Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-04-17 11:22:51 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.17052 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Wed Apr 17 11:22:51 2019 rev:75 rq:694231 version:15+git47 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2019-04-15 11:51:58.094534824 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.17052/shim.changes 2019-04-17 11:23:12.490408484 +0200 @@ -1,0 +2,6 @@ +Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin <[email protected]> + +- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary + (bsc#1113225) + +------------------------------------------------------------------- New: ---- shim-opensuse-signed.efi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.jhMpX4/_old 2019-04-17 11:23:13.882410121 +0200 +++ /var/tmp/diff_new_pack.jhMpX4/_new 2019-04-17 11:23:13.886410126 +0200 @@ -59,6 +59,8 @@ Source11: signature-sles.x86_64.asc Source12: signature-opensuse.aarch64.asc Source13: signature-sles.aarch64.asc +# bsc#1113225 the shim-15+git47 binary for opensuse +Source20: shim-opensuse-signed.efi Source99: SIGNATURE_UPDATE.txt # PATCH-FIX-SUSE shim-arch-independent-names.patch [email protected] -- Use the Arch-independent names Patch1: shim-arch-independent-names.patch @@ -120,6 +122,12 @@ %endif %build +# copy the shim binary to "signed" dir +# NOTE: this is the last resort and we should remove the binary +# once we can build shim.efi properly +mkdir signed +cp %{SOURCE20} signed + # first, build MokManager and fallback as they don't depend on a # specific certificate make EFI_PATH=/usr/lib64 RELEASE=0 \ @@ -177,6 +185,7 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der + # option for dbx: VENDOR_DBX_FILE=dbx make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ DEFAULT_LOADER="\\\\\\\\grub.efi" \ 
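Review bot: In the `%build` hunk of shim.spec, `cp %{SOURCE20} signed` runs on every architecture, although the signature sources listed just above are arch-qualified (`signature-sles.x86_64.asc`, `signature-opensuse.aarch64.asc`). If the package is still built for aarch64, the later `test -f signed/shim-$suffix-signed.efi` would also succeed there, and a binary built for a different architecture would replace the local build. Consider restricting the copy to the binary's own architecture, for example by wrapping the two lines in `%ifarch x86_64` … `%endif` if that is its architecture (the page does not say), or by naming the source with its architecture as the `.asc` files do. The `NOTE` comment could also record where the binary came from (build, source revision, signer), so the exception can be audited and later removed.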
@@ -184,15 +193,19 @@ # # assert correct certificate embedded grep -q "$verify" shim.efi - # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE9} + + # copy the shim binary directly + if test -f signed/shim-$suffix-signed.efi; then + rm -f shim.efi + mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - if test -n "$signature"; then + elif test -n "$signature"; then head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that + chmod 755 %{SOURCE9} %{SOURCE9} --set-from-file "$signature" shim.efi pesign -h -P -i shim.efi > hash2 cat hash1 hash2
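Review bot: The new `if test -f signed/shim-$suffix-signed.efi` branch packages the prebuilt binary without any check on it. The `grep -q "$verify" shim.efi` assertion above ran against the locally built file, which is then removed, and the hash comparison in the `elif` branch is skipped for this case. Repeat the certificate assertion on the file that is actually shipped, `grep -q "$verify" signed/shim-$suffix-signed.efi`, before the `rm -f shim.efi`, and consider enabling the commented `sbverify --cert …` line so that a swapped or unsigned `Source20` fails the build instead of reaching the ESP. The `# alternative: verify signature` comment now sits inside the new branch and reads as if verification happens there, so it should be moved above the `if` or reworded. The enclosing block starts and ends outside this hunk.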
