Version in base suite: 1.47 Base version: shim-signed_1.47 Target version: shim-signed_1.51~1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/s/shim-signed/shim-signed_1.47.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/s/shim-signed/shim-signed_1.51~1+deb13u1.dsc /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/TEST-shimx64.efi.signed.multi |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/TEST-shimx64.efi.signed.snakeoil |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed.MS-2011 |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed.MS-2023 |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed.MS-2011 |binary /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed.MS-2023 |binary shim-signed-1.51~1+deb13u1/0001-MicCorUEFCA2011_2011-06-27.crt | 35 + shim-signed-1.51~1+deb13u1/0002-Microsoft_UEFI_CA_2023.crt | 33 + shim-signed-1.51~1+deb13u1/0010-snakeoil.crt | 21 shim-signed-1.51~1+deb13u1/0020-wrong.crt | 26 shim-signed-1.51~1+deb13u1/Makefile | 14 shim-signed-1.51~1+deb13u1/MicCorUEFCA2011_2011-06-27.crt | 35 - shim-signed-1.51~1+deb13u1/debian/changelog | 47 + shim-signed-1.51~1+deb13u1/debian/control | 10 shim-signed-1.51~1+deb13u1/debian/generate_preinst | 11 shim-signed-1.51~1+deb13u1/debian/rules | 9 shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst | 7 shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst.in | 126 +++ shim-signed-1.51~1+deb13u1/debian/shim-signed.templates | 29 shim-signed-1.51~1+deb13u1/debian/source/lintian-overrides | 3 shim-signed-1.51~1+deb13u1/verify_combine_sigs | 323 ++++++++++ 23 files changed, 668 insertions(+), 61 deletions(-) 
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpx_hhlk72/shim-signed_1.47.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpx_hhlk72/shim-signed_1.51~1+deb13u1.dsc: no acceptable signature found
diff -Nru shim-signed-1.47/0001-MicCorUEFCA2011_2011-06-27.crt shim-signed-1.51~1+deb13u1/0001-MicCorUEFCA2011_2011-06-27.crt
--- shim-signed-1.47/0001-MicCorUEFCA2011_2011-06-27.crt 1970-01-01 00:00:00.000000000 +0000
+++ shim-signed-1.51~1+deb13u1/0001-MicCorUEFCA2011_2011-06-27.crt 2026-06-22 21:30:37.000000000 +0000
@@ -0,0 +1,35 @@ +-----BEGIN CERTIFICATE----- +MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG +A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx +HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z +b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN +MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR +BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p +Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0 +aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug ++01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI +rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ +E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp +XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L +71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB +AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW +BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA +QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD +4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p +Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f +MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv +b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q +aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz +Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g +Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX +i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM +sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh +aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk +BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs 
+deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5 +QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7 +5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu +AkXuZcK2o35pFnUHkpv1prxZg1g= +-----END CERTIFICATE----- diff -Nru shim-signed-1.47/0002-Microsoft_UEFI_CA_2023.crt shim-signed-1.51~1+deb13u1/0002-Microsoft_UEFI_CA_2023.crt --- shim-signed-1.47/0002-Microsoft_UEFI_CA_2023.crt 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/0002-Microsoft_UEFI_CA_2023.crt 2026-06-22 21:30:37.000000000 +0000 
@@ -0,0 +1,33 @@ +-----BEGIN CERTIFICATE----- +MIIFpDCCA4ygAwIBAgITMwAAABY2vzaJnxV1zAAAAAAAFjANBgkqhkiG9w0BAQsF +ADBaMQswCQYDVQQGEwJVUzEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9u +MSswKQYDVQQDEyJNaWNyb3NvZnQgUlNBIERldmljZXMgUm9vdCBDQSAyMDIxMB4X +DTIzMDYxMzE5MjE0N1oXDTM4MDYxMzE5MzE0N1owTjELMAkGA1UEBhMCVVMxHjAc +BgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEfMB0GA1UEAxMWTWljcm9zb2Z0 +IFVFRkkgQ0EgMjAyMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL0i +Kq7vGjGFE3hRp5v9/HjRY7gam2P1EgbbS0E1am+r9WoEzJfPu9QICRphOg3ms6BG +/wmt3oAk3BKA8l/ZFu3iQp3NL01hAmGKHEsdGGI5hpdxrT5/XXETS+kqAMG+1bcA +n15lsiwa/3Tt6oPSOYkzNXN9oKL6QORmUFiq/IfoXCCDNOyr4gvFXz7/SCsRkSbv +GG5XxZ8Yc5nv4Wp0K7svf1COHdo9drYE5cwuEMeDG4Oj5KUTE3FuM3ijqDzsSCZe +x8ZeDYeaqsxVNIGtnZD15pZjpugHIBfIkx7SrqTcrn1Zv4heYgyuW/IpQFYdJkDe +haatVtHPVUd2X5w52wMCAwEAAaOCAW0wggFpMA4GA1UdDwEB/wQEAwIBhjAQBgkr +BgEEAYI3FQEEAwIBADAdBgNVHQ4EFgQUgaprMkTJNbzg1mKK85gnQh4ySX0wGQYJ +KwYBBAGCNxQCBAweCgBTAHUAYgBDAEEwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME +GDAWgBSERIYGAJg/LKqzxYnzrC7J5p0JAzBlBgNVHR8EXjBcMFqgWKBWhlRodHRw +Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBSU0El +MjBEZXZpY2VzJTIwUm9vdCUyMENBJTIwMjAyMS5jcmwwcgYIKwYBBQUHAQEEZjBk +MGIGCCsGAQUFBzAChlZodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Nl +cnRzL01pY3Jvc29mdCUyMFJTQSUyMERldmljZXMlMjBSb290JTIwQ0ElMjAyMDIx +LmNydDANBgkqhkiG9w0BAQsFAAOCAgEAB2ATKlOHEg8a81oUlRfl2NeVVJuLDt2R +pe3HXUdQk0W3lYhfFxlBY3a1grCoxZ2ZFTaJSb4Swmb7gwywgc7lpKvCoJrr9Qc8 +/iH4mtwZIQyeJCzRXKIWCkvr7EicsVt02wFkwuOAaqsazXcbajmat7pwRP9nlMWB +BvDLgQSTJyGZvYeIFJwicQ4LL1y+uJBUfMAevCubo1YXS5fn438TNPqwNGub9rIt +99h72CDTXKeVTE8q+eceaK/8bI/Ihj2fyNHvTRrI0fb9LXzj6EHB6ifB+44lhlqJ +phC+zuOPpXvEGqDodZD9IbDBo8UWI148zi/+jJi/CFz2ucWyPLbMyOx/0nd0y+3z +lsmLjRwqiQ+jj73OKoVGmiOij0LAmdbqhR9hGb4WNbd1oJWAZQaH1As1yMSqDs6i +CmNgyksrXCcEgq8+WIN6WthnPxBT9QwW9yZLioC5xR+g3tjTYUQURaf1q5qIF/23 +lFQCi+S3U6E+jZ5QgqgA4HiUG76zxDAfsg7b8EaQweZX/nzBcLIcS2TZEAMbNPtm +z4JunkCoETfyZYshCa88k2I987yD3T9VkBXSMa8R5/jKoILhuc+zV5PHVTesf0G/ 
+H5Y88yaU+djSVSSKirZB8OAWwCOSjHEKTGoNGVX3OpySIZah1fgKjJ2/yevKiEL8 +S7Tv/ycwIWE= +-----END CERTIFICATE----- diff -Nru shim-signed-1.47/0010-snakeoil.crt shim-signed-1.51~1+deb13u1/0010-snakeoil.crt --- shim-signed-1.47/0010-snakeoil.crt 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/0010-snakeoil.crt 2026-06-22 21:30:37.000000000 +0000 @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDdzCCAl+gAwIBAgIULTs+L+8XzClMGhAvyFIdsp/PYgUwDQYJKoZIhvcNAQEL +BQAwSjELMAkGA1UEBhMCVVMxETAPBgNVBAgMCENvbG9yYWRvMRUwEwYDVQQHDAxG +b3J0IENvbGxpbnMxETAPBgNVBAoMCFNuYWtlT2lsMCAXDTIwMDkwNzE4NDMyMloY +DzIxMjAwODE0MTg0MzIyWjBKMQswCQYDVQQGEwJVUzERMA8GA1UECAwIQ29sb3Jh +ZG8xFTATBgNVBAcMDEZvcnQgQ29sbGluczERMA8GA1UECgwIU25ha2VPaWwwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIi65d6LmojD5S9q8vE/LI2HHQ +boiO5/1KrFVc6kpxD6XdkJwpBoItYIfSls9CPnzvNWOAxR3hIeBd1U/prAPPxvQ1 +wuDLMXfWkcGaYHfPnme/YluAjnpuLH1MQcumgOzj5xYBvZZk+RbytX/phH7FW4Tx ++L1oBYnsfh3BSE/NTtEEHV1nXAXpa/dvyefWMlrlbwjfM5362lZzM6yrJGcOcWEy +I66UYCIVO2Yhe/ZVF5B/tPGtd2oACz11xLeqLPM1WBjlekAG2Zi7UCPIvDCpdn5u +Vna2ZRQmJyDDdh0Ja2VMC19dkMd/5nOAI21O+FvYPOkBWYX8f4DzDyVQlmIFAgMB +AAGjUzBRMB0GA1UdDgQWBBRjuNXuXfh7mi8I3eTboeYGyFTa2zAfBgNVHSMEGDAW +gBRjuNXuXfh7mi8I3eTboeYGyFTa2zAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3 +DQEBCwUAA4IBAQBW2ckn0APqBnwSiOXCWkMCnvY7K7UOfxAlotEsMFSrkzdEa4IE +sn0+A3RV/r3HZGqIaE8GMsBqp8UiVIbL5H67dkqvJEke94/7wEUC16JSSOBc0Mac +HeArDWsL/WIbzKiVcRrmgX+XwJFlsUN5UtR/feTHR08yiy5srSCIJEqli/cTrOxS +JAgvWPLxcoFhOKf6Mi+nwWdrQEbpXvvv8Jv/qyyz5e/VmTRY0wIVmUjd+Yseu+5M +3+cpKtlYaawMxVni5RibA0A12fm+i60fGPrkCNhascUrNY+Oppaf/h+QmKOwEM7h +pqKXyGFQyU6dB6cFBQ/uD5IABUYuEOuL7VFY +-----END CERTIFICATE----- diff -Nru shim-signed-1.47/0020-wrong.crt shim-signed-1.51~1+deb13u1/0020-wrong.crt --- shim-signed-1.47/0020-wrong.crt 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/0020-wrong.crt 2026-06-22 21:30:37.000000000 +0000 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEUzCCAzugAwIBAgIUa3jcFK7TK14FlPqQlHZGuPANPiMwDQYJKoZIhvcNAQEL +BQAwgYoxCzAJBgNVBAYTAkdCMQ4wDAYDVQQIDAVDYW1iczESMBAGA1UEBwwJQ2Ft +YnJpZGdlMQ8wDQYDVQQKDAZTbGVkZ2UxJTAjBgNVBAMMHFNlY3VyZSBCb290IFNp +Z25pbmcgdGVzdCBrZXkxHzAdBgkqhkiG9w0BCQEWEHN0ZXZlQGVpbnZhbC5jb20w +IBcNMTkwNDI4MjMyNDA1WhgPMjExOTA0MDQyMzI0MDVaMIGKMQswCQYDVQQGEwJH +QjEOMAwGA1UECAwFQ2FtYnMxEjAQBgNVBAcMCUNhbWJyaWRnZTEPMA0GA1UECgwG +U2xlZGdlMSUwIwYDVQQDDBxTZWN1cmUgQm9vdCBTaWduaW5nIHRlc3Qga2V5MR8w +HQYJKoZIhvcNAQkBFhBzdGV2ZUBlaW52YWwuY29tMIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEArc9AXOIymkUfi3XJD1vZk7LR4cBVdQR71RGQxuM4omg/ +dvu+xaLH+hiwUGQ4/BvOBh95JcKg+ryCRWuILNTbYmxSB6TlJcv/JQgJ7iUmzVcH +NFeEvtfV6Xd5zbh4wqK6ugtiqa7SGEhYKncHcbCL44gZdMKyamEeb5BMaL1VbBSQ +baNeNUiaHeLwREBmNTi+tb0Btq1vTuzNzBN8baGk2RvP91gCUeCN+ILA0DXZ4a43 +flrLt+5d3go76p464htYB+Ab/Z/AFgEBWoKZm6MYZc8igCMdTyLY5Pn4FIX7r23T +5g1u8pCf5MaEO1+ABxnVxim3hbvouABjlNj3BE2HZwIDAQABo4GsMIGpMB0GA1Ud +DgQWBBSND9MzlvKlYN9gpyzKQaKbkq1kjTAfBgNVHSMEGDAWgBSND9MzlvKlYN9g +pyzKQaKbkq1kjTAMBgNVHRMBAf8EAjAAMCsGA1UdJQQkMCIGCCsGAQUFBwMDBgor +BgEEAYI3CgMGBgorBgEEAZIIEAECMCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdl +bmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEABJDbjwU0Ua+B +xFGfJlYFBlOzGa+Ppj0zQFonSnEA6zXVTOrnZulScKVUzEBaTA64TY6YdGELums+ +vGPiJ5/JWAY6FAiceXAEy+aIUXBHT1NQbis4kGOaYYiFCMkSOA1QH34/3zLVk3y1 +n//BSURlCh4amKoUZO3H1rS8hqQRYP4Hprv7TTJ+qvlKlKiYZcuODFyAusx+No1T +5ht9dGzDtq9CX7Xi4BVHNVddEN1wKC8+9PlGB837DQUqofXGGt7C9fhIa10h/xWL +KC+c5gaqgG8nBr7qVI7xlAqDq9Mr4ZoWwv43HGHno57d95blMj17aGjBRHF/Y2ak +ebBQxN+Z7A== +-----END CERTIFICATE----- diff -Nru shim-signed-1.47/Makefile shim-signed-1.51~1+deb13u1/Makefile --- shim-signed-1.47/Makefile 2025-06-22 21:53:30.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/Makefile 2026-06-22 21:30:37.000000000 +0000 
@@ -1,15 +1,7 @@
-all: verify
+all: verify_combine
-verify:
- mkdir -p build
- # Verifying that the image is signed with the correct key.
- sbverify --cert MicCorUEFCA2011_2011-06-27.crt shim$(EFI_ARCH).efi.signed
- # Verifying that we have the correct binary.
- sbattach --detach build/detached-sig shim$(EFI_ARCH).efi.signed
- cp /usr/lib/shim/shim$(EFI_ARCH).efi build/shim$(EFI_ARCH).efi.signed
- sbattach --attach build/detached-sig build/shim$(EFI_ARCH).efi.signed
- cmp shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed
- sha256sum shim$(EFI_ARCH).efi.signed build/shim$(EFI_ARCH).efi.signed
+verify_combine:
+ ./verify_combine_sigs -a ${EFI_ARCH} shim*$(EFI_ARCH).efi*signed*
clean:
rm -rf build
diff -Nru shim-signed-1.47/MicCorUEFCA2011_2011-06-27.crt shim-signed-1.51~1+deb13u1/MicCorUEFCA2011_2011-06-27.crt
--- shim-signed-1.47/MicCorUEFCA2011_2011-06-27.crt 2019-03-06 21:15:15.000000000 +0000
+++ shim-signed-1.51~1+deb13u1/MicCorUEFCA2011_2011-06-27.crt 1970-01-01 00:00:00.000000000 +0000
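Review bot: The input glob `shim*$(EFI_ARCH).efi*signed*` in the new verify_combine recipe also matches the top-level `shimx64.efi.signed` / `shimaa64.efi.signed` that the diffstat shows are still shipped in the source tree, and verify_combine_sigs aborts on any input that does not carry exactly one signature; so if that file is ever the combined dual-signed output the build fails, and if it is a duplicate of one of the MS-* inputs its detached signature silently overwrites the earlier one in build/. Naming the inputs is more predictable: `./verify_combine_sigs -a $(EFI_ARCH) shim$(EFI_ARCH).efi.signed.MS-2011 shim$(EFI_ARCH).efi.signed.MS-2023`. The recipe also mixes `${EFI_ARCH}` and `$(EFI_ARCH)`; make treats them identically, but one spelling is easier to grep for.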
@@ -1,35 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDANBgkqhkiG9w0BAQsFADCBkTELMAkG -A1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQx -HjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE7MDkGA1UEAxMyTWljcm9z -b2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5IE1hcmtldHBsYWNlIFJvb3QwHhcN -MTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1WjCBgTELMAkGA1UEBhMCVVMxEzAR -BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p -Y3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0 -aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwftkn0LsnO/DArGSkVhoMUWLZbT9Sug -+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gyu4xHye5xvCFPmop8/0Q/jY8ysiZI -rnW17slMHkoZfuSCmh14d00MsL32D9MW07z6K6VROF31+7rbeALb/+wKG5bVg7gZ -E+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk55dqyYotNvzhw4mgkFMkzpAg31Vhp -XtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxhZ4pb/V6th3+6hmdPcVgSIgQiIs6L -71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYwggFyMBIGCSsGAQQBgjcVAQQFAgMB -AAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK8yU3HU6hJnsPIHCAMB0GA1UdDgQW -BBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMA -QTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRFZlJD -4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBTMFGgT6BNhktodHRwOi8vY3JsLm1p -Y3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNDb3JUaGlQYXJNYXJSb29f -MjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRodHRw -Oi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY0NvclRoaVBhck1hclJv -b18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0BAQsFAAOCAgEANQhC/zDMzvd2DK0Q -aFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lYNKYWC4KqXa2C2oCDQQaPtB3yA7nz -Gl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ2w/8d56Vc5GIyr29UrkFUA3fV56g -Ye0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8uSs9SSsfMvxqIWlPm8h+QjT8NgYX -i48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLRB7+7dN/cHo+A1e0Y9C8UFmsv3maM -sCPlx4TY7erBM4KtVksYLfFolQfNz/By8K673YaFmCwhTDMr8A9K8GiHtZJVMnWh -aoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0HYw9Rw5EpuSwmzQ1sfq2U6gsgeyk -BXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6QI7UvXo9QhY3GjYJfQaH0Lg3gmdJs 
-deS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJylYaw8TVhahn1sjuBUFamMi3+oon5 -QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpcAj/lluOFWzw+P7tHFnJV4iUisdl7 -5wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79AnoKBZN2D4OJS44Hhw+LpMhoeU9uCu -AkXuZcK2o35pFnUHkpv1prxZg1g= ------END CERTIFICATE----- Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/TEST-shimx64.efi.signed.multi and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/TEST-shimx64.efi.signed.multi differ Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/TEST-shimx64.efi.signed.snakeoil and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/TEST-shimx64.efi.signed.snakeoil differ diff -Nru shim-signed-1.47/debian/changelog shim-signed-1.51~1+deb13u1/debian/changelog --- shim-signed-1.47/debian/changelog 2025-07-29 17:40:12.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/changelog 2026-06-22 21:30:37.000000000 +0000 
@@ -1,3 +1,50 @@ +shim-signed (1.51~1+deb13u1) trixie; urgency=medium + + * Signed versions of the 16.1-2~deb13u1 shim build for trixie + * Update build-dep to use 16.1-2~deb13u1 + + -- Steve McIntyre <93sam@debian.org> Mon, 22 Jun 2026 22:30:37 +0100 + +shim-signed (1.51) unstable; urgency=medium + + * In preinst, don't look for the included binary. There's no point. + * More minor tweaks to the verify_combine_sigs script, and add an + explicit license + + -- Steve McIntyre <93sam@debian.org> Sun, 21 Jun 2026 23:20:48 +0100 + +shim-signed (1.50) unstable; urgency=medium + + * Fix up stupid omission in the previous package upload - the + changes in 1.49 did not take into account the "SecureBoot enabled" + case when adding a default error trap. Closes: #1137098, #1137101. + + -- Steve McIntyre <93sam@debian.org> Tue, 19 May 2026 23:35:39 +0100 + +shim-signed (1.49) unstable; urgency=medium + + * Make mokutil parsing more robust. Closes: #1137063 + + Cope with "Platform is in Setup Mode" message + + If we get any other unexpected output, print what we got for debugging. + + -- Steve McIntyre <93sam@debian.org> Tue, 19 May 2026 09:42:16 +0100 + +shim-signed (1.48) unstable; urgency=medium + + * Add support for verifying and then combining signatures from + multiple signed shims. + + Existing sbverify versions in Debian are buggy when verifying. + + Switch to using a python script verify_combine_sigs to fill in + the gaps. + * In preinst, try to verify that the signed shim we're trying to + install will actually boot on this system - let's not break + systems on upgrade. + * We now include a dual-signed shim including the 2023 CA. + Closes: #1112197 + * The shim included is now NX-capable. 
Closes: #1064102 + + -- Steve McIntyre <93sam@debian.org> Sun, 17 May 2026 22:47:06 +0100 + shim-signed (1.47) unstable; urgency=medium * update-secureboot-policy: do better checking around DKMS diff -Nru shim-signed-1.47/debian/control shim-signed-1.51~1+deb13u1/debian/control --- shim-signed-1.47/debian/control 2025-07-29 17:21:12.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/control 2026-06-22 21:30:37.000000000 +0000 @@ -4,22 +4,26 @@ Maintainer: Debian EFI Team Uploaders: Steve McIntyre <93sam@debian.org>, Steve Langasek Build-Depends: debhelper (>= 13), - shim-unsigned (= 15.8-1), + shim-unsigned (= 16.1-2~deb13u1), shim-helpers-amd64-signed [amd64], shim-helpers-arm64-signed [arm64], # sbsigntool before 0.9.2-2 had a horrid bug with checksum calculation # which broke our build sbsigntool (>= 0.9.2-2), po-debconf, - debhelper-compat (= 13) + debhelper-compat (= 13), + python3-cryptography, Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/efi-team/shim-signed Vcs-Git: https://salsa.debian.org/efi-team/shim-signed.git +Rules-Requires-Root: no Package: shim-signed Architecture: amd64 arm64 Multi-Arch: same +Pre-Depends: debconf Depends: ${misc:Depends}, + mokutil, shim-signed-common (>= ${source:Version}), grub-efi-amd64-bin [amd64] | systemd-boot [amd64], shim-helpers-amd64-signed (>= ${helpers:Version}) [amd64], @@ -35,7 +39,7 @@ an OS distributor to revision their main bootloader independently of the CA. . This package contains the version of the bootloader binary signed by the - Microsoft UEFI CA. + Microsoft UEFI CA(s). Package: shim-signed-common Multi-Arch: foreign diff -Nru shim-signed-1.47/debian/generate_preinst shim-signed-1.51~1+deb13u1/debian/generate_preinst --- shim-signed-1.47/debian/generate_preinst 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/generate_preinst 2026-06-22 21:30:37.000000000 +0000 
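Review bot: `mokutil` is added to Depends, but the new preinst runs it, and Depends are not guaranteed to be unpacked when preinst executes on a fresh install; the preinst then takes its "Mokutil is not installed, assuming things will be OK" branch, so the Secure Boot safety check in practice only protects upgrades on systems where mokutil already happens to be present. If first installs are meant to be covered too, mokutil has to sit in Pre-Depends next to debconf (Debian Policy asks for Pre-Depends additions to be discussed on debian-devel first); otherwise the limitation should be stated in the changelog entry for 1.48 so nobody relies on the check where it cannot run.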
@@ -0,0 +1,11 @@ +#!/bin/sh +# +# Embed the signatures for the shim binary in preinst, so we have them +# before any files are installed. + +KNOWN_SIGS="" +for entry in $(cat build/*-signatures); do + KNOWN_SIGS="$KNOWN_SIGS $entry" +done + +sed "s,@@SHIM_SIGNATURES@@,${KNOWN_SIGS}," debian/shim-signed.preinst.in > debian/shim-signed.preinst diff -Nru shim-signed-1.47/debian/rules shim-signed-1.51~1+deb13u1/debian/rules --- shim-signed-1.47/debian/rules 2025-06-22 21:53:30.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/rules 2026-06-22 21:30:37.000000000 +0000 @@ -22,16 +22,19 @@ docdir := debian/shim-signed-common/usr/share/doc/shim-signed-common -override_dh_installdebconf: - dh_installdebconf -p shim-signed-common - override_dh_installdeb: ifeq ($(VENDOR),Debian) # Remove apport files from Debian builds, they're not useful find debian/shim-signed-common -name '*apport*' | xargs rm -rvf endif + # Generate preinst from preinst.in + debian/generate_preinst dh_installdeb +override_dh_clean: + rm -f debian/shim-signed.preinst + dh_clean + override_dh_gencontrol: dh_gencontrol -- -v$(VERSION)+$(SHIM_VERSION) \ -Vshim:Version=$(SHIM_VERSION) \ diff -Nru shim-signed-1.47/debian/shim-signed.preinst shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst --- shim-signed-1.47/debian/shim-signed.preinst 2021-05-08 23:48:07.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst 1970-01-01 00:00:00.000000000 +0000 @@ -1,7 +0,0 @@ -#! /bin/sh - -set -e - -#DEBHELPER# - -exit 0 diff -Nru shim-signed-1.47/debian/shim-signed.preinst.in shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst.in --- shim-signed-1.47/debian/shim-signed.preinst.in 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/shim-signed.preinst.in 2026-06-22 21:30:37.000000000 +0000 
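Review bot: generate_preinst has no `set -e` and never checks that it found anything, so if `build/*-signatures` is missing or empty (verify_combine not run, or run for another arch) `cat` fails, `KNOWN_SIGS` stays empty, `sed` still succeeds, and the shipped preinst will refuse every install on a Secure Boot system with "No valid UEFI Secure Boot signatures found"; that failure belongs at build time. Add `set -e` after the shebang and, after the loop, `[ -n "$KNOWN_SIGS" ] || { echo "$0: no signatures found in build/*-signatures" >&2; exit 1; }`. The `s,...,` delimiter in the sed command is only safe because the fingerprints are hex digits and colons; a comment saying so would keep someone from "fixing" it later.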
@@ -0,0 +1,126 @@ +#! /bin/sh + +set -e + +type=$1 + +. /usr/share/debconf/confmodule + +# Only change LC_ALL after loading debconf to ensure any debconf templates +# are properly localized. +export LC_ALL=C + +# Select the right target architecture for grub-install +ARCH=$(dpkg --print-architecture) +case ${ARCH} in + amd64) + EFI_ARCH="x64";; + i386) + EFI_ARCH="ia32";; + arm64) + EFI_ARCH="aa64";; + *) + echo "Unsupported dpkg architecture ${ARCH} in $0. ABORT" + exit 1 + ;; +esac + +SHIM="/usr/lib/shim/shim${EFI_ARCH}.efi.signed" +SHIM_SIGS="@@SHIM_SIGNATURES@@" + +# Known error possibilities +ERR_NONE=0 +ERR_NO_VALID_SIG=1 +ERR_REVOKED=2 + +# Set the default error - no sigs found yet +SB_BOOT_ERROR=$ERR_NO_VALID_SIG + +case "$type" in + install|upgrade) + + echo "shim-signed: checking if we can safely install $SHIM" + + if ! type mokutil > /dev/null 2>&1; then + echo " Mokutil is not installed, assuming things will be OK." + SB_BOOT_ERROR=$ERR_NONE + else + # Check that we can safely boot this shim. + # We don't care if the platform is in setup mode. + SB_STATE=$(mokutil --sb-state 2>&1 | grep -v \ + -e "Platform is in Setup Mode" \ + -e "SecureBoot validation is disabled in shim") + # If SB is not enabled (etc.) then this shim is fine + case "${SB_STATE}" in + "SecureBoot disabled"|"This system doesn't support Secure Boot") + echo " ${SB_STATE}; shim installation is safe." + SB_BOOT_ERROR=$ERR_NONE + ;; + "EFI variables are not supported on this system"|"Cannot determine secure boot state") + echo " ${SB_STATE}; assuming shim installation is safe." + SB_BOOT_ERROR=$ERR_NONE + ;; + "SecureBoot enabled") + echo " ${SB_STATE}; need to check for signatures." + SB_BOOT_ERROR=$ERR_NO_VALID_SIG + ;; + *) + echo "Unexpected output from mokutil:" + echo '"""' + echo "${SB_STATE}" + echo '"""' + echo "Please report this as a bug agsinst shim-signed, including the above information." 
+ exit 1 + ;; + esac + fi + + if [ $SB_BOOT_ERROR != $ERR_NONE ]; then + echo "Checking shim signatures on $SHIM:" + + # Secure Boot is enabled - we need to check that our shim + # is signed by a key in the DB list. + + # Check against all the keys in the DB list + for dbkey in $(mokutil --db | awk '/^SHA1 Fingerprint:/ {print $3}'); do + for sig in ${SHIM_SIGS}; do + if [ "$dbkey" = "$sig" ]; then + echo "- signed by DB key $dbkey, should boot OK" + SB_BOOT_ERROR=$ERR_NONE + fi + done + done + + # Next, check against the blacklisted keys in DBX - any + # blacklisted sig will block boot of a shim signed with + # that sig. + for dbxkey in $(mokutil --dbx | awk '/^SHA1 Fingerprint:/ {print $3}'); do + for sig in ${SHIM_SIGS}; do + if [ "$dbxkey" = "$sig" ]; then + echo "- signed by DBX key $dbxkey, will be blocked from booting" + SB_BOOT_ERROR=$ERR_REVOKED + fi + done + done + fi + + if [ $SB_BOOT_ERROR != $ERR_NONE ]; then + if [ $SB_BOOT_ERROR = $ERR_NO_VALID_SIG ]; then + TEMPLATENAME=shim-signed/no-valid-sigs + elif [ $SB_BOOT_ERROR = $ERR_REVOKED ]; then + TEMPLATENAME=shim-signed/revoked-sig + fi + + db_version 2.0 + db_fset "$TEMPLATENAME" seen false + db_reset "$TEMPLATENAME" + db_input critical "$TEMPLATENAME" || true + db_go + db_stop + exit 1 + fi +esac + +#DEBHELPER# + +exit 0 diff -Nru shim-signed-1.47/debian/shim-signed.templates shim-signed-1.51~1+deb13u1/debian/shim-signed.templates --- shim-signed-1.47/debian/shim-signed.templates 1970-01-01 00:00:00.000000000 +0000 +++ shim-signed-1.51~1+deb13u1/debian/shim-signed.templates 2026-06-22 21:30:37.000000000 +0000 
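Review bot: The DBX loop only compares the SHA1 fingerprints of signing certificates that `mokutil --dbx` prints, while most DBX updates are per-image SHA-256 hashes and shim revocation also happens through SBAT, so "signed by DB key ..., should boot OK" is a statement about the signing CA only and cannot promise the image will boot; the comment above the loop should say so, e.g. `# Only certificate entries in DBX are checked here; image-hash and SBAT revocations are invisible to this test.` Checking DBX after DB so that a revoked signer overrides a trusted one matches, as far as I read the UEFI image-verification rules, firmware behaviour for multi-signed images (any forbidden signature rejects the image), and that is the reason the loop order matters, so it deserves a one-line comment. Under `set -e`, `SB_STATE=$(mokutil --sb-state 2>&1 | grep -v ...)` terminates the preinst with no message whenever grep selects no lines, i.e. if mokutil ever prints only the filtered lines or nothing at all; appending `|| true` inside the substitution keeps the later "Unexpected output from mokutil" path reachable. Finally, "agsinst" in the bug-report message should read "against".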
@@ -0,0 +1,29 @@
+Template: shim-signed/no-valid-sigs
+Type: error
+_Description: No valid UEFI Secure Boot signatures found
+ UEFI Secure Boot is enabled on your system, but the signed shim
+ binary in this package is not signed with a key that your system
+ trusts. This is a FATAL ERROR - your system will not currently
+ boot with this signed shim installed.
+ .
+ To fix this error, you probably need to update the trusted
+ certificates list (DB) on your system. See
+ .
+ https://wiki.debian.org/SecureBoot/CAChanges
+ .
+ for more information about how to do this.
+
+Template: shim-signed/revoked-sig
+Type: error
+_Description: Shim signed with a revoked key
+ UEFI Secure Boot is enabled on your system, but the signed shim
+ binary in this package is signed by a key that has been revoked on
+ your system. This is a FATAL ERROR - your system will not currently
+ boot with this shim installed.
+ .
+ To fix this error, you probably need to update the trusted
+ certificates revocation list (DBX) on your system. See
+ .
+ https://wiki.debian.org/SecureBoot/CAChanges
+ .
+ for more information about how to do this.
diff -Nru shim-signed-1.47/debian/source/lintian-overrides shim-signed-1.51~1+deb13u1/debian/source/lintian-overrides
--- shim-signed-1.47/debian/source/lintian-overrides 2025-06-22 21:53:30.000000000 +0000
+++ shim-signed-1.51~1+deb13u1/debian/source/lintian-overrides 2026-06-22 21:30:37.000000000 +0000
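Review bot: The revoked-sig template tells the user to update DBX, but a signer that is already in DBX stays blocked no matter how many further entries are added, so if the preinst check is right that one of the shim's signers is revoked the remedy is a signature the firmware still trusts (the newer CA enrolled in DB), not a DBX update; the wording should match whatever the linked wiki page actually asks for. Suggested replacement for the second paragraph: `To fix this error, you probably need to make sure a newer signing CA is present in the trusted certificates list (DB) on your system; a key already listed in DBX cannot be un-revoked. See`. Both templates could also drop the capitalised "FATAL ERROR", since `Type: error` shown at critical priority already conveys it.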
@@ -1,2 +1 @@
-shim-signed: source-contains-prebuilt-windows-binary [shimaa64.efi.signed]
-shim-signed: source-contains-prebuilt-windows-binary [shimx64.efi.signed]
+shim-signed: source-contains-prebuilt-windows-binary [*shim*.efi.signed*]
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimaa64.efi.signed and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed differ
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimaa64.efi.signed.MS-2011 and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed.MS-2011 differ
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimaa64.efi.signed.MS-2023 and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimaa64.efi.signed.MS-2023 differ
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimx64.efi.signed and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed differ
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimx64.efi.signed.MS-2011 and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed.MS-2011 differ
Binary files /srv/release.debian.org/tmp/hJYbbAjlFb/shim-signed-1.47/shimx64.efi.signed.MS-2023 and /srv/release.debian.org/tmp/Tt8CxNgRHP/shim-signed-1.51~1+deb13u1/shimx64.efi.signed.MS-2023 differ
diff -Nru shim-signed-1.47/verify_combine_sigs shim-signed-1.51~1+deb13u1/verify_combine_sigs
--- shim-signed-1.47/verify_combine_sigs 1970-01-01 00:00:00.000000000 +0000
+++ shim-signed-1.51~1+deb13u1/verify_combine_sigs 2026-06-22 21:30:37.000000000 +0000
@@ -0,0 +1,323 @@ +#!/usr/bin/python3 +# +# verify_combine_sigs +# +# Helper script for shim-signed +# +# Microsoft currently only return signed binaries with one signature +# included; if they are signing with more than key/cert, then we will +# get multiple separate signed binaries, one per key/cert. +# +# Check that all our signed shims are signed with an expected key that +# we can remove and re-add; error out otherwise. +# +# Then finally we will add all those signatures to one output binary. +# +# Order of the listed signed shims matters here - list them *in the +# same order* as the signatures we'd like in the final binary. It's +# recommended to do this in the order: +# +# +# ... +# +# +# as that is most likely to work with older firmware implementations. +# That's most easily achieved by naming the signatures like +# 0001-first-CA.crt, 0002-second-CA.crt, etc. +# +# Copyright (c) 2026 Steve McIntyre <93sam@debian.org> +# License: BSD-2-Clause + +import os +import glob +import re +import sys +import subprocess +import argparse +import shutil +from cryptography import x509 +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.serialization import pkcs7 + +# Allowed certificates - each binary must be signed with a certificate +# from this set. 
+SIGN_CERTS = "0*.crt" + +# Full path to sbverify for safety +SBVERIFY = "/usr/bin/sbverify" + +# Location of unsigned shim binary build(s) +UNSIGNED_PATH = "/usr/lib/shim" + +def parse_args(): + parser = argparse.ArgumentParser(description="verify_combine_sigs") + parser.add_argument( + "--efi_arch", "-a", help="EFI architecture for binaries", required=True + ) + parser.add_argument("signed", help="signed binaries to verify/merge", nargs="+") + args = parser.parse_args() + return args + + +def grab_cert_details(check_cert: str) -> (str, str): + """ + Parse a certificate from disk and grab out: + - a hash of the certificate for comparison later + - the Subject test in a format matching the output of sbverify -l + """ + print(f"Loading details from {check_cert}") + with open(check_cert, "rb") as inf: + pem_data = inf.read() + cert = x509.load_pem_x509_certificate(pem_data) + subject = "/" + "/".join([x.value for x in cert.subject]) + sha1 = cert.fingerprint(hashes.SHA1()).hex() + sha256 = cert.fingerprint(hashes.SHA256()).hex() + print(f" - {subject}") + print(f" - sha1sum {sha1}") + print(f" - sha256sum {sha256}") + return subject, sha1, sha256 + + +def list_signatures(signed_filename: str): + cmd = [SBVERIFY, "-l", signed_filename] + output = subprocess.check_output(cmd, stderr=subprocess.DEVNULL, text=True) + for line in output.splitlines(): + print(line) + + +def verify_signature(signed_filename: str, certs: list[str]): + cmd = [SBVERIFY, signed_filename] + for cert in certs: + cmd.extend(["--cert", cert]) + subprocess.check_output(cmd, stderr=subprocess.STDOUT) + + +def parse_sbverify(signed_filename: str) -> list[dict]: + cmd = [SBVERIFY, "-l", signed_filename] + output = subprocess.check_output(cmd, text=True, stderr=subprocess.STDOUT) + signatures = [] + state = 0 + for line in output.splitlines(): + if line.startswith("signature"): + state = 1 + continue + if state == 1 and line.startswith("image signature issuers:"): + state = 2 + continue + if state == 2: 
+ issuer = line[3:] + signatures.append(issuer) + state = 0 + continue + + return signatures + + +def detach_signature(signed_filename: str, signum: int, outfile: str): + """ + Detach a numbered signature from the signature table in a + signed binary. + """ + cmd = [ + "sbattach", + "--signum", + f"{signum}", + "--detach", + outfile, + signed_filename, + ] + subprocess.check_output(cmd, text=True, stderr=subprocess.STDOUT) + + +def certs_in_detached_signature(detached: str) -> list[dict]: + """ + Extract certificate details from a PKCS7 blob. + """ + with open(detached, "rb") as inf: + pkcs7_data = inf.read() + + output = [] + certs = pkcs7.load_der_pkcs7_certificates(pkcs7_data) + for cert in certs: + subject = "/" + "/".join([x.value for x in cert.subject]) + sha1 = cert.fingerprint(hashes.SHA1()).hex() + sha256 = cert.fingerprint(hashes.SHA256()).hex() + output.append({"sha1": sha1, "sha256": sha256, "subject": subject}) + + # We want them in the order CA -> leaf + output.reverse() + return output + + +def attach_sig(sigfile: str, unsigned: str): + """ + Use sbattach to add a signature onto a binary. 
+ """ + cmd = [ + "sbattach", + "--attach", + sigfile, + unsigned, + ] + subprocess.check_output(cmd, text=True, stderr=subprocess.STDOUT) + + +def checksum_file(filename: str) -> str: + """ + Calculate the sha256sum of a file + """ + with open(filename, "rb") as inf: + data = inf.read() + hashalg = hashes.SHA256() + hasher = hashes.Hash(hashalg, backend=default_backend()) + hasher.update(data) + digest = hasher.finalize() + return digest.hex() + + +def main(): + + args = parse_args() + + print("Loading details of all the expected certificates") + print("==========") + known_certs = {} + for check_cert in sorted(glob.glob(SIGN_CERTS)): + subject, sha1, sha256 = grab_cert_details(check_cert) + known_certs[subject] = { + "sha1": sha1, + "sha256": sha256, + "filename": check_cert + } + print("") + + print(f"Verifying signatures for arch {args.efi_arch} ...") + print("==========\n") + + build = "build" + shutil.rmtree(build, ignore_errors=True) + os.mkdir(build) + + for signed in args.signed: + + print(f"Checking {signed}") + print("----------\n") + + # Verify that the image is signed and valid + print("Looking for any valid checksum and signature") + try: + verify_signature(signed, sorted(glob.glob(SIGN_CERTS))) + except Exception as exc: + print(f"Invalid signature on {signed}: {exc}") + sys.exit(1) + + signatures = parse_sbverify(signed) + num = len(signatures) + if num != 1: + print(f"Only expected 1 signature, but {signed} has {num}!") + print("Abort") + sys.exit(1) + # else + print(f"{signed} has 1 signature, good!") + + # Now see what signature we have. We'll have to extract the + # signature table here, then extract the list of certificates + # included in the 1 signature we have. 
+ detached_sig = "detached.sig" + detach_signature(signed, 1, detached_sig) + sig_certs = certs_in_detached_signature(detached_sig) + + matched_filename = None + + print("certs attached:") + for cert in sig_certs: + print(f' - {cert["subject"]}') + print(f' - sha1 {cert["sha1"]}') + print(f' - sha256 {cert["sha256"]}') + + # Now we need to compare the root certificate there to our + # known certificates + for subject, data in known_certs.items(): + if ( + sig_certs[0]["subject"] == subject + and sig_certs[0]["sha256"] == data["sha256"] + ): + print( + f'\nroot certificate matches a known certificate ({data["filename"]})' + ) + matched_filename = data["filename"] + matched_sha1 = data["sha1"] + + if matched_filename is None: + print(f"\nERROR: {signed} signature unknown, abort!") + sys.exit(1) + + # Move the detached signature to one side, for future use + new_filename = os.path.join(build, f"detached-{matched_filename}") + shutil.move(detached_sig, new_filename) + + # And write out the sha1 checksum of the cert for later use + sha1_filename = os.path.join(build, f"sha1-{matched_filename}") + with open(sha1_filename, "w") as outf: + output = (':'.join(re.findall('..', matched_sha1))) + outf.write(output) + + # Copy our matching unsigned binary into the ${BUILD} directory. + unsigned = f"{build}/shim{args.efi_arch}.efi.signed" + shutil.copy( + f"{UNSIGNED_PATH}/shim{args.efi_arch}.efi", + unsigned, + ) + + # Attach the signature to our unsigned binary, so we know that + # the binary has not been tampered with during the signing + # process. 
+ print("Checking the signature applies to our original binary") + attach_sig(new_filename, unsigned) + print(" Signature applies OK") + + # Now compare the result to the signed binary we were given + print("Comparing the signed binaries") + old_sha = checksum_file(signed) + print(f"{old_sha} {signed}") + new_sha = checksum_file(unsigned) + print(f"{new_sha} {unsigned}") + + if old_sha != new_sha: + print("\nERROR: signatures don't match, abort!") + sys.exit(1) + + print("Binaries match!\n") + + # If we've got this far, then we've checked all the binaries we + # were given and things look OK. Now we want to build a single + # output image with all the signatures attached. + + print(f"Building final combined shim for arch {args.efi_arch} ...") + print("==========") + + shutil.copy( + f"{UNSIGNED_PATH}/shim{args.efi_arch}.efi", + unsigned, + ) + + for sig in sorted(glob.glob(f"{build}/detached-*")): + print(f"Adding signature {sig}") + attach_sig(sig, unsigned) + + # Stick the signature fingerprints together in a file for us to + # use later in packaging. + with open(f"{unsigned}-signatures", "w") as outf: + for fp in sorted(glob.glob(f"{build}/sha1-*")): + with open(fp) as inf: + fingerprint = inf.read() + outf.write(fingerprint + "\n") + + # And finally show the list of signatures + print(f"Signatures on {unsigned} :") + list_signatures(unsigned) + + +if __name__ == "__main__": + main()
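Review bot: `SIGN_CERTS = "0*.crt"` also matches the `0010-snakeoil.crt` and `0020-wrong.crt` test certificates added in this upload, so a shim signed with either test key passes `verify_signature`, matches an entry in `known_certs`, has its signature merged into the combined binary and its SHA1 fingerprint written into the preinst's known-signature list; the only thing keeping test binaries out is the Makefile's input glob. The accept set should be the production CAs only, e.g. `SIGN_CERTS = "000*.crt"` with the test certificates moved out of that namespace (or an explicit tuple of filenames), and the header comment should state plainly that every certificate matching the glob is trusted to sign the shipped shim. Separately, `sig_certs[0]` is taken as the CA after `output.reverse()`, which relies on the order certificates happen to appear in the PKCS#7 blob; matching any certificate of the chain against `known_certs` by SHA-256, or selecting the one whose subject equals the leaf's issuer, removes that dependency. The `for subject, data in known_certs.items()` loop also keeps going after a match, so two files with the same subject silently let the last one win; a `break`, or an error on a second match, is cheaper than debugging that later.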