sbsigntool: Fix compilation when gnu-efi is missing and re-add patches

commit fa5550d97de6("sbsigntool: Update to latest and change repos")
tried to fix compilation for arm architectures.
Due to the changes in the upstream package though host gnu-efi was
required to compile the package. Also that commit removed a useful
commit (-x support on sbsigntool), which I mistakenly remembered it was
already upstreamed.

So fix the gnu-efi error and fixup the useful patch to keep the
existring functionality.  The old package was also depending on
binutils-dev being installed on the host. Fix that and depend on
binutils-native.
While at it purge the unused patches.

Fixes: commit fa5550d97de6("sbsigntool: Update to latest and change repos")
Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>

11 files changed, 144 insertions, 380 deletions

diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch
new file mode 100644
index 0000000..7ebff80
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0001-configure-Dont-t-check-for-gnu-efi.patch
@@ -0,0 +1,52 @@
+From 7a555e12924393104b4bdd361ca74c9d3e589166 Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Wed, 10 Mar 2021 15:51:49 +0200
+Subject: [PATCH 1/3] configure: Dont't check for gnu-efi
+
+The configure.ac is searching the gnu-efi libs in hardcoded paths making
+the configure fail.
+We explictly include the paths in our .bb recipe, so let's get rid of
+the check
+
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+---
+ configure.ac | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 4ffb68ffa024..346296f82f06 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -17,9 +17,9 @@ AC_PROG_MKDIR_P
+ AC_CHECK_TOOL(OBJCOPY, [objcopy])
+ AC_CHECK_TOOL(STRIP, [strip])
+ 
+- AC_CHECK_HEADER([bfd.h], [],
+-  AC_MSG_ERROR([bfd.h not found.]
+-[bfd.h is usually distributed in a binutils development package.]))
++ #AC_CHECK_HEADER([bfd.h], [],
++  #AC_MSG_ERROR([bfd.h not found.]
++#[bfd.h is usually distributed in a binutils development package.]))
+ 
+ if test $cross_compiling = no; then
+   AM_MISSING_PROG(HELP2MAN, help2man)
+@@ -75,12 +75,11 @@ for path in /lib /lib64 /usr/lib /usr/lib64 /usr/lib32 /lib/efi /lib64/efi /usr/
+        CRTPATH=$path
+     fi
+ done
+-if test -z "$CRTPATH"; then
+-   AC_MSG_ERROR([cannot find the gnu-efi crt path])
+-fi
++#if test -z "$CRTPATH"; then
++   #AC_MSG_ERROR([cannot find the gnu-efi crt path])
++#fi
+ 
+-EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \
+- -DEFI_FUNCTION_WRAPPER"
++EFI_CPPFLAGS="-DEFI_FUNCTION_WRAPPER"
+ CPPFLAGS_save="$CPPFLAGS"
+ CPPFLAGS="$CPPFLAGS $EFI_CPPFLAGS"
+ AC_CHECK_HEADERS([efi.h], [], [], $EFI_INCLUDES)
+-- 
+2.30.2
+
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch
new file mode 100644
index 0000000..df6abbc
--- /dev/null
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0002-docs-Don-t-build-man-pages.patch
@@ -0,0 +1,29 @@
+From fb2663b257947effc510ec4133214a22d344a9a8 Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Wed, 10 Mar 2021 15:52:52 +0200
+Subject: [PATCH 2/3] docs: Don't build man pages
+
+Man pages not needed on embedded targets
+
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+---
+ docs/Makefile.am | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/docs/Makefile.am b/docs/Makefile.am
+index 89ed11012492..6918dd8cc3b8 100644
+--- a/docs/Makefile.am
++++ b/docs/Makefile.am
+@@ -1,9 +1,4 @@
+ 
+-man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1 \
+-               sbkeysync.1
+-
+-EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
+-               sbvarsign.1.in sbsiglist.1.in sbkeysync.1.in
+ CLEANFILES = $(man1_MANS)
+ 
+ $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
+-- 
+2.30.2
+
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
index b67f56a..7d35805 100644
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch
@@ -1,20 +1,20 @@
-From 0016a571a5ea1ab65817973f179800947e1aa8de Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Fri, 15 Jan 2016 09:40:56 +0800
-Subject: [PATCH] sbsign: add -x option to avoid overwrite existing signature
-
-Upstream-Status: Pending
+From 441f69eb94daa514f7dd4ba0db45a4e31f93015f Mon Sep 17 00:00:00 2001
+From: Ilias Apalodimas <ilias.apalodimas@linaro.org>
+Date: Wed, 10 Mar 2021 15:53:21 +0200
+Subject: [PATCH 3/3] sbsign: add -x option to avoid overwrite existing
+ signature
 
 Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
+Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
 ---
  src/sbsign.c | 17 +++++++++++++++--
  1 file changed, 15 insertions(+), 2 deletions(-)
 
 diff --git a/src/sbsign.c b/src/sbsign.c
-index dcf6eed..7dc101f 100644
+index 898fe669f9dd..3a5ed3248948 100644
 --- a/src/sbsign.c
 +++ b/src/sbsign.c
-@@ -66,6 +66,7 @@ struct sign_context {
+@@ -69,6 +69,7 @@ struct sign_context {
  };
  
  static struct option options[] = {
@@ -22,29 +22,29 @@ index dcf6eed..7dc101f 100644
         { "output", required_argument, NULL, 'o' },
         { "cert", required_argument, NULL, 'c' },
         { "key", required_argument, NULL, 'k' },
-@@ -87,6 +88,7 @@ static void usage(void)
-                "\t--cert <certfile>  certificate (x509 certificate)\n"
+@@ -94,6 +95,7 @@ static void usage(void)
+                "\t--addcert <addcertfile> additional intermediate certificates in a file\n"
                 "\t--detached         write a detached signature, instead of\n"
                 "\t                    a signed binary\n"
 +               "\t--noresign         don't re-sign the binary if signed\n"
                 "\t--output <file>    write signed data to <file>\n"
                 "\t                    (default <efi-boot-image>.signed,\n"
                 "\t                    or <efi-boot-image>.pk7 for detached\n"
-@@ -114,7 +116,7 @@ int main(int argc, char **argv)
-        const char *keyfilename, *certfilename;
+@@ -155,7 +157,7 @@ int main(int argc, char **argv)
+        const char *keyfilename, *certfilename, *addcertfilename, *engine;
         struct sign_context *ctx;
         uint8_t *buf, *tmp;
 -       int rc, c, sigsize;
 +       int rc, c, sigsize, no_resign = 0;
+        EVP_PKEY *pkey;
  
         ctx = talloc_zero(NULL, struct sign_context);
- 
-@@ -123,11 +125,14 @@ int main(int argc, char **argv)
+@@ -167,11 +169,14 @@ int main(int argc, char **argv)
  
         for (;;) {
                 int idx;
--               c = getopt_long(argc, argv, "o:c:k:dvVh", options, &idx);
-+               c = getopt_long(argc, argv, "xo:c:k:dvVh", options, &idx);
+-               c = getopt_long(argc, argv, "o:c:k:dvVhe:a:", options, &idx);
++               c = getopt_long(argc, argv, "xo:c:k:dvVhe:a:", options, &idx);
                 if (c == -1)
                         break;
  
@@ -55,7 +55,7 @@ index dcf6eed..7dc101f 100644
                 case 'o':
                         ctx->outfilename = talloc_strdup(ctx, optarg);
                         break;
-@@ -178,6 +183,14 @@ int main(int argc, char **argv)
+@@ -228,6 +233,14 @@ int main(int argc, char **argv)
         if (!ctx->image)
                 return EXIT_FAILURE;
  
@@ -71,5 +71,5 @@ index dcf6eed..7dc101f 100644
  
         ERR_load_crypto_strings();
 -- 
-1.9.1
+2.30.2
 
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
deleted file mode 100644
index 873ade0..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-for-multi-sign.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From e58a528ef57e53008222f238cce7c326a14572e2 Mon Sep 17 00:00:00 2001
-From: James Bottomley <JBottomley@Parallels.com>
-Date: Mon, 30 Sep 2013 19:25:37 -0700
-Subject: [PATCH] Fix for multi-sign
-
-Upstream-Status: Inappropriate [embedded specific]
-
-The new Tianocore multi-sign code fails now for images signed with
-sbsigntools.  The reason is that we don't actually align the signature table,
-we just slap it straight after the binary data.  Unfortunately, the new
-multi-signature code checks that our alignment offsets are correct and fails
-the signature for this reason.  Fix by adding junk to the end of the image to
-align the signature section.
-
-Signed-off-by: James Bottomley <JBottomley@Parallels.com>
----
- src/image.c | 8 +++++++-
- 1 file changed, 7 insertions(+), 1 deletion(-)
-
-diff --git a/src/image.c b/src/image.c
-index 10eba0e..519e288 100644
---- a/src/image.c
-+++ b/src/image.c
-@@ -385,7 +385,13 @@ static int image_find_regions(struct image *image)
- 
-        /* record the size of non-signature data */
-        r = &image->checksum_regions[image->n_checksum_regions - 1];
--       image->data_size = (r->data - (void *)image->buf) + r->size;
-+       /*
-+        * The new Tianocore multisign does a stricter check of the signatures
-+        * in particular, the signature table must start at an aligned offset
-+        * fix this by adding bytes to the end of the text section (which must
-+        * be included in the hash)
-+        */
-+       image->data_size = align_up((r->data - (void *)image->buf) + r->size, 8);
- 
-        return 0;
- }
--- 
-1.8.4
-
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
deleted file mode 100644
index 3619945..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Fix-the-deprecated-ASN1_STRING_data-in-openssl-1.1.0.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 6ef94a67490176a6d84b4968f303e6d1c51a49ce Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Wed, 16 Aug 2017 10:09:43 +0800
-Subject: [PATCH] Fix the deprecated ASN1_STRING_data() in openssl-1.1.0
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- src/idc.c       | 4 ++--
- src/idc.h       | 4 ++++
- src/sbkeysync.c | 3 ++-
- 3 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/src/idc.c b/src/idc.c
-index 236cefd..7f99a53 100644
---- a/src/idc.c
-+++ b/src/idc.c
-@@ -238,7 +238,7 @@ struct idc *IDC_get(PKCS7 *p7, BIO *bio)
- 
-        /* extract the idc from the signed PKCS7 'other' data */
-        str = p7->d.sign->contents->d.other->value.asn1_string;
--       idcbuf = buf = ASN1_STRING_data(str);
-+       idcbuf = buf = (const unsigned char *)ASN1_STRING_get0_data(str);
-        idc = d2i_IDC(NULL, &buf, ASN1_STRING_length(str));
- 
-        /* If we were passed a BIO, write the idc data, minus type and length,
-@@ -289,7 +289,7 @@ int IDC_check_hash(struct idc *idc, struct image *image)
-        }
- 
-        /* check hash against the one we calculated from the image */
--       buf = ASN1_STRING_data(str);
-+       buf = (const unsigned char *)ASN1_STRING_get0_data(str);
-        if (memcmp(buf, sha, sizeof(sha))) {
-                fprintf(stderr, "Hash doesn't match image\n");
-                fprintf(stderr, " got:       %s\n", sha256_str(buf));
-diff --git a/src/idc.h b/src/idc.h
-index a6526de..8011237 100644
---- a/src/idc.h
-+++ b/src/idc.h
-@@ -36,6 +36,10 @@
- 
- #include <openssl/pkcs7.h>
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define ASN1_STRING_get0_data  ASN1_STRING_data
-+#endif
-+
- struct idc;
- 
- int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO *si, struct image *image);
-diff --git a/src/sbkeysync.c b/src/sbkeysync.c
-index a63d3b8..223a047 100644
---- a/src/sbkeysync.c
-+++ b/src/sbkeysync.c
-@@ -54,6 +54,7 @@
- 
- #include "fileio.h"
- #include "efivars.h"
-+#include "idc.h"
- 
- #define EFIVARS_MOUNTPOINT     "/sys/firmware/efi/efivars"
- #define PSTORE_FSTYPE          0x6165676C
-@@ -210,7 +211,7 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
-        serial = x509->cert_info->serialNumber;
- 
-        key->id_len = ASN1_STRING_length(serial);
--       key->id = talloc_memdup(key, ASN1_STRING_data(serial), key->id_len);
-+       key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
- 
-        key->description = talloc_array(key, char, description_len);
-        X509_NAME_oneline(x509->cert_info->subject,
--- 
-2.7.5
-
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
deleted file mode 100644
index f517e47..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/Update-OpenSSL-API-usage-to-support-OpenSSL-1.1.patch
+++ /dev/null
@@ -1,158 +0,0 @@
-From ddf7f08d27d6a44eb62928b33c66204ffa3d7edb Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Tue, 15 Aug 2017 13:05:14 +0800
-Subject: [PATCH] Update OpenSSL API usage to support OpenSSL 1.1
-
-Most structure definitions in OpenSSL are now opaque and we must call
-the appropriate accessor functions to get information from them.
-Not all the accessors are available in older versions, so define the
-missing accessors as macros.
-
-The X509_retrieve_match() function is no longer usable, as we cannot
-initialise an X509_OBJECT ourselves.  Instead, iterate over the
-certificate store and use X509_OBJECT_get_type and X509_cmp to
-compare certificates.
-
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- src/sbkeysync.c |  7 +++----
- src/sbverify.c  | 52 ++++++++++++++++++++++++++++++++++++++--------------
- 2 files changed, 41 insertions(+), 18 deletions(-)
-
-diff --git a/src/sbkeysync.c b/src/sbkeysync.c
-index ef028ef..19e3064 100644
---- a/src/sbkeysync.c
-+++ b/src/sbkeysync.c
-@@ -204,16 +204,15 @@ static int x509_key_parse(struct key *key, uint8_t *data, size_t len)
-                return -1;
- 
-        /* we use the X509 serial number as the key ID */
--       if (!x509->cert_info || !x509->cert_info->serialNumber)
-+       serial = X509_get_serialNumber(x509);
-+       if (!serial)
-                goto out;
- 
--       serial = x509->cert_info->serialNumber;
--
-        key->id_len = ASN1_STRING_length(serial);
-        key->id = talloc_memdup(key, ASN1_STRING_get0_data(serial), key->id_len);
- 
-        key->description = talloc_array(key, char, description_len);
--       X509_NAME_oneline(x509->cert_info->subject,
-+       X509_NAME_oneline(X509_get_subject_name(x509),
-                        key->description, description_len);
- 
-        rc = 0;
-diff --git a/src/sbverify.c b/src/sbverify.c
-index fb03d21..0aed71a 100644
---- a/src/sbverify.c
-+++ b/src/sbverify.c
-@@ -55,6 +55,14 @@
- #include <openssl/pem.h>
- #include <openssl/x509v3.h>
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#define X509_OBJECT_get0_X509(obj) ((obj)->data.x509)
-+#define X509_OBJECT_get_type(obj) ((obj)->type)
-+#define X509_STORE_CTX_get0_cert(ctx) ((ctx)->cert)
-+#define X509_STORE_get0_objects(certs) ((certs)->objs)
-+#define X509_get_extended_key_usage(cert) ((cert)->ex_xkusage)
-+#endif
-+
- static const char *toolname = "sbverify";
- static const int cert_name_len = 160;
- 
-@@ -123,9 +131,9 @@ static void print_signature_info(PKCS7 *p7)
- 
-        for (i = 0; i < sk_X509_num(p7->d.sign->cert); i++) {
-                cert = sk_X509_value(p7->d.sign->cert, i);
--               X509_NAME_oneline(cert->cert_info->subject,
-+               X509_NAME_oneline(X509_get_subject_name(cert),
-                                subject_name, cert_name_len);
--               X509_NAME_oneline(cert->cert_info->issuer,
-+               X509_NAME_oneline(X509_get_issuer_name(cert),
-                                issuer_name, cert_name_len);
- 
-                printf(" - subject: %s\n", subject_name);
-@@ -136,20 +144,26 @@ static void print_signature_info(PKCS7 *p7)
- static void print_certificate_store_certs(X509_STORE *certs)
- {
-        char subject_name[cert_name_len + 1], issuer_name[cert_name_len + 1];
-+       STACK_OF(X509_OBJECT) *objs;
-        X509_OBJECT *obj;
-+       X509 *cert;
-        int i;
- 
-        printf("certificate store:\n");
- 
--       for (i = 0; i < sk_X509_OBJECT_num(certs->objs); i++) {
--               obj = sk_X509_OBJECT_value(certs->objs, i);
-+       objs = X509_STORE_get0_objects(certs);
-+
-+       for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
-+               obj = sk_X509_OBJECT_value(objs, i);
- 
--               if (obj->type != X509_LU_X509)
-+               if (X509_OBJECT_get_type(obj) != X509_LU_X509)
-                        continue;
- 
--               X509_NAME_oneline(obj->data.x509->cert_info->subject,
-+               cert = X509_OBJECT_get0_X509(obj);
-+
-+               X509_NAME_oneline(X509_get_subject_name(cert),
-                                subject_name, cert_name_len);
--               X509_NAME_oneline(obj->data.x509->cert_info->issuer,
-+               X509_NAME_oneline(X509_get_issuer_name(cert),
-                                issuer_name, cert_name_len);
- 
-                printf(" - subject: %s\n", subject_name);
-@@ -182,12 +196,21 @@ static int load_detached_signature_data(struct image *image,
- 
- static int cert_in_store(X509 *cert, X509_STORE_CTX *ctx)
- {
--       X509_OBJECT obj;
-+       STACK_OF(X509_OBJECT) *objs;
-+       X509_OBJECT *obj;
-+       int i;
-+
-+       objs = X509_STORE_get0_objects(X509_STORE_CTX_get0_store(ctx));
- 
--       obj.type = X509_LU_X509;
--       obj.data.x509 = cert;
-+       for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
-+               obj = sk_X509_OBJECT_value(objs, i);
- 
--       return X509_OBJECT_retrieve_match(ctx->ctx->objs, &obj) != NULL;
-+               if (X509_OBJECT_get_type(obj) == X509_LU_X509 &&
-+                   !X509_cmp(X509_OBJECT_get0_X509(obj), cert))
-+                       return 1;
-+       }
-+
-+       return 0;
- }
- 
- static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
-@@ -195,15 +218,16 @@ static int x509_verify_cb(int status, X509_STORE_CTX *ctx)
-        int err = X509_STORE_CTX_get_error(ctx);
- 
-        /* also accept code-signing keys */
--       if (err == X509_V_ERR_INVALID_PURPOSE
--                       && ctx->cert->ex_xkusage == XKU_CODE_SIGN)
-+       if (err == X509_V_ERR_INVALID_PURPOSE &&
-+                       X509_get_extended_key_usage(X509_STORE_CTX_get0_cert(ctx))
-+                       == XKU_CODE_SIGN)
-                status = 1;
- 
-        /* all certs given with the --cert argument are trusted */
-        else if (err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY ||
-                        err == X509_V_ERR_CERT_UNTRUSTED) {
- 
--               if (cert_in_store(ctx->current_cert, ctx))
-+               if (cert_in_store(X509_STORE_CTX_get_current_cert(ctx), ctx))
-                        status = 1;
-        }
- 
--- 
-2.7.5
-
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2 b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2
deleted file mode 100644
index 9a2994f..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/ccan.git.tar.bz2
+++ /dev/null
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
deleted file mode 100644
index 9310628..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/disable-man-page-creation.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Upstream-Status: Inappropriate [embedded specific]
-
-diff --git a/docs/Makefile.am b/docs/Makefile.am
-index 1b5a588..6918dd8 100644
---- a/docs/Makefile.am
-+++ b/docs/Makefile.am
-@@ -1,8 +1,4 @@
- 
--man1_MANS = sbsign.1 sbverify.1 sbattach.1 sbvarsign.1 sbsiglist.1
--
--EXTRA_DIST = sbsign.1.in sbverify.1.in sbattach.1.in \
--               sbvarsign.1.in sbsiglist.1.in
- CLEANFILES = $(man1_MANS)
- 
- $(builddir)/%.1: $(srcdir)/%.1.in $(top_builddir)/src/%
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
deleted file mode 100644
index 3031e4a..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From 05e73dbe1f25600ad0dbb36b2d690560c5a36281 Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Tue, 31 Mar 2015 15:34:38 +0800
-Subject: [PATCH] Fix mixed implicit and normal rules
-
-Upstream-Status: Inappropriate [embedded specific]
-
-This patch comes from upstream:
-http://git.yoctoproject.org/cgit/cgit.cgi/meta-luv/plain/recipes-devtools/sbsigntool/sbsigntool/fix-mixed-implicit-and-normal-rules.patch
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- Makefile | 4 ----
- 1 file changed, 4 deletions(-)
-
-diff --git a/Makefile b/Makefile
-index 65d0d8f..a83185d 100644
---- a/Makefile
-+++ b/Makefile
-@@ -39,10 +39,6 @@ $(SCOREDIR)/SUMMARY: $(MODS:%=$(SCOREDIR)/%.score)
-        $(CC) -v >> $@
-        cat $^ | grep 'Total score:' >> $@
- 
--$(SCOREDIR)/%.score: ccan/%/_info tools/ccanlint/ccanlint $(OBJFILES)
--       mkdir -p `dirname $@`
--       $(CCANLINT) -v -s ccan/$* > $@ || true
--
- $(ALL_DEPENDS): %/.depends: %/_info tools/ccan_depends
-        tools/ccan_depends $* > $@ || ( rm -f $@; exit 1 )
- 
--- 
-1.8.3.1
-
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
deleted file mode 100644
index 6fef038..0000000
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool/image-fix-the-segment-fault-caused-by-the-uninitiali.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From a6862cb3bb3b00a1d6704b2bd1fedbd1374be861 Mon Sep 17 00:00:00 2001
-From: Lans Zhang <jia.zhang@windriver.com>
-Date: Thu, 6 Apr 2017 11:11:14 +0800
-Subject: [PATCH] image: fix the segment fault caused by the uninitialized
- sigbuf
-
-The uninitialized struct image might contain a non-zeroed sigbuf and then
-it is wrongly freed by image_add_signature().
-
-Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
----
- src/image.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/image.c b/src/image.c
-index cc55791..644e8f1 100644
---- a/src/image.c
-+++ b/src/image.c
-@@ -395,7 +395,7 @@ struct image *image_load(const char *filename)
-        struct image *image;
-        int rc;
- 
--       image = talloc(NULL, struct image);
-+       image = talloc_zero(NULL, struct image);
-        if (!image) {
-                perror("talloc(image)");
-                return NULL;
--- 
-2.11.0
-
diff --git a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
index 2c2e9d9..271a33f 100644
--- a/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
+++ b/meta-signing-key/recipes-devtools/sbsigntool/sbsigntool_git.bb
@@ -8,18 +8,24 @@ LIC_FILES_CHKSUM = "\
 "
 
 DEPENDS += "binutils openssl gnu-efi gnu-efi-native"
-DEPENDS += "help2man-native coreutils-native openssl-native util-linux-native"
+DEPENDS += "binutils-native help2man-native coreutils-native openssl-native util-linux-native"
 
-PV = "0.8+git${SRCPV}"
-
-SRC_URI = "\
-    git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntool \
+SRC_URI = " \
+    git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git;protocol=https;name=sbsigntools \
+    git://github.com/rustyrussell/ccan.git;protocol=https;destsuffix=git/lib/ccan.git;name=ccan \
+    file://0001-configure-Dont-t-check-for-gnu-efi.patch \
+    file://0002-docs-Don-t-build-man-pages.patch \
+    file://0003-sbsign-add-x-option-to-avoid-overwrite-existing-sign.patch \
 "
-SRCREV="f12484869c9590682ac3253d583bf59b890bb826"
+SRCREV_sbsigntools  ?= "f12484869c9590682ac3253d583bf59b890bb826"
+SRCREV_ccan         ?= "b1f28e17227f2320d07fe052a8a48942fe17caa5"
+SRCREV_FORMAT       =  "sbsigntools_ccan"
+
+PV = "0.9.2-git${SRCPV}"
 
 S = "${WORKDIR}/git"
 
-inherit native  autotools-brokensep pkgconfig
+inherit autotools-brokensep pkgconfig native
 
 def efi_arch(d):
     import re
@@ -35,16 +41,43 @@ def efi_arch(d):
 #    --with-libtool-sysroot \
 #"
 
+HOST_EXTRACFLAGS += "\
+    INCLUDES+='-I${S}/lib/ccan.git/ \
+              -I${STAGING_INCDIR_NATIVE}/efi \
+              -I${STAGING_INCDIR_NATIVE} \
+"
+
 EXTRA_OEMAKE += "\
     INCLUDES='-I${S}/lib/ccan.git' \
-    EFI_CPPFLAGS='-I${STAGING_INCDIR}/efi \
+    EFI_CPPFLAGS='-I${STAGING_INCDIR} -I${STAGING_INCDIR}/efi \
                   -I${STAGING_INCDIR}/efi/${@efi_arch(d)}' \
 "
 
-do_configure() {
-    cd "${S}"
-    ./autogen.sh
-    oe_runconf
+do_configure_prepend() {
+    cd ${S}
+
+    if [ ! -e lib/ccan ]; then
+
+        # Use empty SCOREDIR because 'make scores' is not run.
+        # The default setting depends on (non-whitelisted) host tools.
+        sed -i -e 's#^\(SCOREDIR=\).*#\1#' lib/ccan.git/Makefile
+
+        lib/ccan.git/tools/create-ccan-tree \
+            --build-type=automake lib/ccan \
+            talloc read_write_all build_assert array_size endian
+    fi
+
+    # Create generatable docs from git
+    (
+    echo "Authors of sbsigntool:"
+    echo
+    git log --format='%an' | sort -u | sed 's,^,\t,'
+    ) > AUTHORS
+
+    # Generate simple ChangeLog
+    git log --date=short --format='%ad %t %an <%ae>%n%n  * %s%n' > ChangeLog
+    
+    cd ${B}
 }
 
 BBCLASSEXTEND = "native nativesdk"