diff --git a/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch b/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch deleted file mode 100644 index 562398e..0000000 --- a/SOURCES/0001-Allow-aarch64-in-the-rhel-build-macros.patch +++ /dev/null @@ -1,28 +0,0 @@ -From b6572d6ed9c1a1d9b5584ee4307067d9264ca5da Mon Sep 17 00:00:00 2001 -From: "d.marlin" -Date: Wed, 27 Aug 2014 16:26:45 -0400 -Subject: [PATCH] Allow aarch64 in the rhel build macros. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 7faa4a1..39374ce 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -21,7 +21,9 @@ - # -a # rhel only - # -s # perform signing - %pesign(i:o:C:e:c:n:a:s) \ -- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ -+ if [ -x %{_pesign} ] && \\\ -+ [ "%{_target_cpu}" == "x86_64" -o \\\ -+ "%{_target_cpu}" == "aarch64" ]; then \ - if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ - nss=$(mktemp -p $PWD -d) \ - echo > ${nss}/pwfile \ --- -1.9.3 - diff --git a/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch b/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch deleted file mode 100644 index 36d7dda..0000000 --- a/SOURCES/0001-Build-as-PIE-RELRO-binaries.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From c40c25a50563c6d3a669475b9b6ff954706c98b1 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 2 Sep 2014 11:08:23 -0400 -Subject: [PATCH] Build as PIE+RELRO binaries. - -Resolves: rhbz#1092542 - -Signed-off-by: Peter Jones ---- - Make.defaults | 2 +- - libdpe/Makefile | 3 +++ - src/Makefile | 4 ++-- - 3 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/Make.defaults b/Make.defaults -index 0995e5b..5ff74ee 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -6,7 +6,7 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) - INCDIR = -I$(TOPDIR)/include - CPPFLAGS = -DCONFIG_$(ARCH) - CFLAGS = -g -O0 --BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function -+BUILDFLAGS := $(CFLAGS) $(ARCH3264) -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function - ASFLAGS = $(ARCH3264) - LDFLAGS = -nostdlib - CCLDFLAGS = -shared -diff --git a/libdpe/Makefile b/libdpe/Makefile -index 81d3c0b..a8b0c26 100644 ---- a/libdpe/Makefile -+++ b/libdpe/Makefile -@@ -5,6 +5,9 @@ SONAME = libdpe.so.0 - - include $(TOPDIR)/Make.defaults - -+BUILDFLAGS += -fPIC -+CCLDFLAGS += -fPIC -Wl,-z,relro,-z,now -+ - TARGETS = libdpe.so libdpe.a - all : $(TARGETS) - -diff --git a/src/Makefile b/src/Makefile -index e45d2a3..766ffe8 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -7,8 +7,8 @@ PKLIBS = nss - LIBS = popt - STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a - LDFLAGS = --CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) --BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -+CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now -+BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags 
$(pklib))) -Werror -fPIE - - TARGETS = pesign authvar client efisiglist efikeygen peverify - --- -1.9.3 - diff --git a/SOURCES/0001-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch b/SOURCES/0001-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch deleted file mode 100644 index ac6f413..0000000 --- a/SOURCES/0001-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From f209086af1f0e11b41fdfb24a64bd6fdc4420b2a Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 18 Mar 2014 11:41:18 -0400 -Subject: [PATCH] Changes to make sure we inherit CFLAGS properly from - rpmbuild. - -This makes sure we build with -fstack-protector-strong when invoked -correctly with it in CFLAGS="" from make. - -Signed-off-by: Peter Jones ---- - Make.defaults | 7 ++++--- - Make.efirules | 6 +++--- - Make.rules | 10 +++++----- - libdpe/pe_allocspace.c | 1 + - src/Makefile | 2 +- - src/efikeygen.c | 2 +- - util/Makefile | 2 +- - 10 files changed, 16 insertions(+), 14 deletions(-) - -diff --git a/Make.defaults b/Make.defaults -index e2c967b..0995e5b 100644 ---- a/Make.defaults -+++ b/Make.defaults -@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) - ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) - INCDIR = -I$(TOPDIR)/include - CPPFLAGS = -DCONFIG_$(ARCH) --CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -+CFLAGS = -g -O0 -+BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function - ASFLAGS = $(ARCH3264) - LDFLAGS = -nostdlib - CCLDFLAGS = -shared -@@ -21,7 +22,7 @@ RANLIB = $(bindir)ranlib - OBJCOPY = $(bindir)objcopy - - ifeq ($(ARCH),ia64) -- CFLAGS += -mfixed-range=f32-f127 -+ BUILDFLAGS += -mfixed-range=f32-f127 - LIBDIR = $(PREFIX)/lib64 - endif - -@@ -33,7 +34,7 @@ ifeq ($(ARCH), ia32) - endif - - ifeq ($(ARCH), x86_64) -- CFLAGS += -mno-red-zone -+ BUILDFLAGS += -mno-red-zone - LIBDIR := $(PREFIX)/lib64 - ifeq ($(HOSTARCH), ia32) - ARCH3264 := -m64 -diff --git a/Make.efirules b/Make.efirules -index 9aa4b5b..bed36b1 100644 ---- a/Make.efirules -+++ b/Make.efirules -@@ -6,10 +6,10 @@ - $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) - - %.o: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@ -+ $(CC) $(INCDIR) 
$(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@ - - %.S: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@ - - %.E: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@ -diff --git a/Make.rules b/Make.rules -index 999d717..2749521 100644 ---- a/Make.rules -+++ b/Make.rules -@@ -5,18 +5,18 @@ - $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread - - %.so : -- $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ - - %.o: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -c $< -o $@ - - .%.P : %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^ - - %.S: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -S $< -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -S $< -o $@ - - %.E: %.c -- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -E $< -o $@ -+ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -E $< -o $@ - - %.c : %.h -diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c -index 716373c..1f0f44a 100644 ---- a/libdpe/pe_allocspace.c -+++ b/libdpe/pe_allocspace.c -@@ -19,6 +19,7 @@ - - #include "libdpe.h" - -+#include - #include - #include - #include -diff --git a/src/Makefile b/src/Makefile -index f478aa6..e45d2a3 100644 ---- a/src/Makefile -+++ b/src/Makefile -@@ -8,7 +8,7 @@ LIBS = popt - STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a - LDFLAGS = - CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) --CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -+BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), 
$(shell pkg-config --cflags $(pklib))) -Werror - - TARGETS = pesign authvar client efisiglist efikeygen peverify - -diff --git a/src/efikeygen.c b/src/efikeygen.c -index ac27acc..45ee5c5 100644 ---- a/src/efikeygen.c -+++ b/src/efikeygen.c -@@ -333,7 +333,7 @@ populate_extensions(cms_context *cms, CERTCertificate *cert, - - oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); - -- for (int i; crq->attributes[i]; i++) { -+ for (int i = 0 ; crq->attributes[i]; i++) { - attr = crq->attributes[i]; - if (attr->attrType.len != oid->oid.len) - continue; -diff --git a/util/Makefile b/util/Makefile -index 1cf782c..ff11cb8 100644 ---- a/util/Makefile -+++ b/util/Makefile -@@ -7,7 +7,7 @@ FORMAT=efi-app-$(HOSTARCH) - LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) - LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) - CCLDFLAGS = --CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration -+BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration - - TARGETS = setupsb.efi dumpsb.efi clearpk.efi - --- -1.8.5.3 - diff --git a/SOURCES/0001-Fix-error-detected-by-coverity.patch b/SOURCES/0001-Fix-error-detected-by-coverity.patch deleted file mode 100644 index 0404ee0..0000000 --- a/SOURCES/0001-Fix-error-detected-by-coverity.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From 8beb32309aec95f1e367553bf5fa3e0a1ddf547d Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Fri, 25 Oct 2013 10:08:32 -0400 -Subject: [PATCH] Fix error detected by coverity. - -Signed-off-by: Peter Jones ---- - src/siglist.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/src/siglist.c b/src/siglist.c -index ca097e6..2080b98 100644 ---- a/src/siglist.c -+++ b/src/siglist.c -@@ -147,6 +147,8 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, - } - - struct efi_signature_data *sd = calloc(1, sl->SignatureSize); -+ if (!sd) -+ return -1; - memcpy(&sd->SignatureOwner, &owner, sizeof (owner)); - memcpy(sd->SignatureData, sig, sl->SignatureSize - - sizeof (efi_guid_t)); --- -1.8.3.1 - diff --git a/SOURCES/0001-Fix-some-man-page-errors.patch b/SOURCES/0001-Fix-some-man-page-errors.patch deleted file mode 100644 index 3696932..0000000 --- a/SOURCES/0001-Fix-some-man-page-errors.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From d5eb3d4a1e4eff14ef99aac1e805c06a1dafad2c Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 2 Sep 2014 11:27:58 -0400 -Subject: [PATCH] Fix some man page errors. - -Resolves: rhbz#948850 - -Signed-off-by: Peter Jones ---- - src/pesign-client.1 | 6 +++--- - src/pesign.1 | 17 ++++++++++++++--- - 2 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/src/pesign-client.1 b/src/pesign-client.1 -index bca4e88..e00c887 100644 ---- a/src/pesign-client.1 -+++ b/src/pesign-client.1 -@@ -42,15 +42,15 @@ When using \fB-\-unlock\fR, read the token's PIN from the file \fIpinfile\fR. - Sign the binary specified by \fIinfile\fR. - - .TP --\fB-\-detached\fR -+\fB-\-export\fR - When used with \fB-\-sign\fR, write the signature to \fIoutfile\fR. - - .TP --\fB-\-in\fR=\fIinfile\fR -+\fB-\-infile\fR=\fIinfile\fR - When used with \fB-\-sign\fR, specify the input binary. - - .TP --\fB-\-out\fR=\fIoutfile\fR -+\fB-\-outfile\fR=\fIoutfile\fR - When used with \fB-\-sign\fR, specify output file. If \fB-\-detached\fR - is specified, this will be a DER-formatted signature. Otherwise, the - output will be the signed PE binary. 
-diff --git a/src/pesign.1 b/src/pesign.1 -index f69984e..56732d4 100644 ---- a/src/pesign.1 -+++ b/src/pesign.1 -@@ -5,7 +5,8 @@ pesign \- command line tool for signing UEFI applications - .SH SYNOPSIS - \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR] - [--out=\fIoutfile\fR | -o \fIoutfile\fR] -- [--token=\fItoken\fR | -t \fItoken\fR] -+ [--certdir=\fIcertdir/fR | -n \fIcertdir\fR] -+ [--nss-token=\fItoken\fR | -t \fItoken\fR] - [--certificate=\fInickname\fR | -c \fInickname\fR] - [--force | -f] [--sign | -s] [--hash | -h] - [--digest_type=\fIdigest\fR | -d \fIdigest\fR] -@@ -13,6 +14,7 @@ pesign \- command line tool for signing UEFI applications - [--export-pubkey=\fIoutkey\fR | -K \fIoutkey\fR] - [--export-cert=\fIoutcert\fR | -C \fIoutcert\fR] - [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N] -+ [--signature-number=\fIsignum\fR | -u \fIsignum\fR] - - .SH DESCRIPTION - \fBpesign\fR is a command line tool for manipulating signatures and -@@ -28,7 +30,11 @@ Specify input binary. - Specify output binary. - - .TP --\fB-\-token\fR=\fItoken\fR -+\fB-\-certdir\fR=\fIcertdir\fR -+Specify nss certificate database directory. -+ -+.TP -+\fB-\-nss-token\fR=\fItoken\fR - Use the specified NSS token's certificate database. - - .TP -@@ -51,7 +57,8 @@ Display the cryptographic digest of the input binary on standard output. - .TP - \fB-\-digest_type\fR=\fIdigest\fR - Use the specified digest in hashing and signing operations. By default, --this value is "sha256". Use "--digest=help" to list the available digests. -+this value is "sha256". Use "--digest_type=help" to list the available -+digests. - - .TP - \fB-\-show-signature\fR -@@ -62,6 +69,10 @@ Show information about the signature of the input binary. - Remove the signature section from the binary. - - .TP -+\fB-\-signature-number\fR=\fIsignum\fR -+Specify which signature to operate on. This field is zero-indexed. 
-+ -+.TP - \fB-\-export-pubkey\fR=\fIoutkey\fR - Export the public key specified by --certificate to \fIoutkey\fR - --- -1.9.3 - diff --git a/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch b/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch deleted file mode 100644 index c218c5d..0000000 --- a/SOURCES/0001-One-more-tweak-for-RHEL-signing-rules.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 44d896bec9124d42e2ca2035e46599c446640ba3 Mon Sep 17 00:00:00 2001 -From: Peter Jones -Date: Tue, 29 Oct 2013 11:27:31 -0400 -Subject: [PATCH] One more tweak for RHEL signing rules. - -It never ends. - -Signed-off-by: Peter Jones ---- - src/macros.pesign | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/macros.pesign b/src/macros.pesign -index 143ef8e..7faa4a1 100644 ---- a/src/macros.pesign -+++ b/src/macros.pesign -@@ -22,7 +22,7 @@ - # -s # perform signing - %pesign(i:o:C:e:c:n:a:s) \ - if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ -- if [ "0%{?rhel}" -ge "7" ]; then \ -+ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ - nss=$(mktemp -p $PWD -d) \ - echo > ${nss}/pwfile \ - certutil -N -d ${nss} -f ${nss}/pwfile \ --- -1.8.3.1 - diff --git a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch index 6e2855f..c679215 100644 --- a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch +++ b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch @@ -1,7 +1,7 @@ -From 776e724687ebc2958ac6c78cd30e9d8b6a0c6eec Mon Sep 17 00:00:00 2001 +From c889e85273814fe0290d1fdd280e93214133d7c0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Thu, 24 Oct 2013 15:22:13 -0400 -Subject: [PATCH] Use the right signing method on the RHEL signing macro. +Subject: [PATCH 01/15] Use the right signing method on the RHEL signing macro. Signed-off-by: Peter Jones --- 
@@ -22,5 +22,5 @@ index 7f6e6ef..143ef8e 100644 --certdir ${nss} -c signer %{-o} \ rm -rf ${sattrs} ${sattrs}.sig ${nss} \ -- -1.8.3.1 +2.5.5 diff --git a/SOURCES/0002-Fix-error-detected-by-coverity.patch b/SOURCES/0002-Fix-error-detected-by-coverity.patch new file mode 100644 index 0000000..1da2914 --- /dev/null +++ b/SOURCES/0002-Fix-error-detected-by-coverity.patch @@ -0,0 +1,26 @@ +From cca5baa1797e5cee78a32ba444c0327bd316d7b1 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 25 Oct 2013 10:08:32 -0400 +Subject: [PATCH 02/15] Fix error detected by coverity. + +Signed-off-by: Peter Jones +--- + src/siglist.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/siglist.c b/src/siglist.c +index ca097e6..2080b98 100644 +--- a/src/siglist.c ++++ b/src/siglist.c +@@ -147,6 +147,8 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner, + } + + struct efi_signature_data *sd = calloc(1, sl->SignatureSize); ++ if (!sd) ++ return -1; + memcpy(&sd->SignatureOwner, &owner, sizeof (owner)); + memcpy(sd->SignatureData, sig, sl->SignatureSize - + sizeof (efi_guid_t)); +-- +2.5.5 + diff --git a/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch new file mode 100644 index 0000000..d85423f --- /dev/null +++ b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch 
@@ -0,0 +1,28 @@ +From d895607d9575600e6bbc13724caa704982540f8d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 29 Oct 2013 11:27:31 -0400 +Subject: [PATCH 03/15] One more tweak for RHEL signing rules. + +It never ends. + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 143ef8e..7faa4a1 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -22,7 +22,7 @@ + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ + if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ +- if [ "0%{?rhel}" -ge "7" ]; then \ ++ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ + nss=$(mktemp -p $PWD -d) \ + echo > ${nss}/pwfile \ + certutil -N -d ${nss} -f ${nss}/pwfile \ +-- +2.5.5 + diff --git a/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch new file mode 100644 index 0000000..4dcf54a --- /dev/null +++ b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch 
@@ -0,0 +1,152 @@ +From b328f6ede664d5c37ecbd957355a991862191ff9 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 18 Mar 2014 11:41:18 -0400 +Subject: [PATCH 04/15] Changes to make sure we inherit CFLAGS properly from + rpmbuild. + +This makes sure we build with -fstack-protector-strong when invoked +correctly with it in CFLAGS="" from make. + +Signed-off-by: Peter Jones +--- + Make.defaults | 7 ++++--- + Make.efirules | 6 +++--- + Make.rules | 10 +++++----- + libdpe/pe_allocspace.c | 1 + + src/Makefile | 2 +- + src/efikeygen.c | 2 +- + util/Makefile | 2 +- + 7 files changed, 16 insertions(+), 14 deletions(-) + +diff --git a/Make.defaults b/Make.defaults +index e2c967b..0995e5b 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[3456789]86,ia32,) + ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) + INCDIR = -I$(TOPDIR)/include + CPPFLAGS = -DCONFIG_$(ARCH) +-CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE ++CFLAGS = -g -O0 ++BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function + ASFLAGS = $(ARCH3264) + LDFLAGS = -nostdlib + CCLDFLAGS = -shared +@@ -21,7 +22,7 @@ RANLIB = $(bindir)ranlib + OBJCOPY = $(bindir)objcopy + + ifeq ($(ARCH),ia64) +- CFLAGS += -mfixed-range=f32-f127 ++ BUILDFLAGS += -mfixed-range=f32-f127 + LIBDIR = $(PREFIX)/lib64 + endif + +@@ -33,7 +34,7 @@ ifeq ($(ARCH), ia32) + endif + + ifeq ($(ARCH), x86_64) +- CFLAGS += -mno-red-zone ++ BUILDFLAGS += -mno-red-zone + LIBDIR := $(PREFIX)/lib64 + ifeq ($(HOSTARCH), ia32) + ARCH3264 := -m64 +diff --git a/Make.efirules b/Make.efirules +index 9aa4b5b..bed36b1 100644 +--- a/Make.efirules ++++ b/Make.efirules +@@ -6,10 +6,10 @@ + $(LD) $(LDFLAGS) -o $@ $^ $(LIBS) + + %.o: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@ ++ $(CC) $(INCDIR) 
$(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@ + + %.S: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@ + + %.E: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@ +diff --git a/Make.rules b/Make.rules +index 999d717..2749521 100644 +--- a/Make.rules ++++ b/Make.rules +@@ -5,18 +5,18 @@ + $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread + + %.so : +- $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@ + + %.o: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -c $< -o $@ + + .%.P : %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^ + + %.S: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -S $< -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -S $< -o $@ + + %.E: %.c +- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -E $< -o $@ ++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -E $< -o $@ + + %.c : %.h +diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c +index 716373c..1f0f44a 100644 +--- a/libdpe/pe_allocspace.c ++++ b/libdpe/pe_allocspace.c +@@ -19,6 +19,7 @@ + + #include "libdpe.h" + ++#include + #include + #include + #include +diff --git a/src/Makefile b/src/Makefile +index f478aa6..e45d2a3 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -8,7 +8,7 @@ LIBS = popt + STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a + LDFLAGS = + CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) +-CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror ++BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), 
$(shell pkg-config --cflags $(pklib))) -Werror + + TARGETS = pesign authvar client efisiglist efikeygen peverify + +diff --git a/src/efikeygen.c b/src/efikeygen.c +index ac27acc..45ee5c5 100644 +--- a/src/efikeygen.c ++++ b/src/efikeygen.c +@@ -333,7 +333,7 @@ populate_extensions(cms_context *cms, CERTCertificate *cert, + + oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST); + +- for (int i; crq->attributes[i]; i++) { ++ for (int i = 0 ; crq->attributes[i]; i++) { + attr = crq->attributes[i]; + if (attr->attrType.len != oid->oid.len) + continue; +diff --git a/util/Makefile b/util/Makefile +index 1cf782c..ff11cb8 100644 +--- a/util/Makefile ++++ b/util/Makefile +@@ -7,7 +7,7 @@ FORMAT=efi-app-$(HOSTARCH) + LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR) + LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name) + CCLDFLAGS = +-CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration ++BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration + + TARGETS = setupsb.efi dumpsb.efi clearpk.efi + +-- +2.5.5 + diff --git a/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch new file mode 100644 index 0000000..07a09bb --- /dev/null +++ b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch 
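Review bot: `CFLAGS = -g -O0` in the Make.defaults hunk still clobbers a CFLAGS that arrives from the environment, so the `-fstack-protector-strong` the commit message wants to inherit is only picked up when rpmbuild passes it on the make command line; an exported `CFLAGS=... make` silently builds at `-O0`, which also leaves `_FORTIFY_SOURCE` ineffective since it needs optimisation. `CFLAGS ?= -g -O0` keeps the debug default while letting an exported value through. Separately, `-Wno-unused-result` is new in BUILDFLAGS and hides `warn_unused_result` diagnostics (read/write-style calls) across the whole signing tool; consider dropping it from the default and suppressing only the specific sites known to be noise.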
@@ -0,0 +1,28 @@ +From abc2125fad51b2a3889248412ecc654c38d2efbb Mon Sep 17 00:00:00 2001 +From: "d.marlin" +Date: Wed, 27 Aug 2014 16:26:45 -0400 +Subject: [PATCH 05/15] Allow aarch64 in the rhel build macros. + +Signed-off-by: Peter Jones +--- + src/macros.pesign | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/macros.pesign b/src/macros.pesign +index 7faa4a1..39374ce 100644 +--- a/src/macros.pesign ++++ b/src/macros.pesign +@@ -21,7 +21,9 @@ + # -a # rhel only + # -s # perform signing + %pesign(i:o:C:e:c:n:a:s) \ +- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \ ++ if [ -x %{_pesign} ] && \\\ ++ [ "%{_target_cpu}" == "x86_64" -o \\\ ++ "%{_target_cpu}" == "aarch64" ]; then \ + if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \ + nss=$(mktemp -p $PWD -d) \ + echo > ${nss}/pwfile \ +-- +2.5.5 + diff --git a/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch new file mode 100644 index 0000000..7e7bec8 --- /dev/null +++ b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch 
@@ -0,0 +1,59 @@ +From 1d2859fa0e9cad7e0f36fef6ff17b91e10902777 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 2 Sep 2014 11:08:23 -0400 +Subject: [PATCH 06/15] Build as PIE+RELRO binaries. + +Resolves: rhbz#1092542 + +Signed-off-by: Peter Jones +--- + Make.defaults | 2 +- + libdpe/Makefile | 3 +++ + src/Makefile | 4 ++-- + 3 files changed, 6 insertions(+), 3 deletions(-) + +diff --git a/Make.defaults b/Make.defaults +index 0995e5b..5ff74ee 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -6,7 +6,7 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,) + INCDIR = -I$(TOPDIR)/include + CPPFLAGS = -DCONFIG_$(ARCH) + CFLAGS = -g -O0 +-BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function ++BUILDFLAGS := $(CFLAGS) $(ARCH3264) -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function + ASFLAGS = $(ARCH3264) + LDFLAGS = -nostdlib + CCLDFLAGS = -shared +diff --git a/libdpe/Makefile b/libdpe/Makefile +index 81d3c0b..a8b0c26 100644 +--- a/libdpe/Makefile ++++ b/libdpe/Makefile +@@ -5,6 +5,9 @@ SONAME = libdpe.so.0 + + include $(TOPDIR)/Make.defaults + ++BUILDFLAGS += -fPIC ++CCLDFLAGS += -fPIC -Wl,-z,relro,-z,now ++ + TARGETS = libdpe.so libdpe.a + all : $(TARGETS) + +diff --git a/src/Makefile b/src/Makefile +index e45d2a3..766ffe8 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -7,8 +7,8 @@ PKLIBS = nss + LIBS = popt + STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a + LDFLAGS = +-CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) +-BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror ++CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now ++BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config 
--cflags $(pklib))) -Werror -fPIE + + TARGETS = pesign authvar client efisiglist efikeygen peverify + +-- +2.5.5 + diff --git a/SOURCES/0007-Fix-some-man-page-errors.patch b/SOURCES/0007-Fix-some-man-page-errors.patch new file mode 100644 index 0000000..69d5c74 --- /dev/null +++ b/SOURCES/0007-Fix-some-man-page-errors.patch 
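Review bot: The RELRO/PIE flags are hard-coded into `CCLDFLAGS` in the src/Makefile and libdpe/Makefile hunks while `LDFLAGS =` is reset to empty and never reaches the link line (Make.rules links with `$(CCLDFLAGS)` only), so a distro-provided `LDFLAGS` such as rpm's hardening flags is dropped rather than inherited, unlike what the CFLAGS patch does for compile flags. Prepending `$(LDFLAGS)` and not clobbering it — e.g. `LDFLAGS ?=` and `CCLDFLAGS = $(LDFLAGS) -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now` — would keep both sets. Note also that libdpe/Makefile appends `-Wl,-z,relro,-z,now` to the `-shared` CCLDFLAGS from Make.defaults while src/Makefile assigns with `=`; the two now compose differently, so a future flag added in one place is easy to miss in the other.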
@@ -0,0 +1,95 @@ +From 054279b3c15f28513e2d5eefb2035392ec811ca5 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 2 Sep 2014 11:27:58 -0400 +Subject: [PATCH 07/15] Fix some man page errors. + +Resolves: rhbz#948850 + +Signed-off-by: Peter Jones +--- + src/pesign-client.1 | 6 +++--- + src/pesign.1 | 17 ++++++++++++++--- + 2 files changed, 17 insertions(+), 6 deletions(-) + +diff --git a/src/pesign-client.1 b/src/pesign-client.1 +index 1ccfbb3..9dae89b 100644 +--- a/src/pesign-client.1 ++++ b/src/pesign-client.1 +@@ -39,15 +39,15 @@ When using \fB-\-unlock\fR, read the token's PIN from the file \fIpinfile\fR. + Sign the binary specified by \fIinfile\fR. + + .TP +-\fB-\-detached\fR ++\fB-\-export\fR + When used with \fB-\-sign\fR, write the signature to \fIoutfile\fR. + + .TP +-\fB-\-in\fR=\fIinfile\fR ++\fB-\-infile\fR=\fIinfile\fR + When used with \fB-\-sign\fR, specify the input binary. + + .TP +-\fB-\-out\fR=\fIoutfile\fR ++\fB-\-outfile\fR=\fIoutfile\fR + When used with \fB-\-sign\fR, specify output file. If \fB-\-detached\fR + is specified, this will be a DER-formatted signature. Otherwise, the + output will be the signed PE binary. 
+diff --git a/src/pesign.1 b/src/pesign.1 +index 0a62e36..03603ca 100644 +--- a/src/pesign.1 ++++ b/src/pesign.1 +@@ -5,7 +5,8 @@ pesign \- command line tool for signing UEFI applications + .SH SYNOPSIS + \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR] + [--out=\fIoutfile\fR | -o \fIoutfile\fR] +- [--token=\fItoken\fR | -t \fItoken\fR] ++ [--certdir=\fIcertdir/fR | -n \fIcertdir\fR] ++ [--nss-token=\fItoken\fR | -t \fItoken\fR] + [--certificate=\fInickname\fR | -c \fInickname\fR] + [--force | -f] [--sign | -s] [--hash | -h] + [--digest_type=\fIdigest\fR | -d \fIdigest\fR] +@@ -13,6 +14,7 @@ pesign \- command line tool for signing UEFI applications + [--export-pubkey=\fIoutkey\fR | -K \fIoutkey\fR] + [--export-cert=\fIoutcert\fR | -C \fIoutcert\fR] + [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N] ++ [--signature-number=\fIsignum\fR | -u \fIsignum\fR] + + .SH DESCRIPTION + \fBpesign\fR is a command line tool for manipulating signatures and +@@ -28,7 +30,11 @@ Specify input binary. + Specify output binary. + + .TP +-\fB-\-token\fR=\fItoken\fR ++\fB-\-certdir\fR=\fIcertdir\fR ++Specify nss certificate database directory. ++ ++.TP ++\fB-\-nss-token\fR=\fItoken\fR + Use the specified NSS token's certificate database. + + .TP +@@ -51,7 +57,8 @@ Display the cryptographic digest of the input binary on standard output. + .TP + \fB-\-digest_type\fR=\fIdigest\fR + Use the specified digest in hashing and signing operations. By default, +-this value is "sha256". Use "--digest=help" to list the available digests. ++this value is "sha256". Use "--digest_type=help" to list the available ++digests. + + .TP + \fB-\-show-signature\fR +@@ -62,6 +69,10 @@ Show information about the signature of the input binary. + Remove the signature section from the binary. + + .TP ++\fB-\-signature-number\fR=\fIsignum\fR ++Specify which signature to operate on. This field is zero-indexed. 
++ ++.TP + \fB-\-export-pubkey\fR=\fIoutkey\fR + Export the public key specified by --certificate to \fIoutkey\fR + +-- +2.5.5 + diff --git a/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch new file mode 100644 index 0000000..09e2170 --- /dev/null +++ b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch 
@@ -0,0 +1,98 @@ +From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001 +From: Pat Riehecky +Date: Fri, 12 Sep 2014 09:37:07 -0500 +Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign + +The sysvinit script provided with pesign sets ACLS for the pesign/socket +file for kojibuilder:kojibuilder. The systemd unit, however, does not. + +I've built a more general solution for both the sysvinit and systemd +unit that should allow for greater flexibility and compat behavior. + +Signed-off-by: Peter Jones +(cherry picked from commit 3c2374b57f26f15efa7c883e0fbbbaf3c490d074) +--- + src/pesign-authorize-groups | 17 +++++++++++++++++ + src/pesign-authorize-users | 17 +++++++++++++++++ + src/pesign.service | 2 ++ + src/pesign.sysvinit | 6 ++---- + 4 files changed, 38 insertions(+), 4 deletions(-) + create mode 100644 src/pesign-authorize-groups + create mode 100644 src/pesign-authorize-users + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +new file mode 100644 +index 0000000..1048904 +--- /dev/null ++++ b/src/pesign-authorize-groups +@@ -0,0 +1,17 @@ ++#!/bin/bash ++ ++# ++# With /run/pesign/socket on tmpfs, a simple way of restoring the ++# acls for specific groups is useful ++# ++# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 ++# ++ ++# License: GPLv2 ++ ++if [[ -r /etc/pesign/authorize-groups ]]; then ++ for group in $(cat /etc/pesign/authorize-groups); do ++ setfacl -m g:${group}:rx /var/run/pesign ++ setfacl -m g:${group}:rw /var/run/pesign/socket ++ done ++fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +new file mode 100644 +index 0000000..1993570 +--- /dev/null ++++ b/src/pesign-authorize-users +@@ -0,0 +1,17 @@ ++#!/bin/bash ++ ++# ++# With /run/pesign/socket on tmpfs, a simple way of restoring the ++# acls for specific users is useful ++# ++# Compare to: 
http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6 ++# ++ ++# License: GPLv2 ++ ++if [[ -r /etc/pesign/authorize-users ]]; then ++ for username in $(cat /etc/pesign/authorize-users); do ++ setfacl -m u:${username}:rx /var/run/pesign ++ setfacl -m u:${username}:rw /var/run/pesign/socket ++ done ++fi +diff --git a/src/pesign.service b/src/pesign.service +index 75a73c3..d6a412e 100644 +--- a/src/pesign.service ++++ b/src/pesign.service +@@ -6,3 +6,5 @@ PrivateTmp=true + Type=forking + PIDFile=/var/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize ++ExecStartPost=/usr/sbin/pesign-authorize-users ++ExecStartPost=/usr/sbin/pesign-authorize-groups +diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit +index ea37c58..6f20560 100644 +--- a/src/pesign.sysvinit ++++ b/src/pesign.sysvinit +@@ -24,10 +24,8 @@ start(){ + RETVAL=$? + echo + touch /var/lock/subsys/pesign +- setfacl -m u:kojibuilder:x /var/run/pesign +- setfacl -m u:kojibuilder:rw /var/run/pesign/socket +- setfacl -m g:kojibuilder:x /var/run/pesign +- setfacl -m g:kojibuilder:rw /var/run/pesign/socket ++ /usr/sbin/pesign-authorize-users ++ /usr/sbin/pesign-authorize-groups + } + + stop(){ +-- +2.5.5 + diff --git a/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch new file mode 100644 index 0000000..1a3fd99 --- /dev/null +++ b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch 
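Review bot: The `for username in $(cat /etc/pesign/authorize-users)` loop in pesign-authorize-users (and the matching `group` loop in pesign-authorize-groups) passes every whitespace-separated word of the file into `setfacl -m u:${username}:rw` with no check that it is a plain account name, and both scripts run as root from ExecStartPost and from the sysvinit start(). A malformed entry containing ACL syntax characters is consumed as part of the ACL specification rather than rejected, so a typo in the file can change which principal is granted access to the socket; a one-line guard before the setfacl calls, `[[ ${username} =~ ^[A-Za-z0-9._-]+$ ]] || continue`, limits entries to bare names, and the same applies to `${group}`. Note too that this patch removes the fixed grants from the sysvinit script without installing any /etc/pesign/authorize-* file, so on an upgraded host no ACL is applied at all until an administrator creates one (the empty defaults only arrive with the 0009 patch).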
@@ -0,0 +1,66 @@ +From fc08bd9a51b4bf576f7d6c1df6fb3f3d8dba26c1 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 9 Jun 2015 16:00:00 -0400 +Subject: [PATCH 09/15] Add "install" targets for 3c2374b and make the + filenames a little nicer. + +Related: rhbz#1141263 + +Signed-off-by: Peter Jones +(cherry picked from commit 95195477dac72d4fcc09726314da4a8dd3552d49) +--- + src/Makefile | 6 ++++++ + src/pesign-authorize-groups | 4 ++-- + src/pesign-authorize-users | 4 ++-- + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/Makefile b/src/Makefile +index 766ffe8..6b1e582 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -72,6 +72,12 @@ install_systemd: + $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf + $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ + $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ ++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/sbin/ ++ $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-users ++ $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-groups ++ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign ++ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users ++ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups + + install_sysvinit: + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 1048904..e3864ce 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -9,8 +9,8 @@ + + # License: GPLv2 + +-if [[ -r /etc/pesign/authorize-groups ]]; then +- for group in $(cat /etc/pesign/authorize-groups); do ++if [[ -r /etc/pesign/groups ]]; then ++ for group in $(cat /etc/pesign/groups); do + setfacl -m g:${group}:rx /var/run/pesign + setfacl -m g:${group}:rw /var/run/pesign/socket + done +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 1993570..e500204 
100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -9,8 +9,8 @@ + + # License: GPLv2 + +-if [[ -r /etc/pesign/authorize-users ]]; then +- for username in $(cat /etc/pesign/authorize-users); do ++if [[ -r /etc/pesign/users ]]; then ++ for username in $(cat /etc/pesign/users); do + setfacl -m u:${username}:rx /var/run/pesign + setfacl -m u:${username}:rw /var/run/pesign/socket + done +-- +2.5.5 + diff --git a/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch new file mode 100644 index 0000000..5ea0513 --- /dev/null +++ b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch 
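Review bot: The six added install lines place pesign-authorize-users, pesign-authorize-groups and the /etc/pesign config files under `install_systemd` only, yet the sysvinit script patched in 0008 also runs `/usr/sbin/pesign-authorize-users` and `-groups` from start(), and `install_sysvinit` — as far as the hunk shows — installs nothing but the init script. A sysvinit-only install therefore ships an init script calling scripts that were never installed, and the 0014 hunk keeps this split. Move the script and config installs to the plain `install` target if the Makefile has one (not visible here), or to a shared target that both `install_systemd` and `install_sysvinit` depend on.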
@@ -0,0 +1,40 @@ +From 82cf315182deacdc488b465cb50d8c0d692f4dcc Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 19 Nov 2015 11:36:59 -0500 +Subject: [PATCH 10/15] setfacl the nss DBs to our authorized users, not just + the socket. + +Signed-off-by: Peter Jones +(cherry picked from commit 1a9a8eefe8f9a9b21996151a5afd956df22921ea) +--- + src/pesign-authorize-groups | 2 ++ + src/pesign-authorize-users | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index e3864ce..2236bea 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then + for group in $(cat /etc/pesign/groups); do + setfacl -m g:${group}:rx /var/run/pesign + setfacl -m g:${group}:rw /var/run/pesign/socket ++ setfacl -m g:${username}:rx /etc/pki/pesign ++ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index e500204..9c38a25 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do + setfacl -m u:${username}:rx /var/run/pesign + setfacl -m u:${username}:rw /var/run/pesign/socket ++ setfacl -m u:${username}:rx /etc/pki/pesign ++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db + done + fi +-- +2.5.5 + diff --git a/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch new file mode 100644 index 0000000..b0b0ef9 --- /dev/null +++ b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch 
@@ -0,0 +1,55 @@ +From 4bf644cdc1908aaa04de304174d985665de5947d Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 20 Nov 2015 19:19:49 -0500 +Subject: [PATCH 11/15] Don't setfacl when the socket or dir aren't there. + +Signed-off-by: Peter Jones +(cherry picked from commit 4c70ae807156099bf027b57a94b7eae0a810b947) +--- + src/pesign-authorize-groups | 10 ++++++---- + src/pesign-authorize-users | 10 ++++++---- + 2 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 2236bea..2222809 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -11,9 +11,11 @@ + + if [[ -r /etc/pesign/groups ]]; then + for group in $(cat /etc/pesign/groups); do +- setfacl -m g:${group}:rx /var/run/pesign +- setfacl -m g:${group}:rw /var/run/pesign/socket +- setfacl -m g:${username}:rx /etc/pki/pesign +- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ if [ -d /var/run/pesign ]; then ++ setfacl -m g:${group}:rx /var/run/pesign ++ if [ -e /var/run/pesign/socket ]; then ++ setfacl -m g:${group}:rw /var/run/pesign/socket ++ fi ++ fi + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 9c38a25..22bddec 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -11,9 +11,11 @@ + + if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do +- setfacl -m u:${username}:rx /var/run/pesign +- setfacl -m u:${username}:rw /var/run/pesign/socket +- setfacl -m u:${username}:rx /etc/pki/pesign +- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ if [ -d /var/run/pesign ]; then ++ setfacl -m g:${username}:rx /var/run/pesign ++ if [ -e /var/run/pesign/socket ]; then ++ setfacl -m g:${username}:rw /var/run/pesign/socket ++ fi ++ fi + done + fi +-- +2.5.5 + 
diff --git a/SOURCES/0012-setfacl-the-db-as-well.patch b/SOURCES/0012-setfacl-the-db-as-well.patch new file mode 100644 index 0000000..f5e4c7d --- /dev/null +++ b/SOURCES/0012-setfacl-the-db-as-well.patch @@ -0,0 +1,52 @@ +From cdca8c5dfeee969267dacc5846d8c11e84c2fcfe Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 20 Nov 2015 19:21:39 -0500 +Subject: [PATCH 12/15] setfacl the db as well + +And also get all our "-m [ug]:${name}:$perm" arguments right. + +Signed-off-by: Peter Jones +(cherry picked from commit f7a16f89f3ed327d3e2f4ce897917c2966fb427d) +--- + src/pesign-authorize-groups | 4 ++++ + src/pesign-authorize-users | 8 ++++++-- + 2 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 2222809..13aefa6 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then + setfacl -m g:${group}:rw /var/run/pesign/socket + fi + fi ++ if [ -d /etc/pki/pesign ]; then ++ setfacl -m g:${group}:rx /etc/pki/pesign ++ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ fi + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 22bddec..a43ce44 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -12,10 +12,14 @@ + if [[ -r /etc/pesign/users ]]; then + for username in $(cat /etc/pesign/users); do + if [ -d /var/run/pesign ]; then +- setfacl -m g:${username}:rx /var/run/pesign ++ setfacl -m u:${username}:rx /var/run/pesign + if [ -e /var/run/pesign/socket ]; then +- setfacl -m g:${username}:rw /var/run/pesign/socket ++ setfacl -m u:${username}:rw /var/run/pesign/socket + fi + fi ++ if [ -d /etc/pki/pesign ]; then ++ setfacl -m u:${username}:rx /etc/pki/pesign ++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db ++ fi + done + fi +-- +2.5.5 + 
diff --git a/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch new file mode 100644 index 0000000..c1fb088 --- /dev/null +++ b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch 
@@ -0,0 +1,92 @@ +From 9cd3272fc54f7941f347c4ec9e15176c2ed7da36 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 20 Apr 2016 11:44:08 -0400 +Subject: [PATCH 13/15] Improve our setfacl scripts for database and socket + ownership. + +Signed-off-by: Peter Jones +(cherry picked from commit a90c967205733c35a97c0c3e67131fa9b5b935fc) +--- + src/pesign-authorize-groups | 15 ++++++++++----- + src/pesign-authorize-users | 19 ++++++++++++------- + 2 files changed, 22 insertions(+), 12 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index 13aefa6..a4f895e 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -1,4 +1,5 @@ + #!/bin/bash ++set -e + + # + # With /run/pesign/socket on tmpfs, a simple way of restoring the +@@ -9,7 +10,7 @@ + + # License: GPLv2 + +-if [[ -r /etc/pesign/groups ]]; then ++if [ -r /etc/pesign/groups ]; then + for group in $(cat /etc/pesign/groups); do + if [ -d /var/run/pesign ]; then + setfacl -m g:${group}:rx /var/run/pesign +@@ -17,9 +18,13 @@ if [[ -r /etc/pesign/groups ]]; then + setfacl -m g:${group}:rw /var/run/pesign/socket + fi + fi +- if [ -d /etc/pki/pesign ]; then +- setfacl -m g:${group}:rx /etc/pki/pesign +- setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db +- fi ++ for x in /etc/pki/pesign* ; do ++ if [ -d ${x} ]; then ++ setfacl -m g:${group}:rx /etc/pki/pesign ++ for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${group}:rw ${y} ++ done ++ fi ++ done + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index a43ce44..8b9a885 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -1,4 +1,5 @@ + #!/bin/bash ++set -e + + # + # With /run/pesign/socket on tmpfs, a simple way of restoring the +@@ -9,17 +10,21 @@ + + # License: GPLv2 + +-if [[ -r /etc/pesign/users ]]; then ++if [ -r /etc/pesign/users ]; then + for username in $(cat /etc/pesign/users); do + if [ -d /var/run/pesign ]; then +- 
setfacl -m u:${username}:rx /var/run/pesign ++ setfacl -m g:${username}:rx /var/run/pesign + if [ -e /var/run/pesign/socket ]; then +- setfacl -m u:${username}:rw /var/run/pesign/socket ++ setfacl -m g:${username}:rw /var/run/pesign/socket + fi + fi +- if [ -d /etc/pki/pesign ]; then +- setfacl -m u:${username}:rx /etc/pki/pesign +- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db +- fi ++ for x in /etc/pki/pesign* ; do ++ if [ -d ${x} ]; then ++ setfacl -m g:${username}:rx /etc/pki/pesign ++ for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${username}:rw ${y} ++ done ++ fi ++ done + done + fi +-- +2.5.5 + diff --git a/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch new file mode 100644 index 0000000..d6043f7 --- /dev/null +++ b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch 
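Review bot: Every setfacl line added to pesign-authorize-users in this hunk uses `g:${username}` — `setfacl -m g:${username}:rx /var/run/pesign`, the socket line, `${x}` and `${y}` — which reverts the `u:` fix the 0012 patch made, and the 0015 hunk carries the same `g:` entries forward. The effect is that a user with no group of the same name is never authorized (and, with the `set -e` this hunk adds, the first such entry aborts the script before later entries are processed), while a group that merely shares the user's name is granted rw on the socket and on the key databases; the four lines should read `u:${username}`. `set -e` also interacts badly with `for y in ${x}/{cert8,key3,secmod}.db`, which is brace expansion rather than a glob: a database directory that lacks any one of the three files makes setfacl fail and abort the whole run, so the loop body wants a `[ -e "${y}" ] || continue` guard in both scripts. Both scripts also move from `r` to `rw` on the database files, which is a deliberate widening of what an authorized signer can do to the key store and deserves a sentence in the header comment.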
@@ -0,0 +1,124 @@ +From 0c973c36bf25a863db868d518265b5e7ee722764 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Wed, 10 Jun 2015 14:56:38 -0400 +Subject: [PATCH 14/15] Make pesign-authorize-{users,groups} not be in sbin. + +If it's in sbin, it needs a man page. On fedora/rhel it should go in +libexec, on debian probably /usr/share someplace. This change puts it +in libexec and makes it so you can put that wherever you like by doing: + +make libexecdir=/usr/share all +make libexecdir=/usr/share install install_systemd + +or similar. + +Signed-off-by: Peter Jones +(cherry picked from commit 8854461314f1d908dfb3e46a1654b731709df309) +--- + Make.defaults | 3 ++- + src/Makefile | 16 ++++++++++------ + src/{pesign.service => pesign.service.in} | 4 ++-- + src/{pesign.sysvinit => pesign.sysvinit.in} | 4 ++-- + 4 files changed, 16 insertions(+), 11 deletions(-) + rename src/{pesign.service => pesign.service.in} (55%) + rename src/{pesign.sysvinit => pesign.sysvinit.in} (92%) + +diff --git a/Make.defaults b/Make.defaults +index 5ff74ee..125487e 100644 +--- a/Make.defaults ++++ b/Make.defaults +@@ -12,7 +12,8 @@ LDFLAGS = -nostdlib + CCLDFLAGS = -shared + INSTALL = install + # XXX this is broken +-bindir = /usr/bin/ ++bindir = $(PREFIX)/bin/ ++libexecdir = $(PREFIX)/libexec + + CC = $(bindir)gcc + AS = $(bindir)as +diff --git a/src/Makefile b/src/Makefile +index 6b1e582..41a622f 100644 +--- a/src/Makefile ++++ b/src/Makefile +@@ -10,7 +10,8 @@ LDFLAGS = + CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now + BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -fPIE + +-TARGETS = pesign authvar client efisiglist efikeygen peverify ++TARGETS = pesign authvar client efisiglist efikeygen peverify \ ++ pesign.service pesign.sysvinit + + all : $(TARGETS) + +@@ -57,6 +58,9 @@ fuzzsocket : $(fuzzsocket_OBJECTS) -lrt + DEPS = $(generic_DEPS) $(authvar_DEPS) 
$(pesign_DEPS) $(client_DEPS) \ + $(peverify_DEPS) $(efisiglist_DEPS) $(efikeygen_DEPS) + ++pesign.sysvinit pesign.service : % : %.in ++ sed -e "s,@@LIBEXECDIR@@,$(libexecdir),g" $< > $@ ++ + deps : $(DEPS) + + depclean : +@@ -67,19 +71,19 @@ depclean : + clean : depclean + @rm -rfv *.o *.a *.so $(TARGETS) + +-install_systemd: ++install_systemd: pesign.service + $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/ + $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf + $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/ + $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/ +- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/sbin/ +- $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-users +- $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-groups ++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/ ++ $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-users ++ $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-groups + $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign + $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users + $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups + +-install_sysvinit: ++install_sysvinit: pesign.sysvinit + $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/ + $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign + +diff --git a/src/pesign.service b/src/pesign.service.in +similarity index 55% +rename from src/pesign.service +rename to src/pesign.service.in +index d6a412e..aaa408e 100644 +--- a/src/pesign.service ++++ b/src/pesign.service.in +@@ -6,5 +6,5 @@ PrivateTmp=true + Type=forking + PIDFile=/var/run/pesign.pid + ExecStart=/usr/bin/pesign --daemonize +-ExecStartPost=/usr/sbin/pesign-authorize-users +-ExecStartPost=/usr/sbin/pesign-authorize-groups 
++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users ++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups +diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit.in +similarity index 92% +rename from src/pesign.sysvinit +rename to src/pesign.sysvinit.in +index 6f20560..d8fffca 100644 +--- a/src/pesign.sysvinit ++++ b/src/pesign.sysvinit.in +@@ -24,8 +24,8 @@ start(){ + RETVAL=$? + echo + touch /var/lock/subsys/pesign +- /usr/sbin/pesign-authorize-users +- /usr/sbin/pesign-authorize-groups ++ @@LIBEXECDIR@@/pesign/pesign-authorize-users ++ @@LIBEXECDIR@@/pesign/pesign-authorize-groups + } + + stop(){ +-- +2.5.5 + diff --git a/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch new file mode 100644 index 0000000..ba46426 --- /dev/null +++ b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch 
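Review bot: `bindir = $(PREFIX)/bin/` in Make.defaults now feeds the existing `CC = $(bindir)gcc` and `AS = $(bindir)as`, so overriding PREFIX to install under another root makes the build look for the toolchain under that root as well; the `# XXX this is broken` comment already marks the coupling, but this change extends it to PREFIX, so the install prefix should be separated from the toolchain path (keep `bindir = /usr/bin/` for CC/AS, or introduce a separate variable for the install bin directory). The generation rule `sed -e "s,@@LIBEXECDIR@@,$(libexecdir),g" $< > $@` leaves a truncated pesign.service or pesign.sysvinit in place when sed fails and no `.DELETE_ON_ERROR:` is in view; write to `$@.tmp` and `mv -f $@.tmp $@`. In the unit file, `ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users` (and -groups) means a non-zero exit from either script — which run under `set -e` after the 0013 patch — makes systemd mark the start as failed and stop the daemon, so a single bad entry in /etc/pesign/users takes the signing service down; decide whether that is intended, and if not use the `ExecStartPost=-` form or make the scripts best-effort.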
@@ -0,0 +1,51 @@ +From 0df758bbb282f9d4a81818b6f7816eb0eb663519 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 16 May 2016 15:25:53 -0400 +Subject: [PATCH 15/15] Actually setfacl /each/ directory of our key storage. + +Signed-off-by: Peter Jones +(cherry picked from commit f0c285fe74f00402acb72cb4ae91891006e9cfa4) +--- + src/pesign-authorize-groups | 6 +++--- + src/pesign-authorize-users | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups +index a4f895e..cf51fb6 100644 +--- a/src/pesign-authorize-groups ++++ b/src/pesign-authorize-groups +@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then + setfacl -m g:${group}:rw /var/run/pesign/socket + fi + fi +- for x in /etc/pki/pesign* ; do ++ for x in /etc/pki/pesign*/ ; do + if [ -d ${x} ]; then +- setfacl -m g:${group}:rx /etc/pki/pesign +- for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${group}:rx ${x} ++ for y in ${x}{cert8,key3,secmod}.db ; do + setfacl -m g:${group}:rw ${y} + done + fi +diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users +index 8b9a885..940138e 100644 +--- a/src/pesign-authorize-users ++++ b/src/pesign-authorize-users +@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then + setfacl -m g:${username}:rw /var/run/pesign/socket + fi + fi +- for x in /etc/pki/pesign* ; do ++ for x in /etc/pki/pesign*/ ; do + if [ -d ${x} ]; then +- setfacl -m g:${username}:rx /etc/pki/pesign +- for y in ${x}/{cert8,key3,secmod}.db ; do ++ setfacl -m g:${username}:rx ${x} ++ for y in ${x}{cert8,key3,secmod}.db ; do + setfacl -m g:${username}:rw ${y} + done + fi +-- +2.5.5 + diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec index 989e850..0223bb4 100644 --- a/SPECS/pesign.spec +++ b/SPECS/pesign.spec 
@@ -1,7 +1,7 @@
 Summary: Signing utility for UEFI binaries
 Name: pesign
 Version: 0.109
-Release: 9%{?dist}
+Release: 10%{?dist}
 Group: Development/System
 License: GPLv2
 URL: https://github.com/vathpela/pesign
@@ -19,12 +19,20 @@ ExclusiveArch: x86_64 aarch64
 Source0: pesign-%{version}.tar.bz2
 Source1: rh-test-certs.tar.bz2
 Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch
-Patch0002: 0001-Fix-error-detected-by-coverity.patch
-Patch0003: 0001-One-more-tweak-for-RHEL-signing-rules.patch
-Patch0004: 0001-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch
-Patch0005: 0001-Allow-aarch64-in-the-rhel-build-macros.patch
-Patch0006: 0001-Build-as-PIE-RELRO-binaries.patch
-Patch0007: 0001-Fix-some-man-page-errors.patch
+Patch0002: 0002-Fix-error-detected-by-coverity.patch
+Patch0003: 0003-One-more-tweak-for-RHEL-signing-rules.patch
+Patch0004: 0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch
+Patch0005: 0005-Allow-aarch64-in-the-rhel-build-macros.patch
+Patch0006: 0006-Build-as-PIE-RELRO-binaries.patch
+Patch0007: 0007-Fix-some-man-page-errors.patch
+Patch0008: 0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch
+Patch0009: 0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch
+Patch0010: 0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
+Patch0011: 0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
+Patch0012: 0012-setfacl-the-db-as-well.patch
+Patch0013: 0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch
+Patch0014: 0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch
+Patch0015: 0015-Actually-setfacl-each-directory-of-our-key-storage.patch
 
 %description
 This package contains the pesign utility for signing UEFI binaries as
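Review bot: Patch0008 through Patch0015 are declared here but the diff contains no %prep change; if %prep applies patches with explicit `%patchNNNN -p1` lines rather than a loop or `%autosetup`, the new patches are declared but never applied (the %files entries added further down would then fail at build time, which suggests they are applied, but %prep is outside this diff and worth confirming). The renumbering of Patch0002–Patch0007 to matching `000N-…` file names is consistent with the SOURCES entries deleted earlier in the diff.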
@@ -92,6 +100,10 @@ exit 0
 %{_bindir}/efikeygen
 %{_sysconfdir}/popt.d/pesign.popt
 %{_sysconfdir}/rpm/macros.pesign
+%{_libexecdir}/pesign/pesign-authorize-users
+%{_libexecdir}/pesign/pesign-authorize-groups
+%config(noreplace)/%{_sysconfdir}/pesign/users
+%config(noreplace)/%{_sysconfdir}/pesign/groups
 %{_mandir}/man*/*
 %dir %attr(0775,pesign,pesign) /etc/pki/pesign
 %attr(0664,pesign,pesign) /etc/pki/pesign/*
@@ -104,6 +116,10 @@ exit 0
 %endif
 
 %changelog
+* Mon May 16 2016 Peter Jones - - 0.109-10
+- Add support for /etc/pesign/users and /etc/pesign/groups
+  Resolves: rhbz#1141263
+
 * Tue Sep 02 2014 Peter Jones - 0.109-9
 - Fix man page errors.
   Resolves: rhbz#948850
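Review bot: `%config(noreplace)/%{_sysconfdir}/pesign/users` and the matching `groups` line have a `/` where a space belongs, yielding the path `//etc/pesign/users`; rpmbuild may collapse the doubled slash, but the entry is inconsistent with every other %files line and should read `%config(noreplace) %{_sysconfdir}/pesign/users`. The directory the Makefile installs with mode 0700 is not listed, so `%{_sysconfdir}/pesign` is left unowned by the package and its restrictive mode is neither recorded nor restored by rpm; add `%dir %attr(0700,root,root) %{_sysconfdir}/pesign`. Since these two files decide who may use the signing socket and read the key databases, it is worth having rpm pin the 0600 mode the Makefile sets rather than relying on the install step, e.g. `%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/pesign/users`.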