949e4789ad Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:40:33 -0400
-Subject: [PATCH 26/26] certdb: fix PRTime printfs for i686
+Subject: [PATCH 26/28] certdb: fix PRTime printfs for i686
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
- src/certdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
+ src/certdb.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/src/certdb.c b/src/certdb.c
-index fae80af..38122a7 100644
+index fae80af..29c9502 100644
 --- a/src/certdb.c
 +++ b/src/certdb.c
-@@ -384,7 +384,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
  	}
  
  	if (lateNow < earlyNow)
 -		printf("Signature has impossible time constraint: %ld <= %ld\n",
+-		       earlyNow / 1000000, lateNow / 1000000);
 +		printf("Signature has impossible time constraint: %lld <= %lld\n",
- 		       earlyNow / 1000000, lateNow / 1000000);
++		       earlyNow / 1000000LL, lateNow / 1000000LL);
  	atTime = earlyNow / 2 + lateNow / 2;
  
+-
+ 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
+ 				    NULL, NULL);
+ 	if (!cinfo)
 -- 
 2.13.4
 

0027-Clean-up-gcc-command-lines-a-little.patch

@@ -0,0 +1,41 @@
+From 6be09b72dc7cbc2d5ef258f1111133b90bb508ce Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 10 Aug 2017 10:02:38 -0400
+Subject: [PATCH 27/28] Clean up gcc command lines a little
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 39b78f0..b6c0381 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -20,8 +20,7 @@ CROSS_COMPILE	?= $(bindir)
+ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
+ CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
+ CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
+-CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
+-	   -Wall -Werror -Wextra -Wno-error=cpp
++CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
+ AS	:= $(CROSS_COMPILE)as
+ AR	:= $(CROSS_COMPILE)gcc-ar
+ RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
+@@ -36,10 +35,10 @@ ARCH	   := $(shell uname -m | sed s,i[3456789]86,ia32,)
+ 
+ SOFLAGS	= -shared
+ clang_cflags =
+-gcc_cflags = -Wmaybe-uninitialized
++gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
+ cflags	= $(CFLAGS) $(ARCH3264) \
+-	-Wall -Werror -Wno-cpp  -Wsign-compare -Wno-unused-result \
+-	-Wno-unused-function\
++	-Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
++	-Wno-unused-function -Wsign-compare \
+ 	-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
+ 	-fno-merge-constants -fkeep-inline-functions \
+ 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
+-- 
+2.13.4
+

0028-Make-pesign-users-groups-static-in-the-repo.patch

@@ -0,0 +1,54 @@
+From 6f250c3e9f3f14f860c91bc59491760efd9449fb Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 10 Aug 2017 10:03:37 -0400
+Subject: [PATCH 28/28] Make pesign-{users,groups} static in the repo.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/Makefile      | 5 +----
+ src/pesign-groups | 1 +
+ src/pesign-users  | 1 +
+ 3 files changed, 3 insertions(+), 4 deletions(-)
+ create mode 100644 src/pesign-groups
+ create mode 100644 src/pesign-users
+
+diff --git a/src/Makefile b/src/Makefile
+index 84ad130..7d68fa1 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
+ 
+ BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
+ SVCTARGETS=pesign.sysvinit pesign.service
+-TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
++TARGETS=$(BINTARGETS) $(SVCTARGETS)
+ 
+ all : deps $(TARGETS)
+ 
+@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
+ 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+ 
+-pesign-users pesign-groups :
+-	echo pesign > $@
+-
+ install :
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
+diff --git a/src/pesign-groups b/src/pesign-groups
+new file mode 100644
+index 0000000..7f57cc5
+--- /dev/null
++++ b/src/pesign-groups
+@@ -0,0 +1 @@
++pesign
+diff --git a/src/pesign-users b/src/pesign-users
+new file mode 100644
+index 0000000..7f57cc5
+--- /dev/null
++++ b/src/pesign-users
+@@ -0,0 +1 @@
++pesign
+-- 
+2.13.4
+

pesign.spec

@@ -54,6 +54,8 @@ Patch0023: 0023-Better-authorization-scripts.-Again.patch
 Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
 Patch0025: 0025-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0026: 0026-certdb-fix-PRTime-printfs-for-i686.patch
+Patch0027: 0027-Clean-up-gcc-command-lines-a-little.patch
+Patch0028: 0028-Make-pesign-users-groups-static-in-the-repo.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as