Use --padding when calling pesign to generate hashes

for the dbx list, as recommended by Peter Jones. No actual changes
needed in our list of hashes at this point - they work out the same
either way.

3 files changed, 12 insertions, 2 deletions

diff --git a/debian/changelog b/debian/changelog
index 1db14b94..93512b93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+shim (15+1533136590.3beb971-8) UNRELEASED; urgency=medium
+
+  [ Steve McIntyre ]
+  * Use --padding when calling pesign to generate hashes for the dbx
+    list, as recommended by Peter Jones. No actual changes needed in
+    our list of hashes at this point - they work out the same either
+    way.
+
+ -- Steve McIntyre <93sam@debian.org>  Wed, 08 May 2019 02:05:01 +0100
+
 shim (15+1533136590.3beb971-7) unstable; urgency=medium
 
   [ Ansgar Burchardt ]
diff --git a/debian/debian-dbx.hashes b/debian/debian-dbx.hashes
index e6e13c38..1e9d07d4 100644
--- a/debian/debian-dbx.hashes
+++ b/debian/debian-dbx.hashes
@@ -9,7 +9,7 @@
 #
 # The hashes are generated using:
 #
-#     pesign --hash -in <binary>
+#     pesign --hash --padding -in <binary>
 #
 # on *either* the signed or unsigned binary, pesign doesn't care
 # which.
diff --git a/debian/ubuntu-dbx.hashes b/debian/ubuntu-dbx.hashes
index b33fc101..0f773df8 100644
--- a/debian/ubuntu-dbx.hashes
+++ b/debian/ubuntu-dbx.hashes
@@ -9,7 +9,7 @@
 #
 # The hashes are generated using:
 #
-#     pesign --hash -in <binary>
+#     pesign --hash --padding -in <binary>
 #
 # on *either* the signed or unsigned binary, pesign doesn't care
 # which.