From 7686debad858ce35d7b393a424f9b684120c778c Mon Sep 17 00:00:00 2001
From: Steve McIntyre
Date: Wed, 1 Nov 2023 23:37:50 +0000
Subject: [PATCH] Tweak building with pesign changes

We used to use efisiglist to generate the DBX list. Newer versions of the pesign package don't include it any more, and the recommended replacement tool is now efisecdb from efivar. Tweak the generate_dbx_list script to work with both old and new. Let's make backports easy...
---
 debian/changelog | 6 ++++++
 debian/control | 2 ++
 debian/generate_dbx_list | 32 +++++++++++++++++++++++++++-----
 3 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1acd3a2..dd5cbdd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+shim (15.7-2) UNRELEASED; urgency=medium
+
+ * Cope with changes in pesign packaging.
+
+ -- Steve McIntyre <93sam@debian.org> Wed, 01 Nov 2023 23:35:52 +0000
+
 shim (15.7-1) unstable; urgency=medium
 * New upstream release fixing more bugs
diff --git a/debian/control b/debian/control
index c8a753b..e251e91 100644
--- a/debian/control
+++ b/debian/control
@@ -12,6 +12,8 @@ Build-Depends: debhelper-compat (= 12),
 gcc-12,
 dos2unix,
 pesign (>= 0.112-5),
+ efivar,
+ uuid-runtime,
 xxd,
 libefivar-dev
 Vcs-Browser: https://salsa.debian.org/efi-team/shim
diff --git a/debian/generate_dbx_list b/debian/generate_dbx_list
index 95ec3e9..db9dc0f 100755
--- a/debian/generate_dbx_list
+++ b/debian/generate_dbx_list
@@ -17,11 +17,33 @@ IN=$2
 OUT=$3
 rm -f $OUT
-for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
- awk '{print $1}' | sort | uniq); do
- echo " Adding $HASH to dbx list"
- efisiglist -o $OUT -a -h $HASH
-done
+if [ -x /usr/bin/efisiglist ] ; then
+ # Older versions of the pesign package included the efisiglist
+ # utility. If we have that, use it.
+ for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+ awk '{print $1}' | sort | uniq); do
+ echo " Adding $HASH to dbx list"
+ efisiglist -o $OUT -a -h $HASH
+ done
+else
+ # It appears we don't have efisiglist, so use efisecdb
+ # instead. It's a little more awkward to drive.
+ UUID=$(uuidgen)
+ INTMP="" # First pass
+ for HASH in $(grep -E "[[:xdigit:]]{32} $ARCH" < $IN | \
+ awk '{print $1}' | sort | uniq); do
+ echo " Adding $HASH to dbx list"
+ efisecdb -g $UUID -a -t sha256 -h $HASH $INTMP -o $OUT
+
+ # Subsequent passes need to read the previous output as input
+ # each time, and won't overwrite the output.
+ mv -f $OUT $OUT.in
+ INTMP="-i $OUT.in"
+ done
+ if [ -f $OUT.in ]; then
+ mv -f $OUT.in $OUT
+ fi
+fi
 # If we have an empty hashes file, create an empty DBX file
 touch $OUT
-- 
2.39.2
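Review bot: A stale `$OUT.in` left behind by an interrupted earlier run is silently promoted to the DBX output in the efisecdb branch: the leading `rm -f $OUT` clears only `$OUT`, so when the hash list for `$ARCH` is empty the loop never runs and the closing `if [ -f $OUT.in ]` moves the old file into place; extend the cleanup to `rm -f $OUT $OUT.in`. Unless `set -e` is in effect above the hunk (not visible here), a failing `efisecdb` or `mv` also goes unnoticed, because the trailing `touch $OUT` then produces an empty DBX and the script exits 0 — an empty forbidden-signature list that still passes the build is worse than a build failure, so `efisecdb -g "$UUID" -a -t sha256 -h "$HASH" $INTMP -o "$OUT" || exit 1` (or `set -e` at the top) is worth adding. Separately, `UUID=$(uuidgen)` gives every build a different signature-owner GUID, so the generated DBX is not byte-reproducible between builds; a fixed project GUID would avoid that if nothing depends on it being random.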