From 82f1ab8e0a0eadb54bf28315080bc034cd69d248e33af105740ed6b651362d0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrian=20Schr=C3=B6ter?=
Date: Mon, 22 Jul 2024 17:44:37 +0200
Subject: [PATCH] Sync from SUSE:SLFO:Main rust-keylime revision 38dc69a9ff2ea2ca73e1f2f330ee3543
---
 _service | 25 ++-
 _servicedata | 2 +-
 ima-policy.service | 2 +-
 keylime-agent.conf.diff | 2 +-
 ...eylime-0.2.1+git.1682587333.b497f1d.tar.xz | 3 -
 rust-keylime-0.2.6~0.tar.zst | 3 +
 rust-keylime.changes | 196 ++++++++++++++++++
 rust-keylime.obsinfo | 4 +
 rust-keylime.spec | 12 +-
 vendor.tar.xz | 4 +-
 10 files changed, 230 insertions(+), 23 deletions(-)
 delete mode 100644 rust-keylime-0.2.1+git.1682587333.b497f1d.tar.xz
 create mode 100644 rust-keylime-0.2.6~0.tar.zst
 create mode 100644 rust-keylime.obsinfo
diff --git a/_service b/_service
index a02526b..ff215ee 100644
--- a/_service
+++ b/_service
@@ -1,21 +1,28 @@ - - 0.2.1+git.%ct.%h - master + https://github.com/keylime/rust-keylime.git + @PARENT_TAG@~@TAG_OFFSET@ git + v0.2.6 + master + * + v(\d+\.\d+\.\d+) + \1 enable + aplanas@suse.com - - xz + + *.tar + zst + - - + + + rust-keylime - - +
diff --git a/_servicedata b/_servicedata
index 9218265..25f5b4b 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@ https://github.com/keylime/rust-keylime.git - b497f1d9638be6c41b56aaa6855faf7f71c13651 \ No newline at end of file + d75475e728a907b9d556405d13e2b4180aa57322 \ No newline at end of file
diff --git a/ima-policy.service b/ima-policy.service
index fb141f2..2a838a5 100644
--- a/ima-policy.service
+++ b/ima-policy.service
@@ -5,7 +5,7 @@ Description=Load the IMA Policy
 Type=oneshot
 RemainAfterExit=yes
 Environment=IMA_SECFS_POLICY=/sys/kernel/security/ima/policy
-Environment=IMA_POLICY=/etc/ima/ima-policy
+Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD
 ExecStart=bash -c '[ -f $IMA_SECFS_POLICY ] && [ -f $IMA_POLICY ] && cat $IMA_POLICY > $IMA_SECFS_POLICY'
 TimeoutStartSec=0
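Review bot: The switch to `Environment=IMA_POLICY=/etc/ima/ima-policy.POST-SYSTEMD` has no comment saying why the conventional `/etc/ima/ima-policy` path is avoided, and nothing visible in this patch shows the policy file being installed or migrated under the new name. Presumably the suffix keeps systemd's own early-boot IMA loading from consuming the file so that this unit decides when the policy is written; if so, say it in the unit, e.g. `# Not /etc/ima/ima-policy: systemd loads that path itself during early boot`. If the file is absent, the `[ -f $IMA_POLICY ]` test in `ExecStart` fails and no custom IMA policy is loaded, so the agent's measurement list may not cover what the verifier expects; confirm the spec's `%files`/`%install` (outside the visible hunks) ships the new name and that an existing admin-edited `/etc/ima/ima-policy` is handled on upgrade. The unit file starts and ends outside the hunk.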
diff --git a/keylime-agent.conf.diff b/keylime-agent.conf.diff
index 4daee95..08d2bd6 100644
--- a/keylime-agent.conf.diff
+++ b/keylime-agent.conf.diff
@@ -2,7 +2,7 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
 ===================================================================
 --- rust-keylime-0.2.0+git.1677002906.cf6c4f0.orig/keylime-agent.conf
 +++ rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
-@@ -19,13 +19,15 @@ version = "2.0"
+@@ -19,13 +19,15 @@ version = "2.2"
 # of 'SHA256(public EK in PEM format)'.
 #
 # To override, set KEYLIME_AGENT_UUID environment variable.
diff --git a/rust-keylime-0.2.1+git.1682587333.b497f1d.tar.xz b/rust-keylime-0.2.1+git.1682587333.b497f1d.tar.xz
deleted file mode 100644
index 11f32c5..0000000
--- a/rust-keylime-0.2.1+git.1682587333.b497f1d.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:4cc2d80db2d67043c51af0f650e65fc51a33f8562b42a0b964f9643dfdbca429
-size 134972
diff --git a/rust-keylime-0.2.6~0.tar.zst b/rust-keylime-0.2.6~0.tar.zst
new file mode 100644
index 0000000..02435dc
--- /dev/null
+++ b/rust-keylime-0.2.6~0.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:19038bff7afd68bc418b2a161a906010c2e3649ed79e65d1a3eb657f853c8404
+size 180453
diff --git a/rust-keylime.changes b/rust-keylime.changes
index 536128a..6e43cca 100644
--- a/rust-keylime.changes
+++ b/rust-keylime.changes
@@ -1,3 +1,199 @@
+-------------------------------------------------------------------
+Fri Jun 14 07:39:29 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.6~0:
+ * Bump version to 0.2.6
+ * build(deps): bump libc from 0.2.153 to 0.2.155
+ * build(deps): bump serde from 1.0.196 to 1.0.203
+ * rpm/fedora: Update rust macro usage
+ * config: Support hostnames in registrar_ip option
+ * added use of persisted IAK and IDevID and authorisation values
+ * config changes
+ * Adding /agent/info API to agent
+ * Fix leftover 'unnecessary qualification' warnings on tests
+
+-------------------------------------------------------------------
+Thu May 16 13:40:05 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.5~4:
+ * Fix 'unnecessary qualification' warnings
+ * fix IAK template to match IDevID
+ * rpm: fix COPR RPMs build for centos-stream-10
+ * Build COPR RPMs for centos-stream-10
+
+-------------------------------------------------------------------
+Thu May 02 07:31:40 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.5~0:
+ * Bump version to 0.2.5
+ * cargo: Relax required version for pest crate
+ * build(deps): bump log from 0.4.20 to 0.4.21
+ * build(deps): bump thiserror from 1.0.56 to 1.0.59
+
+-------------------------------------------------------------------
+Tue Apr 30 07:52:30 UTC 2024 - aplanas@suse.com
+
+- actix-web update moves rustls as feature (bsc#1223234, CVE-2024-32650)
+- Update to version 0.2.4~39:
+ * build(deps): bump openssl from 0.10.63 to 0.10.64
+ * build(deps): bump h2 from 0.3.24 to 0.3.26
+ * build(deps): bump serde_json from 1.0.107 to 1.0.116
+ * build(deps): bump actix-web from 4.4.1 to 4.5.1
+ * crypto: Enable TLS 1.3
+ * build(deps): bump tempfile from 3.9.0 to 3.10.1
+ * build(deps): bump mio from 0.8.4 to 0.8.11
+ * enable hex values to be used for tpm_ownerpassword
+ * config: Support IPv6 with or without brackets
+ * keylime: Implement a simple IP parser to remove brackets
+ * crypto: Implement CertificateBuilder
to generate certificates
+ * tests: Fix coverage download by supporting arbitrary URL
+ * cargo: Add testing feature to keylime library
+ * Set X509 SAN with local DNSname/IP/IPv6
+ * Include newest Node20 versions for Github actions
+ * tpm: Add unit test for uncovered public functions
+ * crypto: Implement ECC key generation support
+ * crypto: Add test for match_cert_to_template()
+ * Fix minor typo, format and remove end whitespaces
+ * crypto: Make error types less specific
+ * tests/run.sh: Run tarpaulin with a single thread
+ * payloads: Remove explicit drop of channel transmitter
+ * crypto: Move to keylime library
+ * crypto: Add specific type for every possible error
+ * tpm: Rename origin of error as source in structures
+ * list_parser: Add source for error for backtrace
+ * algorithms: Make errors more specific
+ * typo fix for default path to measured boot log file
+ * README: remove mentions of libarchive as a dependency
+ * Dockerfile.wolfi: Update clang to version 17
+ * docker: Remove libarchive as a dependency
+ * rpm: Remove libarchive from dependencies
+ * cargo: Replace compress-tools with zip crate
+ * cargo: Bump ahash to version 0.8.7
+ * build(deps): bump serde from 1.0.195 to 1.0.196
+ * build(deps): bump libc from 0.2.152 to 0.2.153
+ * build(deps): bump reqwest from 0.11.23 to 0.11.24
+ * docker: Install configuration file in the correct path
+ * config: Make IAK/IDevID disabled by default
+
+-------------------------------------------------------------------
+Wed Jan 31 09:22:00 UTC 2024 - aplanas@suse.com
+
+- Update to version 0.2.4+git.1706692574.a744517:
+ * Bump version to 0.2.4
+ * build(deps): bump uuid from 1.4.1 to 1.7.0
+ * keylime-agent.conf: Allow setting event logs paths
+ * Mutable log paths: allow IMA and MBA log paths to be overridden by keylime configuration.
+ * workflows: Update checkout action to version 4
+ * build(deps): bump serde from 1.0.188 to 1.0.195
+ * build(deps): bump pest_derive from 2.7.0 to 2.7.6
+ * build(deps): bump openssl from 0.10.62 to 0.10.63
+ * build(deps): bump config from 0.13.3 to 0.13.4
+ * build(deps): bump base64 from 0.21.4 to 0.21.7
+ * build(deps): bump tempfile from 3.8.0 to 3.9.0
+ * build(deps): bump pest from 2.7.0 to 2.7.6
+ * build(deps): bump actix-web from 4.4.0 to 4.4.1
+ * build(deps): bump reqwest from 0.11.22 to 0.11.23
+ * build(deps): bump h2 from 0.3.17 to 0.3.24
+ * build(deps): bump shlex from 1.1.0 to 1.3.0
+ * cargo: Bump tss-esapi to version 7.4.0
+ * workflows: Fix keylime-bot token usage
+ * tpm: Add error context for every possible error
+ * tpm: Add AlgorithmError to TpmError
+ * detect idevid template from certificates
+ * build(deps): bump wiremock from 0.5.18 to 0.5.22
+ * build(deps): bump thiserror from 1.0.48 to 1.0.56
+ * Make use of workspace dependencies
+ * build(deps): bump openssl from 0.10.57 to 0.10.62
+ * packit: Bump Fedora version used for code coverage
+
+-------------------------------------------------------------------
+Fri Dec 01 10:04:40 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.3+git.1701075380.a5dc985:
+ * build(deps): bump actix-rt from 2.8.0 to 2.9.0
+ * Bump version to 0.2.3
+ * build(deps): bump reqwest from 0.11.20 to 0.11.22
+ * Bump configuration version and fix enable_iak_idevid
+ * Enable test functional/iak-idevid-register-with-certificates
+ * Update packit plan with new tests
+ * Add certificates and certificate checking for IDevID and IAK keys (#669)
+
+-------------------------------------------------------------------
+Fri Nov 03 15:23:05 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.2+git.1697658634.9c7c6fa:
+ * build(deps): bump rustix from 0.37.11 to 0.37.25
+ * build(deps): bump tempfile from 3.6.0 to 3.8.0
+ * build(deps): bump base64 from 0.21.0 to 0.21.4
+ * build(deps): bump serde_json from
1.0.96 to 1.0.107
+ * build(deps): bump openssl from 0.10.55 to 0.10.57
+ * cargo: Bump serde to version 1.0.188
+ * tests: Fix tarpaulin issues with dropped -v option
+ * build(deps): bump signal-hook from 0.3.15 to 0.3.17
+ * build(deps): bump actix-web from 4.3.1 to 4.4.0
+ * build(deps): bump thiserror from 1.0.40 to 1.0.48
+ * Remove private_in_public
+ * Initial PR to add support for IDevID and IAK
+ * build(deps): bump uuid from 1.3.1 to 1.4.1
+ * build(deps): bump log from 0.4.17 to 0.4.20
+ * build(deps): bump reqwest from 0.11.16 to 0.11.20
+ * Do not use too specific version on cargo audit workflow
+ * Add workflow to run cargo-audit security audit
+ * README: update dependencies for Debian and Ubuntu
+ * Use latest versions of checkout/upload-artifacts
+ * docker: Add 'keylime' system user
+ * Use "currently" for swtpm emulator warning (#632)
+ * Update container workflow actions versions
+ * Build container image and push to quay.io
+ * README: update requirements
+
+-------------------------------------------------------------------
+Fri Jul 14 07:31:23 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.2+git.1689256829.3d2b627:
+ * Bump version to 0.2.2
+ * build(deps): bump tempfile from 3.5.0 to 3.6.0
+ * removing SIGINT stop signals from Dockerfiles and systemd service, as well as adding SIGTERM to IMA emulator as shutdown signal
+
+-------------------------------------------------------------------
+Wed Jul 12 14:17:39 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.1+git.1689167094.67ce0cf:
+ * cargo: Bump serde to version 1.0.166
+ * build(deps): bump libc from 0.2.142 to 0.2.147
+ * adding release Dockerfiles in 3 flavours: fedora, distroless and wolfi
+ * hash: add more configurable hash algorithm for public key digest
+ * cargo: Update clap to version 4.3.11
+ * cargo: Bump tokio crate version to 1.28.2
+ * Add an example of IMA policy
+ * main: Gracefully shutdown on SIGTERM or SIGINT
+ * cargo: Bump proc-macro2 crate version
+ *
revocation: Parse revocation actions flexibly
+ * crypto: Add unit tests for x509 functions
+ * crypto: Make internal functions private
+ * config: Add unit test for the list to files mapping
+ * config: Make trusted_client_ca to accept lists
+ * lib: Implement parser for lists from config file
+ * build(deps): bump openssl from 0.10.48 to 0.10.55
+ * Add secure mount sanity test to packit testing.
+ * [packit] Do not let COPR project expire
+
+-------------------------------------------------------------------
+Wed Jun 7 09:08:22 UTC 2023 - Alberto Planas Dominguez
+
+- Recommends the IMA Policy subpackage only if SELinux is configured
+
+-------------------------------------------------------------------
+Mon Jun 05 08:41:33 UTC 2023 - aplanas@suse.com
+
+- Update to version 0.2.1+git.1685699835.3c9d17c:
+ * Remove MOUNT_SECURE bool
+ * rpm: Remove unused directory and add dependency for mount
+ * keylime-agent/src: update API version to 2.1 to consistent with https://github.com/keylime/keylime/blob/master/docs/rest_apis.rst
+ * docker/fedora/keylime_rust.Dockerfile: add the logic of cloning and compiling rust-keylime
+ * [tests] Update test coverage task name regexp
+ * [tests] Simply coverage file URL parsing
+
 -------------------------------------------------------------------
 Thu Apr 27 09:34:45 UTC 2023 - aplanas@suse.com
diff --git a/rust-keylime.obsinfo b/rust-keylime.obsinfo
new file mode 100644
index 0000000..1c36870
--- /dev/null
+++ b/rust-keylime.obsinfo
@@ -0,0 +1,4 @@
+name: rust-keylime
+version: 0.2.6~0
+mtime: 1718091585
+commit: d75475e728a907b9d556405d13e2b4180aa57322
diff --git a/rust-keylime.spec b/rust-keylime.spec
index a8cc727..0959341 100644
--- a/rust-keylime.spec
+++ b/rust-keylime.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package rust-keylime
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,12 +25,12 @@
 %define _config_norepl %config(noreplace)
 %endif
 Name: rust-keylime
-Version: 0.2.1+git.1682587333.b497f1d
+Version: 0.2.6~0
 Release: 0
 Summary: Rust implementation of the keylime agent
-License: Apache-2.0 AND MIT
+License: (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
 URL: https://github.com/keylime/rust-keylime
-Source: rust-keylime-%{version}.tar.xz
+Source: rust-keylime-%{version}.tar.zst
 Source1: vendor.tar.xz
 Source2: cargo_config
 Source3: keylime.xml
@@ -51,7 +51,7 @@ BuildRequires: tpm2-0-tss-devel
 Requires: libtss2-tcti-device0
 Requires: logrotate
 Requires: tpm2.0-abrmd
-Recommends: keylime-ima-policy
+Recommends: (keylime-ima-policy if selinux-policy-targeted)
 Provides: user(keylime)
 %sysusers_requires
 # Disable this line if you wish to support all platforms. In most
@@ -72,7 +72,7 @@ Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
 %prep
 %autosetup -a1 -p1
 mkdir .cargo
-cp %{SOURCE2} .cargo/config
+install -D -m 644 %{SOURCE2} .cargo/config
 %build
 %{cargo_build} --no-default-features
diff --git a/vendor.tar.xz b/vendor.tar.xz
index a40fbfd..fe30e67 100644
--- a/vendor.tar.xz
+++ b/vendor.tar.xz
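Review bot: The new `License:` tag in the `@@ -25,12 +25,12 @@` hunk repeats operands: `(Apache-2.0 OR MIT)` appears three times, `BSD-3-Clause` twice, and `(Apache-2.0 OR MIT OR Zlib)` and `(Apache-2.0 OR Zlib OR MIT)` are the same choice in a different order. It looks like unreduced tool output over the vendored crates; listing each operand once keeps the tag reviewable the next time vendor.tar.xz changes: `License: (Apache-2.0 OR MIT) AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT AND Unicode-DFS-2016`. Separately, `Source:` now ends in `.tar.zst`; the `BuildRequires` block is outside the visible hunks, so confirm a zstd decompressor is available to `%autosetup` in the build root.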
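Review bot: `Recommends: (keylime-ima-policy if selinux-policy-targeted)` in the `@@ -51,7 +51,7 @@` hunk tests whether a package is installed, not whether SELinux is enabled, and the line has no comment explaining why the IMA policy subpackage is tied to SELinux. The changelog entry describes it as recommended "only if SELinux is configured", which is broader than what the condition implements: a host with the targeted policy installed but SELinux disabled still gets the recommendation, and a host using a different policy package never does. A comment above the line would record the intent, e.g. `# The example IMA policy is only recommended alongside the targeted SELinux policy; this checks the package, not the runtime mode`. The preamble continues outside the hunk.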
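Review bot: With `install -D` in the `@@ -72,7 +72,7 @@` hunk the parent directory is created by `install` itself, so the `mkdir .cargo` kept one line above is redundant, and being a plain `mkdir` it aborts `%prep` if the unpacked sources ever contain a `.cargo` directory. Dropping that line, or making it `mkdir -p .cargo`, removes the failure mode. Also consider the target name: newer Cargo releases prefer `.cargo/config.toml` and warn about the extension-less `.cargo/config`, so `install -D -m 644 %{SOURCE2} .cargo/config.toml` is the forward-compatible form if the build root's toolchain accepts it. The content of `cargo_config` is not visible here; presumably it redirects crates.io to the vendored directory, in which case a Cargo that stops reading the file would break the offline build. `%prep` starts and `%build` continues outside the hunk.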
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:0d3fa779a512c37e73c05da973c0fa67420e6e3fc5757e0f4fb5533503a3e85f
-size 31347284
+oid sha256:c72b2693ba2d7c49b6f308eaddc243206b0f7c30af7a17f93719241b7e952afa
+size 30830564