Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2025-12-10 15:29:59
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.1939 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Wed Dec 10 15:29:59 2025 rev:50 rq:1321784 version:7.13.0+40 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2025-08-22 17:47:17.114704725 +0200 +++ /work/SRC/openSUSE:Factory/.keylime.new.1939/keylime.changes 2025-12-10 15:30:50.875054364 +0100 
@@ -1,0 +2,111 @@ +Tue Dec 09 13:34:39 UTC 2025 - [email protected] + +- Update to version 7.13.0+40 (CVE-2025-13609, bsc#1254199): + * Fix registrar duplicate UUID vulnerability (#1825) + * [Automatic] Update Keylime base image 2025-12-01 + * Include new attestation information fields (#1818) + * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823) + * ci: add push model tests to the packit plan + * push-model: require HTTPS for authentication and attestation endpoints + * Fix operational_state tracking in push mode attestations + * templates: add push model authentication config options to 2.5 templates + * Improve test coverage for authentication components + * Security: Hash authentication tokens in logs + * Fix stale IMA policy cache in verification + * Fix authentication behavior on failed attestations for push mode + * Add shared memory infrastructure for multiprocess communication + * Add agent authentication (challenge/response) protocol for push mode + * Convert CRLF to LF line endings in attestation_controller.py + * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814) + * [Automatic] Update Keylime base image (2025-11-01) (#1816) + * docs: Fix man page RST formatting for rst2man compatibility (#1813) + * tests: Enable more tests in CI + * Apply limit on keylime-policy workers + * tpm: fix ECC signature parsing to support variable-length coordinates + * tpm: fix ECC P-521 credential activation with consistent marshaling + * tpm: fix ECC P-521 coordinate validation + * tests: Test keylime-policy both for filelist-ext.xml match and mismatch (#1806) + * [Automatic] Update Keylime base image 2025-10-01 + * Remove deprecated disabled_signing_algorithms configuration option (#1804) + * algorithms: add support for specific RSA algorithms + * algorithms: add support for specific ECC curve algorithms + * Update manages based on review feedback + * Created manpage for keylime-policy and edited manpages for keylime 
verifier, registrar, agent + * Manpage for keylime agent + * Manpage for keylime verifier + * Manpage for keylime registrar + * Use constants for timeout and max retries defaults + * tests: Add unit tests for the timeout configuration + * verifier: Use timeout from `request_timeout` config option + * revocation_notifier: Use timeout setting from config file + * tenant: Set timeout when getting version from agent + * verify/evidence: SEV-SNP evidence type/verifier + * verify/evidence: Add evidence type to request JSON + +------------------------------------------------------------------- +Tue Dec 09 13:07:30 UTC 2025 - Alberto Planas Dominguez <[email protected]> + +- Update to version v7.13.0: + * Bump version to 7.13.0 + * Avoid re-encoding certificate stored in DB + * Revert "models: Do not re-encode certificate stored in DB" + * Revert "registrar_agent: Use pyasn1 to parse PEM" + * CI: Enable test add-agent-with-malformed-ek-cert + * [Automatic] Update Keylime base image 2025-09-01 + * policy/sign: use print() when writing to /dev/stdout + * registrar_agent: Use pyasn1 to parse PEM + * models: Do not re-encode certificate stored in DB + * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events + * Fix minor typo (exponantial->exponential) + * mb: support vendor_db as logged by newer shim versions + * mb: support EV_EFI_HANDOFF_TABLES events on PCR1 + * Remove unnecessary configuration values + * cloud_verifier_tornado: handle exception in notify_error() + * requests_client: close the session at the end of the resource manager + * Manpage for keylime_tenant (#1786) + * Add 2.5 templates including Push Model changes + * [Automatic] Update Keylime base image 2025-08-01 + * Initial version of verify evidence API + * packit: Enable connection leak test in CI + * db: Do not read pool size and max overflow for sqlite + * Use context managers to close DB sessions + * revocations: Try to send notifications on shutdown + * verifier: Gracefully shutdown on signal + * 
[Automatic] Update Keylime base image 2025-07-01 + * Use `fork` as `multiprocessing` start method + * Fix inaccuracy in threat model and add reference to SBAT + * Explain TPM properties and expand vTPM discussion + * Misc formatting fixes + * Add diagrams and tweak formatting + * Fix formatting issues + * Fix invalid RST and update TOC + * Expand threat model page to include adversarial model + * CI: Enable CONTAINER_ENGINE to allow other engines + * Add --push-model option to avoid requests to agents + * [Automatic] Update Keylime base image 2025-06-04 + * docker: Remove tpm2-tools compilation from base image + * tests: fix rpm repo tests from create-runtime-policy + * tests: skip measured-boot related tests for s390x and ppc64le + * templates: duplicate str_to_version() in the adjust script + * policy: fix mypy issues with rpm_repo + * revocation_notifier: fix mypy issue by replacing deprecated call + * Fix create_runtime_policy in python < 3.12 + * [Automatic] Update Keylime base image 2025-06-02 + * Fix after review + * fixed CONSTANT names C0103 errors + * [Automatic] Update Keylime base image 2025-05-02 + * [Automatic] Update Keylime base image 2025-04-04 + * [Automatic] Update Keylime base image 2025-04-01 + * Extend meta_data field in verifierdb + * docs: update issue templates + * docs: add GitHub PR template with documentation reminders + * [Automatic] Update Keylime base image 2025-03-10 + * tpm_util: fix quote signature extraction for ECDSA + * packit: Add compatibility/api_version_compatibility test + * registrar: Log API versions during startup + * lint: Fix mypy warnings + * Remove excessive logging on exception + * tests: change test_mba_parsing to not need keylime installed + * scripts: Fix coverage information downloading script + +------------------------------------------------------------------- Old: ---- keylime-v7.12.1.tar.xz New: ---- keylime-7.13.0+40.tar.xz keylime.obsinfo 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.ZT0TFS/_old 2025-12-10 15:30:53.035145747 +0100 +++ /var/tmp/diff_new_pack.ZT0TFS/_new 2025-12-10 15:30:53.039145916 +0100 @@ -1,7 +1,6 @@ # # spec file for package keylime # -# Copyright (c) 2025 SUSE LLC # Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties @@ -32,12 +31,12 @@ %endif %{?sle15_python_module_pythons} Name: keylime -Version: 7.12.1 +Version: 7.13.0+40 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT AND BSD-3-Clause URL: https://github.com/keylime/keylime -Source0: %{name}-v%{version}.tar.xz +Source0: %{name}-%{version}.tar.xz Source1: keylime.xml Source2: %{name}-user.conf Source3: logrotate.%{name} @@ -159,7 +158,7 @@ Subpackage of %{name} for logrotate for Keylime services %prep -%autosetup -p1 -n %{name}-v%{version} +%autosetup -p1 -n %{name}-%{version} %build %pyproject_wheel @@ -294,7 +293,7 @@ %python_alternative %{_bindir}/%{srcname}_userdata_encrypt %python_alternative %{_bindir}/%{srcname}_verifier %{python_sitelib}/keylime -%{python_sitelib}/keylime-%{version}.dist-info +%{python_sitelib}/keylime-*.dist-info %files -n %{srcname}-config %dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname} ++++++ _service ++++++ --- /var/tmp/diff_new_pack.ZT0TFS/_old 2025-12-10 15:30:53.107148793 +0100 +++ /var/tmp/diff_new_pack.ZT0TFS/_new 2025-12-10 15:30:53.111148962 +0100 
@@ -1,15 +1,21 @@ <services> - <service name="tar_scm" mode="manual"> - <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v7.12.1</param> + <service mode="manual" name="obs_scm"> <param name="url">https://github.com/keylime/keylime.git</param> + <!-- <param name="versionformat">@PARENT_TAG@</param> --> + <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param> <param name="scm">git</param> + <param name="revision">v7.13.0</param> + <param name="revision">master</param> + <param name="match-tag">*</param> + <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param> + <param name="versionrewrite-replacement">\1</param> <param name="changesgenerate">enable</param> + <param name="changesauthor">[email protected]</param> </service> - <service name="recompress" mode="manual"> - <param name="compression">xz</param> + <service mode="manual" name="tar" /> + <service mode="manual" name="recompress"> <param name="file">*.tar</param> + <param name="compression">xz</param> </service> - <service name="set_version" mode="manual"/> </services> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.ZT0TFS/_old 2025-12-10 15:30:53.143150316 +0100 +++ /var/tmp/diff_new_pack.ZT0TFS/_new 2025-12-10 15:30:53.143150316 +0100 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">50ba49b812a322b03c2356a00ed01c9a99dbec88</param></service></servicedata> + <param name="changesrevision">dc75773679b1862e3b571f513e5aa9904efaf136</param></service></servicedata> (No newline at EOF) ++++++ keylime-v7.12.1.tar.xz -> keylime-7.13.0+40.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v7.12.1.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1939/keylime-7.13.0+40.tar.xz differ: char 15, line 1 ++++++ keylime.obsinfo ++++++ name: keylime version: 7.13.0+40 mtime: 1764941702 commit: dc75773679b1862e3b571f513e5aa9904efaf136 ++++++ registrar.conf.diff ++++++ --- /var/tmp/diff_new_pack.ZT0TFS/_old 2025-12-10 15:30:53.263155392 +0100 +++ /var/tmp/diff_new_pack.ZT0TFS/_new 2025-12-10 15:30:53.271155731 +0100 @@ -1,9 +1,9 @@ -diff --git a/config/registrar.conf b/config/registrar.conf -index f69fcd3..dbb03a6 100644 ---- a/config/registrar.conf -+++ b/config/registrar.conf +diff --git i/registrar.conf w/registrar.conf +index 19348f6..683cc40 100644 +--- i/registrar.conf ++++ w/registrar.conf @@ -5,7 +5,8 @@ - version = 2.4 + version = 2.5 # The binding address and port for the registrar server -ip = "127.0.0.1"
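Review bot: in the keylime.changes hunk, the 7.13.0+40 entry puts CVE-2025-13609 and bsc#1254199 only on the "Update to version" line, so a reader cannot tell which of the listed bullets carries the fix. Tag the specific bullet with the CVE and bug reference, and consider trimming the generated noise ("Fix after review", the repeated "[Automatic] Update Keylime base image ..." lines, and commit/revert pairs such as "registrar_agent: Use pyasn1 to parse PEM" with its revert) so that items like "push-model: require HTTPS for authentication and attestation endpoints" and "Security: Hash authentication tokens in logs" stand out.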
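Review bot: in the last keylime.spec hunk, the %files entry changes from keylime-%{version}.dist-info to keylime-*.dist-info, which means the file list no longer catches a mismatch between the RPM version (now 7.13.0+40) and the version the installed Python metadata carries. Add a spec comment explaining why the glob is needed, or define a macro for the upstream version and keep the entry exact.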
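Review bot: the _service hunk adds two revision params to the obs_scm service, <param name="revision">v7.13.0</param> followed by <param name="revision">master</param>, and leaves a commented-out versionformat line behind. Keep a single revision and drop the commented line; since this update is shipped with a CVE reference, prefer pinning the revision to the commit recorded in keylime.obsinfo (dc75773679b1862e3b571f513e5aa9904efaf136) over the moving master branch, so that a later service run reproduces the same source.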
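Review bot: in registrar.conf.diff the inner file header changes from a/config/registrar.conf to i/registrar.conf, with git's i/ and w/ mnemonic prefixes, so the patch now targets a different path than before. Confirm where in the build this diff is applied and that the strip level used there still matches, and regenerate it with the standard a/ and b/ prefixes so the headers stay consistent across refreshes. The hunk is cut off in this message after the removed ip = "127.0.0.1" line, so the new binding address cannot be reviewed from here.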
