--- /dev/null
+# proxmox-dbx.hashes
+#
+# This file contains the sha256 sums of the binaries that we want to
+# blacklist directly in our signed shim. Add entries below, with comments
+# to explain each entry (where possible).
+#
+# The data in this file needs should be of the form:
+#
+# <hex-encoded sha256 checksums> <arch>
+#
+# All other lines will be ignored. I'm using shell-style comments just
+# for clarity.
+#
+# The hashes are generated using:
+#
+# pesign --hash --padding --in <binary>
+#
+# on *either* the signed or unsigned binary, pesign doesn't care
+# which. See the helper script block_signed_deb for an easy way to
+# generate this information.
distributor=ubuntu
COMMON_OPTIONS ?= ENABLE_SHIM_CERT=1 ENABLE_SBSIGN=1
else
- cert=debian/debian-uefi-ca.der
- distributor=debian
+ cert=debian/proxmox-uefi-ca.der
+ distributor=proxmox
endif
deb_version := $(shell dpkg-parsechangelog | sed -ne "s/^Version: \(.*\)/\1/p")
--- /dev/null
+shim.proxmox,1,Proxmox,shim,@UPSTREAM_VERSION@,https://git.proxmox.com/?p=efi-boot-shim.git
* Update to shim @version_binary@
- -- Debian signing service <ftpmaster@debian.org> @date@
+ -- Proxmox signing service <support@proxmox.com> @date@
shim-helpers-@arch@-signed (1) unstable; urgency=medium
Source: shim-helpers-@arch@-signed
Section: admin
Priority: optional
-Maintainer: Debian EFI team <debian-efi@lists.debian.org>
+Maintainer: Proxmox Support Team <support@proxmox.com>
Standards-Version: 4.3.0
Build-Depends: debhelper (>= 10.1~),
sbsigntool [amd64 arm64 i386],
Breaks: shim-signed (<< 1.29),
Depends: shim-unsigned (>= @version_binary@), ${misc:Depends},
Built-Using: shim (= @version_binary@)
-Description: boot loader to chain-load signed boot loaders (signed by Debian)
+Description: boot loader to chain-load signed boot loaders (signed by Proxmox)
This package provides a minimalist boot loader which allows verifying
signatures of other UEFI binaries against either the Secure Boot DB/DBX or
against a built-in signature database. Its purpose is to allow a small,
an OS distributor to revision their main bootloader independently of the CA.
.
This package contains the MOK manager and fall-back manager signed by the
- Debian UEFI CA to be used by shim-signed.
+ Proxmox UEFI CA to be used by shim-signed.
debian/canonical-uefi-ca.der
debian/debian-uefi-ca.der
+debian/proxmox-uefi-ca.der