On Sat, Jan 12, 2019 at 12:58:52PM +0000, Steve McIntyre wrote:
> NB: Ubuntu doesn't have the depends/recommends here, so I can only
> assume that some other method is used to ensure that shim-signed is
> installed there. I asked Steve Langasek about this, but I've not had
> an answer yet.

I guess I can see the argument about having a recommendation here, since
GRUB does make use of shim if it's installed.

Ubuntu instead does this with a grub-installer change that explicitly
installs both grub-efi-amd64-signed and shim-signed in the amd64/efi
case.  What do you think about going with that instead, or maybe in
addition to your approach?  Unpicking the patch I think it's something
like this:

diff --git a/grub-installer b/grub-installer
index 04016fb7..7fbcf7ee 100755
--- a/grub-installer
+++ b/grub-installer
@@ -346,7 +346,7 @@ case $ARCH in
                if [ -f /sys/firmware/efi/fw_platform_size ] ; then
                        SIZE=$(cat /sys/firmware/efi/fw_platform_size)
                        if [ $SIZE -eq 64 ] ; then
-                               grub_package="grub-efi-amd64"
+                               grub_package="grub-efi-amd64-signed"
                        elif [ $SIZE -eq 32 ] ; then
                                grub_package="grub-efi-ia32"
                        fi
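Review bot: The 64-bit branch now hard-codes `grub_package="grub-efi-amd64-signed"` with no fallback, so every 64-bit UEFI install on this architecture depends on the signed package being installable from whatever source the installer is using. Consider keeping `grub-efi-amd64` as a fallback when the signed package is unavailable, and add a short comment here explaining why the signed variant is preferred, since the rest of the script now has to treat the new name specially.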
@@ -484,14 +484,17 @@ db_progress INFO grub-installer/progress/step_install
 # to grub legacy, or vice-versa
 case "$grub_package" in
     grub)
-       log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+       log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32
        ;;
     grub-pc)
-       log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
-    ;;
-    grub-efi*)
+       log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed 
grub-efi-ia32-bin grub-efi-ia32
+       ;;
+    grub-efi-amd64-signed)
        log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-pc-bin grub-pc
-    ;;
+       ;;
+    grub-efi*)
+       log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy 
grub-pc-bin grub-pc grub-efi-amd64-signed
+       ;;
 esac
 
 exit_code=0
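Review bot: None of the purge lists in this case statement mention shim-signed, although the last hunk installs it alongside any `*-signed` package, so the `grub)`, `grub-pc)` and `grub-efi*)` arms remove grub-efi-amd64-signed but leave shim-signed behind. Please either add it to those `dpkg -P` lists or note in a comment that leaving it is intentional. The new `grub-efi-amd64-signed)` arm also only works because it sits before the `grub-efi*)` glob; a one-line comment about that ordering would stop someone from reordering the arms later. The re-indentation of the `;;` lines is unrelated whitespace churn and would be easier to review as a separate change.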
@@ -507,6 +510,11 @@ case "$grub_package" in
    *)
        # Will pull in os-prober based on global setting for Recommends
        apt-install $grub_package || exit_code=$? 
+       case $grub_package in
+           *-signed)
+               apt-install shim-signed || true
+               ;;
+       esac
        ;;
 esac
 
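Review bot: `apt-install shim-signed || true` in the new `*-signed)` arm discards the failure completely: `exit_code` is left untouched and nothing is logged, so an install that ends up with signed GRUB but no shim looks identical to a successful one. If the failure should be non-fatal, at least record it (a warning through the existing logging would do) so that a system that later fails to boot under Secure Boot can be traced back to this step. The inner case also runs when the preceding `apt-install $grub_package` has already failed and set `exit_code`; checking that first would avoid pulling in shim-signed for a bootloader package that was never installed.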

-- 
Colin Watson                                       [cjwat...@debian.org]
