Hello community,
here is the log from the commit of package disk-encryption-tool for
openSUSE:Factory checked in at 2023-12-22 22:40:49
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/disk-encryption-tool (Old)
and /work/SRC/openSUSE:Factory/.disk-encryption-tool.new.28375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "disk-encryption-tool"
Fri Dec 22 22:40:49 2023 rev:3 rq:1134500 version:1+git20231221.d2e7fe6
Changes:
--------
---
/work/SRC/openSUSE:Factory/disk-encryption-tool/disk-encryption-tool.changes
2023-12-15 21:47:31.570691649 +0100
+++
/work/SRC/openSUSE:Factory/.disk-encryption-tool.new.28375/disk-encryption-tool.changes
2023-12-22 22:40:59.819260565 +0100
@@ -1,0 +2,14 @@
+Thu Dec 21 15:28:58 UTC 2023 - [email protected]
+
+- Update to version 1+git20231221.d2e7fe6:
+ * Fix setting separate crypt password
+
+-------------------------------------------------------------------
+Wed Dec 20 17:20:08 UTC 2023 - [email protected]
+
+- Update to version 1+git20231220.6a5fb7f:
+ * refactor luks detection
+ * Tweak combustion deps
+ * Fix combustion support (boo#1218131)
+
+-------------------------------------------------------------------
Old:
----
disk-encryption-tool-1+git20231214.1708e01.obscpio
New:
----
disk-encryption-tool-1+git20231221.d2e7fe6.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ disk-encryption-tool.spec ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:00.951302216 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:00.951302216 +0100
@@ -28,7 +28,7 @@
%endif
Name: disk-encryption-tool
-Version: 1+git20231214.1708e01%{git_version}
+Version: 1+git20231221.d2e7fe6%{git_version}
Release: 0
Summary: Tool to reencrypt kiwi raw images
License: MIT
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:00.999303982 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:01.003304129 +0100
@@ -3,6 +3,6 @@
<param
name="url">https://github.com/lnussel/disk-encryption-tool.git</param>
<param
name="changesrevision">702dff62d37b74244b58b41f78b41cd2befe581b</param></service><service
name="tar_scm">
<param
name="url">https://github.com/openSUSE/disk-encryption-tool.git</param>
- <param
name="changesrevision">1708e014184aba1d69c3294a990594a35abbe71c</param></service></servicedata>
+ <param
name="changesrevision">d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7</param></service></servicedata>
(No newline at EOF)
++++++ disk-encryption-tool-1+git20231214.1708e01.obscpio ->
disk-encryption-tool-1+git20231221.d2e7fe6.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/disk-encryption-tool-1+git20231214.1708e01/README.md
new/disk-encryption-tool-1+git20231221.d2e7fe6/README.md
--- old/disk-encryption-tool-1+git20231214.1708e01/README.md 2023-12-14
11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/README.md 2023-12-21
16:03:00.000000000 +0100
@@ -39,9 +39,9 @@
script would have to look like this:
#!/bin/bash
- # combustion: encrypt
- if [ "$1" = "--encrypt" ]; then
- echo 12345 | disk-encryption-tool -v --gen-key
+ # combustion: prepare
+ if [ "$1" = "--prepare" ]; then
+ echo 12345 | disk-encryption-tool -v
else
echo root:12345 | chpasswd
fi
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool
new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool
--- old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool
2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool
2023-12-21 16:03:00.000000000 +0100
@@ -184,7 +184,7 @@
kv="${kv##*/}"
initrd="${initrd#"$mp"}"
log_info "create $initrd for $kv"
- chroot "$mp" dracut --add qemu --add-drivers "dm_crypt
nls_iso8859-1 nls_cp437" -q --reproducible -f "$initrd" "$kv" "$@"
+ hostonly_l=no chroot "$mp" dracut -q --reproducible -f
"$initrd" "$kv" "$@"
done
else
err "Unsupported boot loader or fs layout"
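Review bot: The `hostonly_l=no` prefix on the new dracut call appears to rely on an internal dracut variable leaking in from the environment rather than on a documented interface. If a later dracut release initialises that variable before option parsing, the assignment would be ignored without any error, and with `--add-drivers "dm_crypt …"` now removed the generated initrd could end up host-only for the build environment and missing what is needed to unlock the root device. Unless there is a reason to avoid it, the documented flag states the intent directly: `chroot "$mp" dracut --no-hostonly -q --reproducible -f "$initrd" "$kv" "$@"`. The enclosing loop starts above the hunk.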
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut
new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut
--- old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut
2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut
2023-12-21 16:03:00.000000000 +0100
@@ -1,19 +1,23 @@
#!/bin/sh
+
exec < /dev/console >/dev/console 2>&1
type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
-script=/run/combustion/mount/combustion/script
-if [ -e "$script" ] && grep -qE '^# combustion:(.*)\<encrypt\>' "$script"; then
- systemctl start sysroot.mount
- # silence systemd
- kill -SIGRTMIN+21 1
- chmod a+x "$script"
- "$script" --encrypt
-elif getargbool 0 rd.encrypt || [ ! -e /sysroot/etc/machine-id ]; then
- systemctl start sysroot.mount
- # silence systemd
- kill -SIGRTMIN+21 1
- echo -ne '\a'
- read -n1 -s -r -t 5 -p "Press ESC to prevent encrypting the disk"
inhibitor
- echo
- [ "$inhibitor" = $'\e' ] || /usr/bin/disk-encryption-tool -v --gen-key
|| die "Encryption failed"
+
+# XXX: this is so dirty
+systemctl start sysroot.mount
+mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var
+if [ ! -e /sysroot/var/lib/YaST2/reconfig_system ]; then
+ echo "system already configured, no encryption"
+ umount /sysroot/var
+ exit 0
+fi
+umount /sysroot/var
+
+# silence systemd
+kill -SIGRTMIN+21 1
+echo -ne '\n\n\a'
+read -n1 -s -r -t 10 -p "*** Press ESC to prevent encrypting the disk"
inhibitor
+echo
+if [ "$inhibitor" != $'\e' ]; then
+ /usr/bin/disk-encryption-tool -v --gen-key || die "Encryption failed"
fi
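Review bot: The new gate fails open, because the exit status of neither `systemctl start sysroot.mount` nor `mount --target-prefix /sysroot --fstab /sysroot/etc/fstab /var` is checked. If either fails, the `reconfig_system` marker is not found, the script prints "system already configured, no encryption" and exits 0, so a first boot can silently stay unencrypted. Consider `systemctl start sysroot.mount || die "cannot mount /sysroot"` and an equivalent check on the `/var` mount (allowing for layouts where `/var` has no fstab entry), so that a mount failure is distinguishable from an already configured system. The hunk also removes the `rd.encrypt` override, which leaves the marker file as the only trigger; a comment saying that this is intended would help.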
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service
new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut.service
---
old/disk-encryption-tool-1+git20231214.1708e01/disk-encryption-tool-dracut.service
2023-12-14 11:04:59.000000000 +0100
+++
new/disk-encryption-tool-1+git20231221.d2e7fe6/disk-encryption-tool-dracut.service
2023-12-21 16:03:00.000000000 +0100
@@ -7,12 +7,7 @@
Requires=initrd-root-device.target
After=initrd-root-device.target
-# we want to run after combustion copied the config but before combustion
-# itself runs
-Requires=combustion.service
-After=firstboot-detect.service
-After=combustion-prepare.service
-Before=combustion.service
+After=combustion.service
# After ignition completed its stuff
After=ignition-complete.target
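Review bot: The new `After=combustion.service` line reverses the previous ordering but has no comment, while the comment that explained the old ordering was deleted with it. `After=` alone only orders the units and no longer pulls combustion in, now that `Requires=combustion.service` is gone, so a reader cannot tell whether that is deliberate. A short comment above the line would settle it, for example `# ordering only: run after combustion when it is part of the boot transaction`.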
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt
new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-diskencrypt
--- old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-diskencrypt
2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-diskencrypt
2023-12-21 16:03:00.000000000 +0100
@@ -59,7 +59,7 @@
local dev
for dev in "${crypt_devs[@]}"; do
echo "adding password to $dev"
- echo -n "$password" | run cryptsetup luksAddKey
--verbose --batch-mode --force-password --key-file <(keyctl pipe
"$crypt_keyid") "$dev"
+ echo -n "$crypt_pw" | run cryptsetup luksAddKey
--verbose --batch-mode --force-password --key-file <(keyctl pipe
"$crypt_keyid") "$dev"
done
fi
}
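Review bot: `echo -n "$crypt_pw"` lets bash's `echo` treat the passphrase as an option when its value is `-n`, `-e` or `-E`, so nothing is written to the pipe and cryptsetup, running with `--batch-mode --force-password`, receives empty input for the new passphrase. `printf '%s' "$crypt_pw" | run cryptsetup luksAddKey …` writes the value verbatim. The hunk does not show where `crypt_pw` is set, so it is worth confirming that it cannot be empty when this loop runs; the enclosing function begins above the hunk.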
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll
new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll
--- old/disk-encryption-tool-1+git20231214.1708e01/jeos-firstboot-enroll
2023-12-14 11:04:59.000000000 +0100
+++ new/disk-encryption-tool-1+git20231221.d2e7fe6/jeos-firstboot-enroll
2023-12-21 16:03:00.000000000 +0100
@@ -1,17 +1,34 @@
#!/bin/bash
-crypt_keyid=""
with_fido2=
with_tpm2=
+declare -a luks2_devices
+
# After the enrolling, other tools can find this list in the LUKS
# header
pcrs="0,2,4,7,9"
+have_luks2()
+{
+ [ "${#luks2_devices[@]}" -gt 0 ]
+}
+
+detect_luks2()
+{
+ local dev fstype
+ [ -z "$luks2_devices" ] || return 0
+ while read -r dev fstype; do
+ [ "$fstype" = 'crypto_LUKS' ] || continue
+ cryptsetup isLuks --type luks2 "$dev" || continue
+ luks2_devices+=("$dev")
+ done < <(lsblk --noheadings -o PATH,FSTYPE)
+ have_luks2
+}
+
enroll_systemd_firstboot() {
- crypt_keyid="$(keyctl id %user:cryptenroll)"
- [ -n "$crypt_keyid" ] || return 0
[ -e /usr/bin/systemd-cryptenroll ] || return 0
+ detect_luks2 || return 0
local has_fido2=${JEOS_HAS_FIDO2:-}
local has_tpm2=
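Review bot: `detect_luks2` collects every LUKS2 container that `lsblk` reports, so the enrolment loops in `enroll_post` (second and third hunks of this file) will also bind FIDO2/TPM2 tokens to disks that are not part of this installation, such as an attached external drive. Restricting the scan to the devices the system actually boots from, or documenting above the function that all visible LUKS2 devices are enrolled on purpose, would make the scope explicit. Separately, `[ -z "$luks2_devices" ]` tests only element 0 of the array; `have_luks2 && return 0` states the intended "already scanned" check with the helper defined just above. The body of `enroll_systemd_firstboot` continues below the hunk.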
@@ -100,22 +117,16 @@
}
enroll_post() {
- [ -n "$crypt_keyid" ] || return 0
[ -e /usr/bin/systemd-cryptenroll ] || return 0
+ detect_luks2 || return 0
local dev
local fstype
- if [ -z "$crypt_devs" ]; then
- while read -r dev fstype; do
- [ "$fstype" = 'crypto_LUKS' ] || continue
- crypt_devs+=("$dev")
- done < <(lsblk --noheadings -o PATH,FSTYPE)
- fi
crypttab_options="x-initrd.attach"
if [ "$with_fido2" = '1' ]; then
- for dev in "${crypt_devs[@]}"; do
+ for dev in "${luks2_devices[@]}"; do
enroll_fido2 "$dev"
done
crypttab_options+=",fido2-device=auto"
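Review bot: `local fstype` in `enroll_post` is now unused, because the `lsblk` loop that read it moved into `detect_luks2`; the declaration can be dropped. With the `crypt_keyid` guard removed here and in `enroll_systemd_firstboot` (first hunk), enrolment is attempted whenever a LUKS2 device exists. The `enroll_fido2` and `enroll_tpm2` helpers are outside the hunk, so it should be confirmed that they fail cleanly, rather than half-enrol a device, when no `%user:cryptenroll` key is present in the keyring.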
@@ -124,7 +135,7 @@
if [ "$with_tpm2" = '1' ]; then
generate_key
- for dev in "${crypt_devs[@]}"; do
+ for dev in "${luks2_devices[@]}"; do
enroll_tpm2 "$dev"
done
crypttab_options+=",tpm2-device=auto"
++++++ disk-encryption-tool.obsinfo ++++++
--- /var/tmp/diff_new_pack.0phF6A/_old 2023-12-22 22:41:01.135308986 +0100
+++ /var/tmp/diff_new_pack.0phF6A/_new 2023-12-22 22:41:01.139309134 +0100
@@ -1,5 +1,5 @@
name: disk-encryption-tool
-version: 1+git20231214.1708e01
-mtime: 1702548299
-commit: 1708e014184aba1d69c3294a990594a35abbe71c
+version: 1+git20231221.d2e7fe6
+mtime: 1703170980
+commit: d2e7fe6e0781b71a19f35ca4fd27bca559c31fd7