Update to keylime-7.13.0+40 (CVE-2025-13609, bsc#1254199)

Signed-off-by: Alberto Planas <aplanas@suse.com>

_service

@@ -1,14 +1,20 @@
 <services>
-  <service name="tar_scm" mode="manual">
+  <service mode="manual" name="obs_scm">
-    <param name="versionformat">@PARENT_TAG@</param>
-    <param name="revision">refs/tags/v7.11.0</param>
     <param name="url">https://github.com/keylime/keylime.git</param>
+    <!-- <param name="versionformat">@PARENT_TAG@</param> -->
+    <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
     <param name="scm">git</param>
+    <param name="revision">v7.13.0</param>
+    <param name="revision">master</param>
+    <param name="match-tag">*</param>
+    <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
+    <param name="versionrewrite-replacement">\1</param>
     <param name="changesgenerate">enable</param>
+    <param name="changesauthor">aplanas@suse.com</param>
   </service>
-  <service name="recompress" mode="manual">
+  <service mode="manual" name="tar" />
-    <param name="compression">xz</param>
+  <service mode="manual" name="recompress">
     <param name="file">*.tar</param>
+    <param name="compression">xz</param>
   </service>
-  <service name="set_version" mode="manual"/>
 </services>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/keylime.git</param>
-              <param name="changesrevision">31db17cd1413780e3f4f9b9673c024bc8096b897</param></service></servicedata>
+              <param name="changesrevision">dc75773679b1862e3b571f513e5aa9904efaf136</param></service></servicedata>

keylime.changes

@@ -1,3 +1,295 @@
+-------------------------------------------------------------------
+Tue Dec 09 13:34:39 UTC 2025 - aplanas@suse.com
+
+- Update to version 7.13.0+40 (CVE-2025-13609, bsc#1254199):
+  * Fix registrar duplicate UUID vulnerability (#1825)
+  * [Automatic] Update Keylime base image 2025-12-01
+  * Include new attestation information fields (#1818)
+  * Fix Database race conditions and SQLAlchemy 2.0 compatibility (#1823)
+  * ci: add push model tests to the packit plan
+  * push-model: require HTTPS for authentication and attestation endpoints
+  * Fix operational_state tracking in push mode attestations
+  * templates: add push model authentication config options to 2.5 templates
+  * Improve test coverage for authentication components
+  * Security: Hash authentication tokens in logs
+  * Fix stale IMA policy cache in verification
+  * Fix authentication behavior on failed attestations for push mode
+  * Add shared memory infrastructure for multiprocess communication
+  * Add agent authentication (challenge/response) protocol for push mode
+  * Convert CRLF to LF line endings in attestation_controller.py
+  * Add agent-driven (push) attestation protocol with PULL mode regression fixes (#1814)
+  * [Automatic] Update Keylime base image (2025-11-01) (#1816)
+  * docs: Fix man page RST formatting for rst2man compatibility (#1813)
+  * tests: Enable more tests in CI
+  * Apply limit on keylime-policy workers
+  * tpm: fix ECC signature parsing to support variable-length coordinates
+  * tpm: fix ECC P-521 credential activation with consistent marshaling
+  * tpm: fix ECC P-521 coordinate validation
+  * tests: Test keylime-policy both for filelist-ext.xml match and mismatch (#1806)
+  * [Automatic] Update Keylime base image 2025-10-01
+  * Remove deprecated disabled_signing_algorithms configuration option (#1804)
+  * algorithms: add support for specific RSA algorithms
+  * algorithms: add support for specific ECC curve algorithms
+  * Update manages based on review feedback
+  * Created manpage for keylime-policy and edited manpages for keylime verifier, registrar, agent
+  * Manpage for keylime agent
+  * Manpage for keylime verifier
+  * Manpage for keylime registrar
+  * Use constants for timeout and max retries defaults
+  * tests: Add unit tests for the timeout configuration
+  * verifier: Use timeout from `request_timeout` config option
+  * revocation_notifier: Use timeout setting from config file
+  * tenant: Set timeout when getting version from agent
+  * verify/evidence: SEV-SNP evidence type/verifier
+  * verify/evidence: Add evidence type to request JSON
+
+-------------------------------------------------------------------
+Tue Dec 09 13:07:30 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version v7.13.0:
+  * Bump version to 7.13.0
+  * Avoid re-encoding certificate stored in DB
+  * Revert "models: Do not re-encode certificate stored in DB"
+  * Revert "registrar_agent: Use pyasn1 to parse PEM"
+  * CI: Enable test add-agent-with-malformed-ek-cert
+  * [Automatic] Update Keylime base image 2025-09-01
+  * policy/sign: use print() when writing to /dev/stdout
+  * registrar_agent: Use pyasn1 to parse PEM
+  * models: Do not re-encode certificate stored in DB
+  * mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
+  * Fix minor typo (exponantial->exponential)
+  * mb: support vendor_db as logged by newer shim versions
+  * mb: support EV_EFI_HANDOFF_TABLES events on PCR1
+  * Remove unnecessary configuration values
+  * cloud_verifier_tornado: handle exception in notify_error()
+  * requests_client: close the session at the end of the resource manager
+  * Manpage for keylime_tenant (#1786)
+  * Add 2.5 templates including Push Model changes
+  * [Automatic] Update Keylime base image 2025-08-01
+  * Initial version of verify evidence API
+  * packit: Enable connection leak test in CI
+  * db: Do not read pool size and max overflow for sqlite
+  * Use context managers to close DB sessions
+  * revocations: Try to send notifications on shutdown
+  * verifier: Gracefully shutdown on signal
+  * [Automatic] Update Keylime base image 2025-07-01
+  * Use `fork` as `multiprocessing` start method
+  * Fix inaccuracy in threat model and add reference to SBAT
+  * Explain TPM properties and expand vTPM discussion
+  * Misc formatting fixes
+  * Add diagrams and tweak formatting
+  * Fix formatting issues
+  * Fix invalid RST and update TOC
+  * Expand threat model page to include adversarial model
+  * CI: Enable CONTAINER_ENGINE to allow other engines
+  * Add --push-model option to avoid requests to agents
+  * [Automatic] Update Keylime base image 2025-06-04
+  * docker: Remove tpm2-tools compilation from base image
+  * tests: fix rpm repo tests from create-runtime-policy
+  * tests: skip measured-boot related tests for s390x and ppc64le
+  * templates: duplicate str_to_version() in the adjust script
+  * policy: fix mypy issues with rpm_repo
+  * revocation_notifier: fix mypy issue by replacing deprecated call
+  * Fix create_runtime_policy in python < 3.12
+  * [Automatic] Update Keylime base image 2025-06-02
+  * Fix after review
+  * fixed CONSTANT names C0103 errors
+  * [Automatic] Update Keylime base image 2025-05-02
+  * [Automatic] Update Keylime base image 2025-04-04
+  * [Automatic] Update Keylime base image 2025-04-01
+  * Extend meta_data field in verifierdb
+  * docs: update issue templates
+  * docs: add GitHub PR template with documentation reminders
+  * [Automatic] Update Keylime base image 2025-03-10
+  * tpm_util: fix quote signature extraction for ECDSA
+  * packit: Add compatibility/api_version_compatibility test
+  * registrar: Log API versions during startup
+  * lint: Fix mypy warnings
+  * Remove excessive logging on exception
+  * tests: change test_mba_parsing to not need keylime installed
+  * scripts: Fix coverage information downloading script
+
+-------------------------------------------------------------------
+Thu Aug 21 09:20:06 UTC 2025 - Markéta Machová <mmachova@suse.com>
+
+- Convert to libalternatives on SLE-16-based and newer systems
+
+-------------------------------------------------------------------
+Tue Aug 12 11:48:30 UTC 2025 - Nico Krapp <nico.krapp@suse.com>
+
+- Switch to pyproject macros
+
+-------------------------------------------------------------------
+Fri Feb 14 12:59:04 UTC 2025 - aplanas@suse.com
+
+- Update to version v7.12.1 (CVE-2025-1057, bsc#1237153):
+  * Bump version to 7.12.1
+  * models: Add Base64Bytes type to read and write from the database
+  * Simplify response check from registrar
+  * [Automatic] Update Keylime base image 2025-02-01
+
+-------------------------------------------------------------------
+Mon Jan 27 08:32:00 UTC 2025 - aplanas@suse.com
+
+- Update to version v7.12.0:
+  * Bump version to 7.12.0
+  * API: Add /version endpoint to registrar
+  * Remove unused registrar_common.py file
+  * scripts: Download coverage data directly from Testing Farm
+  * docs: Add separate documentation for each API version
+  * scripts/create_runtime_policy.sh: fix path for the exclude list
+  * docs: add documentation for keylime-policy
+  * [Automatic] Update Keylime base image 2025-01-02
+  * templates: Add the new agent.conf option 'api_versions'
+  * Enable autocompletion using argcomplete
+  * build(deps): bump codecov/codecov-action from 5.1.1 to 5.1.2
+  * test: remove typed-ast from test-requirements.txt
+  * tests: fix rpm tests to account for older createrepo_c versions
+  * Configure EPEL-10 repo in packit-ci.fmf
+  * packit: Fix typo to run keylime-policy-commands test
+  * build(deps): bump codecov/codecov-action from 5.0.2 to 5.1.1
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.12.0 to 1.12.3
+  * docker/ci: Add xxd to the CI image
+  * docker/ci: Fix CI image build for dnf5
+  * build(deps): bump docker/metadata-action from 5.5.1 to 5.6.1
+  * build(deps): bump docker/build-push-action from 6.9.0 to 6.10.0
+  * keylime-policy: improve error handling when provided a bad key (sign)
+  * keylime-policy: exit with status 1 when the commands failed
+  * keylime-policy: use Certificate() from models.base to validate certs
+  * keylime-policy: check for valid cert file when using x509 backend (sign)
+  * keylime-policy: fix help for "keylime-policy sign" verb
+  * tenant: Correctly log number of tries when deleting
+  * tests: Use Fedora 41 to generate code coverage
+  * [Automatic] Update Keylime base image 2024-12-02
+  * update TCTI environment variable usage
+  * build(deps): bump codecov/codecov-action from 4.6.0 to 5.0.2
+  * keylime-policy: add `create measured-boot' subcommand
+  * keylime-policy: add `sign runtime' subcommand
+  * keylime-policy: add logger to use with the policy tool
+  * docker/release/build_locally.sh: Fail if skopeo is not installed
+  * installer.sh: Restore execution permission
+  * installer: Fix string comparison
+  * build(deps): bump docker/build-push-action from 6.7.0 to 6.9.0
+  * build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.11.0 to 1.12.0
+  * build(deps): bump actions/setup-python from 5.2.0 to 5.3.0
+  * installer.sh: updated EPEL, PEP668 Fix, logic fix
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.3 to 1.11.0
+  * build(deps): bump actions/checkout from 4.2.1 to 4.2.2
+  * postgresql support for docker using psycopg2
+  * [Automatic] Update Keylime base image 2024-11-04
+  * End of term for @maugustosilva + propose @ansasaki
+  * installer.sh: update package list, add workaround for PEP 668
+  * build(deps): bump actions/checkout from 4.2.0 to 4.2.1
+  * keylime.conf: full removal
+  * Drop pending SPDX-License-Identifier headers
+  * create_runtime_policy: Validate algorithm from IMA measurement log
+  * test_create_runtime_policy: Add test for mismatching algorithms
+  * create-runtime-policy: Deal with SHA-256 and SM3_256 ambiguity
+  * create_runtime_policy: drop commment with test data
+  * create_runtime_policy: Use a common method to guess algorithm
+  * keylime-policy: rename tool to keylime-policy instead of keylime_policy
+  * keylime_policy: create runtime: remove --use-ima-measurement-list
+  * keylime_policy: use consistent arg names for create_runtime_policy
+  * tests: Add more tests to Packit CI
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.2 to 1.10.3
+  * build(deps): bump actions/checkout from 4.1.7 to 4.2.0
+  * [Automatic] Update Keylime base image 2024-10-01
+  * elchecking/example: workaround empty PK, KEK, db and dbx
+  * elchecking: add handling for EV_EFI_PLATFORM_FIRMWARE_BLOB2
+  * create_runtime_policy: Fix log level for debug messages
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.10.1 to 1.10.2
+  * build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5
+  * pylintrc: Ignore too-many-positional-arguments check
+  * keylime/web/base/controller: Move TypeAlias definition out of class
+  * test_create_runtime_policy: Add tests for algorithm priority
+  * test_create_runtime_policy: Add test case for symbolic links
+  * create_runtime_policy: Calculate digests in multiple threads
+  * create_runtime_policy: Allow rootfs to be in any directory
+  * keylime_policy: Calculate digests from each source separately
+  * create_runtime_policy: Simplify boot_aggregate parsing
+  * ima: Validate JSON when loading IMA Keyring from string
+  * docs: include IDevID page also in the sidebar
+  * docs: point to installation guide from RHEL and SLE Micro
+  * build(deps): bump actions/setup-python from 5.1.1 to 5.2.0
+  * build(deps): bump pypa/gh-action-pypi-publish from 1.9.0 to 1.10.1
+  * change check_tpm_origin_check to a warning that does not prevent registration
+  * docs: Fix Runtime Policy JSON schema to reflect the reality
+  * README: update meeting time to 16:00 UK time
+  * [Automatic] Update Keylime base image 2024-09-11
+  * Sets absolute path for files inside a rootfs dir
+  * policy/create_runtime_policy: fix handling of empty lines in exclude list
+  * keylime_policy: setting 'log_hash_alg' to 'sha1' (template-hash algo)
+  * tests: apply workarounds to known bugs
+  * codestyle: Assign CERTIFICATE_PRIVATE_KEY_TYPES directly (pyright)
+  * codestyle: convert bytearrays to bytes to get expected type (pyright)
+  * codestyle: Use new variables after changing datatype (pyright)
+  * Revert "DO NOT MERGE, TEMPORARY COMMIT"
+  * [Automatic] Update Keylime base image 2024-08-16
+  * Lint: ignore reportArgumentType and reportInvalidTypeForm errors
+  * docker: Install latest Keylime during image build
+  * cert_utils: add description why loading using cryptography might fail
+  * Enable test functional/iak-idevid-persisted-and-protected
+  * ima: list names of the runtime policies
+  * tests: Enable test /sanity/opened-conf-files
+  * build(deps): bump docker/build-push-action from 6.6.1 to 6.7.0
+  * DO NOT MERGE, TEMPORARY COMMIT
+  * tox: Use python 3.10 instead of 3.6
+  * revocation_notifier: Use web_util to generate TLS context
+  * mba: Add a skip custom policies option when loading mba.
+  * build(deps): bump docker/build-push-action from 6.5.0 to 6.6.1
+  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
+  * workflows/base-image: Add latest tag to the CI image build
+  * test: add setuptools to test-requirements.txt
+  * keylime/models/registrar: attempt to make pylint happy
+  * test: update green version in test/test-requirements.txt
+  * test/run_tests.sh: take into account non-zero exit status from pytest
+  * cmd/keylime_policy: add tool to handle keylime policies
+  * cert_utils: add is_x509_cert()
+  * common/algorithms: transform Encrypt and Sign class into enums
+  * common/algorithms: add method to calculate digest of a file
+  * [Automatic] Update Keylime base image 2024-08-02
+  * workflows/base-image: Fix CI image build context
+  * docker/ci: Add test dependency needed for PR#1568
+  * workflow/base-image: Drop duplicated job ID
+  * [Automatic] Update Keylime base image 2024-07-31
+  * docker: Build CI image together with the base image
+  * build(deps): bump docker/build-push-action from 4.2.1 to 6.5.0
+  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
+  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
+  * workflows/update-base-image: Add a signoff to the automatic PR
+  * workflows/container: Fix typo on sed command
+  * docker: Build base image separately
+  * build(deps): bump docker/login-action from 3.2.0 to 3.3.0
+  * build(deps): bump docker/build-push-action from 6.4.1 to 6.5.0
+  * build(deps): bump docker/build-push-action from 4.2.1 to 6.4.1
+  * build(deps): bump docker/metadata-action from 4.6.0 to 5.5.1
+  * build(deps): bump pre-commit/action from 3.0.0 to 3.0.1
+  * tpm: Replace KDFs and ECDH implementations with python-cryptography
+  * build(deps): bump codecov/codecov-action from 2.1.0 to 4.5.0
+  * build(deps): bump docker/login-action from 2.2.0 to 3.2.0
+  * Update .github/workflows/pypi-release.yml
+  * Update .github/workflows/test.yml
+  * build(deps): bump actions/setup-python from 2.3.4 to 5.1.1
+  * ci: disable Packit testing for Rawhide
+  * docker/release/base: Explicitly add the registry for base
+  * ci: use CODECOV_TOKEN for coverage file upload
+  * build(deps): bump actions/first-interaction
+  * build(deps): bump actions/checkout from 2.7.0 to 4.1.7
+  * docker/ci: Add test dependencies from #1568
+  * docker: Update images to use Fedora 40
+  * Added limit by mistake for dependabot
+  * Adds dependabot
+  * Add Frizbee Action
+  * Change Docker and Action Tags to Digests
+  * revocation_notifier: Explicitly add CA certificate bundle
+  * Introduce new REST API framework and refactor registrar implementation
+  * mba: Support named measured boot policies
+  * tenant: add friendlier error message if mTLS CA is wrongly configured
+  * ca_impl_openssl: Mark extensions as critical following RFC 5280
+  * Include Authority Key Identifier in KL-generated certs
+  * verifier, tenant: make payload for agent completely optional
+
 -------------------------------------------------------------------
 Fri Jun 14 08:04:48 UTC 2024 - aplanas@suse.com
 

keylime.obsinfo

@@ -0,0 +1,4 @@
+name: keylime
+version: 7.13.0+40
+mtime: 1764941702
+commit: dc75773679b1862e3b571f513e5aa9904efaf136

keylime.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package keylime
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,7 +17,6 @@
 
 
 %global srcname keylime
-%define skip_python2 1
 # Consolidate _distconfdir and _sysconfdir
 %if 0%{?_distconfdir:1}
   %define _config_norepl %{nil}
@@ -25,13 +24,19 @@
   %define _distconfdir   %{_sysconfdir}
   %define _config_norepl %config(noreplace)
 %endif
+%if 0%{?suse_version} > 1500
+%bcond_without libalternatives
+%else
+%bcond_with libalternatives
+%endif
+%{?sle15_python_module_pythons}
 Name:           keylime
-Version:        7.11.0
+Version:        7.13.0+40
 Release:        0
 Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
 License:        Apache-2.0 AND MIT AND BSD-3-Clause
 URL:            https://github.com/keylime/keylime
-Source0:        %{name}-v%{version}.tar.xz
+Source0:        %{name}-%{version}.tar.xz
 Source1:        keylime.xml
 Source2:        %{name}-user.conf
 Source3:        logrotate.%{name}
@@ -41,7 +46,9 @@ Source10:       registrar.conf.diff
 Source11:       verifier.conf.diff
 Source12:       tenant.conf.diff
 BuildRequires:  %{python_module Jinja2}
+BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
+BuildRequires:  %{python_module wheel}
 BuildRequires:  fdupes
 BuildRequires:  firewall-macros
 BuildRequires:  python-rpm-macros
@@ -65,10 +72,15 @@ Requires:       python3-typing_extensions
 Requires:       tpm2-0-tss
 Requires:       tpm2.0-abrmd
 Requires:       tpm2.0-tools
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      rust-keylime
 BuildArch:      noarch
+%if %{with libalternatives}
+BuildRequires:  alts
+Requires:       alts
+%else
+Requires(post): update-alternatives
+Requires(postun): update-alternatives
+%endif
 %python_subpackages
 
 %description
@@ -146,15 +158,15 @@ Conflicts:      rust-keylime
 Subpackage of %{name} for logrotate for Keylime services
 
 %prep
-%autosetup -p1 -n %{name}-v%{version}
+%autosetup -p1 -n %{name}-%{version}
 
 %build
-%python_build
+%pyproject_wheel
 %sysusers_generate_pre %{SOURCE2} %{name} %{name}-user.conf
 
 %install
 export VERSION=%{version}
-%python_install
+%pyproject_install
 
 rm config/agent.conf
 patch -s --fuzz=0 config/registrar.conf < %{SOURCE10}
@@ -165,6 +177,7 @@ patch -s --fuzz=0 config/tenant.conf < %{SOURCE12}
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_convert_runtime_policy
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_create_policy
+%python_clone -a %{buildroot}%{_bindir}/%{srcname}-policy
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_sign_runtime_policy
 %python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant
@@ -194,11 +207,25 @@ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 # %%check
 # %%pyunittest -v
 
+%pre
+%python_libalternatives_reset_alternative %{srcname}_attest
+%python_libalternatives_reset_alternative %{srcname}_ca
+%python_libalternatives_reset_alternative %{srcname}_convert_runtime_policy
+%python_libalternatives_reset_alternative %{srcname}_create_policy
+%python_libalternatives_reset_alternative %{srcname}-policy
+%python_libalternatives_reset_alternative %{srcname}_registrar
+%python_libalternatives_reset_alternative %{srcname}_sign_runtime_policy
+%python_libalternatives_reset_alternative %{srcname}_tenant
+%python_libalternatives_reset_alternative %{srcname}_upgrade_config
+%python_libalternatives_reset_alternative %{srcname}_userdata_encrypt
+%python_libalternatives_reset_alternative %{srcname}_verifier
+
 %post
 %python_install_alternative %{srcname}_attest
 %python_install_alternative %{srcname}_ca
 %python_install_alternative %{srcname}_convert_runtime_policy
 %python_install_alternative %{srcname}_create_policy
+%python_install_alternative %{srcname}-policy
 %python_install_alternative %{srcname}_registrar
 %python_install_alternative %{srcname}_sign_runtime_policy
 %python_install_alternative %{srcname}_tenant
@@ -211,6 +238,7 @@ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 %python_uninstall_alternative %{srcname}_ca
 %python_uninstall_alternative %{srcname}_convert_runtime_policy
 %python_uninstall_alternative %{srcname}_create_policy
+%python_uninstall_alternative %{srcname}-policy
 %python_uninstall_alternative %{srcname}_registrar
 %python_uninstall_alternative %{srcname}_sign_runtime_policy
 %python_uninstall_alternative %{srcname}_tenant
@@ -257,6 +285,7 @@ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 %python_alternative %{_bindir}/%{srcname}_ca
 %python_alternative %{_bindir}/%{srcname}_convert_runtime_policy
 %python_alternative %{_bindir}/%{srcname}_create_policy
+%python_alternative %{_bindir}/%{srcname}-policy
 %python_alternative %{_bindir}/%{srcname}_registrar
 %python_alternative %{_bindir}/%{srcname}_sign_runtime_policy
 %python_alternative %{_bindir}/%{srcname}_tenant
@@ -264,7 +293,7 @@ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
 %python_alternative %{_bindir}/%{srcname}_userdata_encrypt
 %python_alternative %{_bindir}/%{srcname}_verifier
 %{python_sitelib}/keylime
-%{python_sitelib}/keylime-%{version}*-info
+%{python_sitelib}/keylime-*.dist-info
 
 %files -n %{srcname}-config
 %dir %attr(0700,keylime,tss) %{_distconfdir}/%{srcname}

registrar.conf.diff

@@ -1,9 +1,9 @@
-diff --git a/config/registrar.conf b/config/registrar.conf
+diff --git i/registrar.conf w/registrar.conf
-index 19f7cb1..3492453 100644
+index 19348f6..683cc40 100644
---- a/config/registrar.conf
+--- i/registrar.conf
-+++ b/config/registrar.conf
++++ w/registrar.conf
 @@ -5,7 +5,8 @@
- version = 2.3
+ version = 2.5
  
  # The binding address and port for the registrar server
 -ip = "127.0.0.1"

tenant.conf.diff

@@ -1,5 +1,5 @@
 diff --git a/config/tenant.conf b/config/tenant.conf
-index ead02b8..1b3d921 100644
+index 717f686..7cf5a49 100644
 --- a/config/tenant.conf
 +++ b/config/tenant.conf
 @@ -106,7 +106,8 @@ request_timeout = 60

verifier.conf.diff

@@ -1,8 +1,8 @@
 diff --git a/config/verifier.conf b/config/verifier.conf
-index 9f65039..4e6191d 100644
+index b1655f5..1c1b12b 100644
 --- a/config/verifier.conf
 +++ b/config/verifier.conf
-@@ -8,7 +8,8 @@ version = 2.3
+@@ -8,7 +8,8 @@ version = 2.4
  uuid = default
  
  # The binding address and port for the verifier server