From 070d3195de76b2dd55e2abaf3d3b6c71fc3ca9b1 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Tue, 5 Apr 2022 17:28:52 +0200 Subject: [PATCH] Use AlmaLinux cert and SBAT --- SOURCES/almalinuxsecurebootca0.cer | Bin 0 -> 1787 bytes SOURCES/redhatsecureboot301.cer | Bin 839 -> 0 bytes SOURCES/redhatsecureboot303.cer | Bin 899 -> 0 bytes SOURCES/redhatsecureboot502.cer | Bin 964 -> 0 bytes SOURCES/redhatsecureboot601.cer | Bin 916 -> 0 bytes SOURCES/redhatsecurebootca3.cer | Bin 977 -> 0 bytes SOURCES/redhatsecurebootca5.cer | Bin 920 -> 0 bytes SOURCES/sbat.csv.in | 3 ++- SPECS/grub2.spec | 33 +++++++++++++++-------------- 9 files changed, 19 insertions(+), 17 deletions(-) create mode 100644 SOURCES/almalinuxsecurebootca0.cer delete mode 100644 SOURCES/redhatsecureboot301.cer delete mode 100644 SOURCES/redhatsecureboot303.cer delete mode 100644 SOURCES/redhatsecureboot502.cer delete mode 100644 SOURCES/redhatsecureboot601.cer delete mode 100644 SOURCES/redhatsecurebootca3.cer delete mode 100644 SOURCES/redhatsecurebootca5.cer 
diff --git a/SOURCES/almalinuxsecurebootca0.cer b/SOURCES/almalinuxsecurebootca0.cer new file mode 100644 index 0000000000000000000000000000000000000000..6a4e99b9ed921c4af3db55a619260f1ab76110dc GIT binary patch literal 1787 zcmb7Edpy%?9NzEu+YQ4qp+X~z$hNhS)Qi`TME^-dksg&-Xq2Cz{bpoK?*v3Lr+#1l0EMjD_^(GTMD zB!UPL)n5=TknqD$I+(55K`6BGoxr#aQ34*7AqwMDg9H&mfiQx~@Sw6ns4M2o1LnrM zj*bAGgM!g7R1KZf5ID|pa&dAA1xdG2GSJgV;wS_sr+Fwqoly#ygx9gdLs&@Wya0v} z3LG4SP65Uf7hwvK$&cd3bH#kr3{2A~=u->>#eywd37;Auj^GLf30#RlB%EMPEi-l+ zkwox{5{U(2T$BpTN6nIqJ))wy{sLj#R%$>H)k_p74EruH#z6j)0c5b{#3zMt7(@o^ zW7O-~undMU6>I1J?%P(;)EDTd~@7#vAD%qZ-ufkhh?j~ zapii8FZ6l4l2j4>$6Kvd%=FCfQ#Hi8bqZPzauDLVg0k(jF6nNqtfiz|Wxur8bX2ad zdVcV5sacnCY_nO@_S&kodX}Gu=_h9qjw-&C&Q?YW8|~hwL@-lYMZxo*mT|n_rq!Dq zNO?Kr*Z&ajuCl*+CptA}bH}3+sZUn7lNIOqU@O10Y8v~wWKcZqMh{nDsrrHAqC?Fn zC5Od?^TaPN9vZwE>ENKiT9WIkzve%`+%Pg-+wtWhW?EoI?ykMo1m;;krtqoqrdY(Z z>AG~nTPIVAdtr9e$os^OcI}Pat4B7uw#bZr_Ev0CoO20G4yS!W8C%*eNtWAYpL#d* zedparl{a8zs7XrL79O+)cgO3rRq(Xe?bv+=_YavC&C0sI{5@^Isw>gKnC3h)7Af**$k{YWr>DKj@ce|HuYY$w-4X7busAnE?sO0 z%rpc&tP$2Q5p}pRNtx`QBY$$Hy}hi^EzC7xG%sfQ5Hy0tA}}ElkTi6P2EzaYC>lh= zl7Kdzs16YhM?esDptRPfdPAw7JRwLkg(U+Y4UdZT1n$5IPa2Kec@%;nJOpT9#`r7@ z85u`PBr&nB4i2&3%Ye=kMLRG8g8%`Ki%23t2=LQLO~*2UT1>u3z97|AGoqg0iKFNf zr^ZU-duM1WW2`Y49;^^`UC`BhARRwieNz#L243SBz!P*O|5I1;uO$Gbj#^URPsEFj znJ5J48Yh#m)_^Ae=Lv|2+!#zIQG$c)nJj+~w#N#V{a95^486KX5gC+(`LS(LuYLx& zmK=g#7W3C{btC1qgXHu|&hAt1mVpg9@qz7)LQjirTbE=%tB>VaJ{w|W+SRlqtM=qq z`BZ#(0JZP>i7X28yp;YFwn*+V^|hB(LiOc)PaARBXXK%~jS_tFjUyY$QX;*+r0V45 zkE=pT=tBm1C+#j}43w`s`%TdlzpX-LE<>U=F6|4*<{yn&V-xIkW##-D?u9_i{=os1 zQ~fq=HHqcUdPH1KbNZa$#kq3WF+jPXnVa;%`a)vjg(LknHdCYpovzocJ`VZSGQKX% z9VuvTNmoc+L-8N(4b3q2QAF;sQhj@I*nzv-=TicK8=0_FUZQQx>WuhjaYMX_P|t&zHv TseG#v;Fg#3=RT@0&At3@_pP4Z literal 0 HcmV?d00001 
diff --git a/SOURCES/redhatsecureboot301.cer b/SOURCES/redhatsecureboot301.cer deleted file mode 100644 index 4ff8b79e6736e566dbf39603e0887a53345aa4e4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 839 zcmXqLVs5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(A3<>AWEFq*xbO#zzobaj4}u^)G^S4Sf`BDy5h|A zyv)3GQtWJER6_O@BP#=Q6C*!^K@%evQxhX2!zT5vqmx`?o`(oz{$eeCezR_cLPyl% zHpefqUbuO&%O^nA}y6#9BjM%~U7Q(5kw6_YN1epR)|xb9Elg4_B`%!~|-ixmyz4P=2K zFU!Xw#v&5#_@80Rp3FS`6#W&an$HJBb(91l2O=d+v%~@6}B_2%&Mg` zDvt6_STWb-ZhXD^RgaJz3Cq5o4B43+oEZD&XVQnj{jXOGHfUJJB>qmC?A`ut>Ahpw zdM-|DZzz7Yc^I3-u|J*vqdKqQ`kIF?LJd~2r8XOg&f%Z+Yj((@r{(*;Y?_w8rSDJJ zntk_K74NJ(drfx5hIZaKImf>p{fSPd=}qfHlV8OA-0dHz$M#&#on!XF_3NjY{(Hxy zbKN4k{8NvC{Y9;Yo!51>R!)l5n2-{5CgAUe(k!NLc|1u*B2w==ttY-NzWb+N=75O& zzv2uf{%c3S9%5x`<-dQv`g=w9>l=;D-vz#WO}UeuefPU1`=|Tw9$I=mIi&>vg+x|L diff --git a/SOURCES/redhatsecureboot303.cer b/SOURCES/redhatsecureboot303.cer deleted file mode 100644 index 2c0087dbc5da376aef641bb23833401857c34940..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 899 zcmXqLVy-u6VoG1Y%*4pV#L4h}zvyHQr&GoTylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)Z4a^Ko3@l8IOe~_rd5tX$3=NE+T!SD(9Rn?}bv(*gtt-w< z&&$k92is{(oSjXKO31!qWMyD(V&rEqXkz4IYGPz$II>2G|M$FqPFt5GY@Z}j_wdcG z>qlNkR*SLi2#vh>#O(I_Wno7c`4SC2=y=Zd`<9;a@{@2)?V*sz8{HTFd-E&#gtt#; zUgHuWz1pJ-y#K9{o_n?Q@4oA|9nu>-nGU?#lm1zM!m(4+W^!G6o63L4^zhgAs4rhs zUmj^WrxfJ3J}dJeuq`Lta*xk?}tZlL3PPH;Bj2!otkN-e4dL;_$JEv50IdKm9LW&^Yn$5_R6=HKv!R z$vZ?D$b+PnStJa^8bln#TEtw=Sv9h7u(GGU__1hC>W>)Y2mmH4U<5ES#PkO5sC<9x z!JKt`$32eKDcv>kntnv_@NIu_U*Q=Xk1EvP<=w1`yP>!G=8u`mTv|szZevQCch1^& z!q2ncK3iyARETApaF1br*%L8#fw_eaRczCW1C=8SIyp9OHWxSD>F|+J;%msh6TGS4 z7i9eW_V~}UtyNmb|NVAU_`StO+3?O0&CipWay2jh-RRBjrY}Bi{e-UnA#J9g_4+s? zD*o^EabCXQ^?4Wm+_igF-`xN2a7LS$!jkBBmcGB8+wcBUs^a;5FNJd^r+L3*+)39L zjQ8{>JTSZxpz7w(F!4!Co|pZnnG+e$u$S(t-F5BW&3P{?riLzZE|e}c7rGqT{#S2( H=YvQ9de&%$ 
diff --git a/SOURCES/redhatsecureboot502.cer b/SOURCES/redhatsecureboot502.cer deleted file mode 100644 index be0b5e211ccf8ad7ba74c88841c921cfdbad5a70..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 964 zcmXqLVm@Hd#I#}oGZP~d6DPygP|MB7r^(JU;AP{~YV&CO&dbQi&B|a9ZzyIU!p0oR z!o|ZIl$xU8kyxUm;F*`KXQ*f(4-#kQk${RT1g9pK7NsgU<>!|uI6Eqs8Y&qmz)j<1 z6ca8^O-{^7Eh=#+N=?Z~EYVBO&oz(}=QT1gFf*_;G%zqQGL91GHMTG?G_-(n4bpHr zK*K-{;sAMU4hYUn&&$k9S1>g&BFY_2j7rFUXJlnyZerwTFlb`rVrpV!WVlw+5~fxp zlC4%={*?v=&XRBAh?w3|ekJhoz zKe*}Ss+-Dp3y#N}_#^e|W8doa9aT(wxO?y2p89Cbu3Q!=zP!k}$2XsU9VoV!m$7=u zaXE&jl}!J>*zj`9usQhLT4_#)+wqRaoS&{Uz0p%LI=p$>w%yj@jOK-#m#OZnogtKa zXx0-|7pa7a%Pt;nc|B=yqk7|#ij=DjlCF{bKHcw(tDZ=IoA@v;?(+N1K5vh6$0wbX zowLen&AF!%E3#rkR^7F4a=E#$KV5;`11Av2kd# zF|x9 z$k^rSH+lBn4DN|8WwYk@BgYLeT>|5Vkzw{NgZMQ5DIkiD~`h}y9{<=D~#ILx2 z!|e$CoGxy;)T!q_Y)P}vi)7| puC*wrU@|^yJWH`pNJ3}E-0bhMGuf{5G|c)nwXm(hxVvuYUH~CAajXCU diff --git a/SOURCES/redhatsecureboot601.cer b/SOURCES/redhatsecureboot601.cer deleted file mode 100644 index c92b96b4e0d360b90333361ea61f565f196ea20e..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 916 zcmXqLVxC~o#8k0>nTe5!iId^-97p53+3_w0ylk9WZ60mkc^MhGSs4u64HXUK*_cCF zn0X|EQd1N>5=#_*enXpOwY^AOII)h zY9hwICPpP>zc8{gFgG#sGZ-{6axpbAGBQki!xdZoCRX_S>dV}-BbKHWadCWS=ictf zX!LID`KNZP*Y{*9L|}%3_emT z=3e&*+PO}C!>cFT-xY3>#+jTtA9;|7?{ zfN{gfkisa`?6XkHTKh%6xuB-@a@A8u|2@AV?)Y1R|85iijb|M5C)`>v`vA}Wwb4kOkuKYkrH2^@l99De!}lh|79J&NCf?#_qJr(?s~t*IWParC|#~@cmCKBc#uW$e87pz^*}ZFcLToW*~c?muOF`th~Ca6;MkH0u8E;ZRmJw4GFuwHdd(wk|9y*>0095ZYghmP 
diff --git a/SOURCES/redhatsecurebootca3.cer b/SOURCES/redhatsecurebootca3.cer deleted file mode 100644 index b2354007b9668258683b99a68fa5bdd3067c31b1..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 977 zcmXqLVm@oo#I$t*GZP~d6DPykKFO2}lmD>>ylk9WZ60mkc^MhGSs4s`4b=@)*_cCF zn1$tnQd1N>5=#_OQj1C) zic(WD5=-=w^K%X4#CZ)(42%qc(8R>VG)kP;*xbO#zzoWzwslR6O2{5!WMyD(V&rEq zXkz4IYGPz$nC+~vi6EDouC4!V-;tv&JA zN}nf->iaHo2tM8rAb&8=Njdj{a^${=Z?aE)&k<1VH{Q3Wx7jKD-_5CYum4K4d~JV` z`ccOE*<7!m22LI4&u3g0F3h!NN?ysm?c*7~^lIfF3D-Xhnr_&uU!bJ$?ZS8WW+A0- zr9raw{Iep~On)hDAUrqc*pZy>@YoE^;z#ABPp))utMY{K9XOZuN+87Vv97^}gccFK z6&c%&T=rzVyKuJ1S>c?Rq?77kYS zv==`X%}MC|0a-81!fL?G$oL;QPJxLO7^jR3 zp{b9(0{X(lQ;+K%h_CKtxc%nd+9kH!CBia&JkgcqO9LvF9(I1~^2+p(_fBqs&+@+g zjZG)^b(y8?lr#NV`RkoR|I-BpaSiJiPBV7drX0Bbe!0fPB95K&)ygj1YM5%bK;(6L z=7Y@r2hM%A`uyr;o|A^(c{icYtu_B=WuE^MZ_<i|1QMhsQHT z4}wg*#%C!d<*ePQAKPyWoS|9R;jPUx*P-5Ksuo_~6c3tyKHzf+y+r*{_;vOAw> zmv4Wk&h*1hGe;ze)#t#BH;PsH)$e|FOmna8+@9jW!^ymRMf{q+C84h)mppfN*sxn6 NnfI|Q%N6m!6aeL$dME$@ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer deleted file mode 100644 index dfb0284954861282d1a0ce16c8c5cdc71c27659f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 920 zcmXqLVxD5q#8k6@nTe5!iIbtZm{+@~;bN2lFB_*;n@8JsUPeZ4RtAH3LoovpHs(+k zE*{>X)D#7e#1b6^&%9(kLq!95kT^4s1XNrhI5oMnC{@8JKfgr5*-^pNP{}|6ZW6NxP$#b?ru1p1aqn$3D)YB{Qqo zjCvjz?|=HkE#3AN-xTZpws*U~)f@DZ{t~uwMZy8<;F%jD%$u6!n#qYzp^Sryh{C;x9qf@!N=T4ui@b#({ zSD&^p3kNZ=9lAQ9%xdfP9doNToV+k2^LHOFD{5oE&78StJa^8n7$i2k94PWc<&xr*# z`sciS&XK#@>h!OC8{=mczNLHbADCJ+pE=-CsaDOF#s}?5Q)1qq&%R~#cz>QmiAiVx zk5XXYstAL9d+iK-w@u$FESybMIPOFY~9lmn~9nUf%vMc88@((p0B(#qL+!COmt7`j5IhPVzo{cRPw} Pd!}BnFF!b8N6JS4>O*3Z diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index 24545c0..f2094a3 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in 
@@ -1,3 +1,4 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 grub,1,Free Software Foundation,grub,2.02,https://www.gnu.org/software/grub/
-grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@VERSION@@,mail:secalert@redhat.com
\ No newline at end of file
+grub.rhel8,1,Red Hat Enterprise Linux 8,grub2,@@RHEL_VERSION@@,mail:secalert@redhat.com
+grub.almalinux8,1,AlmaLinux 8,grub2,@@VERSION@@,mail:security@almalinux.org
diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec
index 063db0f..3ff77f9 100644
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@@ -7,7 +7,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.02
-Release: 120%{?dist}
+Release: 120%{?dist}.alma
 Summary: Bootloader with support for Linux, Multiboot and more
 Group: System Environment/Base
 License: GPLv3+
@@ -24,31 +24,29 @@ Source6: gitignore
 Source8: strtoull_test.c
 Source9: 20-grub.install
 Source12: 99-grub-mkconfig.install
-Source13: redhatsecurebootca3.cer
-Source14: redhatsecureboot301.cer
-Source15: redhatsecurebootca5.cer
-Source16: redhatsecureboot502.cer
-Source17: redhatsecureboot303.cer
-Source18: redhatsecureboot601.cer
+Source13: almalinuxsecurebootca0.cer
 Source19: sbat.csv.in
 %include %{SOURCE1}
 %if 0%{with_efi_arch}
 %define old_sb_ca %{SOURCE13}
-%define old_sb_cer %{SOURCE14}
-%define old_sb_key redhatsecureboot301
-%define sb_ca %{SOURCE15}
-%define sb_cer %{SOURCE16}
-%define sb_key redhatsecureboot502
+%define old_sb_cer %{SOURCE13}
+%define old_sb_key almalinuxsecurebootca0
+%define sb_ca %{SOURCE13}
+%define sb_cer %{SOURCE13}
+%define sb_key almalinuxsecurebootca0
 %endif
 %ifarch ppc64le
-%define old_sb_cer %{SOURCE17}
-%define sb_cer %{SOURCE18}
-%define sb_key redhatsecureboot602
+%define old_sb_cer %{SOURCE13}
+%define sb_cer %{SOURCE13}
+%define sb_key almalinuxsecurebootca0
 %endif
+# AlmaLinux: keep upstream EVR for RHEL SBAT entry
+%define rhel_evr $(echo %{evr} | sed 's/\.alma.*//')
+
 # generate with do-rebase
 %include %{SOURCE2}
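Review bot: In `SOURCES/sbat.csv.in`, the retained `grub.rhel8,1` line and the new `grub.almalinux8,1` line carry independent generation numbers, and nothing in the change records who bumps each one. SBAT revocation is keyed on component name and generation, so keeping `grub.rhel8` lets a revocation aimed at the RHEL build also cover this rebuild, but only while its generation stays in step with the upstream file on every rebase. `grub.almalinux8` has to be raised separately for any AlmaLinux-only security fix. The CSV cannot hold comments, so I would record this in the spec next to the `rhel_evr` define, e.g. `# SBAT: keep grub.rhel8 generation equal to upstream; bump grub.almalinux8 for AlmaLinux-only fixes`.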
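Review bot: In the `%if 0%{with_efi_arch}` and `%ifarch ppc64le` blocks of `SPECS/grub2.spec`, `old_sb_ca`, `old_sb_cer`, `sb_ca` and `sb_cer` all resolve to `%{SOURCE13}`, and both `old_sb_key` and `sb_key` name `almalinuxsecurebootca0`, so the old/new and CA/signer distinctions these macros encode are gone with no comment saying that is intended. How they are consumed is in the file included from `%{SOURCE1}`, outside this diff. If `sb_cer` is expected to be a leaf certificate issued by `sb_ca`, pointing both at the CA file suggests binaries are signed under the CA identity itself, in which case a signing-key compromise could only be handled by replacing the CA; this should be confirmed against the signing setup. I would state the intent above the block, e.g. `# AlmaLinux: one certificate is both CA and signer; old_* are aliases of the current key`. Separately, `rhel_evr` is defined as a shell `$(...)` string rather than an rpm `%(...)` expansion, so it only has the intended value where it is expanded inside a shell scriptlet, which the existing comment could mention.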
@@ -166,7 +164,7 @@ This subpackage provides tools for support of all platforms.
 mkdir grub-%{grubefiarch}-%{tarversion}
 grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
 cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
-sed -e "s,@@VERSION@@,%{evr},g" %{SOURCE19} \
+sed -e "s,@@VERSION@@,%{evr},g" -e "s,@@RHEL_VERSION@@,%{rhel_evr},g" %{SOURCE19} \
 > grub-%{grubefiarch}-%{tarversion}/sbat.csv
 git add grub-%{grubefiarch}-%{tarversion}
 %endif
@@ -510,6 +508,9 @@ fi
 %endif
 %changelog
+* Tue Apr 05 2022 Andrew Lukoshko - 2.06-120.alma
+- Use AlmaLinux cert and SBAT
+
 * Fri Feb 28 2022 Robbie Harwood - 2.06-120
 - Bump signing
 - Resolves: #2032294
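Review bot: In the `@@ -166,7 +164,7 @@` hunk, nothing after the `sed` that writes `sbat.csv` checks that every placeholder was replaced or that no version field came out empty. `%{rhel_evr}` expands to a `$(echo … | sed …)` command substitution that the shell evaluates inside the double-quoted expression, and an empty result there would not stop the build, so a malformed SBAT record could be carried into the bootloader image (presumably the one that gets signed) unnoticed. A guard right after the redirect would catch it: `if grep -Eq '@@|,,' grub-%{grubefiarch}-%{tarversion}/sbat.csv; then echo "bad SBAT record" >&2; exit 1; fi`. The enclosing `%if` block opens outside the hunk.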