From 9b91206a20fa9e842f336647a18afc5d7e67327a Mon Sep 17 00:00:00 2001 From: Steve McIntyre Date: Sat, 4 May 2024 14:36:15 +0100 Subject: [PATCH] Install a copy of the Debian CA certificate into /usr/share/shim. Closes: #1069054 --- debian/changelog | 2 ++ debian/rules | 2 ++ debian/shim-unsigned.dirs | 1 + 3 files changed, 5 insertions(+) create mode 100644 debian/shim-unsigned.dirs diff --git a/debian/changelog b/debian/changelog index 168e0ea..19f33d9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -17,6 +17,8 @@ shim (15.8-1~deb12u1) bookworm; urgency=medium * Force shim to use the latest revocations by default to block some older grub / peimage issues. This is: "shim,4\ngrub,4\ngrub.peimage,2\n" + * Install a copy of the Debian CA certificate into /usr/share/shim. + Closes: #1069054 [ Bastien Roucariès ] * Port autopkgtest from ubuntu diff --git a/debian/rules b/debian/rules index 5edabe1..363bcb2 100755 --- a/debian/rules +++ b/debian/rules @@ -87,6 +87,8 @@ override_dh_auto_install: # not needed for our build and causes debhelper to complain rm -f debian/tmp/boot/efi/EFI/BOOT/BOOT*.EFI + install -m 644 $(cert) debian/shim-unsigned/usr/share/shim + # Generate the template packages that we'll use for SB signing later ./debian/signing-template.generate diff --git a/debian/shim-unsigned.dirs b/debian/shim-unsigned.dirs new file mode 100644 index 0000000..01c0a05 --- /dev/null +++ b/debian/shim-unsigned.dirs @@ -0,0 +1 @@ +/usr/share/shim
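Review bot: In the debian/rules hunk, the added `install -m 644 $(cert) debian/shim-unsigned/usr/share/shim` only does the right thing if that path already exists as a directory; if it does not, install silently writes a regular file named `shim` instead of failing. The directory comes from the new debian/shim-unsigned.dirs, so the recipe presumably relies on dh_installdirs having run before override_dh_auto_install, which nothing in the hunk shows. Making the destination explicit removes that coupling: `install -D -m 644 -t debian/shim-unsigned/usr/share/shim $(cert)`. A one-line comment above it, such as `# Reference copy of the Debian CA certificate, see #1069054`, would also help, because `$(cert)` is defined outside this hunk and a reader cannot tell from here which file ends up in the package. The recipe starts above the hunk and continues after it.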