import from tagless source r8

.gitignore

 SOURCES/shim-15.6.tar.bz2
+SOURCES/shim-15.8.tar.bz2

.shim-unsigned-x64.metadata

-3df0ab5cefc74fdf865cb36aea0e923cb4b6b3ed SOURCES/shim-15.6.tar.bz2
+a79f0a9b89f3681ab384865b1a46ab3f79d88b11b4ca59aa040ab03fffae80a9 SOURCES/shim-15.8.tar.bz2

SOURCES/sbat.rocky.csv

-shim.rocky,2,Rocky Linux,shim,15.8,security@rockylinux.org
+shim.rocky,3,Rocky Linux,shim,15.8,security@rockylinux.org

SPECS/shim-unsigned-x64.spec

@@ -8,7 +8,7 @@
 %global __debug_install_post %{SOURCE100} x64 ia32
 %undefine _debuginfo_subpackages
 
-%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/'))
+%global efidir %(eval echo $(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/rocky/'))
 %global shimrootdir %{_datadir}/shim/
 %global shimversiondir %{shimrootdir}/%{version}-%{release}
 %global efiarch x64
@@ -16,19 +16,20 @@
 %global efialtarch ia32
 %global shimaltdir %{shimversiondir}/%{efialtarch}
 
+# currently here's what's in our dbx: nothing
+%global dbxfile %{nil}
 Name:		shim-unsigned-%{efiarch}
-Version:	15.6
-Release:	1.el8
+Version:	15.8
+Release:	2%{?dist}
 Summary:	First-stage UEFI bootloader
 ExclusiveArch:	x86_64
 License:	BSD
 URL:		https://github.com/rhboot/shim
 Source0:	https://github.com/rhboot/shim/releases/download/%{version}/shim-%{version}.tar.bz2
-Source1:	redhatsecurebootca5.cer
-# currently here's what's in our dbx:
-# nothing.
-Source2:	dbx.esl
-Source3:	sbat.redhat.csv
+%if 0%{?dbxfile}
+Source2:	%{dbxfile}
+%endif
+Source3:	sbat.rocky.csv
 Source4:	shim.patches
 
 Source100:	shim-find-debuginfo.sh
@@ -40,6 +41,7 @@ BuildRequires:	elfutils-libelf-devel
 BuildRequires:	git openssl-devel openssl
 BuildRequires:	pesign >= %{pesign_vre}
 BuildRequires:	dos2unix findutils
+BuildRequires:  system-sb-certs
 
 # Shim uses OpenSSL, but cannot use the system copy as the UEFI ABI is not
 # compatible with SysV (there's no red zone under UEFI) and there isn't a
@@ -107,13 +109,16 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_SHIM_HASH=true "
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
 MAKEFLAGS+="%{_smp_mflags}"
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -132,12 +137,15 @@ COMMITID=$(cat commit)
 MAKEFLAGS="TOPDIR=.. -f ../Makefile COMMITID=${COMMITID} "
 MAKEFLAGS+="EFIDIR=%{efidir} PKGNAME=shim RELEASE=%{release} "
 MAKEFLAGS+="ENABLE_HTTPBOOT=true ENABLE_SHIM_HASH=true "
-if [ -s "%{SOURCE1}" ]; then
-	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=%{SOURCE1}"
+MAKEFLAGS+="SBAT_AUTOMATIC_DATE=2023012900 "
+if [ -f "/etc/pki/sb-certs/secureboot-ca-x86_64.cer" ]; then
+	MAKEFLAGS="$MAKEFLAGS VENDOR_CERT_FILE=/etc/pki/sb-certs/secureboot-ca-x86_64.cer"
 fi
-if [ -s "%{SOURCE2}" ]; then
+%if 0%{?dbxfile}
+if [ -f "%{SOURCE2}" ]; then
 	MAKEFLAGS="$MAKEFLAGS VENDOR_DBX_FILE=%{SOURCE2}"
 fi
+%endif
 
 cd build-%{efiarch}
 make ${MAKEFLAGS} \
@@ -178,71 +186,8 @@ cd ..
 %files debugsource -f build-%{efiarch}/debugsource.list
 
 %changelog
-* Wed Jun 01 2022 Peter Jones <pjones@redhat.com> - 15.6-1.el8
-- Update to shim-15.6
-  Resolves: CVE-2022-28737
-
-* Thu Sep 17 2020 Peter Jones <pjones@redhat.com> - 15-9.el8
-- Fix an incorrect allocation size.
-  Related: rhbz#1877253
-
-* Thu Jul 30 2020 Peter Jones <pjones@redhat.com> - 15-8
-- Fix a load-address-dependent forever loop.
-  Resolves: rhbz#1861977
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-  Related: CVE-2020-15705
-  Related: CVE-2020-15706
-  Related: CVE-2020-15707
-
-* Sat Jul 25 2020 Peter Jones <pjones@redhat.com> - 15-7
-- Implement Lenny's workaround
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Fri Jul 24 2020 Peter Jones <pjones@redhat.com> - 15-5
-- Once more with the MokListRT config table patch added.
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Thu Jul 23 2020 Peter Jones <pjones@redhat.com> - 15-4
-- Rebuild for bug fixes and new signing keys
-  Related: CVE-2020-10713
-  Related: CVE-2020-14308
-  Related: CVE-2020-14309
-  Related: CVE-2020-14310
-  Related: CVE-2020-14311
-
-* Wed Jun 05 2019 Javier Martinez Canillas <javierm@redhat.com> - 15-3
-- Make EFI variable copying fatal only on secureboot enabled systems
-  Resolves: rhbz#1715878
-- Fix booting shim from an EFI shell using a relative path
-  Resolves: rhbz#1717064
-
-* Tue Feb 12 2019 Peter Jones <pjones@redhat.com> - 15-2
-- Fix MoK mirroring issue which breaks kdump without intervention
-  Related: rhbz#1668966
-
-* Fri Jul 20 2018 Peter Jones <pjones@redhat.com> - 15-1
-- Update to shim 15
-
-* Tue Sep 19 2017 Peter Jones <pjones@redhat.com> - 13-3
-- Actually update to the *real* 13 final.
-  Related: rhbz#1489604
-
-* Thu Aug 31 2017 Peter Jones <pjones@redhat.com> - 13-2
-- Actually update to 13 final.
-
-* Fri Aug 18 2017 Peter Jones <pjones@redhat.com> - 13-1
-- Make a new shim-unsigned-x64 package like the shim-unsigned-aarch64 one.
-- This will (eventually) supersede what's in the "shim" package so we can
-  make "shim" hold the signed one, which will confuse fewer people.
+* Wed Feb 14 2024 Sherif Nagy <sherif@rockylinux.org> - 15.8-2
+- bump sbat level for Rocky to 3
+
+* Mon Feb 12 2024 Louis Abel <label@resf.org> - 15.8-1
+- Update to shim-15.8