forked from pool/keylime
- Update to version v7.11.0:
  * "Monthly" Release (7.11.0)
  * template mapping change for persisted idevids
  * add config options for the persisted idevid and iak handles and passwords
  * templates: Restore the default values
  * templates: Add version 2.3
  * convert_config: Use the latest default value for --default
  * Add new /verify/identity API
  * PSS padding fix - salt length changed to byte length of digest from length of signature
  * sign_runtime_policy: Display error message if non-EC key is provided
  * packit: enable /regression/CVE-2023-3674 (suggested by Karel Srot)
  * Fix durable attestation in absence of mb_policy
  * tests: Fix coverage download by supporting new webdrives
  * templates: verifier: Add require_allow_list_signatures to config file
  * runtime policy: Raise error on missing key if signature required
  * runtime policy: Raise error on unsigned policy if signature required
  * dsse: Remove unused type: ignore comment (mypy)

OBS-URL: https://build.opensuse.org/request/show/1180844
OBS-URL: https://build.opensuse.org/package/show/security/keylime?expand=0&rev=95
diff --git a/config/tenant.conf b/config/tenant.conf
index ead02b8..1b3d921 100644
--- a/config/tenant.conf
+++ b/config/tenant.conf
@@ -106,7 +106,8 @@ request_timeout = 60
# might provide a signed list of EK public key hashes. Then you could write
# an ek_check_script that checks the signature of the allowlist and then
# compares the hash of the given EK with the allowlist.
-require_ek_cert = True
+# require_ek_cert = True
+require_ek_cert = False
# Optional script to execute to check the EK and/or EK certificate against a
# allowlist or any other additional EK processing you want to do. Runs in
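Review bot: The new `require_ek_cert = False` in this hunk turns the EK certificate requirement off in the shipped tenant.conf and gives no reason for it, either in the file or in the commit message, which lists only upstream changes. The comment block just above describes writing an `ek_check_script` that compares the EK hash against a signed allowlist as the route for setups without a usable EK certificate, yet this change relaxes the check without pointing the administrator at that alternative. Please add a comment next to the new value that says why the packaged default differs from `# require_ek_cert = True` and that an `ek_check_script` should be configured when the setting stays `False`, and record the override in the changelog entry so the weaker default is visible to anyone reviewing the update.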