Remove potential confusion with shim-signed. We will now end up with
shim-helpers-$arch-signed to make it clear that they just contain the
helper binaries (fb.efi and mm.efi)
Lintian parses the shebang in the rules files of the templates packages
and complains that there is no dependency on make. But they are special
packages, so override it.
as all EFI binaries are now unsigned. They are useless to any normal
user as
- shim is useless without being signed by an external UEFI CA.
- mm and fb won't be loaded by shim as they are now no longer linked to
corresponding shim by the ephemeral key any longer.
shim creates an ephemeral key, which gets embedded into shim and is used
to sign the corresponding mok-manager (mm*.efi) and fall-back-manager
(fb*.efi).
This makes the build unreproducible.
For Debian we will get those two binaries signed by our Debian-UEFI-CA,
which is the primary (and only) key embedded in shim.
- debian/patches/second-stage-path: dropped; the default loader path now
includes an arch suffix.
- debian/patches/sbsigntool-no-pesign: dropped; no longer needed.
* Drop remaining patches that were not being applied.
* Sync packaging from Ubuntu:
- debian/copyright: Update upstream source location.
- debian/control: add a Build-Depends on libelf-dev.
- Enable arm64 build.
- debian/patches/fixup_git.patch: don't run git in clean; we're not
really in a git tree.
- debian/rules, debian/shim.install: use the upstream install target as
intended, and move files to the target directory using dh_install.
- define RELEASE and COMMIT_ID for the snapshot.
- Set ENABLE_HTTPBOOT to enable the HTTP Boot feature.
- Update dh_auto_build/dh_auto_clean/dh_auto_install for new upstream
options: set MAKELEVEL.
- Define an EFI_ARCH variable, and use that for paths to shim. This
makes it possible to build a shim for other architectures than amd64.
- Set EFIDIR=$distro for dh_auto_install; that will let files be installed
in the "right" final directories, and makes boot.csv for us.
- Set ENABLE_SHIM_CERT, to keep using ephemeral self-signed certs built
at compile-time for MokManager and fallback.
- Set ENABLE_SBSIGN, to use sbsign instead of pesign for signing fallback
and MokManager.
