#!/bin/sh
#
# Helper script - generate a DBX file for inclusion into a shim build
#
# Takes an input file (e.g. debian-dbx.hashes) with data in the form
#
# <hex-encoded sha256 checksums> <arch>
#
# and generates a siglist of the hashes for just the architecture we
# want. No point including all the hashes for all the arches, it just
# bloats things and slows things down.

set -e

ARCH=$1
IN=$2
OUT=$3

DEBIAN_UUID="fa31923d-6047-40bf-81d0-e63edefcf194"

# This needs to be fixed to make builds reproducible, of course. If
# you're deriving from Debian, please generate your own.
UUID="$DEBIAN_UUID"

rm -f $OUT
if [ -x /usr/bin/efisiglist ] ; then
    # Older versions of the pesign package included the efisiglist
    # utility. If we have that, use it.
    for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
		      awk '{print $1}' | sort | uniq); do
	echo "  Adding $HASH to dbx list"
	efisiglist -o $OUT -a -h $HASH
    done
else
    # It appears we don't have efisiglist, so use efisecdb
    # instead. It's a little more awkward to drive.
    INTMP="" # First pass
    for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
		      awk '{print $1}' | sort | uniq); do
	echo "  Adding $HASH to dbx list"
	efisecdb -g "$UUID" -a -t sha256 -h $HASH $INTMP -o $OUT

	# Subsequent passes need to read the previous output as input
	# each time, and won't overwrite the output.
	mv -f $OUT $OUT.in
	INTMP="-i $OUT.in"
    done
    if [ -f $OUT.in ]; then
	mv -f $OUT.in $OUT
    fi
fi

# If we have an empty hashes file, create an empty DBX file
touch $OUT