diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5f094c1
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/sscg-2.3.3-stripped.tar.xz
diff --git a/.sscg.metadata b/.sscg.metadata
new file mode 100644
index 0000000..7151dd4
--- /dev/null
+++ b/.sscg.metadata
@@ -0,0 +1 @@
+6e880fc36f7d1ebf4a9668dbcb9276b3afcb2904 SOURCES/sscg-2.3.3-stripped.tar.xz
diff --git a/SOURCES/0001-Generate-manpage.patch b/SOURCES/0001-Generate-manpage.patch
new file mode 100644
index 0000000..f19bc36
--- /dev/null
+++ b/SOURCES/0001-Generate-manpage.patch
@@ -0,0 +1,56 @@
+From 71e2451c6ba4d5f17de9e24687b66b93f2e58954 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Mon, 17 Sep 2018 09:58:25 -0400
+Subject: [PATCH 1/4] Generate manpage
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ meson.build | 22 +++++++++++++++++++++-
+ 1 file changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/meson.build b/meson.build
+index e6f33475cce6891d17656bcd10e1afabd43bdc07..a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c 100644
+--- a/meson.build
++++ b/meson.build
+@@ -5,11 +5,11 @@ project('sscg', 'c',
+ 'c_std=gnu99',
+ 'warning_level=1',
+ 'b_asneeded=true',
+ ],
+ license : 'MIT',
+- meson_version : '>=0.36.0')
++ meson_version : '>=0.40.0')
+
+ cc = meson.get_compiler('c')
+ test_cflags = [
+ '-Wpointer-arith',
+ '-Wmissing-declarations',
+@@ -139,5 +139,25 @@ cdata.set('version', meson.project_version())
+ configure_file(
+ input : 'config.h.in',
+ output : 'config.h',
+ configuration : cdata)
+
++# Generate a manpage from the POPT documentation
++help2man = find_program('help2man')
++
++manpage = custom_target('manpage',
++ output : 'sscg.8',
++ capture : true,
++ command : [
++ help2man,
++ '-s', '8',
++ '-n', 'Tool for generating x.509 certificates',
++ '-N',
++ sscg,
++ ],
++ install : true,
++ build_by_default : true,
++ install_dir : join_paths(
++ get_option('prefix'),
++ get_option('mandir'),
++ 'man8'),
++)
+--
+2.19.1
+
diff --git a/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch b/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch
new file mode 100644
index 0000000..7fe01d8
--- /dev/null
+++ b/SOURCES/0002-Adjust-defaults-based-on-system-security-level.patch
@@ -0,0 +1,249 @@
+From 942d9fa4f582a372af3d0bd499f073760dec2335 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Tue, 27 Nov 2018 13:24:37 -0500
+Subject: [PATCH 2/4] Adjust defaults based on system security level
+
+Also permit arbitrary keylengths.
+
+Disallow keylengths smaller than the configured system minimum.
+
+Resolves: rhbz#1653323
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ config.h.in | 1 -
+ include/sscg.h | 1 +
+ meson.build | 10 ++++++--
+ src/sscg.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++----
+ 4 files changed, 68 insertions(+), 8 deletions(-)
+ delete mode 100644 config.h.in
+
+diff --git a/config.h.in b/config.h.in
+deleted file mode 100644
+index 6044a4355f6c8bfac8d36e533f48f395c597e5ac..0000000000000000000000000000000000000000
+--- a/config.h.in
++++ /dev/null
+@@ -1 +0,0 @@
+-#define PACKAGE_VERSION "@version@"
+diff --git a/include/sscg.h b/include/sscg.h
+index 2bd42bbee965c754efb91febd10b6a94af6f508e..3e97cfe49a5cd8fc734ecf43a94156e376227eb7 100644
+--- a/include/sscg.h
++++ b/include/sscg.h
+@@ -137,10 +137,11 @@ struct sscg_options
+ const char *hostname;
+ char **subject_alt_names;
+
+ /* Encryption requirements */
+ int key_strength;
++ int minimum_key_strength;
+ const EVP_MD *hash_fn;
+
+ /* Output Files */
+ char *ca_file;
+ char *ca_key_file;
+diff --git a/meson.build b/meson.build
+index a2ca4ba1472bfff61fbbd30ba1ddc7ecc89e723c..c7b08ed3d6dff686f08a90ca869ba5881a9e8aaa 100644
+--- a/meson.build
++++ b/meson.build
+@@ -32,10 +32,11 @@ foreach cflag: test_cflags
+ endif
+ endforeach
+
+ pkg = import('pkgconfig')
+ crypto = dependency('libcrypto')
++ssl = dependency('libssl')
+ path_utils = dependency('path_utils')
+ talloc = dependency('talloc')
+
+ popt = dependency(
+ 'popt',
+@@ -47,10 +48,14 @@ if popt.found()
+ else
+ popt = subproject('popt').get_variable('libpopt_a')
+ popt_incdirs = include_directories('subprojects/popt')
+ endif
+
++has_get_sec_level = cc.has_function(
++ 'SSL_CTX_get_security_level',
++ dependencies: [ ssl])
++
+ sscg_lib_srcs = [
+ 'src/authority.c',
+ 'src/bignum.c',
+ 'src/key.c',
+ 'src/service.c',
+@@ -68,10 +73,11 @@ sscg_lib_hdrs = [
+ sscg_lib = static_library(
+ 'sscg',
+ sources : sscg_lib_srcs,
+ dependencies : [
+ crypto,
++ ssl,
+ talloc,
+ ],
+ install : false,
+ pic : true,
+ )
+@@ -133,13 +139,13 @@ init_bignum_test = executable(
+ install : false,
+ )
+ test('init_bignum_test', init_bignum_test)
+
+ cdata = configuration_data()
+-cdata.set('version', meson.project_version())
++cdata.set_quoted('PACKAGE_VERSION', meson.project_version())
++cdata.set('HAVE_SSL_CTX_GET_SECURITY_LEVEL', has_get_sec_level)
+ configure_file(
+- input : 'config.h.in',
+ output : 'config.h',
+ configuration : cdata)
+
+ # Generate a manpage from the POPT documentation
+ help2man = find_program('help2man')
+diff --git a/src/sscg.c b/src/sscg.c
+index b2c7cbbfd9dc69d9f55a18bc91ed6023c0e64c2e..85a42404aa94524b560755d506b893300a4414cd 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -15,30 +15,80 @@
+ along with sscg. If not, see <http://www.gnu.org/licenses/>.
+
+ Copyright 2017 by Stephen Gallagher <sgallagh@redhat.com>
+ */
+
++#define _GNU_SOURCE
+ #include <popt.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+ #include <string.h>
+ #include <talloc.h>
+ #include <path_utils.h>
+ #include <unistd.h>
+ #include <openssl/evp.h>
++#include <openssl/ssl.h>
+ #include <sys/param.h>
+
+ #include "config.h"
+ #include "include/sscg.h"
+ #include "include/authority.h"
+ #include "include/service.h"
+
++static int
++get_security_level (void)
++{
++#ifdef HAVE_SSL_CTX_GET_SECURITY_LEVEL
++ SSL_CTX *ssl_ctx = SSL_CTX_new (TLS_method ());
++ int security_level = SSL_CTX_get_security_level (ssl_ctx);
++ SSL_CTX_free (ssl_ctx);
++ ssl_ctx = NULL;
++ return security_level;
++#else
++ return 0;
++#endif
++}
++
+ static int
+ set_default_options (struct sscg_options *opts)
+ {
++ int security_level = get_security_level ();
++
+ opts->lifetime = 3650;
+- opts->key_strength = 2048;
++
++ /* Select the default key strength based on the system security level
++ * See:
++ * https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_get_security_level.html
++ * for the specification of the minimums.
++ */
++ switch (security_level)
++ {
++ case 0:
++ case 1:
++ case 2:
++ /* Security level 2 and below permits lower key-strengths, but SSCG
++ * will set a minimum of 2048 bits
++ */
++ opts->key_strength = 2048;
++ break;
++
++ case 3: opts->key_strength = 3072; break;
++
++ case 4: opts->key_strength = 7680; break;
++
++ default:
++ /* Unknown security level. Default to the highest we know about */
++ fprintf (stderr,
++ "Unknown system security level %d. Defaulting to highest-known "
++ "level.\n",
++ security_level);
++ /* Fall through */
++
++ case 5: opts->key_strength = 15360; break;
++ }
++
++ opts->minimum_key_strength = opts->key_strength;
+ return 0;
+ }
+
+ static void
+ print_options (struct sscg_options *opts)
+@@ -115,10 +165,11 @@ main (int argc, const char **argv)
+ {
+ int ret, sret, opt;
+ size_t i;
+ poptContext pc;
+ struct sscg_options *options;
++ char *minimum_key_strength_help = NULL;
+
+ char *country = NULL;
+ char *state = NULL;
+ char *locality = NULL;
+ char *organization = NULL;
+@@ -170,10 +221,13 @@ main (int argc, const char **argv)
+
+ ret = set_default_options (options);
+ if (ret != EOK)
+ goto done;
+
++ minimum_key_strength_help =
++ talloc_asprintf (main_ctx, "%d or larger", options->minimum_key_strength);
++
+ options->verbosity = SSCG_DEFAULT;
+ struct poptOption long_options[] = {
+ POPT_AUTOHELP{ "quiet",
+ 'q',
+ POPT_ARG_VAL,
+@@ -291,11 +345,11 @@ main (int argc, const char **argv)
+ '\0',
+ POPT_ARG_INT | POPT_ARGFLAG_SHOW_DEFAULT,
+ &options->key_strength,
+ 0,
+ _ ("Strength of the certificate private keys in bits."),
+- _ ("{512,1024,2048,4096}") },
++ minimum_key_strength_help },
+ {
+ "hash-alg",
+ '\0',
+ POPT_ARG_STRING,
+ &hash_alg,
+@@ -527,15 +581,15 @@ main (int argc, const char **argv)
+ options->subject_alt_names[i + 1] = NULL;
+ i++;
+ }
+ }
+
+- if (options->key_strength != 512 && options->key_strength != 1024 &&
+- options->key_strength != 2048 && options->key_strength != 4096)
++ if (options->key_strength < options->minimum_key_strength)
+ {
+ fprintf (stderr,
+- "Key strength must be one of {512, 1024, 2048, 4096}.\n");
++ "Key strength must be at least %d bits.\n",
++ options->minimum_key_strength);
+ ret = EINVAL;
+ goto done;
+ }
+
+ if (!hash_alg)
+--
+2.19.1
+
diff --git a/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch b/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch
new file mode 100644
index 0000000..d3d1aee
--- /dev/null
+++ b/SOURCES/0003-Adjust-hash-defaults-based-on-system-security-level.patch
@@ -0,0 +1,137 @@
+From 298015e8a7cf35cc0de581203b44826d2ae1d406 Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 28 Nov 2018 08:00:08 -0500
+Subject: [PATCH 3/4] Adjust hash defaults based on system security level
+
+Unlike the key-strength, this does not set a minimum level because
+it's not a simple calculation. We will have to rely on libcrypto
+rejecting any explicitly-set algorithms as a violation of policy.
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ include/sscg.h | 1 +
+ src/sscg.c | 40 +++++++++++++++++++++-------------------
+ 2 files changed, 22 insertions(+), 19 deletions(-)
+
+diff --git a/include/sscg.h b/include/sscg.h
+index 3e97cfe49a5cd8fc734ecf43a94156e376227eb7..fc90b81a0060af28529f3be6922b1b1501559300 100644
+--- a/include/sscg.h
++++ b/include/sscg.h
+@@ -138,10 +138,11 @@ struct sscg_options
+ char **subject_alt_names;
+
+ /* Encryption requirements */
+ int key_strength;
+ int minimum_key_strength;
++ char *hash_alg;
+ const EVP_MD *hash_fn;
+
+ /* Output Files */
+ char *ca_file;
+ char *ca_key_file;
+diff --git a/src/sscg.c b/src/sscg.c
+index 85a42404aa94524b560755d506b893300a4414cd..58855f764480d24d6c0f57460b22a3a83281e37e 100644
+--- a/src/sscg.c
++++ b/src/sscg.c
+@@ -64,28 +64,38 @@ set_default_options (struct sscg_options *opts)
+ {
+ case 0:
+ case 1:
+ case 2:
+ /* Security level 2 and below permits lower key-strengths, but SSCG
+- * will set a minimum of 2048 bits
++ * will set a minimum of 2048 bits and the sha256 hash algorithm.
+ */
++ opts->hash_alg = talloc_strdup (opts, "sha256");
+ opts->key_strength = 2048;
+ break;
+
+- case 3: opts->key_strength = 3072; break;
++ case 3:
++ opts->hash_alg = talloc_strdup (opts, "sha256");
++ opts->key_strength = 3072;
++ break;
+
+- case 4: opts->key_strength = 7680; break;
++ case 4:
++ opts->hash_alg = talloc_strdup (opts, "sha384");
++ opts->key_strength = 7680;
++ break;
+
+ default:
+ /* Unknown security level. Default to the highest we know about */
+ fprintf (stderr,
+ "Unknown system security level %d. Defaulting to highest-known "
+ "level.\n",
+ security_level);
+ /* Fall through */
+
+- case 5: opts->key_strength = 15360; break;
++ case 5:
++ opts->hash_alg = talloc_strdup (opts, "sha512");
++ opts->key_strength = 15360;
++ break;
+ }
+
+ opts->minimum_key_strength = opts->key_strength;
+ return 0;
+ }
+@@ -175,11 +185,10 @@ main (int argc, const char **argv)
+ char *organization = NULL;
+ char *organizational_unit = NULL;
+ char *email = NULL;
+ char *hostname = NULL;
+ char *packagename;
+- char *hash_alg = NULL;
+ char **alternative_names = NULL;
+
+ char *ca_file = NULL;
+ char *ca_key_file = NULL;
+ char *cert_file = NULL;
+@@ -349,14 +358,14 @@ main (int argc, const char **argv)
+ _ ("Strength of the certificate private keys in bits."),
+ minimum_key_strength_help },
+ {
+ "hash-alg",
+ '\0',
+- POPT_ARG_STRING,
+- &hash_alg,
++ POPT_ARG_STRING | POPT_ARGFLAG_SHOW_DEFAULT,
++ &options->hash_alg,
+ 0,
+- _ ("Hashing algorithm to use for signing. (default: sha256)"),
++ _ ("Hashing algorithm to use for signing."),
+ _ ("{sha256,sha384,sha512}"),
+ },
+ {
+ "ca-file",
+ '\0',
+@@ -590,21 +599,14 @@ main (int argc, const char **argv)
+ options->minimum_key_strength);
+ ret = EINVAL;
+ goto done;
+ }
+
+- if (!hash_alg)
+- {
+- /* Default to SHA256 */
+- options->hash_fn = EVP_sha256 ();
+- }
+- else
+- {
+- /* TODO: restrict this to approved hashes.
+- * For now, we'll only list SHA[256|384|512] in the help */
+- options->hash_fn = EVP_get_digestbyname (hash_alg);
+- }
++ /* TODO: restrict this to approved hashes.
++ * For now, we'll only list SHA[256|384|512] in the help */
++ options->hash_fn = EVP_get_digestbyname (options->hash_alg);
++
+ if (!options->hash_fn)
+ {
+ fprintf (stderr, "Unsupported hashing algorithm.");
+ ret = EINVAL;
+ goto done;
+--
+2.19.1
+
diff --git a/SOURCES/0004-Properly-check-all-return-values.patch b/SOURCES/0004-Properly-check-all-return-values.patch
new file mode 100644
index 0000000..e4c367a
--- /dev/null
+++ b/SOURCES/0004-Properly-check-all-return-values.patch
@@ -0,0 +1,63 @@
+From 9e4497d1dd2a337be1f69e0cfb24ce8080690ccf Mon Sep 17 00:00:00 2001
+From: Stephen Gallagher <sgallagh@redhat.com>
+Date: Wed, 28 Nov 2018 09:16:29 -0500
+Subject: [PATCH 4/4] Properly check all return values
+
+Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
+---
+ src/authority.c | 1 +
+ src/service.c | 1 +
+ src/x509.c | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/src/authority.c b/src/authority.c
+index b735868416b7fb5d016f0854baf0f27cd5f98b26..4e0dccc6c1210beffb38acd9f7dfb6108ca4a4ad 100644
+--- a/src/authority.c
++++ b/src/authority.c
+@@ -178,10 +178,11 @@ create_private_CA (TALLOC_CTX *mem_ctx,
+ }
+ sk_X509_EXTENSION_push (ca_certinfo->extensions, ex);
+
+ /* Finalize the CSR */
+ ret = sscg_x509v3_csr_finalize (ca_certinfo, pkey, csr);
++ CHECK_OK (ret);
+
+ if (options->verbosity >= SSCG_DEBUG)
+ {
+ fprintf (stderr, "DEBUG: Writing CA CSR to ./debug-ca.csr\n");
+ BIO *ca_csr_out = BIO_new_file ("./debug-ca.csr", "w");
+diff --git a/src/service.c b/src/service.c
+index b292e94063f032fd3c34a8134702063ea46bfa0c..34c976dbe905528000b181c24d1fa95da3cd1377 100644
+--- a/src/service.c
++++ b/src/service.c
+@@ -124,10 +124,11 @@ create_service_cert (TALLOC_CTX *mem_ctx,
+ ret = sscg_x509v3_csr_new (tmp_ctx, svc_certinfo, pkey, &csr);
+ CHECK_OK (ret);
+
+ /* Finalize the CSR */
+ ret = sscg_x509v3_csr_finalize (svc_certinfo, pkey, csr);
++ CHECK_OK (ret);
+
+ if (options->verbosity >= SSCG_DEBUG)
+ {
+ fprintf (stderr,
+ "DEBUG: Writing service certificate CSR to ./debug-svc.csr\n");
+diff --git a/src/x509.c b/src/x509.c
+index 6d152fc969d745cc5cf085116c8688866f9d6ab4..18f0627bc64e7cb503a9e81c36dbe726186d1144 100644
+--- a/src/x509.c
++++ b/src/x509.c
+@@ -39,10 +39,11 @@ sscg_generate_serial (TALLOC_CTX *mem_ctx, struct sscg_bignum **serial)
+ {
+ return ENOMEM;
+ }
+
+ ret = sscg_init_bignum (tmp_ctx, 0, &bn);
++ CHECK_OK (ret);
+
+ /* We'll create a random number of sizeof(unsigned long) - 1 bits
+ to use as the serial. We use unsigned long to ensure that it
+ could be printed by BN_get_word() later. We omit the last bit
+ in order to ensure that we can't randomly get 0xffffffffL, which
+--
+2.19.1
+
diff --git a/SPECS/sscg.spec b/SPECS/sscg.spec
new file mode 100644
index 0000000..12b96cf
--- /dev/null
+++ b/SPECS/sscg.spec
@@ -0,0 +1,226 @@
+%global provider github
+%global provider_tld com
+%global project sgallagher
+%global repo sscg
+# https://github.com/sgallagher/sscg
+%global provider_prefix %{provider}.%{provider_tld}/%{project}/%{repo}
+%global import_path %{provider_prefix}
+
+
+Name: sscg
+Version: 2.3.3
+Release: 6%{?dist}
+Summary: Simple SSL certificate generator
+
+License: BSD
+URL: https://%{provider_prefix}
+
+# Run ./sscg-strip.sh to produce a tarball with the bundled popt library
+# stripped out to reduce license issues.
+Source0: https://%{provider_prefix}/releases/download/%{repo}-%{version}/%{repo}-%{version}-stripped.tar.xz
+
+BuildRequires: gcc
+BuildRequires: libtalloc-devel
+BuildRequires: openssl-devel
+BuildRequires: popt-devel
+BuildRequires: libpath_utils-devel
+BuildRequires: meson
+BuildRequires: ninja-build
+BuildRequires: help2man
+
+# Patches
+Patch0001: 0001-Generate-manpage.patch
+Patch0002: 0002-Adjust-defaults-based-on-system-security-level.patch
+Patch0003: 0003-Adjust-hash-defaults-based-on-system-security-level.patch
+Patch0004: 0004-Properly-check-all-return-values.patch
+
+%description
+A utility to aid in the creation of more secure "self-signed"
+certificates. The certificates created by this tool are generated in a
+way so as to create a CA certificate that can be safely imported into a
+client machine to trust the service certificate without needing to set
+up a full PKI environment and without exposing the machine to a risk of
+false signatures from the service certificate.
+
+
+%prep
+%autosetup -p1
+
+
+%build
+%meson
+%meson_build
+
+%install
+%meson_install
+
+%check
+
+%ifnarch %{arm}
+%meson_test
+%endif
+
+%files
+%license COPYING
+%doc README.md
+%{_bindir}/%{name}
+%{_mandir}/man8/%{name}.8*
+
+%changelog
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-6
+- Fixes for issues detected by automated testing.
+- Resolves: rhbz#1653323
+
+* Wed Nov 28 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-5
+- Autodetect the minimum key strength from the system security level.
+- Autodetect the hash algorithm to use from the system security level.
+- Disallow setting a key strength below the system minimum.
+- Resolves: rhbz#1653323
+
+* Mon Sep 17 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-4
+- Add a manpage for sscg.
+
+* Thu Jul 05 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-3
+- Strip out bundled popt since RHEL 8 has a new-enough version.
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.3.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.3-1
+- Update to 2.3.3
+- Do not overwrite destination files without --force
+
+* Thu Jan 25 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.2-1
+- Update to 2.3.2
+- Properly support hostnames up to 64 characters
+- Resolves: rhbz#1535537
+
+* Tue Jan 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.1-2
+- Skip tests on 32-bit ARM for now
+
+* Tue Jan 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 2.3.1-1
+- Update to 2.3.1
+- Bundle popt 1.16 on older releases like EPEL.
+
+* Mon Dec 18 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.3.0-1
+- Update to 2.3.0
+- Switch to meson build system
+- Add support for non-DNS subjectAlternativeName values (issue #4)
+
+* Thu Sep 21 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.2.0-1
+- Reorder combined PEM file
+- Resolves: RHBZ#1494208
+
+* Wed Sep 20 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.1.0-1
+- Add --email argument for setting emailAddress in the issuer
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.0.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Apr 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.4-2
+- Bump release to perform taskotron tests
+
+* Tue Mar 21 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.4-1
+- Update to 2.0.4
+- Addresses a potential race-condition when the key and certificate share the
+ same file.
+
+* Wed Mar 08 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.3-1
+- Update to 2.0.3
+- Adds support for setting the file mode on the output certificates
+ and keys.
+
+* Fri Mar 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.2-1
+- Update to 2.0.2
+- Always run with umask(077)
+
+* Fri Mar 03 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.1-1
+- Update to 2.0.1
+- Fix an issue with passing certificate lifetime explicitly
+
+* Thu Feb 16 2017 Stephen Gallagher <sgallagh@redhat.com> - 2.0.0-1
+- Update to 2.0.0
+
+* Thu Feb 16 2017 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-6
+- Exclude PPC64 from the build since it doesn't support linking to OpenSSL
+
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Wed Nov 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-4
+- Use compat-openssl10-devel on F26+
+
+* Thu Jul 21 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.0-3
+- https://fedoraproject.org/wiki/Changes/golang1.7
+
+* Tue May 31 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-2
+- Debundle spacelog
+
+* Wed May 25 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.1.0-1
+- Update to 1.1.0
+- Add support for signing service keys with an existing CA
+
+* Wed May 25 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.4-1
+- Add support for exporting the CA private key
+- Fix incorrect output from -version
+- Add README.md
+
+* Tue May 24 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.3-1
+- Only sign certificates after all extensions have been added
+
+* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.2-1
+- Generate x509v3 certificates
+
+* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.1-1
+- Fix issue with temporary file creation
+
+* Mon May 23 2016 Stephen Gallagher <sgallagh@redhat.com> - 1.0.0-1
+- New upstream release 1.0.0
+- Rewritten in Go
+- Runtime depends only on OpenSSL, no more Python
+- Support for writing certificate and key in a single file
+
+* Wed May 18 2016 Stephen Gallagher <sgallagh@redhat.com> - 0.4.1-4
+- Add requirement on python-setuptools
+
+* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.4.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Nov 10 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Changes/python3.5
+
+* Fri Jun 19 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.4.1-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Mon Mar 30 2015 Stephen Gallagher <sgallagh@redhat.com> 0.4.1-1
+- Change default CA location to match service certificate
+- Improve error handling
+
+* Tue Mar 24 2015 Stephen Gallagher <sgallagh@redhat.com> 0.4.0-1
+- Spec file cleanups
+- PEP8 Cleanups
+- Make location arguments optional
+
+* Mon Mar 23 2015 Stephen Gallagher <sgallagh@redhat.com> 0.3.0-1
+- Rename to sscg
+- Only build with default python interpreter
+
+* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2.1-1
+- Include the LICENSE file in the tarball
+
+* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2-2
+- Include the license in the build RPMs
+
+* Tue Mar 17 2015 Stephen Gallagher <sgallagh@redhat.com> 0.2-1
+- Add support for namedConstraints
+- Add support for subjectAltNames
+- Fix packaging issues from Fedora package review
+
+* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-2
+- Update BuildRequires
+
+* Mon Mar 16 2015 Stephen Gallagher <sgallagh@redhat.com> 0.1-1
+- First packaging