import shim-15-15.el8_2

4 months ago · a1bf76041c
commit a1bf76041c
9 changed files with 445 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,3 @@
+SOURCES/shimaa64.efi
+SOURCES/shimia32.efi
+SOURCES/shimx64.efi
--- a/.shim.metadata
+++ b/.shim.metadata
@ -0,0 +1,3 @@
+fddb9c22fd56e9c6975159ad72415c9a4cb7cebd SOURCES/shimaa64.efi
+3ee82cf8f17e7aee3502757daf86b4614a8b736e SOURCES/shimia32.efi
+9e2e19fa2f1d8371748d67b59f27ae9828734d03 SOURCES/shimx64.efi
--- a/SOURCES/BOOTAA64.CSV
+++ b/SOURCES/BOOTAA64.CSV
--- a/SOURCES/BOOTIA32.CSV
+++ b/SOURCES/BOOTIA32.CSV
--- a/SOURCES/BOOTX64.CSV
+++ b/SOURCES/BOOTX64.CSV
--- a/SOURCES/centossecureboot201.crt
+++ b/SOURCES/centossecureboot201.crt
@ -0,0 +1,84 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            93:c2:04:d8:bd:77:6b:11
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=CentOS Secure Boot CA 2/emailAddress=security@centos.org
+        Validity
+            Not Before: Jun  9 10:04:20 2020 GMT
+            Not After : Jan 18 10:04:20 2038 GMT
+        Subject: CN=CentOS Secure Boot Signing 201/emailAddress=security@centos.org
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (2048 bit)
+                Modulus:
+                    00:9e:ef:fe:76:1c:9f:9b:3e:f2:e4:c5:29:bd:19:
+                    32:01:59:f3:e6:99:fa:eb:b5:f8:94:0c:95:3a:65:
+                    5e:b1:72:d0:50:3e:70:64:8a:1a:d1:f6:4d:af:6d:
+                    57:ee:40:71:40:09:dd:30:0c:81:a1:8b:26:63:12:
+                    07:bf:e1:d1:45:9f:9b:09:a6:57:98:9e:ef:97:e9:
+                    bd:68:38:ea:aa:63:92:2e:0d:2f:8e:fb:be:88:40:
+                    9b:59:e3:bc:b7:6f:e3:bb:6b:1e:6e:9e:ee:57:b8:
+                    28:c6:d5:d6:bf:47:a6:e9:38:a9:8f:08:73:98:49:
+                    a8:58:d2:62:73:f1:1e:44:d4:88:3d:f9:aa:43:e2:
+                    72:2e:d7:43:3e:1d:b6:65:f6:d1:2e:ef:31:cb:9f:
+                    5e:e3:d4:ea:3c:23:9a:07:af:f9:4a:ee:43:9a:75:
+                    06:ed:9a:54:2c:ed:5b:ca:85:a5:10:16:cd:30:64:
+                    ea:d5:27:7e:23:f6:fc:ec:69:a9:43:2f:78:73:6b:
+                    33:78:8b:f8:54:db:3f:ce:95:a4:5a:04:9a:15:49:
+                    98:cd:34:7c:c7:8c:a9:8a:32:82:ae:c0:d6:34:93:
+                    e7:d2:54:82:45:ee:eb:54:9a:96:d4:da:4b:24:f8:
+                    09:56:d8:cd:7f:ec:7b:f3:bd:db:9b:8c:b6:18:87:
+                    fa:07
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: critical
+                CA:FALSE
+            X509v3 Key Usage: critical
+                Digital Signature
+            X509v3 Extended Key Usage: critical
+                Code Signing
+            X509v3 Subject Key Identifier: 
+                5D:4B:64:F2:FA:63:1E:5E:5F:DB:AA:DC:14:67:C6:6C:99:21:7A:22
+            X509v3 Authority Key Identifier: 
+                keyid:70:00:7F:99:20:9C:12:6B:E1:47:74:EA:EC:7B:6D:96:31:F3:4D:CA
+
+    Signature Algorithm: sha256WithRSAEncryption
+         39:4b:b5:cc:37:3f:cd:db:84:0f:63:7c:c4:e4:53:fb:5e:fd:
+         db:12:19:23:6f:0a:50:14:fd:4f:7c:f9:87:3d:f9:6d:5b:af:
+         07:a5:94:34:1b:84:07:f4:f1:a0:de:cc:73:87:99:31:c3:93:
+         66:c0:bc:f2:0f:b2:69:65:8e:da:b9:1a:8e:ae:38:56:f3:7c:
+         5a:8d:29:0d:3d:ad:84:e7:86:31:a2:8e:2a:a8:f8:f8:f7:87:
+         32:65:5d:81:47:53:b8:40:c5:1b:a7:46:1f:b0:60:a7:b4:97:
+         89:51:26:3c:de:46:b9:14:d5:a0:7d:99:cc:a7:7e:ed:89:18:
+         02:ce:e6:07:45:49:e2:04:7d:5b:03:65:ec:e6:c3:86:0d:82:
+         31:24:45:51:ec:15:ad:31:83:a8:1c:6e:52:4d:b8:0f:5d:0b:
+         e4:7b:51:49:39:46:8a:0b:fd:0c:46:af:b4:19:65:0f:12:f1:
+         fc:ee:fd:6b:4f:df:9a:73:7c:e0:c8:3d:c3:d5:b5:ab:4a:86:
+         36:97:e8:89:fb:af:f4:f1:c2:05:5d:17:fb:b6:df:a5:0e:45:
+         89:db:89:99:93:ce:f0:4e:e9:9c:f4:4a:03:b0:6e:be:a2:69:
+         ab:b1:f3:3b:ed:c7:97:f4:0e:0a:53:27:5a:7e:70:9a:35:ea:
+         7a:76:d1:bc
+-----BEGIN CERTIFICATE-----
+MIIDjjCCAnagAwIBAgIJAJPCBNi9d2sRMA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
+BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
+cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTEwMDQyMFoXDTM4MDExODEwMDQyMFow
+TTEnMCUGA1UEAwweQ2VudE9TIFNlY3VyZSBCb290IFNpZ25pbmcgMjAxMSIwIAYJ
+KoZIhvcNAQkBFhNzZWN1cml0eUBjZW50b3Mub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAnu/+dhyfmz7y5MUpvRkyAVnz5pn667X4lAyVOmVesXLQ
+UD5wZIoa0fZNr21X7kBxQAndMAyBoYsmYxIHv+HRRZ+bCaZXmJ7vl+m9aDjqqmOS
+Lg0vjvu+iECbWeO8t2/ju2sebp7uV7goxtXWv0em6TipjwhzmEmoWNJic/EeRNSI
+PfmqQ+JyLtdDPh22ZfbRLu8xy59e49TqPCOaB6/5Su5DmnUG7ZpULO1byoWlEBbN
+MGTq1Sd+I/b87GmpQy94c2szeIv4VNs/zpWkWgSaFUmYzTR8x4ypijKCrsDWNJPn
+0lSCRe7rVJqW1NpLJPgJVtjNf+x7873bm4y2GIf6BwIDAQABo3gwdjAMBgNVHRMB
+Af8EAjAAMA4GA1UdDwEB/wQEAwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzAd
+BgNVHQ4EFgQUXUtk8vpjHl5f26rcFGfGbJkheiIwHwYDVR0jBBgwFoAUcAB/mSCc
+EmvhR3Tq7HttljHzTcowDQYJKoZIhvcNAQELBQADggEBADlLtcw3P83bhA9jfMTk
+U/te/dsSGSNvClAU/U98+Yc9+W1brwellDQbhAf08aDezHOHmTHDk2bAvPIPsmll
+jtq5Go6uOFbzfFqNKQ09rYTnhjGijiqo+Pj3hzJlXYFHU7hAxRunRh+wYKe0l4lR
+JjzeRrkU1aB9mcynfu2JGALO5gdFSeIEfVsDZezmw4YNgjEkRVHsFa0xg6gcblJN
+uA9dC+R7UUk5RooL/QxGr7QZZQ8S8fzu/WtP35pzfODIPcPVtatKhjaX6In7r/Tx
+wgVdF/u236UORYnbiZmTzvBO6Zz0SgOwbr6iaaux8zvtx5f0DgpTJ1p+cJo16np2
+0bw=
+-----END CERTIFICATE-----
--- a/SOURCES/centossecurebootca2.crt
+++ b/SOURCES/centossecurebootca2.crt
@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDYjCCAkqgAwIBAgIJAIlReu6IOzL7MA0GCSqGSIb3DQEBCwUAMEYxIDAeBgNV
+BAMMF0NlbnRPUyBTZWN1cmUgQm9vdCBDQSAyMSIwIAYJKoZIhvcNAQkBFhNzZWN1
+cml0eUBjZW50b3Mub3JnMB4XDTIwMDYwOTA4MTkzMloXDTM4MDExODA4MTkzMlow
+RjEgMB4GA1UEAwwXQ2VudE9TIFNlY3VyZSBCb290IENBIDIxIjAgBgkqhkiG9w0B
+CQEWE3NlY3VyaXR5QGNlbnRvcy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQChatbNaQDV0RTCqff1tl92xI6gu1k8jYufW8FyzZ6uDnxoGpBT0LiU
+WKuGjMQ89JgiApFzDYSLWrZg8NbTnVdz0hny4SMyspe5weUk6IToKXvEejZNFn6i
+vae2vfT0/ASKsgIvUcz4sWHMK43vbfv/pVpYGLgoG5aNUkt7VhkeURwJzR3ODgDp
+aL4bQ/7qEo8ASHCEvQx6klG330Z06O0kjS6GK12cPC1t5ZlimVXCNWP1jf0pMWmh
+aBrZjbyY0j8R7Yns3cEovAM230chsVdyFxSYpqCLzMlmWNxiIlvcAoDIRMWEa7Da
+SSAfJWH+ygAzad1PHlnCB0zAFbLAMJH1AgMBAAGjUzBRMB0GA1UdDgQWBBRwAH+Z
+IJwSa+FHdOrse22WMfNNyjAfBgNVHSMEGDAWgBRwAH+ZIJwSa+FHdOrse22WMfNN
+yjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAe5NcVSUd/POZs
+Jkiep8ATNwXglLAeYxB55F42sXx5OOdKMBmhqWQIVJvaih/wsfKIBfdUGv2L9dH8
+IQgiU1PRYx0baSVJno3HcQTbCqLvnvckusR7IUTDAFj774MvXwS6yV6pXzxDmuh2
+t8hRktOKFeUtdlDYqg9X3Ia3GkoB5huyEbuaZTNcV4TAfU/yAERNIAgRs+fLQU70
+OgGlWsp35J8qPkZKabGf0surDa2xa6iAoFyknxruoKQ8uNSB9KB7/0JvVouNx90+
+ncykWW96GVKs8+H5WGza10FqrchtThSNCSXTtLbTXoK0Atdvu0o04XUbsCGMnlcG
+zAVb3/m0
+-----END CERTIFICATE-----
--- a/SOURCES/shim.rpmmacros
+++ b/SOURCES/shim.rpmmacros
@ -0,0 +1,171 @@
+%global debug_package %{nil}
+%global __brp_mangle_shebangs_exclude_from_file %{expand:%{_builddir}/shim-%{efi_arch}-%{version}-%{release}.%{_target_cpu}-shebangs.txt}
+%global vendor_token_str %{expand:%%{nil}%%{?vendor_token_name:-t "%{vendor_token_name}"}}
+%global vendor_cert_str %{expand:%%{!?vendor_cert_nickname:-c "Red Hat Test Certificate"}%%{?vendor_cert_nickname:-c "%%{vendor_cert_nickname}"}}
+
+%global bootcsvaa64 %{expand:%{SOURCE10}}
+%global bootcsvia32 %{expand:%{SOURCE11}}
+%global bootcsvx64 %{expand:%{SOURCE12}}
+#%%global bootcsvarm %%{expand:%%{SOURCE13}}
+
+%global shimefiaa64 %{expand:%{SOURCE20}}
+%global shimefiia32 %{expand:%{SOURCE21}}
+%global shimefix64 %{expand:%{SOURCE22}}
+#%%global shimefiarm %%{expand:%%{SOURCE23}
+
+%global shimveraa64 15-4.el8
+%global shimveria32 15-8.el8
+%global shimverx64 15-8.el8
+#%%global shimverarm 15-1.el8
+
+%global shimdiraa64 %{_datadir}/shim/%{shimveraa64}/aa64
+%global shimdiria32 %{_datadir}/shim/%{shimveria32}/ia32
+%global shimdirx64 %{_datadir}/shim/%{shimverx64}/x64
+#%%global shimdirarm %%{_datadir}/shim/%%{shimverarm}/arm
+
+%global unsignedaa64 shim-unsigned-aarch64
+%global unsignedia32 shim-unsigned-ia32
+%global unsignedx64 shim-unsigned-x64
+#%%global unsignedarm shim-unsigned-arm
+
+%global bootcsv %{expand:%{bootcsv%{efi_arch}}}
+%global bootcsvalt %{expand:%{bootcsv%{?efi_alt_arch}}}
+%global shimefi %{expand:%{shimefi%{efi_arch}}}
+%global shimefialt %{expand:%{shimefi%{?efi_alt_arch}}}
+%global shimver %{expand:%{shimver%{efi_arch}}}
+%global shimveralt %{expand:%{shimver%{?efi_alt_arch}}}
+%global shimdir %{expand:%{shimdir%{efi_arch}}}
+%global shimdiralt %{expand:%{shimdir%{?efi_alt_arch}}}
+
+%global unsignednone shim-unsigned-none
+%global unsigned %{expand:%%{unsigned%{efi_arch}}}
+%global unsignedalt %{expand:%%{unsigned%{efi_alt_arch}}}
+
+%define define_pkg(a:p:)						\
+%{expand:%%package -n shim-%{-a*}}					\
+Summary: First-stage UEFI bootloader					\
+Requires: mokutil >= 1:0.3.0-1						\
+Requires: efi-filesystem						\
+Provides: shim-signed-%{-a*} = %{version}-%{release}			\
+Requires: dbxtool >= 0.6-3						\
+%{expand:%%if 0%%{-p*}							\
+Provides: shim = %{version}-%{release}					\
+Provides: shim-signed = %{version}-%{release}				\
+Obsoletes: shim-signed < %{version}-%{release}				\
+Obsoletes: shim < %{version}-%{release}					\
+%%endif}								\
+# Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI	\
+# is not compatible with SysV (there's no red zone under UEFI) and	\
+# there isn't a POSIX-style C library.					\
+# BuildRequires: OpenSSL						\
+Provides: bundled(openssl) = 1.0.2j					\
+									\
+%{expand:%%description -n shim-%{-a*}}					\
+Initial UEFI bootloader that handles chaining to a trusted full		\
+bootloader under secure boot environments. This package contains the	\
+version signed by the UEFI signing service.				\
+%{nil}
+
+# -a <efiarch>
+# -i <input>
+%define hash(a:i:d:)							\
+	pesign -i %{-i*} -h -P > shim.hash				\
+	read file0 hash0 < shim.hash					\
+	read file1 hash1 < %{-d*}/shim%{-a*}.hash			\
+	if ! [ "$hash0" = "$hash1" ]; then				\
+		echo Invalid signature\! > /dev/stderr			\
+		echo $hash0 vs $hash1					\
+		exit 1							\
+	fi								\
+	%{nil}
+
+# -i <input>
+# -o <output>
+%define sign(i:o:n:a:c:)									\
+	%{expand:%%pesign -s -i %{-i*} -o %{-o*} %{-n} %{-n*} %{-a} %{-a*} %{-c} %{-c*}}	\
+	%{nil}
+
+# -b <binary prefix>
+# -a <efiarch>
+# -i <input>
+%define distrosign(b:a:d:)						\
+	cp -av %{-d*}/%{-b*}%{-a*}.efi %{-b*}%{-a*}-unsigned.efi	\
+	%{expand:%%sign -i %{-b*}%{-a*}-unsigned.efi -o %{-b*}%{-a*}-signed.efi -n centossecureboot201 -a %{SOURCE2} -c %{SOURCE1} }\
+	%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <1|0> # signed by this builder?
+# -c <1|0> # signed by UEFI CA?
+# -i <shimARCH.efi>
+%define define_build(a:A:b:c:i:d:)					\
+if [ "%{-c*}" = "yes-temporarily-disabled-20180723" ]; then		\
+	%{expand:%%hash -i %{-i*} -a %{-a*} -d %{-d*}}			\
+fi									\
+cp %{-i*} shim%{-a*}.efi						\
+if [ "%{-b*}" = "yes" ]; then						\
+	%{expand:%%distrosign -b shim -a %{-a*} -d %{-d*}}		\
+	mv shim%{-a*}-signed.efi shim%{-a*}-%{efi_vendor}.efi		\
+fi									\
+if [ "%{-c*}" = "no" ]; then						\
+	cp shim%{-a*}-%{efi_vendor}.efi shim%{-a*}.efi			\
+fi									\
+%{expand:%%distrosign -b mm -a %{-a*} -d %{-d*}}			\
+mv mm%{-a*}-signed.efi mm%{-a*}.efi					\
+%{expand:%%distrosign -b fb -a %{-a*} -d %{-d*}}			\
+mv fb%{-a*}-signed.efi fb%{-a*}.efi					\
+rm -vf									\\\
+	mm%{-a*}-unsigned.efi						\\\
+	fb%{-a*}-unsigned.efi						\\\
+	shim%{-a*}-unsigned.efi						\
+%{nil}
+
+# -a <efiarch>
+# -A <EFIARCH>
+# -b <BOOTCSV>
+%define do_install(a:A:b:)						\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}.efi			\
+install -m 0700 shim%{-a*}-%{efi_vendor}.efi				\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/shim%{-a*}-%{efi_vendor}.efi	\
+install -m 0700 mm%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/mm%{-a*}.efi			\
+install -m 0700 %{-b*}							\\\
+	$RPM_BUILD_ROOT%{efi_esp_dir}/BOOT%{-A*}.CSV			\
+install -m 0700 shim%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/BOOT%{-A*}.EFI			\
+install -m 0700 fb%{-a*}.efi						\\\
+	$RPM_BUILD_ROOT%{efi_esp_boot}/fb%{-a*}.efi			\
+%nil
+
+# -a <efiarch>
+# -A <EFIARCH>
+%define define_files(a:A:)						\
+%{expand:%%files -n shim-%{-a*}}					\
+%{efi_esp_dir}/*%{-a*}*.efi						\
+%{efi_esp_dir}/BOOT%{-A*}.CSV						\
+%{efi_esp_boot}/*%{-a*}.efi						\
+%{efi_esp_boot}/*%{-A*}.EFI						\
+%{nil}
+
+%ifarch x86_64
+%global is_signed yes
+%global is_alt_signed yes
+%global provide_legacy_shim 1
+%endif
+%ifarch aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 1
+%endif
+%ifnarch x86_64 aarch64
+%global is_signed no
+%global is_alt_signed no
+%global provide_legacy_shim 0
+%endif
+
+%if ! 0%{?vendor:1}
+%global vendor nopenopenope
+%endif
+
+# vim:filetype=rpmmacros
--- a/SPECS/shim.spec
+++ b/SPECS/shim.spec
@ -0,0 +1,163 @@
+Name:		shim
+Version:	15
+Release:	15%{?dist}
+Summary:	First-stage UEFI bootloader
+License:	BSD
+URL:		https://github.com/rhboot/shim/
+BuildRequires:	efi-filesystem
+BuildRequires:	efi-srpm-macros >= 3-2
+
+ExclusiveArch:	%{efi}
+# but we don't build a .i686 package, just a shim-ia32.x86_64 package
+ExcludeArch:	%{ix86}
+# and we don't have shim-unsigned-arm builds *yet*
+ExcludeArch:	%{arm}
+
+Source0:	shim.rpmmacros
+Source1:	centossecureboot201.crt
+Source2:	centossecurebootca2.crt
+
+# keep these two lists of sources synched up arch-wise.  That is 0 and 10
+# match, 1 and 11 match, ...
+Source10:	BOOTAA64.CSV
+Source20:	shimaa64.efi
+Source11:	BOOTIA32.CSV
+Source21:	shimia32.efi
+Source12:	BOOTX64.CSV
+Source22:	shimx64.efi
+#Source13:	BOOTARM.CSV
+#Source23:	shimarm.efi
+
+%include %{SOURCE0}
+
+BuildRequires:	pesign >= 0.112-20.fc27
+# We need this because %%{efi} won't expand before choosing where to make
+# the src.rpm in koji, and we could be on a non-efi architecture, in which
+# case we won't have a valid expansion here...  To be solved in the future
+# (shim 16+) by making the unsigned packages all provide "shim-unsigned", so
+# we can just BuildRequires that.
+%ifarch x86_64
+BuildRequires:	%{unsignedx64} = %{shimverx64}
+BuildRequires:	%{unsignedia32} = %{shimveria32}
+%endif
+%ifarch aarch64
+BuildRequires:	%{unsignedaa64} = %{shimveraa64}
+%endif
+#%%ifarch arm
+#BuildRequires:	%%{unsignedarm} = %%{shimverarm}
+#%%endif
+
+%description
+Initial UEFI bootloader that handles chaining to a trusted full bootloader
+under secure boot environments. This package contains the version signed by
+the UEFI signing service.
+
+%define_pkg -a %{efi_arch} -p 1
+%if %{efi_has_alt_arch}
+%define_pkg -a %{efi_alt_arch}
+%endif
+
+%prep
+cd %{_builddir}
+rm -rf shim-%{version}
+mkdir shim-%{version}
+
+%build
+
+cd shim-%{version}
+%if %{efi_has_alt_arch}
+%define_build -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -i %{shimefialt} -b yes -c %{is_alt_signed} -d %{shimdiralt}
+%endif
+%define_build -a %{efi_arch} -A %{efi_arch_upper} -i %{shimefi} -b yes -c %{is_signed} -d %{shimdir}
+
+%install
+rm -rf $RPM_BUILD_ROOT
+cd shim-%{version}
+install -D -d -m 0755 $RPM_BUILD_ROOT/boot/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_root}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_efi}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_dir}/
+install -D -d -m 0700 $RPM_BUILD_ROOT%{efi_esp_boot}/
+
+%do_install -a %{efi_arch} -A %{efi_arch_upper} -b %{bootcsv}
+%if %{efi_has_alt_arch}
+%do_install -a %{efi_alt_arch} -A %{efi_alt_arch_upper} -b %{bootcsvalt}
+%endif
+
+%if %{provide_legacy_shim}
+install -m 0700 %{shimefi} $RPM_BUILD_ROOT%{efi_esp_dir}/shim.efi
+%endif
+
+( cd $RPM_BUILD_ROOT ; find .%{efi_esp_root} -type f ) \
+  | sed -e 's/\./\^/' -e 's,^\\\./,.*/,' -e 's,$,$,' > %{__brp_mangle_shebangs_exclude_from_file}
+
+%define_files -a %{efi_arch} -A %{efi_arch_upper}
+%if %{efi_has_alt_arch}
+%define_files -a %{efi_alt_arch} -A %{efi_alt_arch_upper}
+%endif
+
+%if %{provide_legacy_shim}
+%{efi_esp_dir}/shim.efi
+%endif
+
+%changelog
+* Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 15-15
+- Rebuilt for MSVSphere 10
+
+* Fri Jul 31 2020 Peter Jones <pjones@redhat.com> - 15-15
+- Update once again for new signed shim builds.
+  Resolves: rhbz#1862232
+
+* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-14
+- Get rid of our %dist hack for now.
+
+* Tue Jul 28 2020 Peter Jones <pjones@redhat.com> - 15-13
+- New signing keys
+  Related: CVE-2020-10713
+  Related: CVE-2020-14308
+  Related: CVE-2020-14309
+  Related: CVE-2020-14310
+  Related: CVE-2020-14311
+
+* Thu Jun 11 2020 Javier Martinez Canillas <javierm@redhat.com> - 15-12
+- Fix firmware update bug in aarch64 caused by shim ignoring arguments
+- Fix a shim crash when attempting to netboot
+
+* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-11
+- Update the shim-unsigned-aarch64 version number
+  Related: rhbz#1715879
+
+* Fri Jun 07 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-10
+- Add a gating.yaml file so the package can be properly gated
+  Related: rhbz#1681809
+
+* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-9
+- Bump the NVR
+  Related: rhbz#1715879
+
+* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-7
+- Make EFI variable copying fatal only on secureboot enabled systems
+  Resolves: rhbz#1715879
+- Fix booting shim from an EFI shell using a relative path
+  Resolves: rhbz#1717061
+
+* Thu Mar 14 2019 Peter Jones <pjones@redhat.com> - 15-6
+- Fix MoK mirroring issue which breaks kdump without intervention
+  Resolves: rhbz#1668966
+
+* Thu Jan 24 2019 Peter Jones <pjones@redhat.com> - 15-5
+- Rebuild for signing once again. If the signer actually works, then:
+  Resolves: rhbz#1620941
+
+* Tue Oct 16 2018 Peter Jones <pjones@redhat.com> - 15-4
+- Rebuild for signing
+  Resolves: rhbz#1620941
+
+* Mon Aug 13 2018 Troy Dawson <tdawson@redhat.com>
+- Release Bumped for el8 Mass Rebuild
+
+* Sat Aug 11 2018 Troy Dawson <tdawson@redhat.com>
+- Release Bumped for el8+8 Mass Rebuild
+
+* Mon Jul 23 2018 Peter Jones <pjones@redhat.com> - 15-1
+- Build for RHEL 8