Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package shim-signed

I've tweaked the shim-signed packaging to make what I believe are all the changes wanted before we get our latest signed binaries back from the Microsoft CA. Summary:

  * Add Breaks/Replaces to shim-signed-common for
    update-secureboot-policy etc. Closes: #929673
  * update-secureboot-policy: fix error if /var/lib/dkms does not
    exist. Closes: #923718
  * Separate the helper scripts into a new shim-signed-common package,
    apart from the actual signed shim binaries so that we can
    sensibly support co-installability using Multi-Arch.
    Closes: #928486
  * Add/update translations:
    + Italian (Closes: #915993, thanks to Beatrice Torracca)
    + Swedish (Closes: #921410, thanks to Matrin Bagge)
    + Russian (Closes: #922229, thanks to Lev Lamberov)
    + Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert)
  * Remove doc link used to quieten old lintian versions

The main fixes are for #928486 (which is blocking some users building multi-arch live media), but I've also rolled in a trivial fix for #923718 (cosmetic) and a bunch of translation updates (filtered out here). #929673 showed I made a daft mistake with the 1.31 upload. :-(

I expect to make one more shim-signed upload before buster, just adding the new signed binaries. I'm doing all the other changes here and now to make that final change as small and as easy to review as possible.

This package still has the same outstanding RC bug as version 1.30 (#928107), which is impossible to fix right now. When they arrive, the new signed binaries will allow us to fix this with the 1.33 upload.

debdiff attached.

unblock shim-signed/1.32

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru shim-signed-1.30/debian/changelog shim-signed-1.32/debian/changelog --- shim-signed-1.30/debian/changelog 2019-04-23 00:01:10.000000000 +0100 +++ shim-signed-1.32/debian/changelog 2019-05-28 14:23:54.000000000 +0100 @@ -1,3 +1,27 @@ +shim-signed (1.32) unstable; urgency=medium + + * Add Breaks/Replaces to shim-signed-common for + update-secureboot-policy etc. Closes: #929673 + + -- Steve McIntyre <93...@debian.org> Tue, 28 May 2019 14:23:54 +0100 + +shim-signed (1.31) unstable; urgency=medium + + * update-secureboot-policy: fix error if /var/lib/dkms does not + exist. Closes: #923718 + * Separate the helper scripts into a new shim-signed-common package, + apart from the actual signed shim binaries so that we can + sensibly support co-installability using Multi-Arch. + Closes: #928486 + * Add/update translations: + + Italian (Closes: #915993, thanks to Beatrice Torracca) + + Swedish (Closes: #921410, thanks to Matrin Bagge) + + Russian (Closes: #922229, thanks to Lev Lamberov) + + Dutch (Closes: #917580, #926664, thanks to Frans Spiesschaert) + * Remove doc link used to quieten old lintian versions + + -- Steve McIntyre <93...@debian.org> Mon, 27 May 2019 23:02:10 +0100 + shim-signed (1.30) unstable; urgency=medium * Force the built-using version to be 15+1533136590.3beb971-6. That diff -Nru shim-signed-1.30/debian/control shim-signed-1.32/debian/control --- shim-signed-1.30/debian/control 2019-04-22 23:59:15.000000000 +0100 +++ shim-signed-1.32/debian/control 2019-05-28 14:23:54.000000000 +0100 @@ -18,6 +18,7 @@ Package: shim-signed Architecture: amd64 i386 arm64 +Multi-Arch: same Depends: ${misc:Depends}, grub-efi-amd64-bin [amd64], shim-helpers-amd64-signed (>= 1+15+1533136590.3beb971+5) [amd64], 
@@ -25,8 +26,7 @@ shim-helpers-i386-signed (>= 1+15+1533136590.3beb971+5) [i386], grub-efi-arm64-bin [arm64], shim-helpers-arm64-signed (>= 1+15+1533136590.3beb971+5) [arm64], - grub2-common (>= 2.02+dfsg1-16), - mokutil + grub2-common (>= 2.02+dfsg1-16) Recommends: secureboot-db Built-Using: shim (= 15+1533136590.3beb971-6) Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) @@ -38,3 +38,19 @@ . This package contains the version of the bootloader binary signed by the Microsoft UEFI CA. + +Package: shim-signed-common +Multi-Arch: foreign +Architecture: all +Depends: ${misc:Depends}, mokutil +Replaces: shim-signed (<< 1.32+15+1533136590.3beb971-5) +Breaks: shim-signed (<< 1.32+15+1533136590.3beb971-5) +Description: Secure Boot chain-loading bootloader (common helper scripts) + This package provides a minimalist boot loader which allows verifying + signatures of other UEFI binaries against either the Secure Boot DB/DBX or + against a built-in signature database. Its purpose is to allow a small, + infrequently-changing binary to be signed by the UEFI CA, while allowing + an OS distributor to revision their main bootloader independently of the CA. + . + This package contains common helper scripts for all versions of the + shim-signed package. diff -Nru shim-signed-1.30/debian/lintian-overrides shim-signed-1.32/debian/lintian-overrides --- shim-signed-1.30/debian/lintian-overrides 2019-04-22 22:53:12.000000000 +0100 +++ shim-signed-1.32/debian/lintian-overrides 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -shim-signed: debconf-is-not-a-registry usr/sbin/update-secureboot-policy diff -Nru shim-signed-1.30/debian/po/POTFILES.in shim-signed-1.32/debian/po/POTFILES.in --- shim-signed-1.30/debian/po/POTFILES.in 2019-03-06 21:15:15.000000000 +0000 +++ shim-signed-1.32/debian/po/POTFILES.in 2019-05-27 22:56:41.000000000 +0100 
@@ -1 +1 @@ -[type: gettext/rfc822deb] templates +[type: gettext/rfc822deb] shim-signed-common.templates diff -Nru shim-signed-1.30/debian/rules shim-signed-1.32/debian/rules --- shim-signed-1.30/debian/rules 2019-04-19 15:28:53.000000000 +0100 +++ shim-signed-1.32/debian/rules 2019-05-27 23:21:01.000000000 +0100 @@ -18,13 +18,17 @@ %: dh $@ -docdir := debian/shim-signed/usr/share/doc/shim-signed +docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common override_dh_installchangelogs: - dh_installchangelogs - # Quieten lintian, which otherwise gets confused by our odd version - # number. - ln $(docdir)/changelog $(docdir)/changelog.Debian + dh_installchangelogs -p shim-signed-common + +override_dh_installdocs: + dh_installdocs -p shim-signed-common + dh_installdocs --remaining-packages --link-doc=shim-signed-common + +override_dh_installdebconf: + dh_installdebconf -p shim-signed-common override_dh_gencontrol: dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ diff -Nru shim-signed-1.30/debian/shim-signed-common.install shim-signed-1.32/debian/shim-signed-common.install --- shim-signed-1.30/debian/shim-signed-common.install 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed-common.install 2019-05-25 03:15:26.000000000 +0100 @@ -0,0 +1,2 @@ +debian/source_shim-signed.py /usr/share/apport/package-hooks/ +update-secureboot-policy /usr/sbin/ diff -Nru shim-signed-1.30/debian/shim-signed-common.links shim-signed-1.32/debian/shim-signed-common.links --- shim-signed-1.30/debian/shim-signed-common.links 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed-common.links 2019-03-06 21:15:15.000000000 +0000 
@@ -0,0 +1 @@ +usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py diff -Nru shim-signed-1.30/debian/shim-signed-common.lintian-overrides shim-signed-1.32/debian/shim-signed-common.lintian-overrides --- shim-signed-1.30/debian/shim-signed-common.lintian-overrides 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed-common.lintian-overrides 2019-05-25 03:29:42.000000000 +0100 @@ -0,0 +1 @@ +shim-signed-common: debconf-is-not-a-registry usr/sbin/update-secureboot-policy diff -Nru shim-signed-1.30/debian/shim-signed-common.postinst shim-signed-1.32/debian/shim-signed-common.postinst --- shim-signed-1.30/debian/shim-signed-common.postinst 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed-common.postinst 2019-04-22 17:52:51.000000000 +0100 
@@ -0,0 +1,59 @@ +#! /bin/sh +set -e + +# Must load the confmodule for our template to be installed correctly. +. /usr/share/debconf/confmodule + +ARCH=$(dpkg --print-architecture) +case ${ARCH} in + amd64) + GRUB_EFI_TARGET="x86_64-efi";; + i386) + GRUB_EFI_TARGET="i386-efi";; + arm64) + GRUB_EFI_TARGET="arm64-efi";; + *) + echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" + exit 1 + ;; +esac + +config_item () +{ + if [ -f /etc/default/grub ]; then + . /etc/default/grub || return + for x in /etc/default/grub.d/*.cfg; do + if [ -e "$x" ]; then + . "$x" + fi + done + fi + eval echo "\$$1" +} + +case $1 in + triggered) + SHIM_NOTRIGGER=y update-secureboot-policy + ;; + configure) + bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ + cut -d' ' -f1)" + case $bootloader_id in + kubuntu) bootloader_id=ubuntu ;; + esac + if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ + && which grub-install >/dev/null 2>&1 + then + grub-install --target=${GRUB_EFI_TARGET} + if dpkg --compare-versions "$2" lt-nl "1.22~"; then + rm -f /boot/efi/EFI/ubuntu/MokManager.efi + fi + fi + + SHIM_NOTRIGGER=y update-secureboot-policy + ;; +esac + +#DEBHELPER# + +exit 0 diff -Nru shim-signed-1.30/debian/shim-signed-common.templates shim-signed-1.32/debian/shim-signed-common.templates --- shim-signed-1.30/debian/shim-signed-common.templates 1970-01-01 01:00:00.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed-common.templates 2019-03-06 21:15:15.000000000 +0000 
@@ -0,0 +1,62 @@ +Template: shim/title/secureboot +Type: text +_Description: Configuring UEFI Secure Boot + +Template: shim/error/bad_secureboot_key +Type: error +_Description: Invalid password + The Secure Boot key you've entered is not valid. The password used must be + between 8 and 16 characters. + +Template: shim/disable_secureboot +Type: boolean +Default: true +_Description: Disable UEFI Secure Boot? + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/enable_secureboot +Type: boolean +Default: false +_Description: Enable UEFI Secure Boot? + If Secure Boot is enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_explanation +Type: note +_Description: Your system has UEFI Secure Boot enabled + UEFI Secure Boot is not compatible with the use of third-party drivers. + . + The system will assist you in toggling UEFI Secure Boot. To ensure that this + change is being made by you as an authorized user, and not by an attacker, + you must choose a password now and then use the same password after reboot + to confirm the change. + . + If you choose to proceed but do not confirm the password upon reboot, the + Secure Boot configuration will not be changed, and the machine will continue + booting as before. + . + If Secure Boot remains enabled on your system, your system may still boot but + any hardware that requires third-party drivers to work correctly may not be + usable. + +Template: shim/secureboot_key +Type: password +_Description: UEFI Secure Boot password: + Please enter a password for configuring UEFI Secure Boot. + . + This password will be used after a reboot to confirm authorization for a + change to Secure Boot state. 
+ +Template: shim/secureboot_key_again +Type: password +_Description: Re-enter password to verify: + Please enter the same password again to verify that you have typed it + correctly. + +Template: shim/error/secureboot_key_mismatch +Type: error +_Description: Password input error + The two passwords you entered were not the same. Please try again. diff -Nru shim-signed-1.30/debian/shim-signed.install shim-signed-1.32/debian/shim-signed.install --- shim-signed-1.30/debian/shim-signed.install 2019-04-22 18:08:11.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed.install 2019-05-25 03:15:14.000000000 +0100 @@ -1,3 +1 @@ build/shim*.efi.signed /usr/lib/shim -debian/source_shim-signed.py /usr/share/apport/package-hooks/ -update-secureboot-policy /usr/sbin/ diff -Nru shim-signed-1.30/debian/shim-signed.links shim-signed-1.32/debian/shim-signed.links --- shim-signed-1.30/debian/shim-signed.links 2019-03-06 21:15:15.000000000 +0000 +++ shim-signed-1.32/debian/shim-signed.links 1970-01-01 01:00:00.000000000 +0100 @@ -1 +0,0 @@ -usr/share/apport/package-hooks/source_shim-signed.py usr/share/apport/package-hooks/source_shim.py diff -Nru shim-signed-1.30/debian/shim-signed.postinst shim-signed-1.32/debian/shim-signed.postinst --- shim-signed-1.30/debian/shim-signed.postinst 2019-04-22 17:52:51.000000000 +0100 +++ shim-signed-1.32/debian/shim-signed.postinst 1970-01-01 01:00:00.000000000 +0100 
@@ -1,59 +0,0 @@ -#! /bin/sh -set -e - -# Must load the confmodule for our template to be installed correctly. -. /usr/share/debconf/confmodule - -ARCH=$(dpkg --print-architecture) -case ${ARCH} in - amd64) - GRUB_EFI_TARGET="x86_64-efi";; - i386) - GRUB_EFI_TARGET="i386-efi";; - arm64) - GRUB_EFI_TARGET="arm64-efi";; - *) - echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" - exit 1 - ;; -esac - -config_item () -{ - if [ -f /etc/default/grub ]; then - . /etc/default/grub || return - for x in /etc/default/grub.d/*.cfg; do - if [ -e "$x" ]; then - . "$x" - fi - done - fi - eval echo "\$$1" -} - -case $1 in - triggered) - SHIM_NOTRIGGER=y update-secureboot-policy - ;; - configure) - bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \ - cut -d' ' -f1)" - case $bootloader_id in - kubuntu) bootloader_id=ubuntu ;; - esac - if [ "$bootloader_id" ] && [ -d "/boot/efi/EFI/$bootloader_id" ] \ - && which grub-install >/dev/null 2>&1 - then - grub-install --target=${GRUB_EFI_TARGET} - if dpkg --compare-versions "$2" lt-nl "1.22~"; then - rm -f /boot/efi/EFI/ubuntu/MokManager.efi - fi - fi - - SHIM_NOTRIGGER=y update-secureboot-policy - ;; -esac - -#DEBHELPER# - -exit 0 diff -Nru shim-signed-1.30/debian/templates shim-signed-1.32/debian/templates --- shim-signed-1.30/debian/templates 2019-03-06 21:15:15.000000000 +0000 +++ shim-signed-1.32/debian/templates 1970-01-01 01:00:00.000000000 +0100 
@@ -1,62 +0,0 @@ -Template: shim/title/secureboot -Type: text -_Description: Configuring UEFI Secure Boot - -Template: shim/error/bad_secureboot_key -Type: error -_Description: Invalid password - The Secure Boot key you've entered is not valid. The password used must be - between 8 and 16 characters. - -Template: shim/disable_secureboot -Type: boolean -Default: true -_Description: Disable UEFI Secure Boot? - If Secure Boot remains enabled on your system, your system may still boot but - any hardware that requires third-party drivers to work correctly may not be - usable. - -Template: shim/enable_secureboot -Type: boolean -Default: false -_Description: Enable UEFI Secure Boot? - If Secure Boot is enabled on your system, your system may still boot but - any hardware that requires third-party drivers to work correctly may not be - usable. - -Template: shim/secureboot_explanation -Type: note -_Description: Your system has UEFI Secure Boot enabled - UEFI Secure Boot is not compatible with the use of third-party drivers. - . - The system will assist you in toggling UEFI Secure Boot. To ensure that this - change is being made by you as an authorized user, and not by an attacker, - you must choose a password now and then use the same password after reboot - to confirm the change. - . - If you choose to proceed but do not confirm the password upon reboot, the - Secure Boot configuration will not be changed, and the machine will continue - booting as before. - . - If Secure Boot remains enabled on your system, your system may still boot but - any hardware that requires third-party drivers to work correctly may not be - usable. - -Template: shim/secureboot_key -Type: password -_Description: UEFI Secure Boot password: - Please enter a password for configuring UEFI Secure Boot. - . - This password will be used after a reboot to confirm authorization for a - change to Secure Boot state. 
- -Template: shim/secureboot_key_again -Type: password -_Description: Re-enter password to verify: - Please enter the same password again to verify that you have typed it - correctly. - -Template: shim/error/secureboot_key_mismatch -Type: error -_Description: Password input error - The two passwords you entered were not the same. Please try again. diff -Nru shim-signed-1.30/update-secureboot-policy shim-signed-1.32/update-secureboot-policy --- shim-signed-1.30/update-secureboot-policy 2019-03-06 21:15:15.000000000 +0000 +++ shim-signed-1.32/update-secureboot-policy 2019-05-25 02:26:08.000000000 +0100 @@ -142,8 +142,9 @@ exit 0 fi -if [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then - setup_mok_validation $enable_secureboot +if [ -d /var/lib/dkms ] && + [ `find /var/lib/dkms -type d -print | wc -l ` -gt 1 ]; then + setup_mok_validation $enable_secureboot else echo "No DKMS packages installed: not changing Secure Boot validation state." fi
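
Review bot: In debian/control, the visible Depends lines of shim-signed lose mokutil but gain no explicit dependency on shim-signed-common, even though update-secureboot-policy, the debconf templates and the only postinst that runs grub-install now live there. If that dependency is meant to arrive only through ${misc:Depends} from the --link-doc in debian/rules, I would still spell it out in Depends so that installing the signed binaries always pulls in the helper that copies them to the ESP. Separately, the Breaks/Replaces bound "<< 1.32+15+1533136590.3beb971-5" hard-codes a shim revision that differs from the -6 in Built-Using; since the changelog says the files moved in 1.31, a bound on the shim-signed version alone (for example "<< 1.31") would express the same thing without tying it to the shim version string.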
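
Review bot: In debian/shim-signed-common.postinst, grub-install now runs from the configure step of the Architecture: all package, and shim-signed itself is left with no postinst at all. Nothing in the visible lines orders the configure of shim-signed-common after the unpack of a new shim-signed, so on an upgrade that only changes the signed binaries (the planned 1.33) grub-install may run before the new shim is on disk, or not at all if shim-signed-common is unchanged. It also picks GRUB_EFI_TARGET from "dpkg --print-architecture" only, so a co-installed foreign-architecture shim-signed, the case #928486 is about, never gets a grub-install for its target. I would keep a small postinst (or a trigger) in shim-signed for the grub-install part. Minor: the test 'dpkg --compare-versions "$2" lt-nl "1.22~"' can never be true under the new package name, so the MokManager.efi removal is dead code here and can be dropped.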
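
Review bot: In the update-secureboot-policy hunk at line 142, the new "[ -d /var/lib/dkms ] &&" guard is right, but the lines it touches keep the backtick substitution unquoted inside the test and pass $enable_secureboot unquoted, so an empty value silently calls setup_mok_validation with no argument. Since the condition is being rewritten anyway, I would use "$(find /var/lib/dkms -type d -print | wc -l)" and "$enable_secureboot", both quoted. The else message "No DKMS packages installed" now also covers the missing-directory case, which reads fine as is.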