From c37196e74688dc2d1b3bb2049ea4df99baba9fa5 Mon Sep 17 00:00:00 2001
From: Steve Langasek <steve.langasek@canonical.com>
Date: Thu, 13 Dec 2012 18:42:34 -0800
Subject: debian/patches/sbsigntool-not-pesign: Sign MokManager with sbsigntool
 instead of pesign.

---
 debian/changelog                     |  2 ++
 debian/control                       |  2 +-
 debian/patches/sbsigntool-not-pesign | 22 ++++++++++++++++++++++
 debian/patches/series                |  1 +
 4 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 debian/patches/sbsigntool-not-pesign

(limited to 'debian')

diff --git a/debian/changelog b/debian/changelog
index e43b513a..62c3aa4f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ shim (0.2+20121127.9c0c64eb-0ubuntu1) UNRELEASED; urgency=low
   * New upstream snapshot.
   * Drop debian/patches/shim-before-loadimage; upstream has changed this to
     not call loadimage at all.
+  * debian/patches/sbsigntool-not-pesign: Sign MokManager with
+    sbsigntool instead of pesign.
 
  -- Steve Langasek <steve.langasek@ubuntu.com>  Wed, 12 Dec 2012 16:36:12 -0800
 
diff --git a/debian/control b/debian/control
index 0e27bb52..ef0b876e 100644
--- a/debian/control
+++ b/debian/control
@@ -4,7 +4,7 @@ Priority: optional
 Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
 XSBC-Original-Maintainer: Steve Langasek <vorlon@debian.org>
 Standards-Version: 3.9.3
-Build-Depends: debhelper (>= 9), gnu-efi
+Build-Depends: debhelper (>= 9), gnu-efi, sbsigntool
 Vcs-Bzr: lp:ubuntu/shim
 
 Package: shim
diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign
new file mode 100644
index 00000000..66b0f121
--- /dev/null
+++ b/debian/patches/sbsigntool-not-pesign
@@ -0,0 +1,22 @@
+Description: Sign MokManager with sbsigntool instead of pesign
+ Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use
+ the same thing for signing MokManager with our ephemeral key.  This also
+ avoids an additional build dependency on libnss3-tools.
+Author: Steve Langasek <steve.langasek@canonical.com>
+Forwarded: not-needed
+
+Index: shim/Makefile
+===================================================================
+--- shim.orig/Makefile
++++ shim/Makefile
+@@ -88,8 +88,8 @@
+ 		-j .debug_line -j .debug_str -j .debug_ranges \
+ 		--target=efi-app-$(ARCH) $^ $@.debug
+ 
+-%.efi.signed: %.efi certdb/secmod.db
+-	pesign -n certdb -i $< -c "shim" -s -o $@ -f
++%.efi.signed: %.efi shim.crt
++	sbsign --key shim.key --cert shim.crt $<
+ 
+ clean:
+ 	$(MAKE) -C Cryptlib clean
diff --git a/debian/patches/series b/debian/patches/series
index 42f8afa0..78756329 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 prototypes
 second-stage-path
+sbsigntool-not-pesign
-- 
cgit v1.2.3