Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-12-21 18:40:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.2520 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "keylime"

Tue Dec 21 18:40:16 2021 rev:8 rq:941638 version:6.2.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-12-13 
20:46:42.760502103 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.2520/keylime.changes        
2021-12-21 18:40:19.125856991 +0100
@@ -1,0 +2,12 @@
+Wed Dec 15 13:22:32 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Fix keylime configuration file attributes
+
+-------------------------------------------------------------------
+Tue Dec 14 17:07:39 UTC 2021 - Alberto Planas Dominguez <apla...@suse.com>
+
+- Requires python-psutil
+- Disable automatic execution of the payload by default
+- Use ramdom UUID by default
+
+-------------------------------------------------------------------
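Review bot: The entry "- Use ramdom UUID by default" misspells "random", and the entries in this hunk do not name the settings they change. Suggest spelling out that the configuration file is now installed with mode 600 instead of 644, that extract_payload_zip now defaults to False, and that agent_uuid now defaults to generate, so an administrator reading the changelog can map each line to the option it affects.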

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ keylime.spec ++++++
--- /var/tmp/diff_new_pack.FzvTxV/_old  2021-12-21 18:40:19.581857400 +0100
+++ /var/tmp/diff_new_pack.FzvTxV/_new  2021-12-21 18:40:19.585857403 +0100
@@ -50,6 +50,7 @@
 Requires:       python-SQLAlchemy
 Requires:       python-alembic
 Requires:       python-cryptography
+Requires:       python-psutil
 Requires:       python-python-gnupg
 Requires:       python-pyzmq
 Requires:       python-requests
@@ -151,7 +152,7 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
-install -Dpm 644 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
+install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
 install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
 install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
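Review bot: On the changed "install -Dpm 600" line, the mode is set only on the copy placed in the buildroot, and the %files entry for %{_sysconfdir}/%{srcname}.conf is not part of this hunk. Please confirm that entry carries no %attr or %defattr that overrides 600, and that the file owner matches the account the agent, verifier and registrar services run as, since a 600 file is unreadable to every other user and the file holds values such as tpm_ownerpassword. It is also worth verifying that an upgrade tightens the mode on a copy that was previously installed as 644.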

++++++ keylime.conf.diff ++++++
--- /var/tmp/diff_new_pack.FzvTxV/_old  2021-12-21 18:40:19.645857457 +0100
+++ /var/tmp/diff_new_pack.FzvTxV/_new  2021-12-21 18:40:19.649857461 +0100
@@ -38,17 +38,27 @@
  registrar_port = 8890
  
  # The name of the RSA key that Keylime should use for protecting shares of 
U/V.
-@@ -73,7 +77,8 @@ extract_payload_zip = True
+@@ -62,7 +66,8 @@ tpm_ownerpassword = keylime
+ # After decryption, the archive will be unzipped to a directory in 
/var/lib/keylime/secure.
+ # Note: the limits on the size of the tmpfs partition set above with the 
'secure_size'
+ # option will affect this.
+-extract_payload_zip = True
++# extract_payload_zip = True
++extract_payload_zip = False
+ 
+ # The agent's UUID.
+ # Set to "openstack", it will try to get the UUID from the metadata service.
+@@ -73,7 +78,8 @@ extract_payload_zip = True
  # 'dmidecode -s system-uuid'.
  # If you set this to "hostname", Keylime will use the full qualified domain
  # name of current host as the agent id.
 -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
 +# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
-+agent_uuid = hostname
++agent_uuid = generate
  
  # Whether to listen for revocation notifications from the verifier or not.
  listen_notfications = True
-@@ -137,7 +142,8 @@ ek_handle = generate
+@@ -137,7 +143,8 @@ ek_handle = generate
  cloudverifier_id = default
  
  # The IP address and port of verifier server binds to
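Review bot: The new default "agent_uuid = generate" is not explained by the comment lines visible above it in this hunk, which cover only "openstack", 'dmidecode -s system-uuid' and "hostname". Suggest adding a comment line for "generate" that states how the value is produced and whether it is kept across agent restarts, since the change replaces an identifier tied to the host name. In the same hunk, the comment above "extract_payload_zip = False" describes only unzipping into /var/lib/keylime/secure, while the changelog gives the reason as disabling automatic execution of the payload; a one-line comment saying so would tell administrators what they turn back on by setting it to True.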
@@ -58,7 +68,7 @@
  cloudverifier_port = 8881
  
  # The address and port of registrar server that verifier communicates with
-@@ -250,7 +256,8 @@ revocation_notifier = True
+@@ -250,7 +257,8 @@ revocation_notifier = True
  # The revocation notifier IP address and port used to start the revocation 
service.
  # If the 'revocation_notifier' option is set to "true", then the verifier
  # automatically starts the revocation service.
@@ -68,7 +78,7 @@
  revocation_notifier_port = 8992
  
  # The verifier limits the size of upload payloads (allowlists) which defaults 
to
-@@ -354,10 +361,12 @@ max_payload_size = 1048576
+@@ -354,10 +362,12 @@ max_payload_size = 1048576
  # and SHA-512).
  # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses
  # them internally.
@@ -83,7 +93,7 @@
  
  # Specify the file containing allowlists for processing Linux IMA measurements
  # this file is used if tenant provides "default" as the allowlist file
-@@ -409,7 +418,8 @@ max_retries = 10
+@@ -409,7 +419,8 @@ max_retries = 10
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.
@@ -93,7 +103,7 @@
  
  # Optional script to execute to check the EK and/or EK certificate against a
  # allowlist or any other additional EK processing you want to do. Runs in
-@@ -435,7 +445,8 @@ ek_check_script=
+@@ -435,7 +446,8 @@ ek_check_script=
  
  # The registrar's IP address and port used to communicate with other services
  # as well as the bind address for the registrar server.
