Accepting request 694231 from devel:openSUSE:Factory

OBS-URL: https://build.opensuse.org/request/show/694231 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=75
2019-04-17 09:22:51 +00:00 · 2019-04-17 09:22:51 +00:00 · e9778a5775
commit e9778a5775
parent 0e910a002f 34ba35f99d
4 changed files with 27 additions and 3 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -21,3 +21,5 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+## Specific LFS patterns
+shim-opensuse-signed.efi filter=lfs diff=lfs merge=lfs -text
--- a/shim-opensuse-signed.efi
+++ b/shim-opensuse-signed.efi
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:fd1cd4d4a1ac691e7a0af14c3dfb17daf3f2e6a2b286c9e233070979ec36bb6f
+size 1325584
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Apr 15 09:24:07 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add shim-opensuse-signed.efi, the openSUSE shim-15+git47 binary
+ (bsc#1113225)
+
 -------------------------------------------------------------------
 Fri Apr 12 08:50:49 UTC 2019 - Gary Ching-Pang Lin <glin@suse.com>

--- a/shim.spec
+++ b/shim.spec
@ -59,6 +59,8 @@ Source10:       strip_signature.sh
 Source11:       signature-sles.x86_64.asc
 Source12:       signature-opensuse.aarch64.asc
 Source13:       signature-sles.aarch64.asc
+# bsc#1113225 the shim-15+git47 binary for opensuse
+Source20:       shim-opensuse-signed.efi
 Source99:       SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
 Patch1:         shim-arch-independent-names.patch
@ -120,6 +122,12 @@ The source code of UEFI shim loader
 %endif

 %build
+# copy the shim binary to "signed" dir
+# NOTE: this is the last resort and we should remove the binary
+#       once we can build shim.efi properly
+mkdir signed
+cp %{SOURCE20} signed
+
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
 make EFI_PATH=/usr/lib64 RELEASE=0 \
@ -177,6 +185,7 @@ for suffix in "${suffixes[@]}"; do
    fi

    openssl x509 -in $cert -outform DER -out shim-$suffix.der
+    # option for dbx: VENDOR_DBX_FILE=dbx
    make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
         DEFAULT_LOADER="\\\\\\\\grub.efi" \
@ -184,15 +193,19 @@ for suffix in "${suffixes[@]}"; do
    #
    # assert correct certificate embedded
    grep -q "$verify" shim.efi
-    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-    chmod 755 %{SOURCE9}
+
+    # copy the shim binary directly
+    if test -f signed/shim-$suffix-signed.efi; then
+        rm -f shim.efi
+        mv -f signed/shim-$suffix-signed.efi shim-$suffix.efi
    # alternative: verify signature
    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
-    if test -n "$signature"; then
+    elif test -n "$signature"; then
 	head -1 "$signature" > hash1
 	cp shim.efi shim.efi.bak
 	# pe header contains timestamp and checksum. we need to
 	# restore that
+        chmod 755 %{SOURCE9}
 	%{SOURCE9} --set-from-file "$signature" shim.efi
 	pesign -h -P -i shim.efi > hash2
 	cat hash1 hash2