diff --git a/.gitignore b/.gitignore
index 1d41c7c..e07cc94 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /sbsigntools-0.9.2.tar.xz
 /sbsigntools-0.9.3.tar.xz
 /sbsigntools-0.9.4.tar.xz
+/sbsigntools-0.9.5.tar.xz
diff --git a/f12484869c9590682ac3253d583bf59b890bb826.patch b/f12484869c9590682ac3253d583bf59b890bb826.patch
deleted file mode 100644
index 11bed89..0000000
--- a/f12484869c9590682ac3253d583bf59b890bb826.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From f12484869c9590682ac3253d583bf59b890bb826 Mon Sep 17 00:00:00 2001
-From: dann frazier
-Date: Wed, 12 Aug 2020 15:27:08 -0600
-Subject: sbkeysync: Don't ignore errors from insert_new_keys()
-
-If insert_new_keys() fails, say due to a full variable store, we currently
-still exit(0). This can make it difficult to know something is wrong.
-For example, Debian and Ubuntu implement a secureboot-db systemd service
-to update the DB and DBX, which calls:
-
- ExecStart=/usr/bin/sbkeysync --no-default-keystores --keystore /usr/share/secureboot/updates --verbose
-
-But although this seemed to succeed on my system, looking at the logs shows
-a different story:
-
-Inserting key update /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin into dbx
-Error writing key update: Invalid argument
-Error syncing keystore file /usr/share/secureboot/updates/dbx/dbxupdate_x64.bin
-
-Signed-off-by: dann frazier
-Signed-off-by: James Bottomley
----
- src/sbkeysync.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/sbkeysync.c b/src/sbkeysync.c
-index e51f177..7748990 100644
---- a/src/sbkeysync.c
-+++ b/src/sbkeysync.c
-@@ -889,10 +889,12 @@ int main(int argc, char **argv)
- {
- bool use_default_keystore_dirs;
- struct sync_context *ctx;
-+ int rc;
-
- use_default_keystore_dirs = true;
- ctx = talloc_zero(NULL, struct sync_context);
- list_head_init(&ctx->new_keys);
-+ rc = EXIT_SUCCESS;
-
- for (;;) {
- int idx, c;
-@@ -985,10 +987,10 @@ int main(int argc, char **argv)
- if (ctx->verbose)
- print_new_keys(ctx);
-
-- if (!ctx->dry_run)
-- insert_new_keys(ctx);
-+ if (!ctx->dry_run && insert_new_keys(ctx))
-+ rc = EXIT_FAILURE;
-
- talloc_free(ctx);
-
-- return EXIT_SUCCESS;
-+ return rc;
- }
---
-cgit 1.2.3-1.el7
-
diff --git a/sbsigntools-gnuefi.patch b/sbsigntools-gnuefi.patch
index 2e28883..4e3c07a 100644
--- a/sbsigntools-gnuefi.patch
+++ b/sbsigntools-gnuefi.patch
@@ -1,14 +1,14 @@ -diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac ---- sbsigntools-0.9.3/configure.ac.gnu-efi 2020-02-03 09:38:56.000000000 +0100 -+++ sbsigntools-0.9.3/configure.ac 2020-02-04 09:48:53.011259075 +0100 -@@ -64,19 +64,30 @@ PKG_CHECK_MODULES(uuid, uuid, +diff -up sbsigntools-0.9.5/configure.ac.gnu-efi sbsigntools-0.9.5/configure.ac +--- sbsigntools-0.9.5/configure.ac.gnu-efi 2023-05-05 12:56:50.000000000 +0200 ++++ sbsigntools-0.9.5/configure.ac 2023-05-05 13:06:47.495361241 +0200 +@@ -67,19 +67,30 @@ PKG_CHECK_MODULES(uuid, uuid, AC_MSG_ERROR([libuuid (from the uuid package) is required])) dnl gnu-efi headers require extra include dirs -EFI_ARCH=$(uname -m | sed 's/i.86/ia32/;s/arm.*/arm/') --AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" ]) +-AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aarch64" -o "$EFI_ARCH" = riscv64 ]) +EFI_ARCH=$(uname -m | sed -e 's/i.86/ia32/;s/arm.*/arm/' -e 's/x86_64/x64/' -e 's/aarch64/aa64/') -+AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" ]) ++AM_CONDITIONAL(TEST_BINARY_FORMAT, [ test "$EFI_ARCH" = "arm" -o "$EFI_ARCH" = "aa64" -o "$EFI_ARCH" = riscv64 ]) ## # no consistent view of where gnu-efi should dump the efi stuff, so find it @@ -36,7 +36,7 @@ diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac fi EFI_CPPFLAGS="-I/usr/include/efi -I/usr/include/efi/$EFI_ARCH \ -@@ -88,6 +99,9 @@ CPPFLAGS="$CPPFLAGS_save" +@@ -91,6 +102,9 @@ CPPFLAGS="$CPPFLAGS_save" AC_SUBST(EFI_CPPFLAGS, $EFI_CPPFLAGS) AC_SUBST(EFI_ARCH, $EFI_ARCH) AC_SUBST(CRTPATH, $CRTPATH) 
@@ -46,10 +46,10 @@ diff -up sbsigntools-0.9.3/configure.ac.gnu-efi sbsigntools-0.9.3/configure.ac AC_CONFIG_FILES([Makefile src/Makefile lib/ccan/Makefile] [docs/Makefile tests/Makefile]) -diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Makefile.am ---- sbsigntools-0.9.3/tests/Makefile.am.gnu-efi 2020-02-03 09:38:56.000000000 +0100 -+++ sbsigntools-0.9.3/tests/Makefile.am 2020-02-04 09:47:44.786665340 +0100 -@@ -14,7 +14,7 @@ if TEST_BINARY_FORMAT +diff -up sbsigntools-0.9.5/tests/Makefile.am.gnu-efi sbsigntools-0.9.5/tests/Makefile.am +--- sbsigntools-0.9.5/tests/Makefile.am.gnu-efi 2023-05-05 12:56:50.000000000 +0200 ++++ sbsigntools-0.9.5/tests/Makefile.am 2023-05-05 12:57:50.674915069 +0200 +@@ -18,7 +18,7 @@ if TEST_BINARY_FORMAT EFILDFLAGS = --defsym=EFI_SUBSYSTEM=0x0a FORMAT = -O binary else @@ -58,7 +58,7 @@ diff -up sbsigntools-0.9.3/tests/Makefile.am.gnu-efi sbsigntools-0.9.3/tests/Mak endif check_DATA = $(test_key) $(test_cert) check_SCRIPTS = test-wrapper.sh -@@ -27,7 +27,7 @@ check_SCRIPTS = test-wrapper.sh +@@ -31,7 +31,7 @@ check_SCRIPTS = test-wrapper.sh $(FORMAT) $^ $@ .$(OBJEXT).elf: diff --git a/sbsigntools-mktarball.sh b/sbsigntools-mktarball.sh index 07f8a30..b6e6f0f 100755 --- a/sbsigntools-mktarball.sh +++ b/sbsigntools-mktarball.sh @@ -12,8 +12,8 @@ tmp=$(mktemp -d) unset CDPATH pwd=$(pwd) -version=0.9.4 -commit=d52f7bbb73401aab8a1d59e8d0d686ad9641035e +version=0.9.5 +commit=9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba pushd "$tmp" git clone git://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git diff --git a/sbsigntools-openssl3.patch b/sbsigntools-openssl3.patch deleted file mode 100644 index 3e14327..0000000 --- a/sbsigntools-openssl3.patch +++ /dev/null 
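Review bot: The `git clone git://git.kernel.org/…` context line that closes the sbsigntools-mktarball.sh hunk fetches the source over the unauthenticated git protocol, and the archive built from that clone is what the new SHA512 in `sources` vouches for. Pinning `commit=9cfca9fe7aa7a8e29b92fe33ce8433e212c9a8ba` only protects the result if the script checks out exactly that object, which happens outside this hunk and cannot be confirmed here. I would change the line to `git clone https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git` and add a comment above `commit=` such as `# commit of the upstream 0.9.5 release tag; re-check against the tag when bumping`.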
@@ -1,12 +0,0 @@
-diff -up sbsigntools-0.9.4/src/idc.c.openssl3 sbsigntools-0.9.4/src/idc.c
---- sbsigntools-0.9.4/src/idc.c.openssl3 2020-07-04 01:14:29.000000000 +0200
-+++ sbsigntools-0.9.4/src/idc.c 2021-11-19 16:20:10.082475750 +0100
-@@ -189,7 +189,7 @@ int IDC_set(PKCS7 *p7, PKCS7_SIGNER_INFO
-
- idc->data->type = OBJ_nid2obj(peid_nid);
- idc->data->value = ASN1_TYPE_new();
-- type_set_sequence(image, idc->data->value, peid, &IDC_PEID_it);
-+ type_set_sequence(image, idc->data->value, peid, ASN1_ITEM_rptr(IDC_PEID));
-
- idc->digest->alg->parameter = ASN1_TYPE_new();
- idc->digest->alg->algorithm = OBJ_nid2obj(NID_sha256);
diff --git a/sbsigntools.spec b/sbsigntools.spec
index af4ed2e..0054308 100644
--- a/sbsigntools.spec
+++ b/sbsigntools.spec
@@ -2,8 +2,8 @@ %define _warning_options -Wall -Werror=format-security -Wno-deprecated-declarations -Wno-maybe-uninitialized Name: sbsigntools -Version: 0.9.4 -Release: 11%{?dist} +Version: 0.9.5 +Release: 1%{?dist} Summary: Signing utility for UEFI secure boot License: GPLv3+ URL: https://build.opensuse.org/package/show/home:jejb1:UEFI/sbsigntools
@@ -15,10 +15,6 @@ Source1: %{name}-mktarball.sh
 Patch0: %{name}-no-git.patch
 # add Fedora gnu-efi path and link statically against libefi.a/libgnuefi.a
 Patch1: %{name}-gnuefi.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=1955828
-Patch2: https://git.kernel.org/pub/scm/linux/kernel/git/jejb/sbsigntools.git/patch/?id=f12484869c9590682ac3253d583bf59b890bb826#/f12484869c9590682ac3253d583bf59b890bb826.patch
-# https://groups.io/g/sbsigntools/message/54
-Patch3: %{name}-openssl3.patch
 # same as gnu-efi
 ExclusiveArch: x86_64 aarch64 %{arm} %{ix86}
 BuildRequires: make
@@ -86,6 +82,10 @@ make check %{_mandir}/man1/sbverify.1.* %changelog +* Fri May 05 2023 Dominik Mierzejewski - 0.9.5-1 +- update to 0.9.5 (#2179697) +- drop obsolete patches + * Sat Jan 21 2023 Fedora Release Engineering - 0.9.4-11 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
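Review bot: The new changelog line `- drop obsolete patches` does not say why Patch2 and Patch3 are obsolete, and the second sbsigntools.spec hunk also removes the two comment URLs that documented them. Patch2 made sbkeysync return a failure status when insert_new_keys() fails, which is what lets a failed dbx update show up as a failed service run, so the record should state that the rebase keeps that behaviour. If both fixes are contained in the 0.9.5 tree (not verifiable from this diff), I would word the entry as `- drop sbkeysync exit-status and OpenSSL 3 patches, both included upstream in 0.9.5`.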
diff --git a/sources b/sources
index 3141750..fe6a9a5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sbsigntools-0.9.4.tar.xz) = ad1a2ed2a937414c6aee593a6d37638a56076fdbda112943af16c46dcaca578d3dac6498dc02f7e62499328cd82b48ab635f4fbac1ae49c606c9a717d9301133
+SHA512 (sbsigntools-0.9.5.tar.xz) = dbe52b709724eaaa0d5859ca0088190ee417e721a626681ea84cae3f04a7484e5caf64eb469094d3e373724c1f530cc75fa8ac63eaa91f803db2fda2f46c594f