utilities/sbctl
SHA256
5
0
Fork 0
forked from pool/sbctl
Code Pull Requests Activity
Files
main
sbctl/sbctl.changes
Jan Loeser 7310bb1da1 - Update to version 0.17: 
* Ensure we don't wrongly compare input/output files when signing
  * Added --json supprt to sbctl verify
  * Ensure sbctl setup with no arguments returns a helpful output
  * Import latest Microsoft keys for KEK and db databases
  * Ensure we print the path of the file when encountering an invalid PE file
  * Misc fixups in tests
  * Misc typo fixes in prints

OBS-URL: https://build.opensuse.org/package/show/utilities/sbctl?expand=0&rev=15
2025-05-05 11:38:27 +00:00

206 lines
8.9 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Mon May 5 11:24:29 UTC 2025 - Jan Loeser <jan.loeser@posteo.de>
- Update to version 0.17:
* Ensure we don't wrongly compare input/output files when signing
* Added --json supprt to sbctl verify
* Ensure sbctl setup with no arguments returns a helpful output
* Import latest Microsoft keys for KEK and db databases
* Ensure we print the path of the file when encountering an invalid PE file
* Misc fixups in tests
* Misc typo fixes in prints
-------------------------------------------------------------------
Tue Oct 22 03:56:54 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Disable tests that fail due to gh/foxboron/sbctl#343
- Update to version 0.16:
* Ensure sbctl reads --config even if /etc/sbctl/sbctl.conf is
present
* Fixed a bug where sbctl would abort if the TPM eventlog
contains the same byte multiple times
* Fixed a landlock bug where enroll-keys --export did not work
* Fixed a bug where an ESP mounted to multiple paths would not be
detected
* Exporting keys without efivars present work again
* sbctl sign will now use the saved output path if the signed
file is enrolled
* enroll-keys --append will now work without --force.
- Updates from version 0.15.4:
* Fixed an issue where sign-all did not report a non-zero exit
code when something failed
* Fixed and issue where we couldn't write to a file with landlock
* Fixed an issue where --json would print the human readable
output and the json
* Fixes landlock for UKI/bundles by disabling the sandbox feature
* Some doc fixups that mentioned /usr/share/
-------------------------------------------------------------------
Wed Jul 31 23:55:22 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Update to version 0.15.3:
* Fixed a mistake where the db_additions setting in sbctl.conf
was not wired up to sbctl setup.
* Relaxed the check for an existing install in sbctl setup form
looking after /var/lib/sbctl to check for /var/lib/sbctl/keys.
* Fixed a bug where dmi information was not read for quirk
detection when landlock was enabled.
* Fixed a bug where sbctl create-keys did not have access to
/var/lib under landlock.
* Fixed a bug where sbctl setup didn't have access to /usr/share.
-------------------------------------------------------------------
Wed Jul 31 14:13:47 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Added minimum go required version
- Update to version 0.15.2:
* Fixed a bug where sbctl setup aborts early because
/var/lib/sbctl already exists.
- Updates from version 0.15.1:
* Fixed an issue where sbctl migrate did not work without
--disable-landlock.
* Fixed an issue where bundles.db would be written to files.json
deleting list of files.
- Updates from version 0.15:
See the release for full changes.
https://github.com/Foxboron/sbctl/releases/tag/0.15
* sbctl will try to sandbox all commands with landlock. Landlock
is a unpriviledged sandbox, similar to OpenBSD pledge, that
allows sbctl to declare the directories and files we are
reading/writing a head. This feature is enabled by default and
can be disabled by setting landlock: false in the new config
file, or by passing --disable-landlock flag.
* sbctl has moved from using /usr/share/secureboot to
/var/lib/sbctl. The useage of /usr was mostly for legacy
reasons but there wasn't any motivation to fix this until now.
To help with the migration sbctl migrate has been implemented.
It will move all the files from the old location to
/var/lib/sbctl and rename files accordingly.
* sbctl now support creation of TPM key files using
go-tpm-keyfiles. These keys are mostly compatible with how
other TPM2 TSS keyfiles are created. This key type can be used
by passing on of several keytype flags to create-keys or
rotate-keys, or by specifying the type in the new configuration
file.
-------------------------------------------------------------------
Thu May 9 15:54:58 UTC 2024 - Joshua Smith <smolsheep@opensuse.org>
- Enable tests
- Fix bashism error in 91-sbctl.install by using bash shebang
- Service to use manual instead of deprecated disabled and pattern
cleanup
- Update to version 0.14:
New commands
* export-enrolled-keys will export all enrolled keys on the
system to a directory
* list-enrolled-keys will list the enrolled keys on the system
New Things
* The test suite has now been rewritten to use the new vmtest
library.
Bugfixes
* sign-all won't abort when it encounters a file it can't sign.
* The kernel-install hook won't try to sign things if there are
no signing keys available.
* The kernel-install hook will now only remove things if they
actually did exist on the system.
* The mkinitcpio hook now only sign the built kernel/UKI instead
of all the sbctl files.
-------------------------------------------------------------------
Wed Dec 27 08:21:25 UTC 2023 - Joshua Smith <jsmithfpv@gmail.com>
- Update to version 0.13:
* --export,-e and --database-path,-d now work properly and don't
overwrite the create-keys variables internally
* remove erronous dbx enrollment. Previous release implemented
support for dbx that doesn't really work as expected. It
would also fail to enroll keys for previously setup clients.
Implementation has been removed and will be iterated upon at a
later date.
* make: fix github artifact upload
* Change shebang
* Ensure file signing hook is run when initrd is rebuilt
* Fixed typo, removed mention enroll-keys enables Secure Boot
automatically
* Ignore Setup mode and immutable variables for export
* Specify file origin + always print signing message
* tests/utils/certs.go: drop keyUsage bitfield
* update manpage docs
* allow specifying keys and GUID paths
* Update README.md
* keys.go: drop the keyUsage bitfield
* Check and return Open errs
* Update documentation for custom dbx
-------------------------------------------------------------------
Fri Oct 20 23:32:22 UTC 2023 - Joshua Smith <jsmithfpv@gmail.com>
- Update to version 0.12:
* sbctl bundle might be depreciated in the future.
* sbctl now allows you to enroll custom certificates into KEK
and db.
* sbctl now allows keys to be exported as EFI Signature Lists
(esl) or EFI Authenticated Variables (auth), which are pre-signed.
* sbctl can now enroll certificates found in dbxDefault,
dbDefault, KEKDefault and PKDefault.
* Before this release sbctl would enroll, reset and rotate the
entire key hierarchy when requested. With this release several
improvements have been made to have the ability to support
partial key hierarchies. This can be used through the --partial
flag in their respective commands.
* add documentation for the extra flags of enroll/rotate/reset
* feat: add option to remove specific certs from db instead of an entire reset
* feat: add append option to enroll-keys
* feat: force key flag
* Add support for OEM dbx enrollment
* feat(dbx): enroll/rotate/reset dbx keys
* feat(rotate): enable partial rotation and providing different sources
* feat(reset): enable partial resets of secureboot keys
* feat(enroll-keys): add partial enrollment of keys
* Implement full support for loading builtin firmware certificates
* Add support for loading certificates from dbDefault
-------------------------------------------------------------------
Mon Mar 27 07:36:22 UTC 2023 - jan.loeser@posteo.de
- Update to version 0.11:
* status: Warn about firmware quirks
* Add trailing newline to JSON output
* Improve wording
* Always include vendor keys in status output
* Move a few more functions to afero and fs.Fs
* Remove unused code
* Include fs module
* Implement fs package and remove all direct filesystem calls
* Updated dependencies
* status: Added e2e test
* enroll-keys: remove variable overriding for OEM key enrollment
* updated to go 1.20
* Fix arbitrary sizes in UKI generation
* Update README.md
* enroll-keys: Enroll Microsoft KEK along with their other keys
* pacman: Add extramodules target to hook
* Fix POSIX sh comparison
* verify: Implement file verification
-------------------------------------------------------------------
Thu Jan 19 12:29:01 UTC 2023 - Joshua Smith <jsmithfpv@gmail.com>
- Update to version 0.10:
* go.mod: Properly fetch new library version
* go.mod: update go-uefi and cleanup
* rotate-keys: Implement rotate-keys
* Add support for the uki layout
* Fix typos and some improve grammar a bit
* sbctl.8: Provide more precise setup mode instructions
* enroll-keys: Error if user has Setup Mode disabled
* update manpage to reflect defaults in bundle.go
* Fix crash when ESP is not mounted
* main: Always ensure we allow printing before json prints
-------------------------------------------------------------------
Mon Nov 28 04:07:35 UTC 2022 - Joshua Smith <jsmithfpv@gmail.com>
- Initial package of sbctl 0.9.0 for openSUSE
View Git Blame Copy Permalink