From f928ecce0c043e3a677e7297127a7d9d1d93703d Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Oct 30 2018 05:05:33 +0000
Subject: import shim-signed-15-1.el7


---

diff --git a/.shim-signed.metadata b/.shim-signed.metadata
index 897b7da..8405870 100644
--- a/.shim-signed.metadata
+++ b/.shim-signed.metadata
@@ -1,4 +1,4 @@
 8686e2ab33689a7f71268db3c8dc0a51ba291d93 SOURCES/mokutil-0.3.0.tar.gz
 a6499bf4e2e9038c79e00f3fea79c5dfd978eb16 SOURCES/shimaa64.efi
-09c724498ed275fb4a76f04700f5b2d39413405f SOURCES/shimia32.efi
-224b166130e25c00ac9a6c33d7816acc6b98cde5 SOURCES/shimx64.efi
+e609f8ddc446dc27a2aec3577e2b7869126662c0 SOURCES/shimia32.efi
+1316e2b5fb83b29acc00c5050799afb7ccd6b6e2 SOURCES/shimx64.efi
diff --git a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
index ef8518f..f752a3f 100644
--- a/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
+++ b/SOURCES/0001-Fix-the-potential-buffer-overflow.patch
@@ -1,7 +1,7 @@
 From 1313fa02a5b2bfe61ee6702696600fc148ec2d6e Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Tue, 4 Nov 2014 15:50:03 +0800
-Subject: [PATCH 1/7] Fix the potential buffer overflow
+Subject: [PATCH 01/10] Fix the potential buffer overflow
 
 Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
  1 file changed, 2 insertions(+), 3 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 5b34f22..93fb6fa 100644
+index 5b34f22fd98..93fb6fabcab 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1743,7 +1743,7 @@ set_toggle (const char * VarName, uint32_t state)
@@ -32,5 +32,5 @@ index 5b34f22..93fb6fa 100644
  	tvar.mok_toggle_state = state;
  
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
index de24b1c..33ca700 100644
--- a/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
+++ b/SOURCES/0002-Fix-the-32bit-signedness-comparison.patch
@@ -1,14 +1,14 @@
 From cdb4b6f3bfd6ada6558ddfb889e27150f0841b28 Mon Sep 17 00:00:00 2001
 From: Gary Ching-Pang Lin <glin@suse.com>
 Date: Mon, 24 Nov 2014 11:38:54 +0800
-Subject: [PATCH 2/7] Fix the 32bit signedness comparison
+Subject: [PATCH 02/10] Fix the 32bit signedness comparison
 
 ---
  src/mokutil.c | 4 ++--
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 93fb6fa..a7e83f7 100644
+index 93fb6fabcab..a7e83f71f0b 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1284,7 +1284,7 @@ issue_mok_request (char **files, uint32_t total, MokRequest req,
@@ -30,5 +30,5 @@ index 93fb6fa..a7e83f7 100644
  						list[i].mok_size - offset);
  			if (write_size < 0) {
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
index 80a677a..a9fe4e9 100644
--- a/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
+++ b/SOURCES/0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@@ -1,7 +1,8 @@
 From 9eb111a7f7b897ba4ae19a68708e010a5c384260 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 19 Jun 2015 16:53:36 -0400
-Subject: [PATCH 3/7] Build with -fshort-wchar so toggle passwords work right.
+Subject: [PATCH 03/10] Build with -fshort-wchar so toggle passwords work
+ right.
 
 This source tree uses:
 
@@ -25,7 +26,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/configure.ac b/configure.ac
-index fe28fb9..69d412a 100644
+index fe28fb92241..69d412ac633 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -37,7 +37,7 @@ else
@@ -38,5 +39,5 @@ index fe28fb9..69d412a 100644
  AC_ARG_ENABLE(strict, AS_HELP_STRING([--enable-strict],[Enable strict compilation options]), enable_strict=$enableval,
  		enable_strict=$default_strict)
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
index 3e75fda..f45fd42 100644
--- a/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
+++ b/SOURCES/0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
@@ -1,7 +1,7 @@
 From ecc8fb0d92f0f453414a98172df22e23fb5893f5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 16 Jun 2015 17:06:30 -0400
-Subject: [PATCH 4/7] Don't allow sha1 on the mokutil command line.
+Subject: [PATCH 04/10] Don't allow sha1 on the mokutil command line.
 
 Related: rhbz#1115843
 
@@ -11,7 +11,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 2 insertions(+)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index a7e83f7..1fb34f9 100644
+index a7e83f71f0b..1fb34f9d3aa 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -1351,10 +1351,12 @@ identify_hash_type (const char *hash_str, efi_guid_t *type)
@@ -28,5 +28,5 @@ index a7e83f7..1fb34f9 100644
  		*type = efi_guid_sha224;
  		hash_size = SHA224_DIGEST_LENGTH;
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0005-Make-all-efi_guid_t-const.patch b/SOURCES/0005-Make-all-efi_guid_t-const.patch
index 0e12a37..b041fc4 100644
--- a/SOURCES/0005-Make-all-efi_guid_t-const.patch
+++ b/SOURCES/0005-Make-all-efi_guid_t-const.patch
@@ -1,7 +1,7 @@
 From eba569a8e6c33f07042758cbfa1706d7339464e1 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Wed, 13 Jan 2016 16:05:21 +0800
-Subject: [PATCH 5/7] Make all efi_guid_t const
+Subject: [PATCH 05/10] Make all efi_guid_t const
 
 All UEFI GUIDs defined in efivar are const. Declare all of them const
 to make gcc happy.
@@ -12,7 +12,7 @@ Signed-off-by: Gary Lin <glin@suse.com>
  1 file changed, 9 insertions(+), 9 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index 1fb34f9..d2c52b4 100644
+index 1fb34f9d3aa..d2c52b4caaf 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -200,7 +200,7 @@ efichar_from_char (efi_char16_t *dest, const char *src, size_t dest_len)
@@ -83,5 +83,5 @@ index 1fb34f9..d2c52b4 100644
  {
  	uint8_t *authvar_data;
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
index a0d87f3..af8b621 100644
--- a/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
+++ b/SOURCES/0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
@@ -1,7 +1,7 @@
-From b68dca2d4de779387c4b5306bb9cfc9a3bab2572 Mon Sep 17 00:00:00 2001
+From 951daed3f98e9a3de2bc36cd82525cdbf7595e3e Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:19:43 -0400
-Subject: [PATCH 6/7] mokutil: be explicit about file modes in all cases.
+Subject: [PATCH 06/10] mokutil: be explicit about file modes in all cases.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
@@ -9,7 +9,7 @@ Signed-off-by: Peter Jones <pjones@redhat.com>
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/src/mokutil.c b/src/mokutil.c
-index d2c52b4..d554f6c 100644
+index d2c52b4caaf..d554f6cca21 100644
 --- a/src/mokutil.c
 +++ b/src/mokutil.c
 @@ -574,7 +574,8 @@ delete_data_from_list (const efi_guid_t *var_guid, const char *var_name,
@@ -33,5 +33,5 @@ index d2c52b4..d554f6c 100644
  			case ENROLL_MOK:
  				fprintf (stderr, "Failed to enroll new keys\n");
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0007-Add-bash-completion-file.patch b/SOURCES/0007-Add-bash-completion-file.patch
index 725ad66..29720ad 100644
--- a/SOURCES/0007-Add-bash-completion-file.patch
+++ b/SOURCES/0007-Add-bash-completion-file.patch
@@ -1,29 +1,18 @@
-From d16c76d139f9a9a56b49c0dd51cd9056f626031e Mon Sep 17 00:00:00 2001
+From a797a566127f7469d744b2748f98d1fa5ea8d8f9 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Tue, 14 Jun 2016 10:20:14 -0400
-Subject: [PATCH 7/7] Add bash completion file.
+Subject: [PATCH 07/10] Add bash completion file.
 
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
- Makefile.am  |  5 +++++
  configure.ac | 17 +++++++++++++++++
+ Makefile.am  |  5 +++++
  data/mokutil | 37 +++++++++++++++++++++++++++++++++++++
  3 files changed, 59 insertions(+)
  create mode 100755 data/mokutil
 
-diff --git a/Makefile.am b/Makefile.am
-index 9f0d419..c17cc4a 100644
---- a/Makefile.am
-+++ b/Makefile.am
-@@ -1 +1,6 @@
- SUBDIRS = src man
-+
-+if ENABLE_BASH_COMPLETION
-+  bashcompletiondir = $(BASH_COMPLETION_DIR)
-+  dist_bashcompletion_DATA = data/mokutil
-+endif
 diff --git a/configure.ac b/configure.ac
-index 69d412a..7b52a06 100644
+index 69d412ac633..7b52a063df0 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -86,6 +86,23 @@ AC_CHECK_FUNCS([memset])
@@ -50,9 +39,20 @@ index 69d412a..7b52a06 100644
  AC_CONFIG_FILES([Makefile
                   src/Makefile
  		 man/Makefile])
+diff --git a/Makefile.am b/Makefile.am
+index 9f0d4192515..c17cc4a86d8 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1 +1,6 @@
+ SUBDIRS = src man
++
++if ENABLE_BASH_COMPLETION
++  bashcompletiondir = $(BASH_COMPLETION_DIR)
++  dist_bashcompletion_DATA = data/mokutil
++endif
 diff --git a/data/mokutil b/data/mokutil
 new file mode 100755
-index 0000000..800b039
+index 00000000000..800b039e7f4
 --- /dev/null
 +++ b/data/mokutil
 @@ -0,0 +1,37 @@
@@ -94,5 +94,5 @@ index 0000000..800b039
 +
 +complete -F _mokutil mokutil
 -- 
-2.7.4
+2.17.1
 
diff --git a/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
new file mode 100644
index 0000000..5642502
--- /dev/null
+++ b/SOURCES/0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
@@ -0,0 +1,27 @@
+From b5f004ddbd8ef1f9f1d664d41d5dcc4272621080 Mon Sep 17 00:00:00 2001
+From: Tyler Hicks <tyhicks@canonical.com>
+Date: Mon, 20 Jun 2016 11:18:17 -0500
+Subject: [PATCH 08/10] Fix typo in error message when the system lacks Secure
+ Boot support
+
+Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index d554f6cca21..27f1292f3a9 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -2297,7 +2297,7 @@ main (int argc, char *argv[])
+ 		rc = efi_get_variable (efi_guid_global, "SecureBoot",
+ 				       &data, &data_size, &attributes);
+ 		if (rc < 0) {
+-			fprintf(stderr, "This system does't support Secure Boot\n");
++			fprintf(stderr, "This system doesn't support Secure Boot\n");
+ 			ret = -1;
+ 			goto out;
+ 		}
+-- 
+2.17.1
+
diff --git a/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
new file mode 100644
index 0000000..0bed1d9
--- /dev/null
+++ b/SOURCES/0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
@@ -0,0 +1,27 @@
+From 2fa167f3905ebee27221fc2b1db4b79e215d8ca0 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 3 Apr 2017 16:33:38 -0400
+Subject: [PATCH 09/10] list_keys_in_var(): check errno correctly, not ret
+ twice.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 27f1292f3a9..0be9e8491fd 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -602,7 +602,7 @@ list_keys_in_var (const char *var_name, const efi_guid_t guid)
+ 
+ 	ret = efi_get_variable (guid, var_name, &data, &data_size, &attributes);
+ 	if (ret < 0) {
+-		if (ret == ENOENT) {
++		if (errno == ENOENT) {
+ 			printf ("%s is empty\n", var_name);
+ 			return 0;
+ 		}
+-- 
+2.17.1
+
diff --git a/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
new file mode 100644
index 0000000..2d57007
--- /dev/null
+++ b/SOURCES/0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
@@ -0,0 +1,101 @@
+From 57f7c776dca0322fab107460cac71ac4b6e79b9a Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 15 May 2018 11:20:15 -0400
+Subject: [PATCH 10/10] generate_hash() / generate_pw_hash(): don't use
+ strlen() for strncpy bounds
+
+New gcc rightly comlplains when we do the following:
+
+strncpy (dest, src, strlen(src));
+
+For two reasons:
+a) it doesn't copy the NUL byte
+b) it's otherwise the same thing strcpy() would have done
+
+This patch replaces that with stpncpy (just because it's slightly easier
+to use) and the real bounds for the destination.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/mokutil.c | 33 ++++++++++++++++++++++-----------
+ 1 file changed, 22 insertions(+), 11 deletions(-)
+
+diff --git a/src/mokutil.c b/src/mokutil.c
+index 0be9e8491fd..b5080107600 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -764,9 +764,10 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ {
+ 	pw_crypt_t new_crypt;
+ 	char settings[SETTINGS_LEN];
++	char *next;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int hash_len, prefix_len;
++	int hash_len, settings_len = sizeof (settings) - 2;
+ 
+ 	if (!password || !pw_crypt || password[pw_len] != '\0')
+ 		return -1;
+@@ -774,15 +775,19 @@ generate_hash (pw_crypt_t *pw_crypt, char *password, unsigned int pw_len)
+ 	prefix = get_crypt_prefix (pw_crypt->method);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+ 	pw_crypt->salt_size = get_salt_size (pw_crypt->method);
+ 	generate_salt ((char *)pw_crypt->salt, pw_crypt->salt_size);
+ 
+-	strncpy (settings, prefix, prefix_len);
+-	strncpy (settings + prefix_len, (const char *)pw_crypt->salt,
+-		 pw_crypt->salt_size);
+-	settings[pw_crypt->salt_size + prefix_len] = '\0';
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
++	if (pw_crypt->salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	next = stpncpy (next, (const char *)pw_crypt->salt,
++			pw_crypt->salt_size);
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	if (!crypt_string)
+@@ -1929,10 +1934,11 @@ static int
+ generate_pw_hash (const char *input_pw)
+ {
+ 	char settings[SETTINGS_LEN];
++        char *next;
+ 	char *password = NULL;
+ 	char *crypt_string;
+ 	const char *prefix;
+-	int prefix_len;
++	int settings_len = sizeof (settings) - 2;
+ 	unsigned int pw_len, salt_size;
+ 
+ 	if (input_pw) {
+@@ -1958,12 +1964,17 @@ generate_pw_hash (const char *input_pw)
+ 	prefix = get_crypt_prefix (DEFAULT_CRYPT_METHOD);
+ 	if (!prefix)
+ 		return -1;
+-	prefix_len = strlen(prefix);
+ 
+-	strncpy (settings, prefix, prefix_len);
++	memset (settings, 0, sizeof (settings));
++	next = stpncpy (settings, prefix, settings_len);
+ 	salt_size = get_salt_size (DEFAULT_CRYPT_METHOD);
+-	generate_salt ((settings + prefix_len), salt_size);
+-	settings[DEFAULT_SALT_SIZE + prefix_len] = '\0';
++	if (salt_size > settings_len - (next - settings)) {
++		errno = EOVERFLOW;
++		return -1;
++	}
++	generate_salt (next, salt_size);
++	next += salt_size;
++	*next = '\0';
+ 
+ 	crypt_string = crypt (password, settings);
+ 	free (password);
+-- 
+2.17.1
+
diff --git a/SOURCES/BOOTIA32.CSV b/SOURCES/BOOTIA32.CSV
index 1f0e21f..4e658b2 100644
Binary files a/SOURCES/BOOTIA32.CSV and b/SOURCES/BOOTIA32.CSV differ
diff --git a/SOURCES/BOOTX64.CSV b/SOURCES/BOOTX64.CSV
index da8cf51..7692a93 100644
Binary files a/SOURCES/BOOTX64.CSV and b/SOURCES/BOOTX64.CSV differ
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.crt b/SOURCES/centossecureboot001.crt
deleted file mode 100644
index 321c4ec..0000000
--- a/SOURCES/centossecureboot001.crt
+++ /dev/null
@@ -1,81 +0,0 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number:
-            b6:16:15:71:72:fb:31:7e
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: CN=CentOS Secure Boot (CA key 1)/emailAddress=security@centos.org
-        Validity
-            Not Before: Aug  1 11:47:30 2018 GMT
-            Not After : Dec 31 11:47:30 2037 GMT
-        Subject: CN=CentOS Secure Boot (key 1)/emailAddress=security@centos.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:c1:a3:6a:f4:2d:71:83:6c:21:ca:0c:b7:ac:fa:
-                    76:80:43:03:40:87:5d:de:e9:1e:df:ad:e7:2b:51:
-                    cb:f8:31:0f:9a:db:ab:23:25:04:11:05:57:7d:f2:
-                    4b:8d:1e:b3:75:78:1d:b9:57:8b:18:0b:bb:7e:e3:
-                    24:0f:6a:40:5f:2b:4f:03:a5:85:94:d2:f9:08:a0:
-                    bc:db:a5:ea:4f:7f:e8:7c:d1:a9:f8:f0:9c:25:18:
-                    00:14:c4:c4:35:7d:1d:4c:8a:8d:95:f8:ed:65:97:
-                    a5:a4:da:7d:cb:f0:33:3b:b7:03:94:68:47:05:57:
-                    6c:96:91:ac:14:f2:e3:f6:6d:4a:18:cf:68:8a:35:
-                    6f:8e:26:99:7f:db:c9:83:54:c2:c3:bf:ad:45:a0:
-                    aa:a0:86:5f:20:b1:86:1b:ae:b7:28:15:11:f9:65:
-                    53:5d:70:33:9b:a3:c7:b5:c8:11:ff:55:3b:e7:46:
-                    f1:6c:6b:8c:bb:f2:9f:36:23:b1:2d:23:2f:8f:4f:
-                    6c:a8:cc:ae:f5:56:9e:22:6c:0e:9a:4a:b1:bd:b2:
-                    76:15:5c:05:85:b8:5e:dc:8c:a5:c3:e0:75:51:a4:
-                    94:9b:03:2e:7b:f8:d3:b9:dd:7f:88:ce:2e:2f:28:
-                    4c:b4:92:2f:e6:e0:67:0a:d0:ff:c5:d2:79:a6:ef:
-                    94:0f
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: critical
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature
-            X509v3 Subject Key Identifier: 
-                F0:37:C6:EA:EC:36:D4:05:7A:52:6C:0E:C6:D5:A9:5B:32:4E:E1:29
-            X509v3 Authority Key Identifier: 
-                keyid:54:EC:81:85:89:3E:E9:1A:DB:08:F7:44:88:54:7E:8E:3F:74:3A:F3
-
-    Signature Algorithm: sha256WithRSAEncryption
-        97:97:ba:a6:0b:5b:bb:84:39:2e:ef:8b:51:9a:89:bb:65:3c:
-        dc:15:d0:5a:88:c5:af:ce:93:f5:c1:74:98:15:59:a9:38:da:
-        11:fd:46:d5:4f:23:7c:03:1f:ae:0c:70:93:94:a7:61:2f:4b:
-        2f:5f:bb:cc:8a:d7:4a:24:66:73:85:b4:19:13:fc:6a:61:4a:
-        28:1f:a2:38:f4:72:90:03:c4:3e:64:63:8b:fb:15:22:22:4e:
-        b9:43:d9:b4:3d:3a:60:c1:4d:3a:09:85:68:7a:bc:3b:f9:ef:
-        f3:f5:e9:c9:4f:80:8c:c6:e9:cb:ef:28:44:b0:5d:d4:9e:4f:
-        0f:02:9a:65:aa:98:35:b4:6f:d2:80:e3:08:ef:12:d0:17:56:
-        a6:a1:42:1e:1d:ab:e5:33:c0:fd:88:0d:40:42:81:c8:27:30:
-        17:07:57:3e:05:9d:aa:05:0e:5b:3a:79:b4:29:aa:7c:42:5a:
-        ad:43:59:fb:34:4d:dc:62:58:63:e4:fb:de:bb:fd:6c:4e:97:
-        58:f4:b9:99:4a:71:fe:7f:16:50:55:25:46:39:96:9b:88:6c:
-        75:19:33:9e:70:b3:04:82:fe:16:a8:8e:22:47:83:6d:16:77:
-        da:26:ad:31:d8:06:6d:c5:7e:46:4b:21:ab:ae:ec:2a:93:71:
-        da:7f:89:1d
------BEGIN CERTIFICATE-----
-MIIDdTCCAl2gAwIBAgIJALYWFXFy+zF+MA0GCSqGSIb3DQEBCwUAMEwxJjAkBgNV
-BAMMHUNlbnRPUyBTZWN1cmUgQm9vdCAoQ0Ega2V5IDEpMSIwIAYJKoZIhvcNAQkB
-FhNzZWN1cml0eUBjZW50b3Mub3JnMB4XDTE4MDgwMTExNDczMFoXDTM3MTIzMTEx
-NDczMFowSTEjMCEGA1UEAxMaQ2VudE9TIFNlY3VyZSBCb290IChrZXkgMSkxIjAg
-BgkqhkiG9w0BCQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEB
-AQUAA4IBDwAwggEKAoIBAQDBo2r0LXGDbCHKDLes+naAQwNAh13e6R7frecrUcv4
-MQ+a26sjJQQRBVd98kuNHrN1eB25V4sYC7t+4yQPakBfK08DpYWU0vkIoLzbpepP
-f+h80an48JwlGAAUxMQ1fR1Mio2V+O1ll6Wk2n3L8DM7twOUaEcFV2yWkawU8uP2
-bUoYz2iKNW+OJpl/28mDVMLDv61FoKqghl8gsYYbrrcoFRH5ZVNdcDObo8e1yBH/
-VTvnRvFsa4y78p82I7EtIy+PT2yozK71Vp4ibA6aSrG9snYVXAWFuF7cjKXD4HVR
-pJSbAy57+NO53X+Izi4vKEy0ki/m4GcK0P/F0nmm75QPAgMBAAGjXTBbMAwGA1Ud
-EwEB/wQCMAAwCwYDVR0PBAQDAgeAMB0GA1UdDgQWBBTwN8bq7DbUBXpSbA7G1alb
-Mk7hKTAfBgNVHSMEGDAWgBRU7IGFiT7pGtsI90SIVH6OP3Q68zANBgkqhkiG9w0B
-AQsFAAOCAQEAl5e6pgtbu4Q5Lu+LUZqJu2U83BXQWojFr86T9cF0mBVZqTjaEf1G
-1U8jfAMfrgxwk5SnYS9LL1+7zIrXSiRmc4W0GRP8amFKKB+iOPRykAPEPmRji/sV
-IiJOuUPZtD06YMFNOgmFaHq8O/nv8/XpyU+AjMbpy+8oRLBd1J5PDwKaZaqYNbRv
-0oDjCO8S0BdWpqFCHh2r5TPA/YgNQEKByCcwFwdXPgWdqgUOWzp5tCmqfEJarUNZ
-+zRN3GJYY+T73rv9bE6XWPS5mUpx/n8WUFUlRjmWm4hsdRkznnCzBIL+FqiOIkeD
-bRZ32iatMdgGbcV+Rkshq67sKpNx2n+JHQ==
------END CERTIFICATE-----
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
index 5c1d022..0ee04e5 100644
--- a/SPECS/shim-signed.spec
+++ b/SPECS/shim-signed.spec
@@ -1,14 +1,23 @@
 Name:           shim-signed
-Version:        12
-Release:        2%{?dist}%{?buildid}
+Version:        15
+Release:        1%{?dist}%{?buildid}
 Summary:        First-stage UEFI bootloader
-%define unsigned_release 2%{?dist}
+%define unsigned_release 1%{?dist}
 
 License:        BSD
-URL:            http://www.codon.org.uk/~mjg59/shim/
+URL:            https://github.com/rhboot/shim/
 # incorporate mokutil for packaging simplicity
 %global mokutil_version 0.3.0
 Source0:        https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
+Source1:        secureboot.cer
+Source2:        securebootca.cer
+Source10:       shimx64.efi
+Source11:       shimia32.efi
+Source12:       shimaa64.efi
+Source20:       BOOTX64.CSV
+Source21:       BOOTIA32.CSV
+Source22:       BOOTAA64.CSV
+
 Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
 Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
 Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
@@ -16,16 +25,9 @@ Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
 Patch0005: 0005-Make-all-efi_guid_t-const.patch
 Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
 Patch0007: 0007-Add-bash-completion-file.patch
-
-Source1:	centossecureboot001.crt
-Source2:	centos-ca-secureboot.der
-%define pesign_name centossecureboot001
-Source10:	shimx64.efi
-Source11:	shimia32.efi
-#Source12:	shimaa64.efi
-Source20:	BOOTX64.CSV
-Source21:	BOOTIA32.CSV
-Source22:	BOOTAA64.CSV
+Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
+Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
+Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
 
 %ifarch x86_64
 %global efiarch X64
@@ -40,7 +42,7 @@ Source22:	BOOTAA64.CSV
 %ifarch aarch64
 %global efiarch AA64
 %global efiarchlc aa64
-#%global shimsrc %{SOURCE12}
+%global shimsrc %{SOURCE12}
 %global bootsrc %{SOURCE22}
 %endif
 %define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
@@ -74,7 +76,7 @@ This package provides debug information for package %{name}.\
 Debug information is useful when developing applications that use this\
 package or when debugging this package.\
 %files -n mokutil-debuginfo -f debugfiles.list\
-%defattr(-,root,root)\
+%defattr(-,root,root,-)\
 %endif\
 %{nil}
 
@@ -93,7 +95,7 @@ the UEFI signing service.
 Summary: First-stage UEFI bootloader
 Requires: mokutil = %{version}-%{release}
 Provides: shim = %{version}-%{release}
-Obsoletes: shim
+Obsoletes: shim <= 12
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
@@ -147,27 +149,27 @@ cd ..
 %ifarch %{ca_signed_arches}
 pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
 if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
-	echo Invalid signature\! > /dev/stderr
-	echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
-	echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
-	exit 1
+  echo Invalid signature\! > /dev/stderr
+  echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
+  echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
+  exit 1
 fi
 cp %{shimsrc} shim%{efiarchlc}.efi
 %ifarch x86_64
 pesign -i %{shimsrcia32} -h -P > shimia32.hash
 if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
-	echo Invalid signature\! > /dev/stderr
-	echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
-	echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
-	exit 1
+  echo Invalid signature\! > /dev/stderr
+  echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
+  echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
+  exit 1
 fi
 cp %{shimsrcia32} shimia32.efi
 %endif
 %endif
 %ifarch %{rh_signed_arches}
-%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shim%{efiarchlc}-%{efidir}.efi
+%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name} -o shimia32-%{efidir}.efi
+%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi
 %endif
 %endif
 %ifarch %{rh_signed_arches}
@@ -176,12 +178,12 @@ cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
 %endif
 %endif
 
-%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
-%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
+%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
 
 %ifarch x86_64
-%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
-%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n %{pesign_name}
+%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
+%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
 %endif
 
 cd mokutil-%{mokutil_version}
@@ -191,56 +193,54 @@ make %{?_smp_mflags}
 
 %install
 rm -rf $RPM_BUILD_ROOT
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
-install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
-install -m 0644 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
-install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
-install -m 0644 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
-install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
-
-install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
-install -m 0644 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
-install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
-install -m 0644 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
+install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
+install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
+install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
+install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
+
+install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
+install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
+install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
 
 %ifarch aarch64
 # In case old boot entries aren't updated
-install -m 0644 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
 %endif
 
 %ifarch x86_64
 # In case old boot entries aren't updated
-install -m 0644 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-install -m 0644 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
+install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
 
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
-install -m 0644 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
-install -m 0644 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
-install -m 0644 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
+install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
+install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
+install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
 
-install -m 0644 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
-install -m 0644 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
+install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
+install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
 %endif
 
 cd mokutil-%{mokutil_version}
 make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 
 %files -n shim-%{efiarchlc}
+%defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
 /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
-/boot/efi/EFI/%{efidir}/MokManager.efi
 /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
 /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
 /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
-/boot/efi/EFI/BOOT/fallback.efi
 /boot/efi/EFI/%{efidir}/shim.efi
 
 %ifarch x86_64
 /boot/efi/EFI/%{efidir}/BOOT.CSV
 
 %files -n shim-ia32
+%defattr(0700,root,root,-)
 /boot/efi/EFI/%{efidir}/shimia32.efi
 /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/mmia32.efi
@@ -258,11 +258,19 @@ make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
 %{_datadir}/bash-completion/completions/mokutil
 
 %changelog
-* Fri Aug 24 2018 Fabian Arrotin <arrfab@centos.org> - 12-2.el7
-- Rebuilt with new shim (built with new key/cert)
-
-* Thu Aug 31 2017 Karanbir Singh <kbsingh@centos.org> - 12-1.el7.centos
-- interim build
+* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim version 15
+  Resolves: rhbz#1589962
+
+* Wed Jul 11 2018 Peter Jones <pjones@redhat.com> - 12-3
+- Fix broken file owner/modes
+  Resolves: rhbz#1595677
+
+* Sat Jun 23 2018 Peter Jones <pjones@redhat.com> - 12-2
+- Fix /boot/efi/... permissions to match the filesystem's requirements
+  Related: rhbz#1512749
+- Minor .spec cleanups
+  Related: rhbz#1512749
 
 * Mon May 01 2017 Peter Jones <pjones@redhat.com> - 12-1
 - Update to 12-1 to work around a signtool.exe bug