Changelog for
python3-keylime-6.3.2-150400.4.20.1.noarch.rpm :
* Thu Aug 24 2023 aplanasAATTsuse.com- Backport patch to avoid the leak of the authorization tag (CVE-2023-38201, boo#1213314) + CVE-2023-38201.patch
* Wed Aug 02 2023 aplanasAATTsuse.com- Backport patches to avoid DoS via SSL (CVE-2023-38200, boo#1213310) + CVE-2023-38200-01.patch + CVE-2023-38200-02.patch + CVE-2023-38200-03.patch
* Wed Oct 26 2022 aplanasAATTsuse.com- Backport CVE-2022-3500.patch (CVE-2022-3500) (bsc#1204782) + Moderate vulnerability where a node can seems as attested when in reality it is not properly attested
* Tue Jul 26 2022 aplanasAATTsuse.com- Drop cfssl default in keylime.conf patch (bsc#1201866)
* Thu Jul 14 2022 aplanasAATTsuse.com- Use chown -h to adjust persmissions for downgrade migration. This skip following symlinks and make the migration possible (bsc#1201466)- Add logrotate configuration for the services- Create run directory as non-root user- Conflict with rust-keylime- Consolidate in _distconfdir when possible- Add fix_exit.diff patch, to exit properly in SLE
* Thu Jun 23 2022 aplanasAATTsuse.com- Remove user downgrade mechanism from the package (CVE-2022-31250, bsc#1200885)
* Wed May 18 2022 aplanasAATTsuse.com- Fix \"run_as\" configuration parameter and set it to keylime:tss- Improve downgrade user migration during package update- Add patches (CVE-2022-1053, boo#1199253): + CVE-2022-1053-01.patch + CVE-2022-1053-02.patch + CVE-2022-1053-03.patch + CVE-2022-1053-04.patch
* Wed Apr 13 2022 aplanasAATTsuse.com- Update to version v6.3.2:
* general: bump Keylime version to 6.3.2
* tpm_main: flush transient objects
* pypi: add notice that the Python API is unstable
* installer: use OpenSSL by default
* Avoid mounting secdir while unmounting it
* remove TPM, VTPM and IMA stubbing support
* archive: remove all archive files
* Change GH reviewers to be from developer group
* added suse / opensuse support with zypper
* Fix tpm import in test_tpm.py
* Fix cfssl configuration in run_tests.sh
* tpm_emulator: improve TPM emulator installation
* config: Add option to enable DB debugging via DEBUG_DB env var
* Enable SQL query cache for JSONPickleType
* tpm_emulator: move everything into systemd services
* Implement broader key support for Keylime\'s signing mechanisms
* tenant: Use exponential backoff on key verification retries
* tenant: Move JSON parsing to capture possible exceptions
* tenant: Move verifier stop from do_quote to do_verify
* pylint: Fix issues related to W0602 global-variable-not-assigned
* tenant: Handle 404 error from registrar gracefully
* pylint: Fix remaining code with issue R1732 consider-using-with
* pylint: Fix R1732 consider-using-with
* pylint: Fix issue detected by pylint-2.13.0
* pylint: Fix issue detected by pylint-2.13.0
* tenant: verify agent quote before adding to verifier
* README: remove tpm2-abrmd and OSX sections
* pylint: Fix issues related to W0102 dangerous-default-value
* pylint: Fix R0201 no-self-use
* pylint: remove W1203 logging-format-interpolation from ignore list
* pylint: remove R1729 use-a-generator from ignore list
* pylint: remove E1120 no-value-for-parameter from ignore list
* pylint: remove W1201 logging-not-lazy from ignore list
* pylint: fix C0209 consider-using-f-string
* pylint: fix C0201 consider-iterating-dictionary
* pylint: fix W1509 subprocess-popen-preexec-fn
* keylime_tenant non-zero exit code on error
* Fix prepare step adjustments in packit-ci.fmf plan
* failure: fix Pattern type hint
* mypy: add initial Mypy configuration
* ima_ast: add type hints
* failure: add type hints
* logging, config: add type hints for logging module
* algorithms: add type hints
* json: add type hints and add JSONType as custom type
* Full allowlist processing when not adding host
* provider, vTPM: remove vTPM manager and provider code
* tpm: fix that the set of missing PCRs is not serializable in failure
* Restores the option to use keylime agents without mTLS
* services: make the services run as keylime user instead of root
* State in --help that SHA-256 is used for --allowlist-checksum
* config: change cacert.pem to cacert.crt
* registrar_client: validate connections against registrar ca certificate
* tenant: validate connections against verifier ca certificate
* request_client: only add custom adapter if TLS is enabled
* setup: add static assets for webapp
* Add TESTING.md describing testing details
* Fix some remaining log format strings
* Fix for database_url parameter with sqlite
* Enable test basic-attestation-with-unpriviledged-agent in Packit CI
* Use lazy string formatting when logging (#535)
* Make Packit CI plan more resource-saving
* keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime)
* agent: Make sure tmpfs is empty even if not mounted or cannot unmount
* agent: Drop privileges by switching to normal user and group
* agent: Move mounting of tmpfs towards beginning of main()
* agent: Read measured boot log near process start
* agent: Open file for IMA log file near process start
* ima: Refactor read_measurement_list() to take file as argument
* Add the policy name to failure event
* tpm_main: Check if tpm_cert_store exists (#553)
* Remove tag input from container build workflow
* Push container images to quay.io/keylime org
* Enable code coverage measurement for e2e tests in Packit CI
* config: fix config search order
* Add defaults for ephemeral keys for agent records
* Update outdated greetings Github messages
* services: add keylime_agent_secure.mount service
* installer.sh: updated tpm2-{tools, tss}, use system packages if possible
* revocation_notifier: convert the data to str in the notifiers
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml- Drop already merged patches
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch
* Thu Feb 24 2022 aplanasAATTsuse.com- Add upstream patches:
* drop_privileges_of_agent_process_after_startup.patch
* config_fix_config_search_order.patch
* services_add_keylime_agent_secure_mount_service.patch- Configure the agent to run as non-root (via keylime.conf)- Add keylime sysuser conf file and deploy as part of the tpm certificate subpackage- Prepare the systemd mount unit for /var/lib/keylime/secure
* Thu Feb 24 2022 aplanasAATTsuse.com- Drop patches beacuse merged upstream:
* version.diff
* cloud_verifier_tornado-use-fork_processes.patch- Drop binaries not used anymore:
* keylime_provider_platform_init
* keylime_provider_registrar
* keylime_provider_vtpm_add- Update to version v6.3.1:
* revocation_notifier: mark webhook threads as daemon and add timeout
* Fix Packit CI test plan Summary
* Enable Packit CI testing on CentOS Stream 8
* Enable Packit CI testing on Fedora Rawhide
* Remove last trace of TPM 1.2 (hopefully)
* verifier: remove start_tornado() function
* verifier: wait for connections to be closed before stopping ioloop
* revocation_notifier: kill ZeroMQ broker if it blocks more than 5s
* Add more e2e tests to Packit CI
* Enable EPEL repo on CentOS Stream in packit.yaml
* agent, crypto: add localhost, server and contact ip to agent certificate
* Add better default repo path for run_local.sh
* Fix incorrect variable name in test_restful
* Run existing agent tests against the rust-keylime agent
* Fix small wording mistakes caught while reading the code
* agent: move key and certificate logging levels from debug to info
* agent: allow absolute paths for rsa_keyname and mtls_cert
* Add missing backend parameter
* cloud_verifier_tornado: use fork_processes
* ci: automatically push release to PyPI
* setup.{py,cfg}: Move setup configuration to setup.cfg
* Add iproute tool to Dockerfile
* Pylint does not like single-line functions.
* A small beauty fix
* This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output
* setup.py: add version number and new Python versions, drop unsed binaries
* setup.py, config: install default configuration into package path
* ci: move old keylime.conf to keylime.conf.orig before running tests
* retry: fix pylint issue
* Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices.
* Ensure columns \"mb_refstate\" and \"allowlist\" are of type LONGTEXT in table \"verifiermain\"
* tenant: add exponential backoff option to retry timings
* cloud verifier: add exponential backoff option to retry timings
* tpm: add exponential backoff option to retry timings
* test, retry: add unit test for retry algorithm
* common: add algorithm for retry time calculation
* registrar, tpm_main: ensure that correct types are commited to DB.
* Fix typo for config param listen_notifications
* Lint is _really_ unhappy today.
* Linty fixes
* Adding a unit test file for tpm_main
* tpm_main: check if PCRs for the hash algorithm are available
* tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm
* agent: output supported_version as result not as a status
* Add missing subcommands to -c help message
* tests: fix mtls_cert generation in test_restful.py
* revocation_notifier: fix socket path permission check
* Remove unused database_query config param
* Move umask calls only on entry points
* config: move directory utilities to fs_util
* Mon Feb 07 2022 aplanasAATTsuse.com- Change back agent_uuid to hostname- Set tpm_hash_alg to sha256 by default- Update version.diff patch to point to the correct version number- Fix issue with Tornado, when multiple workers are started
* Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)
* Thu Jan 27 2022 aplanasAATTsuse.com- Drop patches beacuse merged upstream:
* 0001-Drop-dataclasses-module-usage.patch
* 0001-config-support-merge-multiple-config-files.patch
* 0001-ca-support-back-old-cyptography-API.patch- Update to version v6.3.0:
* Coordinated update to fix: + bsc#1193997 (CVE-2022-23948) + bsc#1193998 (CVE-2021-43310) + bsc#1194000 (CVE-2022-23949) + bsc#1194002 (CVE-2022-23950) + bsc#1194004 (CVE-2022-23951) + bsc#1194005 (CVE-2022-23952)
* secure_mount: add umount function
* secure_mount: use /proc/self/mountinfo
* Validate user ID in all public interfaces
* validators: add uuid and agent_id validators
* validators: create validators module
* revocation_notifier: move zmq socket to /var/run/keylime
* Update API version from 1.0 to 2.0
* tpm: do not compress quote with zlib by default
* verifier: persist AK and mTLS certificate to DB
* verifier: use \"supported_version\" for agent connections
* tenant: add support for \"supported_version\" option for the verifier
* api_version: add the option for basic validation
* verifier: add supported_version field to DB and API
* agent: add /version to REST API
* verifier, tenant: allow agents to not use mTLS
* tenant, verifier: allow manual configuration of agent mTLS
* tests: migrate to mTLS
* tenant: connect to the agent via mTLS
* verifier: connect to the agent via mTLS
* tornado_requests: handle SSLError
* web_util: add mTLS context generation for agent
* agent: Enable mTLS for agent REST API
* crypto: add helper function for creating self signed certs
* registrar: Allow the agent to registrar with a mTLS certificate
* request_client: add workaround for handling certificates
* request_client: add the option to ignore hostname validation
* Better docs and errors about IMA hash mismatches
* tests: use JSON instead Python string for IMA tests
* verifier: use json.loads(..) instead of ast.literal_eval(..)
* Adding Nuvoton certificate for a post 2020 TPM device. The EK cert of the device directs to the following download site: \'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 1111.cer\' (yes, including the spaces)
* Improve revocation notifier IP description in keylime.conf
* tornado_requests: set Content-Type header correctly for JSON
* tenant: post U key to agent with correct Content-Type header
* Explicitly set permissions on new keylime.conf files installed
* tpm_main: close file descriptor for aik handle
* verifier: do not call finish() twice
* agent: fix payload execution
* tests: add initial tests for web_util module
* config, web_util: move get_restful_params(..) to web_util
* verifier: Also retry on HTTP 500 status code
* agent: improve startup and shutdown
* registrar: cleanup start function
* web_util: move echo_json_response(..) out of config.py
* verifier: fix failure generation for V key
* tornado_requests: cleanup TornadoResponse class
* web_util, verifier: move mTLS SSLContext generation into separate module
* ca: support back old cyptography API
* Fix test branch reference in packit.yaml
* ci: disable DeprecationWarning from pylint in tox
* Enable new test in Packit CI
* tenant: fix reactivate command
* config: support merge multiple config files
* ci: use only fedora-stable for packit
* elchecking: harden example policy against event type manipulation
* elchecking: add new tests
* tests: fix stdout formatting for agent and verifier
* Drop dataclasses module usage
* revocation notifier: handle shutdown of process gracefully
* verifier: handle SIGINT and SIGTERM correctly
* ima_emulator: fix IMA hash validation and add more options
* ima_ast: fix handling ToMToU errors
* Remove leftovers of TPM 1.2 support
* agent: improved validation for post function
* agent: better validation for mask and nonce
* config: add function to validate hex strings
* agent: keys/verify check if challenge was provided
* tpm_main: do not append /usr/local/{bin,lib} to default env
* db: only set length on Text type if supported
* json: do not make sqlalchemy a hard requirement
* Enable functional testing with Packit CI
* ima_emulator: specify sys.argv as the named parameter argv in main()
* elchecking example policy: make it work with Fedora 34
* elchecking example policy: initrd
* might be also called initramfs
*
* scripts: add mb_refstate generator for example policy
* config: change tpm_hash_alg to SHA1 by default
* parse_mb_bootlog: specify the used hash algorithm used for PCRs
* agent: add warning that on kernels <5.10 IMA only works with SHA1
* tpm: explicitly pass hash alg to sim_extend(..)
* ima emulator: use IMA AST and support multiple hash algorithms
* tests: update IMA allowlist version number
* ima: add option \'log_hash_alg\' to IMA allowlist
* ima: remove hard requirement for SHA1 PCR 10
* algorithms: extend Hash class to simplify computing hash values
* config, tpm_main: explicitly handle YAML load errors
* config: private_key must be set to -private.pem not -public.pem
* agent: add UUID option environment
* agent: drop openstack uuid option
* Tue Jan 25 2022 aplanasAATTsuse.com- Set /var/lib/keylime under the same permissions expected by the code
* Tue Jan 18 2022 aplanasAATTsuse.com- Add 0001-config-support-merge-multiple-config-files.patch This will allow the merge of config files in /usr/etc and /etc.- Move the configuration file to /usr/etc in new distributions- Add 0001-ca-support-back-old-cyptography-API.patch This is only required for SLE, but the API is compatible with new versions
* Tue Jan 11 2022 aplanasAATTsuse.com- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6
* Tue Jan 11 2022 aplanasAATTsuse.com- Fix cfssl bcond logic in Tumbleweed / SLE
* Mon Jan 10 2022 aplanasAATTsuse.com- Update to version v6.2.1:
* Another addition to gitignore
* Update .gitignore with more Keylime-specific files
* json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy
* ima_ast: check if the PCR is the same as in the config
* Fix permissions issue on volume mount in run_local.sh
* Make run_local.sh use a local copy of the repo
* Small updates to GOVERNANCE.md
* Move cargo-tarpaulin install to separate command
* config: drop registrar_
* TLS options in [registrar] section
* Fix missing && in Dockerfile
* Remove simplejson from scripts and docs
* Replace simplejson with built-in json module
* Add rust-keylime container dependencies
* config: fix getboolean with fallback
* Clean up CI scripts and rewrite run_local.sh
* ima: for ToMToU errors skip template content validation
* ima: Use a set of entry numbers and file offsets to remember multiple positions
* Rename CONTRIBUTORS.md to CONTRIBUTING.md
* Update GOVERNANCE.md to match MAINTAINERS.md rename
* Update MAINTAINERS
* Update README: remove Gitter, Travis CI
* ca: Use UTC when setting certificate validity
* Tenant commands return json
* scripts: Allow passing a base policy to create_policy tool
* ima: Handle the case of ima-sig with a path with spaces in them
* add length to string object
* scripts: Implement create_policy to create the JSON allowlist from files
* ima: Also add a sha256 default boot_aggregate hash with 64 \'0\'s
* ima: Use seek() to get to the last known last entry
* ima: Extend allowlist to be able to handle generic ima-buf entries
* ima: Extend JSON allowlist with \'ima\' entry and \'ignored_keyrings\'
* ima: Populate verifier keyrings with keys taken from ima-buf log line
* ima: Remove methods from ImaKeyring that are now in ImaKeyrings
* ima: Start passing ima_keyrings through APIs replacing ima_keyring
* Extend AgentAttestState with ima_keyrings field and use it
* ima: Implement ImaKeyrings class to support multiple keyrings
* verifier: Extend verifier DB to persist learned keyrings
* Fix a couple of pylint errors
* ima: Fix spurious attestation failures
* ima: make ToMToU errors not a failure by default
* Simple fix for tenant error message printout.
* pylint: Fix errors related to R1714
* pylint: Suppress C0201, C0209 and W0602 newly reported errors
* installer: do not install tpm2-abrmd
* tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd
* verifier: add option to send revocation messages via webhook
* Wed Dec 15 2021 aplanasAATTsuse.com- Fix keylime configuration file attributes
* Tue Dec 14 2021 aplanasAATTsuse.com- Requires python-psutil- Disable automatic execution of the payload by default- Use ramdom UUID by default
* Wed Dec 08 2021 aplanasAATTsuse.com- Introduce a bcond for cfssl detection
* Wed Dec 01 2021 aplanasAATTsuse.com- Drop cfssl if we are not in openSUSE
* Thu Sep 16 2021 aplanasAATTsuse.com- Update to version 6.2.0:
* Fix bug #757 where revoc cert was treated as text
* Code improvement: removal of extra dependencies in measured boot attestation (#755)
* Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines.
* tenant: show severity level and last event id in status
* verifier: move to new failure architecture
* pcr validation: move to new failure architecture
* measured boot: move to new failure architecture
* ima: move to new failure architecture
* failure: add infrastructure to tag and collect revocation events in Keylime
* Simulating use of SSLContext.minimum_version on ssl v3.6
* verifier: fix minor typos
* Add tests for ca_impl_cfssl and ca_util
* Replace M2Crypto with python-cryptography
* tenant: status now shows if a agent was added to the registrar
* tenant: open file to send utf-8 encoded
* Correct some comments about and remove vestige in MB policy
* fixing a small bug that resulted in malformed refstates not failing MBA
* agent: ensure that EK is in PEM format when used as uuid
* Solves #703 by adding a \"non-trivial\" example of a \"measured boot policy\" (#734)
* ci: build and publish container images
* codestyle: fix W0612 and R1735 pylint errors
* codestyle: fix W1514 pylint error
* systemd: Add KillSignal=SIGINT to keylime_agent.service
* One-liner to set the minimum version of TLS to v1.2
* pylint fix
* Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py
* Refactor keylime_logging module
* ima: Implement ima-buf validator and validate keys on keyrings (#725)
* Remove Python 2 leftovers
* Additional fix for the processing of \"tpm_policy\"
* ima: Return an empty allowlist rather than a plain empty list
* verifier: convert (v)tpm_policy in DB from string to JSONPickleType
* verifier: Create AgentAttestState objects from entries in the db
* verifier: Persist the IMA attestation state after running the log verification
* db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries
* verifier: Skip attestation one time if agent\'s boottime changed
* test: Add test case simulating iterative attestation
* verifier: Delete an AgentAttestState when deleting an agent
* ima: Remember the number of lines successfully processed and last IMA PCR value(s)
* ima: Reset the attestation if processing the measurement list fails
* debug: Show line number when PCR match occurs
* verifier: Extend AgentAttestState with state of the IMA PCR
* Consult the AgentAttestState for the next measurement list entry
* Introduce an AgentAttestState class for passing state through the APIs
* verifier: Request IMA log at entry 0 for now
* agent: Get boottime and transfer to verifier
* agent: Add support for optional IMA log offset parameter
* tests: Add a unit test for the IMA function and run it
* agent: Move IMA measurement list reading function to ima.py
* Add default verifier-check value
* Use tox for pylint
* Use Fedora 34 as base image for CI container
* Run ci jobs only when needed
* config: merge convert and list_convert into the same function
* Versioned APIs
* Refacator of check_pcrs to parse then validate (#716)
* Automatically calculates the boot_aggregate from the measured boot log. (#713)
* Set default UUID as lowercase (#699)
* tenant: do_cvdelete wait until 404
* Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON
* ima: Convert pcrval to bytes to increase efficiency
* tests: extend ima tests for signature validation and exclude lists
* Allow agents to specify a contact ip address and port for the tenant and CV (#690)
* verifer: Fix signature and allowlist evaluation bahavior change
* ima: Fix runtime error due to wrong datatype
* tenant: add the option to specify the registrar ip and port
* measured_boot: drop process_refstate
* check_pcrs: match PCR if no mb_refstate is provided
* ci: make run_local.sh work with newer docker versions
* Fixing pylint errors (#698)
* tests: add IMA test where validation should be ignored
* ima: Use ima_ast for parsing and validation
* tests: Add test for ima AST parser
* ima: Introducing a AST for parsing and validation
* Make stalebot a bit nicer
* enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier
* Flush all sessions from TPM device (#682)
* multiple named verifiers sharing a single database
* webapp: fix tls certs paths (#659)
* Corrects markdown to have proper rendering (#673)
* ima_file_signatures: Extract keyidv2 from x509 certs
* installer: Add \'-r\' option to cp to copy directory (issue #671)
* config: Add optional fallback parameter to get()
* agent: Fix the usage of dmidecode during the agent startup (issue #664)
* agent: Rename allowlist to ima_allowlist in keylime.conf
* Fix decoding error in user_data_encrypt
* agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list
* Addresses issue #660 (database path while running local tests) (#665)
* ima: Return \'None\' when ImaKeyring.from_string() called with emtpy string
* tests: Move unittests into files with suffix _test.py
* Fixes and improvements for database configuration (#654)
* Add signature verification support for local and remote IMA signature verification keys (#597)
* install: Remove TPM 1.2 support from installer and bundeling scripts
* CI/CD: Remove tpm1.2 testing support
* Remove duplicated calls to verifier
* Remove adding entropy to system rng
* Cleanup and fix error case in encryptAIK (#648)
* Move measured boot related code into functions to make check_pcrs readable (#642)
* Move code related to tpm2_checkquote into its own function (#639)
* scripts: Cleanup shell script formatting
* installer.sh: Do not delete the local copy of the certificates.
* Fix user_data_encrypt to UTF8 decode before print
* tpm_abstract: Fix adding of entropy
* codestyle: Ignore R1732 implemented by pylint >=2.8.0
* a fix for letting JSON encoding bytes correctly
* Adding back reglist to the list of commands that don\'t need a -t argument
* Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624)
* Addresses #436 (#611)
* Fixes #620
* Include PCR16 in the quote only when needed
* Close leaking file descriptors (#622)
* installer.sh: Add missing spaces when efivar is added
* More ima_emulator_adapter cleanups (#616)
* installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build
* Remove more commented code in ca_util.py
* installer: Only install efi library on x86_64 systems
* Create allowlist table and basic API support
* installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build
* WIP: Some cleanups (#612)
* Remove _cLime.c
* config: Document the measured boot PCRs and what is using them
* Very simple fix for the agent (re: measured boot) The agent code does not need to import \"measured boot policies\"
* ima_emulator_adapater: Remove unnecessary global statement
* webapp: Fix private key and certificate path (issue #604)
* Add support for keylime_webapp service to read intervals from keylime.conf
* Mon Jul 26 2021 aplanasAATTsuse.com- Update to Keylime 6.1.1 + keylime_tenant add crash with TypeError: Object of type \'bytes\' is not JSON serializable + Whenever Keylime agent starts and cannot contact the registrar, it fails and quits without flushing create EK handles + keylime_tenant -c reglist now requires a \"-t\" parameter for no reason + Duplicated API calls to verifier in webapp backend + Installer deletes tpm_cert_store files + agent_uuid set to dmidecode crashes Keylime + Copying of tpm_cert_store fails during installation + If the PCR belong to a measured boot list, it is not validated + keylime_tenant --c update fails with a race condition- Drop patches already present in the new version + webapp-fix-tls-certs-paths.patch + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch + tenant-do_cvdelete-wait-until-404.patch
* Wed Jul 21 2021 aplanasAATTsuse.com- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command
* Mon Jul 19 2021 aplanasAATTsuse.com- Adjust the default revocation notifier binding IP- Default to CFSSL in keylime.conf
* Wed Jul 14 2021 aplanasAATTsuse.com- Add config-libefivars.diff to adjust the path of the library
* Thu Jul 08 2021 aplanasAATTsuse.com- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695)- Recommends CFSSL in the registrar (actually should be the CA)- Change default value for require_ek_cert to False- Reorder the patches to separate upstream fixes from openSUSE ones
* Thu Jun 10 2021 aplanasAATTsuse.com- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659)- Recommend dmidecode for the agent- Require libtss2-tcti-{device0,tabrmd0} to use abrmd service- Add keylime.conf.diff patch to change the default config file- Add keylime.xml for firewalld service definition
* Tue Apr 27 2021 aplanasAATTsuse.com- Update to version 6.1.0:
* Update python cryptography lib to v3.3.2
* installer.sh improvments
* run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py
* Fourth and final PR to address #491 (#580)
* scripts: Also use pylint-3 if pylint is not installed
* agent: Fix the checking for a specific error returned by tpm2_quote
* Allowlist verification - Enhancement #16
* Forgot to remove the original, more crude solution (which caused pylint errors)
* New and improved code to fix issue #582
* Consistent formatting for logging strings