diff --git a/shim.rpmmacros b/shim.rpmmacros
new file mode 100644
index 0000000..dece167
--- /dev/null
+++ b/shim.rpmmacros
@@ -0,0 +1,170 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+#%%global bootcsvarm %%{expand:%%{SOURCE13}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiia32 %{expand:%{SOURCE21}}
+%global shimefix64 %{expand:%{SOURCE22}}
+#%%global shimefiarm %%{expand:%%{SOURCE23}
+
+%global shimveraa64 15-1.fc28
+%global shimveria32 15-1.fc28
+%global shimverx64 15-1.fc28
+#%%global shimverarm 15-1.fc28
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+
+%ifarch aarch64
+%global unsignedarch aarch64
+%else
+%global unsignedarch %{efi_arch}
+%endif
+%global unsignedarchalt %{?efi_alt_arch}%{nil}
+%global unsigned shim-unsigned-%{?unsignedarch}%{nil}
+%global unsignedalt shim-unsigned-%{?unsignedarchalt}%{nil}
+
+%define define_pkg(a:p:)						\
+%{expand:%%package -n shim-%{-a*}}					\
+Summary: First-stage UEFI bootloader					\
+Requires: mokutil >= 1:0.2.0-1						\
+Provides: shim-signed-%{-a*} = %{version}-%{release}			\
+Requires: dbxtool >= 0.6-3						\
+%{expand:%%if 0%%{-p*}							\
+Provides: shim = %{version}-%{release}					\
+Provides: shim-signed = %{version}-%{release}				\
+Obsoletes: shim-signed < %{version}-%{release}				\
+Obsoletes: shim < %{version}-%{release}					\
+%%endif}								\
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
+# is not compatible with SysV (there's no red zone under UEFI) and	\
+# there isn't a POSIX-style C library.					\
+# BuildRequires: OpenSSL						\
+Provides: bundled(openssl) = 1.0.2j					\
+									\
+%{expand:%%description -n shim-%{-a*}}					\
+Initial UEFI bootloader that handles chaining to a trusted full		\
+bootloader under secure boot environments. This package contains the	\
+version signed by the UEFI signing service.				\
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:)							\
+	pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
+		echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
+		exit 1							\
+	fi								\
+	%{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:)							\
+	%{expand:%%pesign -s -i %{-i*} -o %{-o*}}			\
+	%{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:)						\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
+	%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+%define define_build(a:A:b:c:i:d:)					\
+if [ "%{-c*}" = "yes" ]; then						\
+	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
+fi									\
+cp %{-i*} shim%{-a*}.efi						\
+if [ "%{-b*}" = "yes" ]; then						\
+	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
+	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
+fi									\
+if [ "%{-c*}" = "no" ]; then						\
+	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
+fi									\
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
+mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
+mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
+rm -vf									\\\
+	mm%{-a*}-unsigned.efi						\\\
+	fb%{-a*}-unsigned.efi						\\\
+	shim%{-a*}-unsigned.efi						\
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:)						\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
+install -m 0700 shim%{-a*}-%{efi_vendor}.efi				\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi	\
+install -m 0700 mm%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
+install -m 0700 %{-b*}							\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
+install -m 0700 fb%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:)						\
+%{expand:%%files -n shim-%{-a*}}					\
+%{efi_esp_dir}/*%{-a*}*.efi						\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
+%{efi_esp_boot}/*%{-a*}.efi						\
+%{efi_esp_boot}/*%{-A*}.EFI						\
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed yes
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros
diff --git a/shim.spec b/shim.spec
index 066bbce..236d276 100644
--- a/shim.spec
+++ b/shim.spec
@@ -1,87 +1,51 @@
-%global debug_package %{nil}
-
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
-
-# this is literally to make vim's \c not put a brace at the end.
+# this is to make us only expand %%{dist} if we're on a modularity build.
+# it's 2 macros make vim's \c not put a brace at the end of the changelog.
 %global _dist %{expand:%{?_module_build:%%{?dist}}}
 %global dist %{expand:%%{_dist}}
 
 Name:		shim
 Version:	15
-Release:	4%{?dist}
+Release:	4.1%{?dist}
 Summary:	First-stage UEFI bootloader
 License:	BSD
-URL:		http://github.com/rhboot/shim/
+URL:		https://github.com/rhboot/shim/
+Requires:	efi-filesystem
 
-# Shim is only required on platforms implementing the UEFI secure boot
-# protocol. The only one of those we currently wish to support is 64-bit x86.
-# Adding further platforms will require adding appropriate relocation code.
-ExclusiveArch:	x86_64 aarch64
+ExclusiveArch:	%{efi}
+# but we don't build a .i686 package, just a shim-ia32.x86_64 package
+ExcludeArch:	%{ix86}
+# and we don't have shim-unsigned-arm builds yet
+ExcludeArch:	%{arm}
+
+Source0:	shim.rpmmacros
 
 # keep these two lists of sources synched up arch-wise.  That is 0 and 10
 # match, 1 and 11 match, ...
-Source0:	BOOTX64.CSV
-Source1:	BOOTAA64.CSV
-Source2:	BOOTIA32.CSV
+Source10:	BOOTAA64.CSV
+Source20:	shimaa64.efi
+Source11:	BOOTIA32.CSV
+Source21:	shimia32.efi
+Source12:	BOOTX64.CSV
+Source22:	shimx64.efi
+#Source13:	BOOTARM.CSV
+#Source23:	shimarm.efi
 
-Source10:	shimaa64.efi
-Source11:	shimia32.efi
-Source12:	shimx64.efi
-#Source13:	shimx64-signed.efi
+%include %{SOURCE0}
 
-%global shimverx64 15-1.fc28
-%global shimveria32 15-1.fc28
-%global shimveraa64 15-1.fc28
-
-%ifarch x86_64
-BuildRequires:	shim-unsigned-x64 = %{shimverx64}
-BuildRequires:	shim-unsigned-ia32 = %{shimveria32}
-%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
-%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
-%endif
-%ifarch aarch64
-BuildRequires:	shim-unsigned-aarch64 = %{shimveraa64}
-%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
-%endif
 BuildRequires:	pesign >= 0.112-20.fc27
-BuildRequires:	efi-srpm-macros efi-filesystem
+BuildRequires:	%{unsigned} = %{shimver}
+%if %{efi_has_alt_arch}
+BuildRequires:	%{unsignedalt} = %{shimveralt}
+%endif
 
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
 under secure boot environments. This package contains the version signed by
 the UEFI signing service.
 
-%define define_pkg(a:p:)						\
-%{expand:%%package -n shim-%{-a*}}					\
-Summary: First-stage UEFI bootloader					\
-Requires: mokutil >= 1:0.2.0-1						\
-Requires: efi-filesystem						\
-Provides: shim-signed-%{-a*} = %{version}-%{release}			\
-Requires: dbxtool >= 0.6-3						\
-%{expand:%%if 0%%{-p*}							\
-Provides: shim = %{version}-%{release}					\
-Provides: shim-signed = %{version}-%{release}				\
-Obsoletes: shim-signed < %{version}-%{release}				\
-Obsoletes: shim < %{version}-%{release}					\
-%%endif}								\
-# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
-# is not compatible with SysV (there's no red zone under UEFI) and	\
-# there isn't a POSIX-style C library.					\
-# BuildRequires: OpenSSL						\
-Provides: bundled(openssl) = 1.0.2j					\
-									\
-%{expand:%%description -n shim-%{-a*}}					\
-Initial UEFI bootloader that handles chaining to a trusted full		\
-bootloader under secure boot environments. This package contains the	\
-version signed by the UEFI signing service.				\
-%{nil}
-
-%ifarch x86_64
-%define_pkg -a x64 -p 1
-%define_pkg -a ia32
-%endif
-%ifarch aarch64
-%define_pkg -a aa64 -p 1
+%define_pkg -a %{efi_arch} -p 1
+%if %{efi_has_alt_arch}
+%define_pkg -a %{efi_alt_arch}
 %endif
 
 %prep
@@ -90,140 +54,47 @@ rm -rf shim-%{version}
 mkdir shim-%{version}
 
 %build
-%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
-%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
-
-# -a <efiarch>
-# -i <input>
-%define hash(a:i:d:)							\
-	pesign -i %{-i*} -h -P > shim.hash				\
-	read file0 hash0 < shim.hash					\
-	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
-	if ! [ "$hash0" = "$hash1" ]; then				\
-		echo Invalid signature\! > /dev/stderr			\
-		echo $hash0 vs $hash1					\
-		exit 1							\
-	fi								\
-	%{nil}
-
-# -i <input>
-# -o <output>
-%define sign(i:o:)							\
-	%{expand:%%pesign -s -i %{-i*} -o %{-o*}}			\
-	%{nil}
-
-# -b <binary prefix>
-# -a <efiarch>
-# -i <input>
-%define distrosign(b:a:d:)						\
-	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\
-	%{nil}
-
-# -a <efiarch>
-# -A <EFIARCH>
-# -b <yes|no> # signed by this builder?
-# -c <yes|no> # signed by UEFI CA?
-# -i <shimARCH.efi>
-%define define_build(a:A:b:c:i:d:)					\
-#if [ "%%{-c*}" = "yes" ]; then						\
-#	%%{expand:%%%%hash -i %%{-i*} -a %%{-a*} -d %%{-d*}}		\
-#fi									\
-cp %{-i*} shim%{-a*}.efi						\
-if [ "%{-b*}" = "yes" ]; then						\
-	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
-	mv shim%{-a*}-signed.efi shim%{-a*}-%{efidir}.efi		\
-fi									\
-if [ "%{-c*}" = "no" ]; then						\
-	cp shim%{-a*}-%{efidir}.efi shim%{-a*}.efi			\
-fi									\
-%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
-mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
-%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
-mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
-rm -vf									\\\
-	mm%{-a*}-unsigned.efi						\\\
-	fb%{-a*}-unsigned.efi						\\\
-	shim%{-a*}-unsigned.efi						\
-%{nil}
 
 cd shim-%{version}
-%ifarch aarch64
-%define_build -a aa64 -A AA64 -i %{SOURCE10} -b yes -c no -d %{shimdiraa64}
-%endif
-%ifarch x86_64
-%define_build -a ia32 -A IA32 -i %{SOURCE11} -b yes -c yes -d %{shimdiria32}
-%define_build -a x64 -A X64 -i %{SOURCE12} -b yes -c yes -d %{shimdirx64}
+%if %{efi_has_alt_arch}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
 %endif
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
 
 %install
-# -a <efiarch>
-# -A <EFIARCH>
-# -b <BOOTCSV>
-%define do_install(a:A:b:)						\
-install -m 0700 shim%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}.efi		\
-install -m 0700 shim%{-a*}-%{efidir}.efi				\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}-%{efidir}.efi	\
-install -m 0700 mm%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{-a*}.efi		\
-install -m 0700 %{-b*}							\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV		\
-install -m 0700 shim%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{-A*}.EFI		\
-install -m 0700 fb%{-a*}.efi						\\\
-	$RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{-a*}.efi			\
-%nil
-
 rm -rf $RPM_BUILD_ROOT
 cd shim-%{version}
 install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
-install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/
-install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/
-install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
 
-%ifarch x86_64
-%do_install -a x64 -A X64 -b %{SOURCE0}
-%do_install -a ia32 -A IA32 -b %{SOURCE2}
-install -m 0700 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
-install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
-install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
-install -m 0700 %{SOURCE12} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%%{efidir}/shim.efi
-#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%%{efidir}/shimx64.efi
-#install -m 0700 %%{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI
-%endif
-%ifarch aarch64
-%do_install -a aa64 -A AA64 -b %{SOURCE1}
-install -m 0700 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
+%if %{efi_has_alt_arch}
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
 %endif
 
-# -a <efiarch>
-# -A <EFIARCH>
-%define define_files(a:A:)						\
-%{expand:%%files -n shim-%{-a*}}					\
-/boot/efi/EFI/%{efidir}/*%{-a*}*.efi					\
-/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV					\
-/boot/efi/EFI/BOOT/*%{-a*}.efi						\
-/boot/efi/EFI/BOOT/*%{-A*}.EFI						\
-%{nil}
-
-%ifarch x86_64
-%define_files -a x64 -A X64
-/boot/efi/EFI/%{efidir}/BOOT.CSV
-/boot/efi/EFI/%{efidir}/MokManager.efi
-/boot/efi/EFI/%{efidir}/shim.efi
-/boot/efi/EFI/BOOT/fallback.efi
-
-%define_files -a ia32 -A IA32
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
-%ifarch aarch64
-%define_files -a aa64 -A AA64
-/boot/efi/EFI/%{efidir}/shim.efi
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%endif
+
+%if %{provide_legacy_shim}
+%{efi_esp_dir}/shim.efi
 %endif
 
 %changelog
+* Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4.1
+- Rework the .spec to use efi-rpm-macros.
+
 * Fri May 04 2018 Peter Jones <pjones@redhat.com> - 15-4
 - Fix directory permissions to be 0700 on FAT filesystems