
# macros for use with pesign
#
# this makes it possible to invoke your build as:
# rpmbuild --define 'pe_signing_token test2' --define "pe_signing_cert signing key for test2" -ba shim.spec
# and then in the spec do:
# %pesign -s -i shim.orig -o shim.efi
# And magically get the right thing.

%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
%__pesign_cert %{!?pe_signing_cert:"Red Hat Test Certificate"}%{?pe_signing_cert:"%{pe_signing_cert}"}

%__pesign_client_token %{!?pe_signing_token:"Fedora Signer (OpenSC Card)"}%{?pe_signing_token:"%{pe_signing_token}}
%__pesign_client_cert %{!?pe_signing_cert:"/CN=Fedora Secure Boot Signer"}%{?pe_signing_cert:"%{pe_signing_cert}}

%_pesign /usr/bin/pesign
%_pesign_client /usr/bin/pesign-client

# -i <input filename>
# -o <output filename>
# -C <output cert filename>
# -e <output sattr filename>
# -c <input certificate filename>	# rhel only
# -n <input certificate name>		# rhel only
# -a <input ca cert filename>		# rhel only
# -s 					# perform signing
%pesign(i:o:C:e:c:n:a:s)						\
  _pesign_nssdir=/etc/pki/pesign					\
  if [ %{__pesign_cert} = "Red Hat Test Certificate" ]; then		\
    _pesign_nssdir=/etc/pki/pesign-rh-test				\
  fi									\
  if [ -x %{_pesign} ] &&  						\\\
       [ "%{_target_cpu}" == "x86_64" -o 				\\\
         "%{_target_cpu}" == "aarch64" ]; then				\
    if [ "0%{?rhel}" -ge "7" -a -f /usr/bin/rpm-sign ]; then		\
      nss=$(mktemp -p $PWD -d)						\
      echo > ${nss}/pwfile						\
      certutil -N -d ${nss} -f ${nss}/pwfile				\
      certutil -A -n "ca" -t "CT,C," -i %{-a*} -d ${nss}		\
      certutil -A -n "signer" -t ",c," -i %{-c*} -d ${nss}		\
      sattrs=$(mktemp -p $PWD --suffix=.der)				\
      %{_pesign} %{-i} -E ${sattrs} --certdir ${nss} --force		\
      rpm-sign --key "%{-n*}" --rsadgstsign ${sattrs}			\
      %{_pesign} -R ${sattrs}.sig -I ${sattrs} %{-i}			\\\
                 --certdir ${nss} -c signer %{-o}			\
      rm -rf ${sattrs} ${sattrs}.sig ${nss}				\
    elif [ "%{vendor}" == "Fedora Project" -a				\\\
           "$(id -un)" == "mockbuild" -a				\\\
           "$(uname -m)" == "x86_64" ] &&				\\\
         grep -q ID=fedora /etc/os-release && 				\\\
         [[ "%{_buildhost}" =~ ^bkernel.* ]] &&			\\\
         ! [ -S /run/pesign/socket ]; then				\
      echo "No socket even though this is %{_buildhost}"		\
      ls -ld /run/pesign || :					\
      getfacl /run/pesign || :					\
      ls -l /run/pesign/socket || :				\
      getfacl /run/pesign/socket || :				\
      echo =========== env ==============				\
      set								\
      echo =========== env ==============				\
      exit 1								\
    elif [ -S /run/pesign/socket ]; then				\
      %{_pesign_client} -t %{__pesign_client_token}			\\\
                        -c %{__pesign_client_cert}			\\\
                        %{-i} %{-o} %{-e} %{-s} %{-C}			\
    else								\
      %{_pesign} %{__pesign_token} -c %{__pesign_cert}			\\\
		 --certdir ${_pesign_nssdir}				\\\
                 %{-i} %{-o} %{-e} %{-s} %{-C}				\
    fi									\
  else									\
    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
      mv %{-i*} %{-o*}							\
    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
      touch %{-e*}							\
    fi									\
  fi									\
  if [ ! -s %{-o} ]; then						\
    if [ -e "%{-o*}" ]; then						\
      rm -f %{-o*}							\
    fi									\
    exit 1								\
  fi ;