%package -n %{-n*}-ueficert
Summary: UEFI Secure Boot Certificate For Package %{-n*}-kmp
Group: System/Kernel
%description -n %{-n*}-ueficert
This package contains the UEFI Secure Boot certificate used to sign
modules in the %{-n*}-kmp packages.

# The scriptlets are reused in kernel-binary.spec.in by a sed script that
# stops at the next line that starts with a percent sign
%post -n %{-n*}-ueficert
# Make the -cert subpackage scriptlets non-fatal and verbose in the
# Beta phase
set -x +e
if ! command -v mokutil >/dev/null; then
	exit 0
fi
# XXX: Only call mokutil if UEFI and shim are used
for cert in @CERTS@; do
	mokutil --import "$cert" --root-pw
done
exit 0

%preun -n %{-n*}-ueficert
set -x +e
if ! command -v mokutil >/dev/null; then
	exit 0
fi
for cert in @CERTS@; do
	ln "$cert" "$cert.delete"
done
exit 0

%postun -n %{-n*}-ueficert
set -x +e
if ! command -v mokutil >/dev/null; then
	exit 0
fi
for cert in @CERTS@; do
	if ! test -e "$cert"; then
		mokutil --delete "$cert.delete" --root-pw
	fi
	rm "$cert.delete"
done
exit 0

%files -n %{-n*}-ueficert
%defattr(-, root, root)
%dir /etc/uefi
/etc/uefi/certs