Version in base suite: 1.44~1+deb12u1

Version in overlay suite: 1.51~1+deb12u1

Base version: shim-signed_1.44~1+deb12u1

Target version: shim-signed_1.51~1+deb12u1

Base files: shim-signed_1.44~1+deb12u1+15.8-1~deb12u1_i386.deb

Target files: shim-signed_1.51~1+deb12u1+16.1-2~deb12u1_i386.deb

New files in second set of .debs, found in package shim-signed

-rw-r--r-- root/root DEBIAN/templates

Control files: lines which differ

Built-Using: shim (= 15.8-1~deb12u1) 16.1-2~deb12u1)
Depends: debconf (>= 0.5) | debconf-2.0, mokutil, shim-signed-common (>= 1.44~1+deb12u1), 1.51~1+deb12u1), grub-efi-ia32-bin, shim-helpers-i386-signed (>= 1+15.8+1~deb12u1), grub2-common (>= 2.06-13+deb12u1)
Microsoft UEFI CA. CA(s).
Installed-Size: 773 853
Pre-Depends: debconf

Postrm files: lines which differ

# Automatically added by dh_installdebconf/13.11.4
if [ "$1" = purge ] && [ -e /usr/share/debconf/confmodule ]; then
. /usr/share/debconf/confmodule
db_purge
fi
# End automatically added section
{++}
{++}
# If we're not on an EFI system, do nothing else

Preinst files: lines which differ

type=$1
{++}
. /usr/share/debconf/confmodule
{++}
# Only change LC_ALL after loading debconf to ensure any debconf templates
# are properly localized.
export LC_ALL=C
{++}
# Select the right target architecture for grub-install
ARCH=$(dpkg --print-architecture)
case ${ARCH} in
amd64)
EFI_ARCH="x64";;
i386)
EFI_ARCH="ia32";;
arm64)
EFI_ARCH="aa64";;
*)
echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT"
exit 1
;;
esac
{++}
SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed"
SHIM_SIGS=" 46:de:f6:3b:5c:e6:1c:f8:ba:0d:e2:e6:63:9c:10:19:d0:ed:14:f3 b5:ee:b4:a6:70:60:48:07:3f:0e:d2:96:e7:f5:80:a7:90:b5:9e:aa"
{++}
# Known error possibilities
ERR_NONE=0
ERR_NO_VALID_SIG=1
ERR_REVOKED=2
{++}
# Set the default error - no sigs found yet
SB_BOOT_ERROR=$ERR_NO_VALID_SIG
{++}
case "$type" in
install|upgrade)
{++}
echo "shim-signed: checking if we can safely install $SHIM"
{++}
if ! type mokutil > /dev/null 2>&1; then
echo " Mokutil is not installed, assuming things will be OK."
SB_BOOT_ERROR=$ERR_NONE
else
# Check that we can safely boot this shim.
# We don't care if the platform is in setup mode.
SB_STATE=$(mokutil --sb-state 2>&1 | grep -v \
-e "Platform is in Setup Mode" \
-e "SecureBoot validation is disabled in shim")
# If SB is not enabled (etc.) then this shim is fine
case "${SB_STATE}" in
"SecureBoot disabled"|"This system doesn't support Secure Boot")
echo " ${SB_STATE}; shim installation is safe."
SB_BOOT_ERROR=$ERR_NONE
;;
"EFI variables are not supported on this system"|"Cannot determine secure boot state")
echo " ${SB_STATE}; assuming shim installation is safe."
SB_BOOT_ERROR=$ERR_NONE
;;
"SecureBoot enabled")
echo " ${SB_STATE}; need to check for signatures."
SB_BOOT_ERROR=$ERR_NO_VALID_SIG
;;
*)
echo "Unexpected output from mokutil:"
echo '"""'
echo "${SB_STATE}"
echo '"""'
echo "Please report this as a bug agsinst shim-signed, including the above information."
exit 1
;;
esac
fi
{++}
if [ $SB_BOOT_ERROR != $ERR_NONE ]; then
echo "Checking shim signatures on $SHIM:"
{++}
# Secure Boot is enabled - we need to check that our shim
# is signed by a key in the DB list.
{++}
# Check against all the keys in the DB list
for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do
for sig in ${SHIM_SIGS}; do
if [ "$dbkey" = "$sig" ]; then
echo "- signed by DB key $dbkey, should boot OK"
SB_BOOT_ERROR=$ERR_NONE
fi
done
done
{++}
# Next, check against the blacklisted keys in DBX - any
# blacklisted sig will block boot of a shim signed with
# that sig.
for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do
for sig in ${SHIM_SIGS}; do
if [ "$dbxkey" = "$sig" ]; then
echo "- signed by DBX key $dbxkey, will be blocked from booting"
SB_BOOT_ERROR=$ERR_REVOKED
fi
done
done
fi
{++}
if [ $SB_BOOT_ERROR != $ERR_NONE ]; then
if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then
TEMPLATENAME=shim-signed/no-valid-sigs
elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then
TEMPLATENAME=shim-signed/revoked-sig
fi
{++}
db_version 2.0
db_fset "$TEMPLATENAME" seen false
db_reset "$TEMPLATENAME"
db_input critical "$TEMPLATENAME" || true
db_go
db_stop
exit 1
fi
esac
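Review bot: The DBX revocation loop, `for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}')`, never checks that mokutil succeeded: the pipeline's status is awk's, so if reading DBX fails the loop runs zero times, SB_BOOT_ERROR keeps the ERR_NONE set by the DB match, and a revoked signer is reported as "should boot OK" (the DB loop has the same shape, but there a failure falls through to the no-valid-sigs prompt, which is the safe direction). I would read DBX into a variable first and abort when that fails, as below. Separately, as far as I can tell from the awk filter, only certificate entries (those printing `SHA1 Fingerprint:`) are compared, so DBX entries that are hashes of individual binaries would not be seen; a comment such as `# Only certificate revocations are detected here; hash-based DBX entries are not checked` next to the DBX loop would keep the "will be blocked"/"should boot OK" messages honest. The message at `Please report this as a bug agsinst shim-signed` has a typo ("agsinst") in user-facing text. The preinst's prologue (shebang, any `set -e`) and whatever follows `esac` are outside this diff.
```shell
# … unchanged: DB key check …
# Read DBX first so a failed mokutil call is not mistaken for "nothing revoked".
if ! DBX_OUT=$(mokutil --dbx 2>&1); then
    echo "Cannot read DBX from mokutil:"
    echo "${DBX_OUT}"
    exit 1
fi
# Only certificate revocations are detected here; hash-based DBX entries are not checked.
for dbxkey in $(printf '%s\n' "${DBX_OUT}" | awk '/^SHA1 Fingerprint:/ {print $3}'); do
# … unchanged: comparison against SHIM_SIGS …
```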