From 13f2169e0bfcad50fd4242feae22587cd942bb9c Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Feb 28 2018 15:19:32 +0000 Subject: Final signed shim 13-1. That took long enough. Signed-off-by: Peter Jones --- diff --git a/shim-signed.spec b/shim-signed.spec index a3ec123..d43d307 100644 --- a/shim-signed.spec +++ b/shim-signed.spec @@ -8,7 +8,7 @@ Name: shim-signed Version: 13 -Release: 0.7%{dist} +Release: 1%{dist} Summary: First-stage UEFI bootloader License: BSD URL: http://github.com/rhboot/shim/ @@ -27,7 +27,6 @@ Source2: BOOTIA32.CSV Source10: shimaa64.efi Source11: shimia32.efi Source12: shimx64.efi -Source13: shimx64-signed.efi %global shimverx64 13-3.fc27 %global shimveria32 13-3.fc27 @@ -36,7 +35,6 @@ Source13: shimx64-signed.efi %ifarch x86_64 BuildRequires: shim-unsigned-x64 = %{shimverx64} BuildRequires: shim-unsigned-ia32 = %{shimveria32} -BuildRequires: shim-unsigned = 0.8-1.fc22 %global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 %global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32 %endif 
@@ -160,44 +158,49 @@ cd shim-signed-%{version} # -A # -b %define do_install(a:A:b:) \ -install -m 0644 shim%{-a*}.efi \\\ +install -m 0700 shim%{-a*}.efi \\\ $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}.efi \ -install -m 0644 shim%{-a*}-%{efidir}.efi \\\ +install -m 0700 shim%{-a*}-%{efidir}.efi \\\ $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}-%{efidir}.efi \ -install -m 0644 mm%{-a*}.efi \\\ +install -m 0700 mm%{-a*}.efi \\\ $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{-a*}.efi \ -install -m 0644 %{-b*} \\\ +install -m 0700 %{-b*} \\\ $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ -install -m 0644 shim%{-a*}.efi \\\ +install -m 0700 shim%{-a*}.efi \\\ $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{-A*}.EFI \ -install -m 0644 fb%{-a*}.efi \\\ +install -m 0700 fb%{-a*}.efi \\\ $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{-a*}.efi \ %nil rm -rf $RPM_BUILD_ROOT cd shim-signed-%{version} -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ %ifarch x86_64 %do_install -a x64 -A X64 -b %{SOURCE0} %do_install -a ia32 -A IA32 -b %{SOURCE2} -install -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV -install -m 0644 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi -install -m 0644 %{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi -install -m 0644 %{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimx64.efi -install -m 0644 %{SOURCE13} $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI -install -m 0644 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi +install -m 0700 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV 
+install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi +install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi +install -m 0700 %{SOURCE12} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi %endif %ifarch aarch64 %do_install -a aa64 -A AA64 -b %{SOURCE1} -install -m 0644 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +install -m 0700 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi %endif # -a # -A %define define_files(a:A:) \ %{expand:%%files -n shim-%{-a*}} \ +%dir /boot/efi \ +%dir /boot/efi/EFI \ +%dir /boot/efi/EFI/BOOT \ +%dir /boot/efi/EFI/%{efidir} \ /boot/efi/EFI/%{efidir}/*%{-a*}*.efi \ /boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ /boot/efi/EFI/BOOT/*%{-a*}.efi \ @@ -219,6 +222,16 @@ install -m 0644 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi %endif %changelog +* Wed Nov 01 2017 Peter Jones - 13-1 +- Now with the actual signed 64-bit build of shim 13 for x64 as well. +- Make everything under /boot/efi be mode 0700, since that's what FAT will + show anyway, so that rpm -V is correct. + Resolves: rhbz#1508516 + +* Tue Oct 24 2017 Peter Jones - 13-0.8 +- Now with signed 32-bit x86 build. + Related: rhbz#1474861 + * Wed Oct 04 2017 Peter Jones - 13-0.7 - Make /boot/efi/EFI/fedora/shim.efi still exist on aarch64 as well. Resolves: rhbz#1497854 diff --git a/sources b/sources index e896a27..9e135b5 100644 --- a/sources +++ b/sources 
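Review bot: In the x86_64 branch of the install section, `shim.efi` is installed straight from `%{SOURCE12}`, while `shimx64.efi` and `BOOTX64.EFI` come from the working-directory copy through `%do_install`. The compatibility name therefore takes a different path from the file that any earlier build-stage check would have examined (that stage is outside this hunk, so this is inferred). The MokManager.efi and fallback.efi lines next to it already copy from the buildroot, and doing the same here keeps every installed shim name byte-identical to the one signed binary: `install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi`. The aarch64 branch has the same pattern with `%{SOURCE10}`. A comment above the directory installs, such as `# ESP is FAT: modes are not stored, 0700 matches what the mount reports so rpm -V stays clean`, would keep the rationale that currently lives only in the changelog.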
@@ -1,4 +1,3 @@
-SHA512 (shimx64-signed.efi) = 4aad924e65356ff97d52a9c5ebf72cec9be51670db312f6a57ec80d1a254c855d3f90475dcf35deba565c09f498bba1156e0a66c17c31588721656a8f368d59b
 SHA512 (shimaa64.efi) = 779893923f9707bb20476bf9dfd9a613e72efad4f6cd7fd569f1a46cf5565b210d62b5c78e8ef5b8eb40ba673561fd74dd3195d82f72492348a3e31f859bf3b5
-SHA512 (shimia32.efi) = 19573da07e0a4531b4bfa829e3ab61ad9f8015284f75f4425721d5fb6df79c602344261939fb053147df4db6c37fad751e5ac32e3250b3ef653b42ec09c468ac
-SHA512 (shimx64.efi) = 95888ea0208de7baa8607866cc6a8dd7301bd1b8432322bace02d4f5e391a39b8ead03bdb5fabde1a8171bc08d4ca3904db8da53e6a6a152aae6475457a79a07
+SHA512 (shimia32.efi) = 9f9d491c690faf70f0420f8a154d7a3b98e6d71b4da16d2e61f724694f7e55235aafec0233917f4907f1da1bc9598fa36e040666b94d2942e1fbbdfdd3a30826
+SHA512 (shimx64.efi) = 50e53ec4b17b4ddf0b7b0341c1de9a14027c2de940cd36218ba727b8742be03f793480bb7b330a897127c0691532262a2a0eb5022270ac323e6d2e07201a6191