Hello community,
here is the log from the commit of package shim for openSUSE:Factory checked in at 2019-04-17 11:22:51
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/shim (Old)
and /work/SRC/openSUSE:Factory/.shim.new.17052 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim"
Wed Apr 17 11:22:51 2019 rev:75 rq:694231 version:15+git47
Changes:
--------
--- /work/SRC/openSUSE:Factory/shim/shim.changes 2019-04-15 11:51:58.094534824 +0200
+++ /work/SRC/openSUSE:Factory/.shim.new.17052/shim.changes 2019-04-17 11:23:12.490408484 +0200
@@ -1,0 +2,6 @@
+Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin
+
+- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
+ (bsc#1113225)
+
+-------------------------------------------------------------------
New:
----
shim-opensuse-signed.efi
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ shim.spec ++++++
--- /var/tmp/diff_new_pack.jhMpX4/_old 2019-04-17 11:23:13.882410121 +0200
+++ /var/tmp/diff_new_pack.jhMpX4/_new 2019-04-17 11:23:13.886410126 +0200
@@ -59,6 +59,8 @@
Source11: signature-sles.x86_64.asc
Source12: signature-opensuse.aarch64.asc
Source13: signature-sles.aarch64.asc
+# bsc#1113225 the shim-15+git47 binary for opensuse
+Source20: shim-opensuse-signed.efi
Source99: SIGNATURE_UPDATE.txt
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch1: shim-arch-independent-names.patch
@@ -120,6 +122,12 @@
%endif
%build
+# copy the shim binary to "signed" dir
+# NOTE: this is the last resort and we should remove the binary
+# once we can build shim.efi properly
+mkdir signed
+cp %{SOURCE20} signed
+
# first, build MokManager and fallback as they don't depend on a
# specific certificate
make EFI_PATH=/usr/lib64 RELEASE=0 \
@@ -177,6 +185,7 @@
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
+ # option for dbx: VENDOR_DBX_FILE=dbx
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
@@ -184,15 +193,19 @@
#
# assert correct certificate embedded
grep -q "$verify" shim.efi
- # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
- chmod 755 %{SOURCE9}
+
+ # copy the shim binary directly
+ if test -f signed/shim-$suffix-signed.efi; then
+ rm -f shim.efi
+ mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi
# alternative: verify signature
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
- if test -n "$signature"; then
+ elif test -n "$signature"; then
head -1 "$signature" > hash1
cp shim.efi shim.efi.bak
# pe header contains timestamp and checksum. we need to
# restore that
+ chmod 755 %{SOURCE9}
%{SOURCE9} --set-from-file "$signature" shim.efi
pesign -h -P -i shim.efi > hash2
cat hash1 hash2