Tweak building with pesign changes

We used to use efisiglist to generate the DBX list. Newer versions of the pesign package don't include it any more, and the recommended replacement tool is now efisecdb from efivar. Tweak the generate_dbx_list script to work with both old and new. Let's make backports easy...
2025-10-04 15:45:08 +00:00 · 2023-11-01 23:37:50 +00:00 · 2023-11-01 23:37:50 +00:00 · 7686debad8
commit 7686debad8
parent e02f5a2563
3 changed files with 35 additions and 5 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,9 @@
+shim (15.7-2) UNRELEASED; urgency=medium
+
+  * Cope with changes in pesign packaging.
+
+ -- Steve McIntyre <93sam@debian.org>  Wed, 01 Nov 2023 23:35:52 +0000
+
 shim (15.7-1) unstable; urgency=medium

  * New upstream release fixing more bugs
--- a/debian/control
+++ b/debian/control
@ -12,6 +12,8 @@ Build-Depends: debhelper-compat (= 12),
 	       gcc-12,
 	       dos2unix,
 	       pesign (>= 0.112-5),
+	       efivar,
+	       uuid-runtime,
 	       xxd,
 	       libefivar-dev
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
--- a/debian/generate_dbx_list
+++ b/debian/generate_dbx_list
@ -17,11 +17,33 @@ IN=$2
 OUT=$3

 rm -f $OUT
-for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
-		  awk '{print $1}' | sort | uniq); do
-    echo "  Adding $HASH to dbx list"
-    efisiglist -o $OUT -a -h $HASH
-done
+if [ -x /usr/bin/efisiglist ] ; then
+    # Older versions of the pesign package included the efisiglist
+    # utility. If we have that, use it.
+    for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+		      awk '{print $1}' | sort | uniq); do
+	echo "  Adding $HASH to dbx list"
+	efisiglist -o $OUT -a -h $HASH
+    done
+else
+    # It appears we don't have efisiglist, so use efisecdb
+    # instead. It's a little more awkward to drive.
+    UUID=$(uuidgen)
+    INTMP="" # First pass
+    for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+		      awk '{print $1}' | sort | uniq); do
+	echo "  Adding $HASH to dbx list"
+	efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT
+
+	# Subsequent passes need to read the previous output as input
+	# each time, and won't overwrite the output.
+	mv -f $OUT $OUT.in
+	INTMP="-i $OUT.in"
+    done
+    if [ -f $OUT.in ]; then
+	mv -f $OUT.in $OUT
+    fi
+fi

 # If we have an empty hashes file, create an empty DBX file
 touch $OUT