Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2013-03-01 10:55:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim", Maintainer is "GLin@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2013-02-23 16:45:51.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2013-03-01 10:55:10.000000000 +0100
@@ -1,0 +2,11 @@
+Thu Feb 28 08:57:48 UTC 2013 - lnussel@suse.de
+
+- sign shim also with openSUSE certificate
+
+-------------------------------------------------------------------
+Wed Feb 27 15:52:53 CET 2013 - mls@suse.de
+
+- identify project, export certificate as DER file
+- don't create an unused extra keypair
+
+-------------------------------------------------------------------
New:
----
 SLES-UEFI-CA-Certificate.crt
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.jeFSgE/_old 2013-03-01 10:55:11.000000000 +0100
+++ /var/tmp/diff_new_pack.jeFSgE/_new 2013-03-01 10:55:11.000000000 +0100
@@ -32,6 +32,7 @@
 Source1: shim-signed.efi
 Source2: openSUSE-UEFI-CA-Certificate.crt
 Source3: shim-install
+Source4: SLES-UEFI-CA-Certificate.crt
 # PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch0: shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
@@ -89,16 +90,46 @@
 %build
 chmod +x "make-certs"
-openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der
+
+if test -e %{_sourcedir}/_projectcert.crt ; then
+ prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
+ prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
+ opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
+ slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
+ if test "$prjissuer" = "$opensusesubject" ; then
+ suffix=opensuse
+ cert=%{SOURCE2}
+ fi
+ if test "$prjissuer" = "$slessubject" ; then
+ suffix=sles
+ cert=%{SOURCE4}
+ fi
+ if test "$prjsubject" = "$prjissuer" ; then
+ suffix=local
+ cert=%{_sourcedir}/_projectcert.crt
+ fi
+fi
+if test -z "$suffix" ; then
+ echo "cannot identify project, assuming openSUSE signing"
+ suffix=opensuse
+ cert=%{SOURCE2}
+fi
+
+openssl x509 -in $cert -outform DER -out shim-$suffix.der
+# create empty local cert file, we don't need a local key pair as we
+# sign the mokmanager with our vendor key
+touch shim.crt
+touch shim.cer
 # make sure cast warnings don't trigger post build check
-make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null
+make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi 2>/dev/null
 # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-mv shim.efi shim-opensuse.efi
+mv shim.efi shim-$suffix.efi
 %install
-export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi'
+export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi'
 install -d %{buildroot}/%{_libdir}/efi
-install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
 # FIXME: install signed shim here
 install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi
 install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
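Review bot: The new `%build` logic picks the CA to embed by comparing name hashes only (`-issuer_hash` of `_projectcert.crt` against `-subject_hash` of `%{SOURCE2}` / `%{SOURCE4}`), which shows that the names match but not that the project certificate was actually issued by that CA. A signature check such as `openssl verify -CAfile %{SOURCE2} %{_sourcedir}/_projectcert.crt` before setting `suffix=opensuse` (and the same with `%{SOURCE4}` for `sles`) would tie the choice to the CA key rather than to its name. The `assuming openSUSE signing` fallback also runs when `_projectcert.crt` exists but matches none of the three cases, so an unrecognised signer yields a `shim-opensuse` artifact instead of a failed build; an `exit 1` for that case would make the mismatch visible. Separately, `suffix` and `cert` are never cleared before the tests and are expanded unquoted, so starting with `suffix= cert=` and using `-in "$cert"` keeps an inherited environment value or a path containing spaces from steering which certificate ends up as `VENDOR_CERT_FILE`.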
@@ -113,7 +144,8 @@
 %doc COPYRIGHT
 %dir %{_libdir}/efi
 %{_libdir}/efi/shim.efi
-%{_libdir}/efi/shim-opensuse.efi
+%{_libdir}/efi/shim-*.efi
+%{_libdir}/efi/shim-*.der
 %{_libdir}/efi/MokManager.efi
 %{_sbindir}/shim-install
++++++ SLES-UEFI-CA-Certificate.crt ++++++
-----BEGIN CERTIFICATE-----
MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
-----END CERTIFICATE-----
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org