Obsolete pesign-rh-test-certs

Signed-off-by: Peter Jones <pjones@redhat.com>

.gitignore

@@ -2,3 +2,6 @@
 clog
 /rh-test-certs.tar.bz2
 *.rpm
+/certs.tar.xz
+.build*.log
+/pesign-*/

0001-Fix-one-more-Wsign-compare-problem-I-missed.patch

@@ -0,0 +1,71 @@
+From ae2520e013caf4f5d0dae89623dc08925d6cd472 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 28 Oct 2015 15:58:07 -0400
+Subject: [PATCH] Fix one more -Wsign-compare problem I missed.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/daemon.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 02b7352..175c874 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -194,7 +194,7 @@ malformed:
+ 		return;
+ 	}
+ 	n -= sizeof(tn->size);
+-	if (n < tn->size)
++	if ((size_t)n < tn->size)
+ 		goto malformed;
+ 	n -= tn->size;
+ 
+@@ -202,10 +202,10 @@ malformed:
+ 		goto malformed;
+ 
+ 	pesignd_string *tp = pesignd_string_next(tn);
+-	if (n < (long long)sizeof(tp->size))
++	if ((size_t)n < sizeof(tp->size))
+ 		goto malformed;
+ 	n -= sizeof(tp->size);
+-	if (n < tp->size)
++	if ((size_t)n < tp->size)
+ 		goto malformed;
+ 	n -= tp->size;
+ 
+@@ -298,7 +298,7 @@ malformed:
+ 		return;
+ 	}
+ 	n -= sizeof(tn->size);
+-	if (n < tn->size)
++	if ((size_t)n < tn->size)
+ 		goto malformed;
+ 	n -= tn->size;
+ 
+@@ -487,7 +487,7 @@ malformed:
+ 	}
+ 
+ 	n -= sizeof(tn->size);
+-	if (n < tn->size)
++	if ((size_t)n < tn->size)
+ 		goto malformed;
+ 	n -= tn->size;
+ 
+@@ -497,11 +497,11 @@ malformed:
+ 	if (!ctx->cms->tokenname)
+ 		goto oom;
+ 
+-	if (n < (long long)sizeof(tn->size))
++	if ((size_t)n < sizeof(tn->size))
+ 		goto malformed;
+ 	pesignd_string *cn = pesignd_string_next(tn);
+ 	n -= sizeof(cn->size);
+-	if (n < cn->size)
++	if ((size_t)n < cn->size)
+ 		goto malformed;
+ 
+ 	ctx->cms->certname = PORT_ArenaStrdup(ctx->cms->arena,
+-- 
+2.5.0
+

0001-Make-make-install_systemd-and-make-install_sysvinit-.patch

@@ -1,75 +0,0 @@
-From fd52dc1631d46cdf4eac9053be7e2e7a19977df2 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Fri, 24 Oct 2014 16:26:26 -0400
-Subject: [PATCH 1/2] Make "make install_systemd" and "make install_sysvinit"
- not error.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- include/Makefile        | 4 ++++
- include/libdpe/Makefile | 4 ++++
- libdpe/Makefile         | 4 ++++
- util/Makefile           | 4 ++++
- 4 files changed, 16 insertions(+)
-
-diff --git a/include/Makefile b/include/Makefile
-index 4314287..2b1f0ff 100644
---- a/include/Makefile
-+++ b/include/Makefile
-@@ -16,6 +16,10 @@ clean :
- install :
- 	@for x in $(SUBDIRS) ; do $(MAKE) -C $${x} TOPDIR=$(TOPDIR) SRCDIR=$(TOPDIR)/$@/ ARCH=$(ARCH) $@ ; done
- 
-+install_systemd:
-+
-+install_sysvinit:
-+
- .PHONY: all $(SUBDIRS) clean install
- 
- include $(TOPDIR)/Make.rules
-diff --git a/include/libdpe/Makefile b/include/libdpe/Makefile
-index f8a1e2c..f94001e 100644
---- a/include/libdpe/Makefile
-+++ b/include/libdpe/Makefile
-@@ -13,4 +13,8 @@ install:
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/include/libdpe/
- 	$(INSTALL) -m 644 *.h $(INSTALLROOT)$(PREFIX)/include/libdpe/
- 
-+install_systemd:
-+
-+install_sysvinit:
-+
- include $(TOPDIR)/Make.rules
-diff --git a/libdpe/Makefile b/libdpe/Makefile
-index a8b0c26..b94379c 100644
---- a/libdpe/Makefile
-+++ b/libdpe/Makefile
-@@ -37,6 +37,10 @@ install :
- 		$(INSTALL) -m 755  $$x $(INSTALLROOT)$(LIBDIR) ; \
- 	done
- 
-+install_systemd:
-+
-+install_sysvinit:
-+
- .PHONY: all clean install
- 
- include $(TOPDIR)/Make.rules
-diff --git a/util/Makefile b/util/Makefile
-index ff11cb8..2f71b73 100644
---- a/util/Makefile
-+++ b/util/Makefile
-@@ -20,6 +20,10 @@ install :
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/boot/efi/EFI/redhat/
- 	$(INSTALL) -m 755 *.efi $(INSTALLROOT)/boot/efi/EFI/redhat/
- 
-+install_systemd:
-+
-+install_sysvinit:
-+
- .PHONY: all clean install
- 
- include $(TOPDIR)/Make.efirules
--- 
-1.9.3
-

0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch

@@ -0,0 +1,63 @@
+From 6796e5f7b0ab1eb08f92887ae0427cf5a4120e0b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Sun, 8 Nov 2015 14:42:29 -0500
+Subject: [PATCH 1/5] pesign: when nss fails to tell us -EPERM or -ENOENT,
+ figure it out.
+
+This should make -EPERM problems much easier for the user to diagnose.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign.c | 24 ++++++++++++++++++++----
+ 1 file changed, 20 insertions(+), 4 deletions(-)
+
+diff --git a/src/pesign.c b/src/pesign.c
+index 1d72657..09b6a2b 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -17,7 +17,9 @@
+  * Author(s): Peter Jones <pjones@redhat.com>
+  */
+ 
++#include <err.h>
+ #include <fcntl.h>
++#include <glob.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -576,14 +578,28 @@ main(int argc, char *argv[])
+ 
+ 	if (!daemon) {
+ 		SECStatus status;
+-		if (need_db)
++		if (need_db) {
+ 			status = NSS_Init(certdir);
+-		else
++			if (status != SECSuccess) {
++				char *globpattern = NULL;
++				rc = asprintf(&globpattern, "%s/cert*.db",
++					      certdir);
++				if (rc > 0) {
++					glob_t globbuf;
++					memset(&globbuf, 0, sizeof(globbuf));
++					rc = glob(globpattern, GLOB_ERR, NULL,
++						  &globbuf);
++					if (rc != 0) {
++						err(1, "Could not open NSS database (\"%s\")",
++						     PORT_ErrorToString(PORT_GetError()));
++					}
++				}
++			}
++		} else
+ 			status = NSS_NoDB_Init(NULL);
+ 		if (status != SECSuccess) {
+-			fprintf(stderr, "Could not initialize nss: %s\n",
++			errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
+ 				PORT_ErrorToString(PORT_GetError()));
+-			exit(1);
+ 		}
+ 
+ 		status = register_oids(ctxp->cms_ctx);
+-- 
+2.5.0
+

0002-Install-authvar-and-efisiglist.patch

@@ -1,39 +0,0 @@
-From 5a293fb24da9ee68f43bf94f08b07569d3556ce1 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Fri, 24 Oct 2014 16:29:19 -0400
-Subject: [PATCH 2/2] Install authvar and efisiglist
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/Makefile | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/src/Makefile b/src/Makefile
-index 4c86a2a..007505c 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -76,17 +76,19 @@ install :
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- 	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/bin/
-+	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(PREFIX)/bin/
- 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(PREFIX)/bin/
- 	$(INSTALL) -m 755 client $(INSTALLROOT)$(PREFIX)/bin/pesign-client
- 	$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(PREFIX)/bin/
--	#$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
-+	$(INSTALL) -m 755 efisiglist $(INSTALLROOT)$(PREFIX)/bin/
-+	$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(PREFIX)/bin/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/popt.d/
- 	$(INSTALL) -m 644 pesign.popt $(INSTALLROOT)/etc/popt.d/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/usr/share/man/man1/
- 	$(INSTALL) -m 644 pesign.1 $(INSTALLROOT)/usr/share/man/man1/
- 	$(INSTALL) -m 644 pesign-client.1 $(INSTALLROOT)/usr/share/man/man1/
- 	$(INSTALL) -m 644 efikeygen.1 $(INSTALLROOT)/usr/share/man/man1/
--	#$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
-+	$(INSTALL) -m 644 pesigcheck.1 $(INSTALLROOT)/usr/share/man/man1/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
- 
--- 
-1.9.3
-

0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch

@@ -0,0 +1,39 @@
+From 1a9a8eefe8f9a9b21996151a5afd956df22921ea Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 19 Nov 2015 11:36:59 -0500
+Subject: [PATCH 2/5] setfacl the nss DBs to our authorized users, not just the
+ socket.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize-groups | 2 ++
+ src/pesign-authorize-users  | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index e3864ce..2236bea 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
+     for group in $(cat /etc/pesign/groups); do
+         setfacl -m g:${group}:rx /var/run/pesign
+         setfacl -m g:${group}:rw /var/run/pesign/socket
++        setfacl -m g:${username}:rx /etc/pki/pesign
++        setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+     done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index e500204..9c38a25 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
+     for username in $(cat /etc/pesign/users); do
+         setfacl -m u:${username}:rx /var/run/pesign
+         setfacl -m u:${username}:rw /var/run/pesign/socket
++        setfacl -m u:${username}:rx /etc/pki/pesign
++        setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+     done
+ fi
+-- 
+2.5.0
+

0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch

@@ -0,0 +1,54 @@
+From 4c70ae807156099bf027b57a94b7eae0a810b947 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 20 Nov 2015 19:19:49 -0500
+Subject: [PATCH 3/5] Don't setfacl when the socket or dir aren't there.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize-groups | 10 ++++++----
+ src/pesign-authorize-users  | 10 ++++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2236bea..2222809 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -11,9 +11,11 @@
+ 
+ if [[ -r /etc/pesign/groups ]]; then
+     for group in $(cat /etc/pesign/groups); do
+-        setfacl -m g:${group}:rx /var/run/pesign
+-        setfacl -m g:${group}:rw /var/run/pesign/socket
+-        setfacl -m g:${username}:rx /etc/pki/pesign
+-        setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	if [ -d /var/run/pesign ]; then
++	    setfacl -m g:${group}:rx /var/run/pesign
++	    if [ -e /var/run/pesign/socket ]; then
++		setfacl -m g:${group}:rw /var/run/pesign/socket
++	    fi
++	fi
+     done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 9c38a25..22bddec 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -11,9 +11,11 @@
+ 
+ if [[ -r /etc/pesign/users ]]; then
+     for username in $(cat /etc/pesign/users); do
+-        setfacl -m u:${username}:rx /var/run/pesign
+-        setfacl -m u:${username}:rw /var/run/pesign/socket
+-        setfacl -m u:${username}:rx /etc/pki/pesign
+-        setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	if [ -d /var/run/pesign ]; then
++	    setfacl -m g:${username}:rx /var/run/pesign
++	    if [ -e /var/run/pesign/socket ]; then
++		setfacl -m g:${username}:rw /var/run/pesign/socket
++	    fi
++	fi
+     done
+ fi
+-- 
+2.5.0
+

0004-setfacl-the-db-as-well.patch

@@ -0,0 +1,51 @@
+From f7a16f89f3ed327d3e2f4ce897917c2966fb427d Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 20 Nov 2015 19:21:39 -0500
+Subject: [PATCH 4/5] setfacl the db as well
+
+And also get all our "-m [ug]:${name}:$perm" arguments right.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesign-authorize-groups | 4 ++++
+ src/pesign-authorize-users  | 8 ++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2222809..13aefa6 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
+ 		setfacl -m g:${group}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
++	if [ -d /etc/pki/pesign ]; then
++	    setfacl -m g:${group}:rx /etc/pki/pesign
++	    setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	fi
+     done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 22bddec..a43ce44 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -12,10 +12,14 @@
+ if [[ -r /etc/pesign/users ]]; then
+     for username in $(cat /etc/pesign/users); do
+ 	if [ -d /var/run/pesign ]; then
+-	    setfacl -m g:${username}:rx /var/run/pesign
++	    setfacl -m u:${username}:rx /var/run/pesign
+ 	    if [ -e /var/run/pesign/socket ]; then
+-		setfacl -m g:${username}:rw /var/run/pesign/socket
++		setfacl -m u:${username}:rw /var/run/pesign/socket
+ 	    fi
+ 	fi
++	if [ -d /etc/pki/pesign ]; then
++	    setfacl -m u:${username}:rx /etc/pki/pesign
++	    setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++	fi
+     done
+ fi
+-- 
+2.5.0
+

0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch

@@ -0,0 +1,61 @@
+From bfa02b50f9bbb60c3b04f159864aa4a87b0020e2 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 30 Nov 2015 15:34:35 -0500
+Subject: [PATCH 5/5] Do a better job of isolating pesign-rh-test-crap
+
+---
+ src/Makefile      |  1 +
+ src/macros.pesign | 10 ++++++++--
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index af3fd07..1822d3f 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -65,6 +65,7 @@ install_sysvinit: pesign.sysvinit
+ 
+ install :
+ 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
++	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
+ 	$(INSTALL) -d -m 770 $(INSTALLROOT)/var/run/pesign/
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 39374ce..9644940 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -7,7 +7,7 @@
+ # And magically get the right thing.
+ 
+ %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
+-%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}
++%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
+ 
+ %_pesign /usr/bin/pesign
+ %_pesign_client /usr/bin/pesign-client
+@@ -21,6 +21,10 @@
+ # -a <input ca cert filename>		# rhel only
+ # -s 					# perform signing
+ %pesign(i:o:C:e:c:n:a:s)						\
++  _pesign_nssdir=/etc/pki/pesign					\
++  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
++    _pesign_nssdir=/etc/pki/pesign-rh-test				\
++  fi									\
+   if [ -x %{_pesign} ] &&  						\\\
+        [ "%{_target_cpu}" == "x86_64" -o 				\\\
+          "%{_target_cpu}" == "aarch64" ]; then				\
+@@ -39,9 +43,10 @@
+     elif [ -S /var/run/pesign/socket ]; then				\
+       %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
+                         -c "/CN=Fedora Secure Boot Signer"		\\\
+                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
+     else								\
+-      %{_pesign} %{__pesign_token} %{__pesign_cert}			\\\
++      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
++		 --certdir ${_pesign_nssdir}				\\\
+                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
+     fi									\
+   else									\
+-- 
+2.5.0
+

pesign.spec

@@ -2,17 +2,19 @@
 
 Summary: Signing utility for UEFI binaries
 Name: pesign
-Version: 0.110
-Release: 3%{?dist}
+Version: 0.111
+Release: 7%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
+Obsoletes: pesign-rh-test-certs <= 0.111-7
 BuildRequires: git nspr nss nss-util popt-devel
 BuildRequires: coolkey opensc nss-tools
 BuildRequires: nspr-devel >= 4.9.2-1
 BuildRequires: nss-devel >= 3.13.6-1
 BuildRequires: efivar-devel >= 0.14-1
 BuildRequires: libuuid-devel
+BuildRequires: tar xz
 Requires: nspr nss nss-util popt rpm coolkey opensc
 Requires(pre): shadow-utils
 ExclusiveArch: i686 x86_64 ia64 aarch64
@@ -21,16 +23,21 @@ BuildRequires: rh-signing-tools >= 1.20-2
 %endif
 
 Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
-Source1: rh-test-certs.tar.bz2
-Patch0001: 0001-Make-make-install_systemd-and-make-install_sysvinit-.patch
-Patch0002: 0002-Install-authvar-and-efisiglist.patch
+Source1: certs.tar.xz
+Patch0001: 0001-Fix-one-more-Wsign-compare-problem-I-missed.patch
+Patch10001: 0001-pesign-when-nss-fails-to-tell-us-EPERM-or-ENOENT-fig.patch
+Patch10002: 0002-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
+Patch10003: 0003-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
+Patch10004: 0004-setfacl-the-db-as-well.patch
+Patch10005: 0005-Do-a-better-job-of-isolating-pesign-rh-test-crap.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
 well as other associated tools.
 
 %prep
-%setup -q -a 1
+%setup -q -a 0 
+%setup -a 1 -D -c -n pesign-%{version}/
 git init
 git config user.email "pesign-owner@fedoraproject.org"
 git config user.name "Fedora Ninjas"
@@ -56,12 +63,10 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
 # there's some stuff that's not really meant to be shipped yet
 rm -rf %{buildroot}/boot %{buildroot}/usr/include
 rm -rf %{buildroot}%{_libdir}/libdpe*
-mv rh-test-certs/etc/pki/pesign/* %{buildroot}/etc/pki/pesign/
-
-#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add coolkey \
-#	-libfile %{_libdir}/pkcs11/libcoolkeypk11.so
-modutil -force -dbdir %{buildroot}/etc/pki/pesign -add opensc \
-	-libfile %{_libdir}/pkcs11/opensc-pkcs11.so
+mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign/
+mkdir -p %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
+cp -a etc/pki/pesign/* %{buildroot}%{_sysconfdir}/pki/pesign/
+cp -a etc/pki/pesign-rh-test/* %{buildroot}%{_sysconfdir}/pki/pesign-rh-test/
 
 if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
 	mkdir -p %{buildroot}%{macrosdir}
@@ -69,6 +74,7 @@ if [ %{macrosdir} != %{_sysconfdir}/rpm ]; then
 		%{buildroot}%{macrosdir}
 	rmdir %{buildroot}%{_sysconfdir}/rpm
 fi
+rm -f %{buildroot}/usr/usr/share/doc/pesign-0.111/COPYING
 
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
@@ -80,37 +86,89 @@ exit 0
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
 %post
 %systemd_post pesign.service
-
+modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
+	-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
+#modutil -force -dbdir %{_sysconfdir}/pki/pesign -add coolkey \
+#	-libfile %%{_libdir}/pkcs11/libcoolkeypk11.so
 %preun
 %systemd_preun pesign.service
 
 %postun
 %systemd_postun_with_restart pesign.service
+%else
+%post
+modutil -force -dbdir %{_sysconfdir}/pki/pesign -add opensc \
+	-libfile %{_libdir}/pkcs11/opensc-pkcs11.so >/dev/null
 %endif
 
 %files
 %defattr(-,root,root,-)
-%doc README TODO COPYING
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README TODO
 %{_bindir}/authvar
 %{_bindir}/efikeygen
 %{_bindir}/efisiglist
 %{_bindir}/pesigcheck
 %{_bindir}/pesign
 %{_bindir}/pesign-client
+%dir %{_libexecdir}/pesign/
+%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
+%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
+%dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
+%attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
+%{_libexecdir}/pesign/pesign-authorize-users
+%{_libexecdir}/pesign/pesign-authorize-groups
+%config(noreplace)/%{_sysconfdir}/pesign/users
+%config(noreplace)/%{_sysconfdir}/pesign/groups
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
 %{_mandir}/man*/*
-%dir %attr(0775,pesign,pesign) /etc/pki/pesign
-%attr(0664,pesign,pesign) /etc/pki/pesign/*
+%dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign
+%attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
 %dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
 %ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
-%{_prefix}/lib/tmpfiles.d/pesign.conf
+%{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
 %endif
 
 %changelog
+* Thu Dec 10 2015 Peter Jones <pjones@redhat.com> - 0.111-7
+- Obsolete pesign-rh-test-certs, it was in -1's update.
+  Resolves: rhbz#1283475
+
+* Wed Dec 02 2015 Peter Jones <pjones@redhat.com> - 0.111-6
+- *Don't* use --certdir if we're using the socket.
+  Related: rhbz#1283475
+  Related: rhbz#1284063
+  Related: rhbz#1284561
+
+* Tue Dec 01 2015 Peter Jones <pjones@redhat.com> - 0.111-5
+- Actually do a better job of choosing which cert to use when, so people will
+  stop seeing any of this problem.  (Thanks for the thought, jforbes.)
+  Resolves: rhbz#1283475
+  Resolves: rhbz#1284063
+  Resolves: rhbz#1284561
+
+* Mon Nov 30 2015 Peter Jones <pjones@redhat.com> - 0.111-5
+- setfacl even harder.
+  Related: rhbz#1283475
+  Related: rhbz#1284063
+  Related: rhbz#1284561
+
+* Fri Nov 20 2015 Peter Jones <pjones@redhat.com> - 0.111-3
+- Better ACL setting code.
+  Related: rhbz#1283475
+
+* Thu Nov 19 2015 Peter Jones <pjones@redhat.com> - 0.111-2
+- Allow the mockbuild user to read the nss database if the account exists.
+
+* Wed Oct 28 2015 Peter Jones <pjones@redhat.com> - 0.111-1
+- Rebase to 0.111
+- Split test certs out into a "Recommends" subpackage.
+
 * Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.110-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-328db7cb27847cb610b7cf8f9c470455  rh-test-certs.tar.bz2
-a136d0b4fcbcb96b08e743368c31f83c  pesign-0.110.tar.bz2
+b2c6b74c2475a1442634d1386d888c24  pesign-0.111.tar.bz2
+e377e0bc924287ee09356a239c5f51a8  certs.tar.xz