.clevis.metadata

@@ -1 +0,0 @@
-ce825a10c5aa885e001c963be4cc4a8dea2137b0 SOURCES/clevis-15.tar.xz

SOURCES/0004-systemd-drop-ncat-dependency.patch

@@ -0,0 +1,101 @@
+From 8f0fcf2e7384ad757042e7e6a0850f655eb70b7e Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 18 Nov 2021 16:45:58 -0300
+Subject: [PATCH 4/4] systemd: drop ncat dependency
+
+When using systemd, i.e., clevis-luks-askpass, we use ncat to send
+the decrypted password to the systemd socket as per systemd's password
+agents specification [1].
+
+However, systemd itself has a utility that does exactly that,
+systemd-reply-password.
+
+In this commit we drop the ncat dependency and instead use
+systemd-reply-password in clevis-luks-askpass.
+
+[1] https://systemd.io/PASSWORD_AGENTS/
+---
+ ...is-luks-askpass => clevis-luks-askpass.in} |  2 +-
+ .../systemd/dracut/clevis/module-setup.sh.in  |  4 ++--
+ src/luks/systemd/meson.build                  | 19 +++++++++++++++++--
+ 3 files changed, 20 insertions(+), 5 deletions(-)
+ rename src/luks/systemd/{clevis-luks-askpass => clevis-luks-askpass.in} (97%)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass b/src/luks/systemd/clevis-luks-askpass.in
+similarity index 97%
+rename from src/luks/systemd/clevis-luks-askpass
+rename to src/luks/systemd/clevis-luks-askpass.in
+index f19671f..a6699c9 100755
+--- a/src/luks/systemd/clevis-luks-askpass
++++ b/src/luks/systemd/clevis-luks-askpass.in
+@@ -58,7 +58,7 @@ while true; do
+         fi
+ 
+         uuid="$(cryptsetup luksUUID "${d}")"
+-        if ! printf '+%s' "${pt}" | ncat -U -u --send-only "${s}"; then
++        if ! printf '%s' "${pt}" | @SYSTEMD_REPLY_PASS@ 1 "${s}"; then
+             echo "Unable to unlock ${d} (UUID=${uuid}) with recovered passphrase" >&2
+             continue
+         fi
+diff --git a/src/luks/systemd/dracut/clevis/module-setup.sh.in b/src/luks/systemd/dracut/clevis/module-setup.sh.in
+index ebf969f..d46c6e2 100755
+--- a/src/luks/systemd/dracut/clevis/module-setup.sh.in
++++ b/src/luks/systemd/dracut/clevis/module-setup.sh.in
+@@ -36,6 +36,7 @@ install() {
+ 
+     inst_multiple \
+         /etc/services \
++        @SYSTEMD_REPLY_PASS@ \
+         @libexecdir@/clevis-luks-askpass \
+         clevis-luks-common-functions \
+         grep sed cut \
+@@ -45,8 +46,7 @@ install() {
+         luksmeta \
+         clevis \
+         mktemp \
+-        jose \
+-        ncat
++        jose
+ 
+     dracut_need_initqueue
+ }
+diff --git a/src/luks/systemd/meson.build b/src/luks/systemd/meson.build
+index 369e7f7..e3b3d91 100644
+--- a/src/luks/systemd/meson.build
++++ b/src/luks/systemd/meson.build
+@@ -1,6 +1,15 @@
+ systemd = dependency('systemd', required: false)
+ 
+-if systemd.found()
++sd_reply_pass = find_program(
++  join_paths(get_option('prefix'), get_option('libdir'), 'systemd', 'systemd-reply-password'),
++  join_paths(get_option('prefix'), 'lib', 'systemd', 'systemd-reply-password'),
++  join_paths('/', 'usr', get_option('libdir'), 'systemd', 'systemd-reply-password'),
++  join_paths('/', 'usr', 'lib', 'systemd', 'systemd-reply-password'),
++  required: false
++)
++
++if systemd.found() and sd_reply_pass.found()
++  data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
+   subdir('dracut')
+ 
+   unitdir = systemd.get_pkgconfig_variable('systemdsystemunitdir')
+@@ -12,8 +21,14 @@ if systemd.found()
+     configuration: data,
+   )
+ 
++  configure_file(
++    input: 'clevis-luks-askpass.in',
++    output: 'clevis-luks-askpass',
++    install_dir: libexecdir,
++    configuration: data
++  )
++
+   install_data('clevis-luks-askpass.path', install_dir: unitdir)
+-  install_data('clevis-luks-askpass', install_dir: libexecdir)
+ else
+   warning('Will not install systemd support due to missing dependencies!')
+ endif
+-- 
+2.33.1
+

SOURCES/0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch

@@ -0,0 +1,26 @@
+From da17589f0706b27690a11484165fd58dea1a5eb1 Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 25 Nov 2021 19:18:03 -0300
+Subject: [PATCH 5/5] Stop sending stderr to the void when decryption doesn't
+ happen
+
+---
+ src/luks/clevis-luks-common-functions | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 879ca4c..df8e16d 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -323,7 +323,7 @@ clevis_luks_unlock_device_by_slot() {
+         return 1
+     fi
+ 
+-    if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt 2>/dev/null)" \
++    if ! passphrase="$(printf '%s' "${jwe}" | clevis decrypt)" \
+                        || [ -z "${passphrase}" ]; then
+         return 1
+     fi
+-- 
+2.33.1
+

SOURCES/0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch

@@ -0,0 +1,45 @@
+From af10e0fb8cb63d9c3a429b7efa293fe2fe0e2767 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+ <1163635+rmetrich@users.noreply.github.com>
+Date: Wed, 1 Dec 2021 09:37:35 -0300
+Subject: [PATCH 6/6] luks: enable debugging in clevis scripts when rd.debug is
+ set (#340)
+
+On Fedora/RHEL, the rd.debug kernel command line parameter controls
+debugging.
+By implementing the functionality inside clevis, troubleshooting will be
+greatly eased.
+See RHBZ #1980742 (https://bugzilla.redhat.com/show_bug.cgi?id=1980742).
+---
+ src/luks/clevis-luks-common-functions | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index df8e16d..67ece72 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -20,6 +20,21 @@
+ 
+ CLEVIS_UUID="cb6e8904-81ff-40da-a84a-07ab9ab5715e"
+ 
++enable_debugging() {
++    # Automatically enable debugging if in initramfs phase and rd.debug
++    if [ -e /usr/lib/dracut-lib.sh ]; then
++        local bashopts=$-
++        # Because dracut is loosely written, disable hardening options temporarily
++        [[ $bashopts != *u* ]] || set +u
++        [[ $bashopts != *e* ]] || set +e
++        . /usr/lib/dracut-lib.sh
++        [[ $bashopts != *u* ]] || set -u
++        [[ $bashopts != *e* ]] || set -e
++    fi
++}
++
++enable_debugging
++
+ # valid_slot() will check whether a given slot is possibly valid, i.e., if it
+ # is a numeric value within the specified range.
+ valid_slot() {
+-- 
+2.33.1
+

SOURCES/0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch

@@ -0,0 +1,83 @@
+From ea5db9fdfaa92d2a3ec2446313dcaa00db57a0cc Mon Sep 17 00:00:00 2001
+From: Renaud Metrich <rmetrich@redhat.com>
+Date: Fri, 7 Jan 2022 12:13:03 -0300
+Subject: [PATCH 7/7] luks: explicitly specify pbkdf iterations to cryptsetup
+
+This fixes an Out of memory error when the system has not much memory,
+such as a VM configured with 2GB currently being installed through the
+network (hence having ~1GB free memory only).
+See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
+---
+ src/luks/clevis-luks-bind.in          | 7 +++++--
+ src/luks/clevis-luks-common-functions | 7 ++++++-
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/src/luks/clevis-luks-bind.in b/src/luks/clevis-luks-bind.in
+index 4748c08..017f762 100755
+--- a/src/luks/clevis-luks-bind.in
++++ b/src/luks/clevis-luks-bind.in
+@@ -169,7 +169,9 @@ if ! cryptsetup luksOpen --test-passphrase "${DEV}" \
+     exit 1
+ fi
+ 
++pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ if [ "$luks_type" == "luks1" ]; then
++    pbkdf_args=
+     # In certain circumstances, we may have LUKSMeta slots "not in sync" with
+     # cryptsetup, which means we will try to save LUKSMeta metadata over an
+     # already used or partially used slot -- github issue #70.
+@@ -184,7 +186,7 @@ fi
+ 
+ # Add the new key.
+ if [ -n "$SLT" ]; then
+-    cryptsetup luksAddKey --key-slot "$SLT" --key-file \
++    cryptsetup luksAddKey ${pbkdf_args} --key-slot "$SLT" --key-file \
+         <(echo -n "$existing_key") "$DEV"
+ else
+     if [ $luks_type == "luks2" ]; then
+@@ -194,7 +196,8 @@ else
+         readarray -t usedSlotsBeforeAddKey < <(cryptsetup luksDump "${DEV}" \
+             | sed -rn 's|^Key Slot ([0-7]): ENABLED$|\1|p')
+     fi
+-    cryptsetup luksAddKey --key-file <(echo -n "${existing_key}") "$DEV"
++    cryptsetup luksAddKey ${pbkdf_args} \
++        --key-file <(echo -n "${existing_key}") "$DEV"
+ fi < <(echo -n "${key}")
+ if [ $? -ne 0 ]; then
+     echo "Error while adding new key to LUKS header!" >&2
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 67ece72..038cc37 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -760,10 +760,12 @@ clevis_luks_add_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+                                          --key-slot "${SLT}" \
+                                          "${DEV}" \
++                                         ${pbkdf_args} \
+                                          ${extra_args}
+ }
+ 
+@@ -792,11 +794,14 @@ clevis_luks_update_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     if [ -n "${in_place}" ]; then
+         printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
+                                             --key-slot "${SLT}" \
+-                                            --batch-mode ${extra_args}
++                                            --batch-mode \
++                                            ${pbkdf_args} \
++                                            ${extra_args}
+         return
+     fi
+ 
+-- 
+2.33.1
+

SOURCES/0008-tang-dump-url-on-error-communication.patch

@@ -0,0 +1,16 @@
+--- clevis-15-ori/src/pins/tang/clevis-decrypt-tang	2020-10-28 19:55:47.673228700 +0100
++++ clevis-15/src/pins/tang/clevis-decrypt-tang	2022-01-21 10:37:40.327825491 +0100
+@@ -73,10 +73,10 @@
+ 
+ xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
+ 
+-url="$url/rec/$kid"
++rec_url="$url/rec/$kid"
+ ct="Content-Type: application/jwk+json"
+-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
+-    echo "Error communicating with the server!" >&2
++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
++    echo "Error communicating with the server $url" >&2
+     exit 1
+ fi
+ 

SOURCES/0009-feat-rename-the-test-pin-to-null-pin.patch

@@ -0,0 +1,213 @@
+From 87d690e41621878f70a3f6f3305dd23746d1b857 Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@linux.com>
+Date: Wed, 1 Dec 2021 14:17:53 +0100
+Subject: [PATCH 9/9] feat: rename the test pin to null pin
+
+Signed-off-by: Antonio Murdaca <runcom@linux.com>
+---
+ src/initramfs-tools/hooks/clevis.in           |  1 +
+ .../dracut/clevis-pin-null/meson.build        | 14 ++++++++++
+ .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
+ src/luks/systemd/dracut/meson.build           |  1 +
+ ...levis-decrypt-test => clevis-decrypt-null} |  4 +--
+ ...levis-encrypt-test => clevis-encrypt-null} |  4 +--
+ src/pins/sss/meson.build                      |  5 +++-
+ src/pins/sss/{pin-test => pin-null}           |  4 +--
+ src/pins/sss/pin-sss                          | 12 ++++----
+ 9 files changed, 60 insertions(+), 13 deletions(-)
+ create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
+ create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+ rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
+ rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
+ rename src/pins/sss/{pin-test => pin-null} (53%)
+
+diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
+index cc3b492..448ba96 100755
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -58,6 +58,7 @@ fi
+ 
+ copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
+ copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
+ copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
+ copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
+ copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
+diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
+new file mode 100644
+index 0000000..107e3ba
+--- /dev/null
++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
+@@ -0,0 +1,14 @@
++dracut = dependency('dracut', required: false)
++
++if dracut.found()
++  dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
++
++  configure_file(
++    input: 'module-setup.sh.in',
++    output: 'module-setup.sh',
++    install_dir: dracutdir,
++    configuration: data,
++  )
++else
++  warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
++endif
+diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+new file mode 100755
+index 0000000..6a16078
+--- /dev/null
++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+@@ -0,0 +1,28 @@
++#!/bin/bash
++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2016 Red Hat, Inc.
++# Author: Nathaniel McCallum <npmccallum@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++depends() {
++    echo clevis
++    return 0
++}
++
++install() {
++    inst clevis-decrypt-null
++}
+diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
+index fdb264b..7ad5b14 100644
+--- a/src/luks/systemd/dracut/meson.build
++++ b/src/luks/systemd/dracut/meson.build
+@@ -2,3 +2,4 @@ subdir('clevis')
+ subdir('clevis-pin-tang')
+ subdir('clevis-pin-tpm2')
+ subdir('clevis-pin-sss')
++subdir('clevis-pin-null')
+diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
+similarity index 88%
+rename from src/pins/sss/clevis-decrypt-test
+rename to src/pins/sss/clevis-decrypt-null
+index f0e9249..a6217ed 100755
+--- a/src/pins/sss/clevis-decrypt-test
++++ b/src/pins/sss/clevis-decrypt-null
+@@ -22,11 +22,11 @@
+ 
+ read -r -d . hdr
+ 
+-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
+     echo "JWE pin mismatch!" >&2
+     exit 1
+ fi
+ 
+-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
+ 
+ exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
+diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
+similarity index 90%
+rename from src/pins/sss/clevis-encrypt-test
+rename to src/pins/sss/clevis-encrypt-null
+index bd2d6ec..af182a5 100755
+--- a/src/pins/sss/clevis-encrypt-test
++++ b/src/pins/sss/clevis-encrypt-null
+@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
+ fi
+ 
+ jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
+-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
+ 
+ if ! jose fmt -j "$cfg" -g fail -T; then
+-    jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
++    jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
+ fi
+ 
+ exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
+diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
+index 7f20eea..2a5295a 100644
+--- a/src/pins/sss/meson.build
++++ b/src/pins/sss/meson.build
+@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
+     separator: ':'
+   )
+ 
++  bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
++  bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
++
+   test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
+-  test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
++  test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
+ else
+   warning('Will not install sss pin due to missing dependencies!')
+ endif
+diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
+similarity index 53%
+rename from src/pins/sss/pin-test
+rename to src/pins/sss/pin-null
+index 50c8c67..b14ac63 100755
+--- a/src/pins/sss/pin-test
++++ b/src/pins/sss/pin-null
+@@ -2,9 +2,9 @@
+ 
+ trap 'exit' ERR
+ 
+-e="$(echo -n hi | clevis encrypt test '{}')"
++e="$(echo -n hi | clevis encrypt null '{}')"
+ d="$(echo -n "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
++e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
+ ! echo "$e" | clevis decrypt
+diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
+index 5c0b8cf..24da052 100755
+--- a/src/pins/sss/pin-sss
++++ b/src/pins/sss/pin-sss
+@@ -1,24 +1,24 @@
+ #!/bin/bash -ex
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+ ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
+-- 
+2.33.1
+

SOURCES/0010-avoid-clevis-invalid-msg.patch

@@ -0,0 +1,24 @@
+--- clevis-15.ori/src/clevis	2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/clevis	2022-06-22 11:06:27.061230653 +0200
+@@ -27,6 +27,7 @@
+ }
+ 
+ cmd=clevis
++input_commands="$cmd $@"
+ while [ $# -gt 0 ]; do
+     [[ "$1" =~ ^- ]] && break
+     cmd="$cmd-$1"
+@@ -36,8 +37,11 @@
+ done
+ 
+ exec >&2
+-echo
+-echo "Command '$cmd' is invalid"
++if [ "$cmd" != "clevis" ];
++then
++    echo
++    echo "Command '$input_commands' is invalid"
++fi
+ echo
+ echo "Usage: clevis COMMAND [OPTIONS]"
+ echo

SOURCES/0011-Improve-boot-performance-by-removing-key-check.patch

@@ -0,0 +1,53 @@
+From 51ae4f94a4955d9f06955ccd5a8b396b01c80d48 Mon Sep 17 00:00:00 2001
+From: Sergio Arroutbi <sarroutb@redhat.com>
+Date: Tue, 2 Aug 2022 11:07:00 -0300
+Subject: [PATCH] Improve boot performance by removing key check
+
+---
+ src/luks/clevis-luks-common-functions | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/src/luks/clevis-luks-common-functions b/src/luks/clevis-luks-common-functions
+index 038cc37..950f217 100644
+--- a/src/luks/clevis-luks-common-functions
++++ b/src/luks/clevis-luks-common-functions
+@@ -328,6 +328,7 @@ clevis_luks_check_valid_key_or_keyfile() {
+ clevis_luks_unlock_device_by_slot() {
+     local DEV="${1}"
+     local SLT="${2}"
++    local SKIP_CHECK="${3}"
+ 
+     [ -z "${DEV}" ] && return 1
+     [ -z "${SLT}" ] && return 1
+@@ -343,7 +344,9 @@ clevis_luks_unlock_device_by_slot() {
+         return 1
+     fi
+ 
+-    clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
++    if [ -z "${SKIP_CHECK}" ]; then
++        clevis_luks_check_valid_key_or_keyfile "${DEV}" "${passphrase}" || return 1
++    fi
+     printf '%s' "${passphrase}"
+ }
+ 
+@@ -351,6 +354,8 @@ clevis_luks_unlock_device_by_slot() {
+ # parameter and returns the decoded passphrase.
+ clevis_luks_unlock_device() {
+     local DEV="${1}"
++    local SKIP_CHECK="YES"
++
+     [ -z "${DEV}" ] && return 1
+ 
+     local used_slots
+@@ -361,7 +366,7 @@ clevis_luks_unlock_device() {
+ 
+     local slt pt
+     for slt in ${used_slots}; do
+-        if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}") \
++        if ! pt=$(clevis_luks_unlock_device_by_slot "${DEV}" "${slt}" "${SKIP_CHECK}") \
+                   || [ -z "${pt}" ]; then
+              continue
+         fi
+-- 
+2.35.1
+

SOURCES/0012-ignore-empty-and-comment-lines-in-crypttab.patch

@@ -0,0 +1,16 @@
+--- clevis-15.ori/src/luks/clevis-luks-common-functions	2023-01-11 11:11:03.050262054 +0100
++++ clevis-15/src/luks/clevis-luks-common-functions	2023-01-11 11:19:16.004358405 +0100
+@@ -413,7 +413,12 @@
+     clevis_devices=
+ 
+     # Build list of devices to unlock.
+-    while read -r _ crypt_device _; do
++    while read -r _volname_ crypt_device _; do
++        # skip empty lines and lines which begin with the '#' char, per
++        # crypttab(5)
++        case $_volname_ in
++            ''|\#*) continue ;;
++        esac
+         if ! dev=$(clevis_map_device "${crypt_device}") \
+                    || [ -z "${dev}" ]; then
+             # Unable to get the device - maybe it's not available, e.g. a

SOURCES/0013-luks-define-max-entropy-bits-for-pwmake.patch

@@ -0,0 +1,73 @@
+--- clevis-15.ori/src/clevis.1.adoc	2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/clevis.1.adoc	2023-01-11 17:18:29.967295005 +0100
+@@ -101,7 +101,7 @@
+ 
+ This command performs four steps:
+ 
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-bind.1.adoc	2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-bind.1.adoc	2023-01-11 17:18:55.239351209 +0100
+@@ -20,7 +20,7 @@
+ 
+ This command performs four steps:
+ 
+-1. Creates a new key with the same entropy as the LUKS master key.
++1. Creates a new key with the same entropy as the LUKS master key -- maximum entropy bits is 256.
+ 2. Encrypts the new key with Clevis.
+ 3. Stores the Clevis JWE in the LUKS header.
+ 4. Enables the new key for use with LUKS.
+--- clevis-15.ori/src/luks/clevis-luks-common-functions	2023-01-11 17:15:44.984928070 +0100
++++ clevis-15/src/luks/clevis-luks-common-functions	2023-01-11 17:20:53.238613637 +0100
+@@ -865,6 +865,7 @@
+     [ -z "${DEV}" ] && return 1
+ 
+     local dump filter bits
++    local MAX_ENTROPY_BITS=256
+     dump=$(cryptsetup luksDump "${DEV}")
+     if cryptsetup isLuks --type luks1 "${DEV}"; then
+         filter="$(echo "${dump}" | sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p')"
+@@ -876,6 +877,9 @@
+     fi
+ 
+     bits="$(echo -n "${filter}" | sort -n | tail -n 1)"
++    if [ "${bits}" -gt "${MAX_ENTROPY_BITS}" ]; then
++        bits="${MAX_ENTROPY_BITS}"
++    fi
+     pwmake "${bits}"
+ }
+
+--- clevis-15.ori/src/luks/clevis-luks-bind.in	2023-01-11 17:15:44.815927694 +0100
++++ clevis-15/src/luks/clevis-luks-bind.in	2023-01-12 16:20:30.266404993 +0100
+@@ -19,6 +19,8 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
+ 
++. clevis-luks-common-functions
++
+ SUMMARY="Binds a LUKS device using the specified policy"
+ UUID=cb6e8904-81ff-40da-a84a-07ab9ab5715e
+ 
+@@ -139,14 +141,11 @@
+ fi
+ 
+ # Generate a key with the same entropy as the LUKS Master Key
+-key="$(pwmake "$(
+-cryptsetup luksDump "$DEV" \
+-    | if [ "$luks_type" == "luks1" ]; then
+-        sed -rn 's|MK bits:[ \t]*([0-9]+)|\1|p'
+-    else
+-        sed -rn 's|^\s+Key:\s+([0-9]+) bits\s*$|\1|p'
+-    fi | sort -n | tail -n 1
+-)")"
++if ! key="$(clevis_luks_generate_key "${DEV}")" \
++     || [ -z "${key}" ]; then
++    echo "Unable to generate key for ${DEV}" >&2
++    return 1
++fi
+ 
+ # Encrypt the new key
+ jwe="$(echo -n "$key" | clevis encrypt "$PIN" "$CFG" "${YES}")"

SOURCES/0014-luks-edit-remove-unnecessary-redirection.patch

@@ -0,0 +1,11 @@
+--- clevis-15.ori/src/luks/clevis-luks-edit	2020-10-28 19:55:47.663228800 +0100
++++ clevis-15/src/luks/clevis-luks-edit	2023-01-16 12:03:14.006998399 +0100
+@@ -173,7 +173,7 @@
+ 
+ echo "Updating binding..."
+ if ! clevis_luks_do_bind "${DEV}" "${SLT}" "" "${pin}" "${new_cfg}" \
+-                         "-y" "overwrite" 2>/dev/null; then
++                         "-y" "overwrite"; then
+     echo "Unable to update binding in ${DEV}:${SLT}. Operation cancelled." >&2
+     exit 1
+ fi

SOURCES/0015-support-sha256-algorithm.patch

@@ -0,0 +1,219 @@
+--- clevis-15.ori/src/pins/tang/clevis-decrypt-tang	2023-05-23 11:29:59.717465656 +0200
++++ clevis-15/src/pins/tang/clevis-decrypt-tang	2023-05-23 11:49:02.950511503 +0200
+@@ -50,12 +50,30 @@
+     exit 1
+ fi
+ 
+-if ! srv="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "$jhd" \
+-        | jose jwk thp -i- -f "$kid")"; then
++if ! keys="$(jose fmt -j- -Og clevis -g tang -g adv -Oo- <<< "${jhd}")"; then
+     echo "JWE missing required 'clevis.tang.adv' header parameter!" >&2
+     exit 1
+ fi
+ 
++# Check if the thumbprint we have in `kid' is in the advertised keys.
++CLEVIS_DEFAULT_THP_ALG=S1        # SHA-1
++CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
++
++if ! srv="$(jose jwk thp -i- -f "${kid}" -a "${CLEVIS_DEFAULT_THP_ALG}" \
++            <<< "${keys}")"; then
++    # `kid' thumprint not in the advertised keys, but it's possible it was
++    # generated using a different algorithm than the default one.
++    # Let us try the alternative supported algorithms to make sure `kid'
++    # really is not part of the advertised keys.
++    for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
++        srv="$(jose jwk thp -i- -f "$kid" -a "${alg}" <<< "${keys}")" && break
++    done
++    if [ -z "${srv}" ]; then
++        echo "JWE header validation of 'clevis.tang.adv' failed: key thumbprint does not match" >&2
++        exit 1
++    fi
++fi
++
+ if ! url="$(jose fmt -j- -Og clevis -g tang -g url -Su- <<< "$jhd")"; then
+     echo "JWE missing required 'clevis.tang.url' header parameter!" >&2
+     exit 1
+--- clevis-15.ori/src/pins/tang/clevis-encrypt-tang	2020-10-28 19:55:47.673228700 +0100
++++ clevis-15/src/pins/tang/clevis-encrypt-tang	2023-05-23 15:15:18.440099403 +0200
+@@ -64,6 +64,9 @@
+     exit 1
+ fi
+ 
++CLEVIS_DEFAULT_THP_ALG=S1        # SHA-1
++CLEVIS_ALTERNATIVE_THP_ALGS=S256 # SHA-256
++
+ trust=
+ [ -n "${2}" ] && [ "${2}" == "-y" ] && trust=yes
+ 
+@@ -111,15 +114,24 @@
+     if [ -z "$thp" ]; then
+         echo "The advertisement contains the following signing keys:" >&2
+         echo >&2
+-        jose jwk thp -i- <<< "$ver" >&2
++	jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}" <<< "$ver" >&2
+         echo >&2
+         read -r -p "Do you wish to trust these keys? [ynYN] " ans < /dev/tty
+         [[ "$ans" =~ ^[yY]$ ]] || exit 1
+-
+     elif [ "$thp" != "any" ] && \
+-        ! jose jwk thp -i- -f "$thp" -o /dev/null <<< "$ver"; then
+-        echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
+-        exit 1
++        ! jose jwk thp -i- -f "${thp}" -o /dev/null -a "${CLEVIS_DEFAULT_THP_ALG}" \
++          <<< "$ver"; then
++        # Thumbprint of trusted JWK did not match the signature. Let's check
++        # alternative thumbprints generated with clevis supported hash
++        # algorithms to be sure.
++        for alg in ${CLEVIS_ALTERNATIVE_THP_ALGS}; do
++            srv="$(jose jwk thp -i- -f "${thp}" -a "${alg}" <<< "${ver}")" \
++                   && break
++        done
++        if [ -z "${srv}" ]; then
++            echo "Trusted JWK '$thp' did not sign the advertisement!" >&2
++            exit 1
++        fi
+     fi
+ fi
+ 
+@@ -138,7 +150,7 @@
+ 
+ jwk="$(jose fmt -j- -Od key_ops -o- <<< "$jwk")"
+ jwk="$(jose fmt -j- -Od alg -o- <<< "$jwk")"
+-kid="$(jose jwk thp -i- <<< "$jwk")"
++kid="$(jose jwk thp -i- -a "${CLEVIS_DEFAULT_THP_ALG}"  <<< "$jwk")"
+ jwe='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
+ jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)"
+ jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g tang -q "$url" -s url -UUUUo-)"
+--- clevis-15.ori/src/luks/tests/meson.build	2023-05-23 11:29:59.594464890 +0200
++++ clevis-15/src/luks/tests/meson.build	2023-05-23 12:00:10.811482757 +0200
+@@ -113,6 +113,7 @@
+     test('report-sss-luks2', find_program('report-sss-luks2'), env: env, timeout: 120)
+     test('edit-tang-luks2', find_program('edit-tang-luks2'), env: env, timeout: 210)
+     test('pass-tang-luks2', find_program('pass-tang-luks2'), env: env, timeout: 60)
++    test('default-thp-alg', find_program('default-thp-alg'), env: env)
+   endif
+ 
+ test('backup-restore-luks2', find_program('backup-restore-luks2'), env: env, timeout: 120)
+--- clevis-15.ori/src/luks/tests/default-thp-alg	1970-01-01 01:00:00.000000000 +0100
++++ clevis-15/src/luks/tests/default-thp-alg	2023-05-23 16:09:21.920385994 +0200
+@@ -0,0 +1,120 @@
++#!/bin/bash
++set -exo pipefail
++# vim: set ts=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2020 Red Hat, Inc.
++# Author: Sergio Correia <scorreia@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++
++
++. tests-common-functions
++
++TEST=$(basename "${0}")
++
++on_exit() {
++    exit_status=$?
++    tang_stop "${TMP}"
++    [ -d "${TMP}" ] && rm -rf "${TMP}"
++    exit "${exit_status}"
++}
++
++trap 'on_exit' EXIT
++
++TMP="$(mktemp -d)"
++
++port=$(get_random_port)
++tang_run "${TMP}" "${port}"
++
++url="http://localhost:${port}"
++data="just a sample text"
++
++adv="${TMP}/adv"
++# Get the advertisement and extract the keys.
++tang_get_adv "${port}" "${adv}"
++
++jwks="$(jose fmt --json="${adv}" --get payload --b64load --output=-)"
++enc="$(printf '%s' "${jwks}" | jose jwk use --input=- --required \
++       --use deriveKey --output=-)"
++
++jose fmt --json="${enc}" --get keys --array \
++      || enc="$(printf '{"keys": [%s]}' "${enc}")"
++
++jwk="$(jose fmt --json="${enc}" --get keys --array --foreach=- \
++       | jose fmt --json=- --delete key_ops --delete alg --output=-)"
++
++jwe_t='{"protected":{"alg":"ECDH-ES","enc":"A256GCM","clevis":{"pin":"tang","tang":{}}}}'
++jwe_t="$(jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --quote "${url}" --set url -UUUUo-)"
++jwe_t="$(printf '%s' "${jwks}" | jose fmt --json="${jwe_t}" --get protected --get clevis --get tang --json=- --set adv -UUUUo-)"
++
++# We currently support SHA-1 (legacy) and SHA-256.
++CLEVIS_SUPPORTED_THP_ALGS="S1 S256"
++# Now we will use every hash algorithm supported by jose to create a thumbprint
++# for `kid', then we do the encoding and verify clevis decrypt can decode it
++# correctly.
++for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
++    kid="$(printf '%s' "${jwk}" | jose jwk thp -a "${alg}" --input=-)"
++    jwe="$(jose fmt --json="${jwe_t}" --get protected --quote "${kid}" -s kid -UUo-)"
++
++    encoded=$(printf '%s%s' "${jwk}" "${data}" \
++              | jose jwe enc --input="${jwe}" --key=- --detached=- --compact)
++
++    if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
++        tang_error "${TEST}: decoding is expected to work (alg = ${alg})"
++    fi
++
++    if  [ "${decoded}" != "${data}" ]; then
++        tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
++    fi
++done
++
++# Now let's test encryption providing the thp in the configuration.
++data="just another test"
++for alg in ${CLEVIS_SUPPORTED_THP_ALGS}; do
++    thp="$(jose fmt --json="${adv}" -g payload -y -o- \
++           | jose jwk use -i- -r -u verify -o- \
++           | jose jwk thp -i- -a "${alg}")"
++    cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
++    if ! encoded=$(printf '%s' "${data}" | clevis encrypt tang "${cfg}"); then
++        tang_error "${TEST}: tang encryption should have succeeded when providing the thp (${thp}) with any supported algorithm (${alg})"
++    fi
++
++    if ! decoded="$(printf '%s' "${encoded}" | clevis decrypt)"; then
++        tang_error "${TEST}: decoding is expected to work (thp alg = ${alg})"
++    fi
++
++    if  [ "${decoded}" != "${data}" ]; then
++        tang_error "${TEST}: tang decrypt should have succeeded decoded[${decoded}] data[${data}] (alg = ${alg})"
++    fi
++done
++
++# Let's also try some unsupported thp hash algorithms.
++UNSUPPORTED="S224 S384 S512" # SHA-224, SHA-384, SHA-512.
++for alg in ${UNSUPPORTED}; do
++    thp="$(jose fmt --json="${adv}" -g payload -y -o- \
++           | jose jwk use -i- -r -u verify -o- \
++           | jose jwk thp -i- -a "${alg}")"
++    cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
++    if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
++        tang_error "${TEST}: tang encryption should have failed when providing the thp (${thp}) with an unsupported algorithm (${alg})"
++    fi
++done
++
++# Now let's try some bad values for thp.
++for thp in "" "foo" "invalid"; do
++    cfg="$(printf '{"url":"%s", "thp":"%s"}' "${url}" "${thp}")"
++    if echo foo | clevis encrypt tang "${cfg}" >/dev/null; then
++        tang_error "${TEST}: tang encryption expected to fail when providing a bad thp"
++    fi
++done

SPECS/clevis.spec

@@ -2,7 +2,7 @@
 
 Name:           clevis
 Version:        15
-Release:        2%{?dist}
+Release:        15%{?dist}
 Summary:        Automated decryption framework
 
 License:        GPLv3+
@@ -12,6 +12,18 @@ Source0:        https://github.com/latchset/%{name}/releases/download/v%{version
 Patch0001: 0001-Fixes-for-dealing-with-newer-tang-without-tangd-upda.patch
 Patch0002: 0002-Add-the-option-to-extract-luks-passphrase-used-for-b.patch
 Patch0003: 0003-systemd-account-for-unlocking-failures-in-clevis-luk.patch
+Patch0004: 0004-systemd-drop-ncat-dependency.patch
+Patch0005: 0005-Stop-sending-stderr-to-the-void-when-decryption-does.patch
+Patch0006: 0006-luks-enable-debugging-in-clevis-scripts-when-rd.debu.patch
+Patch0007: 0007-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
+Patch0008: 0008-tang-dump-url-on-error-communication.patch
+Patch0009: 0009-feat-rename-the-test-pin-to-null-pin.patch
+Patch0010: 0010-avoid-clevis-invalid-msg.patch
+Patch0011: 0011-Improve-boot-performance-by-removing-key-check.patch
+Patch0012: 0012-ignore-empty-and-comment-lines-in-crypttab.patch
+Patch0013: 0013-luks-define-max-entropy-bits-for-pwmake.patch
+Patch0014: 0014-luks-edit-remove-unnecessary-redirection.patch
+Patch0015: 0015-support-sha256-algorithm.patch
 
 BuildRequires:  git
 BuildRequires:  gcc
@@ -35,7 +47,7 @@ BuildRequires:  tang >= 6
 BuildRequires:  curl
 BuildRequires:  luksmeta
 BuildRequires:  cracklib-dicts
-Buildrequires:  jq
+BuildRequires:  jq
 BuildRequires:  diffutils
 BuildRequires:  expect
 BuildRequires:  openssl
@@ -47,6 +59,7 @@ Requires:       jose >= 8
 Requires:       curl
 Requires:       jq
 Requires(pre):  shadow-utils
+Requires(post): systemd
 
 %description
 Clevis is a framework for automated decryption. It allows you to encrypt
@@ -86,7 +99,6 @@ Requires:       systemd%{?_isa} >= 236
 %endif
 %endif
 %endif
-Requires:       nc
 
 %description systemd
 Automatically unlocks clevis-bound LUKS block devices during boot.
@@ -133,16 +145,8 @@ if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
 fi
 exit 0
 
-%posttrans
-# In case clevis-luks-askpass is enabled, make sure it's using the
-# correct target, which changed in v14.
-[ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0
-find /etc/systemd/system/ -name "clevis-luks-askpass*" \
-     | grep -q cryptsetup.target.wants && exit 0
-
-find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} +
-systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || :
-exit 0
+%post systemd
+systemctl preset %{name}-luks-askpass.path >/dev/null 2>&1 || :
 
 %files
 %license COPYING
@@ -150,10 +154,12 @@ exit 0
 %{_bindir}/%{name}-decrypt-tang
 %{_bindir}/%{name}-decrypt-tpm2
 %{_bindir}/%{name}-decrypt-sss
+%{_bindir}/%{name}-decrypt-null
 %{_bindir}/%{name}-decrypt
 %{_bindir}/%{name}-encrypt-tang
 %{_bindir}/%{name}-encrypt-tpm2
 %{_bindir}/%{name}-encrypt-sss
+%{_bindir}/%{name}-encrypt-null
 %{_bindir}/%{name}
 %{_mandir}/man1/%{name}-encrypt-tang.1*
 %{_mandir}/man1/%{name}-encrypt-tpm2.1*
@@ -188,6 +194,7 @@ exit 0
 
 %files dracut
 %{_prefix}/lib/dracut/modules.d/60%{name}
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang
 %{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2
@@ -197,6 +204,58 @@ exit 0
 %attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
 
 %changelog
+* Tue May 23 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-15
+- Include SHA-256 thumbprints clevis support
+  Resolves: rhbz#2209058
+
+* Mon Jan 16 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-14
+- luks-edit: remove unnecessary 2>/dev/null
+  Resolves: rhbz#2159739
+
+* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-13
+- luks: define max entropy bits for pwmake
+  Resolves: rhbz#2159736
+
+* Wed Jan 11 2023 Sergio Arroutbi <sarroutb@redhat.com> - 15-12
+- Ignore empty & comment lines in crypttab
+  Resolves: rhbz#2159440
+
+* Tue Aug 02 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-11
+- Start clevis-luks-askpass.path service according to global policy
+  Resolves: rhbz#2107081
+
+* Thu Jul 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-10
+- Improve boot performance by removing key check
+  Resolves: rhbz#2099748
+
+* Wed Jun 22 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-9
+- Avoid invalid message for clevis command
+  Resolves: rhbz#2099325
+
+* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 15-8
+- Support a null pin
+  Resolves: rhbz#2028096
+
+* Fri Jan 21 2022 Sergio Arroutbi <sarroutb@redhat.com> - 15-7
+- Dump server information on server error communication
+  Resolves: rhbz#2020193
+
+* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 15-6
+- Explicitly specify pbkdf iterations to cryptsetup
+  Resolves: rhbz#1979256
+
+* Wed Dec 01 2021 Sergio Correia <scorreia@redhat.com> - 15-5
+- Enable debugging in clevis scripts when rd.debug is set
+  Resolves: rhbz#1980742
+
+* Thu Nov 25 2021 Sergio Correia <scorreia@redhat.com> - 15-4
+- Stop sending stderr to the void when decryption doesn't happen
+  Resolves: rhbz#1976880
+
+* Thu Nov 18 2021 Sergio Correia <scorreia@redhat.com> - 15-3
+- Drop ncat dependency
+  Resolves: rhbz#1949289
+
 * Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 15-2
 - Account for unlocking failures in clevis-luks-askpass
   Resolves: rhbz#2018292