79c0b9a33d
- fix shell syntax error OBS-URL: https://build.opensuse.org/request/show/195685 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=34
179 lines
6.6 KiB
RPMSpec
179 lines
6.6 KiB
RPMSpec
#
|
|
# spec file for package shim
|
|
#
|
|
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
|
#
|
|
# All modifications and additions to the file contributed by third parties
|
|
# remain the property of their copyright owners, unless otherwise agreed
|
|
# upon. The license for this file, and modifications and additions to the
|
|
# file, is the same license as for the pristine package itself (unless the
|
|
# license for the pristine package is not an Open Source License, in which
|
|
# case the license is the MIT License). An "Open Source License" is a
|
|
# license that conforms to the Open Source Definition (Version 1.9)
|
|
# published by the Open Source Initiative.
|
|
|
|
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
|
#
|
|
|
|
|
|
# needssslcertforbuild
|
|
|
|
Name: shim
|
|
Version: 0.4
|
|
Release: 0
|
|
Summary: UEFI shim loader
|
|
License: BSD-2-Clause
|
|
Group: System/Boot
|
|
Url: https://github.com/mjg59/shim
|
|
Source: %{name}-%{version}.tar.bz2
|
|
# run "extract_signature.sh shim.efi" where shim.efi is the binary
|
|
# with the signature from the UEFI signing service.
|
|
Source1: microsoft.asc
|
|
Source2: openSUSE-UEFI-CA-Certificate.crt
|
|
Source3: shim-install
|
|
Source4: SLES-UEFI-CA-Certificate.crt
|
|
Source5: extract_signature.sh
|
|
Source6: attach_signature.sh
|
|
Source7: show_hash.sh
|
|
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
|
Patch0: shim-suse-build.patch
|
|
# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert.
|
|
Patch1: shim-fix-pointer-casting.patch
|
|
# PATCH-FIX-UPSTREAM shim-merge-lf-loader-code.patch glin@suse.com -- Merge the Linux Foundation loader UI code
|
|
Patch2: shim-merge-lf-loader-code.patch
|
|
# PATCH-FIX-UPSTREAM shim-fix-simple-file-selector.patch glin@suse.com -- Fix the buffer allocation in the simple file selector
|
|
Patch3: shim-fix-simple-file-selector.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokmanager-support-crypt-hash-method.patch glin@suse.com -- Support the password hashes from /etc/shadow
|
|
Patch4: shim-mokmanager-support-crypt-hash-method.patch
|
|
# PATCH-FIX-UPSTREAM shim-bnc804631-fix-broken-bootpath.patch bnc#804631 glin@suse.com -- Fix the broken bootpath generated in generate_path()
|
|
Patch5: shim-bnc804631-fix-broken-bootpath.patch
|
|
# PATCH-FIX-UPSTREAM shim-bnc798043-no-doulbe-separators.patch bnc#798043 glin@suse.com -- Remove all double-separators from the bootpath
|
|
Patch6: shim-bnc798043-no-doulbe-separators.patch
|
|
# PATCH-FIX-UPSTREAM shim-bnc807760-change-pxe-2nd-loader-name.patch bnc#807760 glin@suse.com -- Change the PXE 2nd stage loader to match the filename we are using
|
|
Patch7: shim-bnc807760-change-pxe-2nd-loader-name.patch
|
|
# PATCH-FIX-UPSTREAM shim-bnc808106-correct-certcount.patch bnc#808106 glin@suse.com -- Correct the certifcate count of the signature list
|
|
Patch8: shim-bnc808106-correct-certcount.patch
|
|
# PATCH-FIX-UPSTREAM shim-mokmanager-ui-revamp.patch glin@suse.com -- Revamp the MokManager UI
|
|
Patch9: shim-mokmanager-ui-revamp.patch
|
|
BuildRequires: gnu-efi >= 3.0t
|
|
BuildRequires: mozilla-nss-tools
|
|
BuildRequires: openssl >= 0.9.8
|
|
BuildRequires: pesign
|
|
BuildRequires: pesign-obs-integration
|
|
Requires: perl-Bootloader
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
|
Recommends: grub2-efi
|
|
ExclusiveArch: x86_64
|
|
|
|
%description
|
|
shim is a trivial EFI application that, when run, attempts to open and
|
|
execute another application.
|
|
|
|
|
|
|
|
Authors:
|
|
--------
|
|
Matthew Garrett <mjg59@srcf.ucam.org>
|
|
|
|
%prep
|
|
%setup -q
|
|
%patch0 -p1
|
|
%patch1 -p1
|
|
%patch2 -p1
|
|
%patch3 -p1
|
|
%patch4 -p1
|
|
%patch5 -p1
|
|
%patch6 -p1
|
|
%patch7 -p1
|
|
%patch8 -p1
|
|
%patch9 -p1
|
|
|
|
%build
|
|
chmod +x "make-certs"
|
|
|
|
if test -e %{_sourcedir}/_projectcert.crt ; then
|
|
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
|
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
|
opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash)
|
|
slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash)
|
|
if test "$prjissuer" = "$opensusesubject" ; then
|
|
suffix=opensuse
|
|
cert=%{SOURCE2}
|
|
fi
|
|
if test "$prjissuer" = "$slessubject" ; then
|
|
suffix=sles
|
|
cert=%{SOURCE4}
|
|
fi
|
|
if test "$prjsubject" = "$prjissuer" ; then
|
|
suffix=local
|
|
cert=%{_sourcedir}/_projectcert.crt
|
|
fi
|
|
fi
|
|
if test -z "$suffix" ; then
|
|
echo "cannot identify project, assuming openSUSE signing"
|
|
suffix=opensuse
|
|
cert=%{SOURCE2}
|
|
fi
|
|
|
|
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
|
# create empty local cert file, we don't need a local key pair as we
|
|
# sign the mokmanager with our vendor key
|
|
touch shim.crt
|
|
touch shim.cer
|
|
# make sure cast warnings don't trigger post build check
|
|
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
|
|
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
|
cp shim.efi shim-$suffix.efi
|
|
chmod 755 %{SOURCE6} %{SOURCE7}
|
|
# alternative: verify signature
|
|
#sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi
|
|
head -1 %{SOURCE1} > hash1
|
|
%{SOURCE7} shim.efi > hash2
|
|
cat hash1 hash2
|
|
if ! cmp -s hash1 hash2; then
|
|
echo "ERROR: binary changed, need to request new signature!"
|
|
# don't fail in devel projects
|
|
prj="%{_project}"
|
|
if [ "${prj%%:*}" = "openSUSE" ]; then
|
|
false
|
|
fi
|
|
fi
|
|
%{SOURCE6} %{SOURCE1} shim.efi
|
|
|
|
%install
|
|
export BRP_PESIGN_FILES='%{_libdir}/efi/shim*.efi %{_libdir}/efi/MokManager.efi %{_libdir}/efi/fallback.efi'
|
|
install -d %{buildroot}/%{_libdir}/efi
|
|
install -m 644 shim-*.efi %{buildroot}/%{_libdir}/efi
|
|
install -m 444 shim-*.der %{buildroot}/%{_libdir}/efi
|
|
install -m 644 shim-signed.efi %{buildroot}/%{_libdir}/efi/shim.efi
|
|
install -m 644 MokManager.efi %{buildroot}/%{_libdir}/efi/MokManager.efi
|
|
install -m 644 fallback.efi %{buildroot}/%{_libdir}/efi/fallback.efi
|
|
install -d %{buildroot}/%{_sbindir}
|
|
install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/
|
|
# install SUSE certificate
|
|
CERT_NAME=$(openssl x509 -sha1 -fingerprint -inform DER -in shim-*.der | grep "SHA1 Fingerprint" | cut -c 18- | cut -d ":" -f 1,2,3,4 | sed 's/://g')
|
|
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
|
|
install -m 444 shim-*.der %{buildroot}/%{_sysconfdir}/uefi/certs/$CERT_NAME.crt
|
|
|
|
%clean
|
|
%{?buildroot:%__rm -rf "%{buildroot}"}
|
|
|
|
%post
|
|
/sbin/update-bootloader --refresh || true
|
|
|
|
%files
|
|
%defattr(-,root,root)
|
|
%doc COPYRIGHT
|
|
%dir %{_libdir}/efi
|
|
%{_libdir}/efi/shim.efi
|
|
%{_libdir}/efi/shim-*.efi
|
|
%{_libdir}/efi/shim-*.der
|
|
%{_libdir}/efi/MokManager.efi
|
|
%{_libdir}/efi/fallback.efi
|
|
%{_sbindir}/shim-install
|
|
%dir %{_sysconfdir}/uefi/
|
|
%dir %{_sysconfdir}/uefi/certs/
|
|
%{_sysconfdir}/uefi/certs/*.crt
|
|
|
|
%changelog
|