Package Details: shim-signed 15.8+ubuntu+1.59-1

Git Clone URL: https://aur.archlinux.org/shim-signed.git (read-only)
Package Base: shim-signed
Description: Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)
Upstream URL: https://packages.ubuntu.com/noble/shim-signed
Keywords: fbx64 mmx64 MokManager SecureBoot shim shimx64 UEFI
Licenses: BSD-2-Clause
Submitter: nl6720
Maintainer: nl6720
Last Packager: nl6720
Votes: 40
Popularity: 0.44
First Submitted: 2016-12-07 12:04 (UTC)
Last Updated: 2025-09-13 11:26 (UTC)

Pinned Comments

nl6720 commented on 2021-05-28 11:19 (UTC)

shim 15.4 requires SBAT. It will not launch EFI binaries without a .sbat section.

nl6720 commented on 2016-12-07 13:17 (UTC) (edited on 2024-12-08 10:29 (UTC) by nl6720)

shimx64.efi is signed with Microsoft's key; it also has a hardcoded Ubuntu key inside. MokManager (mmx64.efi) is signed with Ubuntu's key.

shimx64.efi can launch any EFI binary signed with Microsoft keys.

More information is available on the wiki: Secure Boot#shim.

fbx64.efi scans the ESP for CSV files with bootloader information and adds boot entries to the NVRAM. Read README.fallback.


Alternative signed shim sources:

Latest Comments

adv commented on 2024-04-05 15:49 (UTC)

@nl6720 Would you kindly let us know when the package will be updated? It is currently out of date

philch commented on 2024-04-01 20:48 (UTC) (edited on 2024-04-01 20:51 (UTC) by philch)

Thank you @nl6720 and @solsticedhiver for the response.

Yes I have executed the grub-install command using the helper scripts available in this repository: Aur-secureboot-grub 0.2.3-1 and this script runs without any error and creates the grubx64.efi. The difference I see is that with previous release the command sudo mokutil --list-sbat-revocations returns:

sbat,1,2022052400
grub,2

But, with the present release the output is

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

Which tells me that something is amiss with the sbat versioning.

solsticedhiver commented on 2024-04-01 13:59 (UTC) (edited on 2024-04-01 14:51 (UTC) by solsticedhiver)

@philch Have you tried to re-install grub? Not the package, but the bootloader with grub-install .... With the latest grub package installed, of course.

I think I saw a warning about reinstalling with a recent grub update (of the package)

Note: I don't use grub as bootloader

Edit: Also, looking at the install file of grub, one can see:

  Grub does no longer support side-loading modules when secure boot is
    enabled. Thus booting will fail, unless you have an efi executable
    'grubx64.efi' with bundled modules

nl6720 commented on 2024-04-01 13:04 (UTC)

Sorry, I have no idea about GRUB. All I've read about using Secure Boot + GRUB is that it is a pain.

philch commented on 2024-04-01 12:47 (UTC) (edited on 2024-04-01 12:57 (UTC) by philch)

This release 15.8+ubuntu+1.57-1 is not working on my laptop. Get below error on boot up and PC shuts down:

Verifying shim SBAT: Security Violation Failure Something went terribly wrong [...]

Restoring to earlier version 15.7+ubuntu+1.56-1 and tried re-install and checked the sbat revocation:

sudo mokutil --list-sbat-revocations

sbat,1,2023012900
shim,2
grub,3
grub.debian,4

My current sbat file is as follows:

sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2:2.12-2,https//www.gnu.org/software/grub/
grub.arch,1,Arch Linux,grub,2:2.12-2,https://archlinux.org/packages/core/x86_64/grub/

Please advise.
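
The generation comparison behind the two listings in the comment above, as an added example (not part of the comment and not shim's own code): an image is refused when any component in its .sbat section has a generation lower than the minimum the revocation list names for that component. The function names are hypothetical; the sample data is copied from the comment, and the "older" image is constructed.

```python
import csv
import io

# Revocation list as printed by `mokutil --list-sbat-revocations` in the comment above.
REVOCATIONS = """\
sbat,1,2023012900
shim,2
grub,3
grub.debian,4
"""

# .sbat content quoted in the comment above, copied verbatim.
GRUB_SBAT = """\
sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
grub,3,Free Software Foundation,grub,2:2.12-2,https//www.gnu.org/software/grub/
grub.arch,1,Arch Linux,grub,2:2.12-2,https://archlinux.org/packages/core/x86_64/grub/
"""


def parse_generations(text):
    """Map component name -> generation (first two CSV fields of each row)."""
    gens = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].strip().isdigit():
            gens[row[0].strip()] = int(row[1])
    return gens


def revoked_components(binary_sbat, revocations):
    """Return the components whose generation is below the revocation minimum.

    An image with no parsable .sbat entries is rejected outright, matching the
    pinned note that shim will not launch binaries without a .sbat section.
    Components absent from the revocation list are not restricted.
    """
    image = parse_generations(binary_sbat)
    if not image:
        return ["<missing .sbat>"]
    minimum = parse_generations(revocations)
    return sorted(name for name, gen in image.items()
                  if name in minimum and gen < minimum[name])


if __name__ == "__main__":
    print(revoked_components(GRUB_SBAT, REVOCATIONS))   # image from the comment
    older = GRUB_SBAT.replace("grub,3,", "grub,2,")     # constructed older image
    print(revoked_components(older, REVOCATIONS))
```
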

solsticedhiver commented on 2024-03-31 21:59 (UTC) (edited on 2024-03-31 22:16 (UTC) by solsticedhiver)

There is something weird. The deb package is gone. The package can't be built anymore.

solsticedhiver commented on 2024-03-26 23:04 (UTC)

OK. That's one way to dodge the question.

Also, I am wondering why we need to have all the binaries of the arch installed; because only one will be used, right? Like x86_64 and never any aarch64 efi binaries...

and if you add, later on, the 32bit binaries

nl6720 commented on 2024-03-23 15:04 (UTC)

The EFI binaries are not run in Linux, so I don't see an issue with using arch=('any').

solsticedhiver commented on 2024-03-21 18:22 (UTC) (edited on 2024-03-22 22:51 (UTC) by solsticedhiver)

The package does not follow the PKGBUILD man page and recommended guidelines.

You are supposed to use an arch=('any') if the package contains no architecture specific files. This is not true here because it contains binaries for either x86_64 or aarch64.

You can make a proper multi-arch PKGBUILD i.e. that builds either a x86_64 package or an aarch64 one with this patch applied:


--- PKGBUILD    2024-03-21 19:19:03.227604132 +0100
+++ PKGBUILD.new    2024-03-21 19:17:58.894824873 +0100
@@ -3,34 +3,33 @@
 pkgname='shim-signed'
 pkgver='15.8+ubuntu+1.57'
 pkgrel='1'
-pkgdesc='Initial UEFI bootloader that handles chaining to a trusted full bootloader under secure boot environments (prebuilt x64 and AA64 binaries from Ubuntu)'
+pkgdesc='Secure Boot chain-loading bootloader (Microsoft-signed binary from Ubuntu)'
 url='https://packages.ubuntu.com/noble/shim-signed'
-arch=('any')
+arch=('x86_64' 'aarch64')
 license=('BSD-2-Clause')
 options=('!strip' '!debug')
 install="${pkgname}.install"
-source=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb"
-        "http://ports.ubuntu.com/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
-noextract=("shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
-sha256sums=('532a97f7376ac8e5d7bedb8b2d4283769251266d19a78e3e12ec44f53a1dab6a'
-            '5f942542c21c41ffa14d22b890a6f51ccbfa0b3231f8a475265f90cb6e1cb924')
-sha512sums=('de1c60b442d7484aa210c308ca422fe0d93439b50aeba192d2bbec7ec4d92779355d6ca838bb3d221fad8c4ea343dae37c13606200daf6f8f1436b120a4e9690'
-            'ed0c856460c5a2aef8d9c4214ee9f2ba0c4926c4efec8add7171c0adada68f6c87f43461d67f8ca8747e9eaa037b2b90810d8daebecbc1c3a67bea34f781ea3e')
+source_x86_64=("http://archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_amd64.deb")
+source_aarch64=("http://ports.ubuntu.com/pool/main/s/shim-signed/shim-signed_${pkgver##*+ubuntu+}+${pkgver%%+ubuntu*}-0ubuntu1_arm64.deb")
+sha256sums_x86_64=('532a97f7376ac8e5d7bedb8b2d4283769251266d19a78e3e12ec44f53a1dab6a')
+sha256sums_aarch64=('5f942542c21c41ffa14d22b890a6f51ccbfa0b3231f8a475265f90cb6e1cb924')
+sha512sums_x86_64=('de1c60b442d7484aa210c308ca422fe0d93439b50aeba192d2bbec7ec4d92779355d6ca838bb3d221fad8c4ea343dae37c13606200daf6f8f1436b120a4e9690')
+sha512sums_aarch64=('ed0c856460c5a2aef8d9c4214ee9f2ba0c4926c4efec8add7171c0adada68f6c87f43461d67f8ca8747e9eaa037b2b90810d8daebecbc1c3a67bea34f781ea3e')

 prepare() {
    local debfile

    cd "$srcdir"
    bsdtar -xf data.tar.xz
-   for debfile in ${noextract[@]}; do
-       bsdtar -xOf "$debfile" data.tar.xz | bsdtar -x usr/lib/shim/
-   done
 }

-
 package() {
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/shimaa64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimaa64.efi"
-   install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}{x64,aa64}".efi" "${pkgdir}/usr/share/${pkgname}/"
+   if [ $CARCH == "x86_64" ] ;then
+       install -Dm0644 "${srcdir}/usr/lib/shim/shimx64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimx64.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}x64".efi" "${pkgdir}/usr/share/${pkgname}/"
+   elif [ "$CARCH" == "aarch64" ] ;then
+       install -Dm0644 "${srcdir}/usr/lib/shim/shimaa64.efi.signed.latest" "${pkgdir}/usr/share/${pkgname}/shimaa64.efi"
+       install -Dm0644 "${srcdir}/usr/lib/shim/"{mm,fb}aa64".efi" "${pkgdir}/usr/share/${pkgname}/"
+   fi
    install -Dm0644 "${srcdir}/usr/share/doc/shim-signed/copyright" "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
 }
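
Review bot: In package(), the first test leaves $CARCH unquoted ([ $CARCH == "x86_64" ]) while the elif quotes it; quote both, or use a single case "$CARCH" in ... esac so the two branches read the same. There is also no fallback branch, so a CARCH matching neither value would yield a package containing only the LICENSE file; an explicit else that returns non-zero would surface that. In prepare(), local debfile is unused now that the loop is removed and can be dropped. The new source_x86_64 and source_aarch64 URLs are still plain http, so the per-arch sha256sums and sha512sums arrays are the only integrity check on the downloaded .deb and each must be kept in step with its source array.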

The pkgdesc is also quite long and could be shorter than 100 characters.

nl6720 commented on 2024-03-21 11:32 (UTC) (edited on 2024-03-21 11:32 (UTC) by nl6720)

For 15.8, it looks like going with Fedora's shim-15.8-3 is not a good idea. shimia32.efi and shimaa64.efi are unsigned while other aa64 binaries are signed by "Red Hat Test Certifying CA"?! Only x64 binaries look ok.