| Age | Commit message (Collapse) | Author |
|---|
|
|
|
Add a Debian SBAT template, and rules to use it
Adds a build-dep on dos2unix
|
|
|
|
Fixes: lintian: out-of-date-standards-version
See-also: https://lintian.debian.org/tags/out-of-date-standards-version.html
|
|
Fixes: lintian: uses-debhelper-compat-file
See-also: https://lintian.debian.org/tags/uses-debhelper-compat-file.html
|
|
Fixes: lintian: package-uses-old-debhelper-compat-version
See-also: https://lintian.debian.org/tags/package-uses-old-debhelper-compat-version.html
|
|
|
|
Pull upstream commit aaa09b35e73c4a35fc119d225e5241199d7cf5aa to fix
an FTBFS.
|
|
|
|
This allow us to block executing binaries with specific
checksums. Generate the dbx list at runtime from a simple list of
sha256 hashes, so we can update this easily. If we need to also
blacklist a cert later, we'll need to update this code to add that
option too.
Add a build-dep on pesign to get the needed efisiglist program.
|
|
To get better control of reproducibility during the lifetime of
Buster
|
|
|
|
Remove potential confusion with shim-signed. We will now end up with
shim-helpers-$arch-signed to make it clear that they just contain the
helper binaries (fb.efi and mm.efi)
|
|
Add me and vorlon to the Uploaders list
|
|
|
|
for getting the MOK-manager and fall-back binary to be signed by Debians
singing service instead of using an ephemeral key.
Closes: #922228
|
|
as all EFI binaries are now unsigned. They are useless to any normal
user as
- shim is useless without being signed by an external UEFI CA.
- mm and fb won't be loaded by shim as they are now no longer linked to
corresponding shim by the ephemeral key any longer.
|
|
|
|
|
|
|
|
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
|
|
|
|
|
|
|
|
shim will now build and ship BOOT.CSV by itself.
|
|
|
|
|
|
|
|
* Update Standards-Version.
* Embed the newly-minted Debian CA certificate.
* Vendorize debian/rules so that the same package can be used in both
Debian and Ubuntu without modification.
* Fix debian/copyright to match the spec (last match wins, not first)
* Fix shim.efi to not be executable.
* Add watchfile.
* Support parallel builds, because eh why not
* Update Vcs-Bzr.
|
|
|
|
|
|
in 3.0k to build the netboot support.
|
|
sbsigntool instead of pesign.
|
|
stage so there's no point in building it.
|
|
|
|
|
