From ceba4531c9a62435b36e46ac6224a0507b12e21b Mon Sep 17 00:00:00 2001 From: Thomas Lamprecht Date: Fri, 19 Apr 2024 10:41:51 +0200 Subject: [PATCH] d/control: support last two grub versions as valid dependency Uploading grub is a two-step process, where code-signing is done through an HSM on a separate, isolated, and secured host. So, it happens that the repo contains the newer proxmox-grub already but still the old signed shim, with throws of our check that ensures installability w.r.t. dependency constraints in the whole repo. Allowing both versions is additionally providing some slightly better UX, as users can more easily downgrade (without scary apt removal warnings). We might to have to do the same for the shim, but wait for that until we actually have a newer version that is supported and asses then if that's OK w.r.t. security promises to factory provided secure boot project. Signed-off-by: Thomas Lamprecht --- debian/control | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/debian/control b/debian/control index f4b5a76..bcfb523 100644 --- a/debian/control +++ b/debian/control @@ -9,8 +9,10 @@ Package: proxmox-secure-boot-support Architecture: amd64 Section: admin Priority: optional -Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx2), - proxmox-grub (= 2.06-13+pmx2), +# NOTE: always keep the last two grub versions as valid dependency to allow users to downgrade +# easily on issues and to make our repo upload simpler w.r.t. satisfying dependencies +Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx1) | grub-efi-amd64-signed (= 1+2.06+13+pmx2), + proxmox-grub (= 2.06-13+pmx1) | proxmox-grub (= 1+2.06+13+pmx2), shim-helpers-amd64-signed (= 1+15.7+1+pmx1), shim-signed (= 1.39+pmx1+15.7-1+pmx1), shim-unsigned (= 15.7-1+pmx1),