Compare commits
6 Commits
| Author | SHA256 | Date | |
|---|---|---|---|
| 190b714e53 | |||
|
|
7310bb1da1 | ||
| 8ccb8a455a | |||
|
|
c57b8b34a9 | ||
| a4f1debcdc | |||
|
|
1fa59a3253 |
1
_service
1
_service
@@ -5,7 +5,6 @@
|
||||
<param name="exclude">.git</param>
|
||||
<param name="revision">@PARENT_TAG@</param>
|
||||
<param name="versionformat">@PARENT_TAG@</param>
|
||||
<param name="changesgenerate">enable</param>
|
||||
</service>
|
||||
<service name="set_version" mode="manual">
|
||||
<param name="basename">sbctl</param>
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:b1e7b62c66e842113a31ab1c1505886e38475c5f1ee8a5f15f2ab32f25ad3ef4
|
||||
size 17935856
|
||||
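--- a/sbctl-0.17.tar.gz
+++ b/sbctl-0.17.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:dd4f4d609a203ecc4d37736315377e58949138b3dc9c8d12d8b4b38a2e074e32
+size 17957224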
@@ -1,3 +1,88 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon May 5 11:24:29 UTC 2025 - Jan Loeser <jan.loeser@posteo.de>
|
||||
|
||||
- Update to version 0.17:
|
||||
* Ensure we don't wrongly compare input/output files when signing
|
||||
* Added --json supprt to sbctl verify
|
||||
* Ensure sbctl setup with no arguments returns a helpful output
|
||||
* Import latest Microsoft keys for KEK and db databases
|
||||
* Ensure we print the path of the file when encountering an invalid PE file
|
||||
* Misc fixups in tests
|
||||
* Misc typo fixes in prints
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
|
||||
|
||||
- Disable tests that fail due to gh/foxboron/sbctl#343
|
||||
- Update to version 0.16:
|
||||
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
|
||||
present
|
||||
* Fixed a bug where sbctl would abort if the TPM eventlog
|
||||
contains the same byte multiple times
|
||||
* Fixed a landlock bug where enroll-keys --export did not work
|
||||
* Fixed a bug where an ESP mounted to multiple paths would not be
|
||||
detected
|
||||
* Exporting keys without efivars present work again
|
||||
* sbctl sign will now use the saved output path if the signed
|
||||
file is enrolled
|
||||
* enroll-keys --append will now work without --force.
|
||||
- Updates from version 0.15.4:
|
||||
* Fixed an issue where sign-all did not report a non-zero exit
|
||||
code when something failed
|
||||
* Fixed and issue where we couldn't write to a file with landlock
|
||||
* Fixed an issue where --json would print the human readable
|
||||
output and the json
|
||||
* Fixes landlock for UKI/bundles by disabling the sandbox feature
|
||||
* Some doc fixups that mentioned /usr/share/
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
|
||||
|
||||
- Update to version 0.15.3:
|
||||
* Fixed a mistake where the db_additions setting in sbctl.conf
|
||||
was not wired up to sbctl setup.
|
||||
* Relaxed the check for an existing install in sbctl setup form
|
||||
looking after /var/lib/sbctl to check for /var/lib/sbctl/keys.
|
||||
* Fixed a bug where dmi information was not read for quirk
|
||||
detection when landlock was enabled.
|
||||
* Fixed a bug where sbctl create-keys did not have access to
|
||||
/var/lib under landlock.
|
||||
* Fixed a bug where sbctl setup didn't have access to /usr/share.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
|
||||
|
||||
- Added minimum go required version
|
||||
- Update to version 0.15.2:
|
||||
* Fixed a bug where sbctl setup aborts early because
|
||||
/var/lib/sbctl already exists.
|
||||
- Updates from version 0.15.1:
|
||||
* Fixed an issue where sbctl migrate did not work without
|
||||
--disable-landlock.
|
||||
* Fixed an issue where bundles.db would be written to files.json
|
||||
deleting list of files.
|
||||
- Updates from version 0.15:
|
||||
See the release for full changes.
|
||||
https://github.com/Foxboron/sbctl/releases/tag/0.15
|
||||
* sbctl will try to sandbox all commands with landlock. Landlock
|
||||
is a unpriviledged sandbox, similar to OpenBSD pledge, that
|
||||
allows sbctl to declare the directories and files we are
|
||||
reading/writing a head. This feature is enabled by default and
|
||||
can be disabled by setting landlock: false in the new config
|
||||
file, or by passing --disable-landlock flag.
|
||||
* sbctl has moved from using /usr/share/secureboot to
|
||||
/var/lib/sbctl. The useage of /usr was mostly for legacy
|
||||
reasons but there wasn't any motivation to fix this until now.
|
||||
To help with the migration sbctl migrate has been implemented.
|
||||
It will move all the files from the old location to
|
||||
/var/lib/sbctl and rename files accordingly.
|
||||
* sbctl now support creation of TPM key files using
|
||||
go-tpm-keyfiles. These keys are mostly compatible with how
|
||||
other TPM2 TSS keyfiles are created. This key type can be used
|
||||
by passing on of several keytype flags to create-keys or
|
||||
rotate-keys, or by specifying the type in the new configuration
|
||||
file.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu May 9 15:54:58 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
|
||||
|
||||
|
||||
23
sbctl.spec
23
sbctl.spec
@@ -1,7 +1,7 @@
|
||||
#
|
||||
# spec file for package sbctl
|
||||
#
|
||||
# Copyright (c) 2024 SUSE LLC
|
||||
# Copyright (c) 2025 SUSE LLC
|
||||
#
|
||||
# All modifications and additions to the file contributed by third parties
|
||||
# remain the property of their copyright owners, unless otherwise agreed
|
||||
@@ -17,7 +17,7 @@
|
||||
|
||||
|
||||
Name: sbctl
|
||||
Version: 0.14
|
||||
Version: 0.17
|
||||
Release: 0
|
||||
Summary: Secure Boot key manager
|
||||
License: MIT
|
||||
@@ -40,10 +40,13 @@ Requires: util-linux
|
||||
BuildRequires: asciidoc
|
||||
BuildRequires: binutils
|
||||
%if 0%{?suse_version}
|
||||
BuildRequires: go >= 1.22.0
|
||||
BuildRequires: golang-packaging
|
||||
BuildRequires: pkgconfig(openssl) > 3.0.0
|
||||
%endif
|
||||
%if 0%{?ubuntu}
|
||||
BuildRequires: golang
|
||||
BuildRequires: golang >= 1.22.0
|
||||
BuildRequires: libssl-dev > 3.0.0
|
||||
%endif
|
||||
|
||||
%description
|
||||
@@ -55,7 +58,15 @@ needs to be signed in the boot chain.
|
||||
%autosetup -a 1
|
||||
|
||||
%build
|
||||
%make_build all
|
||||
# Remove toolchain directive as we can't download it from external and we lack a corresponding
|
||||
# macro package for deb (golang-packaging)
|
||||
%if 0%{?ubuntu}
|
||||
sed -i '/^toolchain.*/d' go.mod
|
||||
%endif
|
||||
|
||||
# Remove upstream version set.
|
||||
sed -i 's|VERSION =.*||' Makefile
|
||||
VERSION="%{version}" %make_build all
|
||||
|
||||
%install
|
||||
%make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
|
||||
@@ -63,9 +74,6 @@ needs to be signed in the boot chain.
|
||||
# Fix potential-bashisms rpmlint error by using bash shebang
|
||||
sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
|
||||
|
||||
%check
|
||||
%make_build test
|
||||
|
||||
%files
|
||||
%doc README.md
|
||||
%license LICENSE
|
||||
@@ -79,6 +87,7 @@ sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl
|
||||
|
||||
%{_prefix}/lib/kernel/install.d/91-sbctl.install
|
||||
%{_mandir}/man8/sbctl.8*
|
||||
%{_mandir}/man5/sbctl.conf.5*
|
||||
%{_datadir}/bash-completion/completions/sbctl
|
||||
%{_datadir}/fish/vendor_completions.d/sbctl.fish
|
||||
%{_datadir}/zsh/site-functions/_sbctl
|
||||
|
||||
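Review bot: The new spec has no `%check` stage: the hunk at `@@ -63,9 +74,6 @@` drops three lines, and by the hunk counts and the changelog these appear to be `%check` and `%make_build test`, so the whole test run is gone rather than only the tests that fail due to gh/foxboron/sbctl#343. sbctl creates Secure Boot keys and signs boot binaries, and the update spans several releases that touch the signing and landlock paths, so a build with no test run gives no signal if one of them regresses on this distribution. I would keep the section with only the affected tests skipped if the upstream Makefile allows it, or at least leave a marker in the spec such as `# %check disabled, see gh/foxboron/sbctl#343 - re-enable once fixed`. The rendered page lost the +/- markers, so which lines were removed is inferred.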
@@ -1,3 +1,3 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:8c1bc51d0fcb14867b8309e8cba83a494dec0f6137b01098cb7c537d9d630788
|
||||
size 4584792
|
||||
oid sha256:e450acf9d24a41dc71ed6d2232f36e62506ddcceaf4ba587ea62b1f613240dd9
|
||||
size 5177988
|
||||
|
||||