Hello Niels,
On 2024-12-28 01:06, Niels Thykier wrote:
> Please review attached as an example of how to fix this problem.
>
> Note: Untested, since I was doing my testing on amd64.
LGTM. I applied your patch and built the package with a regular user as
follows:
$ dpkg-buildpackage -us -uc -b -rfakeroot
The signed files in the resulting binary have the right user, group, and
permissions:
$ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F
.signed
-rw-r--r-- root/root 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rw-r--r-- root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed
As far as I understand though, the shim-helpers-arm64-signed source
package is generated by shim. I think the file we want to change is
debian/signing-template/rules in the shim sources. Ditto for
debian/signing-template/control.in.
See attached patch.
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
index 9d75d92..3d02823 100644
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@@ -2,6 +2,7 @@ Source: shim-helpers-@arch@-signed
Section: admin
Priority: optional
Maintainer: Debian EFI team <debian-...@lists.debian.org>
+Rules-Requires-Root: no
Standards-Version: 4.3.0
Build-Depends: debhelper (>= 10.1~),
sbsigntool [amd64 arm64 i386],
diff --git a/debian/signing-template/rules b/debian/signing-template/rules
index a972e7d..f034f83 100755
--- a/debian/signing-template/rules
+++ b/debian/signing-template/rules
@@ -9,8 +9,8 @@ override_dh_auto_install:
set -e ; \
find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
while read sig; do \
- install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
- install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+ install -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+ install -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
done
