fix: Allow updating shim-unsigned-* separately from shim (#16079)

corvus-callidus · web-flow · commit 7f740a449c25 · 2026-03-06T18:46:50.000-08:00
This PR introduces two small changes:

Remove shim from the entangled specs check.
Unlike the kernel where we have signed packages that must be kept in perfect lockstep with the unsigned packages, the shim-unsigned and shim packages need not be kept in perfect alignment. Given the update and upstream signing process for the shim binaries, it makes sense to follow the Fedora model and allow updating shim-unsigned, completing upstream signing, then later updating shim once we have the signed binaries.

For shim, replace the macro-based BuildRequires on shim-unsigned-%{efiarch} with explicit architecture package names for x86_64 and aarch64.
The previous dependency could resolve through an unversioned virtual provide on aarch64, which pulled in a freshly rebuilt shim-unsigned node and made delta build logic rebuild shim unnecessarily. That rebuild will fail when shim-unsigned is updated to a new version (e.g. 16.1) while shim remains at an earlier version.
diff --git a/SPECS/shim/shim.spec b/SPECS/shim/shim.spec
@@ -37,7 +37,7 @@
 Summary:        First stage UEFI bootloader
 Name:           shim
 Version:        15.8
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -73,7 +73,12 @@ Provides:       shim-unsigned = %{version}-%{release}
 # This is when grub was updated to be signed with the newer Azure Linux certificate
 Conflicts:      grub2-efi-binary < 2.06-22
 
-BuildRequires:  shim-unsigned-%{efiarch} = %{version}-%{release}
+%ifarch x86_64
+BuildRequires:  shim-unsigned-x64 = %{version}
+%endif
+%ifarch aarch64
+BuildRequires:  shim-unsigned-aarch64 = %{version}
+%endif
 BuildRequires:  binutils
 BuildRequires:  coreutils
 BuildRequires:  efivar
@@ -187,6 +192,9 @@ fi
 /boot/efi/EFI/%{efidir}/*
 
 %changelog
+* Mon Mar 02 2026 Lynsey Rydberg <lyrydber@microsoft.com> - 15.8-6
+- Change BuildRequires to allow updating shim-unsigned separately
+
 * Thu Nov 28 2024 Chris Co <chrco@microsoft.com> - 15.8-5
 - Add Provides for shim-unsigned
 
diff --git a/toolkit/scripts/check_entangled_specs.py b/toolkit/scripts/check_entangled_specs.py
@@ -60,7 +60,6 @@
         "SPECS/cyrus-sasl-bootstrap/cyrus-sasl-bootstrap.spec"
     ]),
     frozenset([
-        "SPECS/shim/shim.spec",
         "SPECS/shim-unsigned-x64/shim-unsigned-x64.spec",
         "SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec"
     ]),
