diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
index 5d67d70..98fdcf8 100644
--- a/pesign-gen-repackage-spec
+++ b/pesign-gen-repackage-spec
@@ -152,7 +152,7 @@ sub load_package {
 		$res{$tag} = query_single($rpm, $tag);
 	}
 	my @files;
-	my @list = query_array($rpm, qw(filenames fileflags filemodes fileusername filegroupname filesizes filemtimes filelinktos));
+	my @list = query_array($rpm, qw(filenames fileflags filemodes fileusername filegroupname filesizes filemtimes filelinktos fileverifyflags));
 	for my $file (@list) {
 		my $new = {
 				name   => $file->[0],
@@ -163,6 +163,7 @@ sub load_package {
 				size   => $file->[5],
 				mtime  => $file->[6],
 				target => $file->[7],
+				verify => $file->[8],
 		};
 		push(@files, $new);
 		if ($new->{name} =~ /\.ko$/ && S_ISREG($new->{mode})) {
@@ -264,7 +265,7 @@ sub print_package {
 		print SPEC "$tag: " . quote($p->{$tag}) . "\n";
 	}
 	print SPEC "BuildArch: noarch\n" if $p->{arch} eq "noarch";
-	for my $dep (keys(%dep2tag)) {
+	for my $dep (sort(keys(%dep2tag))) {
 		print_deps($dep, $p->{$dep});
 	}
 	if ($cert_subpackage && $p->{is_kmp}) {
@@ -273,7 +274,7 @@ sub print_package {
 	print SPEC "\%description -n $p->{name}\n";
 	print SPEC quote($p->{description}) . "\n\n";
 
-	for my $script (keys(%script2tag)) {
+	for my $script (sort(keys(%script2tag))) {
 		next unless $p->{$script};
 		print SPEC "\%$script -p $p->{$script}{interp} -n $p->{name}";
 		print_script("$script-$p->{name}", $p->{$script});
@@ -343,6 +344,18 @@ my %filetypes = (
 	ghost     => (1 << 6),
 );
 
+my %verifyflags = (
+	filedigest=> (1 << 0),
+	size      => (1 << 1),
+	link      => (1 << 2),
+	user      => (1 << 3),
+	group     => (1 << 4),
+	mtime     => (1 << 5),
+	mode      => (1 << 6),
+	rdev      => (1 << 7),
+	caps      => (1 << 8),
+);
+
 sub print_files {
 	my $files = shift;
 
@@ -385,6 +398,15 @@ sub print_files {
 			# perl core does not provide lutimes()/utimensat()
 			system("touch", "-h", "-d\@$f->{mtime}", $path);
 		}
+		my $verify_attrs = "";
+		for my $flag (sort(keys(%verifyflags))) {
+			if (!($f->{verify} & $verifyflags{$flag})) {
+				$verify_attrs .= "$flag ";
+			}
+		}
+		if ($verify_attrs) {
+			$attrs .= "%verify(not $verify_attrs) ";
+		}
 
 		print SPEC "$attrs " . quote($f->{name}) . "\n";
 		if (-e "$path.sig") {
@@ -412,7 +434,7 @@ if ($sourcerpm !~ /^(.+)-([^-]+)-([^-]+)\.(no)?src\.rpm$/) {
 my ($main_name, $main_ver, $main_rel, $nosrc) = ($1, $2, $3, $4);
 if (!exists($packages{$main_name})) {
 	# create an empty main package
-	my $first = (values(%packages))[0];
+	my $first = (sort(keys(%packages)))[0];
 	$packages{$main_name} = {
 		name => $main_name,
 		version => $main_ver,
@@ -420,7 +442,7 @@ if (!exists($packages{$main_name})) {
 	};
 	for my $tag (qw(description changelog arch), @simple_tags) {
 		next if $packages{$main_name}->{$tag};
-		$packages{$main_name}->{$tag} = $first->{$tag};
+		$packages{$main_name}->{$tag} = $packages{$first}->{$tag};
 	}
 }
 $packages{$main_name}->{nosource} = $nosrc ? 1 : 0;
@@ -440,9 +462,9 @@ $kmp_basename = $main_name unless $kmp_basename;
 
 open(SPEC, '>', "$output/repackage.spec") or die "$output/repackage.spec: $!\n";
 print_package($packages{$main_name}, 1);
-for my $p (values(%packages)) {
-	next if $p->{name} eq $main_name;
-	print_package($p, 0);
+for my $name (sort(keys(%packages))) {
+	next if $name eq $main_name;
+	print_package($packages{$name}, 0);
 }
 if ($cert_subpackage) {
 	my $certdir = "/etc/uefi/certs";
diff --git a/pesign-obs-integration.changes b/pesign-obs-integration.changes
index 41b801d..fbb279c 100644
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Jan 22 15:56:41 UTC 2015 - mmarek@suse.cz
+
+- Add support for file verify flags (bnc#905420).
+
+-------------------------------------------------------------------
+Thu Jan 22 15:55:26 UTC 2015 - mmarek@suse.cz
+
+- Sort the parts of the repackage spec file for easier debugging.
+
 -------------------------------------------------------------------
 Tue Sep 16 17:08:36 CEST 2014 - mls@suse.de
 
@@ -5,7 +15,7 @@ Tue Sep 16 17:08:36 CEST 2014 - mls@suse.de
   exists
 
 -------------------------------------------------------------------
-Wed Sep  3 01:48:48 CEST 2014 - ro@suse.de
+Wed Sep  3 01:41:37 CEST 2014 - ro@suse.de
 
 - sanitize release line in specfile
 
diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec
index 0f87b10..0b8e6ab 100644
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package pesign-obs-integration
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed