shim.changes: Update change log for shim-install add ca_string for

SL Micro to update fallback loader

SIGNATURE_UPDATE.txt

@@ -1,25 +0,0 @@
-==== openSUSE ====
-For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
-use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
-shares the same binary with Leap, so do the older Leap releases.
-
-The steps to udpate signature-opensuse.asc:
-1) Branch devel:openSUSE:Factory/shim.
-2) Add the latest Leap, e.g. 42.2, to the build target.
-3) Build shim-opensuse.efi against the latest Leap.
-4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
-5) Send shim-opensuse.efi to UEFI CA to request a new signature.
-6) Extract the signature from the signed shim.efi with extract_signature.sh
-7) Update signature-opensuse.asc.
-
-==== SLES ===
-Since there is no devel project for shim in SLES, just build shim-sles.efi with
-the latest SLES and then send it to UEFI CA for a new signature.
-
-The steps to update signature-sles.asc:
-1) Branch shim from the latest SLES and apply the update/fix.
-2) Build shim-sles.efi against the latest SLES.
-3) Strip the signature from shim-sles.efi with strip_signature.sh.
-4) Send shim-sles.efi to UEFI CA to request a new signature.
-5) Extract the signature from the signed shim.efi with extract_signature.sh
-6) Update signature-sles.asc.

attach_signature.sh

@@ -1,14 +0,0 @@
-#!/bin/bash
-# attach ascii armored signature to a PE binary
-set -e
-
-sig="$1"
-infile="$2"
-if [ -z "$sig" -o ! -e "$sig" -o -z "$infile" -o ! -e "$infile" ]; then
-	echo "USAGE: $0 sig.asc file.efi"
-	exit 1
-fi
-
-outfile="${infile%.efi}-signed.efi"
-
-pesign -m "$sig" -i "$infile" -o "$outfile"

extract_signature.sh

@@ -1,15 +0,0 @@
-#!/bin/bash
-# extract ascii armored signature from a PE binary
-set -e
-
-infile="$1"
-
-if [ -z "$infile" -o ! -e "$infile" ]; then
-	echo "USAGE: $0 file.efi"
-	exit 1
-fi
-
-# wtf?
-(pesign -h -P -i "$infile";
-perl $(dirname $0)/timestamp.pl "$infile";
-pesign -a -f -e /dev/stdout -i "$infile")|cat

generate-vendor-dbx.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-set -e
-
-# random UUID for SUSE
-owner=353f0911-0788-451c-aaf7-31688391e8fd
-
-: > vendor-dbx-opensuse.esl
-: > vendor-dbx-sles.esl
-# vendor dbx file with all certs for testing environment
-: > vendor-dbx.esl
-
-for cert in "$@"; do
-	esl="${cert##*/}"
-	esl="${cert%.crt}.esl"
-	cert-to-efi-sig-list -g "$owner" "$cert" "$esl"
-	case "$cert" in
-		*openSUSE*) cat "$esl" >> "vendor-dbx-opensuse.esl" ;;
-		*SLES*) cat "$esl" >> "vendor-dbx-sles.esl" ;;
-	esac
-	cat "$esl" >> "vendor-dbx.esl"
-done

remove_build_id.patch

@@ -1,26 +0,0 @@
-Index: shim-15.8/gnu-efi/Make.defaults
-===================================================================
---- shim-15.8.orig/gnu-efi/Make.defaults
-+++ shim-15.8/gnu-efi/Make.defaults
-@@ -205,7 +205,7 @@ endif
- 
- ASFLAGS += $(ARCH3264)
- LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings \
--	   --build-id=sha1 --no-warn-rwx-segments
-+	   --no-warn-rwx-segments
- 
- ifneq ($(ARCH),arm)
- export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
-Index: shim-15.8/Make.defaults
-===================================================================
---- shim-15.8.orig/Make.defaults
-+++ shim-15.8/Make.defaults
-@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un
- DEFINES		+= -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
- endif
- 
--LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
-+LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
- 
- ifneq ($(DEBUG),)
- export DEBUG

revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt

@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
-RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
-MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
-IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTMwMTIyMTQ1ODUxWhcNMjIxMjAxMTQ1ODUxWjCBqzEyMDAG
-A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
-CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
-TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
-SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
-o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
-HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
-R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
-og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
-q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
-MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
-FD1NQM+ThTkCSxz8WhLe3+ixfnVfoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
-bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
-VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
-SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
-ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
-KoZIhvcNAQELBQADggIBAFs0xW7Uzi3a52ho92ninU9yy1doEodWf8f37zmq3Kxf
-v/y+mFCFuMw5zps4xyK1xfDBmVZ6f5GMolfkPnioYzKujqTgFCmKDZXjXIgHEej5
-h+xzCalIYT3XT+JsmKvvZKcFMV9/py7+okEhekyFdak6WbxinisyEh6a7I+edNzB
-2/dPkbIS7x2UmlFzXvAYTCwOqMwCuOWsICK/NRrPlCEdkPJFq2HU11umtZ+U4eCM
-bJcCY2pqIVLxrDgRIMoUeJ7N2XIcfKlP8cHn9eHVWRd+n/v3nlJRvBjlw2d9oTm2
-EB0vfpp01ihr6yvkckLwWHdrRcmiy6OmtTScAEwpMGPmBcFiHIb1nxhPbKqqw9Xb
-t/y8tLRf6HvuhaApJhj3/ZBNLTLRSHk4O4DO4p3GpupPTvfxkx9cg/TxcF0kabPF
-+dwu5cbRZpvBmkQ947aul0y+3QRHgIhmyqdZzC2OuL6Sl74zZc3BgsQsBFeIN4gz
-YBsXtzyEVFsmSSj2ci+9JM8HCfeL0Ux7TeyoN5jAW5F7c8BSBBSSafZYUtq3DZHR
-8ILtz5L7cCLkZY3da5a/csVz3zicnrAG8uiU91Jy6hVh+Y83vARz6hp8O/tX4o00
-9ff5zunFUwyN3/krDEoX6dXMcSh8UftjzvFOYCUfF+cDt9eV8Ix0dcfP/cenyv/t
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
-RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
-MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
-IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTMwNDE4MTQzNDM0WhcNMjMwMjI1MTQzNDM0WjCBqzEyMDAG
-A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
-CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
-TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
-SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
-o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
-HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
-R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
-og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
-q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
-MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
-FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
-bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
-VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
-SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
-ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
-KoZIhvcNAQELBQADggEBAFEYo0sWgMCODHZEHWcoltp5RMcVj2DAYfw2NePbPqxW
-AmIgpMU0yG01JPbwJZu6dcuNeYoytgfDrSRLuloKm0JR8oR3+G7/oxbKQCxtMubB
-Qdflq7PIz73b/JSGiV5Pi77f9oAHijgnKEZrz4obs6sFp2gvuMvJ4w9jteCaofpq
-IDNhu7i2KFx4rC6FYF/p6V9xnVwOnZS1G56cJALfP/7kOD4k3TVSMiE2FCS3wLwR
-RI7VE0I/3oJHsi8CR++CT1BI02PI+EWgRcuW8jOzJ3+tYa77HCKpXNyIi7/L5QAK
-N5ZinPyv68tae+GHkL5U2FxLY365gABSXqXUA9mTquU=
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
-RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
-MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
-IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTYwMjI0MTUzMDI3WhcNMjYwMTAyMTUzMDI3WjCBqzEyMDAG
-A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
-CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
-TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
-SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
-AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
-o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
-HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
-R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
-og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
-q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
-MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
-FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
-bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
-VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
-SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
-ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
-KoZIhvcNAQELBQADggEBAKMaX+dWtp9Y9SW1XvV3xc/sAURe1uZfEBcd7g+yu9ff
-q/n9pbWW4gz9LtuIudi/CmltNlKHEQnB/RSgAd4VB28g7GeJNKVTn+5z7evgWUOz
-tEB0tHgTfVCx6dYoIsNxT9atIVHREDPXef/s2TARKfpd77BG+X0+ZsvQe8NuooP1
-B+qwl1rXR+cw46Q7dgM5XG418OPZsqHhk/AyC4/slHx65rQ//PBsgSANx8bBUr5Z
-nDzy1X/0aZqB56/e2sscuhjs7IcXNftztewsNB7w4XtmOuVZpj2obAhbWshPaMLY
-4PSS6JTVT/vhDJUJknm4XqbE16d0dSZPn8y1t6Ua0PM=
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ0MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
-VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
-BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
-UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
-ARYNYnVpbGRAc3VzZS5kZTAeFw0yMDA3MjMxNDA3MThaFw0yNDA3MjIxNDA3MTha
-MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
-U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
-CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
-MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAwrRYIcn7XQ2/nQfdCUM7EUzIfYB5Lra03/q9nggEfUke
-N5O9qmA9uFWTvgdq2Nh8hia16TawyHMFyUd/PsdU2/pVydC6+OGDxE1sRJvu0pzP
-3wvr+QQXnDjBYon+AGkuw/K8baUInl/1He2idCIB7pH3tGjj6jcorK70yZHU5Hl1
-UwuQXlfQpG3zEJy1yZ7fg3RxAQ/716BOy1CceK0qCLi/qgR8w5GE92Xg1CHZe62u
-I+9EmhXBbY2UcsfxRGEtdCU55L0R/MtHztfVHZw9Vazw8rCCvBjwPOxxjUx5It5N
-yG0JaYXgAXqRXE88Gwo9VlEWNOKrC0vUUfxA63IZ0wIDAQABo4IBLDCCASgwDAYD
-VR0TAQH/BAIwADAdBgNVHQ4EFgQUSrDGl8kQcydsJ97/PCIPsAfh3mEwgdMGA1Ud
-IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
-JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
-REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
-dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
-dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
-BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAazJCs7IIjYUma9ZT1NLJZ7QSy/d6oAaW
-E6JI1u3LHancnU3kXH19U7z1mni74OQdlsbIyfddR+AIvIu1RrepQ6BHNVrXO90J
-LxvORpholbgeXk/FdIHWFu6AhL2jg8UM4Jxq/P3FxckGj25LxCPgd5C/L5ITufhf
-1yPQ3CDxqfUiqlfdrQCROJ21sErLoYXoZim5pd1kT5vimyVrdaLM7eTq6G5LbKZ3
-/TqRXPpVzwZGXXeZvM5s55kGKqNTUIZ2Cft5g9CBkRZujJ5gLGToxUHYbb6Fj5UT
-Xr5Yh68j1IgvhQz+abALb/87Z3r2V+BWh1icc0rnCli1ulmZMd0H8A==
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ+MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
-VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
-BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
-UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
-ARYNYnVpbGRAc3VzZS5kZTAeFw0yMTAzMDgxMDE1MDhaFw0zMDEyMzExMDE1MDha
-MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
-U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
-CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
-MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAtvApQ4qgxDibOpYufFyQG3HDsQvwjPfrQHdYqkcKDZvz
-hKFJSpAu4gulkuKnOeMO1+ecpOC9f0G6mbIwYCsM/GKBCUKRQZPOB5eSeGU+NJaI
-XV6IimhfYi3MXmheVrP64Xd6pvcn/iplk2IPLbbdjIeiSImg1xtfnrcaWa+tzOMu
-MAQfF4wUlVnFF4Pnh0goS2sv2Lj3fVQ4XV7d8bsB9gwdWSQQMwbSb5SXoiLZOIrZ
-iI/n6DD5UL8Yap+2f5sBXA1MtonX91MSUu68Vh7l/9UXEntkx5byOdRAKxndIpnP
-QQazhXtQoFskPtVzKs+8jIemDOosn7cTkBgOEP49iQIDAQABo4IBLDCCASgwDAYD
-VR0TAQH/BAIwADAdBgNVHQ4EFgQUWiQESdKf0NinoYfm/A4muV0aqHswgdMGA1Ud
-IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
-JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
-REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
-dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
-dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
-BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAqFI4lVQf3heh0TWrZwc0ej30p1EhVJms
-NxCy/mtn6IDkRzmzAe9F/Tx5B6Kytjtj2WvU2mOhjDW61Tdvk2UBqlapTbT0X2oF
-Co4ww8gm2uDyY3nCEM0jdPj8XnA+T+raxwcw6NosK3J6g+bEWjkX0lWryl1jgxuA
-q3zup4t2rl792z+nAUAmCSrsYeQQxnKIeCvZCYMGgixSoYrv2SxD8hTFC8XW606v
-ITVb9fxaYF1cCjCLjhkQpnegViT0mV5QcPW/IIjqKla1N9sH26buFwcJIHXQRB4h
-1boVtIqiQZOe4BjGRTvRILGOa/WXn8UhQvMc39bCr1SxMRvpCV7zKw==
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ/MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
-VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
-BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
-UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
-ARYNYnVpbGRAc3VzZS5kZTAeFw0yMjA2MDIyMjUyNTBaFw0zMjEyMzAyMjUyNTBa
-MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
-U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
-CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
-MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAwDNrJ6NGA3ca+mIR0xPimAmBiC0p/LKKFf2nM64gGr2p
-l+VYf4tZONMJpeJSASChD9KEuDFpAfKJm0S+lvmMUEJSxdj6p8ynLtypcE/k9+TP
-5j8STpdA5L+P9RIt0r4USGUNf9WT5CfLmQVx6EWjjnUqP6H7t4gS76NXxI6ODu7G
-ihPiG4acjYxtgAmErXHP42Tk8srzYN+RVddZLnKQWhLWahuomq8320iHm2biZ01B
-coHFZnPO62fw5LHeig94UXixf7NPgwPBr9owuKw4WouDfH4nCY6KEOZG+flF/ME+
-6TuExYRCPwG3wXgOmGHNYyH8vAvR9s99sZFIGXYdrwIDAQABo4IBLDCCASgwDAYD
-VR0TAQH/BAIwADAdBgNVHQ4EFgQUCsYrHz9TQnETJYbinTsQQVkcgkowgdMGA1Ud
-IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
-JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
-REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
-dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
-dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
-BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAgB40iq70uOw6SLvHhZb8NpJuETDdfQzE
-RuEDtd0bHgHfhvjLpzaHP8ZVLHr8lpsyaLwVE4598cmys8Zn1vvkCQOo4LwwVILR
-8Jar2gvgJ2xqTUVU3bYhr+MaGpScbDyK6n2Kb8/vuEpaHHTJWMx5js2jGh1G2+AG
-hohfQX+K5UPUKyBRfiDwcZhq2JpCOq5F/SDbm1kpX5dwzu/Y0yDYfukz4tqvpq+S
-8SW1+fv37Fbch6DjFw51ALUtkfPmNShlgcub3deyD0vZvBWxlJRllBv16c+yLXSx
-1XmOY8MOEntYKKgKb4zpNKAnCwP7yc/R5Chk1tvLgvoymbxAKfkd3Q==
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt

@@ -1,32 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
-blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
-bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
-EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw
-MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
-CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
-RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
-HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
-RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
-0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
-p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
-EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
-AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
-KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB
-hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
-AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
-Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
-Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB
-AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx
-M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc
-6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R
-NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A
-D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt
-T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV
-cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH
-v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy
-gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf
-jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG
-UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
-blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
-bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
-EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4
-MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
-CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
-RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
-MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
-HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
-RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
-0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
-p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
-EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
-AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
-KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB
-hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
-AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
-Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
-Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB
-AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld
-gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6
-mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp
-HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS
-8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo
-8Gu+1aY2qw6wZ+TKiiRRYjQ=
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIElTCCA32gAwIBAgIJAPq+2L9Aml5gMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
-VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
-BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
-SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDEwODE2MjU1NFoXDTI5
-MTExNjE2MjU1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
-Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
-EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMs14JzP2PdL6+OU
-LPIRdzOGnCgdGd5FaSFeoJRKC7VBLmcBa5F2OoVmKmOLhyvolIoSbiUTsAc/KCt2
-JT4pslVC5ztEJB23mTLLRNK0iMupT6ezBr5cqu4rBAmq7FhjWshix9loQ/u9DpL/
-TOwCRLyVyZ/RviH49LJtWgrVTZhlzMGM79/yn9pFBXb5GsCL1RwF8sC4SrAS30PK
-1QsYRrMDvs2n1wGA8cXK7tk6H0ozfVABq9c6SG5iWXNiHjjvMjHuWBh9WQWK+33U
-DV6dR5vYr7YRnzznE4TkAOwKl4kikPMU5t/BdQetJDjY4I/2ucDbReNugVweKdB4
-rmynSx8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAMy+py/
-DYi/IZJLDegqCaVNXe/IMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
-lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
-MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
-U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
-MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
-AQsFAAOCAQEAUWNziRn2X/uOcFWaCkKqIVa0xlk8joaztllVkRLoDpv97O6p087k
-OOfqNsv1gUgIHqQvZ9Z2woQcpd2gUa0uj5yqpqSGp0eSEtBOOKApVuybplTDSyC3
-6ENwF5BKMJ8ysURsIx6ZGCq1PbaruA28sG/XFrhxjezLwN9mcmLd6nCd4xmPuH78
-IsHPP6c6VzrFtNN3yP5ZIs9bIzDHTf2qGXvVYhLBrNuTczTwUzeSfKG+qpP/dO1I
-EGtd7tTFPTqNwXkWq3oat9TVYMdPLRWWZ2zzE65k0rdSSJTgc/1Z4WSKb55J6FMP
-8MJRwgi62+9JF6hsBy7WuBE8cWvtIwbyYA==
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIElTCCA32gAwIBAgIJAPq+2L9Aml5jMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
-VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
-BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
-SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDgwMzEyMzUzOVoXDTMw
-MDYxMjEyMzUzOVowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
-Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
-EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKVKfWLm7OvwYpDO
-4s0qzbUDWG2GTlxFOkZe4XaFsjxAnmuXZTVm1SJ3N12zSdRH60YMqcns7yuISYQz
-0K79shGDOfktO8iqxSE0JdUvhEFnJUECaXYAq+ioiSwkm7QQWhHAUE3htshJeMt4
-SK4dTGmTQNQBKCZ3xQTTHi1sOl8wYt0QdhkucqvgDUyPaxHrI4LV1OV9R3XjGclG
-ZD6QEkXLhVcir2yLIA9G1qPZDXpNbrdfSx3GDEnSsD+GS0D/k5oe32w1KGMnEM/S
-fYrY1nsP6/k0hVO1KH9WJWV/DUoyO/4U75C6swg7SVTxyigT3s92/UV4N9Es5kZv
-aHhsuncCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMi9x6wa
-HYWWYhf9k+v8FPSiALgUMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
-lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
-MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
-U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
-MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
-AQsFAAOCAQEAS1NWAHYBV1uaK7wE6c+Xz8t4c2hgTkFR4E0iVZ+2aTz8OFzztQZq
-CyZ9QYgSpApmvwmgFEQog6UUzw2f19W7qhIskDHfhBmK2uQtazHZ/Pd8oXyHrbgK
-TVh7GDc9OjrZe2wg03Q0N/KVUHD5lKYXY4rfAqKdc1XKfo7t8GIu+TnWDLXWVI40
-oDIXwSmg+JOZFXpf9cxZ2zENZnsaH0KTKNk6bNq8wjum4W54Tgk7UbDE6roJp5C3
-7cUt/j+dL00gyFK66PFR1wXflZFtKixxVbMOLa13ZldsuNs0ye6whPqIKZ9ev4M4
-rjWQD5k14Ui+48/MDJt4Nc2Sm1LYrdXJMw==
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIElTCCA32gAwIBAgIJAPq+2L9Aml5kMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
-VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
-BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
-SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIxMDMwMjEzMDE1NFoXDTMx
-MDEwOTEzMDE1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
-Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
-EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLI9AESuA0aqXLg
-RwX7lU1td6HhC3Oj+kwKJJvF/kwA+1viW/1cC4vS9muigFHe3b4CPwZ9WRxb5Wyi
-3nxP1fjYwFmygBnqWvzMTxGZBFuhcQQpSPDbjWOEiFspVZbvkBF7t0cu1EcpKaHl
-+pPqVdWrh11mk7bSjnYGAZ0BFHQ3bnhCuH1+p4PIMLAFZIRQ9suW9t5caOoHK6pi
-fisOYy+WR3a/2AFTCZIdZIueVpvPHhGgjEDoE0wnoAg5lKDn+SAUS7JiWy/hdT2U
-c/OjH1onXi99kTWDOMwQA+g2d7JAPtLuepcKpiUbFaR+7KJYWhkfit6WYz40sC6Q
-PMAHIj8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ3fQ9nx
-oCcnP1LGwHdZCO4BZxMlMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
-lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
-MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
-U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
-MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
-AQsFAAOCAQEAnjK7rL3T/Fu443EQSB3cV2V84pQcOcQf3dCSx8VT14ZTgkp1RGM4
-qr4V8foA7Fyr9UE+x2zEMzcVy2eZ2aihO/qaQ/JGZi8cp1pjq0nNMUQjgXF0YGyn
-Qanjb/48V5eOF9Z1h/wQ0HISTdkwsvGUS0leHT3LjXWNRL9QBp1Qi5A5IE5t8vpX
-OxAvHNTsKsx6x2p8R3yVLX7rY84xvBJCqHDY9tYDQ2VbVX7CEw5x9FffobYpY/s1
-lCV/fhOThm/q/p9Pr3hydxKP4PoxxwBtII/p0zJTMWEEfOsK/zAS3v8Ltlz83gTk
-WX+2oXpj/WRFsYWIEXTPwEm4MwYWxw5rMw==
------END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt

@@ -1,27 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIElTCCA32gAwIBAgIJAPq+2L9Aml5lMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
-VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
-BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
-SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIyMDYxMzEzMjIxNloXDTMy
-MDQyMTEzMjIxNlowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
-Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
-EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
-Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIpQH6tn3NeRGrk
-VgrzbnoFSWg/sk8TQYI93YDE8csRBkj9pZAZDpF92m6Y7pfhQ5C8eOUwwBmRxj/c
-KeCvo9hBhN39kBnP0U0fH5eE5WSBk2+H2DT5TeGKh35pxqPUXGyz5wFtIdVGlDeS
-O+XvFb82Se2MSJhnBO0AHMP0jdqm8M6VOwOVeYb99YTJcCRpglmMhlkqytCghmAL
-Xdn8AcI5cwuInkeDGynsjYJmgaAOWh6Vl2D1HvCzJ2bVEw8x346bt0AKzS8iMYpJ
-5TDLWfV565L6LTVqni1IPGfppDtOd9L7oc//SufGMWppYT8FBDjDquNSnXh80QE+
-vWHVF+cCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP2fLBLl
-mdZ8x/kGdUGt9Ca3EkaeMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
-lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
-MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
-U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
-MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
-AQsFAAOCAQEAW5MXYWfpK0ryVDBdXGPLWpORgKh6JT4nS7vU5BW5fX1DIc0fhE9q
-PmxwMX74OjXZ3520NfV1jrAg/dmyzUGu4pyvmTfRbwXweDnG1t3zb0PU1ntfzRht
-wnfQGm10eICZNKTwxp9D9ca6jIP0pQJXilRSBSqZpw0pNBPeX5FB87DBJnDkpsxV
-7FrzR+XjIZwFfBGNecyQdCBiCXtGUU7eDTKqtITL0WzwJ18heFKslwtcoESi6xSS
-jsVDsk0gyLxbGlAJy0VeEb1YhlJVbvZiCcEYq5W+U+S31807U+sz1nB+zAyc7JER
-JgSHwPK02VwNlY+9558V95Lkp+GZRSNJEA==
------END CERTIFICATE-----

shim-16.1.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:46319cd228d8f2c06c744241c0f342412329a7c630436fce7f82cf6936b1d603
-size 2348998

shim-arch-independent-names.patch

@@ -1,61 +0,0 @@
-From 71ca8f761fb5434ef65895345d96ccf063da7d66 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Tue, 22 Aug 2017 12:43:36 +0800
-Subject: [PATCH] Make the names of EFI binaries arch-independent
-
-Since we only build the 64-bit binaries, we don't have the issue of the
-mixed architecture binaries in the same directory. Besides, we will use
-the same install script for x86_64 and AArch64. It's easier to maintain
-the script with the same names.
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- fallback.c | 2 +-
- shim.c     | 2 +-
- shim.h     | 4 ++--
- 3 files changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/fallback.c b/fallback.c
-index fc81c5e4..44b2d464 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -1058,7 +1058,7 @@ debug_hook(void)
- 
- 	x = 1;
- 	console_print(L"add-symbol-file "DEBUGDIR
--		      L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n",
-+		      L"fallback.efi.debug %p -s .data %p\n",
- 		      &_etext, &_edata);
- }
- 
-diff --git a/shim.c b/shim.c
-index 765c9254..6751a2bc 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1811,7 +1811,7 @@ debug_hook(void)
- 	FreePool(data);
- 
- 	console_print(L"add-symbol-file "DEBUGDIR
--		      L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n",
-+		      L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
- 		      &_text, &_data);
- 
- 	console_print(L"Pausing for debugger attachment.\n");
-diff --git a/shim.h b/shim.h
-index 0a6c8cfa..b9c3c4d8 100644
---- a/shim.h
-+++ b/shim.h
-@@ -105,8 +105,8 @@
- #define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH
- #endif
- 
--#define FALLBACK L"\\fb" EFI_ARCH L".efi"
--#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
-+#define FALLBACK L"\\fallback.efi"
-+#define MOK_MANAGER L"\\MokManager.efi"
- 
- #if defined(VENDOR_DB_FILE)
- # define vendor_authorized vendor_db
--- 
-2.29.2
-

shim-change-debug-file-path.patch

@@ -1,54 +0,0 @@
-From ac7e88b1f2219ec2b09c9596e6f7d5911e5f6ffd Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Thu, 4 Jan 2018 12:28:37 +0800
-Subject: [PATCH] Use our own debug path
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- Make.defaults | 2 +-
- fallback.c    | 2 +-
- shim.c        | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/Make.defaults b/Make.defaults
-index bef3cb51..d88367e3 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -167,7 +167,7 @@ BOOTEFINAME	?= BOOT$(ARCH_SUFFIX_UPPER).EFI
- BOOTCSVNAME	?= BOOT$(ARCH_SUFFIX_UPPER).CSV
- 
- DEFINES		+= -DEFI_ARCH='L"$(ARCH_SUFFIX)"' \
--		   -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/"'
-+		   -DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\"
- 
- ifneq ($(origin VENDOR_DB_FILE), undefined)
- DEFINES		+= -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\"
-diff --git a/fallback.c b/fallback.c
-index 44b2d464..8e0de901 100644
---- a/fallback.c
-+++ b/fallback.c
-@@ -1058,7 +1058,7 @@ debug_hook(void)
- 
- 	x = 1;
- 	console_print(L"add-symbol-file "DEBUGDIR
--		      L"fallback.efi.debug %p -s .data %p\n",
-+		      L"fallback.debug %p -s .data %p\n",
- 		      &_etext, &_edata);
- }
- 
-diff --git a/shim.c b/shim.c
-index 1d539855..f8d2ba5f 100644
---- a/shim.c
-+++ b/shim.c
-@@ -1818,7 +1818,7 @@ debug_hook(void)
- 	FreePool(data);
- 
- 	console_print(L"add-symbol-file "DEBUGDIR
--		      L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
-+		      L"shim.debug 0x%08x -s .data 0x%08x\n",
- 		      &_text, &_data);
- 
- 	console_print(L"Pausing for debugger attachment.\n");
--- 
-2.29.2
-

shim-disable-export-vendor-dbx.patch

@@ -1,36 +0,0 @@
-From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Fri, 18 Jun 2021 17:54:46 +0800
-Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
-
-As the vendor-dbx grows, it caused some problems when writing such
-a large variable. Some firmwares lie the avaiable space(*1) , and
-some even crash(*2) for no good reason after the writing of
-MokListXRT. Both shim and kernel don't rely on MokListXRT to block
-anything, so we just stop exporting vendor-dbx to MokListXRT to
-avoid the potential hassles.
-
-(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
-(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- mok.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/mok.c b/mok.c
-index beac0ff6..a687a92b 100644
---- a/mok.c
-+++ b/mok.c
-@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
- 		     EFI_VARIABLE_NON_VOLATILE,
- 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
- 	 .categorize_addend = categorize_deauthorized,
--	 .addend = &vendor_deauthorized,
--	 .addend_size = &vendor_deauthorized_size,
- 	 .flags = MOK_MIRROR_KEYDB |
- 		  MOK_MIRROR_DELETE_FIRST |
- 		  MOK_VARIABLE_LOG,
--- 
-2.31.1
-

shim-install

@@ -71,9 +71,12 @@ fi
 efi_distributor="$bootloader_id"
 bootloader_id="${bootloader_id}-secureboot"
 
+# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL
 case "$bootloader_id" in
     "sle"*)
         ca_string='SUSE Linux Enterprise Secure Boot CA1';;
+    "sl"*)
+        ca_string='SUSE Linux Enterprise Secure Boot CA1';;
     "opensuse"*)
         ca_string='openSUSE Secure Boot CA1';;
     *) ca_string="";;

shim.spec

@@ -14,36 +14,19 @@
 
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
-# needssslcertforbuild
-
 
 %undefine _debuginfo_subpackages
 %undefine _build_create_debug
 %undefine _enable_debug_packages
-%ifarch aarch64
-%define grubplatform arm64-efi
-%else
-%define grubplatform %{_target_cpu}-efi
-%endif
-%if %{defined sle_version} && 0%{?sle_version} <= 150000
-%define sysefidir      /usr/lib64/efi
-%else
+# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
 %define sysefibasedir  %{_datadir}/efi
 %define sysefidir      %{sysefibasedir}/%{_target_cpu}
-%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
+%if 0%{?suse_version} < 1600
+%ifarch x86_64
 # provide compatibility sym-link for residual kiwi, etc.
 %define shim_lib64_share_compat 1
 %endif
 %endif
-# Set gcc version, the minimum version is gcc-13
-%if %gcc_version < 13
-%define gcc_version 13
-%endif
-%global cc_compiler /usr/bin/gcc-%{gcc_version}
-
-%if 0%{?suse_version} >= 1600
-%define shim_use_fde_tpm_helper 1
-%endif
 
 Name:           shim
 Version:        16.1
@@ -52,18 +35,13 @@ Summary:        UEFI shim loader
 License:        BSD-2-Clause
 Group:          System/Boot
 URL:            https://github.com/rhboot/shim
-Source:         %{name}-%{version}.tar.bz2
-# run "extract_signature.sh shim.efi" where shim.efi is the binary
-# with the signature from the UEFI signing service.
-# Note: For signature requesting, check SIGNATURE_UPDATE.txt
-Source1:	shim-install
-Source2:	extract_signature.sh
-Source3:	attach_signature.sh
-Source4:	show_hash.sh
-Source5:	show_signatures.sh
-Source6:	timestamp.pl
-Source7:	strip_signature.sh
-Source8:	generate-vendor-dbx.sh
+Source:		shim-16.1-150300.4.31.1.x86_64.rpm
+Source1:	shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
+Source2:	shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
+Source3:	shim-16.1-150300.4.31.1.aarch64.rpm
+Source4:	shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
+Source5:	shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
+Source6:        shim-install
 # Certificates Used to Verify the Shim (DER format)
 # SUSE CA is also built-in to the shim via VENDOR_CERT_FILE
 # openSUSE Secure Boot CA, 2013-2035
@@ -74,62 +52,19 @@ Source12:	SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
 Source13:	Microsoft_Corporation_UEFI_CA_2011.crt
 # Microsoft UEFI CA 2023, 2023-2038
 Source14:	Microsoft_UEFI_CA_2023.crt
-# Microsoft-signed shim
-Source30:	shim-opensuse.x86.efi
-Source31:	shim-opensuse.aarch64.efi
-Source32:	shim-sles.x86.efi
-Source33:	shim-sles.aarch64.efi
-# revoked certificates for dbx
-Source50:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
-Source51:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
-Source52:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt
-Source53:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt
-Source54:       revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt
-Source55:       revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt
-Source56:       revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
-Source57:       revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
-Source58:       revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
-Source59:       revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
-Source60:       revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
-Source61:       revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt
-###
-Source99:       SIGNATURE_UPDATE.txt
-# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
-Patch1:         shim-arch-independent-names.patch
-# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
-Patch2:         shim-change-debug-file-path.patch
-# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
-Patch3:         remove_build_id.patch
-# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
-Patch4:         shim-disable-export-vendor-dbx.patch
-BuildRequires:  gcc%{gcc_version}
-BuildRequires:  dos2unix
-BuildRequires:  efitools
-BuildRequires:  mozilla-nss-tools
+#BuildRequires:	shim-susesigned
+BuildRequires:  fde-tpm-helper-rpm-macros
+BuildRequires:  update-bootloader-rpm-macros
 BuildRequires:  openssl >= 0.9.8
-BuildRequires:  pesign
-BuildRequires:  pesign-obs-integration
 # we need xxd in global macro in shim.spec
 BuildRequires:  vim
-%if 0%{?shim_use_fde_tpm_helper:1}
-BuildRequires:  fde-tpm-helper-rpm-macros
-%endif
-%if 0%{?suse_version} > 1320
-BuildRequires:  update-bootloader-rpm-macros
-%endif
-%if 0%{?update_bootloader_requires:1}
-%update_bootloader_requires
-%else
 Requires:       perl-Bootloader
-%endif
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# For shim-install script
+Requires:       grub2-efi
 %if 0%{?fde_tpm_update_requires:1}
 %fde_tpm_update_requires
 %endif
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-# For shim-install script grub is needed but we also want to use
-# shim for systemd-boot where shim-install is not actually used.
-# Requires:       grub2-%{grubplatform}
-Requires:       mokutil
 ExclusiveArch:  x86_64 aarch64
 
 # subject hash of openSUSE/SLE/devel certificates for identifying devel project
@@ -148,215 +83,54 @@ ExclusiveArch:  x86_64 aarch64
 shim is a trivial EFI application that, when run, attempts to open and
 execute another application.
 
-%if 0%{?shim_nx:1}
-%package -n shim-nx
-Summary:        UEFI shim loader - supports non-executable
-Group:          System/Boot
-Requires:	shim = %{version}
-
-%description -n shim-nx
-shim with NX_COMPAT field (aka. NxCompatible field in DllCharacteristics)
-for supporting non-executable
-%endif	# 0%{?shim_nx:1}
-
-%package -n shim-debuginfo
+%package debuginfo
 Summary:        UEFI shim loader - debug symbols
 Group:          Development/Debug
 
-%description -n shim-debuginfo
+%description debuginfo
 The debug symbols of UEFI shim loader
 
-%package -n shim-debugsource
+%package debugsource
 Summary:        UEFI shim loader - debug source
 Group:          Development/Debug
 
-%description -n shim-debugsource
+%description debugsource
 The source code of UEFI shim loader
 
 %prep
-%autosetup -p1
+%ifarch x86_64
+rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
+rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories
+rpm2cpio %{SOURCE2} | cpio --extract --unconditional --preserve-modification-time --make-directories
+%endif
+%ifarch aarch64
+rpm2cpio %{SOURCE3} | cpio --extract --unconditional --preserve-modification-time --make-directories
+rpm2cpio %{SOURCE4} | cpio --extract --unconditional --preserve-modification-time --make-directories
+rpm2cpio %{SOURCE5} | cpio --extract --unconditional --preserve-modification-time --make-directories
+%endif
 
 %build
-# generate the vendor SBAT metadata
-%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
-distro_id="opensuse"
-distro_name="The openSUSE project"
-%else
-distro_id="sle"
-distro_name="SUSE Linux Enterprise"
-%endif
-distro_sbat=1
-sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security@suse.de"
-echo "${sbat}" > data/sbat.vendor.csv
-
-# generate dbx files based on revoked certs
-bash %{_sourcedir}/generate-vendor-dbx.sh %{_sourcedir}/revoked-*.crt
-ls -al *.esl
-
-# first, build MokManager and fallback as they don't depend on a
-# specific certificate
-make CC=%{cc_compiler} RELEASE=0 \
-     MMSTEM=MokManager FBSTEM=fallback \
-     POST_PROCESS_PE_FLAGS=-n \
-     MokManager.efi.debug fallback.efi.debug \
-     MokManager.efi fallback.efi
-# make sure all object files gets rebuilt
-rm -f *.o
-
-# now build variants of shim that embed different certificates
-default=''
-suffixes=(opensuse sles)
-# check whether the project cert is a known one. If it is we build
-# just one shim that embeds this specific cert. If it's a devel
-# project we build all variants to simplify testing.
-if test -e %{_sourcedir}/_projectcert.crt ; then
-    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
-    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
-    opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
-    slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
-    if test "$prjissuer" = "$opensusesubject" ; then
-	suffixes=(opensuse)
-    elif test "$prjissuer" = "$slessubject" ; then
-	suffixes=(sles)
-    elif test "$prjsubject" = "$prjissuer" ; then
-	suffixes=(devel opensuse sles)
-    fi
-fi
-
-for suffix in "${suffixes[@]}"; do
-    if test "$suffix" = "opensuse"; then
-	cert=%{SOURCE11}
-	cp $cert shim-$suffix.der
-	verify='openSUSE Secure Boot CA1'
-	vendor_dbx='vendor-dbx-opensuse.esl'
-%ifarch x86_64
-	ms_shim=%{SOURCE30}
-%else
-	# opensuse aarch64
-	ms_shim=%{SOURCE31}
-%endif
-    elif test "$suffix" = "sles"; then
-	cert=%{SOURCE12}
-	cp $cert shim-$suffix.der
-	verify='SUSE Linux Enterprise Secure Boot CA1'
-	vendor_dbx='vendor-dbx-sles.esl'
-%ifarch x86_64
-	ms_shim=%{SOURCE32}
-%else
-	# sles aarch64
-	ms_shim=%{SOURCE33}
-%endif
-    elif test "$suffix" = "devel"; then
-	cert=%{_sourcedir}/_projectcert.crt
-	verify=`openssl x509 -in "$cert" -noout -email`
-	vendor_dbx='vendor-dbx.esl'
-	ms_shim=''
-	test -e "$cert" || continue
-	openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
-    else
-	echo "invalid suffix"
-	false
-    fi
-
-    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
-         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
-         DEFAULT_LOADER="\\\\\\\\grub.efi" \
-         VENDOR_DBX_FILE=$vendor_dbx \
-         shim.efi.debug shim.efi
-    #
-    # assert correct certificate embedded
-    grep -q "$verify" shim.efi
-    # Use ms-signed shim when the version equals with the version of newly built shim
-    # Version mismatch indicates development of a new shim.
-    if test -n "$ms_shim"; then
-	ms_version=$(strings "$ms_shim" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
-	dev_version=$(strings shim.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
-	if [ "$ms_version" = "$dev_version" ]; then
-		cp $ms_shim shim-$suffix.efi
-	else
-		cp shim.efi shim-$suffix.efi
-	fi
-	rm shim.efi
-    else
-	# devel shim
-	mv shim.efi shim-$suffix.efi
-    fi
-    # FIX: using debug info from devel shim doesn't match with ms-signed shim
-    mv shim.efi.debug shim-$suffix.debug
-    # remove the build cert if exists
-    rm -f shim_cert.h shim.cer shim.crt
-    # make sure all object files gets rebuilt
-    rm -f *.o
-
-%if 0%{?shim_nx:1}
-    # building shim.nx.efi
-    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \
-         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
-         DEFAULT_LOADER="\\\\\\\\grub.efi" \
-         VENDOR_DBX_FILE=$vendor_dbx \
-	 POST_PROCESS_PE_FLAGS=-n \
-         shim.nx.efi.debug shim.nx.efi
-    #
-    # assert correct certificate embedded
-    grep -q "$verify" shim.nx.efi
-    mv shim.nx.efi shim-$suffix.nx.efi
-    mv shim.nx.efi.debug shim-$suffix.nx.debug
-    # remove the build cert if exists
-    rm -f shim_cert.h shim.cer shim.crt
-    # make sure all object files gets rebuilt
-    rm -f *.o
-%endif  # 0%{?shim_nx:1}
-done
-
-ln -s shim-${suffixes[0]}.efi shim.efi
-mv shim-${suffixes[0]}.debug shim.debug
-%if 0%{?shim_nx:1}
-ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi
-mv shim-${suffixes[0]}.nx.debug shim.nx.debug
-%endif  # 0%{?shim_nx:1}
-
-# Collect the source for debugsource
-mkdir ../source
-find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
-mv ../source .
 
 %install
-export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'
-install -d %{buildroot}/%{sysefidir}
-cp -a shim*.efi %{buildroot}/%{sysefidir}
-install -m 444 shim-*.der %{buildroot}/%{sysefidir}
-install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
-install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
-install -d %{buildroot}/%{_sbindir}
-install -m 755 %{SOURCE1} %{buildroot}/%{_sbindir}/
-# install SUSE certificate
-install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
-for file in shim-*.der; do
-    filename=$(echo "$file" | cut -f 1 -d '.')
-    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
-    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-${filename}.crt
-done
+# purely repackaged
+cp -a etc usr %{buildroot}
+
 %if %{defined shim_lib64_share_compat}
-    [ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
-    # provide compatibility sym-link for residual "consumers"
-    install -d %{buildroot}/usr/lib64/efi
-    ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
+echo old
+%else
+rm -rf %{buildroot}/usr/lib64/efi
 %endif
 
-# install the debug symbols
-install -d %{buildroot}/usr/lib/debug/%{sysefidir}
-install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}
-install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug
-install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug
+# also copy over the susesigned shim
+# we did this to shortcut some cert work in 15-sp2, we currently do not need it
+#install -m 444 %{sysefidir}/shim-susesigned.* %{buildroot}/%{sysefidir}
 
-# install the debug source
-install -d %{buildroot}/usr/src/debug/%{name}-%{version}
-cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
+# Install the updated shim-install
+install -m 755 %{SOURCE6} %{buildroot}/%{_sbindir}
 
-%clean
-%{?buildroot:%__rm -rf "%{buildroot}"}
-
-%pretrans -p <lua>
+# This pretrans Lua script is directly copied from openSUSE:Factory/shim/shim.spec
+# Please remember to sync this script if it be modified
+%pretrans -n shim -p <lua>
 -- Using Lua
 print("INFO: Current Lua Version: " .. tostring(_VERSION))
 
@@ -395,10 +169,8 @@ local TARGET_CERT_HEXES = {
     -- Certificate #3, openSUSE Secure Boot CA 2013
     "%{opensuse_ca_hex}",
 %endif
-%if "%{prjissuer_hash}" == "%{slessubject_hash}"
-    -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
+    -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
     "%{sles_ca_hex}",
-%endif
 %if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
     -- We put all keys for testing on devel/staging project
     -- Certificate #3, openSUSE Secure Boot CA 2013
@@ -545,49 +317,22 @@ end
 %fde_tpm_update_post shim
 %endif
 
-%if 0%{?update_bootloader_check_type_reinit_post:1}
+%if 0%{?update_bootloader_check_type_reinit_post:1} 
 %update_bootloader_check_type_reinit_post grub2-efi
 %else
 /sbin/update-bootloader --reinit || true
 %endif
 
-# copy from kernel-scriptlets/cert-script
-is_efi () {
-    local msg rc=0
-# The below statement fails if mokutil isn't installed or UEFI is unsupported.
-# It doesn't fail if UEFI is available but secure boot is off.
-    msg="$(mokutil --sb-state 2>&1)" || rc=$?
-    return $rc
-}
-# run mokutil for setting sbat policy to latest mode
-EFIVARFS=/sys/firmware/efi/efivars
-SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
-if is_efi; then
-        if [ -w $EFIVARFS ] && \
-           [ ! -f "$SBAT_POLICY" ] && \
-           mokutil -h | grep -q "set-sbat-policy"; \
-        then
-        # Only apply CA check on the kernel package certs (bsc#1173115)
-                mokutil --set-sbat-policy latest
-        fi
-fi
-
-%if %{defined update_bootloader_posttrans}
 %posttrans
 %{?update_bootloader_posttrans}
 %{?fde_tpm_update_posttrans}
-%endif
 
 %files
 %defattr(-,root,root)
-%doc COPYRIGHT
 %dir %{?sysefibasedir}
 %dir %{sysefidir}
 %{sysefidir}/shim.efi
 %{sysefidir}/shim-*.efi
-%if 0%{?shim_nx:1}
-%exclude %{sysefidir}/shim-*.nx.efi
-%endif  # 0%{?shim_nx:1}
 %{sysefidir}/shim-*.der
 %{sysefidir}/MokManager.efi
 %{sysefidir}/fallback.efi
@@ -600,23 +345,13 @@ fi
 %dir /usr/lib64/efi
 /usr/lib64/efi/*.efi
 %endif
+/usr/share/doc/packages/shim
 
-%if 0%{?shim_nx:1}
-%files -n shim-nx
-%defattr(-,root,root)
-%{sysefidir}/shim.nx.efi
-%{sysefidir}/shim-*.nx.efi 
-%endif  # 0%{?shim_nx:1}
+%files debuginfo
+/usr/lib/debug/%{sysefidir}/*.debug
 
-%files -n shim-debuginfo
-%defattr(-,root,root,-)
-/usr/lib/debug%{sysefidir}/shim.debug
-/usr/lib/debug%{sysefidir}/MokManager.debug
-/usr/lib/debug%{sysefidir}/fallback.debug
-
-%files -n shim-debugsource
-%defattr(-,root,root,-)
-%dir /usr/src/debug/%{name}-%{version}
-/usr/src/debug/%{name}-%{version}/*
+%files debugsource
+%dir /usr/src/debug/shim-*
+/usr/src/debug/shim-*/*
 
 %changelog

show_hash.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-# show hash of PE binary
-set -e
-
-infile="$1"
-
-if [ -z "$infile" -o ! -e "$infile" ]; then
-	echo "USAGE: $0 file.efi"
-	exit 1
-fi
-
-pesign -h -P -i "$infile"

show_signatures.sh

@@ -1,12 +0,0 @@
-#!/bin/bash
-# show signatures on a PE binary
-set -e
-
-infile="$1"
-
-if [ -z "$infile" -o ! -e "$infile" ]; then
-	echo "USAGE: $0 file.efi"
-	exit 1
-fi
-
-pesign -S -i "$infile"

strip_signature.sh

@@ -1,13 +0,0 @@
-#!/bin/bash
-# strip the signature from a PE binary
-set -e
-
-infile="$1"
-if [ -z "$infile" -o ! -e "$infile" ]; then
-	echo "USAGE: $0 file.efi"
-	exit 1
-fi
-
-outfile="${infile%.efi}-unsigned.efi"
-
-pesign -r -i "$infile" -o "$outfile"

timestamp.pl

@@ -1,146 +0,0 @@
-#!/usr/bin/perl -w
-# Copyright (c) 2012-2021 SUSE LLC
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-# SOFTWARE.
-
-=head1 timestamp.pl
-
-timestamp.pl - show or set pe timestamp in file
-
-=head1 SYNOPSIS
-
-timestamp.pl [OPTIONS] FILE...
-
-=head1 OPTIONS
-
-=over 4
-
-=item B<--set-form-file=FILE>
-
-parse timestamp, checksum, and linker version from file
-
-=item B<--help, -h>
-
-print help
-
-=back
-
-=head1 DESCRIPTION
-
-lorem ipsum ...
-
-=cut
-
-use strict;
-use Getopt::Long;
-Getopt::Long::Configure("no_ignore_case");
-use POSIX qw/strftime/;
-
-my %options;
-
-sub usage($) {
-	my $r = shift;
-	eval "use Pod::Usage; pod2usage($r);";
-	if ($@) {
-		die "cannot display help, install perl(Pod::Usage)\n";
-	}
-}
-
-GetOptions(
-	\%options,
-	"set-from-file=s",
-	"verbose|v",
-	"help|h",
-) or usage(1);
-
-usage(1) unless @ARGV;
-usage(0) if ($options{'help'});
-
-my $set_timestamp;
-my $set_checksum;
-my $set_linker;
-
-if ($options{'set-from-file'}) {
-	die "$options{'set-from-file'}: $!\n" unless open(my $fh, '<', $options{'set-from-file'});
-	while (<$fh>) {
-		chomp;
-		if (/^timestamp: ([0-9a-f]+)/) {
-			$set_timestamp = pack('L', hex($1));
-			next;
-		} elsif (/^linker: ([0-9a-f]+)/) {
-			$set_linker = pack('S', hex($1));
-			next;
-		} elsif (/^checksum: ([0-9a-f]+)/) {
-			$set_checksum = pack('L', hex($1));
-			next;
-		}
-		last if $set_timestamp && $set_checksum && $set_linker;
-	}
-	close($fh);
-	die "file didn't contain timestamp, checksum, or linker\n" unless $set_timestamp && $set_checksum && $set_linker;
-}
-
-sub do_show($)
-{
-	my $file = shift;
-	die "$file: $!\n" unless open(my $fh, '<', $file);
-	die "seek $file: $!\n" unless seek($fh, 136, 0);
-	my $value;
-	die "read $file: $!\n" unless read($fh, $value, 4);
-
-	my $timestamp = unpack('L', $value);
-	print strftime("# %Y-%m-%d %H:%M:%S\n", gmtime($timestamp));
-	printf ("timestamp: %x\n", $timestamp);
-
-	die "seek $file: $!\n" unless seek($fh, 154, 0);
-	die "read $file: $!\n" unless read($fh, $value, 2);
-
-	printf ("linker: %x\n", unpack('S', $value));
-
-	die "seek $file: $!\n" unless seek($fh, 216, 0);
-	die "read $file: $!\n" unless read($fh, $value, 4);
-
-	printf ("checksum: %x\n", unpack('L', $value));
-
-	close($fh);
-}
-
-sub do_set($)
-{
-	my $file = shift;
-	die "$file: $!\n" unless open(my $fh, '+<', $file);
-	die "seek $file: $!\n" unless seek($fh, 136, 0);
-	die "write $file: $!\n" unless print $fh $set_timestamp;
-
-	die "seek $file: $!\n" unless seek($fh, 154, 0);
-	die "write $file: $!\n" unless print $fh $set_linker;
-
-	die "seek $file: $!\n" unless seek($fh, 216, 0);
-	die "write $file: $!\n" unless print $fh $set_checksum;
-	close($fh);
-}
-
-for my $file (@ARGV) {
-	if ($options{'set-from-file'}) {
-		do_set($file);
-	} else {
-		do_show($file);
-	}
-
-}