mirror of
https://git.proxmox.com/git/efi-boot-shim
synced 2025-11-02 18:17:01 +00:00
de3def7f53
Only include the hashes for the architecture we're building for - no point in adding bloat and delay here. Add a script "block_signed_deb" to scan a set of .deb files, extract the hashes for .efi binaries and list them in the format wanted for the dbx hashes file. Split out the code to use that file from the rules file into a separate helper.
23 lines
691 B
Plaintext
23 lines
691 B
Plaintext
# debian-dbx.hashes
|
|
#
|
|
# This file contains the sha256 sums of the binaries that we want to
|
|
# blacklist directly in our signed shim. Add entries below, with comments
|
|
# to explain each entry (where possible).
|
|
#
|
|
# The data in this file needs should be of the form:
|
|
#
|
|
# <hex-encoded sha256 checksums> <arch>
|
|
#
|
|
# All other lines will be ignored. I'm using shell-style comments just
|
|
# for clarity.
|
|
#
|
|
# The hashes are generated using:
|
|
#
|
|
# pesign --hash --padding --in <binary>
|
|
#
|
|
# on *either* the signed or unsigned binary, pesign doesn't care
|
|
# which. See the helper script block_signed_deb for an easy way to
|
|
# generate this information.
|
|
|
|
# ... This file intentionally left blank for now ...
|