Accepting request 1318215 from utilities

OBS-URL: https://build.opensuse.org/request/show/1318215
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sbctl?expand=0&rev=9

_service

@@ -5,7 +5,6 @@
     <param name="exclude">.git</param>
     <param name="revision">@PARENT_TAG@</param>
     <param name="versionformat">@PARENT_TAG@</param>
-    <param name="changesgenerate">enable</param>
   </service>
   <service name="set_version" mode="manual">
     <param name="basename">sbctl</param>
@@ -15,5 +14,7 @@
     <param name="compression">gz</param>
   </service>
   <service name="go_modules" mode="manual">
+    <param name="replace">github.com/ulikunitz/xz=github.com/ulikunitz/xz@v0.5.14</param>
+    <param name="replace">golang.org/x/net=golang.org/x/net@v0.46.0</param>
   </service>
 </services>

sbctl-0.14.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b1e7b62c66e842113a31ab1c1505886e38475c5f1ee8a5f15f2ab32f25ad3ef4
-size 17935856

sbctl-0.18.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f244890d1676bc9e7761ebbbdc7e94e516b47642ef37efd0b7b60e5223fcaaa5
+size 17960022

sbctl.changes

@@ -1,3 +1,122 @@
+-------------------------------------------------------------------
+Wed Nov 12 07:29:18 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Upgrade the embedded golang.org/x/net to 0.46.0
+  * Fixes: bsc#1251399, CVE-2025-47911: various algorithms with
+    quadratic complexity when parsing HTML documents
+  * Fixes: bsc#1251609, CVE-2025-58190: excessive memory consumption
+    by 'html.ParseFragment' when processing specially crafted input
+
+-------------------------------------------------------------------
+Mon Oct 13 09:06:05 UTC 2025 - Jan Loeser <rooterle@posteo.de>
+
+- Update to version 0.18:
+  * logging: fixup new go vet warning
+  * workflows: add cc for cross compile
+  * workflow: add sudo to apt
+  * workflow: add pcsclite to ci
+  * workflow: try enable cgo
+  * go.mod: update golang.org/x/ dependencies
+  * fix: avoid adding bogus Country attribute to subject DNs
+  * sbctl: only store file if we did actually sign the file
+  * installkernel: add post install hook for Debian's traditional installkernel
+  * CI: missing libpcsclite pkg
+  * workflows: add missing depends and new pattern keyword
+  * Add yubikey example for create keys to the README
+  * Initial yubikey backend keytype support
+  * verify: ensure we pass args in correct order
+
+-------------------------------------------------------------------
+Mon Sep  1 09:34:54 UTC 2025 - Michael Vetter <mvetter@suse.com>
+
+- bsc#1248949 (CVE-2025-58058):
+  Bump xz to 0.5.14
+
+-------------------------------------------------------------------
+Mon May  5 11:24:29 UTC 2025 - Jan Loeser <jan.loeser@posteo.de>
+
+- Update to version 0.17:
+  * Ensure we don't wrongly compare input/output files when signing
+  * Added --json supprt to sbctl verify
+  * Ensure sbctl setup with no arguments returns a helpful output
+  * Import latest Microsoft keys for KEK and db databases
+  * Ensure we print the path of the file when encountering an invalid PE file
+  * Misc fixups in tests
+  * Misc typo fixes in prints
+
+-------------------------------------------------------------------
+Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
+
+- Disable tests that fail due to gh/foxboron/sbctl#343
+- Update to version 0.16:
+  * Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
+    present
+  * Fixed a bug where sbctl would abort if the TPM eventlog
+    contains the same byte multiple times
+  * Fixed a landlock bug where enroll-keys --export did not work
+  * Fixed a bug where an ESP mounted to multiple paths would not be
+    detected
+  * Exporting keys without efivars present work again
+  * sbctl sign will now use the saved output path if the signed
+    file is enrolled
+  * enroll-keys --append will now work without --force.
+- Updates from version 0.15.4:
+  * Fixed an issue where sign-all did not report a non-zero exit
+    code when something failed
+  * Fixed and issue where we couldn't write to a file with landlock
+  * Fixed an issue where --json would print the human readable
+    output and the json
+  * Fixes landlock for UKI/bundles by disabling the sandbox feature
+  * Some doc fixups that mentioned /usr/share/
+
+-------------------------------------------------------------------
+Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
+
+- Update to version 0.15.3:
+  * Fixed a mistake where the db_additions setting in sbctl.conf
+    was not wired up to sbctl setup.
+  * Relaxed the check for an existing install in sbctl setup form
+    looking after /var/lib/sbctl to check for /var/lib/sbctl/keys.
+  * Fixed a bug where dmi information was not read for quirk
+    detection when landlock was enabled.
+  * Fixed a bug where sbctl create-keys did not have access to
+    /var/lib under landlock.
+  * Fixed a bug where sbctl setup didn't have access to /usr/share.
+
+-------------------------------------------------------------------
+Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
+
+- Added minimum go required version
+- Update to version 0.15.2:
+  * Fixed a bug where sbctl setup aborts early because
+    /var/lib/sbctl already exists.
+- Updates from version 0.15.1:
+  * Fixed an issue where sbctl migrate did not work without
+    --disable-landlock.
+  * Fixed an issue where bundles.db would be written to files.json
+    deleting list of files.
+- Updates from version 0.15:
+  See the release for full changes.
+  https://github.com/Foxboron/sbctl/releases/tag/0.15
+  * sbctl will try to sandbox all commands with landlock. Landlock
+    is a unpriviledged sandbox, similar to OpenBSD pledge, that
+    allows sbctl to declare the directories and files we are
+    reading/writing a head. This feature is enabled by default and
+    can be disabled by setting landlock: false in the new config
+    file, or by passing --disable-landlock flag.
+  * sbctl has moved from using /usr/share/secureboot to
+    /var/lib/sbctl. The useage of /usr was mostly for legacy
+    reasons but there wasn't any motivation to fix this until now.
+    To help with the migration sbctl migrate has been implemented.
+    It will move all the files from the old location to
+    /var/lib/sbctl and rename files accordingly.
+  * sbctl now support creation of TPM key files using
+    go-tpm-keyfiles. These keys are mostly compatible with how
+    other TPM2 TSS keyfiles are created. This key type can be used
+    by passing on of several keytype flags to create-keys or
+    rotate-keys, or by specifying the type in the new configuration
+    file.
+
 -------------------------------------------------------------------
 Thu May  9 15:54:58 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
 

sbctl.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package sbctl
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -17,16 +17,12 @@
 
 
 Name:           sbctl
-Version:        0.14
+Version:        0.18
 Release:        0
 Summary:        Secure Boot key manager
 License:        MIT
 Group:          System/Boot
 URL:            https://github.com/Foxboron/sbctl
-%if "%{_vendor}" == "debbuild"
-# Needed to set Maintainer in output debs
-Packager:       Jan Loeser <jan.loeser@posteo.de>
-%endif
 Source:         %{name}-%{version}.tar.gz
 Source1:        vendor.tar.gz
 Source2:        %{name}-rpmlintrc
@@ -40,10 +36,15 @@ Requires:       util-linux
 BuildRequires:  asciidoc
 BuildRequires:  binutils
 %if 0%{?suse_version}
+BuildRequires:  go >= 1.22.0
 BuildRequires:  golang-packaging
+BuildRequires:  pcsc-lite-devel
+BuildRequires:  pkgconfig(openssl) > 3.0.0
 %endif
 %if 0%{?ubuntu}
-BuildRequires:  golang
+BuildRequires:  golang >= 1.22.0
+BuildRequires:  libpcsclite-dev
+BuildRequires:  libssl-dev > 3.0.0
 %endif
 
 %description
@@ -55,7 +56,15 @@ needs to be signed in the boot chain.
 %autosetup -a 1
 
 %build
-%make_build all
+# Remove toolchain directive as we can't download it from external and we lack a corresponding
+# macro package for deb (golang-packaging)
+%if 0%{?ubuntu}
+sed -i '/^toolchain.*/d' go.mod
+%endif
+
+# Remove upstream version set.
+sed -i 's|VERSION =.*||' Makefile
+VERSION="%{version}" %make_build all
 
 %install
 %make_install BINDIR="%{_sbindir}" PREFIX="%{_prefix}"
@@ -63,22 +72,22 @@ needs to be signed in the boot chain.
 # Fix potential-bashisms rpmlint error by using bash shebang
 sed -i 's|bin/sh|bin/bash|' %{buildroot}%{_prefix}/lib/kernel/install.d/91-sbctl.install
 
-%check
-%make_build test
-
 %files
 %doc README.md
 %license LICENSE
 
 %dir %{_prefix}/lib/kernel/
 %dir %{_prefix}/lib/kernel/install.d/
+%dir %{_prefix}/lib/kernel/postinst.d/
 %dir %{_datadir}/fish/
 %dir %{_datadir}/fish/vendor_completions.d/
 %dir %{_datadir}/zsh/
 %dir %{_datadir}/zsh/site-functions/
 
 %{_prefix}/lib/kernel/install.d/91-sbctl.install
+%{_prefix}/lib/kernel/postinst.d/91-sbctl.install
 %{_mandir}/man8/sbctl.8*
+%{_mandir}/man5/sbctl.conf.5*
 %{_datadir}/bash-completion/completions/sbctl
 %{_datadir}/fish/vendor_completions.d/sbctl.fish
 %{_datadir}/zsh/site-functions/_sbctl

vendor.tar.gz

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8c1bc51d0fcb14867b8309e8cba83a494dec0f6137b01098cb7c537d9d630788
-size 4584792
+oid sha256:d2fc644ddb2b233faec1f29dd1199748667ff2a50640a8b5107920fef6ca1fa2
+size 5068731