From ea1c89b047eb4b071efb533808b7d6ca6ae6e719 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Wed, 25 Jun 2014 10:03:08 -0400
Subject: [PATCH] Exclude ca.crt while signing EFI images

If ca.crt was added into the certificate database, ca.crt would be the first
certificate in the signature. Because shim couldn't verify ca.crt with the
embedded shim.cer, it failed to load MokManager.efi.signed and
fallback.efi.signed.

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
 Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile b/Makefile
index 46e5ef9..df190a2 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,6 @@ version.c : version.c.in
 
 certdb/secmod.db: shim.crt
 	-mkdir certdb
-	certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
 	pk12util -d certdb/ -i shim.p12 -W "" -K ""
 	certutil -d certdb/ -A -i shim.crt -n shim -t u