[devel-distro] [#110111] DONE (try 8) srpm=refind-0.6.12-alt3.src.rpm srpm=elilo-3.14-alt1.5926535.src.rpm ...

Michael Shigorin mike at osdn.org.ua
Thu Dec 19 02:17:12 MSK 2013


	Hello.
Attention, everyone building images with EFI support: once these
tasks have passed into Sisyphus (that is, starting this coming morning),
working with mkimage changes somewhat whenever binaries signed for
UEFI SB conditions need to be included.

mkimage will need a patch along the lines of the attached commit
against 0.2.10 (I hope it will be published and packaged
within the next few days).

If mkimage-profiles is used, a patch like the attached one will
also be needed (it will still be changed before it is included
in the published repository) -- this is on top of 1.1.17.

Further details will follow at a more reasonable time of day.


On Wed, Dec 18, 2013 at 09:18:19PM +0000, Girar Builder pender robot wrote:
> http://git.altlinux.org/tasks/archive/done/_107/110111/logs/events.8.1.log
> 
> 2013-Dec-18 21:10:17 :: task #110111 for sisyphus resumed by mike:
[...]
> #400 build refind-0.6.12-alt3.src.rpm
> #500 build elilo-3.14-alt1.5926535.src.rpm
> #600 build 2.00-alt20 from /people/mike/packages/grub2.git
[...]
> 2013-Dec-18 21:18:19 :: task #110111 for sisyphus DONE

On Wed, Dec 18, 2013 at 04:10:58PM +0000, Girar Builder awaiter robot wrote:
> http://git.altlinux.org/tasks/110111/logs/events.6.1.log
> 
> 2013-Dec-18 15:52:44 :: test-only task #110111 for sisyphus resumed by mike:
[...]
> 2013-Dec-18 15:54:32 :: [x86_64] #400: pesigning approved by mike
> 2013-Dec-18 15:54:44 :: [x86_64] #400: refind: pesign OK
> 2013-Dec-18 15:55:17 :: [x86_64] #500: pesigning approved by mike
> 2013-Dec-18 15:55:28 :: [x86_64] #500: elilo: pesign OK
> 2013-Dec-18 16:05:18 :: [x86_64] #600: pesigning approved by mike
> 2013-Dec-18 16:05:31 :: [x86_64] #600: grub2-efi: pesign OK
> 2013-Dec-18 16:05:31 :: [x86_64] #600 grub2.git 2.00-alt20: build OK

On Wed, Dec 18, 2013 at 09:06:58PM +0000, Girar Builder pender robot wrote:
> http://git.altlinux.org/tasks/archive/done/_108/110658/logs/events.3.3.log
> 
> 2013-Dec-18 20:59:40 :: task #110658 for sisyphus resumed by mike:
> #100 build shim-0.4-alt1.2.src.rpm
> #200 build 0.4-alt3 from /people/mike/packages/shim-signed.git
[...]
> 2013-Dec-18 21:06:57 :: task #110658 for sisyphus DONE

-- 
 ---- WBR, Michael Shigorin / http://altlinux.org
  ------ http://opennet.ru / http://anna-news.info
-------------- next part --------------
From d7c348de603ef11f63fb4d8a0ddcc51c3e7b44dc Mon Sep 17 00:00:00 2001
From: Michael Shigorin <mike at altlinux.org>
Date: Wed, 18 Dec 2013 02:23:47 +0400
Subject: [PATCH] mki-copy-efiboot: drop -signed subpackages

There are no (un)signed EFI subpackages now but presence
of a signature or the lack thereof is being determined
by the build environment or postprocessing; just drop
the code written to support the experimental state
of affairs.
---
 tools/mki-copy-efiboot | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/tools/mki-copy-efiboot b/tools/mki-copy-efiboot
index 58f70a4..0116430 100755
--- a/tools/mki-copy-efiboot
+++ b/tools/mki-copy-efiboot
@@ -30,11 +30,11 @@ pkgs="$pkgs $EFI_BOOTLOADER"
 	pkgs="$pkgs $EFI_SHELL"
 
 [ -z "${EFI_CERT:-}" ] ||
-	pkgs="$pkgs alt-uefi-keys shim-signed $EFI_BOOTLOADER-signed"
+	pkgs="$pkgs alt-uefi-keys shim-signed"
 
 case "${EFI_BOOTLOADER:-}" in
 refind)	# won't boot unsigned kernels in SB mode
-	pkgs="$pkgs elilo${EFI_CERT:+-signed}"
+	pkgs="$pkgs elilo"
 	;;
 esac
 
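Review bot: in the `EFI_CERT` branch, `shim-signed` is now the only name that still carries `-signed` once `$EFI_BOOTLOADER-signed` is removed. Per the task log it is built as a package of its own (shim-signed.git), not as a subpackage, so a short comment on that line saying it is kept intentionally would stop a later cleanup from dropping it along with the rest.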
@@ -69,11 +69,9 @@ mkdir $verbose -p -- \$boot
 if [ -n "${EFI_CERT:-}" ]; then
 	shim_path=\$boot/bootx64.efi
 	bin_path=\$boot/grubx64.efi
-	bin_suffix=-signed
 else
 	shim_path=
 	bin_path=\$boot/bootx64.efi
-	bin_suffix=
 fi
 
 stage2_size="\$[ \$(stat -c%s \$stage2) / 1024 + 1 ]"
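Review bot: `bin_suffix` is no longer assigned in either branch of this `if`, but the patch only shows its use in `copy_elilo` being updated. Please grep the rest of the generated script for `\$bin_suffix` before merging: a leftover reference would expand to an empty string (or abort under `set -u`) instead of being caught at review time.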
@@ -84,7 +82,7 @@ efi_bindir=/usr/lib64/efi
 
 copy_shell() {
 	dest="\$efi/\$shell"
-	src="\$efi_bindir/shell${EFI_CERT:+-signed}.efi"
+	src="\$efi_bindir/shell.efi"
 	[ ! -f "\$src" ] ||
 		cp $verbose -pLf "\$src" "\$dest"
 }
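Review bot: `copy_shell` still only tests that the file exists (`[ ! -f "\$src" ] ||`), and with the `${EFI_CERT:+-signed}` suffix gone the path no longer says anything about whether `shell.efi` is signed. When `EFI_CERT` is set, a missing shell is skipped silently and an unsigned one is copied silently; consider at least a warning in the `EFI_CERT` case so the problem surfaces at image build time rather than at boot under Secure Boot.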
@@ -115,7 +113,7 @@ copy_kernel() {
 
 copy_elilo() {
 	copy_kernel
-	cp $verbose -pLf \$efi_bindir/elilo\$bin_suffix.efi \${1:-\$bin_path}
+	cp $verbose -pLf \$efi_bindir/elilo.efi \${1:-\$bin_path}
 	cat > \$boot/elilo.conf <<- ELILO_EOF
 	default="linux"
 	image="vmlinuz"
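Review bot: the `cp` line in `copy_elilo` leaves both operands unquoted (`\$efi_bindir/elilo.efi \${1:-\$bin_path}`), while `copy_shell` above quotes `"\$src"` and `"\$dest"`. Since the line is being rewritten anyway, quote the source and `"\${1:-\$bin_path}"` for consistency and so that a path containing whitespace is not split.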
@@ -126,7 +124,6 @@ copy_elilo() {
 	ELILO_EOF
 }
 
-# refind is currently signed by default
 refind_aux=\$efi/refind
 refind_boot=\$refind_aux/refind_x64.efi
 
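Review bot: the comment `# refind is currently signed by default` is removed without a replacement, so nothing in these hunks states where the signature now comes from. A one-line comment near `refind_boot` noting that signing is decided by the build environment or postprocessing (as the commit message says) would keep that assumption visible to the next reader of the script.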
-- 
1.8.3.4

-------------- next part --------------
From 90429a850803cce7154755ffff74158053f62694 Mon Sep 17 00:00:00 2001
From: Michael Shigorin <mike at altlinux.org>
Date: Tue, 17 Dec 2013 14:22:11 +0200
Subject: [PATCH] efi: drop -signed subpackages

We chose to provide methods to sign packages but to avoid
signing these by default (with some arbitrary test keys)
the signatures are being added *after* the build by means
of rpmrebuild-pesign; all of this is made significantly
more complicated if there are separate -signed subpackages.

So these are being dropped in the packages; account for that.
---
 features.in/efi/config.mk | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/features.in/efi/config.mk b/features.in/efi/config.mk
index 68c46a5..cf1699f 100644
--- a/features.in/efi/config.mk
+++ b/features.in/efi/config.mk
@@ -18,11 +18,9 @@ use/efi/refind: use/efi
 	@$(call set,EFI_BOOTLOADER,refind)
 
 use/efi/signed: use/efi
-	@$(call set,MKI_VER_MINIMAL,0.2.7)	# refind->elilo handoff
+	@$(call set,MKI_VER_MINIMAL,0.2.7)	# refind->elilo handoff ### 0.2.11
 	@$(call set,EFI_CERT,altlinux)
 	@$(call add,THE_PACKAGES,shim-signed)
-	@$(call set,EFI_SHELL,efi-shell-signed)	# even more useful
-	@$(call add,RESCUE_PACKAGES,refind-signed)
 	@$(call add,RESCUE_PACKAGES,openssl sbsigntools)
 
 use/efi/shell: use/efi
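Review bot: on the `MKI_VER_MINIMAL` line the value stays at 0.2.7 while the new trailing `### 0.2.11` marker suggests a newer mkimage is actually required. An mkimage without the matching mki-copy-efiboot change would still request the removed `-signed` names, so either bump the value once that release exists or turn the marker into an explicit TODO that says so. The commit message should also mention that `use/efi/signed` no longer sets `EFI_SHELL` at all, so a signed image gets a shell only if it is set elsewhere, for example via `use/efi/shell`.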
-- 
1.8.3.4


