Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Hey folks,

Please unblock package shim

I think we finally have a new shim package setup that's ready for
Buster, giving us a real chance of working Secure Boot with the
release. Apologies in advance, but this unblock is not a pretty one,
with a large set of changes. :-/ However, shim is clearly key to our
SB strategy for Debian. We've moved from a basically-unused amd64-only
shim package in Stretch and Buster so far (0.9+1474479173.6c180c6-1)
to something that will now provide a better working base for
us. Summary of changes:

1. We've moved to a new upstream (from 0.9+1474479173.6c180c6 to
   15+1533136590.3beb971). Upstream have been pushing us to make this
   change for a long time, and there are a lot of needed changes, both
   in security terms and for better architecture support. I'm not even
   attempting to attach a debdiff for this - it's ~200K lines.

2. As well as amd64, we're now also building shim for i386 and arm64,
   and we've submitted our binaries for signing by Microsoft for all
   three architectures. An important achievement in this process is
   that the new build is now 100% reproducible. \o/

3. We've significantly reworked the packaging setup for shim and
   shim-signed. The main part of this is to use Debian's binary
   signing service to manage the process of signing the helper
   binaries (mmXXX.efi and fbXXX.efi) so we're no longer using
   ephemeral keys for those in the shim build process. This helps for
   the reproducibility.

4. Along the way we've also renamed packages and re-arranged things
   for extra clarity and fixed quite a few bugs.

5. We've moved from a single maintainer to team maintenance for the
   shim packages.

Apologies for not getting this unblocked earlier, it's been quite a
ride in the last few months. :-/ We have done a lot of testing with
this code, just not yet directly in Buster.

I'm attaching a debdiff to show the small packaging changes *since*
the move to the new upstream shim release.

There will be a matching shim-signed unblock coming soon, as and when
we get our new shim binaries signed with the Microsoft key.

unblock shim/15+1533136590.3beb971-6

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru shim-15+1533136590.3beb971/debian/changelog 
shim-15+1533136590.3beb971/debian/changelog
--- shim-15+1533136590.3beb971/debian/changelog 2019-02-09 07:23:19.000000000 
+0000
+++ shim-15+1533136590.3beb971/debian/changelog 2019-03-23 18:19:13.000000000 
+0000
@@ -1,3 +1,73 @@
+shim (15+1533136590.3beb971-6) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
+    clashes with the old shim-signed package for fbx64.efi.signed and
+    mmx64.efi.signed. Closes: #924619
+
+  [ Helmut Grohne ]
+  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
+
+ -- Steve McIntyre <93...@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000
+
+shim (15+1533136590.3beb971-5) unstable; urgency=medium
+
+  [ Ansgar Burchardt ]
+  * Correct maintainer address in signing template
+
+  [ Steve McIntyre ]
+  * Remove Rules-Requires-Root in the signing template. We manually install
+    things owned by root. There might be better ways to do this, but this
+    will do for now.
+
+ -- Steve McIntyre <93...@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000
+
+shim (15+1533136590.3beb971-4) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * No-change sourceful upload to get rebuilds (and hence build logs) from
+    the buildds. Hoping to get this version signed by Microsoft, so let's
+    make our setup as clean as possible.
+
+ -- Steve McIntyre <93...@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000
+
+shim (15+1533136590.3beb971-3) unstable; urgency=medium
+
+  [ Philipp Hahn ]
+  * debian/rules: fixing permissions no longer required
+  * debian/rules: Disable ephemeral key on Debian.
+  * Rename binary package to 'shim-unsigned'
+  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
+
+  [ Luca Boccassi ]
+  * Override lintian error about template rules file.
+  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
+  * Add uname.patch to avoid embedding the kernel architecture in the
+    binary and to use a fixed string instead.
+
+  [ Steve McIntyre ]
+  * Change maintenance address to be the EFI team
+  * Add me and vorlon to the Uploaders list
+  * Rename the helper binary packages to shim-helpers-$arch.
+  * Update the signing-template JSON metadata to match new practice:
+    + Move all the data under a new top-level "packages" key
+    + Add an empty "trusted_certs" key - the helper binaries do not do any
+      further verification with an embedded key.
+
+ -- Steve McIntyre <93...@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000
+
+shim (15+1533136590.3beb971-2) unstable; urgency=medium
+
+  * Update debian/watch.
+  * Update VCS to point to salsa.
+  * Fix debian/rules syntax for arm64 build.
+  * Enable build for i386.
+  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
+  * Update Standards-Version.
+  * Update debian/copyright (drop reference to file no longer in source)
+
+ -- Steve Langasek <vor...@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000
+
 shim (15+1533136590.3beb971-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru shim-15+1533136590.3beb971/debian/control 
shim-15+1533136590.3beb971/debian/control
--- shim-15+1533136590.3beb971/debian/control   2019-02-09 07:11:25.000000000 
+0000
+++ shim-15+1533136590.3beb971/debian/control   2019-03-23 17:49:36.000000000 
+0000
@@ -1,17 +1,42 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Steve Langasek <vor...@debian.org>
-Standards-Version: 3.9.8
+Maintainer: Debian EFI team <debian-...@lists.debian.org>
+Uploaders: Steve Langasek <vor...@debian.org>, Steve McIntyre 
<93...@debian.org>
+Standards-Version: 4.3.0
 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, 
libelf-dev
-Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim
+Vcs-Browser: https://salsa.debian.org/vorlon/shim
+Vcs-Git: https://salsa.debian.org/vorlon/shim.git
 
-Package: shim
-Architecture: amd64 arm64
+Package: shim-unsigned
+Architecture: amd64 arm64 i386
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~),
 Description: boot loader to chain-load signed boot loaders under Secure Boot
  This package provides a minimalist boot loader which allows verifying
  signatures of other UEFI binaries against either the Secure Boot DB/DBX or
  against a built-in signature database.  Its purpose is to allow a small,
  infrequently-changing binary to be signed by the UEFI CA, while allowing
  an OS distributor to revision their main bootloader independently of the CA.
+
+Package: shim-helpers-amd64-signed-template
+Architecture: amd64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-amd64-signed.
+ This is only needed for Secure Boot signing.
+
+Package: shim-helpers-i386-signed-template
+Architecture: i386
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-i386-signed.
+ This is only needed for Secure Boot signing.
+
+Package: shim-helpers-arm64-signed-template
+Architecture: arm64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-arm64-signed.
+ This is only needed for Secure Boot signing.
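Review bot: On `shim-unsigned`, the `Conflicts: shim (<< 15+1533136590.3beb971-3~)` line is stronger than a rename needs; `Breaks:` together with the existing `Replaces:` lets dpkg take over the files without forcing the old package to be removed first. The `Package: shim` stanza is dropped with no transitional package, so a system that has the old `shim` installed is not pulled onto `shim-unsigned` on upgrade; either add a transitional stanza or state in the changelog that this is intended.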
diff -Nru shim-15+1533136590.3beb971/debian/copyright 
shim-15+1533136590.3beb971/debian/copyright
--- shim-15+1533136590.3beb971/debian/copyright 2019-02-09 07:05:30.000000000 
+0000
+++ shim-15+1533136590.3beb971/debian/copyright 2019-03-23 17:49:36.000000000 
+0000
@@ -162,7 +162,7 @@
 Copyright: 2007 KISA(Korea Information Security Agency)
 License: BSD-2-Clause
 
-Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Files: Cryptlib/OpenSSL/crypto/LPdir_nyi.c
 Copyright: 2004, Richard Levitte <rich...@levitte.org>
 License: BSD-2-Clause
 
diff -Nru shim-15+1533136590.3beb971/debian/patches/series 
shim-15+1533136590.3beb971/debian/patches/series
--- shim-15+1533136590.3beb971/debian/patches/series    2019-02-09 
07:01:41.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/patches/series    2019-03-23 
17:49:36.000000000 +0000
@@ -1 +1,2 @@
 fixup_git.patch
+uname.patch
diff -Nru shim-15+1533136590.3beb971/debian/patches/uname.patch 
shim-15+1533136590.3beb971/debian/patches/uname.patch
--- shim-15+1533136590.3beb971/debian/patches/uname.patch       1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/patches/uname.patch       2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1,32 @@
+Author: Luca Boccassi <bl...@debian.org>
+Description: Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
+ If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
+ user wants the build to be fully reproducible, so use a fixed string.
+ In case of a cross build, using uname -s -m -p -i o will still report
+ the host's kernel architecture, which will trip some CIs like
+ Debian's.
+Forwarded: https://github.com/rhboot/shim/pull/169
+--- a/Makefile
++++ b/Makefile
+@@ -46,6 +46,12 @@ ifneq ($(origin ENABLE_HTTPBOOT), undefined)
+       SOURCES += httpboot.c include/httpboot.h
+ endif
+ 
++ifeq ($(SOURCE_DATE_EPOCH),)
++      UNAME=$(shell uname -s -m -p -i -o)
++else
++      UNAME=buildhost
++endif
++
+ SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
+ MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
+ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
+@@ -66,7 +72,7 @@ shim_cert.h: shim.cer
+ 
+ version.c : $(TOPDIR)/version.c.in
+       sed     -e "s,@@VERSION@@,$(VERSION)," \
+-              -e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
++              -e "s,@@UNAME@@,$(UNAME)," \
+               -e "s,@@COMMIT@@,$(COMMIT_ID)," \
+               < $< > $@
+ 
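Review bot: The patch description says `uname -s -m -p -i o`, but the Makefile line being replaced calls `uname -s -m -p -i -o`; fix the missing dash so the description matches the code. With `ifeq ($(SOURCE_DATE_EPOCH),)` any non-empty value switches `@@UNAME@@` to the fixed string `buildhost`, so `version.c` no longer records where a binary was built; it is worth saying in the description that build provenance then has to come from the build logs.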
diff -Nru shim-15+1533136590.3beb971/debian/rules 
shim-15+1533136590.3beb971/debian/rules
--- shim-15+1533136590.3beb971/debian/rules     2019-02-09 07:01:16.000000000 
+0000
+++ shim-15+1533136590.3beb971/debian/rules     2019-03-23 18:19:13.000000000 
+0000
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f
 
+include /usr/share/dpkg/architecture.mk
+
 # Other vendors, add your certs here.  No sense in using
 # dpkg-vendor --derives-from, because only Canonical-generated binaries will
 # be signed with this key; so if you are building your own shim binary you
@@ -7,27 +9,33 @@
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
        cert=debian/canonical-uefi-ca.der
        distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
        cert=debian/debian-uefi-ca.der
        distributor=debian
 endif
 
+include /usr/share/dpkg/architecture.mk
+
 ifeq ($(DEB_HOST_ARCH),amd64)
 export EFI_ARCH := x64
-else ($(DEB_HOST_ARCH),arm64)
+endif
+ifeq ($(DEB_HOST_ARCH),arm64)
 export EFI_ARCH := aa64
 endif
+ifeq ($(DEB_HOST_ARCH),i386)
+export EFI_ARCH := ia32
+endif
 
-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
        RELEASE=15 \
        COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
        MAKELEVEL=0 \
        EFI_PATH=/usr/lib \
        ENABLE_HTTPBOOT=true \
-       ENABLE_SHIM_CERT=1 \
-       ENABLE_SBSIGN=1 \
        VENDOR_CERT_FILE=$(cert) \
        EFIDIR=$(distributor) \
+       CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
        $(NULL)
 
 %:
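Review bot: `include /usr/share/dpkg/architecture.mk` is added a second time after the vendor `endif`, although the previous hunk already adds it near the top of the file; drop one of the two. `ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1` now reach the build only through `COMMON_OPTIONS ?=` on the Ubuntu branch, so a `COMMON_OPTIONS` already present in the environment silently replaces them; a plain `=` there would make the Ubuntu build independent of the caller's environment.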
@@ -41,7 +49,4 @@
 
 override_dh_auto_install:
        dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
-
-override_dh_fixperms:
-       dh_fixperms
-       chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
+       ./debian/signing-template.generate
diff -Nru 
shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides
 
shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides
--- 
shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides
      1970-01-01 01:00:00.000000000 +0100
+++ 
shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides
      2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-amd64-signed-template: missing-dep-for-interpreter
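Review bot: The `missing-dep-for-interpreter` override is added with no comment saying why the tag can be ignored, and the same bare line is repeated in the arm64 and i386 override files that follow. Add a `#` comment above the tag in each file; per the changelog the flagged file is the template rules file, so say that and note that it is shipped as a template for the signing service.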
diff -Nru 
shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides
 
shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides
--- 
shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides
      1970-01-01 01:00:00.000000000 +0100
+++ 
shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides
      2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-arm64-signed-template: missing-dep-for-interpreter
diff -Nru 
shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides
 
shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides
--- 
shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides
       1970-01-01 01:00:00.000000000 +0100
+++ 
shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides
       2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-i386-signed-template: missing-dep-for-interpreter
diff -Nru shim-15+1533136590.3beb971/debian/shim-unsigned.install 
shim-15+1533136590.3beb971/debian/shim-unsigned.install
--- shim-15+1533136590.3beb971/debian/shim-unsigned.install     1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/shim-unsigned.install     2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1,4 @@
+/boot/efi/EFI/*/shim*.efi /usr/lib/shim
+/boot/efi/EFI/*/mm*.efi /usr/lib/shim
+/boot/efi/EFI/*/fb*.efi /usr/lib/shim
+/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff -Nru shim-15+1533136590.3beb971/debian/shim.install 
shim-15+1533136590.3beb971/debian/shim.install
--- shim-15+1533136590.3beb971/debian/shim.install      2019-02-09 
07:01:16.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/shim.install      1970-01-01 
01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-/boot/efi/EFI/*/shim*.efi /usr/lib/shim
-/boot/efi/EFI/*/mm*.efi /usr/lib/shim
-/boot/efi/EFI/*/fb*.efi /usr/lib/shim
-/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/README.source 
shim-15+1533136590.3beb971/debian/signing-template/README.source
--- shim-15+1533136590.3beb971/debian/signing-template/README.source    
1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/README.source    
2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package.  It should never be updated directly.
+
+ -- Philipp Matthias Hahn <pmh...@debian.org>  Sat, 07 Apr 2018 16:26:11 +0200
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/changelog.in 
shim-15+1533136590.3beb971/debian/signing-template/changelog.in
--- shim-15+1533136590.3beb971/debian/signing-template/changelog.in     
1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/changelog.in     
2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,11 @@
+shim-helpers-@arch@-signed (1+@version_mangled@) @distribution@; 
urgency=@urgency@
+
+  * Update to shim @version_binary@
+
+ -- Debian signing service <ftpmas...@debian.org>  @date@
+
+shim-helpers-@arch@-signed (1) unstable; urgency=medium
+
+  * Add template source package for signing
+
+ -- Philipp Matthias Hahn <pmh...@debian.org>  Sat, 07 Apr 2018 17:16:27 +0200
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/compat 
shim-15+1533136590.3beb971/debian/signing-template/compat
--- shim-15+1533136590.3beb971/debian/signing-template/compat   1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/compat   2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1 @@
+9
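Review bot: The template's `compat` is 9, while `debian/signing-template/control.in` in this same diff has `Build-Depends: debhelper (>= 10.1~)`. Make the two agree: either lower the build dependency to `debhelper (>= 9)` as in the main `debian/control`, or raise the compat level to match.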
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/control.in 
shim-15+1533136590.3beb971/debian/signing-template/control.in
--- shim-15+1533136590.3beb971/debian/signing-template/control.in       
1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/control.in       
2019-03-23 18:19:13.000000000 +0000
@@ -0,0 +1,25 @@
+Source: shim-helpers-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Debian EFI team <debian-...@lists.debian.org>
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 10.1~),
+ sbsigntool [amd64 arm64 i386],
+ shim-unsigned (= @version_binary@),
+
+Package: shim-helpers-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~), shim-signed (<< 1.29),
+Breaks: shim-signed (<< 1.29),
+Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the MOK manager and fall-back manager signed by the
+ Debian UEFI CA to be used by shim-signed.
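Review bot: The -6 changelog entry says it adds `Provides:` and `Breaks:` to `shim-helpers-$arch-signed`, but the binary stanza here has `Conflicts:`, `Replaces:` and `Breaks:` and no `Provides:` line; either add the field or correct the changelog entry. The long description is copied from `shim-unsigned` and opens with "This package provides a minimalist boot loader", while its last paragraph says the package holds only the MOK manager and fall-back manager; lead with what the package actually ships.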
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/copyright 
shim-15+1533136590.3beb971/debian/signing-template/copyright
--- shim-15+1533136590.3beb971/debian/signing-template/copyright        
1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/copyright        
2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This file describes only the shim-helpers-signed-* source package.
+
+Files: debian/signatures/*
+License: public-domain
+ Digital signatures and certificates are presumed not to be
+ copyrightable works, and no copyright is claimed for them.
+Comment:
+ The signatures and certificates in this package cannot be regenerated
+ as-is without the associated private key material, but they can be
+ replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmh...@debian.org>
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmh...@debian.org>
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
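Review bot: The `Files: debian/*` stanza comes after `Files: debian/signatures/*` and `Files: debian/rules`, and in copyright-format 1.0 the last matching stanza applies, so as written the wildcard overrides both and they end up under GPL-2+. Move `Files: debian/*` above the two specific stanzas so that `debian/rules` stays GPL-2 and the signatures stay public-domain as intended.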
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/rules 
shim-15+1533136590.3beb971/debian/signing-template/rules
--- shim-15+1533136590.3beb971/debian/signing-template/rules    1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/rules    2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/shim-unsigned
+
+%:
+       dh $@
+
+override_dh_auto_install:
+       set -e ; \
+       find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+       while read sig; do \
+               install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+               install -o 0 -g 0 -m 0644 "/$${sig%.sig}" 
"debian/tmp/$${sig}ned" ; \
+               sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+       done
+
+override_dh_install:
+       dh_install --sourcedir=debian/tmp .
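Review bot: In `override_dh_auto_install` nothing checks the result of `sbattach --attach`: the unsigned binary is copied from `/$${sig%.sig}` on the build system and the detached signature is attached to it, with no verification that the signature covers that exact file. Run `sbverify --cert` with the Debian UEFI CA certificate on each `debian/tmp/$${sig}ned` after attaching, so that a stale or mismatched signature fails the build. The `find ... | while read sig` pipeline also hides a `find` failure and produces an empty package when `$(SIG_DIR)` has no `*.sig` files; fail if no signature was processed, and use `read -r`.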
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/source/format 
shim-15+1533136590.3beb971/debian/signing-template/source/format
--- shim-15+1533136590.3beb971/debian/signing-template/source/format    
1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/source/format    
2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+3.0 (native)
diff -Nru shim-15+1533136590.3beb971/debian/signing-template.generate 
shim-15+1533136590.3beb971/debian/signing-template.generate
--- shim-15+1533136590.3beb971/debian/signing-template.generate 1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template.generate 2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e -u
+
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+
+subst () {
+       sed \
+               -e "s/@efi@/${EFI_ARCH}/g" \
+               -e "s/@arch@/${DEB_HOST_ARCH}/g" \
+               -e "s/@version_binary@/${version_binary}/g" \
+               -e "s/@version_mangled@/${version_mangled}/g" \
+               -e "s/@distribution@/${distribution}/g" \
+               -e "s/@urgency@/${urgency}/g" \
+               -e "s/@date@/${date}/g" \
+               "$@"
+}
+
+template='./debian/signing-template'
+pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template"
+pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
+pkg_deb="${pkg_dir}/source-template/debian"
+
+install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+       src="${template}/${path}"
+       dst="${pkg_deb}/${path}"
+
+       install -o 0 -g 0 -m 0755 -d "${dst%/*}"
+       subst < "${src}" > "${dst%.in}"
+       chmod --reference="${src}" "${dst%.in}"
+done
+
+exit 0
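Review bot: `subst` pastes the `dpkg-parsechangelog` fields unescaped into `sed` replacement text with `/` as the delimiter, so a `/`, `&` or backslash in any field corrupts the generated files or breaks the expression; escape the values or validate them before use. `EFI_ARCH` and `DEB_HOST_ARCH` are read from the environment under `set -u`, and the `debian/rules` hunk only shows an explicit `export` for `EFI_ARCH`, so confirm `DEB_HOST_ARCH` is exported when `debian/rules` is run directly. The `find ... | while read path` loop should use `read -r`, and the `install -o 0 -g 0` calls need root or fakeroot.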
diff -Nru shim-15+1533136590.3beb971/debian/signing-template.json.in 
shim-15+1533136590.3beb971/debian/signing-template.json.in
--- shim-15+1533136590.3beb971/debian/signing-template.json.in  1970-01-01 
01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template.json.in  2019-03-23 
17:49:36.000000000 +0000
@@ -0,0 +1,11 @@
+{
+  "packages": {
+    "shim-unsigned": {
+      "trusted_certs": [],
+      "files": [
+        {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
+        {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
+      ]
+    }
+  }
+}
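Review bot: `"trusted_certs": []` has its rationale only in the changelog (the helper binaries do no further verification with an embedded key); JSON cannot carry a comment, so record that in `debian/signing-template/README.source` so the empty list is not later taken for an omission. The two `file` entries also have to keep matching the `mm*.efi` and `fb*.efi` lines in `debian/shim-unsigned.install`, since nothing in the visible build steps checks that the listed paths exist.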
diff -Nru shim-15+1533136590.3beb971/debian/watch 
shim-15+1533136590.3beb971/debian/watch
--- shim-15+1533136590.3beb971/debian/watch     2016-10-13 06:48:33.000000000 
+0100
+++ shim-15+1533136590.3beb971/debian/watch     2019-03-23 17:49:36.000000000 
+0000
@@ -2,4 +2,4 @@
 version=4
 
 
opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/"
 \
-  https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz
+  https://github.com/rhboot/shim/releases .*/v?(\d\S*)\.tar\.gz
