sbchooser: test --first-sig-only

vathpela · vathpela · commit e74939b7caa1 · 2026-03-04T14:29:07.000-05:00
This test submits the following shims, each listed twice, in a random
order:

  shim-16.1-4.el10.x64.msft2011.efi
  shim-16.1-4.el10.x64.msft2011.msft2023.efi
  shim-16.1-4.el10.x64.msft2023.efi

Against a "db" which includes:
  The 2023 UEFI CA cert

This test puts "--first-sig-only" on the sbchooser command line, so all
but the first signature on each input should be ignored.

This should produce the following output (annotated here):

shim-16.1-4.el10.x64.msft2023.efi - allowed by 2023 cert
shim-16.1-4.el10.x64.msft2023.efi - same

Note that shim-16.1-4.el10.x64.msft2011.msft2023.efi is not included,
because its first signature is with the 2011 cert.

Signed-off-by: Peter Jones &lt;pjones@redhat.com&gt;
diff --git a/tests/Makefile b/tests/Makefile
@@ -23,6 +23,7 @@ TESTS = test.dmpstore.export \
 	test.sbchooser.sha512.vs.db \
 	test.sbchooser.db.vs.dbx \
 	test.sbchooser.identical.secbits \
+	test.sbchooser.first.sig.only \
 
 all: clean $(TESTS)
 
@@ -420,6 +421,29 @@ test.sbchooser.identical.secbits:
 	$(quiet)rm -f test.sbchooser.identical.secbits.result
 	$(quiet)echo passed
 
+test.sbchooser.first.sig.only.result:
+	$(quiet)ls -1 shim-16.1-4.el10.x64.msft2011.efi \
+		      shim-16.1-4.el10.x64.msft2011.msft2023.efi \
+		      shim-16.1-4.el10.x64.msft2023.efi \
+		      shim-16.1-4.el10.x64.msft2011.efi \
+		      shim-16.1-4.el10.x64.msft2011.msft2023.efi \
+		      shim-16.1-4.el10.x64.msft2023.efi \
+		| sort -R | LD_LIBRARY_PATH=../src ../src/sbchooser -d db.msft2023 \
+								    --no-system-dbx \
+								    --first-sig-only \
+		> "$@"
+
+test.sbchooser.first.sig.only:
+	$(quiet)echo testing sbchooser sorting with only the first signature
+	$(quiet)$(MAKE) --quiet test.sbchooser.first.sig.only.result
+	$(quiet)if ! cmp test.sbchooser.first.sig.only.goal.txt test.sbchooser.first.sig.only.result ; then \
+		diff -U 200 test.sbchooser.first.sig.only.goal.txt test.sbchooser.first.sig.only.result ; \
+		exit 1 ; \
+	fi
+	$(quiet)cmp test.sbchooser.first.sig.only.goal.txt test.sbchooser.first.sig.only.result
+	$(quiet)rm -f test.sbchooser.first.sig.only.result
+	$(quiet)echo passed
+
 .PHONY: all clean $(TESTS)
 
 # vim:ft=make
diff --git a/tests/test.sbchooser.first.sig.only.goal.txt b/tests/test.sbchooser.first.sig.only.goal.txt
@@ -0,0 +1,2 @@
+shim-16.1-4.el10.x64.msft2023.efi
+shim-16.1-4.el10.x64.msft2023.efi

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+shim-16.1-4.el10.x64.msft2023.efi`
	`2`	`+shim-16.1-4.el10.x64.msft2023.efi`