Hello community, here is the log from the commit of package shim for openSUSE:Factory checked in at 2014-08-18 11:23:47 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/shim (Old) and /work/SRC/openSUSE:Factory/.shim.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "shim" Changes: -------- --- /work/SRC/openSUSE:Factory/shim/shim.changes 2014-04-21 11:05:28.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.shim.new/shim.changes 2014-08-18 11:23:49.000000000 +0200 @@ -1,0 +2,176 @@ +Tue Aug 12 14:19:36 UTC 2014 - jseg...@suse.com + +- updated shim to new version (OpenSSL 0.9.8za) and requested a new + certificate from Microsoft. Removed + * shim-allow-fallback-use-system-loadimage.patch + * shim-bnc872503-check-key-encoding.patch + * shim-bnc877003-fetch-from-the-same-device.patch + * shim-correct-user_insecure-usage.patch + * shim-fallback-avoid-duplicate-bootorder.patch + * shim-fallback-improve-entries-creation.patch + * shim-fix-dhcpv4-path-generation.patch + * shim-fix-uninitialized-variable.patch + * shim-fix-verify-mok.patch + * shim-get-variable-check.patch + * shim-improve-error-messages.patch + * shim-mokmanager-delete-bs-var-right.patch + * shim-mokmanager-handle-keystroke-error.patch + * shim-remove-unused-variables.patch + since they're included in upstream and rebased the remaining onces. + Added shim-signed-unsigned-compares.patch to fix some compiler + warnings + +------------------------------------------------------------------- +Tue Aug 12 09:18:42 UTC 2014 - g...@suse.com + +- Keep shim-devel.efi for the devel project + +------------------------------------------------------------------- +Fri Aug 8 11:18:36 UTC 2014 - lnus...@suse.de + +- don't fail the build if the UEFI signing service signature can't + be attached anymore. This way shim can still pass through staging + projects. We will verify the correct signature for release builds + using openQA instead. + +------------------------------------------------------------------- +Mon Aug 4 07:53:22 UTC 2014 - mch...@suse.com + +- shim-install: fix GRUB shows broken letters at boot by calling + grub2-install to initialize /boot/grub2 directory with files + needed by grub.cfg (bnc#889765) + +------------------------------------------------------------------- +Wed May 28 04:13:33 UTC 2014 - g...@suse.com + +- Add shim-remove-unused-variables.patch to remove the unused + variables +- Add shim-bnc872503-check-key-encoding.patch to check the encoding + of the keys (bnc#872503) +- Add shim-bnc877003-fetch-from-the-same-device.patch to fetch the + netboot image from the same device (bnc#877003) +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Wed May 14 09:39:02 UTC 2014 - g...@suse.com + +- Use --reinit instead of --refresh in %post to update the files + in /boot + +------------------------------------------------------------------- +Tue Apr 29 07:38:11 UTC 2014 - mch...@suse.com + +- shim-install: fix boot partition and rollback support kluge + (bnc#875385) + +------------------------------------------------------------------- +Thu Apr 10 08:20:20 UTC 2014 - g...@suse.com + +- Replace shim-mokmanager-support-sha1.patch with + shim-mokmanager-support-sha-family.patch to support the SHA + family + +------------------------------------------------------------------- +Mon Apr 7 09:32:21 UTC 2014 - g...@suse.com + +- Add shim-mokmanager-support-sha1.patch to support SHA1 hashes in + MOK + +------------------------------------------------------------------- +Mon Mar 31 11:57:13 UTC 2014 - mch...@suse.com + +- snapper rollback support (fate#317062) + - refresh shim-install + +------------------------------------------------------------------- +Thu Mar 13 02:32:15 UTC 2014 - g...@suse.com + +- Insert the right signature (bnc#867974) + +------------------------------------------------------------------- +Mon Mar 10 07:56:44 UTC 2014 - g...@suse.com + +- Add shim-fix-uninitialized-variable.patch to fix the use of + uninitialzed variables in lib + +------------------------------------------------------------------- +Fri Mar 7 09:09:12 UTC 2014 - g...@suse.com + +- Add shim-mokmanager-delete-bs-var-right.patch to delete the BS+NV + variables the right way +- Update shim-opensuse-cert-prompt.patch to delete openSUSE_Verify + correctly + +------------------------------------------------------------------- +Thu Mar 6 07:37:57 UTC 2014 - g...@suse.com + +- Add shim-fallback-avoid-duplicate-bootorder.patch to fix the + duplicate entries in BootOrder +- Add shim-allow-fallback-use-system-loadimage.patch to handle the + shim protocol properly to keep only one protocol entity +- Refresh shim-opensuse-cert-prompt.patch + +------------------------------------------------------------------- +Thu Mar 6 03:53:49 UTC 2014 - mch...@suse.com + +- shim-install: fix the $prefix to use grub2-mkrelpath for paths + on btrfs subvolume (bnc#866690). + +------------------------------------------------------------------- +Tue Mar 4 04:19:05 UTC 2014 - g...@suse.com + +- FATE#315002: Update shim-install to install shim.efi as the EFI + default bootloader when none exists in \EFI\boot. + +------------------------------------------------------------------- +Thu Feb 27 09:46:49 UTC 2014 - fcro...@suse.com + +- Update signature-sles.asc: shim signed by UEFI signing service, + based on code from "Thu Feb 20 11:57:01 UTC 2014" + +------------------------------------------------------------------- +Fri Feb 21 08:45:46 UTC 2014 - g...@suse.com + +- Add shim-opensuse-cert-prompt.patch to show the prompt to ask + whether the user trusts the openSUSE certificate or not + +------------------------------------------------------------------- +Thu Feb 20 11:57:01 UTC 2014 - lnus...@suse.de + +- allow package to carry multiple signatures +- check correct certificate is embedded + +------------------------------------------------------------------- +Thu Feb 20 10:06:47 UTC 2014 - lnus...@suse.de + +- always clean up generated files that embed certificates + (shim_cert.h shim.cer shim.crt) to make sure next build loop + rebuilds them properly + +------------------------------------------------------------------- +Mon Feb 17 09:58:56 UTC 2014 - g...@suse.com + +- Add shim-bnc863205-mokmanager-fix-hash-delete.patch to fix the + hash deletion operation to avoid ruining the whole list + (bnc#863205) + +------------------------------------------------------------------- +Tue Feb 11 06:30:02 UTC 2014 - g...@suse.com + +- Update shim-mokx-support.patch to support the resetting of MOK + blacklist +- Add shim-get-variable-check.patch to fix the variable checking + in get_variable_attr +- Add shim-fallback-improve-entries-creation.patch to improve the + boot entry pathes and avoid generating the boot entries that + are already there +- Update SUSE certificate +- Update attach_signature.sh, show_hash.sh, strip_signature.sh, + extract_signature.sh and show_signatures.sh to remove the + creation of the temporary nss database +- Add shim-only-os-name.patch: remove the kernel version of the + build server +- Match the the prefix of the project name properly by escaping the + percent sign. + +------------------------------------------------------------------- Old: ---- microsoft.asc shim-0.7.tar.bz2 shim-correct-user_insecure-usage.patch shim-fix-dhcpv4-path-generation.patch shim-fix-verify-mok.patch shim-improve-error-messages.patch shim-mokmanager-handle-keystroke-error.patch New: ---- shim-0.7.318.81ee561d.tar.bz2 shim-bnc863205-mokmanager-fix-hash-delete.patch shim-mokmanager-support-sha-family.patch shim-only-os-name.patch shim-opensuse-cert-prompt.patch shim-signed-unsigned-compares.patch signature-opensuse.asc signature-sles.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ shim.spec ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -17,9 +17,13 @@ # needssslcertforbuild +%define commit 81ee561dde0213bc487aa1b701799f6d2faeaf31 +%define shortcommit 81ee561d Name: shim -Version: 0.7 +# to ensure newer versions of the git export are always higher numbers the output of +# git rev-list master|wc -l is added before the git commit hash +Version: 0.7.318.%{shortcommit} Release: 0 Summary: UEFI shim loader License: BSD-2-Clause @@ -28,7 +32,7 @@ Source: %{name}-%{version}.tar.bz2 # run "extract_signature.sh shim.efi" where shim.efi is the binary # with the signature from the UEFI signing service. -Source1: microsoft.asc +Source1: signature-opensuse.asc Source2: openSUSE-UEFI-CA-Certificate.crt Source3: shim-install Source4: SLES-UEFI-CA-Certificate.crt @@ -38,18 +42,20 @@ Source8: show_signatures.sh Source9: openSUSE-UEFI-CA-Certificate-4096.crt Source10: timestamp.pl -# PATCH-FIX-UPSTREAM shim-fix-verify-mok.patch g...@suse.com -- Fix the error handling in verify_mok() -Patch1: shim-fix-verify-mok.patch -# PATCH-FIX-UPSTREAM shim-improve-error-messages.patch g...@suse.com -- Improve the error messages -Patch2: shim-improve-error-messages.patch -# PATCH-FIX-UPSTREAM shim-correct-user_insecure-usage.patch g...@suse.com -- Correct the usage of the user insecure mode variable -Patch3: shim-correct-user_insecure-usage.patch -# PATCH-FIX-UPSTREAM shim-fix-dhcpv4-path-generation.patch g...@suse.com -- Fix path generation for DHCPv4 bootloader -Patch4: shim-fix-dhcpv4-path-generation.patch +Source11: strip_signature.sh +Source12: signature-sles.asc # PATCH-FIX-UPSTREAM shim-mokx-support.patch g...@suse.com -- Support MOK blacklist -Patch5: shim-mokx-support.patch -# PATCH-FIX-UPSTREAM shim-mokmanager-handle-keystroke-error.patch g...@suse.com -- Handle the error status from ReadKeyStroke to avoid the unexpected keys -Patch6: shim-mokmanager-handle-keystroke-error.patch +Patch1: shim-mokx-support.patch +# PATCH-FIX-SUSE shim-only-os-name.patch g...@suse.com -- Only include the OS name in version.c +Patch2: shim-only-os-name.patch +# PATCH-FIX-UPSTREAM shim-bnc863205-mokmanager-fix-hash-delete.patch bnc#863205 g...@suse.com -- Fix the hash deletion operation to avoid ruining the whole list +Patch3: shim-bnc863205-mokmanager-fix-hash-delete.patch +# PATCH-FIX-UPSTREAM shim-mokmanager-support-sha-family.patch g...@suse.com -- Support SHA hashes in MOK +Patch4: shim-mokmanager-support-sha-family.patch +# PATCH-FIX-OPENSUSE shim-signed-unsigned-compares.patch jseg...@suse.com -- Fixed some signed - unsigned comparisons +Patch5: shim-signed-unsigned-compares.patch +# PATCH-FIX-OPENSUSE shim-opensuse-cert-prompt.patch g...@suse.com -- Show the prompt to ask whether the user trusts openSUSE certificate or not +Patch100: shim-opensuse-cert-prompt.patch BuildRequires: gnu-efi >= 3.0t BuildRequires: mozilla-nss-tools BuildRequires: openssl >= 0.9.8 @@ -57,7 +63,8 @@ BuildRequires: pesign-obs-integration Requires: perl-Bootloader BuildRoot: %{_tmppath}/%{name}-%{version}-build -Recommends: grub2-efi +# For shim-install script +Requires: grub2-efi ExclusiveArch: x86_64 %description @@ -77,7 +84,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 -%patch6 -p1 +%patch100 -p1 %build # first, build MokManager and fallback as they don't depend on a @@ -108,12 +115,18 @@ if test "$suffix" = "opensuse"; then cert=%{SOURCE2} cert2=%{SOURCE9} + verify='openSUSE Secure Boot CA1' + signature=%{SOURCE1} elif test "$suffix" = "sles"; then cert=%{SOURCE4} cert2='' + verify='SUSE Linux Enterprise Secure Boot CA1' + signature=%{SOURCE12} elif test "$suffix" = "devel"; then cert=%{_sourcedir}/_projectcert.crt cert2='' + verify=`openssl x509 -in "$cert" -noout -email` + signature='' test -e "$cert" || continue else echo "invalid suffix" @@ -121,6 +134,7 @@ fi openssl x509 -in $cert -outform DER -out shim-$suffix.der + rm -f shim_cert.h shim.cer shim.crt if [ -z "$cert2" ]; then # create empty local cert file, we don't need a local key pair as we # sign the mokmanager with our vendor key @@ -128,36 +142,36 @@ touch shim.cer else cp $cert2 shim.crt - rm -f shim.cer fi # make sure cast warnings don't trigger post build check make EFI_PATH=/usr/lib64 VENDOR_CERT_FILE=shim-$suffix.der shim.efi 2>/dev/null + # + # assert correct certificate embedded + grep -q "$verify" shim.efi # make VENDOR_CERT_FILE=cert.der VENDOR_DBX_FILE=dbx - chmod 755 %{SOURCE6} %{SOURCE7} %{SOURCE10} + chmod 755 %{SOURCE10} # alternative: verify signature #sbverify --cert MicCorThiParMarRoo_2010-10-05.pem shim-signed.efi - head -1 %{SOURCE1} > hash1 + if test -n "$signature"; then + head -1 "$signature" > hash1 cp shim.efi shim.efi.bak # pe header contains timestamp and checksum. we need to # restore that - %{SOURCE10} --set-from-file %{SOURCE1} shim.efi - %{SOURCE7} shim.efi > hash2 + %{SOURCE10} --set-from-file "$signature" shim.efi + pesign -h -P -i shim.efi > hash2 cat hash1 hash2 if ! cmp -s hash1 hash2; then - echo "ERROR: binary changed, need to request new signature!" - # don't fail in devel projects - prj="%{_project}" - if [ "${prj%%:*}" = "openSUSE" -o "${prj%%:*}" = "SUSE" ]; then - false - fi + echo "ERROR: $suffix binary changed, need to request new signature!" mv shim.efi.bak shim-$suffix.efi rm shim.efi else # attach signature - %{SOURCE6} %{SOURCE1} shim.efi - mv shim-signed.efi shim-$suffix.efi + pesign -m "$signature" -i shim.efi -o shim-$suffix.efi rm -f shim.efi fi + else + mv shim.efi shim-$suffix.efi + fi rm -f shim.cer shim.crt # make sure cert.o gets rebuilt rm -f cert.o @@ -185,7 +199,7 @@ %{?buildroot:%__rm -rf "%{buildroot}"} %post -/sbin/update-bootloader --refresh || true +/sbin/update-bootloader --reinit || true %files %defattr(-,root,root) ++++++ SLES-UEFI-CA-Certificate.crt ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -1,39 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIG5TCCBM2gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT +MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpjEtMCsGA1UEAwwkU1VT RSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTES MBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3Rz IEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxk -QHN1c2UuZGUwHhcNMTMwMTIyMTQyMDA4WhcNMzQxMjE4MTQyMDA4WjCBpjEtMCsG +QHN1c2UuZGUwHhcNMTMwNDE4MTQzMzQxWhcNMzUwMzE0MTQzMzQxWjCBpjEtMCsG A1UEAwwkU1VTRSBMaW51eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYD VQQGEwJERTESMBAGA1UEBwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4 IFByb2R1Y3RzIEdtYkgxEzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0B -CQEWDWJ1aWxkQHN1c2UuZGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC -AQCrLYL1Uq02iIgro6x6PFESFDtUKU7xO/bJanI7+AQAroowFuLBI67BBSmoq3hR -QnH3OtQusGV8y+wvjaaunppvWMfjViZ88zssj5fKXrDr5U6BB566DJgHreWaEs2d -FD13XpKRr3Nk9zdjAJu5YsR7hI1NMXsnj1X8w71OY9HLjv+Kq9917PJwZQjOGnAJ -BQTi0ogHuLiwDqMKgg5rrYD4cJDPzoLEmEXnwHDIOSiWdD0bCzhN6GQDKldIxQ2O -d/mjUgzB+dWslIb+bUKaoJgDtyPV20W74t7Y2uwoaEVr9QkPoM3tOPttf4qsWo8B -J1TgeoF01ZeKcvSyvOXCKbfAN9sqURK2ZUTNThqZ//VPQmJP6fByrMJsbvTOSsQt -HI+fFPrg1DC2KT8SzuGtWDRscHZ7MofvUKEQolVgkGwp8u68t/RAAwDpUdqIajzi -yfp9qSDD+9uMeyiLa4rrAr2ATGohNBa0qha95slgvSepXbYKuHG5b4fWMsG7z4Uc -dqE2vK8cQma1nsAeQBaq2/89294TOHEzKyspesfCBCnKQ3q+l9xelYRdvapj1CH/ -cfUZf2/6X3VHN1P88RfRrPubswmrcOCEBT41upa2WKRDJ1GS6YhL6LJnrZSTjfe+ -KsfNVS1D+KqSKiK0hfk6YK6O88mMGeAKQs3Ap8WthBLf0QIDAQABo4IBGjCCARYw -DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUPU1Az5OFOQJLHPxaEt7f6LF+dV8w -gdMGA1UdIwSByzCByIAUPU1Az5OFOQJLHPxaEt7f6LF+dV+hgaykgakwgaYxLTAr -BgNVBAMMJFNVU0UgTGludXggRW50ZXJwcmlzZSBTZWN1cmUgQm9vdCBDQTELMAkG -A1UEBhMCREUxEjAQBgNVBAcMCU51cmVtYmVyZzEhMB8GA1UECgwYU1VTRSBMaW51 -eCBQcm9kdWN0cyBHbWJIMRMwEQYDVQQLDApCdWlsZCBUZWFtMRwwGgYJKoZIhvcN -AQkBFg1idWlsZEBzdXNlLmRlggEBMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B -AQsFAAOCAgEANtdMT47CjQtuERYa5jfygIO5F+urB4fl8pYcQQ/hTPE0KtAnAtrS -1strtMrVQ1t7Wu3fVbWYA6MZMXXkcwyyNbaWfj6roaSC6G5ZqCJ69oSyzaCbyaTI -eOgzIIiVGOAj7tiM6T88Xp9qx4Xa3F6UQHF6xfwBT3nNKerGKOG01p7mBfBewwO5 -Hxp7OAZmennUxV1uuT5/AsArxw9lMlawXhIAS7tRYHW+32D4tjHPDycldOw1hBjt -z5JdehBiTmxhJ6onl0HSpsX84IMSbkeFIxLfxIF0TNas1pGnSGmh8FcV+ck9js3P -yamJcNkgCstIwo3QZ2D5YdtQjOusyEuGjCIpDIQx36OMzeOo0SayOdzb2dSmcrHv -4DIkXDUELyIzu79A2R2KR7OQaGL6HGAVy6+yXHHygTbbUrb6ck2+aOG8913ChABc -ZAiSFFRKVZzzj7FeIxZNA8GBUbhd20eQB2fUXDypeAnTG6P3dtTs84xNb1qGm3VC -OAKjkWYQijLWmAOs9Q4NM/AXOeDTgXxA7iX7kWHRNeDbACirp7zM2ZOIP5ObIS6z -yMqcG9DecSVbXiH3MJDTBoB1idQTTyreqpM/l6N8xNNVjEiLJGMEM1SeYq6S1lFV -a+GcdOaLYkh7ya3I42l/tDOqH2OLIf7FEtocnc1xU6jTz8au1tZxec8= +CQEWDWJ1aWxkQHN1c2UuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB +AQDN/avXKoT4gcM2NVA1LMfsBPH01sxgS8gTs3SbvfbEP2M+ZlHyfj9ufHZ7cZ1p +ISoVm6ql5VbIeZgSNc17Y4y4Nynud1C8t2SP/iZK5YMYHGxdtIfv1zPE+Bo/KZqE +WgHg2YFtMXdiKfXBZRTfSh37t0pGO/OQi6K4JioKw55UtQNggePZWDXtsAviT2vv +abqLR9+kxdrQ0iWqhWM+LwXbTGkCpg41s8KucLD/JYAxxw05dKPApFDNnz+Ft2L7 +e5JtyB4S0u4PlvQBMNHt4hDs0rK4oeHFLbOxHvjF+nloneWhkg9eT0VCfpAYVYz+ +whMxuCHerDCdmeFrRGEMQz11AgMBAAGjggEaMIIBFjAPBgNVHRMBAf8EBTADAQH/ +MB0GA1UdDgQWBBTsqw1CxFbPdwQ2uXOZOGKWXocmLzCB0wYDVR0jBIHLMIHIgBTs +qw1CxFbPdwQ2uXOZOGKWXocmL6GBrKSBqTCBpjEtMCsGA1UEAwwkU1VTRSBMaW51 +eCBFbnRlcnByaXNlIFNlY3VyZSBCb290IENBMQswCQYDVQQGEwJERTESMBAGA1UE +BwwJTnVyZW1iZXJnMSEwHwYDVQQKDBhTVVNFIExpbnV4IFByb2R1Y3RzIEdtYkgx +EzARBgNVBAsMCkJ1aWxkIFRlYW0xHDAaBgkqhkiG9w0BCQEWDWJ1aWxkQHN1c2Uu +ZGWCAQEwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQASviyFhVqU +Wc1JUQgXwdljJynTnp0/FQOZJBSe7XdBGPmy91+3ITqrXgyqo/218KISiQl53Qlw +pq+cIiGRAia1D7p7wbg7wsg+Trt0zZFXes30wfYq5pjfWadEBAgNCffkBz10TSjL +jQrVwW5N+yUJMoq+r843TzV56Huy6LBOVhI5yTz7X7i2rSJYfyQWM8oeHLj8Yl5M +rOB9gyTumxB4mOLmSqwKzJiUB0ppGPohdLUSSEKDdo6KSH/GjR7M7uBicwnzwJD3 +SVfT9nx9HKF2nXZlHvs5ViQQru3qP1tc6i0eXEnPTYW2+zkZcN0e5iHyozEZHsO0 +rvc1p6G0YWtO -----END CERTIFICATE----- ++++++ attach_signature.sh ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -11,13 +11,4 @@ outfile="${infile%.efi}-signed.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -m "$sig" -i "$infile" -o "$outfile" +pesign -m "$sig" -i "$infile" -o "$outfile" ++++++ extract_signature.sh ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -9,16 +9,7 @@ exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - # wtf? -(pesign -n "$nssdir" -h -P -i "$infile"; +(pesign -h -P -i "$infile"; perl $(dirname $0)/timestamp.pl "$infile"; -pesign -n "$nssdir" -a -f -e /dev/stdout -i "$infile")|cat +pesign -a -f -e /dev/stdout -i "$infile")|cat ++++++ shim-bnc863205-mokmanager-fix-hash-delete.patch ++++++ >From 23cdee7b62fc62cd988d74b2180014595da9e4c5 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Thu, 13 Feb 2014 15:05:45 +0800 Subject: [PATCH 1/2] MokManager: calculate the variable size correctly MokSize of the hash signature list includes the owner GUID, so we should not add the 16bytes compensation. Signed-off-by: Gary Ching-Pang Lin <g...@suse.com> --- MokManager.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) Index: shim-0.7/MokManager.c =================================================================== --- shim-0.7.orig/MokManager.c +++ shim-0.7/MokManager.c @@ -940,7 +940,9 @@ static EFI_STATUS write_back_mok_list (M if (list[i].Mok == NULL) continue; - DataSize += sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_GUID); + DataSize += sizeof(EFI_SIGNATURE_LIST); + if (CompareGuid(&(list[i].Type), &CertType) == 0) + DataSize += sizeof(EFI_GUID); DataSize += list[i].MokSize; } @@ -1046,6 +1048,7 @@ static void delete_hash_in_list (UINT8 * { EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINT32 sig_size; + UINT32 list_num; int i, del_ind; void *start, *end; UINT32 remain; @@ -1057,8 +1060,10 @@ static void delete_hash_in_list (UINT8 * (mok[i].MokSize < sig_size)) continue; + list_num = mok[i].MokSize / sig_size; + del_ind = match_hash(hash, hash_size, 0, mok[i].Mok, - mok[i].MokSize); + list_num); while (del_ind >= 0) { /* Remove the hash */ if (sig_size == mok[i].MokSize) { @@ -1073,9 +1078,10 @@ static void delete_hash_in_list (UINT8 * mem_move(start, end, remain); mok[i].MokSize -= sig_size; + list_num--; del_ind = match_hash(hash, hash_size, del_ind, - mok[i].Mok, mok[i].MokSize); + mok[i].Mok, list_num); } } } ++++++ shim-install ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -4,14 +4,19 @@ bootdir= efidir= install_device= +efibootdir= +ca_string= removable=no clean=no sysconfdir="/etc" libdir="/usr/lib64" source_dir="$libdir/efi" grub_probe="`which grub2-probe`" +grub_mkrelpath="`which grub2-mkrelpath`" +grub_install="`which grub2-install`" self="`basename $0`" grub_cfg="/boot/grub2/grub.cfg" +update_boot=no # Get GRUB_DISTRIBUTOR. if test -f "${sysconfdir}/default/grub" ; then @@ -26,6 +31,14 @@ efi_distributor="$bootloader_id" bootloader_id="${bootloader_id}-secureboot" +case "$bootloader_id" in + "sle"*) + ca_string='SUSE Linux Enterprise Secure Boot CA1';; + "opensuse"*) + ca_string='openSUSE Secure Boot CA1';; + *) ca_string="";; +esac + usage () { echo "Usage: $self [OPTION] [INSTALL_DEVICE]" echo @@ -169,18 +182,32 @@ if test -n "$efidir"; then efi_file=shim.efi + efibootdir="$efidir/EFI/boot" + mkdir -p "$efibootdir" || exit 1 efidir="$efidir/EFI/$efi_distributor" mkdir -p "$efidir" || exit 1 else exit 1; fi +if test -f "$efibootdir/bootx64.efi"; then + if test -n "$ca_string" && (grep -q "$ca_string" "$efibootdir/bootx64.efi"); then + update_boot=yes + fi +else + update_boot=yes +fi + if test "$clean" = "yes"; then rm -f "${efidir}/shim.efi" rm -f "${efidir}/MokManager.efi" rm -f "${efidir}/grub.efi" rm -f "${efidir}/grub.cfg" rm -f "${efidir}/boot.csv" + if test "$update_boot" = "yes"; then + rm -f "${efibootdir}/bootx64.efi" + rm -f "${efibootdir}/fallback.efi" + fi efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then # Delete old entries from the same distributor. @@ -196,17 +223,38 @@ cp "${source_dir}/MokManager.efi" "${efidir}" cp "${source_dir}/grub.efi" "${efidir}" echo "shim.efi,${bootloader_id}" | iconv -f ascii -t ucs2 > "${efidir}/boot.csv" +if test "$update_boot" = "yes"; then + cp "${source_dir}/shim.efi" "${efibootdir}/bootx64.efi" + cp "${source_dir}/fallback.efi" "${efibootdir}" +fi + + +make_grubcfg () { grub_cfg_dirname=`dirname $grub_cfg` grub_cfg_basename=`basename $grub_cfg` cfg_fs_uuid=`"$grub_probe" --target=fs_uuid "$grub_cfg_dirname"` -(cat << EOF +if test "x$SUSE_BTRFS_SNAPSHOT_BOOTING" = "xtrue"; then +cat <<EOF +set btrfs_relative_path="yes" +EOF +if ${grub_mkrelpath} --usage | grep -q -e '--relative'; then + grub_mkrelpath="${grub_mkrelpath} -r" +fi +fi +cat <<EOF search --fs-uuid --set=root ${cfg_fs_uuid} -set prefix=(\${root})${grub_cfg_dirname} +set prefix=(\${root})`${grub_mkrelpath} ${grub_cfg_dirname}` +configfile \$prefix/${grub_cfg_basename} EOF -echo "configfile \$prefix/${grub_cfg_basename}") \ -> "${efidir}/grub.cfg" + +} + +make_grubcfg > "${efidir}/grub.cfg" +# bnc#889765 GRUB shows broken letters at boot +# invoke grub_install to initialize /boot/grub2 directory with files needed by grub.cfg +${grub_install} --no-nvram efibootmgr="`which efibootmgr`" if test "$removable" = no && test -n "$bootloader_id" && test -n "$efibootmgr"; then ++++++ shim-mokmanager-support-sha-family.patch ++++++ >From f110c89b169505156741ee4ce4b0952e899ed0d8 Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Thu, 3 Apr 2014 18:26:37 +0800 Subject: [PATCH 1/5] MokManager: Support SHA1 hash in MOK Add SHA1 hash support and amend the code to make it easier to support other SHA digests. --- MokManager.c | 121 ++++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 75 insertions(+), 46 deletions(-) Index: shim-0.7/MokManager.c =================================================================== --- shim-0.7.orig/MokManager.c +++ shim-0.7/MokManager.c @@ -25,6 +25,9 @@ #define EFI_VARIABLE_APPEND_WRITE 0x00000040 EFI_GUID SHIM_LOCK_GUID = { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }; +EFI_GUID EFI_CERT_SHA224_GUID = { 0xb6e5233, 0xa65c, 0x44c9, {0x94, 0x7, 0xd9, 0xab, 0x83, 0xbf, 0xc8, 0xbd} }; +EFI_GUID EFI_CERT_SHA384_GUID = { 0xff3e5307, 0x9fd0, 0x48c9, {0x85, 0xf1, 0x8a, 0xd5, 0x6c, 0x70, 0x1e, 0x1} }; +EFI_GUID EFI_CERT_SHA512_GUID = { 0x93e0fae, 0xa6c4, 0x4f50, {0x9f, 0x1b, 0xd4, 0x1e, 0x2b, 0x89, 0xc1, 0x9a} }; #define CERT_STRING L"Select an X509 certificate to enroll:\n\n" #define HASH_STRING L"Select a file to trust:\n\n" @@ -93,31 +96,84 @@ done: return status; } +static BOOLEAN is_sha_hash (EFI_GUID Type) +{ + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; + EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; + EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; + EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; + + if (CompareGuid(&Type, &Sha1) == 0) + return TRUE; + else if (CompareGuid(&Type, &Sha224) == 0) + return TRUE; + else if (CompareGuid(&Type, &Sha256) == 0) + return TRUE; + else if (CompareGuid(&Type, &Sha384) == 0) + return TRUE; + else if (CompareGuid(&Type, &Sha512) == 0) + return TRUE; + + return FALSE; +} + +static UINT32 sha_size (EFI_GUID Type) +{ + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; + EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; + EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; + EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; + + if (CompareGuid(&Type, &Sha1) == 0) + return SHA1_DIGEST_SIZE; + else if (CompareGuid(&Type, &Sha224) == 0) + return SHA224_DIGEST_LENGTH; + else if (CompareGuid(&Type, &Sha256) == 0) + return SHA256_DIGEST_SIZE; + else if (CompareGuid(&Type, &Sha384) == 0) + return SHA384_DIGEST_LENGTH; + else if (CompareGuid(&Type, &Sha512) == 0) + return SHA512_DIGEST_LENGTH; + + return 0; +} + +static BOOLEAN is_valid_siglist (EFI_GUID Type, UINT32 SigSize) +{ + EFI_GUID CertType = X509_GUID; + UINT32 hash_sig_size; + + if (CompareGuid (&Type, &CertType) == 0 && SigSize != 0) + return TRUE; + + if (!is_sha_hash (Type)) + return FALSE; + + hash_sig_size = sha_size (Type) + sizeof(EFI_GUID); + if (SigSize != hash_sig_size) + return FALSE; + + return TRUE; +} + static UINT32 count_keys(void *Data, UINTN DataSize) { EFI_SIGNATURE_LIST *CertList = Data; - EFI_GUID CertType = X509_GUID; - EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINT32 MokNum = 0; while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && - (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { - console_notify(L"Doesn't look like a key or hash"); - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + - CertList->SignatureListSize); - continue; + if (CertList->SignatureListSize == 0 || + CertList->SignatureListSize <= CertList->SignatureSize) { + console_errorbox(L"Corrupted signature list"); + return 0; } - if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && - (CertList->SignatureSize != 48)) { - console_notify(L"Doesn't look like a valid hash"); - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *) ((UINT8 *) CertList + - CertList->SignatureListSize); - continue; + if (!is_valid_siglist(CertList->SignatureType, CertList->SignatureSize)) { + console_errorbox(L"Invalid signature list found"); + return 0; } MokNum++; @@ -134,7 +190,6 @@ static MokListNode *build_mok_list(UINT3 EFI_SIGNATURE_LIST *CertList = Data; EFI_SIGNATURE_DATA *Cert; EFI_GUID CertType = X509_GUID; - EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINTN dbsize = DataSize; UINTN count = 0; @@ -146,21 +201,8 @@ static MokListNode *build_mok_list(UINT3 } while ((dbsize > 0) && (dbsize >= CertList->SignatureListSize)) { - if ((CompareGuid (&CertList->SignatureType, &CertType) != 0) && - (CompareGuid (&CertList->SignatureType, &HashType) != 0)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + - CertList->SignatureListSize); - continue; - } - - if ((CompareGuid (&CertList->SignatureType, &HashType) == 0) && - (CertList->SignatureSize != 48)) { - dbsize -= CertList->SignatureListSize; - CertList = (EFI_SIGNATURE_LIST *)((UINT8 *) CertList + - CertList->SignatureListSize); - continue; - } + /* Omit the signature check here since we already did it + in count_keys() */ Cert = (EFI_SIGNATURE_DATA *) (((UINT8 *) CertList) + sizeof (EFI_SIGNATURE_LIST) + CertList->SignatureHeaderSize); @@ -380,22 +422,46 @@ static void show_x509_info (X509 *X509Ce FreePool(text); } -static void show_sha256_digest (UINT8 *hash) +static void show_sha_digest (EFI_GUID Type, UINT8 *hash) { + EFI_GUID Sha1 = EFI_CERT_SHA1_GUID; + EFI_GUID Sha224 = EFI_CERT_SHA224_GUID; + EFI_GUID Sha256 = EFI_CERT_SHA256_GUID; + EFI_GUID Sha384 = EFI_CERT_SHA384_GUID; + EFI_GUID Sha512 = EFI_CERT_SHA512_GUID; CHAR16 *text[5]; POOL_PRINT hash_string1; POOL_PRINT hash_string2; int i; + int length; + + if (CompareGuid(&Type, &Sha1) == 0) { + length = SHA1_DIGEST_SIZE; + text[0] = L"SHA1 hash"; + } else if (CompareGuid(&Type, &Sha224) == 0) { + length = SHA224_DIGEST_LENGTH; + text[0] = L"SHA224 hash"; + } else if (CompareGuid(&Type, &Sha256) == 0) { + length = SHA256_DIGEST_SIZE; + text[0] = L"SHA256 hash"; + } else if (CompareGuid(&Type, &Sha384) == 0) { + length = SHA384_DIGEST_LENGTH; + text[0] = L"SHA384 hash"; + } else if (CompareGuid(&Type, &Sha512) == 0) { + length = SHA512_DIGEST_LENGTH; + text[0] = L"SHA512 hash"; + } else { + return; + } ZeroMem(&hash_string1, sizeof(hash_string1)); ZeroMem(&hash_string2, sizeof(hash_string2)); - text[0] = L"SHA256 hash"; text[1] = L""; - for (i=0; i<16; i++) + for (i=0; i<length/2; i++) CatPrint(&hash_string1, L"%02x ", hash[i]); - for (i=16; i<32; i++) + for (i=length/2; i<length; i++) CatPrint(&hash_string2, L"%02x ", hash[i]); text[2] = hash_string1.str; @@ -411,7 +477,7 @@ static void show_sha256_digest (UINT8 *h FreePool(hash_string2.str); } -static void show_efi_hash (void *Mok, UINTN MokSize) +static void show_efi_hash (EFI_GUID Type, void *Mok, UINTN MokSize) { UINTN sig_size; UINTN hash_num; @@ -420,7 +486,7 @@ static void show_efi_hash (void *Mok, UI int key_num = 0; int i; - sig_size = SHA256_DIGEST_SIZE + sizeof(EFI_GUID); + sig_size = sha_size(Type) + sizeof(EFI_GUID); if ((MokSize % sig_size) != 0) { console_errorbox(L"Corrupted Hash List"); return; @@ -429,7 +495,7 @@ static void show_efi_hash (void *Mok, UI if (hash_num == 1) { hash = (UINT8 *)Mok + sizeof(EFI_GUID); - show_sha256_digest(hash); + show_sha_digest(Type, hash); return; } @@ -452,7 +518,7 @@ static void show_efi_hash (void *Mok, UI break; hash = (UINT8 *)Mok + sig_size*key_num + sizeof(EFI_GUID); - show_sha256_digest(hash); + show_sha_digest(Type, hash); } for (i=0; menu_strings[i] != NULL; i++) @@ -467,7 +533,6 @@ static void show_mok_info (EFI_GUID Type UINT8 hash[SHA1_DIGEST_SIZE]; X509 *X509Cert; EFI_GUID CertType = X509_GUID; - EFI_GUID HashType = EFI_CERT_SHA256_GUID; if (!Mok || MokSize == 0) return; @@ -488,8 +553,8 @@ static void show_mok_info (EFI_GUID Type console_notify(L"Not a valid X509 certificate"); return; } - } else if (CompareGuid (&Type, &HashType) == 0) { - show_efi_hash(Mok, MokSize); + } else if (is_sha_hash(Type)) { + show_efi_hash(Type, Mok, MokSize); } } @@ -504,15 +569,18 @@ static EFI_STATUS list_keys (void *KeyLi if (KeyListSize < (sizeof(EFI_SIGNATURE_LIST) + sizeof(EFI_SIGNATURE_DATA))) { console_notify(L"No MOK keys found"); - return 0; + return EFI_NOT_FOUND; } MokNum = count_keys(KeyList, KeyListSize); + if (MokNum == 0) { + console_errorbox(L"Invalid key list"); + return EFI_ABORTED; + } keys = build_mok_list(MokNum, KeyList, KeyListSize); - if (!keys) { - console_notify(L"Failed to construct key list"); - return 0; + console_errorbox(L"Failed to construct key list"); + return EFI_ABORTED; } menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (MokNum + 2)); @@ -837,7 +905,7 @@ static EFI_STATUS store_keys (void *MokN return EFI_SUCCESS; } -static UINTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, +static INTN mok_enrollment_prompt (void *MokNew, UINTN MokNewSize, int auth, BOOLEAN MokX) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; @@ -974,7 +1042,7 @@ static EFI_STATUS write_back_mok_list (M } else { CertList->SignatureListSize = list[i].MokSize + sizeof(EFI_SIGNATURE_LIST); - CertList->SignatureSize = SHA256_DIGEST_SIZE + sizeof(EFI_GUID); + CertList->SignatureSize = sha_size(list[i].Type) + sizeof(EFI_GUID); CopyMem(CertData, list[i].Mok, list[i].MokSize); } @@ -1043,10 +1111,9 @@ static void mem_move (void *dest, void * d[i] = s[i]; } -static void delete_hash_in_list (UINT8 *hash, UINT32 hash_size, +static void delete_hash_in_list (EFI_GUID Type, UINT8 *hash, UINT32 hash_size, MokListNode *mok, INTN mok_num) { - EFI_GUID HashType = EFI_CERT_SHA256_GUID; UINT32 sig_size; UINT32 list_num; int i, del_ind; @@ -1056,7 +1123,7 @@ static void delete_hash_in_list (UINT8 * sig_size = hash_size + sizeof(EFI_GUID); for (i = 0; i < mok_num; i++) { - if ((CompareGuid(&(mok[i].Type), &HashType) != 0) || + if ((CompareGuid(&(mok[i].Type), &Type) != 0) || (mok[i].MokSize < sig_size)) continue; @@ -1086,7 +1153,7 @@ static void delete_hash_in_list (UINT8 * } } -static void delete_hash_list (void *hash_list, UINT32 list_size, +static void delete_hash_list (EFI_GUID Type, void *hash_list, UINT32 list_size, MokListNode *mok, INTN mok_num) { UINT32 hash_size; @@ -1095,7 +1162,7 @@ static void delete_hash_list (void *hash UINT8 *hash; int i; - hash_size = SHA256_DIGEST_SIZE; + hash_size = sha_size (Type); sig_size = hash_size + sizeof(EFI_GUID); if (list_size < sig_size) return; @@ -1105,7 +1172,7 @@ static void delete_hash_list (void *hash hash = hash_list + sizeof(EFI_GUID); for (i = 0; i < hash_num; i++) { - delete_hash_in_list (hash, hash_size, mok, mok_num); + delete_hash_in_list (Type, hash, hash_size, mok, mok_num); hash += sig_size; } } @@ -1114,7 +1181,6 @@ static EFI_STATUS delete_keys (void *Mok { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_GUID CertType = X509_GUID; - EFI_GUID HashType = EFI_CERT_SHA256_GUID; EFI_STATUS efi_status; CHAR16 *db_name; CHAR16 *auth_name; @@ -1161,7 +1227,13 @@ static EFI_STATUS delete_keys (void *Mok efi_status = get_variable_attr (db_name, &MokListData, &MokListDataSize, shim_lock_guid, &attributes); - if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { + if (efi_status != EFI_SUCCESS) { + if (MokX) + console_errorbox(L"Failed to retrieve MokListX"); + else + console_errorbox(L"Failed to retrieve MokList"); + return EFI_ABORTED; + } else if (attributes & EFI_VARIABLE_RUNTIME_ACCESS) { if (MokX) { err_str1 = L"MokListX is compromised!"; err_str2 = L"Erase all keys in MokListX!"; @@ -1170,7 +1242,11 @@ static EFI_STATUS delete_keys (void *Mok err_str2 = L"Erase all keys in MokList!"; } console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); - LibDeleteVariable(db_name, &shim_lock_guid); + uefi_call_wrapper(RT->SetVariable, 5, db_name, + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); return EFI_ACCESS_DENIED; } @@ -1180,23 +1256,56 @@ static EFI_STATUS delete_keys (void *Mok /* Construct lists */ mok_num = count_keys(MokListData, MokListDataSize); + if (mok_num == 0) { + if (MokX) { + err_str1 = L"Failed to construct the key list of MokListX"; + err_str2 = L"Reset MokListX!"; + } else { + err_str1 = L"Failed to construct the key list of MokList"; + err_str2 = L"Reset MokList!"; + } + console_alertbox((CHAR16 *[]){err_str1, err_str2, NULL}); + uefi_call_wrapper(RT->SetVariable, 5, db_name, + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + 0, NULL); + efi_status = EFI_ABORTED; + goto error; + } mok = build_mok_list(mok_num, MokListData, MokListDataSize); + if (!mok) { + console_errorbox(L"Failed to construct key list"); + efi_status = EFI_ABORTED; + goto error; + } del_num = count_keys(MokDel, MokDelSize); + if (del_num == 0) { + console_errorbox(L"Invalid key delete list"); + efi_status = EFI_ABORTED; + goto error; + } del_key = build_mok_list(del_num, MokDel, MokDelSize); + if (!del_key) { + console_errorbox(L"Failed to construct key list"); + efi_status = EFI_ABORTED; + goto error; + } /* Search and destroy */ for (i = 0; i < del_num; i++) { if (CompareGuid(&(del_key[i].Type), &CertType) == 0) { delete_cert(del_key[i].Mok, del_key[i].MokSize, mok, mok_num); - } else if (CompareGuid(&(del_key[i].Type), &HashType) == 0) { - delete_hash_list(del_key[i].Mok, del_key[i].MokSize, - mok, mok_num); + } else if (is_sha_hash(del_key[i].Type)) { + delete_hash_list(del_key[i].Type, del_key[i].Mok, + del_key[i].MokSize, mok, mok_num); } } efi_status = write_back_mok_list(mok, mok_num, MokX); +error: if (MokListData) FreePool(MokListData); if (mok) ++++++ shim-mokx-support.patch ++++++ ++++ 1359 lines (skipped) ++++ between /work/SRC/openSUSE:Factory/shim/shim-mokx-support.patch ++++ and /work/SRC/openSUSE:Factory/.shim.new/shim-mokx-support.patch ++++++ shim-only-os-name.patch ++++++ Index: shim-0.7/Makefile =================================================================== --- shim-0.7.orig/Makefile +++ shim-0.7/Makefile @@ -67,7 +67,7 @@ shim_cert.h: shim.cer version.c : version.c.in sed -e "s,@@VERSION@@,$(VERSION)," \ - -e "s,@@UNAME@@,$(shell uname -a)," \ + -e "s,@@UNAME@@,$(shell uname -o)," \ -e "s,@@COMMIT@@,$(shell if [ -d .git ] ; then git log -1 --pretty=format:%H ; elif [ -f commit ]; then cat commit ; else echo commit id not available; fi)," \ < version.c.in > version.c ++++++ shim-opensuse-cert-prompt.patch ++++++ >From b13d18d4069032ccf6c885774e9eada6a1d80ddd Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin <g...@suse.com> Date: Tue, 18 Feb 2014 17:29:19 +0800 Subject: [PATCH 1/3] Show the build-in certificate prompt This is an openSUSE-only patch. Pop up a window to ask if the user is willing to trust the built-in openSUSE certificate. If yes, set openSUSE_Verify, a BootService variable, to 1, and shim won't bother the user afterward. If no, continue the booting process without using the built-in certificate to verify the EFI images, and the window will show up again after reboot. The state will store in use_openSUSE_cert, a volatile RT variable. --- shim.c | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 97 insertions(+), 19 deletions(-) Index: shim-0.7/shim.c =================================================================== --- shim-0.7.orig/shim.c +++ shim-0.7/shim.c @@ -90,6 +90,7 @@ UINT8 *vendor_dbx; */ verification_method_t verification_method; int loader_is_participating; +BOOLEAN use_builtin_cert; #define EFI_IMAGE_SECURITY_DATABASE_GUID { 0xd719b2cb, 0x3d3a, 0x4596, { 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f }} @@ -817,7 +818,7 @@ static EFI_STATUS verify_buffer (char *d if (status == EFI_SUCCESS) return status; - if (cert) { + if (cert && use_builtin_cert) { /* * Check against the shim build key */ @@ -1523,11 +1524,14 @@ EFI_STATUS mirror_mok_list() if (efi_status != EFI_SUCCESS) DataSize = 0; - FullDataSize = DataSize - + sizeof (*CertList) - + sizeof (EFI_GUID) - + vendor_cert_size - ; + FullDataSize = DataSize; + if (use_builtin_cert) { + FullDataSize += sizeof (*CertList) + + sizeof (EFI_GUID) + + vendor_cert_size; + } else if (DataSize == 0) { + return EFI_SUCCESS; + } FullData = AllocatePool(FullDataSize); if (!FullData) { perror(L"Failed to allocate space for MokListRT\n"); @@ -1539,21 +1543,24 @@ EFI_STATUS mirror_mok_list() CopyMem(p, Data, DataSize); p += DataSize; } - CertList = (EFI_SIGNATURE_LIST *)p; - p += sizeof (*CertList); - CertData = (EFI_SIGNATURE_DATA *)p; - p += sizeof (EFI_GUID); - - CertList->SignatureType = EFI_CERT_X509_GUID; - CertList->SignatureListSize = vendor_cert_size - + sizeof (*CertList) - + sizeof (*CertData) - -1; - CertList->SignatureHeaderSize = 0; - CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); - CertData->SignatureOwner = SHIM_LOCK_GUID; - CopyMem(p, vendor_cert, vendor_cert_size); + if (use_builtin_cert) { + CertList = (EFI_SIGNATURE_LIST *)p; + p += sizeof (*CertList); + CertData = (EFI_SIGNATURE_DATA *)p; + p += sizeof (EFI_GUID); + + CertList->SignatureType = EFI_CERT_X509_GUID; + CertList->SignatureListSize = vendor_cert_size + + sizeof (*CertList) + + sizeof (*CertData) + -1; + CertList->SignatureHeaderSize = 0; + CertList->SignatureSize = vendor_cert_size + sizeof (EFI_GUID); + + CertData->SignatureOwner = SHIM_LOCK_GUID; + CopyMem(p, vendor_cert, vendor_cert_size); + } efi_status = uefi_call_wrapper(RT->SetVariable, 5, L"MokListRT", &shim_lock_guid, @@ -1600,7 +1607,7 @@ EFI_STATUS check_mok_request(EFI_HANDLE check_var(L"MokPW") || check_var(L"MokAuth") || check_var(L"MokDel") || check_var(L"MokDB") || check_var(L"MokXNew") || check_var(L"MokXDel") || - check_var(L"MokXAuth")) { + check_var(L"MokXAuth") || check_var(L"ClearVerify")) { efi_status = start_image(image_handle, MOK_MANAGER); if (efi_status != EFI_SUCCESS) { @@ -1840,6 +1847,75 @@ uninstall_shim_protocols(void) &shim_lock_guid, &shim_lock_interface); } +#define VENDOR_VERIFY L"openSUSE_Verify" + +/* Show the built-in certificate prompt if necessary */ +static int builtin_cert_prompt(void) +{ + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status; + UINT32 attributes; + UINTN len = sizeof(UINT8); + UINT8 data; + + use_builtin_cert = FALSE; + + if (vendor_cert_size == 0) + return 0; + + status = uefi_call_wrapper(RT->GetVariable, 5, VENDOR_VERIFY, + &shim_lock_guid, &attributes, + &len, &data); + if (status != EFI_SUCCESS || + (attributes & EFI_VARIABLE_RUNTIME_ACCESS)) { + int choice; + + if (status != EFI_NOT_FOUND) + LibDeleteVariable(VENDOR_VERIFY, &shim_lock_guid); + + CHAR16 *str[] = {L"Trust openSUSE Certificate", + L"", + L"Do you agree to use the built-in openSUSE certificate", + L"to verify boot loaders and kernels?", + NULL}; + choice = console_yes_no(str); + if (choice != 1) { + data = 0; + goto done; + } + + data = 1; + status = uefi_call_wrapper(RT->SetVariable, 5, + VENDOR_VERIFY, + &shim_lock_guid, + EFI_VARIABLE_NON_VOLATILE | + EFI_VARIABLE_BOOTSERVICE_ACCESS, + sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set openSUSE_Verify", status); + return -1; + } + } + + use_builtin_cert = TRUE; + data = 1; + +done: + /* Setup a runtime variable to show the current state */ + status = uefi_call_wrapper(RT->SetVariable, 5, + L"use_openSUSE_cert", + &shim_lock_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | + EFI_VARIABLE_RUNTIME_ACCESS, + sizeof(UINT8), &data); + if (status != EFI_SUCCESS) { + console_error(L"Failed to set use_openSUSE_cert", status); + return -1; + } + + return 0; +} + EFI_STATUS efi_main (EFI_HANDLE image_handle, EFI_SYSTEM_TABLE *passed_systab) { EFI_STATUS efi_status; @@ -1895,6 +1971,8 @@ EFI_STATUS efi_main (EFI_HANDLE image_ha */ hook_system_services(systab); loader_is_participating = 0; + if (builtin_cert_prompt() != 0) + return EFI_ABORTED; } } Index: shim-0.7/MokManager.c =================================================================== --- shim-0.7.orig/MokManager.c +++ shim-0.7/MokManager.c @@ -1701,6 +1701,36 @@ static INTN mok_pw_prompt (void *MokPW, return -1; } +static INTN mok_clear_verify_prompt(void *ClearVerify, UINTN ClearVerifySize) { + EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; + EFI_STATUS status; + + if (console_yes_no((CHAR16 *[]){L"Do you want to revoke openSUSE certificate?", NULL}) != 1) + return 0; + + if (ClearVerifySize == PASSWORD_CRYPT_SIZE) { + status = match_password((PASSWORD_CRYPT *)ClearVerify, NULL, 0, + NULL, NULL); + } + if (status != EFI_SUCCESS) + return -1; + + status = uefi_call_wrapper(RT->SetVariable, 5, + L"openSUSE_Verify", &shim_lock_guid, + EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_NON_VOLATILE, + 0, NULL); + if (status != EFI_SUCCESS) { + console_error(L"Failed to delete openSUSE_Verify", status); + return -1; + } + + console_notify(L"The system must now be rebooted"); + uefi_call_wrapper(RT->ResetSystem, 4, EfiResetWarm, + EFI_SUCCESS, 0, NULL); + console_notify(L"Failed to reboot"); + return -1; +} + static BOOLEAN verify_certificate(UINT8 *cert, UINTN size) { X509 *X509Cert; @@ -2053,6 +2083,7 @@ typedef enum { MOK_CHANGE_SB, MOK_SET_PW, MOK_CHANGE_DB, + MOK_CLEAR_VERIFY, MOK_KEY_ENROLL, MOK_HASH_ENROLL } mok_menu_item; @@ -2064,7 +2095,8 @@ static EFI_STATUS enter_mok_menu(EFI_HAN void *MokPW, UINTN MokPWSize, void *MokDB, UINTN MokDBSize, void *MokXNew, UINTN MokXNewSize, - void *MokXDel, UINTN MokXDelSize) + void *MokXDel, UINTN MokXDelSize, + void *ClearVerify, UINTN ClearVerifySize) { CHAR16 **menu_strings; mok_menu_item *menu_item; @@ -2138,6 +2170,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN if (MokDB) menucount++; + if (ClearVerify) + menucount++; + menu_strings = AllocateZeroPool(sizeof(CHAR16 *) * (menucount + 1)); if (!menu_strings) @@ -2207,6 +2242,12 @@ static EFI_STATUS enter_mok_menu(EFI_HAN i++; } + if (ClearVerify) { + menu_strings[i] = L"Revoke openSUSE certificate"; + menu_item[i] = MOK_CLEAR_VERIFY; + i++; + } + menu_strings[i] = L"Enroll key from disk"; menu_item[i] = MOK_KEY_ENROLL; i++; @@ -2257,6 +2298,9 @@ static EFI_STATUS enter_mok_menu(EFI_HAN case MOK_CHANGE_DB: mok_db_prompt(MokDB, MokDBSize); break; + case MOK_CLEAR_VERIFY: + mok_clear_verify_prompt(ClearVerify, ClearVerifySize); + break; case MOK_KEY_ENROLL: mok_key_enroll(); break; @@ -2282,6 +2326,7 @@ static EFI_STATUS check_mok_request(EFI_ EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; UINTN MokNewSize = 0, MokDelSize = 0, MokSBSize = 0, MokPWSize = 0; UINTN MokDBSize = 0, MokXNewSize = 0, MokXDelSize = 0; + UINTN ClearVerifySize = 0; void *MokNew = NULL; void *MokDel = NULL; void *MokSB = NULL; @@ -2289,6 +2334,7 @@ static EFI_STATUS check_mok_request(EFI_ void *MokDB = NULL; void *MokXNew = NULL; void *MokXDel = NULL; + void *ClearVerify = NULL; EFI_STATUS status; status = get_variable(L"MokNew", (UINT8 **)&MokNew, &MokNewSize, @@ -2361,9 +2407,20 @@ static EFI_STATUS check_mok_request(EFI_ console_error(L"Could not retrieve MokXDel", status); } + status = get_variable(L"ClearVerify", (UINT8 **)&ClearVerify, &ClearVerifySize, + shim_lock_guid); + if (status == EFI_SUCCESS) { + if (LibDeleteVariable(L"ClearVerify", &shim_lock_guid) != EFI_SUCCESS) { + console_notify(L"Failed to delete ClearVerify"); + } + } else if (EFI_ERROR(status) && status != EFI_NOT_FOUND) { + console_error(L"Could not retrieve ClearVerify", status); + } + enter_mok_menu(image_handle, MokNew, MokNewSize, MokDel, MokDelSize, MokSB, MokSBSize, MokPW, MokPWSize, MokDB, MokDBSize, - MokXNew, MokXNewSize, MokXDel, MokXDelSize); + MokXNew, MokXNewSize, MokXDel, MokXDelSize, + ClearVerify, ClearVerifySize); if (MokNew) FreePool (MokNew); @@ -2386,6 +2443,9 @@ static EFI_STATUS check_mok_request(EFI_ if (MokXDel) FreePool (MokXDel); + if (ClearVerify) + FreePool (ClearVerify); + LibDeleteVariable(L"MokAuth", &shim_lock_guid); LibDeleteVariable(L"MokDelAuth", &shim_lock_guid); LibDeleteVariable(L"MokXAuth", &shim_lock_guid); ++++++ shim-signed-unsigned-compares.patch ++++++ Index: shim-0.7/MokManager.c =================================================================== --- shim-0.7.orig/MokManager.c +++ shim-0.7/MokManager.c @@ -483,8 +483,8 @@ static void show_efi_hash (EFI_GUID Type UINTN hash_num; UINT8 *hash; CHAR16 **menu_strings; - int key_num = 0; - int i; + UINTN key_num = 0; + UINTN i; sig_size = sha_size(Type) + sizeof(EFI_GUID); if ((MokSize % sig_size) != 0) { @@ -562,7 +562,7 @@ static EFI_STATUS list_keys (void *KeyLi { UINT32 MokNum = 0; MokListNode *keys = NULL; - int key_num = 0; + UINT32 key_num = 0; CHAR16 **menu_strings; unsigned int i; @@ -1088,7 +1088,7 @@ static int match_hash (UINT8 *hash, UINT void *hash_list, UINT32 list_num) { UINT8 *ptr; - int i; + UINTN i; ptr = hash_list + sizeof(EFI_GUID); for (i = start; i < list_num; i++) { @@ -1103,7 +1103,7 @@ static int match_hash (UINT8 *hash, UINT static void mem_move (void *dest, void *src, UINTN size) { UINT8 *d, *s; - int i; + UINTN i; d = (UINT8 *)dest; s = (UINT8 *)src; @@ -1160,7 +1160,7 @@ static void delete_hash_list (EFI_GUID T UINT32 hash_num; UINT32 sig_size; UINT8 *hash; - int i; + UINT32 i; hash_size = sha_size (Type); sig_size = hash_size + sizeof(EFI_GUID); ++++++ show_hash.sh ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -9,13 +9,4 @@ exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -h -P -i "$infile" +pesign -h -P -i "$infile" ++++++ show_signatures.sh ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -9,13 +9,4 @@ exit 1 fi -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -S -i "$infile" +pesign -S -i "$infile" ++++++ signature-opensuse.asc ++++++ hash: bdd01126e9d85710d3fe75af1cc1702a29f081b4f6fdf6a2b2135c0297a9cec5 # 2069-04-10 06:07:54 timestamp: babababa checksum: ff45 -----BEGIN AUTHENTICODE SIGNATURE----- MIIh3AYJKoZIhvcNAQcCoIIhzTCCIckCAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB ZQMEAgEFAAQgvdARJunYVxDT/nWvHMFwKinwgbT2/faishNcApepzsWgggs8MIIF JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC 5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g 78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1 WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6 K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5 5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK 8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ 2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8 uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67 3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0 HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYTMIIW DwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ KoZIhvcNAQkEMSIEIKOfDrPjsHj5IpbLDH/emIN2ujjTNjWxi+JiBMeM1lejMIGk BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93 aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAThlP7UGIWeaL wSgeXtn8Whnj2NuB/+fBohdlEmuU4oOJsKt07jxVrzXWHO0/znARfCMhsqGnwQq6 IU45DSbqHiBsPS2bucCmygVJZjS+lYUY0o1OSiAOgkcOb3byqbOhFx+yU4jyi1I6 vZsetJf0VIB/50CUDWw/jgC29MS5uLKPbljn6Gav6BmWkbzR7g7e44QInagtQsEm kxI4FaHRkaKnkTtrJZ2htMCGJUEm83iyEaFB1jfwE+eSVilltwZeUiM8cm5jSIeZ CWyF2+bOgaOyIk47XVZWI0683wwf43yftlRMsuySQuD7Vk4sKsRM87Nl1SszQSqI murrQX0OHqGCEzUwghMxBgorBgEEAYI3AwMBMYITITCCEx0GCSqGSIb3DQEHAqCC Ew4wghMKAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE1BgsqhkiG9w0BCRABBKCCASQE ggEgMIIBHAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCBhVxDrnAE1 Odf8YYCrsCpxqlspu1YwtY7Xj0HNqt+MlgIGU8faFW37GBMyMDE0MDgwMjAwMjcx My4yMzVaMAcCAQGAAgH0oIGxpIGuMIGrMQswCQYDVQQGEwJVUzELMAkGA1UECBMC V0ExEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh dGlvbjENMAsGA1UECxMETU9QUjEnMCUGA1UECxMebkNpcGhlciBEU0UgRVNOOjMx QzUtMzBCQS03QzkxMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2 aWNloIIOwDCCBnEwggRZoAMCAQICCmEJgSoAAAAAAAIwDQYJKoZIhvcNAQELBQAw gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdS ZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNVBAMT KU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4XDTEw MDcwMTIxMzY1NVoXDTI1MDcwMTIxNDY1NVowfDELMAkGA1UEBhMCVVMxEzARBgNV BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv c29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAg UENBIDIwMTAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCpHQ28dxGK OiDs/BOX9fp/aZRrdFQQ1aUKAIKF++18aEssX8XD5WHCdrc+Zitb8BVTJwQxH0Eb GpUdzgkTjnxhMFmxMEQP8WCIhFRDDNdNuDgIs0Ldk6zWczBXJoKjRQ3Q6vVHgc2/ JGAyWGBG8lhHhjKEHnRhZ5FfgVSxz5NMksHEpl3RYRNuKMYa+YaAu99h/EbBJx0k ZxJyGiGKr0tkiVBisV39dx898Fd1rL2KQk1AUdEPnAY+Z3/1ZsADlkR+79BL/W7l msqxqPJ6Kgox8NpOBpG2iAg16HgcsOmZzTznL0S6p/TcZL2kAcEgCZN4zfy8wMlE XV4WnAEFTyJNAgMBAAGjggHmMIIB4jAQBgkrBgEEAYI3FQEEAwIBADAdBgNVHQ4E FgQU1WM6XIoxkPNDe3xGG8UzaFqFbVUwGQYJKwYBBAGCNxQCBAweCgBTAHUAYgBD AEEwCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU1fZW y4/oolxiaNE9lJBb186aGMQwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDovL2NybC5t aWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljUm9vQ2VyQXV0XzIwMTAt MDYtMjMuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0cDovL3d3 dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0y My5jcnQwgaAGA1UdIAEB/wSBlTCBkjCBjwYJKwYBBAGCNy4DMIGBMD0GCCsGAQUF BwIBFjFodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vUEtJL2RvY3MvQ1BTL2RlZmF1 bHQuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAFAAbwBsAGkAYwB5 AF8AUwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQAH5ohR DeLG4Jg/gXEDPZ2joSFvs+umzPUxvs8F4qn++ldtGTCzwsVmyWrf9efweL3HqJ4l 4/m87WtUVwgrUYJEEvu5U4zM9GASinbMQEBBm9xcF/9c+V4XNZgkVkt070IQyK+/ f8Z/8jd9Wj8c8pl5SpFSAK84Dxf1L3mBZdmptWvkx872ynoAb0swRCQiPM/tA6WW j1kpvLb9BOFwnzJKJ/1Vry/+tuWOM7tiX5rbV0Dp8c6ZZpCM/2pif93FSguRJuI5 7BlKcWOdeyFtw5yjojz6f32WapB4pm3S4Zz5Hfw42JT0xqUKloakvZ4argRCg7i1 gJsiOCC1JeVk7Pf0v35jWSUPei45V3aicaoGig+JFrphpxHLmtgOR5qAxdDNp9Dv fYPw4TtxCd9ddJgiCGHasFAeb73x4QDf5zEHpJM692VHeOj4qEir995yfmFrb3ep gcunCaw5u+zGy9iCtHLNHfS4hQEegPsbiSpUObJb2sgNVZl6h3M7COaYLeqN4DMu Ein1wC9UJyH3yKxO2ii4sanblrKnQqLJzxlBTeCG+SqaoxFmMNO7dDJL32N79ZmK LxvHIa9Zta7cRDyXUHHXodLFVeNp3lfB0d4wwP3M5k37Db9dT+mdHhk4L7zPWAUu 7w2gUDXa7wknHNWzfjUeCLraNtvTX4/edIhJEjCCBNIwggO6oAMCAQICEzMAAABP rehUlVAolGcAAAAAAE8wDQYJKoZIhvcNAQELBQAwfDELMAkGA1UEBhMCVVMxEzAR BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh bXAgUENBIDIwMTAwHhcNMTQwNTIzMTcyMDA4WhcNMTUwODIzMTcyMDA4WjCBqzEL MAkGA1UEBhMCVVMxCzAJBgNVBAgTAldBMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYD VQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIxJzAlBgNV BAsTHm5DaXBoZXIgRFNFIEVTTjozMUM1LTMwQkEtN0M5MTElMCMGA1UEAxMcTWlj cm9zb2Z0IFRpbWUtU3RhbXAgU2VydmljZTCCASIwDQYJKoZIhvcNAQEBBQADggEP ADCCAQoCggEBAKFVkneQwi1RLhVhgJoMVZY6JIU3jigasjbuZClciQzP0d0z9Ev8 mxS2T2+fdfVkWZWKQXeYmD5mejixNPhFpoQR0zWhpfNQe4XA7x4l8a48+P483uz3 7sMyBlYtYaQEnfBPmCqG/Wbr9cdH9QVx94F4NKVZFnSa/eEq3hDRLfqqiDmkRTN4 t+w8d3Yx41CVzx6TBgh6bE2km58m5YS/+54xLirgm44nHlmQCut58IGTZ6CArg/1 g1cqGrFbMUZC/mhSgCA4uFNSRctPc56zSTBbsM5vP6PqOW6J8VWJICxREyBqg2gV Qp7JhZmczo+DtG+W3QyjPO8Thwx+mo3iFnkCAwEAAaOCARswggEXMB0GA1UdDgQW BBQrpekQU9AS8xkbQCwKTRfMxEXJLjAfBgNVHSMEGDAWgBTVYzpcijGQ80N7fEYb xTNoWoVtVTBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5j b20vcGtpL2NybC9wcm9kdWN0cy9NaWNUaW1TdGFQQ0FfMjAxMC0wNy0wMS5jcmww WgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29m dC5jb20vcGtpL2NlcnRzL01pY1RpbVN0YVBDQV8yMDEwLTA3LTAxLmNydDAMBgNV HRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0GCSqGSIb3DQEBCwUAA4IB AQBhbgv5FjD4pzjfVhGhfk23Gom8Ip4kfRTobqi7up1JHBTWidiUVKwoszU9TPi+ PTuCNBDJgWuMIXNGcpXRTLTENDW9Maln6yp7zFUEtYGulWSFT9EGMLfjBTLoBl4M GxU8IDviiM6GuCy7vV0QbsNfeBZpo761j42sHJccu7LPTk8VD24W1diIEaCjePJW FRBKidTcAQRHki0xDK4xYbN9GFncfhXaMlQn4TN/mRx6YBTELjiP1RH3rdW9I/NX 0kXfCGth/BbVctp6rGRkK8NQaHkq9rXqt+C75sVwASx/JxMkXS1q+Rnwbilso9Rq LsiE9SszQjNKzc+rebhHpUELoYIDcTCCAlkCAQEwgduhgbGkga4wgasxCzAJBgNV BAYTAlVTMQswCQYDVQQIEwJXQTEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMV TWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5u Q2lwaGVyIERTRSBFU046MzFDNS0zMEJBLTdDOTExJTAjBgNVBAMTHE1pY3Jvc29m dCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoBATAJBgUrDgMCGgUAAxUAKLyR2kF+5obQ k1yVhHi3u5xWWaqggcIwgb+kgbwwgbkxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpX YXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQg Q29ycG9yYXRpb24xDTALBgNVBAsTBE1PUFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRT IEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkGA1UEAxMiTWljcm9zb2Z0IFRpbWUgU291 cmNlIE1hc3RlciBDbG9jazANBgkqhkiG9w0BAQUFAAIFANeGrl0wIhgPMjAxNDA4 MDIwMDI1MDFaGA8yMDE0MDgwMzAwMjUwMVowdzA9BgorBgEEAYRZCgQBMS8wLTAK AgUA14auXQIBADAKAgEAAgIJAAIB/zAHAgEAAgIYWjAKAgUA14f/3QIBADA2Bgor BgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZCgMBoAowCAIBAAIDFuNgoQowCAIBAAID B6EgMA0GCSqGSIb3DQEBBQUAA4IBAQCFCxo0b2hLnmf+xoh21SzjNvFsZm6WfCFc PlGAEgOqq1Dlp9KNsYik0tjif3xLKmMjM1sBE8JJ85c2iYDMm/y5PUyyM16zlojk q4zwcJEiPzEzBPzKqtgGRvJElVY37BuowRCgbRv5gi6eKGiHObCFf0ElAwGNJydf DDxy7BmNS5/kPk926NxynXs1kdqPdUmyZmh/3wtm0w9S6+NIzfCXLp0kxCP3kPVv kEHTiPUj/ogu4DVvkbECmJyZwtjhlsEcr+VxT2PYNdQX+89UdreCR0deUXY7Y6WS M1Zr7cVhFJAWjLPB8ciqG8WDmijJviFDp8e+7lrBCxZdRwXilBKiMYIC9TCCAvEC AQEwgZMwfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNV BAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQG A1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIwMTACEzMAAABPrehUlVAo lGcAAAAAAE8wDQYJYIZIAWUDBAIBBQCgggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG 9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg2Fdy/47bukVF9tAPO8fA4meI/cXYbmn7 z135MrP1QSowgeIGCyqGSIb3DQEJEAIMMYHSMIHPMIHMMIGxBBQovJHaQX7mhtCT XJWEeLe7nFZZqjCBmDCBgKR+MHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw AhMzAAAAT63oVJVQKJRnAAAAAABPMBYEFCYplGRrdF2iEXIxRDr2Yo/nmNd0MA0G CSqGSIb3DQEBCwUABIIBAIUNbJ8A82Vn/zft6B33oO5uQqRZcSD6zqqM3z7a/Tb2 VLnhWYmDjxsLesS8kXcSZKv5MBVBA01FQQaL6jEwkjRx/qYM8ly6qthXGsgN0WoE vXKnOPjJ40Iz03g/AlMHzs2lI9hYWw/iaArpzdiCgD0qeOt12K+HANTEm3azsDWr d7F/rUlHOQJxbCkxuMhpN8kFcV8qtgiVJ5jYna6AlOEDOL0E7Z15Tesid2ZjJn/5 /hrND9ZCeYcgROjy154VnT0a0zEWaiN6Rp8xqYYGSnLiXZAZPMtHNkXAIRUy34ut XgbI8J3rkmRK1vZYNa4dHD7X/7cohNa9/XZZi4Usn8k= -----END AUTHENTICODE SIGNATURE----- ++++++ signature-sles.asc ++++++ hash: f31fd461c5e99510403fc97c1da2d8a9cbe270597d32badf8fd66b77495f8d94 # 2069-04-10 06:07:54 timestamp: babababa checksum: 61c9 -----BEGIN AUTHENTICODE SIGNATURE----- MIIh9AYJKoZIhvcNAQcCoIIh5TCCIeECAQExDzANBglghkgBZQMEAgEFADBcBgor BgEEAYI3AgEEoE4wTDAXBgorBgEEAYI3AgEPMAkDAQCgBKICgAAwMTANBglghkgB ZQMEAgEFAAQg8x/UYcXplRBAP8l8HaLYqcvicFl9Mrrfj9Zrd0lfjZSgggs8MIIF JDCCBAygAwIBAgITMwAAAApmQvP0n7c3lgABAAAACjANBgkqhkiG9w0BAQsFADCB gTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1Jl ZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UEAxMi TWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTAeFw0xMzA5MjQxNzU0 MDNaFw0xNDEyMjQxNzU0MDNaMIGVMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2Fz aGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENv cnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMTAwLgYDVQQDEydNaWNyb3NvZnQgV2lu ZG93cyBVRUZJIERyaXZlciBQdWJsaXNoZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCc2PZRP3t6i2DCLSAuWrFHZKfyD98yckc9yxqqqJACgekdZi4s ZEN1vYcVfiUhW4hFpdH3kcPah7wf+uqgyQa1hb/9AzDH63JYfaHLWA+Jx0leY0cG CsIFviaUHrCEgxhkeXdrGfHroDcWArv2yBBvj+zvePVE9/VpDoBK+2nAFxz0oG23 BzE5duVpHIZn96fNyoDKYvCf649VqjM+O5/b5jlDylkMWAIVTvWqE0r/7YnC1Vcc cgJDQk8IaIWSepRsjrvvf8C8uG3ZSxVjQeuPz7ETAryJIWvYdz240MzVAJD7SazH SbVJm1LPHfS2FEpx3uUNOuo3IJrrxqeals8FAgMBAAGjggF9MIIBeTAfBgNVHSUE GDAWBggrBgEFBQcDAwYKKwYBBAGCN1ACATAdBgNVHQ4EFgQU6t49RpSALGo0XSnP ixuEhp5y0NEwUQYDVR0RBEowSKRGMEQxDTALBgNVBAsTBE1PUFIxMzAxBgNVBAUT KjMxNjE5KzAxMjU1ZjQ2LTc0ZjUtNGZjNC1iYzcxLWU0ZGE5NzM2YmVlZTAfBgNV HSMEGDAWgBQTrb9DCb2CcJyM1U8xbtUimIob1DBTBgNVHR8ETDBKMEigRqBEhkJo dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb3JVRUZDQTIw MTFfMjAxMS0wNi0yNy5jcmwwYAYIKwYBBQUHAQEEVDBSMFAGCCsGAQUFBzAChkRo dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NlcnRzL01pY0NvclVFRkNB MjAxMV8yMDExLTA2LTI3LmNydDAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBCwUA A4IBAQAqJ9a9LzTGipmJ7IVkSf5JNK1cBhXsWBlmQ5kFNzeoa+RskUuUeM45NTS3 We7F628BW3BrhT8dK+Uf6YB7F46qng+VWNal2RPFjHSSy60QartzlUJoAaQvNjhC 5gv3LQRmaIZdtdjOLJAclnMETQWrt0wXGsGYwPk3a7kYXsdSO7U+bSwRRkL/v74g 78bCVxwgBhWctw/yxCjpl/bOg79XrZpHxH3szpgwz4YaFWRxxiYAoCYLROKeqObj PEB8BG83vkpG3K84wBiyT5ab63FtjnbOvD0dGRNO1vIWzC41eEi0mYGW69cya8o+ Ot4bqI6YYSpWmkah9FhW9OLfoCpdMIIGEDCCA/igAwIBAgIKYQjTxAAAAAAABDAN BgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0 b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3Jh dGlvbjE7MDkGA1UEAxMyTWljcm9zb2Z0IENvcnBvcmF0aW9uIFRoaXJkIFBhcnR5 IE1hcmtldHBsYWNlIFJvb3QwHhcNMTEwNjI3MjEyMjQ1WhcNMjYwNjI3MjEzMjQ1 WjCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcT B1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjErMCkGA1UE AxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMTCCASIwDQYJKoZI hvcNAQEBBQADggEPADCCAQoCggEBAKUIbEzHRQlqSwykwId/BnUMQwFUZOAWfwft kn0LsnO/DArGSkVhoMUWLZbT9Sug+01Jm0GAkDy5VP3mvNGdxKQYin9BilxZg2gy u4xHye5xvCFPmop8/0Q/jY8ysiZIrnW17slMHkoZfuSCmh14d00MsL32D9MW07z6 K6VROF31+7rbeALb/+wKG5bVg7gZE+m2wHtAe+EfKCfJ+u9WXhzmfpR+wPBEsnk5 5dqyYotNvzhw4mgkFMkzpAg31VhpXtN87cEEUwjnTrAqh2MIYW9jFVnqsit51wxh Z4pb/V6th3+6hmdPcVgSIgQiIs6L71RxAM5QNVh2lQjuarGiAdUCAwEAAaOCAXYw ggFyMBIGCSsGAQQBgjcVAQQFAgMBAAEwIwYJKwYBBAGCNxUCBBYEFPjBa7d/d1NK 8yU3HU6hJnsPIHCAMB0GA1UdDgQWBBQTrb9DCb2CcJyM1U8xbtUimIob1DAZBgkr BgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUw AwEB/zAfBgNVHSMEGDAWgBRFZlJD4X5YEb/WTp4jVQg7OiJqqDBcBgNVHR8EVTBT MFGgT6BNhktodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0 cy9NaWNDb3JUaGlQYXJNYXJSb29fMjAxMC0xMC0wNS5jcmwwYAYIKwYBBQUHAQEE VDBSMFAGCCsGAQUFBzAChkRodHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2Nl cnRzL01pY0NvclRoaVBhck1hclJvb18yMDEwLTEwLTA1LmNydDANBgkqhkiG9w0B AQsFAAOCAgEANQhC/zDMzvd2DK0QaFg1KUYydid87xJBJ0IbSqptgThIWRNV8+lY NKYWC4KqXa2C2oCDQQaPtB3yA7nzGl0b8VCQ+bNVhEIoHCC9sq5RFMXArJeVIRyQ 2w/8d56Vc5GIyr29UrkFUA3fV56gYe0N5W0l2UAPF0DIzqNKwk2vmhIdCFSPvce8 uSs9SSsfMvxqIWlPm8h+QjT8NgYXi48gQMCzmiV1J83JA6P2XdHnNlR6uVC10xLR B7+7dN/cHo+A1e0Y9C8UFmsv3maMsCPlx4TY7erBM4KtVksYLfFolQfNz/By8K67 3YaFmCwhTDMr8A9K8GiHtZJVMnWhaoJqPKMlEaTtrdcErsvYQFmghNGVTGKRIhp0 HYw9Rw5EpuSwmzQ1sfq2U6gsgeykBXHInbi66BtEZuRHVA6OVn+znxaYsobQaD6Q I7UvXo9QhY3GjYJfQaH0Lg3gmdJsdeS2abUhhvoH0fbiTdHarSx3Ux4lMjfHbFJy lYaw8TVhahn1sjuBUFamMi3+oon5QoYnGFWhgspam/gwmFQUpkeWJS/IJuRBlBpc Aj/lluOFWzw+P7tHFnJV4iUisdl75wMGKqP3HpBGwwAN1hmJ4w41J2IDcRWm79An oKBZN2D4OJS44Hhw+LpMhoeU9uCuAkXuZcK2o35pFnUHkpv1prxZg1gxghYrMIIW JwIBATCBmTCBgTELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEr MCkGA1UEAxMiTWljcm9zb2Z0IENvcnBvcmF0aW9uIFVFRkkgQ0EgMjAxMQITMwAA AApmQvP0n7c3lgABAAAACjANBglghkgBZQMEAgEFAKCCAREwGQYJKoZIhvcNAQkD MQwGCisGAQQBgjcCAQQwHAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJ KoZIhvcNAQkEMSIEIJrzMZcr8o7z/mk2WCbI8fEz7nZbYeVPQtJjL0exXBCxMIGk BgorBgEEAYI3AgEMMYGVMIGSoF6AXABoAHQAdABwADoALwAvAHcAdwB3AC4AbQBp AGMAcgBvAHMAbwBmAHQALgBjAG8AbQAvAHcAaABkAGMALwBoAGMAbAAvAGQAZQBm AGEAdQBsAHQALgBtAHMAcAB4oTCALmh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS93 aGRjL2hjbC9kZWZhdWx0Lm1zcHgwDQYJKoZIhvcNAQEBBQAEggEAjHDQORfm8d8T eyJMiPDMRPFiO/aBL7UtF4rtDUeYi+c9UU6KDVXHi19Z9DNt3pkRRm4DxFVdDPXU P1TFD8HWbQPQ7YGGRjDOv1BwxZ+5F6xmNgoxUh0khKisi3l0LPq6Zauee7ebgly3 6A6GQSKlaXH7MXxMsgbvGFdXAQs/KVMb3xzuttby/jcQ9lxoMr4SVcM6Vu6fFZ24 DWhHFtONzHFSvJ3Sf10d8teTvikrIaXg7pzNU+T7+sMXsiyhVhWiFFFtetaaxtT4 vcKDuGHNP797WM1YYxZz+2sMbWyi81h+We6ReHn0V+UUW4b7i4yh0p2Vy3xPrzb6 TgGQIyi536GCE00wghNJBgorBgEEAYI3AwMBMYITOTCCEzUGCSqGSIb3DQEHAqCC EyYwghMiAgEDMQ8wDQYJYIZIAWUDBAIBBQAwggE9BgsqhkiG9w0BCRABBKCCASwE ggEoMIIBJAIBAQYKKwYBBAGEWQoDATAxMA0GCWCGSAFlAwQCAQUABCAqAR+tIZOx IQiET4LQ+OsCmH0VlrTUkAPePwl/JtC8pAIGUt6TDOrUGBMyMDE0MDIyNzAxMDcz My43NzNaMAcCAQGAAgH0oIG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMK V2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0 IENvcnBvcmF0aW9uMQ0wCwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERT RSBFU046QzBGNC0zMDg2LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0 YW1wIFNlcnZpY2Wggg7QMIIGcTCCBFmgAwIBAgIKYQmBKgAAAAAAAjANBgkqhkiG 9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAO BgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjEy MDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlmaWNhdGUgQXV0aG9yaXR5IDIw MTAwHhcNMTAwNzAxMjEzNjU1WhcNMjUwNzAxMjE0NjU1WjB8MQswCQYDVQQGEwJV UzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UE ChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGlt ZS1TdGFtcCBQQ0EgMjAxMDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AKkdDbx3EYo6IOz8E5f1+n9plGt0VBDVpQoAgoX77XxoSyxfxcPlYcJ2tz5mK1vw FVMnBDEfQRsalR3OCROOfGEwWbEwRA/xYIiEVEMM1024OAizQt2TrNZzMFcmgqNF DdDq9UeBzb8kYDJYYEbyWEeGMoQedGFnkV+BVLHPk0ySwcSmXdFhE24oxhr5hoC7 32H8RsEnHSRnEnIaIYqvS2SJUGKxXf13Hz3wV3WsvYpCTUBR0Q+cBj5nf/VmwAOW RH7v0Ev9buWayrGo8noqCjHw2k4GkbaICDXoeByw6ZnNPOcvRLqn9NxkvaQBwSAJ k3jN/LzAyURdXhacAQVPIk0CAwEAAaOCAeYwggHiMBAGCSsGAQQBgjcVAQQDAgEA MB0GA1UdDgQWBBTVYzpcijGQ80N7fEYbxTNoWoVtVTAZBgkrBgEEAYI3FAIEDB4K AFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSME GDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBWBgNVHR8ETzBNMEugSaBHhkVodHRw Oi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJB dXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUHAQEETjBMMEoGCCsGAQUFBzAChj5o dHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpL2NlcnRzL01pY1Jvb0NlckF1dF8y MDEwLTA2LTIzLmNydDCBoAYDVR0gAQH/BIGVMIGSMIGPBgkrBgEEAYI3LgMwgYEw PQYIKwYBBQUHAgEWMWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9QS0kvZG9jcy9D UFMvZGVmYXVsdC5odG0wQAYIKwYBBQUHAgIwNB4yIB0ATABlAGcAYQBsAF8AUABv AGwAaQBjAHkAXwBTAHQAYQB0AGUAbQBlAG4AdAAuIB0wDQYJKoZIhvcNAQELBQAD ggIBAAfmiFEN4sbgmD+BcQM9naOhIW+z66bM9TG+zwXiqf76V20ZMLPCxWbJat/1 5/B4vceoniXj+bzta1RXCCtRgkQS+7lTjMz0YBKKdsxAQEGb3FwX/1z5Xhc1mCRW S3TvQhDIr79/xn/yN31aPxzymXlKkVIArzgPF/UveYFl2am1a+THzvbKegBvSzBE JCI8z+0DpZaPWSm8tv0E4XCfMkon/VWvL/625Y4zu2JfmttXQOnxzplmkIz/amJ/ 3cVKC5Em4jnsGUpxY517IW3DnKOiPPp/fZZqkHimbdLhnPkd/DjYlPTGpQqWhqS9 nhquBEKDuLWAmyI4ILUl5WTs9/S/fmNZJQ96LjlXdqJxqgaKD4kWumGnEcua2A5H moDF0M2n0O99g/DhO3EJ3110mCIIYdqwUB5vvfHhAN/nMQekkzr3ZUd46PioSKv3 3nJ+YWtvd6mBy6cJrDm77MbL2IK0cs0d9LiFAR6A+xuJKlQ5slvayA1VmXqHczsI 5pgt6o3gMy4SKfXAL1QnIffIrE7aKLixqduWsqdCosnPGUFN4Ib5KpqjEWYw07t0 MkvfY3v1mYovG8chr1m1rtxEPJdQcdeh0sVV42neV8HR3jDA/czmTfsNv11P6Z0e GTgvvM9YBS7vDaBQNdrvCScc1bN+NR4Iuto229Nfj950iEkSMIIE2jCCA8KgAwIB AgITMwAAACiQZ7kEsDxuZgAAAAAAKDANBgkqhkiG9w0BAQsFADB8MQswCQYDVQQG EwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwG A1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQg VGltZS1TdGFtcCBQQ0EgMjAxMDAeFw0xMzAzMjcyMDEzMTNaFw0xNDA2MjcyMDEz MTNaMIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0wCwYD VQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2LURF RjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2UwggEiMA0G CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDdpUi/akidSiGckmve4C3c5GP4zLmJ xMcbvee10/vtrs8x/vNmsEQD2plnCFq/dQYiEYnQZ1LM+s+SN0Xo+vG9M9PMc+O4 IaSgFX3LL8QDBdo/lnPTWeWYTQtWhi+dR9HWX52R6ceE2ZVrMky0awBS4EHTPGl0 qM7MfWidUlXmcH8UB6KeZ7CGRPMzP3Ndxij4F19SAS1EL9bteAi45TsvwLnDS8O3 Oy/TprWcsUhK3TIJVqEbS1rTqiYnDBJDYMVq19pADWCYiUG7k3Pdv/7EjFvO+lUn yk1Nmm99EWyxRyOwTHxsfwahdIIfUngY6QYaFlCawzrdgYH3mydyIX91AgMBAAGj ggEbMIIBFzAdBgNVHQ4EFgQU3JgInXnRBLKLR8Nx0Izns+awU50wHwYDVR0jBBgw FoAU1WM6XIoxkPNDe3xGG8UzaFqFbVUwVgYDVR0fBE8wTTBLoEmgR4ZFaHR0cDov L2NybC5taWNyb3NvZnQuY29tL3BraS9jcmwvcHJvZHVjdHMvTWljVGltU3RhUENB XzIwMTAtMDctMDEuY3JsMFoGCCsGAQUFBwEBBE4wTDBKBggrBgEFBQcwAoY+aHR0 cDovL3d3dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNUaW1TdGFQQ0FfMjAx MC0wNy0wMS5jcnQwDAYDVR0TAQH/BAIwADATBgNVHSUEDDAKBggrBgEFBQcDCDAN BgkqhkiG9w0BAQsFAAOCAQEAgiLztz1kfhJL/Cb84OS30MQUTgn+q1aa0VqYpr6M QR6UtDK+hLS3RXbj72AYJIeoz+m00VQpvMrkyxJ7wPHUDp8xMxsRP3o73d0CqhjK yjz6luNsu6+7yYQ+x9gMhctyCwEbpPUxERAMRaVaSJl+2r5Fhte6TeSB/9NYCnZl Blkv9sJCzwTJqxv6YZ3185hJcLFJ0GTEIejuYBdTfusC2miVi/UKPAHbo7WYFFF0 nlPp2nKYZqBfKc+Prx+CnNPr5vFMG1T46DLcwRXDrCpudAUWg+NEmJ/L7+gweX+v UqU6H99lx43+J9hHGZIItIs0jmknNxoC9pGzlSL/CEgq/qGCA3kwggJhAgEBMIHj oYG5pIG2MIGzMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4G A1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMQ0w CwYDVQQLEwRNT1BSMScwJQYDVQQLEx5uQ2lwaGVyIERTRSBFU046QzBGNC0zMDg2 LURFRjgxJTAjBgNVBAMTHE1pY3Jvc29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiJQoB ATAJBgUrDgMCGgUAAxUA8120HsdfO2ZOZQ7emART9hWnH0SggcIwgb+kgbwwgbkx CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xDTALBgNVBAsTBE1P UFIxJzAlBgNVBAsTHm5DaXBoZXIgTlRTIEVTTjpCMDI3LUM2RjgtMUQ4ODErMCkG A1UEAxMiTWljcm9zb2Z0IFRpbWUgU291cmNlIE1hc3RlciBDbG9jazANBgkqhkiG 9w0BAQUFAAIFANa4+LowIhgPMjAxNDAyMjYyMzM1MjJaGA8yMDE0MDIyNzIzMzUy MlowdzA9BgorBgEEAYRZCgQBMS8wLTAKAgUA1rj4ugIBADAKAgEAAgIM/AIB/zAH AgEAAgIV3zAKAgUA1rpKOgIBADA2BgorBgEEAYRZCgQCMSgwJjAMBgorBgEEAYRZ CgMBoAowCAIBAAIDFuNgoQowCAIBAAIDB6EgMA0GCSqGSIb3DQEBBQUAA4IBAQBm lwBgKM7WFYZn7KoOxHuc0HCwn9KJ7P2+V1ixjuYcd9TJPbpom+P6TqrtdVyqC1qN P1ika8uTrueq+WIyDkpbBeRjgRPxywB8p6swJXn3a8FQJlYM8wZlX6k4DXOQ5a1I 8Df1MoZedlnFIJFCuailsPek9CZSuawhHvQu6tutrNrCtOJpHGwP/g7QhqDby6MU 9W08fcBbMQ+Q+NN9R+O5914iiyXTxNYply2O6zmRRXVV8Os49n6MAdLMQwlW/Hjf Qx9xsPgmOpnwA3IVmPCEtJnHbNPnmX23cB3zQ5HQ8Rgzh4a2iGFTUKVLQzP2XbJI GAt0fd2U/pFkRHTpexsrMYIC9TCCAvECAQEwgZMwfDELMAkGA1UEBhMCVVMxEzAR BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh bXAgUENBIDIwMTACEzMAAAAokGe5BLA8bmYAAAAAACgwDQYJYIZIAWUDBAIBBQCg ggEyMBoGCSqGSIb3DQEJAzENBgsqhkiG9w0BCRABBDAvBgkqhkiG9w0BCQQxIgQg igCH0fhbYKLF4fSmxZObvVlmifs8MaWR0dGzScGuExwwgeIGCyqGSIb3DQEJEAIM MYHSMIHPMIHMMIGxBBTzXbQex187Zk5lDt6YBFP2FacfRDCBmDCBgKR+MHwxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25k MR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jv c29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAAAKJBnuQSwPG5mAAAAAAAoMBYE FP/tXYkB9TLyFTNFAIYorcmDMtYiMA0GCSqGSIb3DQEBCwUABIIBABg8AdKpFO37 Mdc4SKY28D2Sff2uoRuCoLxMZPhC7rR14gC1sXKSBHIoNyMBR32mYJnJsTAgJRwT YTEmsHYl6l37/tkLAsRS21lt+YuynR9/fdGlwvqxc41HkUHdcTRjvsetVZ7v2HSz vpCBje4TsAaxblVCsyXiH94CyMR3Aq6brcoG+QJKh14NFLLLIxN2melZYivfcAJR ES78bXBRGa6hPqsvOIZ6USSC1rAwHodonNcp4Xb1QMPoXKcMPyUAYdzz0q673Mec hsP7HKqhezXDmpGe6Hg4RrO/In7qyRok6LZ4DH5hsp6dp0Omcgqm3kmcqTTNmtF6 0JelOr7e+os= -----END AUTHENTICODE SIGNATURE----- ++++++ strip_signature.sh ++++++ --- /var/tmp/diff_new_pack.7KXjJh/_old 2014-08-18 11:23:50.000000000 +0200 +++ /var/tmp/diff_new_pack.7KXjJh/_new 2014-08-18 11:23:50.000000000 +0200 @@ -10,13 +10,4 @@ outfile="${infile%.efi}-unsigned.efi" -nssdir=`mktemp -d` -cleanup() -{ - rm -r "$nssdir" -} -trap cleanup EXIT -echo > "$nssdir/pw" -certutil -f "$nssdir/pw" -d "$nssdir" -N - -pesign -n "$nssdir" -r -i "$infile" -o "$outfile" +pesign -r -i "$infile" -o "$outfile" -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org