From abd05514c8afb7e894aff08b7e18275098927ba1 Mon Sep 17 00:00:00 2001 From: Louis Abel Date: Fri, 17 Mar 2023 15:02:43 -0700 Subject: [PATCH] backport sb-certs --- SOURCES/rocky-root-ca.der | Bin 0 -> 1177 bytes SOURCES/rocky-signing.der | Bin 0 -> 1183 bytes SOURCES/rockydup1.x509 | Bin 0 -> 1296 bytes SOURCES/rockykpatch1.x509 | Bin 0 -> 1289 bytes SPECS/rocky-release.spec | 104 +++++++++++++++++++++++++++++++++----- 5 files changed, 91 insertions(+), 13 deletions(-) create mode 100644 SOURCES/rocky-root-ca.der create mode 100644 SOURCES/rocky-signing.der create mode 100644 SOURCES/rockydup1.x509 create mode 100644 SOURCES/rockykpatch1.x509 diff --git a/SOURCES/rocky-root-ca.der b/SOURCES/rocky-root-ca.der new file mode 100644 index 0000000000000000000000000000000000000000..9d3a8079a91f3b1cd33d3fab888088905ba2f812 GIT binary patch literal 1177 zcmXqLVwq~t#9X_8nTe5!NkkwgT;|<+O_c+yTA!}k(&{v83Wqu`cbnwOGTl9``psAwP$QqIjI5tN#f zng~>tnwOrLmzr9XnU}6mlA4%ns9~T6Qo_t54>8dvGq1ElAviU;6lj!FetwBU5QuPg zG*mNCfxDlRQB1rTq$abZ(xC|ClpK&gz5Jqd137VCBSQl-BLhQI15*RTC~;n6AlJ|W z${nuWZemnIj$lSs2IeM4eg=akMlPl%Mn;CmN3!{&IsV=b{PV!m^5u%)*>WGk*WJ=# zHIC2MT~aphcCtfT`7#A>)1#%Q?!K;;=tVzJE!k6n>sJWNcHNHDRUW3;?8GS&I>Ck zx}qd);^rc9NJPBju-KYcvwpUIWcYoPZ^47}7j1P^E=5jRvXqILk%4h>tUgO90rU4Mh5>)#S_*Fv;US)V@>TASWUYT`LS>*&E9M#W6!)CmaG|s*Xve!x-t7_#IM+=UOnjTv+jDwe zB$4+{cUN^Detwulb{M_oG_L)DU~8rz^en3}?*JlH}X| c_V7=yQ^`A=4^OV%tr8$5>Jf5ymKM7)07Xo*0ssI2 literal 0 HcmV?d00001 
diff --git a/SOURCES/rocky-signing.der b/SOURCES/rocky-signing.der new file mode 100644 index 0000000000000000000000000000000000000000..9dc5eb5c5737a5a323cbe602c974655e4edc109e GIT binary patch literal 1183 zcmXqLVwr8w#N51qnTe5!iIK~ImyJ`a&72u@8d1sdg)pI@R71R|Ur4b==(;O^&S6caB7smUy}{}rgEQ0fK*8gj zT2w-`r<)j+kfWE8m4Ug5k)Oe!iIIz`iII`vB-25=M+?oiPOOVQ@ZGr4ZQX_EUztRz zvdW*%+?DBh!%5;>)wHe!f+?@Im5V*jSG51(y>qMgvk*}u?cEW-nKo&6&UwA>_DYS% z4PknmRb&dh8e3lisJ5n~ZKVX?V& z&A;>cLY;qAcXl)}W!-+#0Z!(!$}AEFVhtibI@#B+`MnTrJhkIxTbg|8BeDD=$Z-SA zdce40WH_{K!I8V0pS*F>doFcM!q4Nnq1&%Wjzxys&o8?_rGNIEo{!}R^K@tPnHMI?$t^2LVPq(L^G}(l zO;ve_)&x*~tc&8xivQ$H)k{9utSthu-N*OBcPA3uE}nSRTh%hb-k VV8zlEe0OcHhLpEeyub9z5&$h@uxbDR literal 0 HcmV?d00001 diff --git a/SOURCES/rockydup1.x509 b/SOURCES/rockydup1.x509 new file mode 100644 index 0000000000000000000000000000000000000000..2e079abe363a8e7e0790d0d1be165625b7d9f12c GIT binary patch literal 1296 zcmXqLV&yStV*av#nTe5!iIK;EmyJ`a&72u@8d1sdg)pI@R71R|Ur4b==(;O^&S6caB7smUy|$zSY-HGf!pn84Cxe32kBEys z1@reJed;E(_V8yKQQX;Zs4wm)h>9Qfn`km9eE9Tjml!H&LWS{&$S5 zLisC)#Zla+oB7U&S!@rCS6~qDTyG)X`0-=TG@~4Ar$0doz4O1FnRemm<>~g1t)rB` z%x1f=*zBAhtC~{Sq~Y{TPnNG{$>7l@iP&( zYghCa?wnyfU3k&yH^R%CmL8sVs@|V#bGMkZMv=pb=(GB3H1{8xTT)xNl!Jfz?A2#Y zd_Vr4`{wC%u7bh6RfpeCuFeBrC7A6A*13qAK zkmU#QSeTjE8w_MYd_ER27Lm;-{m<-rtnRu|_Ux=#mTGJMyjOJq=POxd76}8f1`!{f z?CaP3UWhiH+VQe2O+NLJSpE^@Gyu%&z%;hdS2Zk*Kmzc}&bs$`}5O2(y+*|XF>?H4%fUl68sBj@pBqdgftz1`oxOb|$F7c7}w zn%1kB?$x>1*e|>@=hd;&DyyTqi`#;|YJB!C+`IFjyxP2u@8d1sdg)pI@R71R|Ur4b==(;O^&S6caB7smUyljw!TMY1ZFltkuOy65<8Gq~)=t@((9@Cg! z^6c}p)3Xy*t2wsJpEJ`h^px(2`mR2=(vWvccN=NEU7!AeBTM1etfR11HsNv>^P8(TWVm_)u4dmCUj1$AJEc;?BRf1~{>s1EDzvYu-_c>& z6is%4zb=*@J7kYDF*7nSE>19r17|5&VMfOPEKCLr27JKeFUt?&u`n~SHyFr*_3(>|?J6^V>$)`RN z%Rhpg27s9ymQJ1(+tA9DOTf-YQr0w|eQ-ZI&yx?M}E+GEI1;q0D6(#ANF3jrL>Ui>-+rgjk8M-B&ME*sb?q(y literal 0 HcmV?d00001 diff --git a/SPECS/rocky-release.spec b/SPECS/rocky-release.spec index 6c9241c..661fa53 100644 --- a/SPECS/rocky-release.spec 
+++ b/SPECS/rocky-release.spec @@ -20,8 +20,8 @@ %define distro_code Green Obsidian %define major 8 %define minor 8 -%define rocky_rel 1%{?rllh:.%{rllh}}%{!?rllh:.3} -%define upstream_rel %{major}.%{minor}-0.1 +%define rocky_rel 1%{?rllh:.%{rllh}}%{!?rllh:.4} +%define upstream_rel %{major}.%{minor}-0.2 %define rpm_license BSD-3-Clause %define dist .el%{major} %define home_url https://rockylinux.org/ @@ -152,6 +152,12 @@ Source1223: Rocky-Devel.repo Source1226: Rocky-Plus.repo Source1300: rocky.1.gz +# rocky secureboot certs placeholder (1400-1499) +Source1400: rockydup1.x509 +Source1401: rockykpatch1.x509 +Source1402: rocky-root-ca.der +Source1403: rocky-signing.der + %description %{distro_name} release files. @@ -174,6 +180,14 @@ Conflicts: %{name} < 8.0 %description -n rocky-gpg-keys%{?rltype} This package provides the RPM signature keys for Rocky. +%package -n rocky-sb-certs%{?rltype} +Summary: %{distro_name} public secureboot certificates +Group: System Environment/Base +Provides: system-sb-certs = %{version}-%{release} + +%description -n rocky-sb-certs%{?rltype} +This package contains the %{distro_name} secureboot public certificates. + %prep %if %{with rllookahead} && %{with rlbeta} echo "!! WARNING !!" 
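Review bot: The `Source1400`–`Source1403` entries bring in certificates that exist in this commit only as binary patches, so nothing in the spec lets a reviewer or a later packager confirm which certificates they are. The heading `# rocky secureboot certs placeholder (1400-1499)` also leaves it unclear whether the files are placeholders or only the number range is reserved. I would reword it to `# Rocky Secure Boot certificates (Source numbers 1400-1499 reserved)` and add one comment per file giving its role and fingerprint, e.g. `# Source1402: root CA, DER, SHA-256 <FINGERPRINT-PLACEHOLDER>`. The value can be taken from `openssl x509 -inform DER -noout -fingerprint -sha256` and compared with one published out of band.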
@@ -270,21 +284,61 @@ install -d -m 0755 %{buildroot}%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE300} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE301} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ install -m 0644 %{SOURCE302} %{buildroot}/%{_prefix}/lib/systemd/system-preset/ +# systemd section +################################################################################ -# dnf stuff -install -d -m 0755 %{buildroot}%{_sysconfdir}/dnf/vars -echo "%{contentdir}" > %{buildroot}%{_sysconfdir}/dnf/vars/contentdir -echo "%{sigcontent}" > %{buildroot}%{_sysconfdir}/dnf/vars/sigcontentdir -echo "%{?rltype}" > %{buildroot}%{_sysconfdir}/dnf/vars/rltype -echo "%{major}-stream" > %{buildroot}%{_sysconfdir}/dnf/vars/stream +################################################################################ +# start secureboot section +install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/sb-certs/ +install -d -m 0755 %{buildroot}%{_datadir}/pki/sb-certs/ -# Copy out GPG keys -install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg -install -p -m 0644 %{SOURCE101} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ -install -p -m 0644 %{SOURCE102} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ +# Backported certs for now +install -m 0644 %{SOURCE1400} %{buildroot}%{_datadir}/pki/sb-certs/ +install -m 0644 %{SOURCE1401} %{buildroot}%{_datadir}/pki/sb-certs/ +install -m 0644 %{SOURCE1402} %{buildroot}%{_datadir}/pki/sb-certs/ +install -m 0644 %{SOURCE1403} %{buildroot}%{_datadir}/pki/sb-certs/ +# Placeholders +# x86_64 +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-x86_64.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-x86_64.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-x86_64.cer +ln -sr 
%{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-x86_64.cer -# Copy our yum repos +# aarch64 +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-aarch64.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-aarch64.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-aarch64.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-aarch64.cer + +# ppc64le +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-ppc64le.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-ppc64le.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-ppc64le.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-ppc64le.cer + +# armhfp +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-armhfp.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-armhfp.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-armhfp.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-armhfp.cer + +# s390x +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-root-ca.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-ca-s390x.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-kernel-s390x.cer +ln -sr 
%{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-grub2-s390x.cer +ln -sr %{buildroot}%{_datadir}/pki/sb-certs/rocky-signing.der %{buildroot}%{_datadir}/pki/sb-certs/secureboot-fwupd-s390x.cer + +# symlinks for everybody +for x in $(ls %{buildroot}%{_datadir}/pki/sb-certs); do + ln -sr %{buildroot}%{_datadir}/pki/sb-certs/${x} %{buildroot}%{_sysconfdir}/pki/sb-certs/${x} +done + +# end secureboot section +################################################################################ + +################################################################################ +# dnf repo section install -d -m 0755 %{buildroot}%{_sysconfdir}/yum.repos.d install -p -m 0644 %{SOURCE1200} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1201} %{buildroot}%{_sysconfdir}/yum.repos.d/ @@ -300,6 +354,20 @@ install -p -m 0644 %{SOURCE1222} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1223} %{buildroot}%{_sysconfdir}/yum.repos.d/ install -p -m 0644 %{SOURCE1226} %{buildroot}%{_sysconfdir}/yum.repos.d/ +# dnf stuff +install -d -m 0755 %{buildroot}%{_sysconfdir}/dnf/vars +echo "%{contentdir}" > %{buildroot}%{_sysconfdir}/dnf/vars/contentdir +echo "%{sigcontent}" > %{buildroot}%{_sysconfdir}/dnf/vars/sigcontentdir +echo "%{?rltype}" > %{buildroot}%{_sysconfdir}/dnf/vars/rltype +echo "%{major}-stream" > %{buildroot}%{_sysconfdir}/dnf/vars/stream + +# Copy out GPG keys +install -d -m 0755 %{buildroot}%{_sysconfdir}/pki/rpm-gpg +install -p -m 0644 %{SOURCE101} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ +install -p -m 0644 %{SOURCE102} %{buildroot}%{_sysconfdir}/pki/rpm-gpg/ +# end dnf repo section +################################################################################ + %files %license LICENSE %doc Contributors COMMUNITY-CHARTER 
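Review bot: In the secureboot block of `%install`, the twenty `secureboot-*-<arch>.cer` links sit under a bare `# Placeholders` comment, and every kernel, grub2 and fwupd name on all five architectures resolves to the same `rocky-signing.der`. Anything that picks a certificate by component or architecture name therefore gets that one signing certificate, so the comment should say whether this is the real signing layout or a stand-in, for example `# Placeholders: every component and arch currently maps to the single Rocky signing cert; replace when per-component certs exist`. Separately, the closing loop parses `ls` output and expands `${x}` unquoted. A glob does the same job without word splitting: `for x in %{buildroot}%{_datadir}/pki/sb-certs/*; do ln -sr "${x}" "%{buildroot}%{_sysconfdir}/pki/sb-certs/${x##*/}"; done`.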
@@ -330,7 +398,17 @@ install -p -m 0644 %{SOURCE1226} %{buildroot}%{_sysconfdir}/yum.repos.d/ %files -n rocky-gpg-keys%{?rltype} %{_sysconfdir}/pki/rpm-gpg/ +%files -n rocky-sb-certs%{?rltype} +# care: resetting symlinks is intended +%dir %{_sysconfdir}/pki/sb-certs +%dir %{_datadir}/pki/sb-certs +%{_sysconfdir}/pki/sb-certs/* +%{_datadir}/pki/sb-certs/* + %changelog +* Fri Mar 17 2023 Louis Abel - 8.8-1.4 +- Backport rocky-sb-certs to Rocky Linux 8 + * Wed Jan 01 2023 Louis Abel - 8.8-1.3 - Move macros to a proper location
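Review bot: The comment `# care: resetting symlinks is intended` in the new `%files -n rocky-sb-certs` list does not say what gets reset or why, although it appears to document a deliberate trust decision. As far as the hunk shows, the `/etc/pki/sb-certs` entries are symlinks packaged as plain files, so a package update would put back any link an administrator had repointed at a different certificate. If that is the intent, spell it out, e.g. `# /etc/pki/sb-certs holds symlinks packaged as plain (non-config) files on purpose: each update points them back at the certificates shipped under /usr/share/pki/sb-certs`.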