- identify project, export certificate as DER file

OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=12
2013-02-27 14:53:25 +00:00 · 2013-02-27 14:53:25 +00:00 · c0a6a69e10
commit c0a6a69e10
parent 4f72d9c0de
3 changed files with 77 additions and 5 deletions
--- a/SLES-UEFI-CA-Certificate.crt
+++ b/SLES-UEFI-CA-Certificate.crt
@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
+MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
+IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
+QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG
+A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
+VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
+IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
+CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
+AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR
+QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d
+FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ
+BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O
+d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B
+J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt
+HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi
+yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc
+dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/
+cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+
+KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w
+gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr
+BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG
+A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51
+eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN
+AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
+AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS
+1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI
+eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5
+Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt
+z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P
+yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv
+4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc
+ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC
+OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z
+yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV
+a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8=
+-----END CERTIFICATE-----
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Feb 27 15:52:53 CET 2013 - mls@suse.de
+
+- identify project, export certificate as DER file
+
 -------------------------------------------------------------------
 Thu Feb 21 10:08:12 UTC 2013 - glin@suse.com

--- a/shim.spec
+++ b/shim.spec
@ -32,6 +32,7 @@ Source:         %{name}-%{version}.tar.bz2
 Source1:        shim-signed.efi
 Source2:        openSUSE-UEFI-CA-Certificate.crt
 Source3:        shim-install
+Source4:        SLES-UEFI-CA-Certificate.crt
 # PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
 Patch0:         shim-suse-build.patch
 # PATCH-FIX-UPSTREAM shim-local-key-sign-mokmanager.patch glin@suse.com -- Sign MokManager.efi with the local generated certificate
@ -89,16 +90,42 @@ Authors:

 %build
 chmod +x "make-certs"
-openssl x509 -in %{S:2} -outform DER -out openSUSE-UEFI-CA-Certificate.der
+
+if test -e %{_sourcedir}/_projectcert.crt ; then
+    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
+    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
+    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
+    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
+    if test "$prjissuer" = "$opensusesubject" ; then
+        suffix=opensuse
+        cert=%{SOURCE2}
+    fi
+    if test "$prjissuer" = "$slessubject" ; then
+        suffix=sles
+        cert=%{SOURCE4}
+    fi
+    if test "$prjsubject" = "$prjissuer" ; then
+        suffix=local
+        cert=%{_sourcedir}/_projectcert.crt
+    fi
+fi
+if test -n "$suffix" ; then
+    echo "cannot identify project, assuming openSUSE signing"
+    suffix=opensuse
+    cert=%{SOURCE2}
+fi
+
+openssl x509 -in $cert -outform DER -out shim-$suffix.der
 # make sure cast warnings don't trigger post build check
-make VENDOR_CERT_FILE=openSUSE-UEFI-CA-Certificate.der 2>/dev/null
+make VENDOR_CERT_FILE=shim-$suffix.der 2>/dev/null
 # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-mv shim.efi shim-opensuse.efi
+mv shim.efi shim-$suffix.efi

 %install
 export BRP_PESIGN_FILES='%{_libdir}/efi/shim-opensuse.efi %{_libdir}/efi/MokManager.efi'
 install -d %{buildroot}/%{_libdir}/efi
-install -m 444 shim-opensuse.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.efi %{buildroot}/%{_libdir}/efi
+install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
 # FIXME: install signed shim here
 install -m 444 %{SOURCE1} %{buildroot}/%{_libdir}/efi/shim.efi
 install -m 444 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
@ -113,7 +140,8 @@ install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
 %doc COPYRIGHT
 %dir %{_libdir}/efi
 %{_libdir}/efi/shim.efi
-%{_libdir}/efi/shim-opensuse.efi
+%{_libdir}/efi/shim-*.efi
+%{_libdir}/efi/shim-*.der
 %{_libdir}/efi/MokManager.efi
 %{_sbindir}/shim-install