File keylime.spec of Package keylime.26599

Overview Repositories Revisions Requests Users Attributes Meta

File keylime.spec of Package keylime.26599

#
# spec file for package keylime
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

%global srcname keylime
%{?!python_module:%define python_module() python-%{**} python3-%{**}}
%define skip_python2 1
# Consolidate _distconfdir and _sysconfdir
%if 0%{?_distconfdir:1}
  %define _config_norepl %{nil}
%else
  %define _distconfdir   %{_sysconfdir}
  %define _config_norepl %config(noreplace)
%endif
Name:           keylime
Version:        6.3.2
Release:        0
Summary:        Open source TPM software for Bootstrapping and Maintaining Trust
License:        Apache-2.0 AND MIT
URL:            https://github.com/keylime/keylime
Source0:        %{name}-v%{version}.tar.xz
Source1:        keylime.xml
Source2:        %{name}-user.conf
Source3:        logrotate.%{name}
Source4:        tmpfiles.%{name}
# PATCH-FIX-OPENSUSE keylime.conf.diff
Patch1:         keylime.conf.diff
# PATCH-FIX-OPENSUSE config-libefivars.diff
Patch2:         config-libefivars.diff
# PATCH-FIX-UPSTREAM CVE-2022-1053-0{1234}.patch boo#1199253
Patch3:         CVE-2022-1053-01.patch
Patch4:         CVE-2022-1053-02.patch
Patch5:         CVE-2022-1053-03.patch
Patch6:         CVE-2022-1053-04.patch
Patch7:         CVE-2022-3500.patch
# PATCH-FIX-SLE
Patch8:         fix_exit.diff
BuildRequires:  %{python_module setuptools}
BuildRequires:  fdupes
BuildRequires:  firewall-macros
BuildRequires:  python-rpm-macros
BuildRequires:  sysuser-tools
Requires:       libtss2-tcti-device0
Requires:       libtss2-tcti-tabrmd0
Requires:       procps
Requires:       python-M2Crypto
Requires:       python-PyYAML
Requires:       python-SQLAlchemy
Requires:       python-alembic
Requires:       python-cryptography
Requires:       python-psutil
Requires:       python-python-gnupg
Requires:       python-pyzmq
Requires:       python-requests
Requires:       python-simplejson
Requires:       python-tornado
Requires:       tpm2-0-tss
Requires:       tpm2.0-abrmd
Requires:       tpm2.0-tools
Requires(post): update-alternatives
Requires(postun):update-alternatives
Conflicts:      rust-keylime
BuildArch:      noarch
%python_subpackages

%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.

%package -n %{name}-config
Summary:        Configuration file for keylime
Requires:       python3-%{name} = %{version}
Conflicts:      rust-keylime

%description -n %{name}-config
Subpackage of %{name} for the shared configuration file of the agent
and the server components.

%package -n %{name}-firewalld
Summary:        Firewalld service file for keylime
Requires:       python3-%{name} = %{version}
Conflicts:      rust-keylime

%description -n %{name}-firewalld
Subpackage of %{name} for the firewalld XML service file.

%package -n %{name}-tpm_cert_store
Summary:        Certify store for the TPM
Requires:       python3-%{name} = %{version}
Conflicts:      rust-keylime

%description -n %{name}-tpm_cert_store
Subpackage of %{name} for storing the TPM certificates.

%package -n %{name}-agent
Summary:        Keylime agent service
Requires:       %{name}-config = %{version}
Requires:       %{name}-logrotate = %{version}
Requires:       %{name}-tpm_cert_store = %{version}
Requires:       python3-%{name} = %{version}
Recommends:     %{name}-firewalld = %{version}
Recommends:     dmidecode
Conflicts:      rust-keylime

%description -n %{name}-agent
Subpackage of %{name} for agent service.

%package -n %{name}-registrar
Summary:        Keylime registrar service
Requires:       %{name}-config = %{version}
Requires:       %{name}-logrotate = %{version}
Requires:       %{name}-tpm_cert_store = %{version}
Requires:       python3-%{name} = %{version}
Recommends:     %{name}-firewalld = %{version}
Conflicts:      rust-keylime

%description -n %{name}-registrar
Subpackage of %{name} for registrar service.

%package -n %{name}-verifier
Summary:        Keylime verifier service
Requires:       %{name}-config = %{version}
Requires:       %{name}-logrotate = %{version}
Requires:       %{name}-tpm_cert_store = %{version}
Requires:       python3-%{name} = %{version}
Recommends:     %{name}-firewalld = %{version}
Conflicts:      rust-keylime

%description -n %{name}-verifier
Subpackage of %{name} for verifier service.

%package -n %{name}-logrotate
Summary:        Logrotate for Keylime servies
Requires:       logrotate
Conflicts:      rust-keylime

%description -n %{name}-logrotate
Subpacakge of %{name} for logrotate for Keylime services

%prep
%autosetup -p1 -n %{name}-v%{version}

%build
%python_build
%sysusers_generate_pre %{SOURCE2} %{name} %{name}-user.conf

%install
export VERSION=%{version}
%python_install

cp -r %{srcname}/static %{buildroot}%{python_sitelib}/%{srcname}

%python_clone -a %{buildroot}%{_bindir}/%{srcname}_verifier
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_registrar
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_agent
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_tenant
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_ca
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_migrations_apply
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_userdata_encrypt
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_ima_emulator
%python_clone -a %{buildroot}%{_bindir}/%{srcname}_webapp

%python_expand %fdupes %{buildroot}%{$python_sitelib}

install -Dpm 0600 %{srcname}.conf %{buildroot}%{_distconfdir}/%{srcname}.conf
install -Dpm 0644 ./services/%{srcname}_agent.service %{buildroot}%{_unitdir}/%{srcname}_agent.service
install -Dpm 0644 ./services/%{srcname}_agent_secure.mount %{buildroot}%{_unitdir}/var-lib-%{srcname}-secure.mount
install -Dpm 0644 ./services/%{srcname}_verifier.service %{buildroot}%{_unitdir}/%{srcname}_verifier.service
install -Dpm 0644 ./services/%{srcname}_registrar.service %{buildroot}%{_unitdir}/%{srcname}_registrar.service

install -Dpm 0644 %{SOURCE1} %{buildroot}%{_prefix}/lib/firewalld/services/%{srcname}.xml
install -Dpm 0644 %{SOURCE2} %{buildroot}%{_sysusersdir}/%{name}-user.conf
install -Dpm 0644 %{SOURCE3} %{buildroot}%{_distconfdir}/logrotate.d/%{name}
install -Dpm 0644 %{SOURCE4} %{buildroot}%{_tmpfilesdir}/%{name}.conf
install -d %{buildroot}%{_localstatedir}/log/%{name}

mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/%{srcname}/
%fdupes %{buildroot}%{_sharedstatedir}/%{srcname}/

# %%check
# %%pyunittest -v

%post
%python_install_alternative %{srcname}_verifier
%python_install_alternative %{srcname}_registrar
%python_install_alternative %{srcname}_agent
%python_install_alternative %{srcname}_tenant
%python_install_alternative %{srcname}_ca
%python_install_alternative %{srcname}_migrations_apply
%python_install_alternative %{srcname}_userdata_encrypt
%python_install_alternative %{srcname}_ima_emulator
%python_install_alternative %{srcname}_webapp

%postun
%python_uninstall_alternative %{srcname}_verifier
%python_uninstall_alternative %{srcname}_registrar
%python_uninstall_alternative %{srcname}_agent
%python_uninstall_alternative %{srcname}_tenant
%python_uninstall_alternative %{srcname}_ca
%python_uninstall_alternative %{srcname}_migrations_apply
%python_uninstall_alternative %{srcname}_userdata_encrypt
%python_uninstall_alternative %{srcname}_ima_emulator
%python_uninstall_alternative %{srcname}_webapp

%post -n %{srcname}-firewalld
%firewalld_reload

%pre -n %{srcname}-tpm_cert_store -f %{srcname}.pre

%post -n %{srcname}-tpm_cert_store
%tmpfiles_create %{srcname}.conf
# Help the upgrade process when moving to a non-root services
#
# The '-h' parameter alone will not change the ownership of the linked
# file, only of the link itself.  This is secure because the user
# still cannot read or write the file if the linked file does is from
# a different user with restricted permissions.
#
# The '-h' parameter with '-R' will also do the right thing.  In this
# case, if the directory is a symlink it will change only the
# ownership of the link and will stop changes, i.e. it will not change
# ownership of the linked directory files.
chown -h -R keylime:tss %{_sharedstatedir}/%{srcname}/ca 2> /dev/null || :
chown -h -R keylime:tss %{_sharedstatedir}/%{srcname}/secure 2> /dev/null || :
chown -h -R keylime:tss %{_sharedstatedir}/%{srcname}/cv_ca 2> /dev/null || :
chown -h -R keylime:tss %{_localstatedir}/log/%{srcname} 2> /dev/null || :
chown -h -R keylime:tss %{_rundir}/%{srcname} 2> /dev/null || :
chown -h keylime:tss %{_sharedstatedir}/%{srcname}/*.sqlite 2> /dev/null || :
chown -h keylime:tss %{_sharedstatedir}/%{srcname}/*.yml 2> /dev/null || :
chown -h keylime:tss %{_sysconfdir}/%{srcname}.conf 2> /dev/null || :

%pre -n %{srcname}-verifier
%service_add_pre %{srcname}_verifier.service

%post -n %{srcname}-verifier
%service_add_post %{srcname}_verifier.service

%preun -n %{srcname}-verifier
%service_del_preun %{srcname}_agent.service

%postun -n %{srcname}-verifier
%service_del_postun %{srcname}_verifier.service

%pre -n %{srcname}-registrar
%service_add_pre %{srcname}_registrar.service

%post -n %{srcname}-registrar
%service_add_post %{srcname}_registrar.service

%preun -n %{srcname}-registrar
%service_del_preun %{srcname}_registrar.service

%postun -n %{srcname}-registrar
%service_del_postun %{srcname}_registrar.service

%pre -n %{srcname}-agent
%service_add_pre %{srcname}_agent.service
%service_add_pre var-lib-%{srcname}-secure.mount

%post -n %{srcname}-agent
%service_add_post %{srcname}_agent.service
%service_add_post var-lib-%{srcname}-secure.mount

%preun -n %{srcname}-agent
%service_del_preun %{srcname}_agent.service
%service_del_preun var-lib-%{srcname}-secure.mount

%postun -n %{srcname}-agent
%service_del_postun %{srcname}_agent.service
%service_del_postun var-lib-%{srcname}-secure.mount

%files %{python_files}
%doc README.md
%license LICENSE keylime/static/icons/ICON-LICENSE
%python_alternative %{_bindir}/%{srcname}_verifier
%python_alternative %{_bindir}/%{srcname}_registrar
%python_alternative %{_bindir}/%{srcname}_agent
%python_alternative %{_bindir}/%{srcname}_tenant
%python_alternative %{_bindir}/%{srcname}_ca
%python_alternative %{_bindir}/%{srcname}_migrations_apply
%python_alternative %{_bindir}/%{srcname}_userdata_encrypt
%python_alternative %{_bindir}/%{srcname}_ima_emulator
%python_alternative %{_bindir}/%{srcname}_webapp
%{python_sitelib}/*

%files -n %{srcname}-config
%_config_norepl %attr (0600,keylime,tss) %{_distconfdir}/%{srcname}.conf

%files -n %{srcname}-firewalld
%dir %{_prefix}/lib/firewalld
%dir %{_prefix}/lib/firewalld/services
%{_prefix}/lib/firewalld/services/%{srcname}.xml

%files -n %{srcname}-tpm_cert_store
%dir %attr(0700,keylime,tss) %{_sharedstatedir}/%{srcname}
%dir %{_sharedstatedir}/%{srcname}/tpm_cert_store
%{_sharedstatedir}/%{srcname}/tpm_cert_store/*
# We use this subpackage to store other unrelated things, as far as is
# required by all the services
%{_sysusersdir}/%{srcname}-user.conf
%ghost %dir %attr(0700,keylime,tss) %{_rundir}/%{srcname}
%{_tmpfilesdir}/%{srcname}.conf

%files -n %{srcname}-agent
%{_unitdir}/%{srcname}_agent.service
%{_unitdir}/var-lib-%{srcname}-secure.mount

%files -n %{srcname}-registrar
%{_unitdir}/%{srcname}_registrar.service

%files -n %{srcname}-verifier
%{_unitdir}/%{srcname}_verifier.service

%files -n %{srcname}-logrotate
%_config_norepl %{_distconfdir}/logrotate.d/%{srcname}
%dir %attr(0750,keylime,tss) %{_localstatedir}/log/%{srcname}

%changelog

Places

File keylime.spec of Package keylime.26599

Places