953000 – sys-boot/shim secureboot.eclass doesn't sign the shim iteself

Bug 953000 - sys-boot/shim secureboot.eclass doesn't sign the shim iteself

Summary: sys-boot/shim secureboot.eclass doesn't sign the shim iteself

Status:	UNCONFIRMED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Rick Farina (Zero_Chaos)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2025-04-01 11:38 UTC by Mark Liman
Modified:	2025-04-01 15:23 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Liman 2025-04-01 11:38:31 UTC

The secureboot_auto_sign --in-place function that is part of the shim ebuild doesn't sign the sign the shim itself, it only signs the mmx64.efi file due to the shim being named BOOTX64.EFI in uppercase it gets missed by the function

find "${ED}" -type f \
			\( -iname '*.efi' -o -iname '*.efi32' -o -iname '*.efi64' \) \
			-print0 || die

as it only searches for lowercase named files, this may be intended behavior however, if you want to use the shim with your own secure boot keys your alternatives are building the shim from source, where ironically the secureboot_auto_sign function will work because the source build output is lowercase named, or manually signing which seems like an unnecessary extra step.