Roll up to pjones's smartcard/cms fixes

Signed-off-by: Robbie Harwood <rharwood@redhat.com>

0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch

@@ -1,72 +0,0 @@
-From 33bcca8303cad962606df3bfc6a031a9b0626375 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Thu, 21 Apr 2016 10:47:34 -0400
-Subject: [PATCH 01/29] cms: kill generate_integer(), it doesn't build on i686
- and it's unused.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/cms_common.c | 34 ----------------------------------
- src/cms_common.h |  1 -
- 2 files changed, 35 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index b19bc62..6a4e6a7 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -641,40 +641,6 @@ generate_string(cms_context *cms, SECItem *der, char *str)
- 	return 0;
- }
- 
--static SEC_ASN1Template IntegerTemplate[] = {
--	{.kind = SEC_ASN1_INTEGER,
--	 .offset = 0,
--	 .sub = NULL,
--	 .size = sizeof(long),
--	},
--	{ 0 },
--};
--
--int
--generate_integer(cms_context *cms, SECItem *der, unsigned long integer)
--{
--	void *ret;
--
--	uint32_t u32;
--
--	SECItem input = {
--		.data = (void *)&integer,
--		.len = sizeof(integer),
--		.type = siUnsignedInteger,
--	};
--
--	if (integer < 0x100000000) {
--		u32 = integer & 0xffffffffUL;
--		input.data = (void *)&u32;
--		input.len = sizeof(u32);
--	}
--
--	ret = SEC_ASN1EncodeItem(cms->arena, der, &input, IntegerTemplate);
--	if (ret == NULL)
--		cmsreterr(-1, cms, "could not encode data");
--	return 0;
--}
--
- int
- generate_time(cms_context *cms, SECItem *encoded, time_t when)
- {
-diff --git a/src/cms_common.h b/src/cms_common.h
-index 7d77faf..c7d7268 100644
---- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -117,7 +117,6 @@ extern int generate_object_id(cms_context *ctx, SECItem *encoded,
- 				SECOidTag tag);
- extern int generate_empty_sequence(cms_context *ctx, SECItem *encoded);
- extern int generate_time(cms_context *ctx, SECItem *encoded, time_t when);
--extern int generate_integer(cms_context *cms, SECItem *der, unsigned long integer);
- extern int generate_string(cms_context *cms, SECItem *der, char *str);
- extern int wrap_in_set(cms_context *cms, SECItem *der, SECItem **items);
- extern int wrap_in_seq(cms_context *cms, SECItem *der,
--- 
-2.13.4
-

0001-daemon-remove-always-true-comparison.patch

@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Tue, 8 Mar 2022 12:59:34 -0500
+Subject: [PATCH] daemon: remove always-true comparison
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/daemon.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index 0a66deb..ff88210 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -221,8 +221,7 @@ malformed:
+ 	if (!ctx->cms->tokenname)
+ 		goto oom;
+ 
+-	if (!tp->value)
+-		pin = strndup((char *)tp->value, tp->size);
++	pin = strndup((char *)tp->value, tp->size);
+ 	if (!pin)
+ 		goto oom;
+ 

0002-Fix-command-line-parsing.patch

@@ -1,73 +0,0 @@
-From 5be0515dee24308fd7e270bf2e0fb5e5a7a78f32 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Thu, 9 Jun 2016 14:30:37 +0200
-Subject: [PATCH 02/29] Fix command line parsing
-
-The gettext translation domain should be passed as .arg, not .descrip,
-otherwise popt won't process any of the command line options (it stops
-looping over the struct poptOption array when an entry has unset
-longName, shortName and arg).
-
-Signed-off-by: Julien Cristau <jcristau@debian.org>
----
- src/client.c     | 2 +-
- src/efikeygen.c  | 2 +-
- src/efisiglist.c | 2 +-
- src/pesigcheck.c | 2 +-
- 4 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/src/client.c b/src/client.c
-index 028419f..575c873 100644
---- a/src/client.c
-+++ b/src/client.c
-@@ -555,7 +555,7 @@ main(int argc, char *argv[])
- 
- 	struct poptOption options[] = {
- 		{.argInfo = POPT_ARG_INTL_DOMAIN,
--		 .descrip = "pesign" },
-+		 .arg = "pesign" },
- 		{.longName = "token",
- 		 .shortName = 't',
- 		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
-diff --git a/src/efikeygen.c b/src/efikeygen.c
-index 6278849..8a515a5 100644
---- a/src/efikeygen.c
-+++ b/src/efikeygen.c
-@@ -486,7 +486,7 @@ int main(int argc, char *argv[])
- 	poptContext optCon;
- 	struct poptOption options[] = {
- 		{.argInfo = POPT_ARG_INTL_DOMAIN,
--		 .descrip = "pesign" },
-+		 .arg = "pesign" },
- 		/* global nss-ish things */
- 		{.longName = "dbdir",
- 		 .shortName = 'd',
-diff --git a/src/efisiglist.c b/src/efisiglist.c
-index cd3f1ae..40d6a93 100644
---- a/src/efisiglist.c
-+++ b/src/efisiglist.c
-@@ -126,7 +126,7 @@ main(int argc, char *argv[])
- 
- 	struct poptOption options[] = {
- 		{.argInfo = POPT_ARG_INTL_DOMAIN,
--		 .descrip = "pesign" },
-+		 .arg = "pesign" },
- 		{.longName = "infile",
- 		 .shortName = 'i',
- 		 .argInfo = POPT_ARG_STRING,
-diff --git a/src/pesigcheck.c b/src/pesigcheck.c
-index 1328fe9..0d49c1a 100644
---- a/src/pesigcheck.c
-+++ b/src/pesigcheck.c
-@@ -214,7 +214,7 @@ main(int argc, char *argv[])
- 	poptContext optCon;
- 	struct poptOption options[] = {
- 		{.argInfo = POPT_ARG_INTL_DOMAIN,
--		 .descrip = "pesign" },
-+		 .arg = "pesign" },
- 		{.longName = "dbfile",
- 		 .shortName = 'D',
- 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
--- 
-2.13.4
-

0002-make-handle-some-gcc-Wanalyzer-flags-better.patch

@@ -0,0 +1,40 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 11 Mar 2022 12:45:28 -0500
+Subject: [PATCH] make: handle some gcc -Wanalyzer flags better
+
+This makes it so we won't use the -Wanalyzer / -fanalyzer flags by
+default, because they're still pretty overzealous.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ Make.defaults | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 130c1ee..1c18904 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -32,11 +32,11 @@ CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
+ CFLAGS	?= -O2 -g3 -pipe -fPIE -fstack-protector-all \
+ 	-fstack-clash-protection \
+ 	$(if $(filter x86_64 ia32,$(ARCH)),-fcf-protection=full,)
+-DIAGFLAGS ?= -fmessage-length=0 \
++DIAGFLAGS ?= $(call enabled,ENABLE_GCC_ANALYZER,-fmessage-length=0 \
+ 	     -fdiagnostics-color=always \
+ 	     -fdiagnostics-format=text \
+ 	     -fdiagnostics-show-cwe \
+-	     -fanalyzer \
++	     -fanalyzer) \
+ 	     $(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,)
+ AS	?= $(CROSS_COMPILE)as
+ AR	?= $(CROSS_COMPILE)$(if $(filter $(CC),clang),llvm-ar,$(notdir $(CC))-ar)
+@@ -59,7 +59,7 @@ endif
+ cflags	= $(CFLAGS) $(ARCH3264) \
+ 	-Wall -Wextra -Wsign-compare -Wno-unused-result \
+ 	-Wno-unused-function -Wno-missing-field-initializers \
+-	-Wno-analyzer-malloc-leak \
++	$(call enabled,ENABLE_LEAK_CHECKER,-Wno-analyzer-malloc-leak,) \
+ 	-Werror -Wno-error=cpp -Wno-free-nonheap-object \
+ 	-std=gnu11 -fshort-wchar -fPIC -fno-strict-aliasing \
+ 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \

0003-Rename-dprintf-to-dbgprintf.patch

@@ -0,0 +1,664 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 11 Mar 2022 12:46:16 -0500
+Subject: [PATCH] Rename "dprintf' to "dbgprintf"
+
+stdio defines a dprintf() macro now, so using dprintf() for our debug
+printer gets obnoxious warnings.  This renames it to dbgprintf().
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/cms_common.c    | 73 +++++++++++++++++++++++++++++------------------------
+ src/cms_pe_common.c | 20 +++++++--------
+ src/efikeygen.c     | 16 ++++++------
+ src/file_pe.c       |  6 +++--
+ src/password.c      | 68 ++++++++++++++++++++++++-------------------------
+ src/pesign.c        | 10 ++++----
+ src/util.h          | 26 +++++++++----------
+ 7 files changed, 114 insertions(+), 105 deletions(-)
+
+diff --git a/src/cms_common.c b/src/cms_common.c
+index ca37e6a..86341ca 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -333,13 +333,13 @@ void cms_set_pw_data(cms_context *cms, secuPWData *pwdata)
+ 
+ 	if (!pwdata) {
+ 		cms->pwdata.source = PW_SOURCE_INVALID;
+-		dprintf("pwdata:NULL");
++		dbgprintf("pwdata:NULL");
+ 	} else {
+ 		memmove(&cms->pwdata, pwdata, sizeof(*pwdata));
+-		dprintf("pwdata:%p", pwdata);
+-		dprintf("pwdata->source:%d", pwdata->source);
+-		dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+-			pwdata->data ? pwdata->data : "(null)");
++		dbgprintf("pwdata:%p", pwdata);
++		dbgprintf("pwdata->source:%d", pwdata->source);
++		dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
++			  pwdata->data ? pwdata->data : "(null)");
+ 	}
+ 
+ 	egress();
+@@ -382,7 +382,7 @@ is_valid_cert(CERTCertificate *cert, void *data)
+ 
+ 	errnum = PORT_GetError();
+ 	if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
+-		dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
++		dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ 		PORT_SetError(0);
+ 		errnum = 0;
+ 	}
+@@ -415,7 +415,7 @@ is_valid_cert_without_private_key(CERTCertificate *cert, void *data)
+ 
+ 	errnum = PORT_GetError();
+ 	if (errnum == SEC_ERROR_EXTENSION_NOT_FOUND) {
+-		dprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
++		dbgprintf("Got SEC_ERROR_EXTENSION_NOT_FOUND; clearing");
+ 		PORT_SetError(0);
+ 		errnum = 0;
+ 	}
+@@ -467,23 +467,23 @@ unescape_html_in_place(char *s)
+ 	size_t pos = 0;
+ 	char *s1;
+ 
+-	dprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
++	dbgprintf("unescaping pos:%zd sz:%zd \"%s\"", pos, sz, s);
+ 	do {
+ 		s1 = strchrnul(&s[pos], '%');
+ 		if (s1[0] == '\0')
+ 			break;
+-		dprintf("s1 is \"%s\"", s1);
++		dbgprintf("s1 is \"%s\"", s1);
+ 		if ((size_t)(s1 - s) < (size_t)(sz - 3)) {
+ 			int c;
+ 
+ 			c = (hexchar_to_bin(s1[1]) << 4)
+ 			    | (hexchar_to_bin(s1[2]) & 0xf);
+-			dprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
++			dbgprintf("replacing %%%c%c with 0x%02hhx", s1[1], s1[2], (char)c);
+ 			s1[0] = c;
+ 			memmove(&s1[1], &s1[3], sz - (&s1[3] - s));
+ 			sz -= 2;
+ 			pos = &s1[1] - s;
+-			dprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
++			dbgprintf("new pos:%zd sz:%zd s:\"%s\"", pos, sz, s);
+ 		}
+ 	} while (pos < sz);
+ }
+@@ -499,7 +499,7 @@ resolve_pkcs11_token_in_place(char *tokenname)
+ 		char c = *cp;
+ 		*cp = '\0';
+ 
+-		dprintf("ntn:\"%s\"", ntn);
++		dbgprintf("ntn:\"%s\"", ntn);
+ 		if (!strncmp(&ntn[pos], "token=", 6)) {
+ 			ntn += 6;
+ 			memmove(tokenname, ntn, cp - ntn + 1);
+@@ -510,13 +510,13 @@ resolve_pkcs11_token_in_place(char *tokenname)
+ 		ntn = cp + (c ? 1 : 0);
+ 	}
+ 	unescape_html_in_place(tokenname);
+-	dprintf("token name is \"%s\"", tokenname);
++	dbgprintf("token name is \"%s\"", tokenname);
+ }
+ 
+ #define resolve_token_name(tn) ({					\
+ 	char *s_ = tn;							\
+ 	if (!strncmp(tn, "pkcs11:", 7))	{				\
+-		dprintf("provided token name is pkcs11 uri; parsing");	\
++		dbgprintf("provided token name is pkcs11 uri; parsing");\
+ 		s_ = strdupa(tn+7);					\
+ 		resolve_pkcs11_token_in_place(s_);			\
+ 	}								\
+@@ -528,7 +528,8 @@ unlock_nss_token(cms_context *cms)
+ {
+ 	char *tokenname = resolve_token_name(cms->tokenname);
+ 
+-	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
++	dbgprintf("setting password function to %s",
++		  cms->func ? "cms->func" : "SECU_GetModulePassword");
+ 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
+ 
+ 	PK11SlotList *slots = NULL;
+@@ -592,7 +593,8 @@ find_certificate(cms_context *cms, int needs_private_key)
+ 		return -1;
+ 	}
+ 
+-	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
++	dbgprintf("setting password function to %s",
++		  cms->func ? "cms->func" : "SECU_GetModulePassword");
+ 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
+ 
+ 	PK11SlotList *slots = NULL;
+@@ -610,10 +612,10 @@ find_certificate(cms_context *cms, int needs_private_key)
+ 	}
+ 
+ 	while (psle) {
+-		dprintf("looking for token \"%s\", got \"%s\"",
+-			tokenname, PK11_GetTokenName(psle->slot));
++		dbgprintf("looking for token \"%s\", got \"%s\"",
++			  tokenname, PK11_GetTokenName(psle->slot));
+ 		if (!strcmp(tokenname, PK11_GetTokenName(psle->slot))) {
+-			dprintf("found token \"%s\"", tokenname);
++			dbgprintf("found token \"%s\"", tokenname);
+ 			break;
+ 		}
+ 
+@@ -673,8 +675,9 @@ find_certificate(cms_context *cms, int needs_private_key)
+ 					psle->slot, is_valid_cert, &cbd);
+ 		errnum = PORT_GetError();
+ 		if (errnum)
+-			dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+-				PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
++			dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
++				  PORT_ErrorToName(errnum),
++				  PORT_ErrorToString(errnum));
+ 	} else {
+ 		status = PK11_TraverseCertsForNicknameInSlot(&nickname,
+ 					psle->slot,
+@@ -682,28 +685,30 @@ find_certificate(cms_context *cms, int needs_private_key)
+ 					&cbd);
+ 		errnum = PORT_GetError();
+ 		if (errnum)
+-			dprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
+-				PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
++			dbgprintf("PK11_TraverseCertsForNicknameInSlot():%s:%s",
++				PORT_ErrorToName(errnum),
++				PORT_ErrorToString(errnum));
+ 	}
+-	dprintf("status:%d cbd.cert:%p", status, cbd.cert);
++	dbgprintf("status:%d cbd.cert:%p", status, cbd.cert);
+ 	if (status == SECSuccess && cbd.cert != NULL) {
+ 		if (cms->cert)
+ 			CERT_DestroyCertificate(cms->cert);
+ 		cms->cert = CERT_DupCertificate(cbd.cert);
+ 	} else {
+ 		errnum = PORT_GetError();
+-		dprintf("token traversal %s; cert %sfound:%s:%s",
+-			status == SECSuccess ? "succeeded" : "failed",
+-			cbd.cert == NULL ? "not" : "",
+-			PORT_ErrorToName(errnum), PORT_ErrorToString(errnum));
++		dbgprintf("token traversal %s; cert %sfound:%s:%s",
++			  status == SECSuccess ? "succeeded" : "failed",
++			  cbd.cert == NULL ? "not" : "",
++			  PORT_ErrorToName(errnum),
++			  PORT_ErrorToString(errnum));
+ 	}
+ 
+ 	save_port_err() {
+-		dprintf("Destroying cert list");
++		dbgprintf("Destroying cert list");
+ 		CERT_DestroyCertList(certlist);
+-		dprintf("Destroying slot list element");
++		dbgprintf("Destroying slot list element");
+ 		PK11_DestroySlotListElement(slots, &psle);
+-		dprintf("Destroying slot list");
++		dbgprintf("Destroying slot list");
+ 		PK11_FreeSlotList(slots);
+ 		cms->psle = NULL;
+ 	}
+@@ -723,7 +728,8 @@ find_slot_for_token(cms_context *cms, PK11SlotInfo **slot)
+ 
+ 	char *tokenname = resolve_token_name(cms->tokenname);
+ 
+-	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
++	dbgprintf("setting password function to %s",
++		  cms->func ? "cms->func" : "SECU_GetModulePassword");
+ 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
+ 
+ 	PK11SlotList *slots = NULL;
+@@ -792,7 +798,8 @@ find_certificate_by_callback(cms_context *cms,
+ 		return -1;
+ 	}
+ 
+-	dprintf("setting password function to %s", cms->func ? "cms->func" : "SECU_GetModulePassword");
++	dbgprintf("setting password function to %s",
++		  cms->func ? "cms->func" : "SECU_GetModulePassword");
+ 	PK11_SetPasswordFunc(cms->func ? cms->func : SECU_GetModulePassword);
+ 
+ 	PK11SlotList *slots = NULL;
+diff --git a/src/cms_pe_common.c b/src/cms_pe_common.c
+index 3a3921b..fb90ecb 100644
+--- a/src/cms_pe_common.c
++++ b/src/cms_pe_common.c
+@@ -188,8 +188,8 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 	}
+ 	if (!check_pointer_and_size(cms, pe, hash_base, hash_size))
+ 		cmsgotoerr(error, cms, "PE header is invalid");
+-	dprintf("beginning of hash");
+-	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
++	dbgprintf("beginning of hash");
++	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ 	generate_digest_step(cms, hash_base, hash_size);
+ 
+ 	/* 5. Skip over the image checksum
+@@ -209,7 +209,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 		cmsgotoerr(error, cms, "PE data directory is invalid");
+ 
+ 	generate_digest_step(cms, hash_base, hash_size);
+-	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
++	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ 
+ 	/* 8. Skip over the crt dir
+ 	 * 9. Hash everything up to the end of the image header. */
+@@ -222,7 +222,7 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 		cmsgotoerr(error, cms, "PE relocations table is invalid");
+ 
+ 	generate_digest_step(cms, hash_base, hash_size);
+-	dprintf("digesting %tx + %zx", hash_base - map, hash_size);
++	dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ 
+ 	/* 10. Set SUM_OF_BYTES_HASHED to the size of the header. */
+ 	hashed_bytes = pe32opthdr ? pe32opthdr->header_size
+@@ -256,16 +256,16 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 			char *name = shdrs[i].name;
+ 			if (name && name[0] == '/')
+ 				name = get_str(cms, pe, name + 1);
+-			dprintf("section:\"%s\"", name ? name : "(null)");
++			dbgprintf("section:\"%s\"", name ? name : "(null)");
+ 			if (name && !strcmp(name, ".vendor_cert")) {
+-				dprintf("skipping .vendor_cert section");
++				dbgprintf("skipping .vendor_cert section");
+ 				hashed_bytes += hash_size;
+ 				continue;
+ 			}
+ 		}
+ 
+ 		generate_digest_step(cms, hash_base, hash_size);
+-		dprintf("digesting %tx + %zx", hash_base - map, hash_size);
++		dbgprintf("digesting %tx + %zx", hash_base - map, hash_size);
+ 
+ 		hashed_bytes += hash_size;
+ 	}
+@@ -285,15 +285,15 @@ generate_digest(cms_context *cms, Pe *pe, int padded)
+ 			memset(tmp_array, '\0', tmp_size);
+ 			memcpy(tmp_array, hash_base, hash_size);
+ 			generate_digest_step(cms, tmp_array, tmp_size);
+-			dprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
++			dbgprintf("digesting %tx + %zx", (ptrdiff_t)tmp_array,
+ 				tmp_size);
+ 		} else {
+ 			generate_digest_step(cms, hash_base, hash_size);
+-			dprintf("digesting %tx + %zx", hash_base - map,
++			dbgprintf("digesting %tx + %zx", hash_base - map,
+ 				hash_size);
+ 		}
+ 	}
+-	dprintf("end of hash");
++	dbgprintf("end of hash");
+ 
+ 	rc = generate_digest_finish(cms);
+ 	if (rc < 0)
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index 940fdf5..dd40502 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -1067,9 +1067,9 @@ int main(int argc, char *argv[])
+ 
+ 		errno = 0;
+ 		timeul = strtoul(not_valid_before, &endptr, 0);
+-		dprintf("not_valid_before:%lu", timeul);
++		dbgprintf("not_valid_before:%lu", timeul);
+ 		if (errno == 0 && endptr && *endptr == 0) {
+-			dprintf("not_valid_before:%lu", timeul);
++			dbgprintf("not_valid_before:%lu", timeul);
+ 			not_before = (PRTime)timeul * PR_USEC_PER_SEC;
+ 		} else {
+ 			prstatus = PR_ParseTimeString(not_valid_before,
+@@ -1078,7 +1078,7 @@ int main(int argc, char *argv[])
+ 				 "could not parse date \"%s\"",
+ 				 not_valid_before);
+ 		}
+-		dprintf("not_before:%"PRId64, not_before);
++		dbgprintf("not_before:%"PRId64, not_before);
+ 	}
+ 
+ 	if (not_valid_after) {
+@@ -1086,11 +1086,11 @@ int main(int argc, char *argv[])
+ 		char *endptr;
+ 
+ 		errno = 0;
+-		dprintf("not_valid_after:%s", not_valid_after);
++		dbgprintf("not_valid_after:%s", not_valid_after);
+ 		timeul = strtoul(not_valid_after, &endptr, 0);
+-		dprintf("not_valid_after:%lu", timeul);
++		dbgprintf("not_valid_after:%lu", timeul);
+ 		if (errno == 0 && endptr && *endptr == 0) {
+-			dprintf("not_valid_after:%lu", timeul);
++			dbgprintf("not_valid_after:%lu", timeul);
+ 			not_after = (PRTime)timeul * PR_USEC_PER_SEC;
+ 		} else {
+ 			prstatus = PR_ParseTimeString(not_valid_after, PR_TRUE,
+@@ -1102,10 +1102,10 @@ int main(int argc, char *argv[])
+ 	} else {
+ 		// Mon Jan 19 03:14:07 GMT 2037, aka 0x7fffffff minus 1 year.
+ 		time_t time = 0x7ffffffful - 60ul * 60 * 24 * 365;
+-		dprintf("not_valid_after:%lu", time);
++		dbgprintf("not_valid_after:%lu", time);
+ 		not_after = (PRTime)time * PR_USEC_PER_SEC;
+ 	}
+-	dprintf("not_after:%"PRId64, not_after);
++	dbgprintf("not_after:%"PRId64, not_after);
+ 
+ 	CERTValidity *validity = NULL;
+ 	validity = CERT_CreateValidity(not_before, not_after);
+diff --git a/src/file_pe.c b/src/file_pe.c
+index fa97b89..fed6edb 100644
+--- a/src/file_pe.c
++++ b/src/file_pe.c
+@@ -264,7 +264,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
+ 		/* generate a signature and save it in a separate file */
+ 		case EXPORT_SIGNATURE|GENERATE_SIGNATURE:
+ 			perr = PORT_GetError();
+-			dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
++			dbgprintf("PORT_GetError():%s:%s",
++				  PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ 			PORT_SetError(0);
+ 			rc = find_certificate(ctxp->cms_ctx, 1);
+ 			conderrx(rc < 0, 1, "Could not find certificate %s",
+@@ -281,7 +282,8 @@ pe_handle_action(pesign_context *ctxp, int action, int padding)
+ 		case IMPORT_SIGNATURE|GENERATE_SIGNATURE:
+ 			check_inputs(ctxp);
+ 			perr = PORT_GetError();
+-			dprintf("PORT_GetError():%s:%s", PORT_ErrorToName(perr), PORT_ErrorToString(perr));
++			dbgprintf("PORT_GetError():%s:%s",
++				  PORT_ErrorToName(perr), PORT_ErrorToString(perr));
+ 			rc = find_certificate(ctxp->cms_ctx, 1);
+ 			conderrx(rc < 0, 1, "Could not find certificate %s",
+ 				 ctxp->cms_ctx->certname);
+diff --git a/src/password.c b/src/password.c
+index 05add9a..18c32ed 100644
+--- a/src/password.c
++++ b/src/password.c
+@@ -167,7 +167,7 @@ SECU_GetPasswordString(void *arg UNUSED, char *prompt)
+ 	char *ret;
+ 	ingress();
+ 	ret = get_password(stdin, stdout, prompt, NULL);
+-	dprintf("password:\"%s\"", ret ? ret : "(null)");
++	dbgprintf("password:\"%s\"", ret ? ret : "(null)");
+ 	egress();
+ 	return ret;
+ }
+@@ -194,7 +194,7 @@ parse_pwfile_line(char *start, struct token_pass *tp)
+ 	size_t offset = 0;
+ 
+ 	span = strspn(line, whitespace_and_eol_chars);
+-	dprintf("whitespace span is %zd", span);
++	dbgprintf("whitespace span is %zd", span);
+ 	if (span == 0 && line[span] == '\0')
+ 		return -1;
+ 	line += span;
+@@ -210,17 +210,17 @@ parse_pwfile_line(char *start, struct token_pass *tp)
+ 			offset += escspan + 2;
+ 	} while(escspan < span);
+ 	span += offset;
+-	dprintf("non-whitespace span is %zd", span);
++	dbgprintf("non-whitespace span is %zd", span);
+ 
+ 	if (line[span] == '\0') {
+-		dprintf("returning %td", (line + span) - start);
++		dbgprintf("returning %td", (line + span) - start);
+ 		return (line + span) - start;
+ 	}
+ 	line[span] = '\0';
+ 
+ 	line += span + 1;
+ 	span = strspn(line, whitespace_and_eol_chars);
+-	dprintf("whitespace span is %zd", span);
++	dbgprintf("whitespace span is %zd", span);
+ 	line += span;
+ 	tp->token = tp->pass;
+ 	tp->pass = line;
+@@ -233,15 +233,15 @@ parse_pwfile_line(char *start, struct token_pass *tp)
+ 			offset += escspan + 2;
+ 	} while(escspan < span);
+ 	span += offset;
+-	dprintf("non-whitespace span is %zd", span);
++	dbgprintf("non-whitespace span is %zd", span);
+ 	if (line[span] != '\0')
+ 		line[span++] = '\0';
+ 
+ 	resolve_escapes(tp->token);
+-	dprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
+-	dprintf("token:\"%s\"", tp->token);
+-	dprintf("pass:\"%s\"", tp->pass);
+-	dprintf("returning %td", (line + span) - start);
++	dbgprintf("Setting token pass %p to { %p, %p }", tp, tp->token, tp->pass);
++	dbgprintf("token:\"%s\"", tp->token);
++	dbgprintf("pass:\"%s\"", tp->pass);
++	dbgprintf("returning %td", (line + span) - start);
+ 	return (line + span) - start;
+ }
+ 
+@@ -260,7 +260,7 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 	char *path;
+ 
+ 	ingress();
+-	dprintf("token_name: %s", token_name);
++	dbgprintf("token_name: %s", token_name);
+ 	if (cms->pwdata.source != PW_FROMFILEDB) {
+ 		cms->log(cms, LOG_ERR,
+ 			 "Got to %s() but no file is specified.\n",
+@@ -289,8 +289,8 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 		if (rc < 0 || file_len < 1)
+ 			goto err_file;
+ 		file[file_len-1] = '\0';
+-		dprintf("file_len:%zd", file_len);
+-		dprintf("file:\"%s\"", file);
++		dbgprintf("file_len:%zd", file_len);
++		dbgprintf("file:\"%s\"", file);
+ 
+ 		unbreak_line_continuations(file, file_len);
+ 	}
+@@ -314,23 +314,23 @@ SECU_FilePasswd(PK11SlotInfo *slot, PRBool retry, void *arg)
+ #pragma GCC diagnostic pop
+ 
+ 		span = strspn(start, whitespace_and_eol_chars);
+-		dprintf("whitespace span is %zd", span);
++		dbgprintf("whitespace span is %zd", span);
+ 		start += span;
+ 		span = strcspn(start, eol_chars);
+-		dprintf("non-whitespace span is %zd", span);
++		dbgprintf("non-whitespace span is %zd", span);
+ 
+ 		c = start[span];
+ 		start[span] = '\0';
+-		dprintf("file:\"%s\"", file);
++		dbgprintf("file:\"%s\"", file);
+ 		rc = parse_pwfile_line(start, &phrases[nphrases++]);
+-		dprintf("parse_pwfile_line returned %d", rc);
++		dbgprintf("parse_pwfile_line returned %d", rc);
+ 		if (rc < 0)
+ 			goto err_phrases;
+ 
+ 		if (c != '\0')
+ 			span++;
+ 		start += span;
+-		dprintf("start is file[%td] == '\\x%02hhx'", start - file,
++		dbgprintf("start is file[%td] == '\\x%02hhx'", start - file,
+ 			start[0]);
+ 	}
+ 
+@@ -359,7 +359,7 @@ err_file:
+ err_phrases:
+ 	xfree(phrases);
+ err:
+-	dprintf("ret:\"%s\"", ret ? ret : "(null)");
++	dbgprintf("ret:\"%s\"", ret ? ret : "(null)");
+ 	egress();
+ 	return ret;
+ }
+@@ -412,10 +412,10 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 	ingress();
+ 
+ 	if (PK11_ProtectedAuthenticationPath(slot)) {
+-		dprintf("prompting for PW_DEVICE data");
++		dbgprintf("prompting for PW_DEVICE data");
+ 		pwdata = &pwxtrn;
+ 	} else {
+-		dprintf("using pwdata from cms");
++		dbgprintf("using pwdata from cms");
+ 		pwdata = &cms->pwdata;
+ 	}
+ 
+@@ -423,17 +423,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 	    pwdata->source >= PW_SOURCE_MAX ||
+ 	    pwdata->orig_source <= PW_SOURCE_INVALID ||
+ 	    pwdata->orig_source >= PW_SOURCE_MAX) {
+-		dprintf("pwdata is invalid");
++		dbgprintf("pwdata is invalid");
+ 		return NULL;
+ 	}
+ 
+-	dprintf("pwdata:%p retry:%d", pwdata, retry);
+-	dprintf("pwdata->source:%s (%d) orig:%s (%d)",
+-		pw_source_names[pwdata->source], pwdata->source,
+-		pw_source_names[pwdata->orig_source], pwdata->orig_source);
+-	dprintf("pwdata->data:%p (\"%s\")", pwdata->data,
+-		pwdata->data ? pwdata->data : "(null)");
+-	dprintf("pwdata->intdata:%ld", pwdata->intdata);
++	dbgprintf("pwdata:%p retry:%d", pwdata, retry);
++	dbgprintf("pwdata->source:%s (%d) orig:%s (%d)",
++		  pw_source_names[pwdata->source], pwdata->source,
++		  pw_source_names[pwdata->orig_source], pwdata->orig_source);
++	dbgprintf("pwdata->data:%p (\"%s\")", pwdata->data,
++		  pwdata->data ? pwdata->data : "(null)");
++	dbgprintf("pwdata->intdata:%ld", pwdata->intdata);
+ 
+ 	if (retry) {
+ 		warnx("Incorrect password/PIN entered.");
+@@ -470,7 +470,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 
+ 	case PW_FROMFILEDB:
+ 	case PW_DATABASE:
+-		dprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
++		dbgprintf("pwdata->source:%s", pw_source_names[pwdata->source]);
+ 		/* Instead of opening and closing the file every time, get the pw
+ 		 * once, then keep it in memory (duh).
+ 		 */
+@@ -480,17 +480,17 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 		return pw;
+ 
+ 	case PW_FROMENV:
+-		dprintf("pwdata->source:PW_FROMENV");
++		dbgprintf("pwdata->source:PW_FROMENV");
+ 		if (!pwdata || !pwdata->data)
+ 			break;
+ 		pw = get_env(pwdata->data);
+-		dprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
++		dbgprintf("env:%s pw:%s", pwdata->data, pw ? pw : "(null)");
+ 		pwdata->data = pw;
+ 		pwdata->source = PW_PLAINTEXT;
+ 		goto PW_PLAINTEXT;
+ 
+ 	case PW_FROMFILE:
+-		dprintf("pwdata->source:PW_FROMFILE");
++		dbgprintf("pwdata->source:PW_FROMFILE");
+ 		in = fopen(pwdata->data, "r");
+ 		if (!in)
+ 			return NULL;
+@@ -501,7 +501,7 @@ SECU_GetModulePassword(PK11SlotInfo *slot, PRBool retry, void *arg)
+ 		goto PW_PLAINTEXT;
+ 
+ 	case PW_FROMFD:
+-		dprintf("pwdata->source:PW_FROMFD");
++		dbgprintf("pwdata->source:PW_FROMFD");
+ 		rc = pwdata->intdata;
+ 		in = fdopen(pwdata->intdata, "r");
+ 		if (!in)
+diff --git a/src/pesign.c b/src/pesign.c
+index c2ff35f..f548d81 100644
+--- a/src/pesign.c
++++ b/src/pesign.c
+@@ -333,7 +333,7 @@ main(int argc, char *argv[])
+ 	while ((rc = poptGetNextOpt(optCon)) > 0) {
+ 		switch (rc) {
+ 		case POPT_RET_PWDB:
+-			dprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
++			dbgprintf("POPT_RET_PWDB:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ 			if (pwdata.source != PW_SOURCE_INVALID)
+ 				errx(1, "only one password/pin method can be used at a time");
+ 			if (pwdata.data == NULL)
+@@ -346,7 +346,7 @@ main(int argc, char *argv[])
+ 			continue;
+ 
+ 		case POPT_RET_ENV:
+-			dprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
++			dbgprintf("POPT_RET_ENV:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ 			if (pwdata.source != PW_SOURCE_INVALID)
+ 				errx(1, "only one password/pin method can be used at a time");
+ 			if (pwdata.data == NULL)
+@@ -359,7 +359,7 @@ main(int argc, char *argv[])
+ 			continue;
+ 
+ 		case POPT_RET_PINFD:
+-			dprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
++			dbgprintf("POPT_RET_PINFD:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ 			if (pwdata.source != PW_SOURCE_INVALID)
+ 				errx(1, "only one password/pin method can be used at a time");
+ 			if (pwdata.data == NULL)
+@@ -373,7 +373,7 @@ main(int argc, char *argv[])
+ 			continue;
+ 
+ 		case POPT_RET_PINFILE:
+-			dprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
++			dbgprintf("POPT_RET_PINFILE:\"%s\"", pwdata.data ? pwdata.data : "(null)");
+ 			if (pwdata.source != PW_SOURCE_INVALID)
+ 				errx(1, "only one password/pin method can be used at a time");
+ 			if (pwdata.data == NULL)
+@@ -387,7 +387,7 @@ main(int argc, char *argv[])
+ 		}
+ 	}
+ 
+-	dprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
++	dbgprintf("pwdata.source:%d %schecking for PESIGN_TOKEN_PIN",
+ 		pwdata.source,
+ 		pwdata.source == PW_SOURCE_INVALID ? "" : "not ");
+ 	if (pwdata.source == PW_SOURCE_INVALID && secure_getenv("PESIGN_TOKEN_PIN")) {
+diff --git a/src/util.h b/src/util.h
+index ba8c621..6616011 100644
+--- a/src/util.h
++++ b/src/util.h
+@@ -269,28 +269,28 @@ proxy_fd_mode(int fd, char *infile, mode_t *outmode, size_t *inlength)
+ 
+ extern long verbosity(void);
+ 
+-#define dprintf_(tv, file, func, line, fmt, args...) ({	\
+-		struct timeval tv;			\
+-		gettimeofday(&tv, NULL);		\
+-		warnx("%ld.%lu %s:%s():%d: " fmt,	\
+-		      tv.tv_sec, tv.tv_usec,		\
+-		      file, func, line, ##args);	\
++#define dbgprintf_(tv, file, func, line, fmt, args...) ({	\
++		struct timeval tv;				\
++		gettimeofday(&tv, NULL);			\
++		warnx("%ld.%lu %s:%s():%d: " fmt,		\
++		      tv.tv_sec, tv.tv_usec,			\
++		      file, func, line, ##args);		\
+ 	})
+ #if defined(PESIGN_DEBUG)
+-#define dprintf(fmt, args...)					\
+-	dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
+-		 __FILE__, __func__, __LINE__ - 2, fmt, ##args)
++#define dbgprintf(fmt, args...)					\
++	dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
++		   __FILE__, __func__, __LINE__ - 2, fmt, ##args)
+ #else
+-#define dprintf(fmt, args...) ({						\
++#define dbgprintf(fmt, args...) ({						\
+ 		if (verbosity() > 1)						\
+-			dprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
++			dbgprintf_(CAT(CAT(CAT(tv_,__COUNTER__),__LINE__),_),	\
+ 				 __FILE__, __func__, __LINE__ - 3,		\
+ 				 fmt, ##args);					\
+ 		0;								\
+ 	})
+ #endif
+-#define ingress() dprintf("ingress");
+-#define egress() dprintf("egress");
++#define ingress() dbgprintf("ingress");
++#define egress() dbgprintf("egress");
+ 
+ #endif /* PESIGN_UTIL_H */
+ // vim:fenc=utf-8:tw=75:noet

0003-gcc-don-t-error-on-stuff-in-includes.patch

@@ -1,26 +0,0 @@
-From 6de291458cbab99bcc317e282c16e1523d6de9b8 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 10 Aug 2016 17:12:39 -0400
-Subject: [PATCH 03/29] gcc: don't error on stuff in includes.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Make.defaults | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index c97b452..3511080 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -19,7 +19,7 @@ PKG_CONFIG = $(CROSS_COMPILE)pkg-config
- CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
- CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
- CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
--	   -Wall -Werror -Wextra
-+	   -Wall -Werror -Wextra -Wno-error=cpp
- AS	:= $(CROSS_COMPILE)as
- AR	:= $(CROSS_COMPILE)gcc-ar
- RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
--- 
-2.13.4
-

0004-.gitignore-add-compile_commands.json-and-.cache.patch

@@ -0,0 +1,30 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 11 Mar 2022 12:47:20 -0500
+Subject: [PATCH] .gitignore: add compile_commands.json and .cache/
+
+These are used by bear/cnc/clangd/etc, but there's no reason to trip
+over them all the time.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ .gitignore | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/.gitignore b/.gitignore
+index bf0617b..7425432 100644
+--- a/.gitignore
++++ b/.gitignore
+@@ -1,3 +1,4 @@
++.cache/
+ .*.d
+ .*.P
+ .*.sw?
+@@ -26,6 +27,7 @@
+ /*.rpm
+ *-8be4df61-93ca-11d2-aa0d-00e098032b8c
+ *-d719b2cb-3d3a-4596-a3bc-dad00e67656f
++compile_commands.json
+ core.*
+ cov-int/
+ pwfile

0004-Fix-certficate-argument-name.patch

@@ -1,39 +0,0 @@
-From b20fc54c08e8afe1365e56cacade3ec39984da8d Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 18 Apr 2017 19:00:34 -0400
-Subject: [PATCH 04/29] Fix "certficate" argument name.
-
-This fixes our typoed argument name by making the incorrectly spelled
-version be a popt alias, and fixing the real implementation to be
-spelled right in pesign.c .
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesign.c    | 2 +-
- src/pesign.popt | 1 +
- 2 files changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index af374b6..279a17a 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -438,7 +438,7 @@ main(int argc, char *argv[])
- 		 .arg = &ctxp->outfile,
- 		 .descrip = "specify output file",
- 		 .argDescrip = "<outfile>" },
--		{.longName = "certficate",
-+		{.longName = "certificate",
- 		 .shortName = 'c',
- 		 .argInfo = POPT_ARG_STRING,
- 		 .arg = &certname,
-diff --git a/src/pesign.popt b/src/pesign.popt
-index 7b3385d..5a97748 100644
---- a/src/pesign.popt
-+++ b/src/pesign.popt
-@@ -1,2 +1,3 @@
- pesign alias --cert --certificate
-+pesign alias --certficate --certificate
- pesign alias --daemon --daemonize
--- 
-2.13.4
-

0005-Fix-description-of-ascii-armor-option-in-manpage.patch

@@ -1,26 +0,0 @@
-From 7bc8e8b04c74be5c4e0ebf211affc37cf9f5db37 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Mon, 27 Jun 2016 15:38:38 +0200
-Subject: [PATCH 05/29] Fix description of --ascii-armor option in manpage
-
-The --ascii option does not exist.
----
- src/pesign.1 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pesign.1 b/src/pesign.1
-index 47d1aec..29ae060 100644
---- a/src/pesign.1
-+++ b/src/pesign.1
-@@ -81,7 +81,7 @@ Export the public key specified by \-\-certificate to \fIoutkey\fR
- Export the certificate specified by \-\-certificate to \fIoutcert\fR
- 
- .TP
--\fB-\-ascii\fR
-+\fB-\-ascii\-armor\fR
- Use ascii armoring on exported certificates.
- 
- .TP
--- 
-2.13.4
-

0005-pesign-print-digests-before-filenames-like-sha256sum.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 11 Mar 2022 12:44:46 -0500
+Subject: [PATCH] pesign: print digests before filenames like sha256sum does
+
+Most digest tools print the digest before the filename, there's no
+reason pesign needs to be different.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/file_pe.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/file_pe.c b/src/file_pe.c
+index fed6edb..805e614 100644
+--- a/src/file_pe.c
++++ b/src/file_pe.c
+@@ -121,12 +121,11 @@ print_digest(pesign_context *pctx)
+ 	if (!ctx)
+ 		return;
+ 
+-	printf("%s ", pctx->infile);
+ 	int j = ctx->selected_digest;
+ 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
+ 		printf("%02x",
+ 			(unsigned char)ctx->digests[j].pe_digest->data[i]);
+-	printf("\n");
++	printf(" %s\n", pctx->infile);
+ }
+ 
+ void

0006-Add-pesum-an-authenticode-digest-generator.patch

@@ -0,0 +1,318 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Fri, 11 Mar 2022 12:54:39 -0500
+Subject: [PATCH] Add 'pesum', an authenticode digest generator.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/pesum.c      | 195 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/.gitignore   |   1 +
+ src/Makefile     |  12 +++-
+ src/pesum.1.mdoc |  38 +++++++++++
+ 4 files changed, 244 insertions(+), 2 deletions(-)
+ create mode 100644 src/pesum.c
+ create mode 100644 src/pesum.1.mdoc
+
+diff --git a/src/pesum.c b/src/pesum.c
+new file mode 100644
+index 0000000..e4ddaf8
+--- /dev/null
++++ b/src/pesum.c
+@@ -0,0 +1,195 @@
++// SPDX-License-Identifier: GPLv2
++/*
++ * pesum.c - pesum command line tool
++ * Copyright Peter Jones <pjones@redhat.com>
++ */
++
++#include "fix_coverity.h"
++
++#include <err.h>
++#include <popt.h>
++
++#include <nss.h>
++#include <prerror.h>
++
++#include "pesign.h"
++#include "pesign_standalone.h"
++
++static struct {
++	int flag;
++	const char *name;
++} flag_names[] = {
++	{DAEMONIZE, "daemonize"},
++	{GENERATE_DIGEST, "hash"},
++	{GENERATE_SIGNATURE, "sign"},
++	{IMPORT_RAW_SIGNATURE, "import-raw-sig"},
++	{IMPORT_SIGNATURE, "import-sig"},
++	{IMPORT_SATTRS, "import-sattrs" },
++	{EXPORT_SATTRS, "export-sattrs" },
++	{EXPORT_SIGNATURE, "export-sig"},
++	{EXPORT_PUBKEY, "export-pubkey"},
++	{EXPORT_CERT, "export-cert"},
++	{REMOVE_SIGNATURE, "remove"},
++	{LIST_SIGNATURES, "list"},
++	{FLAG_LIST_END, NULL},
++};
++
++void
++print_flag_name(FILE *f, int flag)
++{
++	for (int i = 0; flag_names[i].flag != FLAG_LIST_END; i++) {
++		if (flag_names[i].flag == flag)
++			fprintf(f, "%s ", flag_names[i].name);
++	}
++}
++
++static long *verbose;
++
++long
++verbosity(void)
++{
++	if (!verbose)
++		return 0;
++	return *verbose;
++}
++
++int
++main(int argc, char *argv[])
++{
++	int rc;
++	SECStatus status;
++
++	char *digest_name = "sha256";
++	char *orig_digest_name = digest_name;
++	int padding = 1;
++	long verbose_cmd_line = 0;
++	const char *infile;
++
++	int action = GENERATE_DIGEST|PRINT_DIGEST;
++	file_format fmt = FORMAT_PE_BINARY;
++
++	setenv("NSS_DEFAULT_DB_TYPE", "sql", 0);
++
++	verbose = &verbose_cmd_line;
++
++	poptContext optCon;
++	struct poptOption options[] = {
++		{.argInfo = POPT_ARG_INTL_DOMAIN,
++		 .arg = "pesum" },
++		{.longName = "verbose",
++		 .shortName = 'v',
++		 .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
++		 .arg = &verbose_cmd_line,
++		 .val = 1,
++		 .descrip = "be more verbose" },
++		{.longName = "debug",
++		 .shortName = '\0',
++		 .argInfo = POPT_ARG_VAL|POPT_ARG_LONG|POPT_ARGFLAG_OPTIONAL,
++		 .arg = &verbose_cmd_line,
++		 .val = 2,
++		 .descrip = "be very verbose" },
++		{.longName = "digest-type",
++		 .shortName = 'd',
++		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_SHOW_DEFAULT,
++		 .arg = &digest_name,
++		 .descrip = "digest type to use for pe hash" },
++		{.longName = "digest_type",
++		 .shortName = '\0',
++		 .argInfo = POPT_ARG_STRING|POPT_ARGFLAG_DOC_HIDDEN,
++		 .arg = &digest_name,
++		 .descrip = "digest type to use for pe hash" },
++		{.longName = "padding",
++		 .shortName = 'P',
++		 .argInfo = POPT_ARG_VAL,
++		 .arg = &padding,
++		 .val = 1,
++		 .descrip = "pad data section (default)" },
++		{.longName = "nopadding",
++		 .shortName = 'p',
++		 .argInfo = POPT_ARG_VAL,
++		 .arg = &padding,
++		 .val = 0,
++		 .descrip = "do not pad the data section" },
++		POPT_AUTOALIAS
++		POPT_AUTOHELP
++		POPT_TABLEEND
++	};
++
++	optCon = poptGetContext("pesum", argc, (const char **)argv, options,0);
++
++	rc = poptReadDefaultConfig(optCon, 0);
++	if (rc < 0 && !(rc == POPT_ERROR_ERRNO && errno == ENOENT))
++		errx(1, "poptReadDefaultConfig failed: %s", poptStrerror(rc));
++
++	while ((rc = poptGetNextOpt(optCon)) > 0) {
++		;
++	}
++
++	if (rc < -1)
++		errx(1, "Invalid argument: %s: %s",
++		     poptBadOption(optCon, 0), poptStrerror(rc));
++
++	if (!poptPeekArg(optCon))
++		errx(1, "nothing to do");
++
++	status = NSS_NoDB_Init(NULL);
++	if (status != SECSuccess)
++		errx(1, "Could not initialize nss.\n"
++		        "NSS says \"%s\" errno says \"%m\"\n",
++			PORT_ErrorToString(PORT_GetError()));
++
++	while ((infile = poptGetArg(optCon)) != NULL) {
++		pesign_context *ctxp = NULL;
++
++		char *ext = strrchr(infile, '.');
++		if (ext && strcmp(ext, ".ko") == 0)
++			fmt = FORMAT_KERNEL_MODULE;
++
++		rc = pesign_context_new(&ctxp);
++		if (rc < 0)
++			err(1, "Could not initialize context");
++
++		ctxp->verbose = verbose_cmd_line;
++
++		ctxp->hash = 1;
++		ctxp->infile = strdup(infile);
++		if (!ctxp->infile)
++			err(1, "Could not allocate memory");
++
++		rc = set_digest_parameters(ctxp->cms_ctx, digest_name);
++		int is_help = strcmp(digest_name, "help") ? 0 : 1;
++		if (rc < 0) {
++			if (!is_help) {
++				fprintf(stderr, "Digest \"%s\" not found.\n",
++					digest_name);
++			}
++			exit(!is_help);
++		}
++
++		errno = 0;
++		switch (fmt) {
++			case FORMAT_PE_BINARY:
++				pe_handle_action(ctxp, action, padding);
++				break;
++			case FORMAT_KERNEL_MODULE:
++				kmod_handle_action(ctxp, action);
++				break;
++		}
++
++		pesign_context_free(ctxp);
++	}
++
++	poptFreeContext(optCon);
++
++	if (digest_name && digest_name != orig_digest_name)
++		free(digest_name);
++
++	status = NSS_Shutdown();
++	if (status != SECSuccess)
++		errx(1, "could not shut down NSS: %s",
++		     PORT_ErrorToString(PORT_GetError()));
++
++	return 0;
++}
++
++// vim:fenc=utf-8:tw=75:noet
+diff --git a/src/.gitignore b/src/.gitignore
+index 64ce217..f8f6d66 100644
+--- a/src/.gitignore
++++ b/src/.gitignore
+@@ -5,6 +5,7 @@ client
+ efikeygen
+ efidbtool
+ pesigcheck
++pesum
+ peverify
+ pesign.service
+ pesign.sysvinit
+diff --git a/src/Makefile b/src/Makefile
+index 7010514..79cf09e 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.rules
+ include $(TOPDIR)/Make.defaults
+ 
+ BINTARGETS=authvar client efikeygen pesigcheck pesign \
+-	   pesign-rpmbuild-helper pesign-authorize
++	   pesign-rpmbuild-helper pesign-authorize pesum
+ CFGTARGETS=tmpfiles.conf
+ SVCTARGETS=pesign.sysvinit pesign.service
+ MAN1TARGETS=authvar.1 efikeygen.1 pesigcheck.1 pesign-client.1 pesign.1
+@@ -29,9 +29,12 @@ EFIKEYGEN_SOURCES = efikeygen.c
+ PESIGCHECK_SOURCES = pesigcheck.c pesigcheck_context.c certdb.c
+ PESIGN_SOURCES = pesign.c pesign_context.c actions.c daemon.c \
+ 		 file_pe.c file_kmod.c pesign_kmod.c
++PESUM_SOURCES = pesum.c pesign_context.c actions.c \
++		file_pe.c file_kmod.c pesign_kmod.c
+ 
+ ALL_SOURCES=$(COMMON_SOURCES) $(AUTHVAR_SORUCES) $(CLIENT_SOURCES) \
+-	$(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES)
++	$(EFIKEYGEN_SOURCES) $(PESIGCHECK_SOURCES) $(PESIGN_SOURCES) \
++	$(PESUM_SOURCES)
+ -include $(call deps-of,$(ALL_SOURCES))
+ 
+ authvar : $(call objects-of,$(AUTHVAR_SOURCES) $(COMMON_SOURCES))
+@@ -53,6 +56,10 @@ pesign : $(call objects-of,$(PESIGN_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURC
+ pesign : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
+ pesign : PKGS=efivar nss nspr popt
+ 
++pesum : $(call objects-of,$(PESUM_SOURCES) $(COMMON_SOURCES) $(COMMON_PE_SOURCES))
++pesum : LDLIBS+=$(TOPDIR)/libdpe/libdpe.a
++pesum : PKGS=efivar nss nspr popt
++
+ deps : PKGS=efivar nss nspr popt uuid
+ deps : $(ALL_SOURCES)
+ 	$(MAKE) -f $(TOPDIR)/Make.deps \
+@@ -81,6 +88,7 @@ install :
+ 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 authvar $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 pesign $(INSTALLROOT)$(bindir)
++	$(INSTALL) -m 755 pesum $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 client $(INSTALLROOT)$(bindir)pesign-client
+ 	$(INSTALL) -m 755 efikeygen $(INSTALLROOT)$(bindir)
+ 	$(INSTALL) -m 755 pesigcheck $(INSTALLROOT)$(bindir)
+diff --git a/src/pesum.1.mdoc b/src/pesum.1.mdoc
+new file mode 100644
+index 0000000..edd08ce
+--- /dev/null
++++ b/src/pesum.1.mdoc
+@@ -0,0 +1,38 @@
++.Dd $Mdocdate: Mar 11 2022$
++.Dt PESUM 1
++.Os Linux
++.Sh NAME
++.Nm pesum
++.Nd tool for generating Authenticode digests
++.Sh SYNOPSIS
++.Nm
++.Bk -words
++.Ar file0.efi
++.Op Ar file1.efi ...
++.Sh DESCRIPTION
++.Nm
++is a command line tool to generate Authenticode digests of PE binaries.
++.Sh EXAMPLES
++.Ss Getting the Authenticode digest of some files
++host:$ \fBpesum shimx64.efi grubx64.efi\fR
++8c5806e66bb5b052ebf860e1722474269cff3dde588610df21dbe8cf12c08390\ shimx64.efi
++546a71319c22da1d81879383c4c74be06d1c374bdecfafc9fcc80bd541802bfc\ grubx64.efi
++.Sh STANDARDS
++.Rs
++.%B Portable Executable
++.%I Microsoft
++.%D August 26, 2019
++.%U https://docs.microsoft.com/en-us/windows/win32/debug/pe-format\ \&
++.Re
++
++.Rs
++.%B Windows Authenticode Portable Executable Signature Format
++.%I Microsoft
++.%D March 21, 2008
++.%U https://web.archive.org/web/20130518222430/http://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx\ \&
++.Re
++.Sh SEE ALSO
++.Xr pesign 1
++.LP
++.Sh AUTHORS
++.An Peter Jones

0006-Make-ascii-work-since-we-documented-it.patch

@@ -1,22 +0,0 @@
-From 9f411f4e797e983d2e8cb51dc5b9ab8db250c2e3 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 18 Apr 2017 19:05:40 -0400
-Subject: [PATCH 06/29] Make --ascii work, since we documented it.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesign.popt | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/pesign.popt b/src/pesign.popt
-index 5a97748..5ae0c5c 100644
---- a/src/pesign.popt
-+++ b/src/pesign.popt
-@@ -1,3 +1,4 @@
- pesign alias --cert --certificate
- pesign alias --certficate --certificate
- pesign alias --daemon --daemonize
-+pesign alias --ascii --ascii-armor
--- 
-2.13.4
-

0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch

@@ -0,0 +1,54 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Julian Sikorski <belegdol+github@gmail.com>
+Date: Wed, 23 Mar 2022 20:54:03 +0100
+Subject: [PATCH] Fix building signed kernels on setups other than koji
+
+Thanks to Will Springer for the idea. Details at
+https://bugzilla.redhat.com/show_bug.cgi?id=1880858
+
+Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
+Suggested-by: Will Springer <skirmisher@protonmail.com>
+---
+ src/pesign-rpmbuild-helper.in | 24 +++++++++++-------------
+ 1 file changed, 11 insertions(+), 13 deletions(-)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index 0a845d2..c9d5570 100644
+--- a/src/pesign-rpmbuild-helper.in
++++ b/src/pesign-rpmbuild-helper.in
+@@ -172,24 +172,22 @@ main() {
+     USERNAME="${USERNAME:-$(id -un)}"
+ 
+     local socket="" || :
+-    if grep -q ID=fedora /etc/os-release \
++    if [[ -S /run/pesign/socket ]] ; then
++        socket=/run/pesign/socket
++    elif [[ -S /var/run/pesign/socket ]]; then
++        socket=/var/run/pesign/socket
++    elif grep -q ID=fedora /etc/os-release \
+        && [[ "${rhelver}" -lt 7 ]] \
+        && [[ "${USERNAME}" = "mockbuild" ]] \
+        && [[ "${vendor}" = "Fedora Project" ]] \
+        && [[ "${HOSTNAME}" =~ bkernel.* ]]
+     then
+-	if [[ -S /run/pesign/socket ]] ; then
+-	    socket=/run/pesign/socket
+-	elif [[ -S /var/run/pesign/socket ]]; then
+-	    socket=/var/run/pesign/socket
+-	else
+-	    echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
+-	    echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
+-	    ls -ld /run/pesign /var/run/pesign 1>&2 ||:
+-	    ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
+-	    getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+-	    getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+-	fi
++        echo "Warning: no pesign socket even though user is ${USERNAME}" 1>&2
++        echo "Warning: if this is a non-scratch koji build, this is wrong" 1>&2
++        ls -ld /run/pesign /var/run/pesign 1>&2 ||:
++        ls -l /run/pesign/socket /var/run/pesign/socket 1>&2 ||:
++        getfacl /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
++        getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+     fi
+ 
+     if [[ "${rhelver}" -ge 7 ]] ; then

0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch

@@ -1,32 +0,0 @@
-From d618de733865eab359890b4e677c368a133dad99 Mon Sep 17 00:00:00 2001
-From: Pat Riehecky <riehecky@fnal.gov>
-Date: Mon, 7 Nov 2016 11:37:08 -0600
-Subject: [PATCH 07/29] Switch pesign client to also accept token/cert macros
- rather than use hard coded values
-
----
- src/macros.pesign | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 18e5b5e..69280e9 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -41,11 +41,11 @@
-                  --certdir ${nss} -c signer %{-o}			\
-       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
-     elif [ -S /var/run/pesign/socket ]; then				\
--      %{_pesign_client} -t "OpenSC Card (Fedora Signer)"		\\\
--                        -c "/CN=Fedora Secure Boot Signer"		\\\
-+      %{_pesign_client} -t %{__pesign_token}				\\\
-+                        -c %{__pesign_cert}				\\\
-                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
-     else								\
--      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
-+      %{_pesign} -t %{__pesign_token} -c %{__pesign_cert}		\\\
- 		 --certdir ${_pesign_nssdir}				\\\
-                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
-     fi									\
--- 
-2.13.4
-

0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 25 Mar 2022 15:01:54 -0400
+Subject: [PATCH] Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ Make.defaults | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 1c18904..05aadd0 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -79,7 +79,7 @@ ccldflags = $(cflags) $(CCLDFLAGS) $(LDFLAGS) \
+ 	$(call pkg-config-ccldflags)
+ efi_cflags = $(cflags)
+ ASFLAGS	?= $(ARCH3264)
+-CPPFLAGS ?= -D_FORTIFY_SOURCE=2
++CPPFLAGS ?= -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS
+ RANLIBFLAGS	?= $(if $(filter $(CC),gcc),-D)
+ ARFLAGS ?= $(if $(filter $(CC),gcc),-Dcvqs)$(if $(filter $(CC),clang),-cqvs)
+ 

0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch

@@ -1,25 +0,0 @@
-From 2cd211bcc612ad8cb99c778461ca02a9f3e5e44b Mon Sep 17 00:00:00 2001
-From: David Michael <david.michael@coreos.com>
-Date: Thu, 16 Feb 2017 15:08:30 -0800
-Subject: [PATCH 08/29] pesigcheck: Verify with the cert as an object signer
-
----
- src/certdb.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index 2a08042..b7c99bb 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -339,7 +339,7 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	}
- 	/* Verify the signature */
- 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--						certUsageSSLServer,
-+						certUsageObjectSigner,
- 						digest, HASH_AlgSHA256,
- 						PR_FALSE, atTime);
- 	if (!result) {
--- 
-2.13.4
-

0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch

@@ -0,0 +1,24 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 10 Aug 2021 12:39:08 -0400
+Subject: [PATCH] macros.pesign: handle centos like rhel with --rhelver
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/macros.pesign | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 34af57c..b7d6af1 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -34,7 +34,8 @@
+     %{?__pesign_cert:--cert %{__pesign_cert}}				\\\
+     %{?_buildhost:--hostname "%{_buildhost}"}				\\\
+     %{?vendor:--vendor "%{vendor}"}					\\\
+-    %{?_rhel:--rhelver "%{_rhel}"}					\\\
++    %{?rhel:--rhelver "%{rhel}"}					\\\
++    %{?centos:--rhelver "%{centos}"}					\\\
+     %{?-n:--rhelcert %{-n*}}%{?!-n:--rhelcert %{__pesign_cert}}	\\\
+     %{?-a:--rhelcafile "%{-a*}"}					\\\
+     %{?-c:--rhelcertfile "%{-c*}"}					\\\

0009-pesigcheck-make-certfile-actually-work.patch

@@ -1,47 +0,0 @@
-From e0238e2363f9668aee07b2e44a8f358e694551c0 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 24 Apr 2017 15:18:10 -0400
-Subject: [PATCH 09/29] pesigcheck: make --certfile actually work
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesigcheck.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/src/pesigcheck.c b/src/pesigcheck.c
-index 0d49c1a..d7be542 100644
---- a/src/pesigcheck.c
-+++ b/src/pesigcheck.c
-@@ -130,7 +130,7 @@ check_signature(pesigcheck_context *ctx)
- 	cert_iter iter;
- 
- 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
--	
-+
- 	if (check_db_hash(DBX, ctx) == FOUND)
- 		return -1;
- 
-@@ -225,6 +225,11 @@ main(int argc, char *argv[])
- 		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
- 		 .arg = (void *)callback,
- 		 .descrip = (void *)ctxp },
-+		{.longName = "certfile",
-+		 .shortName = 'c',
-+		 .argInfo = POPT_ARG_CALLBACK|POPT_CBFLAG_POST,
-+		 .arg = (void *)callback,
-+		 .descrip = (void *)ctxp },
- 		{.longName = "in",
- 		 .shortName = 'i',
- 		 .argInfo = POPT_ARG_STRING,
-@@ -258,7 +263,7 @@ main(int argc, char *argv[])
- 		 .shortName = 'c',
- 		 .argInfo = POPT_ARG_STRING,
- 		 .arg = &certfile,
--		 .descrip = "the certificate (in DER form) for verification ",
-+		 .descrip = "import certfile (in DER encoding) for allowed certificate",
- 		 .argDescrip = "<certfile>" },
- 		POPT_AUTOALIAS
- 		POPT_AUTOHELP
--- 
-2.13.4
-

0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch

@@ -0,0 +1,25 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 4 Apr 2022 14:45:29 -0400
+Subject: [PATCH] Detect the presence of rpm-sign when checking for "rhel"-ness
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+[rharwood: manually reapply to main]
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/pesign-rpmbuild-helper.in | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pesign-rpmbuild-helper.in b/src/pesign-rpmbuild-helper.in
+index c9d5570..9dee56e 100644
+--- a/src/pesign-rpmbuild-helper.in
++++ b/src/pesign-rpmbuild-helper.in
+@@ -190,7 +190,7 @@ main() {
+         getfacl -n /run/pesign /run/pesign/socket /var/run/pesign /var/run/pesign/socket 1>&2 ||:
+     fi
+ 
+-    if [[ "${rhelver}" -ge 7 ]] ; then
++    if [[ "${rhelver}" -ge 7 ]] && which rpm-sign >&/dev/null ; then
+ 	nssdir="$(mktemp -p "${PWD}" -d)"
+ 	echo > "${nssdir}/pwfile"
+ 	certutil -N -d "${nssdir}" -f "${nssdir}/pwfile"

0010-signerInfos-make-sure-err-is-always-initialized.patch

@@ -1,27 +0,0 @@
-From 799808b265ac6f82fa1268fd696d70357acce69c Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 16:15:07 -0400
-Subject: [PATCH 10/29] signerInfos: make sure err is always initialized
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/signed_data.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/signed_data.c b/src/signed_data.c
-index 721db90..9e0af23 100644
---- a/src/signed_data.c
-+++ b/src/signed_data.c
-@@ -132,7 +132,8 @@ int
- generate_signerInfo_list(cms_context *cms, SpcSignerInfo ***signerInfo_list_p, SignerInfoType type)
- {
- 	SpcSignerInfo **signerInfo_list;
--	int err, rc;
-+	int err = 0;
-+	int rc;
- 
- 	if (!signerInfo_list_p)
- 		return -1;
--- 
-2.13.4
-

0011-Rename-README-README.md.patch

@@ -0,0 +1,17 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 13 May 2022 15:53:05 -0400
+Subject: [PATCH] Rename README -> README.md
+
+Rich text will let me compact links.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ README => README.md | 0
+ 1 file changed, 0 insertions(+), 0 deletions(-)
+ rename README => README.md (100%)
+
+diff --git a/README b/README.md
+similarity index 100%
+rename from README
+rename to README.md

0011-pesign-make-pesign-h-tell-you-the-file-name.patch

@@ -1,26 +0,0 @@
-From 868b42b338d919917ea31cfbf0f96e9586947eaf Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 16:23:36 -0400
-Subject: [PATCH 11/29] pesign: make "pesign -h" tell you the file name.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesign.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/pesign.c b/src/pesign.c
-index 279a17a..5879cfc 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -387,7 +387,7 @@ print_digest(pesign_context *pctx)
- 	if (!ctx)
- 		return;
- 
--	printf("hash: ");
-+	printf("%s ", pctx->infile);
- 	int j = ctx->selected_digest;
- 	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
- 		printf("%02x",
--- 
-2.13.4
-

0012-Add-coverity-build-scripts.patch

@@ -1,104 +0,0 @@
-From 95327e6d9bd4f70980acd8fd6c9524265990dc4d Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 10 May 2017 10:49:57 -0400
-Subject: [PATCH 12/29] Add coverity build scripts
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- .gitignore    |  1 +
- Make.coverity | 37 +++++++++++++++++++++++++++++++++++++
- Make.defaults |  2 ++
- Make.rules    |  4 ++++
- Makefile      |  1 +
- 5 files changed, 45 insertions(+)
- create mode 100644 Make.coverity
-
-diff --git a/.gitignore b/.gitignore
-index 1635ba2..847e172 100644
---- a/.gitignore
-+++ b/.gitignore
-@@ -12,3 +12,4 @@
- *.tar.*
- *.rpm
- core.*
-+cov-int
-diff --git a/Make.coverity b/Make.coverity
-new file mode 100644
-index 0000000..b80b091
---- /dev/null
-+++ b/Make.coverity
-@@ -0,0 +1,37 @@
-+include $(TOPDIR)/Make.version
-+include $(TOPDIR)/Make.rules
-+include $(TOPDIR)/Make.defaults
-+
-+COV_EMAIL=$(call get-config,coverity.email)
-+COV_TOKEN=$(call get-config,coverity.token)
-+COV_URL=$(call get-config,coverity.url)
-+COV_FILE=$(NAME)-coverity-$(VERSION)-$(COMMIT_ID).tar.bz2
-+
-+cov-int : clean
-+	cov-build --dir cov-int make all
-+
-+cov-clean :
-+	@rm -vf $(NAME)-coverity-*.tar.*
-+	@if [[ -d cov-int ]]; then rm -rf cov-int && echo "removed 'cov-int'"; fi
-+
-+cov-file : | $(COV_FILE)
-+
-+$(COV_FILE) : cov-int
-+	tar caf $@ cov-int
-+
-+cov-upload :
-+	@if [[ -n "$(COV_URL)" ]] &&					\
-+	    [[ -n "$(COV_TOKEN)" ]] &&					\
-+	    [[ -n "$(COV_EMAIL)" ]] ;					\
-+	then								\
-+		echo curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
-+		curl --form token=$(COV_TOKEN) --form email="$(COV_EMAIL)" --form file=@"$(COV_FILE)" --form version=$(VERSION).1 --form description="$(COMMIT_ID)" "$(COV_URL)" ; \
-+	else								\
-+		echo Coverity output is in $(COV_FILE) ;		\
-+	fi
-+
-+coverity : cov-file cov-upload
-+
-+clean : | cov-clean
-+
-+.PHONY : coverity cov-upload cov-clean cov-file
-diff --git a/Make.defaults b/Make.defaults
-index 3511080..39b78f0 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -1,3 +1,5 @@
-+NAME	= pesign
-+COMMIT_ID ?= $(shell git log -1 --pretty=%H 2>/dev/null || echo master)
- prefix	?= /usr/
- prefix	:= $(abspath $(prefix))/
- libdir	?= $(prefix)lib64/
-diff --git a/Make.rules b/Make.rules
-index af5ecfe..5e3c83d 100644
---- a/Make.rules
-+++ b/Make.rules
-@@ -79,3 +79,7 @@ endef
- 
- $(TOPDIR)/libdpe/%.a $(TOPDIR)/libdpe/% :
- 	$(MAKE) -C $(TOPDIR)/libdpe $(notdir $@)
-+
-+define get-config =
-+$(shell git config --local --get "$(NAME).$(1)")
-+endef
-diff --git a/Makefile b/Makefile
-index db8eb7e..ca1a359 100644
---- a/Makefile
-+++ b/Makefile
-@@ -4,6 +4,7 @@ TOPDIR = $(realpath .)
- include $(TOPDIR)/Make.version
- include $(TOPDIR)/Make.rules
- include $(TOPDIR)/Make.defaults
-+include $(TOPDIR)/Make.coverity
- 
- SUBDIRS := include libdpe src
- 
--- 
-2.13.4
-

0012-README.md-show-off-a-bit-more.patch

@@ -0,0 +1,56 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 13 May 2022 16:09:12 -0400
+Subject: [PATCH] README.md: show off a bit more
+
+Prominently mention efikeygen and add examples of usage for it and
+pesign proper.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ README.md | 36 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 32 insertions(+), 4 deletions(-)
+
+diff --git a/README.md b/README.md
+index d70bc53..e9f0cb7 100644
+--- a/README.md
++++ b/README.md
+@@ -1,6 +1,34 @@
+-Signing tool for PE-COFF binaries, hopefully at least vaguely compliant with
+-the PE and Authenticode specifications.
++# pesign + efikeygen
+ 
+-This is vaguely analogous to the tool described by
+-http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx
++Signing tools for PE-COFF binaries.  Compliant with the PE and Authenticode
++specifications.
+ 
++(These serve a similar purpose to Microsoft's
++[SignTool.exe](http://msdn.microsoft.com/en-us/library/8s9b9yaz%28v=vs.80%29.aspx),
++except for Linux.)
++
++## Examples
++
++Generate a key for use with pesign, stored on disk:
++
++```
++efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
++```
++
++For more complex and secure use cases (e.g., hardware tokens), see
++efikeygen man page (`man efikeygen`).
++
++Sign a UEFI application using that key:
++
++```
++pesign -i grubx64.efi -o grubx64.efi.signed -c 'Custom Secureboot' -s
++```
++
++Show signatures on a UEFI application:
++
++```
++pesign -i grubx64.efi.signed -S
++```
++
++For more signing/verification operations, see the pesign man page (`man
++pesign`).

0013-Document-implicit-fallthrough.patch

@@ -1,25 +0,0 @@
-From 4b9e7cf3e869de36daf2ea705b9efef55ae87ef8 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Sat, 8 Jul 2017 16:31:18 -0400
-Subject: [PATCH 13/29] Document implicit fallthrough.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/authvar.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/authvar.c b/src/authvar.c
-index ad659ca..03e0c47 100644
---- a/src/authvar.c
-+++ b/src/authvar.c
-@@ -511,6 +511,7 @@ main(int argc, char *argv[])
- 	case IMPORT|SET:
- 	case IMPORT|SIGN|SET:
- 		fprintf(stderr, "authvar: not implemented\n");
-+		/* fallthrough. */
- 	case IMPORT|SIGN|EXPORT:
- 	default:
- 		fprintf(stderr, "authvar: invalid flags: ");
--- 
-2.13.4
-

0013-Fix-missing-line-in-README.md.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 16 May 2022 15:31:25 -0400
+Subject: [PATCH] Fix missing line in README.md
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ README.md | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/README.md b/README.md
+index e9f0cb7..7bbd6dd 100644
+--- a/README.md
++++ b/README.md
+@@ -15,6 +15,8 @@ Generate a key for use with pesign, stored on disk:
+ efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+ ```
+ 
++(where TYPE is m if you're only signing kernel modules, and k otherwise).
++
+ For more complex and secure use cases (e.g., hardware tokens), see
+ efikeygen man page (`man efikeygen`).
+ 

0014-Actually-setfacl-each-directory-of-our-key-storage.patch

@@ -1,50 +0,0 @@
-From a95e28e5cb10d417c81c8720e8521eb63793da37 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 16 May 2016 15:25:53 -0400
-Subject: [PATCH 14/29] Actually setfacl /each/ directory of our key storage.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/pesign-authorize-groups | 6 +++---
- src/pesign-authorize-users  | 6 +++---
- 2 files changed, 6 insertions(+), 6 deletions(-)
-
-diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
-index a4f895e..cf51fb6 100644
---- a/src/pesign-authorize-groups
-+++ b/src/pesign-authorize-groups
-@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
- 		setfacl -m g:${group}:rw /var/run/pesign/socket
- 	    fi
- 	fi
--	for x in /etc/pki/pesign* ; do
-+	for x in /etc/pki/pesign*/ ; do
- 	    if [ -d ${x} ]; then
--		setfacl -m g:${group}:rx /etc/pki/pesign
--		for y in ${x}/{cert8,key3,secmod}.db ; do
-+		setfacl -m g:${group}:rx ${x}
-+		for y in ${x}{cert8,key3,secmod}.db ; do
- 		    setfacl -m g:${group}:rw ${y}
- 		done
- 	    fi
-diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
-index 8b9a885..940138e 100644
---- a/src/pesign-authorize-users
-+++ b/src/pesign-authorize-users
-@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
- 		setfacl -m g:${username}:rw /var/run/pesign/socket
- 	    fi
- 	fi
--	for x in /etc/pki/pesign* ; do
-+	for x in /etc/pki/pesign*/ ; do
- 	    if [ -d ${x} ]; then
--		setfacl -m g:${username}:rx /etc/pki/pesign
--		for y in ${x}/{cert8,key3,secmod}.db ; do
-+		setfacl -m g:${username}:rx ${x}
-+		for y in ${x}{cert8,key3,secmod}.db ; do
- 		    setfacl -m g:${username}:rw ${y}
- 		done
- 	    fi
--- 
-2.13.4
-

0014-Fix-typo-in-efikeygen-command.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Matt Bernhard <bernhard@voting.works>
+Date: Fri, 27 May 2022 14:40:49 -0400
+Subject: [PATCH] Fix typo in efikeygen command
+
+Signed-off-by: Matt Bernhard <mdb92nc@gmail.com>
+---
+ README.md | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/README.md b/README.md
+index 7bbd6dd..b6949a2 100644
+--- a/README.md
++++ b/README.md
+@@ -12,7 +12,7 @@ except for Linux.)
+ Generate a key for use with pesign, stored on disk:
+ 
+ ```
+-efikeyen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
++efikeygen -d /etc/pki/pesign -S -TYPE -c 'CN=Your Name Key' -n 'Custom Secureboot'
+ ```
+ 
+ (where TYPE is m if you're only signing kernel modules, and k otherwise).

0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch

@@ -1,59 +0,0 @@
-From a3cc2ad5d49ed61187527281da351e80d8f76a89 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 22 Aug 2016 13:31:38 -0400
-Subject: [PATCH 15/29] oid: add SHIM_EKU_MODULE_SIGNING_ONLY and fix our array
- indices.
-
-That was all kinds of wrong.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/oid.c | 10 +++++++---
- src/oid.h |  1 +
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/oid.c b/src/oid.c
-index 9d8154f..7037e1e 100644
---- a/src/oid.c
-+++ b/src/oid.c
-@@ -33,6 +33,7 @@ static uint8_t oiddata[] = {
- 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x0f,
- 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x01, 0x15,
- 	0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x15, 0x01,
-+	0x2b, 0x06, 0x01, 0x04, 0x01, 0x92, 0x08, 0x10, 0x01, 0x02,
- };
- 
- #define OID(num, desc_s, oidtype, length, value)		\
-@@ -53,11 +54,14 @@ static struct {
- 	OID(SPC_STATEMENT_TYPE_OBJID, "Statement Type", siDEROID, 10,
- 		&oiddata[10]),
- 	OID(SPC_PE_IMAGE_DATA_OBJID, "PE Image Data", siDEROID, 10,
--		&oiddata[30]),
-+		&oiddata[20]),
- 	OID(SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID, "Individual Key", siDEROID,
--		10, &oiddata[40]),
-+		10, &oiddata[30]),
- 	OID(szOID_CERTSRV_CA_VERSION, "Certification server CA version",
--		siAsciiString, 9, &oiddata[50]),
-+		siAsciiString, 9, &oiddata[40]),
-+	OID(SHIM_EKU_MODULE_SIGNING_ONLY,
-+		"Certificate is used for kernel modules only", siDEROID, 10,
-+		&oiddata[49]),
- 	{ .oid = END_OID_LIST }
- };
- 
-diff --git a/src/oid.h b/src/oid.h
-index 599f49d..0e00781 100644
---- a/src/oid.h
-+++ b/src/oid.h
-@@ -25,6 +25,7 @@ typedef enum {
- 	SPC_PE_IMAGE_DATA_OBJID,		/* 1.3.6.1.4.1.311.2.1.15 */
- 	SPC_INDIVIDUAL_SP_KEY_PURPOSE_OBJID,	/* 1.3.6.1.4.1.311.2.1.21 */
- 	szOID_CERTSRV_CA_VERSION,		/* 1.3.6.1.4.1.311.21.1 */
-+	SHIM_EKU_MODULE_SIGNING_ONLY,		/* 1.3.6.1.4.1.2312.16.1.2 */
- 	END_OID_LIST
- } ms_oid_t;
- 
--- 
-2.13.4
-

0015-pesigcheck-Fix-crash-on-digest-match.patch

@@ -0,0 +1,53 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Visa Hankala <visa@hankala.org>
+Date: Fri, 10 Jun 2022 13:25:13 +0000
+Subject: [PATCH] pesigcheck: Fix crash on digest match
+
+Set selected_digest when the digest is found in db or dbx.
+This fixes the following crash of pesigcheck:
+
+  Program received signal SIGSEGV, Segmentation fault.
+  0x00005555555597fa in memcpy (__len=24, __src=0x31,
+      __dest=0x55555558d908)
+      at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
+  34      return __builtin___memcpy_chk (__dest, __src, __len, __bos0 (__dest));
+  (gdb) bt
+  #0  0x00005555555597fa in memcpy (__len=24, __src=0x31,
+      __dest=0x55555558d908)
+      at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
+  #1  get_digest (digest=digest@entry=0x55555558d908,
+      ctx=<optimized out>, ctx=<optimized out>) at pesigcheck.c:226
+  #2  0x00005555555592fd in check_signature (
+      reasons=<synthetic pointer>, nreasons=<synthetic pointer>,
+      ctx=0x7fffffffded0) at pesigcheck.c:262
+  #3  main (argc=<optimized out>, argv=<optimized out>)
+      at pesigcheck.c:512
+
+Signed-off-by: Visa Hankala <visa@hankala.org>
+---
+ src/certdb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index e013b9d..69d5daf 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -267,12 +267,16 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 
+ 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
+ 		digest = ctx->cms_ctx->digests[0].pe_digest->data;
+-		if (memcmp (digest, sig->data, 32) == 0)
++		if (memcmp (digest, sig->data, 32) == 0) {
++			ctx->cms_ctx->selected_digest = 0;
+ 			return FOUND;
++		}
+ 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
+ 		digest = ctx->cms_ctx->digests[1].pe_digest->data;
+-		if (memcmp (digest, sig->data, 20) == 0)
++		if (memcmp (digest, sig->data, 20) == 0) {
++			ctx->cms_ctx->selected_digest = 1;
+ 			return FOUND;
++		}
+ 	}
+ 
+ 	return NOT_FOUND;

0016-cms-store-digest-as-pointer-instead-of-index.patch

@@ -0,0 +1,272 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Fri, 10 Jun 2022 14:40:33 -0400
+Subject: [PATCH] cms: store digest as pointer instead of index
+
+Storage as an index is problematic because the sentinel value -1 was
+used, but accesses were unchecked, leading to crashes like that in
+3b1031a6b779cb80c11b34eec84c5a0cc215efed ("pesigcheck: Fix crash on
+digest match").  By storing a pointer, we get an explicit NULL
+dereference: still a crash, but preferred since it's clearer.
+
+Since the index was previously also used for retrieving digest
+parameters, include a pointer to the relevant struct digest_param in the
+struct digest.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ src/certdb.c       | 15 ++++++++-------
+ src/cms_common.c   | 34 ++++++++++------------------------
+ src/content_info.c |  4 ++--
+ src/file_kmod.c    |  2 +-
+ src/file_pe.c      |  9 +++++----
+ src/pesigcheck.c   |  4 +---
+ src/cms_common.h   | 13 ++++++++++++-
+ 7 files changed, 39 insertions(+), 42 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 69d5daf..f512824 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -263,18 +263,19 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ {
+ 	efi_guid_t efi_sha256 = efi_guid_sha256;
+ 	efi_guid_t efi_sha1 = efi_guid_sha1;
+-	void *digest;
++	void *digest_data;
++	struct digest *digests = ctx->cms_ctx->digests;
+ 
+ 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
+-		digest = ctx->cms_ctx->digests[0].pe_digest->data;
+-		if (memcmp (digest, sig->data, 32) == 0) {
+-			ctx->cms_ctx->selected_digest = 0;
++		digest_data = digests[0].pe_digest->data;
++		if (memcmp (digest_data, sig->data, 32) == 0) {
++			ctx->cms_ctx->selected_digest = &digests[0];
+ 			return FOUND;
+ 		}
+ 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
+-		digest = ctx->cms_ctx->digests[1].pe_digest->data;
+-		if (memcmp (digest, sig->data, 20) == 0) {
+-			ctx->cms_ctx->selected_digest = 1;
++		digest_data = digests[1].pe_digest->data;
++		if (memcmp (digest_data, sig->data, 20) == 0) {
++			ctx->cms_ctx->selected_digest = &digests[1];
+ 			return FOUND;
+ 		}
+ 	}
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 86341ca..2275f67 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -33,15 +33,6 @@
+ 
+ #include "hex.h"
+ 
+-struct digest_param {
+-	char *name;
+-	SECOidTag digest_tag;
+-	SECOidTag signature_tag;
+-	SECOidTag digest_encryption_tag;
+-	const efi_guid_t *efi_guid;
+-	int size;
+-};
+-
+ static struct digest_param digest_params[] = {
+ 	{.name = "sha256",
+ 	 .digest_tag = SEC_OID_SHA256,
+@@ -65,29 +56,25 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ SECOidTag
+ digest_get_digest_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
+-	return digest_params[i].digest_tag;
++	return cms->selected_digest->digest_params->digest_tag;
+ }
+ 
+ SECOidTag
+ digest_get_encryption_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
+-	return digest_params[i].digest_encryption_tag;
++	return cms->selected_digest->digest_params->digest_encryption_tag;
+ }
+ 
+ SECOidTag
+ digest_get_signature_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
+-	return digest_params[i].signature_tag;
++	return cms->selected_digest->digest_params->signature_tag;
+ }
+ 
+ int
+ digest_get_digest_size(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
+-	return digest_params[i].size;
++	return cms->selected_digest->digest_params->size;
+ }
+ 
+ void
+@@ -142,8 +129,6 @@ cms_context_init(cms_context *cms)
+ 	if (!cms->arena)
+ 		cnreterr(-1, cms, "could not create cryptographic arena");
+ 
+-	cms->selected_digest = -1;
+-
+ 	INIT_LIST_HEAD(&cms->pk12_ins);
+ 	cms->pk12_out.fd = -1;
+ 	cms->db_out = cms->dbx_out = cms->dbt_out = -1;
+@@ -226,7 +211,7 @@ cms_context_fini(cms_context *cms)
+ 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
+ 	}
+ 
+-	cms->selected_digest = -1;
++	cms->selected_digest = NULL;
+ 
+ 	if (cms->ci_digest) {
+ 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
+@@ -351,7 +336,7 @@ set_digest_parameters(cms_context *cms, char *name)
+ 	if (strcmp(name, "help")) {
+ 		for (int i = 0; i < n_digest_params; i++) {
+ 			if (!strcmp(name, digest_params[i].name)) {
+-				cms->selected_digest = i;
++				cms->selected_digest = &cms->digests[i];
+ 				return 0;
+ 			}
+ 		}
+@@ -1279,6 +1264,7 @@ generate_digest_begin(cms_context *cms)
+ 			cngotoerr(err, cms, "could not create digest context");
+ 
+ 		PK11_DigestBegin(digests[i].pk11ctx);
++		digests[i].digest_params = &digest_params[i];
+ 	}
+ 
+ 	cms->digests = digests;
+@@ -1351,11 +1337,11 @@ generate_signature(cms_context *cms)
+ {
+ 	int rc = 0;
+ 
+-	if (cms->digests[cms->selected_digest].pe_digest == NULL)
++	if (cms->selected_digest->pe_digest == NULL)
+ 		cnreterr(-1, cms, "PE digest has not been allocated");
+ 
+-	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
+-			cms->digests[cms->selected_digest].pe_digest->len))
++	if (content_is_empty(cms->selected_digest->pe_digest->data,
++			cms->selected_digest->pe_digest->len))
+ 		cnreterr(-1, cms, "PE binary has not been digested");
+ 
+ 	SECItem sd_der;
+diff --git a/src/content_info.c b/src/content_info.c
+index 9684850..777aa28 100644
+--- a/src/content_info.c
++++ b/src/content_info.c
+@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
+ 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
+ 			digest_get_digest_oid(cms)) < 0)
+ 		return -1;
+-	int i = cms->selected_digest;
+-	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
++	memcpy(&di.digest, cms->selected_digest->pe_digest,
++	       sizeof(di.digest));
+ 
+ 	if (content_is_empty(di.digest.data, di.digest.len)) {
+ 		cms->log(cms, LOG_ERR, "got empty digest");
+diff --git a/src/file_kmod.c b/src/file_kmod.c
+index 6880cda..c8875fc 100644
+--- a/src/file_kmod.c
++++ b/src/file_kmod.c
+@@ -60,7 +60,7 @@ ssize_t
+ kmod_write_signature(cms_context *cms, int outfd)
+ {
+ 	SEC_PKCS7ContentInfo *cinfo;
+-	SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
++	SECItem *digest = cms->selected_digest->pe_digest;
+ 	SECStatus rv;
+ 	struct write_sig_info info = {
+ 		.outfd = outfd,
+diff --git a/src/file_pe.c b/src/file_pe.c
+index 805e614..c22b2af 100644
+--- a/src/file_pe.c
++++ b/src/file_pe.c
+@@ -114,6 +114,8 @@ check_inputs(pesign_context *ctx)
+ static void
+ print_digest(pesign_context *pctx)
+ {
++	unsigned int i;
++
+ 	if (!pctx)
+ 		return;
+ 
+@@ -121,10 +123,9 @@ print_digest(pesign_context *pctx)
+ 	if (!ctx)
+ 		return;
+ 
+-	int j = ctx->selected_digest;
+-	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
+-		printf("%02x",
+-			(unsigned char)ctx->digests[j].pe_digest->data[i]);
++	unsigned char *ddata = ctx->selected_digest->pe_digest->data;
++	for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
++		printf("%02x", ddata[i]);
+ 	printf(" %s\n", pctx->infile);
+ }
+ 
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index 6dc67f7..ebb404d 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -221,9 +221,7 @@ static void
+ get_digest(pesigcheck_context *ctx, SECItem *digest)
+ {
+ 	struct cms_context *cms = ctx->cms_ctx;
+-	struct digest *cms_digest = &cms->digests[cms->selected_digest];
+-
+-	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
++	memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
+ }
+ 
+ static int
+diff --git a/src/cms_common.h b/src/cms_common.h
+index c7acbcf..c7d4f69 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -12,6 +12,7 @@
+ #include <secpkcs7.h>
+ 
+ #include <errno.h>
++#include <efivar.h>
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <sys/types.h>
+@@ -57,9 +58,19 @@
+ 		goto errlabel;						\
+ 	})
+ 
++struct digest_param {
++	char *name;
++	SECOidTag digest_tag;
++	SECOidTag signature_tag;
++	SECOidTag digest_encryption_tag;
++	const efi_guid_t *efi_guid;
++	int size;
++};
++
+ struct digest {
+ 	PK11Context *pk11ctx;
+ 	SECItem *pe_digest;
++	struct digest_param *digest_params;
+ };
+ 
+ typedef struct pk12_file {
+@@ -133,7 +144,7 @@ typedef struct cms_context {
+ 	int db_out, dbx_out, dbt_out;
+ 
+ 	struct digest *digests;
+-	int selected_digest;
++	struct digest *selected_digest;
+ 	int omit_vendor_cert;
+ 
+ 	SECItem newsig;

0016-efikeygen-add-modsign.patch

@@ -1,197 +0,0 @@
-From 9b4b12928c0450ac69d83293e179eec439465c03 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 22 Aug 2016 13:43:56 -0400
-Subject: [PATCH 16/29] efikeygen: add --modsign
-
----
- src/cms_common.c | 29 ++++++++++++++++++++++++++++
- src/cms_common.h |  1 +
- src/efikeygen.c  | 59 ++++++++++++++++++++++++++++++++++++++++++++------------
- 3 files changed, 77 insertions(+), 12 deletions(-)
-
-diff --git a/src/cms_common.c b/src/cms_common.c
-index 6a4e6a7..2df2cfe 100644
---- a/src/cms_common.c
-+++ b/src/cms_common.c
-@@ -715,6 +715,35 @@ make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
- 	return 0;
- }
- 
-+static SEC_ASN1Template EKUOidSequence[] = {
-+	{
-+	.kind = SEC_ASN1_OBJECT_ID,
-+	.offset = 0,
-+	.sub = &SEC_AnyTemplate,
-+	.size = sizeof (SECItem),
-+	},
-+	{ 0 }
-+};
-+
-+int
-+make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag)
-+{
-+	void *rv;
-+	SECOidData *oid_data;
-+
-+	oid_data = SECOID_FindOIDByTag(oid_tag);
-+	if (!oid_data)
-+		cmsreterr(-1, cms, "could not encode eku oid data");
-+
-+	rv = SEC_ASN1EncodeItem(cms->arena, encoded, &oid_data->oid,
-+				EKUOidSequence);
-+	if (rv == NULL)
-+		cmsreterr(-1, cms, "could not encode eku oid data");
-+
-+	encoded->type = siBuffer;
-+	return 0;
-+}
-+
- int
- generate_octet_string(cms_context *cms, SECItem *encoded, SECItem *original)
- {
-diff --git a/src/cms_common.h b/src/cms_common.h
-index c7d7268..7a31273 100644
---- a/src/cms_common.h
-+++ b/src/cms_common.h
-@@ -123,6 +123,7 @@ extern int wrap_in_seq(cms_context *cms, SECItem *der,
- 			SECItem *items, int num_items);
- extern int make_context_specific(cms_context *cms, int ctxt, SECItem *encoded,
- 			SECItem *original);
-+extern int make_eku_oid(cms_context *cms, SECItem *encoded, SECOidTag oid_tag);
- extern int generate_validity(cms_context *cms, SECItem *der, time_t start,
- 				time_t end);
- extern int generate_common_name(cms_context *cms, SECItem *der, char *cn);
-diff --git a/src/efikeygen.c b/src/efikeygen.c
-index 8a515a5..9390578 100644
---- a/src/efikeygen.c
-+++ b/src/efikeygen.c
-@@ -49,6 +49,7 @@
- #include <libdpe/libdpe.h>
- 
- #include "cms_common.h"
-+#include "oid.h"
- #include "util.h"
- 
- typedef struct {
-@@ -249,20 +250,34 @@ add_basic_constraints(cms_context *cms, void *extHandle)
- }
- 
- static int
--add_extended_key_usage(cms_context *cms, void *extHandle)
-+add_extended_key_usage(cms_context *cms, int modsign_only, void *extHandle)
- {
--	SECItem value = {
--		.data = (unsigned char *)"\x30\x0a\x06\x08\x2b\x06\x01"
--					 "\x05\x05\x07\x03\x03",
--		.len = 12,
--		.type = siBuffer
--	};
-+	SECItem values[2];
-+	SECItem wrapped = { 0 };
-+	SECStatus status;
-+	SECOidTag tag;
-+	int rc;
-+
-+	if (modsign_only < 1 || modsign_only > 2)
-+		cmsreterr(-1, cms, "could not encode extended key usage");
- 
-+	rc = make_eku_oid(cms, &values[0], SEC_OID_EXT_KEY_USAGE_CODE_SIGN);
-+	if (rc < 0)
-+		cmsreterr(-1, cms, "could not encode extended key usage");
-+
-+	tag = find_ms_oid_tag(SHIM_EKU_MODULE_SIGNING_ONLY);
-+	printf("tag: %d\n", tag);
-+	rc = make_eku_oid(cms, &values[1], tag);
-+	if (rc < 0)
-+		cmsreterr(-1, cms, "could not encode extended key usage");
-+
-+	rc = wrap_in_seq(cms, &wrapped, values, modsign_only);
-+	if (rc < 0)
-+		cmsreterr(-1, cms, "could not encode extended key usage");
- 
--	SECStatus status;
- 
- 	status = CERT_AddExtension(extHandle, SEC_OID_X509_EXT_KEY_USAGE,
--					&value, PR_FALSE, PR_TRUE);
-+					&wrapped, PR_FALSE, PR_TRUE);
- 	if (status != SECSuccess)
- 		cmsreterr(-1, cms, "could not encode extended key usage");
- 
-@@ -294,7 +309,7 @@ static int
- add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
- 			int is_ca, int is_self_signed, SECKEYPublicKey *pubkey,
- 			SECKEYPublicKey *spubkey,
--			char *url)
-+			char *url, int modsign_only)
- {
- 	void *mark = PORT_ArenaMark(cms->arena);
- 
-@@ -319,7 +334,7 @@ add_extensions_to_crq(cms_context *cms, CERTCertificateRequest *crq,
- 	if (rc < 0)
- 		cmsreterr(-1, cms, "could not generate certificate extensions");
- 
--	rc = add_extended_key_usage(cms, extHandle);
-+	rc = add_extended_key_usage(cms, modsign_only, extHandle);
- 	if (rc < 0)
- 		cmsreterr(-1, cms, "could not generate certificate extensions");
- 
-@@ -469,6 +484,7 @@ int main(int argc, char *argv[])
- {
- 	int is_ca = 0;
- 	int is_self_signed = -1;
-+	int modsign_only = 0;
- 	char *tokenname = "NSS Certificate DB";
- 	char *signer = NULL;
- 	char *nickname = NULL;
-@@ -522,6 +538,18 @@ int main(int argc, char *argv[])
- 		 .descrip = "Generate a self-signed certificate" },
- 
- 		/* stuff about the generated key */
-+		{.longName = "kernel",
-+		 .shortName = 'k',
-+		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
-+		 .arg = &modsign_only,
-+		 .val = 1,
-+		 .descrip = "Generate a kernel-signing certificate" },
-+		{.longName = "module",
-+		 .shortName = 'm',
-+		 .argInfo = POPT_ARG_VAL|POPT_ARGFLAG_OR,
-+		 .arg = &modsign_only,
-+		 .val = 2,
-+		 .descrip = "Generate a module-signing certificate" },
- 		{.longName = "nickname",
- 		 .shortName = 'n',
- 		 .argInfo = POPT_ARG_STRING,
-@@ -628,6 +656,9 @@ int main(int argc, char *argv[])
- 			liberr(1, "could not allocate cms context");
- 	}
- 
-+	if (modsign_only < 1 || modsign_only > 2)
-+		errx(1, "either --kernel or --module must be used");
-+
- 	SECStatus status = NSS_InitReadWrite(dbdir);
- 	if (status != SECSuccess)
- 		nsserr(1, "could not initialize NSS");
-@@ -639,6 +670,10 @@ int main(int argc, char *argv[])
- 	SECKEYPublicKey *pubkey = NULL;
- 	SECKEYPrivateKey *privkey = NULL;
- 
-+	status = register_oids(cms);
-+	if (status != SECSuccess)
-+		nsserr(1, "Could not register OIDs");
-+
- 	PK11SlotInfo *slot = NULL;
- 	if (pubfile) {
- 		rc = get_pubkey_from_file(pubfile, &pubkey);
-@@ -713,7 +748,7 @@ int main(int argc, char *argv[])
- 	crq = CERT_CreateCertificateRequest(name, spki, &attributes);
- 
- 	rc = add_extensions_to_crq(cms, crq, is_ca, is_self_signed, pubkey,
--					spubkey, url);
-+					spubkey, url, modsign_only);
- 	if (rc < 0)
- 		exit(1);
- 
--- 
-2.13.4
-

0017-Fix-mandoc-invocation-to-not-produce-garbage.patch

@@ -0,0 +1,31 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Thu, 7 Jul 2022 16:56:41 -0400
+Subject: [PATCH] Fix mandoc invocation to not produce garbage
+
+Bizarrely, mandoc doesn't default to outputting man - the default is
+"locale", which is either ASCII or UTF-8 (by locale).  This output is
+supposed to be some kind of plain-text, but it's formatted so strangely
+I'm not sure what the purpose is.  Regardless, it doesn't go well to
+feed this into man(1).
+
+Tell mandoc explicitly to produce man pages.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+---
+ Make.rules | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Make.rules b/Make.rules
+index 12e322b..f6bf5fa 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -54,7 +54,7 @@ define substitute-version =
+ endef
+ 
+ %.1 : %.1.mdoc
+-	@mandoc -man -Ios=Linux $^ > $@
++	@mandoc -man -T man -Ios=Linux $^ > $@
+ 
+ % : %.in
+ 	@$(call substitute-version,$<,$@)

0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch

@@ -1,121 +0,0 @@
-From 0456758e0c0873d1251bdf77d27f0f6175cbf289 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 16:25:02 -0400
-Subject: [PATCH 17/29] check_cert_db(): try even harder to pick a reasonable
- validation time.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/certdb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 66 insertions(+), 9 deletions(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index b7c99bb..1a4baf1 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -250,12 +250,53 @@ check_db_hash(db_specifier which, pesigcheck_context *ctx)
- 	return check_db(which, ctx, check_hash, NULL, 0);
- }
- 
--static PRTime
--determine_reasonable_time(CERTCertificate *cert)
-+static void
-+find_cert_times(SEC_PKCS7ContentInfo *cinfo,
-+		PRTime *notBefore, PRTime *notAfter)
- {
--	PRTime notBefore, notAfter;
--	CERT_GetCertTimes(cert, &notBefore, &notAfter);
--	return notBefore;
-+	CERTCertDBHandle *defaultdb, *certdb;
-+	SEC_PKCS7SignedData *sdp;
-+	CERTCertificate **certs = NULL;
-+	SECItem **rawcerts;
-+	int i, certcount;
-+	SECStatus rv;
-+
-+	if (cinfo->contentTypeTag->offset != SEC_OID_PKCS7_SIGNED_DATA) {
-+err:
-+		*notBefore = 0;
-+		*notAfter = 0x7fffffffffffffff;
-+		return;
-+	}
-+
-+	sdp = cinfo->content.signedData;
-+	rawcerts = sdp->rawCerts;
-+
-+	defaultdb = CERT_GetDefaultCertDB();
-+
-+	certdb = defaultdb;
-+	if (certdb == NULL)
-+		goto err;
-+
-+	certcount = 0;
-+	if (rawcerts != NULL) {
-+		for (; rawcerts[certcount] != NULL; certcount++)
-+			;
-+	}
-+	rv = CERT_ImportCerts(certdb, certUsageObjectSigner, certcount,
-+			      rawcerts, &certs, PR_FALSE, PR_FALSE, NULL);
-+	if (rv != SECSuccess)
-+		goto err;
-+
-+	for (i = 0; i < certcount; i++) {
-+		PRTime nb = 0, na = 0x7fffffffffff;
-+		CERT_GetCertTimes(certs[i], &nb, &na);
-+		if (*notBefore < nb)
-+			*notBefore = nb;
-+		if (*notAfter > na)
-+			*notAfter = na;
-+	}
-+
-+	CERT_DestroyCertArray(certs, certcount);
- }
- 
- static db_status
-@@ -271,6 +312,8 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	PRBool result;
- 	SECStatus rv;
- 	db_status status = NOT_FOUND;
-+	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
-+	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
- 
- 	efi_guid_t efi_x509 = efi_guid_x509_cert;
- 
-@@ -327,16 +370,30 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	}
- 	cert->timeOK = PR_TRUE;
- 
-+	find_cert_times(cinfo, &notBefore, &notAfter);
-+	if (earlyNow < notBefore)
-+		earlyNow = notBefore;
-+	if (lateNow > notAfter)
-+		lateNow = notAfter;
-+
- 	SECItem *eTime;
- 	PRTime atTime;
- 	// atTime = determine_reasonable_time(cert);
- 	eTime = SEC_PKCS7GetSigningTime(cinfo);
- 	if (eTime != NULL) {
--		if (DER_DecodeTimeChoice (&atTime, eTime) != SECSuccess)
--			atTime = determine_reasonable_time(cert);
--	} else {
--		atTime = determine_reasonable_time(cert);
-+		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
-+			if (earlyNow < atTime)
-+				earlyNow = atTime;
-+			if (lateNow > atTime)
-+				lateNow = atTime;
-+		}
- 	}
-+
-+	if (lateNow < earlyNow)
-+		printf("Impossible time constraints: %ld <= %ld\n",
-+		       earlyNow / 1000000, lateNow / 1000000);
-+	atTime = earlyNow / 2 + lateNow / 2;
-+
- 	/* Verify the signature */
- 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
- 						certUsageObjectSigner,
--- 
-2.13.4
-

0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch

@@ -0,0 +1,41 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 29 Aug 2022 15:31:52 -0400
+Subject: [PATCH] Work around GCC being obnoxiously incompatible with GCC
+
+GCC added and then later removed the diagnostic flag
+"-Wanalyzer-use-of-uninitialized-value", and so this doesn't work with
+newer versions of GCC.
+
+This patch removes the previous workaround for when it didn't work well.
+I really wish any of our compilers had any sense of rigor with this
+stuff at all.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/daemon.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/daemon.c b/src/daemon.c
+index ff88210..d66dd50 100644
+--- a/src/daemon.c
++++ b/src/daemon.c
+@@ -917,10 +917,6 @@ do_shutdown(context *ctx, int nsockets, struct pollfd *pollfds)
+ 	free(pollfds);
+ }
+ 
+-/* GCC -fanalyzer has trouble with realloc
+- * https://bugzilla.redhat.com/show_bug.cgi?id=2047926 */
+-#pragma GCC diagnostic push
+-#pragma GCC diagnostic ignored "-Wanalyzer-use-of-uninitialized-value"
+ static int
+ handle_events(context *ctx)
+ {
+@@ -999,7 +995,6 @@ shutdown:
+ 	}
+ 	return 0;
+ }
+-#pragma GCC diagnostic pop
+ 
+ static int
+ get_uid_and_gid(context *ctx, char **homedir)

0018-show-which-db-we-re-checking.patch

@@ -1,137 +0,0 @@
-From 01b89fb7a191f4639a93c5a7c47a80752118ba95 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 16:58:50 -0400
-Subject: [PATCH 18/29] show which db we're checking
-
----
- src/certdb.c             | 35 ++++++++++++++++++++++++++++++++++-
- src/pesigcheck_context.c |  2 ++
- src/pesigcheck_context.h |  1 +
- 3 files changed, 37 insertions(+), 1 deletion(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index 1a4baf1..673e074 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -18,6 +18,7 @@
-  */
- 
- #include <fcntl.h>
-+#include <libgen.h>
- #include <sys/mman.h>
- #include <sys/types.h>
- #include <sys/stat.h>
-@@ -42,17 +43,33 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
- 		return -1;
- 
- 	db->type = type;
--
- 	db->fd = open(dbfile, O_RDONLY);
- 	if (db->fd < 0) {
- 		save_errno(free(db));
- 		return -1;
- 	}
- 
-+	char *path = strdup(dbfile);
-+	if (!path) {
-+		save_errno(close(db->fd);
-+			   free(db));
-+		return -1;
-+	}
-+
-+	db->path = basename(path);
-+	db->path = strdup(db->path);
-+	free(path);
-+	if (!db->path) {
-+		save_errno(close(db->fd);
-+			   free(db));
-+		return -1;
-+	}
-+
- 	struct stat sb;
- 	int rc = fstat(db->fd, &sb);
- 	if (rc < 0) {
- 		save_errno(close(db->fd);
-+			   free(db->path);
- 			   free(db));
- 		return -1;
- 	}
-@@ -65,6 +82,7 @@ add_db_file(pesigcheck_context *ctx, db_specifier which, const char *dbfile,
- 		rc = read_file(db->fd, (char **)&db->map, &sz);
- 		if (rc < 0) {
- 			save_errno(close(db->fd);
-+				   free(db->path);
- 				   free(db));
- 			return -1;
- 		}
-@@ -133,6 +151,7 @@ add_cert_file(pesigcheck_context *ctx, const char *filename)
- #define DB_PATH "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
- #define MOK_PATH "/sys/firmware/efi/efivars/MokListRT-605dab50-e046-4300-abb6-3dd810dd8b23"
- #define DBX_PATH "/sys/firmware/efi/efivars/dbx-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
-+#define MOKX_PATH "/sys/firmware/efi/efivars/MokListXRT-605dab50-e046-4300-abb6-3dd810dd8b23"
- 
- void
- init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
-@@ -167,6 +186,18 @@ init_cert_db(pesigcheck_context *ctx, int use_system_dbs)
- 			"database \"%s\": %m\n", DBX_PATH);
- 		exit(1);
- 	}
-+
-+	rc = add_db_file(ctx, DBX, MOKX_PATH, DB_EFIVAR);
-+	if (rc < 0 && errno != ENOENT) {
-+		fprintf(stderr, "pesigcheck: Could not add key database "
-+			"\"%s\": %m\n", MOKX_PATH);
-+		exit(1);
-+	}
-+
-+	if (ctx->dbx == NULL) {
-+		fprintf(stderr, "pesigcheck: warning: "
-+			"No key recovation database available\n");
-+	}
- }
- 
- typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
-@@ -187,6 +218,8 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- 	sig.type = siBuffer;
- 
- 	while (dbl) {
-+		printf("Searching %s %s\n", which == DB ? "db" : "dbx",
-+		       dbl->path);
- 		EFI_SIGNATURE_LIST *certlist;
- 		EFI_SIGNATURE_DATA *cert;
- 		size_t dbsize = dbl->datalen;
-diff --git a/src/pesigcheck_context.c b/src/pesigcheck_context.c
-index b934cbe..5a355b1 100644
---- a/src/pesigcheck_context.c
-+++ b/src/pesigcheck_context.c
-@@ -87,6 +87,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
- 		munmap(db->map, db->size);
- 		close(db->fd);
- 		ctx->db = db->next;
-+		free(db->path);
- 		free(db);
- 	}
- 	while (ctx->dbx) {
-@@ -95,6 +96,7 @@ pesigcheck_context_fini(pesigcheck_context *ctx)
- 		if (db->type == DB_CERT)
- 			free(db->data);
- 		munmap(db->map, db->size);
-+		free(db->path);
- 		close(db->fd);
- 		ctx->dbx = db->next;
- 		free(db);
-diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
-index 1b916e3..7b5cc89 100644
---- a/src/pesigcheck_context.h
-+++ b/src/pesigcheck_context.h
-@@ -34,6 +34,7 @@ typedef enum {
- 
- struct dblist {
- 	db_f_type type;
-+	char *path;
- 	int fd;
- 	struct dblist *next;
- 	size_t size;
--- 
-2.13.4
-

0019-get_password_passthrough-handle-the-callback-context.patch

@@ -0,0 +1,51 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 29 Aug 2022 14:21:44 -0400
+Subject: [PATCH] get_password_passthrough(): handle the callback context right
+
+Right now, we have a few callback functions for PK11_Authenticate(), and
+they take different arguments.  This is incorrect; none of the callers
+ever pass anything through except our CMS context.
+
+This fixes get_password_passthrough() to correctly accept the CMS
+context and get the passthrough data from cms->pwdata instead of trying
+to treat the CMS context as the pwdata.
+
+Related: rhbz#2122777
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/password.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/password.c b/src/password.c
+index 18c32ed..8eb1c33 100644
+--- a/src/password.c
++++ b/src/password.c
+@@ -365,13 +365,23 @@ err:
+ }
+ 
+ char *
+-get_password_passthrough(PK11SlotInfo *slot UNUSED,
+-			 PRBool retry, void *arg)
++get_password_passthrough(PK11SlotInfo *slot UNUSED, PRBool retry, void *arg)
+ {
++	cms_context *cms;
++	secuPWData *pwdata;
++
++	dbgprintf("ctx:%p", arg);
++
+ 	if (retry || !arg)
+ 		return NULL;
+ 
+-	char *ret = strdup(arg);
++	cms = (cms_context *)arg;
++	pwdata = &cms->pwdata;
++
++	if (pwdata->source != PW_PLAINTEXT)
++		return NULL;
++
++	char *ret = strdup(pwdata->data);
+ 	if (!ret)
+ 		err(1, "Could not allocate memory");
+ 

0019-more-about-the-time.patch

@@ -1,97 +0,0 @@
-From 713e61448a6ffa3e6029a7c89fad61b8cb08c9ff Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 17:00:46 -0400
-Subject: [PATCH 19/29] more about the time
-
----
- src/certdb.c | 59 +++++++++++++++++++++++++++++++++--------------------------
- 1 file changed, 33 insertions(+), 26 deletions(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index 673e074..1078a8a 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -345,8 +345,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	PRBool result;
- 	SECStatus rv;
- 	db_status status = NOT_FOUND;
-+	PRTime atTime = PR_Now();
-+	SECItem *eTime;
- 	PRTime earlyNow = 0, lateNow = 0x7fffffffffffffff;
--	PRTime notBefore = 0, notAfter = 0x7fffffffffffffff;
-+	PRTime notBefore, notAfter;
- 
- 	efi_guid_t efi_x509 = efi_guid_x509_cert;
- 
-@@ -358,6 +360,36 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	if (!cinfo)
- 		goto out;
- 
-+	notBefore = earlyNow;
-+	notAfter = lateNow;
-+	find_cert_times(cinfo, &notBefore, &notAfter);
-+	if (earlyNow < notBefore)
-+		earlyNow = notBefore;
-+	if (lateNow > notAfter)
-+		lateNow = notAfter;
-+
-+	// atTime = determine_reasonable_time(cert);
-+	eTime = SEC_PKCS7GetSigningTime(cinfo);
-+	if (eTime != NULL) {
-+		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
-+			if (earlyNow < atTime)
-+				earlyNow = atTime;
-+			if (lateNow > atTime)
-+				lateNow = atTime;
-+		}
-+	}
-+
-+	if (lateNow < earlyNow)
-+		printf("Signature has impossible time constraint: %ld <= %ld\n",
-+		       earlyNow / 1000000, lateNow / 1000000);
-+	atTime = earlyNow / 2 + lateNow / 2;
-+
-+
-+	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
-+				    NULL, NULL);
-+	if (!cinfo)
-+		goto out;
-+
- 	/* Generate the digest of contentInfo */
- 	/* XXX support only sha256 for now */
- 	digest = SECITEM_AllocItem(NULL, NULL, 32);
-@@ -401,31 +433,6 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 			PORT_ErrorToString(PORT_GetError()));
- 		goto out;
- 	}
--	cert->timeOK = PR_TRUE;
--
--	find_cert_times(cinfo, &notBefore, &notAfter);
--	if (earlyNow < notBefore)
--		earlyNow = notBefore;
--	if (lateNow > notAfter)
--		lateNow = notAfter;
--
--	SECItem *eTime;
--	PRTime atTime;
--	// atTime = determine_reasonable_time(cert);
--	eTime = SEC_PKCS7GetSigningTime(cinfo);
--	if (eTime != NULL) {
--		if (DER_DecodeTimeChoice (&atTime, eTime) == SECSuccess) {
--			if (earlyNow < atTime)
--				earlyNow = atTime;
--			if (lateNow > atTime)
--				lateNow = atTime;
--		}
--	}
--
--	if (lateNow < earlyNow)
--		printf("Impossible time constraints: %ld <= %ld\n",
--		       earlyNow / 1000000, lateNow / 1000000);
--	atTime = earlyNow / 2 + lateNow / 2;
- 
- 	/* Verify the signature */
- 	result = SEC_PKCS7VerifyDetachedSignatureAtTime(cinfo,
--- 
-2.13.4
-

0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch

@@ -0,0 +1,47 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 29 Aug 2022 15:22:10 -0400
+Subject: [PATCH] read_password(): only prune CR/NL from the end of the file
+
+Right now, when we read the password/PIN from a file, we're pruning the
+end of the string from the file we read indiscriminately.  If you don't
+have a newline, that means we're cutting off the final digits of the
+text.
+
+This changes it to prune only common special characters from the
+pinfile, but also to prune /all/ of them.
+
+Related: rhbz#2122777
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/password.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/src/password.c b/src/password.c
+index 8eb1c33..ac1866e 100644
+--- a/src/password.c
++++ b/src/password.c
+@@ -79,6 +79,7 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
+ 	int infd = fileno(in);
+ 	struct termios tio;
+ 	char *ret;
++	int len;
+ 
+ 	ingress();
+ 	ret = fgets(buf, bufsz, in);
+@@ -96,7 +97,14 @@ read_password(FILE *in, FILE *out, char *buf, size_t bufsz)
+ 	if (ret == NULL)
+ 		return -1;
+ 
+-	buf[strlen(buf)-1] = '\0';
++	len = strlen(buf);
++	while (len > 0 && (buf[len-1] == '\r' || buf[len-1] == '\n')) {
++		buf[len-1] = '\0';
++		len--;
++	}
++	if (len == 0)
++		return -1;
++
+ 	egress();
+ 	return 0;
+ }

0020-try-to-say-why-something-fails.patch

@@ -1,419 +0,0 @@
-From 81583146602bba96728fa7544c8e856b32c22ee4 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 25 Apr 2017 17:01:13 -0400
-Subject: [PATCH 20/29] try to say why something fails
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/certdb.c             |  15 ++-
- src/certdb.h             |   2 +-
- src/pesigcheck.c         | 244 ++++++++++++++++++++++++++++++++++++++++++-----
- src/pesigcheck_context.h |   1 +
- 4 files changed, 233 insertions(+), 29 deletions(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index 1078a8a..fae80af 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -205,7 +205,7 @@ typedef db_status (*checkfn)(pesigcheck_context *ctx, SECItem *sig,
- 
- static db_status
- check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
--	 void *data, ssize_t datalen)
-+	 void *data, ssize_t datalen, SECItem *match)
- {
- 	SECItem pkcs7sig, sig;
- 	dblist *dbl = which == DB ? ctx->db : ctx->dbx;
-@@ -241,8 +241,12 @@ check_db(db_specifier which, pesigcheck_context *ctx, checkfn check,
- 				found = check(ctx, &sig,
- 					      &certlist->SignatureType,
- 					      &pkcs7sig);
--				if (found == FOUND)
-+				if (found == FOUND) {
-+					if (match)
-+						memcpy(match, &sig,
-+						       sizeof(sig));
- 					return FOUND;
-+				}
- 				cert = (EFI_SIGNATURE_DATA *)((uint8_t *)cert +
- 				        certlist->SignatureSize);
- 			}
-@@ -280,7 +284,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- db_status
- check_db_hash(db_specifier which, pesigcheck_context *ctx)
- {
--	return check_db(which, ctx, check_hash, NULL, 0);
-+	return check_db(which, ctx, check_hash, NULL, 0, NULL);
- }
- 
- static void
-@@ -459,7 +463,8 @@ out:
- }
- 
- db_status
--check_db_cert(db_specifier which, pesigcheck_context *ctx, void *data, ssize_t datalen)
-+check_db_cert(db_specifier which, pesigcheck_context *ctx,
-+	      void *data, ssize_t datalen, SECItem *match)
- {
--	return check_db(which, ctx, check_cert, data, datalen);
-+	return check_db(which, ctx, check_cert, data, datalen, match);
- }
-diff --git a/src/certdb.h b/src/certdb.h
-index ccf3c87..8402299 100644
---- a/src/certdb.h
-+++ b/src/certdb.h
-@@ -43,7 +43,7 @@ typedef struct {
- 
- extern db_status check_db_hash(db_specifier which, pesigcheck_context *ctx);
- extern db_status check_db_cert(db_specifier which, pesigcheck_context *ctx,
--				void *data, ssize_t datalen);
-+				void *data, ssize_t datalen, SECItem *match);
- 
- extern void init_cert_db(pesigcheck_context *ctx, int use_system_dbs);
- extern int add_cert_db(pesigcheck_context *ctx, const char *filename);
-diff --git a/src/pesigcheck.c b/src/pesigcheck.c
-index d7be542..c8e1086 100644
---- a/src/pesigcheck.c
-+++ b/src/pesigcheck.c
-@@ -17,7 +17,9 @@
-  * Author(s): Peter Jones <pjones@redhat.com>
-  */
- 
-+#include <err.h>
- #include <fcntl.h>
-+#include <stdbool.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <string.h>
-@@ -88,7 +90,8 @@ check_inputs(pesigcheck_context *ctx)
- }
- 
- static int
--cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
-+cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen,
-+		    SECItem *digest_out)
- {
- 	SECItem sig, *pe_digest, *content;
- 	uint8_t *digest;
-@@ -109,6 +112,12 @@ cert_matches_digest(pesigcheck_context *ctx, void *data, ssize_t datalen)
- 	pe_digest = ctx->cms_ctx->digests[0].pe_digest;
- 	content = cinfo->content.signedData->contentInfo.content.data;
- 	digest = content->data + content->len - pe_digest->len;
-+	if (digest_out) {
-+		digest_out->data = malloc(pe_digest->len);
-+		digest_out->len = pe_digest->len;
-+		digest_out->type = pe_digest->type;
-+		memcpy(digest_out->data, digest, pe_digest->len);
-+	}
- 	if (memcmp(pe_digest->data, digest, pe_digest->len) != 0)
- 		goto out;
- 
-@@ -120,22 +129,149 @@ out:
- 	return ret;
- }
- 
-+struct reason {
-+	enum {
-+		WHITELISTED = 0,
-+		INVALID = 1,
-+		BLACKLISTED = 2,
-+		NO_WHITELIST = 3,
-+	} reason;
-+	enum {
-+		NONE = 0,
-+		DIGEST = 1,
-+		SIGNATURE = 2,
-+	} type;
-+	union {
-+		struct {
-+			SECItem digest;
-+		};
-+		struct {
-+			SECItem sig;
-+			SECItem db_cert;
-+		};
-+	};
-+};
-+
-+static void
-+print_digest(SECItem *digest)
-+{
-+	char buf[digest->len * 2 + 2];
-+
-+	for (unsigned int i = 0; i < digest->len; i++)
-+		snprintf(buf + i * 2, digest->len * 2, "%02x",
-+			 digest->data[i]);
-+	buf[digest->len * 2] = '\0';
-+	printf("%s\n", buf);
-+}
-+
-+static void
-+print_certificate(SECItem *cert)
-+{
-+	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
-+	printf("cert: %p\n", cert);
-+}
-+
-+static void
-+print_signatures(SECItem *database_cert, SECItem *signature)
-+{
-+	printf("put a breakpoint at %s:%d\n", __FILE__, __LINE__);
-+	print_certificate(database_cert);
-+	print_certificate(signature);
-+}
-+
-+static void
-+print_reason(struct reason *reason)
-+{
-+	switch (reason->reason) {
-+	case WHITELISTED:
-+		printf("Whitelist entry: ");
-+		if (reason->type == DIGEST)
-+			print_digest(&reason->digest);
-+		else if (reason->type == SIGNATURE)
-+			print_signatures(&reason->sig, &reason->db_cert);
-+		else
-+			errx(1, "Unknown data type %d\n", reason->type);
-+		break;
-+	case INVALID:
-+		if (reason->type == DIGEST) {
-+			printf("Invalid digest: ");
-+			print_digest(&reason->digest);
-+		} else if (reason->type == SIGNATURE) {
-+			printf("Invalid signature: ");
-+			print_signatures(&reason->sig, &reason->db_cert);
-+		} else {
-+			errx(1, "Unknown data type %d\n", reason->type);
-+		}
-+		break;
-+	case BLACKLISTED:
-+		if (reason->type == DIGEST) {
-+			printf("Invalid digest: ");
-+			print_digest(&reason->digest);
-+		} else if (reason->type == SIGNATURE) {
-+			printf("Invalid signature: ");
-+			print_signatures(&reason->sig, &reason->db_cert);
-+		} else {
-+			errx(1, "Unknown data type %d\n", reason->type);
-+		}
-+		break;
-+	case NO_WHITELIST:
-+		if (reason->type == NONE)
-+			printf("No matching whitelist entry.\n");
-+		else
-+			errx(1, "Invalid data type %d\n", reason->type);
-+		break;
-+	default:
-+		errx(1, "Unknown reason type %d\n", reason->reason);
-+		break;
-+	}
-+}
-+
-+static void
-+get_digest(pesigcheck_context *ctx, SECItem *digest)
-+{
-+	struct cms_context *cms = ctx->cms_ctx;
-+	struct digest *cms_digest = &cms->digests[cms->selected_digest];
-+
-+	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
-+}
-+
- static int
--check_signature(pesigcheck_context *ctx)
-+check_signature(pesigcheck_context *ctx, int *nreasons,
-+		struct reason **reasons)
- {
--	int has_valid_cert = 0;
--	int has_invalid_cert = 0;
-+	bool has_valid_cert = false;
-+	bool is_invalid = false;
-+	struct reason *reasonps = NULL, *reason;
-+	int num_reasons = 16;
-+	int nreason = 0;
- 	int rc = 0;
-+	int ret = -1;
- 
- 	cert_iter iter;
- 
-+	reasonps = calloc(sizeof(struct reason), 512);
-+	if (!reasonps)
-+		err(1, "check_signature");
-+
- 	generate_digest(ctx->cms_ctx, ctx->inpe, 1);
- 
--	if (check_db_hash(DBX, ctx) == FOUND)
--		return -1;
-+	if (check_db_hash(DBX, ctx) == FOUND) {
-+		reason = &reasonps[nreason];
-+		reason->reason = BLACKLISTED;
-+		reason->type = DIGEST;
-+		get_digest(ctx, &reason->digest);
-+		reason += 1;
-+		is_invalid = true;
-+	}
- 
--	if (check_db_hash(DB, ctx) == FOUND)
--		has_valid_cert = 1;
-+	if (check_db_hash(DB, ctx) == FOUND) {
-+		reason = &reasonps[nreason];
-+		reason->reason = WHITELISTED;
-+		reason->type = DIGEST;
-+		get_digest(ctx, &reason->digest);
-+		nreason += 1;
-+		has_valid_cert = true;
-+	}
- 
- 	rc = cert_iter_init(&iter, ctx->inpe);
- 	if (rc < 0)
-@@ -145,32 +281,81 @@ check_signature(pesigcheck_context *ctx)
- 	ssize_t datalen;
- 
- 	while (1) {
-+		/*
-+		 * Make sure we always have enough for this iteration of the
-+		 * loop, plus one "NO_WHITELIST" entry at the end.
-+		 */
-+		if (nreason >= num_reasons - 4) {
-+			struct reason *new_reasons;
-+
-+			num_reasons += 16;
-+
-+			new_reasons = calloc(sizeof(struct reason), num_reasons);
-+			if (!new_reasons)
-+				err(1, "check_signature");
-+			reasonps = new_reasons;
-+		}
-+
- 		rc = next_cert(&iter, &data, &datalen);
- 		if (rc <= 0)
- 			break;
- 
--		if (cert_matches_digest(ctx, data, datalen) < 0) {
--			has_invalid_cert = 1;
--			break;
-+		reason = &reasonps[nreason];
-+		if (cert_matches_digest(ctx, data, datalen,
-+					&reason->digest) < 0) {
-+			reason->reason = INVALID;
-+			reason->type = DIGEST;
-+			nreason += 1;
-+			is_invalid = true;
- 		}
- 
--		if (check_db_cert(DBX, ctx, data, datalen) == FOUND) {
--			has_invalid_cert = 1;
--			break;
-+		reason = &reasonps[nreason];
-+		if (check_db_cert(DBX, ctx, data, datalen,
-+				  &reason->db_cert) == FOUND) {
-+			reason->reason = INVALID;
-+			reason->type = SIGNATURE;
-+			reason->sig.data = data;
-+			reason->sig.len = datalen;
-+			reason->type = siBuffer;
-+			nreason += 1;
-+			is_invalid = true;
- 		}
- 
--		if (check_db_cert(DB, ctx, data, datalen) == FOUND)
--			has_valid_cert = 1;
-+		reason = &reasonps[nreason];
-+		if (check_db_cert(DB, ctx, data, datalen,
-+				  &reason->db_cert) == FOUND) {
-+			reason->reason = WHITELISTED;
-+			reason->type = SIGNATURE;
-+			reason->sig.data = data;
-+			reason->sig.len = datalen;
-+			reason->type = siBuffer;
-+			nreason += 1;
-+			has_valid_cert = true;
-+		}
- 	}
- 
- err:
--	if (has_invalid_cert)
--		return -1;
-+	if (has_valid_cert != true) {
-+		if (is_invalid != true) {
-+			reason = &reasonps[nreason];
-+			reason->reason = NO_WHITELIST;
-+			reason->type = NONE;
-+			nreason += 1;
-+		}
-+		is_invalid = true;
-+	}
- 
--	if (has_valid_cert)
--		return 0;
-+	if (is_invalid == false)
-+		ret = 0;
- 
--	return -1;
-+	if (nreasons && reasons) {
-+		*nreasons = nreason;
-+		*reasons = reasonps;
-+	} else {
-+		free(reasonps);
-+	}
-+
-+	return ret;
- }
- 
- void
-@@ -204,6 +389,9 @@ main(int argc, char *argv[])
- 
- 	pesigcheck_context ctx, *ctxp = &ctx;
- 
-+	struct reason *reasons = NULL;
-+	int nreasons = 0;
-+
- 	char *dbfile = NULL;
- 	char *dbxfile = NULL;
- 	char *certfile = NULL;
-@@ -242,6 +430,12 @@ main(int argc, char *argv[])
- 		 .arg = &ctx.quiet,
- 		 .val = 1,
- 		 .descrip = "return only; no text output." },
-+		{.longName = "verbose",
-+		 .shortName = 'v',
-+		 .argInfo = POPT_BIT_SET,
-+		 .arg = &ctx.verbose,
-+		 .val = 1,
-+		 .descrip = "print reasons for success and failure." },
- 		{.longName = "no-system-db",
- 		 .shortName = 'n',
- 		 .argInfo = POPT_ARG_INT,
-@@ -308,12 +502,16 @@ main(int argc, char *argv[])
- 		exit(1);
- 	}
- 
--	rc = check_signature(ctxp);
-+	rc = check_signature(ctxp, &nreasons, &reasons);
- 
--	close_input(ctxp);
-+	if (!ctx.quiet && ctx.verbose) {
-+		for (int i = 0; i < nreasons; i++)
-+			print_reason(&reasons[i]);
-+	}
- 	if (!ctx.quiet)
- 		printf("pesigcheck: \"%s\" is %s.\n", ctx.infile,
- 			rc >= 0 ? "valid" : "invalid");
-+	close_input(ctxp);
- 	pesigcheck_context_fini(&ctx);
- 
- 	NSS_Shutdown();
-diff --git a/src/pesigcheck_context.h b/src/pesigcheck_context.h
-index 7b5cc89..aec415e 100644
---- a/src/pesigcheck_context.h
-+++ b/src/pesigcheck_context.h
-@@ -61,6 +61,7 @@ typedef struct pesigcheck_context {
- 	Pe *inpe;
- 
- 	int quiet;
-+	int verbose;
- 
- 	hashlist *hashes;
- 
--- 
-2.13.4
-

0021-Fix-race-condition-in-SEC_GetPassword.patch

@@ -1,34 +0,0 @@
-From a40c584691ae071e93e8adf4e5c05bcd90c68159 Mon Sep 17 00:00:00 2001
-From: Julien Cristau <jcristau@debian.org>
-Date: Sat, 6 May 2017 22:45:34 +0200
-Subject: [PATCH 21/29] Fix race condition in SEC_GetPassword
-
-A side effect of echoOff is to discard unread input, so if we print the
-prompt before echoOff, the user (or process) at the other end might
-react to it by writing the password in between those steps, which is
-then discarded.  This bit me when trying to drive pesign with an expect
-script.
-
-Signed-off-by: Julien Cristau <jcristau@debian.org>
----
- src/password.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/password.c b/src/password.c
-index cd1c07e..d4eae0d 100644
---- a/src/password.c
-+++ b/src/password.c
-@@ -71,9 +71,9 @@ static char *SEC_GetPassword(FILE *input, FILE *output, char *prompt,
-     for (;;) {
- 	/* Prompt for password */
- 	if (isTTY) {
-+	    echoOff(infd);
- 	    fprintf(output, "%s", prompt);
-             fflush (output);
--	    echoOff(infd);
- 	}
- 
- 	fgets ( phrase, sizeof(phrase), input);
--- 
-2.13.4
-

0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch

@@ -0,0 +1,276 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 29 Aug 2022 16:22:18 -0400
+Subject: [PATCH] Revert "cms: store digest as pointer instead of index"
+
+In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
+cms->selected_digest to be a pointer to the member of the digests array
+rather than an index.  Unfortunately this is just as bad, because the
+bugs that come up wind up setting pointers to NULL+(selected*offset),
+i.e. 0x10, and that doesn't get us any closer to actually finding any
+problem.
+
+For now, the new approach is going to be to make it an index again, but
+to default it to 0 (sha256) rather than -1, so if it isn't set at the
+correct part of the lifecycle it'll just default to the (nearly always)
+correct choice.
+
+This reverts commit 926782c216532a83f9ff864dee39d2349d61fd23.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/certdb.c       | 15 +++++++--------
+ src/cms_common.c   | 34 ++++++++++++++++++++++++----------
+ src/content_info.c |  4 ++--
+ src/file_kmod.c    |  2 +-
+ src/file_pe.c      |  9 ++++-----
+ src/pesigcheck.c   |  4 +++-
+ src/cms_common.h   | 13 +------------
+ 7 files changed, 42 insertions(+), 39 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index f512824..69d5daf 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -263,19 +263,18 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ {
+ 	efi_guid_t efi_sha256 = efi_guid_sha256;
+ 	efi_guid_t efi_sha1 = efi_guid_sha1;
+-	void *digest_data;
+-	struct digest *digests = ctx->cms_ctx->digests;
++	void *digest;
+ 
+ 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
+-		digest_data = digests[0].pe_digest->data;
+-		if (memcmp (digest_data, sig->data, 32) == 0) {
+-			ctx->cms_ctx->selected_digest = &digests[0];
++		digest = ctx->cms_ctx->digests[0].pe_digest->data;
++		if (memcmp (digest, sig->data, 32) == 0) {
++			ctx->cms_ctx->selected_digest = 0;
+ 			return FOUND;
+ 		}
+ 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
+-		digest_data = digests[1].pe_digest->data;
+-		if (memcmp (digest_data, sig->data, 20) == 0) {
+-			ctx->cms_ctx->selected_digest = &digests[1];
++		digest = ctx->cms_ctx->digests[1].pe_digest->data;
++		if (memcmp (digest, sig->data, 20) == 0) {
++			ctx->cms_ctx->selected_digest = 1;
+ 			return FOUND;
+ 		}
+ 	}
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 2275f67..86341ca 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -33,6 +33,15 @@
+ 
+ #include "hex.h"
+ 
++struct digest_param {
++	char *name;
++	SECOidTag digest_tag;
++	SECOidTag signature_tag;
++	SECOidTag digest_encryption_tag;
++	const efi_guid_t *efi_guid;
++	int size;
++};
++
+ static struct digest_param digest_params[] = {
+ 	{.name = "sha256",
+ 	 .digest_tag = SEC_OID_SHA256,
+@@ -56,25 +65,29 @@ static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ SECOidTag
+ digest_get_digest_oid(cms_context *cms)
+ {
+-	return cms->selected_digest->digest_params->digest_tag;
++	int i = cms->selected_digest;
++	return digest_params[i].digest_tag;
+ }
+ 
+ SECOidTag
+ digest_get_encryption_oid(cms_context *cms)
+ {
+-	return cms->selected_digest->digest_params->digest_encryption_tag;
++	int i = cms->selected_digest;
++	return digest_params[i].digest_encryption_tag;
+ }
+ 
+ SECOidTag
+ digest_get_signature_oid(cms_context *cms)
+ {
+-	return cms->selected_digest->digest_params->signature_tag;
++	int i = cms->selected_digest;
++	return digest_params[i].signature_tag;
+ }
+ 
+ int
+ digest_get_digest_size(cms_context *cms)
+ {
+-	return cms->selected_digest->digest_params->size;
++	int i = cms->selected_digest;
++	return digest_params[i].size;
+ }
+ 
+ void
+@@ -129,6 +142,8 @@ cms_context_init(cms_context *cms)
+ 	if (!cms->arena)
+ 		cnreterr(-1, cms, "could not create cryptographic arena");
+ 
++	cms->selected_digest = -1;
++
+ 	INIT_LIST_HEAD(&cms->pk12_ins);
+ 	cms->pk12_out.fd = -1;
+ 	cms->db_out = cms->dbx_out = cms->dbt_out = -1;
+@@ -211,7 +226,7 @@ cms_context_fini(cms_context *cms)
+ 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
+ 	}
+ 
+-	cms->selected_digest = NULL;
++	cms->selected_digest = -1;
+ 
+ 	if (cms->ci_digest) {
+ 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
+@@ -336,7 +351,7 @@ set_digest_parameters(cms_context *cms, char *name)
+ 	if (strcmp(name, "help")) {
+ 		for (int i = 0; i < n_digest_params; i++) {
+ 			if (!strcmp(name, digest_params[i].name)) {
+-				cms->selected_digest = &cms->digests[i];
++				cms->selected_digest = i;
+ 				return 0;
+ 			}
+ 		}
+@@ -1264,7 +1279,6 @@ generate_digest_begin(cms_context *cms)
+ 			cngotoerr(err, cms, "could not create digest context");
+ 
+ 		PK11_DigestBegin(digests[i].pk11ctx);
+-		digests[i].digest_params = &digest_params[i];
+ 	}
+ 
+ 	cms->digests = digests;
+@@ -1337,11 +1351,11 @@ generate_signature(cms_context *cms)
+ {
+ 	int rc = 0;
+ 
+-	if (cms->selected_digest->pe_digest == NULL)
++	if (cms->digests[cms->selected_digest].pe_digest == NULL)
+ 		cnreterr(-1, cms, "PE digest has not been allocated");
+ 
+-	if (content_is_empty(cms->selected_digest->pe_digest->data,
+-			cms->selected_digest->pe_digest->len))
++	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
++			cms->digests[cms->selected_digest].pe_digest->len))
+ 		cnreterr(-1, cms, "PE binary has not been digested");
+ 
+ 	SECItem sd_der;
+diff --git a/src/content_info.c b/src/content_info.c
+index 777aa28..9684850 100644
+--- a/src/content_info.c
++++ b/src/content_info.c
+@@ -181,8 +181,8 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
+ 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
+ 			digest_get_digest_oid(cms)) < 0)
+ 		return -1;
+-	memcpy(&di.digest, cms->selected_digest->pe_digest,
+-	       sizeof(di.digest));
++	int i = cms->selected_digest;
++	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
+ 
+ 	if (content_is_empty(di.digest.data, di.digest.len)) {
+ 		cms->log(cms, LOG_ERR, "got empty digest");
+diff --git a/src/file_kmod.c b/src/file_kmod.c
+index c8875fc..6880cda 100644
+--- a/src/file_kmod.c
++++ b/src/file_kmod.c
+@@ -60,7 +60,7 @@ ssize_t
+ kmod_write_signature(cms_context *cms, int outfd)
+ {
+ 	SEC_PKCS7ContentInfo *cinfo;
+-	SECItem *digest = cms->selected_digest->pe_digest;
++	SECItem *digest = cms->digests[cms->selected_digest].pe_digest;
+ 	SECStatus rv;
+ 	struct write_sig_info info = {
+ 		.outfd = outfd,
+diff --git a/src/file_pe.c b/src/file_pe.c
+index c22b2af..805e614 100644
+--- a/src/file_pe.c
++++ b/src/file_pe.c
+@@ -114,8 +114,6 @@ check_inputs(pesign_context *ctx)
+ static void
+ print_digest(pesign_context *pctx)
+ {
+-	unsigned int i;
+-
+ 	if (!pctx)
+ 		return;
+ 
+@@ -123,9 +121,10 @@ print_digest(pesign_context *pctx)
+ 	if (!ctx)
+ 		return;
+ 
+-	unsigned char *ddata = ctx->selected_digest->pe_digest->data;
+-	for (i = 0; i < ctx->selected_digest->pe_digest->len; i++)
+-		printf("%02x", ddata[i]);
++	int j = ctx->selected_digest;
++	for (unsigned int i = 0; i < ctx->digests[j].pe_digest->len; i++)
++		printf("%02x",
++			(unsigned char)ctx->digests[j].pe_digest->data[i]);
+ 	printf(" %s\n", pctx->infile);
+ }
+ 
+diff --git a/src/pesigcheck.c b/src/pesigcheck.c
+index ebb404d..6dc67f7 100644
+--- a/src/pesigcheck.c
++++ b/src/pesigcheck.c
+@@ -221,7 +221,9 @@ static void
+ get_digest(pesigcheck_context *ctx, SECItem *digest)
+ {
+ 	struct cms_context *cms = ctx->cms_ctx;
+-	memcpy(digest, cms->selected_digest->pe_digest, sizeof(*digest));
++	struct digest *cms_digest = &cms->digests[cms->selected_digest];
++
++	memcpy(digest, cms_digest->pe_digest, sizeof (*digest));
+ }
+ 
+ static int
+diff --git a/src/cms_common.h b/src/cms_common.h
+index c7d4f69..c7acbcf 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -12,7 +12,6 @@
+ #include <secpkcs7.h>
+ 
+ #include <errno.h>
+-#include <efivar.h>
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <sys/types.h>
+@@ -58,19 +57,9 @@
+ 		goto errlabel;						\
+ 	})
+ 
+-struct digest_param {
+-	char *name;
+-	SECOidTag digest_tag;
+-	SECOidTag signature_tag;
+-	SECOidTag digest_encryption_tag;
+-	const efi_guid_t *efi_guid;
+-	int size;
+-};
+-
+ struct digest {
+ 	PK11Context *pk11ctx;
+ 	SECItem *pe_digest;
+-	struct digest_param *digest_params;
+ };
+ 
+ typedef struct pk12_file {
+@@ -144,7 +133,7 @@ typedef struct cms_context {
+ 	int db_out, dbx_out, dbt_out;
+ 
+ 	struct digest *digests;
+-	struct digest *selected_digest;
++	int selected_digest;
+ 	int omit_vendor_cert;
+ 
+ 	SECItem newsig;

0022-CMS-add-some-minor-cleanups.patch

@@ -0,0 +1,149 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 29 Aug 2022 17:02:46 -0400
+Subject: [PATCH] CMS: add some minor cleanups
+
+We reverted 926782c216532a83f9ff864dee39d2349d61fd23 so that a future
+patch can try a different approach, but that commit also had a few
+cleanups that are worthwhile on their own.
+
+This patch re-introduces the cleanup to move "struct digest_param" to a
+more reasonable place and the cleanup to check_hash(), and takes it just
+a bit farther.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/certdb.c     | 26 +++++++++++++++-----------
+ src/cms_common.c | 39 ++++++++++++++++-----------------------
+ src/cms_common.h | 16 ++++++++++++++++
+ 3 files changed, 47 insertions(+), 34 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index 69d5daf..eb5221f 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -263,20 +263,24 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ {
+ 	efi_guid_t efi_sha256 = efi_guid_sha256;
+ 	efi_guid_t efi_sha1 = efi_guid_sha1;
+-	void *digest;
++	void *digest_data;
++	struct digest *digests = ctx->cms_ctx->digests;
++	int selected_digest = -1;
++	size_t size;
+ 
+ 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
+-		digest = ctx->cms_ctx->digests[0].pe_digest->data;
+-		if (memcmp (digest, sig->data, 32) == 0) {
+-			ctx->cms_ctx->selected_digest = 0;
+-			return FOUND;
+-		}
++		selected_digest = DIGEST_PARAM_SHA256;
+ 	} else if (memcmp(sigtype, &efi_sha1, sizeof(efi_guid_t)) == 0) {
+-		digest = ctx->cms_ctx->digests[1].pe_digest->data;
+-		if (memcmp (digest, sig->data, 20) == 0) {
+-			ctx->cms_ctx->selected_digest = 1;
+-			return FOUND;
+-		}
++		selected_digest = DIGEST_PARAM_SHA1;
++	} else {
++		return NOT_FOUND;
++	}
++
++	digest_data = digests[selected_digest].pe_digest->data;
++	size = digest_params[selected_digest].size;
++	if (memcmp (digest_data, sig->data, size) == 0) {
++		ctx->cms_ctx->selected_digest = selected_digest;
++		return FOUND;
+ 	}
+ 
+ 	return NOT_FOUND;
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 86341ca..7bddedf 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -33,34 +33,27 @@
+ 
+ #include "hex.h"
+ 
+-struct digest_param {
+-	char *name;
+-	SECOidTag digest_tag;
+-	SECOidTag signature_tag;
+-	SECOidTag digest_encryption_tag;
+-	const efi_guid_t *efi_guid;
+-	int size;
+-};
+-
+-static struct digest_param digest_params[] = {
+-	{.name = "sha256",
+-	 .digest_tag = SEC_OID_SHA256,
+-	 .signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
+-	 .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+-	 .efi_guid = &efi_guid_sha256,
+-	 .size = 32
++const struct digest_param digest_params[] = {
++	[DIGEST_PARAM_SHA256] = {
++		.name = "sha256",
++		.digest_tag = SEC_OID_SHA256,
++		.signature_tag = SEC_OID_PKCS1_SHA256_WITH_RSA_ENCRYPTION,
++		.digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
++		.efi_guid = &efi_guid_sha256,
++		.size = 32
+ 	},
+ #if 1
+-	{.name = "sha1",
+-	 .digest_tag = SEC_OID_SHA1,
+-	 .signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
+-	 .digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
+-	 .efi_guid = &efi_guid_sha1,
+-	 .size = 20
++	[DIGEST_PARAM_SHA1] = {
++		.name = "sha1",
++		.digest_tag = SEC_OID_SHA1,
++		.signature_tag = SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION,
++		.digest_encryption_tag = SEC_OID_PKCS1_RSA_ENCRYPTION,
++		.efi_guid = &efi_guid_sha1,
++		.size = 20
+ 	},
+ #endif
+ };
+-static int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
++const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ 
+ SECOidTag
+ digest_get_digest_oid(cms_context *cms)
+diff --git a/src/cms_common.h b/src/cms_common.h
+index c7acbcf..e45402c 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -12,6 +12,7 @@
+ #include <secpkcs7.h>
+ 
+ #include <errno.h>
++#include <efivar.h>
+ #include <signal.h>
+ #include <stdarg.h>
+ #include <sys/types.h>
+@@ -62,6 +63,21 @@ struct digest {
+ 	SECItem *pe_digest;
+ };
+ 
++#define DIGEST_PARAM_SHA256	0
++#define DIGEST_PARAM_SHA1	1
++
++struct digest_param {
++	char *name;
++	SECOidTag digest_tag;
++	SECOidTag signature_tag;
++	SECOidTag digest_encryption_tag;
++	const efi_guid_t *efi_guid;
++	int size;
++};
++
++extern const struct digest_param digest_params[2];
++extern const int n_digest_params;
++
+ typedef struct pk12_file {
+ 	char *path;
+ 	int fd;

0022-sysvinit-Create-the-socket-directory-at-runtime.patch

@@ -1,27 +0,0 @@
-From 27afa5a4ea8de1679603f5871935096280d0b12e Mon Sep 17 00:00:00 2001
-From: David Michael <david.michael@coreos.com>
-Date: Tue, 13 Jun 2017 13:20:16 -0700
-Subject: [PATCH 22/29] sysvinit: Create the socket directory at runtime
-
-This better supports non-systemd configurations with tmpfs on /run.
----
- src/pesign.sysvinit.in | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
-index d8fffca..dc508d8 100644
---- a/src/pesign.sysvinit.in
-+++ b/src/pesign.sysvinit.in
-@@ -20,6 +20,9 @@ RETVAL=0
- 
- start(){
-     echo -n "Starting pesign: "
-+    mkdir /var/run/pesign 2>/dev/null &&
-+        chown pesign:pesign /var/run/pesign &&
-+        chmod 0770 /var/run/pesign
-     daemon /usr/bin/pesign --daemonize
-     RETVAL=$?
-     echo
--- 
-2.13.4
-

0023-Better-authorization-scripts.-Again.patch

@@ -1,217 +0,0 @@
-From 31560e2784722b986b8a73cc28e3510870180b07 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 8 Aug 2017 15:44:44 -0400
-Subject: [PATCH 23/29] Better authorization scripts.  Again.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/Makefile                | 12 ++++++----
- src/pesign-authorize        | 56 +++++++++++++++++++++++++++++++++++++++++++++
- src/pesign-authorize-groups | 30 ------------------------
- src/pesign-authorize-users  | 30 ------------------------
- src/pesign.service.in       |  3 +--
- src/pesign.sysvinit.in      |  3 +--
- 6 files changed, 65 insertions(+), 69 deletions(-)
- create mode 100755 src/pesign-authorize
- delete mode 100644 src/pesign-authorize-groups
- delete mode 100644 src/pesign-authorize-users
-
-diff --git a/src/Makefile b/src/Makefile
-index 654b792..84ad130 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
- 
- BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
- SVCTARGETS=pesign.sysvinit pesign.service
--TARGETS=$(BINTARGETS) $(SVCTARGETS)
-+TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
- 
- all : deps $(TARGETS)
- 
-@@ -65,6 +65,9 @@ install_sysvinit: pesign.sysvinit
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
- 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
- 
-+pesign-users pesign-groups :
-+	echo pesign > $@
-+
- install :
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
-@@ -88,10 +91,9 @@ install :
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rpm/
- 	$(INSTALL) -m 644 macros.pesign $(INSTALLROOT)/etc/rpm/
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
--	$(INSTALL) -m 750 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/
--	$(INSTALL) -m 750 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/
-+	$(INSTALL) -m 750 pesign-authorize $(INSTALLROOT)$(libexecdir)/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
--	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
--	$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
-+	$(INSTALL) -m 600 pesign-users $(INSTALLROOT)/etc/pesign/users
-+	$(INSTALL) -m 600 pesign-groups $(INSTALLROOT)/etc/pesign/groups
- 
- .PHONY: all deps clean install
-diff --git a/src/pesign-authorize b/src/pesign-authorize
-new file mode 100755
-index 0000000..a496f60
---- /dev/null
-+++ b/src/pesign-authorize
-@@ -0,0 +1,56 @@
-+#!/bin/bash
-+set -e
-+set -u
-+
-+#
-+# With /run/pesign/socket on tmpfs, a simple way of restoring the
-+# acls for specific users is useful
-+#
-+#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-+#
-+
-+# License: GPLv2
-+declare -a fileusers=()
-+declare -a dirusers=()
-+for user in $(cat /etc/pesign/users); do
-+	dirusers[${#dirusers[@]}]=-m
-+	dirusers[${#dirusers[@]}]="u:$user:rwx"
-+	fileusers[${#fileusers[@]}]=-m
-+	fileusers[${#fileusers[@]}]="u:$user:rw"
-+done
-+
-+declare -a filegroups=()
-+declare -a dirgroups=()
-+for group in $(cat /etc/pesign/groups); do
-+	dirgroups[${#dirgroups[@]}]=-m
-+	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
-+	filegroups[${#filegroups[@]}]=-m
-+	filegroups[${#filegroups[@]}]="g:$group:rw"
-+done
-+
-+update_subdir() {
-+	subdir=$1 && shift
-+
-+	setfacl -bk "${subdir}"
-+	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
-+	for x in "${subdir}"* ; do
-+		if [ -d "${x}" ]; then
-+			setfacl -bk ${x}
-+			setfacl "${dirusers[@]}" "${dirgroups[@]}" ${x}
-+			update_subdir "${x}/"
-+		elif [ -e "${x}" ]; then
-+			setfacl -bk ${x}
-+			setfacl "${fileusers[@]}" "${filegroups[@]}" ${x}
-+		else
-+			:;
-+		fi
-+	done
-+}
-+
-+for x in /var/run/pesign/ /etc/pki/pesign*/ ; do
-+	if [ -d "${x}" ]; then
-+		update_subdir "${x}"
-+	else
-+		:;
-+	fi
-+done
-diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
-deleted file mode 100644
-index cf51fb6..0000000
---- a/src/pesign-authorize-groups
-+++ /dev/null
-@@ -1,30 +0,0 @@
--#!/bin/bash
--set -e
--
--#
--# With /run/pesign/socket on tmpfs, a simple way of restoring the
--# acls for specific groups is useful
--#
--#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
--#
--
--# License: GPLv2
--
--if [ -r /etc/pesign/groups ]; then
--    for group in $(cat /etc/pesign/groups); do
--	if [ -d /var/run/pesign ]; then
--	    setfacl -m g:${group}:rx /var/run/pesign
--	    if [ -e /var/run/pesign/socket ]; then
--		setfacl -m g:${group}:rw /var/run/pesign/socket
--	    fi
--	fi
--	for x in /etc/pki/pesign*/ ; do
--	    if [ -d ${x} ]; then
--		setfacl -m g:${group}:rx ${x}
--		for y in ${x}{cert8,key3,secmod}.db ; do
--		    setfacl -m g:${group}:rw ${y}
--		done
--	    fi
--	done
--    done
--fi
-diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
-deleted file mode 100644
-index 940138e..0000000
---- a/src/pesign-authorize-users
-+++ /dev/null
-@@ -1,30 +0,0 @@
--#!/bin/bash
--set -e
--
--#
--# With /run/pesign/socket on tmpfs, a simple way of restoring the
--# acls for specific users is useful
--#
--#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
--#
--
--# License: GPLv2
--
--if [ -r /etc/pesign/users ]; then
--    for username in $(cat /etc/pesign/users); do
--	if [ -d /var/run/pesign ]; then
--	    setfacl -m g:${username}:rx /var/run/pesign
--	    if [ -e /var/run/pesign/socket ]; then
--		setfacl -m g:${username}:rw /var/run/pesign/socket
--	    fi
--	fi
--	for x in /etc/pki/pesign*/ ; do
--	    if [ -d ${x} ]; then
--		setfacl -m g:${username}:rx ${x}
--		for y in ${x}{cert8,key3,secmod}.db ; do
--		    setfacl -m g:${username}:rw ${y}
--		done
--	    fi
--	done
--    done
--fi
-diff --git a/src/pesign.service.in b/src/pesign.service.in
-index aaa408e..c75a000 100644
---- a/src/pesign.service.in
-+++ b/src/pesign.service.in
-@@ -6,5 +6,4 @@ PrivateTmp=true
- Type=forking
- PIDFile=/var/run/pesign.pid
- ExecStart=/usr/bin/pesign --daemonize
--ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
--ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
-+ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize
-diff --git a/src/pesign.sysvinit.in b/src/pesign.sysvinit.in
-index dc508d8..b0e0f84 100644
---- a/src/pesign.sysvinit.in
-+++ b/src/pesign.sysvinit.in
-@@ -27,8 +27,7 @@ start(){
-     RETVAL=$?
-     echo
-     touch /var/lock/subsys/pesign
--    @@LIBEXECDIR@@/pesign/pesign-authorize-users
--    @@LIBEXECDIR@@/pesign/pesign-authorize-groups
-+    @@LIBEXECDIR@@/pesign/pesign-authorize
- }
- 
- stop(){
--- 
-2.13.4
-

0023-CMS-make-cms-selected_digest-an-index-again.patch

@@ -0,0 +1,291 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 30 Aug 2022 15:42:15 -0400
+Subject: [PATCH] CMS: make cms->selected_digest an index (again)
+
+In 926782c216532a83f9ff864dee39d2349d61fd23, we switched
+cms->selected_digest to be a pointer to the entry in cms->digests.
+
+Because cms->digests is lazily allocated, setting the selected_digest
+pointer has to be done at the right part of the CMS context life cycle,
+and in some cases it clearly is not:
+
+==334217== Command: ./src/pesign -n tmp -s --pinfile tmp/pinfile -t OpenSC\ Card\ (testcard) -c kernel-signer -i tmp/unsigned.efi -o tmp/signed.efi --force
+==334217==
+==334217== Invalid read of size 8
+==334217==    at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
+==334217==    by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
+==334217==    by 0x11D348: generate_spc_signed_data (signed_data.c:279)
+==334217==    by 0x11EDFD: calculate_signature_space (wincert.c:297)
+==334217==    by 0x11467D: pe_handle_action (file_pe.c:298)
+==334217==    by 0x10F962: main (pesign.c:585)
+==334217==  Address 0x10 is not stack'd, malloc'd or (recently) free'd
+==334217==
+==334217==
+==334217== Process terminating with default action of signal 11 (SIGSEGV): dumping core
+==334217==  Access not within mapped region at address 0x10
+==334217==    at 0x115E7D: digest_get_digest_oid (cms_common.c:59)
+==334217==    by 0x11CF41: generate_algorithm_id_list (signed_data.c:33)
+==334217==    by 0x11D348: generate_spc_signed_data (signed_data.c:279)
+==334217==    by 0x11EDFD: calculate_signature_space (wincert.c:297)
+==334217==    by 0x11467D: pe_handle_action (file_pe.c:298)
+==334217==    by 0x10F962: main (pesign.c:585)
+==334217==  If you believe this happened as a result of a stack
+==334217==  overflow in your program's main thread (unlikely but
+==334217==  possible), you can try to increase the size of the
+==334217==  main thread stack using the --main-stacksize= flag.
+==334217==  The main thread stack size used in this run was 8388608.
+==334217==
+==334217== HEAP SUMMARY:
+==334217==     in use at exit: 588,544 bytes in 4,388 blocks
+==334217==   total heap usage: 8,568 allocs, 4,180 frees, 2,077,115 bytes allocated
+==334217==
+==334217== LEAK SUMMARY:
+==334217==    definitely lost: 25 bytes in 1 blocks
+==334217==    indirectly lost: 0 bytes in 0 blocks
+==334217==      possibly lost: 51,378 bytes in 166 blocks
+==334217==    still reachable: 537,141 bytes in 4,221 blocks
+==334217==                       of which reachable via heuristic:
+==334217==                         length64           : 321,312 bytes in 590 blocks
+==334217==         suppressed: 0 bytes in 0 blocks
+==334217== Rerun with --leak-check=full to see details of leaked memory
+==334217==
+==334217== For lists of detected and suppressed errors, rerun with: -s
+==334217== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
+Segmentation fault (core dumped)
+
+There is also a similar issue in the daemon code, and how to fix it
+there is not immediately clear to me.
+
+Currently, we realistically only support using sha256 digests, so for
+now I've chosen to paper over the issue by switching back to
+cms->selected_digest be an index into both ctx->digests and
+digest_params, but switching the default value from -1 to 0, aka
+DIGEST_PARAM_SHA256.  We can revisit this issue later whenever we add
+sha384 support (or whichever other digest).
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/certdb.c       |  2 +-
+ src/cms_common.c   | 41 +++++++++++++++++++++++------------------
+ src/content_info.c |  2 +-
+ src/cms_common.h   |  5 +++--
+ 4 files changed, 28 insertions(+), 22 deletions(-)
+
+diff --git a/src/certdb.c b/src/certdb.c
+index eb5221f..467a01d 100644
+--- a/src/certdb.c
++++ b/src/certdb.c
+@@ -265,7 +265,7 @@ check_hash(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
+ 	efi_guid_t efi_sha1 = efi_guid_sha1;
+ 	void *digest_data;
+ 	struct digest *digests = ctx->cms_ctx->digests;
+-	int selected_digest = -1;
++	unsigned int selected_digest;
+ 	size_t size;
+ 
+ 	if (memcmp(sigtype, &efi_sha256, sizeof(efi_guid_t)) == 0) {
+diff --git a/src/cms_common.c b/src/cms_common.c
+index 7bddedf..1c54c90 100644
+--- a/src/cms_common.c
++++ b/src/cms_common.c
+@@ -33,6 +33,10 @@
+ 
+ #include "hex.h"
+ 
++/*
++ * Note that cms->selected_digest defaults to 0, which means the first
++ * entry of this array is the default digest.
++ */
+ const struct digest_param digest_params[] = {
+ 	[DIGEST_PARAM_SHA256] = {
+ 		.name = "sha256",
+@@ -53,33 +57,33 @@ const struct digest_param digest_params[] = {
+ 	},
+ #endif
+ };
+-const int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
++const unsigned int n_digest_params = sizeof (digest_params) / sizeof (digest_params[0]);
+ 
+ SECOidTag
+ digest_get_digest_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
++	unsigned int i = cms->selected_digest;
+ 	return digest_params[i].digest_tag;
+ }
+ 
+ SECOidTag
+ digest_get_encryption_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
++	unsigned int i = cms->selected_digest;
+ 	return digest_params[i].digest_encryption_tag;
+ }
+ 
+ SECOidTag
+ digest_get_signature_oid(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
++	unsigned int i = cms->selected_digest;
+ 	return digest_params[i].signature_tag;
+ }
+ 
+ int
+ digest_get_digest_size(cms_context *cms)
+ {
+-	int i = cms->selected_digest;
++	unsigned int i = cms->selected_digest;
+ 	return digest_params[i].size;
+ }
+ 
+@@ -91,7 +95,7 @@ teardown_digests(cms_context *ctx)
+ 	if (!digests)
+ 		return;
+ 
+-	for (int i = 0; i < n_digest_params; i++) {
++	for (unsigned int i = 0; i < n_digest_params; i++) {
+ 		if (digests[i].pk11ctx) {
+ 			PK11_Finalize(digests[i].pk11ctx);
+ 			PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
+@@ -135,7 +139,7 @@ cms_context_init(cms_context *cms)
+ 	if (!cms->arena)
+ 		cnreterr(-1, cms, "could not create cryptographic arena");
+ 
+-	cms->selected_digest = -1;
++	cms->selected_digest = DEFAULT_DIGEST_PARAM;
+ 
+ 	INIT_LIST_HEAD(&cms->pk12_ins);
+ 	cms->pk12_out.fd = -1;
+@@ -219,7 +223,7 @@ cms_context_fini(cms_context *cms)
+ 		memset(&cms->newsig, '\0', sizeof (cms->newsig));
+ 	}
+ 
+-	cms->selected_digest = -1;
++	cms->selected_digest = DEFAULT_DIGEST_PARAM;
+ 
+ 	if (cms->ci_digest) {
+ 		free_poison(cms->ci_digest->data, cms->ci_digest->len);
+@@ -342,7 +346,7 @@ int
+ set_digest_parameters(cms_context *cms, char *name)
+ {
+ 	if (strcmp(name, "help")) {
+-		for (int i = 0; i < n_digest_params; i++) {
++		for (unsigned int i = 0; i < n_digest_params; i++) {
+ 			if (!strcmp(name, digest_params[i].name)) {
+ 				cms->selected_digest = i;
+ 				return 0;
+@@ -350,7 +354,7 @@ set_digest_parameters(cms_context *cms, char *name)
+ 		}
+ 	} else {
+ 		printf("Supported digests: ");
+-		for (int i = 0; digest_params[i].name != NULL; i++) {
++		for (unsigned int i = 0; digest_params[i].name != NULL; i++) {
+ 			printf("%s ", digest_params[i].name);
+ 		}
+ 		printf("\n");
+@@ -1265,7 +1269,7 @@ generate_digest_begin(cms_context *cms)
+ 			cnreterr(-1, cms, "could not allocate digest context");
+ 	}
+ 
+-	for (int i = 0; i < n_digest_params; i++) {
++	for (unsigned int i = 0; i < n_digest_params; i++) {
+ 		digests[i].pk11ctx = PK11_CreateDigestContext(
+ 						digest_params[i].digest_tag);
+ 		if (!digests[i].pk11ctx)
+@@ -1278,7 +1282,7 @@ generate_digest_begin(cms_context *cms)
+ 	return 0;
+ 
+ err:
+-	for (int i = 0; i < n_digest_params; i++) {
++	for (unsigned int i = 0; i < n_digest_params; i++) {
+ 		if (digests[i].pk11ctx)
+ 			PK11_DestroyContext(digests[i].pk11ctx, PR_TRUE);
+ 	}
+@@ -1290,7 +1294,7 @@ err:
+ void
+ generate_digest_step(cms_context *cms, void *data, size_t len)
+ {
+-	for (int i = 0; i < n_digest_params; i++)
++	for (unsigned int i = 0; i < n_digest_params; i++)
+ 		PK11_DigestOp(cms->digests[i].pk11ctx, data, len);
+ }
+ 
+@@ -1299,7 +1303,7 @@ generate_digest_finish(cms_context *cms)
+ {
+ 	void *mark = PORT_ArenaMark(cms->arena);
+ 
+-	for (int i = 0; i < n_digest_params; i++) {
++	for (unsigned int i = 0; i < n_digest_params; i++) {
+ 		SECItem *digest = PORT_ArenaZAlloc(cms->arena,sizeof (SECItem));
+ 		if (digest == NULL)
+ 			cngotoerr(err, cms, "could not allocate memory");
+@@ -1326,7 +1330,7 @@ generate_digest_finish(cms_context *cms)
+ 	PORT_ArenaUnmark(cms->arena, mark);
+ 	return 0;
+ err:
+-	for (int i = 0; i < n_digest_params; i++) {
++	for (unsigned int i = 0; i < n_digest_params; i++) {
+ 		if (cms->digests[i].pk11ctx)
+ 			PK11_DestroyContext(cms->digests[i].pk11ctx, PR_TRUE);
+ 	}
+@@ -1343,12 +1347,13 @@ int
+ generate_signature(cms_context *cms)
+ {
+ 	int rc = 0;
++	int i = cms->selected_digest;
+ 
+-	if (cms->digests[cms->selected_digest].pe_digest == NULL)
++	if (cms->digests[i].pe_digest == NULL)
+ 		cnreterr(-1, cms, "PE digest has not been allocated");
+ 
+-	if (content_is_empty(cms->digests[cms->selected_digest].pe_digest->data,
+-			cms->digests[cms->selected_digest].pe_digest->len))
++	if (content_is_empty(cms->digests[i].pe_digest->data,
++			cms->digests[i].pe_digest->len))
+ 		cnreterr(-1, cms, "PE binary has not been digested");
+ 
+ 	SECItem sd_der;
+diff --git a/src/content_info.c b/src/content_info.c
+index 9684850..900974c 100644
+--- a/src/content_info.c
++++ b/src/content_info.c
+@@ -181,7 +181,7 @@ generate_spc_digest_info(cms_context *cms, SECItem *dip)
+ 	if (generate_algorithm_id(cms, &di.digestAlgorithm,
+ 			digest_get_digest_oid(cms)) < 0)
+ 		return -1;
+-	int i = cms->selected_digest;
++	unsigned int i = cms->selected_digest;
+ 	memcpy(&di.digest, cms->digests[i].pe_digest, sizeof (di.digest));
+ 
+ 	if (content_is_empty(di.digest.data, di.digest.len)) {
+diff --git a/src/cms_common.h b/src/cms_common.h
+index e45402c..35a128a 100644
+--- a/src/cms_common.h
++++ b/src/cms_common.h
+@@ -65,6 +65,7 @@ struct digest {
+ 
+ #define DIGEST_PARAM_SHA256	0
+ #define DIGEST_PARAM_SHA1	1
++#define DEFAULT_DIGEST_PARAM	DIGEST_PARAM_SHA256
+ 
+ struct digest_param {
+ 	char *name;
+@@ -76,7 +77,7 @@ struct digest_param {
+ };
+ 
+ extern const struct digest_param digest_params[2];
+-extern const int n_digest_params;
++extern const unsigned int n_digest_params;
+ 
+ typedef struct pk12_file {
+ 	char *path;
+@@ -149,7 +150,7 @@ typedef struct cms_context {
+ 	int db_out, dbx_out, dbt_out;
+ 
+ 	struct digest *digests;
+-	int selected_digest;
++	unsigned int selected_digest;
+ 	int omit_vendor_cert;
+ 
+ 	SECItem newsig;

0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch

@@ -1,95 +0,0 @@
-From a7b0f7e1ce2de1acea9a8c286a0ff3dd9bc245cb Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Tue, 8 Aug 2017 17:28:19 -0400
-Subject: [PATCH 24/29] Make the daemon also try to give better errors on
- -EPERM etc.
-
-Basically 6796e5f but also for the daemon.  This also tries to fix them
-up to save errno better, for more accurate reporting.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/daemon.c | 27 +++++++++++++++++++++++++--
- src/pesign.c |  8 ++++++--
- 2 files changed, 31 insertions(+), 4 deletions(-)
-
-diff --git a/src/daemon.c b/src/daemon.c
-index 7f694b2..942d576 100644
---- a/src/daemon.c
-+++ b/src/daemon.c
-@@ -19,6 +19,7 @@
- 
- #include <errno.h>
- #include <fcntl.h>
-+#include <glob.h>
- #include <poll.h>
- #include <pwd.h>
- #include <signal.h>
-@@ -1104,10 +1105,32 @@ daemonize(cms_context *cms_ctx, char *certdir, int do_fork)
- 		"pesignd starting (pid %d)", ctx.pid);
- 
- 	SECStatus status = NSS_Init(certdir);
-+	int error = errno;
- 	if (status != SECSuccess) {
-+		char *globpattern = NULL;
-+		rc = asprintf(&globpattern, "%s/cert*.db",
-+			      certdir);
-+		if (rc > 0) {
-+			glob_t globbuf;
-+			memset(&globbuf, 0, sizeof(globbuf));
-+			rc = glob(globpattern, GLOB_ERR, NULL,
-+				  &globbuf);
-+			if (rc != 0) {
-+				errno = error;
-+				ctx.backup_cms->log(ctx.backup_cms,
-+					ctx.priority|LOG_NOTICE,
-+					"Could not open NSS database (\"%s\"): %m",
-+					PORT_ErrorToString(PORT_GetError()));
-+				exit(1);
-+			}
-+		}
-+	}
-+	if (status != SECSuccess) {
-+		errno = error;
- 		ctx.backup_cms->log(ctx.backup_cms, ctx.priority|LOG_NOTICE,
--			"Could not initialize nss: %s\n",
--			PORT_ErrorToString(PORT_GetError()));
-+				    "Could not initialize nss.\n"
-+				    "NSS says \"%s\" errno says \"%m\"\n",
-+				    PORT_ErrorToString(PORT_GetError()));
- 		exit(1);
- 	}
- 
-diff --git a/src/pesign.c b/src/pesign.c
-index 5879cfc..6ceda34 100644
---- a/src/pesign.c
-+++ b/src/pesign.c
-@@ -660,10 +660,12 @@ main(int argc, char *argv[])
- 
- 	if (!daemon) {
- 		SECStatus status;
-+		int error;
- 		if (need_db) {
- 			status = NSS_Init(certdir);
- 			if (status != SECSuccess) {
- 				char *globpattern = NULL;
-+				error = errno;
- 				rc = asprintf(&globpattern, "%s/cert*.db",
- 					      certdir);
- 				if (rc > 0) {
-@@ -680,8 +682,10 @@ main(int argc, char *argv[])
- 		} else
- 			status = NSS_NoDB_Init(NULL);
- 		if (status != SECSuccess) {
--			errx(1, "Could not initialize nss. NSS says \"%s\" errno says \"%m\"\n",
--				PORT_ErrorToString(PORT_GetError()));
-+			errno = error;
-+			errx(1, "Could not initialize nss.\n"
-+			        "NSS says \"%s\" errno says \"%m\"\n",
-+			     PORT_ErrorToString(PORT_GetError()));
- 		}
- 
- 		status = register_oids(ctxp->cms_ctx);
--- 
-2.13.4
-

0025-certdb-fix-PRTime-printfs-for-i686.patch

@@ -1,31 +0,0 @@
-From bc1043bf2b428971e29a61a341da9a57595bada5 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 9 Aug 2017 17:40:33 -0400
-Subject: [PATCH 25/29] certdb: fix PRTime printfs for i686
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/certdb.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/src/certdb.c b/src/certdb.c
-index fae80af..29c9502 100644
---- a/src/certdb.c
-+++ b/src/certdb.c
-@@ -384,11 +384,10 @@ check_cert(pesigcheck_context *ctx, SECItem *sig, efi_guid_t *sigtype,
- 	}
- 
- 	if (lateNow < earlyNow)
--		printf("Signature has impossible time constraint: %ld <= %ld\n",
--		       earlyNow / 1000000, lateNow / 1000000);
-+		printf("Signature has impossible time constraint: %lld <= %lld\n",
-+		       earlyNow / 1000000LL, lateNow / 1000000LL);
- 	atTime = earlyNow / 2 + lateNow / 2;
- 
--
- 	cinfo = SEC_PKCS7DecodeItem(pkcs7sig, NULL, NULL, NULL, NULL, NULL,
- 				    NULL, NULL);
- 	if (!cinfo)
--- 
-2.13.4
-

0026-Clean-up-gcc-command-lines-a-little.patch

@@ -1,41 +0,0 @@
-From a44115c9b4f43a1a7219f897bd33555e653d2e20 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Thu, 10 Aug 2017 10:02:38 -0400
-Subject: [PATCH 26/29] Clean up gcc command lines a little
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- Make.defaults | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index 39b78f0..b6c0381 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -20,8 +20,7 @@ CROSS_COMPILE	?= $(bindir)
- PKG_CONFIG = $(CROSS_COMPILE)pkg-config
- CC	:= $(if $(filter default,$(origin CC)),$(CROSS_COMPILE)gcc,$(CC))
- CCLD	:= $(if $(filter undefined,$(origin CCLD)),$(CC),$(CCLD))
--CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments \
--	   -Wall -Werror -Wextra -Wno-error=cpp
-+CFLAGS	?= -O0 -g3 -fvar-tracking -fvar-tracking-assignments -Wno-error=cpp
- AS	:= $(CROSS_COMPILE)as
- AR	:= $(CROSS_COMPILE)gcc-ar
- RANLIB	:= $(CROSS_COMPILE)gcc-ranlib
-@@ -36,10 +35,10 @@ ARCH	   := $(shell uname -m | sed s,i[3456789]86,ia32,)
- 
- SOFLAGS	= -shared
- clang_cflags =
--gcc_cflags = -Wmaybe-uninitialized
-+gcc_cflags = -Wmaybe-uninitialized -grecord-gcc-switches
- cflags	= $(CFLAGS) $(ARCH3264) \
--	-Wall -Werror -Wno-cpp  -Wsign-compare -Wno-unused-result \
--	-Wno-unused-function\
-+	-Wall -Werror -Wextra -Wsign-compare -Wno-unused-result \
-+	-Wno-unused-function -Wsign-compare \
- 	-std=gnu11 -fshort-wchar -fPIC -flto -fno-strict-aliasing \
- 	-fno-merge-constants -fkeep-inline-functions \
- 	-D_GNU_SOURCE -DCONFIG_$(ARCH) -I${TOPDIR}/include \
--- 
-2.13.4
-

0027-Make-pesign-users-groups-static-in-the-repo.patch

@@ -1,54 +0,0 @@
-From a133d051c3f8acf3e058e92711eb528c3c0f41f9 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Thu, 10 Aug 2017 10:03:37 -0400
-Subject: [PATCH 27/29] Make pesign-{users,groups} static in the repo.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/Makefile      | 5 +----
- src/pesign-groups | 1 +
- src/pesign-users  | 1 +
- 3 files changed, 3 insertions(+), 4 deletions(-)
- create mode 100644 src/pesign-groups
- create mode 100644 src/pesign-users
-
-diff --git a/src/Makefile b/src/Makefile
-index 84ad130..7d68fa1 100644
---- a/src/Makefile
-+++ b/src/Makefile
-@@ -7,7 +7,7 @@ include $(TOPDIR)/Make.defaults
- 
- BINTARGETS=authvar client efikeygen efisiglist pesigcheck pesign
- SVCTARGETS=pesign.sysvinit pesign.service
--TARGETS=$(BINTARGETS) $(SVCTARGETS) pesign-users pesign-groups
-+TARGETS=$(BINTARGETS) $(SVCTARGETS)
- 
- all : deps $(TARGETS)
- 
-@@ -65,9 +65,6 @@ install_sysvinit: pesign.sysvinit
- 	$(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
- 	$(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
- 
--pesign-users pesign-groups :
--	echo pesign > $@
--
- install :
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign/
- 	$(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pki/pesign-rh-test/
-diff --git a/src/pesign-groups b/src/pesign-groups
-new file mode 100644
-index 0000000..7f57cc5
---- /dev/null
-+++ b/src/pesign-groups
-@@ -0,0 +1 @@
-+pesign
-diff --git a/src/pesign-users b/src/pesign-users
-new file mode 100644
-index 0000000..7f57cc5
---- /dev/null
-+++ b/src/pesign-users
-@@ -0,0 +1 @@
-+pesign
--- 
-2.13.4
-

0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch

@@ -1,43 +0,0 @@
-From 025eb8aea94761fdc45507b6192aafdef80d4842 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 9 Aug 2017 17:31:31 -0400
-Subject: [PATCH 28/29] rpm: Make the client signer use the fedora values
- unless overridden
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- src/macros.pesign | 9 ++++++---
- 1 file changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 69280e9..22a3ee6 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -9,6 +9,9 @@
- %__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
- %__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}
- 
-+%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}"}
-+%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}"}
-+
- %_pesign /usr/bin/pesign
- %_pesign_client /usr/bin/pesign-client
- 
-@@ -41,11 +44,11 @@
-                  --certdir ${nss} -c signer %{-o}			\
-       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
-     elif [ -S /var/run/pesign/socket ]; then				\
--      %{_pesign_client} -t %{__pesign_token}				\\\
--                        -c %{__pesign_cert}				\\\
-+      %{_pesign_client} -t %{__pesign_client_token}			\\\
-+                        -c %{__pesign_client_cert}			\\\
-                         %{-i} %{-o} %{-e} %{-s} %{-C}			\
-     else								\
--      %{_pesign} -t %{__pesign_token} -c %{__pesign_cert}		\\\
-+      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
- 		 --certdir ${_pesign_nssdir}				\\\
-                  %{-i} %{-o} %{-e} %{-s} %{-C}				\
-     fi									\
--- 
-2.13.4
-

0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch

@@ -1,39 +0,0 @@
-From 86a6b02e4b95ab3629446e71895cc5e57ad4482f Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Mon, 14 Aug 2017 11:37:43 -0400
-Subject: [PATCH 29/29] Make macros.pesign error in kojibuilder if we don't
- have perms on the socket
-
----
- src/macros.pesign | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/macros.pesign b/src/macros.pesign
-index 22a3ee6..1665b4c 100644
---- a/src/macros.pesign
-+++ b/src/macros.pesign
-@@ -43,6 +43,21 @@
-       %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
-                  --certdir ${nss} -c signer %{-o}			\
-       rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
-+    elif [ "%{vendor}" == "Fedora Project" -a				\\\
-+           "$(id -un)" == "mockbuild" -a				\\\
-+           "$(uname -m)" == "x86_64" ] &&				\\\
-+         grep -q ID=fedora /etc/os-release && 				\\\
-+         [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
-+         ! [ -S /var/run/pesign/socket ]; then				\
-+      echo "No socket even though this is %{_buildhost}"		\
-+      ls -ld /var/run/pesign || :					\
-+      getfacl /var/run/pesign || :					\
-+      ls -l /var/run/pesign/socket || :				\
-+      getfacl /var/run/pesign/socket || :				\
-+      echo =========== env ==============				\
-+      set								\
-+      echo =========== env ==============				\
-+      exit 1								\
-     elif [ -S /var/run/pesign/socket ]; then				\
-       %{_pesign_client} -t %{__pesign_client_token}			\\\
-                         -c %{__pesign_client_cert}			\\\
--- 
-2.13.4
-

pesign.patches

@@ -0,0 +1,23 @@
+Patch0001: 0001-daemon-remove-always-true-comparison.patch
+Patch0002: 0002-make-handle-some-gcc-Wanalyzer-flags-better.patch
+Patch0003: 0003-Rename-dprintf-to-dbgprintf.patch
+Patch0004: 0004-.gitignore-add-compile_commands.json-and-.cache.patch
+Patch0005: 0005-pesign-print-digests-before-filenames-like-sha256sum.patch
+Patch0006: 0006-Add-pesum-an-authenticode-digest-generator.patch
+Patch0007: 0007-Fix-building-signed-kernels-on-setups-other-than-koj.patch
+Patch0008: 0008-Add-D_GLIBCXX_ASSERTIONS-to-CPPFLAGS.patch
+Patch0009: 0009-macros.pesign-handle-centos-like-rhel-with-rhelver.patch
+Patch0010: 0010-Detect-the-presence-of-rpm-sign-when-checking-for-rh.patch
+Patch0011: 0011-Rename-README-README.md.patch
+Patch0012: 0012-README.md-show-off-a-bit-more.patch
+Patch0013: 0013-Fix-missing-line-in-README.md.patch
+Patch0014: 0014-Fix-typo-in-efikeygen-command.patch
+Patch0015: 0015-pesigcheck-Fix-crash-on-digest-match.patch
+Patch0016: 0016-cms-store-digest-as-pointer-instead-of-index.patch
+Patch0017: 0017-Fix-mandoc-invocation-to-not-produce-garbage.patch
+Patch0018: 0018-Work-around-GCC-being-obnoxiously-incompatible-with-.patch
+Patch0019: 0019-get_password_passthrough-handle-the-callback-context.patch
+Patch0020: 0020-read_password-only-prune-CR-NL-from-the-end-of-the-f.patch
+Patch0021: 0021-Revert-cms-store-digest-as-pointer-instead-of-index.patch
+Patch0022: 0022-CMS-add-some-minor-cleanups.patch
+Patch0023: 0023-CMS-make-cms-selected_digest-an-index-again.patch

pesign.spec

@@ -1,33 +1,39 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 
+# No.  I have enough trouble already.
+%undefine _auto_set_build_flags
+
 Name:    pesign
 Summary: Signing utility for UEFI binaries
-Version: 0.112
-Release: 25%{?dist}
-License: GPLv2
-URL:     https://github.com/vathpela/pesign
+Version: 115
+Release: 9%{?dist}
+License: GPL-2.0-only
+URL:     https://github.com/rhboot/pesign
 
 Obsoletes: pesign-rh-test-certs <= 0.111-7
+BuildRequires: efivar-devel >= 38-1
 BuildRequires: gcc
 BuildRequires: git
+BuildRequires: libuuid-devel
+BuildRequires: make
+BuildRequires: mandoc
 BuildRequires: nspr
+BuildRequires: nspr-devel >= 4.9.2-1
 BuildRequires: nss
+BuildRequires: nss-devel >= 3.13.6-1
+BuildRequires: nss-tools
 BuildRequires: nss-util
 BuildRequires: popt-devel
-BuildRequires: nss-tools
-BuildRequires: nspr-devel >= 4.9.2-1
-BuildRequires: nss-devel >= 3.13.6-1
-BuildRequires: efivar-devel >= 31-1
-BuildRequires: libuuid-devel
+BuildRequires: python3
+BuildRequires: python3-rpm-macros
 BuildRequires: tar
 BuildRequires: xz
-BuildRequires: python3-rpm-macros
-BuildRequires: python3
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
 BuildRequires: systemd-rpm-macros
 %endif
 Requires:      nspr
 Requires:      nss
+Requires:      nss-tools >= 3.53
 Requires:      nss-util
 Requires:      popt
 Requires:      rpm
@@ -37,39 +43,13 @@ ExclusiveArch: %{ix86} x86_64 ia64 aarch64 %{arm}
 BuildRequires: rh-signing-tools >= 1.20-2
 %endif
 
-Source0: https://github.com/vathpela/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
+Source0: https://github.com/rhboot/pesign/releases/download/%{version}/pesign-%{version}.tar.bz2
 Source1: certs.tar.xz
 Source2: pesign.py
+Source3: pesign.patches
 
-Patch0001: 0001-cms-kill-generate_integer-it-doesn-t-build-on-i686-a.patch
-Patch0002: 0002-Fix-command-line-parsing.patch
-Patch0003: 0003-gcc-don-t-error-on-stuff-in-includes.patch
-Patch0004: 0004-Fix-certficate-argument-name.patch
-Patch0005: 0005-Fix-description-of-ascii-armor-option-in-manpage.patch
-Patch0006: 0006-Make-ascii-work-since-we-documented-it.patch
-Patch0007: 0007-Switch-pesign-client-to-also-accept-token-cert-macro.patch
-Patch0008: 0008-pesigcheck-Verify-with-the-cert-as-an-object-signer.patch
-Patch0009: 0009-pesigcheck-make-certfile-actually-work.patch
-Patch0010: 0010-signerInfos-make-sure-err-is-always-initialized.patch
-Patch0011: 0011-pesign-make-pesign-h-tell-you-the-file-name.patch
-Patch0012: 0012-Add-coverity-build-scripts.patch
-Patch0013: 0013-Document-implicit-fallthrough.patch
-Patch0014: 0014-Actually-setfacl-each-directory-of-our-key-storage.patch
-Patch0015: 0015-oid-add-SHIM_EKU_MODULE_SIGNING_ONLY-and-fix-our-arr.patch
-Patch0016: 0016-efikeygen-add-modsign.patch
-Patch0017: 0017-check_cert_db-try-even-harder-to-pick-a-reasonable-v.patch
-Patch0018: 0018-show-which-db-we-re-checking.patch
-Patch0019: 0019-more-about-the-time.patch
-Patch0020: 0020-try-to-say-why-something-fails.patch
-Patch0021: 0021-Fix-race-condition-in-SEC_GetPassword.patch
-Patch0022: 0022-sysvinit-Create-the-socket-directory-at-runtime.patch
-Patch0023: 0023-Better-authorization-scripts.-Again.patch
-Patch0024: 0024-Make-the-daemon-also-try-to-give-better-errors-on-EP.patch
-Patch0025: 0025-certdb-fix-PRTime-printfs-for-i686.patch
-Patch0026: 0026-Clean-up-gcc-command-lines-a-little.patch
-Patch0027: 0027-Make-pesign-users-groups-static-in-the-repo.patch
-Patch0028: 0028-rpm-Make-the-client-signer-use-the-fedora-values-unl.patch
-Patch0029: 0029-Make-macros.pesign-error-in-kojibuilder-if-we-don-t-.patch
+# generate with tool
+%include %{SOURCE3}
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
@@ -87,9 +67,6 @@ git am %{patches} </dev/null
 git config --unset user.email
 git config --unset user.name
 
-# https://bugzilla.redhat.com/show_bug.cgi?id=1678146
-sed -i 's|/var/run/pesign|/run/pesign|' src/tmpfiles.conf
-
 %build
 make PREFIX=%{_prefix} LIBDIR=%{_libdir}
 
@@ -127,7 +104,7 @@ install -m 0755 %{SOURCE2} %{buildroot}%{python3_sitelib}/mockbuild/plugins/
 %pre
 getent group pesign >/dev/null || groupadd -r pesign
 getent passwd pesign >/dev/null || \
-	useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \
+	useradd -r -g pesign -d /run/pesign -s /sbin/nologin \
 		-c "Group for the pesign signing daemon" pesign
 exit 0
 
@@ -135,40 +112,48 @@ exit 0
 %post
 %systemd_post pesign.service
 
-#%%posttrans
-#%%{_libexecdir}/pesign/pesign-authorize
-
 %preun
 %systemd_preun pesign.service
 
 %postun
 %systemd_postun_with_restart pesign.service
+
+%posttrans
+certutil -d %{_sysconfdir}/pki/pesign/ -X -L > /dev/null
+
+# this is disabled currently because it breaks the fedora kernel build root
+# generation - because we don't currently have a good way of populating
+# /etc/pesign/{users,groups} before the buildroot is installed, or
+# populating them and re-running pesign-authorize afterwards but before the
+# package build of e.g. kernel
+#%%{_libexecdir}/pesign/pesign-authorize
 %endif
 
 %files
 %{!?_licensedir:%global license %%doc}
 %license COPYING
-%doc README TODO
+%doc README.md TODO
 %{_bindir}/authvar
 %{_bindir}/efikeygen
-%{_bindir}/efisiglist
 %{_bindir}/pesigcheck
 %{_bindir}/pesign
 %{_bindir}/pesign-client
+%{_bindir}/pesum
 %dir %{_libexecdir}/pesign/
 %dir %attr(0770,pesign,pesign) %{_sysconfdir}/pki/pesign/
 %config(noreplace) %attr(0660,pesign,pesign) %{_sysconfdir}/pki/pesign/*
 %dir %attr(0775,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/
 %config(noreplace) %attr(0664,pesign,pesign) %{_sysconfdir}/pki/pesign-rh-test/*
 %{_libexecdir}/pesign/pesign-authorize
+%{_libexecdir}/pesign/pesign-rpmbuild-helper
 %config(noreplace)/%{_sysconfdir}/pesign/users
 %config(noreplace)/%{_sysconfdir}/pesign/groups
 %{_sysconfdir}/popt.d/pesign.popt
 %{macrosdir}/macros.pesign
 %{_mandir}/man*/*
-%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name}
-%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket
-%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid
+%dir %attr(0770, pesign, pesign) %{_rundir}/%{name}
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/socket
+%ghost %attr(0660, -, -) %{_rundir}/%{name}/pesign.pid
 %if 0%{?rhel} >= 7 || 0%{?fedora} >= 17
 %{_tmpfilesdir}/pesign.conf
 %{_unitdir}/pesign.service
@@ -177,6 +162,126 @@ exit 0
 %{python3_sitelib}/mockbuild/plugins/pesign.*
 
 %changelog
+* Wed Aug 31 2022 Robbie Harwood <rharwood@redhat.com> - 115-9
+- Roll up to pjones's smartcard/cms fixes
+
+* Tue Aug 02 2022 Robbie Harwood <rharwood@redhat.com> - 115-8
+- Rebuild for python bytecode change
+- See-also: #2107826
+
+* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 115-6
+- Fix formatting of man pages
+- Resolves: #2104778
+
+* Mon Apr 04 2022 Robbie Harwood <rharwood@redhat.com> - 115-5
+- Detect presence of rpm-sign when checking for rhel-ness
+
+* Fri Apr 01 2022 Robbie Harwood <rharwood@redhat.com> - 115-4
+- Correctly handle rhel and centos macros
+
+* Fri Mar 25 2022 Robbie Harwood <rharwood@redhat.com> - 115-3
+- Add -D_GLIBCXX_ASSERTIONS to CPPFLAGS
+
+* Thu Mar 24 2022 Robbie Harwood <rharwood@redhat.com> - 115-2
+- Add support for non-koji signing in macros
+- Resolves: #1880858
+
+* Tue Mar 08 2022 Robbie Harwood <rharwood@redhat.com> - 115-1
+- New upstream version (115)
+
+* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-4
+- Disable -fanalyzer since it's broken and pragmas don't work
+- See-also: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104370
+
+* Mon Feb 14 2022 Robbie Harwood <rharwood@redhat.com> - 114-3
+- Fix explicit NULL deref when daemonizing
+
+* Wed Feb 02 2022 Robbie Harwood <rharwood@redhat.com> - 114-2
+- Attempt to fix signing parsing by dropping pesign_args
+
+* Tue Feb 01 2022 Robbie Harwood <rharwood@redhat.com> - 114-1
+- New upstream version (114)
+
+* Fri Jan 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 113-18
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Fri Jul 23 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-17
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 113-16
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 113-15
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 16 2020 Jeff Law <law@redhat.com> - 113-14
+- Turn off -Wfree-nonheap-object
+
+* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-13
+- Add the rundir related stuff that was staged on my f32 checkout.
+
+* Mon Aug 03 2020 Peter Jones <pjones@redhat.com> - 113-12
+- Try to make kernel and fwupd both work at the same time.
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 113-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-10
+- I really cannot figure out why bkernel01 thinks the certificate nickname
+  starts with /CN=, but it does, so I'm gonna stop fighting with the sand.
+
+* Thu Jul 16 2020 Peter Jones <pjones@redhat.com> - 113-9
+- Even more kernel build debugging...
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-8
+- More kernel build debugging...
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-6
+- Disable the pesign-authorize call in posttrans, until we can figure out a
+  better way to deal with that in the fedora kernel builder chroot setup
+
+* Tue Jul 07 2020 Peter Jones <pjones@redhat.com> - 113-5
+- Make pesign require nss-tools for the posttrans scriptlet
+- Move most of macros.pesign to /usr/libexec/pesign/pesign-rpmbuild-helper
+
+* Mon Jul 06 2020 Peter Jones <pjones@redhat.com> - 113-4
+- Attempt to fix kernel signing failures caused by -3...
+
+* Fri Jun 12 2020 Peter Jones <pjones@redhat.com> - 113-3
+- Fix the signer name for fedora and some other minor nits
+  Related: rhbz#1708773
+  Related: rhbz#1678146
+
+* Thu Jun 11 2020 Peter Jones <pjones@redhat.com> - 113-2
+- Fix a signing protocol bug we introduced in 113 that makes the fedora
+  kernel builders fail.
+  Related: rhbz#1708773
+
+* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 113-1
+- Update to 113 release
+  Resolves: rhbz#1708773
+
+* Mon Jun 08 2020 Javier Martinez Canillas <javierm@redhat.com> - 0.112-31
+- Switch default NSS database to SQLite format (pjones)
+  Resolves: rhbz#1827902
+
+* Mon Feb 24 2020 Peter Jones <pjones@redhat.com> - 0.112-30
+- Make sure the patch for -29 is actually in the build in f32, and
+  synchronize with master.
+
+* Tue Feb 18 2020 Peter Jones <pjones@redhat.com> - 0.112-29
+- Rebuild to match OpenSC's token name mangling change.
+
+* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-28
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Nov 12 2019 Peter Jones <pjones@redhat.com> - 0.112-27
+- Rebuild to fix an NSS API issue.	
+
+* Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.112-26
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
 * Wed Mar  6 2019 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.112-25
 - Fix build (#1675653)
 - Add missing closing quote in macro (#1651020)

rpminspect.yaml

@@ -0,0 +1,13 @@
+---
+inspections:
+  # Not a Java package
+  javabytecode: off
+
+  # These just flag when things change "too much"
+  changedfiles: off
+  filesize: off
+  patches: off
+  upstream: off
+
+  # https://bugzilla.redhat.com/show_bug.cgi?id=2010936
+  annocheck: off

sources

@@ -1,2 +1,2 @@
-e377e0bc924287ee09356a239c5f51a8  certs.tar.xz
-eae1d66e160be744ff310ad7592ae31e  pesign-0.112.tar.bz2
+SHA512 (certs.tar.xz) = ddac535c786d1a23074534323c4ce89f907d4f82b19c5d3a9c814b145fbac1599cd2386cf20c28d22aee7d5c4db441f052bab9ee655de756117a0a0bc99b525f
+SHA512 (pesign-115.tar.bz2) = 0091d70e286326b1ed74418ca8c5a2a63d42e6aa3eccdfc4f09a34241b2addfe878af17d1d74648b7da79d6cd7158fcca0f3a52f4a82a57cacae4617b42b1faa