Package Details: shim-signed 15.8+ubuntu+1.58-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 30
Popularity: 2.33
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2024-04-10 11:55 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2023-12-15 09:27 (UTC) by nl6720)

shimx64.efi is signed with the Microsoft key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.

Latest Comments


solsticedhiver commented on 2024-03-21 18:22 (UTC) (edited on 2024-03-22 22:51 (UTC) by solsticedhiver)

The package does not follow the PKGBUILD man page and recommended guidelines.

You are supposed to use an arch=('any') if the package contains no architecture-specific files. This is not true here because it contains binaries for either x86_64 or aarch64.

You can make a proper multi-arch PKGBUILD, i.e. one that builds either an x86_64 package or an aarch64 one, with this patch applied:


--- PKGBUILD    2024-03-21 19:19:03.227604132 +0100
+++ PKGBUILD.new    2024-03-21 19:17:58.894824873 +0100
@@ -3,34 +3,33 @@
 pkgname='shim-signed'
 pkgver='15.8+ubuntu+1.57'
 pkgrel='1'
-pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)'
+pkgdesc='Secure Boot chain-loading bootloader (Microsoft-signed binary from Ubuntu)'
 url='https://packages.ubuntu.com/noble/shim-signed'
-arch=('any')
+arch=('x86_64' 'aarch64')
 license=('BSD-2-Clause')
 options=('!strip' '!debug')
 install="${pkgname}.install"
-source=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb"
-        "http://ports.ubuntu.com/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
-noextract=("shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
-sha256sums=('532a97f7376ac8e5d7bedb8b2d4283769251266d19a78e3e12ec44f53a1dab6a'
-            '5f942542c21c41ffa14d22b890a6f51ccbfa0b3231f8a475265f90cb6e1cb924')
-sha512sums=('de1c60b442d7484aa210c308ca422fe0d93439b50aeba192d2bbec7ec4d92779355d6ca838bb3d221fad8c4ea343dae37c13606200daf6f8f1436b120a4e9690'
-            'ed0c856460c5a2aef8d9c4214ee9f2ba0c4926c4efec8add7171c0adada68f6c87f43461d67f8ca8747e9eaa037b2b90810d8daebecbc1c3a67bea34f781ea3e')
+source_x86_64=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb")
+source_aarch64=("http://ports.ubuntu.com/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
+sha256sums_x86_64=('532a97f7376ac8e5d7bedb8b2d4283769251266d19a78e3e12ec44f53a1dab6a')
+sha256sums_aarch64=('5f942542c21c41ffa14d22b890a6f51ccbfa0b3231f8a475265f90cb6e1cb924')
+sha512sums_x86_64=('de1c60b442d7484aa210c308ca422fe0d93439b50aeba192d2bbec7ec4d92779355d6ca838bb3d221fad8c4ea343dae37c13606200daf6f8f1436b120a4e9690')
+sha512sums_aarch64=('ed0c856460c5a2aef8d9c4214ee9f2ba0c4926c4efec8add7171c0adada68f6c87f43461d67f8ca8747e9eaa037b2b90810d8daebecbc1c3a67bea34f781ea3e')

 prepare() {
    local debfile

    cd "$srcdir"
    bsdtar -xf data.tar.xz
-   for debfile in ${noextract[@]}; do
-       bsdtar -xOf "$debfile" data.tar.xz | bsdtar -x usr/lib/shim/
-   done
 }

-
 package() {
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimaa64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimaa64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}{x64,aa64}".efi" "${pkgdir}/usr/share/${pkgname}/"
+   if [ $CARCH == "x86_64" ] ;then
+       install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}x64".efi" "${pkgdir}/usr/share/${pkgname}/"
+   elif [ "$CARCH" == "aarch64" ] ;then
+       install -Dm0644 "${srcdir}/usr/lib/shim/shimaa64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimaa64.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}aa64".efi" "${pkgdir}/usr/share/${pkgname}/"
+   fi
    install -Dm0644 "${srcdir}/usr/share/doc/shim-signed/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
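
Review bot: in package(), the first test reads [ $CARCH == "x86_64" ] with $CARCH unquoted while the elif quotes it, and there is no else branch, so if the build is ever run with another CARCH (for example with makepkg's --ignorearch) neither branch runs and the package would contain only the LICENSE file. Quote both tests and add an else that prints an error and returns non-zero. prepare() also keeps local debfile although the loop that used it is removed, and both source URLs remain plain http, which leaves the sha256sums/sha512sums arrays as the only integrity check on the downloaded binaries.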

The pkgdesc is also quite long and could be shorter than 100 characters.

nl6720 commented on 2024-03-21 11:32 (UTC) (edited on 2024-03-21 11:32 (UTC) by nl6720)

For 15.8, it looks like going with Fedora's shim-15.8-3 is not a good idea. shimia32.efi and shimaa64.efi are unsigned while other aa64 binaries are signed by "Red Hat Test Certifying CA"?! Only x64 binaries look ok.
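
Added example (not code from this package or from any commenter): a small PE/COFF header reader that checks the two properties raised in the comments on this page, whether an EFI binary carries a .sbat section (the pinned note about shim 15.4) and whether a signature is attached at all (the comment above about unsigned binaries). The function names and the sample image are constructed for illustration.

```python
import struct

def inspect_efi(data: bytes) -> dict:
    """List PE/COFF sections; report .sbat and attached-signature presence."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    n_sections, opt_size = struct.unpack_from("<H12xH", data, pe_off + 6)
    opt = pe_off + 24
    (magic,) = struct.unpack_from("<H", data, opt)
    # Data directories start at +112 in PE32+ (0x20B) and +96 in PE32.
    dirs = opt + (112 if magic == 0x20B else 96)
    (n_dirs,) = struct.unpack_from("<I", data, dirs - 4)
    cert_size = 0
    if n_dirs > 4:  # directory 4 is the certificate (Authenticode) table
        _, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    names = []
    for i in range(n_sections):
        raw = data[opt + opt_size + 40 * i:][:8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    # signed=True only means a signature blob is attached; it says nothing
    # about who signed it or whether the firmware or shim trusts that signer.
    return {"sections": names, "has_sbat": ".sbat" in names,
            "signed": cert_size > 0}

def build_sample(sections, cert_size=0) -> bytes:
    """Constructed PE32+ headers only (no code, not bootable), for the demo."""
    opt = struct.pack("<H", 0x20B).ljust(108, b"\0") + struct.pack("<I", 16)
    directories = bytearray(16 * 8)
    struct.pack_into("<II", directories, 4 * 8, 0x400, cert_size)
    opt += bytes(directories)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0)
    table = b"".join(n.encode().ljust(40, b"\0") for n in sections)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + coff + opt + table

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the .efi files copied to the ESP
        with open(path, "rb") as fh:
            print(path, inspect_efi(fh.read()))
```

Run against the bootloader and kernel images that shim is expected to launch: a result with has_sbat False matches the case the pinned comment says shim will refuse, and signed False matches the unsigned binaries described above.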

Shorrer commented on 2024-03-18 22:48 (UTC)

Apparently Fedora now updated its certificate in their shim package, according to the previously mentioned bug report: https://bugzilla.redhat.com/show_bug.cgi?id=2198977 It is also a newer version (15.8).

nl6720 commented on 2023-12-19 11:16 (UTC) (edited on 2023-12-21 10:13 (UTC) by nl6720)

Using Debian's shim would require adding an epoch to the PKGBUILD. :(

If anyone wants to try, here's an untested diff (without the epoch):

diff --git a/PKGBUILD b/PKGBUILD
index e7fa104647005d6d752191f627ea13da9168cb1b..fdac313830baef1be4a7dab0482e89e3be93339a 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -1,25 +1,50 @@
 # Maintainer: nl6720 <nl6720@archlinux.org>

 pkgname='shim-signed'
-pkgver='15.7+ubuntu+1.56'
+pkgver='15.7+debian+1.40'
 pkgrel='1'
-pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 binaries from Ubuntu)'
-url='https://packages.ubuntu.com/noble/shim-signed'
+pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64, IA32 and AA64 binaries from Debian)'
+url='https://tracker.debian.org/pkg/shim-signed'
 arch=('any')
 license=('BSD')
 options=('!strip')
 install="${pkgname}.install"
-source=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb")
-sha256sums=('b2d84b300e68ac2139afee3f9a609857ef80f12eed9218087ced4b31ecb7fd76')
-sha512sums=('43ee11ec0ed04f224fb7452b2baaca45882a719063879f423c4118b6b99e99fd3fb20fa1a7de02af7b885f4d5c5e86e9868fb41557e74c52fbf04e3988199bd6')
+source=("http://deb.debian.org/debian/pool/main/s/shim-signed/shim-signed_${pkgver##*+debian+}.tar.xz"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-i386-signed/shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+        "http://ftp.debian.org/debian/pool/main/s/shim-helpers-arm64-signed/shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+noextract=("shim-helpers-amd64-signed_1+${pkgver%%+debian+*}+1_amd64.deb"
+           "shim-helpers-i386-signed_1+${pkgver%%+debian+*}+1_i386.deb"
+           "shim-helpers-arm64-signed_1+${pkgver%%+debian+*}+1_arm64.deb")
+md5sums=('1dcbbb922e650db660c773227cbe9eeb'
+         '5fc737504651ec2d22cd0e425546b6b1'
+         'a2b4ddc85455662c76f59ba6487c13ef'
+         '0fb529c47fcc7cca9c675a771a4717cd')
+sha256sums=('4b2672a177acc5a7e1a8a1d88e118d07918dce51aa60ae26a99edce4f48e9ca5'
+            '81218cec1bacf045a30c8215e92c433b53bc51f9be9010baba4ffd71093437f3'
+            'd22b5b9db03ce3e52404dc4afa2a61398bfe4e3b18d292ae8f2461c2176fa9e0'
+            '84374882eccc15a10418fbc31d15f7f74cc9619089847d4d145ba562281e02dd')
+sha512sums=('f3eab6fbb65cd55b894917f8b09abd4ed326a96f6d8d14793c79a4a5586797c82671e9023043227a586c444ba8a83ec412370965e43ca165b5a2f900890a9e99'
+            'e0e075d746b24b240042d59a0f0db2155d3f1f1ff729d63a12b2852a1b54ee1e557f00d8f80a3f075e4786c1e6e752748d266a20fce0c9bd1f2bef47697e2e01'
+            '88ade890592e3725f42e220925a2c9485df6625f3af311d9c2c2ae58c7c6d37cc8efe051dcf87e6ecf8f083422cfeeb2e1c76045ded67f87b053bddc151f9028'
+            'a03f88589455b4b61489107ef7f64adb4099772fade3632376668e392018be79089a064de2c57fd0bad0dafc73c25a10c7ed5608dc36c25194290d0b188d872a')

 prepare() {
+   local debfile
+
    cd "$srcdir"
-   bsdtar -xf data.tar.xz
+   for debfile in ${noextract[@]}; do
+       bsdtar -xOf "$debfile" data.tar.xz | bsdtar -x usr/lib/shim/
+   done
 }

 package() {
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}x64.efi "${pkgdir}/usr/share/${pkgname}/"
-   install -Dm0644 "${srcdir}/usr/share/doc/shim-signed/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+   local uefiarch
+
+   for uefiarch in x64 ia32 aa64; do
+       install -Dm0644 "${srcdir}/shim-signed.git/shim${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/shim${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/mm${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/mm${uefiarch}.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/fb${uefiarch}.efi.signed" "${pkgdir}/usr/share/${pkgname}/fb${uefiarch}.efi"
+   done
+   install -Dm0644 "${srcdir}/shim-signed.git/debian/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
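
Review bot: the added md5sums array is redundant next to sha256sums and sha512sums for the same four sources, and MD5 is not collision resistant, so drop it. In prepare(), the loop expands ${noextract[@]} unquoted; write "${noextract[@]}" so the file names are not word-split. package() reads the shim binaries from ${srcdir}/shim-signed.git/, but the source is a .tar.xz whose top-level directory name is not visible here, so that path needs confirming before this is built. All four sources are also fetched over plain http, which leaves the checksum arrays as the only integrity check on the downloaded binaries.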

ItachiSan commented on 2023-12-15 13:24 (UTC)

Great update :)

I may also suggest in the future using the Debian package, as they support also x86_32 and ARM64: https://tracker.debian.org/pkg/shim-signed

Otherwise, you can ping this comment and people will know they can fetch the stuff from the Debian binary :)

Jark5455 commented on 2023-06-27 23:01 (UTC) (edited on 2023-06-27 23:02 (UTC) by Jark5455)

Ubuntu's shim appears to be signed right now until 2042, can we use that for now? They also appear to be still updating it.

nl6720 commented on 2023-06-27 16:46 (UTC)

There's a Fedora bug for the expired certificate: https://bugzilla.redhat.com/show_bug.cgi?id=2198977

Reading an unrelated bug, it doesn't appear like Fedora (or anyone else?) will release a new signed shim anytime soon.

Jark5455 commented on 2023-06-22 16:40 (UTC) (edited on 2023-06-27 23:14 (UTC) by Jark5455)

I am not sure if this should go here or to Fedora's page, but currently when I try to boot the OS from the GRUB menu I receive the error "bad shim signature". Running mokutil --list-enrolled shows that the Fedora signature expired on Dec 5 2022.

Edit: This is a grub issue https://bbs.archlinux.org/viewtopic.php?id=286617

nl6720 commented on 2022-11-26 17:11 (UTC)

Please do not flag the package out-of-date if there is no updated Fedora package available.

adrianinsaval commented on 2022-07-05 21:46 (UTC)

How hard would it be to provide a grub-signed package alongside this? The instructions in the wiki to use grub no longer work, it seems it's necessary to use grub-mkimage instead of grub-install but I'm not sure how to do this, for now I just used a copy of Fedora's signed grub but it would be better to have a package for this.