| author | Steve McIntyre <steve@einval.com> | 2023-11-01 23:37:50 +0000 |
|---|---|---|
| committer | Steve McIntyre <steve@einval.com> | 2023-11-02 00:47:18 +0000 |
| commit | 7686debad858ce35d7b393a424f9b684120c778c (patch) | |
| tree | 849f2428e3cd232a5c808926bb7aa3fa19591569 | |
| parent | e02f5a2563c356f77ed6bfa208bfd3c8b74eefd8 (diff) | |
Tweak building with pesign changes
We used to use efisiglist to generate the DBX list. Newer versions of
the pesign package don't include it any more, and the recommended
replacement tool is now efisecdb from efivar. Tweak the
generate_dbx_list script to work with both old and new. Let's make
backports easy...
| -rw-r--r-- | debian/changelog | 6 | ||||
| -rw-r--r-- | debian/control | 2 | ||||
| -rwxr-xr-x | debian/generate_dbx_list | 32 |
3 files changed, 35 insertions, 5 deletions
diff --git a/debian/changelog b/debian/changelog index 1acd3a28..dd5cbddf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +shim (15.7-2) UNRELEASED; urgency=medium + + * Cope with changes in pesign packaging. + + -- Steve McIntyre <93sam@debian.org> Wed, 01 Nov 2023 23:35:52 +0000 + shim (15.7-1) unstable; urgency=medium * New upstream release fixing more bugs diff --git a/debian/control b/debian/control index c8a753b1..e251e917 100644 --- a/debian/control +++ b/debian/control @@ -12,6 +12,8 @@ Build-Depends: debhelper-compat (= 12), gcc-12, dos2unix, pesign (>= 0.112-5), + efivar, + uuid-runtime, xxd, libefivar-dev Vcs-Browser: https://salsa.debian.org/efi-team/shim diff --git a/debian/generate_dbx_list b/debian/generate_dbx_list index 95ec3e9e..db9dc0f6 100755 --- a/debian/generate_dbx_list +++ b/debian/generate_dbx_list 
@@ -17,11 +17,33 @@ IN=$2 OUT=$3 rm -f $OUT -for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \ - awk '{print $1}' | sort | uniq); do - echo " Adding $HASH to dbx list" - efisiglist -o $OUT -a -h $HASH -done +if [ -x /usr/bin/efisiglist ] ; then + # Older versions of the pesign package included the efisiglist + # utility. If we have that, use it. + for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \ + awk '{print $1}' | sort | uniq); do + echo " Adding $HASH to dbx list" + efisiglist -o $OUT -a -h $HASH + done +else + # It appears we don't have efisiglist, so use efisecdb + # instead. It's a little more awkward to drive. + UUID=$(uuidgen) + INTMP="" # First pass + for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \ + awk '{print $1}' | sort | uniq); do + echo " Adding $HASH to dbx list" + efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT + + # Subsequent passes need to read the previous output as input + # each time, and won't overwrite the output. + mv -f $OUT $OUT.in + INTMP="-i $OUT.in" + done + if [ -f $OUT.in ]; then + mv -f $OUT.in $OUT + fi +fi # If we have an empty hashes file, create an empty DBX file touch $OUT |
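Review bot: In the efisecdb branch of debian/generate_dbx_list, the exit status of `efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT` is never checked. Unless the script enables `set -e` above the visible lines, a failed pass also makes `mv -f $OUT $OUT.in` fail, the loop carries on with whatever `$OUT.in` was left from the previous pass, and the trailing `touch $OUT` still leaves a file behind, so the build can finish with a DBX list that is silently missing revocation hashes. Suggest `efisecdb ... || exit 1` (or an explicit `set -e`) so a dropped entry fails the build. Two smaller points in the same branch: `UUID=$(uuidgen)` produces a fresh owner GUID on every build, which makes the generated list non-reproducible, and a fixed GUID would avoid that; and the filter `[[:xdigit:]]{32}` is unanchored and accepts 32-digit strings although the hashes are passed on as `-t sha256`, so tightening it to 64 digits would reject malformed input lines before they reach efisecdb.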
