%package -n %{-n*}-ueficert
Summary: UEFI Secure Boot Certificate For Package %{-n*}-kmp
Group: System/Kernel
%description -n %{-n*}-ueficert
This package contains the UEFI Secure Boot certificate used to sign
modules in the %{-n*}-kmp packages.

# The scriptlets are reused in kernel-binary.spec.in by a sed script that
# stops at the next line that starts with a percent sign
%post -n %{-n*}-ueficert
command -v mokutil >/dev/null || exit 0
# XXX: Only call mokutil if UEFI and shim are used
for cert in @CERTS@; do
	mokutil --import "$cert" --root-pw || echo "Failed to import $cert"
done
exit 0

%preun -n %{-n*}-ueficert
command -v mokutil >/dev/null || exit 0
for cert in @CERTS@; do
	ln "$cert" "$cert.delete"
done
exit 0

%postun -n %{-n*}-ueficert
command -v mokutil >/dev/null || exit 0
for cert in @CERTS@; do
	[ -e "$cert" ] || mokutil --delete "$cert.delete" --root-pw || echo "Failed to delete $cert"
	rm "$cert.delete"
done
exit 0

%files -n %{-n*}-ueficert
%defattr(-, root, root)
%dir /etc/uefi
/etc/uefi/certs
