Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tik for openSUSE:Factory checked in at 2025-05-14 17:02:10 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tik (Old) and /work/SRC/openSUSE:Factory/.tik.new.30101 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tik" Wed May 14 17:02:10 2025 rev:27 rq:1277420 version:1.3.12 Changes: -------- --- /work/SRC/openSUSE:Factory/tik/tik.changes 2025-03-31 11:44:00.954240125 +0200 +++ /work/SRC/openSUSE:Factory/.tik.new.30101/tik.changes 2025-05-14 17:02:43.943071303 +0200 @@ -1,0 +2,7 @@ +Wed May 14 12:37:46 UTC 2025 - rbr...@suse.com + +- Update to version 1.3.12: + * [15-encrypt] Generate keys for signing PCR15 predictions + * [15-encrypt|20-mig] Detect if /etc is overlayfs or nested subvolume and mount accordingly (boo#1243063) + +------------------------------------------------------------------- Old: ---- tik-1.3.11.obscpio New: ---- tik-1.3.12.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tik.spec ++++++ --- /var/tmp/diff_new_pack.hGIZvl/_old 2025-05-14 17:02:44.419091293 +0200 +++ /var/tmp/diff_new_pack.hGIZvl/_new 2025-05-14 17:02:44.419091293 +0200 @@ -17,7 +17,7 @@ Name: tik -Version: 1.3.11 +Version: 1.3.12 Release: 0 Summary: Transactional Installation Kit License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.hGIZvl/_old 2025-05-14 17:02:44.447092469 +0200 +++ /var/tmp/diff_new_pack.hGIZvl/_new 2025-05-14 17:02:44.451092638 +0200 @@ -3,7 +3,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/sysrich/tik.git</param> <param name="scm">git</param> - <param name="revision">v1.3.11</param> + <param name="revision">v1.3.12</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.hGIZvl/_old 2025-05-14 17:02:44.479093814 +0200 +++ /var/tmp/diff_new_pack.hGIZvl/_new 2025-05-14 17:02:44.483093981 +0200 
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
 <param name="url">https://github.com/sysrich/tik.git</param>
- <param name="changesrevision">7a5e512088fbcda0f0bba5ee5c873eb1c14d453d</param></service></servicedata>
+ <param name="changesrevision">2aa25814af825db44b28c9fa5f9c402351810620</param></service></servicedata>
(No newline at EOF)
++++++ tik-1.3.11.obscpio -> tik-1.3.12.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.11/usr/lib/tik/modules/post/15-encrypt new/tik-1.3.12/usr/lib/tik/modules/post/15-encrypt
--- old/tik-1.3.11/usr/lib/tik/modules/post/15-encrypt 2025-03-29 15:26:49.000000000 +0100
+++ new/tik-1.3.12/usr/lib/tik/modules/post/15-encrypt 2025-05-14 14:35:08.000000000 +0200
@@ -69,8 +69,13 @@
 done
 prun /usr/bin/mount -o compress=zstd:1,subvol=/@/.snapshots /dev/mapper/aeon_root ${encrypt_dir}/mnt/.snapshots
 prun /usr/bin/mount -o compress=zstd:1,subvol=/@/var /dev/mapper/aeon_root ${encrypt_dir}/mnt/var
- etcmountcmd=$(cat ${encrypt_dir}/mnt/etc/fstab | grep "overlay /etc" | sed 's/\/sysroot\//${encrypt_dir}\/mnt\//g' | sed 's/\/work-etc.*/\/work-etc ${encrypt_dir}\/mnt\/etc\//' | sed 's/overlay \/etc overlay/\/usr\/bin\/mount -t overlay overlay -o/')
- eval prun "$etcmountcmd"
+ # Detect whether /etc is overlay else assume it's a T-U 5.0+ later bind mount
+ if grep -qF 'overlay /etc' ${mig_dir}/mnt/etc/fstab ; then
+ etcmountcmd=$(cat ${mig_dir}/mnt/etc/fstab | grep "overlay /etc" | sed 's/\/sysroot\//${mig_dir}\/mnt\//g' | sed 's/\/work-etc.*/\/work-etc ${mig_dir}\/mnt\/etc\//' | sed 's/overlay \/etc overlay/\/usr\/bin\/mount -t overlay overlay -o/')
+ eval prun "$etcmountcmd"
+ else
+ prun /usr/bin/mount -o bind ${mig_dir}/mnt/etc ${mig_dir}/mnt/etc
+ fi
 prun /usr/bin/mount ${esppart} ${encrypt_dir}/mnt/boot/efi
 prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/run"
 prun /usr/bin/mount -t securityfs securityfs "${encrypt_dir}/mnt/sys/kernel/security"
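Review bot: In the 15-encrypt hunk at `@@ -69,8 +69,13 @@`, the added fstab test, the `etcmountcmd=` line and the bind mount all use `${mig_dir}`, while the removed lines and every surrounding mount use `${encrypt_dir}`; the block appears to have been copied unchanged from 20-mig. `mig_dir` is not assigned anywhere in the visible lines, so unless it happens to hold the same path the check inspects a different tree from the one mounted just above, and an empty value would make it read `/mnt/etc/fstab` and fall through to the bind-mount branch. I would change the test to `if grep -qF 'overlay /etc' "${encrypt_dir}/mnt/etc/fstab"; then`, the fallback to `prun /usr/bin/mount -o bind "${encrypt_dir}/mnt/etc" "${encrypt_dir}/mnt/etc"`, and replace `${mig_dir}` with `${encrypt_dir}` throughout the `etcmountcmd=` line. The enclosing function starts and ends outside the hunk.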
@@ -93,12 +98,18 @@
 cryptUUID=$(lsblk -n -r -d -o UUID ${cryptpart})
 echo "aeon_root UUID=${cryptUUID} none x-initrd.attach${crypttab_opts}" | prun tee ${encrypt_dir}/mnt/etc/crypttab
 echo "# Installing boot loader" > ${encrypt_pipe}
- # If Default mode has been detected, configure PCR policy. In this case,
+ # If Default mode has been detected, configure PCR policy and PCR15 keys.
 # `etc/sysconfig/fde-tools` must be created before any calls to sdbtools,
 # because sdbootutil expects at least one of the configuration files being
 # present. See
 # https://github.com/openSUSE/sdbootutil/commit/8d3db8b01f5681c11054c37145aad3e3973a7741
 if [ "${tik_encrypt_mode}" == 0 ]; then
+ # Generate keys for signing PCR15 predictions
+ local private="${encrypt_dir}/mnt/var/lib/sdbootutil/measure-pcr-private.pem"
+ local public="${encrypt_dir}/mnt/var/lib/sdbootutil/measure-pcr-public.pem"
+ [ -f "$private" ] || prun openssl genrsa -out "$private" 4096
+ # Writes "writing RSA key" in stderr and -noout is not doing what I was expecting
+ [ -f "$public" ] || prun openssl rsa -in "$private" -pubout -out "$public" 2> /dev/null
 # Explaining the chosen PCR list below
 # - 4 - Bootloader and drivers, should never recovery key as bootloader should only be updated with new PCR measurements
 # - 5 - GPT Partition table, should never require recovery key as partition layout shouldn't change
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.3.11/usr/lib/tik/modules/post/20-mig new/tik-1.3.12/usr/lib/tik/modules/post/20-mig
--- old/tik-1.3.11/usr/lib/tik/modules/post/20-mig 2025-03-29 15:26:49.000000000 +0100
+++ new/tik-1.3.12/usr/lib/tik/modules/post/20-mig 2025-05-14 14:35:08.000000000 +0200
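Review bot: In the 15-encrypt hunk at `@@ -93,12 +98,18 @@`, `2> /dev/null` on the `openssl rsa` line discards real errors together with the "writing RSA key" notice, and the `[ -f ... ]` guards accept an empty or truncated PEM left by an earlier failed run, so a broken PCR15 signing key pair could go unnoticed at install time. Testing with `[ -s "$private" ]` and `[ -s "$public" ]` and dropping the redirect (or filtering only the known notice) would surface such a failure; whether `prun` itself stops on a non-zero exit is not visible here. The hunk also relies on openssl's default file mode and the current umask for the private key and assumes `${encrypt_dir}/mnt/var/lib/sdbootutil` already exists, so an explicit `prun chmod 0600 "$private"` after generation plus a comment naming who is expected to read the key would make the intent checkable. The use of `local` implies this runs inside a function whose start and end are outside the hunk.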
@@ -30,8 +30,13 @@
 prun /usr/bin/systemd-repart --pretty 0 --root ${mig_dir}/mnt --dry-run=0 ${probedpart}
 prun /usr/bin/mount -o compress=zstd:1,subvol=/@/var ${probedpart} ${mig_dir}/mnt/var
 prun /lib/systemd/systemd-growfs ${mig_dir}/mnt/var
- etcmountcmd=$(cat ${mig_dir}/mnt/etc/fstab | grep "overlay /etc" | sed 's/\/sysroot\//${mig_dir}\/mnt\//g' | sed 's/\/work-etc.*/\/work-etc ${mig_dir}\/mnt\/etc\//' | sed 's/overlay \/etc overlay/\/usr\/bin\/mount -t overlay overlay -o/')
- eval prun "$etcmountcmd"
+ # Detect whether /etc is overlay else assume it's a T-U 5.0+ later bind mount
+ if grep -qF 'overlay /etc' ${mig_dir}/mnt/etc/fstab ; then
+ etcmountcmd=$(cat ${mig_dir}/mnt/etc/fstab | grep "overlay /etc" | sed 's/\/sysroot\//${mig_dir}\/mnt\//g' | sed 's/\/work-etc.*/\/work-etc ${mig_dir}\/mnt\/etc\//' | sed 's/overlay \/etc overlay/\/usr\/bin\/mount -t overlay overlay -o/')
+ eval prun "$etcmountcmd"
+ else
+ prun /usr/bin/mount -o bind ${mig_dir}/mnt/etc ${mig_dir}/mnt/etc
+ fi
 prun /usr/bin/cat ${mig_dir}/passwd.out | prun tee -a ${mig_dir}/mnt/etc/passwd
 prun /usr/bin/cat ${mig_dir}/group.out | prun tee -a ${mig_dir}/mnt/etc/group
 prun /usr/bin/cat ${mig_dir}/shadow.out | prun tee -a ${mig_dir}/mnt/etc/shadow
@@ -67,4 +72,4 @@
 prun /usr/bin/umount ${mig_dir}/mnt
 prun /usr/bin/rmdir ${mig_dir}/mnt
 [ ! -e /dev/mapper/aeon_root ] || prun /usr/sbin/cryptsetup luksClose aeon_root
-fi
\ No newline at end of file
+fi
++++++ tik.obsinfo ++++++
--- /var/tmp/diff_new_pack.hGIZvl/_old 2025-05-14 17:02:44.615099524 +0200
+++ /var/tmp/diff_new_pack.hGIZvl/_new 2025-05-14 17:02:44.615099524 +0200
@@ -1,5 +1,5 @@
 name: tik
-version: 1.3.11
-mtime: 1743258409
-commit: 7a5e512088fbcda0f0bba5ee5c873eb1c14d453d
+version: 1.3.12
+mtime: 1747226108
+commit: 2aa25814af825db44b28c9fa5f9c402351810620
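Review bot: In the 20-mig hunk at `@@ -30,8 +30,13 @@`, `eval prun "$etcmountcmd"` is kept inside the new `if`, so text read from the target's `etc/fstab` is still parsed by the shell a second time, and `grep -qF 'overlay /etc'` also matches commented-out or repeated entries, all of which end up in the evaluated string. The same lines are added in the 15-encrypt hunk at `@@ -69,8 +69,13 @@`. Anchoring the match, for example `grep -m1 -E '^overlay[[:space:]]+/etc[[:space:]]'`, and handing the rewritten option string to `prun /usr/bin/mount -t overlay overlay -o "$opts" "${mig_dir}/mnt/etc"` as quoted arguments would remove the need for `eval`; the `${mig_dir}` expansions on the new `grep` and bind-mount lines are unquoted as well. The enclosing block continues outside the hunk.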