From a7cf835927a6aafd55dffc0a0482d5fc2b701ff1 Mon Sep 17 00:00:00 2001 From: Sergio Correia Date: Thu, 7 Jul 2022 12:34:15 -0300 Subject: [PATCH] Updating for Keylime release v6.4.2 - Remove keylime-webapp and mark package as obsolete - Configure tmpfiles.d - Move common python dependencies to python3-keylime - Change dependency from python3-gnupg to python3-gpg - Use sysusers.d for handling user creation --- .gitignore | 1 + keylime.spec | 113 ++++++++++++----------------------------------- keylime.sysusers | 2 + sources | 2 +- 4 files changed, 32 insertions(+), 86 deletions(-) create mode 100644 keylime.sysusers diff --git a/.gitignore b/.gitignore index 8bf2b16..dcc89b6 100644 --- a/.gitignore +++ b/.gitignore @@ -16,3 +16,4 @@ /v6.3.2.tar.gz /v6.4.0.tar.gz /v6.4.1.tar.gz +/v6.4.2.tar.gz diff --git a/keylime.spec b/keylime.spec index 005f27e..5d74100 100644 --- a/keylime.spec +++ b/keylime.spec @@ -1,7 +1,7 @@ %global srcname keylime Name: keylime -Version: 6.4.1 +Version: 6.4.2 Release: %autorelease Summary: Open source TPM software for Bootstrapping and Maintaining Trust @@ -9,6 +9,7 @@ BuildArch: noarch URL: https://github.com/keylime/keylime Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz +Source1: %{srcname}.sysusers # Main program: BSD # Icons: MIT @@ -27,9 +28,11 @@ Requires: %{srcname}-base = %{version}-%{release} Requires: %{srcname}-verifier = %{version}-%{release} Requires: %{srcname}-registrar = %{version}-%{release} Requires: %{srcname}-tenant = %{version}-%{release} -Requires: %{srcname}-webapp = %{version}-%{release} Requires: %{srcname}-tools = %{version}-%{release} +# webapp was removed upstream in release 6.4.2. +Obsoletes: %{srcname}-webapp < 6.4.2 + # Agent. Requires: keylime-agent Suggests: python3-%{srcname}-agent 
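Review bot: The `# Icons: MIT` license-breakdown comment kept as context in the `@@ -9,6 +9,7 @@` hunk looks stale once the `%files base` hunk further down drops `keylime/static/icons/ICON-LICENSE` along with the webapp; if the icons are no longer shipped, that comment and, should it still read `BSD and MIT`, the `License:` tag (outside this diff) ought to be revisited so the metadata matches what is packaged. The new `Source1: %{srcname}.sysusers` is consumed by `%sysusers_create_compat` in `%pre base`, a macro provided by systemd-rpm-macros, so that package needs to be in BuildRequires if it is not already (the BuildRequires block is not visible here). A short comment next to the line, such as `# sysusers.d fragment creating the keylime user; consumed by %pre base`, would help the next reader place it.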
@@ -69,6 +72,15 @@ Conflicts: keylime < 6.3.0-3 Requires: %{srcname}-base = %{version}-%{release} %{?python_provide:%python_provide python3-%{srcname}} +Requires: python3-tornado +Requires: python3-sqlalchemy +Requires: python3-alembic +Requires: python3-cryptography +Requires: python3-pyyaml +Requires: python3-packaging +Requires: python3-requests +Requires: python3-gpg +Requires: python3-lark-parser %description -n python3-%{srcname} The python3-keylime module implements the functionality used @@ -84,18 +96,6 @@ Conflicts: keylime < 6.3.0-3 Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} -Requires: python3-tornado -Requires: python3-sqlalchemy -Requires: python3-alembic -Requires: python3-cryptography -Requires: python3-pyyaml -Requires: python3-packaging -Requires: python3-requests -Requires: python3-zmq -Requires: python3-gnupg -Requires: python3-lark-parser - - %description verifier The Keylime Verifier continuously verifies the integrity state of the machine that the agent is running on. @@ -110,18 +110,6 @@ Conflicts: keylime < 6.3.0-3 Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} -Requires: python3-tornado -Requires: python3-sqlalchemy -Requires: python3-alembic -Requires: python3-cryptography -Requires: python3-pyyaml -Requires: python3-packaging -Requires: python3-requests -Requires: python3-zmq -Requires: python3-gnupg -Requires: python3-lark-parser - - %description registrar The Keylime Registrar is a database of all agents registered with Keylime and hosts the public keys of the TPM vendors. 
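Review bot: `python3-zmq` is dropped from the verifier and registrar `Requires` in the two hunks that follow on this line but is not added to the consolidated python3-keylime list in this hunk, so after this change only the agent subpackage (see the agent hunk on the next line) still pulls in zmq. If the shared library's revocation-notifier code still imports `zmq` on the verifier side — I cannot see the 6.4.2 sources from here — the verifier would install cleanly but fail at import time; worth confirming against the upstream requirements and, if so, adding `Requires: python3-zmq` to python3-keylime rather than to the agent alone. The swap from python3-gnupg to python3-gpg changes the Python module from `gnupg` to `gpg`, so I take it to track an upstream import change in 6.4.2 rather than a name mix-up; a one-line comment above it, `# upstream switched from python-gnupg to the gpgme bindings in 6.4.2`, would make that explicit.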
@@ -135,22 +123,13 @@ Conflicts: keylime < 6.3.0-3 Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} +Requires: python3-psutil +Requires: python3-zmq # Virtual Provides to support swapping between Python and Rust implementation. Provides: keylime-agent Conflicts: keylime-agent -Requires: python3-psutil -Requires: python3-tornado -Requires: python3-cryptography -Requires: python3-pyyaml -Requires: python3-packaging -Requires: python3-requests -Requires: python3-zmq -Requires: python3-gnupg -Requires: python3-lark-parser - - %description -n python3-%{srcname}-agent The Keylime Agent is deployed to the remote machine that is to be measured or provisioned with secrets stored within an encrypted @@ -170,31 +149,6 @@ Requires: python3-%{srcname} = %{version}-%{release} %description tenant The Keylime Tenant can be used to provision a Keylime Agent. -%package webapp -Summary: The Python Keylime WebApp GUI -License: MIT - -# Conflicts with the monolithic versions of the package, before the split. -Conflicts: keylime < 6.3.0-3 - -Requires: %{srcname}-base = %{version}-%{release} -Requires: python3-%{srcname} = %{version}-%{release} - -Requires: python3-tornado -Requires: python3-cryptography -Requires: python3-pyyaml -Requires: python3-packaging -Requires: python3-requests -Requires: python3-zmq -Requires: python3-gnupg - -# Conflicts with the monolithic versions of the package, before the split. -Conflicts: keylime < 6.3.0-3 - - -%description webapp -The Keylime WebApp GUI interface can be used to provision a Keylime Agent. - %package tools Summary: Keylime tools License: MIT 
@@ -205,17 +159,8 @@ Conflicts: keylime < 6.3.0-3 Requires: %{srcname}-base = %{version}-%{release} Requires: python3-%{srcname} = %{version}-%{release} -Requires: python3-tornado -Requires: python3-cryptography -Requires: python3-pyyaml -Requires: python3-packaging -Requires: python3-requests -Requires: python3-zmq -Requires: python3-gnupg - - %description tools -The keylime tools package includes tools like the IMA emulator. +The keylime tools package includes miscelaneous tools. %prep %autosetup -S git -n %{srcname}-%{version} @@ -248,15 +193,15 @@ install -Dpm 644 ./services/%{srcname}_registrar.service \ cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/ +install -p -d %{buildroot}/%{_tmpfilesdir} +cat > %{buildroot}/%{_tmpfilesdir}/%{srcname}.conf << EOF +d %{_rundir}/%{srcname} 0700 %{srcname} %{srcname} - +EOF + +install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/%{srcname}.conf + %pre base -getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null -getent passwd %{srcname} >/dev/null || \ - useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \ - -c "Keylime agent unprivileged user" %{srcname} &>/dev/null -# Add keylime user to tss group. -if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then - usermod -a -G tss %{srcname} &>/dev/null -fi +%sysusers_create_compat %{SOURCE1} exit 0 %posttrans base @@ -319,10 +264,6 @@ exit 0 %license LICENSE %{_bindir}/%{srcname}_tenant -%files webapp -%license LICENSE -%{_bindir}/%{srcname}_webapp - %files -n python3-%{srcname} %license LICENSE %{python3_sitelib}/%{srcname}-*.egg-info/ 
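Review bot: The rewritten `%description tools` line in the `@@ -205,17 +159,8 @@` hunk misspells "miscellaneous"; it should read `The keylime tools package includes miscelaneous tools.` with the spelling corrected to `miscellaneous`. Since the previous wording named the IMA emulator, naming what the subpackage now ships would also help users decide whether they need it, if that is known.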
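Review bot: Replacing the scriptlet with `%sysusers_create_compat %{SOURCE1}` drops the `getent group tss` guard: the old code only added keylime to `tss` when that group already existed, whereas the `m keylime tss` line in the new keylime.sysusers hunk on the next line creates the group if it is missing, per sysusers.d(5). On a host where the tss group's owning package is installed later, `tss` would then already exist with an arbitrary system GID rather than the one that package expects, so it is worth either depending on the package that owns the tss group or documenting the ordering assumption in keylime.sysusers. The tmpfiles.d entry generated by the heredoc restates the `%attr(700,…) %dir %{_rundir}/%{srcname}` ownership in `%files base`, which is consistent; a comment before it such as `# Recreate the runtime dir on boot (tmpfs); mode and owner match %files base` would make the duplication intentional rather than accidental.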
@@ -333,12 +274,14 @@ exit 0 %{_bindir}/%{srcname}_userdata_encrypt %files base -%license LICENSE keylime/static/icons/ICON-LICENSE +%license LICENSE %doc README.md %config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf %attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname} %attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname} %attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname} +%{_tmpfilesdir}/%{srcname}.conf +%{_sysusersdir}/%{srcname}.conf %files %license LICENSE diff --git a/keylime.sysusers b/keylime.sysusers new file mode 100644 index 0000000..4979d46 --- /dev/null +++ b/keylime.sysusers @@ -0,0 +1,2 @@ +u keylime - "Keylime unprivileged user" /var/lib/keylime /usr/sbin/nologin +m keylime tss diff --git a/sources b/sources index 9c77940..e890003 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (v6.4.1.tar.gz) = 1075eacb45f27df36e16e68b6486cfb32060c86ddbf0f40b28ab59ce4a76db183c65a8d76896fe49451b5b2ba84be1b39e758d42b943fd9ec66e659be2f1d89f +SHA512 (v6.4.2.tar.gz) = 7bc365b17b719c03aad76796f63c103de06c7c8a0ac1e9741cd0be460110d4da9d44c2caebb5eb1390f577d3a082d4a3d6a565bdccb46bd5c9ec060dae2bc161