Use AlmaLinux cert and SBAT

2022-04-05 17:28:52 +02:00 · 2022-04-05 17:28:52 +02:00 · 070d3195de
parent 22a96b9d91
commit 070d3195de
9 changed files with 19 additions and 17 deletions
--- a/SOURCES/almalinuxsecurebootca0.cer
+++ b/SOURCES/almalinuxsecurebootca0.cer
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot303.cer
+++ b/SOURCES/redhatsecureboot303.cer
--- a/SOURCES/redhatsecureboot502.cer
+++ b/SOURCES/redhatsecureboot502.cer
--- a/SOURCES/redhatsecureboot601.cer
+++ b/SOURCES/redhatsecureboot601.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@ -1,3 +1,4 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
-grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com
+grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@RHEL_VERSION@@,mail:secalert@redhat.com
+grub.almalinux8,1,AlmaLinux 8,grub2,@@VERSION@@,mail:security@almalinux.org
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@ -7,7 +7,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	120%{?dist}
+Release:	120%{?dist}.alma
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@ -24,31 +24,29 @@ Source6:	gitignore
 Source8:	strtoull_test.c
 Source9:	20-grub.install
 Source12:	99-grub-mkconfig.install
-Source13:	redhatsecurebootca3.cer
-Source14:	redhatsecureboot301.cer
-Source15:	redhatsecurebootca5.cer
-Source16:	redhatsecureboot502.cer
-Source17:	redhatsecureboot303.cer
-Source18:	redhatsecureboot601.cer
+Source13:	almalinuxsecurebootca0.cer
 Source19:	sbat.csv.in

 %include %{SOURCE1}

 %if 0%{with_efi_arch}
 %define old_sb_ca	%{SOURCE13}
-%define old_sb_cer	%{SOURCE14}
-%define old_sb_key	redhatsecureboot301
-%define sb_ca		%{SOURCE15}
-%define sb_cer		%{SOURCE16}
-%define sb_key		redhatsecureboot502
+%define old_sb_cer	%{SOURCE13}
+%define old_sb_key	almalinuxsecurebootca0
+%define sb_ca		%{SOURCE13}
+%define sb_cer		%{SOURCE13}
+%define sb_key		almalinuxsecurebootca0
 %endif

 %ifarch ppc64le
-%define old_sb_cer	%{SOURCE17}
-%define sb_cer		%{SOURCE18}
-%define sb_key		redhatsecureboot602
+%define old_sb_cer	%{SOURCE13}
+%define sb_cer		%{SOURCE13}
+%define sb_key		almalinuxsecurebootca0
 %endif

+# AlmaLinux: keep upstream EVR for RHEL SBAT entry
+%define rhel_evr $(echo %{evr} | sed 's/\.alma.*//')
+
 # generate with do-rebase
 %include %{SOURCE2}

@ -166,7 +164,7 @@ This subpackage provides tools for support of all platforms.
 mkdir grub-%{grubefiarch}-%{tarversion}
 grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
 cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
-sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE19} \
+sed -e "s,@@VERSION@@,%{evr},g" -e "s,@@RHEL_VERSION@@,%{rhel_evr},g" %{SOURCE19} \
 	> grub-%{grubefiarch}-%{tarversion}/sbat.csv
 git add grub-%{grubefiarch}-%{tarversion}
 %endif
@ -510,6 +508,9 @@ fi
 %endif

 %changelog
+* Tue Apr 05 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 2.06-120.alma
+- Use AlmaLinux cert and SBAT
+
 * Fri Feb 28 2022 Robbie Harwood <rharwood@redhat.com> - 2.06-120
 - Bump signing
 - Resolves: #2032294