backport SecureBoot support from 13.10 for 12.04.4

Hello Steve, or anyone else affected,

Accepted sbsigntool into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~13.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted gnu-efi into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~13.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted gnu-efi into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~12.10.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted sbsigntool into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted gnu-efi into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnu-efi/3.0u+debian-1ubuntu2~12.04.0 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted sbsigntool into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/sbsigntool/0.6-0ubuntu4~12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Testing on precise:
 - Built all the rdepends using the new gnu-efi => all built fine
 - Tested shim-signed on a UEFI SB machine with and without SB => boots fine
 - Rebuild current shim-signed with -proposed packages => builds fine
 - Rebuild new shim-signed with -proposed packages => fails to build
 - Install linux-signed-generic-lts-raring with -proposed packages => installs fine
 - Rebuild linux-signed-generic-lts-raring with -proposed packages => builds fine

So everything looks good with the exception of shim-signed failing to build from source. I have uploaded a fixed version of the source to the queue which addresses that.

Hello Steve, or anyone else affected,

Accepted shim-signed into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu12.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Confirmed a rebuilt version of shim boots fine under UEFI.

Hello Steve, or anyone else affected,

Accepted shim-signed into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu12.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Steve, or anyone else affected,

Accepted shim-signed into raring-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/shim-signed/1.4.0~ubuntu13.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Confirmed the new shim-signed boots on precise.

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~12.04.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~12.04.0) precise; urgency=low

  * Backport gnu-efi from saucy to precise to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.

gnu-efi (3.0s+debian-1ubuntu2) raring; urgency=low

  * Restore -fno-stack-protector; this is needed to build packages linked
    against gnu-efi, such as efilinux. This change is now in a patch with a
    header explaining the reasoning, to try to avoid it being dropped in
    future.

gnu-efi (3.0s+debian-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, dropped changes:
    - gnuefi/elf_x86_64_efi.lds: align the .reloc section; merged upstream.
    - Build with -fno-stack-protector; no longer needed.
  * debian/rules: past architecture arguments when building the x86_64 code on
    i386; otherwise the upstream build system wrongly assumes that if uname
    says x86_64, it doesn't have to pass -m64 to the compiler.

gnu-efi (3.0s+debian-1) unstable; urgency=low

  * Merging upstream version 3.0s+debian.

gnu-efi (3.0r+debian-1) experimental; urgency=low

  * Merging upstream version 3.0r+debian (Closes: #637276, #679627):
    - Rebuilding upstream tarball without debian directory.
  * Removing useless whitespaces at EOL and EOF.
  * Updating package to debhelper version 9.
  * Updating package to standards version 3.9.4.
  * Making build-depends on binutils unversioned, already fulfilled by
    wheezy.
  * Sorting architectures in gcc-multilib build-depends alphabetically.
  * Wrapping build-depends to 80 chars per line.
  * Adding homepage field.
  * Sorting architectures field alphabetically.
  * Removing pre-wheezy conflicts on libc6-i386.
  * Removing French spacing in package long-description.
  * Rewriting copyright file in copyright-format version 1.0.
  * Prefixing debhelper files with package name.
  * Simplifying debhelper docs file by using wildcard.
  * Removing watch file.
  * Reorga...

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.04.1

---------------
sbsigntool (0.6-0ubuntu4~12.04.1) precise; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.

sbsigntool (0.6-0ubuntu2) raring; urgency=low

  * Mark sbsigntool Multi-Arch: foreign.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

This bug was fixed in the package shim-signed - 1.4.0~ubuntu12.04.1

---------------
shim-signed (1.4.0~ubuntu12.04.1) precise; urgency=low

  * Backport to Ubuntu 12.04 LTS. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500

All test builds passed on quantal too.

And same thing on raring.

Confirmed that a rebuilt shim on raring boots fine.

And confirmed on quantal too.

current and new shim-signed still build fine using quantal-proposed

same result on raring

linux-signed builds fine on both quantal-proposed and raring-proposed

and finally confirmed installability on both quantal and raring. Marking both verification-done and releasing those in a minute.

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~12.10.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~12.10.0) quantal; urgency=low

  * Backport gnu-efi from saucy to quantal to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.

gnu-efi (3.0s+debian-1ubuntu2) raring; urgency=low

  * Restore -fno-stack-protector; this is needed to build packages linked
    against gnu-efi, such as efilinux. This change is now in a patch with a
    header explaining the reasoning, to try to avoid it being dropped in
    future.

gnu-efi (3.0s+debian-1ubuntu1) raring; urgency=low

  * Merge from Debian unstable, dropped changes:
    - gnuefi/elf_x86_64_efi.lds: align the .reloc section; merged upstream.
    - Build with -fno-stack-protector; no longer needed.
  * debian/rules: past architecture arguments when building the x86_64 code on
    i386; otherwise the upstream build system wrongly assumes that if uname
    says x86_64, it doesn't have to pass -m64 to the compiler.

gnu-efi (3.0s+debian-1) unstable; urgency=low

  * Merging upstream version 3.0s+debian.

gnu-efi (3.0r+debian-1) experimental; urgency=low

  * Merging upstream version 3.0r+debian (Closes: #637276, #679627):
    - Rebuilding upstream tarball without debian directory.
  * Removing useless whitespaces at EOL and EOF.
  * Updating package to debhelper version 9.
  * Updating package to standards version 3.9.4.
  * Making build-depends on binutils unversioned, already fulfilled by
    wheezy.
  * Sorting architectures in gcc-multilib build-depends alphabetically.
  * Wrapping build-depends to 80 chars per line.
  * Adding homepage field.
  * Sorting architectures field alphabetically.
  * Removing pre-wheezy conflicts on libc6-i386.
  * Removing French spacing in package long-description.
  * Rewriting copyright file in copyright-format version 1.0.
  * Prefixing debhelper files with package name.
  * Simplifying debhelper docs file by using wildcard.
  * Removing watch file.
  * Reorga...

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~12.10.1

---------------
sbsigntool (0.6-0ubuntu4~12.10.1) quantal; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

This bug was fixed in the package shim-signed - 1.4.0~ubuntu12.10.1

---------------
shim-signed (1.4.0~ubuntu12.10.1) quantal; urgency=low

  * Backport to Ubuntu 12.10. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500

This bug was fixed in the package gnu-efi - 3.0u+debian-1ubuntu2~13.04.0

---------------
gnu-efi (3.0u+debian-1ubuntu2~13.04.0) raring; urgency=low

  * Backport gnu-efi from saucy to raring to support new versions of
    shim. LP: #1229572.

gnu-efi (3.0u+debian-1ubuntu2) saucy; urgency=low

  * debian/patches/gcc46-compatibility: don't break with old compilers
    and -DGNU_EFI_USE_MS_ABI.

gnu-efi (3.0u+debian-1ubuntu1) saucy; urgency=low

  * Merge from Debian experimental, remaining changes:
    - pass architecture arguments when building the x86_64 code on i386
  * Dropped changes, included upstream:
    - build with -fno-stack-protector.

gnu-efi (3.0u+debian-1) experimental; urgency=low

  * Merging upstream version 3.0u+debian (Closes: #712639).
  * Dropping no-stack-protector.patch, included upstream.

gnu-efi (3.0t+debian-2) experimental; urgency=low

  * Dropping suggests on elilo.

gnu-efi (3.0t+debian-1) experimental; urgency=low

  * Merging upstream version 3.0t+debian.
  * Updating year in copyright file.
  * Refreshing no-stack-protector.patch.

gnu-efi (3.0s+debian-3) unstable; urgency=low

  * Removing all references to my old email address.

gnu-efi (3.0s+debian-2) unstable; urgency=low

  * Adding no-stack-protector.patch from Colin Watson
    <email address hidden> to make other packages being able to link
    against gnu-efi.
  * Dropping dpkg-source compression levels.
  * Adding dpkg-source local-options.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:21:08 -0700

This bug was fixed in the package sbsigntool - 0.6-0ubuntu4~13.04.1

---------------
sbsigntool (0.6-0ubuntu4~13.04.1) raring; urgency=low

  * Backport to update SecureBoot support. LP: #1229572.

sbsigntool (0.6-0ubuntu4) saucy; urgency=low

  * debian/patches/efi_arch_ia32.patch: Use AC_CANONICAL_HOST, not uname -m,
    to determine target. Closes LP: #1066038.
  * debian/patches/Align-signature-data-to-8-bytes.patch: Align signature
    data to 8 bytes. This matches the Microsoft signing implementation,
    which enables us to use sbattach to verify the integrity of the binaries
    returned by the SysDev signing service.
  * debian/patches/update_checksums.patch: make sure we update the PE checksum
    field as well, also needed for matching the Microsoft signing
    implementation.
  * debian/patches/fix-signature-padding.patch: fix calculation of the
    size of our signature data, so that we don't write out extra zeroes
    when we detach a signature.

sbsigntool (0.6-0ubuntu3) saucy; urgency=low

  * Build-depend on gcc-multilib to support building the test suite.
 -- Steve Langasek <email address hidden> Tue, 24 Sep 2013 14:35:28 -0700

This bug was fixed in the package shim-signed - 1.4.0~ubuntu13.04.1

---------------
shim-signed (1.4.0~ubuntu13.04.1) raring; urgency=low

  * Backport to Ubuntu 13.04. (LP: #1229572)
  * Change dependency on sbsigntool from 0.6-0ubuntu4 to 0.6-0ubuntu4~
 -- Stephane Graber <email address hidden> Thu, 07 Nov 2013 12:14:39 -0500