commit shim for openSUSE:Factory

h_root Wed, 28 Aug 2013 12:19:04 -0700

Hello community,

here is the log from the commit of package shim for openSUSE:Factory checked in 
at 2013-08-28 21:17:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
 and      /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Package is "shim"

Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes        2013-08-27 
21:22:39.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes   2013-08-28 
21:17:52.000000000 +0200
@@ -1,0 +2,7 @@
+Wed Aug 28 07:16:51 UTC 2013 - [email protected]
+
+- also include old openSUSE 4096 bit certificate to be able to still
+  boot kernels signed with that key.
+- add show_signatures script
+
+-------------------------------------------------------------------

New:
----
  openSUSE-UEFI-CA-Certificate-4096.crt
  show_signatures.sh

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.8MqiVw/_old  2013-08-28 21:17:52.000000000 +0200
+++ /var/tmp/diff_new_pack.8MqiVw/_new  2013-08-28 21:17:52.000000000 +0200
@@ -35,6 +35,8 @@
 Source5:        extract_signature.sh
 Source6:        attach_signature.sh
 Source7:        show_hash.sh
+Source8:        show_signatures.sh
+Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 # PATCH-FIX-SUSE shim-suse-build.patch [email protected] -- Adjust Makefile for 
the build service
 Patch0:         shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch [email protected] -- Fix a 
casting issue and the size of an empty vendor_cert or dbx_cert. 
@@ -91,6 +93,7 @@
 %build
 chmod +x "make-certs"
 
+cert2=''
 if test -e %{_sourcedir}/_projectcert.crt ; then
     prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout 
-subject_hash)
     prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout 
-issuer_hash)
@@ -99,6 +102,7 @@
     if test "$prjissuer" = "$opensusesubject" ; then
         suffix=opensuse
         cert=%{SOURCE2}
+        cert2=%{SOURCE9}
     fi
     if test "$prjissuer" = "$slessubject" ; then
         suffix=sles
@@ -116,10 +120,14 @@
 fi
 
 openssl x509 -in $cert -outform DER -out shim-$suffix.der
-# create empty local cert file, we don't need a local key pair as we
-# sign the mokmanager with our vendor key
-touch shim.crt
-touch shim.cer
+if [ -z "$cert2" ]; then
+       # create empty local cert file, we don't need a local key pair as we
+       # sign the mokmanager with our vendor key
+       touch shim.crt
+       touch shim.cer
+else
+       cp $cert2 shim.crt
+fi
 # make sure cast warnings don't trigger post build check
 make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 
2>/dev/null
 # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx

++++++ openSUSE-UEFI-CA-Certificate-4096.crt ++++++
-----BEGIN CERTIFICATE-----
MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq
hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8
YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN
z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh
O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/
w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf
RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM
ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx
ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg
i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i
EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH
CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg
4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ
DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79
aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg
Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w
ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y
Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu
Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/
phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD
dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0
nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD
eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c
sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO
Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3
BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG
A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI
xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp
4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL
-----END CERTIFICATE-----
++++++ show_signatures.sh ++++++
#!/bin/bash
# show signatures on a PE binary
set -e

infile="$1"

if [ -z "$infile" -o ! -e "$infile" ]; then
        echo "USAGE: $0 file.efi"
        exit 1
fi

nssdir=`mktemp -d`
cleanup()
{
        rm -r "$nssdir"
}
trap cleanup EXIT
echo > "$nssdir/pw"
certutil -f "$nssdir/pw" -d "$nssdir" -N

pesign -n "$nssdir" -S -i "$infile"
-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

commit shim for openSUSE:Factory

Reply via email to