Accepting request 888995 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/888995
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=94

dbx-cert.tar.xz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7cea42a328d6dbac923fce1a15f1e941eee7c829aeff6c0b5016475cca99c47c
-size 7032
+oid sha256:c872989a35b85ff4a284871d95bae930f6372a31f3353e72890775bf151e5ff2
+size 7052

shim.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 28 09:28:30 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Split the keys in vendor-dbx.bin to vendor-dbx-sles and
+  vendor-dbx-opensuse for shim-sles and shim-opensuse to reduce
+  the size of MokListXRT (bsc#1185261) 
+  + Also update generate-vendor-dbx.sh in dbx-cert.tar.xz
+
 -------------------------------------------------------------------
 Thu Apr  8 08:44:27 UTC 2021 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -60,8 +60,10 @@ Source11:       signature-sles.x86_64.asc
 Source12:       signature-opensuse.aarch64.asc
 Source13:       signature-sles.aarch64.asc
 Source50:       dbx-cert.tar.xz
-# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
+# vendor-dbx*.bin are generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
 Source51:       vendor-dbx.bin
+Source52:       vendor-dbx-sles.bin
+Source53:       vendor-dbx-opensuse.bin
 Source99:       SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
 Patch1:         shim-arch-independent-names.patch
@@ -111,7 +113,6 @@ Group:          Development/Debug
 %description -n shim-debugsource
 The source code of UEFI shim loader
 
-
 %prep
 %setup -q
 %patch1 -p1
@@ -152,7 +153,7 @@ if test -e %{_sourcedir}/_projectcert.crt ; then
     prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
     opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
     slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
-    if test "$prjissuer" = "$opensusesubject" ; then 
+    if test "$prjissuer" = "$opensusesubject" ; then
 	suffixes=(opensuse)
     elif test "$prjissuer" = "$slessubject" ; then
 	suffixes=(sles)
@@ -165,6 +166,7 @@ for suffix in "${suffixes[@]}"; do
     if test "$suffix" = "opensuse"; then
 	cert=%{SOURCE2}
 	verify='openSUSE Secure Boot CA1'
+	vendor_dbx=%{SOURCE53}
 %ifarch x86_64
 	signature=%{SOURCE1}
 %else
@@ -176,6 +178,7 @@ for suffix in "${suffixes[@]}"; do
     elif test "$suffix" = "sles"; then
 	cert=%{SOURCE4}
 	verify='SUSE Linux Enterprise Secure Boot CA1'
+	vendor_dbx=%{SOURCE52}
 %ifarch x86_64
 	signature=%{SOURCE11}
 %else
@@ -187,6 +190,7 @@ for suffix in "${suffixes[@]}"; do
     elif test "$suffix" = "devel"; then
 	cert=%{_sourcedir}/_projectcert.crt
 	verify=`openssl x509 -in "$cert" -noout -email`
+	vendor_dbx=%{SOURCE51}
 	signature=''
 	test -e "$cert" || continue
     else
@@ -198,7 +202,7 @@ for suffix in "${suffixes[@]}"; do
     make RELEASE=0 SHIMSTEM=shim \
          VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
          DEFAULT_LOADER="\\\\\\\\grub.efi" \
-         VENDOR_DBX_FILE=%{SOURCE51} \
+         VENDOR_DBX_FILE=$vendor_dbx \
          shim.efi.debug shim.efi
     #
     # assert correct certificate embedded
@@ -281,7 +285,7 @@ cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
 %{?buildroot:%__rm -rf "%{buildroot}"}
 
 %post
-%if 0%{?update_bootloader_check_type_reinit_post:1} 
+%if 0%{?update_bootloader_check_type_reinit_post:1}
 %update_bootloader_check_type_reinit_post grub2-efi
 %else
 /sbin/update-bootloader --reinit || true