# Package metadata and dependency declarations for Keylime.
%global srcname keylime

Name:    keylime
Version: 6.4.0
Release: 1%{?dist}
Summary: Open source TPM software for Bootstrapping and Maintaining Trust

BuildArch:      noarch

URL:            https://github.com/keylime/keylime
# NOTE(review): nothing in this spec pins a digest or verifies a signature for
# this tarball, so its integrity depends on whatever the build system records
# for it (for example a dist-git sources checksum) - confirm.
Source0:        https://github.com/keylime/keylime/archive/v%{version}.tar.gz
# NOTE(review): this breakdown said "Main program: BSD", which contradicts the
# License tag below (ASL 2.0); confirm against the LICENSE file that the files
# list ships.
# Main program: ASL 2.0
# Icons: MIT
License: ASL 2.0 and MIT

# NOTE(review): swig and openssl-devel look like native-build dependencies in a
# noarch package; confirm they are still needed, since every extra build
# dependency widens the build-time supply chain.
BuildRequires: swig
BuildRequires: openssl-devel
BuildRequires: python3-setuptools
BuildRequires: python3-devel
BuildRequires: python3-dbus
BuildRequires: python3-pbr
BuildRequires: systemd
BuildRequires: systemd-rpm-macros

# Runtime dependencies: Python libraries plus the TPM 2.0 software stack
# (tpm2-tss) and its command-line tools (tpm2-tools).
Requires: efivar-libs
Requires: procps-ng
Requires: python3-alembic
Requires: python3-gnupg
Requires: python3-pyyaml
Requires: python3-cryptography
Requires: python3-tornado
Requires: python3-sqlalchemy
Requires: python3-requests
Requires: python3-packaging
Requires: python3-psutil
Requires: python3-zmq
Requires: python3-lark-parser
Requires: tpm2-tss
Requires: tpm2-tools

%description
Keylime is a TPM based highly scalable remote boot attestation
and runtime integrity measurement solution.

%prep
# Unpacks Source0 into keylime-<version>. The preamble declares no Patch tags,
# and no signature verification step runs before the sources are used.
%autosetup -n %{srcname}-%{version}

%build
# PBR_VERSION is read by pbr (a BuildRequires above); presumably it is set so
# the version comes from this spec rather than from git metadata, which a
# release tarball would lack - confirm.
export PBR_VERSION=%{version}
%py3_build

%install
# Install the Python package, then lay out the state directories, the config
# file, the systemd units and the TPM certificate store under the buildroot.
export PBR_VERSION=%{version}
%py3_install

# Modes requested here only shape the buildroot, and --mode applies to the
# leaf directory only. The ownership and modes that reach the installed system
# are the ones declared in the files list.
mkdir -p %{buildroot}/%{_sharedstatedir}/keylime
mkdir -p --mode=0700 \
    %{buildroot}/%{_rundir}/%{srcname} \
    %{buildroot}/%{_localstatedir}/log/%{srcname}

# Point the shipped config at the dedicated keylime user/group so the agent
# does not keep running under whatever account upstream's default names.
sed -i -e 's/^run_as.*/run_as = %{srcname}:%{srcname}/g' %{srcname}.conf

# The config file is installed owner-only (0600).
install -D -p -m 600 %{srcname}.conf %{buildroot}%{_sysconfdir}/%{srcname}.conf

# Unit files are world-readable (0644), installed in the same order as before.
for unit in agent.service agent_secure.mount verifier.service registrar.service; do
    install -D -p -m 644 ./services/%{srcname}_${unit} \
        %{buildroot}%{_unitdir}/%{srcname}_${unit}
done

# NOTE(review): tpm_cert_store presumably holds the TPM vendor certificates
# used as trust anchors. It lands inside the state directory, which the files
# list hands to the keylime account - confirm that ownership is intended.
cp -r ./tpm_cert_store %{buildroot}%{_sharedstatedir}/keylime/


%pre
# Create the keylime system group and account before the package payload is
# installed, so the ownership declared in the files list can be applied.
if ! getent group %{srcname} >/dev/null; then
    groupadd -r %{srcname} &>/dev/null
fi

# System account (-r) with a nologin shell; its home is the state directory
# under /var/lib.
if ! getent passwd %{srcname} >/dev/null; then
    useradd -r -g %{srcname} -d %{_localstatedir}/lib/%{srcname} -s /usr/sbin/nologin \
        -c "Keylime agent unprivileged user" %{srcname} &>/dev/null
fi

# Add keylime user to tss group (only when that group exists and the user is
# not already a member). Presumably this gives the unprivileged account access
# to the TPM through tss-owned resources - confirm.
if getent group tss >/dev/null; then
    if ! groups %{srcname} | grep -q "\btss\b"; then
        usermod -a -G tss %{srcname} &>/dev/null
    fi
fi

# All output above is discarded and the scriptlet always reports success, so a
# failed account creation is silent. Verify after install that the keylime
# account exists and owns the config, state and log paths.
exit 0

%posttrans
# Re-assert ownership and the owner-only mode after the transaction, for paths
# that exist on disk. Only the owner is changed; the group is left as it is.
if [ -f %{_sysconfdir}/%{srcname}.conf ]; then
    chmod 600 %{_sysconfdir}/%{srcname}.conf && \
        chown %{srcname} %{_sysconfdir}/%{srcname}.conf
fi

# NOTE(review): these trees belong to the service account, so this root-run
# recursive chown walks content that account controls. It relies on chown -R
# not traversing symlinks (the GNU default) and on the kernel's hardlink
# protection (fs.protected_hardlinks) being enabled - confirm both on targets.
for owned_dir in %{_sharedstatedir}/%{srcname} %{_localstatedir}/log/%{srcname}; do
    if [ -d "${owned_dir}" ]; then
        chown -R %{srcname} "${owned_dir}/"
    fi
done

# Never fail the transaction over an ownership fix-up.
exit 0

%post
# Standard systemd scriptlet: on first install, applies the system preset
# policy to the mount unit and the three services.
%systemd_post %{srcname}_agent_secure.mount %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service

%preun
# Standard systemd scriptlet: on package removal, disables and stops the units.
%systemd_preun %{srcname}_agent_secure.mount %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service

%postun
# Standard systemd scriptlet: on upgrade, restarts units that are running, so
# a package update restarts the agent, verifier and registrar.
%systemd_postun_with_restart %{srcname}_agent_secure.mount %{srcname}_agent.service %{srcname}_verifier.service %{srcname}_registrar.service

%files
# Payload manifest: Python modules, command-line entry points, the config
# file, private runtime/log/state directories and the systemd units.
%license LICENSE keylime/static/icons/ICON-LICENSE
%doc README.md
%{python3_sitelib}/%{srcname}-*.egg-info/
%{python3_sitelib}/%{srcname}
%{_bindir}/%{srcname}_verifier
%{_bindir}/%{srcname}_registrar
%{_bindir}/%{srcname}_agent
%{_bindir}/%{srcname}_tenant
%{_bindir}/%{srcname}_ca
%{_bindir}/%{srcname}_migrations_apply
%{_bindir}/%{srcname}_userdata_encrypt
%{_bindir}/%{srcname}_ima_emulator
%{_bindir}/%{srcname}_webapp
# Config is owner-only (0600, keylime:keylime); noreplace keeps a locally
# edited copy across upgrades.
%config(noreplace) %attr(600,%{srcname},%{srcname}) %{_sysconfdir}/%{srcname}.conf
# NOTE(review): /run is normally a tmpfs, so this packaged directory is gone
# after a reboot unless a tmpfiles.d entry or the unit files (not shown here)
# recreate it with the same 0700 mode and owner - confirm.
%attr(700,%{srcname},%{srcname}) %dir %{_rundir}/%{srcname}
%attr(700,%{srcname},%{srcname}) %dir %{_localstatedir}/log/%{srcname}
# NOTE(review): unlike the two entries above, this one has no dir qualifier,
# so it packages the whole tree - including the tpm_cert_store copied in
# during install - with mode 0700 and keylime ownership on every file.
# Certificate files do not need the execute bit, and a trust store writable by
# the account that consumes it gives no protection if that account is
# compromised. Consider a dir-only entry here plus read-only entries for the
# store.
%attr(700,%{srcname},%{srcname}) %{_sharedstatedir}/%{srcname}
%{_unitdir}/%{srcname}_agent.service
%{_unitdir}/%{srcname}_agent_secure.mount
%{_unitdir}/%{srcname}_verifier.service
%{_unitdir}/%{srcname}_registrar.service

%changelog
* Wed May 04 2022 Sergio Correia <scorreia@redhat.com> - 6.4.0-1
- Updating for Keylime release v6.4.0

* Thu Apr 07 2022 Sergio Correia <scorreia@redhat.com> - 6.3.2-1
- Updating for Keylime release v6.3.2

* Thu Feb 17 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-3
- Fix systemd unit for registrar

* Tue Feb 15 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-2
- Fix dependencies

* Mon Feb 14 2022 Sergio Correia <scorreia@redhat.com> - 6.3.1-1
- Updating for Keylime release v6.3.1

* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-2
- Fix permissions of config file

* Thu Jan 27 2022 Sergio Correia <scorreia@redhat.com> - 6.3.0-1
- Updating for Keylime release v6.3.0

* Thu Mar 25 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
- Updating for Keylime release v6.1.0

* Wed Mar 03 2021 Luke Hinds <lhinds@redhat.com> 6.0.1-1
- Updating for Keylime release v6.0.1

* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 6.0.0-2
- Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.

* Wed Feb 24 2021 Luke Hinds <lhinds@redhat.com> 6.0.0-1
- Updating for Keylime release v6.0.0

* Tue Feb 02 2021 Luke Hinds <lhinds@redhat.com> 5.8.1-1
- Updating for Keylime release v5.8.1

* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 5.8.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

* Sat Jan 23 2021 Luke Hinds <lhinds@redhat.com> 5.8.0-1
- Updating for Keylime release v5.8.0

* Fri Jul 17 2020 Luke Hinds <lhinds@redhat.com> 5.7.2-1
- Updating for Keylime release v5.7.2

* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 5.6.2-2
- Rebuilt for Python 3.9

* Fri May 01 2020 Luke Hinds <lhinds@redhat.com> 5.6.2-1
- Updating for Keylime release v5.6.2

* Thu Feb 06 2020 Luke Hinds <lhinds@redhat.com> 5.5.0-1
- Updating for Keylime release v5.5.0

* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.4.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild

* Thu Dec 12 2019 Luke Hinds <lhinds@redhat.com> 5.4.1-1
- Initial Packaging