forked from devel-factory/shim-leap
Chun-Yi Lee
99bbbdf6fd
Unlike shim.spec, shim-leap.spec does not have #needssslcertforbuild because our shim.efi is already signed by openSUSE key in openSUSE:Factory:secure-boot/shim. It causes that the _projectcert.crt can not be found by shim-leap which means the openSUSE CA can not be added to the target certificates array in pretrans Lua script. I can not directly add '# needssslcertforbuild' to shim-leap.spec because it will causes that shim.efi be signed by openSUSE key again. Let's always put openSUSE Secure Boot CA to target certificates array because the shim.efi already has openSUSE signature. (bsc#1254679)
Since shim needs a "stable" environment to reproduce the binary to match the signature from UEFI CA, it's difficult to maintain shim in Tumbleweed due to the nature of a rolling release distro. Instead of compiling shim for Tumbleweed, we directly import the binary the latest stable Leap release to maintain a stable and reproducible shim binary.