.gitignore

@@ -1,3 +1,2 @@
-SOURCES/centosimarelease-9.der
-SOURCES/ima-evm-utils-1.6.2.tar.gz
-SOURCES/redhatimarelease-9.der
+SOURCES/ima-evm-utils-1.1.tar.gz
+SOURCES/ima-evm-utils-1.3.2.tar.gz

.ima-evm-utils.metadata

@@ -1,3 +1,2 @@
-61d5a223ff0c79189505abae77e0087c4b2d2b47 SOURCES/centosimarelease-9.der
-41095bb1d9ddeb166cdfb81338dc5d671f623f1c SOURCES/ima-evm-utils-1.6.2.tar.gz
-99e571f9de4188f3b5fdf1f84ff73f6cc4bb6a0e SOURCES/redhatimarelease-9.der
+58705b3544ae6e650042374dba535c0b3837b8fc SOURCES/ima-evm-utils-1.1.tar.gz
+034d163533ae5f9c06001b375ec7e5a1b09a3853 SOURCES/ima-evm-utils-1.3.2.tar.gz

SOURCES/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch

@@ -0,0 +1,38 @@
+From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001
+From: Patrick Uiterwijk <patrick@puiterwijk.org>
+Date: Wed, 6 Jan 2021 10:43:34 +0100
+Subject: [PATCH] Fix sign_hash not observing the hashalgo argument
+
+This fixes sign_hash not using the correct algorithm for creating the
+signature, by ensuring it uses the passed in variable value.
+
+Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
+---
+ src/libimaevm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index fa6c27858d0f..72d5e67f6fdd 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ 		return -1;
+ 	}
+ 
+-	log_info("hash(%s): ", imaevm_params.hash_algo);
++	log_info("hash(%s): ", algo);
+ 	log_dump(hash, size);
+ 
+ 	pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
+@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ 	if (!EVP_PKEY_sign_init(ctx))
+ 		goto err;
+ 	st = "EVP_get_digestbyname";
+-	if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
++	if (!(md = EVP_get_digestbyname(algo)))
+ 		goto err;
+ 	st = "EVP_PKEY_CTX_set_signature_md";
+ 	if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
+-- 
+2.29.2
+

SOURCES/annocheck-opt-flag.patch

@@ -0,0 +1,19 @@
+diff --git a/configure.ac b/configure.ac
+index 6822f39..34e4a81 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n
+ #debug support - yes for a while
+ PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
+ if test $pkg_cv_enable_debug = yes; then
+-	CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe"
++	CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe"
+ else
+-	CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
++	CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer"
+ fi
+ 
+ # for gcov
+-- 
+2.14.4
+

SOURCES/covscan-memory-leaks.patch

@@ -0,0 +1,45 @@
+diff --git a/src/evmctl.c b/src/evmctl.c
+index 2ffee78..b80a1c9 100644
+--- a/src/evmctl.c
++++ b/src/evmctl.c
+@@ -1716,7 +1716,7 @@ static char *get_password(void)
+ 
+ 	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
+ 		perror("tcsetattr");
+-		return NULL;
++		goto get_pwd_err;
+ 	}
+ 
+ 	printf("PEM password: ");
+@@ -1725,10 +1725,14 @@ static char *get_password(void)
+ 	/* restore terminal */
+ 	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
+ 		perror("tcsetattr");
+-		return NULL;
++		goto get_pwd_err;
+ 	}
+ 
++	free(password);
+ 	return pwd;
++get_pwd_err:
++	free(password);
++	return NULL;
+ }
+ 
+ int main(int argc, char *argv[])
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index 6fa0ed4..39582f2 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles)
+ 		entry->next = public_keys;
+ 		public_keys = entry;
+ 	}
++
++	free(tmp_keyfiles);
+ }
+ 
+ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+-- 
+2.14.4
+

SOURCES/docbook-xsl-path.patch

@@ -0,0 +1,12 @@
+diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am
+--- ima-evm-utils-1.0-orig/Makefile.am	2015-07-30 15:28:53.000000000 -0300
++++ ima-evm-utils-1.0/Makefile.am	2017-11-20 16:20:04.245591165 -0200
+@@ -24,7 +24,7 @@ rpm: $(tarname)
+ 	rpmbuild -ba --nodeps $(SPEC)
+ 
+ # requires asciidoc, xslproc, docbook-xsl
+-MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl
++MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl
+ 
+ evmctl.1.html: README
+ 	@asciidoc -o $@ $<

SOURCES/dracut-98-integrity.conf

@@ -1 +0,0 @@
-add_dracutmodules+=" integrity "

SOURCES/ima-add-sigs.sh

@@ -1,141 +0,0 @@
-#!/bin/bash
-#
-# This script add IMA signatures to installed RPM package files
-usage() {
-	echo "Add IMA signatures to installed packages."
-	cat <<EOF
-usage: $0 [--package=PACKAGE_NAME|ALL] [--ima_cert=IMA_CERT_PATH] [--reinstall_threshold=NUM]
-
-       --package
-       By default, it will add IMA sigantures to all installed package files.
-       Or you can provide a package name to only add IMA signature for files of
-       specicifed package.
-
-       --reinstall_threshold
-       When there are >reinstall_threshold (=20 by default) packages in the RPM
-       DB missing IMA signatures, reinstalling the packages to add IMA
-       signatures to the packages.  By default, IMA sigatures will be obtained
-       from the RPM DB. However the RPM DB may not have the signatures. Dectect
-       this case by checking if there are >reinstall_threshold package missing
-       IMA signatures.
-
-       --ima_cert
-       With the signing IMA cert path specified, it will also try to verify the
-       added IMA signature.
-
-EOF
-	exit 1
-}
-
-for _opt in "$@"; do
-	case "$_opt" in
-	--reinstall_threshold=*)
-		reinstall_threshold=${_opt#*=}
-		;;
-	--package=*)
-		package=${_opt#*=}
-		;;
-	--ima_cert=*)
-		ima_cert=${_opt#*=}
-		;;
-	*)
-		[[ -n $1 ]] && usage
-		;;
-	esac
-done
-
-if [[ -z $package ]] || [[ $package == ALL ]]; then
-	package="--all"
-fi
-
-abort() {
-	echo "$1"
-	exit 1
-}
-
-get_system_ima_key() {
-	source /etc/os-release
-	local -A name_map=(['Fedora Linux']="fedora" ['Red Hat Enterprise Linux']="redhatimarelease" ['CentOS Stream']='centosimarelease')
-	local version_id
-	key_name=${name_map[$NAME]}
-	version_id=${VERSION_ID/.?/}
-
-	[[ $key_name == fedora ]] && name_suffix=-ima
-	key_path=/etc/keys/ima/${key_name}-${version_id}${name_suffix}.der
-	if [[ ! -e $key_path ]]; then
-		echo "Failed to get system IMA code verification key"
-		exit 1
-	fi
-
-	echo -n "$key_path"
-}
-
-# Add IMA signatures from RPM database
-add_from_rpm_db() {
-	if ! command -v setfattr &>/dev/null; then
-		abort "Please install attr"
-	fi
-
-	if [[ -e "$ima_cert" ]]; then
-		verify_ima_cert=$ima_cert
-	else
-		verify_ima_cert=$(get_system_ima_key)
-	fi
-
-	# use "|" as deliminator since it won't be used in a filename or signature
-	while IFS="|" read -r path sig; do
-		# [[ -z "$sig" ]] somehow doesn't work for some files that don't have IMA
-		# signatures. This may be a issue of rpm
-		if [[ "$sig" != "0"* ]]; then
-			continue
-		fi
-
-		# Skip directory, soft links, non-existent files and vfat fs
-		if [[ -d "$path" || -L "$path" || ! -f "$path" || "$path" == "/boot/efi/EFI/"* ]]; then
-			continue
-		fi
-
-		# Skip some files that are created on the fly
-		if [[ $path == "/usr/share/mime/"* || $path == "/etc/pki/ca-trust/extracted/"* ]]; then
-			continue
-		fi
-
-		if ! setfattr -n security.ima "$path" -v "0x$sig"; then
-			echo "Failed to add IMA sig for $path"
-		fi
-
-		if ! evmctl ima_verify -k "$verify_ima_cert" "$path" &>/dev/null; then
-			setfattr -x security.ima "$path"
-			# When ima_cert is set, shows the verfication result for users
-			[[ -e "$ima_cert" ]] && "Failed to verify $path"
-			continue
-		fi
-
-	done < <(rpm -q --queryformat "[%{FILENAMES}|%{FILESIGNATURES}\n]" "$package")
-}
-
-# Add IMA signatures by reinstalling all packages
-add_by_reinstall() {
-	[[ $package == "--all" ]] && package='*'
-	dnf reinstall "$package" -yq >/dev/null
-}
-
-if [[ -z $reinstall_threshold ]]; then
-	if [[ $package == "--all" ]]; then
-		reinstall_threshold=20
-	else
-		if ! rpm -q --quiet "$package"; then
-			dnf install "$package" -yq >/dev/null
-			exit 0
-		fi
-		reinstall_threshold=1
-	fi
-fi
-
-unsigned_packages_in_rpm_db=$(rpm -q --queryformat "%{SIGPGP:pgpsig}\n" "$package" | grep -c "^(none)$")
-
-if [[ $unsigned_packages_in_rpm_db -ge $reinstall_threshold ]]; then
-	add_by_reinstall
-else
-	add_from_rpm_db
-fi

SOURCES/ima-setup.sh

@@ -1,145 +0,0 @@
-#!/bin/bash
-#
-# This script helps set up IMA.
-#
-IMA_SYSTEMD_POLICY=/etc/ima/ima-policy
-IMA_POLICY_SYSFS=/sys/kernel/security/ima/policy
-
-usage() {
-	echo "Set up IMA."
-	cat <<EOF
-usage: $0 --policy=IMA_POLICY_PATH [--reinstall_threshold=NUM]
-
-       --policy
-       The path of IMA policy to be loaded. Sample polices are inside
-       /usr/share/ima/policies or you can use your own IMA policy
-       The path of IMA policy to be loaded.  Sample polices are inside
-       /usr/share/ima/policies or you can use your own IMA policy
-
-       --reinstall_threshold
-       When there are >reinstall_threshold packages in the RPM DB missing IMA
-       signatures, reinstalling the packages to add IMA signatures to the
-       packages.  By default, IMA sigatures will be obtained from the RPM DB.
-       However the RPM DB may not have the signatures. Dectect this case by
-       checking if there are >reinstall_threshold package missing IMA
-       signatures.
-
-EOF
-	exit 1
-}
-
-for _opt in "$@"; do
-	case "$_opt" in
-	--policy=*)
-		ima_policy_path=${_opt#*=}
-		if [[ ! -e $ima_policy_path ]]; then
-			echo "$ima_policy_path doesn't exist"
-			exit 1
-		fi
-		;;
-	--reinstall_threshold=*)
-		reinstall_threshold=${_opt#*=}
-		;;
-	*)
-		usage
-		;;
-	esac
-done
-
-if [[ $# -eq 0 ]]; then
-	usage
-fi
-
-echo "Installing prerequisite package rpm-plugin-ima"
-if ! dnf install rpm-plugin-ima -yq; then
-	echo "Failed to install rpm-plugin-ima, abort"
-	exit 1
-fi
-
-# Add IMA signatures
-if test -f /run/ostree-booted; then
-	echo "You are using OSTree, please enable IMA signatures as part of the OSTree creation process."
-else
-	echo "Adding IMA signatures to installed package files"
-	if ! ima-add-sigs --reinstall_threshold="$reinstall_threshold"; then
-		echo "Failed to add IMA signatures, abort"
-		exit 1
-	fi
-fi
-
-load_ima_keys() {
-	local _key_loaded
-
-	if line=$(keyctl describe %keyring:.ima); then
-		_ima_id=${line%%:*}
-	else
-		echo "Failed to get ID of the .ima  keyring"
-		exit 1
-	fi
-
-	for i in /etc/keys/ima/*; do
-		if [ ! -f "${i}" ]; then
-			echo "No IMA key exist"
-			exit 1
-		fi
-
-		if ! evmctl import "${i}" "${_ima_id}" &>/dev/null; then
-			echo "Failed to load IMA key ${i}"
-		else
-			_key_loaded=yes
-		fi
-	done
-
-	if [[ $_key_loaded != yes ]]; then
-		echo "No IMA key loaded"
-		exit 1
-	fi
-}
-
-load_ima_policy() {
-	local ima_policy_path
-
-	ima_policy_path=$1
-
-	if ! test -f "$ima_policy_path"; then
-		echo "$ima_policy_path doesn't exist"
-		return 1
-	fi
-	if ! echo "$ima_policy_path" >"$IMA_POLICY_SYSFS"; then
-		echo "$ima_policy_path can't be loaded"
-		return 1
-	fi
-	# Let systemd load the IMA policy which will load LSM rules first so IMA
-	# policy containing rules like "appraise obj_type=ifconfig_exec_t" can be
-	# loaded
-	[[ -e /etc/ima ]] || mkdir -p /etc/ima/
-	if ! cp --preserve=xattr "$ima_policy_path" "$IMA_SYSTEMD_POLICY"; then
-		echo "Failed to copy $ima_policy_path to $IMA_SYSTEMD_POLICY"
-		return 1
-	fi
-}
-
-echo "Loading IMA keys"
-load_ima_keys
-
-# Include the dracut integrity module to load the IMA keys and policy
-# automatically when there is a system reboot
-if ! lsinitrd --mod | grep -q integrity; then
-	cp --preserve=xattr /usr/share/ima/dracut-98-integrity.conf /etc/dracut.conf.d/98-integrity.conf
-	echo "Rebuilding the initramfs of kernel-$(uname -r) to include the dracut integrity module"
-	dracut -f
-
-	if command -v grubby >/dev/null; then
-		_default_kernel=$(grubby --default-kernel | sed -En "s/.*vmlinuz-(.*)/\1/p")
-		if [[ $_default_kernel != $(uname -r) ]]; then
-			echo "Current kernel is not the default kernel ($_default_kernel), include dracut integrity for it as well"
-			dracut -f --kver "$_default_kernel"
-		fi
-	fi
-	[[ $(uname -m) == s390x ]] && zipl &> /dev/null
-fi
-
-if ! load_ima_policy "$ima_policy_path"; then
-	echo "Failed to load IMA policy $ima_policy_path!"
-	exit 1
-fi

SOURCES/libimaevm-keydesc-import.patch

@@ -0,0 +1,37 @@
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index 6fa0ed4..b6f9b9f 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
+ 	memcpy(keyid, sha1 + 12, 8);
+ 	log_debug("keyid: ");
+ 	log_debug_dump(keyid, 8);
++	id = __be64_to_cpup((__be64 *) keyid);
++	sprintf(str, "%llX", (unsigned long long)id);
+ 
+-	if (params.verbose > LOG_INFO) {
+-		id = __be64_to_cpup((__be64 *) keyid);
+-		sprintf(str, "%llX", (unsigned long long)id);
++	if (params.verbose > LOG_INFO)
+ 		log_info("keyid-v1: %s\n", str);
+-	}
+ }
+ 
+ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
+@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
+ 	memcpy(keyid, sha1 + 16, 4);
+ 	log_debug("keyid: ");
+ 	log_debug_dump(keyid, 4);
++	sprintf(str, "%x", __be32_to_cpup(keyid));
+ 
+-	if (params.verbose > LOG_INFO) {
+-		sprintf(str, "%x", __be32_to_cpup(keyid));
++	if (params.verbose > LOG_INFO)
+ 		log_info("keyid: %s\n", str);
+-	}
+ 
+ 	free(pkey);
+ }
+-- 
+2.19.1
+

SOURCES/policy-01-appraise-executable-and-lib-signatures

@@ -1,28 +0,0 @@
-# Skip some unsupported filesystems
-# This list of the filesystems can be found on
-# https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy
-# PROC_SUPER_MAGIC
-dont_appraise fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_appraise fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_appraise fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_appraise fsmagic=0x01021994
-# RAMFS_MAGIC
-dont_appraise fsmagic=0x858458f6
-# DEVPTS_SUPER_MAGIC
-dont_appraise fsmagic=0x1cd1
-# BINFMTFS_MAGIC
-dont_appraise fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_appraise fsmagic=0x73636673
-# SELINUX_MAGIC
-dont_appraise fsmagic=0xf97cff8c
-# CGROUP_SUPER_MAGIC
-dont_appraise fsmagic=0x27e0eb
-# NSFS_MAGIC
-dont_appraise fsmagic=0x6e736673
-
-appraise func=MMAP_CHECK mask=MAY_EXEC appraise_type=imasig
-appraise func=BPRM_CHECK appraise_type=imasig

SOURCES/policy-02-keylime-remote-attestation

@@ -1,37 +0,0 @@
-# PROC_SUPER_MAGIC
-dont_measure fsmagic=0x9fa0
-# SYSFS_MAGIC
-dont_measure fsmagic=0x62656572
-# DEBUGFS_MAGIC
-dont_measure fsmagic=0x64626720
-# TMPFS_MAGIC
-dont_measure fsmagic=0x01021994
-# DEVPTS_SUPER_MAGIC
-dont_measure fsmagic=0x1cd1
-# BINFMTFS_MAGIC
-dont_measure fsmagic=0x42494e4d
-# SECURITYFS_MAGIC
-dont_measure fsmagic=0x73636673
-# SELINUX_MAGIC
-dont_measure fsmagic=0xf97cff8c
-# SMACK_MAGIC
-dont_measure fsmagic=0x43415d53
-# CGROUP_SUPER_MAGIC
-dont_measure fsmagic=0x27e0eb
-# CGROUP2_SUPER_MAGIC
-dont_measure fsmagic=0x63677270
-# NSFS_MAGIC
-dont_measure fsmagic=0x6e736673
-# EFIVARFS_MAGIC
-dont_measure fsmagic=0xde5e81e4
-# OVERLAYFS_MAGIC
-# when containers are used we almost always want to ignore them
-dont_measure fsmagic=0x794c7630
-
-
-# Measure and log keys loaded onto the .ima keyring
-measure func=KEY_CHECK keyrings=.ima
-# Measure and log executables
-measure func=BPRM_CHECK
-# Measure and log shared libraries
-measure func=FILE_MMAP mask=MAY_EXEC

SOURCES/policy_list

@@ -1,2 +0,0 @@
-01-appraise-executable-and-lib-signatures
-02-keylime-remote-attestation

SPECS/ima-evm-utils.spec

@@ -1,34 +1,20 @@
-# If the soname gets bumped we need to ship a compat library to be able
-# to bootstrap and rebuild rpm else we end up with chicken and egg problem.
-%global bootstrap 0
-
-%if 0%{bootstrap}
-%global compat_soversion 4
-%endif
+%global compat_soversion 0
 
 Name:    ima-evm-utils
-Version: 1.6.2
-Release: 2%{?dist}
+Version: 1.3.2
+Release: 12%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url:     http://linux-ima.sourceforge.net/
-Source0:  https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
+Source:  http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
+Source10: ima-evm-utils-1.1.tar.gz
 
-# IMA setup tools
-Source2: dracut-98-integrity.conf
-Source3: ima-add-sigs.sh
-Source4: ima-setup.sh
-Source100: policy-01-appraise-executable-and-lib-signatures
-Source101: policy-02-keylime-remote-attestation
-Source200: policy_list
-Source300: redhatimarelease-9.der
-Source301: centosimarelease-9.der
-
-
-%if 0%{bootstrap}
-# compat source and patches
-Source10: ima-evm-utils-1.5.tar.gz
-%endif
+Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
+# compat patches
+Patch1: docbook-xsl-path.patch
+Patch2: covscan-memory-leaks.patch
+Patch3: annocheck-opt-flag.patch
+Patch4: libimaevm-keydesc-import.patch
 
 BuildRequires: asciidoc
 BuildRequires: autoconf
@@ -37,11 +23,12 @@ BuildRequires: gcc
 BuildRequires: keyutils-libs-devel
 BuildRequires: libtool
 BuildRequires: libxslt
-BuildRequires: make
 BuildRequires: openssl-devel
 BuildRequires: tpm2-tss-devel
-Requires: keyutils
-Requires: attr
+# compat requirement
+BuildRequires: libattr-devel
+
+#Requires: tpm2-tss
 
 %description
 The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
@@ -58,185 +45,102 @@ Requires: %{name} = %{version}-%{release}
 %description devel
 This package provides the header files for %{name}
 
+%package -n %{name}%{compat_soversion}
+Summary: Compatibility package of %{name}
+
+%description -n %{name}%{compat_soversion}
+This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1
+
 %prep
 %setup -q
-
-%if 0%{bootstrap}
+%patch0 -p1
 mkdir compat/
-pushd compat/
-tar -zxf %{SOURCE10} --strip-components=1
-popd
-%endif
+tar -zxf %{SOURCE10} --strip-components=1 -C compat/
+cd compat/
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
+# build compat version of the package
+pushd compat/
+autoreconf -vif
+%configure --disable-static
+%make_build
+popd
+
 autoreconf -vif
 %configure --disable-static
 %make_build
 
-%if 0%{bootstrap}
-pushd compat/
-autoreconf -vif
-%configure --disable-static --disable-engine
-%make_build
-popd
-%endif
-
 %install
 %make_install
-find %{buildroot} -type f -name "*.la" -print -delete
-
-%if 0%{bootstrap}
+find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete
+# install compat libs
 pushd compat/src/.libs/
 install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
 popd
-%endif
 
 %ldconfig_scriptlets
 
-# IMA setup tools
-install -D -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_datadir}/ima/dracut-98-integrity.conf
-
-mkdir -p -m 755 $RPM_BUILD_ROOT%{_datadir}/ima/policies
-while IFS= read -r policy_file
-do
-  install -m 644 %{_sourcedir}/policy-"$policy_file" $RPM_BUILD_ROOT%{_datadir}/ima/policies/"$policy_file"
-done < %{SOURCE200}
-
-install -D %{SOURCE3} $RPM_BUILD_ROOT%{_bindir}/ima-add-sigs
-install -D %{SOURCE4} $RPM_BUILD_ROOT%{_bindir}/ima-setup
-
-# IMA code-signing certs
-install -d -m 755 $RPM_BUILD_ROOT/etc/keys/ima
-install -m 644 %{SOURCE300} %{SOURCE301} $RPM_BUILD_ROOT/etc/keys/ima/
-
 %files
 %license COPYING
 %doc NEWS README AUTHORS
-%{_bindir}/evmctl
-%{_mandir}/man1/evmctl*
-
-# IMA setup tools
-%{_datadir}/ima/policies
-%{_datadir}/ima/dracut-98-integrity.conf
-%{_bindir}/ima-add-sigs
-%{_bindir}/ima-setup
-
+%{_bindir}/*
 # if you need to bump the soname version, coordinate with dependent packages
-%{_libdir}/libimaevm.so.5*
-%if 0%{bootstrap}
-%{_libdir}/libimaevm.so.%{compat_soversion}
-%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
-%endif
-
-# IMA code-signing certs
-/etc/keys/ima/*.der
+%{_libdir}/libimaevm.so.2
+%{_libdir}/libimaevm.so.2.0.0
+%{_mandir}/man1/*
 
 %files devel
 %{_pkgdocdir}/*.sh
-%{_includedir}/imaevm.h
+%{_includedir}/*
 %{_libdir}/libimaevm.so
 
+%files -n %{name}%{compat_soversion}
+%{_libdir}/libimaevm.so.%{compat_soversion}
+%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
+
 %changelog
-* Thu Jul 31 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-2
-- Verify IMA signature to make sure it's correct (RHEL-105471)
-- Drop old libimaevm.so.4 (RHEL-82797)
+* Thu Feb 18 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-12
+- Add compat subpackage for keeping the API stability in userspace
 
-* Mon Mar 10 2025 Coiby Xu <coxu@redhat.com> - 1.6.2-1
-- ima-setup: run zipl after building initramfs for s390x (RHEL-72293)
-- update to upstream 1.6.2 (RHEL-82793)
+* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-11
+- Bump release number for yet another rebuild
 
-* Wed Nov 13 2024 Coiby Xu <coxu@redhat.com> - 1.5-3
-- Skip unsupported file systems for sample appraisal rule (RHEL-62817)
+* Mon Jan 25 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-10
+- Add patch for fixing hash algorithm used through libimaevm
 
-* Fri Jun 07 2024 Coiby Xu <coxu@redhat.com> - 1.5-2
-- add some IMA setup tools (RHEL-33751)
+* Fri Jan 15 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-9
+- Add tpm2-tss as a runtime dependency
 
-* Tue Jun 04 2024 Coiby Xu <coxu@redhat.com> - 1.5-1
-- Disable compat build (RHEL-2969)
+* Sun Jan 10 2021 Michal Domonkos <mdomonko@redhat.com> - 1.3.2-8
+- Bump release number for yet another couple of rebuilds
 
-* Fri Apr 12 2024 Coiby Xu <coxu@redhat.com> - 1.5-0.1
-- Update to upstream 1.5 (RHEL-2969)
+* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-4
+- Bump release number for yet another build for solving wrong target usage
 
-* Mon Dec 13 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.4-4
-- Fix compat bcond_with value check.
+* Wed Jan 06 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-3
+- Bump release number for another build, handling build issues
 
-* Fri Dec 10 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.4-3
-- Remove compat subpkg from compose (rhbz#2026028)
+* Tue Dec 01 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-2
+- Bump release number for forcing a new build
 
-* Tue Dec 07 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.4-2
-- Add compat subpkg for helping building dependencies (rhbz#2026028)
+* Mon Nov 09 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
+- Rebase to upstream v1.3.2 version
+- Sync specfile with Fedora's version
 
-* Thu Dec 02 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.4-1
-- Modify some pieces to get closer to Fedora's specfile
-- Remove patch handling memory leak: solved in the rebase
-- Remove patch handling SHA-256 default hash: solved in the rebase
-- Rebase to upstream release v1.4 (rhbz#2026028)
+* Thu Mar 28 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-5
+- Add patch to correctly handle key description on keyring during importation
 
-* Fri Aug 20 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-9
-- Use upstream accepted patch for the memory leak
-- Make SHA-256 the default hash algorithm (rhbz#1934949)
+* Mon Oct 29 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-4
+- Solve a single memory leak not handled by the last patch
 
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.2-6
-- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Thu Jul 08 2021 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-5
-- Add patch fixing memory leak (rhbz#1938742)
-
-* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.2-4
-- Rebuilt for RHEL 9 BETA for openssl 3.0
-  Related: rhbz#1971065
-
-* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.3.2-3
-- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.2-2
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Wed Oct 28 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.2-1
-- Rebase to new upstream v1.3.2 minor release
-
-* Tue Aug 11 2020 Bruno Meneguele <bmeneg@redhat.com> - 1.3.1-1
-- Rebase to new upstream v1.3.1 minor release
-
-* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.3-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-2
-- Fix devel deps
-
-* Sun Jul 26 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 1.3-1
-- Update to 1.3
-- Use tpm2-tss instead of tss2
-- Minor spec cleanups
-
-* Mon Jul 13 2020 Tom Stellard <tstellar@redhat.com> - 1.2.1-4
-- Use make macros
-- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
-
-* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.2.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-2
-- Add pull request to correct lib soname version, wich was bumped to 1.0.0
-
-* Wed Jul 31 2019 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.2.1-1
-- Rebase to upstream v1.2.1
-- Remove both patches that were already solved in upstream version
-- Add runtime dependency of tss2 to retrieve PCR bank data from TPM2.0
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-6
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-5
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-
-* Fri Jul 20 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-4
-- Add patch to remove dependency from libattr-devel package
-
-* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.1-3
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Thu Oct 25 2018 Bruno E. O. Meneguele <bmeneg@redhat.com> - 1.1-3
+- Solve memory leaks pointed by covscan tool
+- Add optimization flag O2 during compilation to satisfy annocheck tool
 
 * Fri Mar 02 2018 Bruno E. O. Meneguele <brdeoliv@redhat.com> - 1.1-2
 - Remove libtool files