%global srcname keylime

Name:           keylime
Version:        6.3.2
Release:        1%{?dist}
Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
BuildArch:      noarch

URL:            https://github.com/keylime/keylime
Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz

# Main program: BSD
# Icons: MIT
License:        ASL 2.0 and MIT

BuildRequires:  git-core
BuildRequires:  swig
BuildRequires:  openssl-devel
BuildRequires:  python3-devel
BuildRequires:  python3-dbus
BuildRequires:  python3-setuptools
BuildRequires:  systemd-rpm-macros

Requires:       python3-%{srcname} = %{version}-%{release}
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       %{srcname}-verifier = %{version}-%{release}
Requires:       %{srcname}-registrar = %{version}-%{release}
Requires:       %{srcname}-tenant = %{version}-%{release}
Requires:       %{srcname}-webapp = %{version}-%{release}
Requires:       %{srcname}-tools = %{version}-%{release}

# Agent.
Requires:       keylime-agent
Suggests:       python3-%{srcname}-agent

# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3

%{?python_enable_dependency_generator}

%description
Keylime is a TPM based highly scalable remote boot attestation and runtime
integrity measurement solution.

%package base
Summary:        The base package contains the default configuration
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires(pre):  shadow-utils
Requires:       efivar-libs
Requires:       procps-ng
Requires:       tpm2-tss
Requires:       tpm2-tools

%description base
The base package contains the Keylime default configuration

%package -n python3-%{srcname}
Summary:        The Python Keylime module
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
%{?python_provide:%python_provide python3-%{srcname}}

%description -n python3-%{srcname}
The python3-keylime module implements the functionality used by Keylime
components.

%package verifier
Summary:        The Python Keylime Verifier component
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}
Requires:       python3-tornado
Requires:       python3-sqlalchemy
Requires:       python3-alembic
Requires:       python3-cryptography
Requires:       python3-pyyaml
Requires:       python3-packaging
Requires:       python3-requests
Requires:       python3-zmq
Requires:       python3-gnupg

%description verifier
The Keylime Verifier continuously verifies the integrity state of the machine
that the agent is running on.

%package registrar
Summary:        The Keylime Registrar component
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}
Requires:       python3-tornado
Requires:       python3-sqlalchemy
Requires:       python3-alembic
Requires:       python3-cryptography
Requires:       python3-pyyaml
Requires:       python3-packaging
Requires:       python3-requests
Requires:       python3-zmq
Requires:       python3-gnupg

%description registrar
The Keylime Registrar is a database of all agents registered with Keylime and
hosts the public keys of the TPM vendors.

%package -n python3-%{srcname}-agent
Summary:        The Python Keylime Agent
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}
# Virtual Provides to support swapping between Python and Rust implementation.
Provides:       keylime-agent
Conflicts:      keylime-agent
Requires:       python3-psutil
Requires:       python3-tornado
Requires:       python3-cryptography
Requires:       python3-pyyaml
Requires:       python3-packaging
Requires:       python3-requests
Requires:       python3-zmq
Requires:       python3-gnupg

%description -n python3-%{srcname}-agent
The Keylime Agent is deployed to the remote machine that is to be measured or
provisioned with secrets stored within an encrypted payload released once trust
is established.

%package tenant
Summary:        The Python Keylime Tenant
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}

%description tenant
The Keylime Tenant can be used to provision a Keylime Agent.

%package webapp
Summary:        The Python Keylime WebApp GUI
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}
Requires:       python3-tornado
Requires:       python3-cryptography
Requires:       python3-pyyaml
Requires:       python3-packaging
Requires:       python3-requests
Requires:       python3-zmq
Requires:       python3-gnupg
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3

%description webapp
The Keylime WebApp GUI interface can be used to provision a Keylime Agent.

%package tools
Summary:        Keylime tools
License:        MIT
# Conflicts with the monolithic versions of the package, before the split.
Conflicts:      keylime < 6.3.0-3
Requires:       %{srcname}-base = %{version}-%{release}
Requires:       python3-%{srcname} = %{version}-%{release}
Requires:       python3-tornado
Requires:       python3-cryptography
Requires:       python3-pyyaml
Requires:       python3-packaging
Requires:       python3-requests
Requires:       python3-zmq
Requires:       python3-gnupg

%description tools
The keylime tools package includes tools like the IMA emulator.

%prep
%autosetup -S git -n %{srcname}-%{version}

%build
%py3_build

%install
%py3_install
mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}
mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

# Setting up the agent to use keylime user/group.
sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf

install -Dpm 600 %{srcname}.conf \
    %{buildroot}%{_sysconfdir}/%{srcname}.conf
install -Dpm 644 ./services/%{srcname}_agent.service \
    %{buildroot}%{_unitdir}/%{srcname}_agent.service
install -Dpm 644 ./services/%{srcname}_agent_secure.mount \
    %{buildroot}%{_unitdir}/%{srcname}_agent_secure.mount
install -Dpm 644 ./services/%{srcname}_verifier.service \
    %{buildroot}%{_unitdir}/%{srcname}_verifier.service
install -Dpm 644 ./services/%{srcname}_registrar.service \
    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/

%pre base
getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null
getent passwd %{srcname} >/dev/null || \
    useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \
            -c "Keylime agent unprivileged user" %{srcname} &>/dev/null

# Add keylime user to tss group.
if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then
    usermod -a -G tss %{srcname} &>/dev/null
fi

# Check if already use run_as (introduced in 6.3.2).
if ! _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
    || [ -z "${_ug}" ]; then
    [ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
        && rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
    mkdir -p %{_localstatedir}/lib/rpm-state/%{srcname}
    touch %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as
fi
exit 0

%posttrans base
[ -f %{_sysconfdir}/%{srcname}.conf ] && \
    chmod 600 %{_sysconfdir}/%{srcname}.conf

# If we just started using run_as, we need to change a few permissions.
if _ug=$(grep ^run_as %{_sysconfdir}/%{srcname}.conf | awk '{ print $3 }') \
    && [ -n "${_ug}" ] \
    && [ -f %{_localstatedir}/lib/rpm-state/%{srcname}/no-run_as ]; then
    [ -f %{_sharedstatedir}/%{srcname}/tpmdata.yml ] && \
        chown "${_ug}" %{_sharedstatedir}/%{srcname}/tpmdata.yml
    if [ -d %{_sharedstatedir}/%{srcname}/cv_ca ]; then
        chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca
        [ -f %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt ] && \
            chown "${_ug}" %{_sharedstatedir}/%{srcname}/cv_ca/cacert.crt
    fi
fi
[ -d %{_localstatedir}/lib/rpm-state/%{srcname} ] \
    && rm -rf %{_localstatedir}/lib/rpm-state/%{srcname}
exit 0

%post verifier
%systemd_post %{srcname}_verifier.service

%post registrar
%systemd_post %{srcname}_registrar.service

%post -n python3-%{srcname}-agent
%systemd_post %{srcname}_agent.service

%preun verifier
%systemd_preun %{srcname}_verifier.service

%preun registrar
%systemd_preun %{srcname}_registrar.service

%preun -n python3-%{srcname}-agent
%systemd_preun %{srcname}_agent.service

%postun verifier
%systemd_postun_with_restart %{srcname}_verifier.service

%postun registrar
%systemd_postun_with_restart %{srcname}_registrar.service

%postun -n python3-%{srcname}-agent
%systemd_postun_with_restart %{srcname}_agent.service

%files verifier
%license LICENSE
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_unitdir}/keylime_verifier.service

%files registrar
%license LICENSE
%{_bindir}/%{srcname}_registrar
%{_unitdir}/keylime_registrar.service

%files -n python3-%{srcname}-agent
%license LICENSE
%{_bindir}/%{srcname}_agent
%{_unitdir}/%{srcname}_agent.service
%{_unitdir}/%{srcname}_agent_secure.mount
%{_bindir}/%{srcname}_ima_emulator

%files tenant
%license LICENSE
%{_bindir}/%{srcname}_tenant

%files webapp
%license LICENSE
%{_bindir}/%{srcname}_webapp

%files -n python3-%{srcname}
%license LICENSE
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}

%files tools
%license LICENSE
%{_bindir}/%{srcname}_userdata_encrypt

%files base
%license LICENSE keylime/static/icons/ICON-LICENSE
%doc README.md
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}

%files
%license LICENSE

%changelog
* Wed Apr 06 2022 Sergio Correia - 6.3.2-1
- Updating for Keylime release v6.3.2

* Mon Feb 14 2022 Sergio Correia - 6.3.1-1
- Updating for Keylime release v6.3.1

* Tue Feb 08 2022 Sergio Correia - 6.0.3-4
- Add Conflicts clauses for the subpackages

* Mon Feb 07 2022 Sergio Correia - 6.3.0-3
- Split keylime into subpackages
  Related: rhbz#2045874 - Keylime subpackaging and agent alternatives

* Thu Jan 27 2022 Sergio Correia - 6.3.0-2
- Fix permissions of config file

* Thu Jan 27 2022 Sergio Correia - 6.3.0-1
- Updating for Keylime release v6.3.0

* Thu Jan 20 2022 Fedora Release Engineering - 6.1.0-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Thu Jul 22 2021 Fedora Release Engineering - 6.1.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Fri Jun 04 2021 Python Maint - 6.1.0-3
- Rebuilt for Python 3.10

* Thu Mar 25 2021 Luke Hinds 6.0.1-1
- Updating for Keylime release v6.1.0

* Wed Mar 03 2021 Luke Hinds 6.0.1-1
- Updating for Keylime release v6.0.1

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 6.0.0-2
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.

* Wed Feb 24 2021 Luke Hinds 6.0.0-1
- Updating for Keylime release v6.0.0

* Tue Feb 02 2021 Luke Hinds 5.8.1-1
- Updating for Keylime release v5.8.1

* Tue Jan 26 2021 Fedora Release Engineering - 5.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 23 2021 Luke Hinds 5.8.0-1
- Updating for Keylime release v5.8.0

* Fri Jul 17 2020 Luke Hinds 5.7.2-1
- Updating for Keylime release v5.7.2

* Tue May 26 2020 Miro Hrončok - 5.6.2-2
- Rebuilt for Python 3.9

* Fri May 01 2020 Luke Hinds 5.6.2-1
- Updating for Keylime release v5.6.2

* Thu Feb 06 2020 Luke Hinds 5.5.0-1
- Updating for Keylime release v5.5.0

* Wed Jan 29 2020 Fedora Release Engineering - 5.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Thu Dec 12 2019 Luke Hinds 5.4.1-1
- Initial Packaging