diff --git a/Add-support-for-digest-lists.patch b/Add-support-for-digest-lists.patch
new file mode 100644
index 0000000..87e38e9
--- /dev/null
+++ b/Add-support-for-digest-lists.patch
@@ -0,0 +1,58 @@
+From 9caa3773a41c531c21b4a696a6928ed953f18b7f Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Sat, 27 Jun 2020 13:38:07 +0200
+Subject: [PATCH] Add support for digest lists
+
+---
+ pesign-gen-repackage-spec | 7 +++++++
+ pesign-repackage.spec.in | 11 +++++++++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
+index 96f07b5..682c5c1 100755
+--- a/pesign-gen-repackage-spec
++++ b/pesign-gen-repackage-spec
+@@ -432,6 +432,13 @@ sub print_files {
+ if (-e "$path.sig") {
+ print SPEC "$attrs " . quote($f->{name}) . ".sig\n";
+ }
++
++ my $digest_list_sig = $f->{name};
++ $digest_list_sig =~ s/digest_lists/digest_lists.sig/;
++
++ if (-e "$directory/$digest_list_sig.sig") {
++ print SPEC "$attrs " . quote($digest_list_sig) . ".sig\n";
++ }
+ }
+ }
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index 76732b5..141f990 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -119,13 +119,20 @@ fi
+ mkdir nss-db
+ nss_db=$PWD/nss-db
+ echo foofoofoo > "$nss_db/passwd"
+-certutil -N -d "$nss_db" -f "$nss_db/passwd"
+-certutil -A -d "$nss_db" -f "$nss_db/passwd" -n cert -t CT,CT,CT -i "$cert"
++
++if test "$(wc -l
+Date: Tue, 14 Jul 2020 12:38:42 +0200
+Subject: [PATCH 1/3] Apply correct mask in pesign-gen-repackage-spec
+
+---
+ pesign-gen-repackage-spec | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
+index fa0935e..e554c5d 100755
+--- a/pesign-gen-repackage-spec
++++ b/pesign-gen-repackage-spec
+@@ -376,7 +376,7 @@ sub print_files {
+ $attrs .= "\%dir ";
+ utime($f->{mtime}, $f->{mtime}, $path);
+ }
+- $attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & 0777),
++ $attrs .= sprintf('%%attr(%04o, %s, %s) ', ($f->{mode} & oct(7777)),
+ $f->{owner}, $f->{group});
+ if ($f->{flags} & $filetypes{config}) {
+ $attrs .= "%config ";
+--
+2.27.GIT
+
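Review bot: The new `.sig` lookup in the `@@ -432` hunk of print_files runs for every file, not only for digest lists: `s/digest_lists/digest_lists.sig/` leaves `$digest_list_sig` equal to `$f->{name}` when the name contains no `digest_lists`, so the second `-e` test looks at `$directory/<name>.sig`, and if `$path` is `$directory/$f->{name}` (its assignment is outside the hunk) that repeats the check two lines above and writes the same `.sig` entry into the spec twice. Gating on the substitution having matched avoids that: `if ($digest_list_sig =~ s{digest_lists}{digest_lists.sig} && -e "$directory/$digest_list_sig.sig") {`. The pattern is also unanchored, so any path with `digest_lists` somewhere in it is rewritten; matching the directory component explicitly (`m{/digest_lists/}`) would state the intent. Note that this page is cut after `wc -l` in the patch's second hunk: the rest of the certutil replacement and the header of the following Apply-correct-mask patch are missing, so that part cannot be reviewed here.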
diff --git a/Disable-building-debug-packages.patch b/Disable-building-debug-packages.patch
new file mode 100644
index 0000000..bb574cc
--- /dev/null
+++ b/Disable-building-debug-packages.patch
@@ -0,0 +1,24 @@
+From c93cc80bd005f04eec1c933b23d3ba263cf21461 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Sat, 27 Jun 2020 13:56:09 +0200
+Subject: [PATCH] Disable building debug packages
+
+---
+ pesign-repackage.spec.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index fe00f0a..90ae17c 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -21,6 +21,7 @@
+
+ # Do not generate any debug packages from the repackage specfile
+ %undefine _build_create_debug
++%global debug_package %{nil}
+
+ Name: pesign-repackage
+ Version: 1.0
+--
+2.27.GIT
+
diff --git a/Don-t-set-files-variable-in-brp-99-pesign.patch b/Don-t-set-files-variable-in-brp-99-pesign.patch
new file mode 100644
index 0000000..7d62780
--- /dev/null
+++ b/Don-t-set-files-variable-in-brp-99-pesign.patch
@@ -0,0 +1,25 @@
+From 6deabd288aa9daffe09b555dd3deff69f0081dcf Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 14 Jul 2020 14:46:40 +0200
+Subject: [PATCH] Don't set files variable in brp-99-pesign
+
+---
+ brp-99-pesign | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/brp-99-pesign b/brp-99-pesign
+index c2492b3..c991d83 100644
+--- a/brp-99-pesign
++++ b/brp-99-pesign
+@@ -22,7 +22,7 @@
+
+ set -e
+
+-files="*.ko"
++#files="*.ko"
+ if test -n "${BRP_PESIGN_FILES+x}"; then
+ files=${BRP_PESIGN_FILES}
+ fi
+--
+2.27.GIT
+
diff --git a/Require-nss-util-for-building-in-pesign-repackage.sp.patch b/Require-nss-util-for-building-in-pesign-repackage.sp.patch
new file mode 100644
index 0000000..6a16178
--- /dev/null
+++ b/Require-nss-util-for-building-in-pesign-repackage.sp.patch
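Review bot: In the brp-99-pesign hunk, turning `files="*.ko"` into `#files="*.ko"` leaves `files` unset whenever BRP_PESIGN_FILES is not exported, and nothing in the hunk supplies a replacement default; the script runs under `set -e`, not `set -u`, so an unset `files` is not an error and the script presumably just has nothing to sign. How `$files` is consumed is outside the hunk, so whether that is a safe no-op depends on the loop below. An explicit empty default with a why-comment keeps the new behaviour while making the opt-in visible: `# Nothing is signed unless the package opts in via BRP_PESIGN_FILES` followed by `files=""`. Commented-out code tends to be uncommented later; git history already preserves the old default.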
@@ -0,0 +1,28 @@
+From f1afdd8f47351449b85da91ae690fb0d06bc3431 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 14 Jul 2020 14:49:12 +0200
+Subject: [PATCH] Require nss-util for building in pesign-repackage.spec.in
+
+---
+ pesign-repackage.spec.in | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index 141f990..3758329 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -25,7 +25,11 @@
+ Name: pesign-repackage
+ Version: 1.0
+ Release: 1
++%if 0%{?suse_version}
+ BuildRequires: openssl mozilla-nss-tools
++%else
++BuildRequires: openssl nss-util
++%endif
+ %ifarch %ix86 x86_64 ia64
+ BuildRequires: pesign
+ %endif
+--
+2.27.GIT
+
diff --git a/Skip-processing-of-ghost-files-as-they-are-not-extra.patch b/Skip-processing-of-ghost-files-as-they-are-not-extra.patch
new file mode 100644
index 0000000..eff371c
--- /dev/null
+++ b/Skip-processing-of-ghost-files-as-they-are-not-extra.patch
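Review bot: The non-SUSE branch `BuildRequires: openssl nss-util` is not the counterpart of `mozilla-nss-tools`: on Fedora/RHEL-family distributions `nss-util` is the NSS utility library, while the `certutil` binary that the SUSE package provides and that this spec runs against its nss-db (see the `certutil -N`/`-A` lines in the digest-lists patch above) lives in `nss-tools`. Unless the digest-lists change removes every certutil call (its tail is cut off on this page), the build will fail at that step on those distributions; `BuildRequires: openssl nss-tools` is the equivalent choice. The same `nss-util` appears in the `%else` branch of pesign-obs-integration.spec further down this page.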
@@ -0,0 +1,46 @@
+From bbebbe1e51ff38601bb9e14e323327d21dedb048 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 14 Jul 2020 12:39:44 +0200
+Subject: [PATCH 2/3] Skip processing of ghost files as they are not extracted
+ from RPMs
+
+---
+ pesign-gen-repackage-spec | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/pesign-gen-repackage-spec b/pesign-gen-repackage-spec
+index e554c5d..96f07b5 100755
+--- a/pesign-gen-repackage-spec
++++ b/pesign-gen-repackage-spec
+@@ -392,17 +392,17 @@ sub print_files {
+ }
+ if ($f->{flags} & $filetypes{ghost}) {
+ $attrs .= "%ghost ";
+- if (S_ISREG($f->{mode})) {
+- open(my $fh, '>', $path) or die "$path: $!\n";
+- if ($f->{size} > 0) {
+- sysseek($fh, $f->{size} - 1, SEEK_SET);
+- syswrite($fh, ' ', 1);
+- }
+- close($fh);
+- utime($f->{mtime}, $f->{mtime}, $path);
+- } elsif (S_ISLNK($f->{mode})) {
+- symlink($f->{target}, $path);
+- }
++# if (S_ISREG($f->{mode})) {
++# open(my $fh, '>', $path) or die "$path: $!\n";
++# if ($f->{size} > 0) {
++# sysseek($fh, $f->{size} - 1, SEEK_SET);
++# syswrite($fh, ' ', 1);
++# }
++# close($fh);
++# utime($f->{mtime}, $f->{mtime}, $path);
++# } elsif (S_ISLNK($f->{mode})) {
++# symlink($f->{target}, $path);
++# }
+ }
+ # mtime of symlinks is also not preserved by cpio
+ if (S_ISLNK($f->{mode})) {
+--
+2.27.GIT
+
diff --git a/Undefine-__brp_digest_list-in-pesign-repackage.spec..patch b/Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
new file mode 100644
index 0000000..7547a5b
--- /dev/null
+++ b/Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
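Review bot: The eleven lines from `if (S_ISREG($f->{mode}))` onward are turned into `#` comments instead of being removed, which leaves dead code in print_files (whose body continues outside the hunk) and does not say why the ghost branch is now a no-op; the rationale is only in the commit title. Replacing the commented block with `# Ghost files are not extracted from the RPMs, so there is nothing to create in the build root; the %ghost attribute alone is enough.` records the reason, and git history keeps the old code if it is ever wanted again. Since the `symlink` and `utime` calls go with it, the `S_ISLNK` branch right below, whose body is outside the hunk, may now be reached for a ghost symlink that was never created; worth confirming it tolerates a missing file.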
@@ -0,0 +1,26 @@
+From b9006b66251441a10e1714e697cb45c2fb49a410 Mon Sep 17 00:00:00 2001
+From: Roberto Sassu
+Date: Tue, 14 Jul 2020 17:11:10 +0200
+Subject: [PATCH] Undefine __brp_digest_list in pesign-repackage.spec.in
+
+---
+ pesign-repackage.spec.in | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pesign-repackage.spec.in b/pesign-repackage.spec.in
+index 90ae17c..034f56c 100644
+--- a/pesign-repackage.spec.in
++++ b/pesign-repackage.spec.in
+@@ -174,7 +174,8 @@ popd
+ --directory=%buildroot "${rpms[@]}"
+ rpmbuild --define "%%buildroot %buildroot" --define "%%disturl $disturl" \
+ --define "%%_builddir $PWD" \
+- --define "%_suse_insert_debug_package %%{nil}" -bb repackage.spec
++ --define "%_suse_insert_debug_package %%{nil}" \
++ --undefine "%%__brp_digest_list" -bb repackage.spec
+
+ # This is needed by the kernel packages. Ideally, we should not run _any_ brp
+ # checks, because the RPMs passed them once already
+--
+2.27.GIT
+
diff --git a/pesign-obs-integration.spec b/pesign-obs-integration.spec
new file mode 100644
index 0000000..c25810f
--- /dev/null
+++ b/pesign-obs-integration.spec
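Review bot: The rewritten `--define "%_suse_insert_debug_package %%{nil}"` line keeps a single `%` on the macro name while the new `--undefine "%%__brp_digest_list"` line next to it doubles it, as the `%%buildroot`, `%%disturl` and `%%_builddir` defines above do; inside a scriptlet a single `%name` is expanded by the outer rpmbuild when that macro is defined on the build host, so only the `%%` form is guaranteed to reach the inner rpmbuild literally. Since the line is touched anyway, `--define "%%_suse_insert_debug_package %%{nil}" \` would make the escaping consistent, unless the single `%` is deliberate. The reason for undefining `__brp_digest_list` is also not recorded; a comment such as `# The RPMs already carry their digest lists; do not regenerate them on repackage` beside the existing brp comment below would help, adjusted if that is not the actual motivation.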
@@ -0,0 +1,90 @@
+#
+# spec file for package pesign-obs-integration
+#
+# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+# needssslcertforbuild
+
+%global debug_package %{nil}
+
+Name: pesign-obs-integration
+Summary: Macros and scripts to sign the kernel and bootloader
+License: GPL-2.0-only
+Group: Development/Tools/Other
+Version: 10.1
+Release: 0
+Requires: fipscheck
+%if 0%{?suse_version}
+Requires: mozilla-nss-tools
+%else
+Requires: nss-util
+%endif
+Requires: openssl
+%ifarch %ix86 x86_64 ia64 aarch64 %arm
+Requires: pesign
+%endif
+BuildRequires: openssl
+Url: http://en.opensuse.org/openSUSE:UEFI_Image_File_Sign_Tools
+Source: %{name}_%{version}.tar.gz
+Patch0: Require-nss-util-for-building-in-pesign-repackage.sp.patch
+Patch1: Apply-correct-mask-in-pesign-gen-repackage-spec.patch
+Patch2: Skip-processing-of-ghost-files-as-they-are-not-extra.patch
+Patch3: Add-support-for-digest-lists.patch
+Patch4: Don-t-set-files-variable-in-brp-99-pesign.patch
+Patch5: Disable-building-debug-packages.patch
+Patch6: Undefine-__brp_digest_list-in-pesign-repackage.spec..patch
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+%if 0%{?suse_version}
+# suse-module-tools <= 15.0.10 contains modsign-verify
+Requires: suse-module-tools >= 15.0.10
+%endif
+
+%description
+This package provides scripts and rpm macros to automate signing of the
+boot loader, kernel and kernel modules in the openSUSE Buildservice.
+
+%prep
+%autosetup -n %{name} -p1
+
+%build
+
+%install
+
+mkdir -p %buildroot/usr/lib/rpm/brp-suse.d %buildroot/usr/lib/rpm/pesign
+install pesign-gen-repackage-spec kernel-sign-file gen-hmac %buildroot/usr/lib/rpm/pesign
+install brp-99-pesign %buildroot/usr/lib/rpm/brp-suse.d
+# brp-99-compress-vmlinux has nothing to do with signing. It is packaged in
+# pesign-obs-integration because this package is already used by the kernel
+# build
+install brp-99-compress-vmlinux %buildroot/usr/lib/rpm/brp-suse.d
+install -m644 pesign-repackage.spec.in %buildroot/usr/lib/rpm/pesign
+mkdir -p %buildroot/usr/bin
+install modsign-repackage %buildroot/usr/bin/
+install -pm 755 modsign-verify %buildroot/usr/bin/
+if test -e _projectcert.crt; then
+ openssl x509 -inform PEM -in _projectcert.crt \
+ -outform DER -out %buildroot/usr/lib/rpm/pesign/pesign-cert.x509
+else
+ echo "No buildservice project certificate available"
+fi
+
+%files
+%defattr(-,root,root)
+%license COPYING
+%doc README
+/usr/bin/modsign-repackage
+/usr/bin/modsign-verify
+/usr/lib/rpm/*
+
+%changelog
diff --git a/pesign-obs-integration_10.1.tar.gz b/pesign-obs-integration_10.1.tar.gz
new file mode 100644
index 0000000..636326d
Binary files /dev/null and b/pesign-obs-integration_10.1.tar.gz differ
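Review bot: In `%install`, a missing `_projectcert.crt` only prints `No buildservice project certificate available` and the build continues, so a local or mis-configured build ships a package without `/usr/lib/rpm/pesign/pesign-cert.x509`; because `%files` claims `/usr/lib/rpm/*` as a glob, rpmbuild does not notice the difference and it surfaces only later, when a consumer's signing or verification step cannot find the certificate. The `needssslcertforbuild` marker at the top suggests OBS always supplies the certificate, so failing fast is the safer default: `echo "No buildservice project certificate available" >&2` followed by `exit 1`, or, if certificate-less local builds are intended, a comment next to the `else` saying so. Sending the message to stderr is worthwhile either way so it stands out in build logs.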