Bug#919067: Please add a Recommends: on shim-signed

[Colin Watson]

On Sat, Jan 12, 2019 at 12:58:52PM +0000, Steve McIntyre wrote:
> NB: Ubuntu doesn't have the depends/recommends here, so I can only
> assume that some other method is used to ensure that shim-signed is
> installed there. I asked Steve Langasek about this, but I've not had
> an answer yet.

I guess I can see the argument about having a recommendation here, since
GRUB does make use of shim if it's installed.

Ubuntu instead does this with a grub-installer change that explicitly
installs both grub-efi-amd64-signed and shim-signed in the amd64/efi
case.  What do you think about going with that instead, or maybe in
addition to your approach?  Unpicking the patch I think it's something
like this:

diff --git a/grub-installer b/grub-installer
index 04016fb7..7fbcf7ee 100755
--- a/grub-installer
+++ b/grub-installer
@@ -346,7 +346,7 @@ case $ARCH in
 		if [ -f /sys/firmware/efi/fw_platform_size ] ; then
 			SIZE=$(cat /sys/firmware/efi/fw_platform_size)
 			if [ $SIZE -eq 64 ] ; then
-				grub_package="grub-efi-amd64"
+				grub_package="grub-efi-amd64-signed"
 			elif [ $SIZE -eq 32 ] ; then
 				grub_package="grub-efi-ia32"
 			fi
@@ -484,14 +484,17 @@ db_progress INFO grub-installer/progress/step_install
 # to grub legacy, or vice-versa
 case "$grub_package" in
     grub)
-	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
+	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32
 	;;
     grub-pc)
-	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
-    ;;
-    grub-efi*)
+	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32
+	;;
+    grub-efi-amd64-signed)
 	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-pc-bin grub-pc
-    ;;
+	;;
+    grub-efi*)
+	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-pc-bin grub-pc grub-efi-amd64-signed
+	;;
 esac
 
 exit_code=0
@@ -507,6 +510,11 @@ case "$grub_package" in
    *)
 	# Will pull in os-prober based on global setting for Recommends
 	apt-install $grub_package || exit_code=$? 
+	case $grub_package in
+	    *-signed)
+		apt-install shim-signed || true
+		;;
+	esac
 	;;
 esac
 

-- 
Colin Watson                                       [cjwatson at debian.org]