#
# spec file for package shim-susesigned
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
# needssslcertforbuild
%undefine _debuginfo_subpackages
%undefine _build_create_debug
%ifarch aarch64
%define grubplatform arm64-efi
%else
%define grubplatform %{_target_cpu}-efi
%endif
%if %{defined sle_version} && 0%{?sle_version} <= 150000
%define sysefidir /usr/lib64/efi
%else
%define sysefibasedir %{_datadir}/efi
%define sysefidir %{sysefibasedir}/%{_target_cpu}
%if "%{grubplatform}" == "x86_64-efi" && 0%{?suse_version} < 1600
# provide compatibility sym-link for residual kiwi, etc.
%define shim_lib64_share_compat 1
%endif
%endif
Name: shim-susesigned
Version: 15+git47
Release: 0
Summary: UEFI shim loader
License: BSD-2-Clause
Group: System/Boot
URL: https://github.com/rhboot/shim
Source: shim-%{version}.tar.bz2
# Run "extract_signature.sh shim.efi", where shim.efi is the binary
# carrying the signature returned by the UEFI signing service.
# Note: to request a signature, see SIGNATURE_UPDATE.txt.
Source1: SLES-UEFI-CA-Certificate.crt
Source50: dbx-cert.tar.xz
# vendor-dbx.bin is generated by generate-vendor-dbx.sh in dbx-cert.tar.xz
Source51: vendor-dbx.bin
# PATCH-FIX-SUSE shim-arch-independent-names.patch glin@suse.com -- Use the Arch-independent names
Patch1: shim-arch-independent-names.patch
# PATCH-FIX-OPENSUSE shim-change-debug-file-path.patch glin@suse.com -- Change the default debug file path
Patch2: shim-change-debug-file-path.patch
# PATCH-FIX-UPSTREAM shim-bsc1092000-fallback-menu.patch bsc#1092000 glin@suse.com -- Show a menu before reset
Patch3: shim-bsc1092000-fallback-menu.patch
# PATCH-FIX-UPSTREAM shim-always-mirror-mok-variables.patch glin@suse.com -- Mirror MOK variables correctly
Patch4: shim-always-mirror-mok-variables.patch
Patch5: shim-correct-license-in-headers.patch
# PATCH-FIX-UPSTREAM gcc9-fix-warnings.patch mliska@suse.cz -- MokManager: Use CompareMem on MokListNode.Type instead of CompareGuid
Patch6: gcc9-fix-warnings.patch
# PATCH-FIX-OPENSUSE shim-fix-gnu-efi-3.0.11.patch glin@suse.com -- Fix the build error caused by the typo fix in gnu-efi 3.0.11
Patch7: shim-fix-gnu-efi-3.0.11.patch
# PATCH-FIX-UPSTREAM shim-bsc1173411-only-check-efi-var-on-sb.patch bsc#1173411 glin@suse.com -- Make EFI variable copying check only fatal on SB systems
Patch8: shim-bsc1173411-only-check-efi-var-on-sb.patch
# PATCH-FIX-UPSTREAM shim-bsc1175509-tpm2-fixes.patch bsc#1175509 glin@suse.com -- Upstream fixes for the TPM2 measurement
Patch9: shim-bsc1175509-tpm2-fixes.patch
# PATCH-FIX-UPSTREAM shim-VLogError-Avoid-Null-pointer-dereferences.patch glin@suse.com -- Fix VlogError crash in AArch64
Patch10: shim-VLogError-Avoid-Null-pointer-dereferences.patch
# PATCH-FIX-UPSTREAM shim-fix-verify-eku.patch glin@suse.com -- Fix the potential crash at verify_eku()
Patch11: shim-fix-verify-eku.patch
# PATCH-FIX-UPSTREAM shim-do-not-write-string-literals.patch -- Fix the potential crash when accessing the DEFAULT_LOADER string
Patch12: shim-do-not-write-string-literals.patch
# PATCH-FIX-UPSTREAM shim-bsc1177404-fix-a-use-of-strlen.patch bsc#1177404 glin@suse.com -- Fix the length of the option data string to launch the program correctly
Patch13: shim-bsc1177404-fix-a-use-of-strlen.patch
# PATCH-FIX-UPSTREAM shim-bsc1175509-more-tpm-fixes.patch bsc#1175509 glin@suse.com -- Fix the file path in tpm event log
Patch14: shim-bsc1175509-more-tpm-fixes.patch
# PATCH-FIX-SUSE shim-bsc1177315-verify-eku-codesign.patch bsc#1177315 glin@suse.com -- Verify CodeSign in the signer's EKU
Patch15: shim-bsc1177315-verify-eku-codesign.patch
# PATCH-FIX-UPSTREAM shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch bsc#1177789 glin@suse.com -- Fix the NULL pointer dereference in AuthenticodeVerify()
Patch16: shim-bsc1177789-fix-null-pointer-deref-AuthenticodeVerify.patch
# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch glin@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not
Patch100: shim-opensuse-cert-prompt.patch
BuildRequires: gnu-efi >= 3.0.3
BuildRequires: mozilla-nss-tools
BuildRequires: openssl >= 0.9.8
BuildRequires: pesign
BuildRequires: pesign-obs-integration
%if 0%{?suse_version} > 1320
BuildRequires: update-bootloader-rpm-macros
%endif
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires: perl-Bootloader
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
# For shim-install script
Requires: grub2-%{grubplatform}
ExclusiveArch: x86_64
Conflicts: shim
%description
shim is a trivial EFI application that, when run, attempts to open and
execute another application.
%prep
%setup -q -n shim-%{version}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
%patch12 -p1
%patch13 -p1
%patch14 -p1
%patch15 -p1
%patch16 -p1
%if 0%{?is_opensuse} == 1
%patch100 -p1
%endif
%build
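# Skip MokManager and fallback
#make EFI_PATH=/usr/lib64 RELEASE=0 \
# MMSTEM=MokManager FBSTEM=fallback \
# MokManager.efi fallback.efi
# Only build the SLES flavor: embed the SUSE Secure Boot CA (Source1) as the
# vendor certificate and the vendor deny list (Source51), producing a single
# shim-susesigned.efi.
suffix="susesigned"
cert=%{SOURCE1}
# Subject CN of the CA being embedded; used as a build-time sanity check below.
verify='SUSE Linux Enterprise Secure Boot CA1'
# shim consumes the vendor certificate in DER form.
openssl x509 -in "$cert" -outform DER -out "shim-$suffix.der"
# DEFAULT_LOADER passes through several unescaping layers (shell quoting, make,
# the C string literal); keep the backslash escaping exactly as it is.
make EFI_PATH=/usr/lib64 RELEASE=0 SHIMSTEM=shim \
VENDOR_CERT_FILE="shim-$suffix.der" ENABLE_HTTPBOOT=1 \
DEFAULT_LOADER="\\\\\\\\grub.efi" \
VENDOR_DBX_FILE=%{SOURCE51} \
shim.efi
#
# Assert the intended certificate was embedded: the CA's CN must appear in the
# binary. This is a fixed-string presence check, not a signature verification,
# so fail loudly and explicitly instead of relying on the shell's error mode.
grep -qF -- "$verify" shim.efi || {
  echo "shim.efi does not embed the expected vendor certificate ($verify)" >&2
  exit 1
}
mv shim.efi "shim-$suffix.efi"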
%install
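# Glob of installed files picked up by the pesign build-root policy
# (pesign-obs-integration) for signing.
export BRP_PESIGN_FILES='%{sysefidir}/shim*.efi'
install -d %{buildroot}/%{sysefidir}
cp -a shim*.efi %{buildroot}/%{sysefidir}
install -m 444 shim-*.der %{buildroot}/%{sysefidir}
# install SUSE certificate
install -d %{buildroot}/%{_sysconfdir}/uefi/certs/
for file in shim-*.der; do
  # Name the certificate after the first four bytes of its SHA-1 fingerprint.
  # The hash only disambiguates file names here; it plays no role in trust.
  # Strip everything up to and including '=' instead of a fixed column count,
  # so the label openssl prints (its case changed across releases) does not
  # matter.
  fpr=$(openssl x509 -sha1 -fingerprint -inform DER -noout -in "$file" \
    | sed -e 's/^[^=]*=//' -e 's/://g' | cut -c 1-8)
  install -m 644 "$file" %{buildroot}/%{_sysconfdir}/uefi/certs/${fpr}-shim.crt
done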
%if %{defined shim_lib64_share_compat}
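# The compat links below must never point a directory at itself: refuse to
# build if the real EFI dir already is /usr/lib64/efi, and say why.
[ "%{sysefidir}" != "/usr/lib64/efi" ] || {
  echo "shim_lib64_share_compat is set but sysefidir is /usr/lib64/efi" >&2
  exit 1
}
# provide compatibility sym-link for residual "consumers"
install -d %{buildroot}/usr/lib64/efi
# -r creates relative links, so they remain valid outside the buildroot.
ln -srf %{buildroot}/%{sysefidir}/*.efi %{buildroot}/usr/lib64/efi/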
%endif
%clean
%{?buildroot:%__rm -rf "%{buildroot}"}
%post
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2-efi
%else
# Best effort: "|| true" deliberately keeps a failed bootloader re-init from
# failing the package scriptlet.
/sbin/update-bootloader --reinit || true
%endif
%if %{defined update_bootloader_posttrans}
%posttrans
%{?update_bootloader_posttrans}
%endif
%files
%defattr(-,root,root)
%doc COPYRIGHT
%dir %{?sysefibasedir}
%dir %{sysefidir}
%{sysefidir}/shim-*.efi
%{sysefidir}/shim-*.der
%dir %{_sysconfdir}/uefi/
%dir %{_sysconfdir}/uefi/certs/
%{_sysconfdir}/uefi/certs/*.crt
%if %{defined shim_lib64_share_compat}
# provide compatibility sym-link for previous kiwi, etc.
%dir /usr/lib64/efi
/usr/lib64/efi/*.efi
%endif
%changelog