authorSteve McIntyre <93sam@debian.org>2024-05-26 21:26:55 +0000
committerSteve McIntyre <93sam@debian.org>2024-05-26 21:26:55 +0000
commit5757ae8a5b8f58817b1c6906f39bbd339b0e2aba (patch)
treeb92e8b437f4efeca6a7fc6b5bd228c55933c7107
parent35d8c4ab76290f6e0402f2d5c2b0ae8cc6f807a7 (diff)
parent57b6c43301b1943197eef3d816639277869231d7 (diff)
Merge branch 'remove-ubuntu-files' into 'master'
Remove Ubuntu CA and dbx files from the repository. See merge request efi-team/shim!16
-rw-r--r--debian/canonical-uefi-ca.derbin1080 -> 0 bytes
-rwxr-xr-xdebian/rules16
-rw-r--r--debian/ubuntu-dbx.hashes22
3 files changed, 4 insertions, 34 deletions
diff --git a/debian/canonical-uefi-ca.der b/debian/canonical-uefi-ca.der
deleted file mode 100644
index b4098d9c..00000000
--- a/debian/canonical-uefi-ca.der
+++ /dev/null
Binary files differ
diff --git a/debian/rules b/debian/rules
index 40a61670..786ba356 100755
--- a/debian/rules
+++ b/debian/rules
@@ -2,18 +2,10 @@
include /usr/share/dpkg/architecture.mk
-# Other vendors, add your certs here. No sense in using
-# dpkg-vendor --derives-from, because only Canonical-generated binaries will
-# be signed with this key; so if you are building your own shim binary you
-# should be building the other binaries also.
-ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
- cert=debian/canonical-uefi-ca.der
- distributor=ubuntu
-COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
-else
- cert=debian/debian-uefi-ca.der
- distributor=debian
-endif
+# Downstreams: add your own certs here. Only Debian binaries will be signed by this key.
+# You must generate and manage your own key if you (re)build shim, GRUB, or Linux.
+cert=debian/debian-uefi-ca.der
+distributor=debian
deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
upstream_version := $(shell echo $(deb_version) | sed -e "s/-[^-]*$$//")
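Review bot: With the vendor conditional gone, `cert=debian/debian-uefi-ca.der` and `distributor=debian` apply to every build of this package, so the comment above them is the only thing telling a derivative not to ship a shim built with what is presumably Debian's CA as its embedded vendor certificate. Consider a parse-time check next to the assignments so an unmodified rebuild under another vendor at least shows up in the build log, e.g. `ifneq ($(shell dpkg-vendor --is debian && echo yes),yes)` / `$(warning shim is being built with the Debian vendor CA on a non-Debian vendor)` / `endif`. The removed Ubuntu branch was also the only place in this hunk that gave `COMMON_OPTIONS` a default (`ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1`); the rest of debian/rules lies outside the hunk, so it is worth confirming that nothing further down still relies on that default. As a wording point, the new comment says binaries are "signed by this key" while `cert` names a CA certificate, so "signed under this CA" would describe the trust relationship more precisely.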
diff --git a/debian/ubuntu-dbx.hashes b/debian/ubuntu-dbx.hashes
deleted file mode 100644
index e1ac3596..00000000
--- a/debian/ubuntu-dbx.hashes
+++ /dev/null
@@ -1,22 +0,0 @@
-# debian-dbx.hashes
-#
-# This file contains the sha256 sums of the binaries that we want to
-# blacklist directly in our signed shim. Add entries below, with comments
-# to explain each entry (where possible).
-#
-# The data in this file needs should be of the form:
-#
-# <hex-encoded sha256 checksums> <arch>
-#
-# All other lines will be ignored. I'm using shell-style comments just
-# for clarity.
-#
-# The hashes are generated using:
-#
-# pesign --hash --padding --in <binary>
-#
-# on *either* the signed or unsigned binary, pesign doesn't care
-# which. See the helper script block_signed_deb for an easy way to
-# generate this information.
-
-# ... This file intentionally left blank for now ...