commit keylime for openSUSE:Factory

2024-06-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2024-06-17 19:27:04

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.19518 (New)


Package is "keylime"

Mon Jun 17 19:27:04 2024 rev:45 rq:1180845 version:7.11.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2024-03-17 
22:10:52.929154011 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.19518/keylime.changes   
2024-06-17 19:27:20.893544562 +0200
@@ -1,0 +2,21 @@
+Fri Jun 14 08:04:48 UTC 2024 - apla...@suse.com
+
+- Update to version v7.11.0:
+  * "Monthly" Release (7.11.0)
+  * template mapping change for persisted idevids
+  * add config options for the persisted idevid and iak handles and passwords
+  * templates: Restore the default values
+  * templates: Add version 2.3
+  * convert_config: Use the latest default value for --default
+  * Add new /verify/identity API
+  * PSS padding fix - salt length changed to byte length of digest from length 
of signature
+  * sign_runtime_policy: Display error message if non-EC key is provided
+  * packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot)
+  * Fix durable attestation in absence of mb_policy
+  * tests: Fix coverage download by supporting new webdrives
+  * templates: verifier: Add require_allow_list_signatures to config file
+  * runtime policy: Raise error on missing key if signature required
+  * runtime policy: Raise error on unsigned policy if signature required
+  * dsse: Remove unused type: ignore comment (mypy)
+
+---

Old:

  keylime-v7.10.0.tar.xz

New:

  keylime-v7.11.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.293595551 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.297595696 +0200
@@ -26,7 +26,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.10.0
+Version:7.11.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT AND BSD-3-Clause

++ _service ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.345597444 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.349597590 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.10.0
+refs/tags/v7.11.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.369598319 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.373598464 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  a5a671f71ce5ed425bc2afa7e81f87fe682936f3
+  31db17cd1413780e3f4f9b9673c024bc8096b897
 (No newline at EOF)
 

++ keylime-v7.10.0.tar.xz -> keylime-v7.11.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.10.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.19518/keylime-v7.11.0.tar.xz differ: 
char 16, line 1

++ registrar.conf.diff ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.441600941 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.445601086 +0200
@@ -1,7 +1,9 @@
 config/registrar.conf.ORIG 2024-01-31 09:54:18.487372896 +0100
-+++ config/registrar.conf  2024-01-31 09:54:40.910700043 +0100
+diff --git a/config/registrar.conf b/config/registrar.conf
+index 19f7cb1..3492453 100644
+--- a/config/registrar.conf
 b/config/registrar.conf
 @@ -5,7 +5,8 @@
- version = 2.2
+ version = 2.3
  
  # The binding address and port for the registrar server
 -ip = "127.0.0.1"

++ tenant.conf.diff ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.461601670 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.465601815 +0200
@@ -1,6 +1,8 @@
 config/tenant.conf.ORIG2024-01-31 09:54:23.807371427 +0100
-+++ config/tenant.conf 2024-01-31 09:55:09.827358730 +0100
-@@ -106,7 +106,8 @@
+diff --git a/config/tenant.conf b/config/tenant.conf
+index ead02b8..1b3d921 100644
+--- a/config/tenant.conf
 b/config/tenant.conf
+@@ -106,7 +106,8 @@ request_timeout = 60
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.

++ verifier.conf.diff ++
--- /var/tmp/diff_new_pack.SgYxro/_old  2024-06-17 19:27:22.497602980 +0200
+++ /var/tmp/diff_new_pack.SgYxro/_new  2024-06-17 19:27:22.501603126 +0200
@@ 

commit keylime for openSUSE:Factory

2024-03-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2024-03-17 22:10:47

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1905 (New)


Package is "keylime"

Sun Mar 17 22:10:47 2024 rev:44 rq:1158172 version:7.10.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2024-01-31 
23:53:48.893129434 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1905/keylime.changes
2024-03-17 22:10:52.929154011 +0100
@@ -1,0 +2,14 @@
+Fri Mar 15 09:11:41 UTC 2024 - apla...@suse.com
+
+- Update to version v7.10.0:
+  * Monthly Release (7.10.0)
+  * mba: Add a separate table for measured boot policies. In the next PR, 
similar to named runtime policies, this table will be used to provide support 
for named measured boot policies and thier management.
+  * user_guide: Add section about 'Key Learning to Verify Files'
+  * docs: fix rendering in PCR example
+  * docs: update PCR monitoring example
+  * templates: Fix typo on default measured boot log location
+  * packit: re-enable tests against Rawhide
+  * elparser: add different escaping required for tpm2-tools >= 5.6
+  * requirements: bump pyasn1-modules to 0.2.5
+
+---

Old:

  keylime-v7.9.0.tar.xz

New:

  keylime-v7.10.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.7OWaQI/_old  2024-03-17 22:10:54.925226777 +0100
+++ /var/tmp/diff_new_pack.7OWaQI/_new  2024-03-17 22:10:54.925226777 +0100
@@ -26,7 +26,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.9.0
+Version:7.10.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT AND BSD-3-Clause

++ _service ++
--- /var/tmp/diff_new_pack.7OWaQI/_old  2024-03-17 22:10:54.965228236 +0100
+++ /var/tmp/diff_new_pack.7OWaQI/_new  2024-03-17 22:10:54.969228381 +0100
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.9.0
+refs/tags/v7.10.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.7OWaQI/_old  2024-03-17 22:10:54.993229256 +0100
+++ /var/tmp/diff_new_pack.7OWaQI/_new  2024-03-17 22:10:54.997229402 +0100
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  2f0921808db8f3bbf0e834b8d02d5c52c6c69504
+  a5a671f71ce5ed425bc2afa7e81f87fe682936f3
 (No newline at EOF)
 

++ keylime-v7.9.0.tar.xz -> keylime-v7.10.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.9.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.1905/keylime-v7.10.0.tar.xz differ: 
char 15, line 1


commit keylime for openSUSE:Factory

2023-11-05 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-11-05 12:18:57

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.17445 (New)


Package is "keylime"

Sun Nov  5 12:18:57 2023 rev:42 rq:1123260 version:7.7.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-10-03 
20:16:50.181902309 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.17445/keylime.changes   
2023-11-05 12:19:15.574162002 +0100
@@ -1,0 +2,16 @@
+Fri Nov 03 15:27:58 UTC 2023 - apla...@suse.com
+
+- Update to version v7.7.0:
+  * Monthly release (7.7.0)
+  * tpm_cert_store: add the Nationz TPM EK x509 cert
+  * codestyle: Have mypy ignore import of PoolManager
+  * codestyle: Suppress pyright errors on methods that do exist
+  * codestyle: Annotate some string constances (pyright)
+  * types: Fix a deprecation warning from recent cryptography
+  * create_policy: Set the generator value to LegacyAllowList
+  * verifier: Compare generator against enum rather than magic '1'
+  * Fix pylint C0103 (naming) errors in some files
+  * crypto: Fix a pyright issue
+  * test: Fix a pyright issue
+
+---

Old:

  keylime-v7.6.0.tar.xz

New:

  keylime-v7.7.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.DREmIf/_old  2023-11-05 12:19:16.342190175 +0100
+++ /var/tmp/diff_new_pack.DREmIf/_new  2023-11-05 12:19:16.346190322 +0100
@@ -26,7 +26,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.6.0
+Version:7.7.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT AND BSD-3-Clause

++ _service ++
--- /var/tmp/diff_new_pack.DREmIf/_old  2023-11-05 12:19:16.378191496 +0100
+++ /var/tmp/diff_new_pack.DREmIf/_new  2023-11-05 12:19:16.382191642 +0100
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.6.0
+refs/tags/v7.7.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.DREmIf/_old  2023-11-05 12:19:16.398192229 +0100
+++ /var/tmp/diff_new_pack.DREmIf/_new  2023-11-05 12:19:16.402192376 +0100
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  1370326be6ec28ea785513f3c929f49da59c5fbd
+  b7af6fef3baefeb41f471d1050ba7a78f9423e5b
 (No newline at EOF)
 

++ keylime-v7.6.0.tar.xz -> keylime-v7.7.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.6.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.17445/keylime-v7.7.0.tar.xz differ: 
char 15, line 1


commit keylime for openSUSE:Factory

2023-10-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-10-03 20:15:16

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.28202 (New)


Package is "keylime"

Tue Oct  3 20:15:16 2023 rev:41 rq:1114720 version:7.6.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-08-30 
10:18:48.288553784 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.28202/keylime.changes   
2023-10-03 20:16:50.181902309 +0200
@@ -1,0 +2,21 @@
+Mon Oct 02 07:46:01 UTC 2023 - apla...@suse.com
+
+- Update to version v7.6.0:
+  * Monthly release (7.6.0)
+  * test-requirements: remove types-atomicwrites
+  * Fixed an inappropriate test expression to remove a logical short circuit
+  * remove prov_db_filename from config
+  * Fix for key parse error in tpm2_objects
+  * Fix mapping.json path in the comments
+  * ima: Emit a warning when a file signature could not be parsed
+  * Initial PR to add support for IDevID and IAK
+  * Implement automatic agent API version bump
+  * tests: avoid fail when epel-release is installed
+
+---
+Fri Sep 29 15:22:13 UTC 2023 - Matej Cepl 
+
+- M2Crypto is not used anymore.
+- Clean up SPEC file.
+
+---

Old:

  keylime-v7.5.0.tar.xz

New:

  keylime-v7.6.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.Npz59V/_old  2023-10-03 20:16:53.406018592 +0200
+++ /var/tmp/diff_new_pack.Npz59V/_new  2023-10-03 20:16:53.406018592 +0200
@@ -17,7 +17,6 @@
 
 
 %global srcname keylime
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 # Consolidate _distconfdir and _sysconfdir
 %if 0%{?_distconfdir:1}
@@ -27,7 +26,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.5.0
+Version:7.6.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT AND BSD-3-Clause
@@ -50,7 +49,6 @@
 Requires:   libtss2-tcti-device0
 Requires:   libtss2-tcti-tabrmd0
 Requires:   procps
-Requires:   python3-M2Crypto
 Requires:   python3-PyYAML
 Requires:   python3-SQLAlchemy
 Requires:   python3-alembic
@@ -265,7 +263,8 @@
 %python_alternative %{_bindir}/%{srcname}_upgrade_config
 %python_alternative %{_bindir}/%{srcname}_userdata_encrypt
 %python_alternative %{_bindir}/%{srcname}_verifier
-%{python_sitelib}/*
+%{python_sitelib}/keylime
+%{python_sitelib}/keylime-%{version}*-info
 
 %files -n %{srcname}-config
 %dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}

++ _service ++
--- /var/tmp/diff_new_pack.Npz59V/_old  2023-10-03 20:16:53.438019746 +0200
+++ /var/tmp/diff_new_pack.Npz59V/_new  2023-10-03 20:16:53.442019890 +0200
@@ -1,15 +1,15 @@
 
-  
+  
 @PARENT_TAG@
-refs/tags/v7.5.0
+refs/tags/v7.6.0
 https://github.com/keylime/keylime.git
 git
 enable
   
-  
+  
 xz
 *.tar
   
-  
+  
 
 

++ _servicedata ++
--- /var/tmp/diff_new_pack.Npz59V/_old  2023-10-03 20:16:53.458020467 +0200
+++ /var/tmp/diff_new_pack.Npz59V/_new  2023-10-03 20:16:53.462020612 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  29657502a4b59f1ffc702043fdb375c0e02bed60
+  1370326be6ec28ea785513f3c929f49da59c5fbd
 (No newline at EOF)
 

++ keylime-v7.5.0.tar.xz -> keylime-v7.6.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.5.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.28202/keylime-v7.6.0.tar.xz differ: 
char 15, line 1


commit keylime for openSUSE:Factory

2023-08-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-08-30 10:17:47

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1766 (New)


Package is "keylime"

Wed Aug 30 10:17:47 2023 rev:40 rq:1105560 version:7.5.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-08-03 
17:27:17.582859179 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1766/keylime.changes
2023-08-30 10:18:48.288553784 +0200
@@ -1,0 +2,19 @@
+Thu Aug 24 06:55:14 UTC 2023 - apla...@suse.com
+
+- Update to version v7.5.0 (CVE-2023-38201, bsc#1213314):
+  * Monthly release (7.5.0)
+  * Fix for CVE-2023-38201 (Security Advisory GHSA-f4r5-q63f-gcww)
+  * verifier: should read parameters from verifier.conf only
+  * tests: Correctly configure kernel IMA
+  * Handle session close using a session manager
+  * requirements.txt: update the need sqlalchemy version to 1.3.12 and above.
+  * elchecking/example: add ignores for EV_PLATFORM_CONFIG_FLAGS
+  * tpm_cert_store: add the Alibaba Cloud vTPM EK x509 cert
+  * installer.sh: use the -i parameter to set the default binding and 
listening IP about the agent, verifier, and registrar server is 127.0.0.1  or 
0.0.0.0
+  * installer.sh: remove the unused command line params
+  * Update container build workflow actions
+  * mba: Manage the number of times measure boot attestation is done.
+  * codestyle: Fix access to possibly not available package 'rpm' (pyright)
+  * templates/2.0/mapping.json: fix the default registrar_port error in the 
verifier config
+
+---

Old:

  keylime-v7.4.0.tar.xz

New:

  keylime-v7.5.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.ZuTTcl/_old  2023-08-30 10:18:50.672638865 +0200
+++ /var/tmp/diff_new_pack.ZuTTcl/_new  2023-08-30 10:18:50.676639007 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.4.0
+Version:7.5.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT AND BSD-3-Clause

++ _service ++
--- /var/tmp/diff_new_pack.ZuTTcl/_old  2023-08-30 10:18:50.716640435 +0200
+++ /var/tmp/diff_new_pack.ZuTTcl/_new  2023-08-30 10:18:50.720640578 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.4.0
+refs/tags/v7.5.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.ZuTTcl/_old  2023-08-30 10:18:50.736641149 +0200
+++ /var/tmp/diff_new_pack.ZuTTcl/_new  2023-08-30 10:18:50.740641292 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  37809d40ced15c38daa41d578b39b12a595d1167
+  29657502a4b59f1ffc702043fdb375c0e02bed60
 (No newline at EOF)
 

++ keylime-v7.4.0.tar.xz -> keylime-v7.5.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.4.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.1766/keylime-v7.5.0.tar.xz differ: char 
15, line 1

++ registrar.conf.diff ++
--- /var/tmp/diff_new_pack.ZuTTcl/_old  2023-08-30 10:18:50.800643433 +0200
+++ /var/tmp/diff_new_pack.ZuTTcl/_new  2023-08-30 10:18:50.804643576 +0200
@@ -1,12 +1,12 @@
 registrar.conf.ORIG2022-09-26 10:45:14.032956447 +0200
-+++ registrar.conf 2022-09-26 10:59:47.477707174 +0200
+--- config/registrar.conf.ORIG 2023-08-24 09:34:59.228880762 +0200
 config/registrar.conf  2023-08-24 09:36:34.165570356 +0200
 @@ -5,7 +5,8 @@
  version = 2.0
  
- # The registrar server IP address and port
--ip = 127.0.0.1
-+# ip = 127.0.0.1
-+ip = 0.0.0.0
+ # The binding address and port for the registrar server
+-ip = "127.0.0.1"
++# ip = "127.0.0.1"
++ip = "0.0.0.0"
  port = 8890
  tls_port = 8891
  
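Review bot: the refreshed patch still swaps `ip = "127.0.0.1"` for `ip = "0.0.0.0"` in the registrar config, so a default install listens on every interface for both `port = 8890` and `tls_port = 8891`. The changes entry for this update does not say why the packaged default differs from the loopback value in the file being patched. Suggest recording the reason in keylime.changes or in the comment above the setting, and keeping the loopback line active unless remote agents are expected to reach the registrar out of the box.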

++ verifier.conf.diff ++
--- /var/tmp/diff_new_pack.ZuTTcl/_old  2023-08-30 10:18:50.836644718 +0200
+++ /var/tmp/diff_new_pack.ZuTTcl/_new  2023-08-30 10:18:50.840644860 +0200
@@ -1,22 +1,22 @@
 verifier.conf.ORIG 2023-01-23 09:36:14.684727116 +0100
-+++ verifier.conf  2023-01-23 09:45:13.585042153 +0100
+--- config/verifier.conf.ORIG  2023-08-24 09:34:59.14093 +0200
 config/verifier.conf   2023-08-24 09:37:53.332256150 +0200
 @@ -8,7 +8,8 @@
  uuid = default
  
- # The verifier server IP address and port
--ip = 127.0.0.1
-+# ip = 127.0.0.1
-+ip = 0.0.0.0
+ # The binding address and port for the verifier server
+-ip = "127.0.0.1"
++# ip = "127.0.0.1"
++ip = "0.0.0.0"
  port = 8881
  
  # The address and port of registrar server that the 
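Review bot: same bind change as in the registrar patch, here for the verifier, where `ip = "0.0.0.0"` exposes `port = 8881` on all interfaces by default. The comment kept above the setting ("The binding address and port for the verifier server") gives no hint that the package changed the value. Suggest a short comment next to the commented-out `# ip = "127.0.0.1"` stating that it is the original default and when an administrator should restore it.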

commit keylime for openSUSE:Factory

2023-08-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-08-03 17:27:16

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.22712 (New)


Package is "keylime"

Thu Aug  3 17:27:16 2023 rev:39 rq:1101911 version:7.4.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-07-14 
15:35:45.221975381 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.22712/keylime.changes   
2023-08-03 17:27:17.582859179 +0200
@@ -1,0 +2,25 @@
+Wed Aug 02 07:53:35 UTC 2023 - apla...@suse.com
+
+- Add BSD-3-Clause license
+- Update to version v7.4.0 (CVE-2023-38200, bsc#1213310):
+  * Monthly release (7.4.0)
+  * codestyle: Fix tsa_rfc3161.py and have it pyright checked
+  * installer.sh: support Anolis OS whose ID is anolis
+  * tpm_util: Add the BSD license to the file due to functions from TPM 2 code
+  * codestyle: Have pyright check keylime/da directory
+  * docs: add missing options for verifier, remove vactivate
+  * codestyle: Have pyright check mba/elchecking/ except for example.py
+  * registrar_common: fix style complain
+  * registrar_common: fix missing select and sock
+  * Changes to script create_runtime_policy.sh, fixes #1426
+  * tenant: non-zero exit code in case of error
+  * mba: making MBA policy parser and checker pluggable
+  * create_runtime_policy: fix bash typo
+  * Extend Registrar SSL socket to be non-blocking
+  * Several improvements for the "create_runtime_policy.sh" script
+  * tpm_util: Replace a logger.error with an Exception in case of invalid 
signature
+  * tpm_util: Remove useless comparison of always identical hashes
+  * tests: Disable Packit CI on Rawhide due to infra issues
+  * adding kubectl to tenant docker image
+
+---

Old:

  keylime-v7.3.0.tar.xz

New:

  keylime-v7.4.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.TL1QKR/_old  2023-08-03 17:27:19.010867821 +0200
+++ /var/tmp/diff_new_pack.TL1QKR/_new  2023-08-03 17:27:19.018867870 +0200
@@ -27,10 +27,10 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.3.0
+Version:7.4.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
-License:Apache-2.0 AND MIT
+License:Apache-2.0 AND MIT AND BSD-3-Clause
 URL:https://github.com/keylime/keylime
 Source0:%{name}-v%{version}.tar.xz
 Source1:keylime.xml

++ _service ++
--- /var/tmp/diff_new_pack.TL1QKR/_old  2023-08-03 17:27:19.058868112 +0200
+++ /var/tmp/diff_new_pack.TL1QKR/_new  2023-08-03 17:27:19.062868136 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.3.0
+refs/tags/v7.4.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.TL1QKR/_old  2023-08-03 17:27:19.082868257 +0200
+++ /var/tmp/diff_new_pack.TL1QKR/_new  2023-08-03 17:27:19.086868281 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  013040b9a1f69f299bf872bcd60599d6ac3594b1
+  37809d40ced15c38daa41d578b39b12a595d1167
 (No newline at EOF)
 

++ keylime-v7.3.0.tar.xz -> keylime-v7.4.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.3.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.22712/keylime-v7.4.0.tar.xz differ: 
char 15, line 1


commit keylime for openSUSE:Factory

2023-07-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-07-14 15:35:41

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.3193 (New)


Package is "keylime"

Fri Jul 14 15:35:41 2023 rev:38 rq:1098383 version:7.3.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-06-06 
19:56:08.258430002 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.3193/keylime.changes
2023-07-14 15:35:45.221975381 +0200
@@ -1,0 +2,30 @@
+Wed Jul 12 14:14:35 UTC 2023 - apla...@suse.com
+
+- Drop migrations_use_sa_text_for_raw_SQL.patch, merged upstream
+- Update to version v7.3.0:
+  * Monthly release (7.3.0)
+  * tenant: log cleanup and output improvements
+  * mba: moving the boot event log parsing to the MBA subdirectory
+  * Add secure mount sanity test to packit testing
+  * templates: Set empty string as default value for tpm_ownerpassword
+  * migrations: use sa.text for raw SQL
+  * ima: only log the accept list on validation failure
+  * ima: remove code used for reading the IMA log from disk
+  * tpm: Move functions from tpm_astract.py to tpm_util.py
+  * tpm: Move splitting of quote string into reusable function
+  * tpm: Change default value of Hash parameter to Hash.SHA256 from None
+  * [tests] Enable basic allowlist/excludelist test
+  * installer.sh: update TPM2TOOLS_VER to 5.5 and cherry-pick patches to fix 
the bug of parsing for most newer logs with the tpm2_eventlog command.
+  * web_util: Remove check for code being 'None' since it is always an int
+  * verifier: Remove possibility for agent to be None and remove error case
+  * verifier: Remove conversion of agent to dict
+  * verifier: Remove possibility for agent to be None and remove error case
+  * verifier: Remove check for agent is None since it cannot be None
+
+---
+Tue Jun  6 14:51:55 UTC 2023 - Alberto Planas Dominguez 
+
+- Add migrations_use_sa_text_for_raw_SQL.patch to fix migrations in
+  new SQLAlchemy versions
+
+---

Old:

  keylime-v7.2.5.tar.xz

New:

  keylime-v7.3.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.dY5afd/_old  2023-07-14 15:35:46.029980081 +0200
+++ /var/tmp/diff_new_pack.dY5afd/_new  2023-07-14 15:35:46.033980104 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:7.2.5
+Version:7.3.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -50,19 +50,20 @@
 Requires:   libtss2-tcti-device0
 Requires:   libtss2-tcti-tabrmd0
 Requires:   procps
-Requires:   python-M2Crypto
-Requires:   python-PyYAML
-Requires:   python-SQLAlchemy
-Requires:   python-alembic
-Requires:   python-cryptography
-Requires:   python-gpg
-Requires:   python-jsonschema
-Requires:   python-lark
-Requires:   python-psutil
-Requires:   python-pyzmq
-Requires:   python-requests
-Requires:   python-tornado
-Requires:   python-typing_extensions
+Requires:   python3-M2Crypto
+Requires:   python3-PyYAML
+Requires:   python3-SQLAlchemy
+Requires:   python3-alembic
+Requires:   python3-cryptography
+Requires:   python3-gpg
+Requires:   python3-jsonschema
+Requires:   python3-lark
+Requires:   python3-packaging
+Requires:   python3-psutil
+Requires:   python3-pyzmq
+Requires:   python3-requests
+Requires:   python3-tornado
+Requires:   python3-typing_extensions
 Requires:   tpm2-0-tss
 Requires:   tpm2.0-abrmd
 Requires:   tpm2.0-tools
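Review bot: `Requires:   python3-packaging` is a new runtime dependency in this block, and every `python-` prefix becomes `python3-`, but the 7.3.0 changes entry lists only the upstream commits and the dropped patch. Suggest adding a line to keylime.changes for the new dependency and the prefix switch so the packaging change can be traced later.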

++ _service ++
--- /var/tmp/diff_new_pack.dY5afd/_old  2023-07-14 15:35:46.077980360 +0200
+++ /var/tmp/diff_new_pack.dY5afd/_new  2023-07-14 15:35:46.081980384 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v7.2.5
+refs/tags/v7.3.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.dY5afd/_old  2023-07-14 15:35:46.101980500 +0200
+++ /var/tmp/diff_new_pack.dY5afd/_new  2023-07-14 15:35:46.105980523 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  5a759378cfa016e7008d4ec72903a0aeec3979df
+  013040b9a1f69f299bf872bcd60599d6ac3594b1
 (No newline at EOF)
 

++ keylime-v7.2.5.tar.xz -> keylime-v7.3.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v7.2.5.tar.xz 

commit keylime for openSUSE:Factory

2023-06-06 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-06-06 19:55:19

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.15902 (New)


Package is "keylime"

Tue Jun  6 19:55:19 2023 rev:37 rq:1090852 version:7.2.5

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-05-18 
15:18:27.873591145 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.15902/keylime.changes   
2023-06-06 19:56:08.258430002 +0200
@@ -1,0 +2,73 @@
+Mon Jun 05 08:39:23 UTC 2023 - apla...@suse.com
+
+- Update to version v7.2.5:
+  * bump version to 7.2.5
+  * installer.sh: remove unused codes
+  * tpm: Implement BigNum context creation and usage
+  * tpm: Implement int2bn and bn2int in our class
+  * tpm_util: Add EC key support for makecredential in python
+  * tpm: Replace tpm2_makecredential with python implementation
+  * tpm_util: Implement makecredential in python
+  * tpm2_objects: Return parameters when unmarshalling tpm2b_public
+  * The first of several PRs to clean up MBA
+  * verifier: Update agent dict values only after checking each value
+  * verifier: Remove assignment to variable overwritten immediately after
+  * registrar: Reformat initialization of dictionary
+  * registrar: Check for error case aik_enc being None first
+  * tpm_main: Remove unused run() method
+  * tpm_main: Remove unnecessary code for support of tpm2_quote
+  * tpm_main: Get rid of hashdigest() method
+  * tpm_main: Get rid of start_hash and use get_start_hash() of given Hash
+  * algorithms: Make get_START_HASH and get_FF_HASH methods of Hash
+  * Use .hex() to create hex string
+  * Use bytes.fromhex() instead of codecs for parsing of string with hex number
+  * Tpm: Rename START_HASH to start_hash
+  * Tpm: Remove unused parameters of __run method
+  * tpm: Move EXIT_SUCCESS outside class scope
+  * tpm: Rename tpm class to Tpm
+  * tpm: Access agent_id directory from structure
+  * codestyle: Fix issues detected by older pylint 2.13.9
+  * tpm: Get rid of AbstractTPM class
+  * codestyle: Add missing annotations to test_ima_dm.py to pass pyright
+  * pypright: Remove ignored files that do not exist anymore
+  * ima: Replace usage of codec to parse hex string with bytes.fromhex()
+  * ima: Replace usage of codec with hex() method on bytes
+  * ima: Validate proper JSON before trying to convert from string to JSON
+  * tenant: fixes a (timing) issue whenever an agent is removed and re-added
+  * verifier: Simplify initialization of agent_data dict
+  * verifier: Use kwargs to pass ssl_context if it exists
+  * verifier: Return an Empty Dict rather than None in case of error
+  * verifier: Use get() on dict rather than catching an Exception
+  * cloud_verifier: AgentsHandler: Consolidate checking of input parameters
+  * registrar: Consolidate __validate_input() in BaseHandler
+  * registrar: ProtectedHandler: Refactor __validate_input
+  * registrar: UnprotectedHandler: Consolidate checking of input parameters
+  * registrar: ProtectedHandler: Consolidate checking of input parameters
+  * docs: remove Vagrant setup
+  * registrar: Move getting network parameters into own function
+  * [tests] Update test coverage task name regexp
+  * tenant: report when the keystore fails
+  * ca_util: fix captured exception
+  * [tests] Simply coverage file URL parsing
+  * tpm+ima: Convert tables to hold instances of hashers
+  * docs/rest_apis.rst: remove the comma at the end of the JSON string
+  * tpm: Activate tpm2_checkquote replacement code
+  * tests: Add test case for checkquote and parsing of tpms_attest
+  * tpm: Implement tpm2_checkquote in python
+  * README.md: fix the invalid URL about IMA stub service.
+  * README.md: fix the script name(./services/installer.sh) error
+  * installer.sh: support Alibaba Cloud Linux OS whose ID is alinux
+  * web_util: handle tls_dir default with cacerts correctly
+  * codestyle: Add pyright ignore annoatations due to pyright 1.1.306
+  * codestyle: Ignore import of NoResultFound from sqlalchemy 1.3 file
+  * CI/CD: Run pyright as part of tox
+  * agentstates: Reformat construction of returned dictionary
+  * docker: fix tpm2-tools build
+  * docker: upate to newer tpm2-tools version
+  * docs/installation.rst: add the missing popd command in the manual 
deployment.
+  * tpm: Implement function to extract clock info from TPMS_ATTEST
+  * [tests] Reduce duplication in packit-ci test plan
+  * Enable Packit CI again on all Fedora releases
+  * Redefine the list of maintainers taking into account activity on the last 
12 months, proposing a few new names to be added (please feel free to decline)
+
+---

Old:

  keylime-v7.0.0.tar.xz

New:

commit keylime for openSUSE:Factory

2023-05-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-05-18 15:18:21

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1533 (New)


Package is "keylime"

Thu May 18 15:18:21 2023 rev:36 rq:1087552 version:7.0.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-04-27 
19:59:05.921278007 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1533/keylime.changes
2023-05-18 15:18:27.873591145 +0200
@@ -1,0 +2,5 @@
+Wed May 17 11:34:35 UTC 2023 - Alberto Planas Dominguez 
+
+- Add missing jsonschema dependecy
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.HEH7kd/_old  2023-05-18 15:18:28.989596821 +0200
+++ /var/tmp/diff_new_pack.HEH7kd/_new  2023-05-18 15:18:29.025597003 +0200
@@ -56,6 +56,7 @@
 Requires:   python-alembic
 Requires:   python-cryptography
 Requires:   python-gpg
+Requires:   python-jsonschema
 Requires:   python-lark
 Requires:   python-psutil
 Requires:   python-pyzmq


commit keylime for openSUSE:Factory

2023-04-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-04-27 19:59:05

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1533 (New)


Package is "keylime"

Thu Apr 27 19:59:05 2023 rev:35 rq:1082914 version:7.0.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-03-15 
18:53:18.596001125 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1533/keylime.changes
2023-04-27 19:59:05.921278007 +0200
@@ -1,0 +2,64 @@
+Wed Apr 26 08:08:04 UTC 2023 - apla...@suse.com
+
+- Remove the agent subpackage
+- Remove keylime_ima_emulator binary
+- Add keylime_create_policy and keylime_sign_runtime_policy
+- Update to version v7.0.0:
+  * bump version to 7.0.0
+  * bump to version 6.8.0
+  * build-sys: Use comma-separated list for running multiple linters
+  * tenant: Add brackets to ipv6 addresses when used in URL
+  * registrar: Detect IPv6 addresses to bind to and set address_family
+  * setup.cfg: use license_files instead of license_file
+  * Do not run Packit tests on F38
+  * tests: Use Rust agent from COPR for e2e tests
+  * tenant: Raise a UserError on status_code != 200 returned from server
+  * Add missing test from keylime testsuite to e2e plan
+  * tests: remove tpm2-tss downgrade as Fedora bug got fixed
+  * da: non-zero exit code for attestation replay failures.
+  * ca:CLI utilities (keylime_ca,keylime_tenant) read password from ca.conf
+  * log: add a barebones log config in case configuration files not present
+  * Fix typo
+  * Use subtest in unittest.
+  * create_policy: Strip newline from file path read from measurement list
+  * create_policy: Validate policies against the JSON schema
+  * create_policy: Clarify help text for IMA measurement list
+  * create_policy: Add list of ignored keyrings after processing base policy
+  * create_policy: Add support for adding an IMA exclude list to the policy
+  * create_policy: Avoid duplicate entries in lists
+  * codestyle: Annotate with RuntimePolicyType and adapt code
+  * codestyle: Import urllib to make pyright happy
+  * Introduce PathLike_str for older python versions
+  * codestyle: Annotate create_policy.py and add to mypy
+  * docs: Update docs to reflect renaming of create_policy tool
+  * create_policy: Fix issues related to filelists-ext
+  * Move create_policy to keylime/cmd and install as keylime_create_policy
+  * Implement DSSE signature verification for runtime policies
+  * tenant: Raise UserError on (add/update)runtimepolicy status codes 401
+  * tests: Split unittests into two runs to avoid issue
+  * ima: Add a JSON schema for the runtime policy and use it on given policies
+  * Implement DSSE policy signing tool
+  * ima: Derive RUNTIME_POLICY_GENERATOR from enum.IntEnum
+  * packit: use rust agent for e2e tests
+  * services: remove agent systemd services
+  * tests: remove unused code
+  * tests: remove agent from config test
+  * tpm_ek_ca: remove check_tpm_cert_store(..) function
+  * tpm, measured boot: remove refrences to virtual TPMs
+  * tpm: remove unsed variables and some refactoring
+  * algorithms: remove unused from_algorithm method
+  * mpypy, pyright: remove refrences to agent in ignores
+  * config: remove refrences to agent
+  * crypto: remove unused functions
+  * secure_mount: removal
+  * tpm: remove unsed functions
+  * registar_client: remove functions only used by the agent
+  * user_utils: removal
+  * revocation notifier: remove zeroMQ client code
+  * ca_util: remove listen command and related functions
+  * revocation actions: remove all
+  * ima emulator: full removal
+  * agent: remove agent code
+  * agentstates: rename tpm_clocking to tpm_clockinfo
+
+---

Old:

  agent.conf.diff
  keylime-v6.7.0.tar.xz

New:

  keylime-v7.0.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.xXAOSX/_old  2023-04-27 19:59:06.677282450 +0200
+++ /var/tmp/diff_new_pack.xXAOSX/_new  2023-04-27 19:59:06.677282450 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.7.0
+Version:7.0.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -38,10 +38,9 @@
 Source3:logrotate.%{name}
 Source4:tmpfiles.%{name}
 # openSUSE adjustments for generated configuration files
-Source10:   agent.conf.diff
-Source11:   registrar.conf.diff
-Source12:   verifier.conf.diff
-Source13:   tenant.conf.diff
+Source10:   registrar.conf.diff
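Review bot: renumbering the remaining sources (registrar.conf.diff moves from Source11 to Source10) changes what `%{SOURCE10}` and the following macros refer to, and the hunk is cut off here, so the matching `%prep` changes are not visible. The rev:33 spec applied these files with `patch -s --fuzz=0 config/agent.conf < %{SOURCE10}` and three further lines up to `%{SOURCE13}`. Please confirm that the agent.conf patch line is removed and that every remaining `patch` line points at its renumbered source.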

commit keylime for openSUSE:Factory

2023-03-15 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-03-15 18:53:12

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.31432 (New)


Package is "keylime"

Wed Mar 15 18:53:12 2023 rev:34 rq:1071407 version:6.7.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-03-09 
17:45:16.646760189 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.31432/keylime.changes   
2023-03-15 18:53:18.596001125 +0100
@@ -1,0 +2,46 @@
+Tue Mar 14 08:09:07 UTC 2023 - apla...@suse.com
+
+- Update to version v6.7.0:
+  * codestyle: Define RuntimePolicyType and use it
+  * ima: Move type defitions from ima_dm.py to types.py
+  * docs: fix docs
+  * End of term for @mpeters + propose @maugustosilva
+  * verifier: Activate every m-th agent starting at the n-th agent on a worker
+  * verifier: Read list of agents early on
+  * create_policy: read the hashes from filelists-ext
+  * tests: remove restful test and simplify test scripts
+  * tests: config move agent config example to verifier
+  * Update source code mapping in codecov.yml
+  * ima: do not validate against the allowlist if signature was already 
validated
+  * Disable e2e on Rawhide due to RHBZ#2171376
+  * roadmap: update for 2023
+  * readme: remove installation instructions, update outdated information
+  * db: switch to pessimistic disconnect handling
+  * Add timestamp of last successful attestation to verifier API
+  * tpm: improve logging for tpm and measured boot policy
+  * da: fixes for breakages on durable Attestation
+  * codestyle: Fully annotate cloud_verifier_tornado and add to mypy
+  * create_policy: clarify IMA on links
+  * create_policy: be explicit on opening binary files
+  * create_policy: use public variants for RPM flags
+  * create_policy: remote repository IMA extraction
+  * create_policy: local RPM repository IMA extraction
+  * create_policy: remove the experimental status
+  * create_policy: print into stderr
+  * signing: small refactor on the code
+  * Add missing e2e tests and reordering tests based on alphabetical order
+  * verifier,tenant : fix IMA runtime policy bug (issue #1306)
+  * e2e tests: Fix test name (#1307)
+  * verifier: fixing type issues (#1272)
+  * config: improve support for (log-based) debugging
+  * Fix stray references to "IMA policies" in conversion script
+  * tests: only keep test specific packages in test-requirements.txt
+  * codestyle: Have pyright ignore assignments of values to DB columns
+  * codestyle: Call type conversion functions on agent's DB columns
+  * codestyle: Fully annotate cloud_verifier_common.py and add to mypy
+  * codestyle: Have pyright ignore the parameter passed to the update() 
function
+  * codestyle: Have pyright ignore fields used to select columns to load
+  * codestyle: Add an assert to the returned update_agent to avoid pyright 
errors
+  * codesyle: Fix annotations of notify functions in revocation_notifier.py
+
+---

Old:

  keylime-v6.6.0.tar.xz

New:

  keylime-v6.7.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.J3SojP/_old  2023-03-15 18:53:19.480005827 +0100
+++ /var/tmp/diff_new_pack.J3SojP/_new  2023-03-15 18:53:19.484005849 +0100
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.6.0
+Version:6.7.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT

++ _service ++
--- /var/tmp/diff_new_pack.J3SojP/_old  2023-03-15 18:53:19.524006061 +0100
+++ /var/tmp/diff_new_pack.J3SojP/_new  2023-03-15 18:53:19.528006083 +0100
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.6.0
+refs/tags/v6.7.0
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.J3SojP/_old  2023-03-15 18:53:19.552006211 +0100
+++ /var/tmp/diff_new_pack.J3SojP/_new  2023-03-15 18:53:19.552006211 +0100
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  9ae581f0c0bad40a232435e14019c882393be9c6
+  3ed38978fa67c00fd79a2ad02dc788bff50d034f
 (No newline at EOF)
 

++ keylime-v6.6.0.tar.xz -> keylime-v6.7.0.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v6.6.0.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.31432/keylime-v6.7.0.tar.xz differ: 
char 15, line 1


commit keylime for openSUSE:Factory

2023-03-09 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-03-09 17:45:03

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.31432 (New)


Package is "keylime"

Thu Mar  9 17:45:03 2023 rev:33 rq:1069984 version:6.6.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-03-04 
22:42:37.503581753 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.31432/keylime.changes   
2023-03-09 17:45:16.646760189 +0100
@@ -1,0 +2,6 @@
+Tue Mar  7 16:11:03 UTC 2023 - Alberto Planas Dominguez 
+
+- Add tenant.conf.diff path to do not require a valid EK certificate
+  (that is the case in TPM simulator)
+
+---

New:

  tenant.conf.diff



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.Es6lrI/_old  2023-03-09 17:45:17.318763765 +0100
+++ /var/tmp/diff_new_pack.Es6lrI/_new  2023-03-09 17:45:17.322763787 +0100
@@ -41,6 +41,7 @@
 Source10:   agent.conf.diff
 Source11:   registrar.conf.diff
 Source12:   verifier.conf.diff
+Source13:   tenant.conf.diff
 BuildRequires:  %{python_module Jinja2}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
@@ -172,6 +173,7 @@
 patch -s --fuzz=0 config/agent.conf < %{SOURCE10}
 patch -s --fuzz=0 config/registrar.conf < %{SOURCE11}
 patch -s --fuzz=0 config/verifier.conf < %{SOURCE12}
+patch -s --fuzz=0 config/tenant.conf < %{SOURCE13}
 
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_attest

++ tenant.conf.diff ++
--- tenant.conf.ORIG2023-03-07 17:08:27.642929656 +0100
+++ tenant.conf 2023-03-07 17:09:23.018891153 +0100
@@ -106,7 +106,8 @@
 # might provide a signed list of EK public key hashes.  Then you could write
 # an ek_check_script that checks the signature of the allowlist and then
 # compares the hash of the given EK with the allowlist.
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
 
 # Optional script to execute to check the EK and/or EK certificate against a
 # allowlist or any other additional EK processing you want to do. Runs in
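Review bot: the new `require_ek_cert = False` line changes the packaged default for every tenant, while the changelog entry gives the TPM simulator as the only reason. With this default, a tenant talking to a hardware TPM no longer requires a valid EK certificate unless the admin reverts the setting or configures an `ek_check_script`. Suggest keeping `require_ek_cert = True` as the shipped default and documenting the override for simulator setups, or at minimum stating the reason next to the new value instead of leaving only the commented-out old line.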


commit keylime for openSUSE:Factory

2023-03-06 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-03-04 22:42:26

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.31432 (New)


Package is "keylime"

Sat Mar  4 22:42:26 2023 rev:32 rq:1069176 version:6.6.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-02-16 
16:55:26.962602770 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.31432/keylime.changes   
2023-03-04 22:42:37.503581753 +0100
@@ -1,0 +2,5 @@
+Fri Mar  3 13:58:55 UTC 2023 - Alberto Planas Dominguez 
+
+- Add python-typing_extensions requirement
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.TU5hmf/_old  2023-03-04 22:42:39.147589656 +0100
+++ /var/tmp/diff_new_pack.TU5hmf/_new  2023-03-04 22:42:39.151589675 +0100
@@ -61,6 +61,7 @@
 Requires:   python-pyzmq
 Requires:   python-requests
 Requires:   python-tornado
+Requires:   python-typing_extensions
 Requires:   tpm2-0-tss
 Requires:   tpm2.0-abrmd
 Requires:   tpm2.0-tools


commit keylime for openSUSE:Factory

2023-02-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-02-16 16:55:18

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.22824 (New)


Package is "keylime"

Thu Feb 16 16:55:18 2023 rev:31 rq:1065909 version:6.6.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-02-04 
14:18:06.314438537 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.22824/keylime.changes   
2023-02-16 16:55:26.962602770 +0100
@@ -1,0 +2,5 @@
+Sat Feb 11 16:32:52 UTC 2023 - Matej Cepl 
+
+- Remove completely unnecessary dependency on python-simplejson.
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.nWbhsr/_old  2023-02-16 16:55:27.718605825 +0100
+++ /var/tmp/diff_new_pack.nWbhsr/_new  2023-02-16 16:55:27.722605842 +0100
@@ -60,7 +60,6 @@
 Requires:   python-psutil
 Requires:   python-pyzmq
 Requires:   python-requests
-Requires:   python-simplejson
 Requires:   python-tornado
 Requires:   tpm2-0-tss
 Requires:   tpm2.0-abrmd


commit keylime for openSUSE:Factory

2023-02-04 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-02-04 14:11:32

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.4462 (New)


Package is "keylime"

Sat Feb  4 14:11:32 2023 rev:30 rq:1063019 version:6.6.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2023-01-24 
20:23:55.485645494 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.4462/keylime.changes
2023-02-04 14:18:06.314438537 +0100
@@ -1,0 +2,45 @@
+Fri Feb 03 09:21:52 UTC 2023 - apla...@suse.com
+
+- Update to version v6.6.0:
+  * bump version to 6.6.0
+  * codestyle: Annotate registrar_common.py and add to mypy
+  * codestyle: Type-annotate tenant.py
+  * codestyle: Type-annotate registrar_client.py and add to mypy
+  * black: Upgrade to new 23.1.0 and reformat some sources
+  * pylint: Fix an issue related to usage of dict R1735 (use-dict-literal)
+  * pylint: Fix two issues related to C0325 (superfluous-parens)
+  * pylint: Fix an unreachable-code issue
+  * pylintrc: Ignore W0719 (broad-exception-raised)
+  * codestyle: Type-annotate revocation_notifier.py and add to mypy
+  * CI/CD: Use later version of actions for style-checks
+  * pre-commit: Use isort v5.12 and black v22.12
+  * migrations: Move bind parameter from MetaData() to reflect() method
+  * pylint: Ignore newly reported too-many-ancestors issue
+  * docker/ci: Remove image used for TPM 1.2 tests
+  * docker/ci: Update ci image to base on Fedora 37
+  * docs: Update IMA instructions to new runtime policy format
+  * docs: point newcomers to the design document
+  * docs: add basic (m)TLS instructions to the installation guide
+  * docs: update REST APIs TLS documentation to match new default setup
+  * docs: remove old development instructions, move dev conainter section
+  * docs: update theme to min 1.1.0
+  * docs: fix formatting of example IMA-policy
+  * codestyle: Get rid of casts on return value from get_tpm_metadata()
+  * codestyle: Add missing type annotations to tpm_main.py and add to mypy
+  * codestyle: Add missing type annotations to tpm_abstract.py and add to mypy
+  * tenant: Implement updateallowlist command to update an existing allowlist
+  * verifier: Implement PUT method to update named allowlist
+  * verifier: AllowlistHandler: Move getting runtime policy in DB format to 
function
+  * verifier: AllowlistHandler: Deduplicate code validating REST API input
+  * verifier: proper support for listening on 0.0.0.0 (fixes #705)
+  * script: Remove unused argument argv
+  * pylintc: Remove outdated modules from list of ignore modules
+  * Rename keylime_agent_secure.mount to comply policy
+  * scripts: Also copy excluded files and verification keys from base policy
+  * scripts: Improve descriptions in create_policy tool
+  * scripts: Add user-provided keys to the policy
+  * scripts: update create_policy script to latest runtime policy JSON format
+  * Rename "create_allowlist.sh" to "create_runtime_policy.sh"
+  * Implement major Keylime policy overhaul
+
+---

Old:

  keylime-v6.5.3.tar.xz

New:

  keylime-v6.6.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.DNv74p/_old  2023-02-04 14:18:06.698440628 +0100
+++ /var/tmp/diff_new_pack.DNv74p/_new  2023-02-04 14:18:06.706440672 +0100
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.5.3
+Version:6.6.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -176,7 +176,7 @@
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_attest
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca
-%python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_ima_policy
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_runtime_policy
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant
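Review bot: only the `%python_clone` line is renamed to `%{srcname}_convert_runtime_policy` in the hunks shown, but rev:28 also added `%{srcname}_convert_ima_policy` to `%python_install_alternative`, `%python_uninstall_alternative` and the `%python_alternative` entry in `%files`. Unless the part of the diff not shown here covers them, those three entries need the same rename, otherwise the alternatives and the file list refer to a binary that is no longer cloned.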
@@ -191,7 +191,7 @@
 done
 
 install -Dpm 0644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
-install -Dpm 0644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
+install -Dpm 0644 ./services/var-lib-%{srcname}-secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
 install -Dpm 0644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 

commit keylime for openSUSE:Factory

2023-01-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2023-01-24 19:42:07

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.32243 (New)


Package is "keylime"

Tue Jan 24 19:42:07 2023 rev:29 rq:1060358 version:6.5.3

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-11-12 
17:40:37.741975064 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.32243/keylime.changes   
2023-01-24 20:23:55.485645494 +0100
@@ -1,0 +2,191 @@
+Mon Jan 23 08:28:17 UTC 2023 - apla...@suse.com
+
+- Update to version v6.5.3:
+  * Bump version number to 6.5.3
+  * durable attestation: a simple "attestation replay" CLI utility
+  * cmd_exec: Replace cast()s to bytes with asserts isinstance(..., bytes)
+  * codestyle: Add type annotations to db/keylime_db.py and add to mypy
+  * codestyle: Add type annotations to requests_client.py and add to mypy
+  * codestyle: Add type annotations to tornado_requests.py and add to mypy
+  * mypy: Change list of checked files to shorter list of unchecked files
+  * codestyle: Add missing annotations to cmd_exec.py and add to mypy
+  * codestyle: Have all files in ima directory checked by mypy
+  * pylint: ignore zmq Context abstract-class-instantiated warnings
+  * tenant: reliable and consistent add/delete operations (fixes #1158) (#1271)
+  * tenant: fix the exit code for `bulkinfo` operation
+  * config: support override via environment variables
+  * Extend test execution instructions in TESTING.md
+  * packit-ci: Add hotfix for tpm2-tss Fedora BZ#2158598
+  * tenant: Remove code hashing a public key and using hash as UUID
+  * linters: Exclude intentionally invalid python file
+  * config: Check for available config upgrade on startup
+  * Do not install keylime nor configuration files during tests
+  * .ci/test_wrapper: Add test user keylime:tss
+  * config: Support quoted strings for TOML compatibility
+  * gitignore: Do not use 'config' as a match pattern
+  * tests: Add test for convert_config script
+  * convert_config: Set version for each mapping processed
+  * cmd/convert_config: Remove quotes and spaces around version string
+  * convert_config: Set default output path as /etc/keylime for root
+  * convert_config: Do not use keys() to iterate on maps
+  * Install config upgrade script as keylime_upgrade_config
+  * templates: Remove log_destination option
+  * Fix default values in mappings
+  * Correctly strip elements of a list on config v2.0 adjust script
+  * setup: Don't use keylime.conf to generate the split configuration
+  * convert_config: Add --defaults option to use default values
+  * convert_config: Use str_to_version from common module
+  * Add keylime/common/version.py for version manipulation
+  * elchecking: load policy modules explicitly
+  * Revert "tpm_abstract: move import of measured_boot into check_pcrs(..)"
+  * codestyle: Add type-annotations to cli/policies.py and add to mypy
+  * codestyle: Add type-annotations to cli/options.py and add to mypy
+  * Introduce a RetDictType for return type of cmd_exec.run()
+  * requirements, docs: add typing-extensions as a dependency
+  * ima_dm: add type checks and hints
+  * Switch code coverage measurement to Fedora 37
+  * codestyle: Fix annotation of mb_measurement_data
+  * ima: Fix the ima_sign_verification_keys initial datatype
+  * elchecking: add support for MeasuredBoot when SecureBoot is disabled
+  * verifier: a (very simple) cache implementation for IMA policies (solves 
#1167)
+  * codestyle: Add type annotations to cmd/convert_ima_policy.py and add to 
mypy
+  * codestyle: Add type annotations to cmd/ima_emulator_adapter.py and add to 
mypy
+  * codestyle: Add type annotations to cmd/user_data_encrypt.py and add to mypy
+  * codestyle: Add type annotations to cmd/verifier.py and add to mypy
+  * codestyle: Add type annotations to cmd/tenant.py and add to mypy
+  * codestyle: Add type annotations to cmd/registrar.py and add to mypy
+  * codestyle: Add type annotations to cmd/ca.py and add to mypy
+  * codestyle: Add type annotations to cmd/agent.py and add to mypy
+  * CI tests: Do not remove Fedora tag repository
+  * tpm_abstract: move import of measured_boot into check_pcrs(..)
+  * docker: fix and improve build_locally.sh
+  * docker: use version 5.4 of tpm2-tools
+  * docker: update container to Fedora 37
+  * codestyle: Type-annotate files in revocation_actions & add to mypy
+  * Remove redundant parameter from enforce_pcrs()
+  * codestyle: Add missing type annotations to files in common & add to mypy
+  * api_version: Catch InvalidVersion for packaging v22.0
+  * verifier: fix for IMA policy checksum calculation
+  * codestyle: Type-annotate measured_boot.py and add to mypy
+  * codestyle: 

commit keylime for openSUSE:Factory

2022-11-12 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-11-12 17:40:28

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1597 (New)


Package is "keylime"

Sat Nov 12 17:40:28 2022 rev:28 rq:1035197 version:6.5.2

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-11-03 
19:13:46.347862143 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1597/keylime.changes
2022-11-12 17:40:37.741975064 +0100
@@ -2 +2 @@
-Wed Nov 02 15:38:00 UTC 2022 - apla...@suse.com
+Fri Nov 11 09:40:46 UTC 2022 - apla...@suse.com
@@ -4 +4,31 @@
-- Update to version v6.5.3:
+- Update to version v6.5.2:
+  * cloud_verifier: This is the first PR to address the scalability problems 
uncovered in #1167, starting with `agent` status.
+  * Bump version number
+  * Add --retry 5 parameter to curl
+  * create_mb_refstate: Check tpm2-tools version before running
+  * create_mb_refstate: Print error messages
+  * test_tpm: Skip event log parsing test if tpm2-tools is too old
+  * installer: Enable installation on RHEL-9
+  * Move the execution of external EK check script to cert_utils
+  * Move EK cert verification to cert_utils
+  * Make the tpm cert store path configurable
+  * ima-policy-converter: Implement a basic test suite for conversion script
+  * ima-policy-converter: Implement IMA policy conversion script
+  * ima-policy-converter: Add empty reference IMA policy
+  * ima: Accept x509 certificates if no Subject Key Identifier is available
+  * test_tpm: Use doc strings for tests description
+  * Test binary measured boot event log parsing
+  * alpha renaming
+  * shallow type fixes
+  * ima_emulator_adapter: Print readable error if reading a PCR fails
+  * tpm: Check whether hash_alg is in jsonout
+  * Very limited code fixup/cleanup on keylime_tenant CLI
+  * Set permissions of keylime_agent_secure.mount to 664
+  * Disable dnf-makecache.timer to save RAM
+  * tpm_bootlog_enrich: Get DevicePath length from LengthOfDevicePath
+  * Disable dnf-makecache.service to save RAM
+  * Fix for writing the same allow list twice during agent activation (#1150)
+  * Fix improper handling of IMA policy bundle when none is provided
+  * ima: Fix log evaluation on quick-succession execution of scripts
+  * Add new tests to packit CI
+  * Remove semantic-release action to stop erroneous releases
@@ -8,5 +37,0 @@
-

-Wed Oct 26 14:10:21 UTC 2022 - apla...@suse.com
-
-- Update to version v6.5.2:

Old:

  keylime-v6.5.3.tar.xz

New:

  keylime-v6.5.2.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.N1UXkt/_old  2022-11-12 17:40:38.361978755 +0100
+++ /var/tmp/diff_new_pack.N1UXkt/_new  2022-11-12 17:40:38.369978802 +0100
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.5.3
+Version:6.5.2
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
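Review bot: `Version` goes backwards in this hunk, from 6.5.3 to 6.5.2, and the changes file rewrites the existing 6.5.3 entry in place (new date, new version line, the 2022-10-26 entry removed) instead of appending a new entry, with no line explaining the downgrade. Please add a changelog entry that states why the package returns to 6.5.2 and whether the items from the previous 6.5.3 entry, such as "crypto: Provide input as bytes to encrypt", are dropped with it. Systems that already installed 6.5.3 will see a lower version.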
@@ -181,6 +181,7 @@
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_migrations_apply
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_ima_policy
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
@@ -215,6 +216,7 @@
 %python_install_alternative %{srcname}_migrations_apply
 %python_install_alternative %{srcname}_userdata_encrypt
 %python_install_alternative %{srcname}_ima_emulator
+%python_install_alternative %{srcname}_convert_ima_policy
 
 %postun
 %python_uninstall_alternative %{srcname}_verifier
@@ -225,6 +227,7 @@
 %python_uninstall_alternative %{srcname}_migrations_apply
 %python_uninstall_alternative %{srcname}_userdata_encrypt
 %python_uninstall_alternative %{srcname}_ima_emulator
+%python_uninstall_alternative %{srcname}_convert_ima_policy
 
 %post -n %{srcname}-firewalld
 %firewalld_reload
@@ -285,6 +288,7 @@
 %python_alternative %{_bindir}/%{srcname}_migrations_apply
 %python_alternative %{_bindir}/%{srcname}_userdata_encrypt
 %python_alternative %{_bindir}/%{srcname}_ima_emulator
+%python_alternative %{_bindir}/%{srcname}_convert_ima_policy
 %{python_sitelib}/*
 
 %files -n %{srcname}-config

++ _service ++
--- /var/tmp/diff_new_pack.N1UXkt/_old  2022-11-12 17:40:38.409979041 +0100
+++ /var/tmp/diff_new_pack.N1UXkt/_new  2022-11-12 17:40:38.413979065 +0100
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.5.3
+refs/tags/v6.5.2
 

commit keylime for openSUSE:Factory

2022-11-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-11-03 19:13:38

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)


Package is "keylime"

Thu Nov  3 19:13:38 2022 rev:27 rq:1032920 version:6.5.3

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-10-27 
13:53:13.900279606 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes
2022-11-03 19:13:46.347862143 +0100
@@ -1,0 +2,8 @@
+Wed Nov 02 15:38:00 UTC 2022 - apla...@suse.com
+
+- Update to version v6.5.3:
+  * crypto: Provide input as bytes to encrypt
+  * Revert "Revert "Revert "tenant: open file to send utf-8 encoded" (#1136)" 
(#1141)"
+  * Update runtime_ima.rst
+
+---

Old:

  keylime-v6.5.2.tar.xz

New:

  keylime-v6.5.3.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.fLJ7vz/_old  2022-11-03 19:13:47.707870141 +0100
+++ /var/tmp/diff_new_pack.fLJ7vz/_new  2022-11-03 19:13:47.711870164 +0100
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.5.2
+Version:6.5.3
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT

++ _service ++
--- /var/tmp/diff_new_pack.fLJ7vz/_old  2022-11-03 19:13:47.751870399 +0100
+++ /var/tmp/diff_new_pack.fLJ7vz/_new  2022-11-03 19:13:47.755870423 +0100
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.5.2
+refs/tags/v6.5.3
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.fLJ7vz/_old  2022-11-03 19:13:47.775870540 +0100
+++ /var/tmp/diff_new_pack.fLJ7vz/_new  2022-11-03 19:13:47.779870563 +0100
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  a937ac2d6a45bb8ca7f46ec1307fee40ccaabde3
+  7c03d2ada63e21c4c184d7f46d9c2e4602354bef
 (No newline at EOF)
 

++ keylime-v6.5.2.tar.xz -> keylime-v6.5.3.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v6.5.2.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.2275/keylime-v6.5.3.tar.xz differ: char 
15, line 1


commit keylime for openSUSE:Factory

2022-10-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-10-27 13:53:00

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)


Package is "keylime"

Thu Oct 27 13:53:00 2022 rev:26 rq:1031364 version:6.5.2

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-10-22 
14:13:31.928801288 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes
2022-10-27 13:53:13.900279606 +0200
@@ -1,0 +2,12 @@
+Wed Oct 26 14:10:21 UTC 2022 - apla...@suse.com
+
+- Update to version v6.5.2:
+  * Back to 6.5.1
+  * This PR fixes a bug that prevented 6.5.x verifiers from interacting with 
6.2. agents
+  * Revert "Revert "tenant: open file to send utf-8 encoded" (#1136)" (#1141)
+  * Revert "tenant: open file to send utf-8 encoded" (#1136)
+  * ca_util: allow users in the same group to read the created certificates 
and keys (#1138)
+  * Update sample ima-policy to exclude overlayfs
+  * installer: remove tarball option
+
+---

Old:

  keylime-v6.5.1.tar.xz

New:

  keylime-v6.5.2.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.WLlUP6/_old  2022-10-27 13:53:14.624283299 +0200
+++ /var/tmp/diff_new_pack.WLlUP6/_new  2022-10-27 13:53:14.632283341 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.5.1
+Version:6.5.2
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT

++ _service ++
--- /var/tmp/diff_new_pack.WLlUP6/_old  2022-10-27 13:53:14.684283606 +0200
+++ /var/tmp/diff_new_pack.WLlUP6/_new  2022-10-27 13:53:14.688283626 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.5.1
+refs/tags/v6.5.2
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.WLlUP6/_old  2022-10-27 13:53:14.716283769 +0200
+++ /var/tmp/diff_new_pack.WLlUP6/_new  2022-10-27 13:53:14.720283789 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  fe08b5145a595ef562186f4ede4cb3eca3fd7499
+  a937ac2d6a45bb8ca7f46ec1307fee40ccaabde3
 (No newline at EOF)
 

++ keylime-v6.5.1.tar.xz -> keylime-v6.5.2.tar.xz ++
/work/SRC/openSUSE:Factory/keylime/keylime-v6.5.1.tar.xz 
/work/SRC/openSUSE:Factory/.keylime.new.2275/keylime-v6.5.2.tar.xz differ: char 
15, line 1


commit keylime for openSUSE:Factory

2022-10-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-10-22 14:13:00

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)


Package is "keylime"

Sat Oct 22 14:13:00 2022 rev:25 rq:1030126 version:6.5.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-10-12 
18:24:44.641672345 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes
2022-10-22 14:13:31.928801288 +0200
@@ -1,0 +2,5 @@
+Thu Oct 13 09:15:04 UTC 2022 - Alberto Planas Dominguez 
+
+- Update requirement name to python-lark
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.5aEWLQ/_old  2022-10-22 14:13:32.804803364 +0200
+++ /var/tmp/diff_new_pack.5aEWLQ/_new  2022-10-22 14:13:32.808803374 +0200
@@ -56,7 +56,7 @@
 Requires:   python-alembic
 Requires:   python-cryptography
 Requires:   python-gpg
-Requires:   python-lark-parser
+Requires:   python-lark
 Requires:   python-psutil
 Requires:   python-pyzmq
 Requires:   python-requests


commit keylime for openSUSE:Factory

2022-10-12 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-10-12 18:23:40

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)


Package is "keylime"

Wed Oct 12 18:23:40 2022 rev:24 rq:1010122 version:6.5.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-10-01 
17:42:03.985550949 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes
2022-10-12 18:24:44.641672345 +0200
@@ -1,0 +2,29 @@
+Wed Oct 12 06:50:54 UTC 2022 - apla...@suse.com
+
+- Drop replace-use-of-cryptography.utils.register_interface.patch,
+  already upstream
+- Update to version v6.5.1:
+  * Bump version to 6.5.1
+  * Fix proper exception handling and impedance match in `tornado_requests` 
(#1128)
+  * elchecking/tests: fix type hints for Dispatcher
+  * tpm_main: unescape UEFI eventlog strings
+  * elchecking: fix standalone program
+  * elchecking/example: add support for MokListTrusted variable
+  * README, docs: remove reference to ipsec demo
+  * docs: fix typo and note box rendering
+  * docs: update installation instructions
+  * make Rust agent official, add depreacation warnings to Python agent
+  * GH first-interaction action is busted, workaround
+  * Replace use of cryptography.utils.register_interface
+  * Remove unnecessary config symbolic link
+  * Small changes required by enhancement #73 "Durable (Offline) Attestion"
+  * docs, README: add reference to official Docker containers
+  * Fix typo in ISSUE_TEMPLATE.md
+
+---
+Mon Oct 10 13:55:15 UTC 2022 - Alberto Planas Dominguez 
+
+- Add replace-use-of-cryptography.utils.register_interface.patch to
+  support new cryptography 38.0
+
+---

Old:

  keylime-v6.5.0.tar.xz

New:

  keylime-v6.5.1.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.emMzXk/_old  2022-10-12 18:24:45.313674024 +0200
+++ /var/tmp/diff_new_pack.emMzXk/_new  2022-10-12 18:24:45.317674034 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.5.0
+Version:6.5.1
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -169,11 +169,9 @@
 export VERSION=%{version}
 %python_install
 
-%{python_expand # Patch the generated configuration files
-patch -s --fuzz=0 %{buildroot}%{$python_sitelib}/%{srcname}/config/agent.conf 
< %{SOURCE10}
-patch -s --fuzz=0 
%{buildroot}%{$python_sitelib}/%{srcname}/config/registrar.conf < %{SOURCE11}
-patch -s --fuzz=0 
%{buildroot}%{$python_sitelib}/%{srcname}/config/verifier.conf < %{SOURCE12}
-}
+patch -s --fuzz=0 config/agent.conf < %{SOURCE10}
+patch -s --fuzz=0 config/registrar.conf < %{SOURCE11}
+patch -s --fuzz=0 config/verifier.conf < %{SOURCE12}
 
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
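Review bot: the three new `patch -s --fuzz=0 config/...conf` calls now modify the unpacked source tree but still run after %python_install, so any second pass through this section on the same tree meets patches that are already applied. Moving them to %prep, or listing them as regular Patch entries, would leave the install step with only file copies and make the patched state visible before the build.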
@@ -186,11 +184,9 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
-%{python_expand # Install configuration files
-for cfg in %{buildroot}%{$python_sitelib}/%{srcname}/config/*.conf; do
+for cfg in config/*.conf; do
   install -Dpm 0600 "$cfg" %{buildroot}%{_distconfdir}/%{srcname}/$(basename 
"$cfg")
 done
-}
 
 install -Dpm 0644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
 install -Dpm 0644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount

++ _service ++
--- /var/tmp/diff_new_pack.emMzXk/_old  2022-10-12 18:24:45.369674164 +0200
+++ /var/tmp/diff_new_pack.emMzXk/_new  2022-10-12 18:24:45.373674174 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.5.0
+refs/tags/v6.5.1
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.emMzXk/_old  2022-10-12 18:24:45.393674224 +0200
+++ /var/tmp/diff_new_pack.emMzXk/_new  2022-10-12 18:24:45.397674234 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  d2ddf4e0ce2cc8e1224f874090f9efab8a02b63b
+  fe08b5145a595ef562186f4ede4cb3eca3fd7499
 (No newline at EOF)
 

++ agent.conf.diff ++
--- /var/tmp/diff_new_pack.emMzXk/_old  2022-10-12 18:24:45.409674264 +0200
+++ /var/tmp/diff_new_pack.emMzXk/_new  2022-10-12 18:24:45.413674273 +0200
@@ -1,6 +1,6 @@
 agent.conf.ORIG2022-09-26 10:45:14.032956447 +0200
-+++ agent.conf 2022-09-26 10:56:45.789550501 +0200
-@@ 

commit keylime for openSUSE:Factory

2022-10-01 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-10-01 17:41:57

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2275 (New)


Package is "keylime"

Sat Oct  1 17:41:57 2022 rev:23 rq:1006460 version:6.5.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-07-18 
18:33:11.689694116 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2275/keylime.changes
2022-10-01 17:42:03.985550949 +0200
@@ -1,0 +2,104 @@
+Mon Sep 26 07:15:17 UTC 2022 - apla...@suse.com
+
+- Remove keylime.conf.diff patch.  Now the configuration file is
+  generated during build time
+- The "config" subpackage shared only the logger configuration file
+- New "tenant" subpackage for the Tenant command line tool
+- Drop webapp service port in firewall XML service file
+- Update to version v6.5.0:
+  * Bump up versions to 6.5.0
+  * Enable testing of Rust agent as well as Python by default
+  * New readthedocs location for keylime
+  * test_restful: Add test for /keys/verify endpoint to rust tests
+  * test_restful: Fix testing with rust agent
+  * run_tests: Install rust agent when RUST_TEST is defined
+  * A fix for "per-agent verifier-issued epoch timestamp"
+  * Move SQLite ref integrity pragma to keylime_db
+  * Separate CA key store password from server key password
+  * Generate missing key and certificates
+  * verifier: Add a configuration option to set timeouts
+  * config: Change default value for getfloat() to -1.0
+  * tenant: Add request_timeout configuration option
+  * tpm_main: Move agent specific initialization to tpm_init()
+  * failure: Do not read the verifier config on load
+  * logging, verifier: Read configuration only when needed
+  * tpm_ek_ca: Access tenant config file when needed
+  * tpm_main: Only access agent configuration if needed
+  * keylime_agent: Use a single tpm instance
+  * config: Evaluate snippets in /usr/etc/keylime before /etc/keylime
+  * Remove ignore_hostname argument from RequestsClient() calls
+  * requests_client: Ignore hostname verification by default
+  * web_util: Remove unneeded checks for absolute paths before joining
+  * requests_client: remove RequestClient class variables
+  * elchecking/policies: Use config.getlist() for measured_boot_imports
+  * mappings: Add back missing option measured_boot_imports to verifier config
+  * verifier: Fail earlier if mTLS cert is missing when required
+  * crypto: Replace if block with conditional argument passing
+  * config: Drop unused getdict()
+  * config: Use python generator to strip strings in the list
+  * verifier: Drop 'cloud' from 'cloudverifier_' variables
+  * verifier: Always generate TLS context to contact the agent
+  * ca_util: Replace if block with conditional argument
+  * Drop broken auto-ipsec demos
+  * tenant: Do not disable TLS when enable_agent_mtls = False
+  * test_config: Reload configuration on tearDown
+  * Change the meaning of trusted_client_ca=default for the agent
+  * Install configuration files in test scripts
+  * Add jinja2 as requirement for building and testing
+  * tenant: Fix mention to old configuration section
+  * tenant, verifier: Fix mTLS disablement
+  * tenant: Do not try to verify EK cert when not required
+  * Adjust test_restful to use the new configuration file
+  * ima: Do not try to read excludelist if it is None
+  * tenant: Use empty tpm_policy by default
+  * Read measured boot configuration when needed
+  * Add support for password encrypted keys
+  * Change owner of config files and fix sed command in services installer
+  * installer: Build and install split configuration files
+  * Fix configuration unit tests
+  * Remove trailing and leading white spaces in config.get_list()
+  * Make changes to use the new configuration files
+  * Add script to convert old config to new config
+  * Ignore false positive for lints
+  * Implement additional test to cover in-use deletion case
+  * Enable referential integrity for foreign keys in Keylime DB
+  * Prevent deletion of in-use allowlists via tenant + better error handling
+  * Fixes #1046 by explicitly and carefully dealing with a corner case.
+  * Fixes #1072 by explicitly and carefully dealing with yet another corner 
case.
+  * Define context agent due to keylime-tests PR#193
+  * Adds two small utilities which are used by "Offline Attestation" 
(enhancement #73)
+  * This commit solves #1091 by adding a per-agent verifier-issued epoch 
timestamp
+  * Remove keylime-bot
+  * Verifier log message improvements for large-scale testing.
+  * Bump version to 6.4.3
+  * KEYLIME_DIR should not be clobbered in TEST_MODE
+  * registrar: parse EK cert with pyasn1
+  * Reject invalid hash algorithms passed as arguments
+  * 
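Review bot: "requests_client: Ignore hostname verification by default" changes how TLS peers are checked, but it sits unmarked in the middle of a list of about a hundred upstream titles, next to "tenant: Do not disable TLS when enable_agent_mtls = False" and "tenant, verifier: Fix mTLS disablement". Call these out among the packaging bullets at the top of the entry, and say whether the configuration files generated at build time depend on the new defaults, so an admin reading the changelog sees the change.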

commit keylime for openSUSE:Factory

2022-07-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-07-18 18:33:05

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1523 (New)


Package is "keylime"

Mon Jul 18 18:33:05 2022 rev:22 rq:989361 version:6.4.2

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-06-30 
13:18:10.637525058 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1523/keylime.changes
2022-07-18 18:33:11.689694116 +0200
@@ -1,0 +2,40 @@
+Fri Jul 15 08:31:50 UTC 2022 - Alberto Planas Dominguez 
+
+- Replace python-gpg requirement
+- Fix consolidation for _distconfdir and _sysconfdir macro
+
+---
+Wed Jul 13 13:43:12 UTC 2022 - apla...@suse.com
+
+- Update to version v6.4.2:
+  * Bump version # to 6.4.2
+  * Use python3-gpg instead of python3-gnupg
+  * Update Packit CI tests to test both agent and zeromq revocation notifiers
+  * ima_ast: Make entry parsing stricter
+  * ima_ast: Calculate length of "n" and "n-ng" in bytes
+  * Fix broken URLs in README (Additional Reading)
+  * Remove CFSSL leftovers
+  * signing: move exception handing to verify_signature()
+  * Set revocation_notifiers = agent as default in keylime.conf
+  * cloud_verifier: Support /notifications/revocation REST API
+  * keylime_agent: Support /notifications/revocation REST method
+  * revocation_notifier: Factor out revocation message processing
+  * keylime: initialize supplementary groups when dropping privileges
+  * Refactor allowlist processing to enable verifier-side signature checks
+  * Full removal of the tenant WebApp
+  * update roadmap for 2022 and 2023
+  * docs: make Python requirements less strict
+  * docs: update API documentation for 2.1, add missing fields for agent quote
+  * Add python3-alembic to distros
+  * Update fmf plans to run test with IMA policy
+  * Drop SPDX-License-Identifier header
+  * Adjust CI test name according to keylime-tests PR#125
+  * ci: Run lint with Python 3.6 as well
+  * [trivial]: fix style of recently added docs files
+  * Improve error handling when doing signature verification
+  * Fix coverage file paths in submit-HEAD-coverage workflow
+  * Adding files from keylime-docs into main repo
+- Fix keylime service home directory
+- Adjust the directory for the TPM certificates
+
+---

Old:

  keylime-v6.4.1.tar.xz

New:

  keylime-v6.4.2.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.9nS5e1/_old  2022-07-18 18:33:12.361695071 +0200
+++ /var/tmp/diff_new_pack.9nS5e1/_new  2022-07-18 18:33:12.365695077 +0200
@@ -27,7 +27,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:   keylime
-Version:6.4.1
+Version:6.4.2
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -52,9 +52,9 @@
 Requires:   python-SQLAlchemy
 Requires:   python-alembic
 Requires:   python-cryptography
+Requires:   python-gpg
 Requires:   python-lark-parser
 Requires:   python-psutil
-Requires:   python-python-gnupg
 Requires:   python-pyzmq
 Requires:   python-requests
 Requires:   python-simplejson
@@ -153,8 +153,6 @@
 export VERSION=%{version}
 %python_install
 
-cp -r %{srcname}/static %{buildroot}%{python_sitelib}/%{srcname}
-
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent
@@ -163,7 +161,6 @@
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_migrations_apply
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator
-%python_clone -a %{buildroot}%{_bindir}/%{srcname}_webapp
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
@@ -179,9 +176,9 @@
 install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
 install -d %{buildroot}%{_localstatedir}/log/%{name}
 
-mkdir -p %{buildroot}/%{_localstatedir}/%{srcname}
-cp -r ./tpm_cert_store %{buildroot}%{_localstatedir}/%{srcname}/
-%fdupes %{buildroot}%{_localstatedir}/%{srcname}/
+mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
+cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
+%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/
 
 # %%check
 # %%pyunittest -v
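Review bot: the tpm_cert_store lines switch from %{_localstatedir}/%{srcname} to %{_sharedstatedir}/%{srcname}, but nothing visible here carries over certificates an admin added under the old location; the changelog line "Adjust the directory for the TPM certificates" should say whether locally added TPM CA certificates have to be copied by hand. Minor: the mkdir line writes %{buildroot}/%{_sharedstatedir} with an extra slash while the cp and %fdupes lines do not.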
@@ -195,7 +192,6 @@
 %python_install_alternative %{srcname}_migrations_apply
 %python_install_alternative %{srcname}_userdata_encrypt
 %python_install_alternative 

commit keylime for openSUSE:Factory

2022-06-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-06-30 13:18:07

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1548 (New)


Package is "keylime"

Thu Jun 30 13:18:07 2022 rev:21 rq:985769 version:6.4.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-06-24 
08:45:34.883157380 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1548/keylime.changes
2022-06-30 13:18:10.637525058 +0200
@@ -1,0 +2,5 @@
+Wed Jun 29 11:05:08 UTC 2022 - Alberto Planas Dominguez 
+
+- Conflict also rust-keylime for all the subpackages
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.k2u7k4/_old  2022-06-30 13:18:11.185525469 +0200
+++ /var/tmp/diff_new_pack.k2u7k4/_new  2022-06-30 13:18:11.189525472 +0200
@@ -16,17 +16,16 @@
 #
 
 
+%global srcname keylime
+%{?!python_module:%define python_module() python-%{**} python3-%{**}}
+%define skip_python2 1
 # Consolidate _distconfdir and _sysconfdir
 %if 0%{?_distconfdir:1}
-  %define _config_norepl %nil
+  %define _config_norepl %{nil}
 %else
   %define _distconfdir   %{_sysconfdir}
   %define _config_norepl %config(noreplace)
 %endif
-
-%global srcname keylime
-%{?!python_module:%define python_module() python-%{**} python3-%{**}}
-%define skip_python2 1
 Name:   keylime
 Version:6.4.1
 Release:0
@@ -76,6 +75,7 @@
 %package -n %{name}-config
 Summary:Configuration file for keylime
 Requires:   python3-%{name} = %{version}
+Conflicts:  rust-keylime
 
 %description -n %{name}-config
 Subpackage of %{name} for the shared configuration file of the agent
@@ -84,6 +84,7 @@
 %package -n %{name}-firewalld
 Summary:Firewalld service file for keylime
 Requires:   python3-%{name} = %{version}
+Conflicts:  rust-keylime
 
 %description -n %{name}-firewalld
 Subpackage of %{name} for the firewalld XML service file.
@@ -91,6 +92,7 @@
 %package -n %{name}-tpm_cert_store
 Summary:Certify store for the TPM
 Requires:   python3-%{name} = %{version}
+Conflicts:  rust-keylime
 
 %description -n %{name}-tpm_cert_store
 Subpackage of %{name} for storing the TPM certificates.
@@ -103,6 +105,7 @@
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
 Recommends: dmidecode
+Conflicts:  rust-keylime
 
 %description -n %{name}-agent
 Subpackage of %{name} for agent service.
@@ -114,6 +117,7 @@
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
+Conflicts:  rust-keylime
 
 %description -n %{name}-registrar
 Subpackage of %{name} for registrar service.
@@ -125,6 +129,7 @@
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
+Conflicts:  rust-keylime
 
 %description -n %{name}-verifier
 Subpackage of %{name} for verifier service.
@@ -132,6 +137,7 @@
 %package -n %{name}-logrotate
 Summary:Logrotate for Keylime servies
 Requires:   logrotate
+Conflicts:  rust-keylime
 
 %description -n %{name}-logrotate
 Subpacakge of %{name} for logrotate for Keylime services
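Review bot: the logrotate stanza touched by this hunk still reads "Logrotate for Keylime servies" in its Summary and "Subpacakge of %{name}" in its description; since the stanza is being edited anyway, fix both spellings and end the description with a period like the other subpackage descriptions.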


commit keylime for openSUSE:Factory

2022-06-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-06-24 08:45:19

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1548 (New)


Package is "keylime"

Fri Jun 24 08:45:19 2022 rev:20 rq:984735 version:6.4.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-06-17 
21:22:53.870785896 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1548/keylime.changes
2022-06-24 08:45:34.883157380 +0200
@@ -1,0 +2,13 @@
+Thu Jun 23 14:50:05 UTC 2022 - Alberto Planas Dominguez 
+
+- Remove user downgrade mechanism from the package (CVE-2022-31250, 
bsc#1200885)
+
+---
+Thu Jun 23 08:49:30 UTC 2022 - Alberto Planas Dominguez 
+
+- Add logrotate configuration for the services
+- Create run directory as non-root user
+- Conflict with rust-keylime
+- Consolidate in _distconfdir when possible
+
+---
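Review bot: the CVE-2022-31250 entry says only "Remove user downgrade mechanism from the package" and does not name the scriptlet or file that was removed, so the fix cannot be matched to a spec change from the changelog alone. Name the removed section in the entry (for example which %pre or %post block went away) so that downstream auditors can confirm the fix is present in their build.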

New:

  logrotate.keylime
  tmpfiles.keylime



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.iDSLe4/_old  2022-06-24 08:45:35.403157963 +0200
+++ /var/tmp/diff_new_pack.iDSLe4/_new  2022-06-24 08:45:35.407157967 +0200
@@ -16,6 +16,14 @@
 #
 
 
+# Consolidate _distconfdir and _sysconfdir
+%if 0%{?_distconfdir:1}
+  %define _config_norepl %nil
+%else
+  %define _distconfdir   %{_sysconfdir}
+  %define _config_norepl %config(noreplace)
+%endif
+
 %global srcname keylime
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
@@ -28,6 +36,8 @@
 Source0:%{name}-v%{version}.tar.xz
 Source1:keylime.xml
 Source2:%{name}-user.conf
+Source3:logrotate.%{name}
+Source4:tmpfiles.%{name}
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1: keylime.conf.diff
 BuildRequires:  %{python_module setuptools}
@@ -55,6 +65,7 @@
 Requires:   tpm2.0-tools
 Requires(post): update-alternatives
 Requires(postun):update-alternatives
+Conflicts:  rust-keylime
 BuildArch:  noarch
 %python_subpackages
 
@@ -87,6 +98,7 @@
 %package -n %{name}-agent
 Summary:Keylime agent service
 Requires:   %{name}-config = %{version}
+Requires:   %{name}-logrotate = %{version}
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
@@ -98,6 +110,7 @@
 %package -n %{name}-registrar
 Summary:Keylime registrar service
 Requires:   %{name}-config = %{version}
+Requires:   %{name}-logrotate = %{version}
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
@@ -108,6 +121,7 @@
 %package -n %{name}-verifier
 Summary:Keylime verifier service
 Requires:   %{name}-config = %{version}
+Requires:   %{name}-logrotate = %{version}
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
@@ -115,6 +129,13 @@
 %description -n %{name}-verifier
 Subpackage of %{name} for verifier service.
 
+%package -n %{name}-logrotate
+Summary:Logrotate for Keylime servies
+Requires:   logrotate
+
+%description -n %{name}-logrotate
+Subpacakge of %{name} for logrotate for Keylime services
+
 %prep
 %autosetup -p1 -n %{name}-v%{version}
 
@@ -140,24 +161,21 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
-%if 0%{?suse_version} >= 1550
-install -Dpm 600 %{srcname}.conf 
%{buildroot}%{_prefix}%{_sysconfdir}/%{srcname}.conf
-%else
-install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
-%endif
-install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
-install -Dpm 644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
-install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
-install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
-
-install -D -m 644 %{SOURCE1} 
%{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml
-
-mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
-cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
-%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/
-
-mkdir -p %{buildroot}%{_sysusersdir}
-install -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/
+install -Dpm 0600 %{srcname}.conf %{buildroot}%{_distconfdir}/%{srcname}.conf
+install -Dpm 0644 

commit keylime for openSUSE:Factory

2022-06-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-06-17 21:20:27

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1548 (New)


Package is "keylime"

Fri Jun 17 21:20:27 2022 rev:19 rq:982482 version:6.4.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-05-25 
20:34:12.896198565 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1548/keylime.changes
2022-06-17 21:22:53.870785896 +0200
@@ -1,0 +2,37 @@
+Mon Jun 13 14:15:49 UTC 2022 - apla...@suse.com
+
+- Update to version v6.4.1:
+  * Bump version for pypi
+  * verifier: ensure that execptions caused by the agent result in a failure
+  * tpm_main: add failure tagging to measured boot parsing
+  * tpm_main: fix temp file handling in parse_binary_bootlog(..)
+  * pylint: fix bad-option-value and implicit-str-concat warnings
+  * ca: drop support for using CFSSL as a backend
+  * ca_openssl_impl: add basic support for generating a CRL
+  * config: change libefivar.so to libefivar.so.1
+  * elchecking: add workaround for wrong GUID parsing
+  * Add test /functional/measured-boot-swtpm-sanity to Packit CI plan
+  * Fix order of parameters in an error message
+  * pylint: remove usage of distutils because it is deprecated
+  * ca_util: do not use deprecated setDeamon() call
+  * elchecking: error if policy name is invalid, change default to reject-all
+  * Simplify GitHub Actions used for code coverage processing
+  * ima_dm: enable support for dm_target_update events
+  * benchmark: remove benchmark code
+  * ima: remove read_unpack(..) function
+  * Fixes #996, by properly catching exceptions resulting from network 
problems on the verifier.
+  * List tests in Packit-CI plan explicitly
+  * contributing: add section about code style
+  * fix git blame ignore entry for code style changes
+  * Enable test /functional/basic-attestation-without-mtls
+  * Defer loading PyZMQ to avoid optional dependency
+  * Unify log messages about deleting agent from CV
+  * Ignore reformat commit for git blame
+  * Reformat Keylime with isort and black to new code style
+  * Introducing pre-commit hook to enforce code style with isort and black
+- Drop already merged patches:
+  * config-libefivars.diff
+- Drop cfssl dependency, as uses openssl only
+- Drop cfssl firewalld rule
+
+---

Old:

  config-libefivars.diff
  keylime-v6.4.0.tar.xz

New:

  keylime-v6.4.1.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.cdE073/_old  2022-06-17 21:22:54.314786137 +0200
+++ /var/tmp/diff_new_pack.cdE073/_new  2022-06-17 21:22:54.318786140 +0200
@@ -19,13 +19,8 @@
 %global srcname keylime
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
-%if 0%{?suse_version} >= 1550
-%bcond_without cfssl
-%else
-%bcond_with cfssl
-%endif
 Name:   keylime
-Version:6.4.0
+Version:6.4.1
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -35,8 +30,6 @@
 Source2:%{name}-user.conf
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1: keylime.conf.diff
-# PATCH-FIX-OPENSUSE config-libefivars.diff
-Patch2: config-libefivars.diff
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
@@ -108,7 +101,6 @@
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
-Recommends: cfssl
 
 %description -n %{name}-registrar
 Subpackage of %{name} for registrar service.
@@ -125,9 +117,6 @@
 
 %prep
 %autosetup -p1 -n %{name}-v%{version}
-%if !%{with cfssl}
-sed -i "s/ca_implementation = cfssl/ca_implementation = openssl/g" keylime.conf
-%endif
 
 %build
 %python_build

++ _service ++
--- /var/tmp/diff_new_pack.cdE073/_old  2022-06-17 21:22:54.346786155 +0200
+++ /var/tmp/diff_new_pack.cdE073/_new  2022-06-17 21:22:54.350786157 +0200
@@ -1,7 +1,7 @@
 
   
 @PARENT_TAG@
-refs/tags/v6.4.0
+refs/tags/v6.4.1
 https://github.com/keylime/keylime.git
 git
 enable

++ _servicedata ++
--- /var/tmp/diff_new_pack.cdE073/_old  2022-06-17 21:22:54.370786168 +0200
+++ /var/tmp/diff_new_pack.cdE073/_new  2022-06-17 21:22:54.374786170 +0200
@@ -1,6 +1,6 @@
 
 
 https://github.com/keylime/keylime.git
-  c8137d941b1813bcf2fbb726e108693c6dc6aec6
+  bbc191948341b71c64a38d897470f300c7ebcbb1
 (No newline at EOF)
 

++ 

commit keylime for openSUSE:Factory

2022-05-25 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-05-25 20:34:03

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2254 (New)


Package is "keylime"

Wed May 25 20:34:03 2022 rev:18 rq:978982 version:6.4.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-04-16 
00:14:14.829648934 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2254/keylime.changes
2022-05-25 20:34:12.896198565 +0200
@@ -1,0 +2,46 @@
+Mon May 23 12:52:23 UTC 2022 - apla...@suse.com
+
+- Update to version v6.4.0 (CVE-2022-1053, boo#1199253):
+  * general: bump Keylime version to 6.4.0
+  * tests: adjust tests to reflect latest API changes
+  * api: bump version to 2.1
+  * config: remove unused registrar mTLS options in cloud_verifier section
+  * tenant, verifier: let the tenant provide the AK and mTLS certificate
+  * Fix exit call in scripts/download_packit_coverage.sh
+  * Added codecov.io description to TESTING.md
+  * ci: only run CodeQL on the keylime directory and disable it for the webapp
+  * Enable GitHub workflow integrating codecov.io
+  * README: Fix and cleanup the install instructions
+  * ima: add backport for dataclasses support for Python 3.6
+  * ima: add info that device mapper validation is still experimental
+  * add lark as a dependency
+  * ima: integrate dm validator into gernal IMA validation
+  * agentstates: add the option to load and store dm validator state
+  * ima: add parser and validator for device mapper entries
+  * ima_file_signatures: rename to file_signatures
+  * ima_ast: rename to ast
+  * ima: move IMA components into their own module
+  * failure: add function to get current event ids
+  * config: add more details for tpm_cert_store option
+  * Deprecate API version 1.0
+  * config, webapp: remove tls_check_hostnames option
+  * ci: add CodeQL analysis
+  * agent, tpm: remove is_vtpm() check
+  * tests: update to reflect vTPM removal
+  * remove vTPM related helper files and documentation
+  * config: remove vTPM related options
+  * tenant: remove vtpm_policy
+  * verifier: remove vtpm_policy
+  * remove REQUIRE_ROOT environment option
+  * Remove Testing farm tag-repository
+  * Bump required packaging module version to 20.0
+  * Remove last traces of M2Crypto
+  * Workaround for mock_open not supporting iteration in Python 3.6
+
+---
+Wed May 18 11:28:14 UTC 2022 - Alberto Planas Dominguez 
+
+- Fix "run_as" configuration parameter and set it to keylime:tss
+- Improve downgrade user migration during package update
+
+---

Old:

  keylime-v6.3.2.tar.xz

New:

  keylime-v6.4.0.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.mJfIFI/_old  2022-05-25 20:34:13.648199614 +0200
+++ /var/tmp/diff_new_pack.mJfIFI/_new  2022-05-25 20:34:13.652199620 +0200
@@ -25,7 +25,7 @@
 %bcond_with cfssl
 %endif
 Name:   keylime
-Version:6.3.2
+Version:6.4.0
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
@@ -50,6 +50,7 @@
 Requires:   python-SQLAlchemy
 Requires:   python-alembic
 Requires:   python-cryptography
+Requires:   python-lark-parser
 Requires:   python-psutil
 Requires:   python-python-gnupg
 Requires:   python-pyzmq
@@ -156,11 +157,11 @@
 install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
 %endif
 install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
-install -Dpm 644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
+install -Dpm 644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
 install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
 
-install -D -m 644 %{SOURCE1} 
%{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
+install -D -m 644 %{SOURCE1} 
%{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml
 
 mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
 cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
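Review bot: the mount unit install line now derives the file name from the package macro (var-lib-%{srcname}-secure.mount), but a systemd mount unit must be named after the path it mounts, so this name is fixed by the mount point and not by the package name. If %{srcname} ever differs from keylime, the unit is installed under a name that no longer matches its Where= path and systemd refuses to load it. Keep the literal var-lib-keylime-secure.mount here, or add a comment tying the macro to the mount path; the firewalld change to %{srcname}.xml has no such constraint.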
@@ -199,6 +200,15 @@
 
 %pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre
 
+%post -n %{srcname}-tpm_cert_store
+# Help the upgrade process when moving to a non-root services
+chown -R keylime:tss 
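Review bot: the new %post scriptlet runs chown -R keylime:tss unconditionally, so it executes on every fresh install and every later update, although its comment says it only exists to help the upgrade to non-root services. Guard it on the upgrade case (in %post the first argument is 1 on install and 2 or more on upgrade), and keep the path as narrow as possible, since this is a recursive ownership change run as root over a tree the keylime user can write to once the migration has happened. The chown target is cut off in this excerpt, so the path itself cannot be reviewed here.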

commit keylime for openSUSE:Factory

2022-04-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-04-16 00:13:57

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1941 (New)


Package is "keylime"

Sat Apr 16 00:13:57 2022 rev:17 rq:969814 version:6.3.2

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-03-02 
18:20:34.724654834 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1941/keylime.changes
2022-04-16 00:14:14.829648934 +0200
@@ -1,0 +2,99 @@
+Wed Apr 13 09:42:54 UTC 2022 - apla...@suse.com
+
+- Update to version v6.3.2:
+  * general: bump Keylime version to 6.3.2
+  * tpm_main: flush transient objects
+  * pypi: add notice that the Python API is unstable
+  * installer: use OpenSSL by default
+  * Avoid mounting secdir while unmounting it
+  * remove TPM, VTPM and IMA stubbing support
+  * archive: remove all archive files
+  * Change GH reviewers to be from developer group
+  * added suse / opensuse support with zypper
+  * Fix tpm import in test_tpm.py
+  * Fix cfssl configuration in run_tests.sh
+  * tpm_emulator: improve TPM emulator installation
+  * config: Add option to enable DB debugging via DEBUG_DB env var
+  * Enable SQL query cache for JSONPickleType
+  * tpm_emulator: move everything into systemd services
+  * Implement broader key support for Keylime's signing mechanisms
+  * tenant: Use exponential backoff on key verification retries
+  * tenant: Move JSON parsing to capture possible exceptions
+  * tenant: Move verifier stop from do_quote to do_verify
+  * pylint: Fix issues related to W0602 global-variable-not-assigned
+  * tenant: Handle 404 error from registrar gracefully
+  * pylint: Fix remaining code with issue R1732 consider-using-with
+  * pylint: Fix R1732 consider-using-with
+  * pylint: Fix issue detected by pylint-2.13.0
+  * pylint: Fix issue detected by pylint-2.13.0
+  * tenant: verify agent quote before adding to verifier
+  * README: remove tpm2-abrmd and OSX sections
+  * pylint: Fix issues related to W0102 dangerous-default-value
+  * pylint: Fix R0201 no-self-use
+  * pylint: remove W1203 logging-format-interpolation from ignore list
+  * pylint: remove R1729 use-a-generator from ignore list
+  * pylint: remove E1120 no-value-for-parameter from ignore list
+  * pylint: remove W1201 logging-not-lazy from ignore list
+  * pylint: fix C0209 consider-using-f-string
+  * pylint: fix C0201 consider-iterating-dictionary
+  * pylint: fix W1509 subprocess-popen-preexec-fn
+  * keylime_tenant non-zero exit code on error
+  * Fix prepare step adjustments in packit-ci.fmf plan
+  * failure: fix Pattern type hint
+  * mypy: add initial Mypy configuration
+  * ima_ast: add type hints
+  * failure: add type hints
+  * logging, config: add type hints for logging module
+  * algorithms: add type hints
+  * json: add type hints and add JSONType as custom type
+  * Full allowlist processing when not adding host
+  * provider, vTPM: remove vTPM manager and provider code
+  * tpm: fix that the set of missing PCRs is not serializable in failure
+  * Restores the option to use keylime agents without mTLS
+  * services: make the services run as keylime user instead of root
+  * State in --help that SHA-256 is used for --allowlist-checksum
+  * config: change cacert.pem to cacert.crt
+  * registrar_client: validate connections against registrar ca certificate
+  * tenant: validate connections against verifier ca certificate
+  * request_client: only add custom adapter if TLS is enabled
+  * setup: add static assets for webapp
+  * Add TESTING.md describing testing details
+  * Fix some remaining log format strings
+  * Fix for database_url parameter with sqlite
+  * Enable test basic-attestation-with-unpriviledged-agent in Packit CI
+  * Use lazy string formatting when logging (#535)
+  * Make Packit CI plan more resource-saving
+  * keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
+  * agent: Make sure tmpfs is empty even if not mounted or cannot unmount
+  * agent: Drop privileges by switching to normal user and group
+  * agent: Move mounting of tmpfs towards beginning of main()
+  * agent: Read measured boot log near process start
+  * agent: Open file for IMA log file near process start
+  * ima: Refactor read_measurement_list() to take file as argument
+  * Add the policy name to failure event
+  * tpm_main: Check if tpm_cert_store exists (#553)
+  * Remove tag input from container build workflow
+  * Push container images to quay.io/keylime org
+  * Enable code coverage measurement for e2e tests in Packit CI
+  * config: fix config search order
+  * Add defaults for ephemeral keys for agent records
+  * Update outdated greetings Github messages
+  * services: add 

commit keylime for openSUSE:Factory

2022-03-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-03-02 18:20:22

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1958 (New)


Package is "keylime"

Wed Mar  2 18:20:22 2022 rev:16 rq:958269 version:6.3.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-02-26 
17:02:31.279540081 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1958/keylime.changes
2022-03-02 18:20:34.724654834 +0100
@@ -1,0 +2,9 @@
+Thu Feb 24 15:50:53 UTC 2022 - Alberto Planas Dominguez 
+
+- Add upstream patches:
+  * drop_privileges_of_agent_process_after_startup.patch
+  * config_fix_config_search_order.patch
+  * services_add_keylime_agent_secure_mount_service.patch
+- Configure the agent to run as non-root
+
+---

New:

  config_fix_config_search_order.patch
  drop_privileges_of_agent_process_after_startup.patch
  keylime-user.conf
  services_add_keylime_agent_secure_mount_service.patch



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.HAjvWj/_old  2022-03-02 18:20:35.448654860 +0100
+++ /var/tmp/diff_new_pack.HAjvWj/_new  2022-03-02 18:20:35.452654859 +0100
@@ -32,14 +32,22 @@
 URL:https://github.com/keylime/keylime
 Source0:%{name}-v%{version}.tar.xz
 Source1:keylime.xml
+Source2:%{name}-user.conf
 # PATCH-FIX-OPENSUSE keylime.conf.diff
 Patch1: keylime.conf.diff
 # PATCH-FIX-OPENSUSE config-libefivars.diff
 Patch2: config-libefivars.diff
+# PATCH-FIX-UPSTREAM drop_privileges_of_agent_process_after_startup.patch 
(gh#keylime/keylime!900)
+Patch3: drop_privileges_of_agent_process_after_startup.patch
+# PATCH-FIX-UPSTREAM config_fix_config_search_order.patch 
(gh#keylime/keylime!902)
+Patch4: config_fix_config_search_order.patch
+# PATCH-FIX-UPSTREAM services_add_keylime_agent_secure_mount_service.patch 
(gh#keylime/keylime!903)
+Patch5: services_add_keylime_agent_secure_mount_service.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  python-rpm-macros
+BuildRequires:  sysuser-tools
 Requires:   libtss2-tcti-device0
 Requires:   libtss2-tcti-tabrmd0
 Requires:   procps
@@ -128,6 +136,7 @@
 
 %build
 %python_build
+%sysusers_generate_pre %{SOURCE2} %{name} %{name}-user.conf
 
 %install
 export VERSION=%{version}
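Review bot: %sysusers_generate_pre is given %{name} as the scriptlet name in %build, while the later hunk consumes it as "%pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre". The two only line up while %{name} and %{srcname} expand to the same string; use one macro in both places so the account-creation scriptlet cannot silently go missing. Since the keylime user is created only in the tpm_cert_store %pre, a spec comment stating that every subpackage that needs the account depends on tpm_cert_store would also help.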
@@ -153,6 +162,7 @@
 install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
 %endif
 install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
+install -Dpm 644 ./services/%{srcname}_agent_secure.mount 
%{buildroot}%{_unitdir}/var-lib-keylime-secure.mount
 install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
 
@@ -162,6 +172,9 @@
 cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 %fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/
 
+mkdir -p %{buildroot}%{_sysusersdir}
+install -m 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/
+
 # %%check
 # %%pyunittest -v
 
@@ -190,6 +203,8 @@
 %post -n %{srcname}-firewalld
 %firewalld_reload
 
+%pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre
+
 %pre -n %{srcname}-verifier
 %service_add_pre %{srcname}_verifier.service
 
@@ -216,15 +231,19 @@
 
 %pre -n %{srcname}-agent
 %service_add_pre %{srcname}_agent.service
+%service_add_pre var-lib-keylime-secure.mount
 
 %post -n %{srcname}-agent
 %service_add_post %{srcname}_agent.service
+%service_add_post var-lib-keylime-secure.mount
 
 %preun -n %{srcname}-agent
 %service_del_preun %{srcname}_agent.service
+%service_del_preun var-lib-keylime-secure.mount
 
 %postun -n %{srcname}-agent
 %service_del_postun %{srcname}_agent.service
+%service_del_postun var-lib-keylime-secure.mount
 
 %files %{python_files}
 %doc README.md
@@ -253,9 +272,10 @@
 %{_prefix}/lib/firewalld/services/keylime.xml
 
 %files -n %{srcname}-tpm_cert_store
-%dir %attr(0700,root,root) %{_sharedstatedir}/keylime
+%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
 %dir %{_sharedstatedir}/keylime/tpm_cert_store
 %{_sharedstatedir}/keylime/tpm_cert_store/*
+%{_sysusersdir}/%{srcname}-user.conf
 
 %files -n %{srcname}-verifier
 %{_unitdir}/%{srcname}_verifier.service
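Review bot: in "%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime" the mode grants nothing to the group, so assigning group tss has no effect on access to the directory. Either document that the group is set only for consistency with the service's run_as setting, or use root as the group to avoid suggesting that tss members are meant to get in. The tpm_cert_store directory and its files carry no %attr and keep the packaged default ownership, which looks right for a read-only certificate store but deserves a comment saying it is intentional.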
@@ -265,5 +285,6 @@
 
 %files -n %{srcname}-agent
 %{_unitdir}/%{srcname}_agent.service
+%{_unitdir}/var-lib-keylime-secure.mount
 
 %changelog

++ config_fix_config_search_order.patch ++

commit keylime for openSUSE:Factory

2022-02-26 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-02-26 17:02:01

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1958 (New)


Package is "keylime"

Sat Feb 26 17:02:01 2022 rev:15 rq:957406 version:6.3.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-02-09 
20:39:12.126376267 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1958/keylime.changes
2022-02-26 17:02:31.279540081 +0100
@@ -1,0 +2,62 @@
+Thu Feb 24 14:49:33 UTC 2022 - apla...@suse.com
+
+- Drop patches beacuse merged upstream:
+  * version.diff
+  * cloud_verifier_tornado-use-fork_processes.patch
+- Drop binaries not used anymore:
+  * keylime_provider_platform_init
+  * keylime_provider_registrar
+  * keylime_provider_vtpm_add
+- Update to version v6.3.1:
+  * revocation_notifier: mark webhook threads as daemon and add timeout
+  * Fix Packit CI test plan Summary
+  * Enable Packit CI testing on CentOS Stream 8
+  * Enable Packit CI testing on Fedora Rawhide
+  * Remove last trace of TPM 1.2 (hopefully)
+  * verifier: remove start_tornado() function
+  * verifier: wait for connections to be closed before stopping ioloop
+  * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
+  * Add more e2e tests to Packit CI
+  * Enable EPEL repo on CentOS Stream in packit.yaml
+  * agent, crypto: add localhost, server and contact ip to agent certificate
+  * Add better default repo path for run_local.sh
+  * Fix incorrect variable name in test_restful
+  * Run existing agent tests against the rust-keylime agent
+  * Fix small wording mistakes caught while reading the code
+  * agent: move key and certificate logging levels from debug to info
+  * agent: allow absolute paths for rsa_keyname and mtls_cert
+  * Add missing backend parameter
+  * cloud_verifier_tornado: use fork_processes
+  * ci: automatically push release to PyPI
+  * setup.{py,cfg}: Move setup configuration to setup.cfg
+  * Add iproute tool to Dockerfile
+  * Pylint does not like single-line functions.
+  * A small beauty fix
+  * This is a small fix to proactively fix Issue #840 by identifying 
non-escaped double quotes in the tpm2-tools output
+  * setup.py: add version number and new Python versions, drop unsed binaries
+  * setup.py, config: install default configuration into package path
+  * ci: move old keylime.conf to keylime.conf.orig before running tests
+  * retry: fix pylint issue
+  * Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 
devices.
+  * Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table 
"verifiermain"
+  * tenant: add exponential backoff option to retry timings
+  * cloud verifier: add exponential backoff option to retry timings
+  * tpm: add exponential backoff option to retry timings
+  * test, retry: add unit test for retry algorithm
+  * common: add algorithm for retry time calculation
+  * registrar, tpm_main: ensure that correct types are commited to DB.
+  * Fix typo for config param listen_notifications
+  * Lint is _really_ unhappy today.
+  * Linty fixes
+  * Adding a unit test file for tpm_main
+  * tpm_main: check if PCRs for the hash algorithm are available
+  * tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
+  * agent: output supported_version as result not as a status
+  * Add missing subcommands to -c help message
+  * tests: fix mtls_cert generation in test_restful.py
+  * revocation_notifier: fix socket path permission check
+  * Remove unused database_query config param
+  * Move umask calls only on entry points
+  * config: move directory utilities to fs_util
+
+---

Old:

  cloud_verifier_tornado-use-fork_processes.patch
  keylime-v6.3.0.tar.xz
  version.diff

New:

  keylime-v6.3.1.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.n6NLGZ/_old  2022-02-26 17:02:32.063540205 +0100
+++ /var/tmp/diff_new_pack.n6NLGZ/_new  2022-02-26 17:02:32.067540206 +0100
@@ -25,21 +25,17 @@
 %bcond_with cfssl
 %endif
 Name:   keylime
-Version:6.3.0
+Version:6.3.1
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
 URL:https://github.com/keylime/keylime
 Source0:%{name}-v%{version}.tar.xz
 Source1:keylime.xml
-# PATCH-FIX-OPENSUSE version.diff
-Patch1: version.diff
 # PATCH-FIX-OPENSUSE keylime.conf.diff
-Patch2: keylime.conf.diff
+Patch1: keylime.conf.diff
 # PATCH-FIX-OPENSUSE 

commit keylime for openSUSE:Factory

2022-02-09 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-02-09 20:38:36

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1898 (New)


Package is "keylime"

Wed Feb  9 20:38:36 2022 rev:14 rq:952217 version:6.3.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-29 
20:57:40.936424405 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes
2022-02-09 20:39:12.126376267 +0100
@@ -1,0 +2,9 @@
+Mon Feb  7 16:28:22 UTC 2022 - Alberto Planas Dominguez 
+
+- Change back agent_uuid to hostname
+- Set tpm_hash_alg to sha256 by default
+- Update version.diff patch to point to the correct version number
+- Fix issue with Tornado, when multiple workers are started
+  * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
+
+---

New:

  cloud_verifier_tornado-use-fork_processes.patch



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.EjcBwT/_old  2022-02-09 20:39:12.934378200 +0100
+++ /var/tmp/diff_new_pack.EjcBwT/_new  2022-02-09 20:39:12.942378219 +0100
@@ -38,6 +38,8 @@
 Patch2: keylime.conf.diff
 # PATCH-FIX-OPENSUSE config-libefivars.diff
 Patch3: config-libefivars.diff
+# PATCH-FIX-UPSTREAM cloud_verifier_tornado-use-fork_processes.patch 
(gh#keylime/keylime!880)
+Patch4: cloud_verifier_tornado-use-fork_processes.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros

++ cloud_verifier_tornado-use-fork_processes.patch ++
>From 3ffdf86d6e3f2377520a07da0202cd6ba4c6f711 Mon Sep 17 00:00:00 2001
From: Alberto Planas 
Date: Mon, 7 Feb 2022 17:00:02 +0100
Subject: [PATCH 1/2] cloud_verifier_tornado: use fork_processes

If the cloud_verifier/multiprocessing_pool_num_workers is different from
1, the call to the `.start()` process will fail, as the previous call to
`.add_sockets()` is already initializing the internal ioloop.

The raised exception will be:

Traceback (most recent call last):
  File "/usr/bin/keylime_verifier", line 11, in 
load_entry_point('keylime==6.3.0', 'console_scripts', 'keylime_verifier')()
  File "/usr/lib/python3.6/site-packages/keylime/cmd/verifier.py", line 21, in 
main
cloud_verifier_tornado.main()
  File "/usr/lib/python3.6/site-packages/keylime/cloud_verifier_tornado.py", 
line 1122, in main
server.start(config.getint('cloud_verifier', 
'multiprocessing_pool_num_workers'))
  File "/usr/lib64/python3.6/site-packages/tornado/tcpserver.py", line 220, in 
start
process.fork_processes(num_processes)
  File "/usr/lib64/python3.6/site-packages/tornado/process.py", line 129, in 
fork_processes
raise RuntimeError("Cannot run in multiple processes: IOLoop instance "
RuntimeError: Cannot run in multiple processes: IOLoop instance has already 
been initialized. You cannot call IOLoop.instance() before calling 
start_processes()

This was introduced in 
https://github.com/keylime/keylime/commit/50661f8b33f6b7335104cd4c0dfff711705ee96e

This patch reverts back to calling `.process.fork_processes()` after the
`.bind_sockets()` line, which happens before the `.start()`, and
drops the optional parameter in the last method call.

Signed-off-by: Alberto Planas 
---
 keylime/cloud_verifier_tornado.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

Index: keylime-v6.3.0/keylime/cloud_verifier_tornado.py
===
--- keylime-v6.3.0.orig/keylime/cloud_verifier_tornado.py
+++ keylime-v6.3.0/keylime/cloud_verifier_tornado.py
@@ -1113,13 +1113,16 @@ def main():
 sockets = tornado.netutil.bind_sockets(
 int(cloudverifier_port), address=cloudverifier_host)
 
+tornado.process.fork_processes(config.getint(
+'cloud_verifier', 'multiprocessing_pool_num_workers'))
+
 server = tornado.httpserver.HTTPServer(app, ssl_options=context, 
max_buffer_size=max_upload_size)
 server.add_sockets(sockets)
 
 signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))
 
 try:
-server.start(config.getint('cloud_verifier', 
'multiprocessing_pool_num_workers'))
+server.start()
 if tornado.process.task_id() == 0:
 # Start the revocation notifier only on one process
 if config.getboolean('cloud_verifier', 'revocation_notifier'):
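Review bot: tornado.process.fork_processes() is now called unconditionally before the HTTPServer is created, so the change also affects multiprocessing_pool_num_workers = 1, the case the commit message describes as working. The removed server.start(n) only forked when n was not 1, whereas fork_processes(1) still forks one child and keeps the parent as a supervisor, and a value of 0 or less makes Tornado start one process per CPU. Please confirm two consequences: the signal.signal(signal.SIGTERM, ...) handler is installed after the fork and therefore only in the children, and the task_id() == 0 test that gates the revocation notifier now sees a task id in the single-worker case too. If the old single-process behaviour should be preserved, guard the fork_processes call on the configured value being different from 1.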
Index: keylime-v6.3.0/keylime/crypto.py
===
--- keylime-v6.3.0.orig/keylime/crypto.py
+++ keylime-v6.3.0/keylime/crypto.py
@@ -211,5 +211,5 @@ def 

commit keylime for openSUSE:Factory

2022-01-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-01-29 20:57:31

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1898 (New)


Package is "keylime"

Sat Jan 29 20:57:31 2022 rev:13 rq:949635 version:6.3.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-27 
23:16:40.827096907 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes
2022-01-29 20:57:40.936424405 +0100
@@ -1,0 +2,106 @@
+Thu Jan 27 16:16:19 UTC 2022 - apla...@suse.com
+
+- Drop patches beacuse merged upstream:
+  * 0001-Drop-dataclasses-module-usage.patch
+  * 0001-config-support-merge-multiple-config-files.patch
+  * 0001-ca-support-back-old-cyptography-API.patch
+- Update to version v6.3.0:
+  * Coordinated update to fix:
++ bsc#1193997 (CVE-2022-23948)
++ bsc#1193998 (CVE-2021-43310)
++ bsc#1194000 (CVE-2022-23949)
++ bsc#1194002 (CVE-2022-23950)
++ bsc#1194004 (CVE-2022-23951)
++ bsc#1194005 (CVE-2022-23952)
+  * secure_mount: add umount function
+  * secure_mount: use /proc/self/mountinfo
+  * Validate user ID in all public interfaces
+  * validators: add uuid and agent_id validators
+  * validators: create validators module
+  * revocation_notifier: move zmq socket to /var/run/keylime
+  * Update API version from 1.0 to 2.0
+  * tpm: do not compress quote with zlib by default
+  * verifier: persist AK and mTLS certificate to DB
+  * verifier: use "supported_version" for agent connections
+  * tenant: add support for "supported_version" option for the verifier
+  * api_version: add the option for basic validation
+  * verifier: add supported_version field to DB and API
+  * agent: add /version to REST API
+  * verifier, tenant: allow agents to not use mTLS
+  * tenant, verifier: allow manual configuration of agent mTLS
+  * tests: migrate to mTLS
+  * tenant: connect to the agent via mTLS
+  * verifier: connect to the agent via mTLS
+  * tornado_requests: handle SSLError
+  * web_util: add mTLS context generation for agent
+  * agent: Enable mTLS for agent REST API
+  * crypto: add helper function for creating self signed certs
+  * registrar: Allow the agent to registrar with a mTLS certificate
+  * request_client: add workaround for handling certificates
+  * request_client: add the option to ignore hostname validation
+  * Better docs and errors about IMA hash mismatches
+  * tests: use JSON instead Python string for IMA tests
+  * verifier: use json.loads(..) instead of ast.literal_eval(..)
+  * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert
+of the device directs to the following download site:
+'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root
+CA .cer' (yes, including the spaces)
+  * Improve revocation notifier IP description in keylime.conf
+  * tornado_requests: set Content-Type header correctly for JSON
+  * tenant: post U key to agent with correct Content-Type header
+  * Explicitly set permissions on new keylime.conf files installed
+  * tpm_main: close file descriptor for aik handle
+  * verifier: do not call finish() twice
+  * agent: fix payload execution
+  * tests: add initial tests for web_util module
+  * config, web_util: move get_restful_params(..) to web_util
+  * verifier: Also retry on HTTP 500 status code
+  * agent: improve startup and shutdown
+  * registrar: cleanup start function
+  * web_util: move echo_json_response(..) out of config.py
+  * verifier: fix failure generation for V key
+  * tornado_requests: cleanup TornadoResponse class
+  * web_util, verifier: move mTLS SSLContext generation into separate module
+  * ca: support back old cyptography API
+  * Fix test branch reference in packit.yaml
+  * ci: disable DeprecationWarning from pylint in tox
+  * Enable new test in Packit CI
+  * tenant: fix reactivate command
+  * config: support merge multiple config files
+  * ci: use only fedora-stable for packit
+  * elchecking: harden example policy against event type manipulation
+  * elchecking: add new tests
+  * tests: fix stdout formatting for agent and verifier
+  * Drop dataclasses module usage
+  * revocation notifier: handle shutdown of process gracefully
+  * verifier: handle SIGINT and SIGTERM correctly
+  * ima_emulator: fix IMA hash validation and add more options
+  * ima_ast: fix handling ToMToU errors
+  * Remove leftovers of TPM 1.2 support
+  * agent: improved validation for post function
+  * agent: better validation for mask and nonce
+  * config: add function to validate hex strings
+  * agent: keys/verify check if challenge was provided
+  * tpm_main: do not append /usr/local/{bin,lib} to default env
+  * db: only set length on Text type if supported
+  * json: 

commit keylime for openSUSE:Factory

2022-01-27 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-01-27 23:16:25

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1898 (New)


Package is "keylime"

Thu Jan 27 23:16:25 2022 rev:12 rq:949098 version:6.2.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-21 
01:25:02.742741216 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1898/keylime.changes
2022-01-27 23:16:40.827096907 +0100
@@ -1,0 +2,5 @@
+Tue Jan 25 15:13:04 UTC 2022 - Alberto Planas Dominguez 
+
+- Set /var/lib/keylime under the same permissions expected by the code
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.xwF456/_old  2022-01-27 23:16:41.563091822 +0100
+++ /var/tmp/diff_new_pack.xwF456/_new  2022-01-27 23:16:41.567091794 +0100
@@ -275,7 +275,7 @@
 %{_prefix}/lib/firewalld/services/keylime.xml
 
 %files -n %{srcname}-tpm_cert_store
-%dir %{_sharedstatedir}/keylime
+%dir %attr(0700,root,root) %{_sharedstatedir}/keylime
 %dir %{_sharedstatedir}/keylime/tpm_cert_store
 %{_sharedstatedir}/keylime/tpm_cert_store/*
 


commit keylime for openSUSE:Factory

2022-01-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-01-21 01:24:58

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1938 (New)


Package is "keylime"

Fri Jan 21 01:24:58 2022 rev:11 rq:947243 version:6.2.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-13 
00:22:14.719924836 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1938/keylime.changes
2022-01-21 01:25:02.742741216 +0100
@@ -1,0 +2,9 @@
+Tue Jan 18 14:28:05 UTC 2022 - Alberto Planas Dominguez 
+
+- Add 0001-config-support-merge-multiple-config-files.patch
+  This will allow the merge of config files in /usr/etc and /etc.
+- Move the configuration file to /usr/etc in new distributions
+- Add 0001-ca-support-back-old-cyptography-API.patch
+  This is only required for SLE, but the API is compatible with new versions
+
+---

New:

  0001-ca-support-back-old-cyptography-API.patch
  0001-config-support-merge-multiple-config-files.patch



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.h2NGLR/_old  2022-01-21 01:25:03.790734031 +0100
+++ /var/tmp/diff_new_pack.h2NGLR/_new  2022-01-21 01:25:03.794734005 +0100
@@ -40,6 +40,10 @@
 Patch3: config-libefivars.diff
 # PATCH-FIX-UPSTREAM 0001-Drop-dataclasses-module-usage.patch 
(gh#keylime/keylime!827)
 Patch4: 0001-Drop-dataclasses-module-usage.patch
+# PATCH-FIX-UPSTREAM 0001-config-support-merge-multiple-config-files.patch 
(gh#keylime/keylime!829)
+Patch5: 0001-config-support-merge-multiple-config-files.patch
+# PATCH-FIX-UPSTREAM 0001-ca-support-back-old-cyptography-API.patch 
(gh#keylime/keylime!839)
+Patch6: 0001-ca-support-back-old-cyptography-API.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
@@ -154,7 +158,13 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
+%if 0%{?suse_version} >= 1550
+# setup.py copy keylime.conf in /etc, but we expect it in /usr/etc
+rm %{buildroot}%{_sysconfdir}/%{srcname}.conf
+install -Dpm 600 %{srcname}.conf 
%{buildroot}%{_prefix}%{_sysconfdir}/%{srcname}.conf
+%else
 install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
+%endif
 install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
 install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
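Review bot: the /usr/etc location in the new install line is assembled as %{_prefix}%{_sysconfdir}; openSUSE provides %{_distconfdir} for this path, which states the intent directly and does not depend on how the two macros concatenate. The preceding rm has no -f, so the build fails if setup.py stops installing keylime.conf under /etc; that is a reasonable tripwire, but say so in the comment so it is not "fixed" later.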
@@ -253,7 +263,11 @@
 %{python_sitelib}/*
 
 %files -n %{srcname}-config
+%if 0%{?suse_version} >= 1550
+%{_prefix}%{_sysconfdir}/%{srcname}.conf
+%else
 %config(noreplace) %{_sysconfdir}/%{srcname}.conf
+%endif
 
 %files -n %{srcname}-firewalld
 %dir %{_prefix}/lib/firewalld
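Review bot: on suse_version >= 1550 the %files list no longer contains "%config(noreplace) %{_sysconfdir}/%{srcname}.conf", so an upgrade stops owning an existing /etc/keylime.conf. As far as I know rpm moves a locally modified config file aside as .rpmsave when the new package drops it, which would put the services back on the vendor defaults in /usr/etc without notice, including any locally tightened TLS or policy settings. Add a migration step or an upgrade note for this case. The file under %{_prefix}%{_sysconfdir} is correctly not marked %config.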

++ 0001-ca-support-back-old-cyptography-API.patch ++
>From 57d033e9a9a5946a63c9d161381dee4830017531 Mon Sep 17 00:00:00 2001
From: Alberto Planas 
Date: Tue, 18 Jan 2022 15:04:55 +0100
Subject: [PATCH] ca: support back old cyptography API

After [1] we moved from M2Crypto to cryptography, and we started to drop
the use of the, now optional, `backend` parameter.  This is OK as we are
explicit on the minimal version of cryptography, but we still use in
other modules (like crypto.py or tpm_main.py for example) the old API.

This patch uses the optional `backend` parameter to unify the API usage,
and still be compatible with some older versions of cryptography.

[1] https://github.com/keylime/keylime/pull/747

Signed-off-by: Alberto Planas 
---
 keylime/ca_impl_cfssl.py   | 2 ++
 keylime/ca_impl_openssl.py | 4 
 keylime/ca_util.py | 6 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

Index: keylime-v6.2.1/keylime/ca_impl_cfssl.py
===
--- keylime-v6.2.1.orig/keylime/ca_impl_cfssl.py
+++ keylime-v6.2.1/keylime/ca_impl_cfssl.py
@@ -127,6 +127,7 @@ def mk_cacert(name=None):
 privkey = serialization.load_pem_private_key(
 body['result']['private_key'].encode('utf-8'),
 password=None,
+backend=default_backend(),
 )
 cert = x509.load_pem_x509_certificate(
 data=body['result']['certificate'].encode('utf-8'),
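Review bot: backend=default_backend() is added to load_pem_private_key, but the diffstat lists only 2 insertions for ca_impl_cfssl.py and both are these backend= lines, so the patch adds no import of default_backend to this file. Please confirm the name is already imported there, otherwise mk_cacert and mk_signed_cert raise NameError at runtime. The same count also means the x509.load_pem_x509_certificate(...) call visible in the context gets no backend argument from this patch; if the goal is compatibility with older cryptography releases, check whether that call needs it as well.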
@@ -212,6 +213,7 @@ def mk_signed_cert(cacert, ca_pk, name,
 pk = serialization.load_pem_private_key(
 body['result']['private_key'].encode('utf-8'),
 password=None,
+backend=default_backend(),
 )
 cert = 

commit keylime for openSUSE:Factory

2022-01-12 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-01-13 00:22:06

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1892 (New)


Package is "keylime"

Thu Jan 13 00:22:06 2022 rev:10 rq:945609 version:6.2.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2022-01-11 
00:02:32.397274330 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1892/keylime.changes
2022-01-13 00:22:14.719924836 +0100
@@ -1,0 +2,10 @@
+Tue Jan 11 13:38:19 UTC 2022 - Alberto Planas Dominguez 
+
+- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
+
+---
+Tue Jan 11 12:54:41 UTC 2022 - Alberto Planas Dominguez 
+
+- Fix cfssl bcond logic in Tumbleweed / SLE
+
+---

New:

  0001-Drop-dataclasses-module-usage.patch



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.jlTX9d/_old  2022-01-13 00:22:15.671925521 +0100
+++ /var/tmp/diff_new_pack.jlTX9d/_new  2022-01-13 00:22:15.675925524 +0100
@@ -38,6 +38,8 @@
 Patch2: keylime.conf.diff
 # PATCH-FIX-OPENSUSE config-libefivars.diff
 Patch3: config-libefivars.diff
+# PATCH-FIX-UPSTREAM 0001-Drop-dataclasses-module-usage.patch 
(gh#keylime/keylime!827)
+Patch4: 0001-Drop-dataclasses-module-usage.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
@@ -124,7 +126,7 @@
 
 %prep
 %autosetup -p1 -n %{name}-v%{version}
-%if %{with cfssl}
+%if !%{with cfssl}
 sed -i "s/ca_implementation = cfssl/ca_implementation = openssl/g" keylime.conf
 %endif
 

++ 0001-Drop-dataclasses-module-usage.patch ++
>From 9986afc17621fba80df9493a6bf9343334fce77d Mon Sep 17 00:00:00 2001
From: Alberto Planas 
Date: Tue, 11 Jan 2022 14:32:54 +0100
Subject: [PATCH] Drop dataclasses module usage

Dataclasses module is not present in Python 3.6, an interpreter still
used in some distributions.

Even though there is a 3rd party compatibility module, the current usage seems
not properly justified.  For example, in one of the dataclasses there is
a user-provided `__init__` constructor.

Signed-off-by: Alberto Planas 
---
 keylime/failure.py | 7 ---
 keylime/ima_ast.py | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)

Index: keylime-v6.2.1/keylime/failure.py
===
--- keylime-v6.2.1.orig/keylime/failure.py
+++ keylime-v6.2.1/keylime/failure.py
@@ -5,7 +5,6 @@ Copyright 2021 Thore Sommer
 Tagging of failure events that might cause revocation in Keylime.
 '''
 import ast
-import dataclasses
 import enum
 import functools
 import json
@@ -19,7 +18,6 @@ logger = keylime_logging.init_logging("f
 
 
 @functools.total_ordering
-@dataclasses.dataclass(frozen=True)
 class SeverityLabel:
 """
 Severity label that can be attached to an event.
@@ -30,6 +28,10 @@ class SeverityLabel:
 name: str
 severity: int
 
+def __init__(self, name, severity):
+self.name = name
+self.severity = severity
+
 def __lt__(self, other):
 return self.severity < other.severity
 
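Review bot: The `__init__` added to SeverityLabel restores the constructor but not the rest of what `@dataclasses.dataclass(frozen=True)` (removed in the previous hunk) provided: instances are no longer immutable, and the generated `__repr__`, `__eq__` and `__hash__` are gone. Only `__lt__` is visible here, and `functools.total_ordering` builds `<=` and `>=` from `__lt__` plus `__eq__`, so unless the class defines its own `__eq__` below this context, two labels with the same severity compare unequal by identity. Please confirm `__eq__` (with a matching `__hash__`) is defined explicitly, and consider read-only properties or `__slots__` if callers relied on the frozen behaviour. The `name: str` / `severity: int` lines kept above are now annotations only.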
@@ -49,7 +51,6 @@ class Component(enum.Enum):
 DEFAULT = "default"
 
 
-@dataclasses.dataclass
 class Event:
 """
 Event that might be the reason for revocation.
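Review bot: `@dataclasses.dataclass` is dropped from Event with no replacement in this hunk, which is only safe if Event's own `__init__` assigns every annotated field. The commit message mentions a user-provided `__init__` in one of the dataclasses; it should say that this is the class meant. Also check that nothing calls `dataclasses.asdict()` or `dataclasses.fields()` on Event, or relies on its generated `__eq__`/`__repr__`, since `import dataclasses` is removed from this module.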
Index: keylime-v6.2.1/keylime/ima_ast.py
===
--- keylime-v6.2.1.orig/keylime/ima_ast.py
+++ keylime-v6.2.1/keylime/ima_ast.py
@@ -13,7 +13,6 @@ import codecs
 import hashlib
 import struct
 import abc
-import dataclasses
 
 from typing import Dict, Callable, Any, Optional
 from keylime import config
@@ -33,10 +32,12 @@ NULL_BYTE = ord('\0')
 COLON_BYTE = ord(':')
 
 
-@dataclasses.dataclass
 class Validator:
 functions: Dict[Any, Callable]
 
+def __init__(self, functions):
+self.functions = functions
+
 def get_validator(self, class_type) -> Callable:
 validator = self.functions.get(class_type, None)
 if validator is None:
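Review bot: In Validator, the new `__init__(self, functions)` loses the type the dataclass took from `functions: Dict[Any, Callable]`. Annotate the parameter (`functions: Dict[Any, Callable]`) so type checkers still see it; the class-level annotation can then be dropped. The generated `__eq__` and `__repr__` disappear here as well, which deserves a line in the commit message if any test compares Validator instances.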

++ config-libefivars.diff ++
--- /var/tmp/diff_new_pack.jlTX9d/_old  2022-01-13 00:22:15.723925558 +0100
+++ /var/tmp/diff_new_pack.jlTX9d/_new  2022-01-13 00:22:15.727925561 +0100
@@ -1,8 +1,8 @@
-Index: keylime-6.2.0/keylime/config.py
+Index: keylime-v6.2.1/keylime/config.py
 ===
 keylime-6.2.0.orig/keylime/config.py
-+++ keylime-6.2.0/keylime/config.py
-@@ -311,7 +311,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/
+--- 

commit keylime for openSUSE:Factory

2022-01-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2022-01-11 00:01:57

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1892 (New)


Package is "keylime"

Tue Jan 11 00:01:57 2022 rev:9 rq:945320 version:6.2.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-12-21 
18:40:19.125856991 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.1892/keylime.changes
2022-01-11 00:02:32.397274330 +0100
@@ -1,0 +2,51 @@
+Mon Jan 10 12:05:37 UTC 2022 - apla...@suse.com
+
+- Update to version v6.2.1:
+  * Another addition to gitignore
+  * Update .gitignore with more Keylime-specific files
+  * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
+  * ima_ast: check if the PCR is the same as in the config
+  * Fix permissions issue on volume mount in run_local.sh
+  * Make run_local.sh use a local copy of the repo
+  * Small updates to GOVERNANCE.md
+  * Move cargo-tarpaulin install to separate command
+  * config: drop registrar_* TLS options in [registrar] section
+  * Fix missing && in Dockerfile
+  * Remove simplejson from scripts and docs
+  * Replace simplejson with built-in json module
+  * Add rust-keylime container dependencies
+  * config: fix getboolean with fallback
+  * Clean up CI scripts and rewrite run_local.sh
+  * ima: for ToMToU errors skip template content validation
+  * ima: Use a set of entry numbers and file offsets to remember multiple 
positions
+  * Rename CONTRIBUTORS.md to CONTRIBUTING.md
+  * Update GOVERNANCE.md to match MAINTAINERS.md rename
+  * Update MAINTAINERS
+  * Update README: remove Gitter, Travis CI
+  * ca: Use UTC when setting certificate validity
+  * Tenant commands return json
+  * scripts: Allow passing a base policy to create_policy tool
+  * ima: Handle the case of ima-sig with a path with spaces in them
+  * add length to string object
+  * scripts: Implement create_policy to create the JSON allowlist from files
+  * ima: Also add a sha256 default boot_aggregate hash with 64 '0's
+  * ima: Use seek() to get to the last known last entry
+  * ima: Extend allowlist to be able to handle generic ima-buf entries
+  * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings'
+  * ima: Populate verifier keyrings with keys taken from ima-buf log line
+  * ima: Remove methods from ImaKeyring that are now in ImaKeyrings
+  * ima: Start passing ima_keyrings through APIs replacing ima_keyring
+  * Extend AgentAttestState with ima_keyrings field and use it
+  * ima: Implement ImaKeyrings class to support multiple keyrings
+  * verifier: Extend verifier DB to persist learned keyrings
+  * Fix a couple of pylint errors
+  * ima: Fix spurious attestation failures
+  * ima: make ToMToU errors not a failure by default
+  * Simple fix for tenant error message printout.
+  * pylint: Fix errors related to R1714
+  * pylint: Suppress C0201, C0209 and W0602 newly reported errors
+  * installer: do not install tpm2-abrmd
+  * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
+  * verifier: add option to send revocation messages via webhook
+
+---

Old:

  keylime-6.2.0.tar.gz

New:

  keylime-v6.2.1.tar.xz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.w0WyVn/_old  2022-01-11 00:02:32.961274825 +0100
+++ /var/tmp/diff_new_pack.w0WyVn/_new  2022-01-11 00:02:32.961274825 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package keylime
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,12 +25,12 @@
 %bcond_with cfssl
 %endif
 Name:   keylime
-Version:6.2.0
+Version:6.2.1
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
 URL:https://github.com/keylime/keylime
-Source0:%{name}-%{version}.tar.gz
+Source0:%{name}-v%{version}.tar.xz
 Source1:keylime.xml
 # PATCH-FIX-OPENSUSE version.diff
 Patch1: version.diff
@@ -123,7 +123,7 @@
 Subpackage of %{name} for verifier service.
 
 %prep
-%autosetup -p1
+%autosetup -p1 -n %{name}-v%{version}
 %if %{with cfssl}
 sed -i "s/ca_implementation = cfssl/ca_implementation = openssl/g" keylime.conf
 %endif

++ _service ++
--- /var/tmp/diff_new_pack.w0WyVn/_old  2022-01-11 00:02:33.001274860 +0100
+++ /var/tmp/diff_new_pack.w0WyVn/_new  2022-01-11 00:02:33.001274860 +0100
@@ -1,7 +1,7 @@
 
   
 

commit keylime for openSUSE:Factory

2021-12-21 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-12-21 18:40:16

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2520 (New)


Package is "keylime"

Tue Dec 21 18:40:16 2021 rev:8 rq:941638 version:6.2.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-12-13 
20:46:42.760502103 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.2520/keylime.changes
2021-12-21 18:40:19.125856991 +0100
@@ -1,0 +2,12 @@
+Wed Dec 15 13:22:32 UTC 2021 - Alberto Planas Dominguez 
+
+- Fix keylime configuration file attributes
+
+---
+Tue Dec 14 17:07:39 UTC 2021 - Alberto Planas Dominguez 
+
+- Requires python-psutil
+- Disable automatic execution of the payload by default
+- Use ramdom UUID by default
+
+---
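Review bot: Typo in the Dec 14 changelog entry: "Use ramdom UUID by default" should read "random".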



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.FzvTxV/_old  2021-12-21 18:40:19.581857400 +0100
+++ /var/tmp/diff_new_pack.FzvTxV/_new  2021-12-21 18:40:19.585857403 +0100
@@ -50,6 +50,7 @@
 Requires:   python-SQLAlchemy
 Requires:   python-alembic
 Requires:   python-cryptography
+Requires:   python-psutil
 Requires:   python-python-gnupg
 Requires:   python-pyzmq
 Requires:   python-requests
@@ -151,7 +152,7 @@
 
 %python_expand %fdupes %{buildroot}%{$python_sitelib}
 
-install -Dpm 644 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
+install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf
 install -Dpm 644 ./services/%{srcname}_agent.service 
%{buildroot}%{_unitdir}/%{srcname}_agent.service
 install -Dpm 644 ./services/%{srcname}_verifier.service 
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
 install -Dpm 644 ./services/%{srcname}_registrar.service 
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
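Review bot: `install -Dpm 600` only sets the mode inside the buildroot; the packaged mode and owner are decided by the `%files` entry, which is not part of this hunk. Please check that `%files` does not override the mode through `%attr` or `%defattr`, and that the account the keylime services run as can still read `%{_sysconfdir}/%{srcname}.conf` at 0600. The changelog entry "Fix keylime configuration file attributes" could state the reason, given that the file carries values such as `tpm_ownerpassword`.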

++ keylime.conf.diff ++
--- /var/tmp/diff_new_pack.FzvTxV/_old  2021-12-21 18:40:19.645857457 +0100
+++ /var/tmp/diff_new_pack.FzvTxV/_new  2021-12-21 18:40:19.649857461 +0100
@@ -38,17 +38,27 @@
  registrar_port = 8890
  
  # The name of the RSA key that Keylime should use for protecting shares of 
U/V.
-@@ -73,7 +77,8 @@ extract_payload_zip = True
+@@ -62,7 +66,8 @@ tpm_ownerpassword = keylime
+ # After decryption, the archive will be unzipped to a directory in 
/var/lib/keylime/secure.
+ # Note: the limits on the size of the tmpfs partition set above with the 
'secure_size'
+ # option will affect this.
+-extract_payload_zip = True
++# extract_payload_zip = True
++extract_payload_zip = False
+ 
+ # The agent's UUID.
+ # Set to "openstack", it will try to get the UUID from the metadata service.
+@@ -73,7 +78,8 @@ extract_payload_zip = True
  # 'dmidecode -s system-uuid'.
  # If you set this to "hostname", Keylime will use the full qualified domain
  # name of current host as the agent id.
 -agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c0
 +# agent_uuid = d432fbb3-d2f1-4a97-9ef7-75bd81c0
-+agent_uuid = hostname
++agent_uuid = generate
  
  # Whether to listen for revocation notifications from the verifier or not.
  listen_notfications = True
-@@ -137,7 +142,8 @@ ek_handle = generate
+@@ -137,7 +143,8 @@ ek_handle = generate
  cloudverifier_id = default
  
  # The IP address and port of verifier server binds to
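Review bot: The regenerated keylime.conf.diff changes two defaults (`extract_payload_zip = False` and `agent_uuid = generate`) but records the previous value only as a commented-out line, with no explanation next to it. The changelog describes the first one as disabling automatic execution of the payload, while the option changed here controls extraction; a one-line comment above the new value stating that link, and why the openSUSE default differs from upstream, would make the patch auditable on its own.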
@@ -58,7 +68,7 @@
  cloudverifier_port = 8881
  
  # The address and port of registrar server that verifier communicates with
-@@ -250,7 +256,8 @@ revocation_notifier = True
+@@ -250,7 +257,8 @@ revocation_notifier = True
  # The revocation notifier IP address and port used to start the revocation 
service.
  # If the 'revocation_notifier' option is set to "true", then the verifier
  # automatically starts the revocation service.
@@ -68,7 +78,7 @@
  revocation_notifier_port = 8992
  
  # The verifier limits the size of upload payloads (allowlists) which defaults 
to
-@@ -354,10 +361,12 @@ max_payload_size = 1048576
+@@ -354,10 +362,12 @@ max_payload_size = 1048576
  # and SHA-512).
  # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses
  # them internally.
@@ -83,7 +93,7 @@
  
  # Specify the file containing allowlists for processing Linux IMA measurements
  # this file is used if tenant provides "default" as the allowlist file
-@@ -409,7 +418,8 @@ max_retries = 10
+@@ -409,7 +419,8 @@ max_retries = 10
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.
@@ -93,7 +103,7 @@
  
  # Optional 

commit keylime for openSUSE:Factory

2021-12-13 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-12-13 20:42:01

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2520 (New)


Package is "keylime"

Mon Dec 13 20:42:01 2021 rev:7 rq:936751 version:6.2.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-12-03 
20:35:28.828205151 +0100
+++ /work/SRC/openSUSE:Factory/.keylime.new.2520/keylime.changes
2021-12-13 20:46:42.760502103 +0100
@@ -1,0 +2,5 @@
+Wed Dec  8 16:30:39 UTC 2021 - Alberto Planas Dominguez 
+
+- Introduce a bcond for cfssl detection
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.2FNmX4/_old  2021-12-13 20:46:43.300502169 +0100
+++ /var/tmp/diff_new_pack.2FNmX4/_new  2021-12-13 20:46:43.304502169 +0100
@@ -19,6 +19,11 @@
 %global srcname keylime
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
+%if 0%{?suse_version} >= 1550
+%bcond_without cfssl
+%else
+%bcond_with cfssl
+%endif
 Name:   keylime
 Version:6.2.0
 Release:0
@@ -118,7 +123,7 @@
 
 %prep
 %autosetup -p1
-%if !0%{?is_opensuse}
+%if %{with cfssl}
 sed -i "s/ca_implementation = cfssl/ca_implementation = openssl/g" keylime.conf
 %endif
 
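Review bot: The new guard in %prep is inverted. The line it replaces, `%if !0%{?is_opensuse}`, switched keylime.conf to openssl where cfssl is not available. `%if %{with cfssl}` runs the sed when the cfssl bcond is enabled, which per the first hunk is the `suse_version >= 1550` case, so builds with cfssl get `ca_implementation = openssl` and builds without it keep `cfssl`. It should be `%if %{without cfssl}` (or `%if !%{with cfssl}`).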


commit keylime for openSUSE:Factory

2021-12-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-12-03 20:35:24

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.31177 (New)


Package is "keylime"

Fri Dec  3 20:35:24 2021 rev:6 rq:934989 version:6.2.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-09-20 
23:33:06.439170178 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.31177/keylime.changes   
2021-12-03 20:35:28.828205151 +0100
@@ -1,0 +2,5 @@
+Wed Dec  1 10:07:10 UTC 2021 - Alberto Planas Dominguez 
+
+- Drop cfssl if we are not in openSUSE
+
+---



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.TsoJUg/_old  2021-12-03 20:35:29.476202783 +0100
+++ /var/tmp/diff_new_pack.TsoJUg/_new  2021-12-03 20:35:29.476202783 +0100
@@ -118,6 +118,9 @@
 
 %prep
 %autosetup -p1
+%if !0%{?is_opensuse}
+sed -i "s/ca_implementation = cfssl/ca_implementation = openssl/g" keylime.conf
+%endif
 
 %build
 %python_build
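Review bot: The sed added to %prep exits successfully whether or not it changes anything, so if the `ca_implementation = cfssl` line in keylime.conf is ever reworded (upstream, or by one of the patches that `%autosetup -p1` applies just before), non-openSUSE builds silently keep a cfssl default. Either carry the openssl default as a conditional patch, or follow the sed with `grep -q "^ca_implementation = openssl" keylime.conf` so the build fails when the substitution stops matching.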


commit keylime for openSUSE:Factory

2021-09-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-09-20 23:32:16

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1899 (New)


Package is "keylime"

Mon Sep 20 23:32:16 2021 rev:5 rq:919475 version:6.2.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-07-29 
21:31:35.952798018 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1899/keylime.changes
2021-09-20 23:33:06.439170178 +0200
@@ -1,0 +2,130 @@
+Thu Sep 16 08:39:35 UTC 2021 - apla...@suse.com
+
+- Update to version 6.2.0:
+  * Fix bug #757 where revoc cert was treated as text
+  * Code improvement: removal of extra dependencies in measured boot 
attestation (#755)
+  * Sanitize the exclude list while it is ingested at `tenant` by removing 
comments (^#) and empty lines.
+  * tenant: show severity level and last event id in status
+  * verifier: move to new failure architecture
+  * pcr validation: move to new failure architecture
+  * measured boot: move to new failure architecture
+  * ima: move to new failure architecture
+  * failure: add infrastructure to tag and collect revocation events in Keylime
+  * Simulating use of SSLContext.minimum_version on ssl v3.6
+  * verifier: fix minor typos
+  * Add tests for ca_impl_cfssl and ca_util
+  * Replace M2Crypto with python-cryptography
+  * tenant: status now shows if a agent was added to the registrar
+  * tenant: open file to send utf-8 encoded
+  * Correct some comments about and remove vestige in MB policy
+  * fixing a small bug that resulted in malformed refstates not failing MBA
+  * agent: ensure that EK is in PEM format when used as uuid
+  * Solves #703 by adding a "non-trivial" example of a "measured boot policy" 
(#734)
+  * ci: build and publish container images
+  * codestyle: fix W0612 and R1735 pylint errors
+  * codestyle: fix W1514 pylint error
+  * systemd: Add KillSignal=SIGINT to keylime_agent.service
+  * One-liner to set the minimum version of TLS to v1.2
+  * pylint fix
+  * Typo fix: return list order confusion between measured_boot.py and 
tpm_abstract.py
+  * Refactor keylime_logging module
+  * ima: Implement ima-buf validator and validate keys on keyrings (#725)
+  * Remove Python 2 leftovers
+  * Additional fix for the processing of "tpm_policy"
+  * ima: Return an empty allowlist rather than a plain empty list
+  * verifier: convert (v)tpm_policy in DB from string to JSONPickleType
+  * verifier: Create AgentAttestState objects from entries in the db
+  * verifier: Persist the IMA attestation state after running the log 
verification
+  * db: Add DB migration file for boottime, ima_pcrs, pcr10, and 
next_ima_ml_entries
+  * verifier: Skip attestation one time if agent's boottime changed
+  * test: Add test case simulating iterative attestation
+  * verifier: Delete an AgentAttestState when deleting an agent
+  * ima: Remember the number of lines successfully processed and last IMA PCR 
value(s)
+  * ima: Reset the attestation if processing the measurement list fails
+  * debug: Show line number when PCR match occurs
+  * verifier: Extend AgentAttestState with state of the IMA PCR
+  * Consult the AgentAttestState for the next measurement list entry
+  * Introduce an AgentAttestState class for passing state through the APIs
+  * verifier: Request IMA log at entry 0 for now
+  * agent: Get boottime and transfer to verifier
+  * agent: Add support for optional IMA log offset parameter
+  * tests: Add a unit test for the IMA function and run it
+  * agent: Move IMA measurement list reading function to ima.py
+  * Add default verifier-check value
+  * Use tox for pylint
+  * Use Fedora 34 as base image for CI container
+  * Run ci jobs only when needed
+  * config: merge convert and list_convert into the same function
+  * Versioned APIs
+  * Refacator of check_pcrs to parse then validate (#716)
+  * Automatically calculates the boot_aggregate from the measured boot log. 
(#713)
+  * Set default UUID as lowercase (#699)
+  * tenant: do_cvdelete wait until 404
+  * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
+  * ima: Convert pcrval to bytes to increase efficiency
+  * tests: extend ima tests for signature validation and exclude lists
+  * Allow agents to specify a contact ip address and port for the tenant and 
CV  (#690)
+  * verifer: Fix signature and allowlist evaluation bahavior change
+  * ima: Fix runtime error due to wrong datatype
+  * tenant: add the option to specify the registrar ip and port
+  * measured_boot: drop process_refstate
+  * check_pcrs: match PCR if no mb_refstate is provided
+  * ci: make run_local.sh work with newer docker versions
+  * Fixing pylint errors (#698)
+  * tests: add IMA test where 

commit keylime for openSUSE:Factory

2021-07-29 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-07-29 21:31:05

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1899 (New)


Package is "keylime"

Thu Jul 29 21:31:05 2021 rev:4 rq:908385 version:6.1.1

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-07-22 
22:43:06.943218942 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1899/keylime.changes
2021-07-29 21:31:35.952798018 +0200
@@ -1,0 +2,21 @@
+Mon Jul 26 09:31:01 UTC 2021 - Alberto Planas Dominguez 
+
+- Update to Keylime 6.1.1
+  + keylime_tenant add crash with TypeError: Object of type 'bytes' is
+not JSON serializable
+  + Whenever Keylime agent starts and cannot contact the registrar, it
+fails and quits without flushing create EK handles
+  + keylime_tenant -c reglist now requires a "-t" parameter for no
+reason
+  + Duplicated API calls to verifier in webapp backend
+  + Installer deletes tpm_cert_store files
+  + agent_uuid set to dmidecode crashes Keylime
+  + Copying of tpm_cert_store fails during installation
+  + If the PCR belong to a measured boot list, it is not validated
+  + keylime_tenant --c update fails with a race condition
+- Drop patches already present in the new version
+  + webapp-fix-tls-certs-paths.patch
+  + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+  + tenant-do_cvdelete-wait-until-404.patch
+
+---

Old:

  check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  keylime-6.1.0.tar.xz
  tenant-do_cvdelete-wait-until-404.patch
  webapp-fix-tls-certs-paths.patch

New:

  keylime-6.1.1.tar.gz



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.CMteEL/_old  2021-07-29 21:31:36.564797264 +0200
+++ /var/tmp/diff_new_pack.CMteEL/_new  2021-07-29 21:31:36.568797259 +0200
@@ -20,12 +20,12 @@
 %{?!python_module:%define python_module() python-%{**} python3-%{**}}
 %define skip_python2 1
 Name:   keylime
-Version:6.1.0
+Version:6.1.1
 Release:0
 Summary:Open source TPM software for Bootstrapping and Maintaining 
Trust
 License:Apache-2.0 AND MIT
 URL:https://github.com/keylime/keylime
-Source0:%{name}-%{version}.tar.xz
+Source0:%{name}-%{version}.tar.gz
 Source1:keylime.xml
 # PATCH-FIX-OPENSUSE version.diff
 Patch1: version.diff
@@ -33,12 +33,6 @@
 Patch2: keylime.conf.diff
 # PATCH-FIX-OPENSUSE config-libefivars.diff
 Patch3: config-libefivars.diff
-# PATCH-FIX-UPSTREAM webapp-fix-tls-certs-paths.patch gh#keylime/keylime!659
-Patch4: webapp-fix-tls-certs-paths.patch
-# PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch 
gh#keylime/keylime!695
-Patch5: check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
-# PATCH-FIX-UPSTREAM tenant-do_cvdelete-wait-until-404.patch 
gh#keylime/keylime!711
-Patch6: tenant-do_cvdelete-wait-until-404.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros

++ keylime.conf.diff ++
--- /var/tmp/diff_new_pack.CMteEL/_old  2021-07-29 21:31:36.624797190 +0200
+++ /var/tmp/diff_new_pack.CMteEL/_new  2021-07-29 21:31:36.628797185 +0200
@@ -1,7 +1,7 @@
-Index: keylime-6.1.0/keylime.conf
+Index: keylime-6.1.1/keylime.conf
 ===
 keylime-6.1.0.orig/keylime.conf
-+++ keylime-6.1.0/keylime.conf
+--- keylime-6.1.1.orig/keylime.conf
 keylime-6.1.1/keylime.conf
 @@ -12,11 +12,13 @@ tls_check_hostnames = False
  # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the
  # go binary installed in your path or in /usr/local/.
@@ -18,7 +18,7 @@
  receive_revocation_port = 8992
  
  #=
-@@ -24,11 +26,13 @@ receive_revocation_port = 8992
+@@ -24,7 +26,8 @@ receive_revocation_port = 8992
  #=
  
  # The binding address and port for the agent server
@@ -27,6 +27,10 @@
 +cloudagent_ip = 0.0.0.0
  cloudagent_port = 9002
  
+ # Address and port where the verifier and tenant can connect to reach the 
agent.
+@@ -33,7 +36,8 @@ agent_contact_ip = 127.0.0.1
+ agent_contact_port = 9002
+ 
  # The address and port of registrar server which agent communicate with
 -registrar_ip = 127.0.0.1
 +# registrar_ip = 127.0.0.1
@@ -34,7 +38,7 @@
  registrar_port = 8890
  
  # The name of the RSA key that Keylime should use for protecting shares of 

commit keylime for openSUSE:Factory

2021-07-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-07-22 22:42:44

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.1899 (New)


Package is "keylime"

Thu Jul 22 22:42:44 2021 rev:3 rq:907680 version:6.1.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-07-17 
23:36:24.702074732 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.1899/keylime.changes
2021-07-22 22:43:06.943218942 +0200
@@ -1,0 +2,11 @@
+Wed Jul 21 14:17:10 UTC 2021 - Alberto Planas Dominguez 
+
+- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
+
+---
+Mon Jul 19 14:57:45 UTC 2021 - Alberto Planas Dominguez 
+
+- Adjust the default revocation notifier binding IP
+- Default to CFSSL in keylime.conf
+
+---

New:

  tenant-do_cvdelete-wait-until-404.patch



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.8YsX1v/_old  2021-07-22 22:43:07.875217727 +0200
+++ /var/tmp/diff_new_pack.8YsX1v/_new  2021-07-22 22:43:07.875217727 +0200
@@ -37,6 +37,8 @@
 Patch4: webapp-fix-tls-certs-paths.patch
 # PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch 
gh#keylime/keylime!695
 Patch5: check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+# PATCH-FIX-UPSTREAM tenant-do_cvdelete-wait-until-404.patch 
gh#keylime/keylime!711
+Patch6: tenant-do_cvdelete-wait-until-404.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros

++ keylime.conf.diff ++
--- /var/tmp/diff_new_pack.8YsX1v/_old  2021-07-22 22:43:07.927217659 +0200
+++ /var/tmp/diff_new_pack.8YsX1v/_new  2021-07-22 22:43:07.927217659 +0200
@@ -2,7 +2,13 @@
 ===
 --- keylime-6.1.0.orig/keylime.conf
 +++ keylime-6.1.0/keylime.conf
-@@ -16,7 +16,8 @@ ca_implementation = openssl
+@@ -12,11 +12,13 @@ tls_check_hostnames = False
+ # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the
+ # go binary installed in your path or in /usr/local/.
+ # Note: Revocation list generation is only supported by "cfssl".
+-ca_implementation = openssl
++# ca_implementation = openssl
++ca_implementation = cfssl
  
  # Revocation IP & Port used by either the cloud_agent or keylime_ca to receive
  # revocation events from the verifier.
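Review bot: Defaulting `ca_implementation` to cfssl makes the shipped configuration depend on a tool that, per the context comment, has to be present on the host ("you must have the go binary installed in your path or in /usr/local/"). Please make sure the subpackage that actually runs the CA pulls cfssl in, otherwise a default install points at a binary that may not be there. As in the other hunks, a short comment above the new value explaining why the openSUSE default differs from upstream would help.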
@@ -12,7 +18,7 @@
  receive_revocation_port = 8992
  
  #=
-@@ -24,11 +25,13 @@ receive_revocation_port = 8992
+@@ -24,11 +26,13 @@ receive_revocation_port = 8992
  #=
  
  # The binding address and port for the agent server
@@ -28,7 +34,7 @@
  registrar_port = 8890
  
  # The name of the RSA key that Keylime should use for protecting shares of 
U/V.
-@@ -68,7 +71,8 @@ extract_payload_zip = True
+@@ -68,7 +72,8 @@ extract_payload_zip = True
  # 'dmidecode -s system-uuid'.
  # If you set this to "hostname", Keylime will use the full qualified domain
  # name of current host as the agent id.
@@ -38,7 +44,7 @@
  
  # Whether to listen for revocation notifications from the verifier or not.
  listen_notfications = True
-@@ -129,7 +133,8 @@ ek_handle = generate
+@@ -129,7 +134,8 @@ ek_handle = generate
  #=
  
  # The IP address and port of verifier server binds to
@@ -48,7 +54,17 @@
  cloudverifier_port = 8881
  
  # The address and port of registrar server that verifier communicates with
-@@ -380,7 +385,8 @@ max_retries = 10
+@@ -241,7 +247,8 @@ revocation_notifier = True
+ # The revocation notifier IP address and port used to start the revocation 
service.
+ # If the 'revocation_notifier' option is set to "true", then the verifier
+ # automatically starts the revocation service.
+-revocation_notifier_ip = 127.0.0.1
++# revocation_notifier_ip = 127.0.0.1
++revocation_notifier_ip = 0.0.0.0
+ revocation_notifier_port = 8992
+ 
+ # The verifier limits the size of upload payloads (allowlists) which defaults 
to
+@@ -380,7 +387,8 @@ max_retries = 10
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.
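Review bot: `revocation_notifier_ip = 0.0.0.0` makes the verifier's revocation service listen on every interface by default, where the upstream value bound it to loopback. If this is needed so that agents on other hosts can subscribe, say so in a comment above the value and make sure port 8992 is covered by the firewalld service definition; otherwise keep 127.0.0.1 and let administrators opt in.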
@@ -58,7 +74,7 @@
  
  # Optional script to execute to check the EK and/or EK certificate against a
  # allowlist or any other additional EK 

commit keylime for openSUSE:Factory

2021-07-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked 
in at 2021-07-17 23:36:21

Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and  /work/SRC/openSUSE:Factory/.keylime.new.2632 (New)


Package is "keylime"

Sat Jul 17 23:36:21 2021 rev:2 rq:906290 version:6.1.0

Changes:

--- /work/SRC/openSUSE:Factory/keylime/keylime.changes  2021-06-24 
18:22:43.404926149 +0200
+++ /work/SRC/openSUSE:Factory/.keylime.new.2632/keylime.changes
2021-07-17 23:36:24.702074732 +0200
@@ -1,0 +2,14 @@
+Wed Jul 14 12:12:23 UTC 2021 - Alberto Planas Dominguez 
+
+- Add config-libefivars.diff to adjust the path of the library
+
+---
+Thu Jul  8 14:45:24 UTC 2021 - Alberto Planas Dominguez 
+
+- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
+  (gh#keylime/keylime!695)
+- Recommends CFSSL in the registrar (actually should be the CA)
+- Change default value for require_ek_cert to False
+- Reorder the patches to separate upstream fixes from openSUSE ones
+
+---

New:

  check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
  config-libefivars.diff



Other differences:
--
++ keylime.spec ++
--- /var/tmp/diff_new_pack.gxAI4B/_old  2021-07-17 23:36:25.238070600 +0200
+++ /var/tmp/diff_new_pack.gxAI4B/_new  2021-07-17 23:36:25.238070600 +0200
@@ -29,10 +29,14 @@
 Source1:keylime.xml
 # PATCH-FIX-OPENSUSE version.diff
 Patch1: version.diff
-# PATCH-FIX-UPSTREAM webapp-fix-tls-certs-paths.patch gh#keylime/keylime!659
-Patch2: webapp-fix-tls-certs-paths.patch
 # PATCH-FIX-OPENSUSE keylime.conf.diff
-Patch3: keylime.conf.diff
+Patch2: keylime.conf.diff
+# PATCH-FIX-OPENSUSE config-libefivars.diff
+Patch3: config-libefivars.diff
+# PATCH-FIX-UPSTREAM webapp-fix-tls-certs-paths.patch gh#keylime/keylime!659
+Patch4: webapp-fix-tls-certs-paths.patch
+# PATCH-FIX-UPSTREAM check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch 
gh#keylime/keylime!695
+Patch5: check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
@@ -54,7 +58,7 @@
 Requires:   tpm2.0-abrmd
 Requires:   tpm2.0-tools
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 BuildArch:  noarch
 %python_subpackages
 
@@ -101,6 +105,7 @@
 Requires:   %{name}-tpm_cert_store = %{version}
 Requires:   python3-%{name} = %{version}
 Recommends: %{name}-firewalld = %{version}
+Recommends: cfssl
 
 %description -n %{name}-registrar
 Subpackage of %{name} for registrar service.

++ check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch ++
From 1c3dc5928866741426acabbe653c51d5ec2b9813 Mon Sep 17 00:00:00 2001
From: Alberto Planas 
Date: Thu, 8 Jul 2021 16:16:32 +0200
Subject: [PATCH] check_pcrs: match PCR if no mb_refstate is provided

If the values for mb_refstate are empty, the PCRs that are present in
the tpm_policy and belong to the measured boot process are ignored.

This patch checks that the PCRs from the policy match the ones that
come from the quote when there is no measured boot data.

Fix #694

Signed-off-by: Alberto Planas 
---
 keylime/tpm/tpm_abstract.py | 3 +++
 1 file changed, 3 insertions(+)

Index: keylime-6.1.0/keylime/tpm/tpm_abstract.py
===
--- keylime-6.1.0.orig/keylime/tpm/tpm_abstract.py
+++ keylime-6.1.0/keylime/tpm/tpm_abstract.py
@@ -316,6 +316,9 @@ class AbstractTPM(metaclass=ABCMeta):
 if val_from_log_hex_stripped != pcrval_stripped:
 logger.error("For PCR %d and hash SHA256 the boot 
event log has value %r but the agent returned %r", pcrnum, val_from_log_hex, 
pcrval)
 return False
+elif pcrnum in pcr_allowlist and pcrval not in 
pcr_allowlist[pcrnum] and not config.STUB_TPM:
+logger.error("%sPCR #%s: %s from quote does not match 
expected value %s", ("", "v")[virtual], pcrnum, pcrval, pcr_allowlist[pcrnum])
+return False
 pcrsInQuote.add(pcrnum)
 continue
 
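Review bot: The new `elif` compares the raw `pcrval` against `pcr_allowlist[pcrnum]`, while the branch directly above compares stripped values (`val_from_log_hex_stripped != pcrval_stripped`). Please confirm that the allowlist entries and `pcrval` are normalised the same way at this point, or the check can fail on formatting alone. As the lines read here, a measured-boot PCR that is absent from `pcr_allowlist` still falls through to `pcrsInQuote.add(pcrnum)` with no comparison when there is no mb_refstate; the commit message should say whether that is intended, and a test covering both the mismatch and the absent-PCR case belongs with this fix.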
++ config-libefivars.diff ++
Index: keylime-6.1.0/keylime/config.py
===
--- keylime-6.1.0.orig/keylime/config.py
+++ keylime-6.1.0/keylime/config.py
@@ -318,7 +318,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/
 MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier',