diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..41c693e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/pesign-0.109.tar.bz2
+SOURCES/rh-test-certs.tar.bz2
diff --git a/.pesign.metadata b/.pesign.metadata
new file mode 100644
index 0000000..257cce9
--- /dev/null
+++ b/.pesign.metadata
@@ -0,0 +1,2 @@
+d3bee4233c8d6bb712a9a54467f3eaea3a52c703 SOURCES/pesign-0.109.tar.bz2
+36df9ec87e76174c354441f516032faf9341f647 SOURCES/rh-test-certs.tar.bz2
diff --git a/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch
new file mode 100644
index 0000000..c679215
--- /dev/null
+++ b/SOURCES/0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch
@@ -0,0 +1,26 @@
+From c889e85273814fe0290d1fdd280e93214133d7c0 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 24 Oct 2013 15:22:13 -0400
+Subject: [PATCH 01/15] Use the right signing method on the RHEL signing macro.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7f6e6ef..143ef8e 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -30,7 +30,7 @@
+ certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss} \
+ sattrs=$(mktemp -p $PWD --suffix=.der) \
+ %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force \
+- rpm-sign --key "%{-n*}" --rsasign ${sattrs} \
++ rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs} \
+ %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i} \\\
+ --certdir ${nss} -c signer %{-o} \
+ rm -rf ${sattrs} ${sattrs}.sig ${nss} \
+--
+2.5.5
+
diff --git a/SOURCES/0002-Fix-error-detected-by-coverity.patch b/SOURCES/0002-Fix-error-detected-by-coverity.patch
new file mode 100644
index 0000000..1da2914
--- /dev/null
+++ b/SOURCES/0002-Fix-error-detected-by-coverity.patch
@@ -0,0 +1,26 @@
+From cca5baa1797e5cee78a32ba444c0327bd316d7b1 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 25 Oct 2013 10:08:32 -0400
+Subject: [PATCH 02/15] Fix error detected by coverity.
+
+Signed-off-by: Peter Jones
+---
+ src/siglist.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/siglist.c b/src/siglist.c
+index ca097e6..2080b98 100644
+--- a/src/siglist.c
++++ b/src/siglist.c
+@@ -147,6 +147,8 @@ signature_list_add_sig(signature_list *sl, efi_guid_t owner,
+ }
+
+ struct efi_signature_data *sd = calloc(1, sl->SignatureSize);
++ if (!sd)
++ return -1;
+ memcpy(&sd->SignatureOwner, &owner, sizeof (owner));
+ memcpy(sd->SignatureData, sig, sl->SignatureSize -
+ sizeof (efi_guid_t));
+--
+2.5.5
+
diff --git a/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch
new file mode 100644
index 0000000..d85423f
--- /dev/null
+++ b/SOURCES/0003-One-more-tweak-for-RHEL-signing-rules.patch
@@ -0,0 +1,28 @@
+From d895607d9575600e6bbc13724caa704982540f8d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 29 Oct 2013 11:27:31 -0400
+Subject: [PATCH 03/15] One more tweak for RHEL signing rules.
+
+It never ends.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 143ef8e..7faa4a1 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -22,7 +22,7 @@
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+ if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
+- if [ "0%{?rhel}" -ge "7" ]; then \
++ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ echo > ${nss}/pwfile \
+ certutil -N -d ${nss} -f ${nss}/pwfile \
+--
+2.5.5
+
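Review bot: In patch 0002 (`src/siglist.c`, `signature_list_add_sig`) the two `memcpy` calls that follow the new `if (!sd) return -1;` still trust `sl->SignatureSize`: if it is smaller than `sizeof (efi_guid_t)`, the first copy writes past the `calloc`ed buffer and `sl->SignatureSize - sizeof (efi_guid_t)` wraps to a very large length. The function begins above the hunk, so an earlier size check may already exist; if it does not, `if (sl->SignatureSize < sizeof (efi_guid_t)) return -1;` ahead of the `calloc` would close that. It is also worth confirming that the new early return does not leave anything acquired earlier in the function unreleased.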
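Review bot: In patch 0003 (`src/macros.pesign`) the added `-f /usr/bin/rpm-sign` only tests that a regular file exists, while `%{_pesign}` on the line above is tested with `-x`; `-x /usr/bin/rpm-sign` would keep the two consistent and avoid entering the signing branch with a file that cannot be run. On a RHEL 7+ builder without rpm-sign the macro now silently takes whatever the other branch does (outside this hunk), so a build can be signed by a different path than intended with nothing in the log. Documenting that fallback in the option comments above `%pesign(...)`, or printing a line to stderr when it is taken, would make it auditable.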
diff --git a/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch
new file mode 100644
index 0000000..4dcf54a
--- /dev/null
+++ b/SOURCES/0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch
@@ -0,0 +1,152 @@
+From b328f6ede664d5c37ecbd957355a991862191ff9 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 18 Mar 2014 11:41:18 -0400
+Subject: [PATCH 04/15] Changes to make sure we inherit CFLAGS properly from
+ rpmbuild.
+
+This makes sure we build with -fstack-protector-strong when invoked
+correctly with it in CFLAGS="" from make.
+
+Signed-off-by: Peter Jones
+---
+ Make.defaults | 7 ++++---
+ Make.efirules | 6 +++---
+ Make.rules | 10 +++++-----
+ libdpe/pe_allocspace.c | 1 +
+ src/Makefile | 2 +-
+ src/efikeygen.c | 2 +-
+ util/Makefile | 2 +-
+ 7 files changed, 16 insertions(+), 14 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index e2c967b..0995e5b 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -5,7 +5,8 @@ HOSTARCH = $(shell uname -m | sed s,i[3456789]86,ia32,)
+ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
+ INCDIR = -I$(TOPDIR)/include
+ CPPFLAGS = -DCONFIG_$(ARCH)
+-CFLAGS = $(ARCH3264) -g -O0 -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE
++CFLAGS = -g -O0
++BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function
+ ASFLAGS = $(ARCH3264)
+ LDFLAGS = -nostdlib
+ CCLDFLAGS = -shared
+@@ -21,7 +22,7 @@ RANLIB = $(bindir)ranlib
+ OBJCOPY = $(bindir)objcopy
+
+ ifeq ($(ARCH),ia64)
+- CFLAGS += -mfixed-range=f32-f127
++ BUILDFLAGS += -mfixed-range=f32-f127
+ LIBDIR = $(PREFIX)/lib64
+ endif
+
+@@ -33,7 +34,7 @@ ifeq ($(ARCH), ia32)
+ endif
+
+ ifeq ($(ARCH), x86_64)
+- CFLAGS += -mno-red-zone
++ BUILDFLAGS += -mno-red-zone
+ LIBDIR := $(PREFIX)/lib64
+ ifeq ($(HOSTARCH), ia32)
+ ARCH3264 := -m64
+diff --git a/Make.efirules b/Make.efirules
+index 9aa4b5b..bed36b1 100644
+--- a/Make.efirules
++++ b/Make.efirules
+@@ -6,10 +6,10 @@
+ $(LD) $(LDFLAGS) -o $@ $^ $(LIBS)
+
+ %.o: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -c $< -o $@
+
+ %.S: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -S $< -o $@
+
+ %.E: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -D__UEFI__ -E $< -o $@
+diff --git a/Make.rules b/Make.rules
+index 999d717..2749521 100644
+--- a/Make.rules
++++ b/Make.rules
+@@ -5,18 +5,18 @@
+ $(CC) $(CCLDFLAGS) -o $@ $^ $(foreach lib,$(LIBS),-l$(lib)) $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-l --libs-only-other $(pklib))) -lpthread
+
+ %.so :
+- $(CC) $(INCDIR) $(CFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) -Wl,-soname,$(SONAME) $(CCLDFLAGS) $^ -o $@
+
+ %.o: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -c $< -o $@
+
+ .%.P : %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -M -MM -MF $@ $^
+
+ %.S: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -S $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -S $< -o $@
+
+ %.E: %.c
+- $(CC) $(INCDIR) $(CFLAGS) $(CPPFLAGS) -E $< -o $@
++ $(CC) $(INCDIR) $(BUILDFLAGS) $(CPPFLAGS) -E $< -o $@
+
+ %.c : %.h
+diff --git a/libdpe/pe_allocspace.c b/libdpe/pe_allocspace.c
+index 716373c..1f0f44a 100644
+--- a/libdpe/pe_allocspace.c
++++ b/libdpe/pe_allocspace.c
+@@ -19,6 +19,7 @@
+
+ #include "libdpe.h"
+
++#include
+ #include
+ #include
+ #include
+diff --git a/src/Makefile b/src/Makefile
+index f478aa6..e45d2a3 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -8,7 +8,7 @@ LIBS = popt
+ STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
+ LDFLAGS =
+ CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
+-CFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
++BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
+
+ TARGETS = pesign authvar client efisiglist efikeygen peverify
+
+diff --git a/src/efikeygen.c b/src/efikeygen.c
+index ac27acc..45ee5c5 100644
+--- a/src/efikeygen.c
++++ b/src/efikeygen.c
+@@ -333,7 +333,7 @@ populate_extensions(cms_context *cms, CERTCertificate *cert,
+
+ oid = SECOID_FindOIDByTag(SEC_OID_PKCS9_EXTENSION_REQUEST);
+
+- for (int i; crq->attributes[i]; i++) {
++ for (int i = 0 ; crq->attributes[i]; i++) {
+ attr = crq->attributes[i];
+ if (attr->attrType.len != oid->oid.len)
+ continue;
+diff --git a/util/Makefile b/util/Makefile
+index 1cf782c..ff11cb8 100644
+--- a/util/Makefile
++++ b/util/Makefile
+@@ -7,7 +7,7 @@ FORMAT=efi-app-$(HOSTARCH)
+ LDFLAGS = -nostdlib -T $(LIBDIR)/gnuefi/elf_$(HOSTARCH)_efi.lds -shared -Bsymbolic $(LIBDIR)/gnuefi/crt0-efi-$(HOSTARCH).o -L$(LIBDIR)
+ LIBS=-lefi -lgnuefi $(shell $(CC) -print-libgcc-file-name)
+ CCLDFLAGS =
+-CFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration
++BUILDFLAGS = -I/usr/include/efi/ -I/usr/include/efi/$(HOSTARCH)/ -I/usr/include/efi/protocol -fpic -fshort-wchar -fno-reorder-functions -fno-strict-aliasing -fno-merge-constants -mno-red-zone -Wimplicit-function-declaration
+
+ TARGETS = setupsb.efi dumpsb.efi clearpk.efi
+
+--
+2.5.5
+
diff --git a/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch
new file mode 100644
index 0000000..07a09bb
--- /dev/null
+++ b/SOURCES/0005-Allow-aarch64-in-the-rhel-build-macros.patch
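Review bot: In patch 0004 (`Make.defaults`) `BUILDFLAGS := $(CFLAGS) $(ARCH3264) ...` is expanded at the point of assignment, but the same hunk shows `ARCH3264 := -m64` being set further down inside the `ifeq ($(ARCH), x86_64)` block, so `$(ARCH3264)` is empty when BUILDFLAGS is built, whereas the old recursively expanded `CFLAGS = $(ARCH3264) ...` picked it up. Unless ARCH3264 is also defined before this line (not visible here), the word-size flag is dropped from every compile; `BUILDFLAGS = $(CFLAGS) $(ARCH3264) ...` keeps the lazy expansion and still works with the later `BUILDFLAGS +=` lines. Separately, the added `-Wno-unused-result` hides ignored return values in a code base that handles keys and signatures and works against the `-Werror` in `src/Makefile`; fixing the call sites would be the safer route.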
@@ -0,0 +1,28 @@
+From abc2125fad51b2a3889248412ecc654c38d2efbb Mon Sep 17 00:00:00 2001
+From: "d.marlin"
+Date: Wed, 27 Aug 2014 16:26:45 -0400
+Subject: [PATCH 05/15] Allow aarch64 in the rhel build macros.
+
+Signed-off-by: Peter Jones
+---
+ src/macros.pesign | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/macros.pesign b/src/macros.pesign
+index 7faa4a1..39374ce 100644
+--- a/src/macros.pesign
++++ b/src/macros.pesign
+@@ -21,7 +21,9 @@
+ # -a # rhel only
+ # -s # perform signing
+ %pesign(i:o:C:e:c:n:a:s) \
+- if [ -x %{_pesign} -a "%{_target_cpu}" == "x86_64" ]; then \
++ if [ -x %{_pesign} ] && \\\
++ [ "%{_target_cpu}" == "x86_64" -o \\\
++ "%{_target_cpu}" == "aarch64" ]; then \
+ if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then \
+ nss=$(mktemp -p $PWD -d) \
+ echo > ${nss}/pwfile \
+--
+2.5.5
+
diff --git a/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch
new file mode 100644
index 0000000..7e7bec8
--- /dev/null
+++ b/SOURCES/0006-Build-as-PIE-RELRO-binaries.patch
@@ -0,0 +1,59 @@
+From 1d2859fa0e9cad7e0f36fef6ff17b91e10902777 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 2 Sep 2014 11:08:23 -0400
+Subject: [PATCH 06/15] Build as PIE+RELRO binaries.
+
+Resolves: rhbz#1092542
+
+Signed-off-by: Peter Jones
+---
+ Make.defaults | 2 +-
+ libdpe/Makefile | 3 +++
+ src/Makefile | 4 ++--
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index 0995e5b..5ff74ee 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -6,7 +6,7 @@ ARCH := $(shell uname -m | sed s,i[3456789]86,ia32,)
+ INCDIR = -I$(TOPDIR)/include
+ CPPFLAGS = -DCONFIG_$(ARCH)
+ CFLAGS = -g -O0
+-BUILDFLAGS := $(CFLAGS) $(ARCH3264) -fpic -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function
++BUILDFLAGS := $(CFLAGS) $(ARCH3264) -Wall -fshort-wchar -fno-strict-aliasing -fno-merge-constants --std=gnu99 -D_GNU_SOURCE -Wno-unused-result -Wno-unused-function
+ ASFLAGS = $(ARCH3264)
+ LDFLAGS = -nostdlib
+ CCLDFLAGS = -shared
+diff --git a/libdpe/Makefile b/libdpe/Makefile
+index 81d3c0b..a8b0c26 100644
+--- a/libdpe/Makefile
++++ b/libdpe/Makefile
+@@ -5,6 +5,9 @@ SONAME = libdpe.so.0
+
+ include $(TOPDIR)/Make.defaults
+
++BUILDFLAGS += -fPIC
++CCLDFLAGS += -fPIC -Wl,-z,relro,-z,now
++
+ TARGETS = libdpe.so libdpe.a
+ all : $(TARGETS)
+
+diff --git a/src/Makefile b/src/Makefile
+index e45d2a3..766ffe8 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -7,8 +7,8 @@ PKLIBS = nss
+ LIBS = popt
+ STATIC_LIBS = $(TOPDIR)/libdpe/libdpe.a
+ LDFLAGS =
+-CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib)))
+-BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror
++CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now
++BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -fPIE
+
+ TARGETS = pesign authvar client efisiglist efikeygen peverify
+
+--
+2.5.5
+
diff --git a/SOURCES/0007-Fix-some-man-page-errors.patch b/SOURCES/0007-Fix-some-man-page-errors.patch
new file mode 100644
index 0000000..69d5c74
--- /dev/null
+++ b/SOURCES/0007-Fix-some-man-page-errors.patch
@@ -0,0 +1,95 @@
+From 054279b3c15f28513e2d5eefb2035392ec811ca5 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 2 Sep 2014 11:27:58 -0400
+Subject: [PATCH 07/15] Fix some man page errors.
+
+Resolves: rhbz#948850
+
+Signed-off-by: Peter Jones
+---
+ src/pesign-client.1 | 6 +++---
+ src/pesign.1 | 17 ++++++++++++++---
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/src/pesign-client.1 b/src/pesign-client.1
+index 1ccfbb3..9dae89b 100644
+--- a/src/pesign-client.1
++++ b/src/pesign-client.1
+@@ -39,15 +39,15 @@ When using \fB-\-unlock\fR, read the token's PIN from the file \fIpinfile\fR.
+ Sign the binary specified by \fIinfile\fR.
+
+ .TP
+-\fB-\-detached\fR
++\fB-\-export\fR
+ When used with \fB-\-sign\fR, write the signature to \fIoutfile\fR.
+
+ .TP
+-\fB-\-in\fR=\fIinfile\fR
++\fB-\-infile\fR=\fIinfile\fR
+ When used with \fB-\-sign\fR, specify the input binary.
+
+ .TP
+-\fB-\-out\fR=\fIoutfile\fR
++\fB-\-outfile\fR=\fIoutfile\fR
+ When used with \fB-\-sign\fR, specify output file. If \fB-\-detached\fR
+ is specified, this will be a DER-formatted signature. Otherwise, the
+ output will be the signed PE binary.
+diff --git a/src/pesign.1 b/src/pesign.1
+index 0a62e36..03603ca 100644
+--- a/src/pesign.1
++++ b/src/pesign.1
+@@ -5,7 +5,8 @@ pesign \- command line tool for signing UEFI applications
+ .SH SYNOPSIS
+ \fBpesign\fR [--in=\fIinfile\fR | -i \fIinfile\fR]
+ [--out=\fIoutfile\fR | -o \fIoutfile\fR]
+- [--token=\fItoken\fR | -t \fItoken\fR]
++ [--certdir=\fIcertdir/fR | -n \fIcertdir\fR]
++ [--nss-token=\fItoken\fR | -t \fItoken\fR]
+ [--certificate=\fInickname\fR | -c \fInickname\fR]
+ [--force | -f] [--sign | -s] [--hash | -h]
+ [--digest_type=\fIdigest\fR | -d \fIdigest\fR]
+@@ -13,6 +14,7 @@ pesign \- command line tool for signing UEFI applications
+ [--export-pubkey=\fIoutkey\fR | -K \fIoutkey\fR]
+ [--export-cert=\fIoutcert\fR | -C \fIoutcert\fR]
+ [--ascii-armor | -a] [--daemonize | -D] [--nofork | -N]
++ [--signature-number=\fIsignum\fR | -u \fIsignum\fR]
+
+ .SH DESCRIPTION
+ \fBpesign\fR is a command line tool for manipulating signatures and
+@@ -28,7 +30,11 @@ Specify input binary.
+ Specify output binary.
+
+ .TP
+-\fB-\-token\fR=\fItoken\fR
++\fB-\-certdir\fR=\fIcertdir\fR
++Specify nss certificate database directory.
++
++.TP
++\fB-\-nss-token\fR=\fItoken\fR
+ Use the specified NSS token's certificate database.
+
+ .TP
+@@ -51,7 +57,8 @@ Display the cryptographic digest of the input binary on standard output.
+ .TP
+ \fB-\-digest_type\fR=\fIdigest\fR
+ Use the specified digest in hashing and signing operations. By default,
+-this value is "sha256". Use "--digest=help" to list the available digests.
++this value is "sha256". Use "--digest_type=help" to list the available
++digests.
+
+ .TP
+ \fB-\-show-signature\fR
+@@ -62,6 +69,10 @@ Show information about the signature of the input binary.
+ Remove the signature section from the binary.
+
+ .TP
++\fB-\-signature-number\fR=\fIsignum\fR
++Specify which signature to operate on. This field is zero-indexed.
++
++.TP
+ \fB-\-export-pubkey\fR=\fIoutkey\fR
+ Export the public key specified by --certificate to \fIoutkey\fR
+
+--
+2.5.5
+
diff --git a/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch
new file mode 100644
index 0000000..09e2170
--- /dev/null
+++ b/SOURCES/0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch
@@ -0,0 +1,98 @@
+From f1212565b3783564a50f98a652588091a6680908 Mon Sep 17 00:00:00 2001
+From: Pat Riehecky
+Date: Fri, 12 Sep 2014 09:37:07 -0500
+Subject: [PATCH 08/15] A more plugable way of setting ACLs for pesign
+
+The sysvinit script provided with pesign sets ACLS for the pesign/socket
+file for kojibuilder:kojibuilder. The systemd unit, however, does not.
+
+I've built a more general solution for both the sysvinit and systemd
+unit that should allow for greater flexibility and compat behavior.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit 3c2374b57f26f15efa7c883e0fbbbaf3c490d074)
+---
+ src/pesign-authorize-groups | 17 +++++++++++++++++
+ src/pesign-authorize-users | 17 +++++++++++++++++
+ src/pesign.service | 2 ++
+ src/pesign.sysvinit | 6 ++----
+ 4 files changed, 38 insertions(+), 4 deletions(-)
+ create mode 100644 src/pesign-authorize-groups
+ create mode 100644 src/pesign-authorize-users
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+new file mode 100644
+index 0000000..1048904
+--- /dev/null
++++ b/src/pesign-authorize-groups
+@@ -0,0 +1,17 @@
++#!/bin/bash
++
++#
++# With /run/pesign/socket on tmpfs, a simple way of restoring the
++# acls for specific groups is useful
++#
++# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
++#
++
++# License: GPLv2
++
++if [[ -r /etc/pesign/authorize-groups ]]; then
++ for group in $(cat /etc/pesign/authorize-groups); do
++ setfacl -m g:${group}:rx /var/run/pesign
++ setfacl -m g:${group}:rw /var/run/pesign/socket
++ done
++fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+new file mode 100644
+index 0000000..1993570
+--- /dev/null
++++ b/src/pesign-authorize-users
+@@ -0,0 +1,17 @@
++#!/bin/bash
++
++#
++# With /run/pesign/socket on tmpfs, a simple way of restoring the
++# acls for specific users is useful
++#
++# Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
++#
++
++# License: GPLv2
++
++if [[ -r /etc/pesign/authorize-users ]]; then
++ for username in $(cat /etc/pesign/authorize-users); do
++ setfacl -m u:${username}:rx /var/run/pesign
++ setfacl -m u:${username}:rw /var/run/pesign/socket
++ done
++fi
+diff --git a/src/pesign.service b/src/pesign.service
+index 75a73c3..d6a412e 100644
+--- a/src/pesign.service
++++ b/src/pesign.service
+@@ -6,3 +6,5 @@ PrivateTmp=true
+ Type=forking
+ PIDFile=/var/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
++ExecStartPost=/usr/sbin/pesign-authorize-users
++ExecStartPost=/usr/sbin/pesign-authorize-groups
+diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit
+index ea37c58..6f20560 100644
+--- a/src/pesign.sysvinit
++++ b/src/pesign.sysvinit
+@@ -24,10 +24,8 @@ start(){
+ RETVAL=$?
+ echo
+ touch /var/lock/subsys/pesign
+- setfacl -m u:kojibuilder:x /var/run/pesign
+- setfacl -m u:kojibuilder:rw /var/run/pesign/socket
+- setfacl -m g:kojibuilder:x /var/run/pesign
+- setfacl -m g:kojibuilder:rw /var/run/pesign/socket
++ /usr/sbin/pesign-authorize-users
++ /usr/sbin/pesign-authorize-groups
+ }
+
+ stop(){
+--
+2.5.5
+
diff --git a/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch
new file mode 100644
index 0000000..1a3fd99
--- /dev/null
+++ b/SOURCES/0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch
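Review bot: In patch 0008 both new scripts (`src/pesign-authorize-groups` and `src/pesign-authorize-users`) read their list with `for ... in $(cat ...)` and pass `${group}` / `${username}` unquoted into the ACL spec, so every entry is word-split and glob-expanded, and any entry containing `:` or `,` becomes part of the `setfacl -m` argument instead of a name. The list files are meant to be root-owned, but they are the access list for a signing socket, so each entry should be read as one line, matched against a plain-name pattern and quoted. The same loop shape is carried unchanged through patches 0009 to 0013, which edit these scripts. A sketch for the groups script follows; it accepts one name per line, which is stricter than the current whitespace splitting.

```shell
if [[ -r /etc/pesign/authorize-groups ]]; then
    while IFS= read -r group; do
        # accept only plain group names; skip blanks and anything with ':' or ','
        [[ ${group} =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]] || continue
        setfacl -m "g:${group}:rx" /var/run/pesign
        setfacl -m "g:${group}:rw" /var/run/pesign/socket
    done < /etc/pesign/authorize-groups
fi
```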
@@ -0,0 +1,66 @@
+From fc08bd9a51b4bf576f7d6c1df6fb3f3d8dba26c1 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Tue, 9 Jun 2015 16:00:00 -0400
+Subject: [PATCH 09/15] Add "install" targets for 3c2374b and make the
+ filenames a little nicer.
+
+Related: rhbz#1141263
+
+Signed-off-by: Peter Jones
+(cherry picked from commit 95195477dac72d4fcc09726314da4a8dd3552d49)
+---
+ src/Makefile | 6 ++++++
+ src/pesign-authorize-groups | 4 ++--
+ src/pesign-authorize-users | 4 ++--
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/src/Makefile b/src/Makefile
+index 766ffe8..6b1e582 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -72,6 +72,12 @@ install_systemd:
+ $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/
+ $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/
++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/sbin/
++ $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-users
++ $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-groups
++ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
++ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
++ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+
+ install_sysvinit:
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 1048904..e3864ce 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -9,8 +9,8 @@
+
+ # License: GPLv2
+
+-if [[ -r /etc/pesign/authorize-groups ]]; then
+- for group in $(cat /etc/pesign/authorize-groups); do
++if [[ -r /etc/pesign/groups ]]; then
++ for group in $(cat /etc/pesign/groups); do
+ setfacl -m g:${group}:rx /var/run/pesign
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ done
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 1993570..e500204 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -9,8 +9,8 @@
+
+ # License: GPLv2
+
+-if [[ -r /etc/pesign/authorize-users ]]; then
+- for username in $(cat /etc/pesign/authorize-users); do
++if [[ -r /etc/pesign/users ]]; then
++ for username in $(cat /etc/pesign/users); do
+ setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rw /var/run/pesign/socket
+ done
+--
+2.5.5
+
diff --git a/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
new file mode 100644
index 0000000..5ea0513
--- /dev/null
+++ b/SOURCES/0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch
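Review bot: In patch 0009 (`src/Makefile`) the helper scripts and `/etc/pesign` are installed only under `install_systemd`, yet patch 0008 made `pesign.sysvinit` call the same two scripts; as far as the hunks show, `install_sysvinit` still installs just the init script, so a sysvinit install starts the daemon and then applies no ACLs. The script and `/etc/pesign` install lines belong in `install_sysvinit` as well, or in a shared target both depend on. Also, `$(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users` (and the `groups` line) replaces an existing list with an empty file whenever the target is run against a populated root; creating the files only when they are absent would keep the authorized accounts across a reinstall.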
@@ -0,0 +1,40 @@
+From 82cf315182deacdc488b465cb50d8c0d692f4dcc Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Thu, 19 Nov 2015 11:36:59 -0500
+Subject: [PATCH 10/15] setfacl the nss DBs to our authorized users, not just
+ the socket.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit 1a9a8eefe8f9a9b21996151a5afd956df22921ea)
+---
+ src/pesign-authorize-groups | 2 ++
+ src/pesign-authorize-users | 2 ++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index e3864ce..2236bea 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/groups ]]; then
+ for group in $(cat /etc/pesign/groups); do
+ setfacl -m g:${group}:rx /var/run/pesign
+ setfacl -m g:${group}:rw /var/run/pesign/socket
++ setfacl -m g:${username}:rx /etc/pki/pesign
++ setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index e500204..9c38a25 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -13,5 +13,7 @@ if [[ -r /etc/pesign/users ]]; then
+ for username in $(cat /etc/pesign/users); do
+ setfacl -m u:${username}:rx /var/run/pesign
+ setfacl -m u:${username}:rw /var/run/pesign/socket
++ setfacl -m u:${username}:rx /etc/pki/pesign
++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+ done
+ fi
+--
+2.5.5
+
diff --git a/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
new file mode 100644
index 0000000..b0b0ef9
--- /dev/null
+++ b/SOURCES/0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch
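Review bot: Patch 0010 gives every account listed in `/etc/pesign/users` and `/etc/pesign/groups` direct read access to `key3.db`, the NSS private-key database, on top of the socket, and the commit message does not say why a client that reaches the daemon through `/var/run/pesign/socket` needs the key files themselves. If the grant exists only for accounts that run `pesign` directly, the script header should say so, and a separate list would keep socket-only clients away from the database. Patch 0012 re-adds the same grant and patch 0013 widens it to `rw` for every `/etc/pki/pesign*` directory, so the question applies there too.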
@@ -0,0 +1,55 @@
+From 4bf644cdc1908aaa04de304174d985665de5947d Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 20 Nov 2015 19:19:49 -0500
+Subject: [PATCH 11/15] Don't setfacl when the socket or dir aren't there.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit 4c70ae807156099bf027b57a94b7eae0a810b947)
+---
+ src/pesign-authorize-groups | 10 ++++++----
+ src/pesign-authorize-users | 10 ++++++----
+ 2 files changed, 12 insertions(+), 8 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2236bea..2222809 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -11,9 +11,11 @@
+
+ if [[ -r /etc/pesign/groups ]]; then
+ for group in $(cat /etc/pesign/groups); do
+- setfacl -m g:${group}:rx /var/run/pesign
+- setfacl -m g:${group}:rw /var/run/pesign/socket
+- setfacl -m g:${username}:rx /etc/pki/pesign
+- setfacl -m g:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ if [ -d /var/run/pesign ]; then
++ setfacl -m g:${group}:rx /var/run/pesign
++ if [ -e /var/run/pesign/socket ]; then
++ setfacl -m g:${group}:rw /var/run/pesign/socket
++ fi
++ fi
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 9c38a25..22bddec 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -11,9 +11,11 @@
+
+ if [[ -r /etc/pesign/users ]]; then
+ for username in $(cat /etc/pesign/users); do
+- setfacl -m u:${username}:rx /var/run/pesign
+- setfacl -m u:${username}:rw /var/run/pesign/socket
+- setfacl -m u:${username}:rx /etc/pki/pesign
+- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ if [ -d /var/run/pesign ]; then
++ setfacl -m g:${username}:rx /var/run/pesign
++ if [ -e /var/run/pesign/socket ]; then
++ setfacl -m g:${username}:rw /var/run/pesign/socket
++ fi
++ fi
+ done
+ fi
+--
+2.5.5
+
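Review bot: In patch 0011, when `/var/run/pesign` or the socket is missing both scripts skip the `setfacl` calls and still exit 0, so a start-up in which the socket has not been created by the time the `ExecStartPost` scripts run leaves the listed accounts without access and nothing in the log explains why. An `else` branch that reports it, e.g. `echo "pesign: /var/run/pesign/socket missing, ACLs not applied" >&2`, would make that case diagnosable instead of silent.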
diff --git a/SOURCES/0012-setfacl-the-db-as-well.patch b/SOURCES/0012-setfacl-the-db-as-well.patch
new file mode 100644
index 0000000..f5e4c7d
--- /dev/null
+++ b/SOURCES/0012-setfacl-the-db-as-well.patch
@@ -0,0 +1,52 @@
+From cdca8c5dfeee969267dacc5846d8c11e84c2fcfe Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Fri, 20 Nov 2015 19:21:39 -0500
+Subject: [PATCH 12/15] setfacl the db as well
+
+And also get all our "-m [ug]:${name}:$perm" arguments right.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit f7a16f89f3ed327d3e2f4ce897917c2966fb427d)
+---
+ src/pesign-authorize-groups | 4 ++++
+ src/pesign-authorize-users | 8 ++++++--
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 2222809..13aefa6 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -17,5 +17,9 @@ if [[ -r /etc/pesign/groups ]]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
++ if [ -d /etc/pki/pesign ]; then
++ setfacl -m g:${group}:rx /etc/pki/pesign
++ setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ fi
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 22bddec..a43ce44 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -12,10 +12,14 @@
+ if [[ -r /etc/pesign/users ]]; then
+ for username in $(cat /etc/pesign/users); do
+ if [ -d /var/run/pesign ]; then
+- setfacl -m g:${username}:rx /var/run/pesign
++ setfacl -m u:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+- setfacl -m g:${username}:rw /var/run/pesign/socket
++ setfacl -m u:${username}:rw /var/run/pesign/socket
+ fi
+ fi
++ if [ -d /etc/pki/pesign ]; then
++ setfacl -m u:${username}:rx /etc/pki/pesign
++ setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
++ fi
+ done
+ fi
+--
+2.5.5
+
diff --git a/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch
new file mode 100644
index 0000000..c1fb088
--- /dev/null
+++ b/SOURCES/0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch
@@ -0,0 +1,92 @@
+From 9cd3272fc54f7941f347c4ec9e15176c2ed7da36 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 20 Apr 2016 11:44:08 -0400
+Subject: [PATCH 13/15] Improve our setfacl scripts for database and socket
+ ownership.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit a90c967205733c35a97c0c3e67131fa9b5b935fc)
+---
+ src/pesign-authorize-groups | 15 ++++++++++-----
+ src/pesign-authorize-users | 19 ++++++++++++-------
+ 2 files changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index 13aefa6..a4f895e 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -1,4 +1,5 @@
+ #!/bin/bash
++set -e
+
+ #
+ # With /run/pesign/socket on tmpfs, a simple way of restoring the
+@@ -9,7 +10,7 @@
+
+ # License: GPLv2
+
+-if [[ -r /etc/pesign/groups ]]; then
++if [ -r /etc/pesign/groups ]; then
+ for group in $(cat /etc/pesign/groups); do
+ if [ -d /var/run/pesign ]; then
+ setfacl -m g:${group}:rx /var/run/pesign
+@@ -17,9 +18,13 @@ if [[ -r /etc/pesign/groups ]]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
+- if [ -d /etc/pki/pesign ]; then
+- setfacl -m g:${group}:rx /etc/pki/pesign
+- setfacl -m g:${group}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+- fi
++ for x in /etc/pki/pesign* ; do
++ if [ -d ${x} ]; then
++ setfacl -m g:${group}:rx /etc/pki/pesign
++ for y in ${x}/{cert8,key3,secmod}.db ; do
++ setfacl -m g:${group}:rw ${y}
++ done
++ fi
++ done
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index a43ce44..8b9a885 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -1,4 +1,5 @@
+ #!/bin/bash
++set -e
+
+ #
+ # With /run/pesign/socket on tmpfs, a simple way of restoring the
+@@ -9,17 +10,21 @@
+
+ # License: GPLv2
+
+-if [[ -r /etc/pesign/users ]]; then
++if [ -r /etc/pesign/users ]; then
+ for username in $(cat /etc/pesign/users); do
+ if [ -d /var/run/pesign ]; then
+- setfacl -m u:${username}:rx /var/run/pesign
++ setfacl -m g:${username}:rx /var/run/pesign
+ if [ -e /var/run/pesign/socket ]; then
+- setfacl -m u:${username}:rw /var/run/pesign/socket
++ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
+- if [ -d /etc/pki/pesign ]; then
+- setfacl -m u:${username}:rx /etc/pki/pesign
+- setfacl -m u:${username}:r /etc/pki/pesign/{cert8,key3,secmod}.db
+- fi
++ for x in /etc/pki/pesign* ; do
++ if [ -d ${x} ]; then
++ setfacl -m g:${username}:rx /etc/pki/pesign
++ for y in ${x}/{cert8,key3,secmod}.db ; do
++ setfacl -m g:${username}:rw ${y}
++ done
++ fi
++ done
+ done
+ fi
+--
+2.5.5
+
diff --git a/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch
new file mode 100644
index 0000000..d6043f7
--- /dev/null
+++ b/SOURCES/0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch
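Review bot: In patch 0013 the users script (`src/pesign-authorize-users`) changes every `setfacl -m u:${username}:...` to `g:${username}:...`, undoing the correction made in patch 0012, so names from `/etc/pesign/users` are applied as group entries; with `set -e` now at the top, the first name that is not also a group makes `setfacl` fail and stops the script before later entries are processed. Those lines should read `setfacl -m u:${username}:rx /var/run/pesign`, with `u:` likewise on the socket and database lines. In both scripts the directory ACL inside `for x in /etc/pki/pesign*` is still applied to the literal `/etc/pki/pesign` rather than `${x}`, so other matching directories get file ACLs but no search permission on the directory itself. The inner `for y in ${x}/{cert8,key3,secmod}.db` also calls `setfacl` on names that may not exist, which under `set -e` aborts the run; a guard such as `[ -e "${y}" ] || continue` would match the existence checks already used for the socket.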
@@ -0,0 +1,124 @@
+From 0c973c36bf25a863db868d518265b5e7ee722764 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Wed, 10 Jun 2015 14:56:38 -0400
+Subject: [PATCH 14/15] Make pesign-authorize-{users,groups} not be in sbin.
+
+If it's in sbin, it needs a man page. On fedora/rhel it should go in
+libexec, on debian probably /usr/share someplace. This change puts it
+in libexec and makes it so you can put that wherever you like by doing:
+
+make libexecdir=/usr/share all
+make libexecdir=/usr/share install install_systemd
+
+or similar.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit 8854461314f1d908dfb3e46a1654b731709df309)
+---
+ Make.defaults | 3 ++-
+ src/Makefile | 16 ++++++++++------
+ src/{pesign.service => pesign.service.in} | 4 ++--
+ src/{pesign.sysvinit => pesign.sysvinit.in} | 4 ++--
+ 4 files changed, 16 insertions(+), 11 deletions(-)
+ rename src/{pesign.service => pesign.service.in} (55%)
+ rename src/{pesign.sysvinit => pesign.sysvinit.in} (92%)
+
+diff --git a/Make.defaults b/Make.defaults
+index 5ff74ee..125487e 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -12,7 +12,8 @@ LDFLAGS = -nostdlib
+ CCLDFLAGS = -shared
+ INSTALL = install
+ # XXX this is broken
+-bindir = /usr/bin/
++bindir = $(PREFIX)/bin/
++libexecdir = $(PREFIX)/libexec
+
+ CC = $(bindir)gcc
+ AS = $(bindir)as
+diff --git a/src/Makefile b/src/Makefile
+index 6b1e582..41a622f 100644
+--- a/src/Makefile
++++ b/src/Makefile
+@@ -10,7 +10,8 @@ LDFLAGS =
+ CCLDFLAGS = -L../libdpe $(foreach pklib,$(PKLIBS), $(shell pkg-config --libs-only-L $(pklib))) -pie -fPIE -Wl,-z,relro,-z,now
+ BUILDFLAGS += -I../include/ $(foreach pklib,$(PKLIBS), $(shell pkg-config --cflags $(pklib))) -Werror -fPIE
+
+-TARGETS = pesign authvar client efisiglist efikeygen peverify
++TARGETS = pesign authvar client efisiglist efikeygen peverify \
++ pesign.service pesign.sysvinit
+
+ all : $(TARGETS)
+
+@@ -57,6 +58,9 @@ fuzzsocket : $(fuzzsocket_OBJECTS) -lrt
+ DEPS = $(generic_DEPS) $(authvar_DEPS) $(pesign_DEPS) $(client_DEPS) \
+ $(peverify_DEPS) $(efisiglist_DEPS) $(efikeygen_DEPS)
+
++pesign.sysvinit pesign.service : % : %.in
++ sed -e "s,@@LIBEXECDIR@@,$(libexecdir),g" $< > $@
++
+ deps : $(DEPS)
+
+ depclean :
+@@ -67,19 +71,19 @@ depclean :
+ clean : depclean
+ @rm -rfv *.o *.a *.so $(TARGETS)
+
+-install_systemd:
++install_systemd: pesign.service
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/tmpfiles.d/
+ $(INSTALL) -m 644 tmpfiles.conf $(INSTALLROOT)/usr/lib/tmpfiles.d/pesign.conf
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/usr/lib/systemd/system/
+ $(INSTALL) -m 644 pesign.service $(INSTALLROOT)/usr/lib/systemd/system/
+- $(INSTALL) -d -m 755 $(INSTALLROOT)$(PREFIX)/sbin/
+- $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-users
+- $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(PREFIX)/sbin/pesign-authorize-groups
++ $(INSTALL) -d -m 755 $(INSTALLROOT)$(libexecdir)/pesign/
++ $(INSTALL) -m 755 pesign-authorize-users $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-users
++ $(INSTALL) -m 755 pesign-authorize-groups $(INSTALLROOT)$(libexecdir)/pesign/pesign-authorize-groups
+ $(INSTALL) -d -m 700 $(INSTALLROOT)/etc/pesign
+ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/users
+ $(INSTALL) -m 600 /dev/null $(INSTALLROOT)/etc/pesign/groups
+
+-install_sysvinit:
++install_sysvinit: pesign.sysvinit
+ $(INSTALL) -d -m 755 $(INSTALLROOT)/etc/rc.d/init.d/
+ $(INSTALL) -m 755 pesign.sysvinit $(INSTALLROOT)/etc/rc.d/init.d/pesign
+
+diff --git a/src/pesign.service b/src/pesign.service.in
+similarity index 55%
+rename from src/pesign.service
+rename to src/pesign.service.in
+index d6a412e..aaa408e 100644
+--- a/src/pesign.service
++++ b/src/pesign.service.in
+@@ -6,5 +6,5 @@ PrivateTmp=true
+ Type=forking
+ PIDFile=/var/run/pesign.pid
+ ExecStart=/usr/bin/pesign --daemonize
+-ExecStartPost=/usr/sbin/pesign-authorize-users
+-ExecStartPost=/usr/sbin/pesign-authorize-groups
++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-users
++ExecStartPost=@@LIBEXECDIR@@/pesign/pesign-authorize-groups
+diff --git a/src/pesign.sysvinit b/src/pesign.sysvinit.in
+similarity index 92%
+rename from src/pesign.sysvinit
+rename to src/pesign.sysvinit.in
+index 6f20560..d8fffca 100644
+--- a/src/pesign.sysvinit
++++ b/src/pesign.sysvinit.in
+@@ -24,8 +24,8 @@ start(){
+ RETVAL=$?
+ echo
+ touch /var/lock/subsys/pesign
+- /usr/sbin/pesign-authorize-users
+- /usr/sbin/pesign-authorize-groups
++ @@LIBEXECDIR@@/pesign/pesign-authorize-users
++ @@LIBEXECDIR@@/pesign/pesign-authorize-groups
+ }
+
+ stop(){
+--
+2.5.5
+
diff --git a/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch
new file mode 100644
index 0000000..ba46426
--- /dev/null
+++ b/SOURCES/0015-Actually-setfacl-each-directory-of-our-key-storage.patch
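Review bot: In the Make.defaults hunk, `bindir = $(PREFIX)/bin/` now feeds the unchanged context lines `CC = $(bindir)gcc` and `AS = $(bindir)as`, so the install prefix also decides which compiler and assembler binaries the build executes. For a tool that signs boot binaries the toolchain location should not follow an install-time variable; resolving the tools independently, for example `CC ?= gcc` and `AS ?= as`, keeps a PREFIX override from redirecting the build to whatever sits under that directory. Where PREFIX gets its default is not visible in this hunk, so if it can be empty the result would be `/bin/gcc`. In pesign.service.in the helper paths are templated with `@@LIBEXECDIR@@` while `ExecStart=/usr/bin/pesign` stays hard-coded, so a short comment there saying the daemon path is intentionally fixed would help.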
@@ -0,0 +1,51 @@
+From 0df758bbb282f9d4a81818b6f7816eb0eb663519 Mon Sep 17 00:00:00 2001
+From: Peter Jones
+Date: Mon, 16 May 2016 15:25:53 -0400
+Subject: [PATCH 15/15] Actually setfacl /each/ directory of our key storage.
+
+Signed-off-by: Peter Jones
+(cherry picked from commit f0c285fe74f00402acb72cb4ae91891006e9cfa4)
+---
+ src/pesign-authorize-groups | 6 +++---
+ src/pesign-authorize-users | 6 +++---
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/pesign-authorize-groups b/src/pesign-authorize-groups
+index a4f895e..cf51fb6 100644
+--- a/src/pesign-authorize-groups
++++ b/src/pesign-authorize-groups
+@@ -18,10 +18,10 @@ if [ -r /etc/pesign/groups ]; then
+ setfacl -m g:${group}:rw /var/run/pesign/socket
+ fi
+ fi
+- for x in /etc/pki/pesign* ; do
++ for x in /etc/pki/pesign*/ ; do
+ if [ -d ${x} ]; then
+- setfacl -m g:${group}:rx /etc/pki/pesign
+- for y in ${x}/{cert8,key3,secmod}.db ; do
++ setfacl -m g:${group}:rx ${x}
++ for y in ${x}{cert8,key3,secmod}.db ; do
+ setfacl -m g:${group}:rw ${y}
+ done
+ fi
+diff --git a/src/pesign-authorize-users b/src/pesign-authorize-users
+index 8b9a885..940138e 100644
+--- a/src/pesign-authorize-users
++++ b/src/pesign-authorize-users
+@@ -18,10 +18,10 @@ if [ -r /etc/pesign/users ]; then
+ setfacl -m g:${username}:rw /var/run/pesign/socket
+ fi
+ fi
+- for x in /etc/pki/pesign* ; do
++ for x in /etc/pki/pesign*/ ; do
+ if [ -d ${x} ]; then
+- setfacl -m g:${username}:rx /etc/pki/pesign
+- for y in ${x}/{cert8,key3,secmod}.db ; do
++ setfacl -m g:${username}:rx ${x}
++ for y in ${x}{cert8,key3,secmod}.db ; do
+ setfacl -m g:${username}:rw ${y}
+ done
+ fi
+--
+2.5.5
+
diff --git a/SPECS/pesign.spec b/SPECS/pesign.spec
new file mode 100644
index 0000000..0223bb4
--- /dev/null
+++ b/SPECS/pesign.spec
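Review bot: The inner loop `for y in ${x}{cert8,key3,secmod}.db` is a brace expansion rather than a glob, so it yields all three names whether or not the files exist. With the `set -e` that patch 13 put at the top of both scripts, a directory matching `/etc/pki/pesign*/` that lacks one of the databases makes setfacl fail and ends the script before the remaining directories and names are processed. Guarding and quoting would avoid that: `for y in "${x}"{cert8,key3,secmod}.db ; do` followed by `[ -e "${y}" ] || continue`. The glob also extends the `rw` grant to every sibling directory whose name begins with `pesign`, so a comment naming the directories it is meant to cover would help anyone auditing access to the key databases. The same applies to the matching lines in src/pesign-authorize-users.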
@@ -0,0 +1,312 @@ +Summary: Signing utility for UEFI binaries +Name: pesign +Version: 0.109 +Release: 10%{?dist} +Group: Development/System +License: GPLv2 +URL: https://github.com/vathpela/pesign +BuildRequires: git gnu-efi gnu-efi-devel nspr nss nss-util popt-devel +BuildRequires: coolkey opensc nss-tools +BuildRequires: nspr-devel >= 4.9.2-1 +BuildRequires: nss-devel >= 3.13.6-1 +Requires: nspr nss nss-util nss-tools popt rpm coolkey opensc +Requires(pre): shadow-utils +ExclusiveArch: x86_64 aarch64 + +# there is no tarball at github, of course. To get this version do: +# git clone https://github.com/vathpela/pesign.git +# git checkout %%{version} +Source0: pesign-%{version}.tar.bz2 +Source1: rh-test-certs.tar.bz2 +Patch0001: 0001-Use-the-right-signing-method-on-the-RHEL-signing-mac.patch +Patch0002: 0002-Fix-error-detected-by-coverity.patch +Patch0003: 0003-One-more-tweak-for-RHEL-signing-rules.patch +Patch0004: 0004-Changes-to-make-sure-we-inherit-CFLAGS-properly-from.patch +Patch0005: 0005-Allow-aarch64-in-the-rhel-build-macros.patch +Patch0006: 0006-Build-as-PIE-RELRO-binaries.patch +Patch0007: 0007-Fix-some-man-page-errors.patch +Patch0008: 0008-A-more-plugable-way-of-setting-ACLs-for-pesign.patch +Patch0009: 0009-Add-install-targets-for-3c2374b-and-make-the-filenam.patch +Patch0010: 0010-setfacl-the-nss-DBs-to-our-authorized-users-not-just.patch +Patch0011: 0011-Don-t-setfacl-when-the-socket-or-dir-aren-t-there.patch +Patch0012: 0012-setfacl-the-db-as-well.patch +Patch0013: 0013-Improve-our-setfacl-scripts-for-database-and-socket-.patch +Patch0014: 0014-Make-pesign-authorize-users-groups-not-be-in-sbin.patch +Patch0015: 0015-Actually-setfacl-each-directory-of-our-key-storage.patch + +%description +This package contains the pesign utility for signing UEFI binaries as +well as other associated tools. + +%prep +%setup -q -a 1 +git init +git config user.email "pesign-owner@fedoraproject.org" +git config user.name "Fedora Ninjas" +git add . 
+git commit -a -q -m "%{version} baseline." +git am %{patches} = 7 || 0%{?fedora} >= 17 +make PREFIX=%{_prefix} LIBDIR=%{_libdir} INSTALLROOT=%{buildroot} \ + install_systemd +%endif + +# there's some stuff that's not really meant to be shipped yet +rm -rf %{buildroot}/boot %{buildroot}/usr/include +rm -rf %{buildroot}%{_libdir}/libdpe* +mv rh-test-certs/etc/pki/pesign/* %{buildroot}/etc/pki/pesign/ + +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add coolkey \ +# -libfile %{_libdir}/pkcs11/libcoolkeypk11.so +#modutil -force -dbdir %{buildroot}/etc/pki/pesign -add opensc \ +# -libfile %{_libdir}/pkcs11/opensc-pkcs11.so + +%clean +rm -rf %{buildroot} + +%pre +getent group pesign >/dev/null || groupadd -r pesign +getent passwd pesign >/dev/null || \ + useradd -r -g pesign -d /var/run/pesign -s /sbin/nologin \ + -c "Group for the pesign signing daemon" pesign +exit 0 + +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%post +%systemd_post pesign.service + +%preun +%systemd_preun pesign.service + +%postun +%systemd_postun_with_restart pesign.service +%endif + +%files +%defattr(-,root,root,-) +%doc README TODO COPYING +%{_bindir}/pesign +%{_bindir}/pesign-client +%{_bindir}/efikeygen +%{_sysconfdir}/popt.d/pesign.popt +%{_sysconfdir}/rpm/macros.pesign +%{_libexecdir}/pesign/pesign-authorize-users +%{_libexecdir}/pesign/pesign-authorize-groups +%config(noreplace)/%{_sysconfdir}/pesign/users +%config(noreplace)/%{_sysconfdir}/pesign/groups +%{_mandir}/man*/* +%dir %attr(0775,pesign,pesign) /etc/pki/pesign +%attr(0664,pesign,pesign) /etc/pki/pesign/* +%dir %attr(0770, pesign, pesign) %{_localstatedir}/run/%{name} +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/socket +%ghost %attr(0660, -, -) %{_localstatedir}/run/%{name}/pesign.pid +%if 0%{?rhel} >= 7 || 0%{?fedora} >= 17 +%{_prefix}/lib/tmpfiles.d/pesign.conf +%{_unitdir}/pesign.service +%endif + +%changelog +* Mon May 16 2016 Peter Jones - - 0.109-10 +- Add support for /etc/pesign/users and /etc/pesign/groups + 
Resolves: rhbz#1141263 + +* Tue Sep 02 2014 Peter Jones - 0.109-9 +- Fix man page errors. + Resolves: rhbz#948850 + +* Tue Sep 02 2014 Peter Jones - 0.109-9 +- Build as PIE+RELRO binaries. + Resolves: rhbz#1092542 + +* Wed Aug 27 2014 Peter Jones - 0.109-8 +- Include aarch64 in the rpm macro + Related: rhbz#1100042 + +* Wed Aug 27 2014 Peter Jones - 0.109-7 +- Add aarch64. + Resolves: rhbz#1100042 + +* Thu Mar 20 2014 Peter Jones - 0.109-6 +- Make sure CFLAGS is inherited properly for -fstack-protector-strong. + Resolves: rhbz#1070782 + +* Fri Dec 27 2013 Daniel Mach - 0.109-5 +- Mass rebuild 2013-12-27 + +* Tue Oct 29 2013 Peter Jones - 0.109-4 +- Tweak the signing rules just a bit more. + Related: rhbz1017857 + +* Fri Oct 25 2013 Peter Jones - 0.109-3 +- Update to fix a bug coverity found. + Related: rhbz1017857 + +* Fri Oct 25 2013 Peter Jones - 0.109-2 +- Fix the pesign macro for RHEL packages. + Related: rhbz1017857 + +* Wed Oct 09 2013 Peter Jones - 0.109-1 +- Update to 0.109 + Related: rhbz#893260 + +* Tue Oct 08 2013 Peter Jones - 0.106-6 +- Don't create a new certificate database when signing on RHEL. + +* Wed Aug 07 2013 Peter Jones - 0.106-5 +- Use --force with sattrs blob from mktemp() +- Error if we get a zero-sized signed file result + +* Wed Aug 07 2013 Peter Jones - 0.106-4 +- Don't require ascii mode for RHEL CA/signer cert import. + +* Tue Aug 06 2013 Peter Jones - 0.106-3 +- More work on the RHEL %%pesign macro + +* Tue Aug 06 2013 Peter Jones - 0.106-2 +- Add rhel %%pesign macro definitions. + +* Tue May 21 2013 Peter Jones - 0.106-1 +- Update to 0.106 +- Hopefully fix the segfault dgilmore was seeing. + +* Mon May 20 2013 Peter Jones - 0.105-1 +- Various bug fixes. 
+ +* Wed May 15 2013 Peter Jones - 0.104-1 +- Make sure alignment is correct on signature list entries + Resolves: rhbz#963361 +- Make sure section alignment is correct if we have to extend the file + +* Wed Feb 06 2013 Peter Jones - 0.103-2 +- Conditionalize systemd bits so they don't show up in RHEL 6 builds + +* Tue Feb 05 2013 Peter Jones - 0.103-1 +- One more compiler problem. Let's expect a few more, shall we? + +* Tue Feb 05 2013 Peter Jones - 0.102-1 +- Don't use --std=gnu11 because we have to work on RHEL 6 builders. + +* Mon Feb 04 2013 Peter Jones - 0.101-1 +- Update to 0.101 to fix more "pesign -E" issues. + +* Fri Nov 30 2012 Peter Jones - 0.100-1 +- Fix insertion of signatures from a file. + +* Mon Nov 26 2012 Matthew Garrett - 0.99-9 +- Add a patch needed for new shim builds + +* Fri Oct 19 2012 Peter Jones - 0.99-8 +- Get the Fedora signing token name right. + +* Fri Oct 19 2012 Peter Jones +- Add coolkey and opensc modules to pki database during %%install. + +* Fri Oct 19 2012 Peter Jones - 0.99-7 +- setfacl u:kojibuilder:rw /var/run/pesign/socket +- Fix command line checking in client +- Add client stdin pin reading. + +* Thu Oct 18 2012 Peter Jones - 0.99-6 +- Automatically select daemon as signer when using rpm macros. + +* Thu Oct 18 2012 Peter Jones - 0.99-5 +- Make it work on the -el6 branch as well. + +* Wed Oct 17 2012 Peter Jones - 0.99-4 +- Fix some more bugs found by valgrind and coverity. +- Don't build utils/ ; we're not using them and they're not ready anyway. + +* Wed Oct 17 2012 Peter Jones - 0.99-3 +- Fix daemon startup bug from 0.99-2 + +* Wed Oct 17 2012 Peter Jones - 0.99-2 +- Fix various bugs from 0.99-1 +- Don't make the database unreadable just yet. + +* Mon Oct 15 2012 Peter Jones - 0.99-1 +- Update to 0.99 +- Add documentation for client/server mode. +- Add --pinfd and --pinfile to server mode. + +* Fri Oct 12 2012 Peter Jones - 0.98-1 +- Update to 0.98 +- Add client/server mode. 
+ +* Mon Oct 01 2012 Peter Jones - 0.10-5 +- Fix missing section address fixup. + +* Wed Aug 15 2012 Peter Jones - 0.10-4 +- Make macros.pesign even better (and make it work right for i686 packages) + +* Tue Aug 14 2012 Peter Jones - 0.10-3 +- Only sign things on x86_64; all else ignore gracefully. + +* Tue Aug 14 2012 Peter Jones - 0.10-2 +- Make macros.pesign more reliable + +* Mon Aug 13 2012 Peter Jones - 0.10-1 +- Update to 0.10 +- Include rpm macros to support easy custom signing of signed packages. + +* Fri Aug 10 2012 Peter Jones - 0.9-1 +- Update to 0.9 +- Bug fix from Gary Ching-Pang Lin +- Support NSS Token selection for use with smart cards. + +* Wed Aug 08 2012 Peter Jones - 0.8-1 +- Update to 0.8 +- Don't open the db read-write +- Fix permissions on keystore (everybody can sign with test keys) + +* Wed Aug 08 2012 Peter Jones - 0.7-2 +- Include test keys. + +* Mon Jul 30 2012 Peter Jones - 0.7-1 +- Update to 0.7 +- Better fix for MS compatibility. + +* Mon Jul 30 2012 Peter Jones - 0.6-1 +- Update to 0.6 +- Bug-for-bug compatibility with signtool.exe . + +* Fri Jul 20 2012 Fedora Release Engineering - 0.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Wed Jul 11 2012 Peter Jones - 0.5-1 +- Rebase to 0.5 +- Do more rigorous bounds checking when hashing a new binary. + +* Tue Jul 10 2012 Peter Jones - 0.3-2 +- Rebase to 0.4 + +* Fri Jun 22 2012 Peter Jones - 0.3-2 +- Move man page to a more reasonable place. + +* Fri Jun 22 2012 Peter Jones - 0.3-1 +- Update to upstream's 0.3 . + +* Thu Jun 21 2012 Peter Jones - 0.2-4 +- Do not build with smp flags. + +* Thu Jun 21 2012 Peter Jones - 0.2-3 +- Make it build on i686, though it's unclear it'll ever be necessary. + +* Thu Jun 21 2012 Peter Jones - 0.2-2 +- Fix compile problem with f18's compiler. + +* Thu Jun 21 2012 Peter Jones - 0.2-1 +- Fix some rpmlint complaints nirik pointed out +- Add popt-devel build dep + +* Fri Jun 15 2012 Peter Jones - 0.1-1 +- First version of SRPM.