From 3bee5b7cb37fff8269a44f68552d505c9a307b81 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys <bugs@centos.org>
Date: Nov 21 2013 22:40:46 +0000
Subject: import shim-signed-0.7-5.el7.src.rpm


---

diff --git a/.shim-signed.metadata b/.shim-signed.metadata
new file mode 100644
index 0000000..d6bdf58
--- /dev/null
+++ b/.shim-signed.metadata
@@ -0,0 +1,2 @@
+a44fe59367a951161a126ca69ed762d2ad4ebf2a SOURCES/redhatsecureboot003.cer
+e8c5e9f13efc3f87c2a5fa5c045603dc2fabb269 SOURCES/redhatsecurebootca2.cer
diff --git a/README.md b/README.md
deleted file mode 100644
index 0e7897f..0000000
--- a/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-The master branch has no content
- 
-Look at the c7 branch if you are working with CentOS-7, or the c4/c5/c6 branch for CentOS-4, 5 or 6
- 
-If you find this file in a distro specific branch, it means that no content has been checked in yet
diff --git a/SOURCES/BOOT.CSV b/SOURCES/BOOT.CSV
new file mode 100644
index 0000000..fd5fb6d
Binary files /dev/null and b/SOURCES/BOOT.CSV differ
diff --git a/SPECS/shim-signed.spec b/SPECS/shim-signed.spec
new file mode 100644
index 0000000..38f39b9
--- /dev/null
+++ b/SPECS/shim-signed.spec
@@ -0,0 +1,165 @@
+Name:           shim-signed
+Version:        0.7
+Release:        5%{?dist}
+Summary:        First-stage UEFI bootloader
+Provides:	shim = %{version}-%{release}
+%define unsigned_release 4%{?dist}
+
+License:        BSD
+URL:            http://www.codon.org.uk/~mjg59/shim/
+Source1:	BOOT.CSV
+Source2:	redhatsecureboot003.cer
+Source3:	redhatsecurebootca2.cer
+
+BuildRequires: shim-unsigned = %{version}-%{unsigned_release}
+BuildRequires: pesign >= 0.106-5%{dist}
+
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
+# compatible with SysV (there's no red zone under UEFI) and there isn't a
+# POSIX-style C library.
+# BuildRequires: OpenSSL
+Provides: bundled(openssl) = 0.9.8w
+
+# Shim is only required on platforms implementing the UEFI secure boot
+# protocol. The only one of those we currently wish to support is 64-bit x86.
+# Adding further platforms will require adding appropriate relocation code.
+ExclusiveArch: x86_64
+
+%global debug_package %{nil}
+
+# Figure out the right file path to use
+%if 0%{?rhel}
+%global efidir redhat
+%endif
+%if 0%{?fedora}
+%global efidir fedora
+%endif
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%package -n shim
+Summary: First-stage UEFI bootloader
+Requires: shim-unsigned = %{version}-%{unsigned_release}
+Requires: mokutil = %{version}-%{unsigned_release}
+Provides: shim-signed = %{version}-%{release}
+Obsoletes: shim-signed < %{version}-%{release}
+
+%description -n shim
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%prep
+cd %{_builddir}
+rm -rf shim-signed-%{version}
+mkdir shim-signed-%{version}
+
+%build
+%define vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%define vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+cd shim-signed-%{version}
+pesign -i %{_datadir}/shim/shim.efi -h -P > shim.hash
+if ! cmp shim.hash %{_datadir}/shim/shim.hash ; then
+	echo Invalid signature\! > /dev/stderr
+	exit 1
+fi
+%pesign -s -i %{_datadir}/shim/shim.efi -o shim.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot003
+%pesign -s -i %{_datadir}/shim/MokManager.efi -o MokManager.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot003
+%pesign -s -i %{_datadir}/shim/fallback.efi -o fallback.efi -a %{SOURCE3} -c %{SOURCE2} -n redhatsecureboot003
+
+%install
+rm -rf $RPM_BUILD_ROOT
+cd shim-signed-%{version}
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/
+install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/shim.efi
+install -m 0644 MokManager.efi $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/MokManager.efi
+install -m 0644 %{SOURCE1} $RPM_BUILD_ROOT/boot/efi/EFI/%{efidir}/BOOT.CSV
+
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/
+install -m 0644 shim.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/BOOTX64.EFI
+install -m 0644 fallback.efi $RPM_BUILD_ROOT/boot/efi/EFI/BOOT/fallback.efi
+
+%files -n shim
+/boot/efi/EFI/%{efidir}/shim.efi
+/boot/efi/EFI/%{efidir}/MokManager.efi
+/boot/efi/EFI/%{efidir}/BOOT.CSV
+/boot/efi/EFI/BOOT/BOOTX64.EFI
+/boot/efi/EFI/BOOT/fallback.efi
+
+%changelog
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-5
+- Fix shim-unsigned deps.
+  Related: rhbz#1032583
+
+* Thu Nov 21 2013 Peter Jones <pjones@redhat.com> - 0.7-4
+- Make dhcp4 work better.
+  Related: rhbz#1032583
+
+* Thu Nov 14 2013 Peter Jones <pjones@redhat.com> - 0.7-3
+- Make lockdown include UEFI and other KEK/DB entries.
+  Related: rhbz#1030492
+
+* Fri Nov 08 2013 Peter Jones <pjones@redhat.com> - 0.7-2
+- Handle SetupMode better in lockdown as well
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.7-1
+- Don't treat SetupMode variable's presence as meaning we're in SetupMode.
+  Related: rhbz#996863
+
+* Wed Nov 06 2013 Peter Jones <pjones@redhat.com> - 0.6-3
+- Use the correct CA and signer certificates.
+  Related: rhbz#996863
+
+* Thu Oct 31 2013 Peter Jones <pjones@redhat.com> - 0.6-1
+- Update to 0.6-1
+  Resolves: rhbz#1008379
+
+* Wed Aug 07 2013 Peter Jones <pjones@redhat.com> - 0.4-3.2
+- Depend on newer pesign.
+  Related: rhbz#989442
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3.1
+- Rebuild with newer pesign
+  Related: rhbz#989442
+
+* Tue Aug 06 2013 Peter Jones <pjones@redhat.com> - 0.4-3
+- Update for RHEL signing with early test keys.
+  Related: rhbz#989442
+
+* Thu Jun 20 2013 Peter Jones <pjones@redhat.com> - 0.4-1
+- Provide a fallback for uninitialized Boot#### and BootOrder
+  Resolves: rhbz#963359
+- Move all signing from shim-unsigned to here
+- properly compare our generated hash from shim-unsigned with the hash of
+  the signed binary (as opposed to doing it manually)
+
+* Fri May 31 2013 Peter Jones <pjones@redhat.com> - 0.2-4.4
+- Re-sign to get alignments that match the new specification.
+  Resolves: rhbz#963361
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.2-4.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Wed Jan 02 2013 Peter Jones <pjones@redhat.com> - 0.2-3.3
+- Add obsoletes and provides for earlier shim-signed packages, to cover
+  the package update cases where previous versions were installed.
+  Related: rhbz#888026
+
+* Mon Dec 17 2012 Peter Jones <pjones@redhat.com> - 0.2-3.2
+- Make the shim-unsigned dep be on the subpackage.
+
+* Sun Dec 16 2012 Peter Jones <pjones@redhat.com> - 0.2-3.1
+- Rebuild to provide "shim" package directly instead of just as a Provides:
+
+* Sat Dec 15 2012 Peter Jones <pjones@redhat.com> - 0.2-3
+- Also provide shim-fedora.efi, signed only by the fedora signer.
+- Fix the fedora signature on the result to actually be correct.
+- Update for shim-unsigned 0.2-3
+
+* Mon Dec 03 2012 Peter Jones <pjones@redhat.com> - 0.2-2
+- Initial build