- version 1.6.4
- new tarball / signature location
* Implement new erase (with alias luksErase) command.
* Add internal "whirlpool_gcryptbug hash" for accessing flawed
Whirlpool hash in gcrypt (requires gcrypt 1.6.1 or above).
* Allow to use --disable-gcrypt-pbkdf2 during configuration
to force use internal PBKDF2 code.
* Require gcrypt 1.6.1 for imported implementation of PBKDF2
(PBKDF2 in gcrypt 1.6.0 is too slow).
* Add --keep-key to cryptsetup-reencrypt.
* By default verify new passphrase in luksChangeKey and luksAddKey
commands (if input is from terminal).
* Fix memory leak in Nettle crypto backend.
* Support --tries option even for TCRYPT devices in cryptsetup.
* Support --allow-discards option even for TCRYPT devices.
(Note that this could destroy hidden volume and it is not suggested
by original TrueCrypt security model.)
* Link against -lrt for clock_gettime to fix undefined reference
to clock_gettime error (introduced in 1.6.2).
* Fix misleading error message when some algorithms are not available.
* Count system time in PBKDF2 benchmark if kernel returns no self
usage info.
OBS-URL: https://build.opensuse.org/request/show/235564
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=111
- cryptsetup 1.6.1
* Fix loop-AES keyfile parsing.
* Fix passphrase pool overflow for too long TCRYPT passphrase.
* Fix deactivation of device when failed underlying node disappeared.
- There is a bug in the released tarball, due to HAVE_BYTESWAP_H
and HAVE_ENDIAN_H not properly handled by the buildsystem. A
patch with permanent solution was sent and accepted upstream
and will appear in the next release, for now an spec file workaround
is in place, remove in the next update. (forwarded request 181807 from elvigia)
OBS-URL: https://build.opensuse.org/request/show/181818
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=82
- cryptsetup 1.6.1
* Fix loop-AES keyfile parsing.
* Fix passphrase pool overflow for too long TCRYPT passphrase.
* Fix deactivation of device when failed underlying node disappeared.
- There is a bug in the released tarball, due to HAVE_BYTESWAP_H
and HAVE_ENDIAN_H not properly handled by the buildsystem. A
patch with permanent solution was sent and accepted upstream
and will appear in the next release, for now an spec file workaround
is in place, remove in the next update.
OBS-URL: https://build.opensuse.org/request/show/181807
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=103
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr (forwarded request 145274 from lnussel)
OBS-URL: https://build.opensuse.org/request/show/145279
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cryptsetup?expand=0&rev=78
ATTENTION: wait for cryptsetup-mkinitrd before checkin, otherwise installation
with root on crypto no longer boot
- version 1.5.1:
* Added keyslot checker
* Add crypt_keyslot_area() API call.
* Optimize seek to keyfile-offset (Issue #135, thx to dreisner).
* Fix luksHeaderBackup for very old v1.0 unaligned LUKS headers.
* Allocate loop device late (only when real block device needed).
* Rework underlying device/file access functions.
* Create hash image if doesn't exist in veritysetup format.
* Provide better error message if running as non-root user (device-mapper, loop).
- split off hashalot and boot.crypto
- move to /usr
OBS-URL: https://build.opensuse.org/request/show/145274
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=97
Verify GPG signature: Perform build-time offline GPG verification.
Please verify that included keyring matches your needs.
For manipulation with the offline keyring, please use gpg-offline tool from openSUSE:Factory, devel-tools-building or Base:System.
See the man page and/or /usr/share/doc/packages/gpg-offline/PACKAGING.HOWTO.
If you need to build your package for older products and don't want to mess spec file with ifs, please follow PACKAGING.HOWTO:
you can link or aggregate gpg-offline from
devel:tools:building or use following trick with "osc meta prjconf":
--- Cut here ----
%if 0%{?suse_version} <= 1220
Substitute: gpg-offline
%endif
Macros:
%gpg_verify(dnf) \
%if 0%{?suse_version} > 1220\
echo "WARNING: Using %%gpg_verify macro from prjconf, not from gpg-offline package."\
gpg-offline --directory="%{-d:%{-d*}}%{!-d:%{_sourcedir}}" --package="%{-n:%{-n*}}%{!-n:%{name}}""%{-f: %{-f*}}" --verify %{**}\
%else\
echo "WARNING: Dummy prjconf macro. gpg-offline is not available, skipping %{**} GPG signature verification!"\
%endif\
%nil
-----------------
OBS-URL: https://build.opensuse.org/request/show/143882
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=96
* Add --device-size option for reencryption tool.
* Switch to use unit suffix for --reduce-device-size option.
* Remove open device debugging feature (no longer needed).
* Introduce cryptsetup-reencrypt - experimental offline LUKS reencryption tool.
* Fix luks-header-from-active script (do not use LUKS header on-disk, add UUID).
* Add --test-passphrase option for luksOpen (check passphrase only).
* Introduce veritysetup for dm-verity target management.
* Both data and header device can now be a file.
* Loop is automatically allocated in crypt_set_data_device().
* Require only up to last keyslot area for header device (ignore data offset).
* Fix header backup and restore to work on files with large data offset.
* Fix readonly activation if underlying device is readonly (1.4.0).
* Fix keyslot removal (wipe keyslot) for device with 4k hw block (1.4.0).
* Allow empty cipher (cipher_null) for testing.
* Fix loop mapping on readonly file.
* Relax --shared test, allow mapping even for overlapping segments.
* Support shared flag for LUKS devices (dangerous).
* Switch on retry on device remove for libdevmapper.
* Allow "private" activation (skip some udev global rules) flag.
OBS-URL: https://build.opensuse.org/package/show/security/cryptsetup?expand=0&rev=91