blob: 5fbd9c41742153815a0610405651a6860036204c (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
#!/bin/sh
#
# Helper script - generate a DBX file for inclusion into a shim build
#
# Takes an input file (e.g. debian-dbx.hashes) with data in the form
#
# <hex-encoded sha256 checksums> <arch>
#
# and generates a siglist of the hashes for just the architecture we
# want. No point including all the hashes for all the arches, it just
# bloats things and slows things down.
set -e
ARCH=$1
IN=$2
OUT=$3
DEBIAN_UUID="fa31923d-6047-40bf-81d0-e63edefcf194"
# This needs to be fixed to make builds reproducible, of course. If
# you're deriving from Debian, please generate your own.
UUID="$DEBIAN_UUID"
rm -f $OUT
if [ -x /usr/bin/efisiglist ] ; then
# Older versions of the pesign package included the efisiglist
# utility. If we have that, use it.
for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
awk '{print $1}' | sort | uniq); do
echo " Adding $HASH to dbx list"
efisiglist -o $OUT -a -h $HASH
done
else
# It appears we don't have efisiglist, so use efisecdb
# instead. It's a little more awkward to drive.
INTMP="" # First pass
for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
awk '{print $1}' | sort | uniq); do
echo " Adding $HASH to dbx list"
efisecdb -g "$UUID" -a -t sha256 -h $HASH $INTMP -o $OUT
# Subsequent passes need to read the previous output as input
# each time, and won't overwrite the output.
mv -f $OUT $OUT.in
INTMP="-i $OUT.in"
done
if [ -f $OUT.in ]; then
mv -f $OUT.in $OUT
fi
fi
# If we have an empty hashes file, create an empty DBX file
touch $OUT
|
