.clevis-pin-tpm2.metadata

@@ -1,2 +0,0 @@
-3cca4797cb447ec9414f5481c44291539d610de1 SOURCES/clevis-pin-tpm2-0.5.1.tar.gz
-59bdc74ad0d54c73a1c3b2509361e52106f775c4 SOURCES/clevis-pin-tpm2-v0.5.1-vendor.tar.gz

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/clevis-pin-tpm2-0.5.1.tar.gz
-SOURCES/clevis-pin-tpm2-v0.5.1-vendor.tar.gz
+/clevis-pin-tpm2-*.tar.gz
+/clevis-pin-tpm2-*-vendor.tar.xz

0001-Add-JSON-schema-validation-to-reject-unknown-fields.patch

@@ -0,0 +1,70 @@
+From d1ab04c3d8cffae06fef09fbe5cf8202e59df3d7 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Sun, 14 Dec 2025 18:58:57 -0300
+Subject: [PATCH] Add JSON schema validation to reject unknown fields
+
+Adds serde(deny_unknown_fields) attribute to TPM2Config to catch
+typos and invalid field names in JSON configuration. Previously,
+invalid fields like "pcrs_ids" were silently ignored, which could
+lead to unexpected behavior.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ src/cli.rs | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/src/cli.rs b/src/cli.rs
+index e5caa70..97eaabb 100644
+--- a/src/cli.rs
++++ b/src/cli.rs
+@@ -7,6 +7,7 @@ use tpm2_policy::TPMPolicyStep;
+ use crate::utils::get_authorized_policy_step;
+ 
+ #[derive(Serialize, Deserialize, std::fmt::Debug)]
++#[serde(deny_unknown_fields)]
+ pub(super) struct TPM2Config {
+     pub hash: Option<String>,
+     pub key: Option<String>,
+@@ -235,3 +236,39 @@ pub(super) fn get_mode_and_cfg(args: &[String]) -> Result<(ActionMode, Option<TP
+ 
+     Ok((mode, cfg))
+ }
++
++#[cfg(test)]
++mod tests {
++    use super::*;
++
++    #[test]
++    fn test_valid_config_parsing() {
++        let config_str = r#"{"pcr_ids": "7"}"#;
++        let result = serde_json::from_str::<TPM2Config>(config_str);
++        assert!(result.is_ok());
++    }
++
++    #[test]
++    fn test_invalid_field_name_rejected() {
++        // Using "pcrs_ids" instead of "pcr_ids" should fail
++        let config_str = r#"{"pcrs_ids": "7"}"#;
++        let result = serde_json::from_str::<TPM2Config>(config_str);
++        assert!(result.is_err());
++        let err = result.unwrap_err();
++        assert!(err.to_string().contains("unknown field"));
++    }
++
++    #[test]
++    fn test_multiple_invalid_fields_rejected() {
++        let config_str = r#"{"invalid_field": "value", "another_invalid": "value2"}"#;
++        let result = serde_json::from_str::<TPM2Config>(config_str);
++        assert!(result.is_err());
++    }
++
++    #[test]
++    fn test_valid_complex_config() {
++        let config_str = r#"{"pcr_ids": [7, 11], "pcr_bank": "sha256", "hash": "sha256"}"#;
++        let result = serde_json::from_str::<TPM2Config>(config_str);
++        assert!(result.is_ok());
++    }
++}
+-- 
+2.47.3
+

README.md

@@ -0,0 +1,3 @@
+# clevis-pin-tpm2
+
+The clevis-pin-tpm2 package

SPECS/clevis-pin-tpm2.spec

@@ -1,89 +0,0 @@
-%bcond_without check
-%global __cargo_skip_build 0
-%global __cargo_is_lib() false
-
-Name:           clevis-pin-tpm2
-Version:        0.5.1
-Release:        2%{?dist}
-Summary:        Clevis PIN for unlocking with TPM2 supporting Authorized Policies
-
-License:        MIT
-URL:            https://github.com/fedora-iot/clevis-pin-tpm2/
-Source:         %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
-Source1:        %{name}-v%{version}-vendor.tar.gz
-
-ExclusiveArch:  %{rust_arches}
-# RHBZ 1869980
-ExcludeArch:    s390x i686 %{power64}
-
-BuildRequires:  rust-toolset
-BuildRequires:  tpm2-tss-devel
-Requires:       clevis
-
-%description
-%{summary}.
-
-%prep
-%autosetup -p1
-%cargo_prep -V 1
-
-%build
-%cargo_build
-
-%install
-%cargo_install
-ln -s /usr/bin/clevis-pin-tpm2 %{buildroot}/usr/bin/clevis-encrypt-tpm2plus
-ln -s /usr/bin/clevis-pin-tpm2 %{buildroot}/usr/bin/clevis-decrypt-tpm2plus
-
-%if %{with check}
-%check
-%cargo_test -- -- --skip real_ --skip loop_ --skip travis_
-%endif
-
-%files
-%license LICENSE
-%{_bindir}/clevis-pin-tpm2
-%{_bindir}/clevis-*-tpm2plus
-
-%changelog
-* Fri Dec 10 2021 Antonio Murdaca <runcom@linux.com> - 0.5.1-2
-- rebuilt to disable annocheck for Rust code
-
-* Thu Dec 09 2021 Antonio Murdaca <runcom@linux.com> - 0.5.1-1
-- rebuilt to add gating and relicense to MIT
-
-* Thu Dec 09 2021 Antonio Murdaca <runcom@linux.com> - 0.5.0-1
-- bump to 0.5.0
-
-* Mon Oct 4 2021 Antonio Murdaca <amurdaca@redhat.com> - 0.4.1-1
-- import in c9s and rhel9
-
-* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
-
-* Tue Apr 06 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 0.3.0-1
-- Update to 0.3.0
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Thu Dec  3 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.2.0-1
-- Update to 0.2.0
-
-* Tue Nov 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.4-1
-- Update to 0.1.4
-
-* Sat Aug 29 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.3-1
-- Update to 0.1.3
-
-* Tue Aug 25 2020 Patrick Uiterwijk <patrick@puiterwijk.org> - 0.1.2-2
-- Add symlink to clevis-{en,de}crypt-tpm2plus
-
-* Fri Aug 21 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.2-1
-- Update to 0.1.2
-
-* Thu Aug 13 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.1-1
-- Update to 0.1.1
-
-* Mon Aug  3 2020 Peter Robinson <pbrobinson@fedoraproject.org> 0.0.1-1
-- Initial release

ci_tests.fmf

@@ -0,0 +1,20 @@
+summary: test plan for clevis-pin-tpm2 gating testing
+
+
+prepare:
+  - how: shell
+    script:
+     - systemctl disable --now dnf-makecache.service || true
+     - systemctl disable --now dnf-makecache.timer || true
+     - dnf makecache
+
+discover:
+  - name: Upstream_tests_clevis
+    how: fmf
+    url: https://github.com/RedHat-SP-Security/clevis-tests
+    ref: master
+    test:
+     - /Sanity/upstream-test-suite
+execute:
+    how: tmt
+

clevis-pin-tpm2.spec

@@ -0,0 +1,188 @@
+%bcond_without check
+%global __cargo_skip_build 0
+%global __cargo_is_lib() false
+
+Name:           clevis-pin-tpm2
+Version:        0.5.3
+Release:        9%{?dist}
+Summary:        Clevis PIN for unlocking with TPM2 supporting Authorized Policies
+
+License:        MIT
+URL:            https://github.com/fedora-iot/clevis-pin-tpm2/
+Source:         %{url}/archive/v%{version}/%{name}-%{version}.tar.gz
+# To create the vendor tarball:
+#   tar xf %%{name}-%%{version}.crate ; pushd %%{name}-%%{version} ; \
+#   cargo vendor && tar Jcvf ../%%{name}-%%{version}-vendor.tar.xz vendor/ ; popd
+Source1:        %{name}-%{version}-vendor.tar.xz
+
+Patch: 0001-Add-JSON-schema-validation-to-reject-unknown-fields.patch
+
+ExclusiveArch:  %{rust_arches}
+%if 0%{?rhel}
+BuildRequires:  rust-toolset
+%else
+BuildRequires:  rust-packaging
+%endif
+BuildRequires:  git-core
+BuildRequires:  clang-devel
+BuildRequires:  openssl-devel
+BuildRequires:  tpm2-tss-devel
+%if %{with check}
+BuildRequires:  swtpm
+BuildRequires:  swtpm-tools
+BuildRequires:  clevis
+%endif
+Requires:       clevis
+
+%description
+%{summary}.
+
+%prep
+%autosetup -S git %{?rhel:-a1}
+%if 0%{?rhel}
+%cargo_prep -v vendor
+%else
+%cargo_prep
+
+%generate_buildrequires
+%cargo_generate_buildrequires
+%endif
+
+%build
+%cargo_build
+%cargo_license_summary
+%{cargo_license} > LICENSE.dependencies
+%if 0%{?rhel}
+%cargo_vendor_manifest
+%endif
+
+%install
+%cargo_install
+ln -s /usr/bin/clevis-pin-tpm2 %{buildroot}/usr/bin/clevis-encrypt-tpm2plus
+ln -s /usr/bin/clevis-pin-tpm2 %{buildroot}/usr/bin/clevis-decrypt-tpm2plus
+
+%if %{with check}
+%check
+# Setup and start swtpm for testing (following upstream CI workflow)
+export SWTPM_DIR="$(mktemp -d)"
+swtpm_setup --tpm2 \
+    --tpmstate "${SWTPM_DIR}" \
+    --createek --decryption \
+    --pcr-banks sha1,sha256 \
+    --display
+swtpm socket --tpm2 \
+    --tpmstate dir="${SWTPM_DIR}" \
+    --flags startup-clear \
+    --ctrl type=tcp,port=2322 \
+    --server type=tcp,port=2321 &
+SWTPM_PID=$!
+export TCTI=swtpm:
+
+# Run tests.
+SKIP_CLEVIS=true %cargo_test -- -- --nocapture
+
+# Clean up
+kill "${SWTPM_PID}" 2>/dev/null || true
+[ -d "${SWTPM_DIR}" ] && rm -rf "${SWTPM_DIR}"
+%endif
+
+%files
+%license LICENSE
+%license LICENSE.dependencies
+%if 0%{?rhel}
+%license cargo-vendor.txt
+%endif
+%{_bindir}/clevis-pin-tpm2
+%{_bindir}/clevis-*-tpm2plus
+
+%changelog
+* Tue Jan 13 2026 Sergio Correia <scorreia@redhat.com> - 0.5.3-9
+- Add JSON schema validation to reject unknown fields
+  Resolves: RHEL-138591
+
+* Tue Feb 4 2025 Sergio Arroutbi <sarroutb@redhat.com> - 0.5.3-8
+- Package rebuild to retrieve latest rust-openssl version
+  Resolves: RHEL-77723
+
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.5.3-7
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.5.3-6
+- Bump release for June 2024 mass rebuild
+
+* Fri Feb 02 2024 Yaakov Selkowitz <yselkowi@redhat.com> - 0.5.3-5
+- Update Rust macro usage
+
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Dec 01 2023 Fabio Valentini <decathorpe@gmail.com> - 0.5.3-2
+- Rebuild for openssl crate >= v0.10.60 (RUSTSEC-2023-0044, RUSTSEC-2023-0072)
+
+* Fri Jul 28 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 0.5.3-1
+- Update to 0.5.3
+
+* Wed Jul 19 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 0.5.2-7
+- Use vendored dependencies in RHEL builds
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed May 03 2023 Fabio Valentini <decathorpe@gmail.com> - 0.5.2-5
+- Rebuild for openssl crate >= v0.10.48 (RUSTSEC-2023-{0022,0023,0024})
+
+* Tue Feb 07 2023 Peter Robinson <pbrobinson@fedoraproject.org> - 0.5.2-4
+- Rebuild for tss-esapi 7.2.0
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Fri Apr 22 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 0.5.2-1
+- Update to 0.5.2
+- License EUPL 1.2 -> MIT
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Dec 08 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 0.5.0-1
+- Update to 0.5.0
+
+* Wed Nov 03 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 0.4.1-1
+- Update to 0.4.1
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.3.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Apr 06 2021 Peter Robinson <pbrobinson@fedoraproject.org> - 0.3.0-1
+- Update to 0.3.0
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.2.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Thu Dec  3 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.2.0-1
+- Update to 0.2.0
+
+* Tue Nov 10 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.4-1
+- Update to 0.1.4
+
+* Sat Aug 29 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.3-1
+- Update to 0.1.3
+
+* Tue Aug 25 2020 Patrick Uiterwijk <patrick@puiterwijk.org> - 0.1.2-2
+- Add symlink to clevis-{en,de}crypt-tpm2plus
+
+* Fri Aug 21 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.2-1
+- Update to 0.1.2
+
+* Thu Aug 13 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 0.1.1-1
+- Update to 0.1.1
+
+* Mon Aug  3 2020 Peter Robinson <pbrobinson@fedoraproject.org> 0.0.1-1
+- Initial release

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}

sources

@@ -0,0 +1,2 @@
+SHA512 (clevis-pin-tpm2-0.5.3.tar.gz) = 5c7abb7398339801955de202166ad5a0de4cb1963207f1eae0d40c36cd6603a5703b5cb49b1181b086a666e65fe17994508c24c7e3ea6cd0ccfbe1ef19d1d9d5
+SHA512 (clevis-pin-tpm2-0.5.3-vendor.tar.xz) = f55cb8d0e29087d061629b463dc413ad9885d4879d8fe8213a0b4d41262e3a016edc1bf0739ee4d290a56cdf18280000019fbba78c96fd7f750ae4bba25f5cd6