10 changed files with 71 additions and 151 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,14 +1,5 @@
-SOURCES/BOOTAA64.CSV
-SOURCES/BOOTIA32.CSV
-SOURCES/BOOTX64.CSV
-SOURCES/fbaa64.efi
-SOURCES/fbia32.efi
-SOURCES/fbx64.efi
-SOURCES/mmaa64.efi
-SOURCES/mmia32.efi
-SOURCES/mmx64.efi
-SOURCES/redhatsecureboot501.cer
-SOURCES/redhatsecurebootca5.cer
-SOURCES/shimaa64.efi
-SOURCES/shimia32.efi
-SOURCES/shimx64.efi
+/redhatsecureboot501.cer
+/redhatsecurebootca5.cer
+/shimaa64.efi
+/shimia32.efi
+/shimx64.efi
--- a/.shim.metadata
+++ b/.shim.metadata
@ -1,14 +0,0 @@
-fe978419c312c0c415d52befb4f6561e2d9556a7 SOURCES/BOOTAA64.CSV
-9650b41c0227b343478d03f4d7fcd6c8d3744440 SOURCES/BOOTIA32.CSV
-6801abf1c4d54f15f869470c99e480433940407a SOURCES/BOOTX64.CSV
-317f45115504f1ba56f0113dc217460e3c26cf82 SOURCES/fbaa64.efi
-4fd02a6b3ec5dc58fcba1a3d8dec69e0cb86f5d5 SOURCES/fbia32.efi
-b26bb4ed41e96d6e2b2471dc5d50f0f2c88ff884 SOURCES/fbx64.efi
-b2e0f92dba676facda778be739e2959f5e51c077 SOURCES/mmaa64.efi
-e8316a74f06a29385eeb7fd734f582e60dc7a2a4 SOURCES/mmia32.efi
-77f25d23c6b0bb2f79a47d574f8af5ffe91e2466 SOURCES/mmx64.efi
-ba0b760e594ff668ee72ae348adf3e49b97f75fb SOURCES/redhatsecureboot501.cer
-e6f506462069aa17d2e8610503635c20f3a995c3 SOURCES/redhatsecurebootca5.cer
-750bd7932437b1fb6610c233f69db1b70d67fab1 SOURCES/shimaa64.efi
-0cd6ef62726de2f1321bfe6b70f47b788ac38666 SOURCES/shimia32.efi
-86855303a18b978cf90d6c244bfe30897f449996 SOURCES/shimx64.efi
--- a/BOOTAA64.CSV
+++ b/BOOTAA64.CSV
--- a/BOOTIA32.CSV
+++ b/BOOTIA32.CSV
--- a/BOOTX64.CSV
+++ b/BOOTX64.CSV
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-8
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1-x86_64-efi.functional}
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -0,0 +1,15 @@
+---
+inspections:
+  # These just flag when things change "too much"
+  changedfiles: off
+  filesize: off
+  patches: off
+  upstream: off
+
+  # shim is... well, shim
+  disttag: off
+
+
+elf:
+  # This is PE-land
+  exclude_path: ".*.efi.debug"
--- a/SOURCES/shim.rpmmacros
+++ b/SOURCES/shim.rpmmacros
@ -3,8 +3,6 @@
 %global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
 %global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}

-%global grub_version 2.02-87.el8_1.11
-
 %global bootcsvaa64 %{expand:%{SOURCE10}}
 %global bootcsvia32 %{expand:%{SOURCE11}}
 %global bootcsvx64 %{expand:%{SOURCE12}}
@ -15,19 +13,9 @@
 %global shimefix64 %{expand:%{SOURCE22}}
 #%%global shimefiarm %%{expand:%%{SOURCE23}

-%global fbefiaa64 %{expand:%{SOURCE30}}
-%global fbefiia32 %{expand:%{SOURCE31}}
-%global fbefix64 %{expand:%{SOURCE32}}
-#%%global fbefiarm %%{expand:%%{SOURCE33}
-
-%global mmefiaa64 %{expand:%{SOURCE40}}
-%global mmefiia32 %{expand:%{SOURCE41}}
-%global mmefix64 %{expand:%{SOURCE42}}
-#%%global mmefiarm %%{expand:%%{SOURCE43}
-
-%global shimveraa64 15-7.el8_1
-%global shimveria32 15.8-2.el8
-%global shimverx64 15.8-2.el8
+%global shimveraa64 15-4.el8
+%global shimveria32 15-8.el8
+%global shimverx64 15-8.el8
 #%%global shimverarm 15-1.el8

 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
@ -48,10 +36,6 @@
 %global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
 %global shimdir %{expand:%{shimdir%{efi_arch}}}
 %global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
-%global fbefi %{expand:%{fbefi%{efi_arch}}}
-%global fbefialt %{expand:%{fbefi%{?efi_alt_arch}}}
-%global mmefi %{expand:%{mmefi%{efi_arch}}}
-%global mmefialt %{expand:%{mmefi%{?efi_alt_arch}}}

 %global unsignednone shim-unsigned-none
 %global unsigned %{expand:%%{unsigned%{efi_arch}}}
@ -64,7 +48,6 @@ Requires: mokutil >= 1:0.3.0-1						\
 Requires: efi-filesystem						\
 Provides: shim-signed-%{-a*} = %{version}-%{release}			\
 Requires: dbxtool >= 0.6-3						\
-Conflicts: grub2-efi-%{-a*} < %{grub_version}				\
 %{expand:%%if 0%%{-p*}							\
 Provides: shim = %{version}-%{release}					\
 Provides: shim-signed = %{version}-%{release}				\
@ -85,17 +68,15 @@ version signed by the UEFI signing service.				\

 # -a <efiarch>
 # -i <input>
-%define hash(a:i:d:)								\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
-		pesign -i %{-i*} -h -P > shim.hash				\
-		read file0 hash0 < shim.hash					\
-		read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
-		if ! [ "$hash0" = "$hash1" ] ; then				\
-			echo Invalid signature\! > /dev/stderr			\
-			echo $hash0 vs $hash1					\
-			exit 1							\
-		fi								\
-	fi									\
+%define hash(a:i:d:)							\
+	pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
+		echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
+		exit 1							\
+	fi								\
 	%{nil}

 # -i <input>
@ -107,25 +88,9 @@ version signed by the UEFI signing service.				\
 # -b <binary prefix>
 # -a <efiarch>
 # -i <input>
-%define distrosign(b:a:d:)							\
-	if [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
-		if [ "%{-b*}%{-a*}" = "shim%{efi_arch}" ] ; then		\
-			cp -av "%{shimefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "shim%{efi_alt_arch}" ] ; then		\
-			cp -av "%{shimefialt}" %{-b*}%{-a*}-unsigned.efi	\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_arch}" ] ; then		\
-			cp -av "%{mmefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "mm%{efi_alt_arch}" ] ; then		\
-			cp -av "%{mmefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_arch}" ] ; then		\
-			cp -av "%{fbefi}" %{-b*}%{-a*}-unsigned.efi		\
-		elif [ "%{-b*}%{-a*}" = "fb%{efi_alt_arch}" ] ; then		\
-			cp -av "%{fbefialt}" %{-b*}%{-a*}-unsigned.efi		\
-		fi								\
-	else									\
-		cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
-	fi									\
-	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} } \
+%define distrosign(b:a:d:)						\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n redhatsecureboot501 -a %{SOURCE2} -c %{SOURCE1} }\
 	%{nil}

 # -a <efiarch>
@ -133,18 +98,16 @@ version signed by the UEFI signing service.				\
 # -b <1|0> # signed by this builder?
 # -c <1|0> # signed by UEFI CA?
 # -i <shimARCH.efi>
-# -d /usr/share dir for this build (full path)
 %define define_build(a:A:b:c:i:d:)					\
 if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then		\
 	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
 fi									\
 cp %{-i*} shim%{-a*}.efi						\
-if [ "%{-b*}" = "yes" ] ; then						\
+if [ "%{-b*}" = "yes" ]; then						\
 	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
 	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
 fi									\
-if [ "%{-c*}" = "no" ] ||						\
-   [ 0%{?_unsigned_test_build:%{_unsigned_test_build}} -ne 0 ] ; then	\
+if [ "%{-c*}" = "no" ]; then						\
 	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
 fi									\
 %{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
@ -179,10 +142,10 @@ install -m 0700 fb%{-a*}.efi						\\\
 # -A <EFIARCH>
 %define define_files(a:A:)						\
 %{expand:%%files -n shim-%{-a*}}					\
-%%verify(not mtime) %{efi_esp_dir}/*%{-a*}*.efi				\
-%%verify(not mtime) %{efi_esp_dir}/BOOT%{-A*}.CSV			\
-%%verify(not mtime) %{efi_esp_boot}/*%{-a*}.efi				\
-%%verify(not mtime) %{efi_esp_boot}/*%{-A*}.EFI				\
+%{efi_esp_dir}/*%{-a*}*.efi						\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
+%{efi_esp_boot}/*%{-a*}.efi						\
+%{efi_esp_boot}/*%{-A*}.EFI						\
 %{nil}

 %ifarch x86_64
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@ -1,6 +1,6 @@
 Name:		shim
-Version:	15.8
-Release:	4%{?dist}
+Version:	15
+Release:	15%{?dist}
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
@ -21,36 +21,28 @@ Source2:	redhatsecurebootca5.cer
 # match, 1 and 11 match, ...
 Source10:	BOOTAA64.CSV
 Source20:	shimaa64.efi
-Source30:	mmaa64.efi
-Source40:	fbaa64.efi
 Source11:	BOOTIA32.CSV
 Source21:	shimia32.efi
-Source31:	mmia32.efi
-Source41:	fbia32.efi
 Source12:	BOOTX64.CSV
 Source22:	shimx64.efi
-Source32:	mmx64.efi
-Source42:	fbx64.efi
 #Source13:	BOOTARM.CSV
 #Source23:	shimarm.efi
-#Source33:	mmarm.efi
-#Source43:	fbarm.efi

 %include %{SOURCE0}

 BuildRequires:	pesign >= 0.112-20.fc27
-# Right now we're just including all of the parts from them as sources here
-# to make the build+errata process less maddening.  We do this because
-# %%{efi} won't expand before choosing where to make the src.rpm in koji,
-# and we could be on a non-efi architecture, in which case we won't have a
-# valid expansion here...
-# %% ifarch x86_64
-# BuildRequires:	%% {unsignedx64} = %% {shimverx64}
-# BuildRequires:	%% {unsignedia32} = %% {shimveria32}
-# %% endif
-# %% ifarch aarch64
-# BuildRequires:	%% {unsignedaa64} = %% {shimveraa64}
-# %% endif
+# We need this because %%{efi} won't expand before choosing where to make
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
+# case we won't have a valid expansion here...  To be solved in the future
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
+# we can just BuildRequires that.
+%ifarch x86_64
+BuildRequires:	%{unsignedx64} = %{shimverx64}
+BuildRequires:	%{unsignedia32} = %{shimveria32}
+%endif
+%ifarch aarch64
+BuildRequires:	%{unsignedaa64} = %{shimveraa64}
+%endif
 #%%ifarch arm
 #BuildRequires:	%%{unsignedarm} = %%{shimverarm}
 #%%endif
@ -71,14 +63,12 @@ rm -rf shim-%{version}
 mkdir shim-%{version}

 %build
-export PS4='${LINENO}: '

 cd shim-%{version}
-# Temporarily using _sourcedir to avoid build dep annoyances.
 %if %{efi_has_alt_arch}
-%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{_sourcedir}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
 %endif
-%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{_sourcedir}
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}

 %install
 rm -rf $RPM_BUILD_ROOT
@ -107,50 +97,16 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif

 %if %{provide_legacy_shim}
-%verify(not mtime) %{efi_esp_dir}/shim.efi
+%{efi_esp_dir}/shim.efi
 %endif

 %changelog
-* Tue Apr 16 2024 Peter Jones <pjones@redhat.com> - 15.8-4
- Bump the release to *-4* to work around a build system issue.
-  Related: RHEL-11259
-
-* Wed Apr 10 2024 Peter Jones <pjones@redhat.com> - 15.8-3
- Bump the release to -3 to work around a build system issue.
-  Related: RHEL-11259
-
-* Thu Mar 28 2024 Peter Jones <pjones@redhat.com> - 15.8-2.el8
- Fix rpm verify issue found in testing.
-  Related: RHEL-11259
-
-* Thu Mar 21 2024 Peter Jones <pjones@redhat.com> - 15.8-1.el8
- Update to shim-15.8 for CVE-2023-40547
-  Resolves: RHEL-11259
-
-* Wed Apr 20 2022 Peter Jones <pjones@redhat.com> - 15.5-2.el8
- Include the actual signed shim binaries.
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
-
-* Tue Apr 19 2022 Peter Jones <pjones@redhat.com> - 15.5-1
- Update to shim-15.5
-  Resolves: rhbz#1970632
-  Resolves: rhbz#1982071
-  Resolves: rhbz#2000946
-  Resolves: rhbz#2002265
-
-* Mon Sep 21 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-16
- Fix an incorrect allocation size
-  Resolves: rhbz#1877253
-
 * Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
 - Update once again for new signed shim builds.
-  Resolves: rhbz#1861977
+  Resolves: rhbz#1862232

 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
- Get rid of our %%dist hack for now.
+- Get rid of our %dist hack for now.

 * Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
 - New signing keys
@ -162,9 +118,7 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi

 * Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
 - Fix firmware update bug in aarch64 caused by shim ignoring arguments
-  Resolves: rhbz#1830871
 - Fix a shim crash when attempting to netboot
-  Resolves: rhbz#1795654

 * Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
 - Update the shim-unsigned-aarch64 version number
--- a/5
+++ b/5
@ -0,0 +1,5 @@
+SHA512 (redhatsecureboot501.cer) = eb2c2d342680d4c3453d3e4f30abdd1f6b0e98292e1be0410d0163afd01552a863b70ffaabeecd6e3981cd4d167198091a837c7d70f96a3a06de2d28b3355308
+SHA512 (redhatsecurebootca5.cer) = 0285fd7cb1755b399cdd2d848d9eba51b72ef2dd8ea5d40d7061c29685a12e15bf8eb083cb2f8c14eb69d248cb3af2c2332e06f80e19ed4cc029070198c0d522
+SHA512 (shimaa64.efi) = 0457d3b9cce7bbb85eff9efd78a48f36b61a1ddf7c02cf94e7573487806133ea70d360166f088bd855b3ab09593f3179b8fd83cbf8a9e7e6271bc5a63957a5d7
+SHA512 (shimia32.efi) = 31a6e9debec0e77d6f14c95861694f7aaa48b23314cf36e28cc7dea73aef8749361e3f2e653ab82ac2edca3037cef2111bbf1b747078ebd987966498b9b92eaf
+SHA512 (shimx64.efi) = 89b7c679067665f48b402773250a0fc7e1369bc1a824d8333e02cd0a66b905304e1a5a187b6ad54f72848060f7291cb1d91a2bc6ca7aa8baf063305c21c5d2d0