%global srcname keylime

Name:    keylime

Version: 6.4.0

Release: 1%{?dist}

Summary: Open source TPM software for Bootstrapping and Maintaining Trust

BuildArch:      noarch

URL:            https://github.com/keylime/keylime

Source0:        https://github.com/keylime/keylime/archive/refs/tags/v%{version}.tar.gz

# Main program: BSD

# Icons: MIT

License: ASL 2.0 and MIT

BuildRequires: git-core

BuildRequires: swig

BuildRequires: openssl-devel

BuildRequires: python3-devel

BuildRequires: python3-dbus

BuildRequires: python3-setuptools

BuildRequires: systemd-rpm-macros

Requires: python3-%{srcname} = %{version}-%{release}

Requires: %{srcname}-base = %{version}-%{release}

Requires: %{srcname}-verifier = %{version}-%{release}

Requires: %{srcname}-registrar = %{version}-%{release}

Requires: %{srcname}-tenant = %{version}-%{release}

Requires: %{srcname}-webapp = %{version}-%{release}

Requires: %{srcname}-tools = %{version}-%{release}

# Agent.

Requires: keylime-agent

Suggests: python3-%{srcname}-agent

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

%{?python_enable_dependency_generator}

%description

Keylime is a TPM based highly scalable remote boot attestation

and runtime integrity measurement solution.

%package base

Summary: The base package contains the default configuration

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires(pre): shadow-utils

Requires: efivar-libs

Requires: procps-ng

Requires: tpm2-tss

Requires: tpm2-tools

%description base

The base package contains the Keylime default configuration

%package -n python3-%{srcname}

Summary: The Python Keylime module

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

%{?python_provide:%python_provide python3-%{srcname}}

%description -n python3-%{srcname}

The python3-keylime module implements the functionality used

by Keylime components.

%package verifier

Summary: The Python Keylime Verifier component

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado

Requires: python3-sqlalchemy

Requires: python3-alembic

Requires: python3-cryptography

Requires: python3-pyyaml

Requires: python3-packaging

Requires: python3-requests

Requires: python3-zmq

Requires: python3-gnupg

Requires: python3-lark-parser

%description verifier

The Keylime Verifier continuously verifies the integrity state

of the machine that the agent is running on.

%package registrar

Summary: The Keylime Registrar component

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado

Requires: python3-sqlalchemy

Requires: python3-alembic

Requires: python3-cryptography

Requires: python3-pyyaml

Requires: python3-packaging

Requires: python3-requests

Requires: python3-zmq

Requires: python3-gnupg

Requires: python3-lark-parser

%description registrar

The Keylime Registrar is a database of all agents registered

with Keylime and hosts the public keys of the TPM vendors.

%package -n python3-%{srcname}-agent

Summary: The Python Keylime Agent

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

# Virtual Provides to support swapping between Python and Rust implementation.

Provides:  keylime-agent

Conflicts: keylime-agent

Requires: python3-psutil

Requires: python3-tornado

Requires: python3-cryptography

Requires: python3-pyyaml

Requires: python3-packaging

Requires: python3-requests

Requires: python3-zmq

Requires: python3-gnupg

Requires: python3-lark-parser

%description -n python3-%{srcname}-agent

The Keylime Agent is deployed to the remote machine that is to be

measured or provisioned with secrets stored within an encrypted

payload released once trust is established.

%package tenant

Summary: The Python Keylime Tenant

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

%description tenant

The Keylime Tenant can be used to provision a Keylime Agent.

%package webapp

Summary: The Python Keylime WebApp GUI

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado

Requires: python3-cryptography

Requires: python3-pyyaml

Requires: python3-packaging

Requires: python3-requests

Requires: python3-zmq

Requires: python3-gnupg

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

%description webapp

The Keylime WebApp GUI interface can be used to provision a Keylime Agent.

%package tools

Summary: Keylime tools

License: MIT

# Conflicts with the monolithic versions of the package, before the split.

Conflicts: keylime < 6.3.0-3

Requires: %{srcname}-base = %{version}-%{release}

Requires: python3-%{srcname} = %{version}-%{release}

Requires: python3-tornado

Requires: python3-cryptography

Requires: python3-pyyaml

Requires: python3-packaging

Requires: python3-requests

Requires: python3-zmq

Requires: python3-gnupg

%description tools

The keylime tools package includes tools like the IMA emulator.

%prep

%autosetup -S git -n %{srcname}-%{version}

%build

%py3_build

%install

%py3_install

mkdir -p %{buildroot}/%{_sharedstatedir}/%{srcname}

mkdir -p --mode=0700 %{buildroot}/%{_rundir}/%{srcname}

mkdir -p --mode=0700 %{buildroot}/%{_localstatedir}/log/%{srcname}

# Setting up the agent to use keylime user/group.

sed -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' -i %{srcname}.conf

install -Dpm 600 %{srcname}.conf \

    %{buildroot}%{_sysconfdir}/%{srcname}.conf

install -Dpm 644 ./services/%{srcname}_agent.service \

    %{buildroot}%{_unitdir}/%{srcname}_agent.service

install -Dpm 644 ./services/%{srcname}_agent_secure.mount \

    %{buildroot}%{_unitdir}/%{srcname}_agent_secure.mount

install -Dpm 644 ./services/%{srcname}_verifier.service \

    %{buildroot}%{_unitdir}/%{srcname}_verifier.service

install -Dpm 644 ./services/%{srcname}_registrar.service \

    %{buildroot}%{_unitdir}/%{srcname}_registrar.service

cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/

%pre base

getent group %{srcname} >/dev/null || groupadd -r %{srcname} &>/dev/null

getent passwd %{srcname} >/dev/null || \

     useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \

     -c "Keylime agent unprivileged user" %{srcname} &>/dev/null

# Add keylime user to tss group.

if getent group tss >/dev/null && ! groups %{srcname} | grep -q "\btss\b"; then

    usermod -a -G tss %{srcname} &>/dev/null

fi

exit 0

%posttrans base

[ -f %{_sysconfdir}/%{srcname}.conf ] && \

    chmod 600 %{_sysconfdir}/%{srcname}.conf && \

    chown %{srcname} %{_sysconfdir}/%{srcname}.conf

[ -d %{_sharedstatedir}/%{srcname} ] && \

    chown -R %{srcname} %{_sharedstatedir}/%{srcname}/

[ -d %{_localstatedir}/log/%{srcname} ] && \

    chown -R %{srcname} %{_localstatedir}/log/%{srcname}/

exit 0

%post verifier

%systemd_post %{srcname}_verifier.service

%post registrar

%systemd_post %{srcname}_registrar.service

%post -n python3-%{srcname}-agent

%systemd_post %{srcname}_agent.service

%preun verifier

%systemd_preun %{srcname}_verifier.service

%preun registrar

%systemd_preun %{srcname}_registrar.service

%preun -n python3-%{srcname}-agent

%systemd_preun %{srcname}_agent.service

%postun verifier

%systemd_postun_with_restart %{srcname}_verifier.service

%postun registrar

%systemd_postun_with_restart %{srcname}_registrar.service

%postun -n python3-%{srcname}-agent

%systemd_postun_with_restart %{srcname}_agent.service

%files verifier

%license LICENSE

%{_bindir}/%{srcname}_verifier

%{_bindir}/%{srcname}_ca

%{_bindir}/%{srcname}_migrations_apply

%{_unitdir}/keylime_verifier.service

%files registrar

%license LICENSE

%{_bindir}/%{srcname}_registrar

%{_unitdir}/keylime_registrar.service

%files -n python3-%{srcname}-agent

%license LICENSE

%{_bindir}/%{srcname}_agent

%{_unitdir}/%{srcname}_agent.service

%{_unitdir}/%{srcname}_agent_secure.mount

%{_bindir}/%{srcname}_ima_emulator

%files tenant

%license LICENSE

%{_bindir}/%{srcname}_tenant

%files webapp

%license LICENSE

%{_bindir}/%{srcname}_webapp

%files -n python3-%{srcname}

%license LICENSE

%{python3_sitelib}/%{srcname}-*.egg-info/

%{python3_sitelib}/%{srcname}

%files tools

%license LICENSE

%{_bindir}/%{srcname}_userdata_encrypt

%files base

%license LICENSE keylime/static/icons/ICON-LICENSE

%doc README.md

%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf

%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}

%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}

%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}

%files

%license LICENSE

%changelog

* Wed May 04 2022 Sergio Correia <scorreia@redhat.com> - 6.4.0-1

- Updating for Keylime release v6.4.0

* Wed Apr 06 2022 Sergio Correia <scorreia@redhat.com> - 6.3.2-1

- Updating for Keylime release v6.3.2

* Mon Feb 14 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-1

- Updating for Keylime release v6.3.1

* Tue Feb 08 2022 Sergio Correia <scorreia@redhat.com> - 6.0.3-4

- Add Conflicts clauses for the subpackages

* Mon Feb 07 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-3

- Split keylime into subpackages

  Related: rhbz#2045874 - Keylime subpackaging and agent alternatives

* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-2

- Fix permissions of config file

* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-1

- Updating for Keylime release v6.3.0

* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-5

- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.1.0-4

- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild

* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 6.1.0-3

- Rebuilt for Python 3.10

* Thu Mar 25 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1

- Updating for Keylime release v6.1.0

* Wed Mar 03 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1

- Updating for Keylime release v6.0.1

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 6.0.0-2

- Rebuilt for updated systemd-rpm-macros

  See https://pagure.io/fesco/issue/2583.

* Wed Feb 24 2021 Luke Hinds <lhinds@redhat.com> 6.0.0-1

- Updating for Keylime release v6.0.0

* Tue Feb 02 2021 Luke Hinds <lhinds@redhat.com> 5.8.1-1

- Updating for Keylime release v5.8.1

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.0-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 23 2021 Luke Hinds <lhinds@redhat.com> 5.8.0-1

- Updating for Keylime release v5.8.0

* Fri Jul 17 2020 Luke Hinds <lhinds@redhat.com> 5.7.2-1

- Updating for Keylime release v5.7.2

* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 5.6.2-2

- Rebuilt for Python 3.9

* Fri May 01 2020 Luke Hinds <lhinds@redhat.com> 5.6.2-1

- Updating for Keylime release v5.6.2

* Thu Feb 06 2020 Luke Hinds <lhinds@redhat.com> 5.5.0-1

- Updating for Keylime release v5.5.0

* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.1-2

- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Thu Dec 12 2019 Luke Hinds <lhinds@redhat.com> 5.4.1-1

– Initial Packaging