shim (15.8-1+pmx1) bookworm; urgency=medium

  * Bump version for Proxmox build.

 -- Proxmox Support Team <support@proxmox.com>  Tue, 07 May 2024 09:08:22 +0200

shim (15.8-1~deb12u1) bookworm; urgency=medium

  [ Steve McIntyre ]
  * Cope with changes in pesign packaging.
  * New upstream release fixing more bugs
  * Remove all our previous patches, no longer needed:
    + Make-sbat_var.S-parse-right-with-buggy-gcc-binutils.patch (now
      upstream)
    + Enable-NX.patch (we don't want NX just yet until the whole boot
      stack is NX-capable)
    + block-grub-sbat3-debian.patch (not needed now upstream grub SBAT
      is 4)
  * Cherry-pick 2 new patches from upstream for grub revocations:
    + 0001-sbat-Add-grub.peimage-2-to-latest-CVE-2024-2312.patch
    + 0002-sbat-Also-bump-latest-for-grub-4-and-to-todays-date.patch
  * Log if the build is nx-compatible or not
  * Force shim to use the latest revocations by default to block some
    older grub / peimage issues. This is:
    "shim,4\ngrub,4\ngrub.peimage,2\n"
  * Install a copy of the Debian CA certificate into /usr/share/shim.
    Closes: #1069054
  * Clean up better after build. Closes: #1046268

  [ Bastien Roucariès ]
  * Port autopkgtest from ubuntu
  * Import MR-12: "shim-unsigned:amd64 cannot be installed alongside
    shim-unsigned:i386", thanks to adrian15 adrian15 (Closes: #936009).
  * Fix debian/watch and check signature

 -- Steve McIntyre <93sam@debian.org>  Sat, 04 May 2024 21:28:21 +0100

shim (15.7-1+pmx1) bookworm; urgency=medium

  * Bump version for Proxmox build.

 -- Proxmox Support Team <support@proxmox.com>  Mon, 20 Mar 2023 10:32:21 +0100

shim (15.7-1) unstable; urgency=medium

  * New upstream release fixing more bugs
  * Add further patches from upstream:
    + Make sbat_var.S parse right with buggy gcc/binutils
    + Enable NX support at build time, as required by policy for signing
      new shim binaries.
  * Switch to using gcc-12. Closes: #1022180
  * Update to Standards-Version 4.6.2 (no changes needed)
  * Block Debian grub binaries with sbat < 4 (see #1024617)

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Jan 2023 18:11:23 +0000

shim (15.6-1) unstable; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - fix-32b-format-strings.patch
      - fix-test-includes.patch

 -- Steve McIntyre <93sam@debian.org>  Thu, 21 Jul 2022 14:04:01 +0200

shim (15.5-1) UNRELEASED; urgency=medium

  * New upstream release fixing more bugs
    + Remove all our old patches, all now upstream:
      - Don-t-call-QueryVariableInfo-on-EFI-1.10-machines.patch
      - MOK-BootServicesData.patch
      -	fix-broken-ia32-reloc.patch
      -	fix-import_one_mok_state.patch
      - fix_arm64_rela_sections.patch
      - relax_check_for_import_mok_state.patch
  * Fix format strings for 32-bit builds
  * Tweak setup for dh_auto_test so the tests work
  * Add new build-dep on libefivar-dev for tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 27 Apr 2022 22:50:08 +0100

shim (15.4-7) unstable; urgency=high

  * Tweak how we call grub-install; don't abort on error. Not ideal
    behaviour either, but don't break upgrades. Copy the behaviour
    from the grub packages here. Closes: #990966

 -- Steve McIntyre <93sam@debian.org>  Mon, 12 Jul 2021 08:53:54 +0100

shim (15.4-6) unstable; urgency=high

  * Add arm64 patch to tweak section layout and stop crashing
    problems. Upstream issue #371. Closes: #990082, #990190
  * In insecure mode, don't abort if we can't create the MokListXRT
    variable. Upstream issue #372. Closes: #989962, #990158

 -- Steve McIntyre <93sam@debian.org>  Wed, 23 Jun 2021 19:03:54 +0100

shim (15.4-5) unstable; urgency=medium

  * Add defensive code around calls to db_get. Don't fail if they
    return errors.

 -- Steve McIntyre <93sam@debian.org>  Thu, 06 May 2021 00:37:49 +0100

shim (15.4-4) unstable; urgency=medium

  * Fix up those maintainer scripts - if we're not running on an EFI
    system then exit cleanly.

 -- Steve McIntyre <93sam@debian.org>  Tue, 04 May 2021 17:53:21 +0100

shim (15.4-3) unstable; urgency=medium

  * Add maintainer scripts to the template packages to manage
    installing and removing fbXXX.efi and mmXXX.efi when we
    install/remove the shim-helpers-$arch-signed packages.
    Closes: #966845

 -- Steve McIntyre <93sam@debian.org>  Mon, 03 May 2021 20:48:49 +0100

shim (15.4-2) unstable; urgency=medium

  * Add two further patches from upstream:
    + fix import_one_mok_state() after split
    + Don't call QueryVariableInfo() on EFI 1.10 machines (e.g. older
      Intel Mac machines)

 -- Steve McIntyre <93sam@debian.org>  Wed, 21 Apr 2021 00:23:02 +0100

shim (15.4-1) unstable; urgency=medium

  * New upstream release fixing more bugs: SBAT and arm64 support
  * Print sha256 checksums of the EFI binaries when the build is done
  * Add two patches from upstream:
    + fix i386 binary relocations
    + allocate MOK config table as BootServicesData

 -- Steve McIntyre <93sam@debian.org>  Wed, 31 Mar 2021 18:25:00 +0100

shim (15.3-3) unstable; urgency=medium

  * Update the timestamp for the 15.3-2 upload.
  * Only include the upstream version in the Debian SBAT metadata, so
    we don't break reproducibility on every minor packaging change.

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 13:21:05 +0000

shim (15.3-2) unstable; urgency=medium

  * Add missing build-dep on xxd for build-time unit tests

 -- Steve McIntyre <93sam@debian.org>  Wed, 24 Mar 2021 02:21:53 +0000

shim (15.3-1) unstable; urgency=medium

  [ Steve McIntyre ]
  * Switch to much-newer release with many fixes
    + Particularly pulling in SBAT changes for better revocation support
    + Remove all our old patches, no longer needed:
      - avoid_null_vsprint.patch
      - check_null_sn_ln.patch
      - fixup_git.patch
      - uname.patch
      - use_compare_mem_gcc9.patch
    + Now includes a vendor copy of gnu-efi with quite a few extra
      fixes needed.
    + Update copyright file to cover these changes
  * Switch to using gcc-10 rather than gcc-9. Closes: #978521
  * Add dbx entries for all our existing grub binaries
    + They're insecure, let's break the chainloading hole.
  * Add Debian SBAT data
    + Add a Debian SBAT template, and rules to use it
    + Adds a build-dep on dos2unix

 -- Steve McIntyre <93sam@debian.org>  Tue, 23 Mar 2021 23:39:48 +0000

shim (15+1533136590.3beb971-10) unstable; urgency=medium

  [ Debian Janitor ]
  * Trim trailing whitespace.
  * Use secure copyright file specification URI.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Bump debhelper from old 11 to 12.
  * Set debhelper-compat version in Build-Depends.
  * Set upstream metadata fields: Bug-Database, Bug-Submit.
  * Update standards version to 4.4.1, no changes needed.

  [ Steve McIntyre ]
  * Trivial changes to generating the inbuilt dbx if we're using it.
  * Upload to pick up rotated Debian signing keys

 -- Steve McIntyre <93sam@debian.org>  Fri, 24 Jul 2020 01:22:46 +0100

shim (15+1533136590.3beb971-9) unstable; urgency=medium

  [ Steve McIntyre ]
  * In the -helpers-ARCH-signed packages, change the version
    dependency on shim-unsigned to be >= and not =. This will allow
    for installation to still work in the window while we wait for the
    template package to do its second trip through the
    archive. Closes: #955356

 -- Steve McIntyre <93sam@debian.org>  Mon, 30 Mar 2020 15:19:08 +0100

shim (15+1533136590.3beb971-8) unstable; urgency=medium

  [ Steve McIntyre ]
  * Use --padding when calling pesign to generate hashes for the dbx
    list, as recommended by Peter Jones. No actual changes needed in
    our list of hashes at this point - they work out the same either
    way.
  * Switch to using gcc-9 for builds, tweaking a patch from upstream
    to fix a FTBFS. Closes: #925816
  * Update debhelper compat level to 11 for shim and the
    signing-template

 -- Steve McIntyre <93sam@debian.org>  Tue, 24 Mar 2020 16:51:10 +0000

# Older entries have been removed from this changelog.
# To read the complete changelog use `apt changelog shim-unsigned`.