Update changelog

- Use AlmaLinux cert
- Add conflicts to old shim
10 changed files with 57 additions and 40 deletions
--- a/SOURCES/almalinuxsecurebootca0.cer
+++ b/SOURCES/almalinuxsecurebootca0.cer
--- a/SOURCES/grub.macros
+++ b/SOURCES/grub.macros
@ -285,7 +285,13 @@ Requires:	%{name}-common = %{evr}					\
 Requires:	%{name}-tools-minimal >= %{evr}				\
 Requires:	%{name}-tools-extra = %{evr}				\
 Requires:	%{name}-tools = %{evr}					\
+Requires:	%{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi	\
 Provides:	%{name}-efi = %{evr}					\
+Provides:	almalinux(grub2-sig-key) = 202303				\
+%{expand:%%ifarch x86_64						\
+Conflicts:	shim-x64 <= 15.6-1.el8.alma					\
+Conflicts:	shim-ia32 <= 15.6-1.el8.alma				\
+%%endif}										\
 %{?legacy_provides:Provides:	%{name} = %{evr}}			\
 %{-o:Obsoletes:	%{name}-efi < %{evr}}					\
 									\
@ -401,10 +407,8 @@ done								\
 	-p /EFI/BOOT -d grub-core				\\\
 	--sbat %{4}./sbat.csv					\\\
 	${GRUB_MODULES}						\
-%{expand:%%{pesign -s -i %%{2}.orig -o %%{2}.one -a %%{5} -c %%{6} -n %%{7}}}	\
-%{expand:%%{pesign -s -i %%{3}.orig -o %%{3}.one -a %%{5} -c %%{6} -n %%{7}}}	\
-%{expand:%%{pesign -s -i %%{2}.one -o %%{2} -a %%{8} -c %%{9} -n %%{10}}}	\
-%{expand:%%{pesign -s -i %%{3}.one -o %%{3} -a %%{8} -c %%{9} -n %%{10}}}	\
+%{expand:%%{pesign -s -i %%{2}.orig -o %%{2} -a %%{5} -c %%{6} -n %%{7}}}	\
+%{expand:%%{pesign -s -i %%{3}.orig -o %%{3} -a %%{5} -c %%{6} -n %%{7}}}	\
 %{nil}
 %else
 %define efi_mkimage()						\
@ -540,7 +544,7 @@ install -D -m 700 unicode.pf2					\\\
 	$RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2		\
 ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv			\\\
 	${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create		\
-ln -sf ../efi/EFI/%{efi_vendor}/grubenv				\\\
+ln -sf ../efi/EFI/%{efidir}/grubenv				\\\
 	$RPM_BUILD_ROOT/boot/grub2/grubenv			\
 cd ..								\
 %{nil}
--- a/SOURCES/redhatsecureboot301.cer
+++ b/SOURCES/redhatsecureboot301.cer
--- a/SOURCES/redhatsecureboot502.cer
+++ b/SOURCES/redhatsecureboot502.cer
--- a/SOURCES/redhatsecureboot601.cer
+++ b/SOURCES/redhatsecureboot601.cer
--- a/SOURCES/redhatsecureboot701.cer
+++ b/SOURCES/redhatsecureboot701.cer
--- a/SOURCES/redhatsecurebootca3.cer
+++ b/SOURCES/redhatsecurebootca3.cer
--- a/SOURCES/redhatsecurebootca5.cer
+++ b/SOURCES/redhatsecurebootca5.cer
--- a/SOURCES/sbat.csv.in
+++ b/SOURCES/sbat.csv.in
@ -1,3 +1,4 @@
 sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
 grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/
-grub.rh,2,Red Hat,grub2,@@VERSION_RELEASE@@,mailto:secalert@redhat.com
+grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com
+grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mail:security@almalinux.org
--- a/SPECS/grub2.spec
+++ b/SPECS/grub2.spec
@ -1,3 +1,7 @@
+%global efi_vendor almalinux
+%global efidir almalinux
+%global efi_esp_dir /boot/efi/EFI/%{efidir}
+
 %undefine _hardened_build

 %global tarversion 2.02
@ -7,7 +11,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.02
-Release:	148%{?dist}
+Release:	142%{?dist}.3.alma.1
 Summary:	Bootloader with support for Linux, Multiboot and more
 Group:		System Environment/Base
 License:	GPLv3+
@ -24,31 +28,29 @@ Source6:	gitignore
 Source8:	strtoull_test.c
 Source9:	20-grub.install
 Source12:	99-grub-mkconfig.install
-Source13:	redhatsecurebootca3.cer
-Source14:	redhatsecureboot301.cer
-Source15:	redhatsecurebootca5.cer
-Source16:	redhatsecureboot502.cer
-Source17:	redhatsecureboot601.cer
-Source18:	redhatsecureboot701.cer
+Source13:	almalinuxsecurebootca0.cer
 Source19:	sbat.csv.in

 %include %{SOURCE1}

 %if 0%{with_efi_arch}
 %define old_sb_ca	%{SOURCE13}
-%define old_sb_cer	%{SOURCE14}
-%define old_sb_key	redhatsecureboot301
-%define sb_ca		%{SOURCE15}
-%define sb_cer		%{SOURCE16}
-%define sb_key		redhatsecureboot502
+%define old_sb_cer	%{SOURCE13}
+%define old_sb_key	almalinuxsecurebootca0
+%define sb_ca		%{SOURCE13}
+%define sb_cer		%{SOURCE13}
+%define sb_key		almalinuxsecurebootca0
 %endif

 %ifarch ppc64le
-%define old_sb_cer	%{SOURCE17}
-%define sb_cer		%{SOURCE18}
-%define sb_key		redhatsecureboot702
+%define old_sb_cer	%{SOURCE13}
+%define sb_cer		%{SOURCE13}
+%define sb_key		almalinuxsecurebootca0
 %endif

+# AlmaLinux: keep upstream EVR for RHEL SBAT entry
+%define rhel_version_release $(echo %{version}-%{release} | sed 's/\.alma.*//')
+
 # generate with do-rebase
 %include %{SOURCE2}

@ -166,7 +168,7 @@ This subpackage provides tools for support of all platforms.
 mkdir grub-%{grubefiarch}-%{tarversion}
 grep -A100000 '# stuff "make" creates' .gitignore > grub-%{grubefiarch}-%{tarversion}/.gitignore
 cp %{SOURCE4} grub-%{grubefiarch}-%{tarversion}/unifont.pcf.gz
-sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" \
+sed -e "s,@@VERSION@@,%{version},g" -e "s,@@VERSION_RELEASE@@,%{version}-%{release},g" -e "s,@@RHEL_VERSION_RELEASE@@,%{rhel_version_release},g" \
    %{SOURCE19} > grub-%{grubefiarch}-%{tarversion}/sbat.csv
 git add grub-%{grubefiarch}-%{tarversion}
 %endif
@ -341,6 +343,20 @@ if [ "$1" = 0 ]; then
 	/sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || :
 fi

+%if 0%{with_efi_arch}
+%posttrans %{package_arch}
+if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
+    grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
+fi
+%endif
+
+%if 0%{with_alt_efi_arch}
+%posttrans %{alt_package_arch}
+if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then
+    grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || :
+fi
+%endif
+
 %files common -f grub.lang
 %dir %{_libdir}/grub/
 %dir %{_datarootdir}/grub/
@ -510,30 +526,26 @@ fi
 %endif

 %changelog
-* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-148
- ppc64le: cas5, take 3
- Resolves: #2139508
+* Mon Feb 27 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.02-142.el8_7.3.alma.1
+- Use AlmaLinux cert

-* Tue Jan 10 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-147
- Enable TDX measurement to RTMR register
- Resolves: #1981485
+* Tue Feb 21 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.02-142.el8_7.3.alma
+- Debrand for AlmaLinux

-* Wed Dec 14 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-146
- ppc64le: fix lpar cas5
+* Mon Feb 06 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.3
+- Sync with 8.8 (actually 2.02-148)
 - Resolves: #2139508
+* Thu Jan 19 2023 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.2
+- Sync with 8.8 (actually 2.02-147)
+- Resolves: #2162411

-* Tue Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 1:2.02-145
- Font CVE fixes
+* Thu Nov 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-142.el8_7.1
+- Sync with 8.8 (actually 2.02-145)
 - Resolves: CVE-2022-2601

-* Tue Oct 18 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-144
- blscfg: don't assume newline at end of cfg
- Resolves: #2121132
-
-* Wed Oct 12 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-143
- x86-efi: Fix an incorrect array size in kernel allocation
- Also merge with 8.7
- Resolves: #2031288
+* Thu Sep 08 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-142
+- Drop the arena size changes
+- Resolves: #2118896

 * Thu Aug 25 2022 Robbie Harwood <rharwood@redhat.com> - 2.02-141
 - Implement vec5 for cas negotiation
Author	SHA1	Message	Date
eabdullin	5fa4494e2e	Update changelog	7 months ago
eabdullin	e7bc153b91	- Use AlmaLinux cert - Add conflicts to old shim	7 months ago
eabdullin	9ded7eb3db	Merge branch 'c8' into a8	7 months ago
Andrew Lukoshko	3d7e7f7222	Merge branch 'c8' into a8	9 months ago
Andrew Lukoshko	c8fc592c96	Merge branch 'c8' into a8	11 months ago
Andrew Lukoshko	2485d22941	Remove epoch from Red Hat sbat entry	1 year ago
eabdullin	bcb1651fe1	Update sbat	1 year ago
eabdullin	7c8932dcd0	Merge branch 'c8' into a8	1 year ago
Andrew Lukoshko	814bf9efb9	Keep Red Hat entry in SBAT	1 year ago
eabdullin	7faece4aae	Merge branch 'c8' into a8	1 year ago
eabdullin	4bcb992cc3	AlmaLinux changes	2 years ago
Andrew Lukoshko	33d2c41b51	AlmaLinux changes	2 years ago