diff options
| author | Philipp Hahn <hahn@univention.de> | 2018-04-07 13:06:30 +0200 |
|---|---|---|
| committer | Luca Boccassi <bluca@debian.org> | 2019-02-15 21:25:37 +0000 |
| commit | e914483c5becf89cd8ed0acf489b921a42e50b05 (patch) | |
| tree | 66cc2e328c4be9fdf9c66c5f3b551dffa681022f /debian/rules | |
| parent | 4bb202a09934485b580d01b2780a1b21c2a797ba (diff) | |
| download | efi-boot-shim-e914483c5becf89cd8ed0acf489b921a42e50b05.tar.gz efi-boot-shim-e914483c5becf89cd8ed0acf489b921a42e50b05.zip | |
Disable ephemeral key on Debian
shim creates an ephemeral key, which gets embedded into shim and is used
to sign the corresponding mok-manager (mm*.efi) and fall-back-manager
(fb*.efi).
This makes the build unreproducible.
For Debian we will get those two binaries signed by our Debian-UEFI-CA,
which is the primary (and only) key embedded in shim.
Diffstat (limited to 'debian/rules')
| -rwxr-xr-x | debian/rules | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/debian/rules b/debian/rules index 06c7b422..39cab2d7 100755 --- a/debian/rules +++ b/debian/rules @@ -7,6 +7,7 @@ ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes) cert=debian/canonical-uefi-ca.der distributor=ubuntu +COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1 else cert=debian/debian-uefi-ca.der distributor=debian @@ -24,14 +25,12 @@ ifeq ($(DEB_HOST_ARCH),i386) export EFI_ARCH := ia32 endif -COMMON_OPTIONS = \ +COMMON_OPTIONS += \ RELEASE=15 \ COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \ MAKELEVEL=0 \ EFI_PATH=/usr/lib \ ENABLE_HTTPBOOT=true \ - ENABLE_SHIM_CERT=1 \ - ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) \ EFIDIR=$(distributor) \ $(NULL) |