Sync from SUSE:ALP:Source:Standard:1.0 rust-keylime revision a47610bf3ed55ecc9173b1a2d1db5d86

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">a56fc94c2d8c8dc4b48aaf13bf514964ac548aab</param></service></servicedata>
+              <param name="changesrevision">4974f3b6785b2adbd102b724bbd9584836384596</param></service></servicedata>

keylime-agent.conf.diff

@@ -1,8 +1,8 @@
 diff --git i/keylime-agent.conf w/keylime-agent.conf
-index d6e8615..75994c4 100644
+index 49124f3..5dd707b 100644
 --- i/keylime-agent.conf
 +++ w/keylime-agent.conf
-@@ -29,13 +29,15 @@ api_versions = "default"
+@@ -33,14 +33,16 @@ api_versions = "default"
  # of 'SHA256(public EK in PEM format)'.
  #
  # To override, set KEYLIME_AGENT_UUID environment variable.
@@ -10,7 +10,8 @@ index d6e8615..75994c4 100644
 +# uuid = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"
 +uuid = "generate"
  
- # The binding IP address and port for the agent server
+ # The binding IP address or hostname (FQDN) and port for the agent server
+ # Supports IPv4, IPv6, or fully qualified domain names
  #
  # To override ip, set KEYLIME_AGENT_IP environment variable.
  # To override port, set KEYLIME_AGENT_PORT environment variable.
@@ -19,8 +20,8 @@ index d6e8615..75994c4 100644
 +ip = "0.0.0.0"
  port = 9002
  
- # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -51,7 +53,8 @@ contact_port = 9002
+ # Address (IP or hostname/FQDN) and port where the verifier and tenant can connect to reach the agent.
+@@ -58,7 +60,8 @@ contact_port = 9002
  # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
  # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
  # variable.
@@ -30,7 +31,7 @@ index d6e8615..75994c4 100644
  registrar_port = 8890
  
  # Enable mTLS communication between agent, verifier and tenant.
-@@ -161,7 +164,8 @@ revocation_actions_dir = "/usr/libexec/keylime"
+@@ -191,7 +194,8 @@ revocation_actions_dir = "/usr/libexec/keylime"
  # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
  # To override revocation_notification_port, set
  # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.

rust-keylime.changes

@@ -1,3 +1,123 @@
+-------------------------------------------------------------------
+Mon Feb 09 14:44:05 UTC 2026 - aplanas@suse.com
+
+- Update vendored crates (bsc#1257908, CVE-2026-25727)
+  * time 0.3.47
+
+- Update to version 0.2.8+116:
+  * build(deps): bump bytes from 1.7.2 to 1.11.1
+  * api: Modify /version endpoint output in version 2.5
+  * Add API v2.5 with backward-compatible /v2.5/quotes/integrity
+  * tests: add unit test for resolve_agent_id (#1182)
+  * (pull-model): enable retry logic for registration
+  * rpm: Update specfiles to apply on master
+  * workflows: Add test to detect unused crates
+  * lib: Drop unused crates
+  * push-model: Drop unused crates
+  * keylime-agent: Drop unused crates
+  * build(deps): bump uuid from 1.18.1 to 1.19.0
+  * Update reqwest-retry to 0.8, retry-policies to 0.5
+  * rpm: Fix cargo_build macro usage on CentOS Stream
+  * fix(push-model): resolve hash_ek uuid to actual EK hash
+  * build(deps): bump thiserror from 2.0.16 to 2.0.17
+  * workflows: Separate upstream test suite from e2e coverage
+  * Send UEFI measured boot logs as raw bytes (#1173)
+  * auth: Add unit tests for SecretToken implementation
+  * packit: Enable push-attestation tests
+  * resilient_client: Prevent authentication token leakage in logs
+
+-------------------------------------------------------------------
+Wed Jan 07 15:53:59 UTC 2026 - aplanas@suse.com
+
+- Use tmpfiles.d for /var directories (PED-14736)
+  + tmpfiles.keylime renamed to rust-keylime.conf and extended
+
+- Update to version 0.2.8+96:
+  * build(deps): bump wiremock from 0.6.4 to 0.6.5
+  * build(deps): bump actions/checkout from 5 to 6
+  * build(deps): bump chrono from 0.4.41 to 0.4.42
+  * packit: Get coverage from Fedora 43 runs
+  * Fix issues pointed out by clippy
+  * Replace mutex unwraps with proper error handling in TPM library
+  * Remove unused session request methods from StructureFiller
+  * Fix config panic on missing ek_handle in push model agent
+  * build(deps): bump tempfile from 3.21.0 to 3.23.0
+  * build(deps): bump actions/upload-artifact from 4 to 6 (#1163)
+  * Fix clippy warnings project-wide
+  * Add KEYLIME_DIR support for verifier TLS certificates in push model agent
+  * Thread privileged resources and use MeasurementList for IMA reading
+  * Add privileged resource initialization and privilege dropping to push model agent
+  * Fix privilege dropping order in run_as()
+  * add documentation on FQDN hostnames
+  * Remove confusing logs for push mode agent
+  * Set correct default Verifier port (8891->8881) (#1159)
+  * Add verifier_url to reference configuration file (#1158)
+  * Add TLS support for Registrar communication (#1139)
+  * Fix agent handling of 403 registration responses (#1154)
+  * Add minor README.md rephrasing (#1151)
+  * build(deps): bump actions/checkout from 5 to 6 (#1153)
+  * ci: update spec files for packit COPR build
+  * docs: improve challenge encoding and async TPM documentation
+  * refactor: improve middleware and error handling
+  * feat: add authentication client with middleware integration
+  * docker: Include keylime_push_model_agent binary
+  * Include attestation_interval configuration (#1146)
+  * Persist payload keys to avoid attestation failure on restart
+  * crypto: Implement the load or generate pattern for keys
+  * Use simple algorithm specifiers in certification_keys object (#1140)
+  * tests: Enable more tests in CI
+  * Fix RSA2048 algorithm reporting in keylime agent
+  * Remove disabled_signing_algorithms configuration
+  * rpm: Fix metadata patches to apply to current code
+  * workflows/rpm.yml: Use more strict patching
+  * build(deps): bump uuid from 1.17.0 to 1.18.1
+  * Fix ECC algorithm selection and reporting for keylime agent
+  * Improve logging consistency and coherency
+  * Implement minimal RFC compliance for Location header and URI parsing (#1125)
+  * Use separate keys for payload mechanism and mTLS
+  * docker: update rust to 1.81 for distroless Dockerfile
+  * Ensure UEFI log capabilities are set to false
+  * build(deps): bump http from 1.1.0 to 1.3.1
+  * build(deps): bump log from 0.4.27 to 0.4.28
+  * build(deps): bump cfg-if from 1.0.1 to 1.0.3
+  * build(deps): bump actix-rt from 2.10.0 to 2.11.0
+  * build(deps): bump async-trait from 0.1.88 to 0.1.89
+  * build(deps): bump trybuild from 1.0.105 to 1.0.110
+  * Accept evidence handling structures null entries
+  * workflows: Add test to check if RPM patches still apply
+  * CI: Enable test add-agent-with-malformed-ek-cert
+  * config: Fix singleton tests
+  * FSM: Remove needless lifetime annotations (#1105)
+  * rpm: Do not remove wiremock which is now available in Fedora
+  * Use latest Fedora httpdate version (1.0.3)
+  * Enhance coverage with parse_retry_after test
+  * Fix issues reported by CI regarding unwrap() calls
+  * Reuse max retries indicated to the ResilientClient
+  * Include limit of retries to 5 for Retry-After
+  * Add policy to handle Retry-After response headers
+  * build(deps): bump wiremock from 0.6.3 to 0.6.4
+  * build(deps): bump serde_json from 1.0.140 to 1.0.143
+  * build(deps): bump pest_derive from 2.8.0 to 2.8.1
+  * build(deps): bump syn from 2.0.90 to 2.0.106
+  * build(deps): bump tempfile from 3.20.0 to 3.21.0
+  * build(deps): bump thiserror from 2.0.12 to 2.0.16
+  * rpm: Fix patches to apply to current master code
+  * build(deps): bump anyhow from 1.0.98 to 1.0.99
+  * state_machine: Automatically clean config override during tests
+  * config: Implement singleton and factory pattern
+  * testing: Support overriding configuration during tests
+  * feat: implement standalone challenge-response authentication module
+  * structures: rename session structs for clarity and fix typos
+  * tpm: refactor certify_credential_with_iak() into a more generic function
+  * Add Push Model Agent Mermaid FSM chart (#1095)
+  * Add state to avoid exiting on wrong attestation (#1093)
+  * Add 6 alphanumeric lowercase X-Request-ID header
+  * Enhance Evidence Handling response parsing
+  * build(deps): bump quote from 1.0.35 to 1.0.40
+  * build(deps): bump libc from 0.2.172 to 0.2.175
+  * build(deps): bump glob from 0.3.2 to 0.3.3
+  * build(deps): bump actix-web from 4.10.2 to 4.11.0
+
 -------------------------------------------------------------------
 Wed Aug 20 09:26:08 UTC 2025 - aplanas@suse.com
 

rust-keylime.conf

@@ -0,0 +1,5 @@
+#Type Path                   Mode User    Group Age Argument...
+d     /var/log/keylime       0750 keylime tss   -   -
+d     /var/lib/keylime       0700 keylime tss   -   -
+d     /var/lib/keylime/cv_ca 0700 keylime tss   -   -
+d     /run/keylime           0700 keylime tss   -   -

rust-keylime.obsinfo

@@ -1,4 +1,4 @@
 name: rust-keylime
-version: 0.2.8+12
-mtime: 1755679596
-commit: a56fc94c2d8c8dc4b48aaf13bf514964ac548aab
+version: 0.2.8+116
+mtime: 1770636785
+commit: 4974f3b6785b2adbd102b724bbd9584836384596

rust-keylime.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package rust-keylime
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,7 +25,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.2.8+12
+Version:        0.2.8+116
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
@@ -35,7 +35,7 @@ Source1:        vendor.tar.zst
 Source2:        cargo_config
 Source3:        keylime.xml
 Source4:        keylime-user.conf
-Source5:        tmpfiles.keylime
+Source5:        rust-keylime.conf
 Source6:        ima-policy
 Source7:        ima-policy.service
 Source8:        README.suse
@@ -97,13 +97,9 @@ install -Dpm 0644 ./dist/systemd/system/var-lib-keylime-secure.mount %{buildroot
 
 install -Dpm 0644 %{SOURCE3} %{buildroot}%{_prefix}/lib/firewalld/services/keylime.xml
 install -Dpm 0644 %{SOURCE4} %{buildroot}%{_sysusersdir}/keylime-user.conf
-install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/keylime.conf
-install -d %{buildroot}%{_localstatedir}/log/keylime
+install -Dpm 0644 %{SOURCE5} %{buildroot}%{_tmpfilesdir}/rust-keylime.conf
 install -d %{buildroot}%{_libexecdir}/keylime
 
-# Create work directory and the certificate directory
-mkdir -p %{buildroot}%{_sharedstatedir}/keylime/cv_ca
-
 install -Dpm 0644 %{SOURCE6} %{buildroot}%{_sysconfdir}/ima/ima-policy
 install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 
@@ -116,7 +112,7 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 
 %post
 %firewalld_reload
-%tmpfiles_create keylime.conf
+%tmpfiles_create %{_tmpfilesdir}/rust-keylime.conf
 %service_add_post keylime_agent.service
 %service_add_post var-lib-keylime-secure.mount
 
@@ -141,11 +137,9 @@ install -Dpm 0644 %{SOURCE7} %{buildroot}%{_unitdir}/ima-policy.service
 %dir %{_prefix}/lib/firewalld/services
 %{_prefix}/lib/firewalld/services/keylime.xml
 %{_sysusersdir}/keylime-user.conf
-%{_tmpfilesdir}/keylime.conf
-%dir %attr(0750,keylime,tss) %{_localstatedir}/log/keylime
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/rust-keylime.conf
 %dir %attr(0750,keylime,tss) %{_libexecdir}/keylime
-%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime
-%dir %attr(0700,keylime,tss) %{_sharedstatedir}/keylime/cv_ca
 
 %files -n keylime-ima-policy
 %dir %attr(0750,root,root) %{_sysconfdir}/ima

tmpfiles.keylime

@@ -1 +0,0 @@
-d /run/keylime 0700 keylime tss