From 09283f08f001305db5a3299b53acba85bf6c9876 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Mon, 4 Nov 2013 17:51:55 +0800
Subject: [PATCH 34/74] Exclude ca.crt while signing EFI images

If ca.crt was added into the certificate database, ca.crt would be the first
certificate in the signature. Because shim couldn't verify ca.crt with the
embedded shim.cer, it failed to load MokManager.efi.signed and
fallback.efi.signed.

Signed-off-by: Gary Ching-Pang Lin <glin@suse.com>
---
 Makefile | 1 -
 1 file changed, 1 deletion(-)

diff --git a/Makefile b/Makefile
index 46e5ef9..df190a2 100644
--- a/Makefile
+++ b/Makefile
@@ -73,7 +73,6 @@ version.c : version.c.in
 
 certdb/secmod.db: shim.crt
 	-mkdir certdb
-	certutil -A -n 'my CA' -d certdb/ -t CT,CT,CT -i ca.crt
 	pk12util -d certdb/ -i shim.p12 -W "" -K ""
 	certutil -d certdb/ -A -i shim.crt -n shim -t u
 
-- 
1.9.3