Accepting request 842009 from home:dirkmueller:branches:Base:System

- Sync from git master directly - drop 0001-Add-support-for-kernel-module-compression.patch 0001-Enable-find_provides-and-requires.patch 0001-Initialize-compress-variable.patch 0001-Keep-the-files-in-the-OTHER-directory.patch 0001-Passthrough-license-tag.patch 0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch 0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch pesign-sign-s390x-kernel.patch (upstream) - add parallel-compression.patch OBS-URL: https://build.opensuse.org/request/show/842009 OBS-URL: https://build.opensuse.org/package/show/Base:System/pesign-obs-integration?expand=0&rev=94
2020-10-19 08:43:41 +00:00 · 2020-10-19 08:43:41 +00:00 · e7dce62cd8
commit e7dce62cd8
parent bb7f067c5f
16 changed files with 105 additions and 451 deletions
--- a/0001-Add-support-for-kernel-module-compression.patch
+++ b/0001-Add-support-for-kernel-module-compression.patch
@ -1,122 +0,0 @@
 From b6855233b8f131531b8d55761ed709890632b417 Mon Sep 17 00:00:00 2001
 From: Takashi Iwai <tiwai@suse.de>
 Date: Tue, 28 May 2019 07:07:56 +0200
 Subject: [PATCH] Add support for kernel module compression
 This adds the support for kernel module compression in
 pesign-obs-integration infrastructure.  The kernel-binary spec needs
 to pass $BRP_PESIGN_COMPRESS_KERNEL for enabling the compression.
 Currently only "xz" is supported.
 pesign-gen-repackage-spec received a new option --compress, which is
 passed from pesign-repackage.spec, where brp-99-pesign enables it per
 the variable above.
 With --compress option, pesign-gen-repackage-spec script just
 compresses the kernel object at the last repackaging phase.
 Bugzilla: http://bugzilla.suse.com/show_bug.cgi?id=1135854
 Signed-off-by: Takashi Iwai <tiwai@suse.de>
 ---
 README                    |  7 +++++++
 brp-99-pesign             |  8 ++++++++
 pesign-gen-repackage-spec | 13 ++++++++++++-
 pesign-repackage.spec.in  |  3 ++-
 4 files changed, 29 insertions(+), 2 deletions(-)
 diff --git a/README b/README
 index 7593302..32afb8f 100644
 --- a/README
 +++ b/README
@@ -36,3 +36,10 @@ Debian packages can use the dh-signobs debhelper to automate signing and
 repacking. Build-depend on dh-signobs and add --with signobs to the dh line
 in debian/rules to use the fully automated helper.
 Consult the dh_signobs manpage for more information.
 +
 +When BRP_PESIGN_COMPRESS_MODULE is passed, the script tries to compress the
 +kernel modules at the repackaging phase. Currently only xz format is supported.
 +For enable the compression feature, put the following along with
 +BRP_PESIGN_FILES setup:
 +
 +export BRP_PESIGN_COMPRESS_MODULE="xz"
 diff --git a/brp-99-pesign b/brp-99-pesign
 index 2ebb261..68d9f45 100644
 --- a/brp-99-pesign
 +++ b/brp-99-pesign
@@ -57,6 +57,13 @@ if ! mkdir -p "$output"; then
 	echo "$0: warning: $output cannot be created, giving up" >&2
 	exit 0
 fi
 +
 +if test "${BRP_PESIGN_COMPRESS_MODULE}" = "xz"; then
 +	pesign_repackage_compress="--compress xz"
 +else
 +	pesign_repackage_compress=""
 +fi
 +
 cert=$RPM_SOURCE_DIR/_projectcert.crt
 if test -e "$cert"; then
 	echo "Using signing certificate $cert"
@@ -66,6 +73,7 @@ else
 fi
 sed "
 	s:@NAME@:$RPM_PACKAGE_NAME:g
 +	s:@PESIGN_REPACKAGE_COMPRESS@:$pesign_repackage_compress:g
 	/@CERT@/ {
 		r $cert
 		d
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index 9cd374a..fef0a9d 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -30,6 +30,7 @@ my $directory;
 my $output = ".";
 my $cert_subpackage;
 my $kmp_basename;
 +my $compress;
 my @rpms;
 $ENV{LC_ALL} = "en_US.UTF-8";
@@ -39,6 +40,7 @@ GetOptions(
 	"directory|d=s" => \$directory,
 	"output|o=s" => \$output,
 	"cert-subpackage|c=s" => \$cert_subpackage,
 +	"compress|C=s" => \$compress,
 ) or die $USAGE;
 @rpms = @ARGV;
 if (!@rpms) {
@@ -417,7 +419,16 @@ sub print_files {
 			$attrs .= "%verify(not $verify_attrs) ";
 		}
 -		print SPEC "$attrs " . quote($f->{name}) . "\n";
 +		if ($compress eq "xz" &&
 +		    $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
 +			system("xz", "-f", "-9", $path);
 +			chmod($f->{mode}, $path . ".xz");
 +			utime($f->{mtime}, $f->{mtime}, $path . ".xz");
 +			print SPEC "$attrs " . quote($f->{name}) . ".xz\n";
 +		} else {
 +			print SPEC "$attrs " . quote($f->{name}) . "\n";
 +		}
 +
 		if (-e "$path.sig") {
 			print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
 		}
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index bcaa0e1..ca8d325 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -145,7 +145,8 @@ for sig in "${sigs[@]}"; do
 	esac
 done
 popd
 -/usr/lib/rpm/pesign/pesign-gen-repackage-spec --directory=%buildroot "${rpms[@]}"
 +/usr/lib/rpm/pesign/pesign-gen-repackage-spec @PESIGN_REPACKAGE_COMPRESS@ \
 +	--directory=%buildroot "${rpms[@]}"
 rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
 	 --define "%%_builddir $PWD" \
 	 --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
 -- 
 2.21.0
--- a/0001-Enable-find_provides-and-requires.patch
+++ b/0001-Enable-find_provides-and-requires.patch
@ -1,55 +0,0 @@
 From 42b934760a75cf077d3c5831aaa14d3d104ba5cd Mon Sep 17 00:00:00 2001
 From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
 Date: Wed, 3 Apr 2019 05:48:28 +0200
 Subject: [PATCH] Enable find_provides and requires
 to get automatic provides instead of manual ones
 like the original package did
 Without this patch,
 rpm -qpv --provides $rpm
 differed significantly between OBS build and local osc build.
 ---
 pesign-gen-repackage-spec | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index 9cd374a..61eb8ba 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -246,10 +246,6 @@ sub print_package {
 	if ($is_main) {
 		print SPEC "Name: $p->{name}\n";
 		print SPEC "Buildroot: $directory\n";
 -		print SPEC "\%define _use_internal_dependency_generator 0\n";
 -		print SPEC "\%define __find_provides %{nil}\n";
 -		print SPEC "\%define __find_requires %{nil}\n";
 -		print SPEC "\%define __find_supplements %{nil}\n";
 		if ($p->{nosource}) {
 			# We do not generate any no(src).rpm, but we want the
 			# %{sourcerpm} tag in the binary packages to match.
@@ -309,14 +305,20 @@ my %depflags = (
 	"<"    => (1 << 1),
 	">"    => (1 << 2),
 	"="    => (1 << 3),
 +	find_requires => (1 << 14),
 +	find_provides => (1 << 15),
 	rpmlib => (1 << 24),
 +	config => (1 << 28),
 );
 sub print_deps {
 	my ($depname, $list) = @_;
 +DEPLOOP:
 	foreach my $d (@$list) {
 -		next if ($d->{flags} & $depflags{rpmlib});
 +		for my $flag (qw(rpmlib config find_requires find_provides)) {
 +			next DEPLOOP if ($d->{flags} & $depflags{$flag});
 +		}
 		print SPEC $depname;
 		my @deptypes;
 -- 
 2.25.1
--- a/0001-Initialize-compress-variable.patch
+++ b/0001-Initialize-compress-variable.patch
@ -1,31 +0,0 @@
 From 1c61b9001cf2053df9d05fa518b2c2a9be99f903 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Thu, 1 Aug 2019 10:38:51 +0800
 Subject: [PATCH] Initialize compress variable
 $compress in pesign-gen-repackage-spec wasn't initialized and this may
 caused a warning like this:
 Use of uninitialized value $compress in string eq at /usr/lib/rpm/pesign/pesign-gen-repackage-spec line 422.
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 pesign-gen-repackage-spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index fef0a9d..fa0935e 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -30,7 +30,7 @@ my $directory;
 my $output = ".";
 my $cert_subpackage;
 my $kmp_basename;
 -my $compress;
 +my $compress = "";
 my @rpms;
 $ENV{LC_ALL} = "en_US.UTF-8";
 -- 
 2.22.0
--- a/0001-Keep-the-files-in-the-OTHER-directory.patch
+++ b/0001-Keep-the-files-in-the-OTHER-directory.patch
@ -1,49 +0,0 @@
 From dafa41a72190c0fa02afe6acdc06f05eb0eda937 Mon Sep 17 00:00:00 2001
 From: Gary Lin <glin@suse.com>
 Date: Wed, 6 Nov 2019 11:43:44 +0800
 Subject: [PATCH] Keep the files in the OTHER directory
 We currently only kept the "*.log" files for the repackaging while there
 are some use cases that the user might need other types of files.
 Update pesign-repackage.spec.in to filter out the meta and internal files
 and keep the files in the OTHER directory.
 Bugzilla entry:
 OBS do not export some files to API OTHER on x86_64
 https://bugzilla.suse.com/show_bug.cgi?id=1155474
 Signed-off-by: Gary Lin <glin@suse.com>
 ---
 pesign-repackage.spec.in | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index ca8d325..1679878 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -84,10 +84,18 @@ for rpm in %_sourcedir/*.rpm; do
 	rpms=("${rpms[@]}" "$rpm")
 done
 popd
 -for log in %_sourcedir/*.log; do
 -	if test -e "$log"; then
 +# Copy files other than the meta files and RPMs to %_topdir/OTHER
 +OTHER_FILES=`find %_sourcedir/ -maxdepth 1 -type f \
 +	-not -regex '.*\.\(rpm\|spec\|rsasign\|sig\|crt\)' \
 +	-not -name "_buildenv" \
 +	-not -name "_statistics" \
 +	-not -name "logfile" \
 +	-not -name "meta" \
 +	-print`
 +for file in $OTHER_FILES; do
 +	if test -e "$file"; then
 		mkdir -p "%_topdir/OTHER"
 -		cp "$log" "$_"
 +		cp "$file" "$_"
 	fi
 done
 mkdir rsasigned
 -- 
 2.23.0
--- a/0001-Passthrough-license-tag.patch
+++ b/0001-Passthrough-license-tag.patch
@ -1,41 +0,0 @@
 From 2bd2e52380ba9c568ceba2d8d92b9cd50a22c881 Mon Sep 17 00:00:00 2001
 From: "Bernhard M. Wiedemann" <bwiedemann@suse.de>
 Date: Tue, 2 Apr 2019 17:02:13 +0200
 Subject: [PATCH 1/2] Passthrough %license tag
 matters for fwupd package file /usr/share/licenses/fwupd/COPYING
 and added 3 more bits from rpm/lib/rpmfiles.h
 ---
 pesign-gen-repackage-spec | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
 index 1856d9d..9cd374a 100755
 --- a/pesign-gen-repackage-spec
 +++ b/pesign-gen-repackage-spec
@@ -345,6 +345,10 @@ my %filetypes = (
 	missingok => (1 << 3),
 	noreplace => (1 << 4),
 	ghost     => (1 << 6),
 +	license   => (1 << 7),
 +	readme    => (1 << 8),
 +	pubkey    => (1 << 11),
 +	artifact  => (1 << 12),
 );
 my %verifyflags = (
@@ -381,7 +385,9 @@ sub print_files {
 			}
 			$attrs .= "(" . join(",", @cfg_attrs) . ")" if @cfg_attrs;
 		}
 -		$attrs .= "%doc " if $f->{flags} & $filetypes{doc};
 +		for my $filetype (qw(doc license readme pubkey artifact)) {
 +			$attrs .= "%$filetype " if $f->{flags} & $filetypes{$filetype};
 +		}
 		if ($f->{flags} & $filetypes{ghost}) {
 			$attrs .= "%ghost ";
 			if (S_ISREG($f->{mode})) {
 -- 
 2.21.0
--- a/0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
+++ b/0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
@ -1,38 +0,0 @@
 From: Jiri Slaby <jslaby@suse.cz>
 Date: Wed, 6 Nov 2019 10:57:01 +0100
 Subject: brp-99-compress-vmlinux: support xz-compressed vmlinux
 Patch-mainline: submitted as PR#16
 References: bnc#1155921
 Signed-off-by: Jiri Slaby <jslaby@suse.cz>
 ---
 brp-99-compress-vmlinux | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
 diff --git a/brp-99-compress-vmlinux b/brp-99-compress-vmlinux
 index 2c8222d23024..ffe3841fb836 100755
 --- a/brp-99-compress-vmlinux
 +++ b/brp-99-compress-vmlinux
@@ -11,11 +11,13 @@ kernel-*)
 	exit 0
 esac
 for f in $RPM_BUILD_ROOT/boot/vmlinux-*; do
 -	if test -e "$f" -a -e "$f.gz"; then
 -		echo "gzip $f"
 -		# Deliberately not using gzip -n; the vmlinux image has a
 -		# predictable timestamp (bnc#880848#c20)
 -		gzip -k -9 -f "$f"
 -	fi
 +	for compression in gz/gzip xz; do
 +		if test -e "$f" -a -e "$f.${compression%/*}"; then
 +			echo "${compression#*/} $f"
 +			# Deliberately not using -n; the vmlinux image has a
 +			# predictable timestamp (bnc#880848#c20)
 +			${compression#*/} -k -9 -f "$f"
 +		fi
 +	done
 done
 -- 
 2.24.0
--- a/0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
+++ b/0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
@ -1,26 +0,0 @@
 From 2ef935c08c201676665922c913db2fea429e45cc Mon Sep 17 00:00:00 2001
 From: Marcus Meissner <meissner@suse.de>
 Date: Thu, 13 Feb 2020 16:20:45 +0100
 Subject: [PATCH] sign stage3.bin from s390-tools with sign-files (bsc#1163524)
 ---
 pesign-repackage.spec.in | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
 index 1679878..3d3108b 100644
 --- a/pesign-repackage.spec.in
 +++ b/pesign-repackage.spec.in
@@ -148,6 +148,9 @@ for sig in "${sigs[@]}"; do
 			/usr/lib/rpm/pesign/gen-hmac -r %buildroot "/${sig%.sig}"
 		fi
 		;;
 +	*stage3.bin.sig)
 +		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
 +		;;
 	*)
 		echo "Warning: unhandled signature: $sig" >&2
 	esac
 -- 
 2.16.4
--- a/17
+++ b/17
@ -0,0 +1,17 @@
 <services>
  <service name="tar_scm" mode="disabled">
    <param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
    <param name="scm">git</param>
    <param name="exclude">.git</param>
    <param name="revision">master</param>
    <param name="versionformat">10.1+%ct</param>
    <param name="changesgenerate">enable</param>
  </service>
  <service name="recompress" mode="disabled">
    <param name="file">pesign-obs-integration-*.tar</param>
    <param name="compression">gz</param>
  </service>
  <service name="set_version" mode="disabled">
    <param name="basename">pesign-obs-integration</param>
  </service>
 </services>
--- a/4
+++ b/4
@ -0,0 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/openSUSE/pesign-obs-integration.git</param>
              <param name="changesrevision">a5e821a6876c15eea5b188385900357993b41e1b</param></service></servicedata>
--- a/parallel-compression.patch
+++ b/parallel-compression.patch
@ -0,0 +1,41 @@
 Index: pesign-obs-integration/pesign-gen-repackage-spec
 ===================================================================
 --- pesign-obs-integration.orig/pesign-gen-repackage-spec
 +++ pesign-obs-integration/pesign-gen-repackage-spec
@@ -391,6 +391,7 @@ my %verifyflags = (
 sub print_files {
 	my $files = shift;
 +	my @tocompress;
 	for my $f (@$files) {
 		my $path = "$directory/$f->{name}";
@@ -445,9 +446,9 @@ sub print_files {
 		if ($compress eq "xz" &&
 		    $f->{name} =~ /\.ko$/ && S_ISREG($f->{mode})) {
 -			system("xz", "-f", "-9", $path);
 -			chmod($f->{mode}, $path . ".xz");
 -			utime($f->{mtime}, $f->{mtime}, $path . ".xz");
 +			chmod($f->{mode}, $path);
 +			utime($f->{mtime}, $f->{mtime}, $path);
 +			push(@tocompress, $path);
 			print SPEC "$attrs " . quote($f->{name}) . ".xz\n";
 		} else {
 			print SPEC "$attrs " . quote($f->{name}) . "\n";
@@ -457,6 +458,15 @@ sub print_files {
 			print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
 		}
 	}
 +
 +	if ($#tocompress >= 0) {
 +		my $m = "$output/modulelist.txt";
 +		open(M, '>', $m) or die "$m: $!\n";
 +		print M join("\n", @tocompress);
 +		close(M);
 +		system("xargs -a $m -t -P 4 -n 1 xz -f");
 +		unlink($m);
 +	}
 }
 my %packages;
--- a/pesign-obs-integration-10.1+1595385080.tar.gz
+++ b/pesign-obs-integration-10.1+1595385080.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ae254d8544651b0da0f339dfb8eaf08d49490b556af1267ca8201d4d250299eb
 size 36528
--- a/pesign-obs-integration.changes
+++ b/pesign-obs-integration.changes
@ -1,3 +1,17 @@
 -------------------------------------------------------------------
 Thu Oct 15 21:13:24 UTC 2020 - dmueller@suse.com
 - Sync from git master directly
 - drop 0001-Add-support-for-kernel-module-compression.patch
  0001-Enable-find_provides-and-requires.patch
  0001-Initialize-compress-variable.patch
  0001-Keep-the-files-in-the-OTHER-directory.patch
  0001-Passthrough-license-tag.patch
  0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
  0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
  pesign-sign-s390x-kernel.patch (upstream)
 - add parallel-compression.patch
 -------------------------------------------------------------------
 Wed Sep  2 03:39:46 UTC 2020 - Gary Ching-Pang Lin <glin@suse.com>
--- a/pesign-obs-integration.spec
+++ b/pesign-obs-integration.spec
@ -18,79 +18,61 @@
 Name:           pesign-obs-integration
 Version:        10.1+1595385080
 Release:        0
 Summary:        Macros and scripts to sign the kernel and bootloader
 License:        GPL-2.0-only
 Group:          Development/Tools/Other
-Version:        10.1
+URL:            https://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
-Release:        0
+Source:         %{name}-%{version}.tar.gz
 Patch1:         0001-Forward-_binary_payload-to-the-repackaged-rpm.patch
 # https://github.com/openSUSE/pesign-obs-integration/pull/21
 Patch2:         parallel-compression.patch
 BuildRequires:  openssl
 Requires:       fipscheck
 Requires:       mozilla-nss-tools
 Requires:       openssl
 %ifarch %ix86 x86_64 ia64 aarch64 %arm
 Requires:       pesign
 %endif
 BuildRequires:  openssl
 URL:            http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
 Source:         %{name}_%{version}.tar.gz
 Patch1:         0001-Passthrough-license-tag.patch
 Patch2:         0001-Add-support-for-kernel-module-compression.patch
 Patch3:         0001-Initialize-compress-variable.patch
 Patch4:         0001-Keep-the-files-in-the-OTHER-directory.patch
 Patch5:         0001-brp-99-compress-vmlinux-support-xz-compressed-vmlinu.patch
 # https://github.com/openSUSE/pesign-obs-integration/pull/17
 Patch6:         0001-sign-stage3.bin-from-s390-tools-with-sign-files-bsc-.patch
 # https://github.com/openSUSE/pesign-obs-integration/pull/18
 Patch7:         pesign-sign-s390x-kernel.patch
 Patch8:         0001-Enable-find_provides-and-requires.patch
 Patch9:         0001-Forward-_binary_payload-to-the-repackaged-rpm.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 # suse-module-tools <= 15.0.10 contains modsign-verify
 Requires:       suse-module-tools >= 15.0.10
 %ifarch %{ix86} x86_64 ia64 aarch64 %{arm}
 Requires:       pesign
 %endif
 %description
 This package provides scripts and rpm macros to automate signing of the
 boot loader, kernel and kernel modules in the openSUSE Buildservice.
 %prep
-%setup -D -n %{name}
+%setup -q -D
-%patch1 -p1
+%autopatch -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %build
 %install
-mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
+mkdir -p %{buildroot}%{_prefix}/lib/rpm/brp-suse.d %{buildroot}%{_prefix}/lib/rpm/pesign
-install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign
+install pesign-gen-repackage-spec kernel-sign-file gen-hmac %{buildroot}%{_prefix}/lib/rpm/pesign
-install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
+install brp-99-pesign %{buildroot}%{_prefix}/lib/rpm/brp-suse.d
 # brp-99-compress-vmlinux has nothing to do with signing. It is packaged in
 # pesign-obs-integration because this package is already used by the kernel
 # build
-install brp-99-compress-vmlinux %buildroot/usr/lib/rpm/brp-suse.d
+install brp-99-compress-vmlinux %{buildroot}%{_prefix}/lib/rpm/brp-suse.d
-install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
+install -m644 pesign-repackage.spec.in %{buildroot}%{_prefix}/lib/rpm/pesign
-mkdir -p %buildroot/usr/bin
+mkdir -p %{buildroot}%{_bindir}
-install modsign-repackage %buildroot/usr/bin/
+install modsign-repackage %{buildroot}%{_bindir}/
-install -pm 755 modsign-verify %buildroot/usr/bin/
+install -pm 755 modsign-verify %{buildroot}%{_bindir}/
 if test -e _projectcert.crt; then
 	openssl x509 -inform PEM -in _projectcert.crt \
-		-outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509
+		-outform DER -out %{buildroot}%{_prefix}/lib/rpm/pesign/pesign-cert.x509
 else
 	echo "No buildservice project certificate available"
 fi
 %files
 %defattr(-,root,root)
 %license COPYING
 %doc README
-/usr/bin/modsign-repackage
+%{_bindir}/modsign-repackage
-/usr/bin/modsign-verify
+%{_bindir}/modsign-verify
-/usr/lib/rpm/*
+%{_prefix}/lib/rpm/*
 %changelog
--- a/pesign-obs-integration_10.1.dsc
+++ b/pesign-obs-integration_10.1.dsc
@ -2,7 +2,7 @@ Format: 3.0 (native)
 Source: pesign-obs-integration
 Binary: pesign-obs-integration, dh-signobs
 Architecture: all
-Version: 10.1
+Version: 10.1+1595385080
 Maintainer: Michal Marek <mmarek@suse.cz>
 Standards-Version: 3.9.8
 Build-Depends: debhelper (>= 7), openssl, shellcheck
--- a/pesign-obs-integration_10.1.tar.gz
+++ b/pesign-obs-integration_10.1.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:aa851dbdad6c83cee002fbe7f4e8b3f72e556da361cbf3843c5bcf479eaeec1e
 size 34917
--- a/pesign-sign-s390x-kernel.patch
+++ b/pesign-sign-s390x-kernel.patch
@ -1,42 +0,0 @@
 Index: pesign-obs-integration/pesign-repackage.spec.in
 ===================================================================
 --- pesign-obs-integration.orig/pesign-repackage.spec.in
 +++ pesign-obs-integration/pesign-repackage.spec.in
@@ -122,6 +122,8 @@ for sig in "${sigs[@]}"; do
 		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
 		;;
 	/boot/* | *.efi.sig)
 +%ifarch %ix86 x86_64 aarch64 %arm
 +		# PE style signature injection
 		infile=${sig%.sig}
 		cpio -i --to-stdout ${infile#./} <%_sourcedir/@NAME@.cpio.rsasign > ${infile}.sattrs
 		test -s ${infile}.sattrs || exit 1
@@ -134,6 +136,10 @@ for sig in "${sigs[@]}"; do
 		    echo "hash mismatch error: $ohash $nhash"
 		    exit 1
 		fi
 +%else
 +		# appending to the file itself, e.g. for s390x.
 +		/usr/lib/rpm/pesign/kernel-sign-file -i pkcs7 -s "$sig" sha256 "$cert" "$f"
 +%endif
 		# Regenerate the HMAC if it exists
 		hmac="${f%%/*}/.${f##*/}.hmac"
 		if test -e "$hmac"; then
 Index: pesign-obs-integration/brp-99-pesign
 ===================================================================
 --- pesign-obs-integration.orig/brp-99-pesign
 +++ pesign-obs-integration/brp-99-pesign
@@ -109,7 +109,12 @@ for f in "${files[@]}"; do
 	mkdir -p "${dest%/*}"
 	case "$f" in
 	./boot/* | *.efi)
 -		pesign --certdir="$nss_db" -i "$f" -E $dest
 +		if [ -f /usr/bin/pesign ]; then
 +			pesign --certdir="$nss_db" -i "$f" -E $dest
 +		else
 +			# Non PE architectures like s390x
 +			cp "$f" "$dest"
 +		fi
 		;;
 	*)
 		cp "$f" "$dest"