Accepting request 196609 from home:lnussel:branches:devel:openSUSE:Factory
- also include old openSUSE 4096 bit certificate to be able to still boot kernels signed with that key. - add show_signatures script OBS-URL: https://build.opensuse.org/request/show/196609 OBS-URL: https://build.opensuse.org/package/show/devel:openSUSE:Factory/shim?expand=0&rev=38
parent
e60c1a0266
commit
f83d4083f6
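--- a/openSUSE-UEFI-CA-Certificate-4096.crt
+++ b/openSUSE-UEFI-CA-Certificate-4096.crt
@@ -0,0 +1,37 @@
+-----BEGIN CERTIFICATE-----
+MIIGdDCCBFygAwIBAgIBATANBgkqhkiG9w0BAQsFADCBgTEgMB4GA1UEAwwXb3Bl
+blNVU0UgU2VjdXJlIEJvb3QgQ0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJl
+bWJlcmcxGTAXBgNVBAoMEG9wZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEW
+EmJ1aWxkQG9wZW5zdXNlLm9yZzAeFw0xMzAxMjgxNDUzMzBaFw0zNDEyMjQxNDUz
+MzBaMIGBMSAwHgYDVQQDDBdvcGVuU1VTRSBTZWN1cmUgQm9vdCBDQTELMAkGA1UE
+BhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEZMBcGA1UECgwQb3BlblNVU0UgUHJv
+amVjdDEhMB8GCSqGSIb3DQEJARYSYnVpbGRAb3BlbnN1c2Uub3JnMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuqmSgrdlO0B96sOK5mJj1k4OetzmP6l8
+YKdy+HdzN/3bS97vfqIIqb0YCgzmJROSLsXv6WQReuAtKbftgla6R/dOvKU/CxCN
+z0uCbzuM+gN5Q7pSWifnm81QNDowFpxZlJBFvIP92zh5yWNEGqVzMN0jDjOFxLfh
+O1sx6W8YBOYzScWrlTKysH6uK79gWenwvh3nmkx+68PV08azmizG6As4IAPDqtd/
+w92iLTzjLVGp32wFDhLuDleojjvJgnOGngKa8oRcLlvfh07wKO0urjt8/3HKxcUf
+RmbSyaLdfP8lOt/mFPpfN4kev9wjqdbIhLIZs6iKbu+hR40QfAR46V8vnPoeIYeM
+ibsl1mvr0U7O6w7kTQuzW7JmJkCYf7n4HoPBgxTzgjKlsBGY0I+dTvZXozsKuTKx
+ir/w6WWcdkIWoXJh00Nb9eWqFQr0exG0hwa1o0ESXjv7aJHwg39B6m8MZVppdpmg
+i0G8pOKtHQZ6OR87YeSUHJ400ocIfYMOAybuB/5rHfC58BvCcjaZwHKTkHlyx28i
+EXgFyzGMqbWlgmI5RJ8UzaM6rTaieIRSsyGbYrDa89BFMhGmY8xMIeeT8191bLbH
+CpX7CMW9npoEqslHL67FMI3LXC5fgYKoPwUnj/TlT0gkjVobEXmXZB6sCDQ6BFTg
+4dpPIFEjnxsCAwEAAaOB9DCB8TAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSZ
+DSa38E3ZzmTn0Y79aHtKXeKGpTCBrgYDVR0jBIGmMIGjgBSZDSa38E3ZzmTn0Y79
+aHtKXeKGpaGBh6SBhDCBgTEgMB4GA1UEAwwXb3BlblNVU0UgU2VjdXJlIEJvb3Qg
+Q0ExCzAJBgNVBAYTAkRFMRIwEAYDVQQHDAlOdXJlbWJlcmcxGTAXBgNVBAoMEG9w
+ZW5TVVNFIFByb2plY3QxITAfBgkqhkiG9w0BCQEWEmJ1aWxkQG9wZW5zdXNlLm9y
+Z4IBATAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQADggIBAFsmHlxiAGKu
+Qyx1qb6l7bEWgXAePQfVaaCEH4Mn+oq80kJ67S7s6We8e5QJOgYznk5mDk+PTUC/
+phkP3aJRqZAf5UDrQkOHobpk7FFBxZKjZfULPls3H9+Hichw/XJ2/xJwG+Ja6pgD
+dNO2UaKOjZHCiyZ4ehO7syle/EgQALVwKH4cVq6zIh4xUH4r9WvfdR5vkhhTgM/0
+nzzoBnFRnCUpcsLPj10246wVuLQcliZBeKjiV4xqrMe6cXX8crHvZqqJPZ2jMTGD
+eVIpVES12ZpMT7SbQbcDR1XgjqrL3U9vfcabdqLU60000ALvnDFNN0Sm7xhB+d3c
+sDIyJMwSfIb9jWApsB/En5uRCM++ruqjyFiqTCORo9gzaocw6gut6WYs2TOrZ2NO
+Tq4JNAFfCL/z0p8jdz1dJZmqpgFAlltKNNDWV6KlBPUAdxDEbIiuGoYweB+Zxed3
+BKdlrKGcH0ewPmzt4vVLCl2yFoODxjVtndXieDt/BWIYltMjqYU1qrrOdISHdeAG
+A24L/uxiU4Ej2bKKWNYtvrGMNLMUWBTx5afHMQnK9MD8Z6cpjccNaR0Pe9ZCBRGI
+xyUitlfnU604q1GfYdymiq4mUvSEgy3vbbsVBvcAKElN+hWpAeZbiWc/KcBWKMtp
+4aQ0yoLWDFkQNGU0rGazsu3hpOWta6mL
+-----END CERTIFICATE-----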
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 28 07:16:51 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
- also include old openSUSE 4096 bit certificate to be able to still
|
||||||
|
boot kernels signed with that key.
|
||||||
|
- add show_signatures script
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
|
Tue Aug 27 06:41:03 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
@ -35,6 +35,8 @@ Source4: SLES-UEFI-CA-Certificate.crt
|
|||||||
Source5: extract_signature.sh
|
Source5: extract_signature.sh
|
||||||
Source6: attach_signature.sh
|
Source6: attach_signature.sh
|
||||||
Source7: show_hash.sh
|
Source7: show_hash.sh
|
||||||
|
Source8: show_signatures.sh
|
||||||
|
Source9: openSUSE-UEFI-CA-Certificate-4096.crt
|
||||||
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
# PATCH-FIX-SUSE shim-suse-build.patch glin@suse.com -- Adjust Makefile for the build service
|
||||||
Patch0: shim-suse-build.patch
|
Patch0: shim-suse-build.patch
|
||||||
# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert.
|
# PATCH-FIX-UPSTREAM shim-fix-pointer-casting.patch glin@suse.com -- Fix a casting issue and the size of an empty vendor_cert or dbx_cert.
|
||||||
@ -91,6 +93,7 @@ Authors:
|
|||||||
%build
|
%build
|
||||||
chmod +x "make-certs"
|
chmod +x "make-certs"
|
||||||
|
|
||||||
|
cert2=''
|
||||||
if test -e %{_sourcedir}/_projectcert.crt ; then
|
if test -e %{_sourcedir}/_projectcert.crt ; then
|
||||||
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
|
||||||
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash)
|
||||||
@ -99,6 +102,7 @@ if test -e %{_sourcedir}/_projectcert.crt ; then
|
|||||||
if test "$prjissuer" = "$opensusesubject" ; then
|
if test "$prjissuer" = "$opensusesubject" ; then
|
||||||
suffix=opensuse
|
suffix=opensuse
|
||||||
cert=%{SOURCE2}
|
cert=%{SOURCE2}
|
||||||
|
cert2=%{SOURCE9}
|
||||||
fi
|
fi
|
||||||
if test "$prjissuer" = "$slessubject" ; then
|
if test "$prjissuer" = "$slessubject" ; then
|
||||||
suffix=sles
|
suffix=sles
|
||||||
@ -116,10 +120,14 @@ if test -z "$suffix" ; then
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
openssl x509 -in $cert -outform DER -out shim-$suffix.der
|
||||||
|
if [ -z "$cert2" ]; then
|
||||||
# create empty local cert file, we don't need a local key pair as we
|
# create empty local cert file, we don't need a local key pair as we
|
||||||
# sign the mokmanager with our vendor key
|
# sign the mokmanager with our vendor key
|
||||||
touch shim.crt
|
touch shim.crt
|
||||||
touch shim.cer
|
touch shim.cer
|
||||||
|
else
|
||||||
|
cp $cert2 shim.crt
|
||||||
|
fi
|
||||||
# make sure cast warnings don't trigger post build check
|
# make sure cast warnings don't trigger post build check
|
||||||
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
|
make VENDOR_CERT_FILE=shim-$suffix.der shim.efi MokManager.efi fallback.efi 2>/dev/null
|
||||||
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
# make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx
|
||||||
|
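Review bot: The `else` branch (`cp $cert2 shim.crt`) makes the old 4096 bit CA a second certificate that the built shim will accept, but the hunk neither documents that nor checks that Source9 is the certificate it is meant to be. The existing comment about the empty local cert now sits inside the `if`, so the `else` path needs its own, for example `# ship the old 4096 bit CA as the built-in cert so kernels signed with that key still boot`. A build-time pin would make an accidental swap of the file visible: compare the output of `openssl x509 -in "$cert2" -noout -fingerprint -sha256` with a recorded value (`<EXPECTED_SHA256_FINGERPRINT>`), and quote the copy as `cp -- "$cert2" shim.crt`. `shim.cer` is created only in the `if` branch, so the `else` path presumably relies on the Makefile deriving it from `shim.crt`; that is worth confirming, because the `make` line below discards stderr and a failure there is easy to miss. The %build script starts and ends outside this hunk.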
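--- a/show_signatures.sh
+++ b/show_signatures.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+# show signatures on a PE binary
+set -e
+
+infile="$1"
+
+if [ -z "$infile" -o ! -e "$infile" ]; then
+echo "USAGE: $0 file.efi"
+exit 1
+fi
+
+nssdir=`mktemp -d`
+cleanup()
+{
+rm -r "$nssdir"
+}
+trap cleanup EXIT
+echo > "$nssdir/pw"
+certutil -f "$nssdir/pw" -d "$nssdir" -N
+
+pesign -n "$nssdir" -S -i "$infile"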
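Review bot: The argument check `[ -z "$infile" -o ! -e "$infile" ]` uses the obsolescent `-o` operator, accepts any existing path including a directory, and prints the usage text to stdout. I would write `if [ -z "$infile" ] || [ ! -f "$infile" ]; then` and `echo "USAGE: $0 file.efi" >&2`. The header comment should also state the script's limits: it runs `pesign -S` against a freshly created, empty NSS database, so the output is presumably a listing of what is attached and not a trust decision. A suitable wording is `# lists the signatures on a PE binary; does not verify them against any trusted certificate`.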