Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2021-12-21 18:40:16

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Tue Dec 21 18:40:16 2021 rev:8 rq:941638 version:6.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2021-12-13 20:46:42.760502103 +0100 +++ /work/SRC/openSUSE:Factory/.keylime.new.2520/keylime.changes 2021-12-21 18:40:19.125856991 +0100 @@ -1,0 +2,12 @@ +Wed Dec 15 13:22:32 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com> + +- Fix keylime configuration file attributes + +------------------------------------------------------------------- +Tue Dec 14 17:07:39 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com> + +- Requires python-psutil +- Disable automatic execution of the payload by default +- Use ramdom UUID by default + +------------------------------------------------------------------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.FzvTxV/_old 2021-12-21 18:40:19.581857400 +0100 +++ /var/tmp/diff_new_pack.FzvTxV/_new 2021-12-21 18:40:19.585857403 +0100 @@ -50,6 +50,7 @@ Requires: python-SQLAlchemy Requires: python-alembic Requires: python-cryptography +Requires: python-psutil Requires: python-python-gnupg Requires: python-pyzmq Requires: python-requests @@ -151,7 +152,7 @@ %python_expand %fdupes %{buildroot}%{$python_sitelib} -install -Dpm 644 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf +install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf install -Dpm 644 ./services/%{srcname}_agent.service %{buildroot}%{_unitdir}/%{srcname}_agent.service install -Dpm 644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service install -Dpm 644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.FzvTxV/_old 2021-12-21 18:40:19.645857457 +0100 +++ /var/tmp/diff_new_pack.FzvTxV/_new 2021-12-21 18:40:19.649857461 +0100 
@@ -38,17 +38,27 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -73,7 +77,8 @@ extract_payload_zip = True +@@ -62,7 +66,8 @@ tpm_ownerpassword = keylime + # After decryption, the archive will be unzipped to a directory in /var/lib/keylime/secure. + # Note: the limits on the size of the tmpfs partition set above with the 'secure_size' + # option will affect this. +-extract_payload_zip = True ++# extract_payload_zip = True ++extract_payload_zip = False + + # The agent's UUID. + # Set to "openstack", it will try to get the UUID from the metadata service. +@@ -73,7 +78,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 +# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000 -+agent_uuid = hostname ++agent_uuid = generate # Whether to listen for revocation notifications from the verifier or not. listen_notfications = True -@@ -137,7 +142,8 @@ ek_handle = generate +@@ -137,7 +143,8 @@ ek_handle = generate cloudverifier_id = default # The IP address and port of verifier server binds to @@ -58,7 +68,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -250,7 +256,8 @@ revocation_notifier = True +@@ -250,7 +257,8 @@ revocation_notifier = True # The revocation notifier IP address and port used to start the revocation service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. @@ -68,7 +78,7 @@ revocation_notifier_port = 8992 # The verifier limits the size of upload payloads (allowlists) which defaults to -@@ -354,10 +361,12 @@ max_payload_size = 1048576 +@@ -354,10 +362,12 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. 
@@ -83,7 +93,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -409,7 +418,8 @@ max_retries = 10 +@@ -409,7 +419,8 @@ max_retries = 10 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -93,7 +103,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -435,7 +445,8 @@ ek_check_script= +@@ -435,7 +446,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server.
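Review bot: in the keylime.changes hunk, "Use ramdom UUID by default" should read "random", and "Disable automatic execution of the payload by default" does not name the setting the package actually changes, which is `extract_payload_zip` in keylime.conf.diff; naming the option in the entry keeps the changelog searchable against the config and makes clear to administrators what re-enabling it would mean.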
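Review bot: the keylime.spec hunk that changes `install -Dpm 644` to `install -Dpm 600` for `%{_sysconfdir}/%{srcname}.conf` leaves ownership at install's default (root), so if any of the three service units installed on the following lines (keylime_agent, keylime_verifier, keylime_registrar) runs as an unprivileged user it can no longer read its configuration; confirm the units run as root, or pass matching `-o`/`-g` to install, and check that nothing in %files (%attr/%defattr) resets the mode. Tightening to 600 is justified by the hunk context itself, which shows `tpm_ownerpassword = keylime` stored in that file.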
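Review bot: in the first keylime.conf.diff hunk, `extract_payload_zip` is flipped to `False` but the comment kept above it still only says "After decryption, the archive will be unzipped to a directory in /var/lib/keylime/secure", which does not explain why the default now differs from upstream; add a one-line comment next to `# extract_payload_zip = True` stating that the distribution disables extraction by default and what an administrator opts into by turning it back on, so the commented-out old value is understood as a deliberate choice rather than a leftover.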
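Review bot: in the agent_uuid hunk, the new default `agent_uuid = generate` is not covered by the comment block retained as context, which documents only "openstack", `dmidecode -s system-uuid` and "hostname"; verify that the option's comment (the part outside this hunk) describes "generate", in particular whether the generated UUID is persisted across agent restarts, since the registrar and verifier identify the agent by it and the previous default ("hostname") was stable by construction.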