From 86c7e55cc8096149e297cca727d8e33e5b5be076 Mon Sep 17 00:00:00 2001
From: eabdullin <ed.abdullin.1@gmail.com>
Date: Thu, 9 Mar 2023 11:35:03 +0300
Subject: [PATCH] - Use AlmaLinux cert - Add conflicts to old shim

---
 .shim.metadata                     |   2 +-
 SOURCES/almalinuxsecurebootca0.cer | Bin 0 -> 1787 bytes
 SOURCES/clsecureboot001.cer        | Bin 1561 -> 0 bytes
 SOURCES/shim.rpmmacros             |   7 ++++++-
 SPECS/shim.spec                    |  10 +++++-----
 5 files changed, 12 insertions(+), 7 deletions(-)
 create mode 100644 SOURCES/almalinuxsecurebootca0.cer
 delete mode 100644 SOURCES/clsecureboot001.cer

diff --git a/.shim.metadata b/.shim.metadata
index 310e5c3..177bafb 100644
--- a/.shim.metadata
+++ b/.shim.metadata
@@ -1,4 +1,4 @@
 bfee65ae45498fefd64b16edf9993415b625cb3c SOURCES/shimaa64.efi
-5957bbccac9f22c1738039679204be0bb57c3812 SOURCES/shimx64.efi
+8d5251f1166c9dd43426903459fe95d4bd262483 SOURCES/shimx64.efi
 122b21c2da0ca4ee839d4bb6beff7ddffd68f1a0 SOURCES/fbx64.efi
 a4f7a273cc9a531a6ef125b91353f479cfa5f79c SOURCES/mmx64.efi
diff --git a/SOURCES/almalinuxsecurebootca0.cer b/SOURCES/almalinuxsecurebootca0.cer
new file mode 100644
index 0000000000000000000000000000000000000000..6a4e99b9ed921c4af3db55a619260f1ab76110dc
GIT binary patch
literal 1787
zcmb7Edpy%?9NzEu+YQ4qp+X~z$h<!#p$oRjtthe5I<;n4v1uk{onoRAK8{FoFx^gc
z)hd-rIu)nr?ozG9NGF_fI7Am`6X*En{BeH&J@5N`pZ9&<&+mDF3_l2DxOH*_hG3YC
zc63{K)Mc`VR1X->NhS)Qi`TME^-dksg&-Xq2Cz{bpoK?*v3Lr+#1l0EMjD_^(GTMD
zB!UPL)n5=TknqD$I+(55K`6BGoxr#aQ34*7AqwMDg9H&mfiQx~@Sw6ns4M2o1LnrM
zj*bAGgM!g7R1KZf5ID|pa&dAA1xdG2GSJgV;wS_sr+Fwqoly#ygx9gdLs&@Wya0v}
z3LG4SP65Uf7hwvK$&cd3bH#kr3{2A~=u->>#eywd37;Auj^GLf30#RlB%EMPEi-l+
zkwox{5{U(2T$BpTN6nIqJ))wy{sLj#R%$>H)k_p74EruH#z6j)0c5b{#3zMt7(@o^
zW7O-~undMU6>I1J?%P(;)EDT<J`&<=PqZm?Eh+Gdc^{X>d~@7#vAD%qZ-ufkhh?j~
zapii8FZ6l4l2j4>$6Kvd%=FCfQ#Hi8bqZPzauDLVg0k(jF6nNqtfiz|Wxur8bX2ad
zdVcV5sacnCY_nO@_S&kodX}Gu=_h9qjw-&C&Q?YW8|~hwL@-lYMZxo*mT|n_rq!Dq
zNO?Kr*Z&ajuCl*+CptA}bH}3+sZUn7lNIOqU@O10Y8v~wWKcZqMh{nDsrrHAqC?Fn
zC5Od?^TaPN9vZwE>ENKiT9WIkzve%`+%Pg-+wtWhW?EoI?ykMo1m;;krtqoqrdY(Z
z>AG~nTPIVAdtr9e$os^OcI}Pat4B7uw#bZr_Ev0CoO20G4yS!W8C%*eNtWAYpL#d*
zedparl{a8zs7XrL79O+)cgO3rRq(Xe?bv+=_YavC&C0sI{5@^Is<rr7Q~oQL=9Ko_
zd&TbxFV50?)oW08?yPU9{?yXi;q$0tf$3uhOWxNtF#$EN9$(nj61mrZXRg<?fO5Aq
z{IFK_+_a`mJHJLPzOu2$``0#6NiXkuM_k_1)xDklhX*R_Aot#YOpZ%PWJx`Hvwv(+
zUSn91q<LmM;ZwJ8FJ8nt5r4k_e%;mzeMQkS+dKS(UD8v&r=*?B&+x(vVcja{*!1E*
zR`nr|@2-+JzzBqaj>w>gKnC3h)7Af**$k{YWr>DKj@ce|HuYY$w-4X7busAnE?sO0
z%rpc&tP$2Q5p}pRNtx`QBY$$Hy}hi^EzC7xG%sfQ5Hy0tA}}ElkTi6P2EzaYC>lh=
zl7Kdzs16YhM?esDptRPfdPAw7JRwLkg(U+Y4UdZT1n$5IPa2Kec@%;nJOpT9#`r7@
z85u`PBr&nB4i2&3%Ye=kMLRG8g8%`Ki%23t2=LQLO~*2UT1>u3z97|AGoqg0iKFNf
zr^ZU-duM1WW2`Y49;^^`UC`BhARRwieNz#L243SBz!P*O|5I1;uO$Gbj#^URPsEFj
znJ5J48Yh#m)_^Ae=Lv|2+!#zIQG$c)nJj+~w#N#V{a95^486KX5gC+(`LS(LuYLx&
zmK=g#7W3C{btC1qgXHu|&hAt1mVpg9@qz7)LQjirTbE=%tB>VaJ{w|W+SRlqtM=qq
z`BZ#(0JZP>i7X28yp;YFwn*+V^|hB(LiOc)PaARBXXK%~jS_tFjUyY$QX;*+r0V45
zkE=pT=tBm1C+#j}43w`s`%TdlzpX-LE<>U=F6|4*<{yn&V-xIkW##-D?u9_i{=os1
zQ~fq=HHqcUdPH1KbNZa$#kq3WF+jPXnVa;%`a)vjg(LknHdCYpovzocJ`VZSGQKX%
z9VuvTNmoc+L-8N(4b3q2QAF;sQhj@I<v<*0Ht?VN<knFg<}yq{?haG<fv+xMZkq1G
zfMeB!j>*nzv-=TicK8=0<z{!5STDIQowYE}{M!p%v*XagiZ@#a*rpBp-pFlw$j1cA
zMbdL^7Fn6pu1Ds+4F;K(`~A_^c|ytX^;TAfXxKtf>_FUZQQx>WuhjaYMX_P|t&zHv
TseG#v;Fg#3=RT@0&At3@_pP4Z

literal 0
HcmV?d00001

diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer
deleted file mode 100644
index ca9ce5d92a13320a2995ed90f173ea719a132d8f..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1561
zcmZ`(Yfuwc6wXbS1jzzo5X>OBh=_zHxtj+9!bnI+p+=zweAJF{O%_-i65K3=V6`P`
zg!+Oiw$+NM3{cvRbwp7M<Fi^Fr&c?izU+V&99!x@6`xhd?qX>9<FB1_&iCE(?RW0E
z&?}q_y~s1afDicmiPrXi7P+NN-Rg^uj^4IR2t$PvWWGG#!%zUkK|ENy6Bok?LP0Si
zl<*5p_;iSIK?o`>c2G4W<HU+cYnj7oca~D53o|Qp3OorWau_ihrzdHqvK-?+R0(Az
z7|Q9ubd^k*lcpFCo(5Anpa4|{fVtHS>9CPDY!P9nY%kz?r;WtSRH=h<lwx`vX3o>8
zU|e*l3WsV{DvoP4TGbnDs9{5GAcS5Z!6h(4C{7Uq1bAm>@_|6YFE-;+7(G78M}rNd
zop2L0iATV2PECX)*l5Dk>U3O<$HA#wY63bL*TU2^EXQ6+VmX8d(^It7PU5jJhO385
zA`5A%ieN~rfG#CiV@9QqDqzb&l8`jD9Hy((P@^7aCo5+n4C4+6Mny(D>xqpR<A~4@
zqmyQ^`5uyXjdNXZcUIak6XmF^#>~zVhEx6umhZ5RVFal3r5M(h>Ej0sf_MTi2<Nf+
z5WW`xUfsxU^u*bvD~p;BZT`ZlS{`kb44-UksA{RrQuYYu^$hfNSXL8{z3Jxm_5F?=
z<~F*2-+9$rbMCAi1d`_Zr}s=-r<7cKDqWaAboR!y?hlMv-_7Y>%d}hSB1Z;Kc<pEI
zo~_rU(~Ubq_aFXn;F5XqA%9oLTJwXR?&~1GwLE>x_Vo?>QeGcGz_P@TPE#k$jU}t{
z=C4WMHPazOp*1PT3fm+ruI6lS_~q`^8L{y-bu+Gf%@__g=3FU^|HN|Z8E=KQmHrw0
zI*CrQY%Us>cb>W=8$P+bYg<Ipp*uG-uRY9I)=;lh+*`M_f1Y7^OmN1n@88dtY`TB&
z&A#Sjt$r(C0C=Fq3;I|`u0fO?O{@ff=LjG2poWX4A##`kll@8lL|;M~!&GD_l~&rW
zu#R4IMTK2SR#{zE!c|776l?)j3WM1z7!)J|0HI(hl#j&__~HWxjH5WMt_peJFsrki
z-H!kr@_n)ZoF*%rE{bu|o|m*GX*i7&n}AG#QSV0XKPQV|<lQM6!;${WwM^NW&&X&P
z%K^fWC?s;@w!OA)=U3-;uM`$-Z10+y`}^@nFZh!<er@Fc^0NQ?P52te#}GZ#L6I=1
zv=#*dR;*aIp$zyQxcNaq1i5D*pq>w+q?~#eYnR*Y9;aJhXnxTwk!v=F7YKwQfz8bV
zV01@f!?{5q0>0>7n9VhhK+@rCzjllgEbu48Bs8(uEH~tubc=NhbLDzdL9qcd<u52+
zf|(19MO>0ymIeCpOTfNz>=FRp+_ZMjPwTEfKR;4G<Kvk*tA=j<{X^%7$o0qY(8gE4
zMR%(wK0mdkX;<}ikJ4&txj4N+v2)2|^j_8;%~IJBH?iv*pQS1Da&~s<<tNF1ZV-ox
zd5=;=BDJQ)G#DRaNUixX;k_%f4n#+mdpdf2_P0BAXx(kGW6*Q}bZ)=>dG@D`O}rr^
zO(!d6#<-~YhKw(p3S9X|dM{X}bRc<Q#{En72-1ke-=gM9=k_)XXUto3bVId`h?NYq
z5|?y&!&kM(x-dNSru2cWcW+$X;r_TP*<X5nNp2-D%e0u4Vj3;N<42<pz7yr&M!6Ax
W>;161eWzPCUA!^tNx{O73;zPg)%xE6

diff --git a/SOURCES/shim.rpmmacros b/SOURCES/shim.rpmmacros
index d29c4a3..2a92cae 100644
--- a/SOURCES/shim.rpmmacros
+++ b/SOURCES/shim.rpmmacros
@@ -20,7 +20,7 @@
 #%%global mmefiarm %%{expand:%%{SOURCE43}
 
 %global shimveraa64 15-6.el9.alma
-%global shimverx64 15.6-1.el9.alma
+%global shimverx64 15.6-1.el9.alma.1
 #%%global shimverarm 15-1.el8
 
 %global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
@@ -55,6 +55,11 @@ Requires: mokutil >= 1:0.3.0-1						\
 Requires: efi-filesystem						\
 Provides: shim-signed-%{-a*} = %{version}-%{release}			\
 Requires: dbxtool >= 0.6-3						\
+%{expand:%ifarch x86_64						\
+# SecureBoot keys dependencies						\
+Requires: almalinux(grub2-sig-key) >= 202303				\
+Requires: almalinux(kernel-sig-key) >= 202303				\
+%endif}				\
 %{expand:%%if 0%%{-p*}							\
 Provides: shim = %{version}-%{release}					\
 Provides: shim-signed = %{version}-%{release}				\
diff --git a/SPECS/shim.spec b/SPECS/shim.spec
index 06c03d4..17c4459 100644
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@@ -1,6 +1,6 @@
 Name:		shim
 Version:	15.6
-Release:	1.el9.alma
+Release:	1.el9.alma.1
 Summary:	First-stage UEFI bootloader
 License:	BSD
 URL:		https://github.com/rhboot/shim/
@@ -12,7 +12,7 @@ ExclusiveArch:	%{efi}
 ExcludeArch:	%{arm} %{ix86}
 
 Source0:	shim.rpmmacros
-Source1:	clsecureboot001.cer
+Source1:	almalinuxsecurebootca0.cer
 
 # keep these two lists of sources synched up arch-wise.  That is 0 and 10
 # match, 1 and 11 match, ...
@@ -39,7 +39,7 @@ BuildRequires:	pesign >= 0.112-20.fc27
 # we can just BuildRequires that.
 %ifarch x86_64
 ## BuildRequires:	%% {unsignedx64} = %% {shimverx64}
-BuildRequires:	shim-unsigned-x64 = 15.6-1.el9.alma
+BuildRequires:	shim-unsigned-x64 = 15.6-1.el9.alma.1
 %endif
 %ifarch aarch64
 BuildRequires:	%{unsignedaa64} = %{shimveraa64}
@@ -103,8 +103,8 @@ install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
 %endif
 
 %changelog
-* Tue Aug 23 2022 Andrew Lukoshko <alukoshko@almalinux.org> - 15.6-1.el9.alma
-- AlmaLinux changes
+* Thu Mar 09 2023 Eduard Abdullin <eabdullin@almalinux.org> - 15.6-1.el9.alma.1
+- Use AlmaLinux cert
 
 * Mon Jun 06 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el9
 - Update to shim-15.6