Merge ~xnox/ubiquity:drop-shim-signed-vendorize into ubiquity:master

Proposed by Dimitri John Ledkov
Status: Rejected
Rejected by: Dimitri John Ledkov
Proposed branch: ~xnox/ubiquity:drop-shim-signed-vendorize
Merge into: ubiquity:master
Diff against target: 136 lines (+11/-22)
10 files modified
d-i/Makefile (+0/-1)
d-i/get-sources (+0/-5)
d-i/lists/amd64 (+0/-1)
d-i/manifest (+0/-1)
d-i/update-control (+0/-1)
debian/changelog (+5/-0)
debian/control (+1/-0)
debian/rules (+0/-9)
dev/null (+0/-1)
scripts/simple-plugins (+5/-3)
Reviewer: Ubuntu Installer Team
Review status: Pending
Review via email: mp+384771@code.launchpad.net

Commit message

Do not vendorize shim-signed scripts

Simply use shim-signed scripts that are installed in live session already anyway.

I actually have no idea why shim-signed got vendorized inside ubiquity, given that the scripts we call have always been available in the live session, as shim-signed has always been preinstalled on amd64, since its inception.

Dimitri John Ledkov (xnox) wrote :

TODO: test this

Dimitri John Ledkov (xnox) wrote :

Actually bootloaders are not preinstalled in the filesystem squashfs. Instead shim-signed is only in the pool, and is only installed in target.

Which imho is a waste of time, but oh well.

Unmerged commits

571cb72... by Dimitri John Ledkov

Do not vendorize shim-signed scripts, simply use shim-signed scripts that are installed in live session already anyway.

Preview Diff

diff --git a/d-i/Makefile b/d-i/Makefile
index fe85c58..7b3b478 100644
--- a/d-i/Makefile
+++ b/d-i/Makefile
@@ -14,7 +14,6 @@ PACKAGES += $(shell cat $(LISTDIR)/$(DEB_HOST_ARCH))
14endif14endif
15# We don't need to build console-setup.15# We don't need to build console-setup.
16PACKAGES := $(filter-out console-setup,$(PACKAGES))16PACKAGES := $(filter-out console-setup,$(PACKAGES))
17PACKAGES := $(filter-out shim-signed,$(PACKAGES))
1817
19update:18update:
20 @perl -MDpkg::Deps -e1 >/dev/null 2>&1 || { \19 @perl -MDpkg::Deps -e1 >/dev/null 2>&1 || { \
diff --git a/d-i/get-sources b/d-i/get-sources
index 500a824..48c7fcb 100755
--- a/d-i/get-sources
+++ b/d-i/get-sources
@@ -107,11 +107,6 @@ for subdir in .svn Fonts Keyboard/acm Keyboard/ckb Keyboard/locale; do
107 rm -rf "$SOURCEDIR/console-setup/$subdir"107 rm -rf "$SOURCEDIR/console-setup/$subdir"
108done108done
109109
110# We don't need binary blobs from shim-signed.
111for subdir in MicCorUEFCA2011_2011-06-27.crt shimx64.efi.signed; do
112 rm -rf "$SOURCEDIR/shim-signed/$subdir"
113done
114
115# Add a warning to budding hackers.110# Add a warning to budding hackers.
116cat > "$SOURCEDIR/README" <<EOF111cat > "$SOURCEDIR/README" <<EOF
117The files in this directory are updated automatically from the distribution112The files in this directory are updated automatically from the distribution
diff --git a/d-i/lists/amd64 b/d-i/lists/amd64
index ef9de81..8bc806e 100644
--- a/d-i/lists/amd64
+++ b/d-i/lists/amd64
@@ -1,3 +1,2 @@
1grub-installer1grub-installer
2partman-efi2partman-efi
3shim-signed
diff --git a/d-i/manifest b/d-i/manifest
index ce11a8d..432d4a7 100644
--- a/d-i/manifest
+++ b/d-i/manifest
@@ -28,6 +28,5 @@ partman-swapfile 1
28partman-target 98ubuntu128partman-target 98ubuntu1
29partman-xfs 6629partman-xfs 66
30preseed 1.71ubuntu1130preseed 1.71ubuntu11
31shim-signed 1.40.3
32tzsetup 1:0.94ubuntu231tzsetup 1:0.94ubuntu2
33user-setup 1.63ubuntu632user-setup 1.63ubuntu6
diff --git a/d-i/update-control b/d-i/update-control
index 0f75835..98f0716 100755
--- a/d-i/update-control
+++ b/d-i/update-control
@@ -88,7 +88,6 @@ for my $bd ($parsed->get_deps()) {
88for my $source (<source/*/debian/control>) {88for my $source (<source/*/debian/control>) {
89 # We don't build console-setup, so skip its build-dependencies.89 # We don't build console-setup, so skip its build-dependencies.
90 next if $source eq 'source/console-setup/debian/control';90 next if $source eq 'source/console-setup/debian/control';
91 next if $source eq 'source/shim-signed/debian/control';
92 open SOURCE, '<', $source or die "can't open $source: $!";91 open SOURCE, '<', $source or die "can't open $source: $!";
93 while (<SOURCE>) {92 while (<SOURCE>) {
94 if (/^Build-Depends(?:-Indep)?:\s*(.*)/i) {93 if (/^Build-Depends(?:-Indep)?:\s*(.*)/i) {
diff --git a/debian/changelog b/debian/changelog
index ee46088..90baaf8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,14 @@
1ubiquity (20.10.2) UNRELEASED; urgency=medium1ubiquity (20.10.2) UNRELEASED; urgency=medium
22
3 [ Jean-Baptiste Lallement ]
3 * zsys-setup: Use persistent device name for vdevs (LP: #1880869)4 * zsys-setup: Use persistent device name for vdevs (LP: #1880869)
4 * Only export pools created during installation and containing dataset5 * Only export pools created during installation and containing dataset
5 mounted under /target (LP: #1875045)6 mounted under /target (LP: #1875045)
67
8 [ Dimitri John Ledkov ]
9 * Do not vendorize shim-signed scripts, simply use shim-signed scripts
10 that are installed in live session already anyway.
11
7 -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com> Wed, 27 May 2020 13:49:15 +020012 -- Jean-Baptiste Lallement <jean-baptiste.lallement@ubuntu.com> Wed, 27 May 2020 13:49:15 +0200
813
9ubiquity (20.10.1) groovy; urgency=medium14ubiquity (20.10.1) groovy; urgency=medium
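Review bot: The new entry under `[ Dimitri John Ledkov ]` mentions only that the vendored scripts are dropped and leaves out the two behavioural changes this diff carries: the new `shim-signed [amd64]` entry in Depends (debian/control) and the `MOK.der` existence check placed in front of `mokutil --import` (scripts/simple-plugins). Listing both would make the changelog match what the upload changes, and would state the dependency that the "installed in live session already" wording relies on.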
diff --git a/debian/control b/debian/control
index c946244..86c658f 100644
--- a/debian/control
+++ b/debian/control
@@ -97,6 +97,7 @@ Depends: adduser,
97 python3-pam,97 python3-pam,
98 rdate,98 rdate,
99 sbsigntool [amd64],99 sbsigntool [amd64],
100 shim-signed [amd64],
100 ubiquity-artwork-${mangled-version},101 ubiquity-artwork-${mangled-version},
101 ubiquity-casper,102 ubiquity-casper,
102 ubiquity-frontend-${mangled-version},103 ubiquity-frontend-${mangled-version},
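Review bot: The added `shim-signed [amd64],` dependency is unversioned, while scripts/simple-plugins now runs `/usr/sbin/update-secureboot-policy --new-key` from whichever shim-signed happens to be installed; the vendored copy removed from d-i/manifest was pinned at 1.40.3. Consider a versioned dependency so that a package older than the one this code was written against cannot satisfy it.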
diff --git a/debian/rules b/debian/rules
index 105aab1..bf2ac50 100755
--- a/debian/rules
+++ b/debian/rules
@@ -212,15 +212,6 @@ endif
212 d-i/source/debian-installer-utils/post-base-installer.d/10register-module \212 d-i/source/debian-installer-utils/post-base-installer.d/10register-module \
213 > debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem213 > debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem
214 chmod +x debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem214 chmod +x debian/oem-config/usr/lib/ubiquity/debian-installer-utils/register-module.post-base-installer-oem
215ifeq ($(DEB_HOST_ARCH),amd64)
216 install d-i/source/shim-signed/openssl.cnf \
217 debian/ubiquity/usr/lib/ubiquity/shim-signed/openssl.cnf
218 sed 's,/usr/lib/shim/mok/openssl.cnf,/usr/lib/ubiquity/shim-signed/openssl.cnf,g' \
219 d-i/source/shim-signed/update-secureboot-policy \
220 > debian/ubiquity/usr/lib/ubiquity/shim-signed/update-secureboot-policy
221 chmod +x debian/ubiquity/usr/lib/ubiquity/shim-signed/update-secureboot-policy
222endif
223
224 touch install-stamp215 touch install-stamp
225216
226tests: install-stamp217tests: install-stamp
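Review bot: The removed recipe did more than copy files: its `sed` rewrote `/usr/lib/shim/mok/openssl.cnf` to `/usr/lib/ubiquity/shim-signed/openssl.cnf` inside update-secureboot-policy. With that rewrite gone, the packaged script reads its configuration from `/usr/lib/shim/mok/openssl.cnf`, so confirm that file is present wherever scripts/simple-plugins runs `--new-key`, and say so in the commit message.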
diff --git a/debian/ubiquity.dirs-amd64 b/debian/ubiquity.dirs-amd64
227deleted file mode 100644218deleted file mode 100644
index 9c24380..0000000
--- a/debian/ubiquity.dirs-amd64
+++ /dev/null
@@ -1 +0,0 @@
1usr/lib/ubiquity/shim-signed
diff --git a/scripts/simple-plugins b/scripts/simple-plugins
index 2558385..77fc89b 100755
--- a/scripts/simple-plugins
+++ b/scripts/simple-plugins
@@ -24,9 +24,11 @@ if [ "$1" = "prepare" ]; then
24 db_get ubiquity/secureboot_key24 db_get ubiquity/secureboot_key
25 if [ -n "$RET" ]; then25 if [ -n "$RET" ]; then
26 mkdir -p /var/lib/shim-signed/mok26 mkdir -p /var/lib/shim-signed/mok
27 /usr/lib/ubiquity/shim-signed/update-secureboot-policy --new-key27 /usr/sbin/update-secureboot-policy --new-key
28 printf '%s\n%s\n' "$RET" "$RET" | mokutil --import /var/lib/shim-signed/mok/MOK.der >/dev/null || true28 if [ -e /var/lib/shim-signed/mok/MOK.der ]; then
29 mokutil --timeout -1 >/dev/null || true29 printf '%s\n%s\n' "$RET" "$RET" | mokutil --import /var/lib/shim-signed/mok/MOK.der >/dev/null || true
30 mokutil --timeout -1 >/dev/null || true
31 fi
30 fi32 fi
31 # Always clear secureboot key.33 # Always clear secureboot key.
32 db_set ubiquity/secureboot_key ''34 db_set ubiquity/secureboot_key ''
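Review bot: The new guard `if [ -e /var/lib/shim-signed/mok/MOK.der ]; then` skips MOK enrollment silently when the key file is missing, and the exit status of `/usr/sbin/update-secureboot-policy --new-key` on the line before it is never checked, so an install that supplied `ubiquity/secureboot_key` gets no indication that nothing was enrolled. Check the command's status and log the failure in an else branch. `-e` also accepts an empty file or one left over from an earlier run; `-s` would at least reject the empty case. The `|| true` kept on `mokutil --import` hides enrollment errors in the same way.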
