Package Details: shim-signed 15.7+ubuntu+1.56-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only, click to copy)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 27
Popularity: 0.46
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2023-12-15 09:26 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)

shimx64.efi is signed with Microsoft key, they also have a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scan the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments

1 2 3 4 Next › Last »

nl6720 commented on 2023-12-19 11:16 (UTC) (edited on 2023-12-21 10:13 (UTC) by nl6720)

Using Debian's shim would require adding an epoch to the PKGBUILD. :(

If anyone wants to try, here's an untested diff (without the epoch):

diff --git a/PKGBUILD b/PKGBUILD
index e7fa104647005d6d752191f627ea13da9168cb1b..fdac313830baef1be4a7dab0482e89e3be93339a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,25 +1,50 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.7+ubuntu+1.56'
+pkgver='15.7+debian+1.40'
 pkgrel='1'
-pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 binaries from Ubuntu)'
-url='https://packages.ubuntu.com/noble/shim-signed'
+pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64, IA32 and AA64 binaries from Debian)'
+url='https://tracker.debian.org/pkg/shim-signed'
 arch=('any')
 license=('BSD')
 options=('!strip')
 install="${pkgname}.install"
-source=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb")
-sha256sums=('b2d84b300e68ac2139afee3f9a609857ef80f12eed9218087ced4b31ecb7fd76')
-sha512sums=('43ee11ec0ed04f224fb7452b2baaca45882a719063879f423c4118b6b99e99fd3fb20fa1a7de02af7b885f4d5c5e86e9868fb41557e74c52fbf04e3988199bd6')
+source=("http://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_${pkgver##*+debian+}.tar.xz"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-i386-signed/shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-arm64-signed/shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+noextract=("shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+           "shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+           "shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+md5sums=('1dcbbb922e650db660c773227cbe9eeb'
+         '5fc737504651ec2d22cd0e425546b6b1'
+         'a2b4ddc85455662c76f59ba6487c13ef'
+         '0fb529c47fcc7cca9c675a771a4717cd')
+sha256sums=('4b2672a177acc5a7e1a8a1d88e118d07918dce51aa60ae26a99edce4f48e9ca5'
+            '81218cec1bacf045a30c8215e92c433b53bc51f9be9010baba4ffd71093437f3'
+            'd22b5b9db03ce3e52404dc4afa2a61398bfe4e3b18d292ae8f2461c2176fa9e0'
+            '84374882eccc15a10418fbc31d15f7f74cc9619089847d4d145ba562281e02dd')
+sha512sums=('f3eab6fbb65cd55b894917f8b09abd4ed326a96f6d8d14793c79a4a5586797c82671e9023043227a586c444ba8a83ec412370965e43ca165b5a2f900890a9e99'
+            'e0e075d746b24b240042d59a0f0db2155d3f1f1ff729d63a12b2852a1b54ee1e557f00d8f80a3f075e4786c1e6e752748d266a20fce0c9bd1f2bef47697e2e01'
+            '88ade890592e3725f42e220925a2c9485df6625f3af311d9c2c2ae58c7c6d37cc8efe051dcf87e6ecf8f083422cfeeb2e1c76045ded67f87b053bddc151f9028'
+            'a03f88589455b4b61489107ef7f64adb4099772fade3632376668e392018be79089a064de2c57fd0bad0dafc73c25a10c7ed5608dc36c25194290d0b188d872a')

 prepare() {
+   local debfile
+
    cd "$srcdir"
-   bsdtar -xf data.tar.xz
+   for debfile in ${noextract[@]}; do
+       bsdtar -xOf "$debfile" data.tar.xz | bsdtar -x usr/lib/shim/
+   done
 }

 package() {
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}x64.efi "${pkgdir}/usr/share/${pkgname}/"
-   install -Dm0644 "${srcdir}/usr/share/doc/shim-signed/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+   local uefiarch
+
+   for uefiarch in x64 ia32 aa64; do
+       install -Dm0644 "${srcdir}/shim-signed.git/shim${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/shim${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/mm${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/mm${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/fb${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/fb${uefiarch}.efi"
+   done
+   install -Dm0644 "${srcdir}/shim-signed.git/debian/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }

ItachiSan commented on 2023-12-15 13:24 (UTC)

Great update :)

I may also suggest in the future using the Debian package, as they support also x86_32 and ARM64: https://tracker.debian.org/pkg/shim-signed

Otherwise, you can ping this comment and people will know they can fetch the stuff from the Debian binary :)

Jark5455 commented on 2023-06-27 23:01 (UTC) (edited on 2023-06-27 23:02 (UTC) by Jark5455)

Ubuntus shim appears to be signed right now until 2042, can we use that for now? They also appear to be still updating it.

nl6720 commented on 2023-06-27 16:46 (UTC)

There's a Fedora bug for the expired certificate: https://bugzilla.redhat.com/show_bug.cgi?id=2198977

Reading an unrelated bug, it doesn't appear like Fedora (or anyone else?) will release a new signed shim anytime soon.

Jark5455 commented on 2023-06-22 16:40 (UTC) (edited on 2023-06-27 23:14 (UTC) by Jark5455)

I am not sure if this should go here or to fedoras page, but currently when I try to boot the os from the grub menu I receive the error "bad shim signature". Running mokutil --list-enrolled shows that the fedora signature expired on Dec 5 2022.

Edit: This is a grub issue https://bbs.archlinux.org/viewtopic.php?id=286617

nl6720 commented on 2022-11-26 17:11 (UTC)

Please do not flag the package out-of-date if there is no updated Fedora package available.

adrianinsaval commented on 2022-07-05 21:46 (UTC)

How hard would it be to provide a grub-signed package alongside this? The instructions in the wiki to use grub no longer work, it seems it's necessary to use grub-mkimage instead of grub-install but I'm not sure how to do this, for now I just used a copy of fedora's signed grub but it would be better to have a package for this

tom.ty89 commented on 2022-05-31 14:41 (UTC) (edited on 2022-05-31 14:46 (UTC) by tom.ty89)

It seems to me that it's a bad idea to include fbx64.efi in the package, especially when bootx64.csv is not included, since shim will appear to fail with no reason if a user copied fbx64.efi to the ESP as well (by doing something like cp /usr/share/shim-signed/*x64.efi $esp/EFI/BOOT/; ...; mv|cp $esp/EFI/BOOT/{shim,boot}x64.efi).

I suppose it will fail too if shimx64.efi is renamed (instead of copied) to bootx64.efi even if bootx64.csv is included. So it probably is still bad unless it ships also bootx64.efi (a dup of shimx64.efi).

Added a note on the wiki page already though.

nl6720 commented on 2022-05-27 08:24 (UTC)

I added shimia32.efi, mmia32.efi and fbia32.efi to the package. IMHO the files are small enough to not warrant a separate package.