• Bug#1089433: shim-helpers-arm64-signed: Supporting rootless builds by d

    From Steve McIntyre@21:1/5 to Emanuele Rocca on Thu Apr 17 18:00:01 2025
    control: tags -1 +pending

    Hey guys,

    Sorry, I've not been updating bugs here enough to share progress.

    I've had changes for this ready for some time, just not pushed yet.

    The shim 16.0 release has already happened upstream, and it passes CI
    for me locally.

    *However*, we're waiting on a bugfix for

    https://github.com/rhboot/shim/issues/74

    which is a show-stopper bug for secure boot chains where UKIs are
    going to be a thing. A fix is coming Real Soon Now, I've been
    promised. That's going to prompt a 16.1 release.

    In the meantime, I really don't want to upload a 16.0 build, as that
    makes things much more awkward in terms of the signing pipeline (etc.)

    On Fri, Apr 11, 2025 at 09:11:38PM +0200, Emanuele Rocca wrote:
    Hello Niels,

    On 2024-12-28 01:06, Niels Thykier wrote:
    Please review attached as an example of how to fix this problem.

    Note: Untested, since I was doing my testing on amd64.

    LGTM. I applied your patch and built the package with a regular user as follows:

    $ dpkg-buildpackage -us -uc -b -rfakeroot

    The signed files in the resulting binary have the right user, group, and permissions:

    $ dpkg --contents shim-helpers-arm64-signed_1+15.8+1+nmu1_arm64.deb | grep -F .signed
    -rw-r--r-- root/root 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
    -rw-r--r-- root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed

    As far as I understand though, the shim-helpers-arm64-signed source
    package is generated by shim. I think the file we want to change is debian/signing-template/rules in the shim sources. Ditto for debian/signing-template/control.in.

    See attached patch.

    diff --git a/debian/signing-template/control.in b/debian/signing-template/control.in
    index 9d75d92..3d02823 100644
    --- a/debian/signing-template/control.in
    +++ b/debian/signing-template/control.in
    @@ -2,6 +2,7 @@ Source: shim-helpers-@arch@-signed
    Section: admin
    Priority: optional
    Maintainer: Debian EFI team <debian-efi@lists.debian.org>
    +Rules-Requires-Root: no
    Standards-Version: 4.3.0
    Build-Depends: debhelper (>= 10.1~),
    sbsigntool [amd64 arm64 i386],
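    Review bot: the added `Rules-Requires-Root: no` is a promise that nothing in the generated package's rules needs root, and it is also what makes debhelper build the .deb with `dpkg-deb --root-owner-group`, which is the only thing left that turns the build-user-owned files in debian/tmp into the root/root entries shown in the `dpkg --contents` output above. The unchanged `Build-Depends: debhelper (>= 10.1~)` two lines below predates debhelper's Rules-Requires-Root handling; bump that build-dependency (or the compat level) to a version that honours the field, otherwise an older toolchain will silently ignore it and package files owned by the builder.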
    diff --git a/debian/signing-template/rules b/debian/signing-template/rules >index a972e7d..f034f83 100755
    --- a/debian/signing-template/rules
    +++ b/debian/signing-template/rules
    @@ -9,8 +9,8 @@ override_dh_auto_install:
    set -e ; \
    find "$(SIG_DIR)" -name '*.sig' -printf '%P\n' | \
    while read sig; do \
    - install -o 0 -g 0 -m 0755 -d "debian/tmp/$${sig%/*}" ; \
    - install -o 0 -g 0 -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
    + install -m 0755 -d "debian/tmp/$${sig%/*}" ; \
    + install -m 0644 "/$${sig%.sig}" "debian/tmp/$${sig}ned" ; \
    sbattach --attach "$(SIG_DIR)/$$sig" "debian/tmp/$${sig}ned" ; \
    done
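    Review bot: dropping `-o 0 -g 0` from both `install` calls is required for a non-root build (chown to uid 0 fails with EPERM for an unprivileged user), but note that the staged files are now owned by whoever runs the build, so root ownership inside the archive rests entirely on dh_builddeb passing `--root-owner-group` under `Rules-Requires-Root: no`; the `dpkg --contents ... | grep -F .signed` check in the reply is the right way to confirm that after every build. The `-m 0644` is applied before `sbattach --attach` rewrites the file in place, so the mode survives; if sbattach ever started writing via a temporary file the permissions would need to be re-applied after it. Minor, pre-existing: `while read sig` should be `while read -r sig` so a backslash in a path is not mangled.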


    --
    Steve McIntyre, Cambridge, UK. steve@einval.com < Aardvark> I dislike C++ to start with. C++11 just seems to be
    handing rope-creating factories for users to hang multiple
    instances of themselves.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
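The verification step Emanuele describes (piping `dpkg --contents` through `grep -F .signed` and eyeballing the owner and mode) is easy to automate for a rootless build. The script below is an added example and is not part of the bug report or of the shim packaging; the two listings it checks are constructed to mimic `dpkg --contents` output, one matching the good result quoted above and one showing what a build that leaked the builder's uid or a wrong mode would look like (the `builder/builder` owner is made up).

```shell
#!/bin/sh
# Added example (not from the shim package or the bug report): check that every
# *.signed payload listed by `dpkg --contents <deb>` is owned by root/root and
# has mode 0644. Under Rules-Requires-Root: no this is what dpkg-deb's
# --root-owner-group must produce, since the rules no longer chown anything.
set -eu

# Constructed sample: the listing shown in the bug report for a good build.
GOOD_LISTING='-rw-r--r-- root/root 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rw-r--r-- root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed'

# Constructed sample: a broken rootless build, with the builder's uid leaking
# into one entry and a wrong mode on the other ("builder" is a made-up user).
BAD_LISTING='-rw-r--r-- builder/builder 90752 2024-12-28 12:03 ./usr/lib/shim/fbaa64.efi.signed
-rwxr-xr-x root/root 887472 2024-12-28 12:03 ./usr/lib/shim/mmaa64.efi.signed'

# check_signed_perms: read `dpkg --contents` output on stdin, print one
# "BAD:" line per *.signed entry whose mode or owner is wrong, and return 1
# if any such entry was found (0 otherwise). Field layout of dpkg --contents:
#   1=mode 2=owner/group 3=size 4=date 5=time 6=path
check_signed_perms() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *.signed) ;;
            *) continue ;;
        esac
        # word-split the listing line into positional parameters
        set -- $line
        mode=$1
        owner=$2
        path=$6
        if [ "$mode" != "-rw-r--r--" ] || [ "$owner" != "root/root" ]; then
            printf 'BAD: %s %s %s\n' "$mode" "$owner" "$path"
            bad=1
        fi
    done
    return $bad
}

# count_bad: convenience wrapper returning the number of offending entries.
count_bad() {
    printf '%s\n' "$1" | check_signed_perms | grep -c '^BAD:' || true
}

# demo: run both constructed listings; only the bad one should be reported.
demo() {
    printf '%s\n' "$GOOD_LISTING" | check_signed_perms && echo "good listing: OK"
    printf '%s\n' "$BAD_LISTING" | check_signed_perms || echo "bad listing: rejected as expected"
}

demo
```

Against a real build, replace the constructed listing with the package itself: `dpkg --contents shim-helpers-arm64-signed_*.deb | check_signed_perms` exits non-zero if any signed helper is not root-owned mode 0644, which makes a usable gate in CI after switching to `dpkg-buildpackage -us -uc -b -rfakeroot` as a normal user.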