Accepting request 1298141 from security

OBS-URL: https://build.opensuse.org/request/show/1298141
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rust-keylime?expand=0&rev=29

_service

@@ -4,7 +4,7 @@
     <!-- <param name="versionformat">@PARENT_TAG@</param> -->
     <param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
     <param name="scm">git</param>
-    <param name="revision">v0.2.6</param>
+    <param name="revision">v0.2.7</param>
     <param name="revision">master</param>
     <param name="match-tag">*</param>
     <param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/keylime/rust-keylime.git</param>
-              <param name="changesrevision">57992463535d15951ebaca77d1be4217ffaf74d6</param></service></servicedata>
+              <param name="changesrevision">573d1958a6343fd1882851d97e3ac06122d34438</param></service></servicedata>

keylime-agent.conf.diff

@@ -1,8 +1,8 @@
-Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
+diff --git i/keylime-agent.conf w/keylime-agent.conf
-===================================================================
+index d6e8615..75994c4 100644
---- rust-keylime-0.2.0+git.1677002906.cf6c4f0.orig/keylime-agent.conf
+--- i/keylime-agent.conf
-+++ rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
++++ w/keylime-agent.conf
-@@ -19,13 +19,15 @@ version = "2.2"
+@@ -29,13 +29,15 @@ api_versions = "default"
  # of 'SHA256(public EK in PEM format)'.
  #
  # To override, set KEYLIME_AGENT_UUID environment variable.
@@ -20,7 +20,7 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
  port = 9002
  
  # Address and port where the verifier and tenant can connect to reach the agent.
-@@ -41,7 +43,8 @@ contact_port = 9002
+@@ -51,7 +53,8 @@ contact_port = 9002
  # To override registrar_ip, set KEYLIME_AGENT_REGISTRAR_IP environment variable.
  # To override registrar_port, set KEYLIME_AGENT_REGISTRAR_PORT environment
  # variable.
@@ -30,7 +30,7 @@ Index: rust-keylime-0.2.0+git.1677002906.cf6c4f0/keylime-agent.conf
  registrar_port = 8890
  
  # Enable mTLS communication between agent, verifier and tenant.
-@@ -151,7 +154,8 @@ revocation_actions_dir = "/usr/libexec/k
+@@ -161,7 +164,8 @@ revocation_actions_dir = "/usr/libexec/keylime"
  # KEYLIME_AGENT_REVOCATION_NOTIFICATION_IP environment variable.
  # To override revocation_notification_port, set
  # KEYLIME_AGENT_REVOCATION_NOTIFICATION_PORT environment variable.

rust-keylime-0.2.7+141.tar.zst

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:cdad3234db3f1e6975134aeb8dc9cb0db37e0d30a175f8b671788be98222ee7e
+size 287080

rust-keylime.changes

@@ -1,7 +1,249 @@
+-------------------------------------------------------------------
+Thu Aug 07 12:17:29 UTC 2025 - aplanas@suse.com
+
+- Update vendored crates (bsc#1247193, CVE-2025-58266)
+  * shlex 1.3.0
+
+- Rebase keylime-agent.conf.diff for current configuration
+
+- Drop Cargo_lock.patch patch, already present in Cargo.lock
+
+- Update to version 0.2.7+141:
+  * service: Use WantedBy=multi-user.target
+  * rpm: Add subpackage for push-attestation agent
+  * push-model: implement continuous attestation with configurable intervals
+  * Retry registration forever in the state machine
+  * Add Verifier URL to configuration
+  * Align exp.backoff to current configuration format
+  * Increase coverage of state machine (using Context)
+  * Increase coverage of struct_filler.rs
+  * Groom code (remove dead code)
+  * Fix exponential backoff (10secs, 4xx accepted)
+  * test: Add documentation test to tests/run.sh
+  * tpm: Avoid running code example during documentation tests
+  * state_machine: Always start the agent from the Unregistered state
+  * Add fixes for the URL construction
+  * Refactor evidences collection in push attestation agent
+  * push-model: refactor attestation logic into a state machine
+  * Fix body sending by allowing serializing strings (#1057)
+  * Log ResilientClient errors/response status codes (#1055)
+  * Add AK signing scheme and hash algorithm to negotiation
+  * tpm: Add method to extract signing scheme and hash algorithm from AK
+  * Allow custom content-type/accept headers
+  * Integrate exponential backoff to registration (#1052)
+  * keylime/structures: Rename ShaValues to PcrBanks
+  * Add resilient_client for exponential backoff (#1048)
+
+-------------------------------------------------------------------
+Mon Jul 14 12:56:25 UTC 2025 - aplanas@suse.com
+
+- Update vendored crates (bsc#1242623, CVE-2025-3416)
+  * openssl 0.10.73
+
+- Update to version 0.2.7+117:
+  * Increase coverage in evidence handling structure
+  * Add Capabilities Negotiations resp. missing fields
+  * Fix UEFI test to check file access in all cases
+  * context_info_handler: Do not assume /var/lib/keylime exists
+  * Fix clippy warnings about uninlined format arguments
+  * attestation: Allow unwrap() in tests
+  * Increase coverage (groom code, extend unit tests)
+  * Include IMA/UEFI logs in Evidence Handling request
+  * Include method to get all IMA entries as string
+  * Send correct list of pcr banks and sign algorithms
+  * Try to fix TPM tests related issues
+  * Define attestation perform asynchronous
+  * Perform attestation in push model agent binary
+  * Refactor code to use new attestation.rs
+  * Create attestation.rs for Attestation stuff
+  * Move ContextInfo management to its own handler
+  * Adjust context_info.rs after rebase
+  * Add attestation function to ContextInfo structure
+  * Add prohibited signing algorithms, avoid ecschnorr
+  * keylime/config: Use macro to implement PushModelConfigTrait
+  * Introduce keylime-macros and define_view_trait
+  * config: Remove KeylimeConfig structure
+  * config: Remove unnecessary options and lazy initialization
+  * Fix pcr_bank function to send all possible slots
+  * Send Content-Type:application/json on request (#1039)
+  * Send correct 'key_algorithm' in certification_keys (#1035)
+  * Push Model: Persist Attestation Key to file
+  * Add Keylime push model binary to root GNUmakefile
+  * Use singleton to avoid multiple Context allocation
+  * tests: Do not assume `/var/lib/keylime` exists (#1030)
+  * lib/cert: Fix race condition due to use of same file path
+  * payloads: Fix race condition in tests
+  * Add uefi_log_handler.rs to parse UEFI binary
+  * Use IMA log parser to send correct entry count
+  * Add IMA log parser
+  * build(deps): bump once_cell from 1.19.0 to 1.21.3
+  * lib/config/base.rs: Add more unit tests
+  * lib/permissions: Add unit tests
+  * keylime-agent: move JsonWrapper from common.rs to the library
+  * lib/agent_data: Move agent_data related tests from common
+  * common: Replace APIVersion with the library Version structure
+  * keylime_agent: Move secure_mount.rs to the library
+  * lib: Rename keylime_error.rs as error.rs
+  * config: Move config to keylime library
+  * config: Rename push_model_config to push_model
+  * lib: Move permissions.rs from keylime-agent to the lib
+  * Extract Capabilities Negotiation info from TPM (#1014)
+
+-------------------------------------------------------------------
+Thu Jun 05 11:48:58 UTC 2025 - aplanas@suse.com
+
+- Update vendored crates (bsc#1243861, CVE-2024-12224)
+  * idna 1.0.3
+
+- Add Cargo_lock.patch to adjust versions that will allow the
+  compilation of mbox crate
+
+- Update to version 0.2.7+70: 
+  * build(deps): bump wiremock from 0.6.2 to 0.6.3
+  * build(deps): bump uuid from 1.16.0 to 1.17.0
+  * lib: Introduce AgentIdentity structure
+  * gitignore: Add *.swp and *.orig to be ignored
+  * build(deps): bump clap from 4.5.38 to 4.5.39
+  * build(deps): bump tokio from 1.45.0 to 1.45.1
+  * Unify Push Model structures time formats to UTC (#1016)
+  * Add Quote related structures to Keylime library
+  * Remove configuration file trailing whitespaces (#1012)
+  * keylime-agent.conf: add all accepted TPM encryption algs
+  * tpm: add policy auth for EK to activate crendential
+  * Enable non standard key sizes and curves for EK and AK
+  * config: Use next_back() instead of last() for iterators
+  * Update to tss-esapi v7.6.0
+  * Avoid duplicated call to ctx.create_ek
+  * build(deps): bump clap from 4.5.23 to 4.5.38
+  * Add registration for Push Model client
+  * build(deps): bump tokio from 1.44.2 to 1.45.0
+  * build(deps): bump chrono from 0.4.40 to 0.4.41
+  * build(deps): bump tempfile from 3.17.1 to 3.20.0
+  * Refactor code: move error, registration to lib
+  * Move structure filling and URL selection code (#999)
+  * build(deps): bump pest_derive from 2.7.15 to 2.8.0
+  * build(deps): bump pest from 2.7.15 to 2.8.0
+  * build(deps): bump libc from 0.2.169 to 0.2.172
+  * Add Evidence/Authentication messages to prototype
+  * build(deps): bump uuid from 1.15.1 to 1.16.0
+  * build(deps): bump thiserror from 2.0.11 to 2.0.12
+  * build(deps): bump signal-hook from 0.3.17 to 0.3.18
+  * build(deps): bump log from 0.4.25 to 0.4.27
+  * build(deps): bump assert_cmd from 2.0.16 to 2.0.17
+  * build(deps): bump actix-web from 4.9.0 to 4.10.2
+  * build(deps): bump reqwest from 0.12.12 to 0.12.15
+  * build(deps): bump serde from 1.0.217 to 1.0.219
+  * Add unit tests for sessions.rs structures
+  * Add auth(sessions) structures
+  * Fix minor README.md issue (#988)
+  * Define EvidenceHandling structures (#971)
+  * Add mockoon test scenario
+  * Add client certificates to push-attestation prototype
+  * Cargo: bump url crate to version 2.5.4
+  * Add logging to the push attestation prototype
+  * Do not use certificate on insecure mode
+  * common: Move the EncryptedData structure from common to the library
+  * common: Move AuthTag from common to the library
+  * build(deps): bump openssl from 0.10.71 to 0.10.72
+  * common: Move Symmkey to library as crypto::symmkey
+  * common: Remove unused constants and static values
+  * build(deps): bump tokio from 1.43.0 to 1.44.2
+  * Refactor code: Include AgentIdentity structure
+  * Push model prototype
+  * Add support for ek certificate chain, stored in TPM NVRAM.
+  * Recover key_class field and set it as "asymmetric"
+  * Update push model structures to latest values
+  * build(deps): bump serde_json from 1.0.138 to 1.0.140
+  * packit: Add identifier for each copr_build job
+  * keylime-agent.conf: only mention ecdsa and rsassa for signing
+  * build(deps): bump openssl from 0.10.70 to 0.10.71
+  * build(deps): bump uuid from 1.13.2 to 1.15.1
+  * Add capabilities_negotiation structures
+  * packit: Add compatibility/api_version_compatibility test
+  * build(deps): bump uuid from 1.11.0 to 1.13.2
+  * build(deps): bump serde_json from 1.0.135 to 1.0.138
+  * build(deps): bump thiserror from 2.0.9 to 2.0.11
+  * build(deps): bump tempfile from 3.14.0 to 3.17.1
+  * Allow agent to start as non-root
+  * scripts: Fix coverage information downloading script
+  * build(deps): bump openssl from 0.10.68 to 0.10.70
+  * build(deps): bump tokio from 1.42.0 to 1.43.0
+
+-------------------------------------------------------------------
+Mon Jan 27 09:43:30 UTC 2025 - aplanas@suse.com
+
+- Update to version 0.2.7+1:
+  * dist: Enable logging for keylime library in the service
+  * Bump version to 0.2.7
+  * scripts: Download coverage data from Testing Farm directly
+  * main: Remove unnecessary lifetime
+  * cargo: Bump pretty_env_logger to version 0.5.0
+  * scripts: Fix regex in download_packit_coverage.sh
+  * cargo: Bump clap crate to version 4.5.23
+  * cargo: Bump base64 crate to version 0.22.1
+  * build(deps): bump log from 0.4.22 to 0.4.25
+  * build(deps): bump serde_json from 1.0.133 to 1.0.135
+  * cargo: Bump tokio crate to version 1.42.0
+  * packit: Fix RPM builds on copr
+  * cargo: Bump thiserror crate to version 0.2.9
+  * cargo: Update reqwest to version 0.12.12
+  * build(deps): bump libc from 0.2.168 to 0.2.169
+  * build(deps): bump glob from 0.3.1 to 0.3.2
+  * version: Implement API version validation and ordering
+  * main: Support using multiple API versions for registration
+  * keylime: Introduce the registrar_client module
+  * Provide endpoints under multiple API versions
+  * Move 'serialization' module to the keylime library
+  * Drop unnecessary dependency on common::API_VERSION
+  * keylime-agent.conf: Bump version to 2.3
+  * build(deps): bump serde from 1.0.210 to 1.0.217
+  * build(deps): bump pest_derive from 2.7.14 to 2.7.15
+  * build(deps): bump pest from 2.7.14 to 2.7.15
+  * build(deps): bump libc from 0.2.167 to 0.2.168
+  * config: Make IAK and IDevID certificates optional
+  * Fix warnings reported by clippy
+  * workflows: Run job in the CI container directly
+  * tests: Add unit test for device ID builder
+  * main: Move IAK/IDevID related code to dedicated module
+  * tests: Add script to generate IAK and IDevID certificates
+  * build(deps): bump openssl from 0.10.66 to 0.10.68
+  * build(deps): bump uuid from 1.10.0 to 1.11.0
+  * build(deps): bump serde_json from 1.0.128 to 1.0.133
+  * build(deps): bump actix-web from 4.5.1 to 4.9.0
+  * build(deps): bump reqwest from 0.12.7 to 0.12.9
+  * tests/setup_swtpm.sh: Add script to setup temporary TPM
+  * Use a single TPM context and avoid race conditions during tests
+  * config: Enable passing a hostname instead of IP
+  * build(deps): bump clap from 4.3.11 to 4.5.21
+  * build(deps): bump tempfile from 3.10.1 to 3.14.0
+  * build(deps): bump pest_derive from 2.7.6 to 2.7.14
+  * build(deps): bump pest from 2.7.6 to 2.7.14
+  * build(deps): bump codecov/codecov-action from 4 to 5
+  * workflows: Submit the coverage for merged PR from Fedora 41
+  * tests: Use Fedora 41 to generate code coverage
+  * api: Make API configuration modular
+  * agent_handler: Move the /agent scope configuration
+  * notifications_handler: Move the /notifications scope configuration
+  * quotes_handler: Move the /quotes scope configuration to quotes_handler
+  * keys_handler: Move /keys scope configuration to keys_handler
+  * Use ${DESTDIR} for config
+  * Fix showing wrong UUID
+  * build(deps): bump actix-rt from 2.9.0 to 2.10.0
+  * config: Refactor AgentConfig Source trait implementation
+  * build(deps): bump log from 0.4.21 to 0.4.22
+  * build(deps): bump serde_json from 1.0.120 to 1.0.128
+  * tpm: check if EK certificate has valid ASN.1 DER encoding
+  * build(deps): bump futures from 0.3.27 to 0.3.31
+  * cargo: Bump reqwest to version 0.12.7
+  * build(deps): bump serde from 1.0.203 to 1.0.210
+  * tests: Add more tests to Packit CI
+  * build(deps): bump docker/build-push-action from 5 to 6
+  * tests: apply workarounds to known bugs
+
 -------------------------------------------------------------------
 Mon Sep 02 11:53:27 UTC 2024 - aplanas@suse.com
 
-- Update vendored crates (bsc#1229952, bsc#1230029)
+- Update vendored crates (bsc#1229952, bsc#1230029, CVE-2024-43806)
   * rustix 0.37.25
   * rustix 0.38.34
   * shlex  1.3.0

rust-keylime.obsinfo

@@ -1,4 +1,4 @@
 name: rust-keylime
-version: 0.2.6+13
+version: 0.2.7+141
-mtime: 1724838345
+mtime: 1754479734
-commit: 57992463535d15951ebaca77d1be4217ffaf74d6
+commit: 573d1958a6343fd1882851d97e3ac06122d34438

rust-keylime.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package rust-keylime
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,13 +25,13 @@
   %define _config_norepl %config(noreplace)
 %endif
 Name:           rust-keylime
-Version:        0.2.6+13
+Version:        0.2.7+141
 Release:        0
 Summary:        Rust implementation of the keylime agent
 License:        (Apache-2.0 OR MIT) AND BSD-3-Clause AND (Apache-2.0 OR MIT) AND Unicode-DFS-2016 AND (Apache-2.0 OR BSL-1.0) AND (Apache-2.0 OR ISC OR MIT) AND (Apache-2.0 OR MIT) AND (Apache-2.0 OR Apache-2.0 WITH LLVM-exception OR MIT) AND (Apache-2.0 OR MIT OR Zlib) AND (MIT OR Unlicense) AND (Apache-2.0 OR Zlib OR MIT) AND Apache-2.0 AND Apache-2.0 WITH LLVM-exception AND BSD-3-Clause AND ISC AND MIT
 URL:            https://github.com/keylime/rust-keylime
 Source:         rust-keylime-%{version}.tar.zst
-Source1:        vendor.tar.xz
+Source1:        vendor.tar.zst
 Source2:        cargo_config
 Source3:        keylime.xml
 Source4:        keylime-user.conf
@@ -46,6 +46,8 @@ BuildRequires:  clang
 BuildRequires:  firewall-macros
 BuildRequires:  libarchive-devel
 BuildRequires:  rust
+# Required for SLE-15-SP5 / Micro55
+BuildRequires:  cargo >= 1.87
 BuildRequires:  sysuser-tools
 BuildRequires:  tpm2-0-tss-devel
 Requires:       libtss2-tcti-device0
@@ -72,7 +74,7 @@ Subpackage of %{name} to provide an suggested IMA policy for Keylime agent
 %prep
 %autosetup -a1 -p1
 mkdir .cargo
-install -D -m 644 %{SOURCE2} .cargo/config
+install -D -m 644 %{SOURCE2} .cargo/config.toml
 
 %build
 %{cargo_build} --no-default-features

vendor.tar.zst

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b63d41f84adc8b4bf6c863aae492a29c524d7ade2f7fdfcfc1a3d5b7041f64ec
+size 58828231