import OL keylime-7.12.1-11.el10_1.3

.gitignore

@@ -1,2 +1,2 @@
-SOURCES/keylime-selinux-42.1.2.tar.gz
-SOURCES/v7.12.1.tar.gz
+keylime-selinux-42.1.2.tar.gz
+v7.12.1.tar.gz

.keylime.metadata

@@ -1,2 +0,0 @@
-36672155770ce6690e59d97764072f9629af716d SOURCES/keylime-selinux-42.1.2.tar.gz
-3db2aa10ee0a005bf5d0a1214cd08e2604da0429 SOURCES/v7.12.1.tar.gz

0002-mb-support-EV_EFI_HANDOFF_TABLES-events-on-PCR1.patch

@@ -1,7 +1,7 @@
-From d14e0a132cfedd081bffa7a990b9401d5e257cac Mon Sep 17 00:00:00 2001
+From 52944972182639a625599e29ebe65b91714a3a41 Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
 Date: Fri, 8 Aug 2025 16:40:01 +0100
-Subject: [PATCH 8/9] mb: support EV_EFI_HANDOFF_TABLES events on PCR1
+Subject: [PATCH 2/3] mb: support EV_EFI_HANDOFF_TABLES events on PCR1
 
 Allow EV_EFI_HANDOFF_TABLES events on PCR1 alongside the existing
 EV_EFI_HANDOFF_TABLES2 support to handle different firmware

0003-mb-support-vendor_db-as-logged-by-newer-shim-version.patch

@@ -1,7 +1,7 @@
-From 607b97ac8d414cb57b1ca89925631d41bd7ac04c Mon Sep 17 00:00:00 2001
+From 34bd283113f13c251114507315c647975beede2f Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
 Date: Fri, 8 Aug 2025 16:41:54 +0100
-Subject: [PATCH 9/9] mb: support vendor_db as logged by newer shim versions
+Subject: [PATCH 3/3] mb: support vendor_db as logged by newer shim versions
 
 - Updated example policy to properly handle different event structures
   for vendor_db validation:
@@ -199,10 +199,10 @@ index 23cafb9..c98e61d 100755
          **get_kernel(events, has_secureboot),
      }
 diff --git a/test/test_create_mb_policy.py b/test/test_create_mb_policy.py
-index b00d8e7..cd32bda 100644
+index eaed0e3..aa7a4b9 100644
 --- a/test/test_create_mb_policy.py
 +++ b/test/test_create_mb_policy.py
-@@ -364,6 +364,148 @@ class CreateMeasuredBootPolicy_Test(unittest.TestCase):
+@@ -362,6 +362,148 @@ class CreateMeasuredBootPolicy_Test(unittest.TestCase):
          for c in test_cases:
              self.assertDictEqual(create_mb_policy.get_mok(c["events"]), c["expected"])
  

0004-verifier-Gracefully-shutdown-on-signal.patch

@@ -1,7 +1,7 @@
-From 1b7191098ca3f6d72c6ad218564ae0938a87efd4 Mon Sep 17 00:00:00 2001
+From c530c332321c1daffa5bfcd08754179012dd21cc Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
-Date: Mon, 18 Aug 2025 12:22:55 +0000
-Subject: [PATCH 10/13] verifier: Gracefully shutdown on signal
+Date: Mon, 18 Aug 2025 12:12:16 +0000
+Subject: [PATCH 4/7] verifier: Gracefully shutdown on signal
 
 Wait for the processes to finish when interrupted by a signal.  Do not
 call exit(0) in the signal handler.

0005-revocations-Try-to-send-notifications-on-shutdown.patch

@@ -1,7 +1,7 @@
-From af9ac50f5acf1a7d4ad285956b60e60c3c4416b7 Mon Sep 17 00:00:00 2001
+From 565889ab6c90823a5096e39a58e9599fa49072f6 Mon Sep 17 00:00:00 2001
 From: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
 Date: Wed, 23 Jul 2025 15:39:49 +0200
-Subject: [PATCH 11/13] revocations: Try to send notifications on shutdown
+Subject: [PATCH 5/7] revocations: Try to send notifications on shutdown
 
 During verifier shutdown, try to send any pending revocation
 notification in a best-effort manner.  In future, the pending revocation

0006-requests_client-close-the-session-at-the-end-of-the-.patch

@@ -1,7 +1,7 @@
-From 5fb4484b07a7ba3fcdf451bf816b5f07a40d6d97 Mon Sep 17 00:00:00 2001
+From e6fb5090df3e35c7d44bc8f7f37d420d7ee8a05c Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
 Date: Wed, 4 Jun 2025 19:52:37 +0100
-Subject: [PATCH 12/13] requests_client: close the session at the end of the
+Subject: [PATCH 6/7] requests_client: close the session at the end of the
  resource manager
 
 We had an issue in the past in which the webhook worker would not

0007-tests-change-test_mba_parsing-to-not-need-keylime-in.patch

@@ -0,0 +1,91 @@
+From 39ea2efb72b383f729474a1583d4b8c097cf848a Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 6 Feb 2025 21:29:56 +0000
+Subject: [PATCH 07/10] tests: change test_mba_parsing to not need keylime
+ installed
+
+This test needs the verifier configuration file available, and on
+systems that do not have keylime installed (hence, no config file),
+it would fail.
+
+This commit changes the test so that it creates a verifier conf file
+in a temporary directory with default values, so that it can use it.
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ test/test_mba_parsing.py | 52 +++++++++++++++++++++++++++++-----------
+ 1 file changed, 38 insertions(+), 14 deletions(-)
+
+diff --git a/test/test_mba_parsing.py b/test/test_mba_parsing.py
+index 670a602..4ee4e3b 100644
+--- a/test/test_mba_parsing.py
++++ b/test/test_mba_parsing.py
+@@ -1,27 +1,51 @@
+ import os
++import tempfile
+ import unittest
++from configparser import RawConfigParser
+ 
++from keylime import config
++from keylime.cmd import convert_config
+ from keylime.common.algorithms import Hash
+ from keylime.mba import mba
+ 
++TEMPLATES_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "templates"))
++
+ 
+ class TestMBAParsing(unittest.TestCase):
+     def test_parse_bootlog(self):
+         """Test parsing binary measured boot event log"""
+-        mba.load_imports()
+-        # Use the file that triggered https://github.com/keylime/keylime/issues/1153
+-        mb_log_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "data/mb_log.b64"))
+-        with open(mb_log_path, encoding="utf-8") as f:
+-            # Read the base64 input and remove the newlines
+-            b64 = "".join(f.read().splitlines())
+-            pcr_hashes, boot_aggregates, measurement_data, failure = mba.bootlog_parse(b64, Hash.SHA256)
+-
+-            self.assertFalse(
+-                failure, f"Parsing of measured boot log failed with: {list(map(lambda x: x.context, failure.events))}"
+-            )
+-            self.assertTrue(isinstance(pcr_hashes, dict))
+-            self.assertTrue(isinstance(boot_aggregates, dict))
+-            self.assertTrue(isinstance(measurement_data, dict))
++        # This test requires the verifier configuration file, so let's create
++        # one with the default values to use, so that we do not depend on the
++        # configuration files existing in the test system.
++        with tempfile.TemporaryDirectory() as config_dir:
++            # Let's write the config file for the verifier.
++            verifier_config = convert_config.process_versions(["verifier"], TEMPLATES_DIR, RawConfigParser(), True)
++            convert_config.output(["verifier"], verifier_config, TEMPLATES_DIR, config_dir)
++
++            # As we want to use a config file from a different location, the
++            # proper way would be to define an environment variable for the
++            # module of interest, e.g. in our case it would be the
++            # KEYLIME_VERIFIER_CONFIG variable. However, the config module
++            # reads such env vars at first load, and there is no clean way
++            # to have it re-read them, so for this test we will override it
++            # manually.
++            config.CONFIG_ENV["verifier"] = os.path.abspath(os.path.join(config_dir, "verifier.conf"))
++
++            mba.load_imports()
++            # Use the file that triggered https://github.com/keylime/keylime/issues/1153
++            mb_log_path = os.path.abspath(os.path.join(os.path.dirname(__file__), "data/mb_log.b64"))
++            with open(mb_log_path, encoding="utf-8") as f:
++                # Read the base64 input and remove the newlines
++                b64 = "".join(f.read().splitlines())
++                pcr_hashes, boot_aggregates, measurement_data, failure = mba.bootlog_parse(b64, Hash.SHA256)
++
++                self.assertFalse(
++                    failure,
++                    f"Parsing of measured boot log failed with: {list(map(lambda x: x.context, failure.events))}",
++                )
++                self.assertTrue(isinstance(pcr_hashes, dict))
++                self.assertTrue(isinstance(boot_aggregates, dict))
++                self.assertTrue(isinstance(measurement_data, dict))
+ 
+ 
+ if __name__ == "__main__":
+-- 
+2.47.3
+

0008-tests-skip-measured-boot-related-tests-for-s390x-and.patch

@@ -1,7 +1,7 @@
-From 4e7cd6b75de27897ecc8e7329732cd945f7adfd0 Mon Sep 17 00:00:00 2001
+From 1496567e4b06f7a8eff9f758ea2e4e00ffa89f9b Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
-Date: Thu, 22 May 2025 18:27:04 +0100
-Subject: [PATCH 3/6] tests: skip measured-boot related tests for s390x and
+Date: Wed, 4 Jun 2025 07:28:54 +0100
+Subject: [PATCH 08/10] tests: skip measured-boot related tests for s390x and
  ppc64le
 
 Signed-off-by: Sergio Correia <scorreia@redhat.com>
@@ -11,7 +11,7 @@ Signed-off-by: Sergio Correia <scorreia@redhat.com>
  2 files changed, 4 insertions(+)
 
 diff --git a/test/test_create_mb_policy.py b/test/test_create_mb_policy.py
-index eaed0e3..b00d8e7 100644
+index aa7a4b9..cd32bda 100644
 --- a/test/test_create_mb_policy.py
 +++ b/test/test_create_mb_policy.py
 @@ -5,6 +5,7 @@ Copyright 2024 Red Hat, Inc.
@@ -31,16 +31,17 @@ index eaed0e3..b00d8e7 100644
      def test_event_to_sha256(self):
          test_cases = [
 diff --git a/test/test_mba_parsing.py b/test/test_mba_parsing.py
-index 670a602..e157116 100644
+index 4ee4e3b..82e6086 100644
 --- a/test/test_mba_parsing.py
 +++ b/test/test_mba_parsing.py
-@@ -1,10 +1,12 @@
+@@ -1,4 +1,5 @@
  import os
 +import platform
+ import tempfile
  import unittest
- 
- from keylime.common.algorithms import Hash
- from keylime.mba import mba
+ from configparser import RawConfigParser
+@@ -11,6 +12,7 @@ from keylime.mba import mba
+ TEMPLATES_DIR = os.path.abspath(os.path.join(os.path.dirname(__file__), "..", "templates"))
  
  
 +@unittest.skipIf(platform.machine() in ["ppc64le", "s390x"], "ppc64le and s390x are not supported")
@@ -48,5 +49,5 @@ index 670a602..e157116 100644
      def test_parse_bootlog(self):
          """Test parsing binary measured boot event log"""
 -- 
-2.47.1
+2.47.3
 

0009-tests-fix-rpm-repo-tests-from-create-runtime-policy.patch

@@ -1,7 +1,7 @@
-From 5c5c7f7f7180111485b24061af4c0395476958b5 Mon Sep 17 00:00:00 2001
+From be968fd54198042d2014ad63368b78e9d4609169 Mon Sep 17 00:00:00 2001
 From: Sergio Correia <scorreia@redhat.com>
 Date: Thu, 22 May 2025 11:25:15 -0400
-Subject: [PATCH 2/6] tests: fix rpm repo tests from create-runtime-policy
+Subject: [PATCH 09/10] tests: fix rpm repo tests from create-runtime-policy
 
 Signed-off-by: Sergio Correia <scorreia@redhat.com>
 ---
@@ -54,5 +54,5 @@ index 708438c..b62729b 100755
  }
  
 -- 
-2.47.1
+2.47.3
 

0012-keylime-policy-avoid-opening-dev-stdout.patch

@@ -0,0 +1,37 @@
+From e9a6615ea3ab60b9248377071ea2f5cc7b45dfda Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Thu, 28 Aug 2025 14:33:59 +0100
+Subject: [PATCH] policy/sign: use print() when writing to /dev/stdout
+
+Signed-off-by: Sergio Correia <scorreia@redhat.com>
+---
+ keylime/policy/sign_runtime_policy.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/keylime/policy/sign_runtime_policy.py b/keylime/policy/sign_runtime_policy.py
+index 87529065d..316ee15aa 100644
+--- a/keylime/policy/sign_runtime_policy.py
++++ b/keylime/policy/sign_runtime_policy.py
+@@ -2,6 +2,7 @@
+ 
+ import argparse
+ import json
++import sys
+ from json.decoder import JSONDecodeError
+ from typing import TYPE_CHECKING, Any, Optional
+ 
+@@ -191,8 +192,12 @@ def sign_runtime_policy(args: argparse.Namespace) -> Optional[str]:
+         return None
+ 
+     try:
+-        with open(args.output_file, "wb") as f:
+-            f.write(signed_policy.encode("UTF-8"))
++        if args.output_file == "/dev/stdout":
++            # Let's simply print to stdout the regular way.
++            print(signed_policy, file=sys.stdout)
++        else:
++            with open(args.output_file, "wb") as f:
++                f.write(signed_policy.encode("UTF-8"))
+     except Exception as exc:
+         logger.error("Unable to write signed policy to destination file '%s': %s", args.output_file, exc)
+         return None

SOURCES/0001-Make-keylime-compatible-with-python-3.9.patch

@@ -1,628 +0,0 @@
-From f7c32aec9c44a176124d982d942391ed3d50e846 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Tue, 3 Jun 2025 21:23:09 +0100
-Subject: [PATCH 1/6] Make keylime compatible with python 3.9
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
----
- keylime/ima/types.py                        | 33 ++++----
- keylime/models/base/basic_model.py          |  4 +-
- keylime/models/base/basic_model_meta.py     |  4 +-
- keylime/models/base/field.py                |  4 +-
- keylime/models/base/persistable_model.py    |  4 +-
- keylime/models/base/type.py                 |  4 +-
- keylime/models/base/types/base64_bytes.py   |  4 +-
- keylime/models/base/types/certificate.py    | 92 +++++++++++----------
- keylime/models/base/types/dictionary.py     |  4 +-
- keylime/models/base/types/one_of.py         |  6 +-
- keylime/models/registrar/registrar_agent.py | 31 +++----
- keylime/policy/create_runtime_policy.py     |  2 +-
- keylime/registrar_client.py                 |  8 +-
- keylime/web/base/action_handler.py          |  7 +-
- keylime/web/base/controller.py              | 78 ++++++++---------
- tox.ini                                     | 10 +++
- 16 files changed, 154 insertions(+), 141 deletions(-)
-
-diff --git a/keylime/ima/types.py b/keylime/ima/types.py
-index 99f0aa7..a0fffdf 100644
---- a/keylime/ima/types.py
-+++ b/keylime/ima/types.py
-@@ -6,11 +6,6 @@ if sys.version_info >= (3, 8):
- else:
-     from typing_extensions import Literal, TypedDict
- 
--if sys.version_info >= (3, 11):
--    from typing import NotRequired, Required
--else:
--    from typing_extensions import NotRequired, Required
--
- ### Types for tpm_dm.py
- 
- RuleAttributeType = Optional[Union[int, str, bool]]
-@@ -51,7 +46,7 @@ class Rule(TypedDict):
- 
- 
- class Policies(TypedDict):
--    version: Required[int]
-+    version: int
-     match_on: MatchKeyType
-     rules: Dict[str, Rule]
- 
-@@ -60,27 +55,27 @@ class Policies(TypedDict):
- 
- 
- class RPMetaType(TypedDict):
--    version: Required[int]
--    generator: NotRequired[int]
--    timestamp: NotRequired[str]
-+    version: int
-+    generator: int
-+    timestamp: str
- 
- 
- class RPImaType(TypedDict):
--    ignored_keyrings: Required[List[str]]
--    log_hash_alg: Required[Literal["sha1", "sha256", "sha384", "sha512"]]
-+    ignored_keyrings: List[str]
-+    log_hash_alg: Literal["sha1", "sha256", "sha384", "sha512"]
-     dm_policy: Optional[Policies]
- 
- 
- RuntimePolicyType = TypedDict(
-     "RuntimePolicyType",
-     {
--        "meta": Required[RPMetaType],
--        "release": NotRequired[int],
--        "digests": Required[Dict[str, List[str]]],
--        "excludes": Required[List[str]],
--        "keyrings": Required[Dict[str, List[str]]],
--        "ima": Required[RPImaType],
--        "ima-buf": Required[Dict[str, List[str]]],
--        "verification-keys": Required[str],
-+        "meta": RPMetaType,
-+        "release": int,
-+        "digests": Dict[str, List[str]],
-+        "excludes": List[str],
-+        "keyrings": Dict[str, List[str]],
-+        "ima": RPImaType,
-+        "ima-buf": Dict[str, List[str]],
-+        "verification-keys": str,
-     },
- )
-diff --git a/keylime/models/base/basic_model.py b/keylime/models/base/basic_model.py
-index 68a126e..6f5de83 100644
---- a/keylime/models/base/basic_model.py
-+++ b/keylime/models/base/basic_model.py
-@@ -407,7 +407,9 @@ class BasicModel(ABC, metaclass=BasicModelMeta):
-         if max and length > max:
-             self._add_error(field, msg or f"should be at most {length} {element_type}(s)")
- 
--    def validate_number(self, field: str, *expressions: tuple[str, int | float], msg: Optional[str] = None) -> None:
-+    def validate_number(
-+        self, field: str, *expressions: tuple[str, Union[int, float]], msg: Optional[str] = None
-+    ) -> None:
-         value = self.values.get(field)
- 
-         if not value:
-diff --git a/keylime/models/base/basic_model_meta.py b/keylime/models/base/basic_model_meta.py
-index 353e004..84617d4 100644
---- a/keylime/models/base/basic_model_meta.py
-+++ b/keylime/models/base/basic_model_meta.py
-@@ -1,6 +1,6 @@
- from abc import ABCMeta
- from types import MappingProxyType
--from typing import Any, Callable, Mapping, TypeAlias, Union
-+from typing import Any, Callable, Mapping, Union
- 
- from sqlalchemy.types import TypeEngine
- 
-@@ -40,7 +40,7 @@ class BasicModelMeta(ABCMeta):
- 
-     # pylint: disable=bad-staticmethod-argument, no-value-for-parameter, using-constant-test
- 
--    DeclaredFieldType: TypeAlias = Union[ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
-+    DeclaredFieldType = Union[ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
- 
-     @classmethod
-     def _is_model_class(mcs, cls: type) -> bool:  # type: ignore[reportSelfClassParameterName]
-diff --git a/keylime/models/base/field.py b/keylime/models/base/field.py
-index 7fb3dcb..d1e3bc3 100644
---- a/keylime/models/base/field.py
-+++ b/keylime/models/base/field.py
-@@ -1,6 +1,6 @@
- import re
- from inspect import isclass
--from typing import TYPE_CHECKING, Any, Optional, TypeAlias, Union
-+from typing import TYPE_CHECKING, Any, Optional, Union
- 
- from sqlalchemy.types import TypeEngine
- 
-@@ -23,7 +23,7 @@ class ModelField:
-     [2] https://docs.python.org/3/library/functions.html#property
-     """
- 
--    DeclaredFieldType: TypeAlias = Union[ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
-+    DeclaredFieldType = Union[ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
- 
-     FIELD_NAME_REGEX = re.compile(r"^[A-Za-z_]+[A-Za-z0-9_]*$")
- 
-diff --git a/keylime/models/base/persistable_model.py b/keylime/models/base/persistable_model.py
-index 18f7d0d..015d661 100644
---- a/keylime/models/base/persistable_model.py
-+++ b/keylime/models/base/persistable_model.py
-@@ -1,4 +1,4 @@
--from typing import Any, Mapping, Optional, Sequence
-+from typing import Any, Mapping, Optional, Sequence, Union
- 
- from keylime.models.base.basic_model import BasicModel
- from keylime.models.base.db import db_manager
-@@ -165,7 +165,7 @@ class PersistableModel(BasicModel, metaclass=PersistableModelMeta):
-         else:
-             return None
- 
--    def __init__(self, data: Optional[dict | object] = None, process_associations: bool = True) -> None:
-+    def __init__(self, data: Optional[Union[dict, object]] = None, process_associations: bool = True) -> None:
-         if isinstance(data, type(self).db_mapping):
-             super().__init__({}, process_associations)
-             self._init_from_mapping(data, process_associations)
-diff --git a/keylime/models/base/type.py b/keylime/models/base/type.py
-index 2520f72..e4d924c 100644
---- a/keylime/models/base/type.py
-+++ b/keylime/models/base/type.py
-@@ -1,7 +1,7 @@
- from decimal import Decimal
- from inspect import isclass
- from numbers import Real
--from typing import Any, TypeAlias, Union
-+from typing import Any, Union
- 
- from sqlalchemy.engine.interfaces import Dialect
- from sqlalchemy.types import TypeEngine
-@@ -99,7 +99,7 @@ class ModelType:
-     you should instead set ``_type_engine`` to ``None`` and override the ``get_db_type`` method.
-     """
- 
--    DeclaredTypeEngine: TypeAlias = Union[TypeEngine, type[TypeEngine]]
-+    DeclaredTypeEngine = Union[TypeEngine, type[TypeEngine]]
- 
-     def __init__(self, type_engine: DeclaredTypeEngine) -> None:
-         if isclass(type_engine) and issubclass(type_engine, TypeEngine):
-diff --git a/keylime/models/base/types/base64_bytes.py b/keylime/models/base/types/base64_bytes.py
-index b9b4b13..a1eeced 100644
---- a/keylime/models/base/types/base64_bytes.py
-+++ b/keylime/models/base/types/base64_bytes.py
-@@ -1,6 +1,6 @@
- import base64
- import binascii
--from typing import Optional, TypeAlias, Union
-+from typing import Optional, Union
- 
- from sqlalchemy.types import Text
- 
-@@ -62,7 +62,7 @@ class Base64Bytes(ModelType):
-         b64_str = Base64Bytes().cast("MIIE...")
-     """
- 
--    IncomingValue: TypeAlias = Union[bytes, str, None]
-+    IncomingValue = Union[bytes, str, None]
- 
-     def __init__(self) -> None:
-         super().__init__(Text)
-diff --git a/keylime/models/base/types/certificate.py b/keylime/models/base/types/certificate.py
-index 2c27603..0f03169 100644
---- a/keylime/models/base/types/certificate.py
-+++ b/keylime/models/base/types/certificate.py
-@@ -1,7 +1,7 @@
- import base64
- import binascii
- import io
--from typing import Optional, TypeAlias, Union
-+from typing import Optional, Union
- 
- import cryptography.x509
- from cryptography.hazmat.primitives.serialization import Encoding
-@@ -78,7 +78,7 @@ class Certificate(ModelType):
-         cert = Certificate().cast("-----BEGIN CERTIFICATE-----\nMIIE...")
-     """
- 
--    IncomingValue: TypeAlias = Union[cryptography.x509.Certificate, bytes, str, None]
-+    IncomingValue = Union[cryptography.x509.Certificate, bytes, str, None]
- 
-     def __init__(self) -> None:
-         super().__init__(Text)
-@@ -195,18 +195,19 @@ class Certificate(ModelType):
-         """
- 
-         try:
--            match self.infer_encoding(value):
--                case "decoded":
--                    return None
--                case "der":
--                    cryptography.x509.load_der_x509_certificate(value)  # type: ignore[reportArgumentType, arg-type]
--                case "pem":
--                    cryptography.x509.load_pem_x509_certificate(value)  # type: ignore[reportArgumentType, arg-type]
--                case "base64":
--                    der_value = base64.b64decode(value, validate=True)  # type: ignore[reportArgumentType, arg-type]
--                    cryptography.x509.load_der_x509_certificate(der_value)
--                case _:
--                    raise Exception
-+            encoding_inf = self.infer_encoding(value)
-+            if encoding_inf == "decoded":
-+                return None
-+
-+            if encoding_inf == "der":
-+                cryptography.x509.load_der_x509_certificate(value)  # type: ignore[reportArgumentType, arg-type]
-+            elif encoding_inf == "pem":
-+                cryptography.x509.load_pem_x509_certificate(value)  # type: ignore[reportArgumentType, arg-type]
-+            elif encoding_inf == "base64":
-+                der_value = base64.b64decode(value, validate=True)  # type: ignore[reportArgumentType, arg-type]
-+                cryptography.x509.load_der_x509_certificate(der_value)
-+            else:
-+                raise Exception
-         except Exception:
-             return False
- 
-@@ -227,37 +228,38 @@ class Certificate(ModelType):
-         if not value:
-             return None
- 
--        match self.infer_encoding(value):
--            case "decoded":
--                return value  # type: ignore[reportReturnType, return-value]
--            case "der":
--                try:
--                    return self._load_der_cert(value)  # type: ignore[reportArgumentType, arg-type]
--                except PyAsn1Error as err:
--                    raise ValueError(
--                        f"value cast to certificate appears DER encoded but cannot be deserialized as such: {value!r}"
--                    ) from err
--            case "pem":
--                try:
--                    return self._load_pem_cert(value)  # type: ignore[reportArgumentType, arg-type]
--                except PyAsn1Error as err:
--                    raise ValueError(
--                        f"value cast to certificate appears PEM encoded but cannot be deserialized as such: "
--                        f"'{str(value)}'"
--                    ) from err
--            case "base64":
--                try:
--                    return self._load_der_cert(base64.b64decode(value, validate=True))  # type: ignore[reportArgumentType, arg-type]
--                except (binascii.Error, PyAsn1Error) as err:
--                    raise ValueError(
--                        f"value cast to certificate appears Base64 encoded but cannot be deserialized as such: "
--                        f"'{str(value)}'"
--                    ) from err
--            case _:
--                raise TypeError(
--                    f"value cast to certificate is of type '{value.__class__.__name__}' but should be one of 'str', "
--                    f"'bytes' or 'cryptography.x509.Certificate': '{str(value)}'"
--                )
-+        encoding_inf = self.infer_encoding(value)
-+        if encoding_inf == "decoded":
-+            return value  # type: ignore[reportReturnType, return-value]
-+
-+        if encoding_inf == "der":
-+            try:
-+                return self._load_der_cert(value)  # type: ignore[reportArgumentType, arg-type]
-+            except PyAsn1Error as err:
-+                raise ValueError(
-+                    f"value cast to certificate appears DER encoded but cannot be deserialized as such: {value!r}"
-+                ) from err
-+        elif encoding_inf == "pem":
-+            try:
-+                return self._load_pem_cert(value)  # type: ignore[reportArgumentType, arg-type]
-+            except PyAsn1Error as err:
-+                raise ValueError(
-+                    f"value cast to certificate appears PEM encoded but cannot be deserialized as such: "
-+                    f"'{str(value)}'"
-+                ) from err
-+        elif encoding_inf == "base64":
-+            try:
-+                return self._load_der_cert(base64.b64decode(value, validate=True))  # type: ignore[reportArgumentType, arg-type]
-+            except (binascii.Error, PyAsn1Error) as err:
-+                raise ValueError(
-+                    f"value cast to certificate appears Base64 encoded but cannot be deserialized as such: "
-+                    f"'{str(value)}'"
-+                ) from err
-+        else:
-+            raise TypeError(
-+                f"value cast to certificate is of type '{value.__class__.__name__}' but should be one of 'str', "
-+                f"'bytes' or 'cryptography.x509.Certificate': '{str(value)}'"
-+            )
- 
-     def generate_error_msg(self, _value: IncomingValue) -> str:
-         return "must be a valid X.509 certificate in PEM format or otherwise encoded using Base64"
-diff --git a/keylime/models/base/types/dictionary.py b/keylime/models/base/types/dictionary.py
-index 7d9e811..d9ffec3 100644
---- a/keylime/models/base/types/dictionary.py
-+++ b/keylime/models/base/types/dictionary.py
-@@ -1,5 +1,5 @@
- import json
--from typing import Optional, TypeAlias, Union
-+from typing import Optional, Union
- 
- from sqlalchemy.types import Text
- 
-@@ -50,7 +50,7 @@ class Dictionary(ModelType):
-         kv_pairs = Dictionary().cast('{"key": "value"}')
-     """
- 
--    IncomingValue: TypeAlias = Union[dict, str, None]
-+    IncomingValue = Union[dict, str, None]
- 
-     def __init__(self) -> None:
-         super().__init__(Text)
-diff --git a/keylime/models/base/types/one_of.py b/keylime/models/base/types/one_of.py
-index 479d417..faf097d 100644
---- a/keylime/models/base/types/one_of.py
-+++ b/keylime/models/base/types/one_of.py
-@@ -1,6 +1,6 @@
- from collections import Counter
- from inspect import isclass
--from typing import Any, Optional, TypeAlias, Union
-+from typing import Any, Optional, Union
- 
- from sqlalchemy.engine.interfaces import Dialect
- from sqlalchemy.types import Float, Integer, String, TypeEngine
-@@ -65,8 +65,8 @@ class OneOf(ModelType):
-     incoming PEM value would not be cast to a certificate object and remain a string.
-     """
- 
--    Declaration: TypeAlias = Union[str, int, float, ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
--    PermittedList: TypeAlias = list[Union[str, int, float, ModelType]]
-+    Declaration = Union[str, int, float, ModelType, TypeEngine, type[ModelType], type[TypeEngine]]
-+    PermittedList = list[Union[str, int, float, ModelType]]
- 
-     def __init__(self, *args: Declaration) -> None:
-         # pylint: disable=super-init-not-called
-diff --git a/keylime/models/registrar/registrar_agent.py b/keylime/models/registrar/registrar_agent.py
-index 560c188..b232049 100644
---- a/keylime/models/registrar/registrar_agent.py
-+++ b/keylime/models/registrar/registrar_agent.py
-@@ -153,21 +153,22 @@ class RegistrarAgent(PersistableModel):
-         names = ", ".join(non_compliant_certs)
-         names = " and".join(names.rsplit(",", 1))
- 
--        match config.get("registrar", "malformed_cert_action"):
--            case "ignore":
--                return
--            case "reject":
--                logger.error(
--                    "Certificate(s) %s may not conform to strict ASN.1 DER encoding rules and were rejected due to "
--                    "config ('malformed_cert_action = reject')",
--                    names,
--                )
--            case _:
--                logger.warning(
--                    "Certificate(s) %s may not conform to strict ASN.1 DER encoding rules and were re-encoded before "
--                    "parsing by python-cryptography",
--                    names,
--                )
-+        cfg = config.get("registrar", "malformed_cert_action")
-+        if cfg == "ignore":
-+            return
-+
-+        if cfg == "reject":
-+            logger.error(
-+                "Certificate(s) %s may not conform to strict ASN.1 DER encoding rules and were rejected due to "
-+                "config ('malformed_cert_action = reject')",
-+                names,
-+            )
-+        else:
-+            logger.warning(
-+                "Certificate(s) %s may not conform to strict ASN.1 DER encoding rules and were re-encoded before "
-+                "parsing by python-cryptography",
-+                names,
-+            )
- 
-     def _bind_ak_to_iak(self, iak_attest, iak_sign):
-         # The ak-iak binding should only be verified when either aik_tpm or iak_tpm is changed
-diff --git a/keylime/policy/create_runtime_policy.py b/keylime/policy/create_runtime_policy.py
-index 6a412c4..8e1c687 100644
---- a/keylime/policy/create_runtime_policy.py
-+++ b/keylime/policy/create_runtime_policy.py
-@@ -972,7 +972,7 @@ def create_runtime_policy(args: argparse.Namespace) -> Optional[RuntimePolicyTyp
-                 )
-                 abort = True
-         else:
--            if a not in algorithms.Hash:
-+            if a not in set(algorithms.Hash):
-                 if a == SHA256_OR_SM3:
-                     algo = a
-                 else:
-diff --git a/keylime/registrar_client.py b/keylime/registrar_client.py
-index 705ff12..97fbc2a 100644
---- a/keylime/registrar_client.py
-+++ b/keylime/registrar_client.py
-@@ -13,12 +13,6 @@ if sys.version_info >= (3, 8):
- else:
-     from typing_extensions import TypedDict
- 
--if sys.version_info >= (3, 11):
--    from typing import NotRequired
--else:
--    from typing_extensions import NotRequired
--
--
- class RegistrarData(TypedDict):
-     ip: Optional[str]
-     port: Optional[str]
-@@ -27,7 +21,7 @@ class RegistrarData(TypedDict):
-     aik_tpm: str
-     ek_tpm: str
-     ekcert: Optional[str]
--    provider_keys: NotRequired[Dict[str, str]]
-+    provider_keys: Dict[str, str]
- 
- 
- logger = keylime_logging.init_logging("registrar_client")
-diff --git a/keylime/web/base/action_handler.py b/keylime/web/base/action_handler.py
-index b20de89..e7b5888 100644
---- a/keylime/web/base/action_handler.py
-+++ b/keylime/web/base/action_handler.py
-@@ -1,4 +1,5 @@
- import re
-+import sys
- import time
- import traceback
- from inspect import iscoroutinefunction
-@@ -48,7 +49,11 @@ class ActionHandler(RequestHandler):
- 
-         # Take the list of strings returned by format_exception, where each string ends in a newline and may contain
-         # internal newlines, and split the concatenation of all the strings by newline
--        message = "".join(traceback.format_exception(err))
-+        if sys.version_info < (3, 10):
-+            message = "".join(traceback.format_exception(err, None, None))
-+        else:
-+            message = "".join(traceback.format_exception(err))
-+
-         lines = message.split("\n")
- 
-         for line in lines:
-diff --git a/keylime/web/base/controller.py b/keylime/web/base/controller.py
-index f1ac3c5..153535e 100644
---- a/keylime/web/base/controller.py
-+++ b/keylime/web/base/controller.py
-@@ -2,7 +2,7 @@ import http.client
- import json
- import re
- from types import MappingProxyType
--from typing import TYPE_CHECKING, Any, Mapping, Optional, Sequence, TypeAlias, Union
-+from typing import TYPE_CHECKING, Any, Mapping, Optional, Sequence, Union
- 
- from tornado.escape import parse_qs_bytes
- from tornado.httputil import parse_body_arguments
-@@ -15,14 +15,16 @@ if TYPE_CHECKING:
-     from keylime.models.base.basic_model import BasicModel
-     from keylime.web.base.action_handler import ActionHandler
- 
--PathParams: TypeAlias = Mapping[str, str]
--QueryParams: TypeAlias = Mapping[str, str | Sequence[str]]
--MultipartParams: TypeAlias = Mapping[str, Union[str, bytes, Sequence[str | bytes]]]
--FormParams: TypeAlias = Union[QueryParams, MultipartParams]
--JSONConvertible: TypeAlias = Union[str, int, float, bool, None, "JSONObjectConvertible", "JSONArrayConvertible"]
--JSONObjectConvertible: TypeAlias = Mapping[str, JSONConvertible]
--JSONArrayConvertible: TypeAlias = Sequence[JSONConvertible]  # pyright: ignore[reportInvalidTypeForm]
--Params: TypeAlias = Mapping[str, Union[str, bytes, Sequence[str | bytes], JSONObjectConvertible, JSONArrayConvertible]]
-+PathParams = Mapping[str, str]
-+QueryParams = Mapping[str, Union[str, Sequence[str]]]
-+MultipartParams = Mapping[str, Union[str, bytes, Union[Sequence[str], Sequence[bytes]]]]
-+FormParams = Union[QueryParams, MultipartParams]
-+JSONConvertible = Union[str, int, float, bool, None, "JSONObjectConvertible", "JSONArrayConvertible"]
-+JSONObjectConvertible = Mapping[str, JSONConvertible]
-+JSONArrayConvertible = Sequence[JSONConvertible]  # pyright: ignore[reportInvalidTypeForm]
-+Params = Mapping[
-+    str, Union[str, bytes, Union[Sequence[str], Sequence[bytes]], JSONObjectConvertible, JSONArrayConvertible]
-+]
- 
- 
- class Controller:
-@@ -77,7 +79,7 @@ class Controller:
-     VERSION_REGEX = re.compile("^\\/v(\\d+)(?:\\.(\\d+))*")
- 
-     @staticmethod
--    def decode_url_query(query: str | bytes) -> QueryParams:
-+    def decode_url_query(query: Union[str, bytes]) -> QueryParams:
-         """Parses a binary query string (whether from a URL or HTTP body) into a dict of Unicode strings. If multiple
-         instances of the same key are present in the string, their values are collected into a list.
- 
-@@ -135,8 +137,8 @@ class Controller:
- 
-     @staticmethod
-     def prepare_http_body(
--        body: Union[str, JSONObjectConvertible | JSONArrayConvertible, Any], content_type: Optional[str] = None
--    ) -> tuple[Optional[bytes | Any], Optional[str]]:
-+        body: Union[str, Union[JSONObjectConvertible, JSONArrayConvertible], Any], content_type: Optional[str] = None
-+    ) -> tuple[Optional[Union[bytes, Any]], Optional[str]]:
-         """Prepares an object to be included in the body of an HTTP request or response and infers the appropriate
-         media type unless provided. ``body`` will be serialised into JSON if it contains a ``dict`` or ``list`` which is
-         serialisable unless a ``content_type`` other than ``"application/json"`` is provided.
-@@ -155,32 +157,34 @@ class Controller:
-         if content_type:
-             content_type = content_type.lower().strip()
- 
--        body_out: Optional[bytes | Any]
--        content_type_out: Optional[str]
--
--        match (body, content_type):
--            case (None, _):
--                body_out = None
--                content_type_out = content_type
--            case ("", _):
--                body_out = b""
--                content_type_out = "text/plain; charset=utf-8"
--            case (_, "text/plain"):
-+        body_out: Optional[bytes | Any] = None
-+        content_type_out: Optional[str] = None
-+
-+        if body is None:
-+            body_out = None
-+            content_type_out = content_type
-+        elif body == "":
-+            body_out = b""
-+            content_type_out = "text/plain; charset=utf-8"
-+        else:
-+            if content_type == "text/plain":
-                 body_out = str(body).encode("utf-8")
-                 content_type_out = "text/plain; charset=utf-8"
--            case (_, "application/json") if isinstance(body, str):
--                body_out = body.encode("utf-8")
--                content_type_out = "application/json"
--            case (_, "application/json"):
--                body_out = json.dumps(body, allow_nan=False, indent=4).encode("utf-8")
--                content_type_out = "application/json"
--            case (_, None) if isinstance(body, str):
--                body_out = body.encode("utf-8")
--                content_type_out = "text/plain; charset=utf-8"
--            case (_, None) if isinstance(body, (dict, list)):
--                body_out = json.dumps(body, allow_nan=False, indent=4).encode("utf-8")
--                content_type_out = "application/json"
--            case (_, _):
-+            elif content_type == "application/json":
-+                if isinstance(body, str):
-+                    body_out = body.encode("utf-8")
-+                    content_type_out = "application/json"
-+                else:
-+                    body_out = json.dumps(body, allow_nan=False, indent=4).encode("utf-8")
-+                    content_type_out = "application/json"
-+            elif content_type is None:
-+                if isinstance(body, str):
-+                    body_out = body.encode("utf-8")
-+                    content_type_out = "text/plain; charset=utf-8"
-+                elif isinstance(body, (dict, list)):
-+                    body_out = json.dumps(body, allow_nan=False, indent=4).encode("utf-8")
-+                    content_type_out = "application/json"
-+            else:
-                 body_out = body
-                 content_type_out = content_type
- 
-@@ -248,7 +252,7 @@ class Controller:
-         self,
-         code: int = 200,
-         status: Optional[str] = None,
--        data: Optional[JSONObjectConvertible | JSONArrayConvertible] = None,
-+        data: Optional[Union[JSONObjectConvertible, JSONArrayConvertible]] = None,
-     ) -> None:
-         """Converts a Python data structure to JSON and wraps it in the following boilerplate JSON object which is
-         returned by all v2 endpoints:
-diff --git a/tox.ini b/tox.ini
-index 031ac54..ce3974c 100644
---- a/tox.ini
-+++ b/tox.ini
-@@ -51,3 +51,13 @@ commands = black --diff ./keylime ./test
- deps =
-     isort
- commands = isort --diff --check ./keylime ./test
-+
-+
-+[testenv:pylint39]
-+basepython = python3.9
-+deps =
-+    -r{toxinidir}/requirements.txt
-+    -r{toxinidir}/test-requirements.txt
-+    pylint
-+commands = bash scripts/check_codestyle.sh
-+allowlist_externals = bash
--- 
-2.47.1
-

SOURCES/0004-templates-duplicate-str_to_version-in-the-adjust-scr.patch

@@ -1,52 +0,0 @@
-From 7ca86e1c0d68f45915d9f583ffaf149285905005 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Tue, 3 Jun 2025 10:50:48 +0100
-Subject: [PATCH 4/6] templates: duplicate str_to_version() in the adjust
- script
-
-As a follow-up of upstream PR#1486, duplicate the str_to_version()
-method in adjust.py so that we do not need the keylime modules in
-order for the configuration upgrade script to run.
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
----
- templates/2.0/adjust.py | 22 ++++++++++++++++++++--
- 1 file changed, 20 insertions(+), 2 deletions(-)
-
-diff --git a/templates/2.0/adjust.py b/templates/2.0/adjust.py
-index 6008e4c..24ba898 100644
---- a/templates/2.0/adjust.py
-+++ b/templates/2.0/adjust.py
-@@ -4,9 +4,27 @@ import logging
- import re
- from configparser import RawConfigParser
- from logging import Logger
--from typing import Dict, List, Optional, Tuple
-+from typing import Dict, Tuple, Union
- 
--from keylime.common.version import str_to_version
-+
-+def str_to_version(v_str: str) -> Union[Tuple[int, int], None]:
-+    """
-+    Validates the string format and converts the provided string to a tuple of
-+    ints which can be sorted and compared.
-+
-+    :returns: Tuple with version number parts converted to int. In case of
-+    invalid version string, returns None
-+    """
-+
-+    # Strip to remove eventual quotes and spaces
-+    v_str = v_str.strip('" ')
-+
-+    m = re.match(r"^(\d+)\.(\d+)$", v_str)
-+
-+    if not m:
-+        return None
-+
-+    return (int(m.group(1)), int(m.group(2)))
- 
- 
- def adjust(
--- 
-2.47.1
-

SOURCES/0005-Restore-RHEL-9-version-of-create_allowlist.sh.patch

@@ -1,404 +0,0 @@
-From c60460eccab93863dbd1fd0b748e5a275c8e6737 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Tue, 3 Jun 2025 21:29:15 +0100
-Subject: [PATCH 5/6] Restore RHEL-9 version of create_allowlist.sh
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
----
- scripts/create_runtime_policy.sh | 335 ++++++++++---------------------
- 1 file changed, 104 insertions(+), 231 deletions(-)
-
-diff --git a/scripts/create_runtime_policy.sh b/scripts/create_runtime_policy.sh
-index 90ba50b..c0b641d 100755
---- a/scripts/create_runtime_policy.sh
-+++ b/scripts/create_runtime_policy.sh
-@@ -1,282 +1,155 @@
--#!/usr/bin/env bash
-+#!/usr/bin/bash
- ################################################################################
- # SPDX-License-Identifier: Apache-2.0
- # Copyright 2017 Massachusetts Institute of Technology.
- ################################################################################
- 
--
--if [ $0 != "-bash" ] ; then
--    pushd `dirname "$0"` > /dev/null 2>&1
--fi
--KCRP_BASE_DIR=$(pwd)
--if [ $0 != "-bash" ] ; then
--    popd 2>&1 > /dev/null
--fi
--KCRP_BASE_DIR=$KCRP_BASE_DIR/..
--
--function detect_hash {
--    local hashstr=$1
--
--    case "${#hashstr}" in
--      32) hashalgo=md5sum ;;
--      40) hashalgo=sha1sum ;;
--      64) hashalgo=sha256sum ;;
--      128) hashalgo=sha512sum ;;
--      *) hashalgo="na";;
--    esac
--
--    echo $hashalgo
--}
--
--function announce {
--    # 1 - MESSAGE
--
--	MESSAGE=$(echo "${1}" | tr '\n' ' ')
--	MESSAGE=$(echo $MESSAGE | sed "s/\t\t*/ /g")
--
--	echo "==> $(date) - ${0} - $MESSAGE"
--}
--
--function valid_algo {
--        local algo=$1
--
--        [[ " ${ALGO_LIST[@]} " =~ " ${algo} " ]]
--}
--
- # Configure the installer here
- INITRAMFS_TOOLS_GIT=https://salsa.debian.org/kernel-team/initramfs-tools.git
- INITRAMFS_TOOLS_VER="master"
- 
--# All defaults
--ALGO=sha1sum
--WORK_DIR=/tmp/kcrp
--OUTPUT_DIR=${WORK_DIR}/output
--ALLOWLIST_DIR=${WORK_DIR}/allowlist
--INITRAMFS_LOC="/boot/"
--INITRAMFS_STAGING_DIR=${WORK_DIR}/ima_ramfs/
--INITRAMFS_TOOLS_DIR=${WORK_DIR}/initramfs-tools
--BOOT_AGGREGATE_LOC="/sys/kernel/security/ima/ascii_runtime_measurements"
--ROOTFS_LOC="/"
--EXCLUDE_LIST="none"
--SKIP_PATH="none"
--ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
-+WORKING_DIR=$(readlink -f "$0")
-+WORKING_DIR=$(dirname "$WORKING_DIR")
- 
- # Grabs Debian's initramfs_tools from Git repo if no other options exist
- if [[ ! `command -v unmkinitramfs` && ! -x "/usr/lib/dracut/skipcpio" ]] ; then
-     # Create temp dir for pulling in initramfs-tools
--    announce "INFO: Downloading initramfs-tools: $INITRAMFS_TOOLS_DIR"
-+    TMPDIR=`mktemp -d` || exit 1
-+    echo "INFO: Downloading initramfs-tools: $TMPDIR"
- 
--    mkdir -p $INITRAMFS_TOOLS_DIR
-     # Clone initramfs-tools repo
--    pushd $INITRAMFS_TOOLS_DIR > /dev/null 2>&1
--    git clone $INITRAMFS_TOOLS_GIT initramfs-tools > /dev/null 2>&1
--    pushd initramfs-tools > /dev/null 2>&1
--    git checkout $INITRAMFS_TOOLS_VER > /dev/null 2>&1
--    popd > /dev/null 2>&1
--    popd > /dev/null 2>&1
-+    pushd $TMPDIR
-+    git clone $INITRAMFS_TOOLS_GIT initramfs-tools
-+    pushd initramfs-tools
-+    git checkout $INITRAMFS_TOOLS_VER
-+    popd # $TMPDIR
-+    popd
- 
-     shopt -s expand_aliases
--    alias unmkinitramfs=$INITRAMFS_TOOLS_DIR/initramfs-tools/unmkinitramfs
--
--    which unmkinitramfs > /dev/null 2>&1 || exit 1
-+    alias unmkinitramfs=$TMPDIR/initramfs-tools/unmkinitramfs
- fi
- 
-+
- if [[ $EUID -ne 0 ]]; then
-     echo "This script must be run as root" 1>&2
-     exit 1
- fi
- 
--USAGE=$(cat <<-END
--    Usage: $0 -o/--output_file FILENAME [-a/--algo ALGO] [-x/--ramdisk-location PATH] [-y/--boot_aggregate-location PATH] [-z/--rootfs-location PATH] [-e/--exclude_list FILENAME] [-s/--skip-path PATH] [-h/--help]
-+if [ $# -lt 1 ]
-+then
-+    echo "No arguments provided" >&2
-+    echo "Usage:  `basename $0` -o [filename] -h [hash-algo]" >&2
-+    exit $NOARGS;
-+fi
- 
--    optional arguments:
--        -a/--algo                    (checksum algorithm to be used, default: $ALGO)
--        -x/--ramdisk-location        (path to initramdisk, default: $INITRAMFS_LOC, set to "none" to skip)
--        -y/--boot_aggregate-location (path for IMA log, used for boot aggregate extraction, default: $BOOT_AGGREGATE_LOC, set to "none" to skip)
--        -z/--rootfs-location         (path to root filesystem, default: $ROOTFS_LOC, cannot be skipped)
--        -e/--exclude_list            (filename containing a list of paths to be excluded (i.e., verifier will not try to match checksums, default: $EXCLUDE_LIST)
--        -s/--skip-path               (comma-separated path list, files found there will not have checksums calculated, default: $SKIP_PATH)
--        -h/--help                    (show this message and exit)
--END
--)
-+ALGO=sha256sum
- 
--while [[ $# -gt 0 ]]
--do
--    key="$1"
-+ALGO_LIST=("sha1sum" "sha256sum" "sha512sum")
-+
-+valid_algo() {
-+        local algo=$1
-+
-+        [[ " ${ALGO_LIST[@]} " =~ " ${algo} " ]]
-+}
- 
--    case $key in
--        -a|--algo)
--        ALGO="$2"
--        shift
--        ;;
--        -a=*|--algo=*)
--        ALGO=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -x|--ramdisk-location)
--        INITRAMFS_LOC="$2"
--        shift
--        ;;
--        -x=*|--ramdisk-location=*)
--        INITRAMFS_LOC=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -y|--boot_aggregate-location)
--        BOOT_AGGREGATE_LOC=$2
--        shift
--        ;;
--        -y=*|--boot_aggregate-location=*)
--        BOOT_AGGREGATE_LOC=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -z|--rootfs-location)
--        ROOTFS_LOC=$2
--        shift
--        ;;
--        -z=*|--rootfs-location=*)
--        ROOTFS_LOC=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -e|--exclude_list)
--        EXCLUDE_LIST=$2
--        shift
--        ;;
--        -e=*|--exclude_list=*)
--        EXCLUDE_LIST=$(echo $key | cut -d '=' -f 2)
--        ;;        
--        -o=*|--output_file=*)
--        OUTPUT=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -o|--output_file)
--        OUTPUT=$2
--        shift
--        ;;
--        -s=*|--skip-path=*)
--        SKIP_PATH=$(echo $key | cut -d '=' -f 2)
--        ;;
--        -s|--skip-path)
--        SKIP_PATH=$2
--        shift
--        ;;        
--        -h|--help)
--        printf "%s\n" "$USAGE"
--        exit 0
--        shift
--        ;;
--        *)
--                # unknown option
--        ;;
--        esac
--        shift
-+while getopts ":o:h:" opt; do
-+    case $opt in
-+        o)
-+            OUTPUT=$(readlink -f $OPTARG)
-+            rm -f $OUTPUT
-+            ;;
-+        h)
-+            if valid_algo $OPTARG; then
-+                ALGO=$OPTARG
-+            else
-+                echo "Invalid hash function argument: use sha1sum, sha256sum, or sha512sum"
-+                exit 1
-+            fi
-+            ;;
-+    esac
- done
- 
--if ! valid_algo $ALGO
-+if [ ! "$OUTPUT" ]
- then
--    echo "Invalid hash function argument: pick from \"${ALGO_LIST[@]}\""
-+    echo "Missing argument for -o" >&2;
-+    echo "Usage: $0 -o [filename] -h [hash-algo]" >&2;
-     exit 1
- fi
- 
--if [[ -z $OUTPUT ]]
--then
--    printf "%s\n" "$USAGE"
--    exit 1
-+
-+# Where to look for initramfs image
-+INITRAMFS_LOC="/boot"
-+if [ -d "/ostree" ]; then
-+    # If we are on an ostree system change where we look for initramfs image
-+    loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
-+    INITRAMFS_LOC="/boot/ostree/${loc}/"
- fi
- 
--rm -rf $ALLOWLIST_DIR
--rm -rf $INITRAMFS_STAGING_DIR
--rm -rf $OUTPUT_DIR
- 
--announce "Writing allowlist $ALLOWLIST_DIR/${OUTPUT} with $ALGO..."
--mkdir -p $ALLOWLIST_DIR
-+echo "Writing allowlist to $OUTPUT with $ALGO..."
- 
--if [[ $BOOT_AGGREGATE_LOC != "none" ]]
--then
--    announce "--- Adding boot agregate from $BOOT_AGGREGATE_LOC on allowlist $ALLOWLIST_DIR/${OUTPUT} ..."
- # Add boot_aggregate from /sys/kernel/security/ima/ascii_runtime_measurements (IMA Log) file.
- # The boot_aggregate measurement is always the first line in the IMA Log file.
- # The format of the log lines is the following:
- #     <PCR_ID> <PCR_Value> <IMA_Template> <File_Digest> <File_Name> <File_Signature>
- # File_Digest may start with the digest algorithm specified (e.g "sha1:", "sha256:") depending on the template used.
--    head -n 1 $BOOT_AGGREGATE_LOC | awk '{ print $4 "  boot_aggregate" }' | sed 's/.*://' >> $ALLOWLIST_DIR/${OUTPUT}
-+head -n 1 /sys/kernel/security/ima/ascii_runtime_measurements | awk '{ print $4 "  boot_aggregate" }' | sed 's/.*://' >> $OUTPUT
- 
--    bagghash=$(detect_hash $(cat $ALLOWLIST_DIR/${OUTPUT} | cut -d ' ' -f 1))
--    if [[ $ALGO != $bagghash ]]
--    then
--        announce "ERROR: \"boot aggregate\" has was calculated with $bagghash, but files will be calculated with $ALGO. Use option -a $bagghash"
--        exit 1
--    fi
--else
--    announce "--- Skipping boot aggregate..."
--fi
--
--announce "--- Adding all appropriate files from $ROOTFS_LOC on allowlist $ALLOWLIST_DIR/${OUTPUT} ..."
- # Add all appropriate files under root FS to allowlist
--pushd $ROOTFS_LOC > /dev/null 2>&1
--BASE_EXCLUDE_DIRS="\bsys\b\|\brun\b\|\bproc\b\|\blost+found\b\|\bdev\b\|\bmedia\b\|\bsnap\b\|\bmnt\b\|\bvar\b\|\btmp\b"
--ROOTFS_FILE_LIST=$(ls | grep -v $BASE_EXCLUDE_DIRS)
--if [[ $SKIP_PATH != "none" ]]
--then
--    SKIP_PATH=$(echo $SKIP_PATH | sed -e "s#^$ROOTFS_LOC##g" -e "s#,$ROOTFS_LOC##g" -e "s#,#\\\|#g")
--    ROOTFS_FILE_LIST=$(echo "$ROOTFS_FILE_LIST" | grep -v "$SKIP_PATH")
--fi
--find $ROOTFS_FILE_LIST \( -fstype rootfs -o -xtype f -type l -o -type f \) -uid 0 -exec $ALGO "$ROOTFS_LOC/{}" >> $ALLOWLIST_DIR/${OUTPUT} \;
--popd > /dev/null 2>&1
-+cd /
-+find `ls / | grep -v "\bsys\b\|\brun\b\|\bproc\b\|\blost+found\b\|\bdev\b\|\bmedia\b\|\bsnap\b\|mnt"` \( -fstype rootfs -o -xtype f -type l -o -type f \) -uid 0 -exec $ALGO '/{}' >> $OUTPUT \;
- 
- # Create staging area for init ram images
--mkdir -p $INITRAMFS_STAGING_DIR
-+rm -rf /tmp/ima/
-+mkdir -p /tmp/ima
- 
--if [[ $INITRAMFS_LOC != "none" ]]
--then
--    # Where to look for initramfs image
--    if [[ -d "/ostree" ]] 
--    then
--        X=$INITRAMFS_LOC
--        # If we are on an ostree system change where we look for initramfs image
--        loc=$(grep -E "/ostree/[^/]([^/]*)" -o /proc/cmdline | head -n 1 | cut -d / -f 3)
--        INITRAMFS_LOC="/boot/ostree/${loc}/"
--        announce "--- The location of initramfs was overriden from \"${X}\" to \"$INITRAMFS_LOC\""
--    fi
--
--    announce "--- Creating allowlist for init ram disks found under \"$INITRAMFS_LOC\" to $ALLOWLIST_DIR/${OUTPUT} ..."
--    for i in $(ls ${INITRAMFS_LOC}/initr* 2> /dev/null)
--    do
--        announce "            extracting $i"
--        mkdir -p $INITRAMFS_STAGING_DIR/$i-extracted
--        cd $INITRAMFS_STAGING_DIR/$i-extracted
--
--        # platform-specific handling of init ram disk images
--        if [[ `command -v unmkinitramfs` ]] ; then
--            mkdir -p $INITRAMFS_STAGING_DIR/$i-extracted-unmk
--            unmkinitramfs $i $INITRAMFS_STAGING_DIR/$i-extracted-unmk
--            if [[ -d "$INITRAMFS_STAGING_DIR/$i-extracted-unmk/main/" ]] ; then
--                cp -r $INITRAMFS_STAGING_DIR/$i-extracted-unmk/main/. /tmp/ima/$i-extracted
--            else
--                cp -r $INITRAMFS_STAGING_DIR/$i-extracted-unmk/. /tmp/ima/$i-extracted
--            fi
--        elif [[ -x "/usr/lib/dracut/skipcpio" ]] ; then
--            /usr/lib/dracut/skipcpio $i | gunzip -c | cpio -i -d 2> /dev/null
-+# Iterate through init ram disks and add files to allowlist
-+echo "Creating allowlist for init ram disk"
-+for i in `ls ${INITRAMFS_LOC}/initr*`
-+do
-+    echo "extracting $i"
-+    mkdir -p /tmp/ima/$i-extracted
-+    cd /tmp/ima/$i-extracted
-+
-+    # platform-specific handling of init ram disk images
-+    if [[ `command -v unmkinitramfs` ]] ; then
-+        mkdir -p /tmp/ima/$i-extracted-unmk
-+        unmkinitramfs $i /tmp/ima/$i-extracted-unmk
-+        if [[ -d "/tmp/ima/$i-extracted-unmk/main/" ]] ; then
-+            cp -r /tmp/ima/$i-extracted-unmk/main/. /tmp/ima/$i-extracted
-         else
--            announce "ERROR: No tools for initramfs image processing found!"
--            exit 1
-+            cp -r /tmp/ima/$i-extracted-unmk/. /tmp/ima/$i-extracted
-         fi
-+    elif [[ -x "/usr/lib/dracut/skipcpio" ]] ; then
-+        /usr/lib/dracut/skipcpio $i | gunzip -c 2> /dev/null | cpio -i -d 2> /dev/null
-+    else
-+        echo "ERROR: No tools for initramfs image processing found!"
-+        break
-+    fi
- 
--        find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $ALLOWLIST_DIR/${OUTPUT}
--    done
--fi
--
--# Non-critical cleanup on the resulting file (when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//' )
--sed -i "s^ //^ /^g"  $ALLOWLIST_DIR/${OUTPUT}
--# A bit of cleanup on the resulting file (among other problems, sha256sum might output a hash with the prefix '\\')
--sed -i "s/^\\\//g" $ALLOWLIST_DIR/${OUTPUT}
--
--# Convert to runtime policy
--mkdir -p $OUTPUT_DIR
--announce "Converting created allowlist ($ALLOWLIST_DIR/${OUTPUT}) to Keylime runtime policy ($OUTPUT_DIR/${OUTPUT}) ..."
--CONVERT_CMD_OPTS="--allowlist $ALLOWLIST_DIR/${OUTPUT} --output_file $OUTPUT_DIR/${OUTPUT}"
--[ -f $EXCLUDE_LIST ] && CONVERT_CMD_OPTS="$CONVERT_CMD_OPTS --excludelist "$(readlink -f -- "${EXCLUDE_LIST}")""
-+    find -type f -exec $ALGO "./{}" \; | sed "s| \./\./| /|" >> $OUTPUT
-+done
- 
--pushd $KCRP_BASE_DIR  > /dev/null 2>&1
--export PYTHONPATH=$KCRP_BASE_DIR:$PYTHONPATH
--# only 3 dependencies required: pip3 install cryptography lark packaging
--python3 ./keylime/cmd/convert_runtime_policy.py $CONVERT_CMD_OPTS; echo " "
--if [[ $? -eq 0 ]]
--then
--    announce "Done, new runtime policy file present at ${OUTPUT_DIR}/$OUTPUT. It can be used on the tenant keylime host with \"keylime_tenant -c add --runtime-policy ${OUTPUT_DIR}/$OUTPUT <other options>"
--fi
--popd  > /dev/null 2>&1
-+# when ROOTFS_LOC = '/', the path starts on allowlist ends up with double '//'
-+#
-+# Example:
-+#
-+# b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  //bar
-+#
-+# Replace the unwanted '//' with a single '/'
-+sed -i 's| /\+| /|g'  $ALLOWLIST_DIR/${OUTPUT}
-+
-+# When the file name contains newlines or backslashes, the output of sha256sum
-+# adds a backslash at the beginning of the line.
-+#
-+# Example:
-+#
-+# $ echo foo > ba\\r
-+# $ sha256sum ba\\r
-+# \b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c  ba\\r
-+#
-+# Remove the unwanted backslash prefix
-+sed -i 's/^\\//g' $ALLOWLIST_DIR/${OUTPUT}
-+
-+# Clean up
-+rm -rf /tmp/ima
--- 
-2.47.1
-

SOURCES/0006-Revert-default-server_key_password-for-verifier-regi.patch

@@ -1,66 +0,0 @@
-From 733db4036f2142152795fc51b761f05e39594b08 Mon Sep 17 00:00:00 2001
-From: Sergio Correia <scorreia@redhat.com>
-Date: Tue, 27 May 2025 09:31:54 +0000
-Subject: [PATCH 6/6] Revert "default" server_key_password for
- verifier/registrar
-
-Signed-off-by: Sergio Correia <scorreia@redhat.com>
----
- templates/2.0/mapping.json | 4 ++--
- templates/2.1/mapping.json | 6 +++---
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/templates/2.0/mapping.json b/templates/2.0/mapping.json
-index 80dcdde..8fce124 100644
---- a/templates/2.0/mapping.json
-+++ b/templates/2.0/mapping.json
-@@ -232,7 +232,7 @@
-             "server_key_password": {
-                 "section": "cloud_verifier",
-                 "option": "private_key_pw",
--                "default": ""
-+                "default": "default"
-             },
-             "enable_agent_mtls": {
-                 "section": "cloud_verifier",
-@@ -563,7 +563,7 @@
-             "server_key_password": {
-                 "section": "registrar",
-                 "option": "private_key_pw",
--                "default": ""
-+                "default": "default"
-             },
-             "server_cert": {
-                 "section": "registrar",
-diff --git a/templates/2.1/mapping.json b/templates/2.1/mapping.json
-index 956a53a..88e3fb6 100644
---- a/templates/2.1/mapping.json
-+++ b/templates/2.1/mapping.json
-@@ -262,7 +262,7 @@
-             "server_key_password": {
-                 "section": "verifier",
-                 "option": "server_key_password",
--                "default": ""
-+                "default": "default"
-             },
-             "enable_agent_mtls": {
-                 "section": "verifier",
-@@ -593,7 +593,7 @@
-             "server_key_password": {
-                 "section": "registrar",
-                 "option": "server_key_password",
--                "default": ""
-+                "default": "default"
-             },
-             "server_cert": {
-                 "section": "registrar",
-@@ -835,4 +835,4 @@
-         "handler_consoleHandler": "logging",
-         "logger_keylime": "logging"
-     }
--}
-\ No newline at end of file
-+}
--- 
-2.47.1
-

keylime.spec

@@ -1,58 +1,82 @@
+## START: Set by rpmautospec
+## (rpmautospec version 0.6.5)
+## RPMAUTOSPEC: autochangelog
+## END: Set by rpmautospec
+
 %global srcname keylime
 %global policy_version 42.1.2
-%global with_selinux 1
-%global selinuxtype targeted
 
 # Package is actually noarch, but it has an optional dependency that is
 # arch-specific.
 %global debug_package %{nil}
+%global with_selinux 1
+%global selinuxtype targeted
 
 Name:    keylime
 Version: 7.12.1
-Release: 11%{?dist}
+Release: 11%{?dist}.3
 Summary: Open source TPM software for Bootstrapping and Maintaining Trust
 
 URL:            https://github.com/keylime/keylime
 Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
+# The selinux policy for keylime is distributed via this repo: https://github.com/RedHat-SP-Security/keylime-selinux
 Source1:        https://github.com/RedHat-SP-Security/%{name}-selinux/archive/v%{policy_version}/keylime-selinux-%{policy_version}.tar.gz
 Source2:        %{srcname}.sysusers
 Source3:        %{srcname}.tmpfiles
 
-Patch: 0001-Make-keylime-compatible-with-python-3.9.patch
-Patch: 0002-tests-fix-rpm-repo-tests-from-create-runtime-policy.patch
-Patch: 0003-tests-skip-measured-boot-related-tests-for-s390x-and.patch
-Patch: 0004-templates-duplicate-str_to_version-in-the-adjust-scr.patch
-# RHEL-9 ships a slightly modified version of create_allowlist.sh and
-# also a "default" server_key_password for the registrar and verifier.
-# DO NOT REMOVE THE FOLLOWING TWO PATCHES IN FOLLOWING RHEL-9.x REBASES.
-Patch: 0005-Restore-RHEL-9-version-of-create_allowlist.sh.patch
-Patch: 0006-Revert-default-server_key_password-for-verifier-regi.patch
 # Backported from https://github.com/keylime/keylime/pull/1782
-Patch: 0007-fix_db_connection_leaks.patch
+# Fixes DB connections leaks (https://issues.redhat.com/browse/RHEL-102995)
+Patch:         keylime-fix-db-connection-leaks.patch
 
 # Backported from https://github.com/keylime/keylime/pull/1791
-Patch: 0008-mb-support-EV_EFI_HANDOFF_TABLES-events-on-PCR1.patch
-Patch: 0009-mb-support-vendor_db-as-logged-by-newer-shim-version.patch
+Patch: 0002-mb-support-EV_EFI_HANDOFF_TABLES-events-on-PCR1.patch
+Patch: 0003-mb-support-vendor_db-as-logged-by-newer-shim-version.patch
 
 # Backported from https://github.com/keylime/keylime/pull/1784
-# and https://github.com/keylime/keylime/pull/1785.
-Patch: 0010-verifier-Gracefully-shutdown-on-signal.patch
-Patch: 0011-revocations-Try-to-send-notifications-on-shutdown.patch
-Patch: 0012-requests_client-close-the-session-at-the-end-of-the-.patch
+# and https://github.com/keylime/keylime/pull/1785
+Patch: 0004-verifier-Gracefully-shutdown-on-signal.patch
+Patch: 0005-revocations-Try-to-send-notifications-on-shutdown.patch
+Patch: 0006-requests_client-close-the-session-at-the-end-of-the-.patch
 
-License: ASL 2.0 and MIT
+# Backported from https://github.com/keylime/keylime/pull/1736,
+# https://github.com/keylime/keylime/commit/11c6b7f and
+# https://github.com/keylime/keylime/commit/dd63459
+Patch: 0007-tests-change-test_mba_parsing-to-not-need-keylime-in.patch
+Patch: 0008-tests-skip-measured-boot-related-tests-for-s390x-and.patch
+Patch: 0009-tests-fix-rpm-repo-tests-from-create-runtime-policy.patch
+
+# Backported from https://github.com/keylime/keylime/pull/1793
+Patch: 0010-mba-normalize-vendor_db-in-EV_EFI_VARIABLE_AUTHORITY.patch
+
+# Backported from https://github.com/keylime/keylime/pull/1794
+Patch: 0011-fix-malformed-certs-workaround.patch
+# Backported from https://github.com/keylime/keylime/pull/1795
+Patch: 0012-keylime-policy-avoid-opening-dev-stdout.patch
+
+# CVE-2025-13609
+# Backports from:
+# - https://github.com/keylime/keylime/pull/1817/commits/1024e19d
+# - https://github.com/keylime/keylime/pull/1825
+Patch: 0013-Add-shared-memory-infrastructure-for-multiprocess-co.patch
+Patch: 0014-Fix-registrar-duplicate-UUID-vulnerability.patch
+
+# Main program: Apache-2.0
+# Icons: MIT
+License: Apache-2.0 AND MIT
 
 BuildRequires: git-core
+BuildRequires: openssl
 BuildRequires: openssl-devel
 BuildRequires: python3-devel
 BuildRequires: python3-dbus
 BuildRequires: python3-jinja2
 BuildRequires: python3-cryptography
+BuildRequires: python3-gpg
 BuildRequires: python3-pyasn1
 BuildRequires: python3-pyasn1-modules
 BuildRequires: python3-tornado
 BuildRequires: python3-sqlalchemy
-BuildRequires: python3-lark-parser
+BuildRequires: python3-lark
 BuildRequires: python3-psutil
 BuildRequires: python3-pyyaml
 BuildRequires: python3-jsonschema
@@ -67,10 +91,20 @@ Requires: %{srcname}-base = %{version}-%{release}
 Requires: %{srcname}-verifier = %{version}-%{release}
 Requires: %{srcname}-registrar = %{version}-%{release}
 Requires: %{srcname}-tenant = %{version}-%{release}
+Requires: %{srcname}-tools = %{version}-%{release}
+
+# webapp was removed upstream in release 6.4.2.
+Obsoletes: %{srcname}-webapp < 6.4.2
+
+# python agent was removed upstream in release 7.0.0.
+Obsoletes: python3-%{srcname}-agent < 7.0.0
 
 # Agent.
 Requires: keylime-agent
-Suggests: keylime-agent-rust
+Suggests: %{srcname}-agent-rust
+
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
 
 %{?python_enable_dependency_generator}
 %description
@@ -81,10 +115,11 @@ and runtime integrity measurement solution.
 Summary: The base package contains the default configuration
 License: MIT
 
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
 
 Requires(pre): python3-jinja2
 Requires(pre): shadow-utils
-Requires(pre): util-linux
 Requires(pre): tpm2-tss
 Requires: procps-ng
 Requires: openssl
@@ -108,6 +143,9 @@ The base package contains the Keylime default configuration
 Summary: The Python Keylime module
 License: MIT
 
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
 Requires: %{srcname}-base = %{version}-%{release}
 %{?python_provide:%python_provide python3-%{srcname}}
 
@@ -122,10 +160,10 @@ Requires: python3-gpg
 Requires: python3-lark-parser
 Requires: python3-pyasn1
 Requires: python3-pyasn1-modules
+requires: python3-psutil
 Requires: python3-jsonschema
-Requires: python3-psutil
+Requires: python3-typing-extensions
 Requires: tpm2-tools
-Requires: openssl
 
 %description -n python3-%{srcname}
 The python3-keylime module implements the functionality used
@@ -135,6 +173,9 @@ by Keylime components.
 Summary: The Python Keylime Verifier component
 License: MIT
 
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
 Requires: %{srcname}-base = %{version}-%{release}
 Requires: python3-%{srcname} = %{version}-%{release}
 
@@ -146,6 +187,9 @@ of the machine that the agent is running on.
 Summary: The Keylime Registrar component
 License: MIT
 
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
 Requires: %{srcname}-base = %{version}-%{release}
 Requires: python3-%{srcname} = %{version}-%{release}
 
@@ -171,6 +215,9 @@ Custom SELinux policy module
 Summary: The Python Keylime Tenant
 License: MIT
 
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
 Requires: %{srcname}-base = %{version}-%{release}
 Requires: python3-%{srcname} = %{version}-%{release}
 
@@ -178,13 +225,26 @@ Requires: python3-%{srcname} = %{version}-%{release}
 %description tenant
 The Keylime Tenant can be used to provision a Keylime Agent.
 
+%package tools
+Summary: Keylime tools
+License: MIT
+
+# Conflicts with the monolithic versions of the package, before the split.
+Conflicts: keylime < 6.3.0-3
+
+Requires: %{srcname}-base = %{version}-%{release}
+Requires: python3-%{srcname} = %{version}-%{release}
+
+%description tools
+The keylime tools package includes miscelaneous tools.
+
+
 %prep
 %autosetup -S git -n %{srcname}-%{version} -a1
 
 %if 0%{?with_selinux}
 # SELinux policy (originally from selinux-policy-contrib)
 # this policy module will override the production module
-mkdir selinux
 
 make -f %{_datadir}/selinux/devel/Makefile %{srcname}.pp
 bzip2 -9 %{srcname}.pp
@@ -204,20 +264,18 @@ for comp in "verifier" "tenant" "registrar" "ca" "logging"; do
     install -Dpm 400 config/${comp}.conf %{buildroot}/%{_sysconfdir}/%{srcname}
 done
 
-# Ship some scripts.
-mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
-for s in create_mb_refstate \
-         ek-openssl-verify; do
-    install -Dpm 755 scripts/${s} \
-        %{buildroot}/%{_datadir}/%{srcname}/scripts/${s}
+# Do not ship a few scripts that are to be obsoleted soon.
+# The functionality they provide is now provided by keylime-policy.
+for s in keylime_convert_runtime_policy \
+         keylime_create_policy \
+         keylime_sign_runtime_policy; do
+    rm -f %{buildroot}/%{_bindir}/"${s}"
 done
 
-# On RHEL 9.3, install create_runtime_policy.sh as create_allowlist.sh
-# The convert_runtime_policy.py script to convert allowlist and excludelist into
-# runtime policy is not called anymore.
-# See: https://issues.redhat.com/browse/RHEL-11866
-install -Dpm 755 scripts/create_runtime_policy.sh \
-        %{buildroot}/%{_datadir}/%{srcname}/scripts/create_allowlist.sh
+# Ship the ek-openssl-verify script.
+mkdir -p %{buildroot}/%{_datadir}/%{srcname}/scripts
+install -Dpm 755 scripts/ek-openssl-verify \
+        %{buildroot}/%{_datadir}/%{srcname}/scripts/ek-openssl-verify
 
 # Ship configuration templates.
 cp -r ./templates %{buildroot}%{_datadir}/%{srcname}/templates/
@@ -265,11 +323,11 @@ export KEYLIME_LOGGING_CONFIG="${CONF_TEMP_DIR}/logging.conf"
 
 # Cleanup.
 [ "${CONF_TEMP_DIR}" ] && rm -rf "${CONF_TEMP_DIR}"
-for e in KEYLIME_VERIFIER_CONFIG \
-         KEYLIME_TENANT_CONFIG \
-         KEYLIME_REGISTRAR_CONFIG \
-         KEYLIME_CA_CONFIG \
-         KEYLIME_LOGGING_CONFIG; do
+    for e in KEYLIME_VERIFIER_CONFIG \
+        KEYLIME_TENANT_CONFIG \
+        KEYLIME_REGISTRAR_CONFIG \
+        KEYLIME_CA_CONFIG \
+        KEYLIME_LOGGING_CONFIG; do
     unset "${e}"
 done
 exit 0
@@ -279,12 +337,7 @@ exit 0
 exit 0
 
 %post base
-for c in ca logging; do
-    [ -e /etc/keylime/"${c}.conf" ] || continue
-    /usr/bin/keylime_upgrade_config --component "${c}" \
-                                    --input /etc/keylime/"${c}.conf" \
-                                    >/dev/null
-done
+/usr/bin/keylime_upgrade_config --component ca --component logging >/dev/null
 exit 0
 
 %posttrans base
@@ -304,43 +357,19 @@ fi
 [ -d %{_sharedstatedir}/%{srcname}/tpm_cert_store ] && \
     chmod 400 %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem && \
     chmod 500 %{_sharedstatedir}/%{srcname}/tpm_cert_store/
-exit 0
 
 %post verifier
-[ -e /etc/keylime/verifier.conf ] && \
-    /usr/bin/keylime_upgrade_config --component verifier \
-                                    --input /etc/keylime/verifier.conf \
-                                    >/dev/null
+/usr/bin/keylime_upgrade_config --component verifier >/dev/null
 %systemd_post %{srcname}_verifier.service
-exit 0
 
 %post registrar
-[ -e /etc/keylime/registrar.conf ] && \
-    /usr/bin/keylime_upgrade_config --component registrar \
-                                    --input /etc/keylime/registrar.conf /
-                                    >/dev/null
+/usr/bin/keylime_upgrade_config --component registrar >/dev/null
 %systemd_post %{srcname}_registrar.service
-exit 0
 
 %post tenant
-[ -e /etc/keylime/tenant.conf ] && \
-    /usr/bin/keylime_upgrade_config --component tenant \
-                                    --input /etc/keylime/tenant.conf \
-                                    >/dev/null
+/usr/bin/keylime_upgrade_config --component tenant >/dev/null
 exit 0
 
-%preun verifier
-%systemd_preun %{srcname}_verifier.service
-
-%preun registrar
-%systemd_preun %{srcname}_registrar.service
-
-%postun verifier
-%systemd_postun_with_restart %{srcname}_verifier.service
-
-%postun registrar
-%systemd_postun_with_restart %{srcname}_registrar.service
-
 %if 0%{?with_selinux}
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
@@ -355,7 +384,7 @@ if [ "$1" -le "1" ]; then # First install
     # The services need to be restarted for the custom label to be
     # applied in case they where already present in the system,
     # restart fails silently in case they where not.
-    for svc in agent registrar verifier; do
+    for svc in registrar verifier; do
         [ -f "%{_unitdir}/%{srcname}_${svc}".service ] && \
             %systemd_postun_with_restart "%{srcname}_${svc}".service
     done
@@ -369,6 +398,21 @@ if [ $1 -eq 0 ]; then
 fi
 %endif
 
+%preun verifier
+%systemd_preun %{srcname}_verifier.service
+
+%preun registrar
+%systemd_preun %{srcname}_registrar.service
+
+%preun tenant
+%systemd_preun %{srcname}_registrar.service
+
+%postun verifier
+%systemd_postun_with_restart %{srcname}_verifier.service
+
+%postun registrar
+%systemd_postun_with_restart %{srcname}_registrar.service
+
 %files verifier
 %license LICENSE
 %attr(500,%{srcname},%{srcname}) %dir %{_sysconfdir}/%{srcname}/verifier.conf.d
@@ -401,14 +445,14 @@ fi
 %license LICENSE
 %{python3_sitelib}/%{srcname}-*.egg-info/
 %{python3_sitelib}/%{srcname}
-%{_datadir}/%{srcname}/scripts/create_mb_refstate
 %{_bindir}/keylime_attest
-%{_bindir}/keylime_convert_runtime_policy
-%{_bindir}/keylime_create_policy
-%{_bindir}/keylime_sign_runtime_policy
-%{_bindir}/keylime_userdata_encrypt
 %{_bindir}/keylime-policy
 
+
+%files tools
+%license LICENSE
+%{_bindir}/%{srcname}_userdata_encrypt
+
 %files base
 %license LICENSE
 %doc README.md
@@ -424,7 +468,6 @@ fi
 %attr(400,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}/tpm_cert_store/*.pem
 %{_tmpfilesdir}/%{srcname}.conf
 %{_sysusersdir}/%{srcname}.conf
-%{_datadir}/%{srcname}/scripts/create_allowlist.sh
 %{_datadir}/%{srcname}/scripts/ek-openssl-verify
 %{_datadir}/%{srcname}/templates
 %{_bindir}/keylime_upgrade_config
@@ -433,178 +476,243 @@ fi
 %license LICENSE
 
 %changelog
-* Mon Aug 18 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-11
--  Fix for revocation notifier not closing TLS session correctly
-   Resolves: RHEL-109656
+## START: Generated by rpmautospec
+* Thu Dec 11 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-15
+- Registrar allows identity takeover via duplicate UUID registration
 
-* Wed Aug 13 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-10
-- Support vendor_db: follow-up fix
-  Related: RHEL-80455
+* Mon Sep 15 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-14
+- Properly fix malformed TPM certificates workaround
+
+* Thu Aug 28 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-13
+- Avoid opening /dev/stdout when printing
+
+* Wed Aug 27 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-12
+- Fix malformed TPM certificates workaround
+
+* Wed Aug 20 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-11
+- mba: normalize vendor_db in EV_EFI_VARIABLE_AUTHORITY events
+
+* Mon Aug 18 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-10
+- Fix for revocation notifier not closing TLS session correctly
 
 * Tue Aug 12 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-9
 - Support vendor_db as logged by newer shim versions
-  Resolves: RHEL-80455
 
 * Fri Aug 08 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-8
 - Fix DB connection leaks
-  Resolves: RHEL-108263
 
-* Tue Jul 22 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-7
+* Thu Jul 24 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-7
 - Fix tmpfiles.d configuration related to the cert store
-  Resolves: RHEL-104572
 
 * Thu Jul 10 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-6
 - Populate cert_store_dir with tpmfiles.d
-  Resolves: RHEL-76926
 
 * Thu Jul 10 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-5
 - Use tmpfiles.d for permissions in /var/lib/keylime and /etc/keylime
-  Resolves: RHEL-77144
 
-* Tue Jul 08 2025 Patrik Koncity <pkoncity@redhat.com> - 7.12.1-4
-- Add new keylime-selinux release - removing keylime_var_log_t label
-  Resolves: RHEL-388
+* Wed Jul 09 2025 Patrik Koncity <pkoncity@redhat.com> - 7.12.1-4
+- Use the newest keylime-selinux release
 
-* Fri Jun 20 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-3
-- Avoid changing ownership of /var/log/keylime
-  Resolves: RHEL-388
+* Wed Jul 02 2025 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.12.1-3
+- Avoid changing the ownership of /var/log/keylime
 
-* Tue May 27 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-2
-- Revert changes to default server_key_password for verifier/registrar
-  Resolves: RHEL-93678
+* Mon Feb 17 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-2
+- Drop old keylime policy related scripts
 
-* Thu May 22 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-1
-- Update to 7.12.1
-  Resolves: RHEL-78418
+* Fri Feb 14 2025 Sergio Correia <scorreia@redhat.com> - 7.12.1-1
+- Updating for Keylime release v7.12.1
 
-* Wed Feb 05 2025 Sergio Correia <scorreia@redhat.com> - 7.3.0-15
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 7.9.0-8
+- Bump release for October 2024 mass rebuild:
+
+* Mon Aug 19 2024 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.9.0-7
 - Use TLS on revocation notification webhook
-- Include system installed CA certificates when verifying webhook
-   server certificate
+- Include system installed CA certificates when verifying webhook server
+  certificate
 - Include the CA certificates added via configuration file option
   'trusted_server_ca'
-  Resolves: RHEL-78057
-  Resolves: RHEL-78313
-  Resolves: RHEL-78316
 
-* Fri Jan 10 2025 Sergio Correia <scorreia@redhat.com> - 7.3.0-14
-- Backport keylime-policy tool
-  Resolves: RHEL-75797
+* Fri Aug 16 2024 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.9.0-6
+- Restore create_allowlist.sh to be the same as in RHEL-9
 
-* Fri Jan 05 2024 Sergio Correia <scorreia@redhat.com> - 7.3.0-13
-- Backport fix for CVE-2023-3674
-  Resolves: RHEL-21013
+* Mon Jun 24 2024 Karel Srot <ksrot@redhat.com> - 7.9.0-5
+- Add rhel-10 gating.yaml
 
-* Tue Oct 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-12
-- Set the generator and timestamp in create_policy.py
-  Related: RHEL-11866
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7.9.0-4
+- Bump release for June 2024 mass rebuild
 
-* Mon Oct 09 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-11
-- Suppress unnecessary error message
-  Related: RHEL-11866
+* Thu May 09 2024 Karel Srot <ksrot@redhat.com> - 7.9.0-3
+- tests: Update CI test plan for C10S
 
-* Fri Oct 06 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-10
-- Restore allowlist generation script
-  Resolves: RHEL-11866
-  Resolves: RHEL-11867
+* Mon Feb 12 2024 Sergio Correia <scorreia@redhat.com> - 7.9.0-2
+- Fixes for rawhide
 
-* Wed Sep 06 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-9
-- Rebuild for properly tagging the resulting build
-  Resolves: RHEL-1898
+* Tue Jan 30 2024 Sergio Correia <scorreia@redhat.com> - 7.9.0-1
+- Updating for Keylime release v7.9.0
+- Migrated license to SPDX
 
-* Fri Sep 01 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-8
-- Add missing dependencies python3-jinja2 and util-linux
-  Resolves: RHEL-1898
+* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.8.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Aug 28 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-7
-- Automatically update agent API version
-  Resolves: RHEL-1518
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
 
-* Mon Aug 28 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-6
-- Fix registrar is subject to a DoS against SSL (CVE-2023-38200)
-  Resolves: rhbz#2222694
+* Tue Dec 05 2023 Sergio Correia <scorreia@redhat.com> - 7.8.0-1
+- Updating for Keylime release v7.8.0
 
-* Fri Aug 25 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 7.3.0-5
-- Fix challenge-protocol bypass during agent registration (CVE-2023-38201)
-  Resolves: rhbz#2222695
+* Thu Nov 02 2023 Sergio Correia <scorreia@redhat.com> - 7.7.0-1
+- Updating for Keylime release v7.7.0
 
-* Tue Aug 22 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-4
-- Update spec file to use %verify(not md5 size mode mtime) for files updated in %post scriptlets
-  Resolves: RHEL-475
+* Thu Aug 24 2023 Sergio Correia <scorreia@redhat.com> - 7.5.0-1
+- Updating for Keylime release v7.5.0
 
-* Tue Aug 15 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-3
-- Fix Keylime configuration upgrades issues introduced in last rebase
-  Resolves: RHEL-475
-- Handle session close using a session manager
-  Resolves: RHEL-1252
-- Add ignores for EV_PLATFORM_CONFIG_FLAGS
-  Resolves: RHEL-947
+* Mon Jul 31 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
+- Updating for Keylime release v7.3.0
 
-* Tue Aug 8 2023 Patrik Koncity <pkoncity@redhat.com> - 7.3.0-2
-- Keylime SELinux policy provides more restricted ports.
-- New SELinux label for ports used by keylime.
-- Adding tabrmd interfaces allow unix stream socket communication and dbus communication.
-- Allow the keylime_server_t domain to get the attributes of all filesystems.
-  Resolves: RHEL-595
-  Resolves: RHEL-390
-  Resolves: RHEL-948
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.2.5-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 
-* Wed Jul 19 2023 Sergio Correia <scorreia@redhat.com> - 7.3.0-1
-- Update to 7.3.0
-  Resolves: RHEL-475
+* Thu Jun 15 2023 Python Maint <python-maint@redhat.com> - 7.2.5-3
+- Rebuilt for Python 3.12
 
-* Fri Jan 13 2023 Sergio Correia <scorreia@redhat.com> - 6.5.2-4
-- Backport upstream PR#1240 - logging: remove option to log into separate file
-  Resolves: rhbz#2154584 - keylime verifier is not logging to /var/log/keylime
+* Tue Jun 06 2023 Sergio Correia <scorreia@redhat.com> - 7.2.5-2
+- Update test plan
 
-* Thu Dec 1 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-3
-- Remove leftover policy file
-  Related: rhbz#2152135
+* Mon Jun 05 2023 Sergio Correia <scorreia@redhat.com> - 7.2.5-1
+- Updating for Keylime release v7.2.5
 
-* Thu Dec 1 2022 Patrik Koncity <pkoncity@redhat.com> - 6.5.2-2
-- Use keylime selinux policy from upstream.
-  Resolves: rhbz#2152135
+* Fri Feb 03 2023 Sergio Correia <scorreia@redhat.com> - 6.6.0-1
+- Updating for Keylime release v6.6.0
 
-* Mon Nov 14 2022 Sergio Correia <scorreia@redhat.com> - 6.5.2-1
-- Update to 6.5.2
-  Resolves: CVE-2022-3500
-  Resolves: rhbz#2138167 - agent fails IMA attestation when one scripts is executed quickly after the other
-  Resolves: rhbz#2140670 - Segmentation fault in /usr/share/keylime/create_mb_refstate script
-  Resolves: rhbz#142009 - Registrar may crash during EK validation when require_ek_cert is enabled
+* Wed Jan 25 2023 Sergio Correia <scorreia@redhat.com> - 6.5.3-2
+- e2e tests: do not change the tpm hash alg to sha256
 
-* Tue Sep 13 2022 Sergio Correia <scorreia@redhat.com> - 6.5.0-1
-- Update to 6.5.0
-  Resolves: rhbz#2120686 - Keylime configuration is too complex
+* Wed Jan 25 2023 Sergio Correia <scorreia@redhat.com> - 6.5.3-1
+- Updating for Keylime release v6.5.3
 
-* Fri Aug 26 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
-- Update to 6.4.3
-  Resolves: rhbz#2121044 - Error parsing EK ASN.1 certificate of Nuvoton HW TPM
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.3-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
 
-* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-6
-- Update keylime SELinux policy
-- Resolves: rhbz#2121058
+* Mon Dec 12 2022 Karel Srot <ksrot@redhat.com> - 6.4.3-7
+- Ignore non-keylime AVCs on Fedora Rawhide
 
-* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-5
-- Update keylime SELinux policy and removed duplicate rules
-- Resolves: rhbz#2121058
+* Fri Dec 09 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-6
+- Proper exception handling in tornado_requests
 
-* Fri Aug 26 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-4
-- Update keylime SELinux policy
-- Resolves: rhbz#2121058
+* Fri Dec 09 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-5
+- Do not remove tag-repository.repo
 
-* Wed Aug 17 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.2-3
-- Add keylime-selinux policy as subpackage
-- See https://fedoraproject.org/wiki/SELinux/IndependentPolicy
-- Resolves: rhbz#2121058
+* Thu Dec 01 2022 Karel Srot <ksrot@redhat.com> - 6.4.3-4
+- Add dynamic_ref reference to e2e_tests.fmf
 
-* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
+* Tue Oct 25 2022 Patrik Koncity <pkoncity@redhat.com> - 6.4.3-3
+- Add keylime selinux policy as subpackage and update CI
+
+* Wed Sep 14 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-2
+- Update tests branch to fedora-main
+
+* Thu Aug 25 2022 Sergio Correia <scorreia@redhat.com> - 6.4.3-1
+- Updating for Keylime release v6.4.3
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.4.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Mon Jul 11 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-3
+- Wrap efivar-libs dependency in a "ifarch %%efi"
+
+* Fri Jul 08 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-2
 - Fix efivar-libs dependency
-  Related: rhbz#2082989
+- Some arches do not have efivar-libs, so let's require it conditionally.
 
-* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
-- Update to 6.4.2
-  Related: rhbz#2082989
+* Fri Jul 08 2022 Sergio Correia <scorreia@redhat.com> - 6.4.2-1
+- Updating for Keylime release v6.4.2
+- Remove keylime-webapp and mark package as obsolete
+- Configure tmpfiles.d
+- Move common python dependencies to python3-keylime
+- Change dependency from python3-gnupg to python3-gpg
+- Use sysusers.d for handling user creation
 
-* Tue Jun 21 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
-- Add keylime to RHEL-9
-  Resolves: rhbz#2082989
+* Fri Jul 08 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-4
+- Adjust Fedora CI test plan as per upstream
+
+* Thu Jul 07 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-3
+- Opt in to rpmautospec
+
+* Mon Jun 13 2022 Python Maint <python-maint@redhat.com> - 6.4.1-2
+- Rebuilt for Python 3.11
+
+* Mon Jun 06 2022 Sergio Correia <scorreia@redhat.com> - 6.4.1-1
+- Updating for Keylime release v6.4.1
+
+* Wed May 04 2022 Sergio Correia <scorreia@redhat.com> - 6.4.0-1
+- Updating for Keylime release v6.4.0
+
+* Wed Apr 06 2022 Sergio Correia <scorreia@redhat.com> - 6.3.2-1
+- Updating for Keylime release v6.3.2
+
+* Mon Feb 14 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-1
+- Updating for Keylime release v6.3.1
+
+* Tue Feb 08 2022 Sergio Correia <scorreia@redhat.com> - 6.0.3-4
+- Add Conflicts clauses for the subpackages
+
+* Mon Feb 07 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-3
+- Split keylime into subpackages
+  Related: rhbz#2045874 - Keylime subpackaging and agent alternatives
+
+* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-2
+- Fix permissions of config file
+
+* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-1
+- Updating for Keylime release v6.3.0
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 6.1.0-3
+- Rebuilt for Python 3.10
+
+* Thu Mar 25 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
+- Updating for Keylime release v6.1.0
+
+* Wed Mar 03 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
+- Updating for Keylime release v6.0.1
+
+* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 6.0.0-2
+- Rebuilt for updated systemd-rpm-macros
+  See https://pagure.io/fesco/issue/2583.
+
+* Wed Feb 24 2021 Luke Hinds <lhinds@redhat.com> 6.0.0-1
+- Updating for Keylime release v6.0.0
+
+* Tue Feb 02 2021 Luke Hinds <lhinds@redhat.com> 5.8.1-1
+- Updating for Keylime release v5.8.1
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Sat Jan 23 2021 Luke Hinds <lhinds@redhat.com> 5.8.0-1
+- Updating for Keylime release v5.8.0
+
+* Fri Jul 17 2020 Luke Hinds <lhinds@redhat.com> 5.7.2-1
+- Updating for Keylime release v5.7.2
+
+* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 5.6.2-2
+- Rebuilt for Python 3.9
+
+* Fri May 01 2020 Luke Hinds <lhinds@redhat.com> 5.6.2-1
+- Updating for Keylime release v5.6.2
+
+* Thu Feb 06 2020 Luke Hinds <lhinds@redhat.com> 5.5.0-1
+- Updating for Keylime release v5.5.0
+
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Dec 12 2019 Luke Hinds <lhinds@redhat.com> 5.4.1-1
+– Initial Packaging
+
+## END: Generated by rpmautospec

sources

@@ -0,0 +1,2 @@
+SHA512 (keylime-selinux-42.1.2.tar.gz) = cb7b7b10d1d81af628a7ffdadc1be5af6d75851a44f58cff04edc575cbba1613447e56bfa1fb86660ec7c15e5fcf16ba51f2984094550ba3e08f8095b800b741
+SHA512 (v7.12.1.tar.gz) = c1297ebfc659102d73283255cfda4a977dfbff9bdd3748e05de405dadb70f752ad39aa5848edda9143d8ec620d07c21f1551fa4a914c99397620ab1682e58458