keylime/keylime.spec

%global srcname keylime

Name:    keylime
Version: 6.4.1
Release: %autorelease
Summary: Open source TPM software for Bootstrapping and Maintaining Trust

BuildArch:      noarch

URL:            https://github.com/keylime/keylime
Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz

# Main program: BSD
# Icons: MIT
License: ASL 2.0 and MIT

BuildRequires: git-core
BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros

Requires: python3-%{srcname} = %{version}-%{release}
Requires: %{srcname}-base = %{version}-%{release}
Requires: %{srcname}-verifier = %{version}-%{release}
Requires: %{srcname}-registrar = %{version}-%{release}
Requires: %{srcname}-tenant = %{version}-%{release}
Requires: %{srcname}-webapp = %{version}-%{release}
Requires: %{srcname}-tools = %{version}-%{release}

# Agent.
Requires: keylime-agent
Suggests: python3-%{srcname}-agent

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

%{?python_enable_dependency_generator}
%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.

%package base
Summary: The base package contains the default configuration
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires(pre): shadow-utils
Requires: efivar-libs
Requires: procps-ng
Requires: tpm2-tss
Requires: tpm2-tools


%description base
The base package contains the Keylime default configuration

%package -n python3-%{srcname}
Summary: The Python Keylime module
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
%{?python_provide:%python_provide python3-%{srcname}}


%description -n python3-%{srcname}
The python3-keylime module implements the functionality used
by Keylime components.

%package verifier
Summary: The Python Keylime Verifier component
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
Requires: python3-lark-parser


%description verifier
The Keylime Verifier continuously verifies the integrity state
of the machine that the agent is running on.

%package registrar
Summary: The Keylime Registrar component
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
Requires: python3-lark-parser


%description registrar
The Keylime Registrar is a database of all agents registered
with Keylime and hosts the public keys of the TPM vendors.

%package -n python3-%{srcname}-agent
Summary: The Python Keylime Agent
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

# Virtual Provides to support swapping between Python and Rust implementation.
Provides:  keylime-agent
Conflicts: keylime-agent

Requires: python3-psutil
Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
Requires: python3-lark-parser


%description -n python3-%{srcname}-agent
The Keylime Agent is deployed to the remote machine that is to be
measured or provisioned with secrets stored within an encrypted
payload released once trust is established.

%package tenant
Summary: The Python Keylime Tenant
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}


%description tenant
The Keylime Tenant can be used to provision a Keylime Agent.

%package webapp
Summary: The Python Keylime WebApp GUI
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3


%description webapp
The Keylime WebApp GUI interface can be used to provision a Keylime Agent.

%package tools
Summary: Keylime tools
License: MIT

# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg


%description tools
The keylime tools package includes tools like the IMA emulator.

%prep
%autosetup -S git -n %{srcname}-%{version}

%build
%py3_build

%install
%py3_install
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

# Setting up the agent to use keylime user/group.
sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
install -Dpm 600 %{srcname}.conf \
    %{buildroot}%{_sysconfdir}/%{srcname}.conf

install -Dpm 644 ./services/%{srcname}_agent.service \
    %{buildroot}%{_unitdir}/%{srcname}_agent.service

install -Dpm 644 ./services/%{srcname}_agent_secure.mount \
    %{buildroot}%{_unitdir}/%{srcname}_agent_secure.mount

install -Dpm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

install -Dpm 644 ./services/%{srcname}_registrar.service \
    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/

%pre base
getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null
getent passwd %{srcname} >/dev/null || \
     useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \
     -c "Keylime agent unprivileged user" %{srcname} &>/dev/null
# Add keylime user to tss group.
if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then
    usermod -a -G tss %{srcname} &>/dev/null
fi
exit 0

%posttrans base
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
    chmod 600 %{_sysconfdir}/%{srcname}.conf && \
    chown %{srcname} %{_sysconfdir}/%{srcname}.conf
[ -d %{_sharedstatedir}/%{srcname} ] && \
    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/
[ -d %{_localstatedir}/log/%{srcname} ] && \
    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/
exit 0

%post verifier
%systemd_post %{srcname}_verifier.service

%post registrar
%systemd_post %{srcname}_registrar.service

%post -n python3-%{srcname}-agent
%systemd_post %{srcname}_agent.service

%preun verifier
%systemd_preun %{srcname}_verifier.service

%preun registrar
%systemd_preun %{srcname}_registrar.service

%preun -n python3-%{srcname}-agent
%systemd_preun %{srcname}_agent.service

%postun verifier
%systemd_postun_with_restart %{srcname}_verifier.service

%postun registrar
%systemd_postun_with_restart %{srcname}_registrar.service

%postun -n python3-%{srcname}-agent
%systemd_postun_with_restart %{srcname}_agent.service

%files verifier
%license LICENSE
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_unitdir}/keylime_verifier.service

%files registrar
%license LICENSE
%{_bindir}/%{srcname}_registrar
%{_unitdir}/keylime_registrar.service

%files -n python3-%{srcname}-agent
%license LICENSE
%{_bindir}/%{srcname}_agent
%{_unitdir}/%{srcname}_agent.service
%{_unitdir}/%{srcname}_agent_secure.mount
%{_bindir}/%{srcname}_ima_emulator

%files tenant
%license LICENSE
%{_bindir}/%{srcname}_tenant

%files webapp
%license LICENSE
%{_bindir}/%{srcname}_webapp

%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}

%files tools
%license LICENSE
%{_bindir}/%{srcname}_userdata_encrypt

%files base
%license LICENSE keylime/static/icons/ICON-LICENSE
%doc README.md
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}

%files
%license LICENSE

%changelog
%autochangelog