diff --git a/_service b/_service index ed112cf..c0a2666 100644 --- a/_service +++ b/_service @@ -1,7 +1,7 @@ @PARENT_TAG@ - refs/tags/v7.7.0 + refs/tags/v7.11.0 https://github.com/keylime/keylime.git git enable diff --git a/_servicedata b/_servicedata index 7414633..e168362 100644 --- a/_servicedata +++ b/_servicedata @@ -1,4 +1,4 @@ https://github.com/keylime/keylime.git - b7af6fef3baefeb41f471d1050ba7a78f9423e5b \ No newline at end of file + 31db17cd1413780e3f4f9b9673c024bc8096b897 \ No newline at end of file diff --git a/keylime-v7.11.0.tar.xz b/keylime-v7.11.0.tar.xz new file mode 100644 index 0000000..98f0e67 --- /dev/null +++ b/keylime-v7.11.0.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:7c8a1da60eac6fc8fdc8a092289cf62dd3e2875cbdcee066de7f880cfd2449f5 +size 8285980 diff --git a/keylime-v7.7.0.tar.xz b/keylime-v7.7.0.tar.xz deleted file mode 100644 index 19ff0ec..0000000 --- a/keylime-v7.7.0.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e1aee62586f4c2256b33e9c8bb7c1a80e25b6d2f10fa0ce3f65f63464e441921 -size 8255688 diff --git a/keylime.changes b/keylime.changes index 7043371..f42c247 100644 --- a/keylime.changes +++ b/keylime.changes 
@@ -1,3 +1,96 @@ +------------------------------------------------------------------- +Fri Jun 14 08:04:48 UTC 2024 - aplanas@suse.com + +- Update to version v7.11.0: + * "Monthly" Release (7.11.0) + * template mapping change for persisted idevids + * add config options for the persisted idevid and iak handles and passwords + * templates: Restore the default values + * templates: Add version 2.3 + * convert_config: Use the latest default value for --default + * Add new /verify/identity API + * PSS padding fix - salt length changed to byte length of digest from length of signature + * sign_runtime_policy: Display error message if non-EC key is provided + * packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot) + * Fix durable attestation in absence of mb_policy + * tests: Fix coverage download by supporting new webdrives + * templates: verifier: Add require_allow_list_signatures to config file + * runtime policy: Raise error on missing key if signature required + * runtime policy: Raise error on unsigned policy if signature required + * dsse: Remove unused type: ignore comment (mypy) + +------------------------------------------------------------------- +Fri Mar 15 09:11:41 UTC 2024 - aplanas@suse.com + +- Update to version v7.10.0: + * Monthly Release (7.10.0) + * mba: Add a separate table for measured boot policies. In the next PR, similar to named runtime policies, this table will be used to provide support for named measured boot policies and thier management. 
+ * user_guide: Add section about 'Key Learning to Verify Files' + * docs: fix rendering in PCR example + * docs: update PCR monitoring example + * templates: Fix typo on default measured boot log location + * packit: re-enable tests against Rawhide + * elparser: add different escaping required for tpm2-tools >= 5.6 + * requirements: bump pyasn1-modules to 0.2.5 + +------------------------------------------------------------------- +Wed Jan 31 07:25:12 UTC 2024 - aplanas@suse.com + +- Update to version v7.9.0: + * templates: Add version 2.2, with event log location options + * Monthly release (7.9.0) + * update roadmap for 2024 + * Extended the length of `verifier_ip` column to String(255) + * mba/e/elchecking: add workaround for non spec compliant firmware + * mba/e/example: ignore EV_CPU_MICROCODE, EV_EFI_HANDOFF_TABLES2 and MokListRT + * mba/e/example: Allow db entries to be also hashes + * mba/elchecking: load imports first + * codestyle: Have pyright ignore ffi.NULL + * codestyle: Use cast() to set type after splitlines() + * codestyle: Replace _ with variable name in abstract method (pyright) + * codestyle: Address some issues detected by pyright + * codestyle: Remove a 'type: ignore' comment (mypy) + * detect template changes - docs + * detect template changes - mappings + * Tests: Switch code coverage measurement to Fedora 39 + * Correcting paths in userguide documentation + * docs: fix conf.py + * Add build os and python version to readthedocs + * Fix readthedocs config file location + * docs: add additional reading section + +------------------------------------------------------------------- +Tue Dec 05 14:55:25 UTC 2023 - aplanas@suse.com + +- Update to version v7.8.0: + * Monthly release (7.8.0) + * address marcio and stefan comments + * Add documentation for IAK and IDevID + * templates/2.1: Fix enable_iak_idevid in agent template + * support for user mode in run-test.sh + * docs: fix small typo in threat model + * ca_impl_openssl: support CRL 
distribution point from config + * ca_util: add import functions for private keys + * Enable test functional/iak-idevid-register-with-certificates + * Replace mailing list address with Slack channel + * docs: Add configuration documentation + * tests: Add tests for exception cases in configuration update + * tests: Add test for update mapping corner cases + * convert_config: Add support for update mappings + * convert_config: Do not require keylime modules + * convert_config: Make the config upgrade less verbose + * ima: Report an error if no quote forward-progress was made + * codestyle: Modify list generator to avoid annotation issue (pyright) + * codestyle: Remove unnecessary type check ignore statement (mypy) + * codestyle: Add missing type parameter to generic type 'Pattern' (mypy) + * Update packit plan with new tests + * Fix typo in Secure Payloads docs + * incorrect boolean expression causing ECs to be disallowed + * codestyle: Create explicit sighandler with type annotation (pyright) + * cert_utils: Ignore malformed certificate files + * unit test for cert utils + * Add certificates and certificate checking for IDevID and IAK keys + ------------------------------------------------------------------- Fri Nov 03 15:27:58 UTC 2023 - aplanas@suse.com diff --git a/keylime.spec b/keylime.spec index a3c42b8..91880c2 100644 --- a/keylime.spec +++ b/keylime.spec @@ -1,7 +1,7 @@ # # spec file for package keylime # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -26,7 +26,7 @@ %define _config_norepl %config(noreplace) %endif Name: keylime -Version: 7.7.0 +Version: 7.11.0 Release: 0 Summary: Open source TPM software for Bootstrapping and Maintaining Trust License: Apache-2.0 AND MIT AND BSD-3-Clause 
@@ -66,7 +66,7 @@ Requires: tpm2-0-tss Requires: tpm2.0-abrmd Requires: tpm2.0-tools Requires(post): update-alternatives -Requires(postun):update-alternatives +Requires(postun): update-alternatives Conflicts: rust-keylime BuildArch: noarch %python_subpackages diff --git a/registrar.conf.diff b/registrar.conf.diff index 6507c47..6e086bb 100644 --- a/registrar.conf.diff +++ b/registrar.conf.diff @@ -1,7 +1,9 @@ ---- config/registrar.conf.ORIG 2023-08-24 09:34:59.228880762 +0200 -+++ config/registrar.conf 2023-08-24 09:36:34.165570356 +0200 +diff --git a/config/registrar.conf b/config/registrar.conf +index 19f7cb1..3492453 100644 +--- a/config/registrar.conf ++++ b/config/registrar.conf @@ -5,7 +5,8 @@ - version = 2.0 + version = 2.3 # The binding address and port for the registrar server -ip = "127.0.0.1" diff --git a/tenant.conf.diff b/tenant.conf.diff index a6e4d21..3cf116e 100644 --- a/tenant.conf.diff +++ b/tenant.conf.diff @@ -1,6 +1,8 @@ ---- tenant.conf.ORIG 2023-03-07 17:08:27.642929656 +0100 -+++ tenant.conf 2023-03-07 17:09:23.018891153 +0100 -@@ -106,7 +106,8 @@ +diff --git a/config/tenant.conf b/config/tenant.conf +index ead02b8..1b3d921 100644 +--- a/config/tenant.conf ++++ b/config/tenant.conf +@@ -106,7 +106,8 @@ request_timeout = 60 # might provide a signed list of EK public key hashes. Then you could write # an ek_check_script that checks the signature of the allowlist and then # compares the hash of the given EK with the allowlist. diff --git a/verifier.conf.diff b/verifier.conf.diff index b4e5761..afda6ee 100644 --- a/verifier.conf.diff +++ b/verifier.conf.diff 
@@ -1,6 +1,8 @@ ---- config/verifier.conf.ORIG 2023-08-24 09:34:59.222214093 +0200 -+++ config/verifier.conf 2023-08-24 09:37:53.332256150 +0200 -@@ -8,7 +8,8 @@ +diff --git a/config/verifier.conf b/config/verifier.conf +index 9f65039..4e6191d 100644 +--- a/config/verifier.conf ++++ b/config/verifier.conf +@@ -8,7 +8,8 @@ version = 2.3 uuid = default # The binding address and port for the verifier server @@ -10,7 +12,7 @@ port = 8881 # The address and port of registrar server that the verifier communicates with -@@ -242,7 +243,8 @@ +@@ -245,7 +246,8 @@ require_allow_list_signatures = False enabled_revocation_notifications = ['agent'] # The binding address and port of the revocation notifier service via ZeroMQ.
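Review bot: In `_servicedata` the pinned revision moves to `31db17cd1413780e3f4f9b9673c024bc8096b897` while `_service` moves to `refs/tags/v7.11.0`, and nothing in the diff ties the two together. Before accepting, resolve the tag in the upstream repository and confirm it points at that commit, then regenerate `keylime-v7.11.0.tar.xz` from the service run and compare its SHA-256 and size with the `oid sha256:7c8a1da60eac6fc8fdc8a092289cf62dd3e2875cbdcee066de7f880cfd2449f5` and `size 8285980` recorded in the LFS pointer.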
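Review bot: In `keylime.changes`, the v7.11.0 entry lists three changes to verification behaviour as ordinary bullets ("PSS padding fix - salt length changed to byte length of digest from length of signature", "runtime policy: Raise error on missing key if signature required", "runtime policy: Raise error on unsigned policy if signature required") with no word on upgrade impact, although this update jumps from 7.7.0 across four releases. Suggest a short packager line at the top of the entry stating whether existing signed runtime policies or deployments that set signature requirements need action after the update. As a style point, the v7.10.0 "mba:" bullet carries upstream commit-message text ("In the next PR, ...") and the typo "thier"; trimming it to its first sentence would read better in a package changelog.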
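Review bot: The `keylime.spec` hunks change only `Version:`, the copyright year and the spacing of `Requires(postun):`, yet the three `*.conf.diff` patches in this same change switch their headers from the `--- config/registrar.conf.ORIG` form to the `--- a/config/registrar.conf` form, which needs one more path component stripped when applied. Confirm that the patch application in the spec (not shown in this diff) uses a matching strip level, in particular for `tenant.conf.diff`, whose old header was `--- tenant.conf.ORIG` with no `config/` directory at all.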
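Review bot: In `registrar.conf.diff`, the hunk under "# The binding address and port for the registrar server" removes `ip = "127.0.0.1"` and grows the block from 7 to 8 lines, but the lines it adds fall outside the context shown here, so the resulting bind address cannot be reviewed from this diff. Since the patch was regenerated against the 2.3 template, please state in the change description what the packaged default bind address is after the rebase and confirm it is unchanged from the previous package; the same applies to the first hunk of `verifier.conf.diff` under "# The binding address and port for the verifier server".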
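Review bot: In the second hunk of `verifier.conf.diff`, the rebased header `@@ -245,7 +246,8 @@ require_allow_list_signatures = False` shows that the packaged verifier configuration ships with signature enforcement off, while the changelog in this same update notes that the option was added to the template and that the verifier now raises an error on a missing key or an unsigned policy when signatures are required. This is a documentation gap rather than a defect: consider mentioning the option and its default in the package notes so administrators know enforcement is opt-in. The hunk also touches "The binding address and port of the revocation notifier service via ZeroMQ", and the changed lines are again outside the visible context, so the new value should be confirmed against the previous package.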