Sync from SUSE:SLFO:Main keylime revision f123c7a156b68ff6acbe1ca730b48a92

_service

@@ -1,7 +1,7 @@
 <services>
   <service name="tar_scm" mode="manual">
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">refs/tags/v7.7.0</param>
+    <param name="revision">refs/tags/v7.11.0</param>
     <param name="url">https://github.com/keylime/keylime.git</param>
     <param name="scm">git</param>
     <param name="changesgenerate">enable</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/keylime.git</param>
-              <param name="changesrevision">b7af6fef3baefeb41f471d1050ba7a78f9423e5b</param></service></servicedata>
+              <param name="changesrevision">31db17cd1413780e3f4f9b9673c024bc8096b897</param></service></servicedata>

keylime.changes

@@ -1,3 +1,96 @@
+-------------------------------------------------------------------
+Fri Jun 14 08:04:48 UTC 2024 - aplanas@suse.com
+
+- Update to version v7.11.0:
+  * "Monthly" Release (7.11.0)
+  * template mapping change for persisted idevids
+  * add config options for the persisted idevid and iak handles and passwords
+  * templates: Restore the default values
+  * templates: Add version 2.3
+  * convert_config: Use the latest default value for --default
+  * Add new /verify/identity API
+  * PSS padding fix - salt length changed to byte length of digest from length of signature
+  * sign_runtime_policy: Display error message if non-EC key is provided
+  * packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot)
+  * Fix durable attestation in absence of mb_policy
+  * tests: Fix coverage download by supporting new webdrives
+  * templates: verifier: Add require_allow_list_signatures to config file
+  * runtime policy: Raise error on missing key if signature required
+  * runtime policy: Raise error on unsigned policy if signature required
+  * dsse: Remove unused type: ignore comment (mypy)
+
+-------------------------------------------------------------------
+Fri Mar 15 09:11:41 UTC 2024 - aplanas@suse.com
+
+- Update to version v7.10.0:
+  * Monthly Release (7.10.0)
+  * mba: Add a separate table for measured boot policies. In the next PR, similar to named runtime policies, this table will be used to provide support for named measured boot policies and thier management.
+  * user_guide: Add section about 'Key Learning to Verify Files'
+  * docs: fix rendering in PCR example
+  * docs: update PCR monitoring example
+  * templates: Fix typo on default measured boot log location
+  * packit: re-enable tests against Rawhide
+  * elparser: add different escaping required for tpm2-tools >= 5.6
+  * requirements: bump pyasn1-modules to 0.2.5
+
+-------------------------------------------------------------------
+Wed Jan 31 07:25:12 UTC 2024 - aplanas@suse.com
+
+- Update to version v7.9.0:
+  * templates: Add version 2.2, with event log location options
+  * Monthly release (7.9.0)
+  * update roadmap for 2024
+  * Extended the length of `verifier_ip` column to String(255)
+  * mba/e/elchecking: add workaround for non spec compliant firmware
+  * mba/e/example: ignore EV_CPU_MICROCODE, EV_EFI_HANDOFF_TABLES2 and MokListRT
+  * mba/e/example: Allow db entries to be also hashes
+  * mba/elchecking: load imports first
+  * codestyle: Have pyright ignore ffi.NULL
+  * codestyle: Use cast() to set type after splitlines()
+  * codestyle: Replace _ with variable name in abstract method (pyright)
+  * codestyle: Address some issues detected by pyright
+  * codestyle: Remove a 'type: ignore' comment (mypy)
+  * detect template changes - docs
+  * detect template changes - mappings
+  * Tests: Switch code coverage measurement to Fedora 39
+  * Correcting paths in userguide documentation
+  * docs: fix conf.py
+  * Add build os and python version to readthedocs
+  * Fix readthedocs config file location
+  * docs: add additional reading section
+
+-------------------------------------------------------------------
+Tue Dec 05 14:55:25 UTC 2023 - aplanas@suse.com
+
+- Update to version v7.8.0:
+  * Monthly release (7.8.0)
+  * address marcio and stefan comments
+  * Add documentation for IAK and IDevID
+  * templates/2.1: Fix enable_iak_idevid in agent template
+  * support for user mode in run-test.sh
+  * docs: fix small typo in threat model
+  * ca_impl_openssl: support CRL distribution point from config
+  * ca_util: add import functions for private keys
+  * Enable test functional/iak-idevid-register-with-certificates
+  * Replace mailing list address with Slack channel
+  * docs: Add configuration documentation
+  * tests: Add tests for exception cases in configuration update
+  * tests: Add test for update mapping corner cases
+  * convert_config: Add support for update mappings
+  * convert_config: Do not require keylime modules
+  * convert_config: Make the config upgrade less verbose
+  * ima: Report an error if no quote forward-progress was made
+  * codestyle: Modify list generator to avoid annotation issue (pyright)
+  * codestyle: Remove unnecessary type check ignore statement (mypy)
+  * codestyle: Add missing type parameter to generic type 'Pattern' (mypy)
+  * Update packit plan with new tests
+  * Fix typo in Secure Payloads docs
+  * incorrect boolean expression causing ECs to be disallowed
+  * codestyle: Create explicit sighandler with type annotation (pyright)
+  * cert_utils: Ignore malformed certificate files
+  * unit test for cert utils
+  * Add certificates and certificate checking for IDevID and IAK keys
+
 -------------------------------------------------------------------
 Fri Nov 03 15:27:58 UTC 2023 - aplanas@suse.com
 

keylime.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package keylime
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -26,7 +26,7 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           keylime
-Version:        7.7.0
+Version:        7.11.0
 Release:        0
 Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
 License:        Apache-2.0 AND MIT AND BSD-3-Clause
@@ -66,7 +66,7 @@ Requires:       tpm2-0-tss
 Requires:       tpm2.0-abrmd
 Requires:       tpm2.0-tools
 Requires(post): update-alternatives
-Requires(postun):update-alternatives
+Requires(postun): update-alternatives
 Conflicts:      rust-keylime
 BuildArch:      noarch
 %python_subpackages

registrar.conf.diff

@@ -1,7 +1,9 @@
---- config/registrar.conf.ORIG	2023-08-24 09:34:59.228880762 +0200
-+++ config/registrar.conf	2023-08-24 09:36:34.165570356 +0200
+diff --git a/config/registrar.conf b/config/registrar.conf
+index 19f7cb1..3492453 100644
+--- a/config/registrar.conf
++++ b/config/registrar.conf
 @@ -5,7 +5,8 @@
- version = 2.0
+ version = 2.3
  
  # The binding address and port for the registrar server
 -ip = "127.0.0.1"

tenant.conf.diff

@@ -1,6 +1,8 @@
---- tenant.conf.ORIG	2023-03-07 17:08:27.642929656 +0100
-+++ tenant.conf	2023-03-07 17:09:23.018891153 +0100
-@@ -106,7 +106,8 @@
+diff --git a/config/tenant.conf b/config/tenant.conf
+index ead02b8..1b3d921 100644
+--- a/config/tenant.conf
++++ b/config/tenant.conf
+@@ -106,7 +106,8 @@ request_timeout = 60
  # might provide a signed list of EK public key hashes.  Then you could write
  # an ek_check_script that checks the signature of the allowlist and then
  # compares the hash of the given EK with the allowlist.

verifier.conf.diff

@@ -1,6 +1,8 @@
---- config/verifier.conf.ORIG	2023-08-24 09:34:59.222214093 +0200
-+++ config/verifier.conf	2023-08-24 09:37:53.332256150 +0200
-@@ -8,7 +8,8 @@
+diff --git a/config/verifier.conf b/config/verifier.conf
+index 9f65039..4e6191d 100644
+--- a/config/verifier.conf
++++ b/config/verifier.conf
+@@ -8,7 +8,8 @@ version = 2.3
  uuid = default
  
  # The binding address and port for the verifier server
@@ -10,7 +12,7 @@
  port = 8881
  
  # The address and port of registrar server that the verifier communicates with
-@@ -242,7 +243,8 @@
+@@ -245,7 +246,8 @@ require_allow_list_signatures = False
  enabled_revocation_notifications = ['agent']
  
  # The binding address and port of the revocation notifier service via ZeroMQ.