Control: retitle -1 unblock: shim-signed/1.33
Hey folks,

We've just got the new signed binaries back from Microsoft this
morning, so I've now updated to use them and just uploaded
shim-unsigned 1.33. Summary of changes since 1.30:

  * Build against new signed binaries corresponding to
    15+1533136590.3beb971-7
  * Update Build-Depends and Depends to match. Closes: #928107
  * Drop the hard-coded version in Built-Using; pick up the version of
    shim we're using properly.
  * Display the sha256sums of the binaries as we check them
  * Add Breaks/Replaces to shim-signed-common for
    update-secureboot-policy etc. Closes: #929673
  * update-secureboot-policy: fix error if /var/lib/dkms does not
    exist. Closes: #923718
  * Separate the helper scripts into a new shim-signed-common package,
    apart from the actual signed shim binaries so that we can
    sensibly support co-installability using Multi-Arch.
    Closes: #928486
  * Add/update translations:
    + Italian (Closes: #915993, thanks to Beatrice Torracca)
    + Swedish (Closes: #921410, thanks to Matrin Bagge)
    + Russian (Closes: #922229, thanks to Lev Lamberov)
    + Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert)
  * Remove doc link used to quieten old lintian versions

The main fixes are for #928486 (which is blocking some users building
multi-arch live media), but I've also rolled in a trivial fix for
#923718 (cosmetic) and a bunch of translation updates (filtered out
here). #929673 showed I made a daft mistake with the 1.31 upload. :-(

This package fixes our one outstanding RC bug in version 1.30
(#928107), which was impossible to fix until now.

debdiff attached.

unblock shim-signed/1.33
--
Steve McIntyre, Cambridge, UK. steve@einval.com
We don't need no education.
We don't need no thought control.
diff -Nru shim-signed-1.30/Makefile shim-signed-1.33/Makefile
--- shim-signed-1.30/Makefile 2019-04-19 15:18:30.000000000 +0100
+++ shim-signed-1.33/Makefile 2019-06-09 17:16:05.000000000 +0100
@@ -9,6 +9,7 @@
cp /usr/lib/shim/shim$(EFI_ARCH).efi build/shim$(EFI_ARCH).efi.signed
sbattach --attach build/detached-sig build/shim$(EFI_ARCH).efi.signed
cmp shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed
+ sha256sum shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed
clean:
rm -rf build
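Review bot: the added sha256sum line sits after cmp, so in the one case where the digests matter most, a mismatch, make stops at the failing cmp and the build log never shows them. Running sha256sum before cmp would record both digests even when the comparison fails, which is what someone debugging a rejected signature attach will want to see.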
diff -Nru shim-signed-1.30/debian/changelog shim-signed-1.33/debian/changelog
--- shim-signed-1.30/debian/changelog 2019-04-23 00:01:10.000000000 +0100
+++ shim-signed-1.33/debian/changelog 2019-06-09 17:32:54.000000000 +0100
@@ -1,3 +1,38 @@
+shim-signed (1.33) unstable; urgency=medium
+
+ * Build against new signed binaries corresponding to
+ 15+1533136590.3beb971-7
+ * Update Build-Depends and Depends to match. Closes: #928107
+ * Drop the hard-coded version in Built-Using; pick up the version of
+ shim we're using properly.
+ * Display the sha256sums of the binaries as we check them
+
+ -- Steve McIntyre <93sam@debian.org> Sun, 09 Jun 2019 17:32:54 +0100
+
+shim-signed (1.32) unstable; urgency=medium
+
+ * Add Breaks/Replaces to shim-signed-common for
+ update-secureboot-policy etc. Closes: #929673
+
+ -- Steve McIntyre <93sam@debian.org> Tue, 28 May 2019 14:23:54 +0100
+
+shim-signed (1.31) unstable; urgency=medium
+
+ * update-secureboot-policy: fix error if /var/lib/dkms does not
+ exist. Closes: #923718
+ * Separate the helper scripts into a new shim-signed-common package,
+ apart from the actual signed shim binaries so that we can
+ sensibly support co-installability using Multi-Arch.
+ Closes: #928486
+ * Add/update translations:
+ + Italian (Closes: #915993, thanks to Beatrice Torracca)
+ + Swedish (Closes: #921410, thanks to Matrin Bagge)
+ + Russian (Closes: #922229, thanks to Lev Lamberov)
+ + Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert)
+ * Remove doc link used to quieten old lintian versions
+
+ -- Steve McIntyre <93sam@debian.org> Mon, 27 May 2019 23:02:10 +0100
+
shim-signed (1.30) unstable; urgency=medium
* Force the built-using version to be 15+1533136590.3beb971-6. That
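Review bot: in the 1.31 entry, "Matrin Bagge" in the Swedish translation credit looks like a transposition of "Martin"; worth checking against #921410 before the entry is fixed in the archive changelog.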
diff -Nru shim-signed-1.30/debian/control shim-signed-1.33/debian/control
--- shim-signed-1.30/debian/control 2019-04-22 23:59:15.000000000 +0100
+++ shim-signed-1.33/debian/control 2019-06-09 16:50:25.000000000 +0100
@@ -4,10 +4,7 @@
Maintainer: Debian EFI Team <debian-efi@lists.debian.org>
Uploaders: Steve McIntyre <93sam@debian.org>, Steve Langasek <vorlon@debian.org>
Build-Depends: debhelper (>= 9),
-# Need shim-unsigned version 15+1533136590.3beb971-5 so we can check the
-# signature on the right version of shim. Version -6 saw arm64 toolchain
-# changes that changed the binary. Ugh. :-(
- shim-unsigned (= 15+1533136590.3beb971-5),
+ shim-unsigned (= 15+1533136590.3beb971-7),
# sbsigntool before 0.9.2-2 had a horrid bug with checksum calculation
# which broke our build
sbsigntool (>= 0.9.2-2),
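Review bot: the exact pin `shim-unsigned (= 15+1533136590.3beb971-7)` loses the comment that justified it. The removed text recorded that the pin exists so the signature is checked against the right build of shim and that a toolchain change in -6 altered the binary; a short replacement comment saying the detached signature only matches one exact build would stop a later editor from relaxing `=` to `>=`.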
@@ -18,17 +15,17 @@
Package: shim-signed
Architecture: amd64 i386 arm64
+Multi-Arch: same
Depends: ${misc:Depends},
grub-efi-amd64-bin [amd64],
- shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64],
+ shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+7) [amd64],
grub-efi-ia32-bin [i386],
- shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386],
+ shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+7) [i386],
grub-efi-arm64-bin [arm64],
- shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64],
- grub2-common (>= 2.02+dfsg1-16),
- mokutil
+ shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+7) [arm64],
+ grub2-common (>= 2.02+dfsg1-16)
Recommends: secureboot-db
-Built-Using: shim (= 15+1533136590.3beb971-6)
+Built-Using: shim (= ${shim:Version})
Description: Secure Boot chain-loading bootloader (Microsoft-signed binary)
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
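Review bot: `mokutil` leaves shim-signed's Depends and reappears only on shim-signed-common, but the Depends list here names no shim-signed-common. With update-secureboot-policy and the postinst now shipped in the common package, shim-signed should state that relationship explicitly, for example with a versioned `shim-signed-common` entry, rather than leave it to whatever ${misc:Depends} expands to.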
@@ -38,3 +35,19 @@
.
This package contains the version of the bootloader binary signed by the
Microsoft UEFI CA.
+
+Package: shim-signed-common
+Multi-Arch: foreign
+Architecture: all
+Depends: ${misc:Depends}, mokutil
+Replaces: shim-signed (<< 1.32+15+1533136590.3beb971-5)
+Breaks: shim-signed (<< 1.32+15+1533136590.3beb971-5)
+Description: Secure Boot chain-loading bootloader (common helper scripts)
+ This package provides a minimalist boot loader which allows verifying
+ signatures of other UEFI binaries against either the Secure Boot DB/DBX or
+ against a built-in signature database. Its purpose is to allow a small,
+ infrequently-changing binary to be signed by the UEFI CA, while allowing
+ an OS distributor to revision their main bootloader independently of the CA.
+ .
+ This package contains common helper scripts for all versions of the
+ shim-signed package.
diff -Nru shim-signed-1.30/debian/lintian-overrides shim-signed-1.33/debian/lintian-overrides
--- shim-signed-1.30/debian/lintian-overrides 2019-04-22 22:53:12.000000000 +0100
+++ shim-signed-1.33/debian/lintian-overrides 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff -Nru shim-signed-1.30/debian/po/POTFILES.in shim-signed-1.33/debian/po/POTFILES.in
--- shim-signed-1.30/debian/po/POTFILES.in 2019-03-06 21:15:15.000000000 +0000
+++ shim-signed-1.33/debian/po/POTFILES.in 2019-05-27 22:56:41.000000000 +0100
@@ -1 +1 @@
-[type: gettext/rfc822deb] templates
+[type: gettext/rfc822deb] shim-signed-common.templates
diff -Nru shim-signed-1.30/debian/rules shim-signed-1.33/debian/rules
--- shim-signed-1.30/debian/rules 2019-04-19 15:28:53.000000000 +0100
+++ shim-signed-1.33/debian/rules 2019-05-27 23:21:01.000000000 +0100
@@ -18,13 +18,17 @@
%:
dh $@
-docdir := debian/shim-signed/usr/share/doc/shim-signed
+docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common
override_dh_installchangelogs:
- dh_installchangelogs
- # Quieten lintian, which otherwise gets confused by our odd version
- # number.
- ln $(docdir)/changelog $(docdir)/changelog.Debian
+ dh_installchangelogs -p shim-signed-common
+
+override_dh_installdocs:
+ dh_installdocs -p shim-signed-common
+ dh_installdocs --remaining-packages --link-doc=shim-signed-common
+
+override_dh_installdebconf:
+ dh_installdebconf -p shim-signed-common
override_dh_gencontrol:
dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \
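Review bot: `dh_installdocs --remaining-packages --link-doc=shim-signed-common` makes /usr/share/doc/shim-signed a symlink where it takes effect, but in 1.30 that path was a real directory (the removed lines created changelog.Debian inside it). dpkg will not replace a directory with a symlink on upgrade, so this needs a dir_to_symlink entry in a shim-signed maintscript, and no maintscript is added anywhere in this debdiff.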
diff -Nru shim-signed-1.30/debian/shim-signed-common.install shim-signed-1.33/debian/shim-signed-common.install
--- shim-signed-1.30/debian/shim-signed-common.install 1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed-common.install 2019-05-25 03:15:26.000000000 +0100
@@ -0,0 +1,2 @@
+debian/source_shim-signed.py /usr/share/apport/package-hooks/
+update-secureboot-policy /usr/sbin/
diff -Nru shim-signed-1.30/debian/shim-signed-common.links shim-signed-1.33/debian/shim-signed-common.links
--- shim-signed-1.30/debian/shim-signed-common.links 1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed-common.links 2019-03-06 21:15:15.000000000 +0000
@@ -0,0 +1 @@
+usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py
diff -Nru shim-signed-1.30/debian/shim-signed-common.lintian-overrides shim-signed-1.33/debian/shim-signed-common.lintian-overrides
--- shim-signed-1.30/debian/shim-signed-common.lintian-overrides 1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed-common.lintian-overrides 2019-05-25 03:29:42.000000000 +0100
@@ -0,0 +1 @@
+shim-signed-common: debconf-is-not-a-registry usr/sbin/update-secureboot-policy
diff -Nru shim-signed-1.30/debian/shim-signed-common.postinst shim-signed-1.33/debian/shim-signed-common.postinst
--- shim-signed-1.30/debian/shim-signed-common.postinst 1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed-common.postinst 2019-04-22 17:52:51.000000000 +0100
@@ -0,0 +1,59 @@
+#! /bin/sh
+set -e
+
+# Must load the confmodule for our template to be installed correctly.
+. /usr/share/debconf/confmodule
+
+ARCH=$(dpkg --print-architecture)
+case ${ARCH} in
+ amd64)
+ GRUB_EFI_TARGET="x86_64-efi";;
+ i386)
+ GRUB_EFI_TARGET="i386-efi";;
+ arm64)
+ GRUB_EFI_TARGET="arm64-efi";;
+ *)
+ echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
+ exit 1
+ ;;
+esac
+
+config_item ()
+{
+ if [ -f /etc/default/grub ]; then
+ . /etc/default/grub || return
+ for x in /etc/default/grub.d/*.cfg; do
+ if [ -e "$x" ]; then
+ . "$x"
+ fi
+ done
+ fi
+ eval echo "\$$1"
+}
+
+case $1 in
+ triggered)
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+ configure)
+ bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
+ cut -d' ' -f1)"
+ case $bootloader_id in
+ kubuntu) bootloader_id=ubuntu ;;
+ esac
+ if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
+ && which grub-install >/dev/null 2>&1
+ then
+ grub-install --target=${GRUB_EFI_TARGET}
+ if dpkg --compare-versions "$2" lt-nl "1.22~"; then
+ rm -f /boot/efi/EFI/ubuntu/MokManager.efi
+ fi
+ fi
+
+ SHIM_NOTRIGGER=y update-secureboot-policy
+ ;;
+esac
+
+#DEBHELPER#
+
+exit 0
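Review bot: in the configure branch, `dpkg --compare-versions "$2" lt-nl "1.22~"` now tests the previously configured version of shim-signed-common, a package that first exists at 1.31, so the MokManager.efi cleanup can no longer fire; the upgrade history it was written for belongs to shim-signed. Either drop the block from the new package or keep it where that history lives. While the file is being moved, `which grub-install` would be better as `command -v grub-install`, and ${GRUB_EFI_TARGET} should be quoted.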
diff -Nru shim-signed-1.30/debian/shim-signed-common.templates shim-signed-1.33/debian/shim-signed-common.templates
--- shim-signed-1.30/debian/shim-signed-common.templates 1970-01-01 01:00:00.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed-common.templates 2019-03-06 21:15:15.000000000 +0000
@@ -0,0 +1,62 @@
+Template: shim/title/secureboot
+Type: text
+_Description: Configuring UEFI Secure Boot
+
+Template: shim/error/bad_secureboot_key
+Type: error
+_Description: Invalid password
+ The Secure Boot key you've entered is not valid. The password used must be
+ between 8 and 16 characters.
+
+Template: shim/disable_secureboot
+Type: boolean
+Default: true
+_Description: Disable UEFI Secure Boot?
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/enable_secureboot
+Type: boolean
+Default: false
+_Description: Enable UEFI Secure Boot?
+ If Secure Boot is enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_explanation
+Type: note
+_Description: Your system has UEFI Secure Boot enabled
+ UEFI Secure Boot is not compatible with the use of third-party drivers.
+ .
+ The system will assist you in toggling UEFI Secure Boot. To ensure that this
+ change is being made by you as an authorized user, and not by an attacker,
+ you must choose a password now and then use the same password after reboot
+ to confirm the change.
+ .
+ If you choose to proceed but do not confirm the password upon reboot, the
+ Secure Boot configuration will not be changed, and the machine will continue
+ booting as before.
+ .
+ If Secure Boot remains enabled on your system, your system may still boot but
+ any hardware that requires third-party drivers to work correctly may not be
+ usable.
+
+Template: shim/secureboot_key
+Type: password
+_Description: UEFI Secure Boot password:
+ Please enter a password for configuring UEFI Secure Boot.
+ .
+ This password will be used after a reboot to confirm authorization for a
+ change to Secure Boot state.
+
+Template: shim/secureboot_key_again
+Type: password
+_Description: Re-enter password to verify:
+ Please enter the same password again to verify that you have typed it
+ correctly.
+
+Template: shim/error/secureboot_key_mismatch
+Type: error
+_Description: Password input error
+ The two passwords you entered were not the same. Please try again.
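Review bot: shim/error/bad_secureboot_key mixes terms, saying "The Secure Boot key you've entered is not valid" and then "The password used must be between 8 and 16 characters". Every other template in this file calls the value a password, so the first sentence should too; otherwise a user may think a signing key was rejected.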
diff -Nru shim-signed-1.30/debian/shim-signed.install shim-signed-1.33/debian/shim-signed.install
--- shim-signed-1.30/debian/shim-signed.install 2019-04-22 18:08:11.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed.install 2019-05-25 03:15:14.000000000 +0100
@@ -1,3 +1 @@
build/shim*.efi.signed /usr/lib/shim
-debian/source_shim-signed.py /usr/share/apport/package-hooks/
-update-secureboot-policy /usr/sbin/
diff -Nru shim-signed-1.30/debian/shim-signed.links shim-signed-1.33/debian/shim-signed.links
--- shim-signed-1.30/debian/shim-signed.links 2019-03-06 21:15:15.000000000 +0000
+++ shim-signed-1.33/debian/shim-signed.links 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py
diff -Nru shim-signed-1.30/debian/shim-signed.postinst shim-signed-1.33/debian/shim-signed.postinst
--- shim-signed-1.30/debian/shim-signed.postinst 2019-04-22 17:52:51.000000000 +0100
+++ shim-signed-1.33/debian/shim-signed.postinst 1970-01-01 01:00:00.000000000 +0100
@@ -1,59 +0,0 @@
-#! /bin/sh
-set -e
-
-# Must load the confmodule for our template to be installed correctly.
-. /usr/share/debconf/confmodule
-
-ARCH=$(dpkg --print-architecture)
-case ${ARCH} in
- amd64)
- GRUB_EFI_TARGET="x86_64-efi";;
- i386)
- GRUB_EFI_TARGET="i386-efi";;
- arm64)
- GRUB_EFI_TARGET="arm64-efi";;
- *)
- echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
- exit 1
- ;;
-esac
-
-config_item ()
-{
- if [ -f /etc/default/grub ]; then
- . /etc/default/grub || return
- for x in /etc/default/grub.d/*.cfg; do
- if [ -e "$x" ]; then
- . "$x"
- fi
- done
- fi
- eval echo "\$$1"
-}
-
-case $1 in
- triggered)
- SHIM_NOTRIGGER=y update-secureboot-policy
- ;;
- configure)
- bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
- cut -d' ' -f1)"
- case $bootloader_id in
- kubuntu) bootloader_id=ubuntu ;;
- esac
- if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \
- && which grub-install >/dev/null 2>&1
- then
- grub-install --target=${GRUB_EFI_TARGET}
- if dpkg --compare-versions "$2" lt-nl "1.22~"; then
- rm -f /boot/efi/EFI/ubuntu/MokManager.efi
- fi
- fi
-
- SHIM_NOTRIGGER=y update-secureboot-policy
- ;;
-esac
-
-#DEBHELPER#
-
-exit 0
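Review bot: with this postinst deleted, shim-signed itself no longer runs `grub-install --target=${GRUB_EFI_TARGET}` when it is configured; that call now lives only in shim-signed-common's postinst. Nothing in this debdiff orders the common package's configure step after the new shim*.efi.signed files are unpacked, so an upgrade can finish with the previous signed shim still installed under /boot/efi. Consider keeping a minimal shim-signed postinst that performs the grub-install step.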
diff -Nru shim-signed-1.30/debian/templates shim-signed-1.33/debian/templates
--- shim-signed-1.30/debian/templates 2019-03-06 21:15:15.000000000 +0000
+++ shim-signed-1.33/debian/templates 1970-01-01 01:00:00.000000000 +0100
@@ -1,62 +0,0 @@
-Template: shim/title/secureboot
-Type: text
-_Description: Configuring UEFI Secure Boot
-
-Template: shim/error/bad_secureboot_key
-Type: error
-_Description: Invalid password
- The Secure Boot key you've entered is not valid. The password used must be
- between 8 and 16 characters.
-
-Template: shim/disable_secureboot
-Type: boolean
-Default: true
-_Description: Disable UEFI Secure Boot?
- If Secure Boot remains enabled on your system, your system may still boot but
- any hardware that requires third-party drivers to work correctly may not be
- usable.
-
-Template: shim/enable_secureboot
-Type: boolean
-Default: false
-_Description: Enable UEFI Secure Boot?
- If Secure Boot is enabled on your system, your system may still boot but
- any hardware that requires third-party drivers to work correctly may not be
- usable.
-
-Template: shim/secureboot_explanation
-Type: note
-_Description: Your system has UEFI Secure Boot enabled
- UEFI Secure Boot is not compatible with the use of third-party drivers.
- .
- The system will assist you in toggling UEFI Secure Boot. To ensure that this
- change is being made by you as an authorized user, and not by an attacker,
- you must choose a password now and then use the same password after reboot
- to confirm the change.
- .
- If you choose to proceed but do not confirm the password upon reboot, the
- Secure Boot configuration will not be changed, and the machine will continue
- booting as before.
- .
- If Secure Boot remains enabled on your system, your system may still boot but
- any hardware that requires third-party drivers to work correctly may not be
- usable.
-
-Template: shim/secureboot_key
-Type: password
-_Description: UEFI Secure Boot password:
- Please enter a password for configuring UEFI Secure Boot.
- .
- This password will be used after a reboot to confirm authorization for a
- change to Secure Boot state.
-
-Template: shim/secureboot_key_again
-Type: password
-_Description: Re-enter password to verify:
- Please enter the same password again to verify that you have typed it
- correctly.
-
-Template: shim/error/secureboot_key_mismatch
-Type: error
-_Description: Password input error
- The two passwords you entered were not the same. Please try again.
Binary files /tmp/gVpIQ5rzCl/shim-signed-1.30/shimaa64.efi.signed and /tmp/SXHcRWNCX6/shim-signed-1.33/shimaa64.efi.signed differ
Binary files /tmp/gVpIQ5rzCl/shim-signed-1.30/shimia32.efi.signed and /tmp/SXHcRWNCX6/shim-signed-1.33/shimia32.efi.signed differ
Binary files /tmp/gVpIQ5rzCl/shim-signed-1.30/shimx64.efi.signed and /tmp/SXHcRWNCX6/shim-signed-1.33/shimx64.efi.signed differ
diff -Nru shim-signed-1.30/update-secureboot-policy shim-signed-1.33/update-secureboot-policy
--- shim-signed-1.30/update-secureboot-policy 2019-03-06 21:15:15.000000000 +0000
+++ shim-signed-1.33/update-secureboot-policy 2019-05-25 02:26:08.000000000 +0100
@@ -142,8 +142,9 @@
exit 0
fi
-if [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
- setup_mok_validation $enable_secureboot
+if [ -d /var/lib/dkms ] &&
+ [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then
+ setup_mok_validation $enable_secureboot
else
echo "No DKMS packages installed: not changing Secure Boot validation state."
fi
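Review bot: the rewritten test keeps backticks around the find pipeline and still passes `$enable_secureboot` unquoted to setup_mok_validation, so an empty value silently changes the argument count. Prefer `"$(find /var/lib/dkms -type d -print | wc -l)"` and `"$enable_secureboot"`. The new `[ -d /var/lib/dkms ]` guard itself looks right, and the else message still reads correctly for a missing directory.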