From 056fcd05b81258a249e40f7358d708d838929ad2 Mon Sep 17 00:00:00 2001
From: Michal Suchanek <msuchanek@suse.de>
Date: Fri, 29 Aug 2025 11:25:25 +0200
Subject: [PATCH] Create archive first

Signed-off-by: Chun-Yi Lee <jlee@suse.com>
---
 brp-99-pesign | 95 +++++++++++++++++++++++++--------------------------
 1 file changed, 47 insertions(+), 48 deletions(-)

Index: pesign-obs-integration-10.2+git20240723.d344d91/brp-99-pesign
===================================================================
--- pesign-obs-integration-10.2+git20240723.d344d91.orig/brp-99-pesign
+++ pesign-obs-integration-10.2+git20240723.d344d91/brp-99-pesign
@@ -89,6 +89,53 @@ else
 	cert=/dev/null
 fi
 
+cd "$RPM_BUILD_ROOT"
+args=()
+for pattern in $files; do
+	pattern=${pattern#/}
+	if test "${pattern:0:2}" != "./"; then
+		pattern="./$pattern"
+	fi
+	if test -d "$pattern"; then
+		pattern="$pattern/*"
+	fi
+	args=("${args[@]}" -o -path "$pattern")
+done
+# delete the leading -o
+unset args[0]
+
+archive=$output/$RPM_PACKAGE_NAME.cpio.rsasign
+archive_dir=$output/$RPM_PACKAGE_NAME
+mkdir -p "$archive_dir"
+# create an empty nss database to make pesign happy
+nss_db=$(mktemp -d)
+trap 'rm -rf "$nss_db"' EXIT
+# strong password (in FIPS mode it is checked for strength)
+echo 'Eir4;Qua.daeJ,hP0' > "$nss_db/passwd"
+certutil -N -d "$nss_db" -f "$nss_db/passwd"
+
+echo "Creating $archive"
+files=($(find . -type f \( "${args[@]}" \)))
+for f in "${files[@]}"; do
+	dest="$archive_dir/$f"
+	mkdir -p "${dest%/*}"
+	case "$f" in
+	./boot/* | *.efi | */lib/modules/*/vmlinu[xz] | */lib/modules/*/[Ii]mage | */lib/modules/*/z[Ii]mage)
+		if [ -f /usr/bin/pesign ]; then
+			pesign --certdir="$nss_db" -i "$f" -E $dest
+		else
+			# Non PE architectures like s390x
+			cp "$f" "$dest"
+		fi
+		;;
+	*)
+		cp "$f" "$dest"
+	esac
+done
+cd "$archive_dir"
+find . -type f | cpio -H newc -o >"$archive"
+rm -rf "$archive_dir"
+
 if test -e $RPM_SOURCE_DIR/pesign-spec-macros; then
 	sed "
 		s:%{name}:$RPM_PACKAGE_NAME:g
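Review bot: After this move, everything below the block runs with its working directory still set to `$archive_dir`, which `rm -rf "$archive_dir"` has just deleted; while the block was last in the file that was harmless. Any relative path in the spec-macro and rpmlintrc code that follows (mostly outside this hunk) would then fail or resolve unexpectedly, so I would confine the directory change with `(cd "$archive_dir" && find . -type f | cpio -H newc -o >"$archive")` and make the earlier one explicit with `cd "$RPM_BUILD_ROOT" || exit 1`. Separately, `-E $dest` in the pesign call is unquoted although both `cp` branches quote it, and `files=($(find ...))` word-splits its output, so a path containing whitespace would be split into wrong names on the way into the archive that is handed over for signing. Quoting it as `pesign --certdir="$nss_db" -i "$f" -E "$dest"` fixes the first of these. A short comment saying that the NSS database is empty and temporary, so the literal password protects no key material, would also help a reader who sees it hard-coded.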
@@ -136,50 +183,3 @@ for rpmlintrc in $RPM_SOURCE_DIR/*rpmlin
 		cp "$rpmlintrc" "$output/"
 	fi
 done
-
-cd "$RPM_BUILD_ROOT"
-args=()
-for pattern in $files; do
-	pattern=${pattern#/}
-	if test "${pattern:0:2}" != "./"; then
-		pattern="./$pattern"
-	fi
-	if test -d "$pattern"; then
-		pattern="$pattern/*"
-	fi
-	args=("${args[@]}" -o -path "$pattern")
-done
-# delete the leading -o
-unset args[0]
-
-archive=$output/$RPM_PACKAGE_NAME.cpio.rsasign
-archive_dir=$output/$RPM_PACKAGE_NAME
-mkdir -p "$archive_dir"
-# create an empty nss database to make pesign happy
-nss_db=$(mktemp -d)
-trap 'rm -rf "$nss_db"' EXIT
-echo foofoofoo > "$nss_db/passwd"
-certutil -N -d "$nss_db" -f "$nss_db/passwd"
-
-echo "Creating $archive"
-files=($(find . -type f \( "${args[@]}" \)))
-for f in "${files[@]}"; do
-	dest="$archive_dir/$f"
-	mkdir -p "${dest%/*}"
-	case "$f" in
-	./boot/* | *.efi | */lib/modules/*/vmlinu[xz] | */lib/modules/*/[Ii]mage | */lib/modules/*/z[Ii]mage)
-		if [ -f /usr/bin/pesign ]; then
-			pesign --certdir="$nss_db" -i "$f" -E $dest
-		else
-			# Non PE architectures like s390x
-			cp "$f" "$dest"
-		fi
-		;;
-	*)
-		cp "$f" "$dest"
-	esac
-done
-cd "$archive_dir"
-find . -type f | cpio -H newc -o >"$archive"
-rm -rf "$archive_dir"
-
