control: tags -1 +pending
Hsy guys,
Sorry, I've not been updating bugs here enough to share progress.
I've had changes for this ready for some time, just not pushed yet.
The shim 16.0 release has already happened upstream, and it passes CI
for me locally.
*However*, we're waiting on a bugfix for
https://github.com/rhboot/shim/issues/74
which is a show-stopper bug for secure boot chains where UKIs are
going to be a thing. A fix is coming Real Soon Now, I've been
promised. That's going to prompt a 16.1 release.
In the meantime, I really don't want to upload a 16.0 build, as that
makes things much more awkward in terms of the signing pipeline (etc.)
On Fri, Apr 11, 2025 at 09:11:38PM +0200, Emanuele Rocca wrote:
Hello Niels,
On 2024-12-28 01:06, Niels Thykier wrote:
Please review attached as an example of how to fix this problem.
Note: Untested, since I was doing my testing on amd64.
LGTM. I applied your patch and built the package with a regular user as >follows:
$ dpkg-buildpackage -us -uc -b -rfakeroot
The signed files in the resulting binary have the right user, group, and >permissions:
$ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F .signed
-rw-r--r-- root/root 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rw-r--r-- root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed
As far as I understand though, the shim-helpers-arm64-signed source
package is generated by shim. I think the file we want to change is >debian/signing-template/rules in the shim sources. Ditto for >debian/signing-template/control.in.
See attached patch.
diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
index 9d75d92..3d02823 100644
--- a/debian/signing-template/control.in
+++ b/debian/signing-template/control.in
@@ -2,6 +2,7 @@ Source: shim-helpers-@arch@-signed
Section: admin
Priority: optional
Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Rules-Requires-Root: no
Standards-Version: 4.3.0
Build-Depends: debhelper (>= 10.1~),
sbsigntool [amd64 arm64 i386],
diff --git a/debian/signing-template/rules b/debian/signing-template/rules >index a972e7d..f034f83 100755
--- a/debian/signing-template/rules
+++ b/debian/signing-template/rules
@@ -9,8 +9,8 @@ override_dh_auto_install:
set -e ; \
find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
while read sig; do \
- install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
- install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
+ install -m 0755 -d "debian/tmp/$${sig%/*}" ; \
+ install -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
done
--
Steve McIntyre, Cambridge, UK.
steve@einval.com < Aardvark> I dislike C++ to start with. C++11 just seems to be
handing rope-creating factories for users to hang multiple
instances of themselves.
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)