| Age | Commit message (Collapse) | Author |
|
It's safer to do it here before a new shim is installed.
As we don't have any files installed at this point, we can't look up
knowwn signatures from a file. Instead, we now substitute the
signature fingerprints directly into shim-signed.preinst at package
build time.
Put the postinst back to where it was before the signature checks were
added.
|
|
If we have a sig from a key listed in DBX, don't just ignore
it. Firmware should refuse to boot things in a revoked chain so we
should fail here too.
Tweak the output too - switch from using a boolean $SAFE value to
using an error string in $SB_BOOT_ERROR so we can have more specific
errors printed.
|
|
|
|
If SecureBoot is enabled, check that our shim binary is signed by at
least one of the certificates enrolled in firmware.
|
|
|
|
Not ideal behaviour either, but don't break upgrades. Copy the
behaviour from the grub packages here. Closes: #990984
|
|
Don't fail if they return errors. Closes: #988114
|
|
|
|
in postinst and postrm. We have nothing to do here. Closes: #988059
|
|
Try to avoid errors if people are doing weird things
|
|
There's no guarantee that it will be called when needed, so switch to
the binary packages instead.
|
|
Separate this from the actual signed shim binaries so that we can
sensibly support co-installability using Multi-Arch. Closes: #928486
|
|
Don't assume that we're on amd64 so we want x86_64-efi ...
|
|
shim-signed (1.28) unstable; urgency=medium
* Initial Debian upload, based on Ubuntu package.
|