diff --git a/.gitignore b/.gitignore index 9b85752..296cdd7 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/shim-15.4.tar.bz2 +SOURCES/shim-15.5.tar.bz2 diff --git a/.shim-unsigned-x64.metadata b/.shim-unsigned-x64.metadata index 1a84976..e0f79e9 100644 --- a/.shim-unsigned-x64.metadata +++ b/.shim-unsigned-x64.metadata @@ -1 +1 @@ -d70485792a300bfa66f551adf7ae766451dfe7c0 SOURCES/shim-15.4.tar.bz2 +b91f5eaced7ba1dcaef266af10763461889be5df SOURCES/shim-15.5.tar.bz2 diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer deleted file mode 100644 index ca9ce5d..0000000 Binary files a/SOURCES/clsecureboot001.cer and /dev/null differ diff --git a/SOURCES/redhatsecurebootca5.cer b/SOURCES/redhatsecurebootca5.cer new file mode 100644 index 0000000..dfb0284 Binary files /dev/null and b/SOURCES/redhatsecurebootca5.cer differ diff --git a/SOURCES/sbat.cloudlinux.csv b/SOURCES/sbat.cloudlinux.csv deleted file mode 100644 index c39de2e..0000000 --- a/SOURCES/sbat.cloudlinux.csv +++ /dev/null @@ -1 +0,0 @@ -shim.cloudlinux,1,CloudLinux,shim,15.4-4,security@cloudlinux.com diff --git a/SOURCES/sbat.redhat.csv b/SOURCES/sbat.redhat.csv new file mode 100644 index 0000000..2135543 --- /dev/null +++ b/SOURCES/sbat.redhat.csv @@ -0,0 +1 @@ +shim.redhat,1,Red Hat Inc,shim,15.5,secalert@redhat.com diff --git a/SPECS/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64.spec index b375f68..26331e2 100644 --- a/SPECS/shim-unsigned-x64.spec +++ b/SPECS/shim-unsigned-x64.spec @@ -1,7 +1,7 @@ %global pesign_vre 0.106-1 %global openssl_vre 1.0.2j -%global efidir almalinux +%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) %global shimrootdir %{_datadir}/shim/ %global shimversiondir %{shimrootdir}/%{version}-%{release} %global efiarch x64 @@ -19,23 +19,21 @@ %global dbxfile %{nil} Name: shim-unsigned-%{efiarch} -Version: 15.4 -Release: 4%{?dist}.alma +Version: 15.5 +Release: 1.el9 Summary: First-stage UEFI bootloader ExclusiveArch: x86_64 License: BSD URL: https://github.com/rhboot/shim Source0: https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2 -Source1: clsecureboot001.cer +Source1: redhatsecurebootca5.cer %if 0%{?dbxfile} Source2: %{dbxfile} %endif -Source3: sbat.cloudlinux.csv +Source3: sbat.redhat.csv Source100: shim-find-debuginfo.sh -Patch0001: 0001-Fix-a-broken-file-header-on-ia32.patch - BuildRequires: gcc make BuildRequires: elfutils-libelf-devel BuildRequires: git openssl-devel openssl @@ -122,13 +120,6 @@ make ${MAKEFLAGS} \ all cd .. -cd build-%{efialtarch} -setarch linux32 -B make ${MAKEFLAGS} \ - ARCH=%{efialtarch} \ - DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ - all -cd .. - %install COMMITID=$(cat commit) MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} " @@ -150,14 +141,6 @@ make ${MAKEFLAGS} \ install-as-data install-debuginfo install-debugsource cd .. -cd build-%{efialtarch} -setarch linux32 make ${MAKEFLAGS} \ - ARCH=%{efialtarch} \ - DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \ - DESTDIR=${RPM_BUILD_ROOT} \ - install-as-data install-debuginfo install-debugsource -cd .. - %files %license COPYRIGHT %dir %{shimrootdir} @@ -167,24 +150,14 @@ cd .. %{shimdir}/*.hash %{shimdir}/*.CSV -%files -n shim-unsigned-%{efialtarch} -%license COPYRIGHT -%dir %{shimrootdir} -%dir %{shimversiondir} -%dir %{shimaltdir} -%{shimaltdir}/*.efi -%{shimaltdir}/*.hash -%{shimaltdir}/*.CSV - %files debuginfo -f build-%{efiarch}/debugfiles.list -%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list - %files debugsource -f build-%{efiarch}/debugsource.list %changelog -* Fri Apr 02 2021 Andrew Lukoshko - 15.4-4.alma -- Use CloudLinux vendor cert and SBAT entry +* Wed Mar 09 2022 Peter Jones - 15.5-1 +- Update to shim-15.5 + Related: rhbz#1932057 * Thu Apr 01 2021 Peter Jones - 15.4-4 - Fix the sbat data to actually match /this/ product. @@ -254,17 +227,24 @@ cd .. - Fix MoK mirroring issue which breaks kdump without intervention Related: rhbz#1668966 -* Fri Jul 20 2018 Peter Jones - 15-1 +* Thu Apr 05 2018 Peter Jones - 15-1 - Update to shim 15 +- better checking for bad linker output +- flicker-free console if there's no error output +- improved http boot support +- better protocol re-installation +- dhcp proxy support +- tpm measurement even when verification is disabled +- REQUIRE_TPM build flag +- more reproducable builds +- measurement of everything verified through shim_verify() +- coverity and scan-build checker make targets +- misc cleanups -* Tue Sep 19 2017 Peter Jones - 13-3 -- Actually update to the *real* 13 final. - Related: rhbz#1489604 +* Fri Feb 09 2018 Fedora Release Engineering - 13-0.2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild -* Thu Aug 31 2017 Peter Jones - 13-2 -- Actually update to 13 final. - -* Fri Aug 18 2017 Peter Jones - 13-1 +* Fri Aug 18 2017 Peter Jones - 13-0.1 - Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one. - This will (eventually) supersede what's in the "shim" package so we can make "shim" hold the signed one, which will confuse fewer people.