Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-08-30 11:49:18 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2013-08-28 21:17:52.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-08-30 11:49:19.000000000 +0200 @@ -1,0 +2,10 @@ +Wed Aug 28 15:54:38 UTC 2013 - [email protected] + +- always build a shim that embeds the distro's certificate (e.g. + shim-opensuse.efi). If the package is built in the devel project + additionally shim-devel.efi is created. That allows us to either + load grub2/kernel signed by the distro or signed by the devel + project, depending on use case. Also shim-$distro.efi from the + devel project can be used to request additional signatures. + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.VjIeva/_old 2013-08-30 11:49:20.000000000 +0200 +++ /var/tmp/diff_new_pack.VjIeva/_new 2013-08-30 11:49:20.000000000 +0200 @@ -93,75 +93,98 @@ %build chmod +x "make-certs" -cert2='' +# first, build MokManager and fallback as they don't depend on a +# specific certificate +make MokManager.efi fallback.efi 2>/dev/null + +# now build variants of shim that embed different certificates +default='' +suffixes=(opensuse sles) +# check whether the project cert is a known one. If it is we build +# just one shim that embeds this specific cert. If it's a devel +# project we build all variants to simplify testing. if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) if test "$prjissuer" = "$opensusesubject" ; then - suffix=opensuse + suffixes=(opensuse) + elif test "$prjissuer" = "$slessubject" ; then + suffixes=(sles) + elif test "$prjsubject" = "$prjissuer" ; then + suffixes=(devel opensuse sles) + fi +fi + +for suffix in "${suffixes[@]}"; do + if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} - fi - if test "$prjissuer" = "$slessubject" ; then - suffix=sles + elif test "$suffix" = "sles"; then cert=%{SOURCE4} - fi - if test "$prjsubject" = "$prjissuer" ; then - suffix=local + cert2='' + elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt + cert2='' + test -e "$cert" || continue + else + echo "invalid suffix" + false fi -fi -if test -z "$suffix" ; then - echo "cannot identify project, assuming openSUSE signing" - suffix=opensuse - cert=%{SOURCE2} -fi -openssl x509 -in $cert -outform DER -out shim-$suffix.der -if [ -z "$cert2" ]; then + openssl x509 -in $cert -outform DER -out shim-$suffix.der + if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key touch shim.crt touch shim.cer -else + else cp $cert2 shim.crt -fi -# make sure cast warnings don't trigger post build check -make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null -# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx -cp shim.efi shim-$suffix.efi -chmod 755 %{SOURCE6} %{SOURCE7} -# alternative: verify signature -#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi -head -1 %{SOURCE1} > hash1 -%{SOURCE7} shim.efi > hash2 -cat hash1 hash2 -if ! cmp -s hash1 hash2; then + rm -f shim.cer + fi + # make sure cast warnings don't trigger post build check + make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null + # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx + chmod 755 %{SOURCE6} %{SOURCE7} + # alternative: verify signature + #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi + head -1 %{SOURCE1} > hash1 + %{SOURCE7} shim.efi > hash2 + cat hash1 hash2 + if ! cmp -s hash1 hash2; then echo "ERROR: binary changed, need to request new signature!" # don't fail in devel projects prj="%{_project}" if [ "${prj%%:*}" = "openSUSE" ]; then false fi -fi -%{SOURCE6} %{SOURCE1} shim.efi + mv shim.efi shim-$suffix.efi + else + %{SOURCE6} %{SOURCE1} shim.efi + mv shim-signed.efi shim-$suffix.efi + rm -f shim.efi + fi + rm -f shim.cer shim.crt +done + +ln -s shim-${suffixes[0]}.efi shim.efi %install export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi' install -d %{buildroot}/%{_libdir}/efi -install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi +cp -a shim*.efi %{buildroot}/%{_libdir}/efi install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi -install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi install -d %{buildroot}/%{_sbindir} install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ # install SUSE certificate -CERT_NAME=$(openssl x509 -sha1 -fingerprint -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') install -d %{buildroot}/%{_sysconfdir}/uefi/certs/ -install -m 444 shim-*.der %{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt +for file in shim-*.der; do + fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g') + install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt +done %clean %{?buildroot:%__rm -rf "%{buildroot}"} -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
