4 changed files with 44 additions and 7 deletions
--- a/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch
+++ b/SOURCES/0011-RHEL-9-disable-Wpointer-sign-for-now.patch
@ -0,0 +1,25 @@
 From 7e7fa748c8651ca3d9fdd55f0ad891c816949ff5 Mon Sep 17 00:00:00 2001
 From: Peter Jones <pjones@redhat.com>
 Date: Fri, 6 Aug 2021 16:43:37 -0400
 Subject: [PATCH] RHEL-9: disable -Wpointer-sign for now
 Signed-off-by: Peter Jones <pjones@redhat.com>
 ---
 Make.defaults | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/Make.defaults b/Make.defaults
 index e11ab5a7f2c..9b28720d186 100644
 --- a/Make.defaults
 +++ b/Make.defaults
@@ -42,6 +42,7 @@ EFI_LDS		= $(TOPDIR)/elf_$(ARCH)_efi.lds
 CFLAGS		= -ggdb -O0 -fno-stack-protector -fno-strict-aliasing -fpic \
 		  -fshort-wchar -Wall -Wsign-compare -Werror -fno-builtin \
 		  -Werror=sign-compare -ffreestanding -std=gnu89 \
 +		  -Wno-pointer-sign -Wno-address-of-packed-member \
 		  -I$(shell $(CC) -print-file-name=include) \
 		  "-DDEFAULT_LOADER=L\"$(DEFAULT_LOADER)\"" \
 		  "-DDEFAULT_LOADER_CHAR=\"$(DEFAULT_LOADER)\"" \
 -- 
 2.31.1
--- a/SOURCES/almalinuxsecurebootca0.cer
+++ b/SOURCES/almalinuxsecurebootca0.cer
--- a/SOURCES/securebootca.cer
+++ b/SOURCES/securebootca.cer
--- a/SPECS/shim-unsigned-aarch64.spec
+++ b/SPECS/shim-unsigned-aarch64.spec
@ -8,7 +8,7 @@
 %global __debug_install_post %{SOURCE100} aa64
 %undefine _debuginfo_subpackages
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir almalinux
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
@ -16,13 +16,13 @@
 Name:		shim-unsigned-aarch64
 Version:	15
-Release:	7%{?dist}
+Release:	6%{?dist}.alma.1
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	securebootca.cer
+Source1:	almalinuxsecurebootca0.cer
 # currently here's what's in our dbx:
 # nothing.
 Source2:	dbx.esl
@ -39,7 +39,9 @@ Patch0007:	0007-shim-Properly-generate-absolute-paths-from-relative-.patch
 Patch0008:	0008-shim-Prevent-shim-to-set-itself-as-a-second-stage-lo.patch
 Patch0009:	0009-Fix-a-use-of-strlen-instead-of-Strlen.patch
 Patch0010:	0010-translate_slashes-don-t-write-to-string-literals.patch
 Patch0011:	0011-RHEL-9-disable-Wpointer-sign-for-now.patch
 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
@ -137,9 +139,8 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 %changelog
-* Tue Apr 06 2021 Peter Jones <pjones@redhat.com> - 15-7
+* Wed Mar 29 2023 Eduard Abdullin <eabdullin@almalinux.org> - 15-6.alma.1
- Backport this to EL 8 so we can build-dep on the right version.
+- Use AlmaLinux cert
  Related: CVE-2020-14372 (and others)
 * Tue May 26 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-6
 - Fix a shim crash when attempting to netboot
@ -163,8 +164,19 @@ cd ..
 - Fix MoK mirroring issue which breaks kdump without intervention
  Related: rhbz#1668966
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
+* Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15
 - better checking for bad linker output
 - flicker-free console if there's no error output
 - improved http boot support
 - better protocol re-installation
 - dhcp proxy support
 - tpm measurement even when verification is disabled
 - REQUIRE_TPM build flag
 - more reproducable builds
 - measurement of everything verified through shim_verify()
 - coverity and scan-build checker make targets
 - misc cleanups
 * Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
 - Actually update to the *real* 13 final.