control: tags -1 +pending

Hey guys,

Sorry, I've not been updating bugs here enough to share progress.

I've had changes for this ready for some time, just not pushed yet.

The shim 16.0 release has already happened upstream, and it passes CI
for me locally.

*However*, we're waiting on a bugfix for

  https://github.com/rhboot/shim/issues/74

which is a show-stopper bug for secure boot chains where UKIs are
going to be a thing. A fix is coming Real Soon Now, I've been
promised. That's going to prompt a 16.1 release.

In the meantime, I really don't want to upload a 16.0 build, as that
makes things much more awkward in terms of the signing pipeline (etc.)

On Fri, Apr 11, 2025 at 09:11:38PM +0200, Emanuele Rocca wrote:
>Hello Niels,
>
>On 2024-12-28 01:06, Niels Thykier wrote:
>> Please review attached as an example of how to fix this problem.
>> 
>> Note: Untested, since I was doing my testing on amd64.
>
>LGTM. I applied your patch and built the package with a regular user as
>follows:
>
>$ dpkg-buildpackage -us -uc -b -rfakeroot
>
>The signed files in the resulting binary have the right user, group, and
>permissions:
>
>$ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F .signed
>-rw-r--r-- root/root     90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
>-rw-r--r-- root/root    887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed
>
>As far as I understand though, the shim-helpers-arm64-signed source
>package is generated by shim. I think the file we want to change is
>debian/signing-template/rules in the shim sources. Ditto for
>debian/signing-template/control.in.
>
>See attached patch.

>diff --git a/debian/signing-template/control.in 
>b/debian/signing-template/control.in
>index 9d75d92..3d02823 100644
>--- a/debian/signing-template/control.in
>+++ b/debian/signing-template/control.in
>@@ -2,6 +2,7 @@ Source: shim-helpers-@arch@-signed
> Section: admin
> Priority: optional
> Maintainer: Debian EFI team <debian-...@lists.debian.org>
>+Rules-Requires-Root: no
> Standards-Version: 4.3.0
> Build-Depends: debhelper (>= 10.1~),
>  sbsigntool [amd64 arm64 i386],
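
Review bot: the Build-Depends context line right below the new Rules-Requires-Root: no field still only asks for debhelper (>= 10.1~), so please check that this minimum debhelper actually honours the field and still emits root-owned archive members when the build runs as a regular user; if it does not, raise the versioned dependency in the same change. It is also worth confirming against the full template rules file that the two install calls changed in the rules hunk are the only places that set ownership or otherwise assume root, since this field asserts that for the whole build.
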
>diff --git a/debian/signing-template/rules b/debian/signing-template/rules
>index a972e7d..f034f83 100755
>--- a/debian/signing-template/rules
>+++ b/debian/signing-template/rules
>@@ -9,8 +9,8 @@ override_dh_auto_install:
>       set -e ; \
>       find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
>       while read sig; do \
>-              install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
>-              install -o 0 -g 0 -m 0644 "/$${sig%.sig}" 
>"debian/tmp/$${sig}ned" ; \
>+              install -m 0755 -d "debian/tmp/$${sig%/*}" ; \
>+              install -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
>               sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
>       done
> 
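
Review bot: with -o 0 -g 0 dropped from both install lines, root/root ownership of the .signed files is no longer set by this loop and depends entirely on the package-building step, so it should be verified on a build that has no root command at all; the dpkg --contents check quoted above came from a build invoked with -rfakeroot, and repeating it after a plain dpkg-buildpackage -us -uc -b would close that gap. The -m 0755 and -m 0644 arguments are kept, so the modes of the directory and of the signed EFI binaries stay explicit, which is the right call for files in the secure boot chain.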

-- 
Steve McIntyre, Cambridge, UK.                                st...@einval.com
< Aardvark> I dislike C++ to start with. C++11 just seems to be
            handing rope-creating factories for users to hang multiple
            instances of themselves.
