diff --git a/.gitignore b/.gitignore index 2426073..e7dbb40 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /shim.efi +/BOOT.CSV diff --git a/shim-signed.spec b/shim-signed.spec index a93f364..edb8bf1 100644 --- a/shim-signed.spec +++ b/shim-signed.spec @@ -1,15 +1,16 @@ Name: shim-signed -Version: 0.2 -Release: 4.4%{?dist} +Version: 0.4 +Release: 1%{?dist} Summary: First-stage UEFI bootloader Provides: shim = %{version}-%{release} License: BSD URL: http://www.codon.org.uk/~mjg59/shim/ Source0: shim.efi +Source1: BOOT.CSV -#BuildRequires: shim-unsigned = %{version}-%{release} -BuildRequires: shim-unsigned = 0.2-3.fc18 +BuildRequires: shim-unsigned = %{version}-%{release} +#BuildRequires: shim-unsigned = 0.2-3.fc18 BuildRequires: pesign >= 0.100-1%{dist} # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not @@ -40,8 +41,9 @@ the UEFI signing service. %package -n shim Summary: First-stage UEFI bootloader -#Requires: shim-unsigned >= %{version}-%{release} -Requires: shim-unsigned >= 0.2-3.fc18 +Requires: shim-unsigned = %{version}-%{release} +Requires: mokutil = %{version}-%{release} +#Requires: shim-unsigned >= 0.2-3.fc18 Provides: shim-signed = %{version}-%{release} Obsoletes: shim-signed < %{version}-%{release} @@ -60,10 +62,17 @@ mkdir shim-signed-%{version} %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} cd shim-signed-%{version} +pesign -i %{SOURCE0} -h -P > shim.hash +if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then + echo Invalid signature\! > /dev/stderr + exit 1 +fi %pesign -s -i %{SOURCE0} -e shim.sig pesign -i %{SOURCE0} -o shim.efi -m shim.sig -u 1 pesign -i %{SOURCE0} -o tmp.efi -r -u 0 pesign -i tmp.efi -o shim-fedora.efi -m shim.sig +%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi +%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi %install rm -rf $RPM_BUILD_ROOT 
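Review bot: The added `Requires: mokutil = %{version}-%{release}` in the `%package -n shim` hunk only resolves if mokutil is built in lockstep with this package's version and release. Nothing in this diff shows where mokutil comes from, so if it is versioned on its own the shim subpackage becomes uninstallable. If it is produced by the shim-unsigned build, a one-line comment above the Requires saying so would make the exact pin understandable. The superseded pins kept as comments here and in the first spec hunk (`#Requires: shim-unsigned >= 0.2-3.fc18`, `#BuildRequires: shim-unsigned = 0.2-3.fc18`) could be dropped, since the old values are in the history.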
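Review bot: The new `cmp shim.hash %{_datadir}/shim/shim.hash` check reports `Invalid signature!`, but it does not check a signature. It establishes that the signed `%{SOURCE0}` hashes to the same value as the binary recorded by shim-unsigned, not that the signature on it comes from the expected signer. A message such as `echo "shim.efi hash does not match %{_datadir}/shim/shim.hash" >&2` would be more accurate, and `>&2` avoids relying on `/dev/stderr` existing in the build root. Listing the signatures in the build log before the signing steps, e.g. `pesign -S -i %{SOURCE0}`, would leave a record of who signed the blob that was shipped. A short comment above the block saying that it binds the externally signed shim to the locally built one would help the next maintainer.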
@@ -71,12 +80,29 @@ cd shim-signed-%{version} install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi install -m 0644 shim-fedora.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-fedora.efi +install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi +install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV + +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ +install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI +install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi %files -n shim /boot/efi/EFI/%{efidir}/shim.efi /boot/efi/EFI/%{efidir}/shim-fedora.efi +/boot/efi/EFI/%{efidir}/MokManager.efi +/boot/efi/EFI/%{efidir}/BOOT.CSV +/boot/efi/EFI/BOOT/BOOTX64.EFI +/boot/efi/EFI/BOOT/fallback.efi %changelog +* Thu Jun 20 2013 Peter Jones - 0.4-1 +- Provide a fallback for uninitialized Boot#### and BootOrder + Resolves: rhbz#963359 +- Move all signing from shim-unsigned to here +- properly compare our generated hash from shim-unsigned with the hash of + the signed binary (as opposed to doing it manually) + * Fri May 31 2013 Peter Jones - 0.2-4.4 - Re-sign to get alignments that match the new specification. Resolves: rhbz#963361 diff --git a/sources b/sources index de6fd72..f1cc6a9 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ -cb7c9f855ec1a13555e560db0847bbce shim.efi +abf18595e08e1be3458e5e18c87dfe3c shim.efi +49acd7f998e96a9e10fded83ee71086b BOOT.CSV
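Review bot: Installing `shim.efi` as `/boot/efi/EFI/BOOT/BOOTX64.EFI` and listing it in `%files` makes this package the owner of the firmware's default boot path. On an ESP shared with another OS, an install or update therefore replaces that system's default loader and an erase removes it. This is presumably intended for the Boot#### fallback named in the changelog, but the spec should say so, e.g. `# EFI/BOOT/BOOTX64.EFI is the firmware's default boot path; fallback.efi and BOOT.CSV support rhbz#963359`. `BOOT.CSV` is installed as plain unsigned data, so the comment should also state that whatever it names must still pass shim's verification. The `BOOTX64.EFI` name is hard-coded, and the arch restriction that would make that safe is not visible in this hunk.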