# SPDX-FileCopyrightText: Sergio Arroutbi # # SPDX-License-Identifier: MIT # Disable debuginfo generation for Rust binaries %global debug_package %{nil} Name: clevis-pin-trustee Version: 0.1.0 Release: 1%{?dist} Summary: Clevis PIN for Trustee attestation License: MIT URL: https://github.com/sarroutbi/clevis-pin-trustee Source0: %{name}-%{version}-vendor.tar.gz BuildRequires: rust >= 1.85.0 BuildRequires: cargo >= 1.85.0 BuildRequires: openssl-devel # Runtime dependencies Requires: clevis Requires: jose %description clevis-pin-trustee is a Clevis PIN that implements encryption and decryption operations using remote attestation via a Trustee server. It enables automated unlocking of LUKS-encrypted volumes in confidential computing environments by fetching encryption keys from Trustee servers after successful attestation. %prep %autosetup -n %{name}-%{version} # Verify vendored dependencies are present if [ ! -d vendor ]; then echo "Error: vendor directory not found in source tarball" exit 1 fi %build # Build using vendored dependencies (offline mode) # The .cargo/config.toml in the tarball configures vendored sources export CARGO_HOME=$(pwd)/.cargo cargo build --release --offline %install # Install main binary install -D -m 0755 target/release/%{name} %{buildroot}%{_bindir}/%{name} # Install Clevis wrapper scripts install -D -m 0755 clevis-encrypt-trustee %{buildroot}%{_bindir}/clevis-encrypt-trustee install -D -m 0755 clevis-decrypt-trustee %{buildroot}%{_bindir}/clevis-decrypt-trustee %check # Run tests with vendored dependencies export CARGO_HOME=$(pwd)/.cargo cargo test --release --offline %files %license LICENSES/MIT.txt %doc README.md %{_bindir}/%{name} %{_bindir}/clevis-encrypt-trustee %{_bindir}/clevis-decrypt-trustee %changelog * Wed Nov 26 2025 Sergio Arroutbi - 0.1.0-1 - Initial release - Clevis PIN for Trustee attestation - Support for multiple Trustee server URLs with failover - Certificate-based TLS authentication - Optional initdata for attestation context