| -rw-r--r-- | debian/changelog | 3 | ||||
| -rw-r--r-- | debian/control | 1 | ||||
| -rwxr-xr-x | debian/rules | 17 | ||||
| -rw-r--r-- | debian/sbat.debian.csv.in | 1 |
4 files changed, 20 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog index 2d466aa0..6c32c061 100644 --- a/debian/changelog +++ b/debian/changelog @@ -18,6 +18,9 @@ shim (15+1613861442.888f5b5-1) unstable; urgency=medium * Switch to using gcc-10 rather than gcc-9. Closes: #978521 * Add dbx entries for all our existing grub binaries + They're insecure, let's break the chainloading hole. + * Add Debian SBAT data + + Add a Debian SBAT template, and rules to use it + + Adds a build-dep on dos2unix -- Steve McIntyre <93sam@debian.org> Sun, 21 Feb 2021 13:50:16 +0100 diff --git a/debian/control b/debian/control index 06b167b3..dae419ce 100644 --- a/debian/control +++ b/debian/control @@ -10,6 +10,7 @@ Build-Depends: debhelper-compat (= 12), openssl, libelf-dev, gcc-10, + dos2unix, pesign (>= 0.112-5) Vcs-Browser: https://salsa.debian.org/efi-team/shim Vcs-Git: https://salsa.debian.org/efi-team/shim.git diff --git a/debian/rules b/debian/rules index 00c5547e..0306a937 100755 --- a/debian/rules +++ b/debian/rules @@ -15,8 +15,12 @@ else distributor=debian endif +deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p") + DBX_LIST = dbx.esl DBX_HASHES = debian/$(distributor)-dbx.hashes +SBAT_IN = debian/sbat.$(distributor).csv.in +SBAT_DATA = data/sbat.$(distributor).csv include /usr/share/dpkg/architecture.mk @@ -53,14 +57,23 @@ $(DBX_LIST): $(DBX_HASHES) # Support an empty $(DBX_HASHES) touch $@ +$(SBAT_DATA): $(SBAT_IN) + rm -f $@ + set -e; \ + sed -e "s/@DEB_VERSION@/$(deb_version)/g" \ + -e "s/@UPSTREAM_VERSION@/$(plain_upstream_version)/g" \ + < $(SBAT_IN) > $(SBAT_DATA) + # If we have an empty $(SBAT_DATA), delete + if [ ! -s $(SBAT_DATA) ]; then rm -f $(SBAT_DATA); fi + %: dh $@ override_dh_auto_clean: dh_auto_clean -- MAKELEVEL=0 - rm -f $(DBX_LIST) + rm -f $(DBX_LIST) $(SBAT_DATA) sbat.*.csv -override_dh_auto_build: $(DBX_LIST) +override_dh_auto_build: $(DBX_LIST) $(SBAT_DATA) dh_auto_build -- $(COMMON_OPTIONS) override_dh_auto_install: 
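Review bot: `deb_version` in the first debian/rules hunk comes from a `$(shell ...)` pipeline whose failure make never sees, so an empty result would flow unchecked into the `@DEB_VERSION@` substitution of the `$(SBAT_DATA)` recipe in the next hunk. The generated file would then still be non-empty and pass the `-s` test, leaving a blank version field in the SBAT entry. A guard right after the assignment, such as `$(if $(strip $(deb_version)),,$(error deb_version is empty))`, would stop the build instead, and `dpkg-parsechangelog -SVersion` returns the field without the sed filter. How `plain_upstream_version` is set is not visible in this diff, so it is worth checking whether it needs the same guard.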
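Review bot: The `$(SBAT_DATA)` recipe in the second debian/rules hunk fails open: when the sed output is empty, the last line deletes the file and exits successfully, so `override_dh_auto_build` carries on and nothing visible here prevents a shim being built without the distributor's SBAT entry. If an empty template is not a supported configuration, the build should stop, e.g. `if [ ! -s $@ ]; then echo "empty SBAT data: $@" >&2; exit 1; fi`; if it is supported, the comment should say why. Deleting the target also means make re-runs the recipe on every invocation. The redirections could use `$<` and `$@` rather than repeating `$(SBAT_IN)` and `$(SBAT_DATA)`.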
diff --git a/debian/sbat.debian.csv.in b/debian/sbat.debian.csv.in
new file mode 100644
index 00000000..d08b5b9a
--- /dev/null
+++ b/debian/sbat.debian.csv.in
@@ -0,0 +1 @@
+shim.debian,1,Debian,shim,@DEB_VERSION@,https://tracker.debian.org/pkg/shim |
