Accepting request 443762 from home:gary_lin:branches:devel:openSUSE:Factory

- Add SIGNATURE_UPDATE.txt to state the steps to update signature-*.asc - Update the comment of strip_signature.sh OBS-URL: https://build.opensuse.org/request/show/443762 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=123
2016-12-05 08:35:58 +00:00 · 2016-12-05 08:35:58 +00:00 · ea8904665d
commit ea8904665d
parent da918f60a8
4 changed files with 36 additions and 3 deletions
--- a/SIGNATURE_UPDATE.txt
+++ b/SIGNATURE_UPDATE.txt
@ -0,0 +1,25 @@
+==== openSUSE ====
+For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
+use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
+shares the same binary with Leap, so do the older Leap releases.
+
+The steps to udpate signature-opensuse.asc:
+1) Branch devel:openSUSE:Factory/shim.
+2) Add the latest Leap, e.g. 42.2, to the build target.
+3) Build shim-opensuse.efi against the latest Leap.
+4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
+5) Send shim-opensuse.efi to UEFI CA to request a new signature.
+6) Extract the signature from the signed shim.efi with extract_signature.sh
+7) Update signature-opensuse.asc.
+
+==== SLES ===
+Since there is no devel project for shim in SLES, just build shim-sles.efi with
+the latest SLES and then send it to UEFI CA for a new signature.
+
+The steps to update signature-sles.asc:
+1) Branch shim from the latest SLES and apply the update/fix.
+2) Build shim-sles.efi against the latest SLES.
+3) Strip the signature from shim-sles.efi with strip_signature.sh.
+4) Send shim-sles.efi to UEFI CA to request a new signature.
+5) Extract the signature from the signed shim.efi with extract_signature.sh
+6) Update signature-sles.asc.
--- a/shim.changes
+++ b/shim.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov 18 09:23:01 UTC 2016 - glin@suse.com
+
+- Add SIGNATURE_UPDATE.txt to state the steps to update
+  signature-*.asc
+- Update the comment of strip_signature.sh
+
 -------------------------------------------------------------------
 Wed Sep 21 09:55:40 UTC 2016 - mchang@suse.com

--- a/shim.spec
+++ b/shim.spec
@ -14,10 +14,9 @@

 # Please submit bugfixes or comments via http://bugs.opensuse.org/
 #
-
-
 # needssslcertforbuild

+
 %undefine _build_create_debug

 Name:           shim
@ -30,6 +29,7 @@ Url:            https://github.com/mjg59/shim
 Source:         %{name}-%{version}.tar.bz2
 # run "extract_signature.sh shim.efi" where shim.efi is the binary
 # with the signature from the UEFI signing service.
+# Note: For signature requesting, check SIGNATURE_UPDATE.txt
 Source1:        signature-opensuse.asc
 Source2:        openSUSE-UEFI-CA-Certificate.crt
 Source3:        shim-install
@ -42,6 +42,7 @@ Source9:        openSUSE-UEFI-CA-Certificate-4096.crt
 Source10:       timestamp.pl
 Source11:       strip_signature.sh
 Source12:       signature-sles.asc
+Source99:       SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
 Patch1:         shim-only-os-name.patch
 # PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch glin@suse.com -- Add HTTPBoot support
--- a/strip_signature.sh
+++ b/strip_signature.sh
@ -1,5 +1,5 @@
 #!/bin/bash
-# attach ascii armored signature to a PE binary
+# strip the signature from a PE binary
 set -e

 infile="$1"