Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-10-01 17:41:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "keylime"

Sat Oct  1 17:41:57 2022 rev:23 rq:1006460 version:6.5.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-07-18 
18:33:11.689694116 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes        
2022-10-01 17:42:03.985550949 +0200
@@ -1,0 +2,104 @@
+Mon Sep 26 07:15:17 UTC 2022 - apla...@suse.com
+
+- Remove keylime.conf.diff patch.  Now the configuration file is
+  generated during build time
+- The "config" subpackage shared only the logger configuration file
+- New "tenant" subpackage for the Tenant command line tool
+- Drop webapp service port in firewall XML service file
+- Update to version v6.5.0:
+  * Bump up versions to 6.5.0
+  * Enable testing of Rust agent as well as Python by default
+  * New readthedocs location for keylime
+  * test_restful: Add test for /keys/verify endpoint to rust tests
+  * test_restful: Fix testing with rust agent
+  * run_tests: Install rust agent when RUST_TEST is defined
+  * A fix for "per-agent verifier-issued epoch timestamp"
+  * Move SQLite ref integrity pragma to keylime_db
+  * Separate CA key store password from server key password
+  * Generate missing key and certificates
+  * verifier: Add a configuration option to set timeouts
+  * config: Change default value for getfloat() to -1.0
+  * tenant: Add request_timeout configuration option
+  * tpm_main: Move agent specific initialization to tpm_init()
+  * failure: Do not read the verifier config on load
+  * logging, verifier: Read configuration only when needed
+  * tpm_ek_ca: Access tenant config file when needed
+  * tpm_main: Only access agent configuration if needed
+  * keylime_agent: Use a single tpm instance
+  * config: Evaluate snippets in /usr/etc/keylime before /etc/keylime
+  * Remove ignore_hostname argument from RequestsClient() calls
+  * requests_client: Ignore hostname verification by default
+  * web_util: Remove unneeded checks for absolute paths before joining
+  * requests_client: remove RequestClient class variables
+  * elchecking/policies: Use config.getlist() for measured_boot_imports
+  * mappings: Add back missing option measured_boot_imports to verifier config
+  * verifier: Fail earlier if mTLS cert is missing when required
+  * crypto: Replace if block with conditional argument passing
+  * config: Drop unused getdict()
+  * config: Use python generator to strip strings in the list
+  * verifier: Drop 'cloud' from 'cloudverifier_' variables
+  * verifier: Always generate TLS context to contact the agent
+  * ca_util: Replace if block with conditional argument
+  * Drop broken auto-ipsec demos
+  * tenant: Do not disable TLS when enable_agent_mtls = False
+  * test_config: Reload configuration on tearDown
+  * Change the meaning of trusted_client_ca=default for the agent
+  * Install configuration files in test scripts
+  * Add jinja2 as requirement for building and testing
+  * tenant: Fix mention to old configuration section
+  * tenant, verifier: Fix mTLS disablement
+  * tenant: Do not try to verify EK cert when not required
+  * Adjust test_restful to use the new configuration file
+  * ima: Do not try to read excludelist if it is None
+  * tenant: Use empty tpm_policy by default
+  * Read measured boot configuration when needed
+  * Add support for password encrypted keys
+  * Change owner of config files and fix sed command in services installer
+  * installer: Build and install split configuration files
+  * Fix configuration unit tests
+  * Remove trailing and leading white spaces in config.get_list()
+  * Make changes to use the new configuration files
+  * Add script to convert old config to new config
+  * Ignore false positive for lints
+  * Implement additional test to cover in-use deletion case
+  * Enable referential integrity for foreign keys in Keylime DB
+  * Prevent deletion of in-use allowlists via tenant + better error handling
+  * Fixes #1046 by explicitly and carefully dealing with a corner case.
+  * Fixes #1072 by explicitly and carefully dealing with yet another corner 
case.
+  * Define context agent due to keylime-tests PR#193
+  * Adds two small utilities which are used by "Offline Attestation" 
(enhancement #73)
+  * This commit solves #1091 by adding a per-agent verifier-issued epoch 
timestamp
+  * Remove keylime-bot
+  * Verifier log message improvements for large-scale testing.
+  * Bump version to 6.4.3
+  * KEYLIME_DIR should not be clobbered in TEST_MODE
+  * registrar: parse EK cert with pyasn1
+  * Reject invalid hash algorithms passed as arguments
+  * Treat tpm_cert_store as absolute path
+  * Fix for cloudverifier_tornado: 408 ('timeout') errors are retried instead 
of causing immediate attestation failure
+  * Typo fix: the two certificates got copied over each other during the 
openssl process by mistake.
+  * I downloaded the certs from here:
+  * Remove cryptodome.py from keylime
+  * Refactor allowlist handling on verifier to prevent premature DB writes
+  * With this change, the `verifier` will now use the `tpm2_print` command to 
extract clock information from the quote. It will then uses this information to 
make decisions about the attestation of the agent (i.e., the quote timestamp 
has to monotonically grow in a TPM which wasn't restarted/reset). In order to 
make this comparison the clock information from the previous quote is stored on 
the database and then both timestamps are compared.
+  * tpm_ek_ca: remove atmel keys
+  * Throw an error if --exclude is used without --allowlist
+  * Complete implementation of the Allowlists API
+  * readme: minor fixes
+  * Handle output file and algo validation errors
+  * Fixes #1063 in a minimalistic way, by making log output configurable
+  * Fix spacing
+  * Update fmf plans to run test which checking tenant verify options
+  * Fixes #1057 ensuring that the verifier can be restarted cleanly when mTLS 
for agents is disabled
+  * Adds a per-agent counter for "successfull attestations" on Keylime.
+  * Replace tabs with spaces
+  * Keep original control structure, minimize change
+  * Update installer.sh for RHEL8, PowerTools
+  * Set swtpm context which is later used for test filtering
+  * Update fmf plans to run tests which checking ek_certs
+  * Minor fixes
+  * Expand documentation for Measured Boot with additional info/examples.
+  * Fix the project logo in the readme (#1049)
+  * Add docs status to README
+
+-------------------------------------------------------------------
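Review bot: the changelog entry describes the packaging split but says nothing about the defaults that the new agent.conf.diff, registrar.conf.diff and verifier.conf.diff files change (bind address 0.0.0.0 instead of 127.0.0.1, run_as = keylime:tss, tpm_hash_alg = sha256, and <REMOTE_IP> placeholders for registrar_ip and revocation_notification_ip); these are user-visible behaviour changes that an administrator migrating from the old single keylime.conf needs to know about, so they belong in the entry. The line "I downloaded the certs from here:" is a truncated upstream commit-message fragment with no URL and could be dropped from the list.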

Old:
----
  keylime-v6.4.2.tar.xz
  keylime.conf.diff

New:
----
  agent.conf.diff
  keylime-v6.5.0.tar.xz
  registrar.conf.diff
  verifier.conf.diff

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ keylime.spec ++++++
--- /var/tmp/diff_new_pack.wc63o9/_old  2022-10-01 17:42:05.033552860 +0200
+++ /var/tmp/diff_new_pack.wc63o9/_new  2022-10-01 17:42:05.037552867 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           keylime
-Version:        6.4.2
+Version:        6.5.0
 Release:        0
 Summary:        Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:        Apache-2.0 AND MIT
@@ -37,8 +37,11 @@
 Source2:        %{name}-user.conf
 Source3:        logrotate.%{name}
 Source4:        tmpfiles.%{name}
-# PATCH-FIX-OPENSUSE keylime.conf.diff
-Patch1:         keylime.conf.diff
+# openSUSE adjustments for generated configuration files
+Source10:       agent.conf.diff
+Source11:       registrar.conf.diff
+Source12:       verifier.conf.diff
+BuildRequires:  %{python_module Jinja2}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
@@ -78,7 +81,7 @@
 Conflicts:      rust-keylime
 
 %description -n %{name}-config
-Subpackage of %{name} for the shared configuration file of the agent
+Subpackage of %{name} for the shared configuration files for the agent
 and the server components.
 
 %package -n %{name}-firewalld
@@ -93,6 +96,8 @@
 Summary:        Certify store for the TPM
 Requires:       python3-%{name} = %{version}
 Conflicts:      rust-keylime
+Provides:       user(keylime)
+%sysusers_requires
 
 %description -n %{name}-tpm_cert_store
 Subpackage of %{name} for storing the TPM certificates.
@@ -134,13 +139,24 @@
 %description -n %{name}-verifier
 Subpackage of %{name} for verifier service.
 
+%package -n %{name}-tenant
+Summary:        Keylime tenant command line tool
+Requires:       %{name}-config = %{version}
+Requires:       %{name}-tpm_cert_store = %{version}
+Requires:       python3-%{name} = %{version}
+Recommends:     %{name}-firewalld = %{version}
+Conflicts:      rust-keylime
+
+%description -n %{name}-tenant
+Subpackage of %{name} for tenant command line tool.
+
 %package -n %{name}-logrotate
 Summary:        Logrotate for Keylime servies
 Requires:       logrotate
 Conflicts:      rust-keylime
 
 %description -n %{name}-logrotate
-Subpacakge of %{name} for logrotate for Keylime services
+Subpackage of %{name} for logrotate for Keylime services
 
 %prep
 %autosetup -p1 -n %{name}-v%{version}
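Review bot: "Recommends: %{name}-firewalld" on the new -tenant subpackage looks misplaced: the keylime.xml firewalld service opens inbound verifier and registrar ports, but the tenant command-line tool does not listen on anything, so the recommend only makes sense for the -agent, -registrar and -verifier packages. The "Keylime servies" typo in the -logrotate Summary is still there while the matching "Subpacakge" typo in its description is fixed.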
@@ -153,6 +169,12 @@
 export VERSION=%{version}
 %python_install
 
+%{python_expand # Patch the generated configuration files
+patch -s --fuzz=0 %{buildroot}%{$python_sitelib}/%{srcname}/config/agent.conf 
< %{SOURCE10}
+patch -s --fuzz=0 
%{buildroot}%{$python_sitelib}/%{srcname}/config/registrar.conf < %{SOURCE11}
+patch -s --fuzz=0 
%{buildroot}%{$python_sitelib}/%{srcname}/config/verifier.conf < %{SOURCE12}
+}
+
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent
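Review bot: the three `patch -s --fuzz=0 ... < %{SOURCEnn}` calls should also pass `--no-backup-if-mismatch`; GNU patch creates a `.orig` backup whenever a hunk applies at an offset even with fuzz 0, and because the target files live under %{$python_sitelib}/%{srcname}/config that backup would be picked up by the `%{python_sitelib}/*` glob and shipped. Running the patches inside %{python_expand} is right, since every flavour has its own copy of the generated files.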
@@ -164,7 +186,12 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
-install -Dpm 0600 %{srcname}.conf %{buildroot}%{_distconfdir}/%{srcname}.conf
+%{python_expand # Install configuration files
+for cfg in %{buildroot}%{$python_sitelib}/%{srcname}/config/*.conf; do
+  install -Dpm 0600 "$cfg" %{buildroot}%{_distconfdir}/%{srcname}/$(basename 
"$cfg")
+done
+}
+
 install -Dpm 0644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
 install -Dpm 0644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
 install -Dpm 0644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
@@ -218,7 +245,7 @@
 %service_add_post %{srcname}_verifier.service
 
 %preun -n %{srcname}-verifier
-%service_del_preun %{srcname}_agent.service
+%service_del_preun %{srcname}_verifier.service
 
 %postun -n %{srcname}-verifier
 %service_del_postun %{srcname}_verifier.service
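Review bot: this is a genuine bug fix and deserves a line in the .changes entry: before it, `%preun -n %{srcname}-verifier` ran `%service_del_preun` on `%{srcname}_agent.service`, so removing the verifier subpackage stopped and disabled the agent service on the same host instead of the verifier.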
@@ -265,7 +292,9 @@
 %{python_sitelib}/*
 
 %files -n %{srcname}-config
-%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}.conf
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/ca.conf
+%_config_norepl %attr (0600,keylime,tss) 
%{_distconfdir}/%{srcname}/logging.conf
 
 %files -n %{srcname}-firewalld
 %dir %{_prefix}/lib/firewalld
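Review bot: `%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}` is now listed in the -config, -agent, -registrar, -verifier and -tenant file lists. rpm tolerates shared directory ownership, but since -tenant already requires -config (and the service subpackages presumably do as well), owning the directory only in -config avoids the repetition and any future drift in its mode.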
@@ -274,8 +303,8 @@
 
 %files -n %{srcname}-tpm_cert_store
 %dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}
-%dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
-%{_sharedstatedir}/%{srcname}/tpm_cert_store/*
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store
+%attr(0600,keylime,tss) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*
 # We use this subpackage to store other unrelated things, as far as is
 # required by all the services
 %{_sysusersdir}/%{srcname}-user.conf
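Review bot: tightening tpm_cert_store to 0700/0600 keylime:tss is stricter than the data needs (the EK CA certificates are public) and has a usability consequence: the new -tenant subpackage requires this store, so an administrator running the tenant CLI from their own account can no longer read it and EK certificate verification will fail unless they run as keylime. 0750/0640 with group tss, or documenting that the tenant must run as the keylime user, would be a safer middle ground.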
@@ -283,15 +312,25 @@
 %{_tmpfilesdir}/%{srcname}.conf
 
 %files -n %{srcname}-agent
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/agent.conf
 %{_unitdir}/%{srcname}_agent.service
 %{_unitdir}/var-lib-%{srcname}-secure.mount
 
 %files -n %{srcname}-registrar
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) 
%{_distconfdir}/%{srcname}/registrar.conf
 %{_unitdir}/%{srcname}_registrar.service
 
 %files -n %{srcname}-verifier
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) 
%{_distconfdir}/%{srcname}/verifier.conf
 %{_unitdir}/%{srcname}_verifier.service
 
+%files -n %{srcname}-tenant
+%dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}
+%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}/tenant.conf
+
 %files -n %{srcname}-logrotate
 %_config_norepl %{_distconfdir}/logrotate.d/%{srcname}
 %dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}
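Review bot: tenant.conf is packaged in -tenant but, unlike agent.conf, registrar.conf and verifier.conf, there is no tenant.conf.diff Source applied to it, so it ships with upstream's loopback addresses for the registrar and verifier while the services are reconfigured to bind to 0.0.0.0; on a remote admin host the tenant has to be edited by hand before it works. Either add a matching adjustment file or call this out in the changelog.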

++++++ _service ++++++
--- /var/tmp/diff_new_pack.wc63o9/_old  2022-10-01 17:42:05.073552933 +0200
+++ /var/tmp/diff_new_pack.wc63o9/_new  2022-10-01 17:42:05.077552940 +0200
@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="disabled">
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">refs/tags/v6.4.2</param>
+    <param name="revision">refs/tags/v6.5.0</param>
     <param name="url">https://github.com/keylime/keylime.git</param>
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.wc63o9/_old  2022-10-01 17:42:05.097552977 +0200
+++ /var/tmp/diff_new_pack.wc63o9/_new  2022-10-01 17:42:05.101552984 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param 
name="url">https://github.com/keylime/keylime.git</param>
-              <param 
name="changesrevision">3661637256d42b997574f8d252476cafcdf21954</param></service></servicedata>
+              <param 
name="changesrevision">d2ddf4e0ce2cc8e1224f874090f9efab8a02b63b</param></service></servicedata>
 (No newline at EOF)
 

++++++ agent.conf.diff ++++++
--- agent.conf.ORIG     2022-09-26 10:45:14.032956447 +0200
+++ agent.conf  2022-09-26 10:56:45.789550501 +0200
@@ -14,10 +14,12 @@
 # 'dmidecode -s system-uuid'.
 # If you set this to "hostname", Keylime will use the full qualified domain
 # name of current host as the agent id.
-uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+# uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c00000
+uuid = hostname
 
 # The binding address and port for the agent server
-ip = 127.0.0.1
+# ip = 127.0.0.1
+ip = 0.0.0.0
 port = 9002
 
 # Address and port where the verifier and tenant can connect to reach the 
agent.
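Review bot: changing `ip` from 127.0.0.1 to 0.0.0.0 makes the agent API on port 9002 reachable from every interface by default, so the shipped file must keep the mTLS setting below enabled and the firewalld service should be documented as the expected companion. `uuid = hostname` ties the agent identity to the FQDN; that name has to be unique and stable across reprovisioning, because the verifier and registrar key their state by agent id.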
@@ -26,7 +28,8 @@
 contact_port = 9002
 
 # The address and port of registrar server which agent communicate with
-registrar_ip = 127.0.0.1
+# registrar_ip = 127.0.0.1
+registrar_ip = <REMOTE_IP>
 registrar_port = 8890
 
 # Enable mTLS communication between agent, verifier and tenant.
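Review bot: `registrar_ip = <REMOTE_IP>` is not a valid address, so the agent cannot talk to the registrar until the administrator edits the file; the effect is a service that fails on first start rather than a working loopback default. If the intent is to force a conscious choice, say so in a comment right above the line and in the package changelog.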
@@ -100,7 +103,8 @@
 enable_revocation_notifications = True
 
 # The IP to listen for revocation notifications via ZeroMQ
-revocation_notification_ip = 127.0.0.1
+# revocation_notification_ip = 127.0.0.1
+revocation_notification_ip = <REMOTE_IP>
 
 # The port to listen for revocation notifications via ZeroMQ
 revocation_notification_port = 8992
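Review bot: `revocation_notification_ip = <REMOTE_IP>` is the verifier's ZeroMQ bind address seen from the agent, so it has to match the verifier's `zmq_ip`/`zmq_port` (8992) setting; a comment saying which host this should point to would save operators a round trip, and the same placeholder caveat as for `registrar_ip` applies.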
@@ -151,7 +155,8 @@
 
 # List of hash algorithms used for PCRs
 # Accepted values: sha512, sha384, sha256, sha1
-tpm_hash_alg = sha1
+# tpm_hash_alg = sha1
+tpm_hash_alg = sha256
 
 # List of encryption algorithms to use with the TPM
 # Accepted values: ecc, rsa
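Review bot: moving the default PCR bank from sha1 to sha256 is the right call, but it changes which bank the quotes are taken from, so any existing tpm_policy or measured-boot reference values computed against the sha1 bank must be regenerated, and the TPM must have the sha256 bank enabled; worth a sentence in the changelog.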
@@ -182,5 +187,5 @@
 # If cv_ca directory exists:
 # chown keylime /var/lib/keylime/cv_ca
 # chown keylime /var/lib/keylime/cv_ca/cacert.crt
-run_as = 
-
+# run_as = 
+run_as = keylime:tss
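Review bot: `run_as = keylime:tss` is consistent with the `%attr(0700,keylime,tss)` ownership the spec sets on the configuration and state directories; the comment block above still tells users to `chown keylime` the cv_ca directory by hand, which the spec could take care of as well.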

++++++ keylime-v6.4.2.tar.xz -> keylime-v6.5.0.tar.xz ++++++
/work/SRC/openSUSE:Factory/keylime/keylime-v6.4.2.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.2275/keylime-v6.5.0.tar.xz differ: char 
15, line 1

++++++ keylime.xml ++++++
--- /var/tmp/diff_new_pack.wc63o9/_old  2022-10-01 17:42:05.153553079 +0200
+++ /var/tmp/diff_new_pack.wc63o9/_new  2022-10-01 17:42:05.157553086 +0200
@@ -2,7 +2,6 @@
 <service>
   <short>Keylime</short>
   <description>Keylime is a remote attestation tool that requires access to 
several ports.</description>
-  <port protocol="tcp" port="443"/><!-- Webapp -->
   <port protocol="tcp" port="8881"/><!-- Verifier -->
   <port protocol="tcp" port="8890"/><!-- Registrar -->
   <port protocol="tcp" port="8891"/><!-- Registrar TLS -->

++++++ registrar.conf.diff ++++++
--- registrar.conf.ORIG 2022-09-26 10:45:14.032956447 +0200
+++ registrar.conf      2022-09-26 10:59:47.477707174 +0200
@@ -5,7 +5,8 @@
 version = 2.0
 
 # The registrar server IP address and port
-ip = 127.0.0.1
+# ip = 127.0.0.1
+ip = 0.0.0.0
 port = 8890
 tls_port = 8891
 

++++++ verifier.conf.diff ++++++
--- verifier.conf.ORIG  2022-09-26 10:45:14.032956447 +0200
+++ verifier.conf       2022-09-26 11:02:37.781854035 +0200
@@ -5,7 +5,8 @@
 uuid = default
 
 # The verifier server IP address and port
-ip = 127.0.0.1
+# ip = 127.0.0.1
+ip = 0.0.0.0
 port = 8881
 
 # The address and port of registrar server that the verifier communicates with
@@ -191,7 +192,8 @@
 enabled_revocation_notifications = ['agent']
 
 # The binding address and port of the revocation notifier service via ZeroMQ.
-zmq_ip = 127.0.0.1
+# zmq_ip = 127.0.0.1
+zmp_ip = 0.0.0.0
 zmq_port = 8992
 
 # Webhook url for revocation notifications.
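Review bot: the added line reads `zmp_ip = 0.0.0.0` but the key being replaced is `zmq_ip`; the original is commented out and the misspelt key is ignored, so the revocation notifier keeps its built-in bind address and agents configured with `revocation_notification_ip = <REMOTE_IP>` on other hosts will never receive revocation notifications. Fix the typo to `zmq_ip = 0.0.0.0`.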
