forked from pool/shim

16.1-add-MS-signed-shim-v3 #3

Manually merged
joeyli merged 2 commits from joeyli/shim:16.1-add-MS-signed-shim-v3 into main 2025-11-28 04:49:47 +01:00


@@ -210,10 +210,10 @@ suffixes=(opensuse sles)
# just one shim that embeds this specific cert. If it's a devel
# project we build all variants to simplify testing.
if test -e %{_sourcedir}/_projectcert.crt ; then
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE12} -noout -subject_hash)
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
if test "$prjissuer" = "$opensusesubject" ; then
suffixes=(opensuse)
elif test "$prjissuer" = "$slessubject" ; then
@@ -226,6 +226,7 @@ fi
for suffix in "${suffixes[@]}"; do
if test "$suffix" = "opensuse"; then
cert=%{SOURCE11}
cp $cert shim-$suffix.der
verify='openSUSE Secure Boot CA1'
vendor_dbx='vendor-dbx-opensuse.esl'
%ifarch x86_64
@@ -236,6 +237,7 @@ for suffix in "${suffixes[@]}"; do
%endif
elif test "$suffix" = "sles"; then
cert=%{SOURCE12}
cp $cert shim-$suffix.der
verify='SUSE Linux Enterprise Secure Boot CA1'
vendor_dbx='vendor-dbx-sles.esl'
%ifarch x86_64
@@ -250,12 +252,12 @@ for suffix in "${suffixes[@]}"; do
vendor_dbx='vendor-dbx.esl'
ms_shim=''
test -e "$cert" || continue
openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
else
echo "invalid suffix"
false
fi
openssl x509 -in $cert -outform DER -out shim-$suffix.der
make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
@@ -408,10 +410,12 @@ local TARGET_CERT_HEXES = {
%if "%{prjissuer_hash}" == "%{opensusesubject_hash}"
-- Certificate #3, openSUSE Secure Boot CA 2013
"%{opensuse_ca_hex}",
%elif "%{prjissuer_hash}" == "%{slessubject_hash}"
%endif
%if "%{prjissuer_hash}" == "%{slessubject_hash}"
-- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
"%{sles_ca_hex}",
%elif "%{prjissuer_hash}" == "%{prjsubjec_hash}"
%endif
%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
-- We put all keys for testing on devel/staging project
-- Certificate #3, openSUSE Secure Boot CA 2013
"%{opensuse_ca_hex}",