Disable ephemeral key on Debian

shim creates an ephemeral key, which gets embedded into shim and is used
to sign the corresponding mok-manager (mm*.efi) and fall-back-manager
(fb*.efi).
This makes the build unreproducible.

For Debian we will get those two binaries signed by our Debian-UEFI-CA,
which is the primary (and only) key embedded in shim.

debian/changelog

@@ -2,6 +2,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium
 
   [ Philipp Hahn ]
   * debian/rules: fixing permissions no longer required
+  * debian/rules: Disable ephemeral key on Debian.
 
  -- Luca Boccassi <bluca@debian.org>  Fri, 15 Feb 2019 19:50:10 +0000
 

debian/rules

@@ -7,6 +7,7 @@
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 	cert=debian/canonical-uefi-ca.der
 	distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
 	cert=debian/debian-uefi-ca.der
 	distributor=debian
@@ -24,14 +25,12 @@ ifeq ($(DEB_HOST_ARCH),i386)
 export EFI_ARCH := ia32
 endif
 
-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
 	RELEASE=15 \
 	COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
 	MAKELEVEL=0 \
 	EFI_PATH=/usr/lib \
 	ENABLE_HTTPBOOT=true \
-	ENABLE_SHIM_CERT=1 \
-	ENABLE_SBSIGN=1 \
 	VENDOR_CERT_FILE=$(cert) \
 	EFIDIR=$(distributor) \
 	$(NULL)