Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-04-16 00:13:57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/keylime (Old) and /work/SRC/openSUSE:Factory/.keylime.new.1941 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Sat Apr 16 00:13:57 2022 rev:17 rq:969814 version:6.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-03-02 18:20:34.724654834 +0100 +++ /work/SRC/openSUSE:Factory/.keylime.new.1941/keylime.changes 2022-04-16 00:14:14.829648934 +0200 
@@ -1,0 +2,99 @@ +Wed Apr 13 09:42:54 UTC 2022 - [email protected] + +- Update to version v6.3.2: + * general: bump Keylime version to 6.3.2 + * tpm_main: flush transient objects + * pypi: add notice that the Python API is unstable + * installer: use OpenSSL by default + * Avoid mounting secdir while unmounting it + * remove TPM, VTPM and IMA stubbing support + * archive: remove all archive files + * Change GH reviewers to be from developer group + * added suse / opensuse support with zypper + * Fix tpm import in test_tpm.py + * Fix cfssl configuration in run_tests.sh + * tpm_emulator: improve TPM emulator installation + * config: Add option to enable DB debugging via DEBUG_DB env var + * Enable SQL query cache for JSONPickleType + * tpm_emulator: move everything into systemd services + * Implement broader key support for Keylime's signing mechanisms + * tenant: Use exponential backoff on key verification retries + * tenant: Move JSON parsing to capture possible exceptions + * tenant: Move verifier stop from do_quote to do_verify + * pylint: Fix issues related to W0602 global-variable-not-assigned + * tenant: Handle 404 error from registrar gracefully + * pylint: Fix remaining code with issue R1732 consider-using-with + * pylint: Fix R1732 consider-using-with + * pylint: Fix issue detected by pylint-2.13.0 + * pylint: Fix issue detected by pylint-2.13.0 + * tenant: verify agent quote before adding to verifier + * README: remove tpm2-abrmd and OSX sections + * pylint: Fix issues related to W0102 dangerous-default-value + * pylint: Fix R0201 no-self-use + * pylint: remove W1203 logging-format-interpolation from ignore list + * pylint: remove R1729 use-a-generator from ignore list + * pylint: remove E1120 no-value-for-parameter from ignore list + * pylint: remove W1201 logging-not-lazy from ignore list + * pylint: fix C0209 consider-using-f-string + * pylint: fix C0201 consider-iterating-dictionary + * pylint: fix W1509 subprocess-popen-preexec-fn + * keylime_tenant 
non-zero exit code on error + * Fix prepare step adjustments in packit-ci.fmf plan + * failure: fix Pattern type hint + * mypy: add initial Mypy configuration + * ima_ast: add type hints + * failure: add type hints + * logging, config: add type hints for logging module + * algorithms: add type hints + * json: add type hints and add JSONType as custom type + * Full allowlist processing when not adding host + * provider, vTPM: remove vTPM manager and provider code + * tpm: fix that the set of missing PCRs is not serializable in failure + * Restores the option to use keylime agents without mTLS + * services: make the services run as keylime user instead of root + * State in --help that SHA-256 is used for --allowlist-checksum + * config: change cacert.pem to cacert.crt + * registrar_client: validate connections against registrar ca certificate + * tenant: validate connections against verifier ca certificate + * request_client: only add custom adapter if TLS is enabled + * setup: add static assets for webapp + * Add TESTING.md describing testing details + * Fix some remaining log format strings + * Fix for database_url parameter with sqlite + * Enable test basic-attestation-with-unpriviledged-agent in Packit CI + * Use lazy string formatting when logging (#535) + * Make Packit CI plan more resource-saving + * keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime) + * agent: Make sure tmpfs is empty even if not mounted or cannot unmount + * agent: Drop privileges by switching to normal user and group + * agent: Move mounting of tmpfs towards beginning of main() + * agent: Read measured boot log near process start + * agent: Open file for IMA log file near process start + * ima: Refactor read_measurement_list() to take file as argument + * Add the policy name to failure event + * tpm_main: Check if tpm_cert_store exists (#553) + * Remove tag input from container build workflow + * Push container images to quay.io/keylime org + * Enable code coverage 
measurement for e2e tests in Packit CI + * config: fix config search order + * Add defaults for ephemeral keys for agent records + * Update outdated greetings Github messages + * services: add keylime_agent_secure.mount service + * installer.sh: updated tpm2-{tools, tss}, use system packages if possible + * revocation_notifier: convert the data to str in the notifiers + * revocation_notifier: mark webhook threads as daemon and add timeout + * Fix Packit CI test plan Summary + * Enable Packit CI testing on CentOS Stream 8 + * Enable Packit CI testing on Fedora Rawhide + * Remove last trace of TPM 1.2 (hopefully) + * verifier: remove start_tornado() function + * verifier: wait for connections to be closed before stopping ioloop + * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s + * Add more e2e tests to Packit CI + * Enable EPEL repo on CentOS Stream in packit.yaml +- Drop already merged patches + * drop_privileges_of_agent_process_after_startup.patch + * config_fix_config_search_order.patch + * services_add_keylime_agent_secure_mount_service.patch + +------------------------------------------------------------------- @@ -8 +107,4 @@ -- Configure the agent to run as non-root +- Configure the agent to run as non-root (via keylime.conf) +- Add keylime sysuser conf file and deploy as part of the tpm + certificate subpackage +- Prepare the systemd mount unit for /var/lib/keylime/secure Old: ---- config_fix_config_search_order.patch drop_privileges_of_agent_process_after_startup.patch keylime-v6.3.1.tar.xz services_add_keylime_agent_secure_mount_service.patch New: ---- keylime-v6.3.2.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.61CChq/_old 2022-04-16 00:14:15.841650284 +0200 +++ /var/tmp/diff_new_pack.61CChq/_new 2022-04-16 00:14:15.849650295 +0200 
@@ -25,7 +25,7 @@ %bcond_with cfssl %endif Name: keylime -Version: 6.3.1 +Version: 6.3.2 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT @@ -37,12 +37,6 @@ Patch1: keylime.conf.diff # PATCH-FIX-OPENSUSE config-libefivars.diff Patch2: config-libefivars.diff -# PATCH-FIX-UPSTREAM drop_privileges_of_agent_process_after_startup.patch (gh#keylime/keylime!900) -Patch3: drop_privileges_of_agent_process_after_startup.patch -# PATCH-FIX-UPSTREAM config_fix_config_search_order.patch (gh#keylime/keylime!902) -Patch4: config_fix_config_search_order.patch -# PATCH-FIX-UPSTREAM services_add_keylime_agent_secure_mount_service.patch (gh#keylime/keylime!903) -Patch5: services_add_keylime_agent_secure_mount_service.patch BuildRequires: %{python_module setuptools} BuildRequires: fdupes BuildRequires: firewall-macros ++++++ _service ++++++ --- /var/tmp/diff_new_pack.61CChq/_old 2022-04-16 00:14:15.881650337 +0200 +++ /var/tmp/diff_new_pack.61CChq/_new 2022-04-16 00:14:15.885650344 +0200 @@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="disabled"> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v6.3.1</param> + <param name="revision">refs/tags/v6.3.2</param> <param name="url">https://github.com/keylime/keylime.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.61CChq/_old 2022-04-16 00:14:15.905650370 +0200 +++ /var/tmp/diff_new_pack.61CChq/_new 2022-04-16 00:14:15.909650376 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">2cd35f3d03732407cffbbbfada1f6c8c3a1b59af</param></service></servicedata> + <param name="changesrevision">89e520567f239a663453d83466943ee366a0fba2</param></service></servicedata> (No newline at EOF) ++++++ config-libefivars.diff ++++++ --- /var/tmp/diff_new_pack.61CChq/_old 2022-04-16 00:14:15.917650386 +0200 +++ /var/tmp/diff_new_pack.61CChq/_new 2022-04-16 00:14:15.921650391 +0200 @@ -1,8 +1,8 @@ -Index: keylime-v6.3.1/keylime/config.py +Index: keylime-v6.3.2/keylime/config.py =================================================================== ---- keylime-v6.3.1.orig/keylime/config.py -+++ keylime-v6.3.1/keylime/config.py -@@ -191,7 +191,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ +--- keylime-v6.3.2.orig/keylime/config.py ++++ keylime-v6.3.2/keylime/config.py +@@ -150,7 +150,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier', 'measured_boot_imports', fallback='').split(',') MEASUREDBOOT_POLICYNAME = get_config().get('cloud_verifier', 'measured_boot_policy_name', fallback='accept-all') ++++++ keylime-v6.3.1.tar.xz -> keylime-v6.3.2.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v6.3.1.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.1941/keylime-v6.3.2.tar.xz differ: char 15, line 1 ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.61CChq/_old 2022-04-16 00:14:15.961650445 +0200 +++ /var/tmp/diff_new_pack.61CChq/_new 2022-04-16 00:14:15.961650445 +0200 @@ -1,7 +1,7 @@ -Index: keylime-v6.3.1/keylime.conf +Index: keylime-v6.3.2/keylime.conf =================================================================== ---- keylime-v6.3.1.orig/keylime.conf -+++ keylime-v6.3.1/keylime.conf +--- keylime-v6.3.2.orig/keylime.conf ++++ keylime-v6.3.2/keylime.conf 
@@ -12,11 +12,13 @@ tls_check_hostnames = False # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the # go binary installed in your path or in /usr/local/. @@ -38,7 +38,7 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -84,7 +88,8 @@ extract_payload_zip = True +@@ -89,7 +93,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. @@ -48,7 +48,7 @@ # Whether to listen for revocation notifications from the verifier or not. listen_notifications = True -@@ -136,7 +141,8 @@ max_retries = 4 +@@ -148,7 +153,8 @@ max_retries = 4 # - hashing: sha512, sha384, sha256 or sha1 # - encryption: ecc or rsa # - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr @@ -58,7 +58,7 @@ tpm_encryption_alg = rsa tpm_signing_alg = rsassa -@@ -154,7 +160,8 @@ ek_handle = generate +@@ -184,7 +190,8 @@ run_as = cloudverifier_id = default # The IP address and port of verifier server binds to @@ -68,7 +68,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -276,7 +283,8 @@ revocation_notifier = True +@@ -309,7 +316,8 @@ revocation_notifier = True # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. @@ -78,7 +78,7 @@ revocation_notifier_port = 8992 # Enable revocation notifications via webhook. This can be used to notify other -@@ -410,10 +418,12 @@ max_payload_size = 1048576 +@@ -445,10 +453,12 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. 
@@ -93,7 +93,7 @@ # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -469,7 +479,8 @@ max_retries = 5 +@@ -500,7 +510,8 @@ max_retries = 5 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -103,7 +103,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -495,7 +506,8 @@ ek_check_script= +@@ -526,7 +537,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server.
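Review bot: in the keylime.changes hunk `@@ -1,0 +2,99 @@` the bullet `* pylint: Fix issue detected by pylint-2.13.0` is listed twice in a row; drop one copy. Two items in the same list change behaviour for existing deployments and deserve a sentence of their own in the entry rather than being buried among pylint fixes: `* config: change cacert.pem to cacert.crt` (a deployment whose config still points at cacert.pem will fail to find the CA file after the update) and `* Restores the option to use keylime agents without mTLS` (an opt-out from mutual TLS that administrators should know exists and leave disabled unless they have a reason).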
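Review bot: the hunk `@@ -8 +107,4 @@` rewrites an already published changelog entry (`- Configure the agent to run as non-root` becomes `(via keylime.conf)` plus the two new lines about the sysuser conf file and the `/var/lib/keylime/secure` mount unit) instead of recording anything under the new dated entry. The spec hunks shown in this submission add neither a sysusers file nor a mount unit, so these lines presumably describe the previous submission; if that is the case, say so in the new entry (or leave the old one untouched), because reviewers comparing the two revisions cannot otherwise tell whether the sysuser file and mount unit are new in 6.3.2 or were already shipped.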
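Review bot: the keylime.spec hunk `@@ -37,12 +37,6 @@` removes `Patch3` through `Patch5`, which matches the `Drop already merged patches` entry and the corresponding upstream items in the 6.3.2 list (`agent: Drop privileges by switching to normal user and group`, `config: fix config search order`, `services: add keylime_agent_secure.mount service`), so the removal itself is fine. One style point remains: the dropped patches each carried a `(gh#keylime/keylime!NNN)` reference, while the surviving `# PATCH-FIX-OPENSUSE config-libefivars.diff` has no upstream issue or rationale attached; add a reference or a one-line reason so the next rebase can judge whether it is still needed.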
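Review bot: in the keylime.conf.diff rebase, the header context of one hunk changes from `-@@ -154,7 +160,8 @@ ek_handle = generate` to `+@@ -184,7 +190,8 @@ run_as =`, i.e. the upstream config now carries an empty `run_as =` line immediately before the verifier's `cloudverifier_id = default`. The changelog only claims the agent is configured to run as non-root, and this diff does not set that verifier `run_as` value; confirm whether the verifier and registrar are expected to drop privileges through the systemd units instead (the `services: make the services run as keylime user instead of root` item suggests so), and if they are, note it in the changes entry so the empty `run_as =` in the shipped config is not mistaken for a regression.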
