[Merge] ~juliank/shim/+git/shim-signed:alternatives into ~ubuntu-core-dev/shim/+git/shim-signed:master

Steve Langasek mp+436050 at code.launchpad.net
Fri Jan 27 16:13:17 UTC 2023 

Review: Needs Fixing



Diff comments:

> diff --git a/debian/shim-signed.postinst b/debian/shim-signed.postinst
> old mode 100644
> new mode 100755
> index ebc0c42..e46be3f
> --- a/debian/shim-signed.postinst
> +++ b/debian/shim-signed.postinst
> @@ -54,13 +123,32 @@ case $(dpkg --print-architecture) in
>  	grubarch=arm64-efi
>  	;;
>  esac
> -case $1 in
> -    triggered)
> +case "$1:$2" in
> +	triggered:shim-secureboot-policy)

-1 on the indentation changes, makes the case block less readable

>  	if [ -e /var/lib/shim-signed/mok/MOK.priv ]; then
>  	    SHIM_NOTRIGGER=y update-secureboot-policy --enroll-key
>  	fi
>  	;;
> -    configure)
> +	triggered:shim-kernel-check)
> +	setup_alternatives
> +	# If we did not switch to the latest shim, do not reinstall shim and grub.
> +	if update-alternatives --query shimx64.efi.signed | grep "Best: /usr/lib/shim/shimx64.efi.signed.previous" -q; then
> +		exit 0
> +	fi

doesn't this check need to happen before invoking setup_alternatives, which will reorder the alternatives and thus change the output of update-alternatives --query to report the current shim as Best?

> +	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
> +			 cut -d' ' -f1)"
> +	case $bootloader_id in
> +	    kubuntu) bootloader_id=ubuntu ;;
> +	esac
> +	# Check /boot/grub to see if we previously installed to an ESP. We don't
> +	# want to trigger the install code just by installing the package,
> +	# normally the installer installs grub itself first.
> +	if [ -e /boot/grub/${grubarch}/core.efi ]; then
> +	    /usr/lib/grub/grub-multi-install --target=${grubarch} --auto-nvram
> +	fi
> +    ;;
> +	configure:*)
> +	setup_alternatives
>  	bootloader_id="$(config_item GRUB_DISTRIBUTOR | tr A-Z a-z | \
>  			 cut -d' ' -f1)"
>  	case $bootloader_id in


-- 
https://code.launchpad.net/~juliank/shim/+git/shim-signed/+merge/436050
Your team Ubuntu Core Development Team is subscribed to branch ~ubuntu-core-dev/shim/+git/shim-signed:master.

More information about the Ubuntu-reviews mailing list