Update to shim-16.1

Signed-off-by: Peter Jones <pjones@redhat.com>

.gitignore

@@ -1,8 +1,4 @@
-*~
 *.tar.*
-*.rpm
-.build*.log
-.*.sw?
 clog
-rhtest.cer
+*.rpm
 shim-*/

0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch

@@ -1,65 +0,0 @@
-From ab40c869a2765262d9a911fe6284a606fd1fe0d6 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 24 Mar 2021 16:02:18 -0400
-Subject: [PATCH 1/2] CI: don't use 'make -s'; it's more trouble than help.
-
-This hides more subtle failures way too well; nerf it out.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- .github/workflows/pullrequest.yml | 18 +++++++++++++-----
- 1 file changed, 13 insertions(+), 5 deletions(-)
-
-diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
-index 41ca282c887..6df69833346 100644
---- a/.github/workflows/pullrequest.yml
-+++ b/.github/workflows/pullrequest.yml
-@@ -110,14 +110,18 @@ jobs:
-         id: update-submodules
-         run: |
-           make update
-+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-+        id: clean
-+        run: |
-+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
-       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: build
-         run: |
--          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
-+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
-       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: install
-         run: |
--          make -s CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-+          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-           echo 'results:'
-           find /destdir -type f
- 
-@@ -190,17 +194,21 @@ jobs:
-         id: update-submodules
-         run: |
-           make update
-+      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-+        id: clean
-+        run: |
-+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
-       - name: Run tests on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: test
-         run: |
--          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
-+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true test
-       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: build
-         run: |
--          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean all
-+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
-       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: install
-         run: |
--          make -s ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install || make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-+          make ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-           echo 'results:'
-           find /destdir -type f
--- 
-2.30.2
-

0002-Make-building-outside-of-the-top-directory-work.patch

@@ -1,177 +0,0 @@
-From fbd1a9b47c04ca0b917482dbb84625d4732054b3 Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 24 Mar 2021 17:51:48 -0400
-Subject: [PATCH 2/2] Make building outside of the top directory work.
-
-This also makes the cross-build targets (and not the others) /use/ this
-functionality, so we'll catch it if we break it again.
-
-This fixes issue #340.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- .github/workflows/pullrequest.yml | 16 ++++++++----
- Make.defaults                     |  1 +
- Makefile                          | 43 ++++++++++++++++++++-----------
- lib/Makefile                      |  2 +-
- 5 files changed, 42 insertions(+), 22 deletions(-)
-
-diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
-index 6df69833346..5329496c6a8 100644
---- a/.github/workflows/pullrequest.yml
-+++ b/.github/workflows/pullrequest.yml
-@@ -110,18 +110,24 @@ jobs:
-         id: update-submodules
-         run: |
-           make update
--      - name: Do 'make clean' on ${{ matrix.distro }} for ${{ matrix.efiarch }}
--        id: clean
-+      - name: Make a build directory for ${{ matrix.distro }} for ${{ matrix.efiarch }}
-+        id: builddir
-         run: |
--          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true clean
-+          rm -rf build-${{ matrix.distro }}-${{ matrix.efiarch }}
-+          mkdir build-${{ matrix.distro }}-${{ matrix.efiarch }}
-+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
-       - name: Do the build on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: build
-         run: |
--          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
-+          pwd
-+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
-+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true all
-       - name: Install on ${{ matrix.distro }} for ${{ matrix.efiarch }}
-         id: install
-         run: |
--          make CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-+          pwd
-+          cd build-${{ matrix.distro }}-${{ matrix.efiarch }}
-+          make TOPDIR=.. -f ../Makefile CROSS_COMPILE=${{ matrix.gccarch }}-linux-gnu- ARCH=${{ matrix.makearch }} PREFIX=/usr DESTDIR=/destdir EFIDIR=test ENABLE_SHIM_HASH=true install
-           echo 'results:'
-           find /destdir -type f
- 
-diff --git a/Make.defaults b/Make.defaults
-index b7721547dee..a775083ee0b 100644
---- a/Make.defaults
-+++ b/Make.defaults
-@@ -1,6 +1,7 @@
- 
- # load the local configuration if it exists
- -include Make.local
-+-include $(TOPDIR)/Make.local
- 
- COMPILER	?= gcc
- CC		= $(CROSS_COMPILE)$(COMPILER)
-diff --git a/Makefile b/Makefile
-index e349c6f9d49..b2f33b17289 100644
---- a/Makefile
-+++ b/Makefile
-@@ -45,7 +45,7 @@ MOK_OBJS = MokManager.o PasswordCrypt.o crypt_blowfish.o errlog.o sbat_data.o
- ORIG_MOK_SOURCES = MokManager.c PasswordCrypt.c crypt_blowfish.c shim.h $(wildcard include/*.h)
- FALLBACK_OBJS = fallback.o tpm.o errlog.o sbat_data.o
- ORIG_FALLBACK_SRCS = fallback.c
--SBATPATH = data/sbat.csv
-+SBATPATH = $(TOPDIR)/data/sbat.csv
- 
- ifeq ($(SOURCE_DATE_EPOCH),)
- 	UNAME=$(shell uname -s -m -p -i -o)
-@@ -146,21 +146,23 @@ $(MMSONAME): $(MOK_OBJS) $(LIBS)
- 
- gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a: CFLAGS+=-DGNU_EFI_USE_EXTERNAL_STDARG
- gnu-efi/$(ARCH_GNUEFI)/gnuefi/libgnuefi.a gnu-efi/$(ARCH_GNUEFI)/lib/libefi.a:
-+	mkdir -p gnu-efi/lib gnu-efi/gnuefi
- 	$(MAKE) -C gnu-efi \
- 		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
-+		-f $(TOPDIR)/gnu-efi/Makefile \
- 		lib gnuefi inc
- 
- Cryptlib/libcryptlib.a:
- 	for i in Hash Hmac Cipher Rand Pk Pem SysCall; do mkdir -p Cryptlib/$$i; done
--	$(MAKE) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
-+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile
- 
- Cryptlib/OpenSSL/libopenssl.a:
- 	for i in x509v3 x509 txt_db stack sha rsa rc4 rand pkcs7 pkcs12 pem ocsp objects modes md5 lhash kdf hmac evp err dso dh conf comp cmac buffer bn bio async/arch asn1 aes; do mkdir -p Cryptlib/OpenSSL/crypto/$$i; done
--	$(MAKE) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
-+	$(MAKE) TOPDIR=$(TOPDIR) VPATH=$(TOPDIR)/Cryptlib/OpenSSL -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile
- 
- lib/lib.a: | $(TOPDIR)/lib/Makefile $(wildcard $(TOPDIR)/include/*.[ch])
--	if [ ! -d lib ]; then mkdir lib ; fi
--	$(MAKE) VPATH=$(TOPDIR)/lib -C lib -f $(TOPDIR)/lib/Makefile lib.a
-+	mkdir -p lib
-+	$(MAKE) VPATH=$(TOPDIR)/lib TOPDIR=$(TOPDIR) -C lib -f $(TOPDIR)/lib/Makefile
- 
- buildid : $(TOPDIR)/buildid.c
- 	$(HOSTCC) -I/usr/include -Og -g3 -Wall -Werror -Wextra -o $@ $< -lelf
-@@ -275,35 +277,46 @@ else
- endif
- 
- test :
--	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
-+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" all
- 
- $(patsubst %.c,%,$(wildcard test-*.c)) :
--	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
-+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" $@
- 
- .PHONY : $(patsubst %.c,%,$(wildcard test-*.c)) test
- 
- clean-test-objs:
--	@make -f include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
-+	@make -f $(TOPDIR)/include/test.mk EFI_INCLUDES="$(EFI_INCLUDES)" ARCH_DEFINES="$(ARCH_DEFINES)" clean
- 
- clean-gnu-efi:
--	$(MAKE) -C gnu-efi \
--		ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
--		clean
-+	@if [ -d gnu-efi ] ; then \
-+		$(MAKE) -C gnu-efi \
-+			ARCH=$(ARCH_GNUEFI) TOPDIR=$(TOPDIR)/gnu-efi \
-+			-f $(TOPDIR)/gnu-efi/Makefile \
-+			clean ; \
-+	fi
-+
-+clean-lib-objs:
-+	@if [ -d lib ] ; then \
-+		$(MAKE) -C lib TOPDIR=$(TOPDIR) -f $(TOPDIR)/lib/Makefile clean ; \
-+	fi
- 
- clean-shim-objs:
--	$(MAKE) -C lib -f $(TOPDIR)/lib/Makefile clean
- 	@rm -rvf $(TARGET) *.o $(SHIM_OBJS) $(MOK_OBJS) $(FALLBACK_OBJS) $(KEYS) certdb $(BOOTCSVNAME)
- 	@rm -vf *.debug *.so *.efi *.efi.* *.tar.* version.c buildid
- 	@rm -vf Cryptlib/*.[oa] Cryptlib/*/*.[oa]
- 	@if [ -d .git ] ; then git clean -f -d -e 'Cryptlib/OpenSSL/*'; fi
- 
- clean-openssl-objs:
--	$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean
-+	@if [ -d Cryptlib/Openssl ] ; then \
-+		$(MAKE) -C Cryptlib/OpenSSL -f $(TOPDIR)/Cryptlib/OpenSSL/Makefile clean ; \
-+	fi
- 
- clean-cryptlib-objs:
--	$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean
-+	@if [ -d Cryptlib ] ; then \
-+		$(MAKE) -C Cryptlib -f $(TOPDIR)/Cryptlib/Makefile clean ; \
-+	fi
- 
--clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs
-+clean: clean-shim-objs clean-test-objs clean-gnu-efi clean-openssl-objs clean-cryptlib-objs clean-lib-objs
- 
- GITTAG = $(VERSION)
- 
-diff --git a/lib/Makefile b/lib/Makefile
-index 6d83f789a91..de59476270e 100644
---- a/lib/Makefile
-+++ b/lib/Makefile
-@@ -1,6 +1,6 @@
- TARGET = lib.a
- 
--LIBFILES_UNSORTED := $(foreach x,$(wildcard *.c),$(patsubst %.c,%.o,$(x)))
-+LIBFILES_UNSORTED := $(patsubst %.c,%.o,$(subst $(TOPDIR)/lib/,,$(wildcard $(TOPDIR)/lib/*.c)))
- LIBFILES := $(sort $(LIBFILES_UNSORTED))
- 
- CRYPTDIR	= $(TOPDIR)/Cryptlib
--- 
-2.30.2
-

0003-Make-building-outside-of-this-directory-work.patch

@@ -1,26 +0,0 @@
-From 65ecce23f005c4d611f48996112d4592164594cf Mon Sep 17 00:00:00 2001
-From: Peter Jones <pjones@redhat.com>
-Date: Wed, 24 Mar 2021 17:50:17 -0400
-Subject: [PATCH] Make building outside of this directory work.
-
-Signed-off-by: Peter Jones <pjones@redhat.com>
----
- gnu-efi/Make.defaults | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/gnu-efi/Make.defaults b/gnu-efi/Make.defaults
-index 362bd1f8238..fd1d123d851 100755
---- a/gnu-efi/Make.defaults
-+++ b/gnu-efi/Make.defaults
-@@ -92,7 +92,7 @@ endif
- #
- # Where to build the package
- #
--OBJDIR       := $(TOPDIR)/$(ARCH)
-+OBJDIR       := $(abspath .)/$(ARCH)
- 
- #
- # Variables below derived from variables above
--- 
-2.30.2
-

README.md

@@ -1,3 +0,0 @@
-# shim-unsigned-x64
-
-The shim-unsigned-x64 package

rpminspect.yaml

@@ -0,0 +1,41 @@
+# rpminspect configuration
+
+---
+common:
+    workdir: /var/tmp/rpminspect
+    profiledir: /usr/share/rpminspect/profiles/fedora
+koji:
+    hub: https://koji.fedoraproject.org/kojihub
+    download_ursine: https://kojipkgs.fedoraproject.org
+    download_mbs: https://kojipkgs.fedoraproject.org
+commands:
+    msgunfmt: msgunfmt
+    desktop-file-validate: desktop-file-validate
+    abidiff: abidiff
+    kmidiff: kmidiff
+    annocheck: annocheck
+    udevadm: udevadm
+vendor:
+    vendor_data_dir: /usr/share/rpminspect
+    licensedb:
+        - /usr/share/fedora-license-data/licenses/fedora-licenses.json
+    favor_release: newest
+inspections:
+    abidiff: off
+    disttag: off
+    manpage: off
+    javabytecode: off
+metadata:
+    # Required Vendor string.  This is part of the RPM header and is
+    # the value expected in packages checked by rpminspect.
+    vendor: Fedora Project
+
+    # Allowed build host subdomain.  The RPM header contains information about
+    # where the package was built.  rpminspect verifies the hostnames are in
+    # the expected subdomain listed below.
+    #
+    # This is an array of allowed subdomains.
+    buildhost_subdomain:
+        - .fedoraproject.org
+        - .bos.redhat.com
+

sbat.redhat.csv

@@ -1 +0,0 @@
-shim.redhat,1,The Fedora Project,shim,15.3,https://src.fedoraproject.org/rpms/shim-unsigned-x64

sbat.redhat.csv.in

@@ -0,0 +1,3 @@
+shim.rh,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.redhat,3,The Fedora Project,shim,@@VERSION@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64
+shim.fedora,3,The Fedora Project,shim,@@VERSION@@-@@RELEASE@@,https://src.fedoraproject.org/rpms/shim-unsigned-aarch64

shim-find-debuginfo.sh

@@ -20,9 +20,9 @@ fi
 findsource()
 {
     (
-        cd "${RPM_BUILD_ROOT}"
-        find usr/src/debug/ -type d | sed -e "s,^,%dir /," | sort -u | tac
-        find usr/src/debug/ -type f | sed -e "s,^,/," | sort -u | tac
+        cd ${RPM_BUILD_ROOT}
+        find usr/src/debug/ -type d | sed "s,^,%dir /,"
+        find usr/src/debug/ -type f | sed "s,^,/,"
     )
 }
 
@@ -32,12 +32,9 @@ finddebug()
     declare -a dirs=()
     declare -a files=()
     declare -a excludes=()
-    declare -a tmp=()
 
-    pushd "${RPM_BUILD_ROOT}" >/dev/null 2>&1
-
-    mapfile -t tmp < <(find usr/lib/debug/ -type f -iname "*.efi.debug")
-    for x in "${tmp[@]}" ; do
+    pushd ${RPM_BUILD_ROOT} >/dev/null 2>&1
+    for x in $(find usr/lib/debug/ -type f -iname *.efi.debug); do
         if ! [ -e "${x}" ]; then
             break
         fi
@@ -60,10 +57,8 @@ finddebug()
             excludes[${#excludes[@]}]=${x%%.debug}
         fi
     done
-    for x in "${files[@]}" ; do
-        declare name
-
-        name=$(dirname "/${x}")
+    for x in ${files[@]} ; do
+        declare name=$(dirname /${x})
         while [ "${name}" != "/" ]; do
             case "${name}" in
             "/usr/lib/debug"|"/usr/lib"|"/usr")
@@ -72,24 +67,24 @@ finddebug()
                 dirs[${#dirs[@]}]=${name}
                 ;;
             esac
-            name=$(dirname "${name}")
+            name=$(dirname ${name})
         done
     done
 
     popd >/dev/null 2>&1
-    for x in "${dirs[@]}" ; do
+    for x in ${dirs[@]} ; do
         echo "%dir ${x}"
     done | sort | uniq
-    for x in "${files[@]}" ; do
+    for x in ${files[@]} ; do
         echo "/${x}"
     done | sort | uniq
-    for x in "${excludes[@]}" ; do
+    for x in ${excludes[@]} ; do
         echo "%exclude /${x}"
     done
 }
 
-findsource > "build-${mainarch}/debugsource.list"
-finddebug "${mainarch}" > "build-${mainarch}/debugfiles.list"
+findsource > build-${mainarch}/debugsource.list
+finddebug ${mainarch} > build-${mainarch}/debugfiles.list
 if [ -v altarch ]; then
-    finddebug "${altarch}" > "build-${altarch}/debugfiles.list"
+    finddebug ${altarch} > build-${altarch}/debugfiles.list
 fi

shim-unsigned-aarch64.spec

@@ -1,49 +1,55 @@
 %global pesign_vre 0.106-1
 %global openssl_vre 1.0.2j
+%global shim_commit_id afc49558b34548644c1cd0ad1b6526a9470182ed
+
+# For prereleases, % global prerelease rc2, and downpatch Makefile
+%if %{defined prerelease}
+%global dashpre -%{prerelease}
+%global dotpre .%{prerelease}
+%global tildepre ~%{prerelease}
+%global zdpd 0%{dotpre}.
+%endif
 
 %global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch aa64
 %global shimdir %{shimversiondir}/%{efiarch}
-%global efialtarch arm
-%global shimaltdir %{shimversiondir}/%{efialtarch}
 
 %global debug_package %{nil}
 %global __debug_package 1
-%global __debug_install_post %{SOURCE100} %{efiarch} %{efialtarch}
 %global _binaries_in_noarch_packages_terminate_build 0
+%global __debug_install_post %{SOURCE100} %{efiarch}
 %undefine _debuginfo_subpackages
 
 # currently here's what's in our dbx: nothing
 %global dbxfile %{nil}
 
 Name:		shim-unsigned-aarch64
-Version:	15.3
-Release:	1%{?dist}
+Version:	16.1
+Release:	1
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
-License:	BSD
+License:	BSD-2-Clause AND OpenSSL
 URL:		https://github.com/rhboot/shim
-Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
+Source0:	https://github.com/rhboot/shim/releases/download/%{version}%{?dashpre}/shim-%{version}%{?dotpre}.tar.bz2
 Source1:	fedora-ca-20200709.cer
 %if 0%{?dbxfile}
 Source2:	%{dbxfile}
 %endif
-Source3:	sbat.redhat.csv
+Source3:	sbat.redhat.csv.in
+Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
 
-Patch0001:	0001-CI-don-t-use-make-s-it-s-more-trouble-than-help.patch
-Patch0002:	0002-Make-building-outside-of-the-top-directory-work.patch
-Patch0003:	0003-Make-building-outside-of-this-directory-work.patch
+%include %{SOURCE4}
 
 BuildRequires:	gcc make
 BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
-BuildRequires:	binutils-arm-linux-gnu gcc-arm-linux-gnu
+BuildRequires:	sed
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -62,29 +68,14 @@ use this package or when debugging this package.
 %description
 %desc
 
-%package -n shim-unsigned-%{efialtarch}
-Summary:	First-stage UEFI bootloader (unsigned data)
-Provides:	bundled(openssl) = %{openssl_vre}
-
-%description -n shim-unsigned-%{efialtarch}
-%desc
-
 %package debuginfo
-Summary:	Debug information for shim-unsigned-%{efiarch}
+Summary:	Debug information for shim-unsigned-aarch64
 AutoReqProv:	0
 BuildArch:	noarch
 
 %description debuginfo
 %debug_desc
 
-%package -n shim-unsigned-%{efialtarch}-debuginfo
-Summary:	Debug information for shim-unsigned-%{efialtarch}
-AutoReqProv:	0
-BuildArch:	noarch
-
-%description -n shim-unsigned-%{efialtarch}-debuginfo
-%debug_desc
-
 %package debugsource
 Summary:	Debug Source for shim-unsigned
 AutoReqProv:	0
@@ -94,25 +85,26 @@ BuildArch:	noarch
 %debug_desc
 
 %prep
-%autosetup -S git -n shim-%{version}
+%autosetup -S git_am -n shim-%{version}
 git config --unset user.email
 git config --unset user.name
 mkdir build-%{efiarch}
-mkdir build-%{efialtarch}
-cp %{SOURCE3} data/
+sed -e 's/@@VERSION@@/%{version}/g' \
+    -e 's/@@RELEASE@@/%{release}/g' \
+    < %{SOURCE3} > data/sbat.redhat.csv
 
 %build
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
-MAKEFLAGS+="%{_smp_mflags}"
+MAKEFLAGS+=" %{_smp_mflags} "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 %endif
 
@@ -122,24 +114,17 @@ make ${MAKEFLAGS} \
 	all
 cd ..
 
-cd build-%{efialtarch}
-make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	all
-cd ..
-
 %install
-COMMITID=$(cat commit)
-MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
+COMMIT_ID=%{shim_commit_id}
+MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMIT_ID=${COMMIT_ID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
 if [ -f "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1} "
 fi
 %if 0%{?dbxfile}
 if [ -f "%{SOURCE2}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
+	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2} "
 fi
 %endif
 
@@ -151,15 +136,6 @@ make ${MAKEFLAGS} \
 install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimdir}/"
 cd ..
 
-cd build-%{efialtarch}
-make ${MAKEFLAGS} \
-	ARCH=%{efialtarch} CROSS_COMPILE=arm-linux-gnu- \
-	DEFAULT_LOADER='\\\\grub%{efialtarch}.efi' \
-	DESTDIR=${RPM_BUILD_ROOT} \
-	install-as-data install-debuginfo install-debugsource
-install -m 0644 BOOT*.CSV "${RPM_BUILD_ROOT}/%{shimaltdir}/"
-cd ..
-
 %files
 %license COPYRIGHT
 %dir %{shimrootdir}
@@ -169,39 +145,38 @@ cd ..
 %{shimdir}/*.hash
 %{shimdir}/*.CSV
 
-%files -n shim-unsigned-%{efialtarch}
-%license COPYRIGHT
-%dir %{shimrootdir}
-%dir %{shimversiondir}
-%dir %{shimaltdir}
-%{shimaltdir}/*.efi
-%{shimaltdir}/*.hash
-%{shimaltdir}/*.CSV
-
 %files debuginfo -f build-%{efiarch}/debugfiles.list
 
-%files -n shim-unsigned-%{efialtarch}-debuginfo -f build-%{efialtarch}/debugfiles.list
-
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Wed Mar 24 2021 Peter Jones <pjones@redhat.com> - 15.3-1
-- Update to shim 15.3
-  - Support for revocations via the ".sbat" section and SBAT EFI variable
-  - A new unit test framework and a bunch of unit tests
-  - No external gnu-efi dependency
-  - Better CI
-  Resolves: CVE-2020-14372
-  Resolves: CVE-2020-25632
-  Resolves: CVE-2020-25647
-  Resolves: CVE-2020-27749
-  Resolves: CVE-2020-27779
-  Resolves: CVE-2021-20225
-  Resolves: CVE-2021-20233
+* Wed Sep 03 2025 Peter Jones <pjones@redhat.com> - 16.1-1
+- Update to shim-16.1
 
-* Tue Jan 21 2020 Peter Jones <pjones@redhat.com> - 15-2
-- Fix a minor rebuild issue; note that this means it won't match the
-  result that's in shim-15-8.
+* Fri Mar 22 2024 Nicolas Frayer <nfrayer@redhat.com>
+- Migrate to SPDX license
+- Please refer to https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_2
+
+* Thu Mar 07 2024 Peter Jones <pjones@redhat.com> - 15.8-2
+- Update to shim-15.8
+  Resolves: CVE-2023-40546
+  Resolves: CVE-2023-40547
+  Resolves: CVE-2023-40548
+  Resolves: CVE-2023-40549
+  Resolves: CVE-2023-40550
+  Resolves: CVE-2023-40551
+  Resolves: rhbz#2113005
+  Resolves: rhbz#2189197
+  Resolves: rhbz#2238884
+  Resolves: rhbz#2259264
+
+* Thu Jul 07 2022 Robbie Harwood <rharwood@redhat.com> - 15.6-2
+- Add pjones's aarch64 relocation fix
+- Resolves: #2101248
+
+* Wed Jun 15 2022 Peter Jones <pjones@redhat.com> - 15.6-1
+- Update to shim-15.6
+  Resolves: CVE-2022-28737
 
 * Thu Apr 05 2018 Peter Jones <pjones@redhat.com> - 15-1
 - Update to shim 15

sources

@@ -1 +1 @@
-SHA512 (shim-15.3.tar.bz2) = 48de811917b5b60311788467786a7259b5efe8e61ff9af01d37d3138c98309310562c91c6e83ed11924c20774bfee5184b44b901c51e15be4167b97281655e65
+SHA512 (shim-16.1.tar.bz2) = ca5f80e82f3b80b622028f03ef23105c98ee1b6a25f52a59c823080a3202dd4b9962266489296e99f955eb92e36ce13e0b1d57f688350006bba45f2718f159fb