From 0abd456d3c3a8a3d14c966472a54ee098f403a0e Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Feb 28 2018 17:21:42 +0000 Subject: Rename the .spec file and fix some paths. Signed-off-by: Peter Jones --- diff --git a/shim-signed.spec b/shim-signed.spec deleted file mode 100644 index d43d307..0000000 --- a/shim-signed.spec +++ /dev/null @@ -1,336 +0,0 @@ -%global debug_package %{nil} - -%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) - -# this is literally to make vim's \c not put a brace at the end. -%global _dist %{expand:%{?_module_build:%%{?dist}}} -%global dist %{expand:%%{_dist}} - -Name: shim-signed -Version: 13 -Release: 1%{dist} -Summary: First-stage UEFI bootloader -License: BSD -URL: http://github.com/rhboot/shim/ - -# Shim is only required on platforms implementing the UEFI secure boot -# protocol. The only one of those we currently wish to support is 64-bit x86. -# Adding further platforms will require adding appropriate relocation code. -ExclusiveArch: x86_64 aarch64 - -# keep these two lists of sources synched up arch-wise. That is 0 and 10 -# match, 1 and 11 match, ... -Source0: BOOTX64.CSV -Source1: BOOTAA64.CSV -Source2: BOOTIA32.CSV - -Source10: shimaa64.efi -Source11: shimia32.efi -Source12: shimx64.efi - -%global shimverx64 13-3.fc27 -%global shimveria32 13-3.fc27 -%global shimveraa64 13-3.fc27 - -%ifarch x86_64 -BuildRequires: shim-unsigned-x64 = %{shimverx64} -BuildRequires: shim-unsigned-ia32 = %{shimveria32} -%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 -%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32 -%endif -%ifarch aarch64 -BuildRequires: shim-unsigned-aarch64 = %{shimveraa64} -%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 -%endif -BuildRequires: pesign >= 0.112-20.fc27 - -%description -Initial UEFI bootloader that handles chaining to a trusted full bootloader -under secure boot environments. This package contains the version signed by -the UEFI signing service. - -%define define_pkg(a:p:) \ -%{expand:%%package -n shim-%{-a*}} \ -Summary: First-stage UEFI bootloader \ -Requires: mokutil >= 1:0.2.0-1 \ -Provides: shim-signed-%{-a*} = %{version}-%{release} \ -Requires: dbxtool >= 0.6-3 \ -%{expand:%%if 0%%{-p*} \ -Provides: shim = %{version}-%{release} \ -Provides: shim-signed = %{version}-%{release} \ -Obsoletes: shim-signed < %{version}-%{release} \ -Obsoletes: shim < %{version}-%{release} \ -%%endif} \ -# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ -# is not compatible with SysV (there's no red zone under UEFI) and \ -# there isn't a POSIX-style C library. \ -# BuildRequires: OpenSSL \ -Provides: bundled(openssl) = 1.0.2j \ - \ -%{expand:%%description -n shim-%{-a*}} \ -Initial UEFI bootloader that handles chaining to a trusted full \ -bootloader under secure boot environments. This package contains the \ -version signed by the UEFI signing service. \ -%{nil} - -%ifarch x86_64 -%define_pkg -a x64 -p 1 -%define_pkg -a ia32 -%endif -%ifarch aarch64 -%define_pkg -a aa64 -p 1 -%endif - -%prep -cd %{_builddir} -rm -rf shim-signed-%{version} -mkdir shim-signed-%{version} - -%build -%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} -%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} - -# -a -# -i -%define hash(a:i:d:) \ - pesign -i %{-i*} -h -P > shim.hash \ - read file0 hash0 < shim.hash \ - read file1 hash1 < %{-d*}/shim%{-a*}.hash \ - if ! [ "$hash0" = "$hash1" ]; then \ - echo Invalid signature\! > /dev/stderr \ - echo $hash0 vs $hash1 \ - exit 1 \ - fi \ - %{nil} - -# -i -# -o -%define sign(i:o:) \ - %{expand:%%pesign -s -i %{-i*} -o %{-o*}} \ - %{nil} - -# -b -# -a -# -i -%define distrosign(b:a:d:) \ - cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ - %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\ - %{nil} - -# -a -# -A -# -b # signed by this builder? -# -c # signed by UEFI CA? -# -i -%define define_build(a:A:b:c:i:d:) \ -if [ "%{-c*}" = "yes" ]; then \ - %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ -fi \ -cp %{-i*} shim%{-a*}.efi \ -if [ "%{-b*}" = "yes" ]; then \ - %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ - mv shim%{-a*}-signed.efi shim%{-a*}-%{efidir}.efi \ -fi \ -if [ "%{-c*}" = "yes" ]; then \ - cp shim%{-a*}-%{efidir}.efi shim%{-a*}.efi \ -fi \ -%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ -mv mm%{-a*}-signed.efi mm%{-a*}.efi \ -%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ -mv fb%{-a*}-signed.efi fb%{-a*}.efi \ -rm -vf \\\ - mm%{-a*}-unsigned.efi \\\ - fb%{-a*}-unsigned.efi \\\ - shim%{-a*}-unsigned.efi \ -%{nil} - -cd shim-signed-%{version} -%ifarch aarch64 -%define_build -a aa64 -A AA64 -i %{SOURCE10} -b yes -c no -d %{shimdiraa64} -%endif -%ifarch x86_64 -%define_build -a ia32 -A IA32 -i %{SOURCE11} -b yes -c yes -d %{shimdiria32} -%define_build -a x64 -A X64 -i %{SOURCE12} -b yes -c yes -d %{shimdirx64} -%endif - -%install -# -a -# -A -# -b -%define do_install(a:A:b:) \ -install -m 0700 shim%{-a*}.efi \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}.efi \ -install -m 0700 shim%{-a*}-%{efidir}.efi \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}-%{efidir}.efi \ -install -m 0700 mm%{-a*}.efi \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{-a*}.efi \ -install -m 0700 %{-b*} \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ -install -m 0700 shim%{-a*}.efi \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{-A*}.EFI \ -install -m 0700 fb%{-a*}.efi \\\ - $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{-a*}.efi \ -%nil - -rm -rf $RPM_BUILD_ROOT -cd shim-signed-%{version} -install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ -install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/ -install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/ -install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ -install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ - -%ifarch x86_64 -%do_install -a x64 -A X64 -b %{SOURCE0} -%do_install -a ia32 -A IA32 -b %{SOURCE2} -install -m 0700 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV -install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi -install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi -install -m 0700 %{SOURCE12} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi -%endif -%ifarch aarch64 -%do_install -a aa64 -A AA64 -b %{SOURCE1} -install -m 0700 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi -%endif - -# -a -# -A -%define define_files(a:A:) \ -%{expand:%%files -n shim-%{-a*}} \ -%dir /boot/efi \ -%dir /boot/efi/EFI \ -%dir /boot/efi/EFI/BOOT \ -%dir /boot/efi/EFI/%{efidir} \ -/boot/efi/EFI/%{efidir}/*%{-a*}*.efi \ -/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ -/boot/efi/EFI/BOOT/*%{-a*}.efi \ -/boot/efi/EFI/BOOT/*%{-A*}.EFI \ -%{nil} - -%ifarch x86_64 -%define_files -a x64 -A X64 -/boot/efi/EFI/%{efidir}/BOOT.CSV -/boot/efi/EFI/%{efidir}/MokManager.efi -/boot/efi/EFI/%{efidir}/shim.efi -/boot/efi/EFI/BOOT/fallback.efi - -%define_files -a ia32 -A IA32 -%endif -%ifarch aarch64 -%define_files -a aa64 -A AA64 -/boot/efi/EFI/%{efidir}/shim.efi -%endif - -%changelog -* Wed Nov 01 2017 Peter Jones - 13-1 -- Now with the actual signed 64-bit build of shim 13 for x64 as well. -- Make everything under /boot/efi be mode 0700, since that's what FAT will - show anyway, so that rpm -V is correct. - Resolves: rhbz#1508516 - -* Tue Oct 24 2017 Peter Jones - 13-0.8 -- Now with signed 32-bit x86 build. - Related: rhbz#1474861 - -* Wed Oct 04 2017 Peter Jones - 13-0.7 -- Make /boot/efi/EFI/fedora/shim.efi still exist on aarch64 as well. - Resolves: rhbz#1497854 - -* Tue Sep 19 2017 Peter Jones - 13-0.6 -- Fix binary format issue on Aarch64 - Resolves: rhbz#1489604 - -* Tue Sep 05 2017 Peter Jones - 13-0.5 -- Make /boot/efi/EFI/fedora/shim.efi still exist on x86_64, since some - machines have boot entries that point to it. - -* Tue Aug 29 2017 Peter Jones - 13-0.4 -- Make our provides not get silently ignore by rpmbuild... - -* Fri Aug 25 2017 Peter Jones - 13-0.3 -- x64: use the new fbx64.efi and mm64.efi as fallback.efi and MokManager.efi -- Provide: "shim" in x64 and aa64 builds - -* Thu Aug 24 2017 Peter Jones - 13-0.2 -- Obsolete old shim builds. - -* Tue Aug 22 2017 Peter Jones - 13-0.1 -- Initial (partially unsigned) build for multi-arch support on x64/ia32. - -* Thu Mar 23 2017 Petr Šabata - 0.8-9 -- Re-enable dist tag for module builds - -* Tue Feb 17 2015 Peter Jones - 0.8-8 -- Don't dual-sign shim-%%{efidir}.efi either. - Resolves: rhbz#1184765 - -* Tue Feb 17 2015 Peter Jones - 0.8-8 -- Require dbxtool - -* Wed Dec 17 2014 Peter Jones - 0.8-7 -- Wrong -signed changes got built for aarch64 last time, for dumb reasons. - Related: rhbz#1170289 - -* Fri Dec 05 2014 Peter Jones - 0.8-6 -- Rebuild once more so we can use a different -unsigned version on different - arches (because we can't tag a newer build into aarch64 without an x86 - update to match.) - Related: rhbz#1170289 - -* Wed Dec 03 2014 Peter Jones - 0.8-5 -- Rebuild for aarch64 path fixes - Related: rhbz#1170289 - -* Thu Oct 30 2014 Peter Jones - 0.8-2 -- Remove the dist tag so people don't complain about what it says. - -* Fri Oct 24 2014 Peter Jones - 0.8-1 -- Update to shim 0.8 - rhbz#1148230 - rhbz#1148231 - rhbz#1148232 -- Handle building on aarch64 as well - -* Fri Jul 18 2014 Peter Jones - 0.7-2 -- Don't do multi-signing; too many machines screw up verification. - Resolves: rhbz#1049749 - -* Wed Nov 13 2013 Peter Jones - 0.7-1 -- Update to shim 0.7 - Resolves: rhbz#1023767 - -* Thu Oct 24 2013 Peter Jones - 0.5-1 -- Update to shim 0.5 - -* Thu Jun 20 2013 Peter Jones - 0.4-1 -- Provide a fallback for uninitialized Boot#### and BootOrder - Resolves: rhbz#963359 -- Move all signing from shim-unsigned to here -- properly compare our generated hash from shim-unsigned with the hash of - the signed binary (as opposed to doing it manually) - -* Fri May 31 2013 Peter Jones - 0.2-4.4 -- Re-sign to get alignments that match the new specification. - Resolves: rhbz#963361 - -* Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Jan 02 2013 Peter Jones - 0.2-3.3 -- Add obsoletes and provides for earlier shim-signed packages, to cover - the package update cases where previous versions were installed. - Related: rhbz#888026 - -* Mon Dec 17 2012 Peter Jones - 0.2-3.2 -- Make the shim-unsigned dep be on the subpackage. - -* Sun Dec 16 2012 Peter Jones - 0.2-3.1 -- Rebuild to provide "shim" package directly instead of just as a Provides: - -* Sat Dec 15 2012 Peter Jones - 0.2-3 -- Also provide shim-fedora.efi, signed only by the fedora signer. -- Fix the fedora signature on the result to actually be correct. -- Update for shim-unsigned 0.2-3 - -* Mon Dec 03 2012 Peter Jones - 0.2-2 -- Initial build diff --git a/shim.spec b/shim.spec new file mode 100644 index 0000000..f596e3f --- /dev/null +++ b/shim.spec @@ -0,0 +1,339 @@ +%global debug_package %{nil} + +%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/')) + +# this is literally to make vim's \c not put a brace at the end. +%global _dist %{expand:%{?_module_build:%%{?dist}}} +%global dist %{expand:%%{_dist}} + +Name: shim +Version: 13 +Release: 2%{dist} +Summary: First-stage UEFI bootloader +License: BSD +URL: http://github.com/rhboot/shim/ + +# Shim is only required on platforms implementing the UEFI secure boot +# protocol. The only one of those we currently wish to support is 64-bit x86. +# Adding further platforms will require adding appropriate relocation code. +ExclusiveArch: x86_64 aarch64 + +# keep these two lists of sources synched up arch-wise. That is 0 and 10 +# match, 1 and 11 match, ... +Source0: BOOTX64.CSV +Source1: BOOTAA64.CSV +Source2: BOOTIA32.CSV + +Source10: shimaa64.efi +Source11: shimia32.efi +Source12: shimx64.efi + +%global shimverx64 13-3.fc27 +%global shimveria32 13-3.fc27 +%global shimveraa64 13-3.fc27 + +%ifarch x86_64 +BuildRequires: shim-unsigned-x64 = %{shimverx64} +BuildRequires: shim-unsigned-ia32 = %{shimveria32} +%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64 +%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32 +%endif +%ifarch aarch64 +BuildRequires: shim-unsigned-aarch64 = %{shimveraa64} +%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64 +%endif +BuildRequires: pesign >= 0.112-20.fc27 + +%description +Initial UEFI bootloader that handles chaining to a trusted full bootloader +under secure boot environments. This package contains the version signed by +the UEFI signing service. + +%define define_pkg(a:p:) \ +%{expand:%%package -n shim-%{-a*}} \ +Summary: First-stage UEFI bootloader \ +Requires: mokutil >= 1:0.2.0-1 \ +Provides: shim-signed-%{-a*} = %{version}-%{release} \ +Requires: dbxtool >= 0.6-3 \ +%{expand:%%if 0%%{-p*} \ +Provides: shim = %{version}-%{release} \ +Provides: shim-signed = %{version}-%{release} \ +Obsoletes: shim-signed < %{version}-%{release} \ +Obsoletes: shim < %{version}-%{release} \ +%%endif} \ +# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI \ +# is not compatible with SysV (there's no red zone under UEFI) and \ +# there isn't a POSIX-style C library. \ +# BuildRequires: OpenSSL \ +Provides: bundled(openssl) = 1.0.2j \ + \ +%{expand:%%description -n shim-%{-a*}} \ +Initial UEFI bootloader that handles chaining to a trusted full \ +bootloader under secure boot environments. This package contains the \ +version signed by the UEFI signing service. \ +%{nil} + +%ifarch x86_64 +%define_pkg -a x64 -p 1 +%define_pkg -a ia32 +%endif +%ifarch aarch64 +%define_pkg -a aa64 -p 1 +%endif + +%prep +cd %{_builddir} +rm -rf shim-%{version} +mkdir shim-%{version} + +%build +%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}} +%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}} + +# -a +# -i +%define hash(a:i:d:) \ + pesign -i %{-i*} -h -P > shim.hash \ + read file0 hash0 < shim.hash \ + read file1 hash1 < %{-d*}/shim%{-a*}.hash \ + if ! [ "$hash0" = "$hash1" ]; then \ + echo Invalid signature\! > /dev/stderr \ + echo $hash0 vs $hash1 \ + exit 1 \ + fi \ + %{nil} + +# -i +# -o +%define sign(i:o:) \ + %{expand:%%pesign -s -i %{-i*} -o %{-o*}} \ + %{nil} + +# -b +# -a +# -i +%define distrosign(b:a:d:) \ + cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi \ + %{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi}\ + %{nil} + +# -a +# -A +# -b # signed by this builder? +# -c # signed by UEFI CA? +# -i +%define define_build(a:A:b:c:i:d:) \ +if [ "%{-c*}" = "yes" ]; then \ + %{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}} \ +fi \ +cp %{-i*} shim%{-a*}.efi \ +if [ "%{-b*}" = "yes" ]; then \ + %{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}} \ + mv shim%{-a*}-signed.efi shim%{-a*}-%{efidir}.efi \ +fi \ +if [ "%{-c*}" = "yes" ]; then \ + cp shim%{-a*}-%{efidir}.efi shim%{-a*}.efi \ +fi \ +%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}} \ +mv mm%{-a*}-signed.efi mm%{-a*}.efi \ +%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}} \ +mv fb%{-a*}-signed.efi fb%{-a*}.efi \ +rm -vf \\\ + mm%{-a*}-unsigned.efi \\\ + fb%{-a*}-unsigned.efi \\\ + shim%{-a*}-unsigned.efi \ +%{nil} + +cd shim-%{version} +%ifarch aarch64 +%define_build -a aa64 -A AA64 -i %{SOURCE10} -b yes -c no -d %{shimdiraa64} +%endif +%ifarch x86_64 +%define_build -a ia32 -A IA32 -i %{SOURCE11} -b yes -c yes -d %{shimdiria32} +%define_build -a x64 -A X64 -i %{SOURCE12} -b yes -c yes -d %{shimdirx64} +%endif + +%install +# -a +# -A +# -b +%define do_install(a:A:b:) \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}.efi \ +install -m 0700 shim%{-a*}-%{efidir}.efi \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{-a*}-%{efidir}.efi \ +install -m 0700 mm%{-a*}.efi \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{-a*}.efi \ +install -m 0700 %{-b*} \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ +install -m 0700 shim%{-a*}.efi \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{-A*}.EFI \ +install -m 0700 fb%{-a*}.efi \\\ + $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{-a*}.efi \ +%nil + +rm -rf $RPM_BUILD_ROOT +cd shim-%{version} +install -D -d -m 0755 $RPM_BUILD_ROOT/boot/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/ +install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/ + +%ifarch x86_64 +%do_install -a x64 -A X64 -b %{SOURCE0} +%do_install -a ia32 -A IA32 -b %{SOURCE2} +install -m 0700 %{SOURCE2} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV +install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi +install -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi +install -m 0700 %{SOURCE12} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +%endif +%ifarch aarch64 +%do_install -a aa64 -A AA64 -b %{SOURCE1} +install -m 0700 %{SOURCE10} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi +%endif + +# -a +# -A +%define define_files(a:A:) \ +%{expand:%%files -n shim-%{-a*}} \ +%dir /boot/efi \ +%dir /boot/efi/EFI \ +%dir /boot/efi/EFI/BOOT \ +%dir /boot/efi/EFI/%{efidir} \ +/boot/efi/EFI/%{efidir}/*%{-a*}*.efi \ +/boot/efi/EFI/%{efidir}/BOOT%{-A*}.CSV \ +/boot/efi/EFI/BOOT/*%{-a*}.efi \ +/boot/efi/EFI/BOOT/*%{-A*}.EFI \ +%{nil} + +%ifarch x86_64 +%define_files -a x64 -A X64 +/boot/efi/EFI/%{efidir}/BOOT.CSV +/boot/efi/EFI/%{efidir}/MokManager.efi +/boot/efi/EFI/%{efidir}/shim.efi +/boot/efi/EFI/BOOT/fallback.efi + +%define_files -a ia32 -A IA32 +%endif +%ifarch aarch64 +%define_files -a aa64 -A AA64 +/boot/efi/EFI/%{efidir}/shim.efi +%endif + +%changelog +* Wed Feb 28 2018 Peter Jones - 13-2 +- Pivot the shim-signed package to be here. + +* Wed Nov 01 2017 Peter Jones - 13-1 +- Now with the actual signed 64-bit build of shim 13 for x64 as well. +- Make everything under /boot/efi be mode 0700, since that's what FAT will + show anyway, so that rpm -V is correct. + Resolves: rhbz#1508516 + +* Tue Oct 24 2017 Peter Jones - 13-0.8 +- Now with signed 32-bit x86 build. + Related: rhbz#1474861 + +* Wed Oct 04 2017 Peter Jones - 13-0.7 +- Make /boot/efi/EFI/fedora/shim.efi still exist on aarch64 as well. + Resolves: rhbz#1497854 + +* Tue Sep 19 2017 Peter Jones - 13-0.6 +- Fix binary format issue on Aarch64 + Resolves: rhbz#1489604 + +* Tue Sep 05 2017 Peter Jones - 13-0.5 +- Make /boot/efi/EFI/fedora/shim.efi still exist on x86_64, since some + machines have boot entries that point to it. + +* Tue Aug 29 2017 Peter Jones - 13-0.4 +- Make our provides not get silently ignore by rpmbuild... + +* Fri Aug 25 2017 Peter Jones - 13-0.3 +- x64: use the new fbx64.efi and mm64.efi as fallback.efi and MokManager.efi +- Provide: "shim" in x64 and aa64 builds + +* Thu Aug 24 2017 Peter Jones - 13-0.2 +- Obsolete old shim builds. + +* Tue Aug 22 2017 Peter Jones - 13-0.1 +- Initial (partially unsigned) build for multi-arch support on x64/ia32. + +* Thu Mar 23 2017 Petr Šabata - 0.8-9 +- Re-enable dist tag for module builds + +* Tue Feb 17 2015 Peter Jones - 0.8-8 +- Don't dual-sign shim-%%{efidir}.efi either. + Resolves: rhbz#1184765 + +* Tue Feb 17 2015 Peter Jones - 0.8-8 +- Require dbxtool + +* Wed Dec 17 2014 Peter Jones - 0.8-7 +- Wrong -signed changes got built for aarch64 last time, for dumb reasons. + Related: rhbz#1170289 + +* Fri Dec 05 2014 Peter Jones - 0.8-6 +- Rebuild once more so we can use a different -unsigned version on different + arches (because we can't tag a newer build into aarch64 without an x86 + update to match.) + Related: rhbz#1170289 + +* Wed Dec 03 2014 Peter Jones - 0.8-5 +- Rebuild for aarch64 path fixes + Related: rhbz#1170289 + +* Thu Oct 30 2014 Peter Jones - 0.8-2 +- Remove the dist tag so people don't complain about what it says. + +* Fri Oct 24 2014 Peter Jones - 0.8-1 +- Update to shim 0.8 + rhbz#1148230 + rhbz#1148231 + rhbz#1148232 +- Handle building on aarch64 as well + +* Fri Jul 18 2014 Peter Jones - 0.7-2 +- Don't do multi-signing; too many machines screw up verification. + Resolves: rhbz#1049749 + +* Wed Nov 13 2013 Peter Jones - 0.7-1 +- Update to shim 0.7 + Resolves: rhbz#1023767 + +* Thu Oct 24 2013 Peter Jones - 0.5-1 +- Update to shim 0.5 + +* Thu Jun 20 2013 Peter Jones - 0.4-1 +- Provide a fallback for uninitialized Boot#### and BootOrder + Resolves: rhbz#963359 +- Move all signing from shim-unsigned to here +- properly compare our generated hash from shim-unsigned with the hash of + the signed binary (as opposed to doing it manually) + +* Fri May 31 2013 Peter Jones - 0.2-4.4 +- Re-sign to get alignments that match the new specification. + Resolves: rhbz#963361 + +* Thu Feb 14 2013 Fedora Release Engineering - 0.2-4.3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 02 2013 Peter Jones - 0.2-3.3 +- Add obsoletes and provides for earlier shim-signed packages, to cover + the package update cases where previous versions were installed. + Related: rhbz#888026 + +* Mon Dec 17 2012 Peter Jones - 0.2-3.2 +- Make the shim-unsigned dep be on the subpackage. + +* Sun Dec 16 2012 Peter Jones - 0.2-3.1 +- Rebuild to provide "shim" package directly instead of just as a Provides: + +* Sat Dec 15 2012 Peter Jones - 0.2-3 +- Also provide shim-fedora.efi, signed only by the fedora signer. +- Fix the fedora signature on the result to actually be correct. +- Update for shim-unsigned 0.2-3 + +* Mon Dec 03 2012 Peter Jones - 0.2-2 +- Initial build