shim.changes: Update change log for Fixed some issues in RPM Macro

and pretrans lus script with the old  rpm-4.14.3 on SLE-15-SP3

SIGNATURE_UPDATE.txt

@@ -0,0 +1,25 @@
+==== openSUSE ====
+For openSUSE, the devel project of shim is devel:openSUSE:Factory. ALWAYS
+use the latest Leap to build shim-opensuse.efi for UEFI CA. Tumbleweed
+shares the same binary with Leap, so do the older Leap releases.
+
+The steps to udpate signature-opensuse.asc:
+1) Branch devel:openSUSE:Factory/shim.
+2) Add the latest Leap, e.g. 42.2, to the build target.
+3) Build shim-opensuse.efi against the latest Leap.
+4) Strip the signature from shim-opensuse.efi with strip_signature.sh.
+5) Send shim-opensuse.efi to UEFI CA to request a new signature.
+6) Extract the signature from the signed shim.efi with extract_signature.sh
+7) Update signature-opensuse.asc.
+
+==== SLES ===
+Since there is no devel project for shim in SLES, just build shim-sles.efi with
+the latest SLES and then send it to UEFI CA for a new signature.
+
+The steps to update signature-sles.asc:
+1) Branch shim from the latest SLES and apply the update/fix.
+2) Build shim-sles.efi against the latest SLES.
+3) Strip the signature from shim-sles.efi with strip_signature.sh.
+4) Send shim-sles.efi to UEFI CA to request a new signature.
+5) Extract the signature from the signed shim.efi with extract_signature.sh
+6) Update signature-sles.asc.

attach_signature.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+# attach ascii armored signature to a PE binary
+set -e
+
+sig="$1"
+infile="$2"
+if [ -z "$sig" -o ! -e "$sig" -o -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 sig.asc file.efi"
+	exit 1
+fi
+
+outfile="${infile%.efi}-signed.efi"
+
+pesign -m "$sig" -i "$infile" -o "$outfile"

extract_signature.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# extract ascii armored signature from a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 file.efi"
+	exit 1
+fi
+
+# wtf?
+(pesign -h -P -i "$infile";
+perl $(dirname $0)/timestamp.pl "$infile";
+pesign -a -f -e /dev/stdout -i "$infile")|cat

generate-vendor-dbx.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+# random UUID for SUSE
+owner=353f0911-0788-451c-aaf7-31688391e8fd
+
+: > vendor-dbx-opensuse.esl
+: > vendor-dbx-sles.esl
+# vendor dbx file with all certs for testing environment
+: > vendor-dbx.esl
+
+for cert in "$@"; do
+	esl="${cert##*/}"
+	esl="${cert%.crt}.esl"
+	cert-to-efi-sig-list -g "$owner" "$cert" "$esl"
+	case "$cert" in
+		*openSUSE*) cat "$esl" >> "vendor-dbx-opensuse.esl" ;;
+		*SLES*) cat "$esl" >> "vendor-dbx-sles.esl" ;;
+	esac
+	cat "$esl" >> "vendor-dbx.esl"
+done

remove_build_id.patch

@@ -0,0 +1,26 @@
+Index: shim-15.8/gnu-efi/Make.defaults
+===================================================================
+--- shim-15.8.orig/gnu-efi/Make.defaults
++++ shim-15.8/gnu-efi/Make.defaults
+@@ -205,7 +205,7 @@ endif
+ 
+ ASFLAGS += $(ARCH3264)
+ LDFLAGS	+= -nostdlib --warn-common --no-undefined --fatal-warnings \
+-	   --build-id=sha1 --no-warn-rwx-segments
++	   --no-warn-rwx-segments
+ 
+ ifneq ($(ARCH),arm)
+ export LIBGCC=$(shell $(CC) $(CFLAGS) $(ARCH3264) -print-libgcc-file-name)
+Index: shim-15.8/Make.defaults
+===================================================================
+--- shim-15.8.orig/Make.defaults
++++ shim-15.8/Make.defaults
+@@ -192,7 +192,7 @@ ifneq ($(origin SBAT_AUTOMATIC_DATE), un
+ DEFINES		+= -DSBAT_AUTOMATIC_DATE=$(SBAT_AUTOMATIC_DATE)
+ endif
+ 
+-LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) --build-id=sha1 $(ARCH_LDFLAGS) --no-undefined
++LDFLAGS		= --hash-style=sysv -nostdlib -znocombreloc -T $(EFI_LDS) -shared -Bsymbolic -L$(LOCAL_EFI_PATH) -L$(LIBDIR) -LCryptlib -LCryptlib/OpenSSL $(EFI_CRT_OBJS) $(ARCH_LDFLAGS) --no-undefined
+ 
+ ifneq ($(DEBUG),)
+ export DEBUG

revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt

@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
+MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
+IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
+QHN1c2UuZGUwHhcNMTMwMTIyMTQ1ODUxWhcNMjIxMjAxMTQ1ODUxWjCBqzEyMDAG
+A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
+CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
+TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
+SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
+o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
+HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
+R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
+og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
+q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
+MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
+FD1NQM+ThTkCSxz8WhLe3+ixfnVfoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
+bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
+VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
+SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
+ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
+KoZIhvcNAQELBQADggIBAFs0xW7Uzi3a52ho92ninU9yy1doEodWf8f37zmq3Kxf
+v/y+mFCFuMw5zps4xyK1xfDBmVZ6f5GMolfkPnioYzKujqTgFCmKDZXjXIgHEej5
+h+xzCalIYT3XT+JsmKvvZKcFMV9/py7+okEhekyFdak6WbxinisyEh6a7I+edNzB
+2/dPkbIS7x2UmlFzXvAYTCwOqMwCuOWsICK/NRrPlCEdkPJFq2HU11umtZ+U4eCM
+bJcCY2pqIVLxrDgRIMoUeJ7N2XIcfKlP8cHn9eHVWRd+n/v3nlJRvBjlw2d9oTm2
+EB0vfpp01ihr6yvkckLwWHdrRcmiy6OmtTScAEwpMGPmBcFiHIb1nxhPbKqqw9Xb
+t/y8tLRf6HvuhaApJhj3/ZBNLTLRSHk4O4DO4p3GpupPTvfxkx9cg/TxcF0kabPF
++dwu5cbRZpvBmkQ947aul0y+3QRHgIhmyqdZzC2OuL6Sl74zZc3BgsQsBFeIN4gz
+YBsXtzyEVFsmSSj2ci+9JM8HCfeL0Ux7TeyoN5jAW5F7c8BSBBSSafZYUtq3DZHR
+8ILtz5L7cCLkZY3da5a/csVz3zicnrAG8uiU91Jy6hVh+Y83vARz6hp8O/tX4o00
+9ff5zunFUwyN3/krDEoX6dXMcSh8UftjzvFOYCUfF+cDt9eV8Ix0dcfP/cenyv/t
+-----END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/DCCA+SgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
+MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
+IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
+QHN1c2UuZGUwHhcNMTMwNDE4MTQzNDM0WhcNMjMwMjI1MTQzNDM0WjCBqzEyMDAG
+A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
+CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
+TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
+SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
+o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
+HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
+R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
+og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
+q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
+MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
+FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
+bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
+VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
+SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
+ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
+KoZIhvcNAQELBQADggEBAFEYo0sWgMCODHZEHWcoltp5RMcVj2DAYfw2NePbPqxW
+AmIgpMU0yG01JPbwJZu6dcuNeYoytgfDrSRLuloKm0JR8oR3+G7/oxbKQCxtMubB
+Qdflq7PIz73b/JSGiV5Pi77f9oAHijgnKEZrz4obs6sFp2gvuMvJ4w9jteCaofpq
+IDNhu7i2KFx4rC6FYF/p6V9xnVwOnZS1G56cJALfP/7kOD4k3TVSMiE2FCS3wLwR
+RI7VE0I/3oJHsi8CR++CT1BI02PI+EWgRcuW8jOzJ3+tYa77HCKpXNyIi7/L5QAK
+N5ZinPyv68tae+GHkL5U2FxLY365gABSXqXUA9mTquU=
+-----END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE/DCCA+SgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT
+RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES
+MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz
+IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk
+QHN1c2UuZGUwHhcNMTYwMjI0MTUzMDI3WhcNMjYwMTAyMTUzMDI3WjCBqzEyMDAG
+A1UEAwwpU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IFNpZ25rZXkx
+CzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0Ug
+TGludXggUHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqG
+SIb3DQEJARYNYnVpbGRAc3VzZS5kZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBAOVY/g3+3Bsa1JZ2hfU+7Fy28h0CKF0Sjqy8J4m9a8yKFoY6rb4hG9MK
+o4wnCJfPab9flWXRk4PFiouI+0nmLJX74U0sq8nKw3Ijl0UojuthXc6CeZH4hIF5
+HDoVhig3SfkUxdT1zZVF4mcYZ3Pf+UlROJ7JpY4sEhtYMY/DJW5qv2HwrzSw427V
+R1upA18U7ddMF5fKoN8vjKVihUFSNK/Up0tOWalxfcG5s9ugjbJgZULsjfcs2+8t
+og46QBjTaR7CtpmPbsaOJb1Z6BGDXsHV5GmaZG00TS0BwRn8mAQ1ske1eIpcqmBN
+q5Mlh6BVaufBot0nXJp9Vnnuib4napkCAwEAAaOCASwwggEoMAwGA1UdEwEB/wQC
+MAAwHQYDVR0OBBYEFD+wd7bOvG/yUi4cFIxXx3fHiOPnMIHTBgNVHSMEgcswgciA
+FOyrDULEVs93BDa5c5k4YpZehyYvoYGspIGpMIGmMS0wKwYDVQQDDCRTVVNFIExp
+bnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYD
+VQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXggUHJvZHVjdHMgR21i
+SDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJARYNYnVpbGRAc3Vz
+ZS5kZYIBATAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJ
+KoZIhvcNAQELBQADggEBAKMaX+dWtp9Y9SW1XvV3xc/sAURe1uZfEBcd7g+yu9ff
+q/n9pbWW4gz9LtuIudi/CmltNlKHEQnB/RSgAd4VB28g7GeJNKVTn+5z7evgWUOz
+tEB0tHgTfVCx6dYoIsNxT9atIVHREDPXef/s2TARKfpd77BG+X0+ZsvQe8NuooP1
+B+qwl1rXR+cw46Q7dgM5XG418OPZsqHhk/AyC4/slHx65rQ//PBsgSANx8bBUr5Z
+nDzy1X/0aZqB56/e2sscuhjs7IcXNftztewsNB7w4XtmOuVZpj2obAhbWshPaMLY
+4PSS6JTVT/vhDJUJknm4XqbE16d0dSZPn8y1t6Ua0PM=
+-----END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ0MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
+VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
+BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
+UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
+ARYNYnVpbGRAc3VzZS5kZTAeFw0yMDA3MjMxNDA3MThaFw0yNDA3MjIxNDA3MTha
+MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
+U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
+CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
+MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwrRYIcn7XQ2/nQfdCUM7EUzIfYB5Lra03/q9nggEfUke
+N5O9qmA9uFWTvgdq2Nh8hia16TawyHMFyUd/PsdU2/pVydC6+OGDxE1sRJvu0pzP
+3wvr+QQXnDjBYon+AGkuw/K8baUInl/1He2idCIB7pH3tGjj6jcorK70yZHU5Hl1
+UwuQXlfQpG3zEJy1yZ7fg3RxAQ/716BOy1CceK0qCLi/qgR8w5GE92Xg1CHZe62u
+I+9EmhXBbY2UcsfxRGEtdCU55L0R/MtHztfVHZw9Vazw8rCCvBjwPOxxjUx5It5N
+yG0JaYXgAXqRXE88Gwo9VlEWNOKrC0vUUfxA63IZ0wIDAQABo4IBLDCCASgwDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUSrDGl8kQcydsJ97/PCIPsAfh3mEwgdMGA1Ud
+IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
+JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
+REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
+dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
+dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAazJCs7IIjYUma9ZT1NLJZ7QSy/d6oAaW
+E6JI1u3LHancnU3kXH19U7z1mni74OQdlsbIyfddR+AIvIu1RrepQ6BHNVrXO90J
+LxvORpholbgeXk/FdIHWFu6AhL2jg8UM4Jxq/P3FxckGj25LxCPgd5C/L5ITufhf
+1yPQ3CDxqfUiqlfdrQCROJ21sErLoYXoZim5pd1kT5vimyVrdaLM7eTq6G5LbKZ3
+/TqRXPpVzwZGXXeZvM5s55kGKqNTUIZ2Cft5g9CBkRZujJ5gLGToxUHYbb6Fj5UT
+Xr5Yh68j1IgvhQz+abALb/87Z3r2V+BWh1icc0rnCli1ulmZMd0H8A==
+-----END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ+MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
+VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
+BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
+UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
+ARYNYnVpbGRAc3VzZS5kZTAeFw0yMTAzMDgxMDE1MDhaFw0zMDEyMzExMDE1MDha
+MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
+U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
+CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
+MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAtvApQ4qgxDibOpYufFyQG3HDsQvwjPfrQHdYqkcKDZvz
+hKFJSpAu4gulkuKnOeMO1+ecpOC9f0G6mbIwYCsM/GKBCUKRQZPOB5eSeGU+NJaI
+XV6IimhfYi3MXmheVrP64Xd6pvcn/iplk2IPLbbdjIeiSImg1xtfnrcaWa+tzOMu
+MAQfF4wUlVnFF4Pnh0goS2sv2Lj3fVQ4XV7d8bsB9gwdWSQQMwbSb5SXoiLZOIrZ
+iI/n6DD5UL8Yap+2f5sBXA1MtonX91MSUu68Vh7l/9UXEntkx5byOdRAKxndIpnP
+QQazhXtQoFskPtVzKs+8jIemDOosn7cTkBgOEP49iQIDAQABo4IBLDCCASgwDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUWiQESdKf0NinoYfm/A4muV0aqHswgdMGA1Ud
+IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
+JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
+REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
+dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
+dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAqFI4lVQf3heh0TWrZwc0ej30p1EhVJms
+NxCy/mtn6IDkRzmzAe9F/Tx5B6Kytjtj2WvU2mOhjDW61Tdvk2UBqlapTbT0X2oF
+Co4ww8gm2uDyY3nCEM0jdPj8XnA+T+raxwcw6NosK3J6g+bEWjkX0lWryl1jgxuA
+q3zup4t2rl792z+nAUAmCSrsYeQQxnKIeCvZCYMGgixSoYrv2SxD8hTFC8XW606v
+ITVb9fxaYF1cCjCLjhkQpnegViT0mV5QcPW/IIjqKla1N9sH26buFwcJIHXQRB4h
+1boVtIqiQZOe4BjGRTvRILGOa/WXn8UhQvMc39bCr1SxMRvpCV7zKw==
+-----END CERTIFICATE-----

revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt

@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIFBDCCA+ygAwIBAgIJAO2HhbeP/BJ/MA0GCSqGSIb3DQEBCwUAMIGmMS0wKwYD
+VQQDDCRTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNV
+BAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxITAfBgNVBAoMGFNVU0UgTGludXgg
+UHJvZHVjdHMgR21iSDETMBEGA1UECwwKQnVpbGQgVGVhbTEcMBoGCSqGSIb3DQEJ
+ARYNYnVpbGRAc3VzZS5kZTAeFw0yMjA2MDIyMjUyNTBaFw0zMjEyMzAyMjUyNTBa
+MIGrMTIwMAYDVQQDDClTVVNFIExpbnV4IEVudGVycHJpc2UgU2VjdXJlIEJvb3Qg
+U2lnbmtleTELMAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UE
+CgwYU1VTRSBMaW51eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFt
+MRwwGgYJKoZIhvcNAQkBFg1idWlsZEBzdXNlLmRlMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwDNrJ6NGA3ca+mIR0xPimAmBiC0p/LKKFf2nM64gGr2p
+l+VYf4tZONMJpeJSASChD9KEuDFpAfKJm0S+lvmMUEJSxdj6p8ynLtypcE/k9+TP
+5j8STpdA5L+P9RIt0r4USGUNf9WT5CfLmQVx6EWjjnUqP6H7t4gS76NXxI6ODu7G
+ihPiG4acjYxtgAmErXHP42Tk8srzYN+RVddZLnKQWhLWahuomq8320iHm2biZ01B
+coHFZnPO62fw5LHeig94UXixf7NPgwPBr9owuKw4WouDfH4nCY6KEOZG+flF/ME+
+6TuExYRCPwG3wXgOmGHNYyH8vAvR9s99sZFIGXYdrwIDAQABo4IBLDCCASgwDAYD
+VR0TAQH/BAIwADAdBgNVHQ4EFgQUCsYrHz9TQnETJYbinTsQQVkcgkowgdMGA1Ud
+IwSByzCByIAU7KsNQsRWz3cENrlzmThill6HJi+hgaykgakwgaYxLTArBgNVBAMM
+JFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMC
+REUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51eCBQcm9k
+dWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcNAQkBFg1i
+dWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEF
+BQcDAzANBgkqhkiG9w0BAQsFAAOCAQEAgB40iq70uOw6SLvHhZb8NpJuETDdfQzE
+RuEDtd0bHgHfhvjLpzaHP8ZVLHr8lpsyaLwVE4598cmys8Zn1vvkCQOo4LwwVILR
+8Jar2gvgJ2xqTUVU3bYhr+MaGpScbDyK6n2Kb8/vuEpaHHTJWMx5js2jGh1G2+AG
+hohfQX+K5UPUKyBRfiDwcZhq2JpCOq5F/SDbm1kpX5dwzu/Y0yDYfukz4tqvpq+S
+8SW1+fv37Fbch6DjFw51ALUtkfPmNShlgcub3deyD0vZvBWxlJRllBv16c+yLXSx
+1XmOY8MOEntYKKgKb4zpNKAnCwP7yc/R5Chk1tvLgvoymbxAKfkd3Q==
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt

@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
+blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
+bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
+EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNTEwMjhaFw0yMjEyMDcxNTEw
+MjhaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
+CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
+RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
+HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
+RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
+0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
+p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
+EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
+AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
+KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79aHtKXeKGpaGBh6SB
+hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
+AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
+Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
+Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIB
+AK25J4ntAoU8yF37KEUEFnh0WElBVYinTCB3VVNq0nJbcLq2Ak/yPb4/hVJGvUQx
+M2EgafGBfjA6sVvqvZEqbn0bQnSTJqjlwAUpzVB9ll3vanT0SwwmRdbHtFLfkmfc
+6sv7dUsizScXeth2C7vf2rxqJKBIdCs7EkUWibKm34y59wJYqsZT/jLeFraLi/+R
+NWeiWY9AlyXm5QzNqEr3qqhVQohKI0gRUwJS0dx3xSMFd8td+q+22iYuNMx2Dk3A
+D9HenFMZiSw4r+8R5mm8Dn6DJEB7Y5mJhR1zZk7Q3gVhwjeR/sdrIF9K8tSkyIHt
+T4f+qNF1vBfQ9+8zHqQ/X2o2Cky/eyW9rx3V/fYLOXzOdbxIy5nDOd5gbXIDoZNV
+cJn/af+MgMrUI7vqDZ1A1UmwKSAJRZjIJCX+2mjrAtQl9W7h8qZt2Hgq/4zCCNSH
+v4gGoDtYEtcvs1kqS56/XQRyZikDfEUkBE1hXOW4hepuS9Zs6LihGpKSffqQH0Oy
+gvCaWjLNzErjx5Hl9pTvH2qkLLX6P1i/YubW+3E6AuDks9u6eF78GkKb6ALsczQf
+jHf22C1rl9y3Ex+9q3vKzeo9HtIBv/FEyt+GEzdCXdf4Lmjmf1l1uBX6+EJFAVsG
+UPxqiJZLOo8dEbWIDzoxE8vXjZTNFBA9mkYmipdZwGaV
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEjTCCA3WgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
+blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
+bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
+EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzA4MjYxNjE4MzdaFw0yMzA3MDUxNjE4
+MzdaMIGGMSUwIwYDVQQDDBxvcGVuU1VTRSBTZWN1cmUgQm9vdCBTaWdua2V5MQsw
+CQYDVQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMRkwFwYDVQQKDBBvcGVuU1VT
+RSBQcm9qZWN0MSEwHwYJKoZIhvcNAQkBFhJidWlsZEBvcGVuc3VzZS5vcmcwggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLNeCcz9j3S+vjlCzyEXczhpwo
+HRneRWkhXqCUSgu1QS5nAWuRdjqFZipji4cr6JSKEm4lE7AHPygrdiU+KbJVQuc7
+RCQdt5kyy0TStIjLqU+nswa+XKruKwQJquxYY1rIYsfZaEP7vQ6S/0zsAkS8lcmf
+0b4h+PSybVoK1U2YZczBjO/f8p/aRQV2+RrAi9UcBfLAuEqwEt9DytULGEazA77N
+p9cBgPHFyu7ZOh9KM31QAavXOkhuYllzYh447zIx7lgYfVkFivt91A1enUeb2K+2
+EZ885xOE5ADsCpeJIpDzFObfwXUHrSQ42OCP9rnA20XjboFcHinQeK5sp0sfAgMB
+AAGjggEHMIIBAzAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBQDMvqcvw2IvyGSSw3o
+KgmlTV3vyDCBrgYDVR0jBIGmMIGjgBRoQmAN4ixMR36VviPf6pUT5ZcXYqGBh6SB
+hDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYT
+AkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2pl
+Y3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9yZ4IBATAOBgNVHQ8B
+Af8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggEB
+AI3sxNvPFB/+Cjj9GVCvNbaOGFV+5X6Dd7ZMJat0xI93GS+FvUOO1i53iCpnfSld
+gE+2chifX2W3u6RyiJTTfwke4EVU4GWjFy78WwwszCih0byVa/YSQguvPuMjvQY6
+mw+exom0ri68328yWb1oCDaPOhI9Fr51hj50yUWWBbmpu2YPi5blN6CBE+9B2cbp
+HVDPxoUWjYJ9leK951nfSu0E1+cLNYDpZ39h4dBHNvU1a3AueVKIXyEYaiwy0VDS
+8CQJluUCE4eLlt/cbJqMs0/iY7nRnbVOOyZUYTYxq7ACvDrMyStkfdR4KLDzvLWo
+8Gu+1aY2qw6wZ+TKiiRRYjQ=
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAPq+2L9Aml5gMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
+VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
+BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
+SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDEwODE2MjU1NFoXDTI5
+MTExNjE2MjU1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
+Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
+EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMs14JzP2PdL6+OU
+LPIRdzOGnCgdGd5FaSFeoJRKC7VBLmcBa5F2OoVmKmOLhyvolIoSbiUTsAc/KCt2
+JT4pslVC5ztEJB23mTLLRNK0iMupT6ezBr5cqu4rBAmq7FhjWshix9loQ/u9DpL/
+TOwCRLyVyZ/RviH49LJtWgrVTZhlzMGM79/yn9pFBXb5GsCL1RwF8sC4SrAS30PK
+1QsYRrMDvs2n1wGA8cXK7tk6H0ozfVABq9c6SG5iWXNiHjjvMjHuWBh9WQWK+33U
+DV6dR5vYr7YRnzznE4TkAOwKl4kikPMU5t/BdQetJDjY4I/2ucDbReNugVweKdB4
+rmynSx8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFAMy+py/
+DYi/IZJLDegqCaVNXe/IMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
+lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
+MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
+U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAUWNziRn2X/uOcFWaCkKqIVa0xlk8joaztllVkRLoDpv97O6p087k
+OOfqNsv1gUgIHqQvZ9Z2woQcpd2gUa0uj5yqpqSGp0eSEtBOOKApVuybplTDSyC3
+6ENwF5BKMJ8ysURsIx6ZGCq1PbaruA28sG/XFrhxjezLwN9mcmLd6nCd4xmPuH78
+IsHPP6c6VzrFtNN3yP5ZIs9bIzDHTf2qGXvVYhLBrNuTczTwUzeSfKG+qpP/dO1I
+EGtd7tTFPTqNwXkWq3oat9TVYMdPLRWWZ2zzE65k0rdSSJTgc/1Z4WSKb55J6FMP
+8MJRwgi62+9JF6hsBy7WuBE8cWvtIwbyYA==
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAPq+2L9Aml5jMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
+VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
+BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
+SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIwMDgwMzEyMzUzOVoXDTMw
+MDYxMjEyMzUzOVowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
+Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
+EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKVKfWLm7OvwYpDO
+4s0qzbUDWG2GTlxFOkZe4XaFsjxAnmuXZTVm1SJ3N12zSdRH60YMqcns7yuISYQz
+0K79shGDOfktO8iqxSE0JdUvhEFnJUECaXYAq+ioiSwkm7QQWhHAUE3htshJeMt4
+SK4dTGmTQNQBKCZ3xQTTHi1sOl8wYt0QdhkucqvgDUyPaxHrI4LV1OV9R3XjGclG
+ZD6QEkXLhVcir2yLIA9G1qPZDXpNbrdfSx3GDEnSsD+GS0D/k5oe32w1KGMnEM/S
+fYrY1nsP6/k0hVO1KH9WJWV/DUoyO/4U75C6swg7SVTxyigT3s92/UV4N9Es5kZv
+aHhsuncCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFMi9x6wa
+HYWWYhf9k+v8FPSiALgUMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
+lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
+MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
+U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAS1NWAHYBV1uaK7wE6c+Xz8t4c2hgTkFR4E0iVZ+2aTz8OFzztQZq
+CyZ9QYgSpApmvwmgFEQog6UUzw2f19W7qhIskDHfhBmK2uQtazHZ/Pd8oXyHrbgK
+TVh7GDc9OjrZe2wg03Q0N/KVUHD5lKYXY4rfAqKdc1XKfo7t8GIu+TnWDLXWVI40
+oDIXwSmg+JOZFXpf9cxZ2zENZnsaH0KTKNk6bNq8wjum4W54Tgk7UbDE6roJp5C3
+7cUt/j+dL00gyFK66PFR1wXflZFtKixxVbMOLa13ZldsuNs0ye6whPqIKZ9ev4M4
+rjWQD5k14Ui+48/MDJt4Nc2Sm1LYrdXJMw==
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAPq+2L9Aml5kMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
+VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
+BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
+SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIxMDMwMjEzMDE1NFoXDTMx
+MDEwOTEzMDE1NFowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
+Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
+EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPLI9AESuA0aqXLg
+RwX7lU1td6HhC3Oj+kwKJJvF/kwA+1viW/1cC4vS9muigFHe3b4CPwZ9WRxb5Wyi
+3nxP1fjYwFmygBnqWvzMTxGZBFuhcQQpSPDbjWOEiFspVZbvkBF7t0cu1EcpKaHl
++pPqVdWrh11mk7bSjnYGAZ0BFHQ3bnhCuH1+p4PIMLAFZIRQ9suW9t5caOoHK6pi
+fisOYy+WR3a/2AFTCZIdZIueVpvPHhGgjEDoE0wnoAg5lKDn+SAUS7JiWy/hdT2U
+c/OjH1onXi99kTWDOMwQA+g2d7JAPtLuepcKpiUbFaR+7KJYWhkfit6WYz40sC6Q
+PMAHIj8CAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJ3fQ9nx
+oCcnP1LGwHdZCO4BZxMlMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
+lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
+MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
+U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAnjK7rL3T/Fu443EQSB3cV2V84pQcOcQf3dCSx8VT14ZTgkp1RGM4
+qr4V8foA7Fyr9UE+x2zEMzcVy2eZ2aihO/qaQ/JGZi8cp1pjq0nNMUQjgXF0YGyn
+Qanjb/48V5eOF9Z1h/wQ0HISTdkwsvGUS0leHT3LjXWNRL9QBp1Qi5A5IE5t8vpX
+OxAvHNTsKsx6x2p8R3yVLX7rY84xvBJCqHDY9tYDQ2VbVX7CEw5x9FffobYpY/s1
+lCV/fhOThm/q/p9Pr3hydxKP4PoxxwBtII/p0zJTMWEEfOsK/zAS3v8Ltlz83gTk
+WX+2oXpj/WRFsYWIEXTPwEm4MwYWxw5rMw==
+-----END CERTIFICATE-----

revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElTCCA32gAwIBAgIJAPq+2L9Aml5lMA0GCSqGSIb3DQEBCwUAMIGBMSAwHgYD
+VQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UEBhMCREUxEjAQBgNV
+BAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJvamVjdDEhMB8GCSqG
+SIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMB4XDTIyMDYxMzEzMjIxNloXDTMy
+MDQyMTEzMjIxNlowgYYxJTAjBgNVBAMMHG9wZW5TVVNFIFNlY3VyZSBCb290IFNp
+Z25rZXkxCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoM
+EG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNl
+Lm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALIpQH6tn3NeRGrk
+VgrzbnoFSWg/sk8TQYI93YDE8csRBkj9pZAZDpF92m6Y7pfhQ5C8eOUwwBmRxj/c
+KeCvo9hBhN39kBnP0U0fH5eE5WSBk2+H2DT5TeGKh35pxqPUXGyz5wFtIdVGlDeS
+O+XvFb82Se2MSJhnBO0AHMP0jdqm8M6VOwOVeYb99YTJcCRpglmMhlkqytCghmAL
+Xdn8AcI5cwuInkeDGynsjYJmgaAOWh6Vl2D1HvCzJ2bVEw8x346bt0AKzS8iMYpJ
+5TDLWfV565L6LTVqni1IPGfppDtOd9L7oc//SufGMWppYT8FBDjDquNSnXh80QE+
+vWHVF+cCAwEAAaOCAQcwggEDMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFP2fLBLl
+mdZ8x/kGdUGt9Ca3EkaeMIGuBgNVHSMEgaYwgaOAFGhCYA3iLExHfpW+I9/qlRPl
+lxdioYGHpIGEMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTEL
+MAkGA1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNV
+U0UgUHJvamVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnggEB
+MA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0B
+AQsFAAOCAQEAW5MXYWfpK0ryVDBdXGPLWpORgKh6JT4nS7vU5BW5fX1DIc0fhE9q
+PmxwMX74OjXZ3520NfV1jrAg/dmyzUGu4pyvmTfRbwXweDnG1t3zb0PU1ntfzRht
+wnfQGm10eICZNKTwxp9D9ca6jIP0pQJXilRSBSqZpw0pNBPeX5FB87DBJnDkpsxV
+7FrzR+XjIZwFfBGNecyQdCBiCXtGUU7eDTKqtITL0WzwJ18heFKslwtcoESi6xSS
+jsVDsk0gyLxbGlAJy0VeEb1YhlJVbvZiCcEYq5W+U+S31807U+sz1nB+zAyc7JER
+JgSHwPK02VwNlY+9558V95Lkp+GZRSNJEA==
+-----END CERTIFICATE-----

shim-16.1.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:46319cd228d8f2c06c744241c0f342412329a7c630436fce7f82cf6936b1d603
+size 2348998

shim-arch-independent-names.patch

@@ -0,0 +1,61 @@
+From 71ca8f761fb5434ef65895345d96ccf063da7d66 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Tue, 22 Aug 2017 12:43:36 +0800
+Subject: [PATCH] Make the names of EFI binaries arch-independent
+
+Since we only build the 64-bit binaries, we don't have the issue of the
+mixed architecture binaries in the same directory. Besides, we will use
+the same install script for x86_64 and AArch64. It's easier to maintain
+the script with the same names.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ fallback.c | 2 +-
+ shim.c     | 2 +-
+ shim.h     | 4 ++--
+ 3 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/fallback.c b/fallback.c
+index fc81c5e4..44b2d464 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -1058,7 +1058,7 @@ debug_hook(void)
+ 
+ 	x = 1;
+ 	console_print(L"add-symbol-file "DEBUGDIR
+-		      L"fb" EFI_ARCH L".efi.debug %p -s .data %p\n",
++		      L"fallback.efi.debug %p -s .data %p\n",
+ 		      &_etext, &_edata);
+ }
+ 
+diff --git a/shim.c b/shim.c
+index 765c9254..6751a2bc 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1811,7 +1811,7 @@ debug_hook(void)
+ 	FreePool(data);
+ 
+ 	console_print(L"add-symbol-file "DEBUGDIR
+-		      L"shim" EFI_ARCH L".efi.debug 0x%08x -s .data 0x%08x\n",
++		      L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
+ 		      &_text, &_data);
+ 
+ 	console_print(L"Pausing for debugger attachment.\n");
+diff --git a/shim.h b/shim.h
+index 0a6c8cfa..b9c3c4d8 100644
+--- a/shim.h
++++ b/shim.h
+@@ -105,8 +105,8 @@
+ #define DEBUGSRC L"/usr/src/debug/shim-" VERSIONSTR "." EFI_ARCH
+ #endif
+ 
+-#define FALLBACK L"\\fb" EFI_ARCH L".efi"
+-#define MOK_MANAGER L"\\mm" EFI_ARCH L".efi"
++#define FALLBACK L"\\fallback.efi"
++#define MOK_MANAGER L"\\MokManager.efi"
+ 
+ #if defined(VENDOR_DB_FILE)
+ # define vendor_authorized vendor_db
+-- 
+2.29.2
+

shim-change-debug-file-path.patch

@@ -0,0 +1,54 @@
+From ac7e88b1f2219ec2b09c9596e6f7d5911e5f6ffd Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 4 Jan 2018 12:28:37 +0800
+Subject: [PATCH] Use our own debug path
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ Make.defaults | 2 +-
+ fallback.c    | 2 +-
+ shim.c        | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/Make.defaults b/Make.defaults
+index bef3cb51..d88367e3 100644
+--- a/Make.defaults
++++ b/Make.defaults
+@@ -167,7 +167,7 @@ BOOTEFINAME	?= BOOT$(ARCH_SUFFIX_UPPER).EFI
+ BOOTCSVNAME	?= BOOT$(ARCH_SUFFIX_UPPER).CSV
+ 
+ DEFINES		+= -DEFI_ARCH='L"$(ARCH_SUFFIX)"' \
+-		   -DDEBUGDIR='L"/usr/lib/debug/usr/share/shim/$(ARCH_SUFFIX)-$(VERSION)$(DASHRELEASE)/"'
++		   -DDEBUGDIR=L\"/usr/lib/debug/usr/share/efi/"$(ARCH)/"\"
+ 
+ ifneq ($(origin VENDOR_DB_FILE), undefined)
+ DEFINES		+= -DVENDOR_DB_FILE=\"$(VENDOR_DB_FILE)\"
+diff --git a/fallback.c b/fallback.c
+index 44b2d464..8e0de901 100644
+--- a/fallback.c
++++ b/fallback.c
+@@ -1058,7 +1058,7 @@ debug_hook(void)
+ 
+ 	x = 1;
+ 	console_print(L"add-symbol-file "DEBUGDIR
+-		      L"fallback.efi.debug %p -s .data %p\n",
++		      L"fallback.debug %p -s .data %p\n",
+ 		      &_etext, &_edata);
+ }
+ 
+diff --git a/shim.c b/shim.c
+index 1d539855..f8d2ba5f 100644
+--- a/shim.c
++++ b/shim.c
+@@ -1818,7 +1818,7 @@ debug_hook(void)
+ 	FreePool(data);
+ 
+ 	console_print(L"add-symbol-file "DEBUGDIR
+-		      L"shim.efi.debug 0x%08x -s .data 0x%08x\n",
++		      L"shim.debug 0x%08x -s .data 0x%08x\n",
+ 		      &_text, &_data);
+ 
+ 	console_print(L"Pausing for debugger attachment.\n");
+-- 
+2.29.2
+

shim-disable-export-vendor-dbx.patch

@@ -0,0 +1,36 @@
+From 41da21f1f9d4af213f9f235a864772b99ce85fc7 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 18 Jun 2021 17:54:46 +0800
+Subject: [PATCH] Disable exporting vendor-dbx to MokListXRT
+
+As the vendor-dbx grows, it caused some problems when writing such
+a large variable. Some firmwares lie the avaiable space(*1) , and
+some even crash(*2) for no good reason after the writing of
+MokListXRT. Both shim and kernel don't rely on MokListXRT to block
+anything, so we just stop exporting vendor-dbx to MokListXRT to
+avoid the potential hassles.
+
+(*1) https://bugzilla.suse.com/show_bug.cgi?id=1185261
+(*2) https://github.com/rhboot/shim/pull/369#issuecomment-855275115
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ mok.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/mok.c b/mok.c
+index beac0ff6..a687a92b 100644
+--- a/mok.c
++++ b/mok.c
+@@ -194,8 +194,6 @@ struct mok_state_variable mok_state_variables[] = {
+ 		     EFI_VARIABLE_NON_VOLATILE,
+ 	 .no_attr = EFI_VARIABLE_RUNTIME_ACCESS,
+ 	 .categorize_addend = categorize_deauthorized,
+-	 .addend = &vendor_deauthorized,
+-	 .addend_size = &vendor_deauthorized_size,
+ 	 .flags = MOK_MIRROR_KEYDB |
+ 		  MOK_MIRROR_DELETE_FIRST |
+ 		  MOK_VARIABLE_LOG,
+-- 
+2.31.1
+

shim-install

@@ -71,12 +71,9 @@ fi
 efi_distributor="$bootloader_id"
 bootloader_id="${bootloader_id}-secureboot"
 
-# bsc#1254336 The sl is for SL Micro. It can be removed afrer SL Micro is EoL
 case "$bootloader_id" in
     "sle"*)
         ca_string='SUSE Linux Enterprise Secure Boot CA1';;
-    "sl"*)
-        ca_string='SUSE Linux Enterprise Secure Boot CA1';;
     "opensuse"*)
         ca_string='openSUSE Secure Boot CA1';;
     *) ca_string="";;

shim.spec

@@ -14,19 +14,36 @@
 
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #
+# needssslcertforbuild
+
 
 %undefine _debuginfo_subpackages
 %undefine _build_create_debug
 %undefine _enable_debug_packages
-# Move 'efi'-executables to '/usr/share/efi' (FATE#326960, bsc#1166523)
+%ifarch aarch64
+%define grubplatform arm64-efi
+%else
+%define grubplatform %{_target_cpu}-efi
+%endif
+%if %{defined sle_version} && 0%{?sle_version} <= 150000
+%define sysefidir      /usr/lib64/efi
+%else
 %define sysefibasedir  %{_datadir}/efi
 %define sysefidir      %{sysefibasedir}/%{_target_cpu}
-%if 0%{?suse_version} < 1600
-%ifarch x86_64
+%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
 # provide compatibility sym-link for residual kiwi, etc.
 %define shim_lib64_share_compat 1
 %endif
 %endif
+# Set gcc version, the minimum version is gcc-13
+%if %gcc_version < 13
+%define gcc_version 13
+%endif
+%global cc_compiler /usr/bin/gcc-%{gcc_version}
+
+%if 0%{?suse_version} >= 1600
+%define shim_use_fde_tpm_helper 1
+%endif
 
 Name:           shim
 Version:        16.1
@@ -35,13 +52,18 @@ Summary:        UEFI shim loader
 License:        BSD-2-Clause
 Group:          System/Boot
 URL:            https://github.com/rhboot/shim
-Source:		shim-16.1-150300.4.31.1.x86_64.rpm
-Source1:	shim-debuginfo-16.1-150300.4.31.1.x86_64.rpm
-Source2:	shim-debugsource-16.1-150300.4.31.1.x86_64.rpm
-Source3:	shim-16.1-150300.4.31.1.aarch64.rpm
-Source4:	shim-debuginfo-16.1-150300.4.31.1.aarch64.rpm
-Source5:	shim-debugsource-16.1-150300.4.31.1.aarch64.rpm
-Source6:        shim-install
+Source:         %{name}-%{version}.tar.bz2
+# run "extract_signature.sh shim.efi" where shim.efi is the binary
+# with the signature from the UEFI signing service.
+# Note: For signature requesting, check SIGNATURE_UPDATE.txt
+Source1:	shim-install
+Source2:	extract_signature.sh
+Source3:	attach_signature.sh
+Source4:	show_hash.sh
+Source5:	show_signatures.sh
+Source6:	timestamp.pl
+Source7:	strip_signature.sh
+Source8:	generate-vendor-dbx.sh
 # Certificates Used to Verify the Shim (DER format)
 # SUSE CA is also built-in to the shim via VENDOR_CERT_FILE
 # openSUSE Secure Boot CA, 2013-2035
@@ -52,19 +74,62 @@ Source12:	SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt
 Source13:	Microsoft_Corporation_UEFI_CA_2011.crt
 # Microsoft UEFI CA 2023, 2023-2038
 Source14:	Microsoft_UEFI_CA_2023.crt
-#BuildRequires:	shim-susesigned
-BuildRequires:  fde-tpm-helper-rpm-macros
-BuildRequires:  update-bootloader-rpm-macros
+# Microsoft-signed shim
+Source30:	shim-opensuse.x86.efi
+Source31:	shim-opensuse.aarch64.efi
+Source32:	shim-sles.x86.efi
+Source33:	shim-sles.aarch64.efi
+# revoked certificates for dbx
+Source50:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt
+Source51:       revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt
+Source52:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-01.crt
+Source53:       revoked-openSUSE-UEFI-SIGN-Certificate-2020-07.crt
+Source54:       revoked-openSUSE-UEFI-SIGN-Certificate-2021-05.crt
+Source55:       revoked-openSUSE-UEFI-SIGN-Certificate-2022-06.crt
+Source56:       revoked-SLES-UEFI-SIGN-Certificate-2013-01.crt
+Source57:       revoked-SLES-UEFI-SIGN-Certificate-2013-04.crt
+Source58:       revoked-SLES-UEFI-SIGN-Certificate-2016-02.crt
+Source59:       revoked-SLES-UEFI-SIGN-Certificate-2020-07.crt
+Source60:       revoked-SLES-UEFI-SIGN-Certificate-2021-05.crt
+Source61:       revoked-SLES-UEFI-SIGN-Certificate-2022-05.crt
+###
+Source99:       SIGNATURE_UPDATE.txt
+# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
+Patch1:         shim-arch-independent-names.patch
+# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
+Patch2:         shim-change-debug-file-path.patch
+# PATCH-FIX-SUSE remove_build_id.patch -- Remove the build ID to make the binary reproducible when building with AArch64 container
+Patch3:         remove_build_id.patch
+# PATCH-FIX-SUSE shim-disable-export-vendor-dbx.patch bsc#1185261 glin@suse.com -- Disable exporting vendor-dbx to MokListXRT
+Patch4:         shim-disable-export-vendor-dbx.patch
+BuildRequires:  gcc%{gcc_version}
+BuildRequires:  dos2unix
+BuildRequires:  efitools
+BuildRequires:  mozilla-nss-tools
 BuildRequires:  openssl >= 0.9.8
+BuildRequires:  pesign
+BuildRequires:  pesign-obs-integration
 # we need xxd in global macro in shim.spec
 BuildRequires:  vim
+%if 0%{?shim_use_fde_tpm_helper:1}
+BuildRequires:  fde-tpm-helper-rpm-macros
+%endif
+%if 0%{?suse_version} > 1320
+BuildRequires:  update-bootloader-rpm-macros
+%endif
+%if 0%{?update_bootloader_requires:1}
+%update_bootloader_requires
+%else
 Requires:       perl-Bootloader
-BuildRoot:      %{_tmppath}/%{name}-%{version}-build
-# For shim-install script
-Requires:       grub2-efi
+%endif
 %if 0%{?fde_tpm_update_requires:1}
 %fde_tpm_update_requires
 %endif
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+# For shim-install script grub is needed but we also want to use
+# shim for systemd-boot where shim-install is not actually used.
+# Requires:       grub2-%{grubplatform}
+Requires:       mokutil
 ExclusiveArch:  x86_64 aarch64
 
 # subject hash of openSUSE/SLE/devel certificates for identifying devel project
@@ -83,54 +148,215 @@ ExclusiveArch:  x86_64 aarch64
 shim is a trivial EFI application that, when run, attempts to open and
 execute another application.
 
-%package debuginfo
+%if 0%{?shim_nx:1}
+%package -n shim-nx
+Summary:        UEFI shim loader - supports non-executable
+Group:          System/Boot
+Requires:	shim = %{version}
+
+%description -n shim-nx
+shim with NX_COMPAT field (aka. NxCompatible field in DllCharacteristics)
+for supporting non-executable
+%endif	# 0%{?shim_nx:1}
+
+%package -n shim-debuginfo
 Summary:        UEFI shim loader - debug symbols
 Group:          Development/Debug
 
-%description debuginfo
+%description -n shim-debuginfo
 The debug symbols of UEFI shim loader
 
-%package debugsource
+%package -n shim-debugsource
 Summary:        UEFI shim loader - debug source
 Group:          Development/Debug
 
-%description debugsource
+%description -n shim-debugsource
 The source code of UEFI shim loader
 
 %prep
-%ifarch x86_64
-rpm2cpio %{SOURCE0} | cpio --extract --unconditional --preserve-modification-time --make-directories
-rpm2cpio %{SOURCE1} | cpio --extract --unconditional --preserve-modification-time --make-directories
-rpm2cpio %{SOURCE2} | cpio --extract --unconditional --preserve-modification-time --make-directories
-%endif
-%ifarch aarch64
-rpm2cpio %{SOURCE3} | cpio --extract --unconditional --preserve-modification-time --make-directories
-rpm2cpio %{SOURCE4} | cpio --extract --unconditional --preserve-modification-time --make-directories
-rpm2cpio %{SOURCE5} | cpio --extract --unconditional --preserve-modification-time --make-directories
-%endif
+%autosetup -p1
 
 %build
+# generate the vendor SBAT metadata
+%if 0%{?is_opensuse} == 1 || 0%{?sle_version} == 0
+distro_id="opensuse"
+distro_name="The openSUSE project"
+%else
+distro_id="sle"
+distro_name="SUSE Linux Enterprise"
+%endif
+distro_sbat=1
+sbat="shim.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security@suse.de"
+echo "${sbat}" > data/sbat.vendor.csv
+
+# generate dbx files based on revoked certs
+bash %{_sourcedir}/generate-vendor-dbx.sh %{_sourcedir}/revoked-*.crt
+ls -al *.esl
+
+# first, build MokManager and fallback as they don't depend on a
+# specific certificate
+make CC=%{cc_compiler} RELEASE=0 \
+     MMSTEM=MokManager FBSTEM=fallback \
+     POST_PROCESS_PE_FLAGS=-n \
+     MokManager.efi.debug fallback.efi.debug \
+     MokManager.efi fallback.efi
+# make sure all object files gets rebuilt
+rm -f *.o
+
+# now build variants of shim that embed different certificates
+default=''
+suffixes=(opensuse sles)
+# check whether the project cert is a known one. If it is we build
+# just one shim that embeds this specific cert. If it's a devel
+# project we build all variants to simplify testing.
+if test -e %{_sourcedir}/_projectcert.crt ; then
+    prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash)
+    prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash)
+    opensusesubject=$(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash)
+    slessubject=$(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash)
+    if test "$prjissuer" = "$opensusesubject" ; then
+	suffixes=(opensuse)
+    elif test "$prjissuer" = "$slessubject" ; then
+	suffixes=(sles)
+    elif test "$prjsubject" = "$prjissuer" ; then
+	suffixes=(devel opensuse sles)
+    fi
+fi
+
+for suffix in "${suffixes[@]}"; do
+    if test "$suffix" = "opensuse"; then
+	cert=%{SOURCE11}
+	cp $cert shim-$suffix.der
+	verify='openSUSE Secure Boot CA1'
+	vendor_dbx='vendor-dbx-opensuse.esl'
+%ifarch x86_64
+	ms_shim=%{SOURCE30}
+%else
+	# opensuse aarch64
+	ms_shim=%{SOURCE31}
+%endif
+    elif test "$suffix" = "sles"; then
+	cert=%{SOURCE12}
+	cp $cert shim-$suffix.der
+	verify='SUSE Linux Enterprise Secure Boot CA1'
+	vendor_dbx='vendor-dbx-sles.esl'
+%ifarch x86_64
+	ms_shim=%{SOURCE32}
+%else
+	# sles aarch64
+	ms_shim=%{SOURCE33}
+%endif
+    elif test "$suffix" = "devel"; then
+	cert=%{_sourcedir}/_projectcert.crt
+	verify=`openssl x509 -in "$cert" -noout -email`
+	vendor_dbx='vendor-dbx.esl'
+	ms_shim=''
+	test -e "$cert" || continue
+	openssl x509 -in $cert -inform PEM -outform DER -out shim-$suffix.der
+    else
+	echo "invalid suffix"
+	false
+    fi
+
+    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim \
+         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
+         DEFAULT_LOADER="\\\\\\\\grub.efi" \
+         VENDOR_DBX_FILE=$vendor_dbx \
+         shim.efi.debug shim.efi
+    #
+    # assert correct certificate embedded
+    grep -q "$verify" shim.efi
+    # Use ms-signed shim when the version equals with the version of newly built shim
+    # Version mismatch indicates development of a new shim.
+    if test -n "$ms_shim"; then
+	ms_version=$(strings "$ms_shim" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
+	dev_version=$(strings shim.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//')
+	if [ "$ms_version" = "$dev_version" ]; then
+		cp $ms_shim shim-$suffix.efi
+	else
+		cp shim.efi shim-$suffix.efi
+	fi
+	rm shim.efi
+    else
+	# devel shim
+	mv shim.efi shim-$suffix.efi
+    fi
+    # FIX: using debug info from devel shim doesn't match with ms-signed shim
+    mv shim.efi.debug shim-$suffix.debug
+    # remove the build cert if exists
+    rm -f shim_cert.h shim.cer shim.crt
+    # make sure all object files gets rebuilt
+    rm -f *.o
+
+%if 0%{?shim_nx:1}
+    # building shim.nx.efi
+    make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \
+         VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \
+         DEFAULT_LOADER="\\\\\\\\grub.efi" \
+         VENDOR_DBX_FILE=$vendor_dbx \
+	 POST_PROCESS_PE_FLAGS=-n \
+         shim.nx.efi.debug shim.nx.efi
+    #
+    # assert correct certificate embedded
+    grep -q "$verify" shim.nx.efi
+    mv shim.nx.efi shim-$suffix.nx.efi
+    mv shim.nx.efi.debug shim-$suffix.nx.debug
+    # remove the build cert if exists
+    rm -f shim_cert.h shim.cer shim.crt
+    # make sure all object files gets rebuilt
+    rm -f *.o
+%endif  # 0%{?shim_nx:1}
+done
+
+ln -s shim-${suffixes[0]}.efi shim.efi
+mv shim-${suffixes[0]}.debug shim.debug
+%if 0%{?shim_nx:1}
+ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi
+mv shim-${suffixes[0]}.nx.debug shim.nx.debug
+%endif  # 0%{?shim_nx:1}
+
+# Collect the source for debugsource
+mkdir ../source
+find . \( -name "*.c" -o -name "*.h" \) -type f -exec cp --parents -a {} ../source/ \;
+mv ../source .
 
 %install
-# purely repackaged
-cp -a etc usr %{buildroot}
-
+export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi'
+install -d %{buildroot}/%{sysefidir}
+cp -a shim*.efi %{buildroot}/%{sysefidir}
+install -m 444 shim-*.der %{buildroot}/%{sysefidir}
+install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi
+install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi
+install -d %{buildroot}/%{_sbindir}
+install -m 755 %{SOURCE1} %{buildroot}/%{_sbindir}/
+# install SUSE certificate
+install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
+for file in shim-*.der; do
+    filename=$(echo "$file" | cut -f 1 -d '.')
+    fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in $file | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
+    install -m 644 $file %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-${filename}.crt
+done
 %if %{defined shim_lib64_share_compat}
-echo old
-%else
-rm -rf %{buildroot}/usr/lib64/efi
+    [ "%{sysefidir}" != "/usr/lib64/efi" ] || exit 1
+    # provide compatibility sym-link for residual "consumers"
+    install -d %{buildroot}/usr/lib64/efi
+    ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/
 %endif
 
-# also copy over the susesigned shim
-# we did this to shortcut some cert work in 15-sp2, we currently do not need it
-#install -m 444 %{sysefidir}/shim-susesigned.* %{buildroot}/%{sysefidir}
+# install the debug symbols
+install -d %{buildroot}/usr/lib/debug/%{sysefidir}
+install -m 644 shim.debug %{buildroot}/usr/lib/debug/%{sysefidir}
+install -m 644 MokManager.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/MokManager.debug
+install -m 644 fallback.efi.debug %{buildroot}/usr/lib/debug/%{sysefidir}/fallback.debug
 
-# Install the updated shim-install
-install -m 755 %{SOURCE6} %{buildroot}/%{_sbindir}
+# install the debug source
+install -d %{buildroot}/usr/src/debug/%{name}-%{version}
+cp -r source/* %{buildroot}/usr/src/debug/%{name}-%{version}
 
-# This pretrans Lua script is directly copied from openSUSE:Factory/shim/shim.spec
-# Please remember to sync this script if it be modified
-%pretrans -n shim -p <lua>
+%clean
+%{?buildroot:%__rm -rf "%{buildroot}"}
+
+%pretrans -p <lua>
 -- Using Lua
 print("INFO: Current Lua Version: " .. tostring(_VERSION))
 
@@ -169,8 +395,10 @@ local TARGET_CERT_HEXES = {
     -- Certificate #3, openSUSE Secure Boot CA 2013
     "%{opensuse_ca_hex}",
 %endif
-    -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013
+%if "%{prjissuer_hash}" == "%{slessubject_hash}"
+    -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013
     "%{sles_ca_hex}",
+%endif
 %if "%{prjissuer_hash}" == "%{prjsubjec_hash}"
     -- We put all keys for testing on devel/staging project
     -- Certificate #3, openSUSE Secure Boot CA 2013
@@ -317,22 +545,49 @@ end
 %fde_tpm_update_post shim
 %endif
 
-%if 0%{?update_bootloader_check_type_reinit_post:1} 
+%if 0%{?update_bootloader_check_type_reinit_post:1}
 %update_bootloader_check_type_reinit_post grub2-efi
 %else
 /sbin/update-bootloader --reinit || true
 %endif
 
+# copy from kernel-scriptlets/cert-script
+is_efi () {
+    local msg rc=0
+# The below statement fails if mokutil isn't installed or UEFI is unsupported.
+# It doesn't fail if UEFI is available but secure boot is off.
+    msg="$(mokutil --sb-state 2>&1)" || rc=$?
+    return $rc
+}
+# run mokutil for setting sbat policy to latest mode
+EFIVARFS=/sys/firmware/efi/efivars
+SBAT_POLICY="$EFIVARFS/SbatPolicy-605dab50-e046-4300-abb6-3dd810dd8b23"
+if is_efi; then
+        if [ -w $EFIVARFS ] && \
+           [ ! -f "$SBAT_POLICY" ] && \
+           mokutil -h | grep -q "set-sbat-policy"; \
+        then
+        # Only apply CA check on the kernel package certs (bsc#1173115)
+                mokutil --set-sbat-policy latest
+        fi
+fi
+
+%if %{defined update_bootloader_posttrans}
 %posttrans
 %{?update_bootloader_posttrans}
 %{?fde_tpm_update_posttrans}
+%endif
 
 %files
 %defattr(-,root,root)
+%doc COPYRIGHT
 %dir %{?sysefibasedir}
 %dir %{sysefidir}
 %{sysefidir}/shim.efi
 %{sysefidir}/shim-*.efi
+%if 0%{?shim_nx:1}
+%exclude %{sysefidir}/shim-*.nx.efi
+%endif  # 0%{?shim_nx:1}
 %{sysefidir}/shim-*.der
 %{sysefidir}/MokManager.efi
 %{sysefidir}/fallback.efi
@@ -345,13 +600,23 @@ end
 %dir /usr/lib64/efi
 /usr/lib64/efi/*.efi
 %endif
-/usr/share/doc/packages/shim
 
-%files debuginfo
-/usr/lib/debug/%{sysefidir}/*.debug
+%if 0%{?shim_nx:1}
+%files -n shim-nx
+%defattr(-,root,root)
+%{sysefidir}/shim.nx.efi
+%{sysefidir}/shim-*.nx.efi 
+%endif  # 0%{?shim_nx:1}
 
-%files debugsource
-%dir /usr/src/debug/shim-*
-/usr/src/debug/shim-*/*
+%files -n shim-debuginfo
+%defattr(-,root,root,-)
+/usr/lib/debug%{sysefidir}/shim.debug
+/usr/lib/debug%{sysefidir}/MokManager.debug
+/usr/lib/debug%{sysefidir}/fallback.debug
+
+%files -n shim-debugsource
+%defattr(-,root,root,-)
+%dir /usr/src/debug/%{name}-%{version}
+/usr/src/debug/%{name}-%{version}/*
 
 %changelog

show_hash.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# show hash of PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 file.efi"
+	exit 1
+fi
+
+pesign -h -P -i "$infile"

show_signatures.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# show signatures on a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 file.efi"
+	exit 1
+fi
+
+pesign -S -i "$infile"

strip_signature.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+# strip the signature from a PE binary
+set -e
+
+infile="$1"
+if [ -z "$infile" -o ! -e "$infile" ]; then
+	echo "USAGE: $0 file.efi"
+	exit 1
+fi
+
+outfile="${infile%.efi}-unsigned.efi"
+
+pesign -r -i "$infile" -o "$outfile"

timestamp.pl

@@ -0,0 +1,146 @@
+#!/usr/bin/perl -w
+# Copyright (c) 2012-2021 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+
+=head1 timestamp.pl
+
+timestamp.pl - show or set pe timestamp in file
+
+=head1 SYNOPSIS
+
+timestamp.pl [OPTIONS] FILE...
+
+=head1 OPTIONS
+
+=over 4
+
+=item B<--set-form-file=FILE>
+
+parse timestamp, checksum, and linker version from file
+
+=item B<--help, -h>
+
+print help
+
+=back
+
+=head1 DESCRIPTION
+
+lorem ipsum ...
+
+=cut
+
+use strict;
+use Getopt::Long;
+Getopt::Long::Configure("no_ignore_case");
+use POSIX qw/strftime/;
+
+my %options;
+
+sub usage($) {
+	my $r = shift;
+	eval "use Pod::Usage; pod2usage($r);";
+	if ($@) {
+		die "cannot display help, install perl(Pod::Usage)\n";
+	}
+}
+
+GetOptions(
+	\%options,
+	"set-from-file=s",
+	"verbose|v",
+	"help|h",
+) or usage(1);
+
+usage(1) unless @ARGV;
+usage(0) if ($options{'help'});
+
+my $set_timestamp;
+my $set_checksum;
+my $set_linker;
+
+if ($options{'set-from-file'}) {
+	die "$options{'set-from-file'}: $!\n" unless open(my $fh, '<', $options{'set-from-file'});
+	while (<$fh>) {
+		chomp;
+		if (/^timestamp: ([0-9a-f]+)/) {
+			$set_timestamp = pack('L', hex($1));
+			next;
+		} elsif (/^linker: ([0-9a-f]+)/) {
+			$set_linker = pack('S', hex($1));
+			next;
+		} elsif (/^checksum: ([0-9a-f]+)/) {
+			$set_checksum = pack('L', hex($1));
+			next;
+		}
+		last if $set_timestamp && $set_checksum && $set_linker;
+	}
+	close($fh);
+	die "file didn't contain timestamp, checksum, or linker\n" unless $set_timestamp && $set_checksum && $set_linker;
+}
+
+sub do_show($)
+{
+	my $file = shift;
+	die "$file: $!\n" unless open(my $fh, '<', $file);
+	die "seek $file: $!\n" unless seek($fh, 136, 0);
+	my $value;
+	die "read $file: $!\n" unless read($fh, $value, 4);
+
+	my $timestamp = unpack('L', $value);
+	print strftime("# %Y-%m-%d %H:%M:%S\n", gmtime($timestamp));
+	printf ("timestamp: %x\n", $timestamp);
+
+	die "seek $file: $!\n" unless seek($fh, 154, 0);
+	die "read $file: $!\n" unless read($fh, $value, 2);
+
+	printf ("linker: %x\n", unpack('S', $value));
+
+	die "seek $file: $!\n" unless seek($fh, 216, 0);
+	die "read $file: $!\n" unless read($fh, $value, 4);
+
+	printf ("checksum: %x\n", unpack('L', $value));
+
+	close($fh);
+}
+
+sub do_set($)
+{
+	my $file = shift;
+	die "$file: $!\n" unless open(my $fh, '+<', $file);
+	die "seek $file: $!\n" unless seek($fh, 136, 0);
+	die "write $file: $!\n" unless print $fh $set_timestamp;
+
+	die "seek $file: $!\n" unless seek($fh, 154, 0);
+	die "write $file: $!\n" unless print $fh $set_linker;
+
+	die "seek $file: $!\n" unless seek($fh, 216, 0);
+	die "write $file: $!\n" unless print $fh $set_checksum;
+	close($fh);
+}
+
+for my $file (@ARGV) {
+	if ($options{'set-from-file'}) {
+		do_set($file);
+	} else {
+		do_show($file);
+	}
+
+}