Update to 1+git20260114.371a8b3

Signed-off-by: Alberto Planas <aplanas@suse.com>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/openSUSE/sdbootutil.git</param>
-              <param name="changesrevision">f4890e92b888e4021dbc704798f72dd66f8ac345</param></service></servicedata>
+              <param name="changesrevision">371a8b3fc8a462b273955901c7544eea3f7c661a</param></service></servicedata>

config.toml

@@ -0,0 +1,5 @@
+[source.crates-io]
+replace-with = "vendored-sources"
+
+[source.vendored-sources]
+directory = "vendor"

sdbootutil.changes

@@ -1,3 +1,271 @@
+-------------------------------------------------------------------
+Wed Jan 14 10:44:23 UTC 2026 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20260114.371a8b3:
+  * Create the /var/lib/sdbootutil directory during installation
+  * Make fde-tools file optional
+
+-------------------------------------------------------------------
+Thu Jan 08 19:51:41 UTC 2026 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20260108.be38224:
+  * Use tmpfiles.d for /var directories (PED-14900)
+
+-------------------------------------------------------------------
+Wed Jan 07 09:46:55 UTC 2026 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20260107.2807c87:
+  * Enable armv7 builds (boo#1254865)
+
+-------------------------------------------------------------------
+Thu Dec 18 09:13:42 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251218.1cd7294:
+  * Improve partition detection for multipath (boo#1254317)
+
+-------------------------------------------------------------------
+Thu Dec 11 12:25:54 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251211.b3d0304:
+  * Set default entry when removing a kernel
+  * Fix return value when image is set (boo#1254534)
+  * Return error if the hash program is not installed
+
+-------------------------------------------------------------------
+Wed Nov 26 10:21:51 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251126.f7a46a1:
+  * Improve error messages
+
+-------------------------------------------------------------------
+Wed Nov 19 07:34:30 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251119.0bee866:
+  * Make sure to use consistent locale (bsc#1253652)
+
+-------------------------------------------------------------------
+Fri Nov 14 12:15:39 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251114.1783016:
+  * Find also entries with boot counter
+  * Avoid adding tries for existing entries
+
+-------------------------------------------------------------------
+Tue Nov 11 09:06:28 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251111.611edd1:
+  * Drop shebang in the enroll module
+
+-------------------------------------------------------------------
+Mon Nov 10 13:36:34 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251110.0d334b6:
+  * Fix some rpmlint warnings about executable conf files
+  * Recognize tracing code parameters
+  * Fix summary of subpackages
+  * Remove executable bit
+  * snapper: add drop-in for CAP_SYS_CHROOT capability
+
+-------------------------------------------------------------------
+Fri Nov 07 15:07:55 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251107.49e9025:
+  * Ask the PIN or PW when enrolling (bsc#1252871)
+  * Read the password from environment when enrolling
+  * Fix when reading password from environment
+  * Clarify the help message
+
+-------------------------------------------------------------------
+Thu Nov 06 14:07:33 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251106.f0b1a06:
+  * Drop kernel version in title for grub2-bls
+  * Do not always install the dracut module in hostonly mode
+  * snapper: exit when path is not root
+
+-------------------------------------------------------------------
+Wed Oct 29 11:49:05 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251029.c883722:
+  * Set minimal udev version required
+
+-------------------------------------------------------------------
+Tue Oct 28 10:07:09 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251028.e423362:
+  * Drop systemd-experimental requirement
+
+-------------------------------------------------------------------
+Fri Oct 03 15:04:15 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20251003.f402058:
+  * Do not mount /run/media in the chroot
+  * Normalize how to hide errors
+  * Ask the volume key only if --measure-pcr is set
+  * Abort any updating inside a transaction
+  * Bindmount /var/lib/systemd for tukit
+  * Revert "Do not ask the password while in a transaction"
+  * Only update PCR 15 if --measure-pcr is set
+  * Do not ask the password while in a transaction
+  * Add parameter for code tracing
+
+-------------------------------------------------------------------
+Wed Sep 17 14:34:52 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250917.7aab076:
+  * Revert "PCR#15 workaround for LVM devices"
+  * measure-pcr-generator: escape the device name
+  * Fix boot_root for systemd 258
+
+-------------------------------------------------------------------
+Tue Sep 09 07:22:59 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250909.8b2878e:
+  * Check KEY for LUKS2 password
+
+-------------------------------------------------------------------
+Wed Sep 03 14:46:15 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250903.f5a076b:
+  * Distiguish between path and id for boot entries
+
+-------------------------------------------------------------------
+Wed Aug 20 12:21:25 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250820.077bd8b:
+  * Revert "Ignore UPDATE_NVRAM (bsc#1247952)"
+  * Fix dracut "No '/dev/log' or 'logger'" message
+  * Don't mount /etc in chroot with btrfs subvolume
+  * Fix issue template directory name
+
+-------------------------------------------------------------------
+Thu Aug 14 17:08:45 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250814.85181f6:
+  * Add issue templates for bugs and feature requests
+  * Use command line of target snapshot
+  * Add --no-measure-pcr to opt-out PCR15
+  * Remove README images
+
+-------------------------------------------------------------------
+Tue Aug 12 11:07:17 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250812.13f4562:
+  * Ignore UPDATE_NVRAM (bsc#1247952)
+
+-------------------------------------------------------------------
+Mon Aug 11 20:35:27 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250811.2048838:
+  * Add easy advanced debugging
+
+-------------------------------------------------------------------
+Mon Aug 11 20:03:25 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250811.5fc14ca:
+  * Enable sdbootutil-update-predictions.service on enroll
+  * Fix device not marked as portable
+  * Fix handling of configuration UPDATE_NVRAM
+
+-------------------------------------------------------------------
+Mon Aug 11 09:36:03 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250811.2fd41f0:
+  * Clarify when the boot entries are created
+  * Measure all bootloader combinations
+  * Remove hard coded EFI boot entry name
+
+-------------------------------------------------------------------
+Tue Aug 05 13:03:35 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250805.67fa6cb:
+  * PCR#15 workaround for LVM devices
+  * Use installkernel() only to install kernel modules
+
+-------------------------------------------------------------------
+Mon Aug 04 12:14:06 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250804.8dccab3:
+  * crypttab: do not add/remove parameters for ignored entries
+
+-------------------------------------------------------------------
+Thu Jul 31 12:19:27 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250731.055e2fe:
+  * Refactor the write_issue_file function
+
+-------------------------------------------------------------------
+Thu Jul 31 06:33:35 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250731.b7568e3:
+  * Some style changes
+  * Exit if no encrypted devices
+
+-------------------------------------------------------------------
+Wed Jul 30 07:43:49 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Update to version 1+git20250729.9dba13a:
+  * sdbootutil-enroll: support agetty for issue.d, too
+  * Support riscv64 in set_image_name
+
+-------------------------------------------------------------------
+Thu Jul 24 11:23:01 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250724.553d46c:
+  * measure-pcr-validator: fail if the file is missing
+  * measure-pcr-validator.service: Run after initrd-root-device.target
+  * measure-pcr-validator.service: Fix failure handling
+  * Clean the default snapshot in Tumbleweed
+  * Improve volume key extraction
+
+-------------------------------------------------------------------
+Tue Jul 22 13:41:54 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250722.bf18f3b:
+  * Measure kernel in PCR4 for grub2-bls if secure-boot
+
+-------------------------------------------------------------------
+Fri Jul 18 16:24:10 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250718.9f557f7:
+  * MicroOS mounts encrypted /var in initrd
+
+-------------------------------------------------------------------
+Wed Jul 16 10:57:22 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250716.b03c12f:
+  * Revert "Check for transactional systems by actually checking ro status, not mount attributes"
+
+-------------------------------------------------------------------
+Mon Jul 14 07:36:25 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250710.d8e5d82:
+  * Check for transactional systems by actually checking ro status, not mount attributes
+
+-------------------------------------------------------------------
+Fri Jun 13 09:30:39 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250613.ee73e55:
+  * Fix uhmac installation
+  * Remove edition downgrade
+  * Update Cargo.lock
+
+-------------------------------------------------------------------
+Thu May 29 10:34:18 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
+
+- Update to version 1+git20250529.307d6ff:
+  * Remove noarch for main package
+  * Copy measure-pcr-prediction if missing in ESP
+  * Compile and install uhmac
+  * Use uhmac instead of openssl for HMAC
+  * uhmac: add Rust tool for HMAC
+  * Re-enable riscv64 arch
+  * Support non-secure boot installations
+  * Rework removable media detection
+  * jeos-firstboot-enroll: fix typo in msgbox
+  * Measure GPT of the disk with ESP, not the disk with root
+  * jeos-firstboot-enroll: show final error message
+
 -------------------------------------------------------------------
 Mon May 05 12:49:05 UTC 2025 - Alberto Planas Dominguez <aplanas@suse.com>
 

sdbootutil.obsinfo

@@ -1,4 +1,4 @@
 name: sdbootutil
-version: 1+git20250505.f4890e9
-mtime: 1746448769
-commit: f4890e92b888e4021dbc704798f72dd66f8ac345
+version: 1+git20260114.371a8b3
+mtime: 1768387402
+commit: 371a8b3fc8a462b273955901c7544eea3f7c661a

sdbootutil.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sdbootutil
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -16,13 +16,19 @@
 #
 
 
+%global rustflags '-Clink-arg=-Wl,-z,relro,-z,now'
 Name:           sdbootutil
-Version:        1+git20250505.f4890e9
+Version:        1+git20260114.371a8b3
 Release:        0
-Summary:        bootctl wrapper for BLS boot loaders
+Summary:        Bootctl wrapper for BLS boot loaders
 License:        MIT
 URL:            https://github.com/openSUSE/sdbootutil
 Source:         %{name}-%{version}.tar
+Source1:        vendor.tar.zst
+Source2:        config.toml
+BuildRequires:  cargo
+BuildRequires:  cargo-packaging
+BuildRequires:  libopenssl-devel
 BuildRequires:  systemd-rpm-macros
 Requires:       %{name}-dracut-measure-pcr
 Requires:       dialog
@@ -36,16 +42,14 @@ Requires:       qrencode
 Requires:       sed
 Requires:       (%{name}-snapper if (snapper and btrfsprogs))
 Requires:       (%{name}-tukit if read-only-root-fs)
-# While systemd-pcrlock is in experimental
-Requires:       systemd-experimental
-# something needs to require it. Can be us.
 Requires:       tpm2.0-tools
-# While bootctl is in udev
-Requires:       udev
+# For bootctl and systemd-pcrlock
+Requires:       (udev >= 257.9 or systemd-experimental < 257.9)
 Supplements:    (grub2-x86_64-efi-bls and shim)
 Supplements:    (systemd-boot and shim)
-BuildArch:      noarch
-ExclusiveArch:  aarch64 x86_64
+# Because uhmac it is not a noarch package
+# BuildArch:      noarch
+ExclusiveArch:  aarch64 %{arm} riscv64 x86_64
 %{?systemd_requires}
 
 %description
@@ -54,7 +58,7 @@ Implements also the life cycle of a full disk encryption installation,
 based on systemd.
 
 %package snapper
-Summary:        plugin script for snapper
+Summary:        Plugin script for snapper
 Requires:       %{name} = %{version}
 Requires:       btrfsprogs
 Requires:       snapper
@@ -64,7 +68,7 @@ BuildArch:      noarch
 Plugin scripts for snapper to handle BLS config files
 
 %package tukit
-Summary:        plugin script for tukit
+Summary:        Plugin script for tukit
 Requires:       %{name} = %{version}
 Requires:       tukit
 BuildArch:      noarch
@@ -126,13 +130,26 @@ BuildArch:      noarch
 Dracut module from sdbootutil to measure PCR 15 in non-UKIs systems
 
 %prep
-%setup -q
+%autosetup -a1 -p1
+mv vendor uhmac
+cd uhmac
+mkdir .cargo
+install -D -m 644 %{SOURCE2} .cargo/config.toml
 
 %build
+cd uhmac
+%{cargo_build}
 
 %install
 install -D -m 755 %{name} %{buildroot}%{_bindir}/%{name}
 
+# Install uhmac binary
+pushd uhmac
+%{cargo_install}
+install -D -m 755 %{buildroot}%{_bindir}/uhmac %{buildroot}%{_libexecdir}/%{name}/uhmac
+rm %{buildroot}%{_bindir}/uhmac
+popd
+
 # Update prediction service
 install -D -m 644 %{name}-update-predictions.service \
 	%{buildroot}%{_unitdir}/%{name}-update-predictions.service
@@ -148,15 +165,22 @@ install -D -m 644 jeos-firstboot-enroll %{buildroot}%{_datadir}/jeos-firstboot/m
 
 # Snapper
 install -D -m 755 10-%{name}.snapper %{buildroot}%{_prefix}/lib/snapper/plugins/10-%{name}.snapper
+install -D -m 644 snapper-override.conf \
+	%{buildroot}%{_prefix}/lib/systemd/system/snapperd.service.d/sdbootutil-override.conf
+for service in backup boot cleanup timeline; do
+	install -D -m 644 snapper-override.conf \
+		%{buildroot}%{_prefix}/lib/systemd/system/snapper-"$service".service.d/sdbootutil-override.conf
+done
 
 # Tukit
 install -D -m 755 10-%{name}.tukit %{buildroot}%{_prefix}/lib/tukit/plugins/10-%{name}.tukit
+install -D -m 644 10-%{name}.tukit.conf %{buildroot}%{_prefix}%{_sysconfdir}/tukit.conf.d/10-%{name}.conf
 
 # kernel-install
 install -D -m 755 50-%{name}.install %{buildroot}%{_prefix}/lib/kernel/install.d/50-%{name}.install
 
 # Bash completions
-install -D -m 755 completions/bash_sdbootutil %{buildroot}%{_datadir}/bash-completion/completions/sdbootutil
+install -D -m 644 completions/bash_sdbootutil %{buildroot}%{_datadir}/bash-completion/completions/sdbootutil
 
 # Dracut module
 install -D -m 755 module-setup.sh %{buildroot}%{_prefix}/lib/dracut/modules.d/50measure-pcr/module-setup.sh
@@ -164,11 +188,15 @@ install -D -m 755 measure-pcr-generator.sh %{buildroot}%{_prefix}/lib/dracut/mod
 install -D -m 755 measure-pcr-validator.sh %{buildroot}%{_prefix}/lib/dracut/modules.d/50measure-pcr/measure-pcr-validator.sh
 install -D -m 644 measure-pcr-validator.service %{buildroot}/%{_prefix}/lib/dracut/modules.d/50measure-pcr/measure-pcr-validator.service
 
-install -d -m 700 %{buildroot}%{_sharedstatedir}/%{name}
-
 # tmpfiles
-install -D -m 755 kernel-install-%{name}.conf \
-	%{buildroot}%{_prefix}/lib/tmpfiles.d/kernel-install-%{name}.conf
+install -Dpm 0644 %{name}.conf %{buildroot}%{_tmpfilesdir}/%{name}.conf
+install -Dpm 0644 kernel-install-%{name}.conf %{buildroot}%{_tmpfilesdir}/kernel-install-%{name}.conf
+
+# tmpfiles_create macro is a noop, and the directories in /var/lib
+# will be present in the next reboot.  The problem is that when the
+# package is installed by YaST / Agama, this directory needs to be
+# present, as sdbootutil is called for enrollment
+install -d -m 700 %{buildroot}%{_sharedstatedir}/%{name}
 
 %transfiletriggerin -- %{_prefix}/lib/systemd/boot/efi %{_datadir}/grub2/%{_build_arch}-efi %{_datadir}/efi/%{_build_arch}
 cat > /dev/null || :
@@ -196,6 +224,7 @@ fi
 
 %post
 %service_add_post %{name}-update-predictions.service
+%tmpfiles_create %{name}.conf
 
 %preun enroll
 %service_del_preun %{name}-enroll.service
@@ -209,7 +238,7 @@ fi
 %post enroll
 %service_add_post %{name}-enroll.service
 
-%posttrans kernel-install
+%post kernel-install
 %tmpfiles_create kernel-install-%{name}.conf
 
 %post dracut-measure-pcr
@@ -223,25 +252,39 @@ fi
 
 %files
 %license LICENSE
-%dir %{_sharedstatedir}/%{name}
 %{_bindir}/%{name}
 %{_unitdir}/%{name}-update-predictions.service
+%{_tmpfilesdir}/%{name}.conf
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/uhmac
 
 %files snapper
 %dir %{_prefix}/lib/snapper
 %dir %{_prefix}/lib/snapper/plugins
 %{_prefix}/lib/snapper/plugins/*
+%dir %{_unitdir}/snapperd.service.d
+%{_unitdir}/snapperd.service.d/sdbootutil-override.conf
+%dir %{_unitdir}/snapper-backup.service.d
+%{_unitdir}/snapper-backup.service.d/sdbootutil-override.conf
+%dir %{_unitdir}/snapper-boot.service.d
+%{_unitdir}/snapper-boot.service.d/sdbootutil-override.conf
+%dir %{_unitdir}/snapper-cleanup.service.d
+%{_unitdir}/snapper-cleanup.service.d/sdbootutil-override.conf
+%dir %{_unitdir}/snapper-timeline.service.d
+%{_unitdir}/snapper-timeline.service.d/sdbootutil-override.conf
 
 %files tukit
 %dir %{_prefix}/lib/tukit
 %dir %{_prefix}/lib/tukit/plugins
 %{_prefix}/lib/tukit/plugins/*
+%dir %{_prefix}%{_sysconfdir}/tukit.conf.d
+%{_prefix}%{_sysconfdir}/tukit.conf.d/*
 
 %files kernel-install
 %dir %{_prefix}/lib/kernel
 %dir %{_prefix}/lib/kernel/install.d
 %{_prefix}/lib/kernel/install.d/*
-%{_prefix}/lib/tmpfiles.d/kernel-install-%{name}.conf
+%{_tmpfilesdir}/kernel-install-%{name}.conf
 
 %files enroll
 %{_bindir}/%{name}-enroll