diff --git a/.dbxtool.metadata b/.dbxtool.metadata
new file mode 100644
index 0000000..7004fd4
--- /dev/null
+++ b/.dbxtool.metadata
@@ -0,0 +1 @@
+61da2c3e4ea3411e6379a671b09c14eae6954fe6 SOURCES/dbxtool-8.tar.bz2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a159012
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/dbxtool-8.tar.bz2
diff --git a/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch b/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch
new file mode 100644
index 0000000..a2a5270
--- /dev/null
+++ b/SOURCES/0001-don-t-use-f-in-dbxtool.service.patch
@@ -0,0 +1,28 @@
+From 8a6039df37353a3ef9208de0c4d63b611f549922 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Thu, 19 Oct 2017 12:46:53 -0400
+Subject: [PATCH 1/2] *don't* use -f in dbxtool.service
+
+Use -q to make it quiet but don't try to override it when we think it
+won't work.
+
+Related: rhbz#1489942
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/dbxtool.service | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/dbxtool.service b/src/dbxtool.service
+index fcfb6e6..1a2a829 100644
+--- a/src/dbxtool.service
++++ b/src/dbxtool.service
+@@ -7,4 +7,4 @@ WantedBy=multi-user.target
+ 
+ [Service]
+ RemainAfterExit=yes
+-ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q -f
++ExecStart=/usr/bin/dbxtool -a /usr/share/dbxtool/ -q
+-- 
+2.14.2
+
diff --git a/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch b/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch
new file mode 100644
index 0000000..c4fa459
--- /dev/null
+++ b/SOURCES/0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch
@@ -0,0 +1,36 @@
+From 946380463bb9a233381fc122a8374806d77b1778 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Mon, 23 Oct 2017 09:45:48 -0400
+Subject: [PATCH 2/2] Make quiet exit on missing PK/KEK not return error
+ status.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+---
+ src/dbxtool.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/dbxtool.c b/src/dbxtool.c
+index 717c991..b2cb587 100644
+--- a/src/dbxtool.c
++++ b/src/dbxtool.c
+@@ -541,13 +541,14 @@ check_pk_and_kek(bool force, bool quiet)
+ 		}
+ 	}
+ 	if (!all_found) {
+-		if (!quiet) {
++		if (quiet) {
++			if (!force)
++				exit(0);
++		} else {
+ 			if (!force)
+ 				errx(1, "Not attempting to apply updates.");
+ 			warnx("attempting to apply updates anyway.");
+ 		}
+-		if (!force)
+-			exit(1);
+ 	}
+ }
+ 
+-- 
+2.14.2
+
diff --git a/SOURCES/0003-fix-relop-in-esl_iter_next.patch b/SOURCES/0003-fix-relop-in-esl_iter_next.patch
new file mode 100644
index 0000000..90c47b3
--- /dev/null
+++ b/SOURCES/0003-fix-relop-in-esl_iter_next.patch
@@ -0,0 +1,70 @@
+From 50b302ea7b6bd41c38d50b2af9d89af5f715068a Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Wed, 16 May 2018 14:06:48 +0200
+Subject: [PATCH] fix relop in esl_iter_next()
+
+esl_iter_next() seeks to the next EFI_SIGNATURE_LIST object in the
+signature database that's being processed.
+
+- The position of the current (just processed) EFI_SIGNATURE_LIST object
+  in the signature database is "iter->offset".
+
+- The size of the same is in "iter->esl->SignatureListSize".
+
+- The size of the whole signature dabatase (containing the current
+  EFI_SIGNATURE_LIST) is in "iter->len".
+
+Thus, we need to advance "iter->offset" by "iter->esl->SignatureListSize",
+to reach the next EFI_SIGNATURE_LIST object.
+
+While advancing, we must not exceed the whole signature database. In other
+words, the (exclusive) end of the just processed EFI_SIGNATURE_LIST object
+is required to precede, or equal, the (exclusive) end of the signature
+database. Hence the "good" condition is:
+
+  iter->offset + iter->esl->SignatureListSize <= iter->len
+
+The "bad" condition is the negation of the above:
+
+  iter->offset + iter->esl->SignatureListSize > iter->len
+
+Because we don't trust "iter->esl->SignatureListSize" (since that was
+simply read from the binary blob, not computed by ourselves), we don't
+want to add to it or subtract from it (integer overflow!), we just want to
+use it naked for comparison. So we subtract "iter->offset" from both
+sides: "iter->offset" and "iter->len" are known-good because we've checked
+and computed them all along, so we can perform integer operations on them.
+After the subtraction, we have the following condition for *bad*:
+
+  iter->esl->SignatureListSize > iter->len - iter->offset
+
+Another way to put the same condition, for *bad*, is to swing the sides
+around the relop (giving a spin to the relop as well):
+
+  iter->len - iter->offset < iter->esl->SignatureListSize
+
+The controlling expression in esl_iter_next() is just this, except for the
+typo in the relational operator. Fix it.
+
+Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1508808
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+---
+ src/iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/iter.c b/src/iter.c
+index 45ee059e74c..f19166ab276 100644
+--- a/src/iter.c
++++ b/src/iter.c
+@@ -222,7 +222,7 @@ esl_iter_next(esl_iter *iter, efi_guid_t *type,
+ 		vprintf("Getting next EFI_SIGNATURE_LIST\n");
+ 		efi_guid_t type;
+ 		esl_get_type(iter, &type);
+-		if (iter->len - iter->offset > iter->esl->SignatureListSize) {
++		if (iter->len - iter->offset < iter->esl->SignatureListSize) {
+ 			warnx("EFI Signature List is malformed");
+ 			errx(1, "list has %zd bytes left, element is %"PRIu32" bytes",
+ 			     iter->len - iter->offset,
+-- 
+2.29.2
+
diff --git a/SOURCES/dbxtool-8-ccldflags.patch b/SOURCES/dbxtool-8-ccldflags.patch
new file mode 100644
index 0000000..099f9a6
--- /dev/null
+++ b/SOURCES/dbxtool-8-ccldflags.patch
@@ -0,0 +1,45 @@
+From f229181c015f7353602e6b32e6ed61f9b47480ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20=C5=A0abata?= <contyk@redhat.com>
+Date: Thu, 12 Apr 2018 12:58:51 +0200
+Subject: [PATCH] Respect environment CCLDFLAGS
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Allow passing custom flags for the linker.
+
+Signed-off-by: Petr Šabata <contyk@redhat.com>
+---
+ Make.defaults | 2 +-
+ src/Makefile  | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 9bfa5b2..1030be9 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -14,7 +14,7 @@ BUILDFLAGS = $(CFLAGS) -fPIC -fshort-wchar -fno-strict-aliasing \
+ 		--param=ssp-buffer-size=4 -fexceptions
+ ASFLAGS    =
+ LDFLAGS	   = -nostdlib
+-CCLDFLAGS  = -shared
++CCLDFLAGS += -shared
+ INSTALL	   = install
+ COMPILER  ?=
+ 
+diff --git a/src/Makefile b/src/Makefile
+index 1a6277a..669bfab 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -6,7 +6,7 @@ include $(TOPDIR)/Make.defaults
+ PKLIBS = efivar
+ LIBS = popt
+ LDFLAGS =
+-CCLDFLAGS = $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
++CCLDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
+ BUILDFLAGS += $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib)))
+ 
+ TARGETS = dbxtool
+-- 
+2.17.0
+
diff --git a/SPECS/dbxtool.spec b/SPECS/dbxtool.spec
new file mode 100644
index 0000000..00edfc4
--- /dev/null
+++ b/SPECS/dbxtool.spec
@@ -0,0 +1,144 @@
+Name:           dbxtool
+Version:        8
+Release:        5%{?dist}.2
+Summary:        Secure Boot DBX updater
+License:        GPLv2
+URL:            https://github.com/vathpela/dbxtool
+ExclusiveArch:  i386 x86_64 aarch64
+BuildRequires:  popt-devel git systemd
+BuildRequires:  efivar-devel >= 31-3
+Requires:       efivar >= 31-3
+Requires(post): systemd
+Requires(preun):systemd
+Source0:        https://github.com/vathpela/dbxtool/releases/download/dbxtool-%{version}/dbxtool-%{version}.tar.bz2
+Patch0000:      %{name}-8-ccldflags.patch
+Patch0001:      0001-don-t-use-f-in-dbxtool.service.patch
+Patch0002:      0002-Make-quiet-exit-on-missing-PK-KEK-not-return-error-s.patch
+Patch0003:      0003-fix-relop-in-esl_iter_next.patch
+
+%description
+This package contains DBX updates for UEFI Secure Boot.
+
+%prep
+%setup -q -n %{name}-%{version}
+git init
+git config user.email "%{name}-owner@fedoraproject.org"
+git config user.name "Fedora Ninjas"
+git add .
+git commit -a -q -m "%{version} baseline."
+git am %{patches} </dev/null
+git config --unset user.email
+git config --unset user.name
+
+%build
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} CFLAGS="$RPM_OPT_FLAGS" CCLDFLAGS="%{__global_ldflags}"
+
+%install
+rm -rf $RPM_BUILD_ROOT
+mkdir -p %{buildroot}/%{_libdir}
+make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \
+        install
+rm -f %{buildroot}/%{_docdir}/%{name}/COPYING
+
+%post
+%systemd_post dbxtool.service
+
+%preun
+%systemd_preun dbxtool.service
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%{_bindir}/dbxtool
+%doc %{_mandir}/man1/*
+%dir %{_datadir}/dbxtool/
+%{_datadir}/dbxtool/*.bin
+%{_unitdir}/dbxtool.service
+
+%changelog
+* Wed Jan 20 2021 Jan Hlavac <jhlavac@redhat.com> - 8-5.el8_3.2
+- Enable manual gating
+  Related: rhbz#1681753
+  Related: rhbz#1912474
+
+* Fri Jan 15 2021 Javier Martinez Canillas <javierm@redhat.com> - 8-5.el8_3.1
+- Fix 'EFI Signature List is malformed' error (lersek)
+  Resolves: rhbz#1912474
+
+* Thu Apr 12 2018 Petr Šabata <contyk@redhat.com> - 8-5
+- Fix build flags injection (rhbz#1548123)
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Oct 23 2017 Peter Jones <pjones@redhat.com> - 8-3
+- Also don't return error if we're using --quiet and PK/KEK are absent.
+  Resolves: rhbz#1489942
+
+* Thu Oct 19 2017 Peter Jones <pjones@redhat.com> - 8-2
+- Don't use -f in dbxtool.service; that'll make it do the thing we're
+  trying to avoid.
+  Resolves: rhbz#1489942
+
+* Wed Oct 18 2017 Peter Jones <pjones@redhat.com> - 8-1
+- Update to dbxtool 8
+- Make a "make coverity" rule to scan the source
+  Results at: https://scan.coverity.com/projects/rhboot-dbxtool
+- Don't try to apply anything if PK and KEK aren't enrolled
+- Add --force and --quiet for the PK/KEK checker, and use them in the
+  systemd service.
+  Resolves: rhbz#1489942
+- Add a .syntastic_c_config for vim's Syntastic modules
+- Use tsearch()/tfind()/tdestroy() from libc instead of ccan htables
+- Don't open the dbx file with O_RDWR|O_CREAT, use O_RDONLY.
+- Lots of minor bug fixes gcc -Wextra and friends found.
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Sat Jul 08 2017 Peter Jones <pjones@redhat.com> - 7-4
+- Rebuild for efivar-31-1.fc26
+  Related: rhbz#1468841
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Aug 17 2016 Peter Jones <pjones@redhat.com> - 7-2
+- Rebuild for newer efivar.
+
+* Wed Aug 10 2016 Peter Jones <pjones@redhat.com> - 7-1
+- Update to version 7
+- Add new dbxupdate.bin for CVE-2016-3320 and
+  https://support.microsoft.com/en-us/kb/3179577
+
+* Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.6-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Feb 23 2015 Peter Jones <pjones@redhat.com> - 0.6-4
+- Zbigniew Jędrzejewski-Szmek was kind enough to audit the systemd service,
+  and had some suggestions, as did Harald Hoyer and Lennart Poettering.
+  Related: rhbz#1181568
+
+* Tue Dec 09 2014 Peter Jones <pjones@redhat.com> - 0.6-3
+- Add systemd scriptlets for the service.
+
+* Thu Oct 09 2014 Peter Jones <pjones@redhat.com> - 0.6-2
+- Require efivar >= 0.14-1 specifically.
+
+* Wed Oct 08 2014 Peter Jones <pjones@redhat.com> - 0.6-1
+- Update to 0.6
+- make "dbxtool -l" correctly show not-well-known guids.
+
+* Tue Oct 07 2014 Peter Jones <pjones@redhat.com> - 0.5-1
+- Update to 0.5:
+- make applying to dbx when it doesn't exist work (lersek)
+- make displaying KEK work right
+
+* Wed Aug 20 2014 Peter Jones <pjones@redhat.com> - 0.4-1
+- First packaging attempt.