Version in base suite: 1.44~1+deb12u1
Version in overlay suite: 1.51~1+deb12u1
Base version: shim-signed_1.44~1+deb12u1
Target version: shim-signed_1.51~1+deb12u1
Base files: shim-signed_1.44~1+deb12u1+15.8-1~deb12u1_arm64.deb
Target files: shim-signed_1.51~1+deb12u1+16.1-2~deb12u1_arm64.deb
[The following lists of changes regard files as different if they have different names, permissions or owners.]
New files in second set of .debs, found in package shim-signed
--------------------------------------------------------------
-rw-r--r-- root/root DEBIAN/templates
Control files: lines which differ (wdiff format)
------------------------------------------------
Built-Using: shim (= [-15.8-1~deb12u1)-] {+16.1-2~deb12u1)+}
Depends: {+debconf (>= 0.5) | debconf-2.0, mokutil,+} shim-signed-common (>= [-1.44~1+deb12u1),-] {+1.51~1+deb12u1),+} grub-efi-arm64-bin, shim-helpers-arm64-signed (>= 1+15.8+1~deb12u1), grub2-common (>= 2.06-13+deb12u1)
Microsoft UEFI [-CA.-] {+CA(s).+}
Installed-Size: [-990-] {+1077+}
{+Pre-Depends: debconf+}
Source: shim-signed [-(1.44~1+deb12u1)-] {+(1.51~1+deb12u1)+}
Version: [-1.44~1+deb12u1+15.8-1~deb12u1-] {+1.51~1+deb12u1+16.1-2~deb12u1+}
No differences were encountered between the postinst files
Postrm files: lines which differ (wdiff format)
-----------------------------------------------
# {+Automatically added by dh_installdebconf/13.11.4+}
{+if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then+}
{+ . /usr/share/debconf/confmodule+}
{+ db_purge+}
{+fi+}
{+# End automatically added section+}
{++}
{++}
{+#+} If we're not on an EFI system, do nothing else
Preinst files: lines which differ (wdiff format)
------------------------------------------------
{+type=$1+}
{++}
{+. /usr/share/debconf/confmodule+}
{++}
{+# Only change LC_ALL after loading debconf to ensure any debconf templates+}
{+# are properly localized.+}
{+export LC_ALL=C+}
{++}
{+# Select the right target architecture for grub-install+}
{+ARCH=$(dpkg --print-architecture)+}
{+case ${ARCH} in+}
{+ amd64)+}
{+ EFI_ARCH="x64";;+}
{+ i386)+}
{+ EFI_ARCH="ia32";;+}
{+ arm64)+}
{+ EFI_ARCH="aa64";;+}
{+ *)+}
{+ echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"+}
{+ exit 1+}
{+ ;;+}
{+esac+}
{++}
{+SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed"+}
{+SHIM_SIGS=" 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 b5:ee:b4:a6:70:60:48:07:3f:0e:d2:96:e7:f5:80:a7:90:b5:9e:aa"+}
{++}
{+# Known error possibilities+}
{+ERR_NONE=0+}
{+ERR_NO_VALID_SIG=1+}
{+ERR_REVOKED=2+}
{++}
{+# Set the default error - no sigs found yet+}
{+SB_BOOT_ERROR=$ERR_NO_VALID_SIG+}
{++}
{+case "$type" in+}
{+ install|upgrade)+}
{++}
{+ echo "shim-signed: checking if we can safely install $SHIM"+}
{++}
{+ if ! type mokutil > /dev/null 2>&1; then+}
{+ echo " Mokutil is not installed, assuming things will be OK."+}
{+ SB_BOOT_ERROR=$ERR_NONE+}
{+ else+}
{+ # Check that we can safely boot this shim.+}
{+ # We don't care if the platform is in setup mode.+}
{+ SB_STATE=$(mokutil --sb-state 2>&1 | grep -v \+}
{+ -e "Platform is in Setup Mode" \+}
{+ -e "SecureBoot validation is disabled in shim")+}
{+ # If SB is not enabled (etc.) then this shim is fine+}
{+ case "${SB_STATE}" in+}
{+ "SecureBoot disabled"|"This system doesn't support Secure Boot")+}
{+ echo " ${SB_STATE}; shim installation is safe."+}
{+ SB_BOOT_ERROR=$ERR_NONE+}
{+ ;;+}
{+ "EFI variables are not supported on this system"|"Cannot determine secure boot state")+}
{+ echo " ${SB_STATE}; assuming shim installation is safe."+}
{+ SB_BOOT_ERROR=$ERR_NONE+}
{+ ;;+}
{+ "SecureBoot enabled")+}
{+ echo " ${SB_STATE}; need to check for signatures."+}
{+ SB_BOOT_ERROR=$ERR_NO_VALID_SIG+}
{+ ;;+}
{+ *)+}
{+ echo "Unexpected output from mokutil:"+}
{+ echo '"""'+}
{+ echo "${SB_STATE}"+}
{+ echo '"""'+}
{+ echo "Please report this as a bug agsinst shim-signed, including the above information."+}
{+ exit 1+}
{+ ;;+}
{+ esac+}
{+ fi+}
{++}
{+ if [ $SB_BOOT_ERROR != $ERR_NONE ]; then+}
{+ echo "Checking shim signatures on $SHIM:"+}
{++}
{+ # Secure Boot is enabled - we need to check that our shim+}
{+ # is signed by a key in the DB list.+}
{++}
{+ # Check against all the keys in the DB list+}
{+ for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do+}
{+ for sig in ${SHIM_SIGS}; do+}
{+ if [ "$dbkey" = "$sig" ]; then+}
{+ echo "- signed by DB key $dbkey, should boot OK"+}
{+ SB_BOOT_ERROR=$ERR_NONE+}
{+ fi+}
{+ done+}
{+ done+}
{++}
{+ # Next, check against the blacklisted keys in DBX - any+}
{+ # blacklisted sig will block boot of a shim signed with+}
{+ # that sig.+}
{+ for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do+}
{+ for sig in ${SHIM_SIGS}; do+}
{+ if [ "$dbxkey" = "$sig" ]; then+}
{+ echo "- signed by DBX key $dbxkey, will be blocked from booting"+}
{+ SB_BOOT_ERROR=$ERR_REVOKED+}
{+ fi+}
{+ done+}
{+ done+}
{+ fi+}
{++}
{+ if [ $SB_BOOT_ERROR != $ERR_NONE ]; then+}
{+ if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then+}
{+ TEMPLATENAME=shim-signed/no-valid-sigs+}
{+ elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then+}
{+ TEMPLATENAME=shim-signed/revoked-sig+}
{+ fi+}
{++}
{+ db_version 2.0+}
{+ db_fset "$TEMPLATENAME" seen false+}
{+ db_reset "$TEMPLATENAME"+}
{+ db_input critical "$TEMPLATENAME" || true+}
{+ db_go+}
{+ db_stop+}
{+ exit 1+}
{+ fi+}
{+esac+}
No differences were encountered between the prerm files
No differences were encountered between the triggers files
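Review bot: The new preinst check fails open when `mokutil` is missing (`Mokutil is not installed, assuming things will be OK.`), and the control diff adds `mokutil` only to `Depends` while `Pre-Depends` lists just `debconf`, so on an upgrade from 1.44 the tool may not be unpacked when preinst runs and the Secure Boot check is skipped. If that is intended, the branch should say so, e.g. `# mokutil is only in Depends and may be absent at preinst time; skip the check rather than block the upgrade`. Separately, the DBX loop matches only `SHA1 Fingerprint:` lines, so it sees certificate entries; a revocation listed in dbx as an image hash would presumably go unnoticed, which the comment above that loop should state as a known limit. The unexpected-output message also has a typo, `bug agsinst shim-signed` should read `against`.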