From ea8904665dacefd6fb3c03c8bd4ad2969c7cd8cd1e4dcee180ff89d167159c7c Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Mon, 5 Dec 2016 08:35:58 +0000
Subject: [PATCH] Accepting request 443762 from home:gary_lin:branches:devel:openSUSE:Factory
- Add SIGNATURE_UPDATE.txt to state the steps to update signature-*.asc
- Update the comment of strip_signature.sh
OBS-URL: https://build.opensuse.org/request/show/443762
OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=123
---
 SIGNATURE_UPDATE.txt | 25 +++++++++++++++++++++++++
 shim.changes | 7 +++++++
 shim.spec | 5 +++--
 strip_signature.sh | 2 +-
 4 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 SIGNATURE_UPDATE.txt
diff --git a/SIGNATURE_UPDATE.txt b/SIGNATURE_UPDATE.txt
new file mode 100644
index 0000000..265e452
--- /dev/null
+++ b/SIGNATURE_UPDATE.txt
@@ -0,0 +1,25 @@
+==== openSUSE ====
+For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
+use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
+shares the same binary with Leap, so do the older Leap releases.
+
+The steps to udpate signature-opensuse.asc:
+1) Branch devel:openSUSE:Factory/shim.
+2) Add the latest Leap, e.g. 42.2, to the build target.
+3) Build shim-opensuse.efi against the latest Leap.
+4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
+5) Send shim-opensuse.efi to UEFI CA to request a new signature.
+6) Extract the signature from the signed shim.efi with extract_signature.sh
+7) Update signature-opensuse.asc.
+
+==== SLES ===
+Since there is no devel project for shim in SLES, just build shim-sles.efi with
+the latest SLES and then send it to UEFI CA for a new signature.
+
+The steps to update signature-sles.asc:
+1) Branch shim from the latest SLES and apply the update/fix.
+2) Build shim-sles.efi against the latest SLES.
+3) Strip the signature from shim-sles.efi with strip_signature.sh.
+4) Send shim-sles.efi to UEFI CA to request a new signature.
+5) Extract the signature from the signed shim.efi with extract_signature.sh
+6) Update signature-sles.asc.
diff --git a/shim.changes b/shim.changes
index d0aece7..0aa554a 100644
--- a/shim.changes
+++ b/shim.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Nov 18 09:23:01 UTC 2016 - glin@suse.com
+
+- Add SIGNATURE_UPDATE.txt to state the steps to update
+ signature-*.asc
+- Update the comment of strip_signature.sh
+
 -------------------------------------------------------------------
 Wed Sep 21 09:55:40 UTC 2016 - mchang@suse.com
diff --git a/shim.spec b/shim.spec
index 73a1f29..ae35282 100644
--- a/shim.spec
+++ b/shim.spec
@@ -14,10 +14,9 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # - - # needssslcertforbuild + %undefine _build_create_debug Name: shim
@@ -30,6 +29,7 @@ Url: https://github.com/mjg59/shim
 Source: %{name}-%{version}.tar.bz2
 # run "extract_signature.sh shim.efi" where shim.efi is the binary
 # with the signature from the UEFI signing service.
+# Note: For signature requesting, check SIGNATURE_UPDATE.txt
 Source1: signature-opensuse.asc
 Source2: openSUSE-UEFI-CA-Certificate.crt
 Source3: shim-install
@@ -42,6 +42,7 @@ Source9: openSUSE-UEFI-CA-Certificate-4096.crt
 Source10: timestamp.pl
 Source11: strip_signature.sh
 Source12: signature-sles.asc
+Source99: SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-only-os-name.patch glin@suse.com -- Only include the OS name in version.c
 Patch1: shim-only-os-name.patch
 # PATCH-FIX-UPSTREAM FATE#320129 shim-httpboot-support.patch glin@suse.com -- Add HTTPBoot support
diff --git a/strip_signature.sh b/strip_signature.sh
index ccda812..4362c84 100644
--- a/strip_signature.sh
+++ b/strip_signature.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-# attach ascii armored signature to a PE binary
+# strip the signature from a PE binary
 set -e
 infile="$1"
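Review bot: The pointer added in the shim.spec hunk at `@@ -30,6 +29,7 @@` sits only above `Source1: signature-opensuse.asc`, while `Source12: signature-sles.asc` in the following hunk gets no comment, although SIGNATURE_UPDATE.txt describes a request procedure for both files. Since these two detached signatures are what tie the built binary to the UEFI CA signature, the note should name both sources and the file that documents them, for example `# Note: to request a new signature for Source1/Source12, follow SIGNATURE_UPDATE.txt (Source99)`. The wording "For signature requesting" is also awkward and would read better as "To request a new signature". The surrounding spec preamble continues outside both hunks, so whether Source99 is also shipped as documentation cannot be told from here.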