shim.changes: Update change log for Fixed some issues in RPM Macro

and pretrans lus script with the old  rpm-4.14.3 on SLE-15-SP3

SLES-UEFI-CA-Certificate.crt

@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
-RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
-MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
-IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
-QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG
-A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD
-VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4
-IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B
-CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
-AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p
-ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE
-WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv
-abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7
-e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+
-whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/
-MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs
-qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51
-eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE
-BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx
-EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu
-ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU
-Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw
-pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL
-jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M
-rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3
-SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0
-rvc1p6G0YWtO
------END CERTIFICATE-----

openSUSE-UEFI-CA-Certificate.crt

@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEdDCCA1ygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
-blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
-bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
-EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjEyMDdaFw0zNTA3MjIxNjEy
-MDdaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
-BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
-amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3t9hknqk/oPRfTtoDrGn8E6Sk/xHPnAt
-Tojcmp76M7Sm2w4jwQ2owdVlBIQE/zpIGE85MuTKTvkEnp8PzSBdYaunANil/yt/
-vuhHwy9bAsi73o4a6UbThu//iJmQ6xCJuIs/PqgHxlV6btNf/IM8PRbtJsUTc5Kx
-cB4ilcgAbCV2RvGi2dCwmGgPpy2xDWeJypRK6hLFkVV2f2x6LvkYiZ/49CRD1TVq
-ywAOLu1L4l0J2BuXcJmeWm+mgaidqVh2fWlxgtO6OpZDm/DaFcZO6cgVuenLx+Rx
-zuoQG2vEKnABqVK0F94AUs995P0PTQMYspAo1G/Erla8NmBJRotrCwIDAQABo4H0
-MIHxMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGhCYA3iLExHfpW+I9/qlRPl
-lxdiMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPllxdioYGHpIGEMIGB
-MSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUx
-EjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEh
-MB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEBMA4GA1UdDwEB/wQE
-AwIBhjANBgkqhkiG9w0BAQsFAAOCAQEAiqOJwo7Z+YIL8zPO6RkXF6NlgM0zrgZR
-Vim2OId79J38KI6q4FMSDjpgxwbYOmF2O3cI9JSkjHxHOpnYhJsXzCBiLuJ25MY2
-DSbpLlM1Cvs6NZNFw5OCwQvzCOlXH1k3qdBsafto6n87r9P3WSeO1MeWc/QMCvc+
-5K9sjMd6bwl59EEf428R+z5ssaB75JK3yvky9d7DsHN947OCXc3sYdz+DD7Gteds
-LV2Sc//tqmqpm2aeXjptcLAxwM7fLyEQaAyH83egMzEKDxX27jKIxZpTcc0NGqEo
-idC/9lasSzs2BisBxevl3HKDPZSsKIMT+8FdJ5wT9jJf9h9Ktz5Tig==
------END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ/MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
+VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
+BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
+UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
+ARYNYnVpbGRAc3VzZS5kZTAeFw0yMjA2MDIyMjUyNTBaFw0zMjEyMzAyMjUyNTBa
+MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
+U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
+CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
+MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwDNrJ6NGA3ca+mIR0xPimAmBiC0p/LKKFf2nM64gGr2p
+l+VYf4tZONMJpeJSASChD9KEuDFpAfKJm0S+lvmMUEJSxdj6p8ynLtypcE/k9+TP
+5j8STpdA5L+P9RIt0r4USGUNf9WT5CfLmQVx6EWjjnUqP6H7t4gS76NXxI6ODu7G
+ihPiG4acjYxtgAmErXHP42Tk8srzYN+RVddZLnKQWhLWahuomq8320iHm2biZ01B
+coHFZnPO62fw5LHeig94UXixf7NPgwPBr9owuKw4WouDfH4nCY6KEOZG+flF/ME+
+6TuExYRCPwG3wXgOmGHNYyH8vAvR9s99sZFIGXYdrwIDAQABo4IBLDCCASgwDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUCsYrHz9TQnETJYbinTsQQVkcgkowgdMGA1Ud
+IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
+JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
+REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
+dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
+dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAgB40iq70uOw6SLvHhZb8NpJuETDdfQzE
+RuEDtd0bHgHfhvjLpzaHP8ZVLHr8lpsyaLwVE4598cmys8Zn1vvkCQOo4LwwVILR
+8Jar2gvgJ2xqTUVU3bYhr+MaGpScbDyK6n2Kb8/vuEpaHHTJWMx5js2jGh1G2+AG
+hohfQX+K5UPUKyBRfiDwcZhq2JpCOq5F/SDbm1kpX5dwzu/Y0yDYfukz4tqvpq+S
+8SW1+fv37Fbch6DjFw51ALUtkfPmNShlgcub3deyD0vZvBWxlJRllBv16c+yLXSx
+1XmOY8MOEntYKKgKb4zpNKAnCwP7yc/R5Chk1tvLgvoymbxAKfkd3Q==
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAPq+2L9Aml5lMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
+VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
+BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
+SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIyMDYxMzEzMjIxNloXDTMy
+MDQyMTEzMjIxNlowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
+Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
+EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIpQH6tn3NeRGrk
+VgrzbnoFSWg/sk8TQYI93YDE8csRBkj9pZAZDpF92m6Y7pfhQ5C8eOUwwBmRxj/c
+KeCvo9hBhN39kBnP0U0fH5eE5WSBk2+H2DT5TeGKh35pxqPUXGyz5wFtIdVGlDeS
+O+XvFb82Se2MSJhnBO0AHMP0jdqm8M6VOwOVeYb99YTJcCRpglmMhlkqytCghmAL
+Xdn8AcI5cwuInkeDGynsjYJmgaAOWh6Vl2D1HvCzJ2bVEw8x346bt0AKzS8iMYpJ
+5TDLWfV565L6LTVqni1IPGfppDtOd9L7oc//SufGMWppYT8FBDjDquNSnXh80QE+
+vWHVF+cCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP2fLBLl
+mdZ8x/kGdUGt9Ca3EkaeMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
+lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
+MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
+U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAW5MXYWfpK0ryVDBdXGPLWpORgKh6JT4nS7vU5BW5fX1DIc0fhE9q
+PmxwMX74OjXZ3520NfV1jrAg/dmyzUGu4pyvmTfRbwXweDnG1t3zb0PU1ntfzRht
+wnfQGm10eICZNKTwxp9D9ca6jIP0pQJXilRSBSqZpw0pNBPeX5FB87DBJnDkpsxV
+7FrzR+XjIZwFfBGNecyQdCBiCXtGUU7eDTKqtITL0WzwJ18heFKslwtcoESi6xSS
+jsVDsk0gyLxbGlAJy0VeEb1YhlJVbvZiCcEYq5W+U+S31807U+sz1nB+zAyc7JER
+JgSHwPK02VwNlY+9558V95Lkp+GZRSNJEA==
+-----END CERTIFICATE-----

shim-15.8.tar.bz2

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9
-size 2315201

shim-16.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46319cd228d8f2c06c744241c0f342412329a7c630436fce7f82cf6936b1d603
+size 2348998

shim-bsc1177315-verify-eku-codesign.patch

@@ -1,696 +0,0 @@
-From 6ff890bf0af9d37acc6ea8ad64f597060e8bb143 Mon Sep 17 00:00:00 2001
-From: Gary Lin <glin@suse.com>
-Date: Wed, 14 Oct 2020 14:31:12 +0800
-Subject: [PATCH] Enforce EKU CodeSign extension check
-
-Per NIAP OS_PP, the signer certificate of the UEFI image has to contain
-"CodeSign" extension in its Extended Key Usage(EKU).
-
-This commit borrows VerifyEKUsInPkcs7Signature() from edk2 and enforces
-the CodeSign check in Pkcs7Verify().
-+ Also merged the buffer use-after-free fix (*)
-
-(*) https://bugzilla.tianocore.org/show_bug.cgi?id=2459
-
-Signed-off-by: Gary Lin <glin@suse.com>
----
- Cryptlib/InternalCryptLib.h       |  32 ++
- Cryptlib/Library/BaseCryptLib.h   |  40 +++
- Cryptlib/Makefile                 |   1 +
- Cryptlib/Pk/CryptPkcs7Verify.c    |  10 +
- Cryptlib/Pk/CryptPkcs7VerifyEku.c | 516 ++++++++++++++++++++++++++++++
- 5 files changed, 599 insertions(+)
- create mode 100644 Cryptlib/Pk/CryptPkcs7VerifyEku.c
-
-diff --git a/Cryptlib/InternalCryptLib.h b/Cryptlib/InternalCryptLib.h
-index e9a4c20..8c9a2a4 100644
---- a/Cryptlib/InternalCryptLib.h
-+++ b/Cryptlib/InternalCryptLib.h
-@@ -30,5 +30,37 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
- #define OBJ_length(o) ((o)->length)
- #endif
- 
-+/**
-+  Check input P7Data is a wrapped ContentInfo structure or not. If not construct
-+  a new structure to wrap P7Data.
-+
-+  Caution: This function may receive untrusted input.
-+  UEFI Authenticated Variable is external input, so this function will do basic
-+  check for PKCS#7 data structure.
-+
-+  @param[in]  P7Data       Pointer to the PKCS#7 message to verify.
-+  @param[in]  P7Length     Length of the PKCS#7 message in bytes.
-+  @param[out] WrapFlag     If TRUE P7Data is a ContentInfo structure, otherwise
-+                           return FALSE.
-+  @param[out] WrapData     If return status of this function is TRUE:
-+                           1) when WrapFlag is TRUE, pointer to P7Data.
-+                           2) when WrapFlag is FALSE, pointer to a new ContentInfo
-+                           structure. It's caller's responsibility to free this
-+                           buffer.
-+  @param[out] WrapDataSize Length of ContentInfo structure in bytes.
-+
-+  @retval     TRUE         The operation is finished successfully.
-+  @retval     FALSE        The operation is failed due to lack of resources.
-+
-+**/
-+BOOLEAN
-+WrapPkcs7Data (
-+  IN  CONST UINT8  *P7Data,
-+  IN  UINTN        P7Length,
-+  OUT BOOLEAN      *WrapFlag,
-+  OUT UINT8        **WrapData,
-+  OUT UINTN        *WrapDataSize
-+  );
-+
- #endif
- 
-diff --git a/Cryptlib/Library/BaseCryptLib.h b/Cryptlib/Library/BaseCryptLib.h
-index 2df8bd2..ed482d3 100644
---- a/Cryptlib/Library/BaseCryptLib.h
-+++ b/Cryptlib/Library/BaseCryptLib.h
-@@ -2403,6 +2403,46 @@ Pkcs7Verify (
-   IN  UINTN        DataLength
-   );
- 
-+/**
-+  This function receives a PKCS#7 formatted signature blob,
-+  looks for the EKU SEQUENCE blob, and if found then looks
-+  for all the required EKUs. This function was created so that
-+  the Surface team can cut down on the number of Certificate
-+  Authorities (CA's) by checking EKU's on leaf signers for
-+  a specific product. This prevents one product's certificate
-+  from signing another product's firmware or unlock blobs.
-+
-+  Note that this function does not validate the certificate chain.
-+  That needs to be done before using this function.
-+
-+  @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array
-+                                   containing the content block with both the signature,
-+                                   the signer's certificate, and any necessary intermediate
-+                                   certificates.
-+  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
-+  @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of
-+                                   required EKUs that must be present in the signature.
-+  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.
-+  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's
-+                                   must be present in the leaf signer.  If it is
-+                                   FALSE, then we will succeed if we find any
-+                                   of the specified EKU's.
-+
-+  @retval EFI_SUCCESS              The required EKUs were found in the signature.
-+  @retval EFI_INVALID_PARAMETER    A parameter was invalid.
-+  @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.
-+
-+**/
-+EFI_STATUS
-+EFIAPI
-+VerifyEKUsInPkcs7Signature (
-+  IN CONST UINT8    *Pkcs7Signature,
-+  IN CONST UINT32   SignatureSize,
-+  IN CONST CHAR8    *RequiredEKUs[],
-+  IN CONST UINT32   RequiredEKUsSize,
-+  IN BOOLEAN        RequireAllPresent
-+  );
-+
- /**
-   Extracts the attached content from a PKCS#7 signed data if existed. The input signed
-   data could be wrapped in a ContentInfo structure.
-diff --git a/Cryptlib/Makefile b/Cryptlib/Makefile
-index 18a33b1..a1d8b02 100644
---- a/Cryptlib/Makefile
-+++ b/Cryptlib/Makefile
-@@ -41,6 +41,7 @@ OBJS		=   Hash/CryptMd4Null.o \
- 		    Pk/CryptRsaExtNull.o \
- 		    Pk/CryptPkcs7SignNull.o \
- 		    Pk/CryptPkcs7Verify.o \
-+		    Pk/CryptPkcs7VerifyEku.o \
- 		    Pk/CryptDhNull.o \
- 		    Pk/CryptTs.o \
- 		    Pk/CryptX509.o \
-diff --git a/Cryptlib/Pk/CryptPkcs7Verify.c b/Cryptlib/Pk/CryptPkcs7Verify.c
-index 09895d8..da15be2 100644
---- a/Cryptlib/Pk/CryptPkcs7Verify.c
-+++ b/Cryptlib/Pk/CryptPkcs7Verify.c
-@@ -29,6 +29,8 @@ WITHOUT WARRANTIES OR REPRESENTATIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED.
- #include <openssl/pkcs7.h>
- 
- UINT8 mOidValue[9] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x07, 0x02 };
-+/* EKU CodeSign */
-+CHAR8 mOidCodeSign[] = "1.3.6.1.5.5.7.3.3";
- 
- #if 1
- #if OPENSSL_VERSION_NUMBER < 0x10100000L
-@@ -846,6 +848,8 @@ Pkcs7Verify (
-   CONST UINT8 *Temp;
-   UINTN       SignedDataSize;
-   BOOLEAN     Wrapped;
-+  CONST CHAR8 *Ekus[1];
-+  EFI_STATUS  EFI_Status;
- 
-   //
-   // Check input parameters.
-@@ -859,6 +863,7 @@ Pkcs7Verify (
-   DataBio   = NULL;
-   Cert      = NULL;
-   CertStore = NULL;
-+  Ekus[0]   = mOidCodeSign;
- 
-   //
-   // Register & Initialize necessary digest algorithms for PKCS#7 Handling
-@@ -958,6 +963,11 @@ Pkcs7Verify (
-   //
-   X509_STORE_set_purpose (CertStore, X509_PURPOSE_ANY);
- 
-+  EFI_Status = VerifyEKUsInPkcs7Signature(P7Data, P7Length, Ekus, 1, TRUE);
-+  if (EFI_Status != EFI_SUCCESS) {
-+	  goto _Exit;
-+  }
-+
-   //
-   // Verifies the PKCS#7 signedData structure
-   //
-diff --git a/Cryptlib/Pk/CryptPkcs7VerifyEku.c b/Cryptlib/Pk/CryptPkcs7VerifyEku.c
-new file mode 100644
-index 0000000..2c172e2
---- /dev/null
-+++ b/Cryptlib/Pk/CryptPkcs7VerifyEku.c
-@@ -0,0 +1,516 @@
-+/** @file
-+  This module verifies that Enhanced Key Usages (EKU's) are present within
-+  a PKCS7 signature blob using OpenSSL.
-+
-+  Copyright (C) Microsoft Corporation. All Rights Reserved.
-+  Copyright (c) 2019, Intel Corporation. All rights reserved.<BR>
-+
-+  SPDX-License-Identifier: BSD-2-Clause-Patent
-+
-+**/
-+
-+#include <Base.h>
-+#include "InternalCryptLib.h"
-+#include <openssl/x509v3.h>
-+#include <openssl/asn1.h>
-+#include <openssl/x509.h>
-+#include <openssl/bio.h>
-+#include <openssl/x509.h>
-+#include <openssl/pkcs7.h>
-+#include <openssl/bn.h>
-+#include <openssl/x509_vfy.h>
-+#include <openssl/pem.h>
-+#include <openssl/evp.h>
-+#include <openssl/asn1.h>
-+
-+/**
-+  This function will return the leaf signer certificate in a chain.  This is
-+  required because certificate chains are not guaranteed to have the
-+  certificates in the order that they were issued.
-+
-+  A typical certificate chain looks like this:
-+
-+
-+                 ----------------------------
-+                |            Root            |
-+                 ----------------------------
-+                               ^
-+                               |
-+                 ----------------------------
-+                |          Policy CA         | <-- Typical Trust Anchor.
-+                 ----------------------------
-+                               ^
-+                               |
-+                 ----------------------------
-+                |         Issuing CA         |
-+                 ----------------------------
-+                               ^
-+                               |
-+                 -----------------------------
-+                /  End-Entity (leaf) signer  / <-- Bottom certificate.
-+                -----------------------------  EKU: "1.3.6.1.4.1.311.76.9.21.1"
-+                                                    (Firmware Signing)
-+
-+
-+  @param[in]   CertChain            Certificate chain.
-+
-+  @param[out]  SignerCert           Last certificate in the chain.  For PKCS7 signatures,
-+                                    this will be the end-entity (leaf) signer cert.
-+
-+  @retval EFI_SUCCESS               The required EKUs were found in the signature.
-+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
-+  @retval EFI_NOT_FOUND             The number of signers found was not 1.
-+
-+**/
-+EFI_STATUS
-+GetSignerCertificate (
-+  IN CONST PKCS7 *CertChain,
-+  OUT X509       **SignerCert
-+  )
-+{
-+  EFI_STATUS      Status;
-+  STACK_OF(X509)  *Signers;
-+  INT32           NumberSigners;
-+
-+  Status         = EFI_SUCCESS;
-+  Signers        = NULL;
-+  NumberSigners  = 0;
-+
-+  if (CertChain == NULL || SignerCert == NULL) {
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Get the signers from the chain.
-+  //
-+  Signers = PKCS7_get0_signers ((PKCS7*) CertChain, NULL, PKCS7_BINARY);
-+  if (Signers == NULL) {
-+    //
-+    // Fail to get signers form PKCS7
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // There should only be one signer in the PKCS7 stack.
-+  //
-+  NumberSigners = sk_X509_num (Signers);
-+  if (NumberSigners != 1) {
-+    //
-+    // The number of singers should have been 1
-+    //
-+    Status = EFI_NOT_FOUND;
-+    goto Exit;
-+  }
-+
-+  *SignerCert = sk_X509_value (Signers, 0);
-+
-+Exit:
-+  //
-+  // Release Resources
-+  //
-+  if (Signers != NULL) {
-+    sk_X509_free (Signers);
-+  }
-+
-+  return Status;
-+}
-+
-+
-+/**
-+  Determines if the specified EKU represented in ASN1 form is present
-+  in a given certificate.
-+
-+  @param[in]  Cert                  The certificate to check.
-+
-+  @param[in]  Asn1ToFind            The EKU to look for.
-+
-+  @retval EFI_SUCCESS               We successfully identified the signing type.
-+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
-+  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
-+
-+**/
-+EFI_STATUS
-+IsEkuInCertificate (
-+  IN CONST X509  *Cert,
-+  IN ASN1_OBJECT *Asn1ToFind
-+  )
-+{
-+  EFI_STATUS          Status;
-+  X509                *ClonedCert;
-+  X509_EXTENSION      *Extension;
-+  EXTENDED_KEY_USAGE  *Eku;
-+  INT32               ExtensionIndex;
-+  INTN                NumExtensions;
-+  ASN1_OBJECT         *Asn1InCert;
-+  INTN                Index;
-+
-+  Status            = EFI_NOT_FOUND;
-+  ClonedCert        = NULL;
-+  Extension         = NULL;
-+  Eku               = NULL;
-+  ExtensionIndex    = -1;
-+  NumExtensions     = 0;
-+  Asn1InCert        = NULL;
-+
-+  if (Cert == NULL || Asn1ToFind == NULL) {
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Clone the certificate.  This is required because the Extension API's
-+  // only work once per instance of an X509 object.
-+  //
-+  ClonedCert = X509_dup ((X509*)Cert);
-+  if (ClonedCert == NULL) {
-+    //
-+    // Fail to duplicate cert.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Look for the extended key usage.
-+  //
-+  ExtensionIndex = X509_get_ext_by_NID (ClonedCert, NID_ext_key_usage, -1);
-+
-+  if (ExtensionIndex < 0) {
-+    //
-+    // Fail to find 'NID_ext_key_usage' in Cert.
-+    //
-+    goto Exit;
-+  }
-+
-+  Extension = X509_get_ext (ClonedCert, ExtensionIndex);
-+  if (Extension == NULL) {
-+    //
-+    // Fail to get Extension form cert.
-+    //
-+    goto Exit;
-+  }
-+
-+  Eku = (EXTENDED_KEY_USAGE*)X509V3_EXT_d2i (Extension);
-+  if (Eku == NULL) {
-+    //
-+    // Fail to get Eku from extension.
-+    //
-+    goto Exit;
-+  }
-+
-+  NumExtensions = sk_ASN1_OBJECT_num (Eku);
-+
-+  //
-+  // Now loop through the extensions, looking for the specified Eku.
-+  //
-+  for (Index = 0; Index < NumExtensions; Index++) {
-+    Asn1InCert = sk_ASN1_OBJECT_value (Eku, (INT32)Index);
-+    if (Asn1InCert == NULL) {
-+      //
-+      // Fail to get ASN object from Eku.
-+      //
-+      goto Exit;
-+    }
-+
-+    if (OBJ_cmp(Asn1InCert, Asn1ToFind) == 0) {
-+      //
-+      // Found Eku in certificate.
-+      //
-+      Status = EFI_SUCCESS;
-+      goto Exit;
-+    }
-+  }
-+
-+Exit:
-+
-+  //
-+  // Release Resources
-+  //
-+  if (ClonedCert != NULL) {
-+    X509_free (ClonedCert);
-+  }
-+
-+  if (Eku != NULL) {
-+    sk_ASN1_OBJECT_pop_free (Eku, ASN1_OBJECT_free);
-+  }
-+
-+  return Status;
-+}
-+
-+
-+/**
-+  Determines if the specified EKUs are present in a signing certificate.
-+
-+  @param[in]  SignerCert            The certificate to check.
-+  @param[in]  RequiredEKUs          The EKUs to look for.
-+  @param[in]  RequiredEKUsSize      The number of EKUs
-+  @param[in]  RequireAllPresent     If TRUE, then all the specified EKUs
-+                                    must be present in the certificate.
-+
-+  @retval EFI_SUCCESS               We successfully identified the signing type.
-+  @retval EFI_INVALID_PARAMETER     A parameter was invalid.
-+  @retval EFI_NOT_FOUND             One or more EKU's were not found in the signature.
-+**/
-+EFI_STATUS
-+CheckEKUs(
-+  IN CONST X509     *SignerCert,
-+  IN CONST CHAR8    *RequiredEKUs[],
-+  IN CONST UINT32   RequiredEKUsSize,
-+  IN BOOLEAN        RequireAllPresent
-+  )
-+{
-+  EFI_STATUS    Status;
-+  ASN1_OBJECT   *Asn1ToFind;
-+  UINT32        NumEkusFound;
-+  UINT32        Index;
-+
-+  Status       = EFI_NOT_FOUND;
-+  Asn1ToFind   = NULL;
-+  NumEkusFound = 0;
-+
-+  if (SignerCert == NULL || RequiredEKUs == NULL || RequiredEKUsSize == 0) {
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  for (Index = 0; Index < RequiredEKUsSize; Index++) {
-+    //
-+    // Finding required EKU in cert.
-+    //
-+    if (Asn1ToFind != NULL) {
-+      ASN1_OBJECT_free(Asn1ToFind);
-+      Asn1ToFind = NULL;
-+    }
-+
-+    Asn1ToFind = OBJ_txt2obj (RequiredEKUs[Index], 0);
-+    if (Asn1ToFind == NULL) {
-+      //
-+      // Fail to convert required EKU to ASN1.
-+      //
-+      Status = EFI_INVALID_PARAMETER;
-+      goto Exit;
-+    }
-+
-+    Status = IsEkuInCertificate (SignerCert, Asn1ToFind);
-+    if (Status == EFI_SUCCESS) {
-+      NumEkusFound++;
-+      if (!RequireAllPresent) {
-+        //
-+        // Found at least one, so we are done.
-+        //
-+        goto Exit;
-+      }
-+    } else {
-+      //
-+      // Fail to find Eku in cert
-+      break;
-+    }
-+  }
-+
-+Exit:
-+
-+  if (Asn1ToFind != NULL) {
-+    ASN1_OBJECT_free(Asn1ToFind);
-+  }
-+
-+  if (RequireAllPresent &&
-+      NumEkusFound == RequiredEKUsSize) {
-+    //
-+    // Found all required EKUs in certificate.
-+    //
-+    Status = EFI_SUCCESS;
-+  }
-+
-+  return Status;
-+}
-+
-+/**
-+  This function receives a PKCS#7 formatted signature blob,
-+  looks for the EKU SEQUENCE blob, and if found then looks
-+  for all the required EKUs. This function was created so that
-+  the Surface team can cut down on the number of Certificate
-+  Authorities (CA's) by checking EKU's on leaf signers for
-+  a specific product. This prevents one product's certificate
-+  from signing another product's firmware or unlock blobs.
-+
-+  Note that this function does not validate the certificate chain.
-+  That needs to be done before using this function.
-+
-+  @param[in]  Pkcs7Signature       The PKCS#7 signed information content block. An array
-+                                   containing the content block with both the signature,
-+                                   the signer's certificate, and any necessary intermediate
-+                                   certificates.
-+  @param[in]  Pkcs7SignatureSize   Number of bytes in Pkcs7Signature.
-+  @param[in]  RequiredEKUs         Array of null-terminated strings listing OIDs of
-+                                   required EKUs that must be present in the signature.
-+  @param[in]  RequiredEKUsSize     Number of elements in the RequiredEKUs string array.
-+  @param[in]  RequireAllPresent    If this is TRUE, then all of the specified EKU's
-+                                   must be present in the leaf signer.  If it is
-+                                   FALSE, then we will succeed if we find any
-+                                   of the specified EKU's.
-+
-+  @retval EFI_SUCCESS              The required EKUs were found in the signature.
-+  @retval EFI_INVALID_PARAMETER    A parameter was invalid.
-+  @retval EFI_NOT_FOUND            One or more EKU's were not found in the signature.
-+
-+**/
-+EFI_STATUS
-+EFIAPI
-+VerifyEKUsInPkcs7Signature (
-+  IN CONST UINT8    *Pkcs7Signature,
-+  IN CONST UINT32   SignatureSize,
-+  IN CONST CHAR8    *RequiredEKUs[],
-+  IN CONST UINT32   RequiredEKUsSize,
-+  IN BOOLEAN        RequireAllPresent
-+  )
-+{
-+  EFI_STATUS        Status;
-+  PKCS7             *Pkcs7;
-+  STACK_OF(X509)    *CertChain;
-+  INT32             SignatureType;
-+  INT32             NumberCertsInSignature;
-+  X509              *SignerCert;
-+  UINT8             *SignedData;
-+  UINT8             *Temp;
-+  UINTN             SignedDataSize;
-+  BOOLEAN           IsWrapped;
-+  BOOLEAN           Ok;
-+
-+  Status                    = EFI_SUCCESS;
-+  Pkcs7                     = NULL;
-+  CertChain                 = NULL;
-+  SignatureType             = 0;
-+  NumberCertsInSignature    = 0;
-+  SignerCert                = NULL;
-+  SignedData                = NULL;
-+  SignedDataSize            = 0;
-+  IsWrapped                 = FALSE;
-+  Ok                        = FALSE;
-+
-+  //
-+  //Validate the input parameters.
-+  //
-+  if (Pkcs7Signature   == NULL ||
-+      SignatureSize    == 0    ||
-+      RequiredEKUs     == NULL ||
-+      RequiredEKUsSize == 0) {
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  if (RequiredEKUsSize == 1) {
-+    RequireAllPresent = TRUE;
-+  }
-+
-+  //
-+  // Wrap the PKCS7 data if needed.
-+  //
-+  Ok = WrapPkcs7Data (Pkcs7Signature,
-+                      SignatureSize,
-+                      &IsWrapped,
-+                      &SignedData,
-+                      &SignedDataSize);
-+  if (!Ok) {
-+    //
-+    // Fail to Wrap the PKCS7 data.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  Temp = SignedData;
-+
-+  //
-+  // Create the PKCS7 object.
-+  //
-+  Pkcs7 = d2i_PKCS7 (NULL, (const unsigned char **)&Temp, (INT32)SignedDataSize);
-+  if (Pkcs7 == NULL) {
-+    //
-+    // Fail to read PKCS7 data.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Get the certificate chain.
-+  //
-+  SignatureType = OBJ_obj2nid (Pkcs7->type);
-+  switch (SignatureType) {
-+  case NID_pkcs7_signed:
-+    if (Pkcs7->d.sign != NULL) {
-+      CertChain = Pkcs7->d.sign->cert;
-+    }
-+    break;
-+  case NID_pkcs7_signedAndEnveloped:
-+    if (Pkcs7->d.signed_and_enveloped != NULL) {
-+      CertChain = Pkcs7->d.signed_and_enveloped->cert;
-+    }
-+    break;
-+  default:
-+    break;
-+  }
-+
-+  //
-+  // Ensure we have a certificate stack
-+  //
-+  if (CertChain == NULL) {
-+    //
-+    // Fail to get the certificate stack from signature.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Find out how many certificates were in the PKCS7 signature.
-+  //
-+  NumberCertsInSignature = sk_X509_num (CertChain);
-+
-+  if (NumberCertsInSignature == 0) {
-+    //
-+    // Fail to find any certificates in signature.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  //
-+  // Get the leaf signer.
-+  //
-+  Status = GetSignerCertificate (Pkcs7, &SignerCert);
-+  if (Status != EFI_SUCCESS || SignerCert == NULL) {
-+    //
-+    // Fail to get the end-entity leaf signer certificate.
-+    //
-+    Status = EFI_INVALID_PARAMETER;
-+    goto Exit;
-+  }
-+
-+  Status = CheckEKUs (SignerCert, RequiredEKUs, RequiredEKUsSize, RequireAllPresent);
-+  if (Status != EFI_SUCCESS) {
-+    goto Exit;
-+  }
-+
-+Exit:
-+
-+  //
-+  // Release Resources
-+  //
-+  // If the signature was not wrapped, then the call to WrapData() will allocate
-+  // the data and add a header to it
-+  //
-+  if (!IsWrapped && SignedData) {
-+    free (SignedData);
-+  }
-+
-+  if (Pkcs7 != NULL) {
-+    PKCS7_free (Pkcs7);
-+  }
-+
-+  return Status;
-+}
-+
--- 
-2.29.2
-

shim-install

@@ -60,6 +60,7 @@ fi
 if [ x"${GRUB_DISTRIBUTOR}" = x ] && [ -f "${sysconfdir}/os-release" ] ; then
     . "${sysconfdir}/os-release"
     GRUB_DISTRIBUTOR="${NAME} ${VERSION}"
+    OS_ID="${ID}"
 fi
 
 bootloader_id="$(echo "$GRUB_DISTRIBUTOR" | tr 'A-Z' 'a-z' | cut -d' ' -f1)"
@@ -78,6 +79,27 @@ case "$bootloader_id" in
     *) ca_string="";;
 esac
 
+case "$OS_ID" in
+    "opensuse-leap")
+        ca_string='SUSE Linux Enterprise Secure Boot CA1';;
+esac
+
+# bsc#1230316 Check if the system is encrypted SL-Micro
+is_encrypted_slm () {
+   if test "$GRUB_DISTRIBUTOR" = "SL Micro" && test -n "$GRUB_TPM2_SEALED_KEY" ; then
+       # return true
+       return 0
+   fi
+
+   # return false
+   return 1
+}
+
+# bsc#1230316 For encrypted SL-Micro, always install shim/grub2 with the "removable" way
+if is_encrypted_slm; then
+    removable=yes
+fi
+
 is_azure () {
     local bios_vendor;
     local product_name;
@@ -465,32 +487,36 @@ if test "$no_nvram" = no && test -n "$bootloader_id"; then
         $efibootmgr -b "$bootnum" -B
     done
 
-    efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
-    efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
-    if test -z "$efidir_drive" || test -z "$efidir_disk"; then
-        echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
-    # bsc#1119762 If the MD device is partitioned, we just need to create one
-    # boot entry since the partitions are nested partitions and the mirrored
-    # partitions share the same UUID.
-    elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
-        eval $(mdadm --detail --export "$efidir_disk" |
-          perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
-                    sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
-        if [ "$MD_LEVEL" != "raid1" ]; then
-            echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
-        fi
-        for mddev in $MD_DEVS; do
-            efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
-            efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
+    # bsc#1230316 Skip the creation of the boot option for encrypted SL-Micro to make
+    # the system always boot from the default boot path (\EFI\BOOT\boot<arch>.efi)
+    if ! is_encrypted_slm; then
+        efidir_drive="$("$grub_probe" --target=drive --device-map= "$efidir")"
+        efidir_disk="$("$grub_probe" --target=disk --device-map= "$efidir")"
+        if test -z "$efidir_drive" || test -z "$efidir_disk"; then
+            echo "Can't find GRUB drive for $efidir; unable to create EFI Boot Manager entry." >&2
+        # bsc#1119762 If the MD device is partitioned, we just need to create one
+        # boot entry since the partitions are nested partitions and the mirrored
+        # partitions share the same UUID.
+        elif [[ "$efidir_drive" == \(mduuid/* && "$efidir_drive" != \(mduuid/*,* ]]; then
+            eval $(mdadm --detail --export "$efidir_disk" |
+              perl -ne 'print if m{^MD_LEVEL=}; push( @D, $1) if (m{^MD_DEVICE_\S+_DEV=(\S+)$});
+                        sub END() {print "MD_DEVS=\"", join( " ", @D), "\"\n";};')
+            if [ "$MD_LEVEL" != "raid1" ]; then
+                echo "GRUB drive for $efidir not on RAID1; unable to create EFI Boot Manager entry." >&2
+            fi
+            for mddev in $MD_DEVS; do
+                efidir_drive="$("$grub_probe" --target=drive --device-map= -d "$mddev")"
+                efidir_disk="$("$grub_probe" --target=disk --device-map= -d "$mddev")"
+                efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
+                efidir_d=${mddev#/dev/}
+                $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
+                  -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
+            done
+        else
             efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
-            efidir_d=${mddev#/dev/}
             $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
-              -L "$bootloader_id ($efidir_d)" -l "\\EFI\\$efi_distributor\\$efi_file"
-        done
-    else
-        efidir_part="$(echo "$efidir_drive" | sed 's/^([^,]*,[^0-9]*//; s/[^0-9].*//')"
-        $efibootmgr -c -d "$efidir_disk" -p "$efidir_part" -w \
-    	-L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+              -L "$bootloader_id" -l "\\EFI\\$efi_distributor\\$efi_file"
+        fi
     fi
 fi
 

shim.changes

@@ -1,3 +1,410 @@
+-------------------------------------------------------------------
+Fri Nov 28 08:30:55 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Fixed some issues in RPM Macro and pretrans lus script with the old
+  rpm-4.14.3 on SLE-15-SP3:
+    - shim.spec: Use io.open instead of pcall rpm.open in pretrans lua script
+    - shim.spec: Workaround the string comparison issue in elif directive
+    - shim.spec: Specify the certificate format in openssl commands
+
+-------------------------------------------------------------------
+Wed Nov 26 07:42:15 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add Microsoft-signed 16.1 shim
+- shim.spec: Temporarily disable nx-shim
+    - We still need time to test nx (non-executable) shim and develop
+      the script for delivery. We will not support nx-shim on all Leap
+      and SLE distros because the function should also be supported by
+      grub2 and kernel.
+- shim.spec: Remove the reproducibility check for the shim binary
+    - The binutils on Leap 15.6 and SLE-15-SP3 has been upgraded to 2.45
+      when we are waiting shim-review and Microsoft signing. It causes
+      that the shim binary is NOT reproducible on build services.
+    - We just direct use the Microsoft signed-back shim binaries
+      because we build this binary before and have the logs to prove it.
+      Before we find a good approach to save/restore the build service
+      environment, let’s directly use the Microsoft signed-back shim for
+      delivery.
+- Certificates: Add Microsoft UEFI CA files to the target certificates
+  array in pretrans script.
+- Certificates: Convert the SUSE certificates from PEM to DER format
+- timestamp.pl: fix the size of checksum in PE Optional Header
+
+-------------------------------------------------------------------
+Mon Oct 13 16:31:45 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add a pretrans script to verify that the UEFI db should have the
+  necessary certificate to allow the shim binary to boot. The installation
+  will be aborted if the db is missing the target certificate. To proceed,
+  the user must enroll the target certificate in the db or disable UEFI
+  Secure Boot.
+
+-------------------------------------------------------------------
+Tue Aug 19 07:48:52 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Removed the following patches because they are merged to shim 16.1:
+        - shim-alloc-one-more-byte-for-sprintf.patch
+        - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch 
+
+-------------------------------------------------------------------
+Tue Aug 19 03:46:46 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Update to 16.1
+    - Patches (git log --oneline --reverse 16.0..16.1)
+        4040ec4 shim_start_image(): fix guid/handle pairing when uninstalling protocols
+        39c0aa1 str2ip6(): parsing of "uncompressed" ipv6 addresses
+        3133d19 test-mock-variables: make our filter list entries safer.
+        d44405e mock-variables: remove unused variable
+        0e8459f Update CI to use ubuntu-24.04 instead of ubuntu-20.04
+        d16a5a6 SbatLevel_Variable.txt: minor typo fix.
+        32804cf Realloc() needs one more byte for sprintf()
+        431d370 IPv6: Add more check to avoid multiple double colon and illegal char
+        5e4d93c Loader Proto: make freeing of bprop.buffer conditional.
+        33deac2 Prepare to move things from shim.c to verify.c
+        030e7df Move a bunch of stuff from shim.c to verify.c
+        f3ddda7 handle_image(): make verification conditional
+        774f226 Cache sections of a loaded image and sub-images from them.
+        eb0d20b loader-protocol: handle sub-section loading for UKIs
+        2f64bb9 loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages
+        1abc7ca loader-protocol: NULL output variable in load_image on failure
+        fb77b44 Generate Authenticode for the entire PE file
+        b86b909 README: mention new loader protocol and interaction with UKIs
+        8522612 ci: add mkosi configuration and CI
+        9ebab84 mkosi workflow: fix the branch name for main.
+        72a4c41 shim: change automatically enable MOK_POLICY_REQUIRE_NX
+        a2f0dfa This is an organizational patch to move some things around in mok.c
+        54b9946 Update to the shim-16.1 branch of gnu-efi to get AsciiSPrint()
+        a5a6922 get_max_var_sz(): add more debugging for apple platforms
+        77a2922 Add a "VariableInfo" variable to mok-variables.
+        efc71c9 build: Avoid passing *FLAGS to sub-make
+        7670932 Fixes for 'make TOPDIR=... clean'
+        13ab598 add SbatLevel entry 2025051000 for PSA-2025-00012-1
+        617aed5 Update version to 16.1~rc1
+        d316ba8 format_variable_info(): fix wrong size test.
+        f5fad0e _do_sha256_sum(): Fix missing error check.
+        3a9734d doc: add howto for running mkosi locally
+        ced5f71 mkosi: remove spurious slashes from script
+        0076155 ci: update mkosi commit
+        5481105 fix http boot
+        121cddf loader-protocol: Handle UnloadImage after StartImage properly
+        6a1d1a9 loader-protocol: Fix memory leaks
+        27a5d22 gitignore: add more mkosi dirs and vscode dir
+        346ed15 mkosi: disable repository key check on Fedora
+        afc4955 Update version to 16.1
+    - 16.1 release note https://github.com/rhboot/shim/releases
+            shim_start_image(): fix guid/handle pairing when uninstalling protocols by @vathpela in #738
+            Fix uncompressed ipv6 netboot by @hrvach in #742
+            fix test segfaults caused by uninitialized memory by @Fabian-Gruenbichler in #739
+            Update CI to use ubuntu-24.04 instead of ubuntu-20.04 by @vathpela in #749
+            SbatLevel_Variable.txt: minor typo fix. by @vathpela in #751
+            Realloc() needs to allocate one more byte for sprintf() by @dennis-tseng99 in #746
+            IPv6: Add more check to avoid multiple double colon and illegal char by @dennis-tseng99 in #753
+            Loader proto v2 by @vathpela in #748
+            loader-protocol: add workaround for EDK2 2025.02 page fault on FreePages by @bluca in #750
+            Generate Authenticode for the entire PE file by @esnowberg in #604
+            README: mention new loader protocol and interaction with UKIs by @bluca in #755
+            ci: add mkosi configuration and CI by @bluca in #764
+            shim: change automatically enable MOK_POLICY_REQUIRE_NX by @vathpela in #761
+            Save var info by @vathpela in #763
+            build: Avoid passing *FLAGS to sub-make by @rosslagerwall in #758
+            Fixes for 'make TOPDIR=... clean' by @bluca in #762
+            add SbatLevel entry 2025051000 for PSA-2025-00012-1 by @Fabian-Gruenbichler in #766
+            Coverity fixes 20250804 by @vathpela in #767
+            ci: fixlets and docs for mkosi workflow by @bluca in #768
+            fix http boot by @jsetje in #770
+            Fix double free and leak in the loader protocol by @rosslagerwall in #769
+            gitignore: add more mkosi dirs and vscode dir by @bluca in #771
+    - Drop upstreamed patch:
+      The following patches are merged to 16.1
+        - shim-alloc-one-more-byte-for-sprintf.patch
+            - 32804cf5d9 Realloc() needs one more byte for sprintf()    [16.1]
+        - shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch 
+            - 72a4c41877 shim: change automatically enable MOK_POLICY_REQUIRE_NX [16.1]
+
+-------------------------------------------------------------------
+Tue Aug 12 03:03:21 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- SLE shim should includes vendor-dbx-sles.esl instead of
+  vendor-dbx-opensuse.esl. Fixed it in shim.spec.
+
+        verify='SUSE Linux Enterprise Secure Boot CA1'
+-       vendor_dbx='vendor-dbx-opensuse.esl'
++       vendor_dbx='vendor-dbx-sles.esl'
+
+-------------------------------------------------------------------
+Wed Aug  6 06:27:40 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Building with the latest version of gcc in the codebase:
+    - We prefer that building shim with the latest version of gcc in codebase.
+    - Set the minimum version is gcc-13.
+        if gcc_version < 13
+                define gcc_version 13
+        endif
+  (bsc#1247432)
+
+-------------------------------------------------------------------
+Sat Aug  2 16:42:29 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Using gcc13 for building shim/shim-nx
+    - The gcc13 can workaround dxe_get_mem_attrs() hsi_status problem
+    - Add the following changes to shim.spec :
+        define gcc_version 13
+        global cc_compiler /usr/bin/gcc-%{gcc_version}
+        BuildRequires  gcc%{gcc_version}
+        make CC=%{cc_compiler} RELEASE=0 
+- Remove shim-disable-dxe-get-mem-attrs.patch
+    - This downstream patch can be removed after moving to gcc13 
+  (bsc#1247432)
+
+-------------------------------------------------------------------
+Thu Jul 31 12:47:58 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add shim-disable-dxe-get-mem-attrs.patch
+    - On old edk2-stable202308 ovmf, running dxe_get_mem_attrs() causes
+      get_hsi_mem_info() confusion on hsi_status. It looks that hsi_status
+      has a copy after running dxe_get_mem_attrs(). Those elements in 
+      hsi_nx_is_enforced(), HEAPX|STACKX|ROW can NOT set into hsi_status.
+      Let's disabling the approach of DXE get memory attributes until
+      we found the root cause.
+  (bsc#1247432) 
+
+-------------------------------------------------------------------
+Mon Jul 28 16:25:46 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Removed pre script in shim package for checking UEFI db has valid key
+  for shim because it will interrupt group update of RPMs. It should be
+  moved to %pretrans and re-written by lua.
+
+-------------------------------------------------------------------
+Sun Jul 27 04:48:57 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add pre script to shim package for checking UEFI db has valid key for shim.
+  It prevents that SUSE shim be installed on a machine which can no verify
+  and boot with it when secure boot is enabled.
+  User can still install shim success when secure boot is disabled even no
+  valid key in UEFI db. User should aware that shim can not be boot when
+  secure boot is enabled.
+  This checking will useful for changing Microsoft or SUSE CA in the future.
+  The shim be signed by new MS/SUSE key will NOT be installed on a machine
+  which does not have new key in UEFI db when secure boot is enabled. It
+  can prevent booting fail after shim package is updated.
+
+-------------------------------------------------------------------
+Fri Jul 25 06:01:26 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Building out shim.nx.efi for supporting non-executable
+    - Building additional shim with POST_PROCESS_PE_FLAGS=-n to set
+      the PE NX-compatibility DLL. (NxCompatible field in DllCharacteristics)
+    - Packaging shim.nx.efi to shim-nx RPM.
+    - Add MS signatures for shim.nx
+        - signature-opensuse-nx.x86_64.asc
+          signature-sles-nx.x86_64.asc
+          signature-opensuse-nx.aarch64.asc
+          signature-sles-nx.aarch64.asc
+        - We direc copy signatures of shim for shim.nx before we got
+          signatures from Microsoft.
+- Building MokManager.efi and fallback.efi with POST_PROCESS_PE_FLAGS=-n
+(bsc#1205588)
+
+-------------------------------------------------------------------
+Fri Jul 25 05:44:51 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- Add shim-change-automatically-enable-MOK_POLICY_REQUIRE_NX.patch 
+    - shim: change automatically enable MOK_POLICY_REQUIRE_NX (PR #761)
+  (bsc#1205588)
+
+-------------------------------------------------------------------
+Tue Jul  8 13:44:42 UTC 2025 - Joey Lee <jlee@suse.com>
+
+- The old shim-16.0.tar.bz2 is repackaged from a local source which
+  includes quilt series files. It causes that we can not direct add
+  new patch file through shim.spec. I replaced it by shim-16.0 tarball
+  from upstream:
+  https://github.com/rhboot/shim/releases/download/16.0/shim-16.0.tar.bz2  
+
+-------------------------------------------------------------------
+Thu Jun  5 03:22:48 UTC 2025 - Dennis <dennis.tseng@suse.com>
+
+- rename incorrect certificat name revoked-SLES-UEFI-SIGN-Certificate-2022-06.crt
+  to revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt, and
+  re-arrange its sequence. 
+
+-------------------------------------------------------------------
+Wed May 28 03:37:04 UTC 2025 - Tseng <dennis.tseng@suse.com>
+
+- add revoked-SLES-UEFI-SIGN-Certificate-2022-06.crt into dbx
+- build shim with EKU enable flag (ENABLE_CODESIGN_EKU) 
+  remove EKU enable flag when build MokManager and fallback
+
+-------------------------------------------------------------------
+Tue May  6 06:19:02 UTC 2025 - Dennis <dennis.tseng@suse.com>
+
+-- Update to version 16.0
+    - remove shim-bsc1177315-verify-eku-codesign.patch
+        remove it because shim github upstream has accepted it (PR #664)
+    - add revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt to revoked certificates for dbx
+        SLES-UEFI-SIGN-Certificate-20220525.crt can be blacklisted,
+        and can be added to the vendor dbx.
+    - add shim-alloc-one-more-byte-for-sprintf.patch (bsc#1240871)
+        The codes already submitted to git upstream (PR #746)
+        In generate_sbat_var_defs.c, realloc() should allocate one more byte for
+        the end of string '\0' when running sprintf() later.
+    - Patches (git log --oneline --reverse 15.8..16.0)
+        126a07e Validate that a supplied vendor cert is not in PEM format
+        63edf92 sbat: Add grub.peimage,2 to latest (CVE-2024-2312)
+        3e1394e sbat: Also bump latest for grub,4 (and to todays date)
+        470a8cd undo change that limits certificate files to a single file
+        0287c6b shim: don't set second_stage to the empty string
+        3685b13 Fix SBAT.md for today's consensus about numbers
+        dc07432 Realize the suggestions as part of PR #672
+        e064e7d Update Code of Conduct contact address
+        e68f4ca make-certs: Handle missing OpenSSL installation
+        74a1f29 Update MokVars.txt  - Update documented mirrored variable attributes from RT to BS,RT  - Add missing MokSBStateRT  - Clarify that MokIgnoreDB is a mirror of MokDBState  - Add missing attributes for MokPWStore
+        f6674fe export DEFINES for sub makefile
+        47bbb5e Drop unused EFI_IMAGE_SECURITY_DATABASE_GUID definition
+        338fded Null-terminate 'arguments' in fallback
+        3d1dcd4 Fix "Verifiying" typo in error message
+        b5d359a CI: use checkout@v4
+        1d8365f CI: work around ownership issue on github
+        20094ca Update fedora CI targets
+        3cf0e09 Force gcc to produce DWARF4 so that gdb can use it
+        5f54182 includes: work around CLANG_PREREQ() double-definition
+        ab06527 Makefile: don't warn about clang when building compile_commands.json
+        0c9249d Suppress some warnings even harder in Cryptlib and OpenSSL.
+        fd7e16f Add building compile_commands.json to CI
+        314aecf Discard load-options that start with WINDOWS
+        ac85ba4 Fix the issue that the gBS->LoadImage pointer was empty.
+        d8c86b7 shim: Allow data after the end of device path node in load options
+        d197220 Backport EFI_HTTP_ERROR status code
+        6410312 netboot: Convert TFTP error codes to EFI status codes
+        ef8e729 httpboot: Convert HTTP status codes to EFI status codes
+        2a1cbe6 Update gnu-efi submodule for EFI_HTTP_ERROR
+        196cbb9 Increase EFI file alignment
+        ad8692e avoid EFIv2 runtime services on Apple x86 machines
+        0345331 Improve shortcut performance when comparing two boolean expressions
+        27562ea Fix bad reference to PathName in image loading
+        1508ece Move is_removable_media_path() to a shared location.
+        7864c10 Provide better error message when MokManager is not found
+        3e60895 tpm: Boot with a warning if the event log is full
+        b560c52 MokManager: remove redundant logical constraints
+        9229e7c Make mock_set_variable() correctly account for resource usage.
+        f7e1d72 tests: make it possible to use different limits for variable space
+        67efdfc test-mok-mirror: refactor the validation of test_mok_mirror_0
+        70366a2 test-mok-mirror: add a test case where MokListRT won't fit.
+        3caa75e test-mok-mirror: minor bug fix
+        dc45aa6 lib/simple_file.c: Allocate zeroed pool for SimpleFS entries
+        9415d3c simple_file: Allow to form a volume name from DevicePath
+        d6076cb simple_file: Use second variable to create filesystem entries
+        f99749a Ignore a minor clang-tidy nit
+        98173f0 Fall back to default loader when encountering errors on network boot
+        e42c319 test.mk: don't use a temporary random.bin
+        c66c157 pe: Enhance debug report for update_mem_attrs
+        1125212 Fix leak in error path
+        2daf1db Load concatenated EFI_SIGNATURE_LISTs from shim_certificate.efi
+        eeca60a Update SbatLevel_Variable.txt with peimage CVE-2024-2312 revocation
+        743f3fa Add generate_sbat_var_defs utility program
+        5ae408a Generate and use generated_sbat_var_defs.h
+        e886fb3 SbatLevel_Variable.txt: clarify where and how revocation data is tracked
+        15c1a9a Implement the CodeSign EKU check to fulfill the requirements of NIAP OS_PP.
+        eb02afc Optionally enabling codesign EKU check in compiling time.
+        7ae0ee6 Add docs for ENABLE_CODESIGN_EKU
+        38dfa37 Create utils file
+        83850cd Add configuration option to boot an alternative 2nd stage
+        bb114a3 Implement shim image load protocol
+        e7b3598 Move some stuff around
+        0322e10 Implement the rest of the loader protocol functions
+        e43aea8 Add EFI_LOAD_FILE2_PROTOCOL to gnu-efi
+        2bff460 loader-proto: Add support for loading files from disk to LoadImage()
+        5d17278 loader-proto: Mark load_image()'s handle_image() call as "in_protocol"
+        fe2ad36 Don't print full screen error dialog from handle_image() when called in_protocol
+        c57af36 loader-proto: Respect optional DevicePath parameter to load_image()
+        2b49dc1 Suppress file open failures for some netboot cases
+        3c3295d netboot: process revocations.efi as revocations not shim_certificate
+        c66ce2a Allow indepdent SkuSi and SBAT revocation updates
+        6b8e40c netboot can try to load shim_certificate_[0..9].efi
+        301cf52 Document how revocations can be delivered
+        7cde2cc post-process-pe: add tests to validate NX compliance
+        1294b47 regression: out of bounds read in CopyMem() in ad8692e
+        765f294 compiler.h: minor ALIGN_... fixes
+        5c1e6e4 Move error logging decls out of shim.h
+        d972515 Save the debug and error logs in mok-variables
+        e3f0338 Silence minor nit in load-options parsing debug output
+        3d7c057 get_mem_attrs(): ensure an error code is set on failure
+        49db3de mok: add MOK_VARIABLE_CONFIG_ONLY
+        887c0ed mok variables: add a format callback
+        e4857b4 Make test-mok-error failures *slightly* more clear.
+        589c3f2 Move memory attribute support to its own file.
+        848667d shim: add HSIStatus feature
+        e136e64 mock-variables: fix debugging printf format specifier oopsie
+        f0958ba test-mock-variables: improve some debug prints
+        b216543 Move mok state variable data flag definitions to the header.
+        fc0cfac Mirror some more efi variables to mok-variables
+        eeda3fa gnu-efi: add some DXE services.
+        c41b1f0 Add support for DXE memory attribute updates.
+        9269e9b Add DXE Services information to HSI
+        c868d54 hexdump: give a different debug log for size==0
+        1baf1ef HSI: Add decode_hsi_bits() for easier reading of the debug log
+        3bce118 pe: read_header(): allow skipping SecDir content validation
+        89e6150 Add shim's current NX_COMPAT status to HSIStatus
+        c5c5287 peimage.h: minor whitespace fixes
+        5007d83 peimage: add a bunch of comments to read_header()
+        489af5e README.tpm: reflect that vendor_db is in fact logged as "vendor_db"
+        1958b0f reject message with different values in multiple Content-Length header field
+        9c423e0 Some save_logs() improvements.
+        81d40e3 Disable log saving for now.
+        498b149 fallback: don't add new boot order entries backwards
+        06d8dec makefiles: Make GITTAG swizzle tildes to dashes
+        f02b2c1 make-archive: some minor housekeeping
+        794d237 Update version to 16.0~rc1
+        d45c610 SetSecureVariable(): free Cert on failure
+        76fab7b generate_sbat_var_defs: run clang-format on readfile()
+        6dadb70 generate_sbat_var_defs: Fix memory leak on realloc failure and fd leak.
+        f58c77e generate_sbat_var_defs: Ensure revlistentry->revocations is initialized.
+        b427a34 mirror_mok_db(): get rid of an unused variable+allocation
+        92630f2 mirror_one_mok_variable(): fix a memory leak on TPM log error.
+        38f0a9c mirror_mok_db(): Free our mok variable name correctly
+        db04321 shim_load_image(): initialize the buffer fully
+        7b75382 simple_dir_filter(): test our 'next' pointer
+        db1f1da Make 'make fanalyzer' work again.
+        28d8871 README.tpm: Update MokList entry to MokListRT
+        8932527 SBAT Level update for February 2025 GRUB CVEs
+        18d98bf Update version to 16.0 
+
+-------------------------------------------------------------------
+Fri Dec 20 11:34:51 CET 2024 - mls@suse.de
+
+- undefine %_enable_debug_packages to fix building with rpm-4.20
+
+-------------------------------------------------------------------
+Thu Sep 19 06:27:27 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to limit the scope of the 'removable'
+  SL-Micro to the image booting with TPM2 unsealing (bsc#1210382)
+  * 769e41d Limit the removable option to encrypted SL-Micro
+
+-------------------------------------------------------------------
+Mon Sep 16 06:56:21 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Update shim-install to apply the missing fix for openSUSE Leap
+  (bsc#1210382)
+  * 86b73d1 Fix that bootx64.efi is not updated on Leap
+- Update shim-install to use the 'removable' way for SL-Micro
+  (bsc#1230316)
+  * 433cc4e Always use the removable way for SL-Micro
+
+-------------------------------------------------------------------
+Tue Jun 25 04:12:39 UTC 2024 - Dennis Tseng <dennis.tseng@suse.com>
+
+- Update asc files of shim-15.8 after being signed back from 
+  Microsoft, including:
+  signature-opensuse.x86_64.asc,
+  signature-opensuse.aarch64.asc,
+  signature-sles.x86_64.asc,
+  signature-sles.aarch64.asc.
+
+- Enable aarch64 signature comparison which was disabled temporarily
+  before. Now, we got a real one. So it is enabled again.  
+
 -------------------------------------------------------------------
 Tue Apr  2 03:09:15 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
 

shim.spec

@@ -19,6 +19,7 @@
 
 %undefine _debuginfo_subpackages
 %undefine _build_create_debug
+%undefine _enable_debug_packages
 %ifarch aarch64
 %define grubplatform arm64-efi
 %else
@@ -34,13 +35,18 @@
 %define shim_lib64_share_compat 1
 %endif
 %endif
+# Set gcc version, the minimum version is gcc-13
+%if %gcc_version < 13
+%define gcc_version 13
+%endif
+%global cc_compiler /usr/bin/gcc-%{gcc_version}
 
 %if 0%{?suse_version} >= 1600
 %define shim_use_fde_tpm_helper 1
 %endif
 
 Name:           shim
-Version:        15.8
+Version:        16.1
 Release:        0
 Summary:        UEFI shim loader
 License:        BSD-2-Clause
@@ -50,49 +56,61 @@ Source:         %{name}-%{version}.tar.bz2
 # run "extract_signature.sh shim.efi" where shim.efi is the binary
 # with the signature from the UEFI signing service.
 # Note: For signature requesting, check SIGNATURE_UPDATE.txt
-Source1:        signature-opensuse.x86_64.asc
-Source2:        openSUSE-UEFI-CA-Certificate.crt
-Source3:        shim-install
-Source4:        SLES-UEFI-CA-Certificate.crt
-Source5:        extract_signature.sh
-Source6:        attach_signature.sh
-Source7:        show_hash.sh
-Source8:        show_signatures.sh
-Source9:        timestamp.pl
-Source10:       strip_signature.sh
-Source11:       signature-sles.x86_64.asc
-Source12:       signature-opensuse.aarch64.asc
-Source13:       signature-sles.aarch64.asc
-Source14:       generate-vendor-dbx.sh
+Source1:	shim-install
+Source2:	extract_signature.sh
+Source3:	attach_signature.sh
+Source4:	show_hash.sh
+Source5:	show_signatures.sh
+Source6:	timestamp.pl
+Source7:	strip_signature.sh
+Source8:	generate-vendor-dbx.sh
+# Certificates Used to Verify the Shim (DER format)
+# SUSE CA is also built-in to the shim via VENDOR_CERT_FILE
+# openSUSE Secure Boot CA, 2013-2035
+Source11:	openSUSE_Secure_Boot_CA_2013.crt
+# SUSE Linux Enterprise Secure Boot CA, 2013-2035
+Source12:	SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
+# Microsoft Corporation UEFI CA 2011, 2011-2026
+Source13:	Microsoft_Corporation_UEFI_CA_2011.crt
+# Microsoft UEFI CA 2023, 2023-2038
+Source14:	Microsoft_UEFI_CA_2023.crt
+# Microsoft-signed shim
+Source30:	shim-opensuse.x86.efi
+Source31:	shim-opensuse.aarch64.efi
+Source32:	shim-sles.x86.efi
+Source33:	shim-sles.aarch64.efi
 # revoked certificates for dbx
 Source50:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
 Source51:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
 Source52:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt
 Source53:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt
 Source54:       revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt
-Source55:       revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
-Source56:       revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
-Source57:       revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
-Source58:       revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
-Source59:       revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
+Source55:       revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt
+Source56:       revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
+Source57:       revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
+Source58:       revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
+Source59:       revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
+Source60:       revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
+Source61:       revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt
 ###
 Source99:       SIGNATURE_UPDATE.txt
 # PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
 Patch1:         shim-arch-independent-names.patch
 # PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
 Patch2:         shim-change-debug-file-path.patch
-# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 glin@suse.com -- Verify CodeSign in the signer's EKU
-Patch3:         shim-bsc1177315-verify-eku-codesign.patch
 # PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
-Patch4:         remove_build_id.patch
+Patch3:         remove_build_id.patch
 # PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
-Patch5:         shim-disable-export-vendor-dbx.patch
+Patch4:         shim-disable-export-vendor-dbx.patch
+BuildRequires:  gcc%{gcc_version}
 BuildRequires:  dos2unix
 BuildRequires:  efitools
 BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
 BuildRequires:  pesign
 BuildRequires:  pesign-obs-integration
+# we need xxd in global macro in shim.spec
+BuildRequires:  vim
 %if 0%{?shim_use_fde_tpm_helper:1}
 BuildRequires:  fde-tpm-helper-rpm-macros
 %endif
@@ -114,10 +132,33 @@ BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires:       mokutil
 ExclusiveArch:  x86_64 aarch64
 
+# subject hash of openSUSE/SLE/devel certificates for identifying devel project
+%global prjissuer_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash 2>/dev/null || echo "PRJ_ISSUER_NOT_FOUND")
+%global prjsubjec_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash 2>/dev/null || echo "PRJ_SUBJECT_NOT_FOUND")
+%global opensusesubject_hash %(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash 2>/dev/null)
+%global slessubject_hash %(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash 2>/dev/null)
+# Hex content of certs (DER format) will be used in the TARGET_CERT_HEXES array in pretrans script
+%global opensuse_ca_hex %(xxd -p %{SOURCE11} | tr -d '\\n')
+%global sles_ca_hex %(xxd -p %{SOURCE12} | tr -d '\\n')
+%global microsoft_ca_hex %(xxd -p %{SOURCE13} | tr -d '\\n')
+%global microsoft_ca_2023_hex %(xxd -p %{SOURCE14} | tr -d '\\n')
+%global prjcert_hex %(test -f %{_sourcedir}/_projectcert.crt && (openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER -out - | xxd -p | tr -d '\\n') 2>/dev/null)
+
 %description
 shim is a trivial EFI application that, when run, attempts to open and
 execute another application.
 
+%if 0%{?shim_nx:1}
+%package -n shim-nx
+Summary:        UEFI shim loader - supports non-executable
+Group:          System/Boot
+Requires:	shim = %{version}
+
+%description -n shim-nx
+shim with NX_COMPAT field (aka. NxCompatible field in DllCharacteristics)
+for supporting non-executable
+%endif	# 0%{?shim_nx:1}
+
 %package -n shim-debuginfo
 Summary:        UEFI shim loader - debug symbols
 Group:          Development/Debug
@@ -154,8 +195,9 @@ ls -al *.esl
 
 # first, build MokManager and fallback as they don't depend on a
 # specific certificate
-make RELEASE=0 \
+make CC=%{cc_compiler} RELEASE=0 \
      MMSTEM=MokManager FBSTEM=fallback \
+     POST_PROCESS_PE_FLAGS=-n \
      MokManager.efi.debug fallback.efi.debug \
      MokManager.efi fallback.efi
 # make sure all object files gets rebuilt
@@ -168,10 +210,10 @@ suffixes=(opensuse sles)
 # just one shim that embeds this specific cert. If it's a devel
 # project we build all variants to simplify testing.
 if test -e %{_sourcedir}/_projectcert.crt ; then
-    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
-    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
-    opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
-    slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
+    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
+    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
+    opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
+    slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
     if test "$prjissuer" = "$opensusesubject" ; then
 	suffixes=(opensuse)
     elif test "$prjissuer" = "$slessubject" ; then
@@ -183,40 +225,40 @@ fi
 
 for suffix in "${suffixes[@]}"; do
     if test "$suffix" = "opensuse"; then
-	cert=%{SOURCE2}
+	cert=%{SOURCE11}
+	cp $cert shim-$suffix.der
 	verify='openSUSE Secure Boot CA1'
 	vendor_dbx='vendor-dbx-opensuse.esl'
 %ifarch x86_64
-	signature=%{SOURCE1}
+	ms_shim=%{SOURCE30}
 %else
-	# AArch64 signature
-	# Disable AArch64 signature attachment temporarily
-	# until we get a real one.
-	#signature=%{SOURCE12}
+	# opensuse aarch64
+	ms_shim=%{SOURCE31}
 %endif
     elif test "$suffix" = "sles"; then
-	cert=%{SOURCE4}
+	cert=%{SOURCE12}
+	cp $cert shim-$suffix.der
 	verify='SUSE Linux Enterprise Secure Boot CA1'
-	vendor_dbx='vendor-dbx-opensuse.esl'
+	vendor_dbx='vendor-dbx-sles.esl'
 %ifarch x86_64
-	signature=%{SOURCE11}
+	ms_shim=%{SOURCE32}
 %else
-	# AArch64 signature
-	signature=%{SOURCE13}
+	# sles aarch64
+	ms_shim=%{SOURCE33}
 %endif
     elif test "$suffix" = "devel"; then
 	cert=%{_sourcedir}/_projectcert.crt
 	verify=`openssl x509 -in "$cert" -noout -email`
 	vendor_dbx='vendor-dbx.esl'
-	signature=''
+	ms_shim=''
 	test -e "$cert" || continue
+	openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
     else
 	echo "invalid suffix"
 	false
     fi
 
-    openssl x509 -in $cert -outform DER -out shim-$suffix.der
-    make RELEASE=0 SHIMSTEM=shim \
+    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
          VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
          DEFAULT_LOADER="\\\\\\\\grub.efi" \
          VENDOR_DBX_FILE=$vendor_dbx \
@@ -224,46 +266,54 @@ for suffix in "${suffixes[@]}"; do
     #
     # assert correct certificate embedded
     grep -q "$verify" shim.efi
-    # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
-    chmod 755 %{SOURCE9}
-    # alternative: verify signature
-    #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
-    if test -n "$signature"; then
-	head -1 "$signature" > hash1
-	cp shim.efi shim.efi.bak
-	# pe header contains timestamp and checksum. we need to
-	# restore that
-	%{SOURCE9} --set-from-file "$signature" shim.efi
-	pesign -h -P -i shim.efi > hash2
-	cat hash1 hash2
-	if ! cmp -s hash1 hash2; then
-		echo "ERROR: $suffix binary changed, need to request new signature!"
-%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0
-		# compare suffix (sles, opensuse) with distro_id (sle, opensuse)
-		# when hash mismatch and distro_id match with suffix, stop building 
-		if test "$suffix" = "$distro_id" || test "$suffix" = "${distro_id}s"; then
-			false
-		fi
-%endif
-		mv shim.efi.bak shim-$suffix.efi
-		rm shim.efi
+    # Use ms-signed shim when the version equals with the version of newly built shim
+    # Version mismatch indicates development of a new shim.
+    if test -n "$ms_shim"; then
+	ms_version=$(strings "$ms_shim" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
+	dev_version=$(strings shim.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
+	if [ "$ms_version" = "$dev_version" ]; then
+		cp $ms_shim shim-$suffix.efi
 	else
-		# attach signature
-		pesign -m "$signature" -i shim.efi -o shim-$suffix.efi
-		rm -f shim.efi
+		cp shim.efi shim-$suffix.efi
 	fi
+	rm shim.efi
     else
-        mv shim.efi shim-$suffix.efi
+	# devel shim
+	mv shim.efi shim-$suffix.efi
     fi
+    # FIX: using debug info from devel shim doesn't match with ms-signed shim
     mv shim.efi.debug shim-$suffix.debug
     # remove the build cert if exists
     rm -f shim_cert.h shim.cer shim.crt
     # make sure all object files gets rebuilt
     rm -f *.o
+
+%if 0%{?shim_nx:1}
+    # building shim.nx.efi
+    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \
+         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
+         DEFAULT_LOADER="\\\\\\\\grub.efi" \
+         VENDOR_DBX_FILE=$vendor_dbx \
+	 POST_PROCESS_PE_FLAGS=-n \
+         shim.nx.efi.debug shim.nx.efi
+    #
+    # assert correct certificate embedded
+    grep -q "$verify" shim.nx.efi
+    mv shim.nx.efi shim-$suffix.nx.efi
+    mv shim.nx.efi.debug shim-$suffix.nx.debug
+    # remove the build cert if exists
+    rm -f shim_cert.h shim.cer shim.crt
+    # make sure all object files gets rebuilt
+    rm -f *.o
+%endif  # 0%{?shim_nx:1}
 done
 
 ln -s shim-${suffixes[0]}.efi shim.efi
 mv shim-${suffixes[0]}.debug shim.debug
+%if 0%{?shim_nx:1}
+ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi
+mv shim-${suffixes[0]}.nx.debug shim.nx.debug
+%endif  # 0%{?shim_nx:1}
 
 # Collect the source for debugsource
 mkdir ../source
@@ -278,7 +328,7 @@ install -m 444 shim-*.der %{buildroot}/%{sysefidir}
 install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
 install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
 install -d %{buildroot}/%{_sbindir}
-install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
+install -m 755 %{SOURCE1} %{buildroot}/%{_sbindir}/
 # install SUSE certificate
 install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
 for file in shim-*.der; do
@@ -306,6 +356,190 @@ cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
 %clean
 %{?buildroot:%__rm -rf "%{buildroot}"}
 
+%pretrans -p <lua>
+-- Using Lua
+print("INFO: Current Lua Version: " .. tostring(_VERSION))
+
+-- ==========================================================================================
+-- This pretrans script verifies that the UEFI db should have the necessary certificate to
+-- allow the shim binary to boot.
+-- The installation will be aborted if the db is missing the target certificate. To proceed,
+-- the user must enroll the target certificate in the db or disable UEFI Secure Boot.
+-- ==========================================================================================
+
+local db_filename = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f"
+
+-- The db file existence check
+local f_check, err_check = io.open(db_filename, "rb")
+
+if not f_check then
+    print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(err_check))
+    print("WARNING: This usually means the system is not booted in UEFI mode. Skipping all db check steps.")
+    return 0
+end
+f_check:close()
+
+-- ==========================================================================================
+-- This is the hardcoded target certificate content used to check for its existence.
+-- HEX_CONTENT=$(xxd -p taget_certificate.der | tr -d '\n') && echo "$HEX_CONTENT"
+-- ==========================================================================================
+
+-- Only the DER format is supported
+local TARGET_CERT_HEXES = {
+    -- Always check Microsoft keys
+    -- Certificate #1, Microsoft Corporation UEFI CA 2011
+    "%{microsoft_ca_hex}",
+    -- Certificate #2, Microsoft UEFI CA 2023
+    "%{microsoft_ca_2023_hex}",
+%if "%{prjissuer_hash}" == "%{opensusesubject_hash}"
+    -- Certificate #3, openSUSE Secure Boot CA 2013
+    "%{opensuse_ca_hex}",
+%endif
+%if "%{prjissuer_hash}" == "%{slessubject_hash}"
+    -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
+    "%{sles_ca_hex}",
+%endif
+%if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
+    -- We put all keys for testing on devel/staging project
+    -- Certificate #3, openSUSE Secure Boot CA 2013
+    "%{opensuse_ca_hex}",
+    -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
+    "%{sles_ca_hex}",
+    -- Certificate #5, _projectcert.crt
+    "%{prjcert_hex}",
+%endif  # prjissuer_hash check
+}
+
+-- Check if the TARGET_CERT_HEXES array is empty
+if #TARGET_CERT_HEXES == 0 then
+    print("INFO: certificate list is empty. Skipping certificate check.")
+    -- Exiting safely as the certificate list is empty.
+    return 0
+else
+    -- Check if the Hex string for certificate is valid
+    for i, cert_hex in ipairs(TARGET_CERT_HEXES) do
+        if #cert_hex % 2 ~= 0 then
+            print("Error: The length of hard-coded hex string for certificate #" .. i .. " must be an even number.")
+            error("The Hex string is invalid. The transaction is being aborted in the pretrans script.")
+        end
+    end
+end
+
+-- =========================================================================
+-- Helper functions
+-- =========================================================================
+
+-- Convert hexadecimal string to original binary string
+local function hex_to_binary(hex)
+    local binary = ""
+    for i = 1, #hex, 2 do
+        local byte_hex = hex:sub(i, i + 1)
+        binary = binary .. string.char(tonumber(byte_hex, 16))
+    end
+    return binary
+end
+
+-- =========================================================================
+-- Main logic for checking if the db has any target certificate
+-- =========================================================================
+
+-- Read existing db contents
+local db_content = ""
+do
+    -- The db file is now confirmed to exist, open it again to read the contents
+    local f_db, err_db = io.open(db_filename, "rb")
+
+    if f_db then
+        local chunks = {}
+        local CHUNK_SIZE = 4096
+        local raw_content = ""
+        local chunk = f_db:read(CHUNK_SIZE)
+
+        while chunk do
+	    -- If an empty string is read, it means EOF has been reached and the loop is exited.
+            if chunk == "" then
+                break
+            end
+            table.insert(chunks, chunk)
+            chunk = f_db:read(CHUNK_SIZE)
+        end
+
+        raw_content = table.concat(chunks)
+
+        f_db:close()
+
+	-- Skip the first 4 bytes (EFI attributes)
+        if #raw_content > 4 then
+	    -- Truncate from the 5th byte to the end
+            db_content = string.sub(raw_content, 5)
+	    print("INFO: Successfully read existing db content")
+        else
+	    -- The file is too small or only has attributes, so it is considered blank.
+            db_content = ""
+            print("WARNING: db file content length is abnormal (<= 4 bytes). Treated as blank.")
+        end
+    end
+end
+
+-- Check all target certificates
+for i, cert_hex in ipairs(TARGET_CERT_HEXES) do
+
+    local target_binary_content = hex_to_binary(cert_hex)
+
+    -- Perform binary string matching
+    local start_pos, end_pos = db_content:find(target_binary_content, 1, true)
+
+    if start_pos then
+        -- Success: Certificate exist in db
+        -- Return 0 to allow the RPM transaction to continue
+        print("Target certificate #" .. i .. " was found in the db variable. Proceed with install.")
+        return 0
+    end
+end
+
+-- Certificate not present in db
+print("WARNING: The target certificate binary was not found in the db variable.")
+print("Please add the appropriate certificate to the db or disable UEFI secure boot.")
+
+-- Secure Boot status check: We only proceed with installation if the certificate is not present in the db and Secure Boot is disabled.
+local sb_filename = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
+
+local f_sb, err_sb = io.open(sb_filename, "rb")
+
+if not f_sb then
+    -- If the file is missing, it typically means the system is not UEFI, or Secure Boot is disabled/the variable is absent.
+    print("WARNING: SecureBoot EFI variable file does not exist. Proceed with install.")
+else
+    local raw_content_sb = ""
+    local sb_status = 0
+
+    -- Read file contents
+    local chunk_sb = f_sb:read(4096)
+    while chunk_sb do
+        if chunk_sb == "" then break end
+        raw_content_sb = raw_content_sb .. chunk_sb
+        chunk_sb = f_sb:read(4096)
+    end
+    f_sb:close()
+
+    -- SecureBoot status check
+    if #raw_content_sb >= 5 then
+	-- Skip the first 4-byte attribute header and read the 5th byte (status byte)
+        sb_status = string.byte(raw_content_sb, 5)
+
+        if sb_status == 0x00 then
+            print("INFO: Since Secure Boot is DISABLED, proceed with install.")
+            return 0
+        elseif sb_status == 0x01 then
+	    error("Fatal error: Secure Boot is ENABLED (status = 0x01), but the target certificate was not found in the db. Aborting installation.")
+        else
+            error("Fatal error: Secure Boot status is unrecognized (0x" .. string.format("%02x", sb_status) .. "). Aborting installation.")
+        end
+    else
+	error("Fatal error: SecureBoot variable content is too short to determine status. Aborting installation.")
+    end
+end
+
 %post
 %if 0%{?fde_tpm_update_post:1}
 %fde_tpm_update_post shim
@@ -351,6 +585,9 @@ fi
 %dir %{sysefidir}
 %{sysefidir}/shim.efi
 %{sysefidir}/shim-*.efi
+%if 0%{?shim_nx:1}
+%exclude %{sysefidir}/shim-*.nx.efi
+%endif  # 0%{?shim_nx:1}
 %{sysefidir}/shim-*.der
 %{sysefidir}/MokManager.efi
 %{sysefidir}/fallback.efi
@@ -364,6 +601,13 @@ fi
 /usr/lib64/efi/*.efi
 %endif
 
+%if 0%{?shim_nx:1}
+%files -n shim-nx
+%defattr(-,root,root)
+%{sysefidir}/shim.nx.efi
+%{sysefidir}/shim-*.nx.efi 
+%endif  # 0%{?shim_nx:1}
+
 %files -n shim-debuginfo
 %defattr(-,root,root,-)
 /usr/lib/debug%{sysefidir}/shim.debug

signature-opensuse.aarch64.asc

@@ -1,188 +0,0 @@
-hash: 96275dfd6282a522b011177ee049296952ac794832091f937fbbf92869028629
-# 2069-04-10 06:07:54
-timestamp: babababa
-linker: 2002
-checksum: ef25
------BEGIN AUTHENTICODE SIGNATURE-----
-MIIhwQYJKoZIhvcNAQcCoIIhsjCCIa4CAQExDzANBglghkgBZQMEAgEFADBcBgor
-BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQglidd/WKCpSKwERd+4EkpaVKseUgyCR+Tf7v5KGkChimgggs8MIIF
-JDCCBAygAwIBAgITMwAAABjnMIN/Ryp7WwABAAAAGDANBgkqhkiG9w0BAQsFADCB
-gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xNTEwMjgyMDQz
-MzdaFw0xNzAxMjgyMDQzMzdaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
-aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu
-ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCxZkprRvykOB1+X8MMpDVlB36RVafGyaZ8Dsl5/8U92WKQvqdx
-T7SsnmbDv9TNSndVGzFvH5p4dn1Q/52kuDMpwpjGUqTWrx1+jrZOYrb02uTL/+QZ
-H/nxW96fPJqKIEnqe16lLp2WCjT6J7AzckF67KEW6voOzXITZLP8t3OCqNWIWXy3
-ABLiZllI3O+VAwmRlosEmPYcD2qM3KxhPNvT+GZ2gb+FrLKvuRNxpHK0iZBxnrSg
-SnTlSfqzOAf9LWP6f4ajn04tdPOCRh3xuPM/bHJlCS40hBH2hYAV40s1vKTL8/Uf
-lTVdaBrq6f6NZAc4RFWnQgc/32xiYIcQ6AmjAgMBAAGjggF9MIIBeTAfBgNVHSUE
-GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQUI3JhxfMYweN5Brdl
-fggzjB4hb1owUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT
-KjMxNjE5K2UyOTg0YTM1LWNmNGYtNDEwZC04ZWMzLTcxOTYxNWJmOGMxYjAfBgNV
-HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw
-MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo
-dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB
-MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA
-A4IBAQBxu75jhm/XBbQkp7pR8jykioQZc4KXLTqPQ1l/Z5KO1yY6oKImgbidhR3b
-ZV+cz5MqktoNxsf0Pt7WVxbuZe0nOe8UC7ldmH3NwbfukTSr0CNw4Sw+unFmLxDo
-g3BhCstsmP/yfDizuCkzPXVCjoBK3tCbNIZxfUEYjwSJAsFpeHvPEJlse2beTfpb
-ghe9sCMUOT2yiKjf+1tbY6FNeB6/DvpaxkBYX99jcLy1KHD5LWcoIjEREhFybILA
-mhoagQQ7upVbQLvJHAMyctmHUh432Kod0PpUUTwSrMChSAgB0t+l5DinGgowpoSj
-kjMiS55xRj22uZpnBzckogBCW0LGMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN
-BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0
-b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh
-dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5
-IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1
-WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
-B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE
-AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI
-hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft
-kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy
-u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6
-K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5
-5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh
-Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw
-ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK
-8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr
-BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw
-AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT
-MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0
-cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE
-VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl
-cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B
-AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY
-NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ
-2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8
-uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR
-B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67
-3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0
-HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q
-I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy
-lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc
-Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An
-oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghX4MIIV
-9AIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO
-BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr
-MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA
-ABjnMIN/Ryp7WwABAAAAGDANBglghkgBZQMEAgEFAKCB4jAZBgkqhkiG9w0BCQMx
-DAYKKwYBBAGCNwIBBDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkq
-hkiG9w0BCQQxIgQgC5Mui2KqvNqQsTzZfuTIs4mo9KL7c0hG3k6fhLXdT1EwdgYK
-KwYBBAGCNwIBDDFoMGagMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBk
-AHUAYwB0AHMAIABHAG0AYgBIoTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93
-aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAUpAOjQut0b9l
-iTNUwPVDzKzJNK4v8eNc176xvOSLqKkMBj2DmciVbi6va9u6Lp72cGz/8ixIm/pJ
-wuObM/xSQdd6NI9DWy1O4/MtAyIgl56ynXplEm9/tGlbu19mQo4TFBG+DuMEFoq3
-ZVg8s8n3upVrAOprYIQbhBenO8KgF9QOJ2er/+NyRlc/Kkdtlg5haN7QNhBxGl/z
-0JFnDE7weUDqn4RFYkS6SKH7iIG6YZN5FgmrgrMbIqqKLK0Ro7N/BhI+WilX8kLU
-F4uuT9bvKAtc/fZkR8ncvUp9F9+zHevqWyYp6vA6O1fis4RPvfcPzsstInUOsyN/
-LPeVYEqUK6GCE0owghNGBgorBgEEAYI3AwMBMYITNjCCEzIGCSqGSIb3DQEHAqCC
-EyMwghMfAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE8BgsqhkiG9w0BCRABBKCCASsE
-ggEnMIIBIwIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCDYr609VK4b
-Nh7kCWgKnvrLUKV15/Hk9cQt/xPyRZoRyAIGVk82mzoxGBMyMDE1MTIwMzA3NTY0
-MC44NzhaMAcCAQGAAgH0oIG4pIG1MIGyMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
-V2FzaGluZ3RvbjEPMA0GA1UEBxMGUmVkbW9kMR4wHAYDVQQKExVNaWNyb3NvZnQg
-Q29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIxJzAlBgNVBAsTHm5DaXBoZXIgRFNF
-IEVTTjozMUM1LTMwQkEtN0M5MTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUtU3Rh
-bXAgU2VydmljZaCCDs4wggZxMIIEWaADAgECAgphCYEqAAAAAAACMA0GCSqGSIb3
-DQEBCwUAMIGIMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G
-A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMTIw
-MAYDVQQDEylNaWNyb3NvZnQgUm9vdCBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkgMjAx
-MDAeFw0xMDA3MDEyMTM2NTVaFw0yNTA3MDEyMTQ2NTVaMHwxCzAJBgNVBAYTAlVT
-MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
-ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1l
-LVN0YW1wIFBDQSAyMDEwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
-qR0NvHcRijog7PwTl/X6f2mUa3RUENWlCgCChfvtfGhLLF/Fw+Vhwna3PmYrW/AV
-UycEMR9BGxqVHc4JE458YTBZsTBED/FgiIRUQwzXTbg4CLNC3ZOs1nMwVyaCo0UN
-0Or1R4HNvyRgMlhgRvJYR4YyhB50YWeRX4FUsc+TTJLBxKZd0WETbijGGvmGgLvf
-YfxGwScdJGcSchohiq9LZIlQYrFd/XcfPfBXday9ikJNQFHRD5wGPmd/9WbAA5ZE
-fu/QS/1u5ZrKsajyeioKMfDaTgaRtogINeh4HLDpmc085y9Euqf03GS9pAHBIAmT
-eM38vMDJRF1eFpwBBU8iTQIDAQABo4IB5jCCAeIwEAYJKwYBBAGCNxUBBAMCAQAw
-HQYDVR0OBBYEFNVjOlyKMZDzQ3t8RhvFM2hahW1VMBkGCSsGAQQBgjcUAgQMHgoA
-UwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQY
-MBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6
-Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1Jvb0NlckF1
-dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0
-dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9vQ2VyQXV0XzIw
-MTAtMDYtMjMuY3J0MIGgBgNVHSABAf8EgZUwgZIwgY8GCSsGAQQBgjcuAzCBgTA9
-BggrBgEFBQcCARYxaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL1BLSS9kb2NzL0NQ
-Uy9kZWZhdWx0Lmh0bTBABggrBgEFBQcCAjA0HjIgHQBMAGUAZwBhAGwAXwBQAG8A
-bABpAGMAeQBfAFMAdABhAHQAZQBtAGUAbgB0AC4gHTANBgkqhkiG9w0BAQsFAAOC
-AgEAB+aIUQ3ixuCYP4FxAz2do6Ehb7Prpsz1Mb7PBeKp/vpXbRkws8LFZslq3/Xn
-8Hi9x6ieJeP5vO1rVFcIK1GCRBL7uVOMzPRgEop2zEBAQZvcXBf/XPleFzWYJFZL
-dO9CEMivv3/Gf/I3fVo/HPKZeUqRUgCvOA8X9S95gWXZqbVr5MfO9sp6AG9LMEQk
-IjzP7QOllo9ZKby2/QThcJ8ySif9Va8v/rbljjO7Yl+a21dA6fHOmWaQjP9qYn/d
-xUoLkSbiOewZSnFjnXshbcOco6I8+n99lmqQeKZt0uGc+R38ONiU9MalCpaGpL2e
-Gq4EQoO4tYCbIjggtSXlZOz39L9+Y1klD3ouOVd2onGqBooPiRa6YacRy5rYDkea
-gMXQzafQ732D8OE7cQnfXXSYIghh2rBQHm+98eEA3+cxB6STOvdlR3jo+KhIq/fe
-cn5ha293qYHLpwmsObvsxsvYgrRyzR30uIUBHoD7G4kqVDmyW9rIDVWZeodzOwjm
-mC3qjeAzLhIp9cAvVCch98isTtoouLGp25ayp0Kiyc8ZQU3ghvkqmqMRZjDTu3Qy
-S99je/WZii8bxyGvWbWu3EQ8l1Bx16HSxVXjad5XwdHeMMD9zOZN+w2/XU/pnR4Z
-OC+8z1gFLu8NoFA12u8JJxzVs341Hgi62jbb01+P3nSISRIwggTZMIIDwaADAgEC
-AhMzAAAAdHTMrak+fLWsAAAAAAB0MA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYT
-AlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD
-VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBU
-aW1lLVN0YW1wIFBDQSAyMDEwMB4XDTE1MTAwNzE4MTczOVoXDTE3MDEwNzE4MTcz
-OVowgbIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMQ8wDQYDVQQH
-EwZSZWRtb2QxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjENMAsGA1UE
-CxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNOOjMxQzUtMzBCQS03Qzkx
-MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIBIjANBgkq
-hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq0PYY+WjQQ/lOgaRo5Mgrb0qrtute02o
-WF86BQnBS1hCFzokjm2o3UXklFIw4n72MBasIASRfHd5TbSTnr56E2p9aMTxQjPY
-1GWNKLwnU3KcBwJWBIkW4qNgB06WO9ZTyvEVIjo/8pGgw9uJy2nqMv8/NEb8GaWS
-G8yM3Kyk982VsflslFjz2KFTaA2XMAuYaRZ+I6B0r+hE8575k9TjaLVq35Y4JF6h
-ZfZnya2w2fiAf3K3U2YrhwKgCAq6+42ZBV/Qv40YTb8vH2M8lLHnY1wJxuq0rrTJ
-ETzHzcr33jg0dv2LJBE5QPl+6r2u98RKXsHBU5Sha2C8xkTvsTPayQIDAQABo4IB
-GzCCARcwHQYDVR0OBBYEFDTGrFKKJ9PTHpe/DAN1d0q62OQxMB8GA1UdIwQYMBaA
-FNVjOlyKMZDzQ3t8RhvFM2hahW1VMFYGA1UdHwRPME0wS6BJoEeGRWh0dHA6Ly9j
-cmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01pY1RpbVN0YVBDQV8y
-MDEwLTA3LTAxLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYBBQUHMAKGPmh0dHA6
-Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljVGltU3RhUENBXzIwMTAt
-MDctMDEuY3J0MAwGA1UdEwEB/wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwgwDQYJ
-KoZIhvcNAQELBQADggEBAFmRjC7DqKiHQ0UajpmTyERutHCRU0hPJ7X4RtdcbiyL
-Lk4IXiJdZFH12iaJ1e4Te4yxuOoeAd+ANhUCi8PQ6L1mrFuRzS88SFeqLzFFAwsv
-DLiMVKNMnpLnYOVwiv4QgFCPik5QWq9xF07xtIWwMgpRUnEIcOQMrIozBjTTxOM0
-H44oG+FxA0Pr6dtA4ta1ScZgo5YRSBCk1XIqsS73R+rjK9u4SrrwIxAauEdMtdKl
-LLFKOsTWP45fP573kP+N5Szgbvfbe3HRDSiKE7yyb5omwLyIWZvlzxcdWYih/jAq
-ALMOQNMbB1Semcv6Q6zsVdCbTs2Zs+wcgojZYDvg6BKhggN4MIICYAIBATCB4qGB
-uKSBtTCBsjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xDzANBgNV
-BAcTBlJlZG1vZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD
-VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046MzFDNS0zMEJBLTdD
-OTExJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoBATAJ
-BgUrDgMCGgUAAxUAEHYGrKIAUIRQppVzfxnEl04RHviggcIwgb+kgbwwgbkxCzAJ
-BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k
-MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIx
-JzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjo1N0Y2LUMxRTAtNTU0QzErMCkGA1UE
-AxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG9w0B
-AQUFAAIFANoKCl0wIhgPMjAxNTEyMDMwMDI1MDFaGA8yMDE1MTIwNDAwMjUwMVow
-dzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA2goKXQIBADAKAgEAAgIGLwIB/zAHAgEA
-AgIYeTAKAgUA2gtb3QIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMB
-oAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQBfi7jb
-OH28d5BTlq3PO/ns6ICJZ1eq899EIhLxW8sYhVN3wC8OkhNt1RQDmokO6mRZ8Kq3
-A8QoyBlE+6VeVUTV8PoqxKbTAC5ofTkBScsR1KJDquBQtOlfLhINpQfja9qkQ6HG
-WUZ/uYvGI0QR/Wn97p4lmY8Iu9t6B+h7lbbIfjonNz6RfuRnil83gZxwvuU0zsOV
-ujEpq+Xv+Qwpf84TZhop6R6745ns7mFx6oYqCzs64GlV+ro+UkaVU0ZBvQF0SrK0
-Zg+7S+tR9ZbiswMvQgPaBRCaSxzYLwpE32DOy0M8kAw7C/sYUMIY+1UGeGEYqvYn
-Oua0wsgQq1Oj2nINMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
-c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg
-UENBIDIwMTACEzMAAAB0dMytqT58tawAAAAAAHQwDQYJYIZIAWUDBAIBBQCgggEy
-MBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQgXCsJ
-dbLlwyLiabpo8dTN0JlBzu+7PIYWpljIrRy+/r8wgeIGCyqGSIb3DQEJEAIMMYHS
-MIHPMIHMMIGxBBQQdgasogBQhFCmlXN/GcSXThEe+DCBmDCBgKR+MHwxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
-HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
-dCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAdHTMrak+fLWsAAAAAAB0MBYEFKgc
-IScRN0miGsGgPdeTR+HhcRexMA0GCSqGSIb3DQEBCwUABIIBAGL830RGkR0nuISC
-5jjekrT+mzuFqwNwbXkQpgeBCowS3A05GgVdCTMcCQ2/ZVN9VVdnqeC1gq5123Vz
-fPUkozcg+6ICjLE5tTATth9Q0IcvPohWBZ61huLCzt4bgVi7P1U7SuT+2xBWFhus
-Phqsd8+44ux6U+U1ld+ecE8dfupDXn4sDMeat4XPovqg82jyFe+doyyPMTY1N9oP
-H+w2dYb8a32s4G1kajK5D+7fRxNXpDK/UIOrKvrMbnr1mUq+O6DJxppX1Xxbgzqf
-vlhwmei7T2GSMuJQ4Kwn3tzCQK2bWoCAU13e0iB+D7OLk27Ye18PawcrWg6+DOWY
-nSEK9MEAAAA=
------END AUTHENTICODE SIGNATURE-----

signature-opensuse.x86_64.asc

@@ -1,185 +0,0 @@
-hash: f5e892dd6ec4c2defa4a495c09219b621379b64da3d1b2e34adf4b5f1102bd39
-# 1970-01-01 00:00:00
-timestamp: 0
-linker: 2002
-checksum: 65ba
------BEGIN AUTHENTICODE SIGNATURE-----
-MIIhVgYJKoZIhvcNAQcCoIIhRzCCIUMCAQExDzANBglghkgBZQMEAgEFADBcBgor
-BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQg9eiS3W7Ewt76SklcCSGbYhN5tk2j0bLjSt9LXxECvTmgggswMIIF
-GDCCBACgAwIBAgITMwAAADgHaPPBgpJ3JAABAAAAODANBgkqhkiG9w0BAQsFADCB
-gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMDAzMDQxODMy
-MjdaFw0yMTAzMDMxODMyMjdaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
-aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl
-ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCqfvRc
-QxLmFCRHe3DjwdBfbK52UWAymynl8XOwnxFXQ3xXMjrYtV3xF7pBs0vTcuQEh1GC
-VrDe9DN1tIehwR94n63EbDwclRlnWg6J3R1gTYi2ID9h0UOVeF4ADrv9lnY56T6E
-FC5wBhhTSg9g5gOzjxv7OHJJtWAkGbOrEmkTSDNc3w7pqbKdgIC4kHUh16xsTA06
-c1fIfZGg/BdRt/K9bp1gFNrI+gCP/HuxaKbj0whYPmyQ+F1ME10pp/ZXgKxU+Bfa
-XG/NMEzxkoXBThLquFSbmkhr2XKTLYbIdCk1Y9mSML5ei+2B4t4H8eNvVG3ZwEsn
-E7/HiLSdjRFWCuMRAgMBAAGjggGAMIIBfDAfBgNVHSUEGDAWBgorBgEEAYI3UAIB
-BggrBgEFBQcDAzAdBgNVHQ4EFgQUP/Rho+Fpo7FPkinO8OfIVSTDg/0wVAYDVR0R
-BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg
-TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzQ1ODM2ODAfBgNVHSMEGDAWgBQTrb9D
-Cb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y
-Ny5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDExLTA2
-LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQAiK8d9dmvO
-MhRcgnO1k3THjsWQq8fuMLz3Dyb2frG0oAL1zvVyCbI8wHAkp/kMKlMvdw8FXbx2
-a8y6t0Qzlde0x0Jj9WdL6cQzx0EBrej/JCSoOTg+h8UhnBmAflstoc2SQen/FigC
-NdJvxaurF1KlHk3W06OVlvUdFifjJvkfqlDWji/o05muR4iDE3R4HD/3plMTZcD7
-/Z9oItK9y2NoyNxFZbyFS5FDqWwnqv4JliUA3FmbKLxALCScfjxPXYOsX/SDd6zt
-2hNpoVkoDSDfk99aWv5SNfH1xozil3oHbO/CNpAif7MkyW/OFF1+xoBQyJtJadca
-lMa9x3gWJ0NuMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsF
-ADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
-B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UE
-AxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNl
-IFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UE
-BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
-BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0
-IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVh
-oMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8
-/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb
-/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgk
-FMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdP
-cVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQB
-gjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCA
-MB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4K
-AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
-GDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRw
-Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQ
-YXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUF
-BzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRo
-aVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC
-/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCD
-QQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29
-UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlP
-m8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y
-9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K
-8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1
-sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJf
-QaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuB
-UFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tH
-FnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw
-+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghWZMIIVlQIBATCBmTCBgTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
-bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWlj
-cm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAADgHaPPBgpJ3JAAB
-AAAAODANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIB
-BDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQg
-iOz0cDx/prQlDkkSwqGZ+6dMZCSW1yjJ58QYmHdnoTUwcAYKKwYBBAGCNwIBDDFi
-MGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMAIABH
-AG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2luZG93
-cyAwDQYJKoZIhvcNAQEBBQAEggEAFww+AGBg9zP7Yy9PE8xVldGmNTeLiodrHRMQ
-KQ5xee9acyyQ14OX+SmRK/Et5xZOmAWcThwze8dhWw8828Rl0rk11DGPjcI3yvxT
-bZ6kC+IWvSbdMcVNjsSzvWPuV2fk0n+Gar0WtyevCcfF4mjGdycHTlu79XFHWJA1
-HKAR15MKJgBLdEOSC7KMXhAtd+x4cYHw6q4ERhNsYlb0lQl0WGagTN3jSxL6BKpU
-e3b6qc8LKARWBskLQwChR4iXae1rxyVapzlaxd/1ARLfnwqQ8mdn5DBDJBMT8kmG
-52eLHD4xWEG8vSk5po4Tvv3oXd36kb5zaveBpYjeMbe0R+l3z6GCEvEwghLtBgor
-BgEEAYI3AwMBMYIS3TCCEtkGCSqGSIb3DQEHAqCCEsowghLGAgEDMQ8wDQYJYIZI
-AWUDBAIBBQAwggFVBgsqhkiG9w0BCRABBKCCAUQEggFAMIIBPAIBAQYKKwYBBAGE
-WQoDATAxMA0GCWCGSAFlAwQCAQUABCDnp0m6Gp85jNi3+6XFl+PYlqGdnRnuUIz7
-66oguVUesgIGXxcQeogEGBMyMDIwMDczMDIwMTEzMi4xODNaMASAAgH0oIHUpIHR
-MIHOMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
-UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQL
-EyBNaWNyb3NvZnQgT3BlcmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhh
-bGVzIFRTUyBFU046QzRCRC1FMzdGLTVGRkMxJTAjBgNVBAMTHE1pY3Jvc29mdCBU
-aW1lLVN0YW1wIFNlcnZpY2Wggg5EMIIE9TCCA92gAwIBAgITMwAAASM4sOSt2FqQ
-nQAAAAABIzANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
-V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0
-IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0Eg
-MjAxMDAeFw0xOTEyMTkwMTE0NTZaFw0yMTAzMTcwMTE0NTZaMIHOMQswCQYDVQQG
-EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG
-A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3NvZnQg
-T3BlcmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBFU046
-QzRCRC1FMzdGLTVGRkMxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNl
-cnZpY2UwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCdvNDJsGSl3AEu
-8dmbwOEzjgs8Put17PVCxlrXWQzd1ZfmhkBLDMBKyJIM0ItH0ztLDg/Td4TtR2k1
-h6EvNDf0G+qC0dlgmZL/1TOFhZ04Tr98gOc0rfr7ijcK4xBxQtI5TAwiamlO0rel
-iW5f5AD+bIDNKraRBEIcbVWn/CKFeZavL4DCTa99DuK6i2BIv2GVkGWMEBwIlTLp
-wmKSYnHJzTjUUXYNg908rttnhCcD0D+g5HhIqDMvXoTJga5IwA1ToEFfk+Joq/oQ
-CXiDcrKbOsIETuao7lefo73MzUGtVpu48bKgb9OBgpSKeTR7610JmfZqWXY9648R
-bmWyo3dxAgMBAAGjggEbMIIBFzAdBgNVHQ4EFgQUgdRsFIDTjRv5EcKwaN4ZFfgM
-nh4wHwYDVR0jBBgwFoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBL
-oEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMv
-TWljVGltU3RhUENBXzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggr
-BgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNU
-aW1TdGFQQ0FfMjAxMC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAK
-BggrBgEFBQcDCDANBgkqhkiG9w0BAQsFAAOCAQEAW+UBt6pX6Fuq9VeJU/pDvC1M
-xd9kt31H4J/0tUEAT8zkbP+ro49PcrR1jQ3znsMJEsmtX/EvXvgW515Jx+Zd0ep0
-tgZEUwDbU5l8bzC0wsr3mHvyUCH6LPmd4idG9ahw0pxI+kJnX9TMpqzwJOY8YcYY
-ol5cCC1I7x+esu6yx8StMJ7B9dhDvTJ5GkjVyTQpkpn4FBJAzc7udwt/ZelzUQD2
-rs9v1rJSFGXF9zQwjIL+YWYtp4XffR8cmiSbHJ9X/IWVwPvn9RzW6vG3ZIdzmIEZ
-za+0HZzvhrr7bt3chqmHUDDBj5wLeC+xMPcpI8tFKM+uP69Em0CEWLcuXjPTNzCC
-BnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAwgYgxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
-HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMTKU1pY3Jvc29m
-dCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEwMDcwMTIxMzY1
-NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hp
-bmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jw
-b3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGKOiDs/BOX9fp/
-aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0EbGpUdzgkTjnxh
-MFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/JGAyWGBG8lhH
-hjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0kZxJyGiGKr0tk
-iVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7lmsqxqPJ6Kgox
-8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlEXV4WnAEFTyJN
-AgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQU1WM6XIox
-kPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwCwYDVR0P
-BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZWy4/oolxiaNE9
-lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5taWNyb3NvZnQu
-Y29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAtMDYtMjMuY3Js
-MFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3dy5taWNyb3Nv
-ZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcnQwgaAG
-A1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUFBwIBFjFodHRw
-Oi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1bHQuaHRtMEAG
-CCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5AF8AUwB0AGEA
-dABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohRDeLG4Jg/gXED
-PZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l4/m87WtUVwgr
-UYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/f8Z/8jd9Wj8c
-8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WWj1kpvLb9BOFw
-nzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI57BlKcWOdeyFt
-w5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1gJsiOCC1JeVk
-7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9DvfYPw4TtxCd9d
-dJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFrb3epgcunCaw5u+zG
-y9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMuEin1wC9UJyH3
-yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmKLxvHIa9Zta7c
-RDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu7w2gUDXa7wkn
-HNWzfjUeCLraNtvTX4/edIhJEqGCAtIwggI7AgEBMIH8oYHUpIHRMIHOMQswCQYD
-VQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEe
-MBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSkwJwYDVQQLEyBNaWNyb3Nv
-ZnQgT3BlcmF0aW9ucyBQdWVydG8gUmljbzEmMCQGA1UECxMdVGhhbGVzIFRTUyBF
-U046QzRCRC1FMzdGLTVGRkMxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1w
-IFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVALoXZo3g4p4Xwu4MNSgQnjP7+1eBoIGD
-MIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV
-BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG
-A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTAwDQYJKoZIhvcNAQEF
-BQACBQDizWwqMCIYDzIwMjAwNzMwMTk1NjI2WhgPMjAyMDA3MzExOTU2MjZaMHcw
-PQYKKwYBBAGEWQoEATEvMC0wCgIFAOLNbCoCAQAwCgIBAAICIwcCAf8wBwIBAAIC
-EJ8wCgIFAOLOvaoCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYKKwYBBAGEWQoDAqAK
-MAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUFAAOBgQBIx+XUDLw/
-bUbclab0tWWRb8Ukbsl2Sd3YBf6zr8VGExBCanphwdLmiI3bCKUuH9G/jdHi5WIL
-psCIv6VH2T6bdeDGlzb5wscXzWcsdYTlawr6sravdQa3W6A2KvG1IYltFiWZSgJG
-jE3IjC1oCdqVGrphhAVezG5O5ZTukUjNoTGCAw0wggMJAgEBMIGTMHwxCzAJBgNV
-BAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4w
-HAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29m
-dCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABIziw5K3YWpCdAAAAAAEjMA0GCWCG
-SAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcNAQkQAQQwLwYJKoZI
-hvcNAQkEMSIEIL4dYLhC7mXmDydlRqnugjBt2GcgSi3yOoW70+CoaR8AMIH6Bgsq
-hkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgEZozgz/7RMzEDaOjrMSkAAy/KcCiZDOW
-J1yq6vsVgbMwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
-Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
-cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMAIT
-MwAAASM4sOSt2FqQnQAAAAABIzAiBCBfuRgdnySv61pNMlDeS68/+shdmtIxqXMr
-cVR1ETd4szANBgkqhkiG9w0BAQsFAASCAQBiZpUPFsONIt2Rj1MRnOnGRkWQnPHf
-KKE2dAuxSRCaL83GWfDh2NgqT26JnFbA0JjnqlNzaabi00JxChh3XGedQ/ZpVqmE
-O3EPp/b38Q78iriZgxl2QFAPZd4eaT6xrRQ1POL7GdZ9jgbBZ778eT44OdVNpfRT
-gNo8AS+8JOwSo8ZzK1mfyg09WYVCr3HhjRMpfWlB2SejSgg2w4Obdq/WauP7oXOL
-t2EuIaq0oF3+PIbgm0xaCBKtscsXTgdBdssN+jVWxUA+4ayVVjg6VuKs6fpSBsQB
-WBxu434HBGDx9aitPUXzK3XBi2UiWG1mbhCfZv7oYlBVRNmP3riUvks8AAAAAAAA
------END AUTHENTICODE SIGNATURE-----

signature-sles.aarch64.asc

@@ -1,207 +0,0 @@
-hash: 04478d49dfa6c5f8442ec919568e1eda59de99cc1b5192f18028084409bbebe5
-# 1970-01-01 00:00:00
-timestamp: 0
-linker: 2702
-checksum: dfaa
------BEGIN AUTHENTICODE SIGNATURE-----
-MIIlYgYJKoZIhvcNAQcCoIIlUzCCJU8CAQExDzANBglghkgBZQMEAgEFADBcBgor
-BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQgBEeNSd+mxfhELskZVo4e2lnemcwbUZLxgCgIRAm76+WgggswMIIF
-GDCCBACgAwIBAgITMwAAAFRJgAequ/NAsgABAAAAVDANBgkqhkiG9w0BAQsFADCB
-gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzAyMTYyMDE5
-NTdaFw0yNDAxMzEyMDE5NTdaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
-aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl
-ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3LnZl
-au6xJ+i9ZwLUwgOvwO/GIwWKO+IH0DJ07A2CPNJdQcBMu/p31gmVejU1i+FviW71
-IbBCKAyzFaOo9u0RquGymx04bLP+437N2ztW0pLth71fqp0b1DGjEj9u/E1SQaLP
-0MwQ/ooKo9co87S2C8CwX5EosLjQ8UZ016d3CG6Dh8Kqkc3Y1moN7dkDrLzonJsi
-8CfNFcJlj0YaFgsbEROFc6TB+MXsPXHDfjJLKjZxmc5goBKDNXkxbJrtyVGyb+RR
-+LpKlf7aP3zPfTMuRi31Wjnm1qKo7Jd8VlAXXesvrW2ZmzUKijEY5gQLyyjfTuNb
-eiZ4KaO5qGE4oNxNAgMBAAGjggGAMIIBfDAfBgNVHSUEGDAWBgorBgEEAYI3UAIB
-BggrBgEFBQcDAzAdBgNVHQ4EFgQUSWrbGag0281IoZ3+KJt6pFkKC+8wVAYDVR0R
-BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg
-TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMDE3OTAfBgNVHSMEGDAWgBQTrb9D
-Cb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y
-Ny5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDExLTA2
-LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA8Xv+zvV/0
-jUxVVYztqDGphqsTbqaSzI93AMXhV/9xJRGrP8+pX/9LW7cDLBQHWAddeeP/bQRC
-yBeIGYhu7P9kuocvgW8pOD7ivj5JZdNYn8v0V7+T0boFkp+fEF0Ljc00VZf1yPWU
-DS5AiYUqqSL/ihu3NZFgRwJ6ia/Du72uLB5YPQ/4Icyr3VsUWafgZSl4J9QmmAmr
-rCa0U79ofm1Yfu1HnN76u84K+NQ30LBvPaA35JrcSI/OHKGxbD25lTCU65+yb0vI
-zYfFgvbG8VfrALOT6GhvN4NKGQzCQFLm7DMaibz7qcM8bKujdp9WL+Zb8MqxostZ
-05x9av9mlH22MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsF
-ADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
-B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UE
-AxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNl
-IFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UE
-BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
-BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0
-IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVh
-oMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8
-/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb
-/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgk
-FMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdP
-cVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQB
-gjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCA
-MB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4K
-AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
-GDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRw
-Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQ
-YXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUF
-BzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRo
-aVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC
-/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCD
-QQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29
-UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlP
-m8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y
-9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K
-8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1
-sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJf
-QaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuB
-UFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tH
-FnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw
-+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghmlMIIZoQIBATCBmTCBgTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
-bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWlj
-cm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAFRJgAequ/NAsgAB
-AAAAVDANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIB
-BDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQg
-LcYGMAvB0idkCnQM+G+IMQt0fJORIvSY6QOYFPiyFVswcAYKKwYBBAGCNwIBDDFi
-MGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMAIABH
-AG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2luZG93
-cyAwDQYJKoZIhvcNAQEBBQAEggEAif9/Js94QQLbY+n2RgCcN8AdDm6nRry1GdUZ
-YLjS0sIPKj8S8q8G8yl+OF2JwJClycVAB+klCnbYOxAuF6kZ4Zs6i76E9MFolY7V
-f6UycXb6gjKvU1jIJx+kd65Jlf5tzWex/T5grkxdvkpYzQjES3qGYKbRwZOsTjQG
-2RjXmYjVzCqxbLK6B8iMn590nBzkrF5eYFYj9HAHSuhXNc7IQfGNudbh6IO2roIp
-JUnEyryEGCuWlMboNT5uPmelxRlTcxHIqgjWHLqV7OgJW7Bgm1nOWSYnSyX0bNpm
-ZuaKGctaZaADxRrJfUb7JviGCWu6kQnXXf+qsUT61V43X+5N/6GCFv0wghb5Bgor
-BgEEAYI3AwMBMYIW6TCCFuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZI
-AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE
-WQoDATAxMA0GCWCGSAFlAwQCAQUABCBr89EEDYEQ89Gcyjti1xGsTdSvHYU+NslR
-c5cDNSX5ZAIGZBMUoZOGGBMyMDIzMDMyMDIxMTEwNi4yMTFaMASAAgH0oIHQpIHN
-MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
-UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL
-ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg
-VFNTIEVTTjpENkJELUUzRTctMTY4NTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
-U3RhbXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABx/sAoEpb8ifcAAEA
-AAHHMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo
-aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y
-cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw
-MB4XDTIyMTEwNDE5MDEzNVoXDTI0MDIwMjE5MDEzNVowgcoxCzAJBgNVBAYTAlVT
-MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK
-ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy
-aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkQ2QkQtRTNF
-Ny0xNjg1MSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC
-IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr0LcVtnatNFMBrQTtG9P8ISA
-PyyGmxNfhEzaOVlt088pBUFAIasmN/eOijE6Ucaf3c2bVnN/02ih0smSqYkm5P3Z
-wU7ZW202b6cPDJjXcrjJj0qfnuccBtE3WU0vZ8CiQD7qrKxeF8YBNcS+PVtvsqhd
-5YW6AwhWqhjw1mYuLetF5b6aPif/3RzlyqG3SV7QPiSJends7gG435Rsy1HJ4Xnq
-ztOJR41I0j3EQ05JMF5QNRi7kT6vXTT+MHVj27FVQ7bef/U+2EAbFj2X2AOWbvgl
-YaYnM3m/I/OWDHUgGw8KIdsDh3W1eusnF2D7oenGgtahs+S1G5Uolf5ESg/9Z+38
-rhQwLgokY5k6p8k5arYWtszdJK6JiIRl843H74k7+QqlT2LbAQPq8ivQv0gdclW2
-aJun1KrW+v52R3vAHCOtbUmxvD1eNGHqGqLagtlq9UFXKXuXnqXJqruCYmfwdFMD
-0UP6ii1lFdeKL87PdjdAwyCiVcCEoLnvDzyvjNjxtkTdz6R4yF1N/X4PSQH4Flgs
-lyBIXggaSlPtvPuxAtuac/ITj4k0IRShGiYLBM2Dw6oesLOoxe07OUPO+qXXOcJM
-VHhE0MlhhnxfN2B1JWFPWwQ6ooWiqAOQDqzcDx+79shxA1Cx0K70eOBplMog27gY
-oLpBv7nRz4tHqoTyvA0CAwEAAaOCATYwggEyMB0GA1UdDgQWBBQFUNLdHD7BAF/V
-U/X/eEHLiUSSIDAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV
-HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny
-bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI
-KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j
-b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy
-MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0G
-CSqGSIb3DQEBCwUAA4ICAQDQy5c8ogP0y8xAsLVca07wWy1mT+nqYgAFnz2972kN
-O+KJ7AE4f+SVbvOnkeeuOPq3xc+6TS8g3FuKKYEwYqvnRHxX58tjlscZsZeKnu7f
-GNUlpNT9bOQFHWALURuoXp8TLHhxj3PEq9jzFYBP2YNMLol70ojY1qpze3nMMJfp
-durdBBpaOLlJmRNTLhxd+RJGJQbY1XAcx6p/FigwqBasSDUxp+0yFPEBB9uBE3KI
-LAtq6fczGp4EMeon6YmkyCGAtXMKDFQQgdP/ITe7VghAVbPTVlP3hY1dFgc+t8YK
-2obFSFVKslkASATDHulCMht+WrIsukclEUP9DaMmpq7S0RLODMicI6PtqqGOhdna
-RltA0d+Wf+0tPt9SUVtrPJyO7WMPKbykCRXzmHK06zr0kn1YiUYNXCsOgaHF5ImO
-2ZwQ54UE1I55jjUdldyjy/UPJgxRm9NyXeO7adYr8K8f6Q2nPF0vWqFG7ewwaAl5
-ClKerzshfhB8zujVR0d1Ra7Z01lnXYhWuPqVZayFl7JHr6i6huhpU6BQ6/VgY0cB
-iksX4mNM+ISY81T1RYt7fWATNu/zkjINczipzbfg5S+3fCAo8gVB6+6A5L0vBg39
-dsFITv6MWJuQ8ZZy7fwlFBZE4d5IFbRudakNwKGdyLGM2otaNq7wm3ku7x41UGAm
-kDCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL
-BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
-EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV
-BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X
-DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR
-BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p
-Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh
-bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM
-57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm
-95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB
-RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb
-fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO
-Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw
-XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW
-/aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w
-EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK
-Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2
-BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH
-CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB
-BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v
-BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM
-KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0
-LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF
-BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD
-VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW
-BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny
-bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH
-AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp
-L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF
-AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx
-Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+
-iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2
-pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw
-C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7
-T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO
-Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL
-mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L
-wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5
-m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE
-0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIB
-ATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x
-EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv
-bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UE
-CxMdVGhhbGVzIFRTUyBFU046RDZCRC1FM0U3LTE2ODUxJTAjBgNVBAMTHE1pY3Jv
-c29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAOIASP0JSbv5
-R23wxciQivHyckYooIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh
-c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD
-b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw
-MTAwDQYJKoZIhvcNAQEFBQACBQDnwtiGMCIYDzIwMjMwMzIwMjEwNTEwWhgPMjAy
-MzAzMjEyMTA1MTBaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOfC2IYCAQAwBwIB
-AAICAkYwBwIBAAICEbMwCgIFAOfEKgYCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK
-KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF
-AAOBgQA3o66z40T47h4wEcnqjCErmCuDisVa7cvd4+ElidY8OUGeUpbEytUwVA0a
-xpeO6wSolRKjfvRNw+CI19gwd6jJuTxs2zEFwPhVv1LRHdRMA1e880yUIuyW8Gol
-i0AnXV9rG70hHJp3CmPJ07EM6PaTlGAQhtOSnZmt3EbpOa8PyDGCBA0wggQJAgEB
-MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH
-EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV
-BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABx/sAoEpb8ifc
-AAEAAAHHMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN
-AQkQAQQwLwYJKoZIhvcNAQkEMSIEIMb7y9eYTXD51JKOcZroyxATiy9HALXVe+p+
-Gpxn3HAeMIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgR+fl2+JSskULOeVY
-LbeMgk7HdIbREmAsjwtcy6MJkskwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG
-A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj
-cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt
-cCBQQ0EgMjAxMAITMwAAAcf7AKBKW/In3AABAAABxzAiBCDawC6YVvLZ6RoyguNo
-tb7bPYiDNi1Lq3AJJTSBUXXuRzANBgkqhkiG9w0BAQsFAASCAgBuabic21jN5mcr
-JSSjkx1wLBYeWML4O4k28Yl45QEPKriORVt/+MkFUZYl2gZpRNbXmeFDXzh5H882
-rUeFQrL0MKfD/VthS7WbgHkt2ARKNQQjme8OONhPmY9Z9bbli6pDibfh0+GskgWh
-wZEjiiepJATXh4vl4aNC2Pt0AykSYo/ccLNcE7M2Id26uOUGTafyaY3NjBjzAiLh
-iuQlS/F+snuJe021UXj/Pokl1Ancp0bdxHSTBxGpu1oQVaBg1YmfaVAaqWYTUUdj
-vuohlQZuk+bUayC7Mi3xnAqOlVMIDaVfbS4j3RbVAC6KPwNBytGCfKUlPs0FqGjO
-i1Sd7Ifd6UbHVoaq1wfFbCapH4NQ/1oqlMSfGaRXAg9Z8IiI87JLTO7lfob/zT7F
-jbFiHDZDiZcODf8Lxa58hgyn35h/8aYvDf98gMN1MrTy4yZkSTVxxz0+cZdAMjeg
-DyXB6A3cqZvpL3fmM88CNKRrnJo5IYK9BU4QqLu5XGIChYdsJEjdDaG1+hFjaXzC
-1cpasZcNF9EDFprVmIHxJjJljxthMhU+JeDBGfvHqH+DQldaodALY7exjGPjhPBU
-qKjxF8AcoRdTdBTX9K6zL1sARYUKoOjQu4GJRXVlEqXStbVy0zSoaUYAXsGWiIgN
-+KppwX5z9ek02RqPcQksSamyAJOcaQAA
------END AUTHENTICODE SIGNATURE-----

signature-sles.x86_64.asc

@@ -1,208 +0,0 @@
-hash: 2b0d7d00e2d5ef27605375da81690afaab91d19ea4cc129ced8dfb34d9c5c2d3
-# 1970-01-01 00:00:00
-timestamp: 0
-linker: 2702
-checksum: c766
------BEGIN AUTHENTICODE SIGNATURE-----
-MIIljgYJKoZIhvcNAQcCoIIlfzCCJXsCAQExDzANBglghkgBZQMEAgEFADBcBgor
-BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB
-ZQMEAgEFAAQgKw19AOLV7ydgU3XagWkK+quR0Z6kzBKc7Y37NNnFwtOgggswMIIF
-GDCCBACgAwIBAgITMwAAAFRJgAequ/NAsgABAAAAVDANBgkqhkiG9w0BAQsFADCB
-gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi
-TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0yMzAyMTYyMDE5
-NTdaFw0yNDAxMzEyMDE5NTdaMIGGMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz
-aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv
-cnBvcmF0aW9uMTAwLgYDVQQDEydNaWNyb3NvZnQgV2luZG93cyBVRUZJIERyaXZl
-ciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3LnZl
-au6xJ+i9ZwLUwgOvwO/GIwWKO+IH0DJ07A2CPNJdQcBMu/p31gmVejU1i+FviW71
-IbBCKAyzFaOo9u0RquGymx04bLP+437N2ztW0pLth71fqp0b1DGjEj9u/E1SQaLP
-0MwQ/ooKo9co87S2C8CwX5EosLjQ8UZ016d3CG6Dh8Kqkc3Y1moN7dkDrLzonJsi
-8CfNFcJlj0YaFgsbEROFc6TB+MXsPXHDfjJLKjZxmc5goBKDNXkxbJrtyVGyb+RR
-+LpKlf7aP3zPfTMuRi31Wjnm1qKo7Jd8VlAXXesvrW2ZmzUKijEY5gQLyyjfTuNb
-eiZ4KaO5qGE4oNxNAgMBAAGjggGAMIIBfDAfBgNVHSUEGDAWBgorBgEEAYI3UAIB
-BggrBgEFBQcDAzAdBgNVHQ4EFgQUSWrbGag0281IoZ3+KJt6pFkKC+8wVAYDVR0R
-BE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJhdGlvbnMg
-TGltaXRlZDEWMBQGA1UEBRMNMjI5OTExKzUwMDE3OTAfBgNVHSMEGDAWgBQTrb9D
-Cb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIwMTFfMjAxMS0wNi0y
-Ny5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1p
-Y3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNBMjAxMV8yMDExLTA2
-LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQA8Xv+zvV/0
-jUxVVYztqDGphqsTbqaSzI93AMXhV/9xJRGrP8+pX/9LW7cDLBQHWAddeeP/bQRC
-yBeIGYhu7P9kuocvgW8pOD7ivj5JZdNYn8v0V7+T0boFkp+fEF0Ljc00VZf1yPWU
-DS5AiYUqqSL/ihu3NZFgRwJ6ia/Du72uLB5YPQ/4Icyr3VsUWafgZSl4J9QmmAmr
-rCa0U79ofm1Yfu1HnN76u84K+NQ30LBvPaA35JrcSI/OHKGxbD25lTCU65+yb0vI
-zYfFgvbG8VfrALOT6GhvN4NKGQzCQFLm7DMaibz7qcM8bKujdp9WL+Zb8MqxostZ
-05x9av9mlH22MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsF
-ADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT
-B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UE
-AxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNl
-IFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UE
-BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
-BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0
-IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVh
-oMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8
-/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb
-/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgk
-FMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdP
-cVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQB
-gjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCA
-MB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4K
-AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME
-GDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRw
-Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQ
-YXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUF
-BzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRo
-aVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC
-/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCD
-QQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29
-UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlP
-m8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y
-9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K
-8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1
-sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJf
-QaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuB
-UFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tH
-FnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw
-+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghnRMIIZzQIBATCBmTCBgTEL
-MAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1v
-bmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWlj
-cm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAAAFRJgAequ/NAsgAB
-AAAAVDANBglghkgBZQMEAgEFAKCB3DAZBgkqhkiG9w0BCQMxDAYKKwYBBAGCNwIB
-BDAcBgorBgEEAYI3AgELMQ4wDAYKKwYBBAGCNwIBFTAvBgkqhkiG9w0BCQQxIgQg
-nl9Qe9t9Ct73RQ7L3246HC0dlQ8sxnBmAEwd2KVIiSMwcAYKKwYBBAGCNwIBDDFi
-MGCgMoAwAFMAVQBTAEUAIABMAGkAbgB1AHgAIABQAHIAbwBkAHUAYwB0AHMAIABH
-AG0AYgBIoSqAKGh0dHBzOi8vd3d3Lm1pY3Jvc29mdC5jb20vZW4tdXMvd2luZG93
-cyAwDQYJKoZIhvcNAQEBBQAEggEApEHFoAeD35yLRG+cqmAm+HpNsegwfxiROHWO
-D0JWTIrF4lPwhLwC6zkF6SPj+MxH1aJaGnfHLmPfHvPkHxr4aEQA1jMY5+IIUMpJ
-KyIN9sKGFRs3TMK5zYU9waOOOfSKnwf7tklge7ekTQM2uEr/ZAfU3GZpXyV0nI7i
-0iLTyRTwJ8uKob/6oRKuKqKJnpoymbr+8AhMF1IP8GbwINPfdN1T+Rn5+Q1+LXl6
-pEPwPmMFK4C4tGRlIXMs63uPwRDU/TghPZW/LmNWc8D4PGfUdht5M+yk/J/6s4fO
-dcP7D459SqlzVrEsk5pDTLHwLb1L8e7iYXJrQUf4Z3Y0GQfUGqGCFykwghclBgor
-BgEEAYI3AwMBMYIXFTCCFxEGCSqGSIb3DQEHAqCCFwIwghb+AgEDMQ8wDQYJYIZI
-AWUDBAIBBQAwggFZBgsqhkiG9w0BCRABBKCCAUgEggFEMIIBQAIBAQYKKwYBBAGE
-WQoDATAxMA0GCWCGSAFlAwQCAQUABCDWmLcKWCmN5uVF0nepDxHZfjFrUB7wcSG+
-TodKvtwaBQIGY/daGrubGBMyMDIzMDMyMDIxMTExNC4zMzFaMASAAgH0oIHYpIHV
-MIHSMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH
-UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMS0wKwYDVQQL
-EyRNaWNyb3NvZnQgSXJlbGFuZCBPcGVyYXRpb25zIExpbWl0ZWQxJjAkBgNVBAsT
-HVRoYWxlcyBUU1MgRVNOOkQwODItNEJGRC1FRUJBMSUwIwYDVQQDExxNaWNyb3Nv
-ZnQgVGltZS1TdGFtcCBTZXJ2aWNloIIReDCCBycwggUPoAMCAQICEzMAAAG6Hz8Z
-98F1vXwAAQAAAbowDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzARBgNV
-BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv
-c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg
-UENBIDIwMTAwHhcNMjIwOTIwMjAyMjE5WhcNMjMxMjE0MjAyMjE5WjCB0jELMAkG
-A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx
-HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMkTWljcm9z
-b2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1UaGFsZXMg
-VFNTIEVTTjpEMDgyLTRCRkQtRUVCQTElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt
-U3RhbXAgU2VydmljZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIhO
-FYMzkjWAE9UVnXF9hRGv0xBRxc+I5Hu3hxVFXyK3u38xusEb0pLkwjgGtDsaLLbr
-lMxqX3tFb/3BgEPEC3L0wX76gD8zHt+wiBV5mq5BWop29qRrgMJKKCPcpQnSjs9B
-/4XMFFvrpdPicZDv43FLgz9fHqMq0LJDw5JAHGDS30TCY9OF43P4d44Z9lE7CaVS
-2pJMF3L453MXB5yYK/KDbilhERP1jxn2yl+tGCRguIAsMG0oeOhXaw8uSGOhS6AC
-SHb+ebi0038MFHyoTNhKf+SYo4OpSY3xP4+swBBTKDoYP1wH+CfxG6h9fymBJQPQ
-Zaqfl0riiDLjmDunQtH1GD64Air5k9Jdwhq5wLmSWXjyFVL+IDfOpdixJ6f5o+Mh
-E6H4t31w+prygHmd2UHQ657UGx6FNuzwC+SpAHmV76MZYac4uAhTgaP47P2eeS1o
-ckvyhl9ya+9JzPfMkug3xevzFADWiLRMr066EMV7q3JSRAsnCS9GQ08C4FKPbSh8
-OPM33Lng0ffxANnHAAX/DE7cHcx7l9jaV3Acmkj7oqir4Eh2u5YxwiaTE37XaMum
-X2ES3PJ5NBaXq7YdLJwySD+U9pk/tl4dQ1t/Eeo7uDTliOyQkD8I74xpVB0T31/6
-7KHfkBkFVvy6wye21V+9IC8uSD++RgD3RwtN2kE/AgMBAAGjggFJMIIBRTAdBgNV
-HQ4EFgQUimLm8QMeJa25j9MWeabI2HSvZOUwHwYDVR0jBBgwFoAUn6cVXQBeYl2D
-9OXSZacbUzUZ6XIwXwYDVR0fBFgwVjBUoFKgUIZOaHR0cDovL3d3dy5taWNyb3Nv
-ZnQuY29tL3BraW9wcy9jcmwvTWljcm9zb2Z0JTIwVGltZS1TdGFtcCUyMFBDQSUy
-MDIwMTAoMSkuY3JsMGwGCCsGAQUFBwEBBGAwXjBcBggrBgEFBQcwAoZQaHR0cDov
-L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNyb3NvZnQlMjBUaW1l
-LVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcnQwDAYDVR0TAQH/BAIwADAWBgNVHSUB
-Af8EDDAKBggrBgEFBQcDCDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQAD
-ggIBAF/I8U6hbZhvDcn96nZ6tkbSEjXPvKZ6wroaXcgstEhpgaeEwleLuPXHLzEW
-tuJuYz4eshmhXqFr49lbAcX5SN5/cEsP0xdFayb7U5P94JZd3HjFvpWRNoNBhF3S
-DM0A38sI2H+hjhB/VfX1XcZiei1ROPAyCHcBgHLyQrEu6mnb3HhbIdr8h0Ta7WFy
-lGhLSFW6wmzKusP6aOlmnGSac5NMfla6lRvTYHd28rbbCgfSm1RhTgoZj+W8DTKt
-iEMwubHJ3mIPKmo8xtJIWXPnXq6XKgldrL5cynLMX/0WX65OuWbHV5GTELdfWvGV
-3DaZrHPUQ/UP31Keqb2xjVCb30LVwgbjIvYS77N1dARkN8F/9pJ1gO4IvZWMwyMl
-KKFGojO1f1wbjSWcA/57tsc+t2blrMWgSNHgzDr01jbPSupRjy3Ht9ZZs4xN02ei
-X3eG297NrtC6l4c/gzn20eqoqWx/uHWxmTgB0F5osBuTHOe77DyEA0uhArGlgKP9
-1jghgt/OVHoH65g0QqCtgZ+36mnCEg6IOhFoFrCc0fJFGVmb1+17gEe+HRMM7jBk
-4O06J+IooFrI3e3PJjPrQano/MyE3h+zAuBWGMDRcUlNKCDU7dGnWvH3XWwLrCCI
-cz+3GwRUMsLsDdPW2OVv7v1eEJiMSIZ2P+M7L20Q8aznU4OAMIIHcTCCBVmgAwIB
-AgITMwAAABXF52ueAptJmQAAAAAAFTANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UE
-BhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAc
-BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0
-IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIwMTAwHhcNMjEwOTMwMTgyMjI1
-WhcNMzAwOTMwMTgzMjI1WjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
-Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
-cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDCC
-AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAOThpkzntHIhC3miy9ckeb0O
-1YLT/e6cBwfSqWxOdcjKNVf2AX9sSuDivbk+F2Az/1xPx2b3lVNxWuJ+Slr+uDZn
-hUYjDLWNE893MsAQGOhgfWpSg0S3po5GawcU88V29YZQ3MFEyHFcUTE3oAo4bo3t
-1w/YJlN8OWECesSq/XJprx2rrPY2vjUmZNqYO7oaezOtgFt+jBAcnVL+tuhiJdxq
-D89d9P6OU8/W7IVWTe/dvI2k45GPsjksUZzpcGkNyjYtcI4xyDUoveO0hyTD4MmP
-frVUj9z6BVWYbWg7mka97aSueik3rMvrg0XnRm7KMtXAhjBcTyziYrLNueKNiOSW
-rAFKu75xqRdbZ2De+JKRHh09/SDPc31BmkZ1zcRfNN0Sidb9pSB9fvzZnkXftnIv
-231fgLrbqn427DZM9ituqBJR6L8FA6PRc6ZNN3SUHDSCD/AQ8rdHGO2n6Jl8P0zb
-r17C89XYcz1DTsEzOUyOArxCaC4Q6oRRRuLRvWoYWmEBc8pnol7XKHYC4jMYcten
-IPDC+hIK12NvDMk2ZItboKaDIV1fMHSRlJTYuVD5C4lh8zYGNRiER9vcG9H9stQc
-xWv2XFJRXRLbJbqvUAV6bMURHXLvjflSxIUXk8A8FdsaN8cIFRg/eKtFtvUeh17a
-j54WcmnGrnu3tz5q4i6tAgMBAAGjggHdMIIB2TASBgkrBgEEAYI3FQEEBQIDAQAB
-MCMGCSsGAQQBgjcVAgQWBBQqp1L+ZMSavoKRPEY1Kc8Q/y8E7jAdBgNVHQ4EFgQU
-n6cVXQBeYl2D9OXSZacbUzUZ6XIwXAYDVR0gBFUwUzBRBgwrBgEEAYI3TIN9AQEw
-QTA/BggrBgEFBQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9E
-b2NzL1JlcG9zaXRvcnkuaHRtMBMGA1UdJQQMMAoGCCsGAQUFBwMIMBkGCSsGAQQB
-gjcUAgQMHgoAUwB1AGIAQwBBMAsGA1UdDwQEAwIBhjAPBgNVHRMBAf8EBTADAQH/
-MB8GA1UdIwQYMBaAFNX2VsuP6KJcYmjRPZSQW9fOmhjEMFYGA1UdHwRPME0wS6BJ
-oEeGRWh0dHA6Ly9jcmwubWljcm9zb2Z0LmNvbS9wa2kvY3JsL3Byb2R1Y3RzL01p
-Y1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNybDBaBggrBgEFBQcBAQROMEwwSgYIKwYB
-BQUHMAKGPmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2kvY2VydHMvTWljUm9v
-Q2VyQXV0XzIwMTAtMDYtMjMuY3J0MA0GCSqGSIb3DQEBCwUAA4ICAQCdVX38Kq3h
-LB9nATEkW+Geckv8qW/qXBS2Pk5HZHixBpOXPTEztTnXwnE2P9pkbHzQdTltuw8x
-5MKP+2zRoZQYIu7pZmc6U03dmLq2HnjYNi6cqYJWAAOwBb6J6Gngugnue99qb74p
-y27YP0h1AdkY3m2CDPVtI1TkeFN1JFe53Z/zjj3G82jfZfakVqr3lbYoVSfQJL1A
-oL8ZthISEV09J+BAljis9/kpicO8F7BUhUKz/AyeixmJ5/ALaoHCgRlCGVJ1ijbC
-HcNhcy4sa3tuPywJeBTpkbKpW99Jo3QMvOyRgNI95ko+ZjtPu4b6MhrZlvSP9pEB
-9s7GdP32THJvEKt1MMU0sHrYUP4KWN1APMdUbZ1jdEgssU5HLcEUBHG/ZPkkvnNt
-yo4JvbMBV0lUZNlz138eW0QBjloZkWsNn6Qo3GcZKCS6OEuabvshVGtqRRFHqfG3
-rsjoiV5PndLQTHa1V1QJsWkBRH58oWFsc/4Ku+xBZj1p/cvBQUl+fpO+y/g75LcV
-v7TOPqUxUYS8vwLBgqJ7Fx0ViY1w/ue10CgaiQuPNtq6TPmb/wrpNPgkNWcr4A24
-5oyZ1uEi6vAnQj0llOZ0dFtq0Z4+7X6gMTN9vMvpe784cETRkPHIqzqKOghif9lw
-Y1NNje6CbaUFEMFxBmoQtB1VM1izoXBm8qGCAtQwggI9AgEBMIIBAKGB2KSB1TCB
-0jELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEtMCsGA1UECxMk
-TWljcm9zb2Z0IElyZWxhbmQgT3BlcmF0aW9ucyBMaW1pdGVkMSYwJAYDVQQLEx1U
-aGFsZXMgVFNTIEVTTjpEMDgyLTRCRkQtRUVCQTElMCMGA1UEAxMcTWljcm9zb2Z0
-IFRpbWUtU3RhbXAgU2VydmljZaIjCgEBMAcGBSsOAwIaAxUAdqNHe113gCJ87aZI
-Ga5QBUqIwvKggYMwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGlu
-Z3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBv
-cmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFtcCBQQ0EgMjAxMDAN
-BgkqhkiG9w0BAQUFAAIFAOfCzGowIhgPMjAyMzAzMjAyMDEzMzBaGA8yMDIzMDMy
-MTIwMTMzMFowdDA6BgorBgEEAYRZCgQBMSwwKjAKAgUA58LMagIBADAHAgEAAgIo
-sTAHAgEAAgITWDAKAgUA58Qd6gIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEE
-AYRZCgMCoAowCAIBAAIDB6EgoQowCAIBAAIDAYagMA0GCSqGSIb3DQEBBQUAA4GB
-AFQv5G3OKjQK9etdeYFFznROY2X7c1SkMnQwwxm3+j0ifvXyI2sWUTXDSpw6500w
-NgkAw5aSKGdASAU86Guo+KChFeoPRFKEsd8vz5lkqD+ygzniQdZv9IwewyUKKEQp
-3tfj3jYfEAGHaviNrpKGRKX2JOvqTGBPFb9f1Ni9Zk6CMYIEDTCCBAkCAQEwgZMw
-fDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl
-ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMd
-TWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAAG6Hz8Z98F1vXwAAQAA
-AbowDQYJYIZIAWUDBAIBBQCgggFKMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRAB
-BDAvBgkqhkiG9w0BCQQxIgQg8iSGA5ZZFd75t8R/n+vXy/Xd8Hzr9NC5zXhiQqgn
-Gz8wgfoGCyqGSIb3DQEJEAIvMYHqMIHnMIHkMIG9BCApVb08M25w+tYGWsmlGtp1
-gy1nPcqWfqgMF3nlWYVzBTCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
-EwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3Nv
-ZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBD
-QSAyMDEwAhMzAAABuh8/GffBdb18AAEAAAG6MCIEIJPReYCIzr/054P84PApGlAT
-MPM0RvB8udGeI69L54BFMA0GCSqGSIb3DQEBCwUABIICADU4cWidCUu/BiJ0NNqk
-qeqVjGfrmF/WRF4/wm6xtE/3zQk0fXwtn69aEHrw41TQEaZetk0SLeRtc9hiWLL/
-uP/MM2CkEJO1rbYXRa0HOURV3QOPzDG523o1qG1bx05MxNZKH+79xHAWKXWXYABL
-AR0QqSbm+WRGfjj6G6tg4i5TetX8Asxe3AozmopVqjI/Y0bQhySg7Rn1czGMzStO
-Da0Jj676MYbHrUwejdsjvSJ1NLrkQ144Fnun/BjLv8c3liOaUlK+F5YOnwwUvk//
-Gb1HZNo7zGug5LT/8a7WOnqtXWXL4Kk2wa/h3MlYEBM6TMjixvpY5aKbChCagi2x
-8deizMg1HuhYZlhCOpJnPkW+O7+z/89FIheAsQwUfJo/z/e+RPqdS8WE1Hr/vbUH
-7l/wQrIJpumK2B4aR7QRAAY+yUQxbARGn97BZh6sb5hX2MGYIs5uniuvi9IA8Gjt
-tIJdnecbWxVBa1pMtZuDKthgGc/IGSgMh2ckQ4k0466eMl/OkWsLVT0X46ZLdlt/
-+g9pnpFHBa5YSG+WbsiuSydYBzVmEc7dIcjIh6YRHcBOXuOr9SObW7ALOyCwOk7r
-kRcnmQvSVy6sbkzXVI9hdCp5vg5rsUnkCCfIqKeKNQUV0EugFLhY5J7LvowAuBFN
-nMkgl+w2bS05mxmBSrdLbAuOAAAAAAAA
------END AUTHENTICODE SIGNATURE-----

timestamp.pl

@@ -87,7 +87,7 @@ if ($options{'set-from-file'}) {
 			$set_linker = pack('S', hex($1));
 			next;
 		} elsif (/^checksum: ([0-9a-f]+)/) {
-			$set_checksum = pack('S', hex($1));
+			$set_checksum = pack('L', hex($1));
 			next;
 		}
 		last if $set_timestamp && $set_checksum && $set_linker;
@@ -114,9 +114,9 @@ sub do_show($)
 	printf ("linker: %x\n", unpack('S', $value));
 
 	die "seek $file: $!\n" unless seek($fh, 216, 0);
-	die "read $file: $!\n" unless read($fh, $value, 2);
+	die "read $file: $!\n" unless read($fh, $value, 4);
 
-	printf ("checksum: %x\n", unpack('S', $value));
+	printf ("checksum: %x\n", unpack('L', $value));
 
 	close($fh);
 }
@@ -132,7 +132,7 @@ sub do_set($)
 	die "write $file: $!\n" unless print $fh $set_linker;
 
 	die "seek $file: $!\n" unless seek($fh, 216, 0);
-	die "read $file: $!\n" unless print $fh $set_checksum;
+	die "write $file: $!\n" unless print $fh $set_checksum;
 	close($fh);
 }