From e914483c5becf89cd8ed0acf489b921a42e50b05 Mon Sep 17 00:00:00 2001
From: Philipp Hahn
Date: Sat, 7 Apr 2018 13:06:30 +0200
Subject: [PATCH] Disable ephemeral key on Debian

shim creates an ephemeral key, which gets embedded into shim and is used to sign the corresponding mok-manager (mm*.efi) and fall-back-manager (fb*.efi). This makes the build unreproducible. For Debian we will get those two binaries signed by our Debian-UEFI-CA, which is the primary (and only) key embedded in shim.
---
 debian/changelog | 1 +
 debian/rules | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index c6ad40d..0c22f57 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
 
 [ Philipp Hahn ]
 * debian/rules: fixing permissions no longer required
+ * debian/rules: Disable ephemeral key on Debian.
 
 -- Luca Boccassi Fri, 15 Feb 2019 19:50:10 +0000
 
diff --git a/debian/rules b/debian/rules
index 06c7b42..39cab2d 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,7 @@
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 cert=debian/canonical-uefi-ca.der
 distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
 cert=debian/debian-uefi-ca.der
 distributor=debian
@@ -24,14 +25,12 @@ ifeq ($(DEB_HOST_ARCH),i386)
 export EFI_ARCH := ia32
 endif
 
-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
 RELEASE=15 \
 COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
 MAKELEVEL=0 \
 EFI_PATH=/usr/lib \
 ENABLE_HTTPBOOT=true \
- ENABLE_SHIM_CERT=1 \
- ENABLE_SBSIGN=1 \
 VENDOR_CERT_FILE=$(cert) \
 EFIDIR=$(distributor) \
 $(NULL)
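Review bot: The `?=` on the added `COMMON_OPTIONS` line in the ubuntu branch, together with the switch from `=` to `+=` in the second debian/rules hunk, means the variable is no longer assigned unconditionally, so a `COMMON_OPTIONS` inherited from the build environment now reaches the shim build on both vendors. On the Debian branch nothing initialises it before the `+=`, so an inherited value containing `ENABLE_SHIM_CERT=1` would presumably bring back the ephemeral key this commit is meant to remove, while on Ubuntu an inherited value silently suppresses the `?=` default. If that override is not intended, write `COMMON_OPTIONS = ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1` here and add an explicit empty `COMMON_OPTIONS =` to the `else` branch. The `endif` closing this conditional lies outside the hunk.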
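Review bot: Nothing in debian/rules records why `ENABLE_SHIM_CERT` and `ENABLE_SBSIGN` were taken out of the shared option list; the rationale exists only in the commit message. A comment directly above `COMMON_OPTIONS += \` would keep a later maintainer from restoring them for all vendors, for example `# ENABLE_SHIM_CERT/ENABLE_SBSIGN are set per vendor above: Debian embeds no ephemeral key; mm*.efi and fb*.efi are signed by the Debian UEFI CA.` Since the options decide which keys the resulting shim trusts, the vendor split is worth stating next to the assignment itself.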