authorSteve McIntyre <steve@einval.com>2024-01-20 22:40:27 +0000
committerSteve McIntyre <steve@einval.com>2024-01-20 23:15:22 +0000
commitf4f4e39e16af685d5d6de16c4fcc0e04f651ab70 (patch)
tree08f8baaea99b0bd01c4911c7ada55fba0c530288
parent7686debad858ce35d7b393a424f9b684120c778c (diff)
generate_dbx_list: pick a fixed UUID
otherwise our build won't be reproducible, doh!
-rw-r--r--debian/control1
-rwxr-xr-xdebian/generate_dbx_list7
2 files changed, 5 insertions, 3 deletions
diff --git a/debian/control b/debian/control
index e251e917..a7dc9108 100644
--- a/debian/control
+++ b/debian/control
@@ -13,7 +13,6 @@ Build-Depends: debhelper-compat (= 12),
dos2unix,
pesign (>= 0.112-5),
efivar,
- uuid-runtime,
xxd,
libefivar-dev
Vcs-Browser: https://salsa.debian.org/efi-team/shim
diff --git a/debian/generate_dbx_list b/debian/generate_dbx_list
index db9dc0f6..9f768943 100755
--- a/debian/generate_dbx_list
+++ b/debian/generate_dbx_list
@@ -16,6 +16,10 @@ ARCH=$1
IN=$2
OUT=$3
+# This needs to be fixed to make builds reproducible, of course. If
+# you're deriving from Debian, please generate your own.
+DEBIAN_UUID="fa31923d-6047-40bf-81d0-e63edefcf194"
+
rm -f $OUT
if [ -x /usr/bin/efisiglist ] ; then
# Older versions of the pesign package included the efisiglist
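Review bot: The comment added above `DEBIAN_UUID` is ambiguous, because "needs to be fixed" can be read as "needs repair" rather than "must stay constant", and it does not say what the value is used for. The later hunk passes it to `efisecdb -g`, which appears to be the owner GUID recorded with each dbx hash entry, so I would word it as `# Owner GUID for the dbx entries; kept constant (not uuidgen) so the output is reproducible.` and keep the existing sentence addressed to derivatives. Declaring it as `readonly DEBIAN_UUID="fa31923d-6047-40bf-81d0-e63edefcf194"` would also make it explicit that nothing later in the script should reassign it. The `if` block opened at the end of this hunk continues outside it, so other uses of the value are not visible here.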
@@ -28,12 +32,11 @@ if [ -x /usr/bin/efisiglist ] ; then
else
# It appears we don't have efisiglist, so use efisecdb
# instead. It's a little more awkward to drive.
- UUID=$(uuidgen)
INTMP="" # First pass
for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
awk '{print $1}' | sort | uniq); do
echo " Adding $HASH to dbx list"
- efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT
+ efisecdb -g "$DEBIAN_UUID" -a -t sha256 -h $HASH $INTMP -o $OUT
# Subsequent passes need to read the previous output as input
# each time, and won't overwrite the output.