
Shim 15.6 for openSUSE Tumbleweed #283

Closed
8 tasks done
jsegitz opened this issue Sep 7, 2022 · 9 comments

Comments

jsegitz commented Sep 7, 2022

Confirm the following are included in your repo, checking each box:

  • completed README.md file with the necessary information
  • shim.efi to be signed
  • public portion of your certificate(s) embedded in shim (the file passed to VENDOR_CERT_FILE)
  • binaries, for which hashes are added to vendor_db ( if you use vendor_db and have hashes allow-listed )
  • any extra patches to shim via your own git tree or as files
  • any extra patches to grub via your own git tree or as files
  • build logs
  • a Dockerfile to reproduce the build of the provided shim EFI binaries

What is the link to your tag in a repo cloned from rhboot/shim-review?

https://github.com/jsegitz/shim-review/tree/openSUSE-shim-x86-20220907

What is the SHA256 hash of your final SHIM binary?

dee001e7b70db7c0ba53632ab93e3269e1c6cd35e97df5e7d60caf30a6782fd4

What is the link to your previous shim review request (if any, otherwise N/A)?

#188

jsegitz commented Sep 7, 2022

This is very similar to #263 (e.g. the patches in shim). So it might make sense to first review #263 and then this one, as this basically is the same but for openSUSE.

jsegitz commented Sep 28, 2022

This seems stuck. Is there something we can do to help this review?

jsegitz commented Oct 6, 2022

ping. Anything we can do to help?

jsegitz commented Oct 13, 2022

and again. Don't want to be annoying but we need this approved please

jsegitz commented Oct 28, 2022

can someone please reach out to me to discuss when/how this will get reviewed?

frozencemetery (Member) commented:

You have named the resultant binary without an architecture. I don't like this - shimx64.efi is the normal name, or if you want opensuse in it, name it like you did in your other submission. See also comments on the PR review for that.

Since you're only building the one arch, there's no need for the ARCHITECTURE mess in your Dockerfile. (If you want your three submissions to build using similar Dockerfiles I would understand that, but they're not close right now, so...)

What's the logic behind shim-bsc1198101-opensuse-cert-prompt.patch? It seems like just another instance of training users to click "accept" on security-related prompts and I'd prefer you drop it unless there's a good reason. Why wouldn't they trust the cert?

frozencemetery added the labels "bug" (Problem with the review that must be fixed before it will be accepted) and "question" (Reviewer(s) waiting on response) on Nov 18, 2022.
jsegitz commented Nov 25, 2022

Thank you for your comments. I've renamed the file in my branch based on your comment and updated the tag.

The ARCHITECTURE logic is there because the SUSE shim and openSUSE shim come from the same sources. The Dockerfiles are different, but also based on one another. Why do you think that this is a mess? It's a simple variable substitution and should be easy to read. I would prefer to keep it, but if you insist I will drop it.

shim-bsc1198101-opensuse-cert-prompt.patch is based on a requirement from our lawyers. I also dislike it, but IANAL (un)fortunately and have to accept it.

frozencemetery removed the labels "bug" (Problem with the review that must be fixed before it will be accepted) and "question" (Reviewer(s) waiting on response) on Nov 29, 2022.

frozencemetery (Member) commented:

> Why do you think that this is a mess?

Because podman build . doesn't do the right thing, which makes your submission different from everyone else's.

> shim-bsc1198101-opensuse-cert-prompt.patch is based on a requirement from our lawyers. I also dislike it, but IANAL (un)fortunately and have to accept it.

While I'm sympathetic to "lawyers said so", I don't think I'm willing to inflict that on the world. No other distro is doing anything like this, including the others with "SUSE" in their name.

Is there more you can say about what the requirement or concern actually is?
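The reviewer's point about `podman build .` is reproducibility: anyone who rebuilds the submitted Dockerfile should end up with a binary whose SHA256 matches the hash declared in the request. The following is an added example (not part of this submission, the shim-review repo, or the shim project) of the comparison step that follows such a rebuild; the binary path and the expected hash are supplied by the caller, and the hash shown in the usage comment is the one declared above in this request.

```shell
#!/bin/sh
# Added example, not from the shim-review submission or the shim project:
# compare the SHA256 of a rebuilt shim binary against the hash declared in
# the review request. The binary path and the expected hash are caller input.
#
# usage: verify_shim_hash <path-to-shim.efi> <expected-sha256>
#   e.g. verify_shim_hash shimx64.efi dee001e7b70db7c0ba53632ab93e3269e1c6cd35e97df5e7d60caf30a6782fd4
# returns 0 on match, 1 on mismatch, 2 if the file is missing or unreadable.

sha256_of() {
    # Prefer coreutils sha256sum; fall back to shasum (macOS/BSD userlands).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_shim_hash() {
    binary=$1
    # Normalise the declared hash to lower case so a copy-pasted upper-case
    # digest still compares equal.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$binary" ] || { echo "no such file: $binary" >&2; return 2; }
    actual=$(sha256_of "$binary")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $binary $actual"
        return 0
    fi
    echo "FAIL $binary" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}
```

A non-zero exit from `verify_shim_hash` after `podman build .` means the rebuild did not reproduce the declared binary, which is exactly the case a reviewer wants to surface before signing.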

jsegitz commented Dec 1, 2022

I'll reach out to them. We won't try to get this shim signed anymore since 15.7 just arrived at my desk. I'll add what I can find out to the next submission.
