arrfab / rpms / shim-signed

Forked from rpms/shim-signed 4 years ago
Clone
3bee5b
Name:           shim-signed
f928ec
Version:        15
071877
Release:        2%{?dist}%{?buildid}
3bee5b
Summary:        First-stage UEFI bootloader
f6e3e1
%define unsigned_release 5%{?dist}
3bee5b
3bee5b
License:        BSD
f928ec
URL:            https://github.com/rhboot/shim/
5cf28a
# incorporate mokutil for packaging simplicity
89397c
%global mokutil_version 0.3.0
5cf28a
Source0:        https://github.com/lcp/mokutil/archive/mokutil-%{mokutil_version}.tar.gz
f6e3e1
Source1:        secureboot.cer
f6e3e1
Source2:        securebootca.cer
f928ec
Source10:       shimx64.efi
f928ec
Source11:       shimia32.efi
f928ec
Source12:       shimaa64.efi
f928ec
Source20:       BOOTX64.CSV
f928ec
Source21:       BOOTIA32.CSV
f928ec
Source22:       BOOTAA64.CSV
f928ec
89397c
Patch0001: 0001-Fix-the-potential-buffer-overflow.patch
89397c
Patch0002: 0002-Fix-the-32bit-signedness-comparison.patch
89397c
Patch0003: 0003-Build-with-fshort-wchar-so-toggle-passwords-work-rig.patch
89397c
Patch0004: 0004-Don-t-allow-sha1-on-the-mokutil-command-line.patch
89397c
Patch0005: 0005-Make-all-efi_guid_t-const.patch
89397c
Patch0006: 0006-mokutil-be-explicit-about-file-modes-in-all-cases.patch
89397c
Patch0007: 0007-Add-bash-completion-file.patch
f928ec
Patch0008: 0008-Fix-typo-in-error-message-when-the-system-lacks-Secu.patch
f928ec
Patch0009: 0009-list_keys_in_var-check-errno-correctly-not-ret-twice.patch
f928ec
Patch0010: 0010-generate_hash-generate_pw_hash-don-t-use-strlen-for-.patch
5cf28a
5cf28a
%ifarch x86_64
5cf28a
%global efiarch X64
5cf28a
%global efiarchlc x64
89397c
%global shimsrc %{SOURCE10}
89397c
%global bootsrc %{SOURCE20}
89397c
89397c
%global shimsrcia32 %{SOURCE11}
89397c
%global bootsrcia32 %{SOURCE21}
89397c
%define unsigned_dir_ia32 %{_datadir}/shim/ia32-%{version}-%{unsigned_release}/
5cf28a
%endif
5cf28a
%ifarch aarch64
5cf28a
%global efiarch AA64
5cf28a
%global efiarchlc aa64
f928ec
%global shimsrc %{SOURCE12}
89397c
%global bootsrc %{SOURCE22}
5cf28a
%endif
5cf28a
%define unsigned_dir %{_datadir}/shim/%{efiarchlc}-%{version}-%{unsigned_release}/
3bee5b
5cf28a
BuildRequires: git
5cf28a
BuildRequires: openssl-devel openssl
3bee5b
BuildRequires: pesign >= 0.106-5%{dist}
5cf28a
BuildRequires: efivar-devel
89397c
BuildRequires: shim-unsigned-%{efiarchlc} = %{version}-%{unsigned_release}
89397c
%ifarch x86_64
89397c
BuildRequires: shim-unsigned-ia32 = %{version}-%{unsigned_release}
89397c
%endif
5cf28a
5cf28a
# for mokutil's configure
5cf28a
BuildRequires: autoconf automake
3bee5b
3bee5b
# Shim is only required on platforms implementing the UEFI secure boot
3bee5b
# protocol. The only one of those we currently wish to support is 64-bit x86.
3bee5b
# Adding further platforms will require adding appropriate relocation code.
68c47f
ExclusiveArch: x86_64 aarch64
3bee5b
5cf28a
%define debug_package \
5cf28a
%ifnarch noarch\
5cf28a
%global __debug_package 1\
5cf28a
%package -n mokutil-debuginfo\
5cf28a
Summary: Debug information for package %{name}\
5cf28a
Group: Development/Debug\
5cf28a
AutoReqProv: 0\
5cf28a
%description -n mokutil-debuginfo\
5cf28a
This package provides debug information for package %{name}.\
5cf28a
Debug information is useful when developing applications that use this\
5cf28a
package or when debugging this package.\
5cf28a
%files -n mokutil-debuginfo -f debugfiles.list\
f928ec
%defattr(-,root,root,-)\
5cf28a
%endif\
5cf28a
%{nil}
3bee5b
3bee5b
# Figure out the right file path to use
5cf28a
%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
3bee5b
68c47f
%define ca_signed_arches x86_64
68c47f
%define rh_signed_arches x86_64 aarch64
68c47f
3bee5b
%description
3bee5b
Initial UEFI bootloader that handles chaining to a trusted full bootloader
3bee5b
under secure boot environments. This package contains the version signed by
3bee5b
the UEFI signing service.
3bee5b
89397c
%package -n shim-%{efiarchlc}
89397c
Summary: First-stage UEFI bootloader
89397c
Requires: mokutil = %{version}-%{release}
89397c
Provides: shim = %{version}-%{release}
f928ec
Obsoletes: shim <= 12
89397c
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
89397c
# compatible with SysV (there's no red zone under UEFI) and there isn't a
89397c
# POSIX-style C library.
89397c
# BuildRequires: OpenSSL
89397c
Provides: bundled(openssl) = 0.9.8zb
89397c
89397c
%description -n shim-%{efiarchlc}
89397c
Initial UEFI bootloader that handles chaining to a trusted full bootloader
89397c
under secure boot environments. This package contains the version signed by
89397c
the UEFI signing service.
89397c
89397c
%ifarch x86_64
89397c
%package -n shim-ia32
3bee5b
Summary: First-stage UEFI bootloader
5cf28a
Requires: mokutil = %{version}-%{release}
89397c
# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
89397c
# compatible with SysV (there's no red zone under UEFI) and there isn't a
89397c
# POSIX-style C library.
89397c
# BuildRequires: OpenSSL
89397c
Provides: bundled(openssl) = 0.9.8zb
3bee5b
89397c
%description -n shim-ia32
3bee5b
Initial UEFI bootloader that handles chaining to a trusted full bootloader
3bee5b
under secure boot environments. This package contains the version signed by
3bee5b
the UEFI signing service.
89397c
%endif
3bee5b
5cf28a
%package -n mokutil
5cf28a
Summary: Utilities for managing Secure Boot/MoK keys.
5cf28a
5cf28a
%description -n mokutil
5cf28a
Utilities for managing the "Machine's Own Keys" list.
5cf28a
3bee5b
%prep
89397c
%setup -T -q -a 0 -n shim-signed-%{version} -c
5cf28a
git init
5cf28a
git config user.email "example@example.com"
5cf28a
git config user.name "rpmbuild -bp"
5cf28a
git add .
5cf28a
git commit -a -q -m "%{version} baseline."
89397c
cd mokutil-%{mokutil_version}
89397c
git am --ignore-whitespace --directory=mokutil-%{mokutil_version} %{patches} 
5cf28a
git config --unset user.email
5cf28a
git config --unset user.name
89397c
cd ..
3bee5b
3bee5b
%build
3bee5b
%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
3bee5b
%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
3bee5b
68c47f
%ifarch %{ca_signed_arches}
89397c
pesign -i %{shimsrc} -h -P > shim%{efiarchlc}.hash
89397c
if ! cmp shim%{efiarchlc}.hash %{unsigned_dir}shim%{efiarchlc}.hash ; then
f928ec
  echo Invalid signature\! > /dev/stderr
f928ec
  echo saved hash is $(cat %{unsigned_dir}shim%{efiarchlc}.hash) > /dev/stderr
f928ec
  echo shim%{efiarchlc}.efi hash is $(cat shim%{efiarchlc}.hash) > /dev/stderr
f928ec
  exit 1
89397c
fi
89397c
cp %{shimsrc} shim%{efiarchlc}.efi
89397c
%ifarch x86_64
89397c
pesign -i %{shimsrcia32} -h -P > shimia32.hash
89397c
if ! cmp shimia32.hash %{unsigned_dir_ia32}shimia32.hash ; then
f928ec
  echo Invalid signature\! > /dev/stderr
f928ec
  echo saved hash is $(cat %{unsigned_dir_ia32}shimia32.hash) > /dev/stderr
f928ec
  echo shimia32.efi hash is $(cat shimia32.hash) > /dev/stderr
f928ec
  exit 1
3bee5b
fi
89397c
cp %{shimsrcia32} shimia32.efi
89397c
%endif
68c47f
%endif
68c47f
%ifarch %{rh_signed_arches}
f6e3e1
%pesign -s -i %{unsigned_dir}shim%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shim%{efiarchlc}-%{efidir}.efi
89397c
%ifarch x86_64
f6e3e1
%pesign -s -i %{unsigned_dir_ia32}shimia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301 -o shimia32-%{efidir}.efi
89397c
%endif
68c47f
%endif
68c47f
%ifarch %{rh_signed_arches}
68c47f
%ifnarch %{ca_signed_arches}
89397c
cp shim%{efiarchlc}-%{efidir}.efi shim%{efiarchlc}.efi
68c47f
%endif
68c47f
%endif
68c47f
f6e3e1
%pesign -s -i %{unsigned_dir}mm%{efiarchlc}.efi -o mm%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
f6e3e1
%pesign -s -i %{unsigned_dir}fb%{efiarchlc}.efi -o fb%{efiarchlc}.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
89397c
89397c
%ifarch x86_64
f6e3e1
%pesign -s -i %{unsigned_dir_ia32}mmia32.efi -o mmia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
f6e3e1
%pesign -s -i %{unsigned_dir_ia32}fbia32.efi -o fbia32.efi -a %{SOURCE2} -c %{SOURCE1} -n redhatsecureboot301
89397c
%endif
5cf28a
5cf28a
cd mokutil-%{mokutil_version}
5cf28a
./autogen.sh
5cf28a
%configure
5cf28a
make %{?_smp_mflags}
3bee5b
3bee5b
%install
3bee5b
rm -rf $RPM_BUILD_ROOT
f928ec
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
f928ec
install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
f928ec
install -m 0700 shim%{efiarchlc}-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
f928ec
install -m 0700 mm%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
f928ec
install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
f928ec
f928ec
install -D -d -m 0700 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
f928ec
install -m 0700 shim%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
f928ec
install -m 0700 fb%{efiarchlc}.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
89397c
89397c
%ifarch aarch64
89397c
# In case old boot entries aren't updated
f928ec
install -m 0700 %{shimsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
89397c
%endif
89397c
89397c
%ifarch x86_64
89397c
# In case old boot entries aren't updated
f928ec
install -m 0700 shimx64.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
f928ec
install -m 0700 %{bootsrc} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
89397c
f928ec
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
f928ec
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32.efi
f928ec
install -m 0700 shimia32-%{efidir}.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
f928ec
install -m 0700 mmia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/mmia32.efi
f928ec
install -m 0700 %{bootsrcia32} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOTIA32.CSV
89397c
f928ec
install -m 0700 shimia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTIA32.EFI
f928ec
install -m 0700 fbia32.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fbia32.efi
89397c
%endif
3bee5b
5cf28a
cd mokutil-%{mokutil_version}
5cf28a
make PREFIX=%{_prefix} LIBDIR=%{_libdir} DESTDIR=%{buildroot} install
5cf28a
89397c
%files -n shim-%{efiarchlc}
f928ec
%defattr(0700,root,root,-)
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim%{efiarchlc}-%{efidir}.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/mm%{efiarchlc}.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT%{efiarch}.CSV
f6e3e1
%verify(not mtime) /boot/efi/EFI/BOOT/BOOT%{efiarch}.EFI
f6e3e1
%verify(not mtime) /boot/efi/EFI/BOOT/fb%{efiarchlc}.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/shim.efi
89397c
89397c
%ifarch x86_64
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOT.CSV
89397c
89397c
%files -n shim-ia32
f928ec
%defattr(0700,root,root,-)
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/shimia32-%{efidir}.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/mmia32.efi
f6e3e1
%verify(not mtime) /boot/efi/EFI/%{efidir}/BOOTIA32.CSV
f6e3e1
%verify(not mtime) /boot/efi/EFI/BOOT/BOOTIA32.EFI
f6e3e1
%verify(not mtime) /boot/efi/EFI/BOOT/fbia32.efi
89397c
%endif
3bee5b
5cf28a
%files -n mokutil
5cf28a
%{!?_licensedir:%global license %%doc}
5cf28a
%license mokutil-%{mokutil_version}/COPYING
5cf28a
%doc mokutil-%{mokutil_version}/README
5cf28a
%{_bindir}/mokutil
5cf28a
%{_mandir}/man1/*
89397c
%{_datadir}/bash-completion/completions/mokutil
5cf28a
3bee5b
%changelog
f6e3e1
* Thu Mar 21 2019 Peter Jones <pjones@redhat.com> - 15-2
f6e3e1
- Fix MoK mirroring issue which breaks kdump without intervention
f6e3e1
  Related: rhbz#1649270
5aa06c
f928ec
* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
f928ec
- Update to shim version 15
f928ec
  Resolves: rhbz#1589962
f928ec
f928ec
* Wed Jul 11 2018 Peter Jones <pjones@redhat.com> - 12-3
f928ec
- Fix broken file owner/modes
f928ec
  Resolves: rhbz#1595677
f928ec
f928ec
* Sat Jun 23 2018 Peter Jones <pjones@redhat.com> - 12-2
f928ec
- Fix /boot/efi/... permissions to match the filesystem's requirements
f928ec
  Related: rhbz#1512749
f928ec
- Minor .spec cleanups
f928ec
  Related: rhbz#1512749
f42455
89397c
* Mon May 01 2017 Peter Jones <pjones@redhat.com> - 12-1
89397c
- Update to 12-1 to work around a signtool.exe bug
89397c
  Resolves: rhbz#1445393
89397c
89397c
* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-4
89397c
- Another shot at better obsoletes.
89397c
  Related: rhbz#1310764
89397c
89397c
* Mon Apr 24 2017 Peter Jones <pjones@redhat.com> - 11-3
89397c
- Fix Obsoletes
89397c
  Related: rhbz#1310764
89397c
89397c
* Thu Apr 13 2017 Peter Jones <pjones@redhat.com> - 11-2
89397c
- Make sure Aarch64 still has shim.efi as well
89397c
  Related: rhbz#1310766
89397c
89397c
* Wed Apr 12 2017 Peter Jones <pjones@redhat.com> - 11-1
89397c
- Rebuild with signed shim
89397c
  Related: rhbz#1310766
89397c
89397c
* Mon Apr 03 2017 Peter Jones <pjones@redhat.com> - 11-0.1
89397c
- Update to 11-0.1 to match shim-11-1
89397c
  Related: rhbz#1310766
89397c
- Fix regression in PE loader
89397c
  Related: rhbz#1310766
89397c
- Fix case where BDS invokes us wrong and we exec shim again as a result
89397c
  Related: rhbz#1310766
89397c
89397c
* Mon Mar 27 2017 Peter Jones <pjones@redhat.com> - 10-0.1
89397c
- Support ia32
89397c
  Resolves: rhbz#1310766
89397c
- Handle various different load option implementation differences
89397c
- TPM 1 and TPM 2 support.
89397c
- Update to OpenSSL 1.0.2k
89397c
5cf28a
* Mon Jul 20 2015 Peter Jones <pjones@redhat.com> - 0.9-2
5cf28a
- Apparently I'm *never* going to learn to build this in the right target
5cf28a
  the first time through.
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Mon Jun 29 2015 Peter Jones <pjones@redhat.com> - 0.9-0.1
5cf28a
- Bump version for 0.9
5cf28a
  Also use mokutil-0.3.0
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Tue Jun 23 2015 Peter Jones <pjones@redhat.com> - 0.7-14.1
5cf28a
- Fix mokutil_version usage.
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Mon Jun 22 2015 Peter Jones <pjones@redhat.com> - 0.7-14
5cf28a
- Pull in aarch64 build so they can compose that tree.
5cf28a
  (-14 to match -unsigned)
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Wed Feb 25 2015 Peter Jones <pjones@redhat.com> - 0.7-12
5cf28a
- Fix some minor build bugs on Aarch64
5cf28a
  Related: rhbz#1190191
5cf28a
5cf28a
* Tue Feb 24 2015 Peter Jones <pjones@redhat.com> - 0.7-11
5cf28a
- Fix section loading on Aarch64
5cf28a
  Related: rhbz#1190191
5cf28a
5cf28a
* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-10
5cf28a
- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
5cf28a
  (I managed to fix the inputs but not the outputs in -9.)
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Wed Dec 17 2014 Peter Jones <pjones@redhat.com> - 0.7-9
5cf28a
- Rebuild for Aarch64 to get \EFI\BOOT\BOOTAA64.EFI named right.
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Tue Oct 21 2014 Peter Jones <pjones@redhat.com> - 0.7-8
5cf28a
- Build for aarch64 as well 
5cf28a
  Related: rhbz#1100048
68c47f
- out-of-bounds memory read flaw in DHCPv6 packet processing
68c47f
  Resolves: CVE-2014-3675
68c47f
- heap-based buffer overflow flaw in IPv6 address parsing
68c47f
  Resolves: CVE-2014-3676
68c47f
- memory corruption flaw when processing Machine Owner Keys (MOKs)
68c47f
  Resolves: CVE-2014-3677
Karanbir Singh c49d55
5cf28a
* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-7
5cf28a
- Make sure we use the right keys on Aarch64.
5cf28a
  (It's only a demo at this stage.)
5cf28a
  Related: rhbz#1100048
5cf28a
5cf28a
* Tue Sep 23 2014 Peter Jones <pjones@redhat.com> - 0.7-6
5cf28a
- Add ARM Aarch64.
5cf28a
  Related: rhbz#1100048
5cf28a
409188
* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.2
409188
- Get the right signatures on shim-redhat.efi
409188
  Related: rhbz#1064449
409188
409188
* Thu Feb 27 2014 Peter Jones <pjones@redhat.com> - 0.7-5.1
409188
- Update for signed shim for RHEL 7
409188
  Resolves: rhbz#1064449
409188
3bee5b
* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-5
3bee5b
- Fix shim-unsigned deps.
3bee5b
  Related: rhbz#1032583
3bee5b
3bee5b
* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
3bee5b
- Make dhcp4 work better.
3bee5b
  Related: rhbz#1032583
3bee5b
3bee5b
* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
3bee5b
- Make lockdown include UEFI and other KEK/DB entries.
3bee5b
  Related: rhbz#1030492
3bee5b
3bee5b
* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
3bee5b
- Handle SetupMode better in lockdown as well
3bee5b
  Related: rhbz#996863
3bee5b
3bee5b
* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
3bee5b
- Don't treat SetupMode variable's presence as meaning we're in SetupMode.
3bee5b
  Related: rhbz#996863
3bee5b
3bee5b
* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.6-3
3bee5b
- Use the correct CA and signer certificates.
3bee5b
  Related: rhbz#996863
3bee5b
3bee5b
* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
3bee5b
- Update to 0.6-1
3bee5b
  Resolves: rhbz#1008379
3bee5b
3bee5b
* Wed Aug 07 2013 Peter Jones <pjones@redhat.com> - 0.4-3.2
3bee5b
- Depend on newer pesign.
3bee5b
  Related: rhbz#989442
3bee5b
3bee5b
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3.1
3bee5b
- Rebuild with newer pesign
3bee5b
  Related: rhbz#989442
3bee5b
3bee5b
* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
3bee5b
- Update for RHEL signing with early test keys.
3bee5b
  Related: rhbz#989442
3bee5b
3bee5b
* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
3bee5b
- Provide a fallback for uninitialized Boot#### and BootOrder
3bee5b
  Resolves: rhbz#963359
3bee5b
- Move all signing from shim-unsigned to here
3bee5b
- properly compare our generated hash from shim-unsigned with the hash of
3bee5b
  the signed binary (as opposed to doing it manually)
3bee5b
3bee5b
* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
3bee5b
- Re-sign to get alignments that match the new specification.
3bee5b
  Resolves: rhbz#963361
3bee5b
3bee5b
* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
3bee5b
- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
3bee5b
3bee5b
* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
3bee5b
- Add obsoletes and provides for earlier shim-signed packages, to cover
3bee5b
  the package update cases where previous versions were installed.
3bee5b
  Related: rhbz#888026
3bee5b
3bee5b
* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
3bee5b
- Make the shim-unsigned dep be on the subpackage.
3bee5b
3bee5b
* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
3bee5b
- Rebuild to provide "shim" package directly instead of just as a Provides:
3bee5b
3bee5b
* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
3bee5b
- Also provide shim-fedora.efi, signed only by the fedora signer.
3bee5b
- Fix the fedora signature on the result to actually be correct.
3bee5b
- Update for shim-unsigned 0.2-3
3bee5b
3bee5b
* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
3bee5b
- Initial build