
Bug#927816: unblock: shim-signed/1.30



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package shim-signed

We've just got new signatures back from Microsoft to match our shim
binaries for amd64, i386 and arm64. I've fixed up the packaging a lot
to accommodate the new arches (previously we had amd64 only).

We've made a lot of progress with shim, and we're nearing the end of
the process for Secure Boot in Buster. I'm asking for this unblock
today to cover most of what we need, with potentially a further
unblock for a new set of signed binaries with some shim bugfixes to
come. That'll depend on how long new signatures take to come. (Yay!).

The main set of changes here are in version 1.29.

diff -Nru shim-signed-1.28+nmu1/Makefile shim-signed-1.30/Makefile
--- shim-signed-1.28+nmu1/Makefile	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/Makefile	2019-04-19 15:18:30.000000000 +0100
@@ -3,12 +3,12 @@
 check:
 	mkdir -p build
 	# Verifying that the image is signed with the correct key.
-	sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed
+	sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim$(EFI_ARCH).efi.signed
 	# Verifying that we have the correct binary.
-	sbattach --detach build/detached-sig shimx64.efi.signed 
-	cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed
-	sbattach --attach build/detached-sig build/shimx64.efi.signed
-	cmp shimx64.efi.signed build/shimx64.efi.signed
+	sbattach --detach build/detached-sig shim$(EFI_ARCH).efi.signed 
+	cp /usr/lib/shim/shim$(EFI_ARCH).efi build/shim$(EFI_ARCH).efi.signed
+	sbattach --attach build/detached-sig build/shim$(EFI_ARCH).efi.signed
+	cmp shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed
 
 clean:
 	rm -rf build
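Review bot: the check target now depends entirely on EFI_ARCH being exported by debian/rules; if the Makefile is invoked on its own (or from an unsupported DEB_HOST_ARCH) the variable is empty and every step silently refers to `shim.efi.signed`, which fails with a confusing "no such file" rather than a clear message. Add a guard at the top of the Makefile, e.g. `ifndef EFI_ARCH` / `$(error EFI_ARCH must be set (x64, ia32 or aa64))` / `endif`. The check itself is sound: `sbverify --cert` ties the signature to the Microsoft UEFI CA, and the detach/copy/attach/cmp sequence proves the shipped file is byte-for-byte the pinned shim-unsigned binary plus that signature, so a substituted or re-linked binary cannot slip through. The `sbattach --detach` line still carries trailing whitespace from the old version; harmless in a recipe, but worth trimming while the line is being touched.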
diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.30/debian/changelog
--- shim-signed-1.28+nmu1/debian/changelog	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/changelog	2019-04-23 00:01:10.000000000 +0100
@@ -1,3 +1,62 @@
+shim-signed (1.30) unstable; urgency=medium
+
+  * Force the built-using version to be 15+1533136590.3beb971-6. That
+    *does* match the source we've used, we're only using -5 due to
+    toolchain changes elsewhere. Ick :-(
+
+ -- Steve McIntyre <93sam@debian.org>  Tue, 23 Apr 2019 00:01:10 +0100
+
+shim-signed (1.29) unstable; urgency=medium
+
+  * New signed binaries available from MS for amd64, arm64 and i386
+  * Change maintainer to be the EFI team
+  * Update the build-depends
+    + Specifically depend on sbsigntool (>= 0.9.2-2) to fix a bug in the
+      PE/COFF checksum that otherwise breaks the build
+  * Tweak the binary package setup a lot
+    + We're now building for 3 arches
+    + Depend on the right grub-efi-$arch-bin package for each arch
+    + Depend on the right shim-helpers-$arch-signed package for each
+      arch
+    + Remove the old Replaces: and Breaks:, as we don't clash with files
+      from the shim binary package any more.
+  * Stop copying helper binaries into our package now
+    + We just depend on shim-helpers-ARCH-signed now
+  * Tweak build, don't assume amd64
+  * Add lintian overrides for things we can't really change:
+    + We're including pre-built binaries, as that's where our signatures
+      are coming from. We have the matching source in the shim source
+      package.
+  * Update Standards-Version to 4.3.0 (no changes needed)
+
+ -- Steve McIntyre <93sam@debian.org>  Mon, 22 Apr 2019 22:57:55 +0100
+
+shim-signed (1.28+nmu3) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * (Still) explicitly uploading from a chroot with older binaries
+    installed for shim and sbsigntool, and update Build-Depends to
+    point to those speficic versions. This package will *not* function
+    with other versions installed.
+  * Add Breaks: shim (<= 0.9+1474479173.6c180c6-1), Closes: #924100
+  * +nmu2 fixed the installability problem caused by waiting for
+    Microsoft's signature on the new shim packages. Closes: #922179
+
+ -- Steve McIntyre <93sam@debian.org>  Sat, 09 Mar 2019 23:52:41 +0000
+
+shim-signed (1.28+nmu2) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Copy the helper binaries from the shim binary so that we no longer
+    need to depend on it. See #922179 for more details. Add a Replaces:
+    shim and to allow us to over-write binaries there.
+  * Explicitly uploading in a chroot with older binaries installed for
+    shim and sbsigntool, and update Build-Depends to point to those
+    speficic versions. This package will *not* function with other
+    versions installed.
+
+ -- Steve McIntyre <93sam@debian.org>  Sun, 03 Mar 2019 22:33:41 +0000
+
 shim-signed (1.28+nmu1) unstable; urgency=medium
 
   * Non-maintainer upload.
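Review bot: the 1.30 entry should spell out why Built-Using records 15+1533136590.3beb971-6 when Build-Depends pins shim-unsigned (= 15+1533136590.3beb971-5) and the Makefile check compares against the -5 binary; "we're only using -5 due to toolchain changes elsewhere" reads backwards (it is the -6 rebuild that changed the arm64 binary, per the comment in debian/control), and the release team will want the reason on record, since Built-Using is what keeps the matching source in the archive. A one-line note such as "source is identical between -5 and -6; -5 is the build whose binaries Microsoft signed" would settle it. Separately, the 1.28+nmu2 and 1.28+nmu3 entries both say "speficic" for "specific"; released entries are normally left alone, so this is only worth fixing if the file is being edited anyway.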
diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.30/debian/control
--- shim-signed-1.28+nmu1/debian/control	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/control	2019-04-22 23:59:15.000000000 +0100
@@ -1,15 +1,34 @@
 Source: shim-signed
 Section: utils
 Priority: optional
-Maintainer: Steve Langasek <vorlon@debian.org>
-Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf
-Standards-Version: 3.9.4
+Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
+Uploaders: Steve McIntyre <93sam@debian.org>, Steve Langasek <vorlon@debian.org>
+Build-Depends: debhelper (>= 9),
+# Need shim-unsigned version 15+1533136590.3beb971-5 so we can check the
+# signature on the right version of shim. Version -6 saw arm64 toolchain
+# changes that changed the binary. Ugh. :-(
+ shim-unsigned (= 15+1533136590.3beb971-5),
+# sbsigntool before 0.9.2-2 had a horrid bug with checksum calculation
+# which broke our build
+ sbsigntool (>= 0.9.2-2),
+ po-debconf
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/efi-team/shim-signed
+Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git
 
 Package: shim-signed
-Architecture: amd64
-Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil
+Architecture: amd64 i386 arm64
+Depends: ${misc:Depends},
+ grub-efi-amd64-bin [amd64],
+ shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64],
+ grub-efi-ia32-bin [i386],
+ shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386],
+ grub-efi-arm64-bin [arm64],
+ shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64],
+ grub2-common (>= 2.02+dfsg1-16),
+ mokutil
 Recommends: secureboot-db
-Built-Using: shim (= ${shim:Version})
+Built-Using: shim (= 15+1533136590.3beb971-6)
 Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
  This package provides a minimalist boot loader which allows verifying
  signatures of other UEFI binaries against either the Secure Boot DB/DBX or
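Review bot: Built-Using: shim (= 15+1533136590.3beb971-6) is hard-coded while Build-Depends pins shim-unsigned (= 15+1533136590.3beb971-5) and the Makefile verifies against the -5 binary; the two version pins disagree on the same field of the same package, and the only explanation is a comment in this file and a changelog line. Consider a README.source paragraph so the next uploader knows that the pin must follow whichever shim-unsigned revision Microsoft actually signed, not simply the newest one. The exact-version Build-Depends also means the package stops being buildable the moment -5 leaves the archive, so the Built-Using choice is doing real work here and should say so. The `#` comment lines inside the Build-Depends continuation are accepted by dpkg-source, but keep them out of the binary Depends stanza, where some tooling is less forgiving.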
diff -Nru shim-signed-1.28+nmu1/debian/copyright shim-signed-1.30/debian/copyright
--- shim-signed-1.28+nmu1/debian/copyright	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/copyright	2019-04-19 15:09:58.000000000 +0100
@@ -1,7 +1,7 @@
 Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: shim
-Upstream-Contact: Matthew Garrett <mjg@redhat.com>
-Source: https://github.com/mjg59/shim.git
+Upstream-Contact: Peter Jones <pjones@redhat.com>
+Source: https://github.com/rhboot/shim
 
 Files: *
 Copyright: 2012 Red Hat, Inc
diff -Nru shim-signed-1.28+nmu1/debian/rules shim-signed-1.30/debian/rules
--- shim-signed-1.28+nmu1/debian/rules	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/rules	2019-04-19 15:28:53.000000000 +0100
@@ -1,7 +1,19 @@
 #! /usr/bin/make -f
 
 VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2)
-SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim)
+SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim-unsigned)
+
+include /usr/share/dpkg/architecture.mk
+
+ifeq ($(DEB_HOST_ARCH),amd64)
+export EFI_ARCH := x64
+endif
+ifeq ($(DEB_HOST_ARCH),arm64)
+export EFI_ARCH := aa64
+endif
+ifeq ($(DEB_HOST_ARCH),i386)
+export EFI_ARCH := ia32
+endif
 
 %:
 	dh $@
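Review bot: there is no fallback branch in the EFI_ARCH mapping, so on any DEB_HOST_ARCH other than amd64, arm64 or i386 the variable is left unset and the failure surfaces later in the Makefile check as a missing `shim.efi.signed`. Add an `else` / `$(error unsupported architecture $(DEB_HOST_ARCH))` after the last `ifeq`, mirroring the abort the postinst already does. Also, SHIM_VERSION now queries the installed shim-unsigned (pinned to -5 in Build-Depends) while Built-Using in debian/control is hard-coded to -6; if the variable still feeds a `${shim:Version}` substitution somewhere in rules it no longer matches what Built-Using records, and if it does not, it is dead and should go.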
diff -Nru shim-signed-1.28+nmu1/debian/shim-signed.install shim-signed-1.30/debian/shim-signed.install
--- shim-signed-1.28+nmu1/debian/shim-signed.install	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/shim-signed.install	2019-04-22 18:08:11.000000000 +0100
@@ -1,3 +1,3 @@
-shimx64.efi.signed /usr/lib/shim
+build/shim*.efi.signed /usr/lib/shim
 debian/source_shim-signed.py /usr/share/apport/package-hooks/
 update-secureboot-policy /usr/sbin/
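Review bot: installing `build/shim*.efi.signed` rather than the top-level `shim*.efi.signed` is the right coupling, because build/ only contains the copy reconstructed and cmp-verified by the Makefile check target, so a failed verification leaves nothing for dh_install to pick up and the build stops. That dependency is not obvious from the install file alone; a comment line in debian/rules next to the check invocation (or in README.source) saying that the install glob deliberately points at the verified copy would stop a future cleanup from "simplifying" it back to the source file.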
diff -Nru shim-signed-1.28+nmu1/debian/shim-signed.postinst shim-signed-1.30/debian/shim-signed.postinst
--- shim-signed-1.28+nmu1/debian/shim-signed.postinst	2018-11-04 07:09:26.000000000 +0000
+++ shim-signed-1.30/debian/shim-signed.postinst	2019-04-22 17:52:51.000000000 +0100
@@ -4,6 +4,20 @@
 # Must load the confmodule for our template to be installed correctly.
 . /usr/share/debconf/confmodule
 
+ARCH=$(dpkg --print-architecture)
+case ${ARCH} in
+    amd64)
+	GRUB_EFI_TARGET="x86_64-efi";;
+    i386)
+	GRUB_EFI_TARGET="i386-efi";;
+    arm64)
+	GRUB_EFI_TARGET="arm64-efi";;
+    *)
+	echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
+	exit 1
+	;;
+esac
+
 config_item ()
 {
     if [ -f /etc/default/grub ]; then
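Review bot: `dpkg --print-architecture` reports dpkg's native architecture, not the architecture of the package being configured. That coincides today because shim-signed is not Multi-Arch, but dpkg exports `DPKG_MAINTSCRIPT_ARCH` to maintainer scripts precisely for this purpose, so `ARCH=${DPKG_MAINTSCRIPT_ARCH:-$(dpkg --print-architecture)}` would be both exact and future-proof. The `exit 1` in the default branch is fine as an unreachable guard, but note it fires on every postinst invocation (including `abort-upgrade`), which leaves the package half-configured on a system nobody should be able to reach anyway.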
@@ -30,7 +44,7 @@
 	if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
 	   && which grub-install >/dev/null 2>&1
 	then
-	    grub-install --target=x86_64-efi
+	    grub-install --target=${GRUB_EFI_TARGET}
             if dpkg --compare-versions "$2" lt-nl "1.22~"; then
                 rm -f /boot/efi/EFI/ubuntu/MokManager.efi
             fi
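Review bot: the target fix is correct, but the line right after it still removes `/boot/efi/EFI/ubuntu/MokManager.efi` with a hard-coded Ubuntu path even though `$bootloader_id` has already been resolved a few lines above and is what the `-d` test and `grub-install` act on; on a Debian install that `rm -f` is a no-op and on a mixed system it could touch another distribution's ESP directory. Use `/boot/efi/EFI/$bootloader_id/MokManager.efi` there. The return value of `grub-install --target=${GRUB_EFI_TARGET}` is also not checked; if the script does not run under `set -e`, a failed install leaves the old loader in place without any indication in the configure step.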
diff -Nru shim-signed-1.28+nmu1/debian/source/lintian-overrides shim-signed-1.30/debian/source/lintian-overrides
--- shim-signed-1.28+nmu1/debian/source/lintian-overrides	1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.30/debian/source/lintian-overrides	2019-04-22 22:53:19.000000000 +0100
@@ -0,0 +1,3 @@
+shim-signed: source-contains-prebuilt-windows-binary shimaa64.efi.signed
+shim-signed: source-contains-prebuilt-windows-binary shimia32.efi.signed
+shim-signed: source-contains-prebuilt-windows-binary shimx64.efi.signed
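Review bot: the override file gives no reason for silencing `source-contains-prebuilt-windows-binary`, and the justification (the files are PE/COFF UEFI images, shipped pre-built because they carry Microsoft's signature, with matching source in the shim source package) only exists in the 1.29 changelog entry. Lintian override files accept `#` comment lines, so put that sentence above the three overrides where the next person reading lintian output will actually find it.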
Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimaa64.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimaa64.efi.signed differ
Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimia32.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimia32.efi.signed differ
Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimx64.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimx64.efi.signed differ


unblock shim-signed/1.30

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
