Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2025-11-27 15:17:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new.14147 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Thu Nov 27 15:17:59 2025 rev:134 rq:1320216 version:16.1 Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2025-08-20 13:25:25.924667563 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new.14147/shim.changes 2025-11-27 15:18:32.701348490 +0100 @@ -1,0 +2,32 @@ +Wed Nov 26 07:42:15 UTC 2025 - Joey Lee <[email protected]> + +- Add Microsoft-signed 16.1 shim +- shim.spec: Temporarily disable nx-shim + - We still need time to test nx (non-executable) shim and develop + the script for delivery. We will not support nx-shim on all Leap + and SLE distros because the function should also be supported by + grub2 and kernel. +- shim.spec: Remove the reproducibility check for the shim binary + - The binutils on Leap 15.6 and SLE-15-SP3 has been upgraded to 2.45 + when we are waiting shim-review and Microsoft signing. It causes + that the shim binary is NOT reproducible on build services. + - We just direct use the Microsoft signed-back shim binaries + because we build this binary before and have the logs to prove it. + Before we find a good approach to save/restore the build service + environment, let’s directly use the Microsoft signed-back shim for + delivery. +- Certificates: Add Microsoft UEFI CA files to the target certificates + array in pretrans script. +- Certificates: Convert the SUSE certificates from PEM to DER format +- timestamp.pl: fix the size of checksum in PE Optional Header + +------------------------------------------------------------------- +Mon Oct 13 16:31:45 UTC 2025 - Joey Lee <[email protected]> + +- Add a pretrans script to verify that the UEFI db should have the + necessary certificate to allow the shim binary to boot. The installation + will be aborted if the db is missing the target certificate. To proceed, + the user must enroll the target certificate in the db or disable UEFI + Secure Boot. + +------------------------------------------------------------------- Old: ---- SLES-UEFI-CA-Certificate.crt openSUSE-UEFI-CA-Certificate.crt signature-opensuse-nx.aarch64.asc signature-opensuse-nx.x86_64.asc signature-opensuse.aarch64.asc signature-opensuse.x86_64.asc signature-sles-nx.aarch64.asc signature-sles-nx.x86_64.asc signature-sles.aarch64.asc signature-sles.x86_64.asc New: ---- Microsoft_Corporation_UEFI_CA_2011.crt Microsoft_UEFI_CA_2023.crt SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt _scmsync.obsinfo build.specials.obscpio openSUSE_Secure_Boot_CA_2013.crt shim-opensuse.aarch64.efi shim-opensuse.x86.efi shim-sles.aarch64.efi shim-sles.x86.efi ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.macDS0/_old 2025-11-27 15:18:33.937400613 +0100 +++ /var/tmp/diff_new_pack.macDS0/_new 2025-11-27 15:18:33.937400613 +0100 @@ -56,27 +56,29 @@ # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. # Note: For signature requesting, check SIGNATURE_UPDATE.txt -Source1: signature-opensuse.x86_64.asc -# openSUSE Secure Boot CA, 2013-2035, PEM format -Source2: openSUSE-UEFI-CA-Certificate.crt -Source3: shim-install -# SUSE Linux Enterprise Secure Boot CA, 2013-2035, PEM format -Source4: SLES-UEFI-CA-Certificate.crt -Source5: extract_signature.sh -Source6: attach_signature.sh -Source7: show_hash.sh -Source8: show_signatures.sh -Source9: timestamp.pl -Source10: strip_signature.sh -Source11: signature-sles.x86_64.asc -Source12: signature-opensuse.aarch64.asc -Source13: signature-sles.aarch64.asc -Source14: generate-vendor-dbx.sh -# signatures for shim.nx -Source20: signature-opensuse-nx.x86_64.asc -Source21: signature-sles-nx.x86_64.asc -Source22: signature-opensuse-nx.aarch64.asc -Source23: signature-sles-nx.aarch64.asc +Source1: shim-install +Source2: extract_signature.sh +Source3: attach_signature.sh +Source4: show_hash.sh +Source5: show_signatures.sh +Source6: timestamp.pl +Source7: strip_signature.sh +Source8: generate-vendor-dbx.sh +# Certificates Used to Verify the Shim (DER format) +# SUSE CA is also built-in to the shim via VENDOR_CERT_FILE +# openSUSE Secure Boot CA, 2013-2035 +Source11: openSUSE_Secure_Boot_CA_2013.crt +# SUSE Linux Enterprise Secure Boot CA, 2013-2035 +Source12: SUSE_Linux_Enterprise_Secure_Boot_CA_2013.crt +# Microsoft Corporation UEFI CA 2011, 2011-2026 +Source13: Microsoft_Corporation_UEFI_CA_2011.crt +# Microsoft UEFI CA 2023, 2023-2038 +Source14: Microsoft_UEFI_CA_2023.crt +# Microsoft-signed shim +Source30: shim-opensuse.x86.efi +Source31: shim-opensuse.aarch64.efi +Source32: shim-sles.x86.efi +Source33: shim-sles.aarch64.efi # revoked certificates for dbx Source50: revoked-openSUSE-UEFI-SIGN-Certificate-2013-01.crt Source51: revoked-openSUSE-UEFI-SIGN-Certificate-2013-08.crt @@ -107,6 +109,8 @@ BuildRequires: openssl >= 0.9.8 BuildRequires: pesign BuildRequires: pesign-obs-integration +# we need xxd in global macro in shim.spec +BuildRequires: vim %if 0%{?shim_use_fde_tpm_helper:1} BuildRequires: fde-tpm-helper-rpm-macros %endif @@ -128,10 +132,23 @@ Requires: mokutil ExclusiveArch: x86_64 aarch64 +# subject hash of openSUSE/SLE/devel certificates for identifying devel project +%global prjissuer_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -issuer_hash 2>/dev/null || echo "PRJ_ISSUER_NOT_FOUND") +%global prjsubjec_hash %(test -f %{_sourcedir}/_projectcert.crt && openssl x509 -in %{_sourcedir}/_projectcert.crt -inform PEM -noout -subject_hash 2>/dev/null || echo "PRJ_SUBJECT_NOT_FOUND") +%global opensusesubject_hash %(openssl x509 -in %{SOURCE11} -inform DER -noout -subject_hash 2>/dev/null) +%global slessubject_hash %(openssl x509 -in %{SOURCE12} -inform DER -noout -subject_hash 2>/dev/null) +# Hex content of certs (DER format) will be used in the TARGET_CERT_HEXES array in pretrans script +%global opensuse_ca_hex %(xxd -p %{SOURCE11} | tr -d '\\n') +%global sles_ca_hex %(xxd -p %{SOURCE12} | tr -d '\\n') +%global microsoft_ca_hex %(xxd -p %{SOURCE13} | tr -d '\\n') +%global microsoft_ca_2023_hex %(xxd -p %{SOURCE14} | tr -d '\\n') +%global prjcert_hex %(test -f %{_sourcedir}/_projectcert.crt && (openssl x509 -in %{_sourcedir}/_projectcert.crt -outform DER -out - | xxd -p | tr -d '\\n') 2>/dev/null) + %description shim is a trivial EFI application that, when run, attempts to open and execute another application. +%if 0%{?shim_nx:1} %package -n shim-nx Summary: UEFI shim loader - supports non-executable Group: System/Boot @@ -140,6 +157,7 @@ %description -n shim-nx shim with NX_COMPAT field (aka. NxCompatible field in DllCharacteristics) for supporting non-executable +%endif # 0%{?shim_nx:1} %package -n shim-debuginfo Summary: UEFI shim loader - debug symbols @@ -194,8 +212,8 @@ if test -e %{_sourcedir}/_projectcert.crt ; then prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash) prjissuer=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -issuer_hash) - opensusesubject=$(openssl x509 -in %{SOURCE2} -noout -subject_hash) - slessubject=$(openssl x509 -in %{SOURCE4} -noout -subject_hash) + opensusesubject=$(openssl x509 -in %{SOURCE11} -noout -subject_hash) + slessubject=$(openssl x509 -in %{SOURCE12} -noout -subject_hash) if test "$prjissuer" = "$opensusesubject" ; then suffixes=(opensuse) elif test "$prjissuer" = "$slessubject" ; then @@ -207,38 +225,30 @@ for suffix in "${suffixes[@]}"; do if test "$suffix" = "opensuse"; then - cert=%{SOURCE2} + cert=%{SOURCE11} verify='openSUSE Secure Boot CA1' vendor_dbx='vendor-dbx-opensuse.esl' %ifarch x86_64 - signature=%{SOURCE1} - signature_nx=%{SOURCE20} + ms_shim=%{SOURCE30} %else - # AArch64 signature - # Disable AArch64 signature attachment temporarily - # until we get a real one. - # Now, we got a real one. So enable it again. - signature=%{SOURCE12} - signature_nx=%{SOURCE22} + # opensuse aarch64 + ms_shim=%{SOURCE31} %endif elif test "$suffix" = "sles"; then - cert=%{SOURCE4} + cert=%{SOURCE12} verify='SUSE Linux Enterprise Secure Boot CA1' vendor_dbx='vendor-dbx-sles.esl' %ifarch x86_64 - signature=%{SOURCE11} - signature_nx=%{SOURCE21} + ms_shim=%{SOURCE32} %else - # AArch64 signature - signature=%{SOURCE13} - signature_nx=%{SOURCE23} + # sles aarch64 + ms_shim=%{SOURCE33} %endif elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt verify=`openssl x509 -in "$cert" -noout -email` vendor_dbx='vendor-dbx.esl' - signature='' - signature_nx='' + ms_shim='' test -e "$cert" || continue else echo "invalid suffix" @@ -254,43 +264,29 @@ # # assert correct certificate embedded grep -q "$verify" shim.efi - # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE9} - # alternative: verify signature - #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - if test -n "$signature"; then - head -1 "$signature" > hash1 - cp shim.efi shim.efi.bak - # pe header contains timestamp and checksum. we need to - # restore that - %{SOURCE9} --set-from-file "$signature" shim.efi - pesign -h -P -i shim.efi > hash2 - cat hash1 hash2 - if ! cmp -s hash1 hash2; then - echo "ERROR: $suffix binary changed, need to request new signature!" -%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0 - # compare suffix (sles, opensuse) with distro_id (sle, opensuse) - # when hash mismatch and distro_id match with suffix, stop building - if test "$suffix" = "$distro_id" || test "$suffix" = "${distro_id}s"; then - false - fi -%endif - mv shim.efi.bak shim-$suffix.efi - rm shim.efi + # Use ms-signed shim when the version equals with the version of newly built shim + # Version mismatch indicates development of a new shim. + if test -n "$ms_shim"; then + ms_version=$(strings "$ms_shim" | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//') + dev_version=$(strings shim.efi | grep '$Version:' | sed -e 's/^.*: //' -e 's/ \$//') + if [ "$ms_version" = "$dev_version" ]; then + cp $ms_shim shim-$suffix.efi else - # attach signature - pesign -m "$signature" -i shim.efi -o shim-$suffix.efi - rm -f shim.efi + cp shim.efi shim-$suffix.efi fi + rm shim.efi else + # devel shim mv shim.efi shim-$suffix.efi fi + # FIX: using debug info from devel shim doesn't match with ms-signed shim mv shim.efi.debug shim-$suffix.debug # remove the build cert if exists rm -f shim_cert.h shim.cer shim.crt # make sure all object files gets rebuilt rm -f *.o +%if 0%{?shim_nx:1} # building shim.nx.efi make CC=%{cc_compiler} RELEASE=0 ENABLE_CODESIGN_EKU=1 SHIMSTEM=shim.nx \ VENDOR_CERT_FILE=shim-$suffix.der ENABLE_HTTPBOOT=1 \ @@ -301,48 +297,21 @@ # # assert correct certificate embedded grep -q "$verify" shim.nx.efi - # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE9} - # alternative: verify signature - #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - if test -n "$signature_nx"; then - head -1 "$signature_nx" > hash1 - cp shim.nx.efi shim.nx.efi.bak - # pe header contains timestamp and checksum. we need to - # restore that - %{SOURCE9} --set-from-file "$signature_nx" shim.nx.efi - pesign -h -P -i shim.nx.efi > hash2 - cat hash1 hash2 - if ! cmp -s hash1 hash2; then - echo "ERROR: $suffix nx binary changed, need to request new signature!" -%if %{defined shim_enforce_ms_signature} && 0%{?shim_enforce_ms_signature} > 0 - # compare suffix (sles, opensuse) with distro_id (sle, opensuse) - # when hash mismatch and distro_id match with suffix, stop building - if test "$suffix" = "$distro_id" || test "$suffix" = "${distro_id}s"; then - false - fi -%endif - mv shim.nx.efi.bak shim-$suffix.nx.efi - rm shim.nx.efi - else - # attach signature - pesign -m "$signature" -i shim.nx.efi -o shim-$suffix.nx.efi - rm -f shim.nx.efi - fi - else mv shim.nx.efi shim-$suffix.nx.efi - fi mv shim.nx.efi.debug shim-$suffix.nx.debug # remove the build cert if exists rm -f shim_cert.h shim.cer shim.crt # make sure all object files gets rebuilt rm -f *.o +%endif # 0%{?shim_nx:1} done ln -s shim-${suffixes[0]}.efi shim.efi mv shim-${suffixes[0]}.debug shim.debug +%if 0%{?shim_nx:1} ln -s shim-${suffixes[0]}.nx.efi shim.nx.efi mv shim-${suffixes[0]}.nx.debug shim.nx.debug +%endif # 0%{?shim_nx:1} # Collect the source for debugsource mkdir ../source @@ -357,7 +326,7 @@ install -m 644 MokManager.efi %{buildroot}/%{sysefidir}/MokManager.efi install -m 644 fallback.efi %{buildroot}/%{sysefidir}/fallback.efi install -d %{buildroot}/%{_sbindir} -install -m 755 %{SOURCE3} %{buildroot}/%{_sbindir}/ +install -m 755 %{SOURCE1} %{buildroot}/%{_sbindir}/ # install SUSE certificate install -d %{buildroot}/%{_sysconfdir}/uefi/certs/ for file in shim-*.der; do @@ -385,6 +354,205 @@ %clean %{?buildroot:%__rm -rf "%{buildroot}"} +%pretrans -p <lua> +-- Using Lua +print("INFO: Current Lua Version: " .. tostring(_VERSION)) + +-- ========================================================================================== +-- This pretrans script verifies that the UEFI db should have the necessary certificate to +-- allow the shim binary to boot. +-- The installation will be aborted if the db is missing the target certificate. To proceed, +-- the user must enroll the target certificate in the db or disable UEFI Secure Boot. +-- ========================================================================================== + +local db_filename = "/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f" + +-- The db file existence check +-- Use pcall to execute rpm.open to prevent errors from being thrown when +-- the file cannot be found, causing RPM to fail. +local success, result = pcall(rpm.open, db_filename, "rb") + +local f_check = nil + +if not success then + -- pcall catches errors (e.g. "No such file or directory") + print("WARNING: Attempt to open db EFI variable file failed. Error message: " .. tostring(result)) + print("WARNING: This usually means the system is not booted in UEFI mode. Skipping all db check steps.") + return 0 +else + -- If pcall succeeds, result may be an archive handle or nil (depending on the behavior of rpm.open) + f_check = result + if not f_check then + -- The archive does not exist, but rpm.open returns nil + print("WARNING: db EFI variable file does not exist (rpm.open returned nil). Skipping db check steps.") + return 0 + else + -- If the file exists and is successfully opened, + -- close the handle immediately so that subsequent code can open it again. + f_check:close() + end +end + +-- ========================================================================================== +-- This is the hardcoded target certificate content used to check for its existence. +-- HEX_CONTENT=$(xxd -p taget_certificate.der | tr -d '\n') && echo "$HEX_CONTENT" +-- ========================================================================================== + +-- Only the DER format is supported +local TARGET_CERT_HEXES = { + -- Always check Microsoft keys + -- Certificate #1, Microsoft Corporation UEFI CA 2011 + "%{microsoft_ca_hex}", + -- Certificate #2, Microsoft UEFI CA 2023 + "%{microsoft_ca_2023_hex}", +%if "%{prjissuer_hash}" == "%{opensusesubject_hash}" + -- Certificate #3, openSUSE Secure Boot CA 2013 + "%{opensuse_ca_hex}", +%elif "%{prjissuer_hash}" == "%{slessubject_hash}" + -- Certificate #3, SUSE Linux Enterprise Secure Boot CA 2013 + "%{sles_ca_hex}", +%elif "%{prjissuer_hash}" == "%{prjsubjec_hash}" + -- We put all keys for testing on devel/staging project + -- Certificate #3, openSUSE Secure Boot CA 2013 + "%{opensuse_ca_hex}", + -- Certificate #4, SUSE Linux Enterprise Secure Boot CA 2013 + "%{sles_ca_hex}", + -- Certificate #5, _projectcert.crt + "%{prjcert_hex}", +%endif # prjissuer_hash check +} + +-- Check if the TARGET_CERT_HEXES array is empty +if #TARGET_CERT_HEXES == 0 then + print("INFO: certificate list is empty. Skipping certificate check.") + -- Exiting safely as the certificate list is empty. + return 0 +else + -- Check if the Hex string for certificate is valid + for i, cert_hex in ipairs(TARGET_CERT_HEXES) do + if #cert_hex % 2 ~= 0 then + print("Error: The length of hard-coded hex string for certificate #" .. i .. " must be an even number.") + error("The Hex string is invalid. The transaction is being aborted in the pretrans script.") + end + end +end + +-- ========================================================================= +-- Helper functions +-- ========================================================================= + +-- Convert hexadecimal string to original binary string +local function hex_to_binary(hex) + local binary = "" + for i = 1, #hex, 2 do + local byte_hex = hex:sub(i, i + 1) + binary = binary .. string.char(tonumber(byte_hex, 16)) + end + return binary +end + +-- ========================================================================= +-- Main logic for checking if the db has any target certificate +-- ========================================================================= + +-- Read existing db contents +local db_content = "" +do + -- The db file is now confirmed to exist, open it again to read the contents + local f = rpm.open(db_filename, "rb") + + if f then + local chunks = {} + local CHUNK_SIZE = 4096 + local raw_content = "" + local chunk = f:read(CHUNK_SIZE) + + while chunk do + -- If an empty string is read, it means EOF has been reached and the loop is exited. + if chunk == "" then + break + end + table.insert(chunks, chunk) + chunk = f:read(CHUNK_SIZE) + end + + raw_content = table.concat(chunks) + + f:close() + + -- Skip the first 4 bytes (EFI attributes) + if #raw_content > 4 then + -- Truncate from the 5th byte to the end + db_content = string.sub(raw_content, 5) + print("INFO: Successfully read existing db content") + else + -- The file is too small or only has attributes, so it is considered blank. + db_content = "" + print("WARNING: db file content length is abnormal (<= 4 bytes). Treated as blank.") + end + end +end + +-- Check all target certificates +for i, cert_hex in ipairs(TARGET_CERT_HEXES) do + + local target_binary_content = hex_to_binary(cert_hex) + + -- Perform binary string matching + local start_pos, end_pos = db_content:find(target_binary_content, 1, true) + + if start_pos then + -- Success: Certificate exist in db + -- Return 0 to allow the RPM transaction to continue + print("Target certificate #" .. i .. " was found in the db variable. Proceed with install.") + return 0 + end +end + +-- Certificate not present in db +print("WARNING: The target certificate binary was not found in the db variable.") +print("Please add the appropriate certificate to the db or disable UEFI secure boot.") + +-- Secure Boot status check: We only proceed with installation if the certificate is not present in the db and Secure Boot is disabled. +local sb_filename = "/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c" + +local success_sb, result_sb = pcall(rpm.open, sb_filename, "rb") + +if not success_sb or not result_sb then + -- If the file is missing, it typically means the system is not UEFI, or Secure Boot is disabled/the variable is absent. + print("WARNING: SecureBoot EFI variable file does not exist. Proceed with install.") +else + local f_sb = result_sb + local raw_content_sb = "" + local sb_status = 0 + + -- Read file contents + local chunk_sb = f_sb:read(4096) + while chunk_sb do + if chunk_sb == "" then break end + raw_content_sb = raw_content_sb .. chunk_sb + chunk_sb = f_sb:read(4096) + end + f_sb:close() + + -- SecureBoot status check + if #raw_content_sb >= 5 then + -- Skip the first 4-byte attribute header and read the 5th byte (status byte) + sb_status = string.byte(raw_content_sb, 5) + + if sb_status == 0x00 then + print("INFO: Since Secure Boot is DISABLED, proceed with install.") + return 0 + elseif sb_status == 0x01 then + error("Fatal error: Secure Boot is ENABLED (status = 0x01), but the target certificate was not found in the db. Aborting installation.") + else + error("Fatal error: Secure Boot status is unrecognized (0x" .. string.format("%02x", sb_status) .. "). Aborting installation.") + end + else + error("Fatal error: SecureBoot variable content is too short to determine status. Aborting installation.") + end +end + %post %if 0%{?fde_tpm_update_post:1} %fde_tpm_update_post shim @@ -430,7 +598,9 @@ %dir %{sysefidir} %{sysefidir}/shim.efi %{sysefidir}/shim-*.efi +%if 0%{?shim_nx:1} %exclude %{sysefidir}/shim-*.nx.efi +%endif # 0%{?shim_nx:1} %{sysefidir}/shim-*.der %{sysefidir}/MokManager.efi %{sysefidir}/fallback.efi @@ -444,10 +614,12 @@ /usr/lib64/efi/*.efi %endif +%if 0%{?shim_nx:1} %files -n shim-nx %defattr(-,root,root) %{sysefidir}/shim.nx.efi %{sysefidir}/shim-*.nx.efi +%endif # 0%{?shim_nx:1} %files -n shim-debuginfo %defattr(-,root,root,-) ++++++ _scmsync.obsinfo ++++++ mtime: 1764143518 commit: aa888406eebde49d82abc52ef85de0d169a287d028b07b20afc4e0afc85fdba9 url: https://src.opensuse.org/devel-factory/shim.git revision: aa888406eebde49d82abc52ef85de0d169a287d028b07b20afc4e0afc85fdba9 projectscmsync: https://src.opensuse.org/devel-factory/_ObsPrj.git ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-11-26 16:14:42.000000000 +0100 @@ -0,0 +1 @@ +.osc ++++++ timestamp.pl ++++++ --- /var/tmp/diff_new_pack.macDS0/_old 2025-11-27 15:18:34.333417313 +0100 +++ /var/tmp/diff_new_pack.macDS0/_new 2025-11-27 15:18:34.341417650 +0100 @@ -87,7 +87,7 @@ $set_linker = pack('S', hex($1)); next; } elsif (/^checksum: ([0-9a-f]+)/) { - $set_checksum = pack('S', hex($1)); + $set_checksum = pack('L', hex($1)); next; } last if $set_timestamp && $set_checksum && $set_linker; @@ -114,9 +114,9 @@ printf ("linker: %x\n", unpack('S', $value)); die "seek $file: $!\n" unless seek($fh, 216, 0); - die "read $file: $!\n" unless read($fh, $value, 2); + die "read $file: $!\n" unless read($fh, $value, 4); - printf ("checksum: %x\n", unpack('S', $value)); + printf ("checksum: %x\n", unpack('L', $value)); close($fh); } @@ -132,7 +132,7 @@ die "write $file: $!\n" unless print $fh $set_linker; die "seek $file: $!\n" unless seek($fh, 216, 0); - die "read $file: $!\n" unless print $fh $set_checksum; + die "write $file: $!\n" unless print $fh $set_checksum; close($fh); }
