summaryrefslogtreecommitdiff
path: root/debian/rules
diff options
context:
space:
mode:
authorPhilipp Hahn <hahn@univention.de>2018-04-07 13:06:30 +0200
committerLuca Boccassi <bluca@debian.org>2019-02-15 21:25:37 +0000
commite914483c5becf89cd8ed0acf489b921a42e50b05 (patch)
tree66cc2e328c4be9fdf9c66c5f3b551dffa681022f /debian/rules
parent4bb202a09934485b580d01b2780a1b21c2a797ba (diff)
downloadefi-boot-shim-e914483c5becf89cd8ed0acf489b921a42e50b05.tar.gz
efi-boot-shim-e914483c5becf89cd8ed0acf489b921a42e50b05.zip
Disable ephemeral key on Debian
shim creates an ephemeral key, which gets embedded into shim and is used to sign the corresponding mok-manager (mm*.efi) and fall-back-manager (fb*.efi). This makes the build unreproducible. For Debian we will get those two binaries signed by our Debian-UEFI-CA, which is the primary (and only) key embedded in shim.
Diffstat (limited to 'debian/rules')
-rwxr-xr-xdebian/rules5
1 files changed, 2 insertions, 3 deletions
diff --git a/debian/rules b/debian/rules
index 06c7b422..39cab2d7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,7 @@
ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
cert=debian/canonical-uefi-ca.der
distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
cert=debian/debian-uefi-ca.der
distributor=debian
@@ -24,14 +25,12 @@ ifeq ($(DEB_HOST_ARCH),i386)
export EFI_ARCH := ia32
endif
-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
RELEASE=15 \
COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
MAKELEVEL=0 \
EFI_PATH=/usr/lib \
ENABLE_HTTPBOOT=true \
- ENABLE_SHIM_CERT=1 \
- ENABLE_SBSIGN=1 \
VENDOR_CERT_FILE=$(cert) \
EFIDIR=$(distributor) \
$(NULL)