Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tik for openSUSE:Factory checked in at 2025-09-12 21:09:40 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tik (Old) and /work/SRC/openSUSE:Factory/.tik.new.1977 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tik" Fri Sep 12 21:09:40 2025 rev:33 rq:1304287 version:1.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/tik/tik.changes 2025-09-04 18:02:51.055475487 +0200 +++ /work/SRC/openSUSE:Factory/.tik.new.1977/tik.changes 2025-09-12 21:09:56.976288603 +0200 @@ -1,0 +2,17 @@ +Fri Sep 12 10:30:39 UTC 2025 - Richard Brown <[email protected]> + +- Require tik, not tik-experimental for module-sicu + +------------------------------------------------------------------- +Thu Sep 11 17:34:44 UTC 2025 - Richard Brown <[email protected]> + +- Update to version 1.4.0: + * Self Install and encryption rework (#59) + +------------------------------------------------------------------- +Tue Sep 09 09:03:00 UTC 2025 - Richard Brown <[email protected]> + +- Update to version 1.3.18: + * [15-encrypt] Also mount /run in chroot for udev + +------------------------------------------------------------------- Old: ---- tik-1.3.17.obscpio New: ---- tik-1.4.0.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tik.spec ++++++ --- /var/tmp/diff_new_pack.ICEXsE/_old 2025-09-12 21:09:57.756321494 +0200 +++ /var/tmp/diff_new_pack.ICEXsE/_new 2025-09-12 21:09:57.756321494 +0200 @@ -17,7 +17,7 @@ Name: tik -Version: 1.3.17 +Version: 1.4.0 Release: 0 Summary: Transactional Installation Kit License: MIT @@ -70,6 +70,13 @@ %description module-encrypt Encryption module for tik. Encrypts btrfs rootfs using various different supported credentials and recovery-keys. +%package module-sicu +Summary: SelfInstall CleanUp module for tik +Requires: tik + +%description module-sicu +SelfInstall CleanUp module for tik. Removes & reconfigures things in a SelfInstall-deployed system that cant otherwise be handled via systemd-repart. + %prep %autosetup 
@@ -95,6 +102,8 @@ install -D -m 644 usr/lib/tik/modules/pre/15-encrypt %{buildroot}%{_prefix}/lib/tik/modules/pre install -D -m 644 usr/lib/tik/modules/post/15-encrypt %{buildroot}%{_prefix}/lib/tik/modules/post +install -D -m 644 usr/lib/tik/modules/post/10-sicu %{buildroot}%{_prefix}/lib/tik/modules/post + %files %license LICENSE %doc README.md @@ -127,3 +136,6 @@ %{_prefix}/lib/tik/modules/pre/15-encrypt %{_prefix}/lib/tik/modules/post/15-encrypt +%files module-sicu +%{_prefix}/lib/tik/modules/post/10-sicu + ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ICEXsE/_old 2025-09-12 21:09:57.780322507 +0200 +++ /var/tmp/diff_new_pack.ICEXsE/_new 2025-09-12 21:09:57.784322675 +0200 @@ -3,7 +3,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/sysrich/tik.git</param> <param name="scm">git</param> - <param name="revision">v1.3.17</param> + <param name="revision">v1.4.0</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ICEXsE/_old 2025-09-12 21:09:57.808323687 +0200 +++ /var/tmp/diff_new_pack.ICEXsE/_new 2025-09-12 21:09:57.812323855 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sysrich/tik.git</param> - <param name="changesrevision">b81556ad4527e1eb0725c952027c9dbde3776d55</param></service></servicedata> + <param name="changesrevision">1631c4f06ba568917fda08b65646a822062a9d20</param></service></servicedata> (No newline at EOF) ++++++ tik-1.3.17.obscpio -> tik-1.4.0.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.17/usr/lib/tik/lib/tik-functions new/tik-1.4.0/usr/lib/tik/lib/tik-functions --- old/tik-1.3.17/usr/lib/tik/lib/tik-functions 2025-09-04 14:27:11.000000000 +0200 +++ new/tik-1.4.0/usr/lib/tik/lib/tik-functions 2025-09-11 19:32:43.000000000 +0200 
@@ -366,8 +366,10 @@ # Even if there's no partitions using encryption, systemd-repart will need a key-file defined for the --key-file parameter. tik_keyfile=$(prun mktemp /tmp/tik.XXXXXXXXXX) log "[create_keyfile] Creating keyfile ${tik_keyfile}" - prun /usr/bin/dd bs=512 count=4 if=/dev/urandom of=${tik_keyfile} iflag=fullblock + /usr/bin/base64 -w 0 /dev/urandom | head -c 1k | prun tee ${tik_keyfile} prun /usr/bin/chmod 400 ${tik_keyfile} + # Add the key to roots cryptenroll keyring, and record tik_keyid for either interactions later + tik_keyid=$(prun cat ${tik_keyfile} | prun keyctl padd user cryptenroll @u) } wipe_keyfile() { @@ -378,8 +380,10 @@ # Assumes Slot 0 is always by the key-file at enrolment prun /usr/bin/systemd-cryptenroll --unlock-key-file=${tik_keyfile} --wipe-slot=0 ${probedpart} fi - # We're done with the key-file, so remove it + # We're done with the key-file, so remove it from the filesystem and keyring prun /usr/bin/rm ${tik_keyfile} + prun keyctl revoke ${tik_keyid} + prun keyctl reap } dump_image() { @@ -443,7 +447,7 @@ local image_target=$1 create_keyfile log "[dump_image_repart_self] self-deploying" - prun systemd-repart --no-pager --pretty=0 --empty=force --dry-run=no --key-file=${tik_keyfile} ${image_target} > >(d --progress --title="Installing ${TIK_OS_NAME}" --text="Deploying OS Image" --pulsate --auto-close --no-cancel --width=400) + prun systemd-repart --no-pager --pretty=0 --empty=force --dry-run=no --key-file=${tik_keyfile} --generate-fstab=/etc/fstab.repart ${image_target} > >(d --progress --title="Installing ${TIK_OS_NAME}" --text="Deploying OS Image" --pulsate --auto-close --no-cancel --width=400) } set_boot_target() { 
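Review bot: In create_keyfile, `prun tee ${tik_keyfile}` also copies the generated key to tee's stdout, so the key material now leaves the file in a way the old `dd ... of=${tik_keyfile}` did not; if prun captures or logs command output, the raw key lands there as well. Discarding the duplicate, `/usr/bin/base64 -w 0 /dev/urandom | head -c 1k | prun tee ${tik_keyfile} > /dev/null`, keeps the key on disk and on the `keyctl padd` stdin only. The base64/head stages also run unprivileged, so the secret is produced in the installer user's process before it is handed to root; worth a comment if that is accepted.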
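Review bot: In wipe_keyfile, `prun keyctl revoke ${tik_keyid}` runs unguarded, so if create_keyfile's `keyctl padd` failed or this path is reached without it, keyctl is invoked with an empty id and fails before `keyctl reap` runs. Guard it, `if [ -n "${tik_keyid}" ]; then prun keyctl revoke "${tik_keyid}"; fi`. Note also that only the cryptenroll key is revoked here; the recovery key that 15-encrypt's generate_recoveryKey adds to the same root user keyring as `sdbootutil` is not removed anywhere in this diff and stays readable to root for the rest of the installer session (whether sdbootutil unlinks it itself is not visible here).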
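Review bot: `--generate-fstab=/etc/fstab.repart` is an absolute path handed to systemd-repart running on the installer host via prun, so (absent a --root) the file is written to the installer's /etc, yet the new post module 10-sicu reads it from the deployed system at `${sicu_dir}/mnt/etc/fstab.repart` while deleting `/etc/fstab.repart` from the host. The two paths in sicu() disagree with each other, and if the read side is the wrong one, `prun /usr/bin/cat … | prun tee ${sicu_dir}/mnt/etc/fstab` truncates the target's fstab to just the bind line appended afterwards. Either generate into a location both sides agree on (for example under the /tmp that 10-sicu bind-mounts into the chroot) or copy the host file into the target explicitly, and check the cat succeeded before overwriting fstab. dump_image_repart_self is fully within this hunk; the consuming code is in the 10-sicu hunk later in this diff.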
@@ -455,6 +459,8 @@ else # Cleanup any existing openSUSE boot entries prun-opt /usr/sbin/efibootmgr -B -L "openSUSE Boot Manager" + # Cleanup any existing ${TIK_OS_NAME} boot entries + prun-opt /usr/sbin/efibootmgr -B -L "${TIK_OS_NAME} Boot Manager" prun /usr/sbin/efibootmgr -O log "[set_boot_target] searching for ESP partition containing /EFI/systemd/shim.efi on ${TIK_INSTALL_DEVICE}" probe_partitions ${TIK_INSTALL_DEVICE} "vfat" "/EFI/systemd/shim.efi" @@ -463,7 +469,7 @@ fi efipartnum=$(lsblk ${probedpart} -p -n -r -o PARTN) log "[set_boot_target] found ESP on ${probedpart}, partition number ${efipartnum}" - prun /usr/sbin/efibootmgr -c -L "openSUSE Boot Manager" -d ${TIK_INSTALL_DEVICE} -l "\EFI\systemd\shim.efi" -p ${efipartnum} + prun /usr/sbin/efibootmgr -c -L "${TIK_OS_NAME} Boot Manager" -d ${TIK_INSTALL_DEVICE} -l "\EFI\systemd\shim.efi" -p ${efipartnum} # Log to show the resulting eficonfig log "[set_boot_target] $(prun /usr/sbin/efibootmgr)" efi_already_set=1 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.17/usr/lib/tik/modules/post/10-sicu new/tik-1.4.0/usr/lib/tik/modules/post/10-sicu --- old/tik-1.3.17/usr/lib/tik/modules/post/10-sicu 1970-01-01 01:00:00.000000000 +0100 +++ new/tik-1.4.0/usr/lib/tik/modules/post/10-sicu 2025-09-11 19:32:43.000000000 +0200 
@@ -0,0 +1,106 @@ +# SPDX-License-Identifier: MIT +# SPDX-FileCopyrightText: Copyright 2025 SUSE LLC +# SPDX-FileCopyrightText: Copyright 2025 Richard Brown + +# Module that cleans up various things from a SelfInstall deployed system that otherwise can't be filtered out using repart.d config + +sicu_dir=/var/lib/tik/sicu +sicu_pipe=/tmp/sicupipe +if [ ! -d ${sicu_dir}/mnt ]; then + prun /usr/bin/mkdir -p ${sicu_dir}/mnt +fi +if [ ! -p ${sicu_pipe} ]; then + mkfifo ${sicu_pipe} +fi + +sicu_progress() { + log "[sicu_progress] Monitoring SelfInstall Clean Up progress" + (tail -f ${sicu_pipe}) | d --progress --title="Cleaning up installation" --auto-close --no-cancel --width=400 + rm ${sicu_pipe} + log "[sicu_progress] SelfInstall Clean Up progress reached 100%" +} + +find_crypt() { + echo "# Finding encrypted partition" > ${sicu_pipe} + log "[find_crypt] finding encrypted partition" + probe_partitions ${TIK_INSTALL_DEVICE} "crypto_LUKS" + if [ -z "${probedpart}" ]; then + error "encrypted partition not found" + fi + cryptpart=${probedpart} + log "[find_crypt] found ${cryptpart}" + echo "14" > ${sicu_pipe} +} + +find_esp() { + echo "# Finding ESP partition" > ${sicu_pipe} + log "[find_esp] finding ESP" + probe_partitions ${TIK_INSTALL_DEVICE} "vfat" + if [ -z "${probedpart}" ]; then + error "esp partition not found" + fi + esppart=${probedpart} + log "[find_esp] found ${esppart}" + echo "28" > ${sicu_pipe} +} + +open_partition() { + echo "# Opening ${cryptpart}" > ${sicu_pipe} + log "[open_partition] opening ${cryptpart} and mounting for chroot" + prun /usr/sbin/cryptsetup luksOpen --key-file=${tik_keyfile} ${cryptpart} aeon_root + echo "35" > ${sicu_pipe} + prun /usr/bin/mount -o compress=zstd:1 /dev/mapper/aeon_root ${sicu_dir}/mnt + prun /usr/bin/mount -t proc /proc "${sicu_dir}/mnt/proc" + prun /usr/bin/mount --bind /sys "${sicu_dir}/mnt/sys" + prun /usr/bin/mount -t securityfs securityfs "${sicu_dir}/mnt/sys/kernel/security" + prun /usr/bin/mount -t efivarfs 
efivarfs "${sicu_dir}/mnt/sys/firmware/efi/efivars" + prun /usr/bin/mount --bind /dev "${sicu_dir}/mnt/dev" + prun /usr/bin/mount --bind /run "${sicu_dir}/mnt/run" + prun /usr/bin/mount --bind /tmp "${sicu_dir}/mnt/tmp" + prun /usr/bin/mount -o compress=zstd:1,subvol=/@/.snapshots /dev/mapper/aeon_root ${sicu_dir}/mnt/.snapshots + prun /usr/bin/mount -o compress=zstd:1,subvol=/@/var /dev/mapper/aeon_root ${sicu_dir}/mnt/var + # Detect whether /etc is overlay else assume it's a T-U 5.0+ later bind mount + if grep -qF 'overlay /etc' ${sicu_dir}/mnt/etc/fstab ; then + etcmountcmd=$(cat ${sicu_dir}/mnt/etc/fstab | grep "overlay /etc" | sed 's/\/sysroot\//${sicu_dir}\/mnt\//g' | sed 's/\/work-etc.*/\/work-etc ${sicu_dir}\/mnt\/etc\//' | sed 's/overlay \/etc overlay/\/usr\/bin\/mount -t overlay overlay -o/') + eval prun "$etcmountcmd" + else + prun /usr/bin/mount -o bind ${sicu_dir}/mnt/etc ${sicu_dir}/mnt/etc + fi + prun /usr/bin/mount ${esppart} ${sicu_dir}/mnt/boot/efi + echo "42" > ${sicu_pipe} +} + +sicu() { + echo "# Writing fstab" > ${sicu_pipe} + log "[sicu] Writing fstab" + prun /usr/bin/cat ${sicu_dir}/mnt/etc/fstab.repart | prun tee ${sicu_dir}/mnt/etc/fstab + echo "/etc /etc none bind,x-initrd.mount 0 0" | prun tee -a ${sicu_dir}/mnt/etc/fstab + prun /usr/bin/rm /etc/fstab.repart + echo "56" > ${sicu_pipe} + echo "# Cleaning up tik installer" > ${sicu_pipe} + log "[sicu] Deleting tik user" + prun /usr/bin/chroot ${sicu_dir}/mnt userdel -r tik + log "[sicu] Enabling initial-setup" + prun /usr/bin/rm ${sicu_dir}/mnt/var/lib/gdm/block-initial-setup + log "[sicu] Disabling tik autologin" + prun /usr/bin/sed -i 's/DISPLAYMANAGER_AUTOLOGIN="tik"/DISPLAYMANAGER_AUTOLOGIN=""/' ${sicu_dir}/mnt/etc/sysconfig/displaymanager + echo "70" > ${sicu_pipe} +} + +close_partition() { + echo "# Closing ${cryptpart}" > ${sicu_pipe} + log "[close_partition] unmounting and closing ${cryptpart}" + for i in proc dev tmp 'boot/efi' etc var '.snapshots' 'sys/kernel/security' 
'sys/firmware/efi/efivars' sys run; do + prun /usr/bin/umount "${sicu_dir}/mnt/$i" + done + prun /usr/bin/umount "${sicu_dir}/mnt" + prun /usr/sbin/cryptsetup luksClose aeon_root + echo "100" > ${sicu_pipe} +} + +sicu_progress & +find_crypt +find_esp +open_partition +sicu +close_partition diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.17/usr/lib/tik/modules/post/15-encrypt new/tik-1.4.0/usr/lib/tik/modules/post/15-encrypt --- old/tik-1.3.17/usr/lib/tik/modules/post/15-encrypt 2025-09-04 14:27:11.000000000 +0200 +++ new/tik-1.4.0/usr/lib/tik/modules/post/15-encrypt 2025-09-11 19:32:43.000000000 +0200 @@ -64,9 +64,13 @@ prun /usr/sbin/cryptsetup luksOpen --key-file=${tik_keyfile} ${cryptpart} aeon_root echo "35" > ${encrypt_pipe} prun /usr/bin/mount -o compress=zstd:1 /dev/mapper/aeon_root ${encrypt_dir}/mnt - for i in proc dev sys tmp 'sys/firmware/efi/efivars' 'sys/fs/cgroup'; do - prun /usr/bin/mount --bind "/$i" "${encrypt_dir}/mnt/$i" - done + prun /usr/bin/mount -t proc /proc "${encrypt_dir}/mnt/proc" + prun /usr/bin/mount --bind /sys "${encrypt_dir}/mnt/sys" + prun /usr/bin/mount -t securityfs securityfs "${encrypt_dir}/mnt/sys/kernel/security" + prun /usr/bin/mount -t efivarfs efivarfs "${encrypt_dir}/mnt/sys/firmware/efi/efivars" + prun /usr/bin/mount --bind /dev "${encrypt_dir}/mnt/dev" + prun /usr/bin/mount --bind /run "${encrypt_dir}/mnt/run" + prun /usr/bin/mount --bind /tmp "${encrypt_dir}/mnt/tmp" prun /usr/bin/mount -o compress=zstd:1,subvol=/@/.snapshots /dev/mapper/aeon_root ${encrypt_dir}/mnt/.snapshots prun /usr/bin/mount -o compress=zstd:1,subvol=/@/var /dev/mapper/aeon_root ${encrypt_dir}/mnt/var # Detect whether /etc is overlay else assume it's a T-U 5.0+ later bind mount 
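Review bot: `mkfifo ${sicu_pipe}` creates the progress pipe at the fixed path /tmp/sicupipe and only skips creation when a FIFO is already there; any other pre-existing object at that name makes mkfifo fail and the later `echo … > ${sicu_pipe}` redirections write to whatever sits at the path, as the installer user. Create it inside a private directory instead, `sicu_tmp=$(mktemp -d) && sicu_pipe=${sicu_tmp}/pipe && mkfifo "${sicu_pipe}"`, and remove the directory where sicu_progress currently does `rm ${sicu_pipe}`. The `eval prun "$etcmountcmd"` line builds a mount command from the deployed image's /etc/fstab through sed and evaluates it; the input is the image just written rather than user input, but a comment saying so (`# eval runs over the freshly deployed image's fstab, not user-supplied data`) would help the next reader. Also `sicu()` removes /etc/fstab.repart with a plain `prun /usr/bin/rm`; an `-f` or an existence check keeps a missing file from aborting the rest of the module.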
@@ -77,16 +81,10 @@ prun /usr/bin/mount -o bind ${encrypt_dir}/mnt/etc ${encrypt_dir}/mnt/etc fi prun /usr/bin/mount ${esppart} ${encrypt_dir}/mnt/boot/efi - prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/run" - prun /usr/bin/mount -t securityfs securityfs "${encrypt_dir}/mnt/sys/kernel/security" echo "42" > ${encrypt_pipe} } configure_encryption() { - # If Default Mode has been detected, configure crypttab for TPM - if [ "${tik_encrypt_mode}" == 0 ]; then - crypttab_opts=',tpm2-device=auto,tpm2-measure-pcr=yes' - fi echo "# Writing cmdline, crypttab, and fstab" > ${encrypt_pipe} log "[configure_encryption] configuring cmdline, crypttab, PCR policy, fstab and populating ${esppart}" espUUID=$(lsblk -n -r -o UUID ${esppart}) 
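Review bot: Dropping the `crypttab_opts` block means /etc/crypttab is now written (next hunk, `echo "aeon_root UUID=${cryptUUID} none x-initrd.attach"`) without `tpm2-device=auto,tpm2-measure-pcr=yes` in default mode; the commit appears to hand TPM setup to `sdbootutil --method=tpm2 enroll`, but whether that call rewrites crypttab is not visible here. If it does not, the initrd will not attempt TPM unlock and every boot falls back to prompting. A one-line comment above the crypttab write naming which tool owns the tpm2 options would make the dependency explicit. configure_encryption continues past this hunk.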
@@ -96,28 +94,23 @@ prun /usr/bin/sed -i -e "s,\$, root=UUID=${rootUUID}," ${encrypt_dir}/mnt/etc/kernel/cmdline # /etc/crypttab is a hard requirement of sdbootutil for updating predictions cryptUUID=$(lsblk -n -r -d -o UUID ${cryptpart}) - echo "aeon_root UUID=${cryptUUID} none x-initrd.attach${crypttab_opts}" | prun tee ${encrypt_dir}/mnt/etc/crypttab + echo "aeon_root UUID=${cryptUUID} none x-initrd.attach" | prun tee ${encrypt_dir}/mnt/etc/crypttab echo "# Installing boot loader" > ${encrypt_pipe} - # Populate /var if it's empty - if [ ! -d ${encrypt_dir}/mnt/var/lib ]; then - prun-opt /usr/bin/chroot ${encrypt_dir}/mnt systemd-tmpfiles --create --no-pager - fi - # If Default mode has been detected, configure PCR policy and PCR15 keys. + # FIXME: Dracut gets confused by previous installations on occasion with the default config, override the problematic option temporarily + /usr/bin/echo 'hostonly_cmdline="no"' | prun tee ${encrypt_dir}/mnt/etc/dracut.conf.d/99-tik.conf + # Install bootloader with sdbootutil + prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi --no-variables install 1>&2 + echo "56" > ${encrypt_pipe} + echo "# Enrolling recovery key" > ${encrypt_pipe} + prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi --method=recovery-key enroll 1>&2 + echo "70" > ${encrypt_pipe} + # If Default mode has been detected, configure PCR policy. # `etc/sysconfig/fde-tools` must be created before any calls to sdbtools, # because sdbootutil expects at least one of the configuration files being # present. See # https://github.com/openSUSE/sdbootutil/commit/8d3db8b01f5681c11054c37145aad3e3973a7741 if [ "${tik_encrypt_mode}" == 0 ]; then - # Make path for sdbootutil if it doesn't exist - if [ ! 
-d ${encrypt_dir}/mnt/var/lib/sdbootutil ]; then - prun /usr/bin/mkdir -p ${encrypt_dir}/mnt/var/lib/sdbootutil - fi - # Generate keys for signing PCR15 predictions - local private="${encrypt_dir}/mnt/var/lib/sdbootutil/measure-pcr-private.pem" - local public="${encrypt_dir}/mnt/var/lib/sdbootutil/measure-pcr-public.pem" - [ -f "$private" ] || prun openssl genrsa -out "$private" 4096 - # Writes "writing RSA key" in stderr and -noout is not doing what I was expecting - [ -f "$public" ] || prun openssl rsa -in "$private" -pubout -out "$public" 2> /dev/null + echo "# Enrolling TPM key" > ${encrypt_pipe} # Explaining the chosen PCR list below # - 4 - Bootloader and drivers, should never recovery key as bootloader should only be updated with new PCR measurements # - 5 - GPT Partition table, should never require recovery key as partition layout shouldn't change 
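Review bot: `sdbootutil … --method=recovery-key enroll` depends on a key named `sdbootutil` already being in root's user keyring, which only holds because the last hunk of this file moves generate_recoveryKey ahead of configure_encryption; nothing in this function states or checks that ordering. A comment above the enroll call (`# requires the 'sdbootutil' key placed in @u by generate_recoveryKey`) or a guard such as `prun keyctl search @u user sdbootutil >/dev/null || error "recovery key not in keyring"` would make the dependency fail loudly instead of producing an enrolment without a recovery key. The dracut override written here is removed in the following hunk, so the pairing is fine. configure_encryption's body continues outside this hunk.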
@@ -129,55 +122,52 @@ # - 1 - Not only changes with CPU/RAM/hardware changes, but also when UEFI config changes are made, which is too common to lockdown # - 2 - Includes option ROMs on pluggable hardware, such as external GPUs. Attaching a GPU to your laptop shouldn't hinder booting. # - 3 - Firmware from pluggable hardware. Attaching hardware to your laptop shouldn't hinder booting + prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi --method=tpm2 enroll 1>&2 + else + echo "# Enrolling fallback password" > ${encrypt_pipe} + d --width=500 --height=300 --no-wrap --warning --icon=security-high-symbolic --title="Set Encryption Passphrase" --text="This ${TIK_OS_NAME} system is encrypted and will require a Passphrase on every boot\n\nYou will be prompted to set the Passphrase on the next screen\n\nFor more information please visit <tt>https://aeondesktop.org/encrypt</tt>" + log "[configure_encryption] Fallback Mode - Prompting user for passphrase for ${cryptpart}" + # Not using 'd' function to avoid logging the password + # FIXME - Now use 'd' function and logging=false + while true + do + if $gui; then + pw=$(zenity --password --title='Set Encryption Passphrase') + pw_check=$(zenity --password --title='Type Passphrase Again') + else + cenity pw --password --title="Set Encryption Passphrase" + cenity pw_check --password --title="Type Passphrase Again" + fi + # Ask again, and double check the user is putting the right passphrase again. + if [ "${pw}" != "${pw_check}" ]; then + d --warning --no-wrap --title="Passphrase did not match" --text="Please try again" + # Reset variable, so we can try again + pw="" + fi + if [ -n "${pw}" ]; then + prun /usr/sbin/cryptsetup luksAddKey --key-file=${tik_keyfile} --batch-mode --force-password "${cryptpart}" <<<"${pw}" + # Initrd wasn't generated by install or enroll as no TPM interaction, so do it now. 
+ prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi mkinitrd 1>&2 + fi + break + done fi - # Populate ESP - prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi --no-variables install 1>&2 - echo "56" > ${encrypt_pipe} - echo "# Creating initrd" > ${encrypt_pipe} - # FIXME: Dracut gets confused by previous installations on occasion with the default config, override the problematic option temporarily - /usr/bin/echo 'hostonly_cmdline="no"' | prun tee ${encrypt_dir}/mnt/etc/dracut.conf.d/99-tik.conf - # mkinitrd done by add-all-kernels - prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv --esp-path /boot/efi --no-variables add-all-kernels 1>&2 # FIXME: Dracut gets confused by previous installations on occasion with the default config, remove override now initrd done prun /usr/bin/rm ${encrypt_dir}/mnt/etc/dracut.conf.d/99-tik.conf - echo "70" > ${encrypt_pipe} - # If Default mode has been detected, update predictions and enroll - if [ "${tik_encrypt_mode}" == 0 ]; then - prun /usr/bin/tee ${encrypt_dir}/mnt/etc/systemd/system/firstboot-update-predictions.service << EOF -[Unit] -Description=First Boot Update Predictions -ConditionSecurity=tpm2 - -[Service] -Type=oneshot -ExecStart=rm /etc/systemd/system/firstboot-update-predictions.service -ExecStart=rm /etc/systemd/system/default.target.wants/firstboot-update-predictions.service -ExecStart=/usr/bin/sdbootutil update-predictions - -[Install] -WantedBy=default.target -EOF - prun /usr/bin/ln -s ${encrypt_dir}/mnt/etc/systemd/system/firstboot-update-predictions.service ${encrypt_dir}/mnt/etc/systemd/system/default.target.wants/firstboot-update-predictions.service - log "[configure_encryption] Generating Predictions" - echo "# Generating TPM Predictions" > ${encrypt_pipe} - prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv update-predictions - echo "73" > ${encrypt_pipe} - log "[configure_encryption] Default Mode - Enrolling ${cryptpart} to TPM 2.0" - echo "# 
Enrolling to TPM" > ${encrypt_pipe} - prun /usr/bin/chroot ${encrypt_dir}/mnt systemd-cryptenroll --unlock-key-file=${tik_keyfile} --tpm2-device=auto ${cryptpart} - echo "76" > ${encrypt_pipe} - fi + echo "84" > ${encrypt_pipe} + } close_partition() { echo "# Closing ${cryptpart}" > ${encrypt_pipe} log "[close_partition] unmounting and closing ${cryptpart}" - for i in proc dev run tmp 'boot/efi' etc var '.snapshots' 'sys/kernel/security' 'sys/firmware/efi/efivars' 'sys/fs/cgroup' sys; do + for i in proc dev tmp 'boot/efi' etc var '.snapshots' 'sys/kernel/security' 'sys/firmware/efi/efivars' sys; do prun /usr/bin/umount "${encrypt_dir}/mnt/$i" done + prun /usr/bin/umount -l ${encrypt_dir}/mnt/run prun /usr/bin/umount ${encrypt_dir}/mnt prun /usr/sbin/cryptsetup luksClose aeon_root - echo "77" > ${encrypt_pipe} + echo "100" > ${encrypt_pipe} } generate_recoveryKey() { @@ -192,15 +182,11 @@ c="${raw_key[i]}" key="${key}${modhex[$((c>>4))]}${modhex[$((c&15))]}" done - echo "84" > ${encrypt_pipe} -} - -add_recoveryKey() { - echo "# Adding recovery key to ${cryptpart}" > ${encrypt_pipe} - log "[add_recoveryKey] adding recovery key to ${cryptpart}" - prun /usr/sbin/cryptsetup luksAddKey --key-file=${tik_keyfile} --batch-mode --force-password "${cryptpart}" <<<"${key}" - echo '{"type":"systemd-recovery","keyslots":["2"]}' | prun /usr/sbin/cryptsetup token import "${cryptpart}" - echo "100" > ${encrypt_pipe} + log "[generate_recoveryKey] adding recovery key to roots sdbootutil user keyring" + logging=false + pkexec keyctl add user sdbootutil ${key} @u + logging=true + echo "50" > ${encrypt_pipe} } display_recoveryKey() { 
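Review bot: In the fallback branch of configure_encryption the `break` sits outside `if [ -n "${pw}" ]`, so the `while true` loop runs exactly once: on a mismatch the dialog says "Please try again" but no retry happens, and on a cancelled zenity prompt pw is empty, so `cryptsetup luksAddKey` never runs and the system leaves the installer with no passphrase slot, only the key-file slot that wipe_keyfile later removes plus whatever recovery enrolment succeeded earlier. Move the `break` inside the `if [ -n "${pw}" ]` block, after the mkinitrd call, so mismatches retry, and decide explicitly what a cancelled prompt should do rather than silently continuing. The same logic existed in the removed add_key, so the defect pre-dates the commit, but it now lives on the new side. Passing the passphrase via a here-string rather than argv is the right choice and should be kept.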
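Review bot: `pkexec keyctl add user sdbootutil ${key} @u` passes the recovery key as a command-line argument, so it is visible in the process list to any other process on the installer for the duration of the call and, because pkexec records the full command line it authorises, ends up in the system journal/auth log; toggling `logging=false` only affects tik's own log. Feed it through stdin instead, the way create_keyfile does for the cryptenroll key: `printf '%s' "${key}" | pkexec keyctl padd user sdbootutil @u`. `${key}` is also unquoted on that line. generate_recoveryKey's start is outside the hunk.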
@@ -216,42 +202,11 @@ log "[display_recoveryKey] recovery key dialogue dismissed" } -add_key() { - if [ "${tik_encrypt_mode}" == 1 ]; then - d --width=500 --height=300 --no-wrap --warning --icon=security-high-symbolic --title="Set Encryption Passphrase" --text="This ${TIK_OS_NAME} system is encrypted and will require a Passphrase on every boot\n\nYou will be prompted to set the Passphrase on the next screen\n\nFor more information please visit <tt>https://aeondesktop.org/encrypt</tt>" - log "[add_key] Fallback Mode - Prompting user for passphrase for ${cryptpart}" - # Not using 'd' function to avoid logging the password - # FIXME - Now use 'd' function and logging=false - while true - do - if $gui; then - key=$(zenity --password --title='Set Encryption Passphrase') - key_check=$(zenity --password --title='Type Passphrase Again') - else - cenity key --password --title="Set Encryption Passphrase" - cenity key_check --password --title="Type Passphrase Again" - fi - # Ask again, and double check the user is putting the right passphrase again. - if [ "${key}" != "${key_check}" ]; then - d --warning --no-wrap --title="Passphrase did not match" --text="Please try again" - # Reset variable, so we can try again - key="" - fi - if [ -n "${key}" ]; then - prun /usr/sbin/cryptsetup luksAddKey --key-file=${tik_keyfile} --batch-mode --force-password "${cryptpart}" <<<"${key}" - fi - break - done - fi -} - crypt_progress & find_crypt find_esp open_partition +generate_recoveryKey configure_encryption close_partition -add_key -generate_recoveryKey -add_recoveryKey display_recoveryKey diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.17/usr/lib/tik/modules/pre/10-welcome new/tik-1.4.0/usr/lib/tik/modules/pre/10-welcome --- old/tik-1.3.17/usr/lib/tik/modules/pre/10-welcome 2025-09-04 14:27:11.000000000 +0200 +++ new/tik-1.4.0/usr/lib/tik/modules/pre/10-welcome 2025-09-11 19:32:43.000000000 +0200 
@@ -1,6 +1,6 @@ # SPDX-License-Identifier: MIT -# SPDX-FileCopyrightText: Copyright 2024 SUSE LLC -# SPDX-FileCopyrightText: Copyright 2024 Richard Brown +# SPDX-FileCopyrightText: Copyright 2025 SUSE LLC +# SPDX-FileCopyrightText: Copyright 2025 Richard Brown # SPDX-FileCopyrightText: Copyright 2024 Raymond Yip proceedInstall() { @@ -44,6 +44,27 @@ fi } +setup_env() { + # Setup environment for installation, mostly setting GNOME/gsettings vars to prevent screenlocking, etc + log "[setup_env] Setting up environment for Installation" + gsettings set org.gnome.shell favorite-apps [''] + gsettings set org.gnome.desktop.session idle-delay '0' + gsettings set org.gnome.desktop.screensaver lock-enabled 'false' + gsettings set org.gnome.desktop.screensaver user-switch-enabled 'false' + gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-battery-type 'nothing' + gsettings set org.gnome.settings-daemon.plugins.power sleep-inactive-ac-type 'nothing' + gsettings set org.gnome.desktop.lockdown disable-lock-screen 'true' + gsettings set org.gnome.desktop.lockdown disable-log-out 'true' + gsettings set org.gnome.desktop.lockdown disable-printing 'true' + gsettings set org.gnome.desktop.lockdown disable-print-setup 'true' + gsettings set org.gnome.desktop.lockdown disable-user-switching 'true' + gsettings set org.gnome.desktop.lockdown user-administration-disabled 'true' + gsettings set org.gnome.software allow-updates 'false' + gsettings set org.gnome.software download-updates 'false' + gsettings set org.gnome.software download-updates-notify 'false' +} + +setup_env proceedInstall verify_efi checkLaptop ++++++ tik.obsinfo ++++++ --- /var/tmp/diff_new_pack.ICEXsE/_old 2025-09-12 21:09:57.912328072 +0200 +++ /var/tmp/diff_new_pack.ICEXsE/_new 2025-09-12 21:09:57.920328410 +0200 
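Review bot: In setup_env, `gsettings set org.gnome.shell favorite-apps ['']` leaves the GVariant literal unquoted, so the shell strips the inner quotes and gsettings receives `[]` rather than the `['']` written in the source; it works only because the two happen to be accepted for this key. Quote the value, `gsettings set org.gnome.shell favorite-apps "['']"` (or `"[]"` if an empty list is the intent), so what is passed matches what is written. None of the gsettings calls check their status; a short header comment stating that the function is best-effort, or a `|| log` on each line, would make that explicit.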
@@ -1,5 +1,5 @@ name: tik -version: 1.3.17 -mtime: 1756988831 -commit: b81556ad4527e1eb0725c952027c9dbde3776d55 +version: 1.4.0 +mtime: 1757611963 +commit: 1631c4f06ba568917fda08b65646a822062a9d20
