Update to match f26 and f27 builds.

Signed-off-by: Peter Jones <pjones@redhat.com>
2017-08-15 11:18:06 -04:00 · 2017-08-15 11:18:06 -04:00 · e82e9090a7
commit e82e9090a7
parent 21140f4937
31 changed files with 172 additions and 31 deletions
--- a/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
+++ b/0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
@ -1,7 +1,7 @@
 From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 21 Apr 2016 10:47:34 -0400
-Subject: [PATCH 01/28] cms: kill generate_integer(), it doesn't build on i686
+Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
 and it's unused.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0002-Fix-command-line-parsing.patch
+++ b/0002-Fix-command-line-parsing.patch
@ -1,7 +1,7 @@
 From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Thu, 9 Jun 2016 14:30:37 +0200
-Subject: [PATCH 02/28] Fix command line parsing
+Subject: [PATCH 02/29] Fix command line parsing
 The gettext translation domain should be passed as .arg, not .descrip,
 otherwise popt won't process any of the command line options (it stops
--- a/0003-gcc-don-t-error-on-stuff-in-includes.patch
+++ b/0003-gcc-don-t-error-on-stuff-in-includes.patch
@ -1,7 +1,7 @@
 From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 Aug 2016 17:12:39 -0400
-Subject: [PATCH 03/28] gcc: don't error on stuff in includes.
+Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0004-Fix-certficate-argument-name.patch
+++ b/0004-Fix-certficate-argument-name.patch
@ -1,7 +1,7 @@
 From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:00:34 -0400
-Subject: [PATCH 04/28] Fix "certficate" argument name.
+Subject: [PATCH 04/29] Fix "certficate" argument name.
 This fixes our typoed argument name by making the incorrectly spelled
 version be a popt alias, and fixing the real implementation to be
--- a/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
+++ b/0005-Fix-description-of-ascii-armor-option-in-manpage.patch
@ -1,7 +1,7 @@
 From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Mon, 27 Jun 2016 15:38:38 +0200
-Subject: [PATCH 05/28] Fix description of --ascii-armor option in manpage
+Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
 The --ascii option does not exist.
 ---
--- a/0006-Make-ascii-work-since-we-documented-it.patch
+++ b/0006-Make-ascii-work-since-we-documented-it.patch
@ -1,7 +1,7 @@
 From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 18 Apr 2017 19:05:40 -0400
-Subject: [PATCH 06/28] Make --ascii work, since we documented it.
+Subject: [PATCH 06/29] Make --ascii work, since we documented it.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
+++ b/0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
@ -1,7 +1,7 @@
 From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
 From: Pat Riehecky <riehecky@fnal.gov>
 Date: Mon, 7 Nov 2016 11:37:08 -0600
-Subject: [PATCH 07/28] Switch pesign client to also accept token/cert macros
+Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
 rather than use hard coded values
 ---
--- a/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
+++ b/0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
@ -1,7 +1,7 @@
 From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Thu, 16 Feb 2017 15:08:30 -0800
-Subject: [PATCH 08/28] pesigcheck: Verify with the cert as an object signer
+Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
 ---
 src/certdb.c | 2 +-
--- a/0009-pesigcheck-make-certfile-actually-work.patch
+++ b/0009-pesigcheck-make-certfile-actually-work.patch
@ -1,7 +1,7 @@
 From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 24 Apr 2017 15:18:10 -0400
-Subject: [PATCH 09/28] pesigcheck: make --certfile actually work
+Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0010-signerInfos-make-sure-err-is-always-initialized.patch
+++ b/0010-signerInfos-make-sure-err-is-always-initialized.patch
@ -1,7 +1,7 @@
 From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:15:07 -0400
-Subject: [PATCH 10/28] signerInfos: make sure err is always initialized
+Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
+++ b/0011-pesign-make-pesign-h-tell-you-the-file-name.patch
@ -1,7 +1,7 @@
 From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:23:36 -0400
-Subject: [PATCH 11/28] pesign: make "pesign -h" tell you the file name.
+Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0012-Add-coverity-build-scripts.patch
+++ b/0012-Add-coverity-build-scripts.patch
@ -1,7 +1,7 @@
 From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 10 May 2017 10:49:57 -0400
-Subject: [PATCH 12/28] Add coverity build scripts
+Subject: [PATCH 12/29] Add coverity build scripts
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0013-Document-implicit-fallthrough.patch
+++ b/0013-Document-implicit-fallthrough.patch
@ -1,7 +1,7 @@
 From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Sat, 8 Jul 2017 16:31:18 -0400
-Subject: [PATCH 13/28] Document implicit fallthrough.
+Subject: [PATCH 13/29] Document implicit fallthrough.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
+++ b/0014-Actually-setfacl-each-directory-of-our-key-storage.patch
@ -1,7 +1,7 @@
 From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 16 May 2016 15:25:53 -0400
-Subject: [PATCH 14/28] Actually setfacl /each/ directory of our key storage.
+Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
+++ b/0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
@ -1,7 +1,7 @@
 From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:31:38 -0400
-Subject: [PATCH 15/28] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
+Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
 indices.
 That was all kinds of wrong.
--- a/0016-efikeygen-add-modsign.patch
+++ b/0016-efikeygen-add-modsign.patch
@ -1,7 +1,7 @@
 From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 22 Aug 2016 13:43:56 -0400
-Subject: [PATCH 16/28] efikeygen: add --modsign
+Subject: [PATCH 16/29] efikeygen: add --modsign
 ---
 src/cms_common.c | 29 ++++++++++++++++++++++++++++
--- a/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
+++ b/0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
@ -1,7 +1,7 @@
 From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:25:02 -0400
-Subject: [PATCH 17/28] check_cert_db(): try even harder to pick a reasonable
+Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
 validation time.
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0018-show-which-db-we-re-checking.patch
+++ b/0018-show-which-db-we-re-checking.patch
@ -1,7 +1,7 @@
 From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 16:58:50 -0400
-Subject: [PATCH 18/28] show which db we're checking
+Subject: [PATCH 18/29] show which db we're checking
 ---
 src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
--- a/0019-more-about-the-time.patch
+++ b/0019-more-about-the-time.patch
@ -1,7 +1,7 @@
 From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:00:46 -0400
-Subject: [PATCH 19/28] more about the time
+Subject: [PATCH 19/29] more about the time
 ---
 src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
--- a/0020-try-to-say-why-something-fails.patch
+++ b/0020-try-to-say-why-something-fails.patch
@ -1,7 +1,7 @@
 From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 25 Apr 2017 17:01:13 -0400
-Subject: [PATCH 20/28] try to say why something fails
+Subject: [PATCH 20/29] try to say why something fails
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0021-Fix-race-condition-in-SEC_GetPassword.patch
+++ b/0021-Fix-race-condition-in-SEC_GetPassword.patch
@ -1,7 +1,7 @@
 From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
 From: Julien Cristau <jcristau@debian.org>
 Date: Sat, 6 May 2017 22:45:34 +0200
-Subject: [PATCH 21/28] Fix race condition in SEC_GetPassword
+Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
 A side effect of echoOff is to discard unread input, so if we print the
 prompt before echoOff, the user (or process) at the other end might
--- a/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
+++ b/0022-sysvinit-Create-the-socket-directory-at-runtime.patch
@ -1,7 +1,7 @@
 From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
 From: David Michael <david.michael@coreos.com>
 Date: Tue, 13 Jun 2017 13:20:16 -0700
-Subject: [PATCH 22/28] sysvinit: Create the socket directory at runtime
+Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
 This better supports non-systemd configurations with tmpfs on /run.
 ---
--- a/0023-Better-authorization-scripts.-Again.patch
+++ b/0023-Better-authorization-scripts.-Again.patch
@ -1,7 +1,7 @@
 From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 15:44:44 -0400
-Subject: [PATCH 23/28] Better authorization scripts.  Again.
+Subject: [PATCH 23/29] Better authorization scripts.  Again.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
+++ b/0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
@ -1,7 +1,7 @@
 From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 8 Aug 2017 17:28:19 -0400
-Subject: [PATCH 24/28] Make the daemon also try to give better errors on
+Subject: [PATCH 24/29] Make the daemon also try to give better errors on
 -EPERM etc.
 Basically 6796e5f but also for the daemon.  This also tries to fix them
--- a/0025-certdb-fix-PRTime-printfs-for-i686.patch
+++ b/0025-certdb-fix-PRTime-printfs-for-i686.patch
@ -1,7 +1,7 @@
 From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:40:33 -0400
-Subject: [PATCH 25/28] certdb: fix PRTime printfs for i686
+Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0026-Clean-up-gcc-command-lines-a-little.patch
+++ b/0026-Clean-up-gcc-command-lines-a-little.patch
@ -1,7 +1,7 @@
 From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:02:38 -0400
-Subject: [PATCH 26/28] Clean up gcc command lines a little
+Subject: [PATCH 26/29] Clean up gcc command lines a little
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0027-Make-pesign-users-groups-static-in-the-repo.patch
+++ b/0027-Make-pesign-users-groups-static-in-the-repo.patch
@ -1,7 +1,7 @@
 From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Thu, 10 Aug 2017 10:03:37 -0400
-Subject: [PATCH 27/28] Make pesign-{users,groups} static in the repo.
+Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
--- a/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
+++ b/0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
@ -1,7 +1,7 @@
 From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Wed, 9 Aug 2017 17:31:31 -0400
-Subject: [PATCH 28/28] rpm: Make the client signer use the fedora values
+Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
 unless overridden
 Signed-off-by: Peter Jones <pjones@redhat.com>
--- a/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+++ b/0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
@ -0,0 +1,39 @@
 From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Mon, 14 Aug 2017 11:37:43 -0400
 Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
 have perms on the socket
 ---
 src/macros.pesign | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/src/macros.pesign b/src/macros.pesign
 index 22a3ee6..1665b4c 100644
 --- a/src/macros.pesign
 +++ b/src/macros.pesign
@@ -43,6 +43,21 @@
       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
                  --certdir ${nss} -c signer %{-o}			\
       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
 +    elif [ "%{vendor}" == "Fedora Project" -a				\\\
 +           "$(id -un)" == "mockbuild" -a				\\\
 +           "$(uname -m)" == "x86_64" ] &&				\\\
 +         grep -q ID=fedora /etc/os-release && 				\\\
 +         [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
 +         ! [ -S /var/run/pesign/socket ]; then				\
 +      echo "No socket even though this is "%{_buildhost}"		\
 +      ls -ld /var/run/pesign || :					\
 +      getfacl /var/run/pesign || :					\
 +      ls -l /var/run/pesign/socket || :				\
 +      getfacl /var/run/pesign/socket || :				\
 +      echo =========== env ==============				\
 +      set								\
 +      echo =========== env ==============				\
 +      exit 1								\
     elif [ -S /var/run/pesign/socket ]; then				\
       %{_pesign_client} -t %{__pesign_client_token}			\\\
                         -c %{__pesign_client_cert}			\\\
 -- 
 2.13.4
--- a/pesign.py
+++ b/pesign.py
@ -0,0 +1,91 @@
 #!/usr/bin/python3
 #
 # Copyright 2017 Peter Jones <Peter Jones@random>
 #
 # Distributed under terms of the GPLv3 license.
 """
 mock plugin to make sure pesign and mockbuild users have the right uid and
 gid.
 """
 from mockbuild.trace_decorator import getLog, traceLog
 import mockbuild.util
 requires_api_version = "1.1"
@traceLog()
 def init(plugins, conf, buildroot):
    """ hello """
    Pesign(plugins, conf, buildroot)
 def getuid(name):
    """ get a uid for a user name """
    output = mockbuild.util.do(["getent", "passwd", "%s" % (name,)],
                               returnOutput=1, printOutput=True)
    output = output.split(':')
    return output[2], output[3]
 def getgid(name):
    """ get a gid for a group name """
    output = mockbuild.util.do(["getent", "group", "%s" % (name,)],
                               returnOutput=1, printOutput=True)
    return output.split(':')[2]
 def newgroup(name, gid, rootdir):
    """ create a group with a gid """
    getLog().info("creating group %s with gid %s" % (name, gid))
    mockbuild.util.do(["groupadd",
                       "-g", "%s" % (gid,),
                       "-R", "%s" % (rootdir,),
                       "%s" % (name,),
                      ])
 def newuser(name, uid, gid, rootdir):
    """ create a user with a uid """
    getLog().info("creating user %s with uid %s" % (name, uid))
    mockbuild.util.do(["useradd",
                       "-u", "%s" % (uid,),
                       "-g", "%s" % (gid,),
                       "-R", "%s" % (rootdir,),
                       "%s" % (name,)])
 class Pesign(object):
    """ Creates some stuff in our mock root """
    # pylint: disable=too-few-public-methods
    @traceLog()
    def __init__(self, plugins, conf, buildroot):
        """ Effectively we're doing:
            getent group pesign >/dev/null || groupadd -r pesign
            getent passwd pesign >/dev/null || \
                    useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
                    -c "Group for the pesign signing daemon" pesign
        """
        self.buildroot = buildroot
        self.pesign_opts = conf
        self.config = buildroot.config
        self.state = buildroot.state
        self.users = {}
        self.groups = {}
        plugins.add_hook("postinit", self._pesignPostInitHook)
    @traceLog()
    def _pesignPostInitHook(self):
        """ find our uid and gid lists """
        for user in self.pesign_opts['users']:
            uid, gid = getuid(user)
            self.users[user] = [user, uid, gid]
        for group in self.pesign_opts['groups']:
            gid = getgid(group)
            self.groups[group] = [group, gid]
        # create our users
        rootdir = self.buildroot.make_chroot_path()
        for name, gid in self.groups.values():
            newgroup(name, gid, rootdir)
        for name, uid, gid in self.users.values():
            newuser(name, uid, gid, rootdir)
 # -*- coding: utf-8 -*-
 # vim:fenc=utf-8:tw=75
--- a/pesign.spec
+++ b/pesign.spec
@ -3,7 +3,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.112
-Release: 6%{?dist}
+Release: 19%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@ -15,6 +15,7 @@ BuildRequires: nss-devel >= 3.13.6-1
 BuildRequires: efivar-devel >= 30-4
 BuildRequires: libuuid-devel
 BuildRequires: tar xz
 BuildRequires: python3-rpm-macros python3
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
 BuildRequires: systemd
 %endif
@ -27,6 +28,7 @@ BuildRequires: rh-signing-tools >= 1.20-2
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Source2: pesign.py
 Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
 Patch0002: 0002-Fix-command-line-parsing.patch
@ -56,6 +58,7 @@ Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
 Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
 Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
 Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
 Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
 %description
 This package contains the pesign utility for signing UEFI binaries as
@ -105,6 +108,9 @@ rm -vf %{buildroot}/usr/share/doc/pesign-%{version}/COPYING
 # and find-debuginfo.sh has some pretty awful deficencies too...
 cp -av libdpe/*.[ch] src/
 install -d -m 0755 %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
 getent passwd pesign >/dev/null || \
@ -116,8 +122,8 @@ exit 0
 %post
 %systemd_post pesign.service
-%posttrans
+#%%posttrans
-%{_libexecdir}/pesign/pesign-authorize
+#%%{_libexecdir}/pesign/pesign-authorize
 %preun
 %systemd_preun pesign.service
@ -155,8 +161,13 @@ exit 0
 %{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
 %endif
 %{python3_sitelib}/mockbuild/plugins/*/pesign.*
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 %changelog
 * Tue Aug 15 2017 Peter Jones <pjones@redhat.com> - 0.112-19
 - Update to match f26 and f27 builds.
 * Thu Aug 10 2017 Peter Jones <pjones@redhat.com> - 0.112-6
 - Try to fix the db problem nirik is seeing trying to upgrade the builders.