From 3436d7ba57878f8f65bc78924d048765692c5094f16e64532fa471f1c3b89192 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Thu, 29 Aug 2013 08:43:23 +0000
Subject: [PATCH] Accepting request 196735 from
 home:lnussel:branches:devel:openSUSE:Factory

- always build a shim that embeds the distro's certificate (e.g.
  shim-opensuse.efi). If the package is built in the devel project
  additionally shim-devel.efi is created. That allows us to either
  load grub2/kernel signed by the distro or signed by the devel
  project, depending on use case. Also shim-$distro.efi from the
  devel project can be used to request additional signatures.

OBS-URL: https://build.opensuse.org/request/show/196735
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=40
---
 shim.changes |  10 +++++
 shim.spec    | 123 ++++++++++++++++++++++++++++++---------------------
 2 files changed, 83 insertions(+), 50 deletions(-)

diff --git a/shim.changes b/shim.changes
index e7e8907..3bf850a 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Aug 28 15:54:38 UTC 2013 - lnussel@suse.de
+
+- always build a shim that embeds the distro's certificate (e.g.
+  shim-opensuse.efi). If the package is built in the devel project
+  additionally shim-devel.efi is created. That allows us to either
+  load grub2/kernel signed by the distro or signed by the devel
+  project, depending on use case. Also shim-$distro.efi from the
+  devel project can be used to request additional signatures.
+
 -------------------------------------------------------------------
 Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
 
diff --git a/shim.spec b/shim.spec
index bbd230e..53a9fad 100644
--- a/shim.spec
+++ b/shim.spec
@@ -93,75 +93,98 @@ Authors:
 %build
 chmod +x "make-certs"
 
-cert2=''
+# first, build MokManager and fallback as they don't depend on a
+# specific certificate
+make MokManager.efi fallback.efi 2>/dev/null
+
+# now build variants of shim that embed different certificates
+default=''
+suffixes=(opensuse sles)
+# check whether the project cert is a known one. If it is we build
+# just one shim that embeds this specific cert. If it's a devel
+# project we build all variants to simplify testing.
 if test -e %{_sourcedir}/_projectcert.crt ; then
     prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
     prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
     opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
     slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
-    if test "$prjissuer" = "$opensusesubject" ; then
-        suffix=opensuse
-        cert=%{SOURCE2}
-        cert2=%{SOURCE9}
+    if test "$prjissuer" = "$opensusesubject" ; then 
+	suffixes=(opensuse)
+    elif test "$prjissuer" = "$slessubject" ; then
+	suffixes=(sles)
+    elif test "$prjsubject" = "$prjissuer" ; then
+	suffixes=(devel opensuse sles)
     fi
-    if test "$prjissuer" = "$slessubject" ; then
-        suffix=sles
-        cert=%{SOURCE4}
-    fi
-    if test "$prjsubject" = "$prjissuer" ; then
-        suffix=local
-        cert=%{_sourcedir}/_projectcert.crt
-    fi
-fi
-if test -z "$suffix" ; then
-    echo "cannot identify project, assuming openSUSE signing"
-    suffix=opensuse
-    cert=%{SOURCE2}
 fi
 
-openssl x509 -in $cert -outform DER -out shim-$suffix.der
-if [ -z "$cert2" ]; then
-	# create empty local cert file, we don't need a local key pair as we
-	# sign the mokmanager with our vendor key
-	touch shim.crt
-	touch shim.cer
-else
-	cp $cert2 shim.crt
-fi
-# make sure cast warnings don't trigger post build check
-make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
-# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-cp shim.efi shim-$suffix.efi
-chmod 755 %{SOURCE6} %{SOURCE7}
-# alternative: verify signature
-#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
-head -1 %{SOURCE1} > hash1
-%{SOURCE7} shim.efi > hash2
-cat hash1 hash2
-if ! cmp -s hash1 hash2; then
-	echo "ERROR: binary changed, need to request new signature!"
-	# don't fail in devel projects
-	prj="%{_project}"
-	if [ "${prj%%:*}" = "openSUSE" ]; then
-		false
-	fi
-fi
-%{SOURCE6} %{SOURCE1} shim.efi
+for suffix in "${suffixes[@]}"; do
+    if test "$suffix" = "opensuse"; then
+	cert=%{SOURCE2}
+	cert2=%{SOURCE9}
+    elif test "$suffix" = "sles"; then
+	cert=%{SOURCE4}
+	cert2=''
+    elif test "$suffix" = "devel"; then
+	cert=%{_sourcedir}/_projectcert.crt
+	cert2=''
+	test -e "$cert" || continue
+    else
+	echo "invalid suffix"
+	false
+    fi
+
+    openssl x509 -in $cert -outform DER -out shim-$suffix.der
+    if [ -z "$cert2" ]; then
+	    # create empty local cert file, we don't need a local key pair as we
+	    # sign the mokmanager with our vendor key
+	    touch shim.crt
+	    touch shim.cer
+    else
+	    cp $cert2 shim.crt
+	    rm -f shim.cer
+    fi
+    # make sure cast warnings don't trigger post build check
+    make VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null
+    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
+    chmod 755 %{SOURCE6} %{SOURCE7}
+    # alternative: verify signature
+    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
+    head -1 %{SOURCE1} > hash1
+    %{SOURCE7} shim.efi > hash2
+    cat hash1 hash2
+    if ! cmp -s hash1 hash2; then
+	    echo "ERROR: binary changed, need to request new signature!"
+	    # don't fail in devel projects
+	    prj="%{_project}"
+	    if [ "${prj%%:*}" = "openSUSE" ]; then
+		    false
+	    fi
+	    mv shim.efi shim-$suffix.efi
+    else
+	    %{SOURCE6} %{SOURCE1} shim.efi
+	    mv shim-signed.efi shim-$suffix.efi
+	    rm -f shim.efi
+    fi
+    rm -f shim.cer shim.crt
+done
+
+ln -s shim-${suffixes[0]}.efi shim.efi
 
 %install
 export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
 install -d %{buildroot}/%{_libdir}/efi
-install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi
+cp -a shim*.efi %{buildroot}/%{_libdir}/efi
 install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
-install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi
 install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
 install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
 install -d %{buildroot}/%{_sbindir}
 install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
 # install SUSE certificate
-CERT_NAME=$(openssl x509 -sha1 -fingerprint -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
 install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
-install -m 444 shim-*.der %{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt
+for file in shim-*.der; do
+    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
+    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/$fpr.crt
+done
 
 %clean
 %{?buildroot:%__rm -rf "%{buildroot}"}