Add obsoletes and provides to fix errors in shim-unsigned upgrade to shim (#11245)

christopherco · web-flow · commit f49c769c37e4 · 2024-12-02T15:42:06.000-08:00
Prior ARM64 images and installations historically used "shim-unsigned" v15.4 in order to boot without Secure Boot enforcing.
To ensure a seamless upgrade experience from the older unsigned shim to this new signed shim, include additional RPM dependency logic (Obsoletes on "shim-unsigned" so older installations with "shim-unsigned" installed will upgrade cleanly from the unsigned shim v15.4 to this new signed version of the shim v15.8+

Unlike dnf, our current tdnf does not gracefully handle Obsoletes properly.
When the user runs "tdnf install shim-unsigned". The proper
behavior with Obsoletes only in place is for this transaction to
complete with nothing to do, which is what dnf does. However tdnf still
attempts to perform the transaction, which yields undesired results.

As a workaround to tdnf's lack of correct support of Obsoletes, add an
additional Provides to the shim package to have it "provide" for
shim-unsigned as well.

This workaround can be removed when tdnf is updated with proper RPM
Obsoletes behavior.

Signed-off-by: Chris Co &lt;chrco@microsoft.com&gt;
diff --git a/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec b/SPECS/shim-unsigned-aarch64/shim-unsigned-aarch64.spec
@@ -32,7 +32,7 @@ Name:		shim-unsigned-aarch64
 Provides:       shim-unsigned-%{efiarch}
 
 Version:	15.8
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	aarch64
 License:	BSD
@@ -160,6 +160,12 @@ HASH=$(cat %{buildroot}%{shimdir}/shim%{efiarch}.hash | cut -d ' ' -f 1)
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
+* Thu Nov 28 2024 Chris Co <chrco@microsoft.com> - 15.8-5
+- Bump to match shim release
+
+* Tue Nov 26 2024 Chris Co <chrco@microsoft.com> - 15.8-4
+- Bump to match shim release
+
 * Tue Mar 12 2024 Dan Streetman <ddstreet@microsoft.com> - 15.8-3
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - license verified
diff --git a/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec b/SPECS/shim-unsigned-x64/shim-unsigned-x64.spec
@@ -36,7 +36,7 @@
 
 Name:		shim-unsigned-%{efiarch}
 Version:	15.8
-Release:	3%{?dist}
+Release:	5%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
@@ -221,6 +221,12 @@ HASH=$(cat %{buildroot}%{shimdir}/shim%{efiarch}.hash | cut -d ' ' -f 1)
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
+* Thu Nov 28 2024 Chris Co <chrco@microsoft.com> - 15.8-5
+- Bump to match shim release
+
+* Tue Nov 26 2024 Chris Co <chrco@microsoft.com> - 15.8-4
+- Bump to match shim release
+
 * Thu Feb 08 2024 Dan Streetman <ddstreet@microsoft.com> - 15.8-3
 - Initial CBL-Mariner import from Fedora 40 (license: MIT).
 - license verified
diff --git a/SPECS/shim/shim.spec b/SPECS/shim/shim.spec
@@ -37,7 +37,7 @@
 Summary:        First stage UEFI bootloader
 Name:           shim
 Version:        15.8
-Release:        3%{?dist}
+Release:        5%{?dist}
 License:        BSD
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -49,6 +49,26 @@ Provides:       shim = %{version}-%{release}
 Obsoletes:      shim < %{version}-%{release}
 Provides:       shim-signed = %{version}-%{release}
 Provides:       shim-signed-%{efiarch} = %{version}-%{release}
+# Prior images and installations historically used "shim-unsigned" v15.4
+# in order to boot without Secure Boot enforcing.
+# To ensure a seamless upgrade experience from the older unsigned shim to
+# this new signed shim, include additional RPM dependency logic so older
+# installations will upgrade cleanly from the unsigned shim v15.4 to this new
+# signed version of the shim v15.8+
+Obsoletes:      shim-unsigned <= 15.4
+# Unlike dnf, our current tdnf does not gracefully handle Obsoletes properly.
+# When the user runs "tdnf install shim-unsigned". The proper
+# behavior with Obsoletes only in place is for this transaction to
+# complete with nothing to do, which is what dnf does. However tdnf still
+# attempts to perform the transaction, which yields undesired results and
+# potential RPM transaction errors.
+#
+# As a workaround to tdnf's lack of correct support of Obsoletes, add an
+# additional Provides to the shim package to have it "provide" for
+# shim-unsigned as well.
+# This workaround can be removed when tdnf is updated with proper RPM
+# Obsoletes behavior.
+Provides:       shim-unsigned = %{version}-%{release}
 
 # This is when grub was updated to be signed with the newer Azure Linux certificate
 Conflicts:      grub2-efi-binary < 2.06-22
@@ -167,7 +187,13 @@ fi
 /boot/efi/EFI/%{efidir}/*
 
 %changelog
-* Wed Nov 10 2024 Chris Co <chrco@microsoft.com> - 15.8-3
+* Thu Nov 28 2024 Chris Co <chrco@microsoft.com> - 15.8-5
+- Add Provides for shim-unsigned
+
+* Tue Nov 26 2024 Chris Co <chrco@microsoft.com> - 15.8-4
+- Add obsoletes for shim-unsigned v15.4 package
+
+* Sun Nov 10 2024 Chris Co <chrco@microsoft.com> - 15.8-3
 - update to 15.8
 - include mm
 - protect from dnf removal
