Accepting request 694231 from devel:openSUSE:Factory
OBS-URL: https://build.opensuse.org/request/show/694231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=75
This commit is contained in:
commit
e9778a5775
2
.gitattributes
vendored
2
.gitattributes
vendored
@ -21,3 +21,5 @@
|
||||
*.xz filter=lfs diff=lfs merge=lfs -text
|
||||
*.zip filter=lfs diff=lfs merge=lfs -text
|
||||
*.zst filter=lfs diff=lfs merge=lfs -text
|
||||
## Specific LFS patterns
|
||||
shim-opensuse-signed.efi filter=lfs diff=lfs merge=lfs -text
|
||||
|
3
shim-opensuse-signed.efi
Normal file
3
shim-opensuse-signed.efi
Normal file
@ -0,0 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:fd1cd4d4a1ac691e7a0af14c3dfb17daf3f2e6a2b286c9e233070979ec36bb6f
|
||||
size 1325584
|
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
|
||||
(bsc#1113225)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
|
19
shim.spec
19
shim.spec
@ -59,6 +59,8 @@ Source10: strip_signature.sh
|
||||
Source11: signature-sles.x86_64.asc
|
||||
Source12: signature-opensuse.aarch64.asc
|
||||
Source13: signature-sles.aarch64.asc
|
||||
# bsc#1113225 the shim-15+git47 binary for opensuse
|
||||
Source20: shim-opensuse-signed.efi
|
||||
Source99: SIGNATURE_UPDATE.txt
|
||||
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
|
||||
Patch1: shim-arch-independent-names.patch
|
||||
@ -120,6 +122,12 @@ The source code of UEFI shim loader
|
||||
%endif
|
||||
|
||||
%build
|
||||
# copy the shim binary to "signed" dir
|
||||
# NOTE: this is the last resort and we should remove the binary
|
||||
# once we can build shim.efi properly
|
||||
mkdir signed
|
||||
cp %{SOURCE20} signed
|
||||
|
||||
# first, build MokManager and fallback as they don't depend on a
|
||||
# specific certificate
|
||||
make EFI_PATH=/usr/lib64 RELEASE=0 \
|
||||
@ -177,6 +185,7 @@ for suffix in "${suffixes[@]}"; do
|
||||
fi
|
||||
|
||||
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
||||
# option for dbx: VENDOR_DBX_FILE=dbx
|
||||
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
|
||||
VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
|
||||
DEFAULT_LOADER="\\\\\\\\grub.efi" \
|
||||
@ -184,15 +193,19 @@ for suffix in "${suffixes[@]}"; do
|
||||
#
|
||||
# assert correct certificate embedded
|
||||
grep -q "$verify" shim.efi
|
||||
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
||||
chmod 755 %{SOURCE9}
|
||||
|
||||
# copy the shim binary directly
|
||||
if test -f signed/shim-$suffix-signed.efi; then
|
||||
rm -f shim.efi
|
||||
mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi
|
||||
# alternative: verify signature
|
||||
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
||||
if test -n "$signature"; then
|
||||
elif test -n "$signature"; then
|
||||
head -1 "$signature" > hash1
|
||||
cp shim.efi shim.efi.bak
|
||||
# pe header contains timestamp and checksum. we need to
|
||||
# restore that
|
||||
chmod 755 %{SOURCE9}
|
||||
%{SOURCE9} --set-from-file "$signature" shim.efi
|
||||
pesign -h -P -i shim.efi > hash2
|
||||
cat hash1 hash2
|
||||
|
Loading…
Reference in New Issue
Block a user