Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tik for openSUSE:Factory checked in at 2024-08-01 22:04:11 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tik (Old) and /work/SRC/openSUSE:Factory/.tik.new.7232 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "tik" Thu Aug 1 22:04:11 2024 rev:16 rq:1190654 version:1.2.3 Changes: -------- --- /work/SRC/openSUSE:Factory/tik/tik.changes 2024-07-25 16:03:17.985321664 +0200 +++ /work/SRC/openSUSE:Factory/.tik.new.7232/tik.changes 2024-08-01 22:04:29.968640054 +0200 @@ -1,0 +2,19 @@ +Wed Jul 31 12:30:38 UTC 2024 - rbrown@suse.com + +- Update to version 1.2.3: + * encrypt: recoverykey is now always slot #2 + +------------------------------------------------------------------- +Wed Jul 31 12:27:03 UTC 2024 - rbrown@suse.com + +- Update to version 1.2.2: + * encrypt: create passphrase before recoverykey to keep key slot alignment with Default Mode + +------------------------------------------------------------------- +Wed Jul 31 12:05:50 UTC 2024 - rbrown@suse.com + +- Update to version 1.2.1: + * mig: Actually check if /@/home mount fails (boo#1227714) + * encrypt: Fix boo#1228416 by doing enrolment in correct order + +------------------------------------------------------------------- Old: ---- tik-1.2.obscpio New: ---- tik-1.2.3.obscpio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tik.spec ++++++ --- /var/tmp/diff_new_pack.7EHZ9A/_old 2024-08-01 22:04:30.552664142 +0200 +++ /var/tmp/diff_new_pack.7EHZ9A/_new 2024-08-01 22:04:30.556664307 +0200 
@@ -17,7 +17,7 @@ Name: tik -Version: 1.2 +Version: 1.2.3 Release: 0 Summary: Transactional Installation Kit License: MIT ++++++ _service ++++++ --- /var/tmp/diff_new_pack.7EHZ9A/_old 2024-08-01 22:04:30.580665296 +0200 +++ /var/tmp/diff_new_pack.7EHZ9A/_new 2024-08-01 22:04:30.580665296 +0200 @@ -3,7 +3,7 @@ <service name="obs_scm" mode="manual"> <param name="url">https://github.com/sysrich/tik.git</param> <param name="scm">git</param> - <param name="revision">v1.2</param> + <param name="revision">v1.2.3</param> <param name="versionformat">@PARENT_TAG@</param> <param name="changesgenerate">enable</param> <param name="versionrewrite-pattern">v(.*)</param> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.7EHZ9A/_old 2024-08-01 22:04:30.600666121 +0200 +++ /var/tmp/diff_new_pack.7EHZ9A/_new 2024-08-01 22:04:30.604666286 +0200 @@ -1,6 +1,6 @@ <servicedata> <service name="tar_scm"> <param name="url">https://github.com/sysrich/tik.git</param> - <param name="changesrevision">a17b5aa348938da12eeb79a0dbc1f7b257bd0da0</param></service></servicedata> + <param name="changesrevision">d013149dc0fe0b7acb3a894f73547a846c237d2a</param></service></servicedata> (No newline at EOF) ++++++ tik-1.2.obscpio -> tik-1.2.3.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.2/usr/lib/tik/modules/post/15-encrypt new/tik-1.2.3/usr/lib/tik/modules/post/15-encrypt --- old/tik-1.2/usr/lib/tik/modules/post/15-encrypt 2024-07-24 14:32:45.000000000 +0200 +++ new/tik-1.2.3/usr/lib/tik/modules/post/15-encrypt 2024-07-31 14:29:58.000000000 +0200 
@@ -64,7 +64,7 @@
 prun /usr/sbin/cryptsetup luksOpen --key-file=${tik_keyfile} ${cryptpart} aeon_root
 echo "35" > ${encrypt_pipe}
 prun /usr/bin/mount -o compress=zstd:1 /dev/mapper/aeon_root ${encrypt_dir}/mnt
- for i in proc dev sys 'sys/firmware/efi/efivars' 'sys/fs/cgroup'; do
+ for i in proc dev sys tmp 'sys/firmware/efi/efivars' 'sys/fs/cgroup'; do
 prun /usr/bin/mount --bind "/$i" "${encrypt_dir}/mnt/$i"
 done
 prun /usr/bin/mount -o compress=zstd:1,subvol=/@/.snapshots /dev/mapper/aeon_root ${encrypt_dir}/mnt/.snapshots
@@ -73,7 +73,6 @@
 eval prun "$etcmountcmd"
 prun /usr/bin/mount ${esppart} ${encrypt_dir}/mnt/boot/efi
 prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/run"
- prun /usr/bin/mount -t tmpfs tmpfs "${encrypt_dir}/mnt/tmp"
 prun /usr/bin/mount -t securityfs securityfs "${encrypt_dir}/mnt/sys/kernel/security"
 echo "42" > ${encrypt_pipe}
 }
@@ -133,6 +132,14 @@
 WantedBy=default.target
 EOF
 prun /usr/bin/ln -s ${encrypt_dir}/mnt/etc/systemd/system/firstboot-update-predictions.service ${encrypt_dir}/mnt/etc/systemd/system/default.target.wants/firstboot-update-predictions.service
+ log "[configure_encryption] Generating Predictions"
+ echo "# Generating TPM Predictions" > ${encrypt_pipe}
+ prun /usr/bin/chroot ${encrypt_dir}/mnt sdbootutil -vv update-predictions
+ echo "73" > ${encrypt_pipe}
+ log "[configure_encryption] Default Mode - Enrolling ${cryptpart} to TPM 2.0"
+ echo "# Enrolling to TPM" > ${encrypt_pipe}
+ prun /usr/bin/chroot ${encrypt_dir}/mnt systemd-cryptenroll --unlock-key-file=${tik_keyfile} --tpm2-device=auto ${cryptpart}
+ echo "76" > ${encrypt_pipe}
 fi
 }
@@ -143,7 +150,6 @@
 prun /usr/bin/umount "${encrypt_dir}/mnt/$i"
 done
 prun /usr/bin/umount ${encrypt_dir}/mnt
- prun /usr/bin/rmdir ${encrypt_dir}/mnt
 prun /usr/sbin/cryptsetup luksClose aeon_root
 echo "77" > ${encrypt_pipe}
 }
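Review bot: Adding `tmp` to the bind-mount loop makes the installer environment's whole /tmp visible inside the target chroot, where the line removed in the next hunk used to give the chroot a private tmpfs. This looks intended to let the chrooted `systemd-cryptenroll` added later read `${tik_keyfile}`, but the page does not show where that file lives, so a comment such as `# host /tmp is bind-mounted so chrooted tools can read ${tik_keyfile}` would make the dependency explicit. If only the key file is needed, binding just that file read-only would expose less of the host to anything run in the chroot. The enclosing function begins outside the hunk.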
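Review bot: The added `systemd-cryptenroll` line passes `${tik_keyfile}` and `${cryptpart}` unquoted, and nothing visible in the hunk checks the result before the progress value moves on to 76. Quote both, `--unlock-key-file="${tik_keyfile}" --tpm2-device=auto "${cryptpart}"`, and, unless `prun` (defined outside this page) already aborts on failure, stop here when enrolment fails: the recovery-key token later in this file assumes a fixed key slot, which only holds if this step actually took one. The enclosing `if` and function start outside the hunk.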
@@ -167,23 +173,24 @@ echo "# Adding recovery key to ${cryptpart}" > ${encrypt_pipe} log "[add_recoveryKey] adding recovery key to ${cryptpart}" prun /usr/sbin/cryptsetup luksAddKey --key-file=${tik_keyfile} --batch-mode --force-password "${cryptpart}" <<<"${key}" - echo '{"type":"systemd-recovery","keyslots":["1"]}' | prun /usr/sbin/cryptsetup token import "${cryptpart}" + echo '{"type":"systemd-recovery","keyslots":["2"]}' | prun /usr/sbin/cryptsetup token import "${cryptpart}" echo "100" > ${encrypt_pipe} } display_recoveryKey() { local defaultmsg="This ${TIK_OS_NAME} system is encrypted and checks its own integrity on every boot\nIn the event of these integrity checks failing, you will need to use the Recovery Key provided below to enter this system\n\nLikely reasons for integrity checks failing include:\n\n• UEFI System Firmware updated\n• Secure Boot changed from enabled or disabled\n• Boot drive was moved to a different computer\n• Disk partitions were changed\n• Boot loader or initrd were altered unexpectedly\n\nIf you are unaware as to why the system is requesting the recovery key, this systems security may have been compromised\nThe best course of action may be to not unlock the disk until you can determine what changed to require the Recovery Key\n\nThis systems Recovery Key is:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\n\n" - local fallbackmsg="This ${TIK_OS_NAME} system is encrypted and will require a Passphrase on every boot\n\nYou will be prompted to set the Passphrase on the next screen\n\nIn addition a Recovery Key has been generated:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\nIt may be used to regain access to this system if the other Passphrase becomes lost or forgotten\n\n" + local fallbackmsg="In addition to your Passphrase a Recovery Key has been generated:\n\n <b><big>${key}</big></b>\n\nPlease save this secret Recovery Key in a secure location\nIt 
may be used to regain access to this system if the other Passphrase becomes lost or forgotten\n\n" local message [ "${tik_encrypt_mode}" == 0 ] && message=${defaultmsg} [ "${tik_encrypt_mode}" == 1 ] && message=${fallbackmsg} log "[display_recoveryKey] displaying recovery key" - zenity --width=500 --height=500 --no-wrap --warning --title="Encryption Recovery Key" --text="${message}You may optionally scan the recovery key off screen:\n<span face='monospace'>$(qrencode ${key} -t UTF8i)</span>\nFor more information please visit <tt>https://aeondesktop.org/encrypt</tt>" + zenity --width=500 --height=500 --no-wrap --warning --icon=security-high-symbolic --title="Encryption Recovery Key" --text="${message}You may optionally scan the recovery key off screen:\n<span face='monospace'>$(qrencode ${key} -t UTF8i)</span>\nFor more information please visit <tt>https://aeondesktop.org/encrypt</tt>" log "[display_recoveryKey] recovery key dialogue dismissed" } add_key() { if [ "${tik_encrypt_mode}" == 1 ]; then + d --width=500 --height=300 --no-wrap --warning --icon=security-high-symbolic --title="Set Encryption Passphrase" --text="This ${TIK_OS_NAME} system is encrypted and will require a Passphrase on every boot\n\nYou will be prompted to set the Passphrase on the next screen\n\nFor more information please visit <tt>https://aeondesktop.org/encrypt</tt>" log "[add_key] Fallback Mode - Prompting user for passphrase for ${cryptpart}" # Not using 'd' function to avoid logging the password while true @@ -200,9 +207,6 @@ ;; esac done - else - log "[add_key] Default Mode - Enrolling ${cryptpart} to TPM 2.0" - prun /usr/bin/systemd-cryptenroll --unlock-key-file=${tik_keyfile} --tpm2-device=auto ${cryptpart} > >(d --progress --title="Finalising Encryption" --text="Enrolling to TPM 2.0" --pulsate --auto-close --no-cancel --width=400) fi } 
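Review bot: The token import now names key slot 2, but the `luksAddKey` line directly above still lets cryptsetup choose the first free slot, so the token is only right when exactly two slots are already in use at that point. Pinning the slot on the add as well, `cryptsetup luksAddKey --key-slot 2 --key-file=${tik_keyfile} ...`, would turn a skipped or failed earlier enrolment into an error instead of a recovery token that points at the wrong slot. On the changed `zenity` line the recovery key reaches `qrencode` as an unquoted command-line argument; `$(printf '%s' "${key}" | qrencode -t UTF8i)` keeps it out of the argument list. add_key's body continues past the end of the hunk.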
@@ -212,7 +216,7 @@
 open_partition
 configure_encryption
 close_partition
+add_key
 generate_recoveryKey
 add_recoveryKey
-display_recoveryKey
-add_key
\ No newline at end of file
+display_recoveryKey
\ No newline at end of file
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tik-1.2/usr/lib/tik/modules/pre/20-mig new/tik-1.2.3/usr/lib/tik/modules/pre/20-mig
--- old/tik-1.2/usr/lib/tik/modules/pre/20-mig 2024-07-24 14:32:45.000000000 +0200
+++ new/tik-1.2.3/usr/lib/tik/modules/pre/20-mig 2024-07-31 14:29:58.000000000 +0200
@@ -81,7 +81,8 @@
 if [ -n "${probedpart}" ]; then
 prun /usr/bin/mkdir ${mig_dir}/mnt
- if prun-opt /usr/bin/mount -o compress=zstd:1,subvol=/@/home ${probedpart} ${mig_dir}/mnt; then
+ prun-opt /usr/bin/mount -o compress=zstd:1,subvol=/@/home ${probedpart} ${mig_dir}/mnt
+ if [ ${retval} -eq 0 ]; then
 prun /usr/sbin/btrfs quota rescan -w ${mig_dir}/mnt | d --progress --title="Detected existing /home subvolume.." --pulsate --auto-close --no-cancel --width=400
 home_size=$(prun /usr/sbin/btrfs qgroup show --raw -f ${mig_dir}/mnt | grep @/home$ | awk '{print $2}')
 tik_stick_size=$(prun /usr/sbin/btrfs fi usage --raw ${mig_dir} | grep estimated | awk '{print $3}')
++++++ tik.obsinfo ++++++
--- /var/tmp/diff_new_pack.7EHZ9A/_old 2024-08-01 22:04:30.700670246 +0200
+++ /var/tmp/diff_new_pack.7EHZ9A/_new 2024-08-01 22:04:30.700670246 +0200
@@ -1,5 +1,5 @@
 name: tik
-version: 1.2
-mtime: 1721824365
-commit: a17b5aa348938da12eeb79a0dbc1f7b257bd0da0
+version: 1.2.3
+mtime: 1722428998
+commit: d013149dc0fe0b7acb3a894f73547a846c237d2a
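Review bot: `[ ${retval} -eq 0 ]` is unquoted and relies on `prun-opt` leaving its status in a global `retval`, which this page does not show; if that variable is empty or unset the test degrades to `[ -eq 0 ]`, prints an error and is treated as false. Writing it as `if [ "${retval:-1}" -eq 0 ]; then` fails closed without the stray error, and `${probedpart}` and `${mig_dir}` on the mount line deserve quotes too. The `if` block continues outside the hunk.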