# macros for use with pesign
#
# this makes it possible to invoke your build as:
# rpmbuild --define 'pe_signing_token test2' --define "pe_signing_cert signing key for test2" -ba shim.spec
# and then in the spec do:
# %pesign -s -i shim.orig -o shim.efi
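# and pesign is then invoked with the matching token (-t) and certificate (-c)
# options. Only the direct pesign invocation uses these two defines; when the
# pesign socket is present, pesign-client is called with a fixed certificate
# name instead.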

# Token option for the direct pesign call in %pesign: expands to
# -t "<pe_signing_token>" when pe_signing_token is defined, else to nothing.
%__pesign_token %{nil}%{?pe_signing_token:-t "%{pe_signing_token}"}
# Certificate option for the direct pesign call in %pesign: expands to
# -c "<pe_signing_cert>" when pe_signing_cert is defined, else to
# -c "Red Hat Test Certificate".
# NOTE(review): the fallback is, by its name, a test certificate, so a build
# that forgets to define pe_signing_cert silently asks for the test one.
# Confirm that release builds always define it or go through pesign-client.
%__pesign_cert %{!?pe_signing_cert:-c "Red Hat Test Certificate"}%{?pe_signing_cert:-c "%{pe_signing_cert}"}

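# %pesign: sign an EFI binary on x86_64, pass it through unchanged elsewhere.
#
# -i <input filename>
# -o <output filename>			# optional; see "in place" below
# -C <output cert filename>
# -e <output sattr filename>
# -c <input certificate filename>	# rhel only; parsed but not used here
# -n <input certificate name>		# rhel only; parsed but not used here
# -a <input ca cert filename>		# rhel only; parsed but not used here
# -s 					# perform signing
#
# On x86_64 the result is written to -o, or to a mktemp file in the current
# directory when -o is missing or names the same file as -i ("in place"); the
# temp file is then moved over the input. Writing straight onto the input is
# avoided because the final mv of a file onto itself fails.
# If /var/run/pesign/socketdir/socket exists, pesign-client is used with the
# fixed certificate name 'ALT Linux UEFI SB Signer'; otherwise pesign is run
# with the %__pesign_token and %__pesign_cert options.
# On any other target cpu nothing is signed: -i is renamed to -o, or the -e
# file is touched, and no post-signing check is run, so "pesign failed" is
# no longer printed for a plain pass-through and no stale $out from the
# calling script is touched.
#
# NOTE(review): signing fails open. The exit status of the direct pesign call
# is discarded, a missing or empty output only prints "pesign failed", and the
# macro itself still ends with status 0, so a build can continue without a
# signed binary. The size test only shows that the output is not empty, not
# that it carries a signature. Release pipelines should verify the signature
# of the shipped binary in a later step rather than rely on this macro.
%pesign(i:o:C:e:c:n:a:s)						\
  if [ '%{_target_cpu}' = 'x86_64' ]; then				\
    out="%{-o*}"							\
    if [ -z "$out" -o "$out" = "%{-i*}" ]; then				\
      out=`mktemp pesign-XXXXXXX.efi`					\
    fi									\
    if [ -S /var/run/pesign/socketdir/socket ]; then			\
      pesign-client -c 'ALT Linux UEFI SB Signer'			\\\
                    %{-i} -o "$out" %{-e} %{-s} %{-C}			\
    else								\
      pesign %{__pesign_token} %{__pesign_cert}				\\\
             %{-i} -o "$out" %{-e} %{-s} %{-C} ||:			\
    fi									\
    if [ -s "$out" ]; then						\
      chmod 644 "$out"							\
      if [ -z "%{-o*}" -o "%{-i*}" = "%{-o*}" ]; then			\
        mv "$out" "%{-i*}"						\
      fi								\
    else								\
      if [ -e "$out" ]; then						\
        rm -f "$out"							\
      fi								\
      echo "pesign failed"						\
    fi									\
  else									\
    if [ -n "%{-i*}" -a -n "%{-o*}" ]; then				\
      mv "%{-i*}" "%{-o*}"						\
    elif [ -n "%{-i*}" -a -n "%{-e*}" ]; then				\
      touch "%{-e*}"							\
    fi									\
  fi ;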

