Lernstick shim-15.8-1x64 (20240731) #429
Comments
Verification mail sent to Jörg |
thanks & verified! |
Getting some build errors as below, could you please verify.
GPG error: http://deb.debian.org/debian bookworm InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0E98404D386FA1D9 NO_PUBKEY 6ED0E7B82643E131 NO_PUBKEY F8D2585B8783D481
|
@MuthuvelKuppusamy that's an interesting error, because we use the official Debian docker image. Just retried with The image used to build was |
We updated to a shim with the automatic revocations to the upstream 15.8 ones, instead of the Debian ones which already revoke every shim with SBAT level < 4. |
Build failed with default dockerfile:
review helper: https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240730-lernstick-shim-amd64-20240721
hash also different:
|
@jclab-joseph thanks for catching it. I missed updating the Dockerfile to the new tag. Can you try again with https://github.com/Lernstick/shim-review/tree/lernstick-shim-amd64-20240730? |
Review of reproducibility for lernstick-shim-amd64-20240730
review helper: https://github.com/jclab-joseph/other-shim-reviews/tree/master/20240730-lernstick-shim-amd64-20240730
shim
Patches:
$ git clone -b lernstick_15.8-2-lernstick https://github.com/Lernstick/shim.git shim-dest
$ diff -urN shim-15.8 shim-dest/ | grep -E '^--- |^\+\+\+ ' | grep -v -E '/.git/|/debian/'
--- shim-15.8/commit 2024-01-23 04:18:05.000000000 +0900
+++ shim-dest/commit 1970-01-01 09:00:00.000000000 +0900
--- shim-15.8/gnu-efi/lib/Makefile.orig 2024-01-23 04:18:05.000000000 +0900
+++ shim-dest/gnu-efi/lib/Makefile.orig 1970-01-01 09:00:00.000000000 +0900
=> not changed actually.
Patch files for Debian packaging:
certificate
grub
$ git clone -b debian/2.12-2_deb13u1 https://salsa.debian.org/grub-team/grub.git grub-src
$ git clone -b lernstick/2.12 https://github.com/Lernstick/grub.git grub-dest
$ diff -urN grub-src grub-dest/ | grep -E '^--- |^\+\+\+ ' | grep -v -E '/.git/'
--- grub-src/debian/build-efi-images 2024-07-30 13:51:27.032002336 +0900
+++ grub-dest/debian/build-efi-images 2024-07-30 13:50:55.189784241 +0900
--- grub-src/debian/changelog 2024-07-30 13:51:27.032002336 +0900
+++ grub-dest/debian/changelog 2024-07-30 13:50:55.189784241 +0900
--- grub-src/debian/sbat.lernstick.csv.in 1970-01-01 09:00:00.000000000 +0900
+++ grub-dest/debian/sbat.lernstick.csv.in 2024-07-30 13:50:55.265779988 +0900
...
$ diff -urN grub-src/debian/build-efi-images grub-dest/debian/build-efi-images
--- grub-src/debian/build-efi-images 2024-07-30 13:51:27.032002336 +0900
+++ grub-dest/debian/build-efi-images 2024-07-30 13:50:55.189784241 +0900
@@ -142,6 +142,7 @@
peimage
png
probe
+ read
reboot
regexp
search
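Review bot: The `read` module added at line 145 of debian/build-efi-images comes with no rationale in the visible diff. Every entry in this list is code built into the GRUB EFI image that shim will verify and run under Secure Boot, so the reason this module is needed should be recorded, for example in debian/changelog, which this branch also modifies.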
--- grub-src/debian/sbat.debian.csv.in 2024-07-30 13:51:27.111997860 +0900
+++ grub-dest/debian/sbat.lernstick.csv.in 2024-07-30 13:50:55.265779988 +0900
@@ -2,4 +2,5 @@
grub,4,Free Software Foundation,grub,@UPSTREAM_VERSION@,https://www.gnu.org/software/grub/
grub.debian,5,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2
grub.debian13,1,Debian,grub2,@DEB_VERSION@,https://tracker.debian.org/pkg/grub2
+grub.lernstick,1,Debian,grub2,@DEB_VERSION@,https://github.com/Lernstick/grub
grub.peimage,2,Canonical,grub2,@DEB_VERSION@,https://salsa.debian.org/grub-team/grub/-/blob/master/debian/patches/secure-boot/efi-use-peimage-shim.patch
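Review bot: In the added `grub.lernstick,1,Debian,grub2,...` line the vendor name field (third column) still reads `Debian` although the component is `grub.lernstick` and the URL points to github.com/Lernstick/grub. Please confirm whether `Debian` is intentional or should name Lernstick as the vendor responsible for this generation number. The file headers also show the template compared against sbat.debian.csv.in under the new name sbat.lernstick.csv.in, so it is worth checking that the packaging actually reads the renamed file when generating the .sbat section.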
|
Review of lernstick-shim-amd64-20240730
Shim
GRUB2
Kernel
Note
and from the provided build logs
@THS-on can you confirm that my notes are correct? other than this, LGTM |
Yes, we set it to
Correct our CA is 2048bit |
Marking as accepted with two reviews in the box |
Confirm the following are included in your repo, checking each box:
What is the link to your tag in a repo cloned from rhboot/shim-review?
https://github.com/Lernstick/shim-review/tree/lernstick-shim-amd64-20240731
What is the SHA256 hash of your final SHIM binary?
What is the link to your previous shim review request (if any, otherwise N/A)?
#275
If no security contacts have changed since verification, what is the link to your request, where they've been verified (if any, otherwise N/A)?