[shim-signed] Update to shim 0.8

Peter Jones pjones at fedoraproject.org
Fri Oct 24 22:15:32 UTC 2014 

commit e5d6859b97ca4c18493b17ecb44bff8ebefe9b49
Author: Peter Jones <pjones at redhat.com>
Date:   Fri Oct 24 18:09:20 2014 -0400

    Update to shim 0.8
    
      rhbz#1148230
      rhbz#1148231
      rhbz#1148232
    - Handle building on aarch64 as well
    
    Signed-off-by: Peter Jones <pjones at redhat.com>

 .gitignore       |    4 ++--
 shim-signed.spec |   46 ++++++++++++++++++++++++++++++++++++----------
 sources          |    3 ++-
 3 files changed, 40 insertions(+), 13 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e7dbb40..f9ae468 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-/shim.efi
-/BOOT.CSV
+BOOT.CSV
+shim*.efi
diff --git a/shim-signed.spec b/shim-signed.spec
index 8422ca1..2fda94e 100644
--- a/shim-signed.spec
+++ b/shim-signed.spec
@@ -1,13 +1,20 @@
+%ifarch x86_64
+%global efiarch x64
+%endif
+%ifarch aarch64
+%global efiarch aa64
+%endif
+
 Name:           shim-signed
-Version:        0.7
-Release:        2%{?dist}
+Version:        0.8
+Release:        1%{?dist}
 Summary:        First-stage UEFI bootloader
 Provides:	shim = %{version}-%{release}
-%define unsignedver %{version}-1%{?dist}
+%define unsignedver 0.8-1%{?dist}
 
 License:        BSD
 URL:            http://www.codon.org.uk/~mjg59/shim/
-Source0:	shim.efi
+Source0:	shim%{efiarch}.efi
 Source1:	BOOT.CSV
 
 BuildRequires: shim-unsigned = %{unsignedver}
@@ -17,7 +24,7 @@ BuildRequires: pesign >= 0.100-1%{dist}
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
 # POSIX-style C library.
 # BuildRequires: OpenSSL
-Provides: bundled(openssl) = 0.9.8w
+Provides: bundled(openssl) = 0.9.8zb
 
 # Shim is only required on platforms implementing the UEFI secure boot
 # protocol. The only one of those we currently wish to support is 64-bit x86.
@@ -34,6 +41,9 @@ ExclusiveArch: x86_64
 %global efidir fedora
 %endif
 
+%define ca_signed_arches x86_64
+%define rh_signed_arches x86_64 aarch64
+
 %description
 Initial UEFI bootloader that handles chaining to a trusted full bootloader
 under secure boot environments. This package contains the version signed by
@@ -41,8 +51,7 @@ the UEFI signing service.
 
 %package -n shim
 Summary: First-stage UEFI bootloader
-Requires: shim-unsigned = %{unsignedver}
-Requires: mokutil = %{unsignedver}
+Requires: mokutil >= 1:0.2.0-1
 Provides: shim-signed = %{version}-%{release}
 Obsoletes: shim-signed < %{version}-%{release}
 
@@ -61,13 +70,23 @@ mkdir shim-signed-%{version}
 %define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
 
 cd shim-signed-%{version}
+%ifarch %{ca_signed_arches}
 pesign -i %{SOURCE0} -h -P > shim.hash
 if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then
 	echo Invalid signature\! > /dev/stderr
 	exit 1
 fi
 cp %{SOURCE0} shim.efi
-%pesign -s -i %{_datadir}/shim/shim.efi -o shim-fedora.efi
+%endif
+%ifarch %{rh_signed_arches}
+%pesign -s -i shim.efi -o shim-%{efidir}.efi
+%endif
+%ifarch %{rh_signed_arches}
+%ifnarch %{ca_signed_arches}
+cp shim-%{efidir}.efi shim.efi
+%endif
+%endif
+
 %pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi
 %pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi
 
@@ -76,7 +95,7 @@ rm -rf $RPM_BUILD_ROOT
 cd shim-signed-%{version}
 install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
 install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
-install -m 0644 shim-fedora.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-fedora.efi
+install -m 0644 shim-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
 install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
 install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
 
@@ -86,13 +105,20 @@ install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
 
 %files -n shim
 /boot/efi/EFI/%{efidir}/shim.efi
-/boot/efi/EFI/%{efidir}/shim-fedora.efi
+/boot/efi/EFI/%{efidir}/shim-%{efidir}.efi
 /boot/efi/EFI/%{efidir}/MokManager.efi
 /boot/efi/EFI/%{efidir}/BOOT.CSV
 /boot/efi/EFI/BOOT/BOOTX64.EFI
 /boot/efi/EFI/BOOT/fallback.efi
 
 %changelog
+* Fri Oct 24 2014 Peter Jones <pjones at redhat.com> - 0.8-1
+- Update to shim 0.8
+  rhbz#1148230
+  rhbz#1148231
+  rhbz#1148232
+- Handle building on aarch64 as well
+
 * Fri Jul 18 2014 Peter Jones <pjones at redhat.com> - 0.7-2
 - Don't do multi-signing; too many machines screw up verification.
   Resolves: rhbz#1049749
diff --git a/sources b/sources
index f977def..5b1882a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
 49acd7f998e96a9e10fded83ee71086b  BOOT.CSV
-aa8eae148f6ac90c370eb50c88b974e1  shim.efi
+abd377408acc02ee7f2f16320ee9b49a  shimx64.efi
+7d02a6fcbc097efb2c0e3d462a8916b3  shimaa64.efi

More information about the scm-commits mailing list