rpms/keylime
6
0
Fork 0
Code Issues Pull Requests Releases Activity
5e0080288e
keylime/keylime.spec
Sergio Correia 5e0080288e Updating for Keylime release v6.3.2
2022-04-07 08:12:42 -03:00

432 lines
12 KiB
RPMSpec
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

%global srcname keylime
Name: keylime
Version: 6.3.2
Release: 1%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust
BuildArch: noarch
URL: https://github.com/keylime/keylime
Source0: https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz
# Main program: BSD
# Icons: MIT
License: ASL 2.0 and MIT
BuildRequires: git-core
BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-setuptools
BuildRequires: systemd-rpm-macros
Requires: python3-%{srcname} = %{version}-%{release}
Requires: %{srcname}-base = %{version}-%{release}
Requires: %{srcname}-verifier = %{version}-%{release}
Requires: %{srcname}-registrar = %{version}-%{release}
Requires: %{srcname}-tenant = %{version}-%{release}
Requires: %{srcname}-webapp = %{version}-%{release}
Requires: %{srcname}-tools = %{version}-%{release}
# Agent.
Requires: keylime-agent
Suggests: python3-%{srcname}-agent
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
%{?python_enable_dependency_generator}
%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.
%package base
Summary: The base package contains the default configuration
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires(pre): shadow-utils
Requires: efivar-libs
Requires: procps-ng
Requires: tpm2-tss
Requires: tpm2-tools
%description base
The base package contains the Keylime default configuration
%package -n python3-%{srcname}
Summary: The Python Keylime module
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
%{?python_provide:%python_provide python3-%{srcname}}
%description -n python3-%{srcname}
The python3-keylime module implements the functionality used
by Keylime components.
%package verifier
Summary: The Python Keylime Verifier component
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
%description verifier
The Keylime Verifier continuously verifies the integrity state
of the machine that the agent is running on.
%package registrar
Summary: The Keylime Registrar component
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-alembic
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
%description registrar
The Keylime Registrar is a database of all agents registered
with Keylime and hosts the public keys of the TPM vendors.
%package -n python3-%{srcname}-agent
Summary: The Python Keylime Agent
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
# Virtual Provides to support swapping between Python and Rust implementation.
Provides: keylime-agent
Conflicts: keylime-agent
Requires: python3-psutil
Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
%description -n python3-%{srcname}-agent
The Keylime Agent is deployed to the remote machine that is to be
measured or provisioned with secrets stored within an encrypted
payload released once trust is established.
%package tenant
Summary: The Python Keylime Tenant
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
%description tenant
The Keylime Tenant can be used to provision a Keylime Agent.
%package webapp
Summary: The Python Keylime WebApp GUI
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
%description webapp
The Keylime WebApp GUI interface can be used to provision a Keylime Agent.
%package tools
Summary: Keylime tools
License: MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts: keylime < 6.3.0-3
Requires: %{srcname}-base = %{version}-%{release}
Requires: python3-%{srcname} = %{version}-%{release}
Requires: python3-tornado
Requires: python3-cryptography
Requires: python3-pyyaml
Requires: python3-packaging
Requires: python3-requests
Requires: python3-zmq
Requires: python3-gnupg
%description tools
The keylime tools package includes tools like the IMA emulator.
%prep
%autosetup -S git -n %{srcname}-%{version}
%build
%py3_build
%install
%py3_install
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}
# Setting up the agent to use keylime user/group.
sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf
install -Dpm 600 %{srcname}.conf \
%{buildroot}%{_sysconfdir}/%{srcname}.conf
install -Dpm 644 ./services/%{srcname}_agent.service \
%{buildroot}%{_unitdir}/%{srcname}_agent.service
install -Dpm 644 ./services/%{srcname}_agent_secure.mount \
%{buildroot}%{_unitdir}/%{srcname}_agent_secure.mount
install -Dpm 644 ./services/%{srcname}_verifier.service \
%{buildroot}%{_unitdir}/%{srcname}_verifier.service
install -Dpm 644 ./services/%{srcname}_registrar.service \
%{buildroot}%{_unitdir}/%{srcname}_registrar.service
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/
%pre base
getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null
getent passwd %{srcname} >/dev/null || \
useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \
-c "Keylime agent unprivileged user" %{srcname} &>/dev/null
# Add keylime user to tss group.
if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then
usermod -a -G tss %{srcname} &>/dev/null
fi
# Check if already use run_as (introduced in 6.3.2).
if ! _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
|| [ -z "${_ug}" ]; then
[ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
&& rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
mkdir -p %{_localstatedir}/lib/rpm-state/%{srcname}
touch %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as
fi
exit 0
%posttrans base
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
chmod 600 %{_sysconfdir}/%{srcname}.conf
# If we just started using run_as, we need to change a few permissions.
if _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
&& [ -n "${_ug}" ] \
&& [ -f %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as ]; then
[ -f %{_sharedstatedir}/%{srcname}/tpmdata.yml ] && \
chown "${_ug}" %{_sharedstatedir}/%{srcname}/tpmdata.yml
if [ -d %{_sharedstatedir}/%{srcname}/cv_ca ]; then
chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca
[ -f %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt ] && \
chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt
fi
fi
[ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
&& rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
exit 0
%post verifier
%systemd_post %{srcname}_verifier.service
%post registrar
%systemd_post %{srcname}_registrar.service
%post -n python3-%{srcname}-agent
%systemd_post %{srcname}_agent.service
%preun verifier
%systemd_preun %{srcname}_verifier.service
%preun registrar
%systemd_preun %{srcname}_registrar.service
%preun -n python3-%{srcname}-agent
%systemd_preun %{srcname}_agent.service
%postun verifier
%systemd_postun_with_restart %{srcname}_verifier.service
%postun registrar
%systemd_postun_with_restart %{srcname}_registrar.service
%postun -n python3-%{srcname}-agent
%systemd_postun_with_restart %{srcname}_agent.service
%files verifier
%license LICENSE
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_unitdir}/keylime_verifier.service
%files registrar
%license LICENSE
%{_bindir}/%{srcname}_registrar
%{_unitdir}/keylime_registrar.service
%files -n python3-%{srcname}-agent
%license LICENSE
%{_bindir}/%{srcname}_agent
%{_unitdir}/%{srcname}_agent.service
%{_unitdir}/%{srcname}_agent_secure.mount
%{_bindir}/%{srcname}_ima_emulator
%files tenant
%license LICENSE
%{_bindir}/%{srcname}_tenant
%files webapp
%license LICENSE
%{_bindir}/%{srcname}_webapp
%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
%files tools
%license LICENSE
%{_bindir}/%{srcname}_userdata_encrypt
%files base
%license LICENSE keylime/static/icons/ICON-LICENSE
%doc README.md
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
%files
%license LICENSE
%changelog
* Wed Apr 06 2022 Sergio Correia <scorreia@redhat.com> - 6.3.2-1
- Updating for Keylime release v6.3.2
* Mon Feb 14 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-1
- Updating for Keylime release v6.3.1
* Tue Feb 08 2022 Sergio Correia <scorreia@redhat.com> - 6.0.3-4
- Add Conflicts clauses for the subpackages
* Mon Feb 07 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-3
- Split keylime into subpackages
Related: rhbz#2045874 - Keylime subpackaging and agent alternatives
* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-2
- Fix permissions of config file
* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-1
- Updating for Keylime release v6.3.0
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 6.1.0-3
- Rebuilt for Python 3.10
* Thu Mar 25 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
- Updating for Keylime release v6.1.0
* Wed Mar 03 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
- Updating for Keylime release v6.0.1
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 6.0.0-2
- Rebuilt for updated systemd-rpm-macros
See https://pagure.io/fesco/issue/2583.
* Wed Feb 24 2021 Luke Hinds <lhinds@redhat.com> 6.0.0-1
- Updating for Keylime release v6.0.0
* Tue Feb 02 2021 Luke Hinds <lhinds@redhat.com> 5.8.1-1
- Updating for Keylime release v5.8.1
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Sat Jan 23 2021 Luke Hinds <lhinds@redhat.com> 5.8.0-1
- Updating for Keylime release v5.8.0
* Fri Jul 17 2020 Luke Hinds <lhinds@redhat.com> 5.7.2-1
- Updating for Keylime release v5.7.2
* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 5.6.2-2
- Rebuilt for Python 3.9
* Fri May 01 2020 Luke Hinds <lhinds@redhat.com> 5.6.2-1
- Updating for Keylime release v5.6.2
* Thu Feb 06 2020 Luke Hinds <lhinds@redhat.com> 5.5.0-1
- Updating for Keylime release v5.5.0
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Dec 12 2019 Luke Hinds <lhinds@redhat.com> 5.4.1-1
Initial Packaging
Reference in New Issue View Git Blame Copy Permalink