Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package keylime for openSUSE:Factory checked in at 2022-05-25 20:34:03

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/keylime (Old)
 and      /work/SRC/openSUSE:Factory/.keylime.new.2254 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "keylime" Wed May 25 20:34:03 2022 rev:18 rq:978982 version:6.4.0 Changes: -------- --- /work/SRC/openSUSE:Factory/keylime/keylime.changes 2022-04-16 00:14:14.829648934 +0200 +++ /work/SRC/openSUSE:Factory/.keylime.new.2254/keylime.changes 2022-05-25 20:34:12.896198565 +0200 
@@ -1,0 +2,46 @@ +Mon May 23 12:52:23 UTC 2022 - apla...@suse.com + +- Update to version v6.4.0 (CVE-2022-1053, boo#1199253): + * general: bump Keylime version to 6.4.0 + * tests: adjust tests to reflect latest API changes + * api: bump version to 2.1 + * config: remove unused registrar mTLS options in cloud_verifier section + * tenant, verifier: let the tenant provide the AK and mTLS certificate + * Fix exit call in scripts/download_packit_coverage.sh + * Added codecov.io description to TESTING.md + * ci: only run CodeQL on the keylime directory and disable it for the webapp + * Enable GitHub workflow integrating codecov.io + * README: Fix and cleanup the install instructions + * ima: add backport for dataclasses support for Python 3.6 + * ima: add info that device mapper validation is still experimental + * add lark as a dependency + * ima: integrate dm validator into gernal IMA validation + * agentstates: add the option to load and store dm validator state + * ima: add parser and validator for device mapper entries + * ima_file_signatures: rename to file_signatures + * ima_ast: rename to ast + * ima: move IMA components into their own module + * failure: add function to get current event ids + * config: add more details for tpm_cert_store option + * Deprecate API version 1.0 + * config, webapp: remove tls_check_hostnames option + * ci: add CodeQL analysis + * agent, tpm: remove is_vtpm() check + * tests: update to reflect vTPM removal + * remove vTPM related helper files and documentation + * config: remove vTPM related options + * tenant: remove vtpm_policy + * verifier: remove vtpm_policy + * remove REQUIRE_ROOT environment option + * Remove Testing farm tag-repository + * Bump required packaging module version to 20.0 + * Remove last traces of M2Crypto + * Workaround for mock_open not supporting iteration in Python 3.6 + +------------------------------------------------------------------- +Wed May 18 11:28:14 UTC 2022 - Alberto Planas Dominguez 
<apla...@suse.com> + +- Fix "run_as" configuration parameter and set it to keylime:tss +- Improve downgrade user migration during package update + +------------------------------------------------------------------- Old: ---- keylime-v6.3.2.tar.xz New: ---- keylime-v6.4.0.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ keylime.spec ++++++ --- /var/tmp/diff_new_pack.mJfIFI/_old 2022-05-25 20:34:13.648199614 +0200 +++ /var/tmp/diff_new_pack.mJfIFI/_new 2022-05-25 20:34:13.652199620 +0200 @@ -25,7 +25,7 @@ %bcond_with cfssl %endif Name: keylime -Version: 6.3.2 +Version: 6.4.0 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT @@ -50,6 +50,7 @@ Requires: python-SQLAlchemy Requires: python-alembic Requires: python-cryptography +Requires: python-lark-parser Requires: python-psutil Requires: python-python-gnupg Requires: python-pyzmq @@ -156,11 +157,11 @@ install -Dpm 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf %endif install -Dpm 644 ./services/%{srcname}_agent.service %{buildroot}%{_unitdir}/%{srcname}_agent.service -install -Dpm 644 ./services/%{srcname}_agent_secure.mount %{buildroot}%{_unitdir}/var-lib-keylime-secure.mount +install -Dpm 644 ./services/%{srcname}_agent_secure.mount %{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount install -Dpm 644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service install -Dpm 644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service -install -D -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml +install -D -m 644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname} cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/ 
@@ -199,6 +200,15 @@ %pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre +%post -n %{srcname}-tpm_cert_store +# Help the upgrade process when moving to a non-root services +chown -R keylime:tss %{_sharedstatedir}/%{srcname}/ca 2> /dev/null || : +chown -R keylime:tss %{_sharedstatedir}/%{srcname}/secure 2> /dev/null || : +chown -R keylime:tss %{_sharedstatedir}/%{srcname}/cv_ca 2> /dev/null || : +chown keylime:tss %{_sharedstatedir}/%{srcname}/*.sqlite 2> /dev/null || : +chown keylime:tss %{_sharedstatedir}/%{srcname}/*.yml 2> /dev/null || : +chown keylime:tss %{_sysconfdir}/%{srcname}.conf 2> /dev/null || : + %pre -n %{srcname}-verifier %service_add_pre %{srcname}_verifier.service @@ -225,19 +235,19 @@ %pre -n %{srcname}-agent %service_add_pre %{srcname}_agent.service -%service_add_pre var-lib-keylime-secure.mount +%service_add_pre var-lib-%{srcname}-secure.mount %post -n %{srcname}-agent %service_add_post %{srcname}_agent.service -%service_add_post var-lib-keylime-secure.mount +%service_add_post var-lib-%{srcname}-secure.mount %preun -n %{srcname}-agent %service_del_preun %{srcname}_agent.service -%service_del_preun var-lib-keylime-secure.mount +%service_del_preun var-lib-%{srcname}-secure.mount %postun -n %{srcname}-agent %service_del_postun %{srcname}_agent.service -%service_del_postun var-lib-keylime-secure.mount +%service_del_postun var-lib-%{srcname}-secure.mount %files %{python_files} %doc README.md 
@@ -255,20 +265,20 @@ %files -n %{srcname}-config %if 0%{?suse_version} >= 1550 -%{_prefix}%{_sysconfdir}/%{srcname}.conf +%attr (600,keylime,tss) %{_prefix}%{_sysconfdir}/%{srcname}.conf %else -%config(noreplace) %{_sysconfdir}/%{srcname}.conf +%config(noreplace) %attr (600,keylime,tss) %{_sysconfdir}/%{srcname}.conf %endif %files -n %{srcname}-firewalld %dir %{_prefix}/lib/firewalld %dir %{_prefix}/lib/firewalld/services -%{_prefix}/lib/firewalld/services/keylime.xml +%{_prefix}/lib/firewalld/services/%{srcname}.xml %files -n %{srcname}-tpm_cert_store -%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime -%dir %{_sharedstatedir}/keylime/tpm_cert_store -%{_sharedstatedir}/keylime/tpm_cert_store/* +%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname} +%dir %{_sharedstatedir}/%{srcname}/tpm_cert_store +%{_sharedstatedir}/%{srcname}/tpm_cert_store/* %{_sysusersdir}/%{srcname}-user.conf %files -n %{srcname}-verifier @@ -279,6 +289,6 @@ %files -n %{srcname}-agent %{_unitdir}/%{srcname}_agent.service -%{_unitdir}/var-lib-keylime-secure.mount +%{_unitdir}/var-lib-%{srcname}-secure.mount %changelog ++++++ _service ++++++ --- /var/tmp/diff_new_pack.mJfIFI/_old 2022-05-25 20:34:13.680199659 +0200 +++ /var/tmp/diff_new_pack.mJfIFI/_new 2022-05-25 20:34:13.684199664 +0200 @@ -1,7 +1,7 @@ <services> <service name="tar_scm" mode="disabled"> <param name="versionformat">@PARENT_TAG@</param> - <param name="revision">refs/tags/v6.3.2</param> + <param name="revision">refs/tags/v6.4.0</param> <param name="url">https://github.com/keylime/keylime.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.mJfIFI/_old 2022-05-25 20:34:13.700199687 +0200 +++ /var/tmp/diff_new_pack.mJfIFI/_new 2022-05-25 20:34:13.704199693 +0200 
@@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/keylime/keylime.git</param> - <param name="changesrevision">89e520567f239a663453d83466943ee366a0fba2</param></service></servicedata> + <param name="changesrevision">c8137d941b1813bcf2fbb726e108693c6dc6aec6</param></service></servicedata> (No newline at EOF) ++++++ config-libefivars.diff ++++++ --- /var/tmp/diff_new_pack.mJfIFI/_old 2022-05-25 20:34:13.712199703 +0200 +++ /var/tmp/diff_new_pack.mJfIFI/_new 2022-05-25 20:34:13.712199703 +0200 @@ -1,8 +1,8 @@ -Index: keylime-v6.3.2/keylime/config.py +Index: keylime-v6.4.0/keylime/config.py =================================================================== ---- keylime-v6.3.2.orig/keylime/config.py -+++ keylime-v6.3.2/keylime/config.py -@@ -150,7 +150,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ +--- keylime-v6.4.0.orig/keylime/config.py ++++ keylime-v6.4.0/keylime/config.py +@@ -138,7 +138,7 @@ MEASUREDBOOT_ML = '/sys/kernel/security/ MEASUREDBOOT_IMPORTS = get_config().get('cloud_verifier', 'measured_boot_imports', fallback='').split(',') MEASUREDBOOT_POLICYNAME = get_config().get('cloud_verifier', 'measured_boot_policy_name', fallback='accept-all') ++++++ keylime-v6.3.2.tar.xz -> keylime-v6.4.0.tar.xz ++++++ /work/SRC/openSUSE:Factory/keylime/keylime-v6.3.2.tar.xz /work/SRC/openSUSE:Factory/.keylime.new.2254/keylime-v6.4.0.tar.xz differ: char 15, line 1 ++++++ keylime.conf.diff ++++++ --- /var/tmp/diff_new_pack.mJfIFI/_old 2022-05-25 20:34:13.756199765 +0200 +++ /var/tmp/diff_new_pack.mJfIFI/_new 2022-05-25 20:34:13.760199770 +0200 
@@ -1,8 +1,8 @@ -Index: keylime-v6.3.2/keylime.conf +Index: keylime-v6.4.0/keylime.conf =================================================================== ---- keylime-v6.3.2.orig/keylime.conf -+++ keylime-v6.3.2/keylime.conf -@@ -12,11 +12,13 @@ tls_check_hostnames = False +--- keylime-v6.4.0.orig/keylime.conf ++++ keylime-v6.4.0/keylime.conf +@@ -9,11 +9,13 @@ enable_tls = True # Valid values are "cfssl" or "openssl". For cfssl to work, you must have the # go binary installed in your path or in /usr/local/. # Note: Revocation list generation is only supported by "cfssl". @@ -18,7 +18,7 @@ receive_revocation_port = 8992 #============================================================================= -@@ -24,7 +26,8 @@ receive_revocation_port = 8992 +@@ -21,7 +23,8 @@ receive_revocation_port = 8992 #============================================================================= # The binding address and port for the agent server @@ -28,7 +28,7 @@ cloudagent_port = 9002 # Address and port where the verifier and tenant can connect to reach the agent. -@@ -33,7 +36,8 @@ agent_contact_ip = 127.0.0.1 +@@ -30,7 +33,8 @@ agent_contact_ip = 127.0.0.1 agent_contact_port = 9002 # The address and port of registrar server which agent communicate with @@ -38,7 +38,7 @@ registrar_port = 8890 # The name of the RSA key that Keylime should use for protecting shares of U/V. -@@ -89,7 +93,8 @@ extract_payload_zip = True +@@ -86,7 +90,8 @@ extract_payload_zip = True # 'dmidecode -s system-uuid'. # If you set this to "hostname", Keylime will use the full qualified domain # name of current host as the agent id. @@ -48,7 +48,7 @@ # Whether to listen for revocation notifications from the verifier or not. listen_notifications = True -@@ -148,7 +153,8 @@ max_retries = 4 +@@ -145,7 +150,8 @@ max_retries = 4 # - hashing: sha512, sha384, sha256 or sha1 # - encryption: ecc or rsa # - signing: rsassa, rsapss, ecdsa, ecdaa or ecschnorr 
@@ -58,7 +58,17 @@ tpm_encryption_alg = rsa tpm_signing_alg = rsassa -@@ -184,7 +190,8 @@ run_as = +@@ -171,7 +177,8 @@ ek_handle = generate + # chown keylime /var/lib/keylime/cv_ca + # chown keylime /var/lib/keylime/cv_ca/cacert.crt + # +-run_as = ++# run_as = ++run_as = keylime:tss + + #============================================================================= + [cloud_verifier] +@@ -181,7 +188,8 @@ run_as = cloudverifier_id = default # The IP address and port of verifier server binds to @@ -68,7 +78,7 @@ cloudverifier_port = 8881 # The address and port of registrar server that verifier communicates with -@@ -309,7 +316,8 @@ revocation_notifier = True +@@ -282,7 +290,8 @@ revocation_notifier = True # The binding address and port of the revocation notifier service. # If the 'revocation_notifier' option is set to "true", then the verifier # automatically starts the revocation service. @@ -78,7 +88,7 @@ revocation_notifier_port = 8992 # Enable revocation notifications via webhook. This can be used to notify other -@@ -445,10 +453,12 @@ max_payload_size = 1048576 +@@ -419,7 +428,8 @@ max_payload_size = 1048576 # and SHA-512). # Note that you can't set a policy on PCR10 and PCR16 because Keylime uses # them internally. 
@@ -86,14 +96,9 @@ +# tpm_policy = {"22":["0000000000000000000000000000000000000001","0000000000000000000000000000000000000000000000000000000000000001","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001","ffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff","ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"],"15":["0000000000000000000000000000000000000000","0000000000000000000000000000000000000000000000000000000000000000","000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"]} +tpm_policy = {} - # Same as 'tpm_policy' but for virtual PCRs. --vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"} -+# vtpm_policy = {"23":["ffffffffffffffffffffffffffffffffffffffff","0000000000000000000000000000000000000000"],"15":"0000000000000000000000000000000000000000"} -+vtpm_policy = {} - # Specify the file containing allowlists for processing Linux IMA measurements # this file is used if tenant provides "default" as the allowlist file -@@ -500,7 +510,8 @@ max_retries = 5 +@@ -471,7 +481,8 @@ max_retries = 5 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. @@ -103,7 +108,7 @@ # Optional script to execute to check the EK and/or EK certificate against a # allowlist or any other additional EK processing you want to do. Runs in -@@ -526,7 +537,8 @@ ek_check_script= +@@ -497,7 +508,8 @@ ek_check_script= # The registrar's IP address and port used to communicate with other services # as well as the bind address for the registrar server.
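Review bot: the new changes entry (keylime.changes hunk `@@ -1,0 +2,46 @@`) cites CVE-2022-1053 and boo#1199253 in its heading, but none of the listed upstream items is marked as the change that closes the CVE, so neither a reviewer nor the bug tracker can tell which item is the security fix without reading the upstream history; name the relevant item(s) next to the CVE reference in the entry.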
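Review bot: the new `%post -n %{srcname}-tpm_cert_store` scriptlet (keylime.spec hunk `@@ -199,6 +200,15 @@`) runs its chown block on every install, although its own comment says it exists to help the upgrade to non-root services; gate it with `if [ "$1" -gt 1 ]; then ... fi` so a fresh install relies only on the `%attr` entries and the sysusers file. The `2> /dev/null || :` on every line also hides a missing `keylime` user or a mistyped path, so the scriptlet should at least fail visibly when `getent passwd keylime` finds nothing. Two of the paths belong to other subpackages: `%{_sysconfdir}/%{srcname}.conf` is shipped by `-config`, and `%{_sharedstatedir}/%{srcname}/secure` is the mount point of `var-lib-%{srcname}-secure.mount` from `-agent`, so the chown depends on transaction ordering and, if the tmpfs is mounted while the upgrade runs, changes the mounted filesystem rather than the underlying directory.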
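Review bot: replacing `var-lib-keylime-secure.mount` with `var-lib-%{srcname}-secure.mount` (keylime.spec hunks `@@ -156,11 +157,11 @@`, `@@ -225,19 +235,19 @@` and `@@ -279,6 +289,6 @@`) is only correct as long as `%{srcname}` expands to `keylime`: a systemd mount unit's file name is derived from its mount path (`/var/lib/keylime/secure`), so the literal was not a duplicated string to factor out but a fixed value tied to the unit's `Where=`. Either keep the literal or add a comment noting the coupling, so a later change of the macro does not produce a unit that systemd refuses to load.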
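Review bot: `%attr (600,keylime,tss)` in the `-config` `%files` section (keylime.spec hunk `@@ -255,20 +265,20 @@`) has a space between the macro name and its argument list, while the same hunk writes `%attr(0700,keylime,tss)` a few lines further down; drop the space for consistency and to keep spec linters quiet. Note also that on the `%if 0%{?suse_version} >= 1550` branch the file under `/etc` is not packaged at all, so the `%post` chown of `%{_sysconfdir}/%{srcname}.conf` only acts on a leftover or admin-created copy there.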
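Review bot: setting `run_as = keylime:tss` in keylime.conf.diff (outer hunk `@@ -58,7 +58,17 @@`, inner hunk `@@ -171,7 +177,8 @@`) makes every service drop privileges after start, so the set of paths the spec now chowns (`ca`, `secure`, `cv_ca`, `*.sqlite`, `*.yml` and the config file) has to match every location the verifier, registrar and agent write at runtime; anything outside that list stays root-owned after an upgrade and only fails later with a permission error. The comment block directly above the setting still reads as a manual `chown keylime ...` how-to, which the package now performs in `%post`; one added comment line saying that the openSUSE package pre-sets `run_as` and handles the ownership would save the next reader a trip to the spec.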