<feed xmlns='http://www.w3.org/2005/Atom'>
<title>shim-signed.git/debian, branch debian/1.48</title>
<subtitle>VyOS code for the shim-signed package (mirror of https://github.com/vyos/shim-signed.git)
</subtitle>
<id>https://git.amelek.net/vyos/shim-signed.git/atom?h=debian%2F1.48</id>
<link rel='self' href='https://git.amelek.net/vyos/shim-signed.git/atom?h=debian%2F1.48'/>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/'/>
<updated>2026-05-18T13:12:28+00:00</updated>
<entry>
<title>Update changelog and release 1.48</title>
<updated>2026-05-18T13:12:28+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-18T13:12:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=409da09ec16bd2a28041db9608661a7f8fc7ec37'/>
<id>urn:sha1:409da09ec16bd2a28041db9608661a7f8fc7ec37</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Tweak the URI linked for CA updates</title>
<updated>2026-05-18T13:06:58+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-18T13:06:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=0f5a44c8169294fd1362ee6d018f93a76f0d1f05'/>
<id>urn:sha1:0f5a44c8169294fd1362ee6d018f93a76f0d1f05</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Switch to using debconf to display signature errors</title>
<updated>2026-05-17T23:56:13+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-17T23:52:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=04a3449adcd413433c45774ac7b150ededaa1c4e'/>
<id>urn:sha1:04a3449adcd413433c45774ac7b150ededaa1c4e</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Update changelog</title>
<updated>2026-05-17T21:49:28+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-17T21:46:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=5bf524a5960e24df055123cb491d52fe8f265c94'/>
<id>urn:sha1:5bf524a5960e24df055123cb491d52fe8f265c94</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Add more text to the failure messsage</title>
<updated>2026-05-17T21:45:41+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-17T21:45:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=ca8556f025821178897986b431bf1bfdc38abb09'/>
<id>urn:sha1:ca8556f025821178897986b431bf1bfdc38abb09</id>
<content type='text'>
And link to a wiki page for more info. Need to write that page!
</content>
</entry>
<entry>
<title>Move shim signature checks to preinst</title>
<updated>2026-05-17T21:40:01+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-17T21:34:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=32c23f8e7c8dace4677a5393a86cb91857630ff0'/>
<id>urn:sha1:32c23f8e7c8dace4677a5393a86cb91857630ff0</id>
<content type='text'>
It's safer to do it here before a new shim is installed.

As we don't have any files installed at this point, we can't look up
knowwn signatures from a file. Instead, we now substitute the
signature fingerprints directly into shim-signed.preinst at package
build time.

Put the postinst back to where it was before the signature checks were
added.
</content>
</entry>
<entry>
<title>Tweak the boot check logic further: DBX sigs are fatal</title>
<updated>2026-05-17T21:39:45+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-17T20:43:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=ccec529c3644e56a9889f013438d09a4c5d349d6'/>
<id>urn:sha1:ccec529c3644e56a9889f013438d09a4c5d349d6</id>
<content type='text'>
If we have a sig from a key listed in DBX, don't just ignore
it. Firmware should refuse to boot things in a revoked chain so we
should fail here too.

Tweak the output too - switch from using a boolean $SAFE value to
using an error string in $SB_BOOT_ERROR so we can have more specific
errors printed.
</content>
</entry>
<entry>
<title>Update to boot check: ignore keys listed in DBX</title>
<updated>2026-05-14T15:53:15+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-14T15:53:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=0140b59d00318019177364b0a56f180052394868'/>
<id>urn:sha1:0140b59d00318019177364b0a56f180052394868</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Check that we can boot on the current system</title>
<updated>2026-05-14T15:33:23+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-14T15:33:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=be5e1a1dd8e69d54bd52ff55f801028af6b83767'/>
<id>urn:sha1:be5e1a1dd8e69d54bd52ff55f801028af6b83767</id>
<content type='text'>
If SecureBoot is enabled, check that our shim binary is signed by at
least one of the certificates enrolled in firmware.
</content>
</entry>
<entry>
<title>Grab the sha1 fingerprint of each used cert as we match them</title>
<updated>2026-05-14T05:38:14+00:00</updated>
<author>
<name>Steve McIntyre</name>
<email>steve@einval.com</email>
</author>
<published>2026-05-13T23:18:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.amelek.net/vyos/shim-signed.git/commit/?id=51d7291fc779e9c961c942fb503ffa2d02205b3c'/>
<id>urn:sha1:51d7291fc779e9c961c942fb503ffa2d02205b3c</id>
<content type='text'>
Later, install that data alongside the shim binaries in the package.

We can then use this data to check that we can boot the signed shim
we're installing.
</content>
</entry>
</feed>
