* [pve-devel] [PATCH proxmox-secure-boot-support] ship apt pinning snippet
@ 2024-06-21 7:04 Fabian Grünbichler
From: Fabian Grünbichler @ 2024-06-21 7:04 UTC (permalink / raw)
To: pve-devel
this should ensure that a shim-signed package from a non-Proxmox repository
cannot overtake ours, even if the version is newer. since
proxmox-secure-boot-support is optional, this is entirely opt-in.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
not the most elegant solution, but the only one I could come up with. the next
bookworm point release will likely ship with a shim-signed version higher than
our current one, so we probably want to roll this out rather fast..
debian/99-proxmox-secure-boot-support | 7 +++++++
debian/proxmox-secure-boot-support.install | 1 +
2 files changed, 8 insertions(+)
create mode 100644 debian/99-proxmox-secure-boot-support
create mode 100644 debian/proxmox-secure-boot-support.install
diff --git a/debian/99-proxmox-secure-boot-support b/debian/99-proxmox-secure-boot-support
new file mode 100644
index 0000000..03c4b89
--- /dev/null
+++ b/debian/99-proxmox-secure-boot-support
@@ -0,0 +1,7 @@
+# automatically added by proxmox-secure-boot-support, to ensure Proxmox version
+# of shim-signed stays installed even if Debian repositories contain an
+# upgraded version earlier than Proxmox ones, since they embed different
+# certificates and are incompatible.
+Package: shim-signed
+Pin: release o=Proxmox
+Pin-Priority: 900
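Review bot: `Pin-Priority: 900` on the last line of this file is lower than two values apt can end up comparing it against, so the pin does not hold in every case the header comment describes. With `APT::Default-Release` pointing at a Debian suite, Debian's shim-signed is assigned priority 990 and beats 900; and because the value is below 1000, a host that already installed a newer Debian shim-signed is not moved back to the Proxmox build. If those cases matter, consider a priority above 1000, or state in the comment that only setups without a target release are covered. The comment's "upgraded version earlier than Proxmox ones" would also read more clearly as "a newer version before Proxmox ships one".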
diff --git a/debian/proxmox-secure-boot-support.install b/debian/proxmox-secure-boot-support.install
new file mode 100644
index 0000000..f10aab3
--- /dev/null
+++ b/debian/proxmox-secure-boot-support.install
@@ -0,0 +1 @@
+debian/99-proxmox-secure-boot-support /etc/apt/preferences.d/
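Review bot: the destination `/etc/apt/preferences.d/` on this line makes the snippet a conffile, so it stays on disk when the package is removed and only goes away on purge. The commit message describes the pin as opt-in, but an admin who removes proxmox-secure-boot-support without purging keeps the shim-signed pin active. Suggest a sentence in the snippet's header comment or the package description saying that the package must be purged (or the file deleted) to drop the pin.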
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH proxmox-secure-boot-support] ship apt pinning snippet
@ 2024-06-21 9:22 ` Thomas Lamprecht
From: Thomas Lamprecht @ 2024-06-21 9:22 UTC (permalink / raw)
To: Proxmox VE development discussion, Fabian Grünbichler
On 21/06/2024 09:04, Fabian Grünbichler wrote:
> this should ensure that a shim-signed package from a non-Proxmox repository
> cannot overtake ours, even if the version is newer. since
> proxmox-secure-boot-support is optional, this is entirely opt-in.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> not the most elegant solution, but the only one I could come up with. the next
> bookworm point release will likely ship with a shim-signed version higher than
> our current one, so we probably want to roll this out rather fast..
>
> debian/99-proxmox-secure-boot-support | 7 +++++++
> debian/proxmox-secure-boot-support.install | 1 +
> 2 files changed, 8 insertions(+)
> create mode 100644 debian/99-proxmox-secure-boot-support
> create mode 100644 debian/proxmox-secure-boot-support.install
>
>
applied, thanks!