.gitignore

@@ -1,2 +1,4 @@
-SOURCES/redhatsecurebootca5.cer
-SOURCES/shim-15.8.tar.bz2
+almalinux-sb-cert-1.der
+almalinux-sb-cert-2.der
+almalinux-sb-cert-3.der
+shim-16.1.tar.bz2

.shim-unsigned-x64.metadata

@@ -1,2 +0,0 @@
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
-cdec924ca437a4509dcb178396996ddf92c11183 SOURCES/shim-15.8.tar.bz2

SOURCES/sbat.redhat.csv

@@ -1 +0,0 @@
-shim.redhat,3,Red Hat Inc,shim,15.8,secalert@redhat.com

SPECS/shim-unsigned-x64.spec

@@ -1,258 +0,0 @@
-%global pesign_vre 0.106-1
-%global gnuefi_vre 1:3.0.5-6
-%global openssl_vre 1.0.2j
-
-%global debug_package %{nil}
-%global __debug_package 1
-%global _binaries_in_noarch_packages_terminate_build 0
-%global __debug_install_post %{SOURCE100} x64 ia32
-%undefine _debuginfo_subpackages
-
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
-%global shimrootdir %{_datadir}/shim/
-%global shimversiondir %{shimrootdir}/%{version}-%{release}
-%global efiarch x64
-%global shimdir %{shimversiondir}/%{efiarch}
-%global efialtarch ia32
-%global shimaltdir %{shimversiondir}/%{efialtarch}
-
-Name:		shim-unsigned-%{efiarch}
-Version:	15.8
-Release:	2.el8
-Summary:	First-stage UEFI bootloader
-ExclusiveArch:	x86_64
-License:	BSD
-URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
-# currently here's what's in our dbx:
-# nothing.
-Source2:	dbx.esl
-Source3:	sbat.redhat.csv
-Source4:	shim.patches
-
-Source100:	shim-find-debuginfo.sh
-
-%include %{SOURCE4}
-
-BuildRequires:	gcc make
-BuildRequires:	elfutils-libelf-devel
-BuildRequires:	git openssl-devel openssl
-BuildRequires:	pesign >= %{pesign_vre}
-BuildRequires:	dos2unix findutils
-
-# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
-# compatible with SysV (there's no red zone under UEFI) and there isn't a
-# POSIX-style C library.
-# BuildRequires:	OpenSSL
-Provides:	bundled(openssl) = %{openssl_vre}
-
-%global desc \
-Initial UEFI bootloader that handles chaining to a trusted full \
-bootloader under secure boot environments.
-%global debug_desc \
-This package provides debug information for package %{expand:%%{name}} \
-Debug information is useful when developing applications that \
-use this package or when debugging this package.
-
-%description
-%desc
-
-%package -n shim-unsigned-%{efialtarch}
-Summary:	First-stage UEFI bootloader (unsigned data)
-Provides:	bundled(openssl) = %{openssl_vre}
-
-%description -n shim-unsigned-%{efialtarch}
-%desc
-
-%package debuginfo
-Summary:	Debug information for shim-unsigned-%{efiarch}
-Requires:	%{name}-debugsource = %{version}-%{release}
-Group:		Development/Debug
-AutoReqProv:	0
-BuildArch:	noarch
-
-%description debuginfo
-%debug_desc
-
-%package -n shim-unsigned-%{efialtarch}-debuginfo
-Summary:	Debug information for shim-unsigned-%{efialtarch}
-Group:		Development/Debug
-Requires:	%{name}-debugsource = %{version}-%{release}
-AutoReqProv:	0
-BuildArch:	noarch
-
-%description -n shim-unsigned-%{efialtarch}-debuginfo
-%debug_desc
-
-%package debugsource
-Summary:	Debug Source for shim-unsigned
-Group:		Development/Debug
-AutoReqProv:	0
-BuildArch:	noarch
-
-%description debugsource
-%debug_desc
-
-%prep
-%autosetup -S git_am -n shim-%{version}
-git config --unset user.email
-git config --unset user.name
-mkdir build-%{efiarch}
-mkdir build-%{efialtarch}
-cp %{SOURCE3} data/
-
-%build
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
-MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
-MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
-fi
-if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
-fi
-
-cd build-%{efiarch}
-make ${MAKEFLAGS} \
-	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
-	all
-cd ..
-
-cd build-%{efialtarch}
-setarch linux32 -B make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	all
-cd ..
-
-%install
-COMMIT_ID=5914984a1ffeab841f482c791426d7ca9935a5e6
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
-MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
-MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
-fi
-if [ -s "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
-fi
-
-cd build-%{efiarch}
-make ${MAKEFLAGS} \
-	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-cd ..
-
-cd build-%{efialtarch}
-setarch linux32 make ${MAKEFLAGS} ARCH=%{efialtarch} \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-cd ..
-
-%files
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimdir}
-%{shimdir}/*.CSV
-%{shimdir}/*.efi
-%{shimdir}/*.hash
-
-%files -n shim-unsigned-%{efialtarch}
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimaltdir}
-%{shimaltdir}/*.CSV
-%{shimaltdir}/*.efi
-%{shimaltdir}/*.hash
-
-%files debuginfo -f build-%{efiarch}/debugfiles.list
-
-%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
-
-%files debugsource -f build-%{efiarch}/debugsource.list
-
-%changelog
-* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
-- Rebuild to fix the commit ident and MAKEFLAGS
-  Resolves: RHEL-11259
-
-* Tue Dec 05 2023 Peter Jones <pjones@redhat.com> - 15.8-1.el8
-- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
-
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
-- Update to shim-15.6
-  Resolves: CVE-2022-28737
-
-* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
-- Fix an incorrect allocation size.
-  Related: rhbz#1877253
-
-* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
-- Fix a load-address-dependent forever loop.
-  Resolves: rhbz#1861977
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-  Related: CVE-2020-15705
-  Related: CVE-2020-15706
-  Related: CVE-2020-15707
-
-* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
-- Implement Lenny's workaround
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
-- Once more with the MokListRT config table patch added.
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
-- Rebuild for bug fixes and new signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
-- Make EFI variable copying fatal only on secureboot enabled systems
-  Resolves: rhbz#1715878
-- Fix booting shim from an EFI shell using a relative path
-  Resolves: rhbz#1717064
-
-* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
-- Fix MoK mirroring issue which breaks kdump without intervention
-  Related: rhbz#1668966
-
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
-- Update to shim 15
-
-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
-- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
-
-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
-- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
-- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
-- This will (eventually) supersede what's in the "shim" package so we can
-  make "shim" hold the signed one, which will confuse fewer people.

sbat.almalinux.csv

@@ -0,0 +1 @@
+shim.almalinux,3,AlmaLinux,shim,16.1,security@almalinux.org

shim-find-debuginfo.sh

@@ -32,7 +32,6 @@ finddebug()
     declare -a dirs=()
     declare -a files=()
     declare -a excludes=()
-
     pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
     for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
         if ! [ -e "${x}" ]; then

shim-unsigned-x64.spec

@@ -0,0 +1,282 @@
+%global pesign_vre 0.106-1
+%global openssl_vre 1.0.2j
+%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
+
+%global efidir almalinux
+%global shimrootdir %{_datadir}/shim/
+%global shimversiondir %{shimrootdir}/%{version}-%{release}
+%global efiarch x64
+%global shimdir %{shimversiondir}/%{efiarch}
+%global efialtarch ia32
+%global shimaltdir %{shimversiondir}/%{efialtarch}
+
+%global debug_package %{nil}
+%global __debug_package 1
+%global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
+%undefine _debuginfo_subpackages
+
+
+Name:		shim-unsigned-%{efiarch}
+Version:	16.1
+Release:	1%{?dist}.alma.1
+Summary:	First-stage UEFI bootloader
+ExclusiveArch:	x86_64
+License:	BSD
+URL:		https://github.com/rhboot/shim
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source4:	shim.patches
+
+Source100:	shim-find-debuginfo.sh
+
+# AlmaLinux Source
+Source2: dbx.esl
+Source3: sbat.almalinux.csv
+Source101: almalinux-sb-cert-1.der
+Source102: almalinux-sb-cert-2.der
+Source103: almalinux-sb-cert-3.der
+
+%include %{SOURCE4}
+
+BuildRequires:	gcc make
+BuildRequires:	elfutils-libelf-devel
+BuildRequires:	git openssl-devel openssl
+BuildRequires:	pesign >= %{pesign_vre}
+BuildRequires:	dos2unix findutils
+BuildRequires:  efitools
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires:	OpenSSL
+Provides:	bundled(openssl) = %{openssl_vre}
+
+%global desc \
+Initial UEFI bootloader that handles chaining to a trusted full \
+bootloader under secure boot environments.
+%global debug_desc \
+This package provides debug information for package %{expand:%%{name}} \
+Debug information is useful when developing applications that \
+use this package or when debugging this package.
+
+%description
+%desc
+
+%package -n shim-unsigned-%{efialtarch}
+Summary:	First-stage UEFI bootloader (unsigned data)
+Provides:	bundled(openssl) = %{openssl_vre}
+
+%description -n shim-unsigned-%{efialtarch}
+%desc
+
+%package debuginfo
+Summary:	Debug information for shim-unsigned-%{efiarch}
+Group:		Development/Debug
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description debuginfo
+%debug_desc
+
+%package -n shim-unsigned-%{efialtarch}-debuginfo
+Summary:	Debug information for shim-unsigned-%{efialtarch}
+Group:		Development/Debug
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description -n shim-unsigned-%{efialtarch}-debuginfo
+%debug_desc
+
+%package debugsource
+Summary:	Debug Source for shim-unsigned
+Group:		Development/Debug
+AutoReqProv:	0
+BuildArch:	noarch
+
+%description debugsource
+%debug_desc
+
+%prep
+%autosetup -S git_am -n shim-%{version}
+git config --unset user.email
+git config --unset user.name
+mkdir build-%{efiarch}
+mkdir build-%{efialtarch}
+cp %{SOURCE3} data/
+
+%build
+# Prepare vendor_db.esl file
+openssl x509 -inform DER -in %{SOURCE101} -out 01.pem
+openssl x509 -inform DER -in %{SOURCE102} -out 02.pem
+openssl x509 -inform DER -in %{SOURCE103} -out 03.pem
+cert-to-efi-sig-list -g 9DD8A2AC-0977-4AEF-99A0-E794FD2A31FE 01.pem 01.esl
+cert-to-efi-sig-list -g 33D81FE3-5EC0-44F8-AB02-C9DA554F63D8 02.pem 02.esl
+cert-to-efi-sig-list -g 50413300-1AC7-49DA-B755-BB0D93E634B6 03.pem 03.esl
+cat 01.esl 02.esl 03.esl > vendor_db.esl
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+MAKEFLAGS+="%{_smp_mflags}"
+if [ -s vendor_db.esl ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
+fi
+if [ -s "%{SOURCE2}" ]; then
+ 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} \
+	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+	all
+cd ..
+
+%install
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
+MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
+MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -s vendor_db.esl ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DB_FILE=../vendor_db.esl"
+fi
+if [ -s "%{SOURCE2}" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+fi
+
+cd build-%{efiarch}
+make ${MAKEFLAGS} \
+	DEFAULT_LOADER='\\\\grub%{efiarch}.efi' \
+	DESTDIR=${RPM_BUILD_ROOT} \
+	install-as-data install-debuginfo install-debugsource
+cd ..
+
+%files
+%license COPYRIGHT
+%dir %{shimrootdir}
+%dir %{shimversiondir}
+%dir %{shimdir}
+%{shimdir}/*.CSV
+%{shimdir}/*.efi
+%{shimdir}/*.hash
+
+%files debuginfo -f build-%{efiarch}/debugfiles.list
+
+%files debugsource -f build-%{efiarch}/debugsource.list
+
+%changelog
+* Wed Oct 29 2025 Eduard Abdullin <eabdullin@almalinux.org> - 16.1-1.el9.alma.1
+- Use AlmaLinux OS cert and SBAT entry
+
+* Mon Aug 18 2025 Peter Jones <pjones@redhat.com> - 16.1-1.el9
+- Update to shim-16.1
+  Resolves: RHEL-67333
+
+* Wed Feb 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el9
+- Rebuild to fix the commit ident and MAKEFLAGS
+  Resolves: RHEL-11262
+
+* Tue Jan 23 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el9
+- Update to shim-15.8 for CVE-2023-40547
+  Resolves: RHEL-11262
+
+* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
+- Update to shim-15.6 for CVE-2022-28737
+
+* Tue May 24 2022 Peter Jones <pjones@redhat.com> - 15.6~rc1-1.el9
+- Update to shim-15.6~rc1 for CVE-2022-28737
+
+* Wed Mar 09 2022 Peter Jones <pjones@redhat.com> - 15.5-1
+- Update to shim-15.5
+  Related: rhbz#1932057
+
+* Thu Apr 01 2021 Peter Jones <pjones@redhat.com> - 15.4-4
+- Fix the sbat data to actually match /this/ product.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-3
+- Build with the correct certificate trust list for this OS.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Mar 31 2021 Peter Jones <pjones@redhat.com> - 15.4-2
+- Fix the ia32 build.
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Tue Mar 30 2021 Peter Jones <pjones@redhat.com> - 15.4-1
+- Update to shim 15.4
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-0~1
+- Update to shim 15.3
+  - Support for revocations via the ".sbat" section and SBAT EFI variable
+  - A new unit test framework and a bunch of unit tests
+  - No external gnu-efi dependency
+  - Better CI
+  Resolves: CVE-2020-14372
+  Resolves: CVE-2020-25632
+  Resolves: CVE-2020-25647
+  Resolves: CVE-2020-27749
+  Resolves: CVE-2020-27779
+  Resolves: CVE-2021-20225
+  Resolves: CVE-2021-20233
+
+* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
+- Make EFI variable copying fatal only on secureboot enabled systems
+  Resolves: rhbz#1715878
+- Fix booting shim from an EFI shell using a relative path
+  Resolves: rhbz#1717064
+
+* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
+- Fix MoK mirroring issue which breaks kdump without intervention
+  Related: rhbz#1668966
+
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Update to shim 15
+- better checking for bad linker output
+- flicker-free console if there's no error output
+- improved http boot support
+- better protocol re-installation
+- dhcp proxy support
+- tpm measurement even when verification is disabled
+- REQUIRE_TPM build flag
+- more reproducable builds
+- measurement of everything verified through shim_verify()
+- coverity and scan-build checker make targets
+- misc cleanups
+
+* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 13-0.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-0.1
+- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
+- This will (eventually) supersede what's in the "shim" package so we can
+  make "shim" hold the signed one, which will confuse fewer people.

sources

@@ -0,0 +1,4 @@
+SHA512 (almalinux-sb-cert-1.der) = 9190a7d5808d3f4181f0f868d07ba83368357a02970f40594e5ec880d33771d890c69f1dfd4ce6c2bc92e6e14217be1aebf7ecc045e6603032b50e33228763ae
+SHA512 (almalinux-sb-cert-2.der) = 15a8e4b8a835f26ec552e9574ebec683cef13101734cd6b5ec52925a4e58f199325443a368be85093963998e633258c61c003b66151859694cc47bedd9fbd911
+SHA512 (almalinux-sb-cert-3.der) = 8cc47b54781dc140e8c96977ca10f30bf875f469d27b77a5423bf62d7f41689679069746cfe4fd373e880297e769b445398454ad5256873007b88b755fe894cf
+SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb