From 6851ad8cf4a22a6df7d6f756807dcaf85d3c6239 Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 26 Mar 2026 10:18:13 -0400
Subject: [PATCH 1/2] efisecdb: fix the "default" hash

When we run `efisecdb -t help` it says:

$ efisecdb -t help
Supported hashes: sha512 sha384 sha256 sha1
Default hash is sha256

But in practice we see:

$ efisecdb -o dbx.bin -a -g {empty} -h e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
efisecdb: hash type is not set

This changes it so we actually default to sha256.

Signed-off-by: Peter Jones
---
 src/efisecdb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/efisecdb.c b/src/efisecdb.c
index 40484da7..7b0b35b4 100644
--- a/src/efisecdb.c
+++ b/src/efisecdb.c
@@ -68,7 +68,8 @@ set_hash_parameters(char *name, int *hash_number)
 	if (strcmp(name, "help")) {
 		out = stderr;
 		for (int i = 0; i < n_hash_params; i++) {
-			if (!strcmp(name, hash_params[i].name)) {
+			if (!strcmp(name, hash_params[i].name) ||
+			    (!strcmp(name, "default") && hash_params[i].def == true)) {
 				*hash_number = i;
 				return;
 			}
@@ -360,6 +361,11 @@ main(int argc, char *argv[])
 	atexit(free_infiles);
 	atexit(maybe_free_secdb);
 
+	/*
+	 * Set the "default" hash
+	 */
+	set_hash_parameters("default", &hash_index);
+
 	/*
 	 * parse the command line.
 	 *

From af1f034300a54ac94ac6b607977f6f3b4a86fb6f Mon Sep 17 00:00:00 2001
From: Peter Jones
Date: Thu, 26 Mar 2026 10:29:24 -0400
Subject: [PATCH 2/2] efisecdb: hide SHA-1 support

While it's nice to support SHA-1 so we can e.g. build test databases that look like that one insane vendor's 'db', there's no reason to advertise this and encourage people to do it.

This patch makes it so "efisecdb -t help" doesn't show that we support SHA-1.

Signed-off-by: Peter Jones
---
 src/efisecdb.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/efisecdb.c b/src/efisecdb.c
index 7b0b35b4..b48bdfc1 100644
--- a/src/efisecdb.c
+++ b/src/efisecdb.c
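Review bot: The new alternative in the `if` makes `default` an accepted name from the command line (`-t default`) as a side effect of the internal lookup, yet `-t help` never lists it; either document the alias in the help output or resolve it only from the caller that needs it rather than through the user-facing name match. A style point on the same line: `hash_params[i].def == true` compares a bool against `true`; `hash_params[i].def` reads the same and matches how the help loop already tests the field (`if (hash_params[i].def)`). The contract that the table holds one `.def = true` entry is now load-bearing, so a comment above the loop such as `/* "default" resolves to the first entry with .def set; the table must contain one */` would make it explicit, and what happens when no entry is marked depends on the unmatched-name path below the hunk. set_hash_parameters continues outside the hunk.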
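Review bot: The added comment `Set the "default" hash` says what the call does but not why it must sit here, and the placement before option parsing is the whole point since `-t` has to be able to override it; I'd expand it to `/* Pre-select the table's default hash (.def = true) before parsing options so that -t can still override it; without this, -h without -t failed with "hash type is not set". */`. It is also worth revisiting the check that produced the "hash type is not set" error quoted in the commit message: with hash_index now always initialised before parsing, that check presumably can no longer fire unless something else resets the index, so it is either dead code or should become an internal sanity check. main continues outside the hunk.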
@@ -33,6 +33,7 @@ struct hash_param {
 	efi_secdb_type_t algorithm;
 	ssize_t size;
 	bool def;
+	bool hidden;
 };
 
 static struct hash_param hash_params[] = {
@@ -40,21 +41,25 @@ static struct hash_param hash_params[] = {
 	 .algorithm = EFI_SECDB_TYPE_SHA512,
 	 .size = 64,
 	 .def = false,
+	 .hidden = false,
 	},
 	{.name = "sha384",
 	 .algorithm = EFI_SECDB_TYPE_SHA384,
 	 .size = 48,
 	 .def = false,
+	 .hidden = false,
 	},
 	{.name = "sha256",
 	 .algorithm = EFI_SECDB_TYPE_SHA256,
 	 .size = 32,
 	 .def = true,
+	 .hidden = false,
 	},
 	{.name = "sha1",
 	 .algorithm = EFI_SECDB_TYPE_SHA1,
 	 .size = 20,
 	 .def = false,
+	 .hidden = true,
 	},
 };
 static int n_hash_params = sizeof(hash_params) / sizeof(hash_params[0]);
@@ -81,9 +86,11 @@ set_hash_parameters(char *name, int *hash_number)
 	fprintf(out, "Supported hashes:");
 	for (int i = 0; i < n_hash_params; i++) {
-		fprintf(out, " %s", hash_params[i].name);
 		if (hash_params[i].def)
 			def = i;
+		if (hash_params[i].hidden)
+			continue;
+		fprintf(out, " %s", hash_params[i].name);
 	}
 	fprintf(out, "\n");
 	if (def >= 0)
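Review bot: The new `hidden` field encodes a policy decision (which algorithms the tool advertises) without a comment saying what it governs, and the struct definition starts above the hunk so a reader has no nearby explanation. I'd annotate it in place: `bool hidden; /* still accepted by -t, but omitted from "-t help" (legacy algorithms such as SHA-1) */`. The same comment should state that `hidden` and `def` are not meant to be set together, since the help code prints the default by index regardless of its hidden flag.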
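Review bot: Marking `sha1` hidden removes it from the help listing, but `-t sha1` is still accepted silently, so a database built with a hash the tool deliberately stops advertising looks no different from any other run; the name-match in set_hash_parameters (in the first patch, outside this hunk) could emit a warning when it hits a hidden entry, e.g. `if (hash_params[i].hidden) fprintf(stderr, "efisecdb: warning: %s is a weak hash; use it only for test data\n", name);`, using whatever diagnostic helper the file already uses for its other stderr messages. A comment on the entry would also record why it stays in the table at all: `{.name = "sha1", /* kept only for building test dbs that mimic existing vendor databases */`. The four explicit `.hidden = false` lines are redundant with designated-initializer zeroing, but keeping them is a reasonable choice for a table that is meant to be read as a whole.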