Disable ephemeral key on Debian

shim creates an ephemeral key, which gets embedded into shim and is used to sign the corresponding mok-manager (mm*.efi) and fall-back-manager (fb*.efi). This makes the build unreproducible. For Debian we will get those two binaries signed by our Debian-UEFI-CA, which is the primary (and only) key embedded in shim.
2025-10-04 11:58:25 +00:00 · 2018-04-07 13:06:30 +02:00 · 2018-04-07 13:06:30 +02:00 · e914483c5b
commit e914483c5b
parent 4bb202a099
2 changed files with 3 additions and 3 deletions
--- a/debian/changelog
+++ b/debian/changelog
@ -2,6 +2,7 @@ shim (15+1533136590.3beb971-3) UNRELEASED; urgency=medium

  [ Philipp Hahn ]
  * debian/rules: fixing permissions no longer required
+  * debian/rules: Disable ephemeral key on Debian.

 -- Luca Boccassi <bluca@debian.org>  Fri, 15 Feb 2019 19:50:10 +0000

--- a/debian/rules
+++ b/debian/rules
@ -7,6 +7,7 @@
 ifeq ($(shell dpkg-vendor --is ubuntu && echo yes),yes)
 	cert=debian/canonical-uefi-ca.der
 	distributor=ubuntu
+COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
 else
 	cert=debian/debian-uefi-ca.der
 	distributor=debian
@ -24,14 +25,12 @@ ifeq ($(DEB_HOST_ARCH),i386)
 export EFI_ARCH := ia32
 endif

-COMMON_OPTIONS = \
+COMMON_OPTIONS += \
 	RELEASE=15 \
 	COMMIT_ID=3beb971b10659cf78144ddc5eeea83501384440c \
 	MAKELEVEL=0 \
 	EFI_PATH=/usr/lib \
 	ENABLE_HTTPBOOT=true \
-	ENABLE_SHIM_CERT=1 \
-	ENABLE_SBSIGN=1 \
 	VENDOR_CERT_FILE=$(cert) \
 	EFIDIR=$(distributor) \
 	$(NULL)