-
shim-signed (1.33.1~16.04.10) xenial; urgency=medium
* Update to shim 15.4-0ubuntu7:
- Fix load option parsing, and thus fwupd execution (LP: #1929471) (PR #379)
- Fix occasional crashes in _relocate() on arm64 (LP: #1928010) (PR #383)
- Fix accidental deletion of RT variables (LP: #1934506) (PR #387)
- mok: relax the maximum variable size check (LP: #1934780) (PR #369)
shim-signed (1.33.1~16.04.9) xenial; urgency=medium
* Do not build a dual-signed shim (fixing regression from ~16.04.7), and
disable verifying fbx64.efi and mmx64.efi certificates as xenial's
sbverify is unable to (impish works fine)
* Clean up debhelper log file accidentally imported into git during 16.04.7
import.
shim-signed (1.33.1~16.04.8) xenial; urgency=medium
* debian/*.postinst: Unconditionally call grub-install with
--force-extra-removable, so that the \EFI\BOOT removable path as used in
cloud images receives the updates. LP: #1930742.
* Update to shim 15.4-0ubuntu5:
- Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
is causing systems to run out of EFI storage space, or just hang up
when trying to write it (LP: #1924605) (LP: #1928434)
- Further relax the check for variable mirroring on non-secureboot systems
avoiding boot failures on out of space conditons (pull request #372)
- Don't unhook ExitBootServices() when EBS protection is disabled
(LP: #1931136) (pull request #378)
shim-signed (1.33.1~16.04.7) xenial; urgency=medium
* New upstream release 15.4. LP: #1921134
* Update packaging to pull fb and mm from shim-signed package as in
later releases, dropping the runtime dependency on shim.
* Add download-signed script from linux-signed package
* Add a versioned dependency on the mokutil that introduces --timeout, and
call mokutil --timeout -1 so that users don't end up with broken systems
by missing MokManager on reboot after install. LP: #1856422.
* Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
grub-install present when we are installing new shim to the ESP.
* Include reworked Makefile from devel to better assert the integrity of
the executables.
-- Julian Andres Klode <email address hidden> Fri, 16 Jul 2021 13:04:57 +0200
-
shim-signed (1.33.1~16.04.9) xenial; urgency=medium
* Do not build a dual-signed shim (fixing regression from ~16.04.7), and
disable verifying fbx64.efi and mmx64.efi certificates as xenial's
sbverify is unable to (impish works fine)
* Clean up debhelper log file accidentally imported into git during 16.04.7
import.
shim-signed (1.33.1~16.04.8) xenial; urgency=medium
* debian/*.postinst: Unconditionally call grub-install with
--force-extra-removable, so that the \EFI\BOOT removable path as used in
cloud images receives the updates. LP: #1930742.
* Update to shim 15.4-0ubuntu5:
- Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
is causing systems to run out of EFI storage space, or just hang up
when trying to write it (LP: #1924605) (LP: #1928434)
- Further relax the check for variable mirroring on non-secureboot systems
avoiding boot failures on out of space conditons (pull request #372)
- Don't unhook ExitBootServices() when EBS protection is disabled
(LP: #1931136) (pull request #378)
shim-signed (1.33.1~16.04.7) xenial; urgency=medium
* New upstream release 15.4. LP: #1921134
* Update packaging to pull fb and mm from shim-signed package as in
later releases, dropping the runtime dependency on shim.
* Add download-signed script from linux-signed package
* Add a versioned dependency on the mokutil that introduces --timeout, and
call mokutil --timeout -1 so that users don't end up with broken systems
by missing MokManager on reboot after install. LP: #1856422.
* Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
grub-install present when we are installing new shim to the ESP.
* Include reworked Makefile from devel to better assert the integrity of
the executables.
-- Julian Andres Klode <email address hidden> Wed, 23 Jun 2021 18:20:36 +0200
-
shim-signed (1.33.1~16.04.8) xenial; urgency=medium
* debian/*.postinst: Unconditionally call grub-install with
--force-extra-removable, so that the \EFI\BOOT removable path as used in
cloud images receives the updates. LP: #1930742.
* Update to shim 15.4-0ubuntu5:
- Stop addending vendor dbx to MokListXRT during MokListX mirroring. This
is causing systems to run out of EFI storage space, or just hang up
when trying to write it (LP: #1924605) (LP: #1928434)
- Further relax the check for variable mirroring on non-secureboot systems
avoiding boot failures on out of space conditons (pull request #372)
- Don't unhook ExitBootServices() when EBS protection is disabled
(LP: #1931136) (pull request #378)
shim-signed (1.33.1~16.04.7) xenial; urgency=medium
* New upstream release 15.4. LP: #1921134
* Update packaging to pull fb and mm from shim-signed package as in
later releases, dropping the runtime dependency on shim.
* Add download-signed script from linux-signed package
* Add a versioned dependency on the mokutil that introduces --timeout, and
call mokutil --timeout -1 so that users don't end up with broken systems
by missing MokManager on reboot after install. LP: #1856422.
* Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
grub-install present when we are installing new shim to the ESP.
* Include reworked Makefile from devel to better assert the integrity of
the executables.
-- Julian Andres Klode <email address hidden> Tue, 22 Jun 2021 21:30:28 +0200
-
shim-signed (1.33.1~16.04.7) xenial; urgency=medium
* New upstream release 15.4. LP: #1921134
* Update packaging to pull fb and mm from shim-signed package as in
later releases, dropping the runtime dependency on shim.
* Add download-signed script from linux-signed package
* Add a versioned dependency on the mokutil that introduces --timeout, and
call mokutil --timeout -1 so that users don't end up with broken systems
by missing MokManager on reboot after install. LP: #1856422.
* Add versioned dependencies on grub-efi-amd64-signed and grub2-common,
to ensure we have SBAT-compatible grub.efi and grub 2.04-compatible
grub-install present when we are installing new shim to the ESP.
* Include reworked Makefile from devel to better assert the integrity of
the executables.
-- Steve Langasek <email address hidden> Thu, 13 May 2021 23:39:43 +0000
-
shim-signed (1.33.1~16.04.6) xenial; urgency=medium
* Update to the signed 15+1552672080.a4a1fbe-0ubuntu2 binary from Microsoft.
(LP: #1862171)
-- Julian Andres Klode <email address hidden> Fri, 07 Aug 2020 14:10:55 +0200
-
shim-signed (1.33.1~16.04.5) xenial; urgency=medium
* debian/control: make the sbsigntool dependency versioned to ensure updates
include getting the new sbsigntool so DKMS modules can be correctly signed.
(LP: #1818929)
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 01 Apr 2019 12:15:21 -0400
-
shim-signed (1.33.1~16.04.4) xenial; urgency=medium
* update-secureboot-policy: (LP: #1748983)
- Backport update-secureboot-policy changes to generate a MOK and guide
users through re-enabling validation and automatically signing DKMS
modules.
* debian/shim-signed.postinst:
- When triggered, explicitly try to enroll the available MOK.
* debian/shim-signed.install, openssl.cnf: Install some default configuration
for creating our self-signed key.
* debian/shim-signed.dirs: make sure we have a directory where to put a MOK.
* debian/templates: update templates for update-secureboot-policy changes.
* debian/control: Breaks dkms (<< 2.2.0.3-2ubuntu11.5~) since we're changing
the behavior of update-secureboot-policy.
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 28 Jan 2019 10:22:31 -0500
-
shim-signed (1.33.1~16.04.3) xenial; urgency=medium
* debian/control: Depends: on grub2 2.02~beta2-36ubuntu3.20 to ensure shim
cannot be installed without the new grub2 version that fixes chainloading
issues. (LP: #1792575)
shim-signed (1.33.1~16.04.2) xenial; urgency=medium
* Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
(LP: #1790724)
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 11 Dec 2018 15:37:58 -0500
-
shim-signed (1.33.1~16.04.2) xenial; urgency=medium
* Update to the signed 15+1533136590.3beb971-0ubuntu1 binary from Microsoft.
(LP: #1790724)
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 05 Sep 2018 11:23:24 -0400
-
shim-signed (1.33.1~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.33.1 to 16.04. (LP: #1708245)
* debian/control: Depends on newer grub2-common to install the right files
for MokManager and fallback EFI binaries.
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 11 Jan 2018 15:51:52 -0500
-
shim-signed (1.32~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.32 to 16.04. (LP: #1700170)
shim-signed (1.32) artful; urgency=medium
* Handle cleanup of /var/lib/shim-signed on package purge.
shim-signed (1.31) artful; urgency=medium
* Fix regression in postinst when /var/lib/dkms does not exist.
(LP#1700195)
* Sort the list of dkms modules when recording.
shim-signed (1.30) artful; urgency=medium
* update-secureboot-policy: track the installed DKMS modules so we can skip
failing unattended upgrades if they hasn't changed (ie. if no new DKMS
modules have been installed, just honour the user's previous decision to
not disable shim validation). (LP: #1695578)
* update-secureboot-policy: allow re-enabling shim validation when no DKMS
packages are installed. (LP: #1673904)
* debian/source_shim-signed.py: add the textual representation of SecureBoot
and MokSBStateRT EFI variables rather than just adding the files directly;
also, make sure we include the relevant EFI bits from kernel log.
(LP: #1680279)
shim-signed (1.29) artful; urgency=medium
* Makefile: Generate BOOT$arch.CSV, for use with fallback.
* debian/rules: make sure we can do per-arch EFI files.
-- Mathieu Trudel-Lapierre <email address hidden> Mon, 10 Jul 2017 17:43:10 -0400
-
shim-signed (1.28~16.04.1) xenial; urgency=medium
* Adjust apport hook to include key files that tell us about the system's
current SB state. LP: #1680279.
-- Steve Langasek <email address hidden> Wed, 05 Apr 2017 15:14:49 -0700
-
shim-signed (1.27~16.04.1) xenial; urgency=medium
* Backport shim 0.9+1474479173.6c180c6-1ubuntu1 to 16.04. (LP: #1637290)
shim-signed (1.27) zesty; urgency=medium
[ Steve Langasek ]
* Update to the signed 0.9+1474479173.6c180c6-1ubuntu1 binary from
Microsoft.
* update-secureboot-policy:
- detect when we have no debconf prompting and error out instead of ending
up in an infinite loop. LP: #1673817.
- refactor to make the code easier to follow.
- remove a confusing boolean that would always re-prompt on a request to
--enable, but not on a request to --disable.
[ Mathieu Trudel-Lapierre ]
* update-secureboot-policy:
- some more fixes to properly handle non-interactive mode. (LP: #1673817)
shim-signed (1.23) zesty; urgency=medium
* debian/control: bump the Depends on grub2-common since that's needed to
install with the new updated EFI binaries filenames.
shim-signed (1.22) yakkety; urgency=medium
* Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
(LP: #1581299)
* Update paths now that the shim binary has been renamed to include the
target architecture.
* debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
since it's being replaced by mm$arch.efi.
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 23 Mar 2017 16:58:44 -0400
-
shim-signed (1.21.4~16.04.1) xenial; urgency=medium
* Update to the signed 0.9+1474479173.6c180c6-0ubuntu1 binary from Microsoft.
(LP: #1637290, #1581299)
* Update paths now that the shim binary has been renamed to include the
target architecture.
* debian/shim-signed.postinst: clean up old MokManager.efi from EFI/ubuntu;
since it's being replaced by mm$arch.efi.
* debian/control: bump the Depends on grub2-common since that's needed to
install with the new updated EFI binaries filenames.
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 08 Nov 2016 14:34:14 -0500
-
shim-signed (1.19~16.04.1) xenial; urgency=medium
* update-secureboot-policy:
- Add a --help option, document other options. (LP: #1604936)
- Rework prompting to display our Secure Boot warning and explanation
text more prominently, rather than forcing graphical users to hit
"Help" to see the full explanation for why we ask about disabling
Secure Boot. (LP: #1595611)
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 02 Aug 2016 15:24:24 -0400
-
shim-signed (1.18~16.04.1) xenial; urgency=medium
* update-secureboot-policy: If /proc/sys/kernel/moksbstate_disabled is
present, prefer this unconditionally over MokSBStateRT. LP: #1604873.
-- Steve Langasek <email address hidden> Wed, 20 Jul 2016 12:09:58 -0700
-
shim-signed (1.17~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.17 to 16.04. (LP: #1574727)
-- Mathieu Trudel-Lapierre <email address hidden> Thu, 07 Jul 2016 20:17:24 -0400
-
shim-signed (1.16~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.16 to 16.04. (LP: #1574727)
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 28 Jun 2016 19:37:46 -0400
-
shim-signed (1.15~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.15 to 16.04. (LP: #1574727)
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 21 Jun 2016 10:18:29 -0400
-
shim-signed (1.14~16.04.1) xenial; urgency=medium
* Backport shim-signed 1.14 to 12.04. (LP: #1574727)
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 07 Jun 2016 16:22:58 -0400
-
shim-signed (1.12) xenial; urgency=medium
* debian/control: add Depends on mokutil, to ship a way for users to
control shim features, such as enrolling new keys.
-- Mathieu Trudel-Lapierre <email address hidden> Wed, 16 Dec 2015 10:19:23 -0500
-
shim-signed (1.11) wily; urgency=medium
* Add in an apport package hook for shim-signed and shim. (LP: #1490030)
-- Brian Murray <email address hidden> Fri, 11 Sep 2015 15:04:31 -0700
