Accepting request 999046 from home:lnussel:branches:security

- cryptsetup 2.5.0: * Split manual pages into per-action pages and use AsciiDoc format. * Remove cryptsetup-reencrypt tool from the project and move reencryption to already existing "cryptsetup reencrypt" command. If you need to emulate the old cryptsetup-reencrypt binary, use simple wrappers script running "exec cryptsetup reencrypt $@". * LUKS2: implement --decryption option that allows LUKS removal. * Fix decryption operation with --active-name option and restrict it to be used only with LUKS2. * Do not refresh reencryption digest when not needed. This should speed up the reencryption resume process. * Store proper resilience data in LUKS2 reencrypt initialization. Resuming reencryption now does not require specification of resilience type parameters if these are the same as during initialization. * Properly wipe the unused area after reencryption with datashift in the forward direction. * Check datashift value against larger sector size. For example, it could cause an issue if misaligned 4K sector appears during decryption. * Do not allow sector size increase reencryption in offline mode. * Do not allow dangerous sector size change during reencryption. * Ask the user for confirmation before resuming reencryption. * Do not resume reencryption with conflicting parameters. * Add --force-offline-reencrypt option. * Do not allow nested encryption in LUKS reencrypt. * Support all options allowed with luksFormat with encrypt action. * Add resize action to integritysetup. * Remove obsolete dracut plugin reencryption example. * Fix possible keyslot area size overflow during conversion to LUKS2. * Allow use of --header option for cryptsetup close. OBS-URL: https://build.opensuse.org/request/show/999046 OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=178
2022-08-24 11:32:11 +00:00 · 2022-08-24 11:32:11 +00:00 · 0ffce94442
commit 0ffce94442
parent ee04894715
6 changed files with 128 additions and 68 deletions
--- a/cryptsetup-2.4.3.tar.sign
+++ b/cryptsetup-2.4.3.tar.sign
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmHf9akACgkQ2bBXe9k+
-mPz0zw//cqAJh3wE0zxtfb+2al4cH2oTtPR+/VnnW8s5z9hyBztNZo8ChOXEQqEQ
-3l+S0qvJSkCmQT2RNEAdyqMjolU3NKKYi+iZwKUfcYPAABnc0/df9p1l4ykKYmuZ
-6EiQCCZITrFkiRl0jVsZ/U92FAU+EdI7dXPVr+H8Ai6eA4HW3NIrZlsUUMdsmkCE
-6eqSX3WX1WVpFkv3453JSNG5/byHP4iPEnXdy00+n5qDoWrOEqDL6MDFaljBS2gq
-XKIeDfKTe3tQAelPEnIc/Is5Tus2uMkxn+bW9KPviS3tOSW5iDVUNL2DBVdMcuxV
-e26mEud9BYyKvajj3wP2TR/BD+ctmwnYSLrfs8aMzE109YI2NuxHD6sWI9d2jrtx
-2fMDV20AKGvvt2q4RkIqAkML7S1RQUVdma33I/iBojFu4bXleLBUcwi1vT+G1NMX
-rz+bVo5zKa7bfTjjX/T8ATL302Lhpr3yReAR6m2KqX3xbxinwG3BV88fyZjJEFft
-zW2JYT3gntkp7GqrxMWjZYNc8AAcpRcabXqb/7NcCBPmS33Kk+/eQiBGEQCw85g7
-MQk7oLKFKT31yJ0TipJExWLOpaWR592wBMl/vx3jAyJjWR1IxajzKD60ZNJHavsn
-5PCPtLxXGdbyyagI45Jm1Pa6Me0vcXzYSHnYdPy5tprOfJgzMT4=
-=yURq
-----END PGP SIGNATURE-----
--- a/cryptsetup-2.4.3.tar.xz
+++ b/cryptsetup-2.4.3.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:fc0df945188172264ec5bf1d0bda08264fadc8a3f856d47eba91f31fe354b507
-size 11242152
--- a/cryptsetup-2.5.0.tar.sign
+++ b/cryptsetup-2.5.0.tar.sign
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEKikYJD/eRmSNBob52bBXe9k+mPwFAmLir6MACgkQ2bBXe9k+
+mPz0aRAA1NvR+v5YBgq0+VxkNLWN76sIiFOZ46ASepos5bvzV6QgfHf2Pm4Tdi2j
+CHc9Vc6D32w3oww6qQQ3j4XjqDxtRbxa17YEcsoQHT7J0sezaPknv+OM+vT+B8WT
+PmoOF6ZoxqmA4hf2psap/4sWB+TNVlJoyksOy/yF5pLdSFT9w/A6DIO+FiufVCxg
+Sg8HNcU0rFkLTnHNQiZGFx9lNAy+FJ+5mm+8A8IIbTB4cxuohaz8ZwNjJjIO36jm
+H0t4yDQTL7JoV1ONPJ+Fq9OaQP6MBCnSr3uFXwkQoV99geaHmGVbv+jUqqFjosu3
+Usm1hHkqFp+BW8f+XZ0lYYGyGz1bFZHsiCnEdjFLmmMiSqjW+Jo0AdGtqEjx5Ahc
+/6D8XyRpb+Wwg9cQyzvcOXgBysWp4dINWQSjsyWqN4AlEOy4UtEbAW4Pm/t2SCnV
+xw7eNbCdqa2+tAJTMV5AlQgkk1dYDY9KFNvNkrgkEMlzoeq/3QgkqPo7PqCqixrL
+cTlMm8g5IDV95Mnyd2uNng7T/M4E6PLfhApjpSbP0Sk6Hyp1Mp959AKTHJFPE4ZO
+R9dTYQ+Jy/2DUKDQoeYtiosq1Yoi4NKueazGAbjvbQT8NXx7DDcS3AYIfxBsdGnv
+xmsAHiM8LgjJmFYZNWHHBpWakCUM7LhqbrfLkVlMyprN4ZCzyLM=
+=Rmfd
+-----END PGP SIGNATURE-----
--- a/cryptsetup-2.5.0.tar.xz
+++ b/cryptsetup-2.5.0.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9184a6ebbd9ce7eb211152e7f741a6c82f2d1cc0e24a84ec9c52939eee0f0542
+size 11304256
--- a/cryptsetup.changes
+++ b/cryptsetup.changes
@ -1,3 +1,51 @@
+-------------------------------------------------------------------
+Mon Aug 22 08:38:16 UTC 2022 - Ludwig Nussel <lnussel@suse.de>
+
+- cryptsetup 2.5.0:
+  * Split manual pages into per-action pages and use AsciiDoc format. 
+  * Remove cryptsetup-reencrypt tool from the project and move reencryption
+    to already existing "cryptsetup reencrypt" command.
+    If you need to emulate the old cryptsetup-reencrypt binary, use simple
+    wrappers script running "exec cryptsetup reencrypt $@".
+  * LUKS2: implement --decryption option that allows LUKS removal.
+  * Fix decryption operation with --active-name option and restrict
+    it to be used only with LUKS2.
+  * Do not refresh reencryption digest when not needed.
+    This should speed up the reencryption resume process.
+  * Store proper resilience data in LUKS2 reencrypt initialization.
+    Resuming reencryption now does not require specification of resilience
+    type parameters if these are the same as during initialization.
+  * Properly wipe the unused area after reencryption with datashift in
+    the forward direction.
+  * Check datashift value against larger sector size.
+    For example, it could cause an issue if misaligned 4K sector appears
+    during decryption.
+  * Do not allow sector size increase reencryption in offline mode.
+  * Do not allow dangerous sector size change during reencryption.
+  * Ask the user for confirmation before resuming reencryption.
+  * Do not resume reencryption with conflicting parameters.
+  * Add --force-offline-reencrypt option.
+  * Do not allow nested encryption in LUKS reencrypt.
+  * Support all options allowed with luksFormat with encrypt action.
+  * Add resize action to integritysetup.
+  * Remove obsolete dracut plugin reencryption example.
+  * Fix possible keyslot area size overflow during conversion to LUKS2.
+  * Allow use of --header option for cryptsetup close.
+  * Fix activation of LUKS2 device with integrity and detached header.
+  * Add ZEROOUT IOCTL support for crypt_wipe API call.
+  * VERITY: set loopback sector size according to dm-verity block sizes.
+  * veritysetup: dump device sizes.
+  * LUKS2 token: prefer token PIN query before passphrase in some cases.
+    When a user provides --token-type or specific --token-id, a token PIN
+    query is preferred to a passphrase query.
+  * LUKS2 token: allow tokens to be replaced with --token-replace option
+    for cryptsetup token command.
+  * LUKS2 token: do not continue operation when interrupted in PIN prompt.
+  * Add --progress-json parameter to utilities.
+  * Add support for --key-slot option in luksResume action.
+- move man pages to separate subpackage
+- drop backports handling
+
 -------------------------------------------------------------------
 Fri Jan 14 19:19:43 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/cryptsetup.spec
+++ b/cryptsetup.spec
@ -1,5 +1,5 @@
 #
-# spec file for package cryptsetup2
+# spec file for package cryptsetup
 #
 # Copyright (c) 2022 SUSE LLC
 #
@ -16,22 +16,18 @@
 #


-%define tar_version 2.4.3
+%define tar_version 2.5.0
 %define so_ver 12
-%if 0%{?is_backports}
-Name:           cryptsetup2
-%else
 Name:           cryptsetup
-%endif
-Version:        2.4.3
+Version:        2.5.0
 Release:        0
 Summary:        Setup program for dm-crypt Based Encrypted Block Devices
 License:        LGPL-2.0-or-later AND SUSE-GPL-2.0-with-openssl-exception
 Group:          System/Base
 URL:            https://gitlab.com/cryptsetup/cryptsetup/
-Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{tar_version}.tar.xz
+Source0:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-%{tar_version}.tar.xz
 # GPG signature of the uncompressed tarball.
-Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.4/cryptsetup-%{tar_version}.tar.sign
+Source1:        https://www.kernel.org/pub/linux/utils/cryptsetup/v2.5/cryptsetup-%{tar_version}.tar.sign
 Source2:        baselibs.conf
 Source3:        cryptsetup.keyring
 Source4:        %{name}-rpmlintrc
@ -51,13 +47,9 @@ BuildRequires:  pkgconfig(blkid)
 BuildRequires:  pkgconfig(libargon2)
 BuildRequires:  pkgconfig(libssh)
 BuildRequires:  pkgconfig(openssl)
+BuildRequires:  rubygem(asciidoctor)
 Requires(post): coreutils
 Requires(postun):coreutils
-%if 0%{?is_backports}
-BuildRequires:  autoconf
-BuildRequires:  automake
-BuildRequires:  libtool
-%endif
 %if %{?suse_version} >= 1550
 # LUKS2 used as default format, which GRUB < 2.06 can't read
 Conflicts:      grub2 < 2.06
@ -80,6 +72,15 @@ Group:          System/Base
 Experimental cryptsetup plugin for unlocking LUKS2 devices with
 token connected to an SSH server.

+%package doc
+Summary:        Cryptsetup Documentation
+Group:          Documentation/Man
+Supplements:    (cryptsetup and man)
+Supplements:    (cryptsetup and patterns-base-documentation)
+
+%description doc
+Documentation and man pages for cryptsetup
+
 %package -n libcryptsetup%{so_ver}
 Summary:        Library for setting up dm-crypt Based Encrypted Block Devices
 Group:          System/Libraries
@ -109,10 +110,6 @@ Requires:       libcryptsetup%{so_ver} = %{version}
 # cryptsetup-devel last used 11.1
 Provides:       cryptsetup-devel = %{version}
 Obsoletes:      cryptsetup-devel < %{version}
-%if 0%{?is_backports}
-# have to conflict with main package that is in SLE
-Conflicts:      cryptsetup-devel < %{version}
-%endif

 %description -n lib%{name}-devel
 cryptsetup is used to conveniently set up dm-crypt based device-mapper
@ -123,14 +120,9 @@ time via the config file %{_sysconfdir}/crypttab.

 %prep
 %autosetup -n cryptsetup-%{tar_version}
-%if 0%{?is_backports}
-sed -i -e '/AC_INIT/s/cryptsetup/cryptsetup2/' configure.ac
-autoreconf -f -i
-%endif

 %build
 %configure \
-  --enable-cryptsetup-reencrypt \
  --enable-selinux \
  --enable-fips \
  --enable-pwquality \
@ -153,25 +145,15 @@ autoreconf -f -i
 %{nil}

 %make_install
-%if 0%{?is_backports}
-# need to rename a files to avoid file conflict
-for i in cryptsetup integritysetup veritysetup cryptsetup-reencrypt; do
-	mv %{buildroot}%{_sbindir}/$i %{buildroot}%{_sbindir}/${i}2
-	mv %{buildroot}%{_mandir}/man8/$i.8 %{buildroot}%{_mandir}/man8/${i}2.8
-done
-rm -f %{buildroot}%{_tmpfilesdir}/cryptsetup.conf
-%endif
 %if !0%{?usrmerged}
 install -dm 0755 %{buildroot}/sbin
-ln -s ..%{_sbindir}/cryptsetup%{?is_backports:2} %{buildroot}/sbin
+ln -s ..%{_sbindir}/cryptsetup %{buildroot}/sbin
 %endif
 # don't want this file in /lib (FHS compat check), and can't move it to /usr/lib
 find %{buildroot} -type f -name "*.la" -delete -print
 #
 %find_lang %{name} --all-name

-%if !0%{?is_backports}
-#
 %post
 %{?regenerate_initrd_post}
 %tmpfiles_create %{_tmpfilesdir}/cryptsetup.conf
@ -181,30 +163,20 @@ find %{buildroot} -type f -name "*.la" -delete -print

 %posttrans
 %{?regenerate_initrd_posttrans}
-#
-%endif

 %post -n libcryptsetup%{so_ver} -p /sbin/ldconfig
+
 %postun -n libcryptsetup%{so_ver} -p /sbin/ldconfig

 %files
 %license COPYING*
-%doc AUTHORS FAQ README.md docs/*ReleaseNotes
 %if !0%{?usrmerged}
-/sbin/cryptsetup%{?is_backports:2}
+/sbin/cryptsetup
 %endif
-%{_sbindir}/cryptsetup%{?is_backports:2}
-%{_sbindir}/veritysetup%{?is_backports:2}
-%{_sbindir}/integritysetup%{?is_backports:2}
-%{_sbindir}/cryptsetup-reencrypt%{?is_backports:2}
-%{_mandir}/man8/cryptsetup%{?is_backports:2}.8%{?ext_man}
-%{_mandir}/man8/cryptsetup-reencrypt%{?is_backports:2}.8%{?ext_man}
-%{_mandir}/man8/veritysetup%{?is_backports:2}.8%{?ext_man}
-%{_mandir}/man8/integritysetup%{?is_backports:2}.8%{?ext_man}
-%if !0%{?is_backports}
+%{_sbindir}/cryptsetup
+%{_sbindir}/veritysetup
+%{_sbindir}/integritysetup
 %{_tmpfilesdir}/cryptsetup.conf
-%ghost %dir /run/cryptsetup
-%endif

 %files lang -f %{name}.lang

@ -227,4 +199,44 @@ find %{buildroot} -type f -name "*.la" -delete -print
 %{_mandir}/man8/cryptsetup-ssh.8.gz
 %{_sbindir}/cryptsetup-ssh

+%files doc
+%doc AUTHORS FAQ.md README.md docs/*ReleaseNotes
+%{_mandir}/man8/cryptsetup.8.gz
+%{_mandir}/man8/cryptsetup-benchmark.8.gz
+%{_mandir}/man8/cryptsetup-bitlkDump.8.gz
+%{_mandir}/man8/cryptsetup-bitlkOpen.8.gz
+%{_mandir}/man8/cryptsetup-close.8.gz
+%{_mandir}/man8/cryptsetup-config.8.gz
+%{_mandir}/man8/cryptsetup-convert.8.gz
+%{_mandir}/man8/cryptsetup-create.8.gz
+%{_mandir}/man8/cryptsetup-erase.8.gz
+%{_mandir}/man8/cryptsetup-isLuks.8.gz
+%{_mandir}/man8/cryptsetup-loopaesOpen.8.gz
+%{_mandir}/man8/cryptsetup-luksAddKey.8.gz
+%{_mandir}/man8/cryptsetup-luksChangeKey.8.gz
+%{_mandir}/man8/cryptsetup-luksConvertKey.8.gz
+%{_mandir}/man8/cryptsetup-luksDump.8.gz
+%{_mandir}/man8/cryptsetup-luksErase.8.gz
+%{_mandir}/man8/cryptsetup-luksFormat.8.gz
+%{_mandir}/man8/cryptsetup-luksHeaderBackup.8.gz
+%{_mandir}/man8/cryptsetup-luksHeaderRestore.8.gz
+%{_mandir}/man8/cryptsetup-luksKillSlot.8.gz
+%{_mandir}/man8/cryptsetup-luksOpen.8.gz
+%{_mandir}/man8/cryptsetup-luksRemoveKey.8.gz
+%{_mandir}/man8/cryptsetup-luksResume.8.gz
+%{_mandir}/man8/cryptsetup-luksSuspend.8.gz
+%{_mandir}/man8/cryptsetup-luksUUID.8.gz
+%{_mandir}/man8/cryptsetup-open.8.gz
+%{_mandir}/man8/cryptsetup-plainOpen.8.gz
+%{_mandir}/man8/cryptsetup-reencrypt.8.gz
+%{_mandir}/man8/cryptsetup-refresh.8.gz
+%{_mandir}/man8/cryptsetup-repair.8.gz
+%{_mandir}/man8/cryptsetup-resize.8.gz
+%{_mandir}/man8/cryptsetup-status.8.gz
+%{_mandir}/man8/cryptsetup-tcryptDump.8.gz
+%{_mandir}/man8/cryptsetup-tcryptOpen.8.gz
+%{_mandir}/man8/cryptsetup-token.8.gz
+%{_mandir}/man8/integritysetup.8.gz
+%{_mandir}/man8/veritysetup.8.gz
+
 %changelog