| Age | Commit message (Collapse) | Author | |
|---|---|---|---|
| 2026-06-08 | Merge pull request #2 from vyos/feat/T8966-legacy-escapeHEADrolling | Yuriy Andamasov | |
| T8966: add legacy-label escape to invalid-task-id rule (commit check exempt) | |||
| 2026-06-08 | T8966: add legacy-label escape to invalid-task-id rule (commit check exempt) | Yuriy Andamasov | |
| 2026-06-07 | Merge pull request #1 from vyos/feat/extends-mergify-t8966 | Yuriy Andamasov | |
| T8966: extends central vyos/mergify + product T-ID rule | |||
| 2026-06-07 | T8966: extends central vyos/mergify + product T-ID rule | Yuriy Andamasov | |
| Onboard vyos/shim-signed to the central Mergify baseline via `extends: mergify` and add the bot-excluded per-repo `invalid-task-id` rule, matching the 49-repo IS-531 product fleet. The 5 merge-protection gate labels were pre-created. Products already enabled; no central-config change. Validated via the Mergify config-simulator (200 OK). Rule body byte-identical to the fleet canonical. 🤖 Generated by [robots](https://vyos.io) | |||
| 2026-06-01 | Add signed SHIM binary including the VyOS Networks CA certificate | Christian Breunig | |
| 2026-05-19 | Fix up stupid omission in the previous package uploaddebian/1.50 | Steve McIntyre | |
| the changes in 1.49 did not take into account the "SecureBoot enabled" case when adding a default error trap. Closes: #1137098, #1137101. | |||
| 2026-05-19 | Make mokutil parsing more robust. Closes: #1137063debian/1.49 | Steve McIntyre | |
| Cope with "Platform is in Setup Mode" message If we get any other unexpected output, print what we got for debugging. | |||
| 2026-05-18 | Make sure we remove shim-signed.preinst during clean | Steve McIntyre | |
| 2026-05-18 | Update changelog and release 1.48debian/1.48 | Steve McIntyre | |
| 2026-05-18 | Tweak the URI linked for CA updates | Steve McIntyre | |
| 2026-05-18 | Switch to using debconf to display signature errors | Steve McIntyre | |
| 2026-05-18 | .gitignore: ignore the generated preinst file | Steve McIntyre | |
| 2026-05-17 | Update changelog | Steve McIntyre | |
| 2026-05-17 | Add more text to the failure messsage | Steve McIntyre | |
| And link to a wiki page for more info. Need to write that page! | |||
| 2026-05-17 | Move shim signature checks to preinst | Steve McIntyre | |
| It's safer to do it here before a new shim is installed. As we don't have any files installed at this point, we can't look up knowwn signatures from a file. Instead, we now substitute the signature fingerprints directly into shim-signed.preinst at package build time. Put the postinst back to where it was before the signature checks were added. | |||
| 2026-05-17 | Tweak the boot check logic further: DBX sigs are fatal | Steve McIntyre | |
| If we have a sig from a key listed in DBX, don't just ignore it. Firmware should refuse to boot things in a revoked chain so we should fail here too. Tweak the output too - switch from using a boolean $SAFE value to using an error string in $SB_BOOT_ERROR so we can have more specific errors printed. | |||
| 2026-05-14 | Update to boot check: ignore keys listed in DBX | Steve McIntyre | |
| 2026-05-14 | Check that we can boot on the current system | Steve McIntyre | |
| If SecureBoot is enabled, check that our shim binary is signed by at least one of the certificates enrolled in firmware. | |||
| 2026-05-14 | Grab the sha1 fingerprint of each used cert as we match them | Steve McIntyre | |
| Later, install that data alongside the shim binaries in the package. We can then use this data to check that we can boot the signed shim we're installing. | |||
| 2026-05-14 | Makefile: add clean rule | Steve McIntyre | |
| 2026-05-13 | Update lintian source overrides | Steve McIntyre | |
| 2026-05-13 | Update build-deps for 16.1-2 | Steve McIntyre | |
| 2026-05-13 | Add the new 16.1-2 binaries signed by Microsoft | Steve McIntyre | |
| 2026-05-13 | Update changelog | Steve McIntyre | |
| 2026-05-13 | Fix up cert filenames and explicitly sort them before use | Steve McIntyre | |
| 2026-05-06 | Add the "new" Microsoft 2023 UEFI CA key | Steve McIntyre | |
| Found at https://github.com/microsoft/secureboot_objects/blob/main/PreSignedObjects/DB/Certificates/microsoft%20uefi%20ca%202023.der and copied here in PEM format, ready to use. | |||
| 2026-05-06 | Shuffle test certificates | Steve McIntyre | |
| 2026-04-28 | Add support for verifying and then combining signatures | Steve McIntyre | |
| from multiple signed shims. * Move the verification logic out into a new helper script verify_combine_sigs - see comments there for how it works. * Rename the existing shim binaries and CA cert to match * Include some extra certs and binaries for testing with | |||
| 2025-07-29 | update-secureboot-policy: do better checking around DKMSdebian/1.47 | Steve McIntyre | |
| If we have DKMS modules installed: + Check to see if a DKMS MOK key has been created and enrolled; + Check that all the DKMS modules are signed with that key; If successful, don't tell users to disable Secure Boot. Closes: #1108278. Add dependencies on openssl and kmod for shim-signed-common, needed for implementing these check. | |||
| 2025-06-23 | No-change rebuild to upload source-only.debian/1.46 | Steve McIntyre | |
| 2025-06-22 | Release 1.45debian/1.45 | Steve McIntyre | |
| Add changelog entries for merged changes | |||
| 2025-06-22 | Merge branch 'update-translation-ca' into 'master' | Steve McIntyre | |
| Update/add Catalan po-debconf translation See merge request efi-team/shim-signed!4 | |||
| 2025-05-26 | Merge branch 'sdboot' into 'master' | Steve McIntyre | |
| Add alternative dependencies on systemd-boot See merge request efi-team/shim-signed!3 | |||
| 2025-05-26 | Add alternative dependencies on systemd-boot | Luca Boccassi | |
| 2025-04-23 | Added po-debconf Catalan translation | Carles Pina i Estany | |
| 2024-07-03 | Release 1.44debian/1.44 | Steve McIntyre | |
| With helpful fixes from Fabian Grünbichler | |||
| 2024-07-03 | Merge branch 'fix-build' into 'master' | Steve McIntyre | |
| fix shim-helpers substvar handling See merge request efi-team/shim-signed!2 | |||
| 2024-07-01 | d/rules: import architecture.mk earlier | Fabian Grünbichler | |
| else DEB_HOST_ARCH is not potentially not yet set and some invocations might print a spurious warning. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |||
| 2024-07-01 | ensure shim-helpers is installed in build environment | Fabian Grünbichler | |
| else the dpkg-query doesn't work. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |||
| 2024-06-29 | Fix broken usage of dpkg-querydebian/1.43 | Steve McIntyre | |
| 2024-06-28 | Tweak versioning in runtime dependenciesdebian/1.42 | Steve McIntyre | |
| using substvars to make things more automatic in future. | |||
| 2024-06-26 | Release shim-signed 1.41 for siddebian/1.41 | Steve McIntyre | |
| 2024-06-26 | Remove obsolete override for shimia32.efi.signed | Steve McIntyre | |
| 2024-06-26 | Switch from debian/compat to build-dep on debhelper-compat (= 13) | Steve McIntyre | |
| 2024-06-26 | New signed binaries corresponding to 15.8-1 | Steve McIntyre | |
| Update build-dep on shim-unsigned to use 15.8-1. Update SBAT to revoke grub binaries with sbat < 4. Stop building for i386. | |||
| 2023-08-04 | Add Romanian translation for debconf templatesdebian/1.40 | Steve McIntyre | |
| thanks to Remus-Gabriel Chelu. Closes: #1039090 | |||
| 2023-08-04 | Stop recommending secureboot-db, we don't have that package | Steve McIntyre | |
| Closes: #1042964, #1041449, #932358 | |||
| 2023-03-09 | Tweak dependencies between packagesdebian/1.39 | Steve McIntyre | |
| 2023-03-08 | Add some Closes:, let's kill some bugs! :-) | Steve McIntyre | |
| 2023-03-08 | Add pt_BR translation, thanks to Paulo Henrique de Lima Santana | Steve McIntyre | |
| Closes: #1026415 | |||
