[pve-devel] [PATCH proxmox-secure-boot-support] ship apt pinning snippet

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jun 21 09:04:17 CEST 2024


this should ensure that a shim-signed package from a non-Proxmox repository
cannot overtake ours, even if the version is newer. since
proxmox-secure-boot-support is optional, this is entirely opt-in.

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
not the most elegant solution, but the only one I could come up with. the next
bookworm point release will likely ship with a shim-signed version higher than
our current one, so we probably want to roll this out rather fast.

 debian/99-proxmox-secure-boot-support      | 7 +++++++
 debian/proxmox-secure-boot-support.install | 1 +
 2 files changed, 8 insertions(+)
 create mode 100644 debian/99-proxmox-secure-boot-support
 create mode 100644 debian/proxmox-secure-boot-support.install

diff --git a/debian/99-proxmox-secure-boot-support b/debian/99-proxmox-secure-boot-support
new file mode 100644
index 0000000..03c4b89
--- /dev/null
+++ b/debian/99-proxmox-secure-boot-support
@@ -0,0 +1,7 @@
+# automatically added by proxmox-secure-boot-support, to ensure Proxmox version
+# of shim-signed stays installed even if Debian repositories contain an
+# upgraded version earlier than Proxmox ones, since they embed different
+# certificates and are incompatible.
+Package: shim-signed
+Pin: release o=Proxmox
+Pin-Priority: 900
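Review bot: a priority of 900 sits in the 500-989 band of apt_preferences(5), so the Proxmox shim-signed wins over a newer version from any other origin, but it still loses to a version carrying the target-release priority of 990 if a user has set APT::Default-Release (e.g. to bookworm), and it will not downgrade an already installed newer Debian build; if that is the intended behaviour, state it in the header comment, otherwise the value needs to be 990 or above. The comment text "an upgraded version earlier than Proxmox ones" is also ambiguous (earlier in time, or a lower version number?); something like "a shim-signed version higher than the one in the Proxmox repository" says what the pin actually guards against. Finally, `o=Proxmox` only matches if the Release file of the Proxmox repository has `Origin: Proxmox`, which a reader cannot verify from this snippet, so naming that dependency in the comment would help anyone debugging a pin that silently does nothing.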
diff --git a/debian/proxmox-secure-boot-support.install b/debian/proxmox-secure-boot-support.install
new file mode 100644
index 0000000..f10aab3
--- /dev/null
+++ b/debian/proxmox-secure-boot-support.install
@@ -0,0 +1 @@
+debian/99-proxmox-secure-boot-support /etc/apt/preferences.d/
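Review bot: installing the snippet under /etc/apt/preferences.d/ via the .install file makes it a dpkg conffile, which is left in place on `apt remove proxmox-secure-boot-support` and only disappears on purge, so the pin keeps steering shim-signed after the package is removed; either document that in the commit message (the "entirely opt-in" claim is only true up to purge) or consider a maintainer script that drops the file on removal. The file name without extension is accepted by apt (names in preferences.d may have no extension or end in .pref), so that part is fine as is.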
-- 
2.39.2