From eeeec9a325c047824b41318e20ec3ce4f490d6f3 Mon Sep 17 00:00:00 2001 From: David Murphy Date: Thu, 10 Oct 2024 14:49:54 -0600 Subject: [PATCH 1/6] Allow for secure-boot efivars directory having SecureBoot-xxx files, not directories with a data file --- salt/grains/extra.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/grains/extra.py b/salt/grains/extra.py index 300052f1eed..4180ff3b51e 100644 --- a/salt/grains/extra.py +++ b/salt/grains/extra.py @@ -66,7 +66,10 @@ def config(): def __secure_boot(efivars_dir): """Detect if secure-boot is enabled.""" enabled = False - sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data")) + if "efivars" == os.path.basename(efivars_dir): + sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*")) + else: + sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*/data")) if len(sboot) == 1: # The minion is usually running as a privileged user, but is # not the case for the master. Seems that the master can also From 76f22f0f92388f107c3fd8b65462a70d0ae01bbc Mon Sep 17 00:00:00 2001 From: David Murphy Date: Thu, 10 Oct 2024 14:57:13 -0600 Subject: [PATCH 2/6] Added changelog entry --- changelog/66955.fixed.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog/66955.fixed.md diff --git a/changelog/66955.fixed.md b/changelog/66955.fixed.md new file mode 100644 index 00000000000..d45b8f650a7 --- /dev/null +++ b/changelog/66955.fixed.md @@ -0,0 +1 @@ +Allow for secure-boot efivars directory having SecureBoot-xxx files, not directories with a data file From effada446c4a22a426396e7a313c9a645c702e95 Mon Sep 17 00:00:00 2001 From: David Murphy Date: Fri, 11 Oct 2024 12:44:38 -0600 Subject: [PATCH 3/6] Initial test for testing secure-boot grain --- salt/grains/extra.py | 14 +++-- .../functional/grains/test_secure_boot.py | 51 +++++++++++++++++++ 2 files changed, 62 insertions(+), 3 deletions(-) create mode 100644 tests/pytests/functional/grains/test_secure_boot.py 
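Review bot: The two branches of the new `if` return files with different contents, not just different names: under efivarfs the `SecureBoot-*` file starts with a 4-byte attributes word before the variable payload (as the efivarfs documentation describes), while the legacy `SecureBoot-*/data` node is the payload alone, so whatever byte the rest of `__secure_boot` inspects (the function continues past the end of this hunk) must be layout-aware or the efivarfs path reports the attributes instead of the flag. A comment on the `if` such as `# efivarfs exposes SecureBoot-<guid> as a single file (4-byte attrs + data); legacy sysfs vars use a SecureBoot-<guid>/data node` would record that difference for the next reader. Keying the choice on the directory's basename is also fragile for any caller that passes a different path; matching once and testing what the glob found, `sboot = glob.glob(os.path.join(efivars_dir, "SecureBoot-*"))` followed by `sboot = [os.path.join(p, "data") if os.path.isdir(p) else p for p in sboot]`, handles both layouts without inspecting the name. Because `efi-secure-boot` is the kind of grain that compliance states key on, a wrong answer here is silent and worth a fixture test for each layout.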
diff --git a/salt/grains/extra.py b/salt/grains/extra.py index 4180ff3b51e..6019c1bbe6f 100644 --- a/salt/grains/extra.py +++ b/salt/grains/extra.py @@ -82,12 +82,20 @@ def __secure_boot(efivars_dir): return enabled -def uefi(): - """Populate UEFI grains.""" - efivars_dir = next( +def get_secure_boot_path(): + """ + Provide paths for secure boot directories and files + """ + efivars_path = next( filter(os.path.exists, ["/sys/firmware/efi/efivars", "/sys/firmware/efi/vars"]), None, ) + return efivars_path + + +def uefi(): + """Populate UEFI grains.""" + efivars_dir = get_secure_boot_path() grains = { "efi": bool(efivars_dir), "efi-secure-boot": __secure_boot(efivars_dir) if efivars_dir else False, diff --git a/tests/pytests/functional/grains/test_secure_boot.py b/tests/pytests/functional/grains/test_secure_boot.py new file mode 100644 index 00000000000..226d9e4c6d0 --- /dev/null +++ b/tests/pytests/functional/grains/test_secure_boot.py @@ -0,0 +1,51 @@ +""" + :codeauthor: :email:`David Murphy Date: Mon, 14 Oct 2024 15:28:35 -0600 Subject: [PATCH 4/6] Added tests to excerise changes for efi-secure-boot grain --- .../functional/grains/test_secure_boot.py | 51 ------- tests/pytests/unit/grains/test_secure_boot.py | 129 ++++++++++++++++++ 2 files changed, 129 insertions(+), 51 deletions(-) delete mode 100644 tests/pytests/functional/grains/test_secure_boot.py create mode 100644 tests/pytests/unit/grains/test_secure_boot.py diff --git a/tests/pytests/functional/grains/test_secure_boot.py b/tests/pytests/functional/grains/test_secure_boot.py deleted file mode 100644 index 226d9e4c6d0..00000000000 --- a/tests/pytests/functional/grains/test_secure_boot.py +++ /dev/null 
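Review bot: `get_secure_boot_path` is introduced as a public function in a grains module, and the module's own convention (`__secure_boot` is kept private while `config` and `uefi` are grain entry points) suggests the loader treats every public callable as a grain function whose return value is expected to be a dict; a bare string or `None` would then be rejected on every grains refresh — confirm against the grains loader and, if so, rename it `_get_secure_boot_path`. The docstring also promises more than the code delivers: it returns a single directory or `None`, not "paths for secure boot directories and files", so `"""Return the first existing EFI variables directory (efivarfs or legacy sysfs vars), or None if neither exists."""` matches the `next(filter(...), None)` below it. The body of `uefi` continues past the end of this hunk.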
@@ -1,51 +0,0 @@ -""" - :codeauthor: :email:`David Murphy Date: Tue, 15 Oct 2024 14:05:49 -0600 Subject: [PATCH 5/6] Disable signing mac packages --- .github/workflows/ci.yml | 2 +- .github/workflows/nightly.yml | 6 +++--- .github/workflows/release.yml | 2 +- .github/workflows/scheduled.yml | 2 +- .github/workflows/staging.yml | 6 +++--- .github/workflows/templates/build-packages.yml.jinja | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a1bbf26343f..464125f5f20 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github/workflows/templates/ci.yml.jinja' +# Instead, edit the template '.github\workflows\templates\ci.yml.jinja' --- name: CI run-name: "CI (${{ github.event_name == 'pull_request' && format('pr: #{0}', github.event.number) || format('{0}: {1}', startsWith(github.event.ref, 'refs/tags') && 'tag' || 'branch', github.ref_name) }})" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 69414ce310c..3a28b6a789a 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github/workflows/templates/nightly.yml.jinja' +# Instead, edit the template '.github\workflows\templates\nightly.yml.jinja' --- name: Nightly @@ -514,7 +514,7 @@ jobs: python-version: "3.10.15" source: "onedir" environment: nightly - sign-macos-packages: true + sign-macos-packages: false sign-windows-packages: false secrets: inherit @@ -532,7 +532,7 @@ jobs: python-version: "3.10.15" source: "src" environment: nightly - sign-macos-packages: true + sign-macos-packages: false sign-windows-packages: false secrets: inherit build-ci-deps: 
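Review bot: Nothing in the series records why macOS signing is being turned off for both nightly build-packages jobs (the `onedir` and `src` sources), and the header of every touched workflow says these files are regenerated from templates, so the reason will not survive in the generated file either. Unsigned nightly `.pkg` artifacts presumably fail Gatekeeper for anyone testing them, which is a behaviour change testers should be able to trace to a cause and a restore condition. Record it next to the flag in the template that emits these lines, e.g. `{# macOS package signing disabled <date>: <reason>, tracked in #<issue>; restore when the signing identity is available #}`, and in the commit message.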
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 30ced2d7efa..be98cc82d8b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github/workflows/templates/release.yml.jinja' +# Instead, edit the template '.github\workflows\templates\release.yml.jinja' --- name: Release diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index dc57040b92c..631aea5709f 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github/workflows/templates/scheduled.yml.jinja' +# Instead, edit the template '.github\workflows\templates\scheduled.yml.jinja' --- name: Scheduled diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml index 6a240294ad2..999b8015d72 100644 --- a/.github/workflows/staging.yml +++ b/.github/workflows/staging.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github/workflows/templates/staging.yml.jinja' +# Instead, edit the template '.github\workflows\templates\staging.yml.jinja' --- name: Stage Release @@ -499,7 +499,7 @@ jobs: python-version: "3.10.15" source: "onedir" environment: staging - sign-macos-packages: true + sign-macos-packages: false sign-windows-packages: ${{ inputs.sign-windows-packages }} secrets: inherit @@ -517,7 +517,7 @@ jobs: python-version: "3.10.15" source: "src" environment: staging - sign-macos-packages: true + sign-macos-packages: false sign-windows-packages: ${{ inputs.sign-windows-packages }} secrets: inherit build-ci-deps: 
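Review bot: In the two staging jobs `sign-macos-packages` is hard-coded to `false` while the line directly below keeps `sign-windows-packages: ${{ inputs.sign-windows-packages }}`, so the operator who dispatches a staging run can still choose to sign Windows packages but can no longer sign macOS ones at all, and staging artifacts are presumably what gets promoted to a release. Mirroring the Windows handling, `sign-macos-packages: ${{ inputs.sign-macos-packages }}`, with a `workflow_dispatch` input of that name defaulting to `false` (the inputs section is outside this hunk), keeps signing switchable without another template edit. Whatever is chosen belongs in the `.jinja` template, since this file's header says direct edits are overwritten.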
diff --git a/.github/workflows/templates/build-packages.yml.jinja b/.github/workflows/templates/build-packages.yml.jinja index 745bcc3c9ca..e2ae278a044 100644 --- a/.github/workflows/templates/build-packages.yml.jinja +++ b/.github/workflows/templates/build-packages.yml.jinja @@ -19,7 +19,7 @@ source: "<{ backend }>" <%- if gh_environment != "ci" %> environment: <{ gh_environment }> - sign-macos-packages: true + sign-macos-packages: false sign-windows-packages: <% if gh_environment == 'nightly' -%> false <%- else -%> ${{ inputs.sign-windows-packages }} <%- endif %> secrets: inherit <%- endif %> From 28662c490b4a66cd3ad47f2f1c74e34040ed015e Mon Sep 17 00:00:00 2001 From: twangboy Date: Wed, 16 Oct 2024 09:17:43 -0600 Subject: [PATCH 6/6] Fix slashes --- .github/workflows/ci.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- .github/workflows/scheduled.yml | 2 +- .github/workflows/staging.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 464125f5f20..a1bbf26343f 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github\workflows\templates\ci.yml.jinja' +# Instead, edit the template '.github/workflows/templates/ci.yml.jinja' --- name: CI run-name: "CI (${{ github.event_name == 'pull_request' && format('pr: #{0}', github.event.number) || format('{0}: {1}', startsWith(github.event.ref, 'refs/tags') && 'tag' || 'branch', github.ref_name) }})" diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 3a28b6a789a..10182dac0d5 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml 
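Review bot: This template line is the source for every generated build-packages job outside `ci`, so the literal `false` will be re-emitted for nightly and staging on every regeneration, and there is no input or comment that lets a future regeneration turn signing back on. The neighbouring `sign-windows-packages` line already shows the pattern this flag should follow: `sign-macos-packages: <% if gh_environment == 'nightly' -%> false <%- else -%> ${{ inputs.sign-macos-packages }} <%- endif %>`, with the corresponding input declared in the staging template. A template comment stating why signing is disabled and what restores it would also keep the rationale where the generated-file headers send editors.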
@@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github\workflows\templates\nightly.yml.jinja' +# Instead, edit the template '.github/workflows/templates/nightly.yml.jinja' --- name: Nightly diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index be98cc82d8b..30ced2d7efa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github\workflows\templates\release.yml.jinja' +# Instead, edit the template '.github/workflows/templates/release.yml.jinja' --- name: Release diff --git a/.github/workflows/scheduled.yml b/.github/workflows/scheduled.yml index 631aea5709f..dc57040b92c 100644 --- a/.github/workflows/scheduled.yml +++ b/.github/workflows/scheduled.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github\workflows\templates\scheduled.yml.jinja' +# Instead, edit the template '.github/workflows/templates/scheduled.yml.jinja' --- name: Scheduled diff --git a/.github/workflows/staging.yml b/.github/workflows/staging.yml index 999b8015d72..e625038505e 100644 --- a/.github/workflows/staging.yml +++ b/.github/workflows/staging.yml @@ -1,5 +1,5 @@ # Do not edit these workflows directly as the changes made will be overwritten. -# Instead, edit the template '.github\workflows\templates\staging.yml.jinja' +# Instead, edit the template '.github/workflows/templates/staging.yml.jinja' --- name: Stage Release