Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package disk-encryption-tool for openSUSE:Factory checked in at 2023-12-22 22:40:49 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old) and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.28375 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "disk-encryption-tool" Fri Dec 22 22:40:49 2023 rev:3 rq:1134500 version:1+git20231221.d2e7fe6 Changes: --------
--- /work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes 2023-12-15 21:47:31.570691649 +0100
+++ /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.28375/disk-encryption-tool.changes 2023-12-22 22:40:59.819260565 +0100
@@ -1,0 +2,14 @@
+Thu Dec 21 15:28:58 UTC 2023 - lnus...@suse.com
+
+- Update to version 1+git20231221.d2e7fe6:
+ * Fix setting separate crypt password
+
+-------------------------------------------------------------------
+Wed Dec 20 17:20:08 UTC 2023 - lnus...@suse.com
+
+- Update to version 1+git20231220.6a5fb7f:
+ * refactor luks detection
+ * Tweak combustion deps
+ * Fix combustion support (boo#1218131)
+
+-------------------------------------------------------------------
Old: ---- disk-encryption-tool-1+git20231214.1708e01.obscpio New: ---- disk-encryption-tool-1+git20231221.d2e7fe6.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------
++++++ disk-encryption-tool.spec ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:00.951302216 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:00.951302216 +0100
@@ -28,7 +28,7 @@
 %endif
 Name: disk-encryption-tool
-Version: 1+git20231214.1708e01%{git_version}
+Version: 1+git20231221.d2e7fe6%{git_version}
 Release: 0
 Summary: Tool to reencrypt kiwi raw images
 License: MIT
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:00.999303982 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:01.003304129 +0100
@@ -3,6 +3,6 @@ <param name="url">https://github.com/lnussel/disk-encryption-tool.git</param> <param name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service name="tar_scm"> <param name="url">https://github.com/openSUSE/disk-encryption-tool.git</param> - <param name="changesrevision">1708e014184aba1d69c3294a990594a35abbe71c</param></service></servicedata> + <param name="changesrevision">d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7</param></service></servicedata> (No newline at EOF)
++++++ disk-encryption-tool-1+git20231214.1708e01.obscpio -> disk-encryption-tool-1+git20231221.d2e7fe6.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/README.md new/disk-encryption-tool-1+git20231221.d2e7fe6/README.md
--- old/disk-encryption-tool-1+git20231214.1708e01/README.md 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/README.md 2023-12-21 16:03:00.000000000 +0100
@@ -39,9 +39,9 @@
 script would have to look like this:
 #!/bin/bash
- # combustion: encrypt
- if [ "$1" = "--encrypt" ]; then
- echo 12345 | disk-encryption-tool -v --gen-key
+ # combustion: prepare
+ if [ "$1" = "--prepare" ]; then
+ echo 12345 | disk-encryption-tool -v
 else
 echo root:12345 | chpasswd
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool
--- old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool 2023-12-21 16:03:00.000000000 +0100
@@ -184,7 +184,7 @@
 kv="${kv##*/}"
 initrd="${initrd#"$mp"}"
 log_info "create $initrd for $kv"
- chroot "$mp" dracut --add qemu --add-drivers "dm_crypt nls_iso8859-1 nls_cp437" -q --reproducible -f "$initrd" "$kv" "$@"
+ hostonly_l=no chroot "$mp" dracut -q --reproducible -f "$initrd" "$kv" "$@"
 done
 else
 err "Unsupported boot loader or fs layout"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut
--- old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut 2023-12-21 16:03:00.000000000 +0100
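Review bot: The new call `hostonly_l=no chroot "$mp" dracut -q --reproducible -f "$initrd" "$kv" "$@"` carries no comment explaining why the explicit `--add-drivers "dm_crypt nls_iso8859-1 nls_cp437"` and `--add qemu` are no longer needed, and it switches host-only mode off through an environment variable instead of dracut's documented `--no-hostonly` option. Because this initrd has to be able to unlock the freshly encrypted root, a line such as `# generic (non-hostonly) initrd; dm_crypt is expected to be pulled in by the image's dracut configuration` above the call would record the assumption, which cannot be confirmed from this hunk. The exit status of dracut is also not checked on this line, so a failed rebuild is only caught if the script runs under `set -e`, which is not visible here. The enclosing loop and function start before the hunk.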
@@ -1,19 +1,23 @@
 #!/bin/sh
+
 exec < /dev/console >/dev/console 2>&1
 type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
-script=/run/combustion/mount/combustion/script
-if [ -e "$script" ] && grep -qE '^# combustion:(.*)\<encrypt\>' "$script"; then
- systemctl start sysroot.mount
- # silence systemd
- kill -SIGRTMIN+21 1
- chmod a+x "$script"
- "$script" --encrypt
-elif getargbool 0 rd.encrypt || [ ! -e /sysroot/etc/machine-id ]; then
- systemctl start sysroot.mount
- # silence systemd
- kill -SIGRTMIN+21 1
- echo -ne '\a'
- read -n1 -s -r -t 5 -p "Press ESC to prevent encrypting the disk" inhibitor
- echo
- [ "$inhibitor" = $'\e' ] || /usr/bin/disk-encryption-tool -v --gen-key || die "Encryption failed"
+
+# XXX: this is so dirty
+systemctl start sysroot.mount
+mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var
+if [ ! -e /sysroot/var/lib/YaST2/reconfig_system ]; then
+ echo "system already configured, no encryption"
+ umount /sysroot/var
+ exit 0
+fi
+umount /sysroot/var
+
+# silence systemd
+kill -SIGRTMIN+21 1
+echo -ne '\n\n\a'
+read -n1 -s -r -t 10 -p "*** Press ESC to prevent encrypting the disk" inhibitor
+echo
+if [ "$inhibitor" != $'\e' ]; then
+ /usr/bin/disk-encryption-tool -v --gen-key || die "Encryption failed"
 fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut.service
--- old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut.service 2023-12-21 16:03:00.000000000 +0100
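Review bot: A failed `systemctl start sysroot.mount` or a failed `mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var` looks exactly like an already configured system: the test for `/sysroot/var/lib/YaST2/reconfig_system` fails, the script prints "system already configured, no encryption" and exits 0, so the disk stays unencrypted without any error. A first-boot encryption step should fail closed, for example `mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var || die "cannot mount /var to check first-boot state"`. If images without a separate /var entry in fstab must keep working, that case has to be told apart from a real mount failure before calling `die`. The `# XXX: this is so dirty` comment would help more if it said what the marker file means and which component creates it.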
@@ -7,12 +7,7 @@
 Requires=initrd-root-device.target
 After=initrd-root-device.target
-# we want to run after combustion copied the config but before combustion
-# itself runs
-Requires=combustion.service
-After=firstboot-detect.service
-After=combustion-prepare.service
-Before=combustion.service
+After=combustion.service
 # After ignition completed its stuff
 After=ignition-complete.target
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-diskencrypt
--- old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-diskencrypt 2023-12-21 16:03:00.000000000 +0100
@@ -59,7 +59,7 @@
 local dev
 for dev in "${crypt_devs[@]}"; do
 echo "adding password to $dev"
- echo -n "$password" | run cryptsetup luksAddKey --verbose --batch-mode --force-password --key-file <(keyctl pipe "$crypt_keyid") "$dev"
+ echo -n "$crypt_pw" | run cryptsetup luksAddKey --verbose --batch-mode --force-password --key-file <(keyctl pipe "$crypt_keyid") "$dev"
 done
 fi
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll 2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll 2023-12-21 16:03:00.000000000 +0100
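Review bot: The new `After=combustion.service` line replaces a commented ordering block with a single uncommented directive, so the unit no longer says why it now runs after combustion instead of before it. `After=` only orders the two units when combustion.service is part of the same transaction, and with `Requires=combustion.service` removed this unit no longer pulls it in; that looks intended but should be stated. A comment above the line such as `# combustion scripts tagged "combustion: prepare" call the tool themselves; only order after combustion, do not pull it in` would cover it. Whether the dracut script then leaves alone a disk that such a script has already encrypted is not visible in this hunk and should be confirmed.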
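Review bot: The passphrase is still piped to cryptsetup with `echo -n "$crypt_pw"`, and bash's builtin echo treats a value made up only of option letters, such as `-n` or `-e`, as an option, so the key slot would be created from different bytes than the user entered. `printf '%s' "$crypt_pw" | run cryptsetup luksAddKey --verbose --batch-mode --force-password --key-file <(keyctl pipe "$crypt_keyid") "$dev"` passes the value through unchanged. The hunk does not show where `crypt_pw` is set or that it is non-empty before `--force-password` is applied; the enclosing function starts before the hunk, so that needs to be checked there.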
@@ -1,17 +1,34 @@
 #!/bin/bash
-crypt_keyid=""
 with_fido2=
 with_tpm2=
+declare -a luks2_devices
+
 # After the enrolling, other tools can find this list in the LUKS
 # header
 pcrs="0,2,4,7,9"
+have_luks2()
+{
+ [ "${#luks2_devices[@]}" -gt 0 ]
+}
+
+detect_luks2()
+{
+ local dev fstype
+ [ -z "$luks2_devices" ] || return 0
+ while read -r dev fstype; do
+ [ "$fstype" = 'crypto_LUKS' ] || continue
+ cryptsetup isLuks --type luks2 "$dev" || continue
+ luks2_devices+=("$dev")
+ done < <(lsblk --noheadings -o PATH,FSTYPE)
+ have_luks2
+}
+
 enroll_systemd_firstboot()
 {
- crypt_keyid="$(keyctl id %user:cryptenroll)"
- [ -n "$crypt_keyid" ] || return 0
 [ -e /usr/bin/systemd-cryptenroll ] || return 0
+ detect_luks2 || return 0
 local has_fido2=${JEOS_HAS_FIDO2:-}
 local has_tpm2=
@@ -100,22 +117,16 @@
 }
 enroll_post() {
- [ -n "$crypt_keyid" ] || return 0
 [ -e /usr/bin/systemd-cryptenroll ] || return 0
+ detect_luks2 || return 0
 local dev
 local fstype
- if [ -z "$crypt_devs" ]; then
- while read -r dev fstype; do
- [ "$fstype" = 'crypto_LUKS' ] || continue
- crypt_devs+=("$dev")
- done < <(lsblk --noheadings -o PATH,FSTYPE)
- fi
 crypttab_options="x-initrd.attach"
 if [ "$with_fido2" = '1' ]; then
- for dev in "${crypt_devs[@]}"; do
+ for dev in "${luks2_devices[@]}"; do
 enroll_fido2 "$dev"
 done
 crypttab_options+=",fido2-device=auto"
@@ -124,7 +135,7 @@
 if [ "$with_tpm2" = '1' ]; then
 generate_key
- for dev in "${crypt_devs[@]}"; do
+ for dev in "${luks2_devices[@]}"; do
 enroll_tpm2 "$dev"
 done
 crypttab_options+=",tpm2-device=auto"
++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:01.135308986 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:01.139309134 +0100
@@ -1,5 +1,5 @@
 name: disk-encryption-tool
-version: 1+git20231214.1708e01
-mtime: 1702548299
-commit: 1708e014184aba1d69c3294a990594a35abbe71c
+version: 1+git20231221.d2e7fe6
+mtime: 1703170980
+commit: d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7
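Review bot: `detect_luks2` collects every LUKS2 volume that `lsblk` reports, and both `enroll_systemd_firstboot` (this hunk) and `enroll_post` (the hunk at -100,22) lose the `[ -n "$crypt_keyid" ] || return 0` guard, so enrolment is now attempted on any attached LUKS2 device, including ones this tool did not encrypt and for which no key may be in the keyring. If `enroll_fido2`, `enroll_tpm2` or `generate_key`, which lie outside the hunks, still read `crypt_keyid`, they need their own check now. A header comment on `detect_luks2` should state that scope, for example `# Fill luks2_devices with all LUKS2 block devices found by lsblk (cached once non-empty); returns non-zero if none`. In the same function `[ -z "$luks2_devices" ] || return 0` tests only element 0 of the array; `have_luks2 && return 0` says what is meant and reuses the helper.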