diff --git a/.fwupd.metadata b/.fwupd.metadata
index 1150ab3..754037f 100644
--- a/.fwupd.metadata
+++ b/.fwupd.metadata
@@ -1,2 +1,8 @@
-c152547682cb354b69e4e1a89b53369dd42f3e53 SOURCES/fwupd-1.4.2.tar.xz
-6991b6879b438a4672e97c534d10737bc54e6f39 SOURCES/libjcat-0.1.2.tar.xz
+b2620c36bd23ca699567fd4e4add039ee4375247 SOURCES/DBXUpdate-20100307-x64.cab
+dfdb1d0d42c1563ca63bd45c7e2ddc48cbfc5023 SOURCES/DBXUpdate-20140413-x64.cab
+a5f73c606abb93bf61625e4628d27a2cd460f162 SOURCES/DBXUpdate-20160809-x64.cab
+b5b2dc87daca1d3f8081a323290432c141aa405d SOURCES/DBXUpdate-20200729-aa64.cab
+3fb407561768a3a2f5fb49d7738b5e0650e70810 SOURCES/DBXUpdate-20200729-ia32.cab
+89db93c9d9d20f81791a262e817b99d8882c8bb0 SOURCES/DBXUpdate-20200729-x64.cab
+acaf6614e6a7af7014c1697b7c440ef0c394a2f6 SOURCES/fwupd-1.5.5.tar.xz
+e01a97b6d16a188a43cb25caa42cdf9771803531 SOURCES/libjcat-0.1.5.tar.xz
diff --git a/.gitignore b/.gitignore
index 76f5375..01113d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
-SOURCES/fwupd-1.4.2.tar.xz
-SOURCES/libjcat-0.1.2.tar.xz
+SOURCES/DBXUpdate-20100307-x64.cab
+SOURCES/DBXUpdate-20140413-x64.cab
+SOURCES/DBXUpdate-20160809-x64.cab
+SOURCES/DBXUpdate-20200729-aa64.cab
+SOURCES/DBXUpdate-20200729-ia32.cab
+SOURCES/DBXUpdate-20200729-x64.cab
+SOURCES/fwupd-1.5.5.tar.xz
+SOURCES/libjcat-0.1.5.tar.xz
diff --git a/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch b/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
deleted file mode 100644
index 0b6517e..0000000
--- a/SOURCES/0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch
+++ /dev/null
@@ -1,114 +0,0 @@
-From 839b89f45a38b2373bf5836337a33f450aaab72e Mon Sep 17 00:00:00 2001
-From: Richard Hughes
-Date: Thu, 28 May 2020 10:41:23 +0100
-Subject: [PATCH] Validate that gpgme_op_verify_result() returned at least one
- signature
-
-If a detached signature is actually a PGP message, gpgme_op_verify() returns
-the rather perplexing GPG_ERR_NO_ERROR, and then gpgme_op_verify_result()
-builds an empty list.
-
-Explicitly check for no signatures present to avoid returning a JcatResult with
-no timestamp and an empty authority.
-
-Many thanks to Justin Steven for the discovery and
-coordinated disclosure of this issue. Fixes CVE-2020-10759
----
- libjcat/jcat-gpg-engine.c | 7 +++++
- libjcat/jcat-self-test.c | 55 +++++++++++++++++++++++++++++++++++++++
- 2 files changed, 62 insertions(+)
-
-diff --git libjcat/jcat-gpg-engine.c libjcat/jcat-gpg-engine.c
-index 0812a62..bd44dba 100644
---- libjcat/jcat-gpg-engine.c
-+++ libjcat/jcat-gpg-engine.c
-@@ -267,6 +267,13 @@ jcat_gpg_engine_pubkey_verify (JcatEngine *engine,
- "no result record from libgpgme");
- return NULL;
- }
-+ if (result->signatures == NULL) {
-+ g_set_error_literal (error,
-+ G_IO_ERROR,
-+ G_IO_ERROR_FAILED,
-+ "no signatures from libgpgme");
-+ return NULL;
-+ }
-
- /* look at each signature */
- for (s = result->signatures; s != NULL ; s = s->next ) {
-diff --git libjcat/jcat-self-test.c libjcat/jcat-self-test.c
-index d79a3a9..fd4295e 100644
---- libjcat/jcat-self-test.c
-+++ libjcat/jcat-self-test.c
-@@ -393,6 +393,60 @@ jcat_gpg_engine_func (void)
- #endif
- }
-
-+static void
-+jcat_gpg_engine_msg_func (void)
-+{
-+#ifdef ENABLE_GPG
-+ g_autofree gchar *fn = NULL;
-+ g_autofree gchar *pki_dir = NULL;
-+ g_autoptr(GBytes) data = NULL;
-+ g_autoptr(GBytes) data_sig = NULL;
-+ g_autoptr(GError) error = NULL;
-+ g_autoptr(JcatContext) context = jcat_context_new ();
-+ g_autoptr(JcatEngine) engine = NULL;
-+ g_autoptr(JcatResult) result = NULL;
-+ const gchar *sig =
-+ "-----BEGIN PGP MESSAGE-----\n"
-+ "owGbwMvMwMEovmZX76/pfOKMp0WSGOLOX3/ikZqTk6+jUJ5flJOiyNXJaMzCwMjB\n"
-+ "ICumyCJmt5VRUil28/1+z1cwbaxMID0MXJwCMJG4RxwMLUYXDkUad34I3vrT8+X2\n"
-+ "m+ZyHyMWnTiQYaQb/eLJGqbiAJc5Jr4a/PPqHNi7auwzGsKsljebabjtnJRzpDr0\n"
-+ "YvwrnmmWLJUnTzjM3MH5Kn+RzqXkywsYdk9yD2OUdLy736CiemFMdcuF02lOZvPU\n"
-+ "HaTKl76wW62QH8Lr8yGMQ1Xgc6nC2ZwUhvctky7NOZtc1T477uBTL81p31ZmaIUJ\n"
-+ "paS8uWZl8UzX5sFsqQi37G1TbDc8Cm+oU/yRkFj2pLBzw367ncsa4n7EqEWu1yrN\n"
-+ "yD39LUeErePdqfKCG+xhL6WkWt5ZJ/6//XnjouXhl5Z4tWspT49MtNp5d3aDQ43c\n"
-+ "mnbresn6A7KMZgdOiwIA\n"
-+ "=a9ui\n"
-+ "-----END PGP MESSAGE-----\n";
-+
-+ /* set up context */
-+ jcat_context_set_keyring_path (context, "/tmp/libjcat-self-test/var");
-+ pki_dir = g_test_build_filename (G_TEST_DIST, "pki", NULL);
-+ jcat_context_add_public_keys (context, pki_dir);
-+
-+ /* get engine */
-+ engine = jcat_context_get_engine (context, JCAT_BLOB_KIND_GPG, &error);
-+ g_assert_no_error (error);
-+ g_assert_nonnull (engine);
-+ g_assert_cmpint (jcat_engine_get_kind (engine), ==, JCAT_BLOB_KIND_GPG);
-+ g_assert_cmpint (jcat_engine_get_verify_kind (engine), ==, JCAT_ENGINE_VERIFY_KIND_SIGNATURE);
-+
-+ /* verify with GnuPG, which should fail as the signature is not a
-+ * detached signature at all, but gnupg stabs us in the back by returning
-+ * success from gpgme_op_verify() with an empty list of signatures */
-+ fn = g_test_build_filename (G_TEST_DIST, "colorhug", "firmware.bin", NULL);
-+ data = jcat_get_contents_bytes (fn, &error);
-+ g_assert_no_error (error);
-+ g_assert_nonnull (data);
-+ data_sig = g_bytes_new_static (sig, strlen (sig));
-+ result = jcat_engine_pubkey_verify (engine, data, data_sig,
-+ JCAT_VERIFY_FLAG_NONE, &error);
-+ g_assert_error (error, G_IO_ERROR, G_IO_ERROR_FAILED);
-+ g_assert_null (result);
-+#else
-+ g_test_skip ("no GnuPG support enabled");
-+#endif
-+}
-+
- static void
- jcat_pkcs7_engine_func (void)
- {
-@@ -753,6 +807,7 @@ main (int argc, char **argv)
- g_test_add_func ("/jcat/engine{sha1}", jcat_sha1_engine_func);
- g_test_add_func ("/jcat/engine{sha256}", jcat_sha256_engine_func);
- g_test_add_func ("/jcat/engine{gpg}", jcat_gpg_engine_func);
-+ g_test_add_func ("/jcat/engine{gpg-msg}", jcat_gpg_engine_msg_func);
- g_test_add_func ("/jcat/engine{pkcs7}", jcat_pkcs7_engine_func);
- g_test_add_func ("/jcat/engine{pkcs7-self-signed}", jcat_pkcs7_engine_self_signed_func);
- g_test_add_func ("/jcat/context{verify-blob}", jcat_context_verify_blob_func);
---
-2.26.2
-
diff --git a/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch b/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
deleted file mode 100644
index 5760044..0000000
--- a/SOURCES/0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From d7a1eb17bef650f13e7f96430f99294c36a40806 Mon Sep 17 00:00:00 2001
-From: Vincent Huang
-Date: Tue, 19 May 2020 13:09:28 +0800
-Subject: [PATCH] synaptics-prometheus: Force the minor version from 0x02 to
- 0x01 to make sure the devices can be updated back to 0x01.
-
----
- plugins/synaptics-prometheus/fu-synaprom-device.c | 8 ++++++++
- 1 file changed, 8 insertions(+)
-
-diff --git plugins/synaptics-prometheus/fu-synaprom-device.c plugins/synaptics-prometheus/fu-synaprom-device.c
-index 5a19203c..299ebde2 100644
---- a/plugins/synaptics-prometheus/fu-synaprom-device.c
-+++ b/plugins/synaptics-prometheus/fu-synaprom-device.c
-@@ -142,6 +142,14 @@ fu_synaprom_device_set_version (FuSynapromDevice *self,
- {
- g_autofree gchar *str = NULL;
-
-+ /* We decide to skip 10.02.xxxxxx firmware, so we force the minor version from 0x02
-+ ** to 0x01 to make the devices with 0x02 minor version firmware allow to be updated
-+ ** back to minor version 0x01. */
-+ if (vmajor == 0x0a && vminor == 0x02) {
-+ g_debug ("quirking vminor from %02x to 01", vminor);
-+ vminor = 0x01;
-+ }
-+
- /* set display version */
- str = g_strdup_printf ("%02u.%02u.%u", vmajor, vminor, buildnum);
- fu_device_set_version (FU_DEVICE (self), str);
---
-2.26.2
-
diff --git a/SOURCES/centos-ca-secureboot.der b/SOURCES/centos-ca-secureboot.der
deleted file mode 100644
index 44a2563..0000000
Binary files a/SOURCES/centos-ca-secureboot.der and /dev/null differ
diff --git a/SOURCES/centossecureboot001.der b/SOURCES/centossecureboot001.der
deleted file mode 100644
index e8216b1..0000000
Binary files a/SOURCES/centossecureboot001.der and /dev/null differ
diff --git a/SOURCES/centossecureboot203.der b/SOURCES/centossecureboot203.der
deleted file mode 100644
index 5df41c2..0000000
Binary files a/SOURCES/centossecureboot203.der and /dev/null differ
diff --git a/SOURCES/centossecurebootca2.der b/SOURCES/centossecurebootca2.der
deleted file mode 100644
index 42bdfcf..0000000
Binary files a/SOURCES/centossecurebootca2.der and /dev/null differ
diff --git a/SOURCES/deps.patch b/SOURCES/deps.patch
new file mode 100644
index 0000000..af718e1
--- /dev/null
+++ b/SOURCES/deps.patch
@@ -0,0 +1,39 @@
+diff --git meson.build meson.build
+index 02a93f57..93f77e62 100644
+--- meson.build
++++ meson.build
+@@ -206,7 +206,7 @@ else
+ gudev = dependency('', required : false)
+ endif
+ libxmlb = dependency('xmlb', version : '>= 0.1.13', fallback : ['libxmlb', 'libxmlb_dep'])
+-gusb = dependency('gusb', version : '>= 0.3.5', fallback : ['gusb', 'gusb_dep'])
++gusb = dependency('gusb', version : '>= 0.3.0', fallback : ['gusb', 'gusb_dep'])
+ sqlite = dependency('sqlite3')
+ libarchive = dependency('libarchive')
+ endif
+diff --git plugins/cros-ec/fu-cros-ec-usb-device.c plugins/cros-ec/fu-cros-ec-usb-device.c
+index 5bf6f7e1..79a29b2d 100644
+--- plugins/cros-ec/fu-cros-ec-usb-device.c
++++ plugins/cros-ec/fu-cros-ec-usb-device.c
+@@ -109,6 +109,7 @@ static gboolean
+ fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
+ GError **error)
+ {
++#if G_USB_CHECK_VERSION(0,3,3)
+ GUsbDevice *usb_device = fu_usb_device_get_dev (device);
+ FuCrosEcUsbDevice *self = FU_CROS_EC_USB_DEVICE (device);
+ g_autoptr(GPtrArray) intfs = NULL;
+@@ -142,6 +143,13 @@ fu_cros_ec_usb_device_find_interface (FuUsbDevice *device,
+ FWUPD_ERROR_NOT_FOUND,
+ "no update interface found");
+ return FALSE;
++#else
++ g_set_error_literal (error,
++ FWUPD_ERROR,
++ FWUPD_ERROR_NOT_SUPPORTED,
++ "this version of GUsb is not supported");
++ return FALSE;
++#endif
+ }
+
+ static gboolean
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer
new file mode 100644
index 0000000..4ff8b79
Binary files /dev/null and b/SOURCES/redhatsecureboot301.cer differ
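Review bot: The meson floor is lowered to `gusb >= 0.3.0`, but the spec keeps `%global libgusb_version 0.2.11` for its `libgusb-devel` BuildRequires, so a buildroot carrying an older GUsb satisfies the RPM dependency and only fails later at meson configure; setting the macro to `0.3.0` would keep the two in step. With GUsb older than 0.3.3 the `#else` arm makes fu_cros_ec_usb_device_find_interface() always return FALSE with FWUPD_ERROR_NOT_SUPPORTED, yet libfu_plugin_cros_ec.so is still listed in %files, so the plugin ships without being usable. A comment above `Patch4: deps.patch` saying which GUsb version the patch works around and when it can be dropped would help the next rebase. The function body lies partly outside the inner hunks.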
diff --git a/SOURCES/redhatsecureboot503.cer b/SOURCES/redhatsecureboot503.cer new file mode 100644 index 0000000..50e375c Binary files /dev/null and b/SOURCES/redhatsecureboot503.cer differ diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer new file mode 100644 index 0000000..b235400 Binary files /dev/null and b/SOURCES/redhatsecurebootca3.cer differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SPECS/fwupd.spec b/SPECS/fwupd.spec index caca4dc..87c672d 100644 --- a/SPECS/fwupd.spec +++ b/SPECS/fwupd.spec @@ -1,12 +1,20 @@ %global glib2_version 2.45.8 %global libxmlb_version 0.1.3 %global libgusb_version 0.2.11 -%global libsoup_version 2.51.92 +%global libcurl_version 7.61.0 %global systemd_version 231 %global json_glib_version 1.1.1 %global __meson_wrap_mode default +# although we ship a few tiny python files these are utilities that 99.99% +# of users do not need -- use this to avoid dragging python onto CoreOS +%global __requires_exclude ^%{python3}$ + +# PPC64 is too slow to complete the tests under 3 minutes... +%ifnarch ppc64le %global enable_tests 1 +%endif + %global enable_dummy 1 # fwupd.efi is only available on these arches @@ -14,9 +22,8 @@ %global have_uefi 1 %endif -# redfish is only available on this arch -%ifarch x86_64 -%global have_redfish 1 +%ifarch i686 x86_64 +%global have_msr 1 %endif # libsmbios is only available on x86 
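Review bot: `%global __requires_exclude ^%{python3}$` depends on a `%{python3}` macro, whereas the shebang rewrite in %prep uses `%{__python3}`; if `%{python3}` is not defined in the build environment the pattern stays a literal string and filters nothing, so the python dependency the comment wants to avoid would still be generated. `%global __requires_exclude ^%{__python3}$` names the same interpreter path the shebangs are rewritten to. The `%ifnarch ppc64le` guard also means the self tests no longer run on that architecture at all; raising the test timeout instead would keep that coverage, if the build system allows it.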
@@ -31,23 +38,29 @@ Summary: Firmware update daemon Name: fwupd -Version: 1.4.2 -Release: 4%{?dist} +Version: 1.5.5 +Release: 1%{?dist} License: LGPLv2+ URL: https://github.com/fwupd/fwupd Source0: http://people.freedesktop.org/~hughsient/releases/%{name}-%{version}.tar.xz -Source1: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.2.tar.xz +Source1: http://people.freedesktop.org/~hughsient/releases/libjcat-0.1.5.tar.xz + +Source10: http://people.redhat.com/rhughes/dbx/DBXUpdate-20100307-x64.cab +Source11: http://people.redhat.com/rhughes/dbx/DBXUpdate-20140413-x64.cab +Source12: http://people.redhat.com/rhughes/dbx/DBXUpdate-20160809-x64.cab +Source13: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-aa64.cab +Source14: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-ia32.cab +Source15: http://people.redhat.com/rhughes/dbx/DBXUpdate-20200729-x64.cab # these are numbered high just to keep them wildly away from colliding with # the real package sources, in order to reduce churn. -Source300: centos-ca-secureboot.der -Source301: centossecureboot001.der -Source500: centossecurebootca2.der -Source503: centossecureboot203.der +Source300: redhatsecurebootca3.cer +Source301: redhatsecureboot301.cer +Source500: redhatsecurebootca5.cer +Source503: redhatsecureboot503.cer -Patch1: 0001-synaptics-prometheus-Force-the-minor-version-from-0x.patch Patch2: 0001-Do-not-use-the-LVFS.patch -Patch3: 0001-Validate-that-gpgme_op_verify_result-returned-at-lea.patch +Patch4: deps.patch BuildRequires: efi-srpm-macros BuildRequires: gettext 
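Review bot: Removing `Patch3` drops the CVE-2020-10759 fix from the packaging without any record of why; presumably the bundled libjcat 0.1.5 tarball already contains the `result->signatures == NULL` check, but neither a comment here nor the new changelog entry says so, and that should be confirmed and noted. The new `Source10` to `Source15` DBX cabinets are referenced over plain `http://`, like Source0 and Source1, so anyone refreshing the sources depends entirely on the 40-hex-digit digests in .fwupd.metadata; `https://` URLs should be used if the hosts serve them. The hunk also swaps the CentOS Secure Boot certificates for Red Hat ones in Source300 to Source503, which the changelog does not mention either.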
@@ -56,11 +69,12 @@ BuildRequires: libxmlb-devel >= %{libxmlb_version} BuildRequires: libgcab1-devel BuildRequires: libgudev1-devel BuildRequires: libgusb-devel >= %{libgusb_version} -BuildRequires: libsoup-devel >= %{libsoup_version} +BuildRequires: libcurl-devel >= %{libcurl_version} BuildRequires: polkit-devel >= 0.103 BuildRequires: sqlite-devel BuildRequires: gpgme-devel BuildRequires: systemd >= %{systemd_version} +BuildRequires: systemd-devel BuildRequires: libarchive-devel BuildRequires: gobject-introspection-devel BuildRequires: gcab @@ -79,19 +93,12 @@ BuildRequires: vala BuildRequires: python3-devel BuildRequires: bash-completion BuildRequires: git-core -%if 0%{?have_flashrom} -BuildRequires: flashrom-devel >= 1.2-2 -%endif %if 0%{?have_modem_manager} BuildRequires: ModemManager-glib-devel >= 1.10.0 BuildRequires: libqmi-devel >= 1.22.0 %endif -%if 0%{?have_redfish} -BuildRequires: efivar-devel >= 33 -%endif - %if 0%{?have_uefi} BuildRequires: efivar-devel >= 33 BuildRequires: python3 python3-cairo python3-gobject python3-pillow @@ -116,7 +123,6 @@ Requires(postun): systemd Requires: glib2%{?_isa} >= %{glib2_version} Requires: libxmlb%{?_isa} >= %{libxmlb_version} Requires: libgusb%{?_isa} >= %{libgusb_version} -Requires: libsoup%{?_isa} >= %{libsoup_version} Requires: bubblewrap Requires: shared-mime-info @@ -124,7 +130,13 @@ Obsoletes: fwupd-sign < 0.1.6 Obsoletes: libebitdo < 0.7.5-3 Obsoletes: libdfu < 1.0.0 Obsoletes: fwupd-labels < 1.1.0-1 -Obsoletes: fwupdate +Obsoletes: fwupdate < 13 + +Obsoletes: dbxtool < 9 +Provides: dbxtool + +# optional, but a really good idea +Recommends: udisks2 %description fwupd is a daemon to allow session software to update device firmware. 
@@ -147,15 +159,11 @@ Data files for installed tests. %prep %setup -q %patch2 -p1 -b .lvfs-disabled +%patch4 -p0 -b .deps mkdir -p subprojects/libjcat tar xfvs %{SOURCE1} -C subprojects/libjcat --strip-components=1 -# apply patch to subproject -cd subprojects/libjcat -%patch3 -p0 -b .gpgme-parsing -cd - - sed -ri '1s=^#!/usr/bin/(env )?python3=#!%{__python3}=' \ contrib/ci/*.py \ contrib/firmware_packager/*.py \ @@ -176,7 +184,7 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %meson \ -Dgtkdoc=true \ -Defi_os_dir=%{efi_vendor} \ - -Dplugin_tpm=false \ + -Dsupported_build=true \ -Dlibjcat:gtkdoc=false \ -Dlibjcat:introspection=false \ -Dlibjcat:tests=false \ @@ -190,23 +198,21 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %else -Dplugin_dummy=false \ %endif -%if 0%{?have_flashrom} - -Dplugin_flashrom=true \ -%else -Dplugin_flashrom=false \ -%endif - -Dplugin_thunderbolt=true \ -%if 0%{?have_redfish} - -Dplugin_redfish=true \ +%if 0%{?have_msr} + -Dplugin_msr=true \ %else - -Dplugin_redfish=false \ + -Dplugin_msr=false \ %endif + -Dplugin_thunderbolt=true \ %if 0%{?have_uefi} - -Dplugin_uefi=true \ - -Dplugin_nvme=true \ + -Dplugin_uefi_capsule=true \ + -Dplugin_uefi_pk=false \ + -Dtpm=false \ %else - -Dplugin_uefi=false \ - -Dplugin_nvme=false \ + -Dplugin_uefi_capsule=false \ + -Dplugin_uefi_pk=false \ + -Dtpm=false \ %endif %if 0%{?have_dell} -Dplugin_dell=true \ @@ -232,6 +238,10 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %install %meson_install +# on RHEL the LVFS is disabled by default +mkdir -p %{buildroot}/%{_datadir}/dbxtool +install %{SOURCE10} %{SOURCE11} %{SOURCE12} %{SOURCE13} %{SOURCE14} %{SOURCE15} %{buildroot}/%{_datadir}/dbxtool + # sign fwupd.efi loader %if 0%{?have_uefi} %ifarch x86_64 
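Review bot: `-Dplugin_uefi_pk=false \` and `-Dtpm=false \` are now repeated in both arms of `%if 0%{?have_uefi}`, so only `-Dplugin_uefi_capsule` actually differs; moving the two shared flags above the conditional makes that obvious. `-Dplugin_nvme` and `-Dplugin_redfish` are no longer passed at all, so those plugins now follow the upstream meson defaults on every architecture while %files lists both unconditionally; a short comment stating that this is intended would help.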
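Review bot: `install` is called without `-m` in the %install hunk, so the six DBXUpdate cabinets land in `%{_datadir}/dbxtool` with the default executable mode; `install -p -m 0644 …` is the usual form for data files. The comment `# on RHEL the LVFS is disabled by default` gives the motivation but not what the lines do; something like `# ship the dbx updates locally, as the LVFS remote is disabled on RHEL` reads better.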
@@ -241,8 +251,8 @@ export RHEL_ALLOW_PYTHON2_FOR_BUILD=1 %global efiarch aa64 %endif %global fwup_efi_fn $RPM_BUILD_ROOT%{_libexecdir}/fwupd/efi/fwupd%{efiarch}.efi -%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n centossecureboot001 -%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n centossecureboot203 +%pesign -s -i %{fwup_efi_fn} -o %{fwup_efi_fn}.tmp -a %{SOURCE300} -c %{SOURCE301} -n redhatsecureboot301 +%pesign -s -i %{fwup_efi_fn}.tmp -o %{fwup_efi_fn}.signed -a %{SOURCE500} -c %{SOURCE503} -n redhatsecureboot503 rm -fv %{fwup_efi_fn}.tmp %endif @@ -256,6 +266,11 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %post %systemd_post fwupd.service +# change vendor-installed remotes to use the default keyring type +for fn in /etc/fwupd/remotes.d/*.conf; + do sed -i 's/Keyring=gpg/#Keyring=pkcs/g' "$fn"; +done + %preun %systemd_preun fwupd.service @@ -266,18 +281,18 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %files -f %{name}.lang %doc README.md AUTHORS %license COPYING -%config(noreplace)%{_sysconfdir}/fwupd/ata.conf %config(noreplace)%{_sysconfdir}/fwupd/daemon.conf %config(noreplace)%{_sysconfdir}/fwupd/upower.conf %if 0%{?have_uefi} -%config(noreplace)%{_sysconfdir}/fwupd/uefi.conf +%config(noreplace)%{_sysconfdir}/fwupd/uefi_capsule.conf %endif -%if 0%{?have_redfish} %config(noreplace)%{_sysconfdir}/fwupd/redfish.conf -%endif %config(noreplace)%{_sysconfdir}/fwupd/thunderbolt.conf %dir %{_libexecdir}/fwupd %{_libexecdir}/fwupd/fwupd +%ifarch i686 x86_64 +%{_libexecdir}/fwupd/fwupd-detect-cet +%endif %{_libexecdir}/fwupd/fwupdoffline %if 0%{?have_uefi} %{_libexecdir}/fwupd/efi/*.efi @@ -285,6 +300,9 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %{_bindir}/fwupdate %endif %{_bindir}/dfu-tool +%if 0%{?have_uefi} +%{_bindir}/dbxtool +%endif %{_bindir}/fwupdmgr %{_bindir}/fwupdtool %{_bindir}/fwupdagent 
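Review bot: The new `%post` loop rewrites every `/etc/fwupd/remotes.d/*.conf` on each install and upgrade, including remotes an administrator added or edited and files packaged as `%config(noreplace)`, and the unanchored `s/Keyring=gpg/#Keyring=pkcs/g` also matches inside comments or longer values. This silently changes which signature type a remote's metadata is verified with, so the expression should be anchored, `sed -i 's/^Keyring=gpg$/#Keyring=pkcs/' "$fn"`, the loop should skip an unmatched glob with `[ -e "$fn" ] || continue`, and the sed call should end in `|| :` so a failure cannot fail the scriptlet. The replacement comments the key out rather than setting it, which the comment `use the default keyring type` implies but does not state; saying so explicitly, and recording the change in %changelog, would make the behaviour auditable.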
@@ -300,6 +318,9 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/vendor-directory.conf %config(noreplace)%{_sysconfdir}/pki/fwupd %{_sysconfdir}/pki/fwupd-metadata +%if 0%{?have_msr} +/usr/lib/modules-load.d/fwupd-msr.conf +%endif %{_datadir}/dbus-1/system.d/org.freedesktop.fwupd.conf %{_datadir}/bash-completion/completions/fwupdmgr %{_datadir}/bash-completion/completions/fwupdtool @@ -314,14 +335,24 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %{_datadir}/polkit-1/actions/org.freedesktop.fwupd.policy %{_datadir}/polkit-1/rules.d/org.freedesktop.fwupd.rules %{_datadir}/dbus-1/system-services/org.freedesktop.fwupd.service -%{_datadir}/man/man1/fwupdtool.1.gz -%{_datadir}/man/man1/fwupdagent.1.gz -%{_datadir}/man/man1/dfu-tool.1.gz -%{_datadir}/man/man1/fwupdmgr.1.gz +%dir %{_datadir}/dbxtool +%{_datadir}/dbxtool/DBXUpdate-20100307-x64.cab +%{_datadir}/dbxtool/DBXUpdate-20140413-x64.cab +%{_datadir}/dbxtool/DBXUpdate-20160809-x64.cab +%{_datadir}/dbxtool/DBXUpdate-20200729-aa64.cab +%{_datadir}/dbxtool/DBXUpdate-20200729-ia32.cab +%{_datadir}/dbxtool/DBXUpdate-20200729-x64.cab +%{_mandir}/man1/fwupdtool.1* +%{_mandir}/man1/fwupdagent.1* +%{_mandir}/man1/dfu-tool.1* %if 0%{?have_uefi} -%{_datadir}/man/man1/fwupdate.1.gz +%{_mandir}/man1/dbxtool.* %endif -%{_datadir}/man/man1/jcat-tool.1* +%{_mandir}/man1/fwupdmgr.1* +%if 0%{?have_uefi} +%{_mandir}/man1/fwupdate.1* +%endif +%{_mandir}/man1/jcat-tool.1* %{_datadir}/metainfo/org.freedesktop.fwupd.metainfo.xml %{_datadir}/icons/hicolor/scalable/apps/org.freedesktop.fwupd.svg %{_datadir}/fwupd/firmware_packager.py 
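Review bot: The DBXUpdate cabinets and `%dir %{_datadir}/dbxtool` are packaged on every architecture, while `%{_bindir}/dbxtool`, its man page and libfu_plugin_uefi_dbx.so are all inside `%if 0%{?have_uefi}`, so non-UEFI builds carry revocation lists that nothing installed can apply. Wrapping the seven entries (and the matching `install` line in %install) in the same `%if 0%{?have_uefi}` … `%endif` keeps the payload consistent. The man page glob `dbxtool.*` is also looser than the `.1*` pattern used for the other pages in this list.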
@@ -346,12 +377,16 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd /usr/lib/udev/rules.d/*.rules /usr/lib/systemd/system-shutdown/fwupd.shutdown %dir %{_libdir}/fwupd-plugins-3 +%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_dmar.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_acpi_facp.so %{_libdir}/fwupd-plugins-3/libfu_plugin_altos.so %{_libdir}/fwupd-plugins-3/libfu_plugin_amt.so %{_libdir}/fwupd-plugins-3/libfu_plugin_ata.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_bcm57xx.so %{_libdir}/fwupd-plugins-3/libfu_plugin_ccgx.so %{_libdir}/fwupd-plugins-3/libfu_plugin_colorhug.so %{_libdir}/fwupd-plugins-3/libfu_plugin_coreboot.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_cros_ec.so %{_libdir}/fwupd-plugins-3/libfu_plugin_csr.so %{_libdir}/fwupd-plugins-3/libfu_plugin_cpu.so %if 0%{?have_dell} 
@@ -361,25 +396,28 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %{_libdir}/fwupd-plugins-3/libfu_plugin_dell_dock.so %{_libdir}/fwupd-plugins-3/libfu_plugin_dfu.so %{_libdir}/fwupd-plugins-3/libfu_plugin_ebitdo.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_elantp.so %{_libdir}/fwupd-plugins-3/libfu_plugin_emmc.so %{_libdir}/fwupd-plugins-3/libfu_plugin_ep963x.so %{_libdir}/fwupd-plugins-3/libfu_plugin_fastboot.so -%if 0%{?have_flashrom} -%{_libdir}/fwupd-plugins-3/libfu_plugin_flashrom.so -%endif %{_libdir}/fwupd-plugins-3/libfu_plugin_fresco_pd.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_hailuck.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_iommu.so %{_libdir}/fwupd-plugins-3/libfu_plugin_jabra.so -%if 0%{?have_modem_manager} -%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_lockdown.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_sleep.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_swap.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_linux_tainted.so +%if 0%{?have_msr} +%{_libdir}/fwupd-plugins-3/libfu_plugin_msr.so %endif %{_libdir}/fwupd-plugins-3/libfu_plugin_nitrokey.so -%if 0%{?have_uefi} %{_libdir}/fwupd-plugins-3/libfu_plugin_nvme.so -%endif %{_libdir}/fwupd-plugins-3/libfu_plugin_optionrom.so -%if 0%{?have_redfish} +%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_bcr.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_pci_mei.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_pixart_rf.so %{_libdir}/fwupd-plugins-3/libfu_plugin_redfish.so -%endif %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hid.so %{_libdir}/fwupd-plugins-3/libfu_plugin_rts54hub.so %{_libdir}/fwupd-plugins-3/libfu_plugin_solokey.so 
@@ -397,9 +435,10 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %endif %{_libdir}/fwupd-plugins-3/libfu_plugin_thelio_io.so %{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt.so -%{_libdir}/fwupd-plugins-3/libfu_plugin_thunderbolt_power.so %if 0%{?have_uefi} -%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_bios.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_capsule.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_dbx.so %{_libdir}/fwupd-plugins-3/libfu_plugin_uefi_recovery.so %endif %{_libdir}/fwupd-plugins-3/libfu_plugin_logind.so @@ -408,10 +447,14 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %{_libdir}/fwupd-plugins-3/libfu_plugin_vli.so %{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_raw.so %{_libdir}/fwupd-plugins-3/libfu_plugin_wacom_usb.so +%{_libdir}/fwupd-plugins-3/libfu_plugin_goodixmoc.so %ghost %{_localstatedir}/lib/fwupd/gnupg %if 0%{?have_uefi} %{_datadir}/locale/*/LC_IMAGES/fwupd* %endif +%if 0%{?have_modem_manager} +%{_libdir}/fwupd-plugins-3/libfu_plugin_modem_manager.so +%endif %files devel %{_datadir}/gir-1.0/Fwupd-2.0.gir @@ -433,11 +476,22 @@ mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/cache/fwupd %{_datadir}/installed-tests/fwupd/*.test %{_datadir}/installed-tests/fwupd/*.cab %{_datadir}/installed-tests/fwupd/*.sh +%{_libexecdir}/installed-tests/fwupd/* %dir %{_sysconfdir}/fwupd/remotes.d %config(noreplace)%{_sysconfdir}/fwupd/remotes.d/fwupd-tests.conf %endif %changelog +* Mon Jan 11 2021 Richard Hughes 1.5.5-1 +- Rebase package to include support for latest OEM hardware and to + support deploying UEFI SecureBoot dbx updates. +- Resolves: #1870811 + +* Wed Dec 16 2020 Richard Hughes 1.5.4-1 +- Rebase package to include support for latest OEM hardware and to + support deploying UEFI SecureBoot dbx updates. +- Resolves: #1870811 + * Fri Jul 24 2020 Peter Jones - 1.4.2-4 - Add signing with redhatsecureboot503 cert Related: CVE-2020-10713