- Update to version 7.14.0+0 (CVE-2026-1709, bsc#1257895):
* Bump version to 7.14.0
* verifier: Delete sessions from the DB and then from the cache
* authentication: Do not persist plaintext tokens
* crypto: Add operation to calculate the hash of a token
* Fix session management bugs and improve security
* authorization: Add documentation explaining authorization framework
* authorization: Add unit tests
* authorization: Add metadata to routes with auth requirement
* authorization: Integrate authorization to action_handler
* authorization: Add access requirement metadata to all routes
* authorization: Add authorization provider manager
* authorization: Add pluggable authorization provider framework
* keylime_oneshot_attestation: Fix measured boot log encoding
* tenant: Log the API version used to communicate with the agent
* tenant: Negotiate API version with the registrar
* scripts: Do not take TPM ownership
* scripts: Remove verifier key parameters from keylime_oneshot_attestation
* /verify/evidence: Return error 400 if no policy is provided
* tpm: handle policies provided as empty strings
* /verify/evidence: Require a policy for TPM evidence type
* ima: Fix deserialization of empty runtime policy
* scripts: Fix keylime_oneshot_attestation for API v2.5
* [Automatic] Update Keylime base image 2026-02-03
* tpm_engine: Fix evidence_class filtering for ima_log
* tpm_engine: Move _add_error() calls to self.attestation
* tpm_engine: Validate that available_subjects is a dict
* verifier: Add missing identity controller and fix routing mixup
* templates: Remove unused agent options, fixed incorrect ones
* templates: Add missing options to the templates
* templates: Fix values to be TOML compatible
* tests: Add unit tests for negotiate_version
* verifier: Only check for version downgrade after first attestation
* docs: Fix documentation regarding behavior of /verify/evidence
* docs: Update v2.5 doc with new agent /version behavior
* tenant, verifier: Implement API version negotiation
* Introduce new API version v2.5
* Fix HTTP 500 error when accessing attestations for agents with no records
* Remove @Controller.require_json_api from GET attestations endpoints
* mba: Fix linting warnings on measured boot code
* CI: Update e2e test plan with new tests
* CI: Switch code coverage measurement to Fedora43
* workflows: Separate upstream test suite from e2e coverage
OBS-URL: https://build.opensuse.org/request/show/1332047
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=109
- Add missing pyasn1 dependency
- Use tmpfiles.d for /var directories (PED-14735)
- Update to version 7.13.0+55:
* [Automatic] Update Keylime base image 2026-01-05
* docs: Document claims response from /verify/evidence
* verify/evidence: Use tee label for TEE verification
* verify/evidence: Change valid response to boolean
* tee/snp: Return SEV-SNP claims upon successful verification
* verify/evidence: Return TPM claims in response
* verify/evidence: Define empty response fields
* [Automatic] Update Keylime base image 2025-12-14
* Fix TypeError when using -m flag without IMA measurement list path
* Increase maximum_attestation_interval
* Do not require wheel for building
* Add session.refresh() before process_get_status()
* Fix PUSH mode attestation status race condition
* Add consecutive_attestation_failures column to legacy VerfierMain model
* Remove operational_state field from status response in push mode
OBS-URL: https://build.opensuse.org/request/show/1326328
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=107
- Update to version 7.13.0+40 (CVE-2025-13609, bsc#1254199):
* Fix registrar duplicate UUID vulnerability (#1825)
* [Automatic] Update Keylime base image 2025-12-01
* Include new attestation information fields (#1818)
* Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
* ci: add push model tests to the packit plan
* push-model: require HTTPS for authentication and attestation endpoints
* Fix operational_state tracking in push mode attestations
* templates: add push model authentication config options to 2.5 templates
* Improve test coverage for authentication components
* Security: Hash authentication tokens in logs
* Fix stale IMA policy cache in verification
* Fix authentication behavior on failed attestations for push mode
* Add shared memory infrastructure for multiprocess communication
* Add agent authentication (challenge/response) protocol for push mode
* Convert CRLF to LF line endings in attestation_controller.py
* Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
* [Automatic] Update Keylime base image (2025-11-01) (#1816)
* docs: Fix man page RST formatting for rst2man compatibility (#1813)
* tests: Enable more tests in CI
* Apply limit on keylime-policy workers
* tpm: fix ECC signature parsing to support variable-length coordinates
* tpm: fix ECC P-521 credential activation with consistent marshaling
* tpm: fix ECC P-521 coordinate validation
* tests: Test keylime-policy both for filelist-ext.xml match and mismatch (#1806)
* [Automatic] Update Keylime base image 2025-10-01
* Remove deprecated disabled_signing_algorithms configuration option (#1804)
* algorithms: add support for specific RSA algorithms
* algorithms: add support for specific ECC curve algorithms
* Update manages based on review feedback
* Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
* Manpage for keylime agent
* Manpage for keylime verifier
* Manpage for keylime registrar
* Use constants for timeout and max retries defaults
* tests: Add unit tests for the timeout configuration
* verifier: Use timeout from `request_timeout` config option
* revocation_notifier: Use timeout setting from config file
* tenant: Set timeout when getting version from agent
* verify/evidence: SEV-SNP evidence type/verifier
* verify/evidence: Add evidence type to request JSON
- Update to version v7.13.0:
* Bump version to 7.13.0
* Avoid re-encoding certificate stored in DB
* Revert "models: Do not re-encode certificate stored in DB"
* Revert "registrar_agent: Use pyasn1 to parse PEM"
* CI: Enable test add-agent-with-malformed-ek-cert
* [Automatic] Update Keylime base image 2025-09-01
* policy/sign: use print() when writing to /dev/stdout
* registrar_agent: Use pyasn1 to parse PEM
* models: Do not re-encode certificate stored in DB
* mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
* Fix minor typo (exponantial->exponential)
* mb: support vendor_db as logged by newer shim versions
* mb: support EV_EFI_HANDOFF_TABLES events on PCR1
* Remove unnecessary configuration values
* cloud_verifier_tornado: handle exception in notify_error()
* requests_client: close the session at the end of the resource manager
* Manpage for keylime_tenant (#1786)
* Add 2.5 templates including Push Model changes
* [Automatic] Update Keylime base image 2025-08-01
* Initial version of verify evidence API
* packit: Enable connection leak test in CI
* db: Do not read pool size and max overflow for sqlite
* Use context managers to close DB sessions
* revocations: Try to send notifications on shutdown
* verifier: Gracefully shutdown on signal
* [Automatic] Update Keylime base image 2025-07-01
* Use `fork` as `multiprocessing` start method
* Fix inaccuracy in threat model and add reference to SBAT
* Explain TPM properties and expand vTPM discussion
* Misc formatting fixes
* Add diagrams and tweak formatting
* Fix formatting issues
* Fix invalid RST and update TOC
* Expand threat model page to include adversarial model
* CI: Enable CONTAINER_ENGINE to allow other engines
* Add --push-model option to avoid requests to agents
* [Automatic] Update Keylime base image 2025-06-04
* docker: Remove tpm2-tools compilation from base image
* tests: fix rpm repo tests from create-runtime-policy
* tests: skip measured-boot related tests for s390x and ppc64le
* templates: duplicate str_to_version() in the adjust script
* policy: fix mypy issues with rpm_repo
* revocation_notifier: fix mypy issue by replacing deprecated call
* Fix create_runtime_policy in python < 3.12
* [Automatic] Update Keylime base image 2025-06-02
* Fix after review
* fixed CONSTANT names C0103 errors
* [Automatic] Update Keylime base image 2025-05-02
* [Automatic] Update Keylime base image 2025-04-04
* [Automatic] Update Keylime base image 2025-04-01
* Extend meta_data field in verifierdb
* docs: update issue templates
* docs: add GitHub PR template with documentation reminders
* [Automatic] Update Keylime base image 2025-03-10
* tpm_util: fix quote signature extraction for ECDSA
* packit: Add compatibility/api_version_compatibility test
* registrar: Log API versions during startup
* lint: Fix mypy warnings
* Remove excessive logging on exception
* tests: change test_mba_parsing to not need keylime installed
* scripts: Fix coverage information downloading script
OBS-URL: https://build.opensuse.org/request/show/1321781
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=105
- Update to version v7.12.0:
* Bump version to 7.12.0
* API: Add /version endpoint to registrar
* Remove unused registrar_common.py file
* scripts: Download coverage data directly from Testing Farm
* docs: Add separate documentation for each API version
* scripts/create_runtime_policy.sh: fix path for the exclude list
* docs: add documentation for keylime-policy
* [Automatic] Update Keylime base image 2025-01-02
* templates: Add the new agent.conf option 'api_versions'
* Enable autocompletion using argcomplete
* build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
* test: remove typed-ast from test-requirements.txt
* tests: fix rpm tests to account for older createrepo_c versions
* Configure EPEL-10 repo in packit-ci.fmf
* packit: Fix typo to run keylime-policy-commands test
* build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
* build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
* docker/ci: Add xxd to the CI image
* docker/ci: Fix CI image build for dnf5
* build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
* build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
* keylime-policy: improve error handling when provided a bad key (sign)
* keylime-policy: exit with status 1 when the commands failed
* keylime-policy: use Certificate() from models.base to validate certs
* keylime-policy: check for valid cert file when using x509 backend (sign)
* keylime-policy: fix help for "keylime-policy sign" verb
* tenant: Correctly log number of tries when deleting
* tests: Use Fedora 41 to generate code coverage
* [Automatic] Update Keylime base image 2024-12-02
* update TCTI environment variable usage
* build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
* keylime-policy: add `create measured-boot' subcommand
* keylime-policy: add `sign runtime' subcommand
* keylime-policy: add logger to use with the policy tool
* docker/release/build_locally.sh: Fail if skopeo is not installed
* installer.sh: Restore execution permission
* installer: Fix string comparison
* build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
* build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
* build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
* installer.sh: updated EPEL, PEP668 Fix, logic fix
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
* build(deps): bump actions/checkout from 4.2.1 to 4.2.2
* postgresql support for docker using psycopg2
* [Automatic] Update Keylime base image 2024-11-04
* End of term for @maugustosilva + propose @ansasaki
* installer.sh: update package list, add workaround for PEP 668
* build(deps): bump actions/checkout from 4.2.0 to 4.2.1
* keylime.conf: full removal
* Drop pending SPDX-License-Identifier headers
* create_runtime_policy: Validate algorithm from IMA measurement log
* test_create_runtime_policy: Add test for mismatching algorithms
* create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
* create_runtime_policy: drop commment with test data
* create_runtime_policy: Use a common method to guess algorithm
* keylime-policy: rename tool to keylime-policy instead of keylime_policy
* keylime_policy: create runtime: remove --use-ima-measurement-list
* keylime_policy: use consistent arg names for create_runtime_policy
* tests: Add more tests to Packit CI
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
* build(deps): bump actions/checkout from 4.1.7 to 4.2.0
* [Automatic] Update Keylime base image 2024-10-01
* elchecking/example: workaround empty PK, KEK, db and dbx
* elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
* create_runtime_policy: Fix log level for debug messages
* build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
* build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
* pylintrc: Ignore too-many-positional-arguments check
* keylime/web/base/controller: Move TypeAlias definition out of class
* test_create_runtime_policy: Add tests for algorithm priority
* test_create_runtime_policy: Add test case for symbolic links
* create_runtime_policy: Calculate digests in multiple threads
* create_runtime_policy: Allow rootfs to be in any directory
* keylime_policy: Calculate digests from each source separately
* create_runtime_policy: Simplify boot_aggregate parsing
* ima: Validate JSON when loading IMA Keyring from string
* docs: include IDevID page also in the sidebar
* docs: point to installation guide from RHEL and SLE Micro
* build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
* build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
* change check_tpm_origin_check to a warning that does not prevent registration
* docs: Fix Runtime Policy JSON schema to reflect the reality
* README: update meeting time to 16:00 UK time
* [Automatic] Update Keylime base image 2024-09-11
* Sets absolute path for files inside a rootfs dir
* policy/create_runtime_policy: fix handling of empty lines in exclude list
* keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
* tests: apply workarounds to known bugs
* codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
* codestyle: convert bytearrays to bytes to get expected type (pyright)
* codestyle: Use new variables after changing datatype (pyright)
* Revert "DO NOT MERGE, TEMPORARY COMMIT"
* [Automatic] Update Keylime base image 2024-08-16
* Lint: ignore reportArgumentType and reportInvalidTypeForm errors
* docker: Install latest Keylime during image build
* cert_utils: add description why loading using cryptography might fail
* Enable test functional/iak-idevid-persisted-and-protected
* ima: list names of the runtime policies
* tests: Enable test /sanity/opened-conf-files
* build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
* DO NOT MERGE, TEMPORARY COMMIT
* tox: Use python 3.10 instead of 3.6
* revocation_notifier: Use web_util to generate TLS context
* mba: Add a skip custom policies option when loading mba.
* build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* workflows/base-image: Add latest tag to the CI image build
* test: add setuptools to test-requirements.txt
* keylime/models/registrar: attempt to make pylint happy
* test: update green version in test/test-requirements.txt
* test/run_tests.sh: take into account non-zero exit status from pytest
* cmd/keylime_policy: add tool to handle keylime policies
* cert_utils: add is_x509_cert()
* common/algorithms: transform Encrypt and Sign class into enums
* common/algorithms: add method to calculate digest of a file
* [Automatic] Update Keylime base image 2024-08-02
* workflows/base-image: Fix CI image build context
* docker/ci: Add test dependency needed for PR#1568
* workflow/base-image: Drop duplicated job ID
* [Automatic] Update Keylime base image 2024-07-31
* docker: Build CI image together with the base image
* build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* workflows/update-base-image: Add a signoff to the automatic PR
* workflows/container: Fix typo on sed command
* docker: Build base image separately
* build(deps): bump docker/login-action from 3.2.0 to 3.3.0
* build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
* build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
* build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
* build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
* tpm: Replace KDFs and ECDH implementations with python-cryptography
* build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
* build(deps): bump docker/login-action from 2.2.0 to 3.2.0
* Update .github/workflows/pypi-release.yml
* Update .github/workflows/test.yml
* build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
* ci: disable Packit testing for Rawhide
* docker/release/base: Explicitly add the registry for base
* ci: use CODECOV_TOKEN for coverage file upload
* build(deps): bump actions/first-interaction
* build(deps): bump actions/checkout from 2.7.0 to 4.1.7
* docker/ci: Add test dependencies from #1568
* docker: Update images to use Fedora 40
* Added limit by mistake for dependabot
* Adds dependabot
* Add Frizbee Action
* Change Docker and Action Tags to Digests
* revocation_notifier: Explicitly add CA certificate bundle
* Introduce new REST API framework and refactor registrar implementation
* mba: Support named measured boot policies
* tenant: add friendlier error message if mTLS CA is wrongly configured
* ca_impl_openssl: Mark extensions as critical following RFC 5280
* Include Authority Key Identifier in KL-generated certs
* verifier, tenant: make payload for agent completely optional
OBS-URL: https://build.opensuse.org/request/show/1240484
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=97
- Update to version v7.11.0:
* "Monthly" Release (7.11.0)
* template mapping change for persisted idevids
* add config options for the persisted idevid and iak handles and passwords
* templates: Restore the default values
* templates: Add version 2.3
* convert_config: Use the latest default value for --default
* Add new /verify/identity API
* PSS padding fix - salt length changed to byte length of digest from length of signature
* sign_runtime_policy: Display error message if non-EC key is provided
* packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot)
* Fix durable attestation in absence of mb_policy
* tests: Fix coverage download by supporting new webdrives
* templates: verifier: Add require_allow_list_signatures to config file
* runtime policy: Raise error on missing key if signature required
* runtime policy: Raise error on unsigned policy if signature required
* dsse: Remove unused type: ignore comment (mypy)
OBS-URL: https://build.opensuse.org/request/show/1180844
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=95
- Update to version v7.10.0:
* Monthly Release (7.10.0)
* mba: Add a separate table for measured boot policies. In the next PR, similar to named runtime policies, this table will be used to provide support for named measured boot policies and thier management.
* user_guide: Add section about 'Key Learning to Verify Files'
* docs: fix rendering in PCR example
* docs: update PCR monitoring example
* templates: Fix typo on default measured boot log location
* packit: re-enable tests against Rawhide
* elparser: add different escaping required for tpm2-tools >= 5.6
* requirements: bump pyasn1-modules to 0.2.5
OBS-URL: https://build.opensuse.org/request/show/1158171
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=93
- Update to version v7.9.0:
* templates: Add version 2.2, with event log location options
* Monthly release (7.9.0)
* update roadmap for 2024
* Extended the length of `verifier_ip` column to String(255)
* mba/e/elchecking: add workaround for non spec compliant firmware
* mba/e/example: ignore EV_CPU_MICROCODE, EV_EFI_HANDOFF_TABLES2 and MokListRT
* mba/e/example: Allow db entries to be also hashes
* mba/elchecking: load imports first
* codestyle: Have pyright ignore ffi.NULL
* codestyle: Use cast() to set type after splitlines()
* codestyle: Replace _ with variable name in abstract method (pyright)
* codestyle: Address some issues detected by pyright
* codestyle: Remove a 'type: ignore' comment (mypy)
* detect template changes - docs
* detect template changes - mappings
* Tests: Switch code coverage measurement to Fedora 39
* Correcting paths in userguide documentation
* docs: fix conf.py
* Add build os and python version to readthedocs
* Fix readthedocs config file location
* docs: add additional reading section
- Update to version v7.8.0:
* Monthly release (7.8.0)
* address marcio and stefan comments
* Add documentation for IAK and IDevID
* templates/2.1: Fix enable_iak_idevid in agent template
* support for user mode in run-test.sh
* docs: fix small typo in threat model
* ca_impl_openssl: support CRL distribution point from config
* ca_util: add import functions for private keys
* Enable test functional/iak-idevid-register-with-certificates
* Replace mailing list address with Slack channel
* docs: Add configuration documentation
* tests: Add tests for exception cases in configuration update
* tests: Add test for update mapping corner cases
* convert_config: Add support for update mappings
* convert_config: Do not require keylime modules
* convert_config: Make the config upgrade less verbose
* ima: Report an error if no quote forward-progress was made
* codestyle: Modify list generator to avoid annotation issue (pyright)
* codestyle: Remove unnecessary type check ignore statement (mypy)
* codestyle: Add missing type parameter to generic type 'Pattern' (mypy)
* Update packit plan with new tests
* Fix typo in Secure Payloads docs
* incorrect boolean expression causing ECs to be disallowed
* codestyle: Create explicit sighandler with type annotation (pyright)
* cert_utils: Ignore malformed certificate files
* unit test for cert utils
* Add certificates and certificate checking for IDevID and IAK keys
OBS-URL: https://build.opensuse.org/request/show/1142946
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=91
- Update to version v7.7.0:
* Monthly release (7.7.0)
* tpm_cert_store: add the Nationz TPM EK x509 cert
* codestyle: Have mypy ignore import of PoolManager
* codestyle: Suppress pyright errors on methods that do exist
* codestyle: Annotate some string constances (pyright)
* types: Fix a deprecation warning from recent cryptography
* create_policy: Set the generator value to LegacyAllowList
* verifier: Compare generator against enum rather than magic '1'
* Fix pylint C0103 (naming) errors in some files
* crypto: Fix a pyright issue
* test: Fix a pyright issue
OBS-URL: https://build.opensuse.org/request/show/1123259
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=89
- Update to version v7.6.0:
* Monthly release (7.6.0)
* test-requirements: remove types-atomicwrites
* Fixed an inappropriate test expression to remove a logical short circuit
* remove prov_db_filename from config
* Fix for key parse error in tpm2_objects
* Fix mapping.json path in the comments
* ima: Emit a warning when a file signature could not be parsed
* Initial PR to add support for IDevID and IAK
* Implement automatic agent API version bump
* tests: avoid fail when epel-release is installed
OBS-URL: https://build.opensuse.org/request/show/1114719
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=87
- Update to version v7.5.0 (CVE-2023-38201, bsc#1213314):
* Monthly release (7.5.0)
* Fix for CVE-2023-38201 (Security Advisory GHSA-f4r5-q63f-gcww)
* verifier: should read parameters from verifier.conf only
* tests: Correctly configure kernel IMA
* Handle session close using a session manager
* requirements.txt: update the need sqlalchemy version to 1.3.12 and above.
* elchecking/example: add ignores for EV_PLATFORM_CONFIG_FLAGS
* tpm_cert_store: add the Alibaba Cloud vTPM EK x509 cert
* installer.sh: use the -i parameter to set the default binding and listening IP about the agent, verifier, and registrar server is 127.0.0.1 or 0.0.0.0
* installer.sh: remove the unused command line params
* Update container build workflow actions
* mba: Manage the number of times measure boot attestation is done.
* codestyle: Fix access to possibly not available package 'rpm' (pyright)
* templates/2.0/mapping.json: fix the default registrar_port error in the verifier config
OBS-URL: https://build.opensuse.org/request/show/1105559
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=84
- Add BSD-3-Clause license
- Update to version v7.4.0 (CVE-2023-38200, bsc#1213310):
* Monthly release (7.4.0)
* codestyle: Fix tsa_rfc3161.py and have it pyright checked
* installer.sh: support Anolis OS whose ID is anolis
* tpm_util: Add the BSD license to the file due to functions from TPM 2 code
* codestyle: Have pyright check keylime/da directory
* docs: add missing options for verifier, remove vactivate
* codestyle: Have pyright check mba/elchecking/ except for example.py
* registrar_common: fix style complain
* registrar_common: fix missing select and sock
* Changes to script create_runtime_policy.sh, fixes#1426
* tenant: non-zero exit code in case of error
* mba: making MBA policy parser and checker pluggable
* create_runtime_policy: fix bash typo
* Extend Registrar SSL socket to be non-blocking
* Several improvements for the "create_runtime_policy.sh" script
* tpm_util: Replace a logger.error with an Exception in case of invalid signature
* tpm_util: Remove useless comparison of always identical hashes
* tests: Disable Packit CI on Rawhide due to infra issues
* adding kubectl to tenant docker image
- Drop migrations_use_sa_text_for_raw_SQL.patch, merged upstream
OBS-URL: https://build.opensuse.org/request/show/1101909
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=82
- Add BSD-3-Clause license
- Update to version v7.4.0 (CVE-2023-38200):
* Monthly release (7.4.0)
* codestyle: Fix tsa_rfc3161.py and have it pyright checked
* installer.sh: support Anolis OS whose ID is anolis
* tpm_util: Add the BSD license to the file due to functions from TPM 2 code
* codestyle: Have pyright check keylime/da directory
* docs: add missing options for verifier, remove vactivate
* codestyle: Have pyright check mba/elchecking/ except for example.py
* registrar_common: fix style complain
* registrar_common: fix missing select and sock
* Changes to script create_runtime_policy.sh, fixes#1426
* tenant: non-zero exit code in case of error
* mba: making MBA policy parser and checker pluggable
* create_runtime_policy: fix bash typo
* Extend Registrar SSL socket to be non-blocking
* Several improvements for the "create_runtime_policy.sh" script
* tpm_util: Replace a logger.error with an Exception in case of invalid signature
* tpm_util: Remove useless comparison of always identical hashes
* tests: Disable Packit CI on Rawhide due to infra issues
* adding kubectl to tenant docker image
OBS-URL: https://build.opensuse.org/request/show/1101906
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=81
- Drop migrations_use_sa_text_for_raw_SQL.patch, merged upstream
- Update to version v7.3.0:
* Monthly release (7.3.0)
* tenant: log cleanup and output improvements
* mba: moving the boot event log parsing to the MBA subdirectory
* Add secure mount sanity test to packit testing
* templates: Set empty string as default value for tpm_ownerpassword
* migrations: use sa.text for raw SQL
* ima: only log the accept list on validation failure
* ima: remove code used for reading the IMA log from disk
* tpm: Move functions from tpm_astract.py to tpm_util.py
* tpm: Move splitting of quote string into reusable function
* tpm: Change default value of Hash parameter to Hash.SHA256 from None
* [tests] Enable basic allowlist/excludelist test
* installer.sh: update TPM2TOOLS_VER to 5.5 and cherry-pick patches to fix the bug of parsing for most newer logs with the tpm2_eventlog command.
* web_util: Remove check for code being 'None' since it is always an int
* verifier: Remove possibility for agent to be None and remove error case
* verifier: Remove conversion of agent to dict
* verifier: Remove possibility for agent to be None and remove error case
* verifier: Remove check for agent is None since it cannot be None
- Add migrations_use_sa_text_for_raw_SQL.patch to fix migrations in
new SQLAlchemy versions
OBS-URL: https://build.opensuse.org/request/show/1098382
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=79
- Update to version v7.2.5:
* bump version to 7.2.5
* installer.sh: remove unused codes
* tpm: Implement BigNum context creation and usage
* tpm: Implement int2bn and bn2int in our class
* tpm_util: Add EC key support for makecredential in python
* tpm: Replace tpm2_makecredential with python implementation
* tpm_util: Implement makecredential in python
* tpm2_objects: Return parameters when unmarshalling tpm2b_public
* The first of several PRs to clean up MBA
* verifier: Update agent dict values only after checking each value
* verifier: Remove assignment to variable overwritten immediately after
* registrar: Reformat initialization of dictionary
* registrar: Check for error case aik_enc being None first
* tpm_main: Remove unused run() method
* tpm_main: Remove unnecessary code for support of tpm2_quote
* tpm_main: Get rid of hashdigest() method
* tpm_main: Get rid of start_hash and use get_start_hash() of given Hash
* algorithms: Make get_START_HASH and get_FF_HASH methods of Hash
* Use <bytes>.hex() to create hex string
* Use bytes.fromhex() instead of codecs for parsing of string with hex number
* Tpm: Rename START_HASH to start_hash
* Tpm: Remove unused parameters of __run method
* tpm: Move EXIT_SUCCESS outside class scope
* tpm: Rename tpm class to Tpm
* tpm: Access agent_id directory from structure
* codestyle: Fix issues detected by older pylint 2.13.9
* tpm: Get rid of AbstractTPM class
* codestyle: Add missing annotations to test_ima_dm.py to pass pyright
* pypright: Remove ignored files that do not exist anymore
* ima: Replace usage of codec to parse hex string with bytes.fromhex()
* ima: Replace usage of codec with hex() method on bytes
* ima: Validate proper JSON before trying to convert from string to JSON
* tenant: fixes a (timing) issue whenever an agent is removed and re-added
* verifier: Simplify initialization of agent_data dict
* verifier: Use kwargs to pass ssl_context if it exists
* verifier: Return an Empty Dict rather than None in case of error
* verifier: Use get() on dict rather than catching an Exception
* cloud_verifier: AgentsHandler: Consolidate checking of input parameters
* registrar: Consolidate __validate_input() in BaseHandler
* registrar: ProtectedHandler: Refactor __validate_input
* registrar: UnprotectedHandler: Consolidate checking of input parameters
* registrar: ProtectedHandler: Consolidate checking of input parameters
* docs: remove Vagrant setup
* registrar: Move getting network parameters into own function
* [tests] Update test coverage task name regexp
* tenant: report when the keystore fails
* ca_util: fix captured exception
* [tests] Simply coverage file URL parsing
* tpm+ima: Convert tables to hold instances of hashers
* docs/rest_apis.rst: remove the comma at the end of the JSON string
* tpm: Activate tpm2_checkquote replacement code
* tests: Add test case for checkquote and parsing of tpms_attest
* tpm: Implement tpm2_checkquote in python
* README.md: fix the invalid URL about IMA stub service.
* README.md: fix the script name(./services/installer.sh) error
* installer.sh: support Alibaba Cloud Linux OS whose ID is alinux
* web_util: handle tls_dir default with cacerts correctly
* codestyle: Add pyright ignore annoatations due to pyright 1.1.306
* codestyle: Ignore import of NoResultFound from sqlalchemy 1.3 file
* CI/CD: Run pyright as part of tox
* agentstates: Reformat construction of returned dictionary
* docker: fix tpm2-tools build
* docker: upate to newer tpm2-tools version
* docs/installation.rst: add the missing popd command in the manual deployment.
* tpm: Implement function to extract clock info from TPMS_ATTEST
* [tests] Reduce duplication in packit-ci test plan
* Enable Packit CI again on all Fedora releases
* Redefine the list of maintainers taking into account activity on the last 12 months, proposing a few new names to be added (please feel free to decline)
OBS-URL: https://build.opensuse.org/request/show/1090851
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=77
- Remove the agent subpackage
- Remove keylime_ima_emulator binary
- Add keylime_create_policy and keylime_sign_runtime_policy
- Update to version v7.0.0:
* bump version to 7.0.0
* bump to version 6.8.0
* build-sys: Use comma-separated list for running multiple linters
* tenant: Add brackets to ipv6 addresses when used in URL
* registrar: Detect IPv6 addresses to bind to and set address_family
* setup.cfg: use license_files instead of license_file
* Do not run Packit tests on F38
* tests: Use Rust agent from COPR for e2e tests
* tenant: Raise a UserError on status_code != 200 returned from server
* Add missing test from keylime testsuite to e2e plan
* tests: remove tpm2-tss downgrade as Fedora bug got fixed
* da: non-zero exit code for attestation replay failures.
* ca:CLI utilities (keylime_ca,keylime_tenant) read password from ca.conf
* log: add a barebones log config in case configuration files not present
* Fix typo
* Use subtest in unittest.
* create_policy: Strip newline from file path read from measurement list
* create_policy: Validate policies against the JSON schema
* create_policy: Clarify help text for IMA measurement list
* create_policy: Add list of ignored keyrings after processing base policy
* create_policy: Add support for adding an IMA exclude list to the policy
* create_policy: Avoid duplicate entries in lists
* codestyle: Annotate with RuntimePolicyType and adapt code
* codestyle: Import urllib to make pyright happy
* Introduce PathLike_str for older python versions
* codestyle: Annotate create_policy.py and add to mypy
* docs: Update docs to reflect renaming of create_policy tool
* create_policy: Fix issues related to filelists-ext
* Move create_policy to keylime/cmd and install as keylime_create_policy
* Implement DSSE signature verification for runtime policies
* tenant: Raise UserError on (add/update)runtimepolicy status codes 401
* tests: Split unittests into two runs to avoid issue
* ima: Add a JSON schema for the runtime policy and use it on given policies
* Implement DSSE policy signing tool
* ima: Derive RUNTIME_POLICY_GENERATOR from enum.IntEnum
* packit: use rust agent for e2e tests
* services: remove agent systemd services
* tests: remove unused code
* tests: remove agent from config test
* tpm_ek_ca: remove check_tpm_cert_store(..) function
* tpm, measured boot: remove refrences to virtual TPMs
* tpm: remove unsed variables and some refactoring
* algorithms: remove unused from_algorithm method
* mpypy, pyright: remove refrences to agent in ignores
* config: remove refrences to agent
* crypto: remove unused functions
* secure_mount: removal
* tpm: remove unsed functions
* registar_client: remove functions only used by the agent
* user_utils: removal
* revocation notifier: remove zeroMQ client code
* ca_util: remove listen command and related functions
* revocation actions: remove all
* ima emulator: full removal
* agent: remove agent code
* agentstates: rename tpm_clocking to tpm_clockinfo
OBS-URL: https://build.opensuse.org/request/show/1082913
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=73
- Update to version v6.7.0:
* codestyle: Define RuntimePolicyType and use it
* ima: Move type defitions from ima_dm.py to types.py
* docs: fix docs
* End of term for @mpeters + propose @maugustosilva
* verifier: Activate every m-th agent starting at the n-th agent on a worker
* verifier: Read list of agents early on
* create_policy: read the hashes from filelists-ext
* tests: remove restful test and simplify test scripts
* tests: config move agent config example to verifier
* Update source code mapping in codecov.yml
* ima: do not validate against the allowlist if signature was already validated
* Disable e2e on Rawhide due to RHBZ#2171376
* roadmap: update for 2023
* readme: remove installation instructions, update outdated information
* db: switch to pessimistic disconnect handling
* Add timestamp of last successful attestation to verifier API
* tpm: improve logging for tpm and measured boot policy
* da: fixes for breakages on durable Attestation
* codestyle: Fully annotate cloud_verifier_tornado and add to mypy
* create_policy: clarify IMA on links
* create_policy: be explicit on opening binary files
* create_policy: use public variants for RPM flags
* create_policy: remote repository IMA extraction
* create_policy: local RPM repository IMA extraction
* create_policy: remove the experimental status
* create_policy: print into stderr
* signing: small refactor on the code
* Add missing e2e tests and reordering tests based on alphabetical order
* verifier,tenant : fix IMA runtime policy bug (issue #1306)
* e2e tests: Fix test name (#1307)
* verifier: fixing type issues (#1272)
* config: improve support for (log-based) debugging
* Fix stray references to "IMA policies" in conversion script
* tests: only keep test specific packages in test-requirements.txt
* codestyle: Have pyright ignore assignments of values to DB columns
* codestyle: Call type conversion functions on agent's DB columns
* codestyle: Fully annotate cloud_verifier_common.py and add to mypy
* codestyle: Have pyright ignore the parameter passed to the update() function
* codestyle: Have pyright ignore fields used to select columns to load
* codestyle: Add an assert to the returned update_agent to avoid pyright errors
* codesyle: Fix annotations of notify functions in revocation_notifier.py
OBS-URL: https://build.opensuse.org/request/show/1071406
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=71
- Update to version v6.6.0:
* bump version to 6.6.0
* codestyle: Annotate registrar_common.py and add to mypy
* codestyle: Type-annotate tenant.py
* codestyle: Type-annotate registrar_client.py and add to mypy
* black: Upgrade to new 23.1.0 and reformat some sources
* pylint: Fix an issue related to usage of dict R1735 (use-dict-literal)
* pylint: Fix two issues related to C0325 (superfluous-parens)
* pylint: Fix an unreachable-code issue
* pylintrc: Ignore W0719 (broad-exception-raised)
* codestyle: Type-annotate revocation_notifier.py and add to mypy
* CI/CD: Use later version of actions for style-checks
* pre-commit: Use isort v5.12 and black v22.12
* migrations: Move bind parameter from MetaData() to reflect() method
* pylint: Ignore newly reported too-many-ancestors issue
* docker/ci: Remove image used for TPM 1.2 tests
* docker/ci: Update ci image to base on Fedora 37
* docs: Update IMA instructions to new runtime policy format
* docs: point newcomers to the design document
* docs: add basic (m)TLS instructions to the installation guide
* docs: update REST APIs TLS documentation to match new default setup
* docs: remove old development instructions, move dev conainter section
* docs: update theme to min 1.1.0
* docs: fix formatting of example IMA-policy
* codestyle: Get rid of casts on return value from get_tpm_metadata()
* codestyle: Add missing type annotations to tpm_main.py and add to mypy
* codestyle: Add missing type annotations to tpm_abstract.py and add to mypy
* tenant: Implement updateallowlist command to update an existing allowlist
* verifier: Implement PUT method to update named allowlist
* verifier: AllowlistHandler: Move getting runtime policy in DB format to function
* verifier: AllowlistHandler: Deduplicate code validating REST API input
* verifier: proper support for listening on 0.0.0.0 (fixes#705)
* script: Remove unused argument argv
* pylintc: Remove outdated modules from list of ignore modules
* Rename keylime_agent_secure.mount to comply policy
* scripts: Also copy excluded files and verification keys from base policy
* scripts: Improve descriptions in create_policy tool
* scripts: Add user-provided keys to the policy
* scripts: update create_policy script to latest runtime policy JSON format
* Rename "create_allowlist.sh" to "create_runtime_policy.sh"
* Implement major Keylime policy overhaul
OBS-URL: https://build.opensuse.org/request/show/1063018
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=63
