The wimboot release process is mildly convoluted due to the requirement for UEFI Secure Boot signing.
Release binaries are committed to the source tree since they are irreplaceable: the signed versions cannot ever be recreated if lost, and the as-submitted unsigned versions are required to verify that no code was altered by the external signing process.
- Ensure that all checks are passing on the current code, and that there are zero defects reported via Coverity Scan.
- Edit `src/Makefile` to update `VERSION`, and to increment `SBAT_GENERATION` if needed (i.e. if the release fixes a new Secure Boot exploit).
- Edit `CHANGELOG.md` to create a section and link for the new release.
- Rebuild with the new version number: `make -C src clean all`
- Commit these changes with a message such as: `[release] Release version 2.7.0`
- Tag the commit, e.g.: `git tag v2.7.0`
- Push the tag (and only the tag), e.g. `git push origin v2.7.0`. This will automatically create a prerelease including the unsigned binaries as committed to the source tree.
- When the tag checks have completed successfully, push as normal: `git push`
- Submit `src/wimboot.cab` for UEFI Secure Boot signing using whatever process is current at the time.
- Wait for Microsoft to sign the UEFI Secure Boot submission.
- Create a signed binary branch based on the release tag, e.g.: `git checkout -b v2.7.0-signed v2.7.0`
- Download the `.zip` file containing the signed binaries.
- Unzip the signed binaries using: `unzip -d src -o -DD *.zip`
- Verify that the binaries have not been altered by the signing process: `make -C src`
- Commit the signed binaries with a message such as: `[release] Release version 2.7.0-signed`
- Push the signed binary branch, e.g.: `git push origin v2.7.0-signed`. This will automatically replace the unsigned binaries and convert the prerelease to a full release.
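The verification step above relies on `make -C src`; this page does not show how the Makefile performs the comparison. As an added example (not wimboot's own code), the following sketch shows one independent way to confirm that a signed PE binary differs from its as-submitted unsigned form only in the fields a signer rewrites: it hashes each image while skipping the checksum field, the certificate table directory entry and the appended certificate table, in the manner of an Authenticode image digest. All function names are hypothetical, the sample images are constructed stand-ins, and it assumes the certificate table is the final region of the file.

```python
import hashlib
import struct

def signing_invariant_digest(image: bytes) -> str:
    """SHA-256 of a PE image, skipping what a signer is allowed to rewrite."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]       # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = pe + 24                                       # optional header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # CheckSum, 4 bytes
    certdir = opt + (128 if magic == 0x10B else 144)    # data directory 4, 8 bytes
    cert_off, cert_len = struct.unpack_from("<II", image, certdir)
    end = cert_off if cert_len else len(image)
    if cert_len and cert_off + cert_len != len(image):
        raise ValueError("certificate table is not the final region of the file")
    h = hashlib.sha256()
    for chunk in (image[:checksum], image[checksum + 4:certdir], image[certdir + 8:end]):
        h.update(chunk)
    # Assumption: the signer zero-pads to an 8-byte boundary before appending.
    h.update(b"\0" * (-end % 8))
    return h.hexdigest()

def unchanged_by_signing(unsigned: bytes, signed: bytes) -> bool:
    return signing_invariant_digest(unsigned) == signing_invariant_digest(signed)

def sample_pe(payload: bytes) -> bytes:
    """Constructed stand-in: bare PE32+ header fields plus payload, not a real binary."""
    img = bytearray(0x200)
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x80 + 24, 0x20B)
    return bytes(img) + payload

def mimic_signing(unsigned: bytes, blob: bytes) -> bytes:
    """Constructed stand-in for a signer: pad, append blob, update header fields."""
    img = bytearray(unsigned) + b"\0" * (-len(unsigned) % 8)
    opt = struct.unpack_from("<I", img, 0x3C)[0] + 24
    struct.pack_into("<I", img, opt + 64, 0x12345678)              # rewritten checksum
    struct.pack_into("<II", img, opt + 144, len(img), len(blob))   # certificate table entry
    return bytes(img) + blob

if __name__ == "__main__":
    plain = sample_pe(b"constructed boot code")
    print(unchanged_by_signing(plain, mimic_signing(plain, b"constructed signature")))
```

A mismatch here means bytes outside the signature-related fields changed between submission and return, which is the condition the committed unsigned binaries exist to detect.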