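# Version of the installed shim-canonical-unsigned package, as printed by
# dpkg-query. The rules below use it as a directory name and pass it to
# ./download-signed.
# Simple assignment (:=): dpkg-query runs once when the makefile is parsed,
# so every recipe line sees the same value instead of re-querying dpkg on
# each expansion.
# If dpkg-query prints nothing (for example the package is not installed)
# the value is empty and paths built from it start at "/".
SHIM_CANONICAL_VERSION := $(shell dpkg-query -W -f'$${Version}' shim-canonical-unsigned)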

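# check: verify the Microsoft-signed shim against the locally installed
# unsigned binary, then assemble and verify a dual-signed image
# (Canonical + Microsoft signatures) as build/$(SHIM_BASE).dualsigned.
#
# No recipe line carries a "-" prefix, so the first failing sbverify or cmp
# stops the target; the order of the steps matters.
# The trust anchors (MicCorUEFCA2011_2011-06-27.crt, CanonicalMasterCA.crt)
# are read from the current directory, so the result is only as trustworthy
# as those two files.
# SHIM_BASE is not defined in this part of the file; it must be set before
# this rule runs.
# Declared phony so that a file or directory named "check" cannot make the
# target look up to date and skip the verification.
.PHONY: check
check:
	# Refuse to run with an empty image name or version, which would turn the paths below into paths under the root directory.
	test -n "$(SHIM_BASE)"
	test -n "$(SHIM_CANONICAL_VERSION)"
	mkdir -p build
	# Verifying that the image is signed with the correct key.
	#sbverify --cert cyphermox.crt shimx64.efi.signed
	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_BASE).signed
	# Verifying that we have the correct binary: move the signature onto a copy of the installed unsigned shim and require a byte-identical result.
	sbattach --detach build/detached-sig $(SHIM_BASE).signed
	cp /usr/lib/shim/$(SHIM_BASE) build/$(SHIM_BASE).signed
	sbattach --attach build/detached-sig build/$(SHIM_BASE).signed
	cmp $(SHIM_BASE).signed build/$(SHIM_BASE).signed
	####
	# Construct dual-signed shim
	./download-signed shim-canonical-unsigned $(SHIM_CANONICAL_VERSION) shim-canonical signed
	# Verify that the downloaded binary has signatures chained to Canonical Master CA; the download is not used before this check passes.
	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
	# Detach Canonical signature
	sbattach --detach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
	rm $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE).signed
	# Compare that shims are all the same now (the unsigned file in the version directory is presumably placed there by download-signed; confirm against that script).
	cmp /usr/lib/shim/$(SHIM_BASE) $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	# Reattach Canonical signature
	sbattach --attach $(SHIM_CANONICAL_VERSION)/detached-sig-canonical $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	# Verify that attachment worked
	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	# Attach Microsoft signature
	sbattach --attach build/detached-sig $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	# Validate that this shim is now dualsigned; the list step only prints the signatures, the two cert checks after it are what validate them.
	sbverify --list $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	sbverify --cert CanonicalMasterCA.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	sbverify --cert MicCorUEFCA2011_2011-06-27.crt $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE)
	cp $(SHIM_CANONICAL_VERSION)/$(SHIM_BASE) build/$(SHIM_BASE).dualsigned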

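# clean: remove the build directory, the per-version directory named after
# SHIM_CANONICAL_VERSION, and BOOT$(EFI_ARCH).CSV.
# Declared phony so that a file named "clean" cannot make the target look
# up to date.
# NOTE(review): make reads "$shim_boot.csv" as the one-letter variable $(s)
# followed by the literal text "him_boot.csv", not as a variable named
# shim_boot; confirm which file name was intended.
# With an empty SHIM_CANONICAL_VERSION that argument simply disappears from
# the rm command line.
.PHONY: clean
clean:
	rm -rf build $(SHIM_CANONICAL_VERSION) $shim_boot.csv BOOT$(EFI_ARCH).CSV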
