
Bug#925372: unblock: shim/15+1533136590.3beb971-6
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Hey folks,

Please unblock package shim

I think we finally have a new shim package setup that's ready for
Buster, giving us a real chance of working Secure Boot with the
release. Apologies in advance, but this unblock is not a pretty one,
with a large set of changes. :-/ However, shim is clearly key to our
SB strategy for Debian. We've moved from a basically-unused amd64-only
shim package in Stretch and Buster so far (0.9+1474479173.6c180c6-1)
to something that will now provide a better working base for
us. Summary of changes:

1. We've moved to a new upstream (from 0.9+1474479173.6c180c6 to
   15+1533136590.3beb971). Upstream have been pushing us to make this
   change for a long time, and there are a lot of needed changes, both
   in security terms and for better architecture support. I'm not even
   attempting to attach a debdiff for this - it's ~200K lines.

2. As well as amd64, we're now also building shim for i386 and arm64,
   and we've submitted our binaries for signing by Microsoft for all
   three architectures. An important achievement in this process is
   that the new build is now 100% reproducible. \o/

3. We've significantly reworked the packaging setup for shim and
   shim-signed. The main part of this is to use Debian's binary
   signing service to manage the process of signing the helper
   binaries (mmXXX.efi and fbXXX.efi) so we're no longer using
   ephemeral keys for those in the shim build process. This helps for
   the reproducibility.

4. Along the way we've also renamed packages and re-arranged things
   for extra clarity and fixed quite a few bugs.

5. We've moved from a single maintainer to team maintenance for the
   shim packages.

Apologies for not getting this unblocked earlier; it's been quite a
ride in the last few months. :-/ We have done a lot of testing with
this code, just not yet directly in Buster.

I'm attaching a debdiff to show the small packaging changes *since*
the move to the new upstream shim release.

There will be a matching shim-signed unblock coming soon, as and when
we get our new shim binaries signed with the Microsoft key.

unblock shim/15+1533136590.3beb971-6

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru shim-15+1533136590.3beb971/debian/changelog shim-15+1533136590.3beb971/debian/changelog
--- shim-15+1533136590.3beb971/debian/changelog	2019-02-09 07:23:19.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/changelog	2019-03-23 18:19:13.000000000 +0000
@@ -1,3 +1,73 @@
+shim (15+1533136590.3beb971-6) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Add Provides: and Breaks: to shim-helpers-$arch-signed to fix
+    clashes with the old shim-signed package for fbx64.efi.signed and
+    mmx64.efi.signed. Closes: #924619
+
+  [ Helmut Grohne ]
+  * Fix FTCBFS: Set CROSS_COMPILE. (Closes: #922152)
+
+ -- Steve McIntyre <93sam@debian.org>  Sat, 23 Mar 2019 18:19:13 +0000
+
+shim (15+1533136590.3beb971-5) unstable; urgency=medium
+
+  [ Ansgar Burchardt ]
+  * Correct maintainer address in signing template
+
+  [ Steve McIntyre ]
+  * Remove Rules-Requires-Root in the signing template. We manually install
+    things owned by root. There might be better ways to do this, but this
+    will do for now.
+
+ -- Steve McIntyre <93sam@debian.org>  Tue, 12 Mar 2019 01:38:19 +0000
+
+shim (15+1533136590.3beb971-4) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * No-change sourceful upload to get rebuilds (and hence build logs) from
+    the buildds. Hoping to get this version signed by Microsoft, so let's
+    make our setup as clean as possible.
+
+ -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 22:24:23 +0000
+
+shim (15+1533136590.3beb971-3) unstable; urgency=medium
+
+  [ Philipp Hahn ]
+  * debian/rules: fixing permissions no longer required
+  * debian/rules: Disable ephemeral key on Debian.
+  * Rename binary package to 'shim-unsigned'
+  * Add template for signing {mm,fb}$ARCH.efi. (Closes: #922228)
+
+  [ Luca Boccassi ]
+  * Override lintian error about template rules file.
+  * Include /usr/share/dpkg/architecture.mk instead of shelling out.
+  * Add uname.patch to avoid embedding the kernel architecture in the
+    binary and to use a fixed string instead.
+
+  [ Steve McIntyre ]
+  * Change maintenance address to be the EFI team
+  * Add me and vorlon to the Uploaders list
+  * Rename the helper binary packages to shim-helpers-$arch.
+  * Update the signing-template JSON metadata to match new practice:
+    + Move all the data under a new top-level "packages" key
+    + Add an empty "trusted_certs" key - the helper binaries do not do any
+      further verification with an embedded key.
+
+ -- Steve McIntyre <93sam@debian.org>  Fri, 08 Mar 2019 21:59:43 +0000
+
+shim (15+1533136590.3beb971-2) unstable; urgency=medium
+
+  * Update debian/watch.
+  * Update VCS to point to salsa.
+  * Fix debian/rules syntax for arm64 build.
+  * Enable build for i386.
+  * Ensure DEB_HOST_ARCH is set even if not present in the environment.
+  * Update Standards-Version.
+  * Update debian/copyright (drop reference to file no longer in source)
+
+ -- Steve Langasek <vorlon@debian.org>  Mon, 11 Feb 2019 05:18:18 +0000
+
 shim (15+1533136590.3beb971-1) unstable; urgency=medium
 
   * New upstream release.
diff -Nru shim-15+1533136590.3beb971/debian/control shim-15+1533136590.3beb971/debian/control
--- shim-15+1533136590.3beb971/debian/control	2019-02-09 07:11:25.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/control	2019-03-23 17:49:36.000000000 +0000
@@ -1,17 +1,42 @@
 Source: shim
 Section: admin
 Priority: optional
-Maintainer: Steve Langasek <vorlon@debian.org>
-Standards-Version: 3.9.8
+Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Uploaders: Steve Langasek <vorlon@debian.org>, Steve McIntyre <93sam@debian.org>
+Standards-Version: 4.3.0
 Build-Depends: debhelper (>= 9), gnu-efi (>= 3.0u), sbsigntool, openssl, libelf-dev
-Vcs-Git: https://git.launchpad.net/~ubuntu-core-dev/shim/+git/shim
+Vcs-Browser: https://salsa.debian.org/vorlon/shim
+Vcs-Git: https://salsa.debian.org/vorlon/shim.git
 
-Package: shim
-Architecture: amd64 arm64
+Package: shim-unsigned
+Architecture: amd64 arm64 i386
 Depends: ${shlibs:Depends}, ${misc:Depends}
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~),
 Description: boot loader to chain-load signed boot loaders under Secure Boot
  This package provides a minimalist boot loader which allows verifying
  signatures of other UEFI binaries against either the Secure Boot DB/DBX or
  against a built-in signature database.  Its purpose is to allow a small,
  infrequently-changing binary to be signed by the UEFI CA, while allowing
  an OS distributor to revision their main bootloader independently of the CA.
+
+Package: shim-helpers-amd64-signed-template
+Architecture: amd64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-amd64-signed.
+ This is only needed for Secure Boot signing.
+
+Package: shim-helpers-i386-signed-template
+Architecture: i386
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-i386-signed.
+ This is only needed for Secure Boot signing.
+
+Package: shim-helpers-arm64-signed-template
+Architecture: arm64
+Depends: ${misc:Depends},
+Description: boot loader to chain-load signed boot loaders (signing template)
+ This package contains template files for shim-helpers-arm64-signed.
+ This is only needed for Secure Boot signing.
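Review bot: the Vcs-Browser/Vcs-Git fields in this hunk still point at a personal namespace (https://salsa.debian.org/vorlon/shim) while Maintainer moves to the Debian EFI team; for team maintenance the repository should live under a team namespace, or the control file should say why it does not. Minor: the three shim-helpers-*-signed-template stanzas differ only in the architecture name, so a comment noting that they must be kept in sync with debian/signing-template.generate (which derives the package name from DEB_HOST_ARCH) would save a future mismatch.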
diff -Nru shim-15+1533136590.3beb971/debian/copyright shim-15+1533136590.3beb971/debian/copyright
--- shim-15+1533136590.3beb971/debian/copyright	2019-02-09 07:05:30.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/copyright	2019-03-23 17:49:36.000000000 +0000
@@ -162,7 +162,7 @@
 Copyright: 2007 KISA(Korea Information Security Agency)
 License: BSD-2-Clause
 
-Files: Cryptlib/OpenSSL/crypto/o_dir.h Cryptlib/OpenSSL/crypto/LPdir_nyi.c
+Files: Cryptlib/OpenSSL/crypto/LPdir_nyi.c
 Copyright: 2004, Richard Levitte <richard@levitte.org>
 License: BSD-2-Clause
 
diff -Nru shim-15+1533136590.3beb971/debian/patches/series shim-15+1533136590.3beb971/debian/patches/series
--- shim-15+1533136590.3beb971/debian/patches/series	2019-02-09 07:01:41.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/patches/series	2019-03-23 17:49:36.000000000 +0000
@@ -1 +1,2 @@
 fixup_git.patch
+uname.patch
diff -Nru shim-15+1533136590.3beb971/debian/patches/uname.patch shim-15+1533136590.3beb971/debian/patches/uname.patch
--- shim-15+1533136590.3beb971/debian/patches/uname.patch	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/patches/uname.patch	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,32 @@
+Author: Luca Boccassi <bluca@debian.org>
+Description: Makefile: use fixed build host if SOURCE_DATE_EPOCH is defined
+ If SOURCE_DATE_EPOCH is defined then we can be reasonably sure the
+ user wants the build to be fully reproducible, so use a fixed string.
+ In case of a cross build, using uname -s -m -p -i o will still report
+ the host's kernel architecture, which will trip some CIs like
+ Debian's.
+Forwarded: https://github.com/rhboot/shim/pull/169
+--- a/Makefile
++++ b/Makefile
+@@ -46,6 +46,12 @@ ifneq ($(origin ENABLE_HTTPBOOT), undefined)
+ 	SOURCES += httpboot.c include/httpboot.h
+ endif
+ 
++ifeq ($(SOURCE_DATE_EPOCH),)
++	UNAME=$(shell uname -s -m -p -i -o)
++else
++	UNAME=buildhost
++endif
++
+ SOURCES = $(foreach source,$(ORIG_SOURCES),$(TOPDIR)/$(source)) version.c
+ MOK_SOURCES = $(foreach source,$(ORIG_MOK_SOURCES),$(TOPDIR)/$(source))
+ FALLBACK_SRCS = $(foreach source,$(ORIG_FALLBACK_SRCS),$(TOPDIR)/$(source))
+@@ -66,7 +72,7 @@ shim_cert.h: shim.cer
+ 
+ version.c : $(TOPDIR)/version.c.in
+ 	sed	-e "s,@@VERSION@@,$(VERSION)," \
+-		-e "s,@@UNAME@@,$(shell uname -s -m -p -i -o)," \
++		-e "s,@@UNAME@@,$(UNAME)," \
+ 		-e "s,@@COMMIT@@,$(COMMIT_ID)," \
+ 		< $< > $@
+ 
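Review bot: the Description in the DEP-3 header reads `uname -s -m -p -i o`, missing the dash on `-o`; the Makefile lines use `-o`, so fix the header to match. Also, `ifeq ($(SOURCE_DATE_EPOCH),)` treats a defined-but-empty SOURCE_DATE_EPOCH as unset, whereas the description says "if SOURCE_DATE_EPOCH is defined"; either wording or test should be aligned. The change itself is the right call for reproducibility: embedding the build host's uname output in version.c made the binary differ between buildds and cross builds.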
diff -Nru shim-15+1533136590.3beb971/debian/rules shim-15+1533136590.3beb971/debian/rules
--- shim-15+1533136590.3beb971/debian/rules	2019-02-09 07:01:16.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/rules	2019-03-23 18:19:13.000000000 +0000
@@ -1,5 +1,7 @@
 #!/usr/bin/make -f
 
+include /usr/share/dpkg/architecture.mk
+
 # Other vendors, add your certs here.  No sense in using
 # dpkg-vendor --derives-from, because only Canonical-generated binaries will
 # be signed with this key; so if you are building your own shim binary you
@@ -7,27 +9,33 @@
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 	cert=debian/canonical-uefi-ca.der
 	distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
 	cert=debian/debian-uefi-ca.der
 	distributor=debian
 endif
 
+include /usr/share/dpkg/architecture.mk
+
 ifeq ($(DEB_HOST_ARCH),amd64)
 export EFI_ARCH := x64
-else ($(DEB_HOST_ARCH),arm64)
+endif
+ifeq ($(DEB_HOST_ARCH),arm64)
 export EFI_ARCH := aa64
 endif
+ifeq ($(DEB_HOST_ARCH),i386)
+export EFI_ARCH := ia32
+endif
 
-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
 	RELEASE=15 \
 	COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
 	MAKELEVEL=0 \
 	EFI_PATH=/usr/lib \
 	ENABLE_HTTPBOOT=true \
-	ENABLE_SHIM_CERT=1 \
-	ENABLE_SBSIGN=1 \
 	VENDOR_CERT_FILE=$(cert) \
 	EFIDIR=$(distributor) \
+	CROSS_COMPILE=$(DEB_HOST_GNU_TYPE)- \
 	$(NULL)
 
 %:
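Review bot: `include /usr/share/dpkg/architecture.mk` is added twice, once at the top of the file in the previous hunk and again at the top of this one; the second copy is redundant and should be dropped. Separately, `COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1` in the Ubuntu branch means a COMMON_OPTIONS already present in the build environment silently replaces the vendor-specific options; if that override is intentional, a comment saying so would help, otherwise `:=` is safer. The split of the broken `else ($(DEB_HOST_ARCH),arm64)` into three separate `ifeq` blocks looks correct.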
@@ -41,7 +49,4 @@
 
 override_dh_auto_install:
 	dh_auto_install --destdir=debian/tmp -- $(COMMON_OPTIONS)
-
-override_dh_fixperms:
-	dh_fixperms
-	chmod a-x debian/shim/usr/lib/shim/shim$(EFI_ARCH).efi
+	./debian/signing-template.generate
diff -Nru shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides
--- shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/shim-helpers-amd64-signed-template.lintian-overrides	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-amd64-signed-template: missing-dep-for-interpreter
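Review bot: this override (and the identical arm64 and i386 ones) carries no explanation; lintian override files accept `#` comment lines, so state that the flagged interpreter is the `#!/usr/bin/make -f` of the debian/rules shipped under /usr/share/code-signing as a source-package template for the signing service, not something executed on the installing system, so a dependency on make is not wanted.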
diff -Nru shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides
--- shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/shim-helpers-arm64-signed-template.lintian-overrides	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-arm64-signed-template: missing-dep-for-interpreter
diff -Nru shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides
--- shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/shim-helpers-i386-signed-template.lintian-overrides	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+shim-helpers-i386-signed-template: missing-dep-for-interpreter
diff -Nru shim-15+1533136590.3beb971/debian/shim-unsigned.install shim-15+1533136590.3beb971/debian/shim-unsigned.install
--- shim-15+1533136590.3beb971/debian/shim-unsigned.install	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/shim-unsigned.install	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,4 @@
+/boot/efi/EFI/*/shim*.efi /usr/lib/shim
+/boot/efi/EFI/*/mm*.efi /usr/lib/shim
+/boot/efi/EFI/*/fb*.efi /usr/lib/shim
+/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff -Nru shim-15+1533136590.3beb971/debian/shim.install shim-15+1533136590.3beb971/debian/shim.install
--- shim-15+1533136590.3beb971/debian/shim.install	2019-02-09 07:01:16.000000000 +0000
+++ shim-15+1533136590.3beb971/debian/shim.install	1970-01-01 01:00:00.000000000 +0100
@@ -1,4 +0,0 @@
-/boot/efi/EFI/*/shim*.efi /usr/lib/shim
-/boot/efi/EFI/*/mm*.efi /usr/lib/shim
-/boot/efi/EFI/*/fb*.efi /usr/lib/shim
-/boot/efi/EFI/*/BOOT*.CSV /usr/lib/shim
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/README.source shim-15+1533136590.3beb971/debian/signing-template/README.source
--- shim-15+1533136590.3beb971/debian/signing-template/README.source	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/README.source	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,4 @@
+This source package is generated by the Debian signing service from a
+template built by the shim package.  It should never be updated directly.
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 16:26:11 +0200
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/changelog.in shim-15+1533136590.3beb971/debian/signing-template/changelog.in
--- shim-15+1533136590.3beb971/debian/signing-template/changelog.in	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/changelog.in	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,11 @@
+shim-helpers-@arch@-signed (1+@version_mangled@) @distribution@; urgency=@urgency@
+
+  * Update to shim @version_binary@
+
+ -- Debian signing service <ftpmaster@debian.org>  @date@
+
+shim-helpers-@arch@-signed (1) unstable; urgency=medium
+
+  * Add template source package for signing
+
+ -- Philipp Matthias Hahn <pmhahn@debian.org>  Sat, 07 Apr 2018 17:16:27 +0200
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/compat shim-15+1533136590.3beb971/debian/signing-template/compat
--- shim-15+1533136590.3beb971/debian/signing-template/compat	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/compat	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+9
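Review bot: the template's compat level is 9 while signing-template/control.in declares `Build-Depends: debhelper (>= 10.1~)`; the two should agree, either by bumping compat to 10 or by lowering the build-dependency to what compat 9 actually needs.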
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/control.in shim-15+1533136590.3beb971/debian/signing-template/control.in
--- shim-15+1533136590.3beb971/debian/signing-template/control.in	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/control.in	2019-03-23 18:19:13.000000000 +0000
@@ -0,0 +1,25 @@
+Source: shim-helpers-@arch@-signed
+Section: admin
+Priority: optional
+Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Standards-Version: 4.3.0
+Build-Depends: debhelper (>= 10.1~),
+ sbsigntool [amd64 arm64 i386],
+ shim-unsigned (= @version_binary@),
+
+Package: shim-helpers-@arch@-signed
+Architecture: @arch@
+Conflicts: shim (<< 15+1533136590.3beb971-3~),
+Replaces: shim (<< 15+1533136590.3beb971-3~), shim-signed (<< 1.29),
+Breaks: shim-signed (<< 1.29),
+Depends: shim-unsigned (= @version_binary@), ${misc:Depends},
+Built-Using: shim (= @version_binary@)
+Description: boot loader to chain-load signed boot loaders (signed by Debian)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database.  Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains the MOK manager and fall-back manager signed by the
+ Debian UEFI CA to be used by shim-signed.
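Review bot: the -6 changelog entry says "Add Provides: and Breaks: to shim-helpers-$arch-signed", but this stanza only gains `Breaks: shim-signed (<< 1.29)` and the matching `Replaces:`; there is no `Provides:` here, so either the field is missing or the changelog overstates the change. Breaks plus Replaces is the right pair for taking over fbx64.efi.signed and mmx64.efi.signed from the old shim-signed (Closes: #924619). The `Depends: shim-unsigned (= @version_binary@)` exact pin is also what guarantees the detached signatures are attached to the same binaries they were made for, which is worth a comment.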
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/copyright shim-15+1533136590.3beb971/debian/signing-template/copyright
--- shim-15+1533136590.3beb971/debian/signing-template/copyright	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/copyright	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,51 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Comment:
+ This file describes only the shim-helpers-signed-* source package.
+
+Files: debian/signatures/*
+License: public-domain
+ Digital signatures and certificates are presumed not to be
+ copyrightable works, and no copyright is claimed for them.
+Comment:
+ The signatures and certificates in this package cannot be regenerated
+ as-is without the associated private key material, but they can be
+ replaced using alternate private keys.
+
+Files: debian/rules
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License version 2 as
+ published by the Free Software Foundation.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
+
+Files: debian/*
+Copyright: 2018 Philipp Matthias Hahn <pmhahn@debian.org>
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or (at
+ your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this package; if not, write to the Free Software
+ Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301 USA
+ .
+ On Debian systems, the complete text of the GNU General Public
+ License version 2 can be found in `/usr/share/common-licenses/GPL-2'.
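Review bot: in copyright-format 1.0 the last matching `Files:` stanza wins, so the `Files: debian/*` (GPL-2+) stanza placed after `Files: debian/rules` (GPL-2) shadows it and debian/rules is effectively declared GPL-2+; put the general `debian/*` stanza first and the specific `debian/rules` stanza after it if the GPL-2-only licence is intended. Minor: the header comment refers to the "shim-helpers-signed-*" source package, while the package is actually named shim-helpers-@arch@-signed.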
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/rules shim-15+1533136590.3beb971/debian/signing-template/rules
--- shim-15+1533136590.3beb971/debian/signing-template/rules	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/rules	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,18 @@
+#!/usr/bin/make -f
+
+SIG_DIR := debian/signatures/shim-unsigned
+
+%:
+	dh $@
+
+override_dh_auto_install:
+	set -e ; \
+	find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
+	while read sig; do \
+		install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+		install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+		sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
+	done
+
+override_dh_install:
+	dh_install --sourcedir=debian/tmp .
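Review bot: nothing in override_dh_auto_install checks that each attached signature actually verifies against the binary picked up from `/$${sig%.sig}`; the only guard is the exact `shim-unsigned (= @version_binary@)` build-dependency, so a stale or mismatched signature would be shipped as a broken `.signed` file. Adding an `sbverify --cert <Debian UEFI CA certificate>` step after `sbattach` would make a mismatch fail the build instead. Also worth a comment: `"debian/tmp/$${sig}ned"` relies on the `.sig` path plus `ned` spelling `.signed`, and `read` should be `read -r` so backslashes in paths are not interpreted.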
diff -Nru shim-15+1533136590.3beb971/debian/signing-template/source/format shim-15+1533136590.3beb971/debian/signing-template/source/format
--- shim-15+1533136590.3beb971/debian/signing-template/source/format	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template/source/format	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1 @@
+3.0 (native)
diff -Nru shim-15+1533136590.3beb971/debian/signing-template.generate shim-15+1533136590.3beb971/debian/signing-template.generate
--- shim-15+1533136590.3beb971/debian/signing-template.generate	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template.generate	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,41 @@
+#!/bin/sh
+set -e -u
+
+distribution="$(dpkg-parsechangelog -S Distribution)"
+urgency="$(dpkg-parsechangelog -S Urgency)"
+date="$(dpkg-parsechangelog -S Date)"
+version_binary="$(dpkg-parsechangelog -S Version)"
+version_mangled="$(dpkg-parsechangelog -S Version | tr '-' '+')"
+
+subst () {
+	sed \
+		-e "s/@efi@/${EFI_ARCH}/g" \
+		-e "s/@arch@/${DEB_HOST_ARCH}/g" \
+		-e "s/@version_binary@/${version_binary}/g" \
+		-e "s/@version_mangled@/${version_mangled}/g" \
+		-e "s/@distribution@/${distribution}/g" \
+		-e "s/@urgency@/${urgency}/g" \
+		-e "s/@date@/${date}/g" \
+		"$@"
+}
+
+template='./debian/signing-template'
+pkg_name="shim-helpers-${DEB_HOST_ARCH}-signed-template"
+pkg_dir="debian/${pkg_name}/usr/share/code-signing/${pkg_name}"
+pkg_deb="${pkg_dir}/source-template/debian"
+
+install -o 0 -g 0 -m 0755 -d "${pkg_dir}"
+subst < ./debian/signing-template.json.in > "${pkg_dir}/files.json"
+
+find "${template}" -type f -printf '%P\n' |
+while read path
+do
+	src="${template}/${path}"
+	dst="${pkg_deb}/${path}"
+
+	install -o 0 -g 0 -m 0755 -d "${dst%/*}"
+	subst < "${src}" > "${dst%.in}"
+	chmod --reference="${src}" "${dst%.in}"
+done
+
+exit 0
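Review bot: with `set -u` the script requires EFI_ARCH and DEB_HOST_ARCH in its environment; EFI_ARCH is exported in debian/rules, but DEB_HOST_ARCH comes from architecture.mk and only reaches this script if that include exports it, so an explicit `export DEB_HOST_ARCH` in debian/rules (or passing both values as arguments) would make the dependency visible and keep the script from dying on a cross build. The sed substitutions insert the values unescaped; that is safe for Debian version strings and dpkg-parsechangelog output (neither can contain the `/` delimiter), but a comment saying so would pre-empt the question. The trailing `exit 0` is redundant under `set -e`.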
diff -Nru shim-15+1533136590.3beb971/debian/signing-template.json.in shim-15+1533136590.3beb971/debian/signing-template.json.in
--- shim-15+1533136590.3beb971/debian/signing-template.json.in	1970-01-01 01:00:00.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/signing-template.json.in	2019-03-23 17:49:36.000000000 +0000
@@ -0,0 +1,11 @@
+{
+  "packages": {
+    "shim-unsigned": {
+      "trusted_certs": [],
+      "files": [
+        {"sig_type": "efi", "file": "usr/lib/shim/fb@efi@.efi"},
+        {"sig_type": "efi", "file": "usr/lib/shim/mm@efi@.efi"}
+      ]
+    }
+  }
+}
diff -Nru shim-15+1533136590.3beb971/debian/watch shim-15+1533136590.3beb971/debian/watch
--- shim-15+1533136590.3beb971/debian/watch	2016-10-13 06:48:33.000000000 +0100
+++ shim-15+1533136590.3beb971/debian/watch	2019-03-23 17:49:36.000000000 +0000
@@ -2,4 +2,4 @@
 version=4
 
 opts="repack,compression=xz,filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/shim-$1\.tar\.gz/" \
-  https://github.com/mjg59/shim/releases .*/v?(\d\S*)\.tar\.gz
+  https://github.com/rhboot/shim/releases .*/v?(\d\S*)\.tar\.gz
