Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-07-18 18:33:05 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/keylime (Old) and /work/SRC/openSUSE:Factory/.keylime.new.1523 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Mon Jul 18 18:33:05 2022 rev:22 rq:989361 version:6.4.2 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-06-30 13:18:10.637525058 +0200 +++ /work/SRC/openSUSE:Factory/.keylime.new.1523/keylime.changes 2022-07-18 18:33:11.689694116 +0200 
@@ -1,0 +2,40 @@ +Fri Jul 15 08:31:50 UTC 2022 - Alberto Planas Dominguez <apla...@suse.com> + +- Replace python-gpg requirement +- Fix consolidation for _distconfdir and _sysconfdir macro + +------------------------------------------------------------------- +Wed Jul 13 13:43:12 UTC 2022 - apla...@suse.com + +- Update to version v6.4.2: + * Bump version # to 6.4.2 + * Use python3-gpg instead of python3-gnupg + * Update Packit CI tests to test both agent and zeromq revocation notifiers + * ima_ast: Make entry parsing stricter + * ima_ast: Calculate length of "n" and "n-ng" in bytes + * Fix broken URLs in README (Additional Reading) + * Remove CFSSL leftovers + * signing: move exception handing to verify_signature() + * Set revocation_notifiers = agent as default in keylime.conf + * cloud_verifier: Support /notifications/revocation REST API + * keylime_agent: Support /notifications/revocation REST method + * revocation_notifier: Factor out revocation message processing + * keylime: initialize supplementary groups when dropping privileges + * Refactor allowlist processing to enable verifier-side signature checks + * Full removal of the tenant WebApp + * update roadmap for 2022 and 2023 + * docs: make Python requirements less strict + * docs: update API documentation for 2.1, add missing fields for agent quote + * Add python3-alembic to distros + * Update fmf plans to run test with IMA policy + * Drop SPDX-License-Identifier header + * Adjust CI test name according to keylime-tests PR#125 + * ci: Run lint with Python 3.6 as well + * [trivial]: fix style of recently added docs files + * Improve error handling when doing signature verification + * Fix coverage file paths in submit-HEAD-coverage workflow + * Adding files from keylime-docs into main repo +- Fix keylime service home directory +- Adjust the directory for the TPM certificates + +------------------------------------------------------------------- Old: ---- keylime-v6.4.1.tar.xz New: ---- keylime-v6.4.2.tar.xz 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.9nS5e1/_old 2022-07-18 18:33:12.361695071 +0200 +++ /var/tmp/diff_new_pack.9nS5e1/_new 2022-07-18 18:33:12.365695077 +0200 @@ -27,7 +27,7 @@ %define _config_norepl %config(noreplace) %endif Name: keylime -Version: 6.4.1 +Version: 6.4.2 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT @@ -52,9 +52,9 @@ Requires: python-SQLAlchemy Requires: python-alembic Requires: python-cryptography +Requires: python-gpg Requires: python-lark-parser Requires: python-psutil -Requires: python-python-gnupg Requires: python-pyzmq Requires: python-requests Requires: python-simplejson @@ -153,8 +153,6 @@ export VERSION=%{version} %python_install -cp -r %{srcname}/static %{buildroot}%{python_sitelib}/%{srcname} - %python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar %python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent @@ -163,7 +161,6 @@ %python_clone -a %{buildroot}%{_bindir}/%{srcname}_migrations_apply %python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator -%python_clone -a %{buildroot}%{_bindir}/%{srcname}_webapp %python_expand %fdupes %{buildroot}%{$python_sitelib} @@ -179,9 +176,9 @@ install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf install -d %{buildroot}%{_localstatedir}/log/%{name} -mkdir -p %{buildroot}/%{_localstatedir}/%{srcname} -cp -r ./tpm_cert_store %{buildroot}%{_localstatedir}/%{srcname}/ -%fdupes %{buildroot}%{_localstatedir}/%{srcname}/ +mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname} +cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/ +%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/ # %%check # %%pyunittest -v 
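Review bot: The `@@ -179,9 +176,9 @@` hunk moves the packaged state directory from `%{_localstatedir}/%{srcname}` to `%{_sharedstatedir}/%{srcname}`, and no visible scriptlet handles systems that already hold data under the old path. That directory was packaged 0700 for the keylime account, so anything the services wrote there (presumably keys or databases) would be left behind and unpackaged after the update. I would add a `%pre`/`%post` step that relocates existing content, or at minimum a comment above the `mkdir -p` line such as `# state moved from %%{_localstatedir}/%%{srcname}; old content is not migrated automatically`. The `%install` section continues outside this hunk, so a migration step may exist elsewhere in the spec.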
@@ -195,7 +192,6 @@ %python_install_alternative %{srcname}_migrations_apply %python_install_alternative %{srcname}_userdata_encrypt %python_install_alternative %{srcname}_ima_emulator -%python_install_alternative %{srcname}_webapp %postun %python_uninstall_alternative %{srcname}_verifier @@ -206,7 +202,6 @@ %python_uninstall_alternative %{srcname}_migrations_apply %python_uninstall_alternative %{srcname}_userdata_encrypt %python_uninstall_alternative %{srcname}_ima_emulator -%python_uninstall_alternative %{srcname}_webapp %post -n %{srcname}-firewalld %firewalld_reload @@ -258,7 +253,7 @@ %files %{python_files} %doc README.md -%license LICENSE keylime/static/icons/ICON-LICENSE +%license LICENSE %python_alternative %{_bindir}/%{srcname}_verifier %python_alternative %{_bindir}/%{srcname}_registrar %python_alternative %{_bindir}/%{srcname}_agent @@ -267,11 +262,10 @@ %python_alternative %{_bindir}/%{srcname}_migrations_apply %python_alternative %{_bindir}/%{srcname}_userdata_encrypt %python_alternative %{_bindir}/%{srcname}_ima_emulator -%python_alternative %{_bindir}/%{srcname}_webapp %{python_sitelib}/* %files -n %{srcname}-config -%{_config_norepl} %attr (600,keylime,tss) %{_distconfdir}/%{srcname}.conf +%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}.conf %files -n %{srcname}-firewalld %dir %{_prefix}/lib/firewalld 
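Review bot: `%attr (0600,keylime,tss)` on `%{_distconfdir}/%{srcname}.conf` in the `%files -n %{srcname}-config` section keeps the configuration file owned, and therefore writable, by the account the services run as. The file carries settings such as `ek_check_script`, which the keylime.conf patch further down describes as a script to execute, so a compromised service process could change what runs later. This matters more if any daemon reads the file before dropping privileges, which the changelog entry about dropping privileges suggests but this hunk does not show. If the services only need to read it, root ownership with read access through a group limited to the service account would be tighter, e.g. `%_config_norepl %attr(0640,root,GROUP) %{_distconfdir}/%{srcname}.conf`, where GROUP is a placeholder for such a group. `tss` may be shared with other TPM users, so I would not reuse it for read access without checking.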
@@ -279,11 +273,11 @@ %{_prefix}/lib/firewalld/services/%{srcname}.xml %files -n %{srcname}-tpm_cert_store -%dir %{_localstatedir}/%{srcname}/tpm_cert_store -%{_localstatedir}/%{srcname}/tpm_cert_store/* +%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname} +%dir %{_sharedstatedir}/%{srcname}/tpm_cert_store +%{_sharedstatedir}/%{srcname}/tpm_cert_store/* # We use this subpackage to store other unrelated things, as far as is # required by all the services -%dir %attr(0700,keylime,tss) %{_localstatedir}/%{srcname} %{_sysusersdir}/%{srcname}-user.conf %ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname} %{_tmpfilesdir}/%{srcname}.conf @@ -299,7 +293,7 @@ %{_unitdir}/%{srcname}_verifier.service %files -n %{srcname}-logrotate -%{_config_norepl} %{_distconfdir}/logrotate.d/%{srcname} -%dir %attr(750,keylime,tss) %{_localstatedir}/log/%{srcname} +%_config_norepl %{_distconfdir}/logrotate.d/%{srcname} +%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname} %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.9nS5e1/_old 2022-07-18 18:33:12.397695123 +0200 +++ /var/tmp/diff_new_pack.9nS5e1/_new 2022-07-18 18:33:12.397695123 +0200 @@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="disabled"> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v6.4.1</param> + <param name="revision">refs/tags/v6.4.2</param> <param name="url">https://github.com/keylime/keylime.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.9nS5e1/_old 2022-07-18 18:33:12.417695151 +0200 +++ /var/tmp/diff_new_pack.9nS5e1/_new 2022-07-18 18:33:12.421695157 +0200 
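Review bot: The `%files -n %{srcname}-logrotate` entry `%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}` packages a log directory owned by the service account alongside a logrotate snippet that is not part of this diff. When logrotate runs as root over a directory an unprivileged account can write to, that account can influence which files root touches during rotation, so the snippet should rotate as the owning user. Please confirm that `%{_distconfdir}/logrotate.d/%{srcname}` contains `su keylime tss`, and add it if it does not.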
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">bbc191948341b71c64a38d897470f300c7ebcbb1</param></service></servicedata> + <param name="changesrevision">3661637256d42b997574f8d252476cafcdf21954</param></service></servicedata> (No newline at EOF) ++++++ keylime-v6.4.1.tar.xz -> keylime-v6.4.2.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v6.4.1.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1523/keylime-v6.4.2.tar.xz differ: char 15, line 1 ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.9nS5e1/_old 2022-07-18 18:33:12.453695203 +0200 +++ /var/tmp/diff_new_pack.9nS5e1/_new 2022-07-18 18:33:12.453695203 +0200 @@ -1,7 +1,7 @@ -Index: keylime-v6.4.1/keylime.conf +Index: keylime-v6.4.2/keylime.conf =================================================================== ---- keylime-v6.4.1.orig/keylime.conf -+++ keylime-v6.4.1/keylime.conf +--- keylime-v6.4.2.orig/keylime.conf ++++ keylime-v6.4.2/keylime.conf @@ -7,7 +7,8 @@ enable_tls = True # The address and port of the revocation notifier service on the verifier from @@ -72,7 +72,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -276,7 +283,8 @@ revocation_notifier = True +@@ -288,7 +295,8 @@ revocation_notifiers = agent # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. @@ -81,8 +81,8 @@ +revocation_notifier_ip = 0.0.0.0 revocation_notifier_port = 8992 - # Enable revocation notifications via webhook. This can be used to notify other -@@ -413,7 +421,8 @@ max_payload_size = 1048576 + # Webhook url for revocation notifications. +@@ -426,7 +434,8 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. 
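Review bot: The refreshed keylime.conf patch still carries `+revocation_notifier_ip = 0.0.0.0` (a context line of the `@@ -81,8 +81,8 @@` hunk), so the packaged default keeps the revocation notifier bound to every interface on port 8992. The value it replaces is outside the visible lines, and the same refresh shows upstream now defaulting to `revocation_notifiers = agent`, so this override may no longer be needed on a default install. I would re-check whether that part of the patch can be dropped, or keep it and state the reason in the patch header, e.g. `# bind on all interfaces only because the zeromq notifier must be reachable by remote agents`. The neighbouring config comment still names the old `revocation_notifier` option; that is upstream text and unchanged here.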
@@ -92,7 +92,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -465,7 +474,8 @@ max_retries = 5 +@@ -478,7 +487,8 @@ max_retries = 5 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -102,7 +102,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -491,7 +501,8 @@ ek_check_script= +@@ -504,7 +514,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server.