Version in base suite: 1.38 Base version: shim-signed_1.38 Target version: shim-signed_1.39~1+deb11u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/shim-signed/shim-signed_1.38.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/shim-signed/shim-signed_1.39~1+deb11u1.dsc /srv/release.debian.org/tmp/sllwrhbx4j/shim-signed-1.39~1+deb11u1/shimia32.efi.signed |binary /srv/release.debian.org/tmp/sllwrhbx4j/shim-signed-1.39~1+deb11u1/shimx64.efi.signed |binary shim-signed-1.39~1+deb11u1/debian/changelog | 14 ++++++++++ shim-signed-1.39~1+deb11u1/debian/control | 4 +- shim-signed-1.39~1+deb11u1/debian/shim-signed.postinst | 4 ++ shim-signed-1.39~1+deb11u1/debian/shim-signed.postrm | 4 ++ 6 files changed, 22 insertions(+), 4 deletions(-) diff -Nru shim-signed-1.38/debian/changelog shim-signed-1.39~1+deb11u1/debian/changelog --- shim-signed-1.38/debian/changelog 2021-07-12 11:46:52.000000000 +0000 +++ shim-signed-1.39~1+deb11u1/debian/changelog 2023-03-08 22:48:28.000000000 +0000 @@ -1,3 +1,17 @@ +shim-signed (1.39~1+deb11u1) bullseye; urgency=medium + + * Build against new signed binaries corresponding to 15.7-1~deb11u1 + Pulls multiple bugfixes in for the signed version: + + Make sbat_var.S parse right with buggy gcc/binutils + + Enable NX support at build time, as required by policy for signing + new shim binaries. + * Update build-dep on shim-unsigned to use 15.7-1~deb11u1 + * Block Debian grub binaries with sbat < 4 (see #1024617) + + Update Depends on grub2-common to match. + * postinst/postrm: make config_item() more robust + + -- Steve McIntyre <93sam@debian.org> Wed, 08 Mar 2023 22:48:46 +0000 + shim-signed (1.38) unstable; urgency=medium * Tweak how we call grub-install; don't abort on error. Not ideal diff -Nru shim-signed-1.38/debian/control shim-signed-1.39~1+deb11u1/debian/control --- shim-signed-1.38/debian/control 2021-07-12 11:46:52.000000000 +0000 +++ shim-signed-1.39~1+deb11u1/debian/control 2023-03-08 22:47:42.000000000 +0000 @@ -4,7 +4,7 @@ Maintainer: Debian EFI Team Uploaders: Steve McIntyre <93sam@debian.org>, Steve Langasek Build-Depends: debhelper (>= 13), - shim-unsigned (= 15.4-7), + shim-unsigned (= 15.7-1~deb11u1), # sbsigntool before 0.9.2-2 had a horrid bug with checksum calculation # which broke our build sbsigntool (>= 0.9.2-2), @@ -24,7 +24,7 @@ shim-helpers-i386-signed (>= 1+15.4+2) [i386], grub-efi-arm64-bin [arm64], shim-helpers-arm64-signed (>= 1+15.4+2) [arm64], - grub2-common (>= 2.02+dfsg1-16) + grub2-common (>= 2.06-3~deb11u5) Recommends: secureboot-db Built-Using: shim (= ${shim:Version}) Description: Secure Boot chain-loading bootloader (Microsoft-signed binary) diff -Nru shim-signed-1.38/debian/shim-signed.postinst shim-signed-1.39~1+deb11u1/debian/shim-signed.postinst --- shim-signed-1.38/debian/shim-signed.postinst 2021-07-12 11:45:15.000000000 +0000 +++ shim-signed-1.39~1+deb11u1/debian/shim-signed.postinst 2023-02-23 22:50:10.000000000 +0000 @@ -41,7 +41,9 @@ . /etc/default/grub || return for x in /etc/default/grub.d/*.cfg; do if [ -e "$x" ]; then - . "$x" + # Lose any output here so we don't confuse our + # caller. The xen packages echo stuff here, Aargh! + . "$x" > /dev/null fi done fi diff -Nru shim-signed-1.38/debian/shim-signed.postrm shim-signed-1.39~1+deb11u1/debian/shim-signed.postrm --- shim-signed-1.38/debian/shim-signed.postrm 2021-07-12 11:46:03.000000000 +0000 +++ shim-signed-1.39~1+deb11u1/debian/shim-signed.postrm 2023-02-23 22:50:10.000000000 +0000 @@ -44,7 +44,9 @@ . /etc/default/grub || return for x in /etc/default/grub.d/*.cfg; do if [ -e "$x" ]; then - . "$x" + # Lose any output here so we don't confuse our + # caller. The xen packages echo stuff here, Aargh! + . "$x" > /dev/null fi done fi Binary files /srv/release.debian.org/tmp/8c6hWQMDAe/shim-signed-1.38/shimia32.efi.signed and /srv/release.debian.org/tmp/sllwrhbx4j/shim-signed-1.39~1+deb11u1/shimia32.efi.signed differ Binary files /srv/release.debian.org/tmp/8c6hWQMDAe/shim-signed-1.38/shimx64.efi.signed and /srv/release.debian.org/tmp/sllwrhbx4j/shim-signed-1.39~1+deb11u1/shimx64.efi.signed differ