From fd1c0c9c9d54f58385fd26e2bd606fcebc1eca42 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 8 Jul 2025 07:41:47 +0000 Subject: [PATCH] import CS shim-15.8-5.el10 --- .gitignore | 4 +-- shim.conf | 4 +++ shim.rpmmacros | 4 +-- shim.spec | 82 ++++++-------------------------------------------- sources | 18 +++++------ 5 files changed, 27 insertions(+), 85 deletions(-) create mode 100644 shim.conf diff --git a/.gitignore b/.gitignore index b40443b..bb313bd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,10 +1,10 @@ BOOTAA64.CSV BOOTX64.CSV +centossecureboot201.cer +centossecurebootca2.cer fbaa64.efi fbx64.efi mmaa64.efi mmx64.efi -redhatsecureboot501.cer -redhatsecurebootca5.cer shimaa64.efi shimx64.efi diff --git a/shim.conf b/shim.conf new file mode 100644 index 0000000..d25f720 --- /dev/null +++ b/shim.conf @@ -0,0 +1,4 @@ +shim-aa64 +shim-arm +shim-ia32 +shim-x64 diff --git a/shim.rpmmacros b/shim.rpmmacros index ccd0a92..320af54 100644 --- a/shim.rpmmacros +++ b/shim.rpmmacros @@ -3,7 +3,7 @@ %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} -%global grub_version 2.06-27.el9_0.12 +%global grub_version 2.12-1.el10_0 %global bootcsvaa64 %{expand:%{SOURCE10}} %global bootcsvx64 %{expand:%{SOURCE12}} @@ -118,7 +118,7 @@ version signed by the UEFI signing service. \ else \ cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ fi \ - %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \ + %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} } \ %{nil} # -a diff --git a/shim.spec b/shim.spec index 1bd0d23..c729a4d 100644 --- a/shim.spec +++ b/shim.spec 
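Review bot: The signing nickname is hard-coded as `-n centossecureboot201` on the `%sign` line in the second shim.rpmmacros hunk, and it has to be kept in step by hand with `Source1: centossecureboot201.cer` in shim.spec. Consider defining it once, e.g. `%global sb_cert_nickname centossecureboot201`, and using `-n %{sb_cert_nickname}` here, so the next key rotation changes one place. The context of the first hunk still shows `vendor_cert_str` falling back to `-c "Red Hat Test Certificate"` when `vendor_cert_nickname` is unset; that looks stale after the switch to the CentOS certificates and is worth confirming. The macro containing the changed line starts and ends outside the hunk.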
@@ -1,6 +1,6 @@ Name: shim Version: 15.8 -Release: 4%{?dist} +Release: 5%{?dist} Summary: First-stage UEFI bootloader License: BSD URL: https://github.com/rhboot/shim/ @@ -12,8 +12,9 @@ ExclusiveArch: %{efi} ExcludeArch: %{arm} %{ix86} Source0: shim.rpmmacros -Source1: redhatsecureboot501.cer -Source2: redhatsecurebootca5.cer +Source1: centossecureboot201.cer +Source2: centossecurebootca2.cer +Source5: shim.conf # keep these two lists of sources synched up arch-wise. That is 0 and 10 # match, 1 and 11 match, ... @@ -90,6 +91,8 @@ install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/ %if %{provide_legacy_shim} install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %endif +install -D -d -m 0755 $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ +install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/ ( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \ | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file} 
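Review bot: The two `install` lines added to `%install` in the third shim.spec hunk carry no comment saying why a bootloader package ships a dnf drop-in, and the second one relies on the source basename for the installed file name. I would add `# Mark the shim packages as protected so dnf refuses to remove them` above them and spell out the destination, `install -m 0644 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/dnf/protected.d/shim.conf`, so it visibly matches the `%files` entry. The new shim.conf also lists `shim-arm` and `shim-ia32` although this spec has `ExcludeArch: %{arm} %{ix86}`; that is harmless, but a note would help if it is intentional.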
@@ -98,79 +101,14 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi %if %{efi_has_alt_arch} %define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper} %endif +%{_sysconfdir}/dnf/protected.d/shim.conf %if %{provide_legacy_shim} %verify(not mtime) %{efi_esp_dir}/shim.efi %endif %changelog -* Tue Apr 16 2024 Peter Jones - 15.8-4 -- Rebuild to work around build system quirks. - Related: RHEL-11262 +* Wed Jul 2 2025 Nicolas Frayer - 15.8-5 +- First build for Centos Stream 10 +- Resolves: #RHEL-45014 -* Wed Apr 03 2024 Peter Jones - 15.8-3.el9 -- Fix rpm verification due to mtime granularity on FAT. - Related: RHEL-11262 - -* Thu Mar 21 2024 Peter Jones - 15.8-2.el9 -- Add the grub2-efi-ARCH conflict for SBAT. - Resolves: RHEL-11262 - -* Thu Mar 21 2024 Peter Jones - 15.8-1.el9 -- Update to shim-15.8 for CVE-2023-40547 - Resolves: RHEL-11262 - -* Thu Apr 14 2022 Peter Jones - 15.5-2.el9 -- Attempt to make aarch64 build. - Related: rhbz#1932057 - -* Thu Apr 14 2022 Peter Jones - 15.5-1.el9 -- Rebuild for rhel-9.0.0 - Resolves: rhbz#1932057 - -* Mon Sep 21 2020 Javier Martinez Canillas - 15-16 -- Fix an incorrect allocation size - -* Fri Jul 31 2020 Peter Jones - 15-15 -- Update once again for new signed shim builds. - -* Tue Jul 28 2020 Peter Jones - 15-14 -- Get rid of our %%dist hack for now. 
- -* Tue Jul 28 2020 Peter Jones - 15-13 -- New signing keys - -* Thu Jun 11 2020 Javier Martinez Canillas - 15-12 -- Fix firmware update bug in aarch64 caused by shim ignoring arguments -- Fix a shim crash when attempting to netboot - -* Fri Jun 07 2019 Javier Martinez Canillas - 15-11 -- Update the shim-unsigned-aarch64 version number - -* Fri Jun 07 2019 Javier Martinez Canillas - 15-10 -- Add a gating.yaml file so the package can be properly gated - -* Wed Jun 05 2019 Javier Martinez Canillas - 15-9 -- Bump the NVR - -* Wed Jun 05 2019 Javier Martinez Canillas - 15-7 -- Make EFI variable copying fatal only on secureboot enabled systems -- Fix booting shim from an EFI shell using a relative path - -* Thu Mar 14 2019 Peter Jones - 15-6 -- Fix MoK mirroring issue which breaks kdump without intervention - -* Thu Jan 24 2019 Peter Jones - 15-5 -- Rebuild for signing once again. If the signer actually works, then: - -* Tue Oct 16 2018 Peter Jones - 15-4 -- Rebuild for signing - -* Mon Aug 13 2018 Troy Dawson -- Release Bumped for el8 Mass Rebuild - -* Sat Aug 11 2018 Troy Dawson -- Release Bumped for el8+8 Mass Rebuild - -* Mon Jul 23 2018 Peter Jones - 15-1 -- Build for RHEL 8 diff --git a/sources b/sources index e600756..b72e60d 100644 --- a/sources +++ b/sources 
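Review bot: The rewritten `%changelog` keeps only the 15.8-5 entry, so the removed `15.8-1.el9` record "Update to shim-15.8 for CVE-2023-40547" no longer appears in `rpm -q --changelog shim`. That output is a common place to check whether a fix is present. I would carry it forward in the new entry, e.g. `- Includes the shim-15.8 update for CVE-2023-40547`. Separately, `%{_sysconfdir}/dnf/protected.d/shim.conf` is listed in `%files` without `%config`, so a local edit is replaced on upgrade and reported by `rpm -V`; if that is the intent for a protection list, a one-line comment saying so would help.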
@@ -1,10 +1,10 @@
 SHA512 (BOOTAA64.CSV) = 1c1bac8c2627b704e8b091d2e0c81d55a8bd7420450fe429e20efe8830fa377fdf48c51c2e658e3d0ecee491845bf5cc696ba848669dc26d23687ed5fe5efa76
-SHA512 (BOOTX64.CSV) = 3ed565c94bfc6f94136780ebbfebc0b19cb408b80e459bfece5de2e478d66605c1c7dd9f4186864cedbd420626945ae7b86e938e2d67f0163de596d05d859e0b
-SHA512 (fbaa64.efi) = daf5aa484238aa4718ad72dadb9693fa3779ba611b354e078499b80ae50ea278bbbfca6015240549ad2aed77cea188b16f951a952b0ce7bbcbd2f665cf7b71ce
-SHA512 (fbx64.efi) = 5da196c917fb8aca45adf054fc11db299bbcc1b95e8574776840aa3977f6a3ce59cc1afc3d2e8b1f1412446a80e76541eb0333747990ca7f2cd526066a69d2d1
-SHA512 (mmaa64.efi) = fd14191f19f3e31b7191d4ee3c52549f9f32012a51e723a6006ff4a59d4da70687337bbb82e852631534ac4e1098f3ef1c493596509aa64c9f6b08b3c1d83ae2
-SHA512 (mmx64.efi) = f63a76e7abd72d90e5a24649960f2918bc1f3a18c40f04e3c2264301ba88738a68e7817b9d2e23f45771ecbda628ed2b281c960a9e2e1852d505b166bda54e3c
-SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
-SHA512 (redhatsecurebootca5.cer) = 0285fd7cb1755b399cdd2d848d9eba51b72ef2dd8ea5d40d7061c29685a12e15bf8eb083cb2f8c14eb69d248cb3af2c2332e06f80e19ed4cc029070198c0d522
-SHA512 (shimaa64.efi) = 7eb1d50589134636e1eb28b2282676a37cd1fa1b5334b629e16c7ffd9b2b77c4617a6dfe855161f6578b8d76663b60a00788261974fed76488006d9c965c9a3f
-SHA512 (shimx64.efi) = 29079c05ee529d981f5c16d4a68a84bfde40945da3b06b1cb4779a38668f43102138f8e5a9210834d2c426e50736cc3dc81f988334e0f817872b2926b5f1d909
+SHA512 (BOOTX64.CSV) = 16936301ec1b098022aac2428d31a4849a585e047493a64916427a235287b8d81bc285b0371a270e77ed476b71c741b8d7e7158986b167c3d6bb982705764e16
+SHA512 (centossecureboot201.cer) = 9f7ae7ab43e4453df062c081fa111a79f2e0cb1901992583f6de4a93fb99730df095bfe129639720d534d318b6811750dd05ff207866397d96431a4ba7a1169e
+SHA512 (centossecurebootca2.cer) = 0241bc6293ff2d51f84453fdcda969dbab7c37ddd394ae15c9bed8d1ec157fc646671640c118df4d4c174c92771fef16b9c5e622021ef60a7aaa314f4901255b
+SHA512 (fbaa64.efi) = 5816080369a5fa47bed503b1fad4c31d35c88be2fc2a3c513c6bae7159bc95d989dfe3cb773fd6a452360040b6035689179bf29c5d68cc912d7272c7472c7d5d
+SHA512 (fbx64.efi) = 1bbf117734d042d92e331a9e619b0f48a7da1016c5fbc3ec5461247e9bb599df200b98ad9ffe82300550f884e8e3b2457763c7f3fd9cf142fbef76aa3b10d0a5
+SHA512 (mmaa64.efi) = c422b693831aee23bdf4224a6996edad9c6a91ebc66eeb9bc1bc5d98942a963fad2db077d0804d2b3382b483c7d39a0fb37987214810b4e14d193a97c3c2debe
+SHA512 (mmx64.efi) = caabd963f6a8a05bbb48f0298c683d1f97d3fe4bc68eee4521b2e8bc2c5cdb6ef405b7188031b8ff250b7a1ddafbdc5da241ac30545bfabca42ee2bc45507499
+SHA512 (shimaa64.efi) = 8ded3a96b6b02afb39e5df829913c1536afb1e711239f5f58620d4dec622a722725cdd8764830da0a93acce7f9741f6e9235a67254da12e240dc3ff032c536fb
+SHA512 (shimx64.efi) = b4dc7ff94feec631d63e496b72d9ea333179204407ba91399d7c5e2c762172a3ab91001604727641ac5b0eaf79fa350d981b05c101c523897987e12b494b03cd