Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2021-05-02 18:35:23 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.1947 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Sun May 2 18:35:23 2021 rev:94 rq:888995 version:15.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2021-04-10 15:26:29.766316259 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.1947/shim.changes 2021-05-02 18:35:40.793059319 +0200
@@ -1,0 +2,8 @@
+Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+ vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+ the size of MokListXRT (bsc#1185261)
+ + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+
+-------------------------------------------------------------------
New:
----
vendor-dbx-opensuse.bin
vendor-dbx-sles.bin
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.ytlyp9/_old 2021-05-02 18:35:41.493056336 +0200
+++ /var/tmp/diff_new_pack.ytlyp9/_new 2021-05-02 18:35:41.497056319 +0200
@@ -60,8 +60,10 @@
 Source12: signature-opensuse.aarch64.asc
 Source13: signature-sles.aarch64.asc
 Source50: dbx-cert.tar.xz
-# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
+# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51: vendor-dbx.bin
+Source52: vendor-dbx-sles.bin
+Source53: vendor-dbx-opensuse.bin
 Source99: SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch g...@suse.com -- Use the Arch-independent names
 Patch1: shim-arch-independent-names.patch
@@ -111,7 +113,6 @@
 %description -n shim-debugsource
 The source code of UEFI shim loader
-
 %prep
 %setup -q
 %patch1 -p1
@@ -165,6 +166,7 @@
 if test "$suffix" = "opensuse"; then
 cert=%{SOURCE2}
 verify='openSUSE Secure Boot CA1'
+ vendor_dbx=%{SOURCE53}
 %ifarch x86_64
 signature=%{SOURCE1}
 %else
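Review bot: The rewritten comment above `Source51` says every `vendor-dbx*.bin` comes from generate-vendor-dbx.sh, but the version of that script shipped in this same commit only writes `vendor-dbx-opensuse.bin` and `vendor-dbx-sles.bin`. `vendor-dbx.bin` stays in the package and is still what the `devel` branch selects (hunk at -187,6), so as far as this diff shows nothing regenerates it when a certificate is added to dbx-cert, and its revocation list can fall behind the two flavour files. Either keep producing the combined file in the script or say so here, e.g. `# vendor-dbx.bin (devel builds only) is not produced by generate-vendor-dbx.sh any more; update it by hand when dbx-cert changes`.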
@@ -176,6 +178,7 @@
 elif test "$suffix" = "sles"; then
 cert=%{SOURCE4}
 verify='SUSE Linux Enterprise Secure Boot CA1'
+ vendor_dbx=%{SOURCE52}
 %ifarch x86_64
 signature=%{SOURCE11}
 %else
@@ -187,6 +190,7 @@
 elif test "$suffix" = "devel"; then
 cert=%{_sourcedir}/_projectcert.crt
 verify=`openssl x509 -in "$cert" -noout -email`
+ vendor_dbx=%{SOURCE51}
 signature=''
 test -e "$cert" || continue
 else
@@ -198,7 +202,7 @@
 make RELEASE=0 SHIMSTEM=shim \
 VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
 DEFAULT_LOADER="\\\\\\\\grub.efi" \
- VENDOR_DBX_FILE=%{SOURCE51} \
+ VENDOR_DBX_FILE=$vendor_dbx \
 shim.efi.debug shim.efi
 #
 # assert correct certificate embedded
++++++ dbx-cert.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/dbx-cert/generate-vendor-dbx.sh new/dbx-cert/generate-vendor-dbx.sh
--- old/dbx-cert/generate-vendor-dbx.sh 2020-07-10 09:18:35.508195647 +0200
+++ new/dbx-cert/generate-vendor-dbx.sh 2021-04-28 11:21:35.387363178 +0200
@@ -3,16 +3,20 @@
 # This script goes through all .crt files in this directory and stores
 # them in EFI signature database format.
-OUTPUT=vendor-dbx.bin
+FLAVORS="openSUSE SLES"
-mkdir tmp
+for flavor in ${FLAVORS}; do
+ OUTPUT=vendor-dbx-$(echo ${flavor} | tr '[:upper:]' '[:lower:]').bin
-for cert in *.crt
-do
- BASENAME=`basename $cert .crt`
- openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der
- efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin
-done
+ mkdir tmp
+
+ for cert in ${flavor}-*.crt
+ do
+ BASENAME=`basename $cert .crt`
+ openssl x509 -in $cert -outform der -out tmp/${BASENAME}.der
+ efisiglist -a -c tmp/${BASENAME}.der -o tmp/${BASENAME}.bin
+ done
-cat tmp/*bin > $OUTPUT
-rm -rf tmp
+ cat tmp/*bin > $OUTPUT
+ rm -rf tmp
+done
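Review bot: `VENDOR_DBX_FILE=$vendor_dbx` is passed to make unquoted and without any check that the variable was set in this pass of the loop; the three added assignments cover `opensuse`, `sles` and `devel` (hunks at -165,6, -176,6 and -187,6), while the body of the final `else` branch lies outside the hunks. If any path reaches make with the variable empty or carried over from an earlier iteration, the build would presumably still succeed with no revocation list or the wrong one, and the check that follows is described only as asserting the embedded certificate. Guard it before the make call with `test -s "$vendor_dbx" || exit 1` and pass `VENDOR_DBX_FILE="$vendor_dbx" \`.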
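Review bot: Nothing in the new loop checks for failure, so a failed `openssl` or `efisiglist` call, or a flavour whose `${flavor}-*.crt` glob matches nothing, still ends in `cat tmp/*bin > $OUTPUT` and leaves a shorter or empty revocation list for the spec to embed. `mkdir tmp` is also unchecked: if a `tmp` directory is left over from an earlier run, its stale `.bin` files are concatenated into the new list. The rewrite below stops on the first error, uses a fresh `mktemp -d` directory per flavour, refuses an unmatched glob and quotes the expansions. The shebang and the first lines of the script are outside the hunk, so place `set -eu` directly after them.

```shell
set -eu  # abort on the first failed conversion instead of writing a short list

FLAVORS="openSUSE SLES"

for flavor in ${FLAVORS}; do
	OUTPUT=vendor-dbx-$(echo "${flavor}" | tr '[:upper:]' '[:lower:]').bin
	tmpdir=$(mktemp -d)

	for cert in "${flavor}"-*.crt
	do
		# an unmatched glob stays literal; fail rather than emit an empty list
		test -e "$cert" || { echo "no ${flavor}-*.crt found" >&2; exit 1; }
		BASENAME=$(basename "$cert" .crt)
		openssl x509 -in "$cert" -outform der -out "$tmpdir/${BASENAME}.der"
		efisiglist -a -c "$tmpdir/${BASENAME}.der" -o "$tmpdir/${BASENAME}.bin"
	done

	cat "$tmpdir"/*.bin > "$OUTPUT"
	rm -rf "$tmpdir"
done
```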