shim.changes

@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Fri Nov 28 08:30:55 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Fixed some issues in RPM Macro and pretrans lus script with the old
+  rpm-4.14.3 on SLE-15-SP3:
+    - shim.spec: Use io.open instead of pcall rpm.open in pretrans lua script
+    - shim.spec: Workaround the string comparison issue in elif directive
+    - shim.spec: Specify the certificate format in openssl commands
+
 -------------------------------------------------------------------
 Wed Nov 26 07:42:15 UTC 2025 - Joey Lee <jlee@suse.com>
 

shim.spec

@@ -370,30 +370,14 @@ print("INFO: Current Lua Version: " .. tostring(_VERSION))
 local db_filename = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
 
 -- The db file existence check
--- Use pcall to execute rpm.open to prevent errors from being thrown when
--- the file cannot be found, causing RPM to fail.
-local success, result = pcall(rpm.open, db_filename, "rb")
+local f_check, err_check = io.open(db_filename, "rb")
 
-local f_check = nil
-
-if not success then
-    -- pcall catches errors (e.g. "No such file or directory")
-    print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(result))
+if not f_check then
+    print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(err_check))
     print("WARNING: This usually means the system is not booted in UEFI mode. Skipping all db check steps.")
     return 0
-else
-    -- If pcall succeeds, result may be an archive handle or nil (depending on the behavior of rpm.open)
-    f_check = result
-    if not f_check then
-	-- The archive does not exist, but rpm.open returns nil
-        print("WARNING: db EFI variable file does not exist (rpm.open returned nil). Skipping db check steps.")
-        return 0
-    else
-	-- If the file exists and is successfully opened,
-	-- close the handle immediately so that subsequent code can open it again.
-        f_check:close()
-    end
 end
+f_check:close()
 
 -- ==========================================================================================
 -- This is the hardcoded target certificate content used to check for its existence.
@@ -463,13 +447,13 @@ end
 local db_content = ""
 do
     -- The db file is now confirmed to exist, open it again to read the contents
-    local f = rpm.open(db_filename, "rb")
+    local f_db, err_db = io.open(db_filename, "rb")
 
-    if f then
+    if f_db then
         local chunks = {}
         local CHUNK_SIZE = 4096
         local raw_content = ""
-        local chunk = f:read(CHUNK_SIZE)
+        local chunk = f_db:read(CHUNK_SIZE)
 
         while chunk do
 	    -- If an empty string is read, it means EOF has been reached and the loop is exited.
@@ -477,12 +461,12 @@ do
                 break
             end
             table.insert(chunks, chunk)
-            chunk = f:read(CHUNK_SIZE)
+            chunk = f_db:read(CHUNK_SIZE)
         end
 
         raw_content = table.concat(chunks)
 
-        f:close()
+        f_db:close()
 
 	-- Skip the first 4 bytes (EFI attributes)
         if #raw_content > 4 then
@@ -520,13 +504,12 @@ print("Please add the appropriate certificate to the db or disable UEFI secure b
 -- Secure Boot status check: We only proceed with installation if the certificate is not present in the db and Secure Boot is disabled.
 local sb_filename = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
 
-local success_sb, result_sb = pcall(rpm.open, sb_filename, "rb")
+local f_sb, err_sb = io.open(sb_filename, "rb")
 
-if not success_sb or not result_sb then
+if not f_sb then
     -- If the file is missing, it typically means the system is not UEFI, or Secure Boot is disabled/the variable is absent.
     print("WARNING: SecureBoot EFI variable file does not exist. Proceed with install.")
 else
-    local f_sb = result_sb
     local raw_content_sb = ""
     local sb_status = 0