Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package shim-signed We've just got new signatures back from Microsoft to match our shim binaries for amd64, i386 and arm64. I've fixed up the packaging a lot to accommodate the new arches (previously we had amd64 only). We've made a lot of progress with shim, and we're nearing the end of the process for Secure Boot in Buster. I'm asking for this unblock today to cover most of what we need, with potentially a further unblock for a new set of signed binaries with some shim bugfixes to come. That'll depend on how long new signatures take to come. (Yay!). The main set of changes here are in version 1.29. diff -Nru shim-signed-1.28+nmu1/Makefile shim-signed-1.30/Makefile --- shim-signed-1.28+nmu1/Makefile 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/Makefile 2019-04-19 15:18:30.000000000 +0100 @@ -3,12 +3,12 @@ check: mkdir -p build # Verifying that the image is signed with the correct key. - sbverify --cert MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed + sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim$(EFI_ARCH).efi.signed # Verifying that we have the correct binary. - sbattach --detach build/detached-sig shimx64.efi.signed - cp /usr/lib/shim/shimx64.efi build/shimx64.efi.signed - sbattach --attach build/detached-sig build/shimx64.efi.signed - cmp shimx64.efi.signed build/shimx64.efi.signed + sbattach --detach build/detached-sig shim$(EFI_ARCH).efi.signed + cp /usr/lib/shim/shim$(EFI_ARCH).efi build/shim$(EFI_ARCH).efi.signed + sbattach --attach build/detached-sig build/shim$(EFI_ARCH).efi.signed + cmp shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed clean: rm -rf build diff -Nru shim-signed-1.28+nmu1/debian/changelog shim-signed-1.30/debian/changelog --- shim-signed-1.28+nmu1/debian/changelog 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/debian/changelog 2019-04-23 00:01:10.000000000 +0100 
@@ -1,3 +1,62 @@ +shim-signed (1.30) unstable; urgency=medium + + * Force the built-using version to be 15+1533136590.3beb971-6. That + *does* match the source we've used, we're only using -5 due to + toolchain changes elsewhere. Ick :-( + + -- Steve McIntyre <93...@debian.org> Tue, 23 Apr 2019 00:01:10 +0100 + +shim-signed (1.29) unstable; urgency=medium + + * New signed binaries available from MS for amd64, arm64 and i386 + * Change maintainer to be the EFI team + * Update the build-depends + + Specifically depend on sbsigntool (>= 0.9.2-2) to fix a bug in the + PE/COFF checksum that otherwise breaks the build + * Tweak the binary package setup a lot + + We're now building for 3 arches + + Depend on the right grub-efi-$arch-bin package for each arch + + Depend on the right shim-helpers-$arch-signed package for each + arch + + Remove the old Replaces: and Breaks:, as we don't clash with files + from the shim binary package any more. + * Stop copying helper binaries into our package now + + We just depend on shim-helpers-ARCH-signed now + * Tweak build, don't assume amd64 + * Add lintian overrides for things we can't really change: + + We're including pre-built binaries, as that's where our signatures + are coming from. We have the matching source in the shim source + package. + * Update Standards-Version to 4.3.0 (no changes needed) + + -- Steve McIntyre <93...@debian.org> Mon, 22 Apr 2019 22:57:55 +0100 + +shim-signed (1.28+nmu3) unstable; urgency=medium + + * Non-maintainer upload. + * (Still) explicitly uploading from a chroot with older binaries + installed for shim and sbsigntool, and update Build-Depends to + point to those speficic versions. This package will *not* function + with other versions installed. + * Add Breaks: shim (<= 0.9+1474479173.6c180c6-1), Closes: #924100 + * +nmu2 fixed the installability problem caused by waiting for + Microsoft's signature on the new shim packages. 
Closes: #922179 + + -- Steve McIntyre <93...@debian.org> Sat, 09 Mar 2019 23:52:41 +0000 + +shim-signed (1.28+nmu2) unstable; urgency=medium + + * Non-maintainer upload. + * Copy the helper binaries from the shim binary so that we no longer + need to depend on it. See #922179 for more details. Add a Replaces: + shim and to allow us to over-write binaries there. + * Explicitly uploading in a chroot with older binaries installed for + shim and sbsigntool, and update Build-Depends to point to those + speficic versions. This package will *not* function with other + versions installed. + + -- Steve McIntyre <93...@debian.org> Sun, 03 Mar 2019 22:33:41 +0000 + shim-signed (1.28+nmu1) unstable; urgency=medium * Non-maintainer upload. diff -Nru shim-signed-1.28+nmu1/debian/control shim-signed-1.30/debian/control --- shim-signed-1.28+nmu1/debian/control 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/debian/control 2019-04-22 23:59:15.000000000 +0100 
@@ -1,15 +1,34 @@ Source: shim-signed Section: utils Priority: optional -Maintainer: Steve Langasek <vor...@debian.org> -Build-Depends: debhelper (>= 9), shim, sbsigntool (>= 0.6-0ubuntu4), po-debconf -Standards-Version: 3.9.4 +Maintainer: Debian EFI Team <debian-...@lists.debian.org> +Uploaders: Steve McIntyre <93...@debian.org>, Steve Langasek <vor...@debian.org> +Build-Depends: debhelper (>= 9), +# Need shim-unsigned version 15+1533136590.3beb971-5 so we can check the +# signature on the right version of shim. Version -6 saw arm64 toolchain +# changes that changed the binary. Ugh. :-( + shim-unsigned (= 15+1533136590.3beb971-5), +# sbsigntool before 0.9.2-2 had a horrid bug with checksum calculation +# which broke our build + sbsigntool (>= 0.9.2-2), + po-debconf +Standards-Version: 4.3.0 +Vcs-Browser: https://salsa.debian.org/efi-team/shim-signed +Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git Package: shim-signed -Architecture: amd64 -Depends: ${misc:Depends}, shim (= ${shim:Version}), grub-efi-amd64-bin, grub2-common (>= 2.02~beta2-36ubuntu12), mokutil +Architecture: amd64 i386 arm64 +Depends: ${misc:Depends}, + grub-efi-amd64-bin [amd64], + shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64], + grub-efi-ia32-bin [i386], + shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386], + grub-efi-arm64-bin [arm64], + shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64], + grub2-common (>= 2.02+dfsg1-16), + mokutil Recommends: secureboot-db -Built-Using: shim (= ${shim:Version}) +Built-Using: shim (= 15+1533136590.3beb971-6) Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) This package provides a minimalist boot loader which allows verifying signatures of other UEFI binaries against either the Secure Boot DB/DBX or diff -Nru shim-signed-1.28+nmu1/debian/copyright shim-signed-1.30/debian/copyright --- shim-signed-1.28+nmu1/debian/copyright 2018-11-04 07:09:26.000000000 +0000 +++ 
shim-signed-1.30/debian/copyright 2019-04-19 15:09:58.000000000 +0100 @@ -1,7 +1,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: shim -Upstream-Contact: Matthew Garrett <m...@redhat.com> -Source: https://github.com/mjg59/shim.git +Upstream-Contact: Peter Jones <pjo...@redhat.com> +Source: https://github.com/rhboot/shim Files: * Copyright: 2012 Red Hat, Inc diff -Nru shim-signed-1.28+nmu1/debian/rules shim-signed-1.30/debian/rules --- shim-signed-1.28+nmu1/debian/rules 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/debian/rules 2019-04-19 15:28:53.000000000 +0100 @@ -1,7 +1,19 @@ #! /usr/bin/make -f VERSION := $(shell LC_ALL=C dpkg-parsechangelog | grep ^Version: | cut -d ' ' -f 2) -SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim) +SHIM_VERSION := $(shell dpkg-query -f '$${Version}\n' -W shim-unsigned) + +include /usr/share/dpkg/architecture.mk + +ifeq ($(DEB_HOST_ARCH),amd64) +export EFI_ARCH := x64 +endif +ifeq ($(DEB_HOST_ARCH),arm64) +export EFI_ARCH := aa64 +endif +ifeq ($(DEB_HOST_ARCH),i386) +export EFI_ARCH := ia32 +endif %: dh $@ diff -Nru shim-signed-1.28+nmu1/debian/shim-signed.install shim-signed-1.30/debian/shim-signed.install --- shim-signed-1.28+nmu1/debian/shim-signed.install 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/debian/shim-signed.install 2019-04-22 18:08:11.000000000 +0100 @@ -1,3 +1,3 @@ -shimx64.efi.signed /usr/lib/shim +build/shim*.efi.signed /usr/lib/shim debian/source_shim-signed.py /usr/share/apport/package-hooks/ update-secureboot-policy /usr/sbin/ diff -Nru shim-signed-1.28+nmu1/debian/shim-signed.postinst shim-signed-1.30/debian/shim-signed.postinst --- shim-signed-1.28+nmu1/debian/shim-signed.postinst 2018-11-04 07:09:26.000000000 +0000 +++ shim-signed-1.30/debian/shim-signed.postinst 2019-04-22 17:52:51.000000000 +0100 
@@ -4,6 +4,20 @@ # Must load the confmodule for our template to be installed correctly. . /usr/share/debconf/confmodule +ARCH=$(dpkg --print-architecture) +case ${ARCH} in + amd64) + GRUB_EFI_TARGET="x86_64-efi";; + i386) + GRUB_EFI_TARGET="i386-efi";; + arm64) + GRUB_EFI_TARGET="arm64-efi";; + *) + echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" + exit 1 + ;; +esac + config_item () { if [ -f /etc/default/grub ]; then @@ -30,7 +44,7 @@ if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ && which grub-install >/dev/null 2>&1 then - grub-install --target=x86_64-efi + grub-install --target=${GRUB_EFI_TARGET} if dpkg --compare-versions "$2" lt-nl "1.22~"; then rm -f /boot/efi/EFI/ubuntu/MokManager.efi fi diff -Nru shim-signed-1.28+nmu1/debian/source/lintian-overrides shim-signed-1.30/debian/source/lintian-overrides --- shim-signed-1.28+nmu1/debian/source/lintian-overrides 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.30/debian/source/lintian-overrides 2019-04-22 22:53:19.000000000 +0100 
@@ -0,0 +1,3 @@ +shim-signed: source-contains-prebuilt-windows-binary shimaa64.efi.signed +shim-signed: source-contains-prebuilt-windows-binary shimia32.efi.signed +shim-signed: source-contains-prebuilt-windows-binary shimx64.efi.signed Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimaa64.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimaa64.efi.signed differ Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimia32.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimia32.efi.signed differ Binary files /tmp/gyjEQeEol0/shim-signed-1.28+nmu1/shimx64.efi.signed and /tmp/Z3ESxao_Zf/shim-signed-1.30/shimx64.efi.signed differ unblock shim-signed/1.30 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores) Kernel taint flags: TAINT_WARN Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
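Review bot: in the Makefile hunk, the `check` target now depends on `EFI_ARCH` being set, but nothing guards the empty case; run outside `debian/rules` (where the variable is exported), `sbverify` is asked for `shim.efi.signed` and the `cmp` fails with a file-not-found rather than a clear message. Suggest an early `ifeq ($(EFI_ARCH),)` / `$(error EFI_ARCH must be set to x64, ia32 or aa64)` / `endif` at the top of the Makefile. The detach/attach/cmp sequence itself is the right check: it ties the Microsoft-signed binary byte-for-byte to `/usr/lib/shim/shim$(EFI_ARCH).efi` from shim-unsigned, so the signature cannot silently cover a different build.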
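Review bot: in the changelog hunk, `speficic` in the 1.28+nmu3 and 1.28+nmu2 entries should read `specific`; those entries are already published, so this only matters if they are being retouched. The new 1.30 entry would benefit from stating plainly that `debian/control` pins `shim-unsigned (= 15+1533136590.3beb971-5)` while `Built-Using` records `-6`, since that is exactly the discrepancy anyone auditing the signed binary against source will hit first.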
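Review bot: in the control hunk, `Built-Using: shim (= 15+1533136590.3beb971-6)` disagrees with `Build-Depends: shim-unsigned (= 15+1533136590.3beb971-5)`, and the Makefile `cmp` proves the signed binary against the -5 binary, not -6. The comment explains the arm64 toolchain change, but Built-Using is what the archive relies on to keep the matching source available, and the -5 source is the one that reproduces the verified binary. Suggest recording the -5 version in the comment next to `Built-Using` (or in README.source) so the provenance chain is explicit, and checking whether `SHIM_VERSION` in debian/rules is still used anywhere now that Built-Using is hard-coded rather than taken from `${shim:Version}`.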
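Review bot: in the debian/rules hunk, the `ifeq ($(DEB_HOST_ARCH),...)` chain has no fallthrough, so on any other architecture `EFI_ARCH` stays empty and the failure only surfaces later as a missing `shim.efi.signed`. Restructuring it as `ifeq ... else ifeq ... else` / `$(error unsupported architecture $(DEB_HOST_ARCH))` / `endif` gives an immediate, readable failure. The `Architecture: amd64 i386 arm64` line in control makes this defensive only, but the same arch table is repeated in the postinst with grub target names, so the two need to be kept in sync when an arch is added.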
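Review bot: in the postinst hunk, aborting with `exit 1` for an unknown architecture is the right choice, but `dpkg --print-architecture` reports the native dpkg architecture rather than the architecture of the package being configured; `DPKG_MAINTSCRIPT_ARCH`, which dpkg exports to maintainer scripts, is the value that matches the package and avoids surprises on multiarch systems. Separately, the unchanged `rm -f /boot/efi/EFI/ubuntu/MokManager.efi` is an Ubuntu-specific path carried over from the original packaging; on Debian `$bootloader_id` is not `ubuntu`, so that branch is dead here and could be dropped or generalised to `$bootloader_id`.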
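Review bot: in the lintian-overrides hunk, the three `source-contains-prebuilt-windows-binary` overrides are justified, since the files are the Microsoft-signed artefacts and the matching source lives in the shim source package, but a `#` comment line above them pointing at the Makefile `check` target (the sbattach/cmp step) would tell the next reader how the prebuilt binaries are tied back to that source.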