Add obsoletes and provides to fix errors in shim-unsigned upgrade to …

…shim (microsoft#11245) Prior ARM64 images and installations historically used "shim-unsigned" v15.4 in order to boot without Secure Boot enforcing. To ensure a seamless upgrade experience from the older unsigned shim to this new signed shim, include additional RPM dependency logic (Obsoletes on "shim-unsigned" so older installations with "shim-unsigned" installed will upgrade cleanly from the unsigned shim v15.4 to this new signed version of the shim v15.8+ Unlike dnf, our current tdnf does not gracefully handle Obsoletes properly. When the user runs "tdnf install shim-unsigned". The proper behavior with Obsoletes only in place is for this transaction to complete with nothing to do, which is what dnf does. However tdnf still attempts to perform the transaction, which yields undesired results. As a workaround to tdnf's lack of correct support of Obsoletes, add an additional Provides to the shim package to have it "provide" for shim-unsigned as well. This workaround can be removed when tdnf is updated with proper RPM Obsoletes behavior. Signed-off-by: Chris Co <[email protected]>
archana25-ms · Dec 2, 2024 · f49c769 · f49c769
1 parent 73929e3
commit f49c769
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 4 deletions.
diff --git a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec
@@ -32,7 +32,7 @@ Name:		shim-unsigned-aarch64
 Provides:       shim-unsigned-%{efiarch}
 
 Version:	15.8
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
@@ -160,6 +160,12 @@ HASH=$(cat %{buildroot}%{shimdir}/shim%{efiarch}.hash | cut -d ' ' -f 1)
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
+* Thu Nov 28 2024 Chris Co <[email protected]> - 15.8-5
+- Bump to match shim release
+
+* Tue Nov 26 2024 Chris Co <[email protected]> - 15.8-4
+- Bump to match shim release
+
 * Tue Mar 12 2024 Dan Streetman <[email protected]> - 15.8-3
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - license verified

diff --git a/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec
@@ -36,7 +36,7 @@
 
 Name:		shim-unsigned-%{efiarch}
 Version:	15.8
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
@@ -221,6 +221,12 @@ HASH=$(cat %{buildroot}%{shimdir}/shim%{efiarch}.hash | cut -d ' ' -f 1)
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
+* Thu Nov 28 2024 Chris Co <[email protected]> - 15.8-5
+- Bump to match shim release
+
+* Tue Nov 26 2024 Chris Co <[email protected]> - 15.8-4
+- Bump to match shim release
+
 * Thu Feb 08 2024 Dan Streetman <[email protected]> - 15.8-3
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - license verified

diff --git a/SPECS/shim/shim.spec b/SPECS/shim/shim.spec
@@ -37,7 +37,7 @@
 Summary:        First stage UEFI bootloader
 Name:           shim
 Version:        15.8
-Release:        3%{?dist}
+Release:        5%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,26 @@ Provides:       shim = %{version}-%{release}
 Obsoletes:      shim < %{version}-%{release}
 Provides:       shim-signed = %{version}-%{release}
 Provides:       shim-signed-%{efiarch} = %{version}-%{release}
+# Prior images and installations historically used "shim-unsigned" v15.4
+# in order to boot without Secure Boot enforcing.
+# To ensure a seamless upgrade experience from the older unsigned shim to
+# this new signed shim, include additional RPM dependency logic so older
+# installations will upgrade cleanly from the unsigned shim v15.4 to this new
+# signed version of the shim v15.8+
+Obsoletes:      shim-unsigned <= 15.4
+# Unlike dnf, our current tdnf does not gracefully handle Obsoletes properly.
+# When the user runs "tdnf install shim-unsigned". The proper
+# behavior with Obsoletes only in place is for this transaction to
+# complete with nothing to do, which is what dnf does. However tdnf still
+# attempts to perform the transaction, which yields undesired results and
+# potential RPM transaction errors.
+#
+# As a workaround to tdnf's lack of correct support of Obsoletes, add an
+# additional Provides to the shim package to have it "provide" for
+# shim-unsigned as well.
+# This workaround can be removed when tdnf is updated with proper RPM
+# Obsoletes behavior.
+Provides:       shim-unsigned = %{version}-%{release}
 
 # This is when grub was updated to be signed with the newer Azure Linux certificate
 Conflicts:      grub2-efi-binary < 2.06-22
@@ -167,7 +187,13 @@ fi
 /boot/efi/EFI/%{efidir}/*
 
 %changelog
-* Wed Nov 10 2024 Chris Co <[email protected]> - 15.8-3
+* Thu Nov 28 2024 Chris Co <[email protected]> - 15.8-5
+- Add Provides for shim-unsigned
+
+* Tue Nov 26 2024 Chris Co <[email protected]> - 15.8-4
+- Add obsoletes for shim-unsigned v15.4 package
+
+* Sun Nov 10 2024 Chris Co <[email protected]> - 15.8-3
 - update to 15.8
 - include mm
 - protect from dnf removal