Bug#919067: Please add a Recommends: on shim-signed

[Steve McIntyre]

So, looking through this diff: (holy crap, the grub-installer script
is getting big! :-()

On that front, I'm *tempted* to say it's time to stop caring about and
supporting grub-legacy here, maybe?

On Sat, Jan 12, 2019 at 01:51:41PM +0000, Colin Watson wrote:

>diff --git a/grub-installer b/grub-installer
>index 04016fb7..7fbcf7ee 100755
>--- a/grub-installer
>+++ b/grub-installer
>@@ -346,7 +346,7 @@ case $ARCH in
> 		if [ -f /sys/firmware/efi/fw_platform_size ] ; then
> 			SIZE=$(cat /sys/firmware/efi/fw_platform_size)
> 			if [ $SIZE -eq 64 ] ; then
>-				grub_package="grub-efi-amd64"
>+				grub_package="grub-efi-amd64-signed"
> 			elif [ $SIZE -eq 32 ] ; then
> 				grub_package="grub-efi-ia32"
> 			fi

I'm minded to not take this - I feel that grub-efi-amd64-signed is
more of an equivalent to grub-efi-amd64-bin, just containing the
actual grub binaries for the other packages to use. The metapackage
grub-efi-amd64 is still the correct thing to be installing here.

>@@ -484,14 +484,17 @@ db_progress INFO grub-installer/progress/step_install
> # to grub legacy, or vice-versa
> case "$grub_package" in
>     grub)
>-	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
>+	log-output -t grub-installer $chroot $ROOT dpkg -P grub-pc-bin grub-pc grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32
> 	;;
>     grub-pc)
>-	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-ia32-bin grub-efi-ia32
>-    ;;
>-    grub-efi*)
>+	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-efi grub-efi-amd64-bin grub-efi-amd64 grub-efi-amd64-signed grub-efi-ia32-bin grub-efi-ia32
>+	;;
>+    grub-efi-amd64-signed)
> 	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-pc-bin grub-pc
>-    ;;
>+	;;
>+    grub-efi*)
>+	log-output -t grub-installer $chroot $ROOT dpkg -P grub grub-legacy grub-pc-bin grub-pc grub-efi-amd64-signed
>+	;;
> esac
> 
> exit_code=0

all obviously the right thing. I'm thinking it's time to wrap and
reformat those long command lines, though!

>@@ -507,6 +510,11 @@ case "$grub_package" in
>    *)
> 	# Will pull in os-prober based on global setting for Recommends
> 	apt-install $grub_package || exit_code=$? 
>+	case $grub_package in
>+	    *-signed)
>+		apt-install shim-signed || true
>+		;;
>+	esac
> 	;;
> esac

This would clearly be the right thing to do too if we changed the
grub_package setting at the top. Maybe if we just change that to match
grub-efi-amd64 for now?

I'm about to test this lot locally and double-check it DTRT for both
amd64/efi with -signed and i386/efi (without), anyway.

-- 
Steve McIntyre, Cambridge, UK.                                steve at einval.com
Google-bait:       http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.