it's indeed not really nice that we have to resort to this but we
found no good alternative so this is by design -> avoid erroring out
on lintian checking.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
this should ensure that a shim-signed package from a non-Proxmox repository
cannot overtake ours, even if the version is newer. since
proxmox-secure-boot-support is optional, this is entirely opt-in.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Uploading grub is a two-step process, where code-signing is done
through an HSM on a separate, isolated, and secured host.
So, it happens that the repo contains the newer proxmox-grub already
but still the old signed shim, with throws of our check that ensures
installability w.r.t. dependency constraints in the whole repo.
Allowing both versions is additionally providing some slightly better
UX, as users can more easily downgrade (without scary apt removal
warnings).
We might to have to do the same for the shim, but wait for that until
we actually have a newer version that is supported and asses then if
that's OK w.r.t. security promises to factory provided secure boot
project.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
Got recently bumped for an opt-in quirk added to grub-mkrescue to
support installing the secure boot shim on our ISO.
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
