d/control: support last two grub versions as valid dependency

Uploading grub is a two-step process, where code-signing is done
through an HSM on a separate, isolated, and secured host.
So, it happens that the repo contains the newer proxmox-grub already
but still the old signed shim, which throws off our check that ensures
installability w.r.t. dependency constraints in the whole repo.

Allowing both versions is additionally providing some slightly better
UX, as users can more easily downgrade (without scary apt removal
warnings).

We might have to do the same for the shim, but wait for that until
we actually have a newer version that is supported and assess then if
that's OK w.r.t. security promises to factory provided secure boot
project.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Thomas Lamprecht 2024-04-19 10:41:51 +02:00
parent b5f1f85213
commit ceba4531c9

debian/control vendored

@ -9,8 +9,10 @@ Package: proxmox-secure-boot-support
Architecture: amd64
Section: admin
Priority: optional
Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx2),
proxmox-grub (= 2.06-13+pmx2),
# NOTE: always keep the last two grub versions as valid dependency to allow users to downgrade
# easily on issues and to make our repo upload simpler w.r.t. satisfying dependencies
Depends: grub-efi-amd64-signed (= 1+2.06+13+pmx1) | grub-efi-amd64-signed (= 1+2.06+13+pmx2),
proxmox-grub (= 2.06-13+pmx1) | proxmox-grub (= 1+2.06+13+pmx2),
shim-helpers-amd64-signed (= 1+15.7+1+pmx1),
shim-signed (= 1.39+pmx1+15.7-1+pmx1),
shim-unsigned (= 15.7-1+pmx1),
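
Review bot: The second alternative on the new `proxmox-grub` line, `proxmox-grub (= 1+2.06+13+pmx2)`, uses the version scheme of `grub-efi-amd64-signed` rather than that of `proxmox-grub`: the line being replaced pinned `proxmox-grub (= 2.06-13+pmx2)` and the first alternative here is `2.06-13+pmx1`. As written, a `proxmox-grub` package versioned `2.06-13+pmx2` would not match either alternative, so only pmx1 satisfies the dependency and the stated goal of accepting the last two versions is not met for this package. Suggest `proxmox-grub (= 2.06-13+pmx1) | proxmox-grub (= 2.06-13+pmx2)`. Separately, the two `|` groups are evaluated independently, so within this stanza a pmx1 `grub-efi-amd64-signed` together with a pmx2 `proxmox-grub` (or the reverse) also satisfies `Depends`; if mixed signed/unsigned pairs are not intended for the secure boot setup, it would help to say in the NOTE comment what keeps the pair in lockstep.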