Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tik for openSUSE:Factory checked in 
at 2024-08-01 22:04:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tik (Old)
 and      /work/SRC/openSUSE:Factory/.tik.new.7232 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "tik"

Thu Aug  1 22:04:11 2024 rev:16 rq:1190654 version:1.2.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/tik/tik.changes  2024-07-25 16:03:17.985321664 
+0200
+++ /work/SRC/openSUSE:Factory/.tik.new.7232/tik.changes        2024-08-01 
22:04:29.968640054 +0200
@@ -1,0 +2,19 @@
+Wed Jul 31 12:30:38 UTC 2024 - rbr...@suse.com
+
+- Update to version 1.2.3:
+  * encrypt: recoverykey is now always slot #2
+
+-------------------------------------------------------------------
+Wed Jul 31 12:27:03 UTC 2024 - rbr...@suse.com
+
+- Update to version 1.2.2:
+  * encrypt: create passphrase before recoverykey to keep key slot alignment 
with Default Mode
+
+-------------------------------------------------------------------
+Wed Jul 31 12:05:50 UTC 2024 - rbr...@suse.com
+
+- Update to version 1.2.1:
+  * mig: Actually check if /@/home mount fails (boo#1227714)
+  * encrypt: Fix boo#1228416 by doing enrolment in correct order
+
+-------------------------------------------------------------------

Old:
----
  tik-1.2.obscpio

New:
----
  tik-1.2.3.obscpio

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ tik.spec ++++++
--- /var/tmp/diff_new_pack.7EHZ9A/_old  2024-08-01 22:04:30.552664142 +0200
+++ /var/tmp/diff_new_pack.7EHZ9A/_new  2024-08-01 22:04:30.556664307 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           tik
-Version:        1.2
+Version:        1.2.3
 Release:        0
 Summary:        Transactional Installation Kit
 License:        MIT

++++++ _service ++++++
--- /var/tmp/diff_new_pack.7EHZ9A/_old  2024-08-01 22:04:30.580665296 +0200
+++ /var/tmp/diff_new_pack.7EHZ9A/_new  2024-08-01 22:04:30.580665296 +0200
@@ -3,7 +3,7 @@
   <service name="obs_scm" mode="manual">
     <param name="url">https://github.com/sysrich/tik.git</param>
     <param name="scm">git</param>
-    <param name="revision">v1.2</param>
+    <param name="revision">v1.2.3</param>
     <param name="versionformat">@PARENT_TAG@</param>
     <param name="changesgenerate">enable</param>
     <param name="versionrewrite-pattern">v(.*)</param>

++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.7EHZ9A/_old  2024-08-01 22:04:30.600666121 +0200
+++ /var/tmp/diff_new_pack.7EHZ9A/_new  2024-08-01 22:04:30.604666286 +0200
@@ -1,6 +1,6 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/sysrich/tik.git</param>
-              <param 
name="changesrevision">a17b5aa348938da12eeb79a0dbc1f7b257bd0da0</param></service></servicedata>
+              <param 
name="changesrevision">d013149dc0fe0b7acb3a894f73547a846c237d2a</param></service></servicedata>
 (No newline at EOF)
 

++++++ tik-1.2.obscpio -> tik-1.2.3.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tik-1.2/usr/lib/tik/modules/post/15-encrypt 
new/tik-1.2.3/usr/lib/tik/modules/post/15-encrypt
--- old/tik-1.2/usr/lib/tik/modules/post/15-encrypt     2024-07-24 
14:32:45.000000000 +0200
+++ new/tik-1.2.3/usr/lib/tik/modules/post/15-encrypt   2024-07-31 
14:29:58.000000000 +0200
@@ -64,7 +64,7 @@
     prun /usr/sbin/cryptsetup luksOpen --key-file=${tik_keyfile} ${cryptpart} 
aeon_root
     echo "35" > ${encrypt_pipe}
     prun /usr/bin/mount -o compress=zstd:1 /dev/mapper/aeon_root 
${encrypt_dir}/mnt
-    for i in proc dev sys 'sys/firmware/efi/efivars' 'sys/fs/cgroup'; do
+    for i in proc dev sys tmp 'sys/firmware/efi/efivars' 'sys/fs/cgroup'; do
         prun /usr/bin/mount --bind "/$i" "${encrypt_dir}/mnt/$i"
     done
     prun /usr/bin/mount -o compress=zstd:1,subvol=/@/.snapshots 
/dev/mapper/aeon_root ${encrypt_dir}/mnt/.snapshots
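Review bot: The changed `for` line bind-mounts the live installer's `/tmp` into `${encrypt_dir}/mnt`, where the target previously got its own tmpfs (removed in the next hunk), and nothing in the code says why. If the reason is that `${tik_keyfile}` must resolve inside the chroot for the `systemd-cryptenroll` call added further down (an inference, since the key-file path is not visible here), state it in a comment such as `# bind /tmp so the chrooted enrolment can read the installer's key file`. The trade-off to record is that everything in the installer's `/tmp`, including LUKS key material if it lives there, is readable by whatever runs inside the chroot until `close_partition` unmounts it. The unmount list in that function is outside this hunk and should be checked to include `tmp`.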
@@ -73,7 +73,6 @@
     eval prun "$etcmountcmd"
     prun /usr/bin/mount ${esppart} ${encrypt_dir}/mnt/boot/efi
     prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/run"
-    prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/tmp"
     prun /usr/bin/mount -t securityfs securityfs 
"${encrypt_dir}/mnt/sys/kernel/security"
     echo "42" > ${encrypt_pipe}
 }
@@ -133,6 +132,14 @@
 WantedBy=default.target
 EOF
         prun /usr/bin/ln -s 
${encrypt_dir}/mnt/etc/systemd/system/firstboot-update-predictions.service 
${encrypt_dir}/mnt/etc/systemd/system/default.target.wants/firstboot-update-predictions.service
+        log "[configure_encryption] Generating Predictions"
+        echo "# Generating TPM Predictions" > ${encrypt_pipe}
+        prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv 
update-predictions
+        echo "73" > ${encrypt_pipe}
+        log "[configure_encryption] Default Mode - Enrolling ${cryptpart} to 
TPM 2.0"
+        echo "# Enrolling to TPM" > ${encrypt_pipe}
+        prun /usr/bin/chroot ${encrypt_dir}/mnt systemd-cryptenroll 
--unlock-key-file=${tik_keyfile} --tpm2-device=auto ${cryptpart}
+        echo "76" > ${encrypt_pipe}
     fi
 }
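Review bot: The two added `chroot` calls leave `${encrypt_dir}/mnt`, `${tik_keyfile}` and `${cryptpart}` unquoted, while the `mount --bind` loop earlier in this file quotes its paths. Writing `--unlock-key-file="${tik_keyfile}" --tpm2-device=auto "${cryptpart}"` keeps the key-file path and device from being word-split. The order of the two steps is the point of the fix (predictions first, enrolment second), so a one-line comment above the first `log` call, e.g. `# TPM enrolment must run after update-predictions`, would stop a later reshuffle from reintroducing the bug. Whether `prun` aborts when `sdbootutil` fails is not visible here; if it does not, the enrolment would proceed without a fresh prediction and deserves an explicit check. The enclosing function starts outside the hunk.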
 
@@ -143,7 +150,6 @@
         prun /usr/bin/umount "${encrypt_dir}/mnt/$i"
     done
     prun /usr/bin/umount ${encrypt_dir}/mnt
-    prun /usr/bin/rmdir ${encrypt_dir}/mnt
     prun /usr/sbin/cryptsetup luksClose aeon_root
     echo "77" > ${encrypt_pipe}
 }
@@ -167,23 +173,24 @@
     echo "# Adding recovery key to ${cryptpart}" > ${encrypt_pipe}
     log "[add_recoveryKey] adding recovery key to ${cryptpart}"
     prun /usr/sbin/cryptsetup luksAddKey --key-file=${tik_keyfile} 
--batch-mode --force-password "${cryptpart}" <<<"${key}"
-    echo '{"type":"systemd-recovery","keyslots":["1"]}' | prun 
/usr/sbin/cryptsetup token import "${cryptpart}"
+    echo '{"type":"systemd-recovery","keyslots":["2"]}' | prun 
/usr/sbin/cryptsetup token import "${cryptpart}"
     echo "100" > ${encrypt_pipe}
 }
 
 display_recoveryKey() {
     local defaultmsg="This ${TIK_OS_NAME} system is encrypted and checks its 
own integrity on every boot\nIn the event of these integrity checks failing, 
you will need to use the Recovery Key provided below to enter this 
system\n\nLikely reasons for integrity checks failing include:\n\n• UEFI 
System Firmware updated\n• Secure Boot changed from enabled or disabled\n• 
Boot drive was moved to a different computer\n• Disk partitions were 
changed\n• Boot loader or initrd were altered unexpectedly\n\nIf you are 
unaware as to why the system is requesting the recovery key, this systems 
security may have been compromised\nThe best course of action may be to not 
unlock the disk until you can determine what changed to require the Recovery 
Key\n\nThis systems Recovery Key is:\n\n        
<b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure 
location\n\n"
-    local fallbackmsg="This ${TIK_OS_NAME} system is encrypted and will 
require a Passphrase on every boot\n\nYou will be prompted to set the 
Passphrase on the next screen\n\nIn addition a Recovery Key has been 
generated:\n\n        <b><big>${key}</big></b>\n\nPlease save this secret 
Recovery Key in a secure location\nIt may be used to regain access to this 
system if the other Passphrase becomes lost or forgotten\n\n"
+    local fallbackmsg="In addition to your Passphrase a Recovery Key has been 
generated:\n\n        <b><big>${key}</big></b>\n\nPlease save this secret 
Recovery Key in a secure location\nIt may be used to regain access to this 
system if the other Passphrase becomes lost or forgotten\n\n"
     local message
     [ "${tik_encrypt_mode}" == 0 ] && message=${defaultmsg}
     [ "${tik_encrypt_mode}" == 1 ] && message=${fallbackmsg}
     log "[display_recoveryKey] displaying recovery key"
-    zenity --width=500 --height=500 --no-wrap --warning --title="Encryption 
Recovery Key" --text="${message}You may optionally scan the recovery key off 
screen:\n<span face='monospace'>$(qrencode ${key} -t UTF8i)</span>\nFor more 
information please visit <tt>https://aeondesktop.org/encrypt</tt>"
+    zenity --width=500 --height=500 --no-wrap --warning 
--icon=security-high-symbolic --title="Encryption Recovery Key" 
--text="${message}You may optionally scan the recovery key off screen:\n<span 
face='monospace'>$(qrencode ${key} -t UTF8i)</span>\nFor more information 
please visit <tt>https://aeondesktop.org/encrypt</tt>"
     log "[display_recoveryKey] recovery key dialogue dismissed"
 }
 
 add_key() {
     if [ "${tik_encrypt_mode}" == 1 ]; then
+        d --width=500 --height=300 --no-wrap --warning 
--icon=security-high-symbolic --title="Set Encryption Passphrase" --text="This 
${TIK_OS_NAME} system is encrypted and will require a Passphrase on every 
boot\n\nYou will be prompted to set the Passphrase on the next screen\n\nFor 
more information please visit <tt>https://aeondesktop.org/encrypt</tt>"
         log "[add_key] Fallback Mode - Prompting user for passphrase for 
${cryptpart}"
         # Not using 'd' function to avoid logging the password
         while true
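Review bot: The token written by the changed `cryptsetup token import` line names keyslot `2`, but the `luksAddKey` call just above it does not request a slot, so the recovery key lands in whichever slot is free first. The match depends on the call order set in the last hunk of this file (`add_key` before `add_recoveryKey`) and on the TPM or passphrase enrolment having taken slot 1; if that step is skipped or takes a different slot, the `systemd-recovery` token points at the wrong key. Pinning the slot on the add, e.g. `cryptsetup luksAddKey --key-slot 2 ...` (confirm the option spelling against the shipped cryptsetup version), makes the add fail loudly instead of leaving a mismatched token. Separately, the changed `zenity` line still expands `qrencode ${key}` unquoted, which also places the recovery key on a process command line. `add_key` continues past the end of the hunk.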
@@ -200,9 +207,6 @@
                 ;;
             esac
         done
-    else
-        log "[add_key] Default Mode - Enrolling ${cryptpart} to TPM 2.0"
-        prun /usr/bin/systemd-cryptenroll --unlock-key-file=${tik_keyfile} 
--tpm2-device=auto ${cryptpart} > >(d --progress --title="Finalising 
Encryption" --text="Enrolling to TPM 2.0" --pulsate --auto-close --no-cancel 
--width=400)
     fi
 }
 
@@ -212,7 +216,7 @@
 open_partition
 configure_encryption
 close_partition
+add_key
 generate_recoveryKey
 add_recoveryKey
-display_recoveryKey
-add_key
\ No newline at end of file
+display_recoveryKey
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/tik-1.2/usr/lib/tik/modules/pre/20-mig 
new/tik-1.2.3/usr/lib/tik/modules/pre/20-mig
--- old/tik-1.2/usr/lib/tik/modules/pre/20-mig  2024-07-24 14:32:45.000000000 
+0200
+++ new/tik-1.2.3/usr/lib/tik/modules/pre/20-mig        2024-07-31 
14:29:58.000000000 +0200
@@ -81,7 +81,8 @@
 
     if [ -n "${probedpart}" ]; then
         prun /usr/bin/mkdir ${mig_dir}/mnt
-        if prun-opt /usr/bin/mount -o compress=zstd:1,subvol=/@/home 
${probedpart} ${mig_dir}/mnt; then
+        prun-opt /usr/bin/mount -o compress=zstd:1,subvol=/@/home 
${probedpart} ${mig_dir}/mnt
+        if [ ${retval} -eq 0 ]; then
             prun /usr/sbin/btrfs quota rescan -w ${mig_dir}/mnt | d --progress 
--title="Detected existing /home subvolume.." --pulsate --auto-close 
--no-cancel --width=400
             home_size=$(prun /usr/sbin/btrfs qgroup show --raw -f 
${mig_dir}/mnt | grep @/home$ | awk '{print $2}')
             tik_stick_size=$(prun /usr/sbin/btrfs fi usage --raw ${mig_dir} | 
grep estimated | awk '{print $3}')
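Review bot: The new test `[ ${retval} -eq 0 ]` expands `retval` unquoted, so if `prun-opt` leaves it unset or empty the test becomes `[ -eq 0 ]`, prints an error and takes the failure branch for the wrong reason. `retval` is presumably a global set by `prun-opt` (its definition is not in this diff), so a stale value from an earlier call is also possible if that helper ever returns early. Quoting with a failing default, `if [ "${retval:-1}" -eq 0 ]; then`, keeps the mount-failure path deterministic. The `if` block continues beyond the hunk.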

++++++ tik.obsinfo ++++++
--- /var/tmp/diff_new_pack.7EHZ9A/_old  2024-08-01 22:04:30.700670246 +0200
+++ /var/tmp/diff_new_pack.7EHZ9A/_new  2024-08-01 22:04:30.700670246 +0200
@@ -1,5 +1,5 @@
 name: tik
-version: 1.2
-mtime: 1721824365
-commit: a17b5aa348938da12eeb79a0dbc1f7b257bd0da0
+version: 1.2.3
+mtime: 1722428998
+commit: d013149dc0fe0b7acb3a894f73547a846c237d2a
 
