* [pve-devel] [PATCH proxmox-secure-boot-support] ship apt pinning snippet
@ 2024-06-21 7:04 Fabian Grünbichler
From: Fabian Grünbichler @ 2024-06-21 7:04 UTC
To: pve-devel
this should ensure that a shim-signed package from a non-Proxmox repository
cannot overtake ours, even if the version is newer. since
proxmox-secure-boot-support is optional, this is entirely opt-in.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
not the most elegant solution, but the only one I could come up with. the next
bookworm point release will likely ship with a shim-signed version higher than
our current one, so we probably want to roll this out rather fast..
debian/99-proxmox-secure-boot-support | 7 +++++++
debian/proxmox-secure-boot-support.install | 1 +
2 files changed, 8 insertions(+)
create mode 100644 debian/99-proxmox-secure-boot-support
create mode 100644 debian/proxmox-secure-boot-support.install
diff --git a/debian/99-proxmox-secure-boot-support b/debian/99-proxmox-secure-boot-support
new file mode 100644
index 0000000..03c4b89
--- /dev/null
+++ b/debian/99-proxmox-secure-boot-support
@@ -0,0 +1,7 @@
+# automatically added by proxmox-secure-boot-support, to ensure Proxmox version
+# of shim-signed stays installed even if Debian repositories contain an
+# upgraded version earlier than Proxmox ones, since they embed different
+# certificates and are incompatible.
+Package: shim-signed
+Pin: release o=Proxmox
+Pin-Priority: 900
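Review bot: `Pin-Priority: 900` on the last line of this file keeps the Proxmox shim-signed preferred only while the newer non-Proxmox build is not yet installed. Per apt_preferences(5), priorities below 1000 never cause a downgrade, so a system that already pulled in the Debian version stays on it. A target release configured through APT::Default-Release is assigned priority 990 and would also outrank 900. If either case matters, consider a priority of 1000 or more, or state the limitation in the header comment. Separately, the comment's "an upgraded version earlier than Proxmox ones" would read more clearly as "a newer version before the Proxmox repositories do".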
diff --git a/debian/proxmox-secure-boot-support.install b/debian/proxmox-secure-boot-support.install
new file mode 100644
index 0000000..f10aab3
--- /dev/null
+++ b/debian/proxmox-secure-boot-support.install
@@ -0,0 +1 @@
+debian/99-proxmox-secure-boot-support /etc/apt/preferences.d/
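Review bot: the install target `/etc/apt/preferences.d/` means the snippet is handled as a conffile when the package is built with debhelper, so it stays on disk after the package is removed without purge and the shim-signed pin keeps applying. Since the commit message describes the pin as opt-in, consider documenting that opting out again requires a purge (or manual removal of the file), for example in the snippet's header comment or the package description.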
--
2.39.2
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] applied: [PATCH proxmox-secure-boot-support] ship apt pinning snippet
From: Thomas Lamprecht @ 2024-06-21 9:22 UTC
To: Proxmox VE development discussion, Fabian Grünbichler
On 21/06/2024 09:04, Fabian Grünbichler wrote:
> this should ensure that a shim-signed package from a non-Proxmox repository
> cannot overtake ours, even if the version is newer. since
> proxmox-secure-boot-support is optional, this is entirely opt-in.
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> not the most elegant solution, but the only one I could come up with. the next
> bookworm point release will likely ship with a shim-signed version higher than
> our current one, so we probably want to roll this out rather fast..
>
> debian/99-proxmox-secure-boot-support | 7 +++++++
> debian/proxmox-secure-boot-support.install | 1 +
> 2 files changed, 8 insertions(+)
> create mode 100644 debian/99-proxmox-secure-boot-support
> create mode 100644 debian/proxmox-secure-boot-support.install
>
>
applied, thanks!