diff --git a/debian/changelog b/debian/changelog
index 1acd3a2..dd5cbdd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shim (15.7-2) UNRELEASED; urgency=medium
+
+ * Cope with changes in pesign packaging.
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 01 Nov 2023 23:35:52 +0000
+
 shim (15.7-1) unstable; urgency=medium
 
 * New upstream release fixing more bugs
diff --git a/debian/control b/debian/control
index c8a753b..e251e91 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,8 @@ Build-Depends: debhelper-compat (= 12),
 gcc-12,
 dos2unix,
 pesign (>= 0.112-5),
+ efivar,
+ uuid-runtime,
 xxd,
 libefivar-dev
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
diff --git a/debian/generate_dbx_list b/debian/generate_dbx_list
index 95ec3e9..db9dc0f 100755
--- a/debian/generate_dbx_list
+++ b/debian/generate_dbx_list
@@ -17,11 +17,33 @@ IN=$2
 OUT=$3
 
 rm -f $OUT
-for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
- awk '{print $1}' | sort | uniq); do
- echo " Adding $HASH to dbx list"
- efisiglist -o $OUT -a -h $HASH
-done
+if [ -x /usr/bin/efisiglist ] ; then
+ # Older versions of the pesign package included the efisiglist
+ # utility. If we have that, use it.
+ for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+ awk '{print $1}' | sort | uniq); do
+ echo " Adding $HASH to dbx list"
+ efisiglist -o $OUT -a -h $HASH
+ done
+else
+ # It appears we don't have efisiglist, so use efisecdb
+ # instead. It's a little more awkward to drive.
+ UUID=$(uuidgen)
+ INTMP="" # First pass
+ for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+ awk '{print $1}' | sort | uniq); do
+ echo " Adding $HASH to dbx list"
+ efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT
+
+ # Subsequent passes need to read the previous output as input
+ # each time, and won't overwrite the output.
+ mv -f $OUT $OUT.in
+ INTMP="-i $OUT.in"
+ done
+ if [ -f $OUT.in ]; then
+ mv -f $OUT.in $OUT
+ fi
+fi
 
 # If we have an empty hashes file, create an empty DBX file
 touch $OUT
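Review bot: The efisecdb call in the new else branch has its exit status ignored, so a failed pass likely leaves the previous `$OUT.in` in place (silently dropping that hash) or, on the first pass, leaves nothing at all, and the trailing `touch $OUT` then yields a short or empty dbx list with no error. Since this file is the revocation list, a failure here should stop the build: `efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT || exit 1`, and likewise for `mv -f $OUT $OUT.in`. The script starts above this hunk, so if `set -e` is already enabled there the failure is caught; that line is not visible here. Separately, `UUID=$(uuidgen)` passes a fresh owner GUID to `-g` on every run, which presumably makes the generated list differ between otherwise identical builds; a fixed GUID would keep the output stable.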