diff --git a/debian/changelog b/debian/changelog index 79d7966..4afcdf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -9,9 +9,11 @@ shim (12+1503074702.5202f80-0ubuntu1) UNRELEASED; urgency=medium makes it possible to build a shim for other architectures than amd64. - Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built at compile-time for MokManager and fallback. + - Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback + and MokManager. * debian/patches/second-stage-path: dropped; the default loader path now includes an arch suffix. - * debian/patches/sbsigntool-no-pesign: refreshed. + * debian/patches/sbsigntool-no-pesign: dropped; no longer needed.. * debian/patches/0001-shim-fix-the-mirroring-MokSBState-fail.patch: dropped, included upstream. diff --git a/debian/patches/sbsigntool-not-pesign b/debian/patches/sbsigntool-not-pesign deleted file mode 100644 index 1220cab..0000000 --- a/debian/patches/sbsigntool-not-pesign +++ /dev/null @@ -1,26 +0,0 @@ -Description: Sign MokManager with sbsigntool instead of pesign - Ubuntu infrastructure uses sbsigntool for all other EFI signing, so we use - the same thing for signing MokManager with our ephemeral key. This also - avoids an additional build dependency on libnss3-tools. -Author: Steve Langasek -Forwarded: not-needed - ---- - Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -Index: b/Makefile -=================================================================== ---- a/Makefile -+++ b/Makefile -@@ -206,8 +206,8 @@ endif - -j .note.gnu.build-id \ - $(FORMAT) $^ $@.debug - --%.efi.signed: %.efi certdb/secmod.db -- $(PESIGN) -n certdb -i $< -c "shim" -s -o $@ -f -+%.efi.signed: %.efi shim.crt -+ sbsign --key shim.key --cert shim.crt $< - - clean: - $(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean diff --git a/debian/patches/series b/debian/patches/series index b8e0e10..e69de29 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +0,0 @@ -sbsigntool-not-pesign diff --git a/debian/rules b/debian/rules index b5f2136..3dc47ae 100755 --- a/debian/rules +++ b/debian/rules @@ -24,6 +24,7 @@ override_dh_auto_build: MAKELEVEL=0 \ EFI_PATH=/usr/lib \ ENABLE_SHIM_CERT=1 \ + ENABLE_SBSIGN=1 \ VENDOR_CERT_FILE=$(cert) override_dh_fixperms: