[packages/clevis] - new
baggins
baggins at pld-linux.org
Sun Mar 29 15:47:57 CEST 2026
commit 75f120b35341885e81420c223bf4cbe5566f7360
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Sun Mar 29 16:47:38 2026 +0200
- new
clevis.spec | 225 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
clevis.sysusers | 3 +
2 files changed, 228 insertions(+)
---
diff --git a/clevis.spec b/clevis.spec
new file mode 100644
index 0000000..4d43b67
--- /dev/null
+++ b/clevis.spec
@@ -0,0 +1,225 @@
+Summary: Automated decryption framework
+Name: clevis
+Version: 22
+Release: 1
+License: GPL v3
+Group: Applications
+Source0: https://github.com/latchset/clevis/releases/download/v%{version}/%{name}-%{version}.tar.xz
+# Source0-md5: 24e15de2bd9c0d6198e0e6f45c24fa33
+Source1: %{name}.sysusers
+URL: https://github.com/latchset/clevis
+BuildRequires: asciidoc
+BuildRequires: audit-libs-devel
+BuildRequires: bash-completion-devel
+BuildRequires: cryptsetup
+BuildRequires: curl
+BuildRequires: desktop-file-utils
+BuildRequires: dracut
+BuildRequires: gcc
+BuildRequires: jose-devel >= 8
+BuildRequires: jq
+BuildRequires: luksmeta-devel >= 8
+BuildRequires: meson
+BuildRequires: ninja
+BuildRequires: opensc
+BuildRequires: openssl
+BuildRequires: openssl-devel
+BuildRequires: pcsc-lite
+BuildRequires: pkgconfig
+BuildRequires: systemd-devel
+BuildRequires: tpm2-tools >= 4.0.0
+BuildRequires: udisks2-devel
+Requires: coreutils
+Requires: curl
+Requires: jose >= 8
+Requires: jq
+Requires: luksmeta
+Requires: tang >= 6
+Requires: tpm2-tools >= 4.0.0
+Requires: tpm2-tss >= 4.0.0
+Requires(post): systemd
+Requires: clevis-pin-tpm2
+Provides: group(clevis)
+Provides: user(clevis)
+
+%description
+Clevis is a framework for automated decryption. It allows you to
+encrypt data using sophisticated unlocking policies which enable
+decryption to occur automatically.
+
+The clevis package provides basic encryption/decryption policy
+support. Users can use this directly; but most commonly, it will be
+used as a building block for other packages. For example, see the
+clevis-luks and clevis-dracut packages for automatic root volume
+unlocking of LUKSv1/LUKSv2 volumes during early boot.
+
+%package luks
+Summary: LUKS integration for clevis
+Group: Libraries
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: cryptsetup
+Requires: luksmeta >= 8
+
+%description luks
+LUKS integration for clevis. This package allows you to bind a LUKS
+volume to a clevis unlocking policy. For automated unlocking, an
+unlocker will also be required. See, for example, clevis-dracut and
+clevis-udisks2.
+
+%package systemd
+Summary: systemd integration for clevis
+Group: Libraries
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+Requires: systemd >= 236
+
+%description systemd
+Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
+
+%package dracut
+Summary: Dracut integration for clevis
+Group: Libraries
+Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
+Requires: dracut-network
+
+%description dracut
+Automatically unlocks LUKS block devices in early boot.
+
+%package udisks2
+Summary: UDisks2/Storaged integration for clevis
+Group: Libraries
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+
+%description udisks2
+Automatically unlocks LUKS block devices in desktop environments that
+use UDisks2 or storaged (like GNOME).
+
+%package pin-pkcs11
+Summary: PKCS#11 for clevis
+Group: Libraries
+Requires: %{name}-dracut%{?_isa} = %{version}-%{release}
+Requires: %{name}-luks%{?_isa} = %{version}-%{release}
+Requires: %{name}-systemd%{?_isa} = %{version}-%{release}
+Requires: opensc
+Requires: openssl
+Requires: pcsc-lite
+Requires: socat
+
+%description pin-pkcs11
+Automatically unlocks LUKS block devices through a PKCS#11 device.
+
+%prep
+%setup -q
+
+%build
+
+%meson -Duser=clevis -Dgroup=clevis
+%meson_build
+
+%meson_test
+
+%install
+rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT%{_sysusersdir}
+
+%meson_install
+
+cp -p %{SOURCE1} $RPM_BUILD_ROOT%{_sysusersdir}/clevis.conf
+
+%pre
+%groupadd -g 358 %{name}
+%useradd -u 358 -d /usr/share/empty -g %{name} -G tss -c "Clevis Decryption Framework unprivileged user" %{name}
+
+%post systemd
+systemctl preset clevis-luks-askpass.path || :
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(644,root,root,755)
+%doc COPYING
+%{_datadir}/bash-completion/
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-tang
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-tpm2
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-sss
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-null
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-file
+%attr(755,root,root) %{_bindir}/%{name}-decrypt
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-tang
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-tpm2
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-sss
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-null
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-file
+%attr(755,root,root) %{_bindir}/%{name}
+%{_mandir}/man1/%{name}-encrypt-tang.1*
+%{_mandir}/man1/%{name}-encrypt-tpm2.1*
+%{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-encrypt-file.1*
+%{_mandir}/man1/%{name}-decrypt.1*
+%{_mandir}/man1/%{name}.1*
+%{_sysusersdir}/clevis.conf
+
+%files luks
+%defattr(644,root,root,755)
+%attr(755,root,root) %{_bindir}/%{name}-luks-unlock
+%attr(755,root,root) %{_bindir}/%{name}-luks-unbind
+%attr(755,root,root) %{_bindir}/%{name}-luks-bind
+%attr(755,root,root) %{_bindir}/%{name}-luks-common-functions
+%attr(755,root,root) %{_bindir}/%{name}-luks-list
+%attr(755,root,root) %{_bindir}/%{name}-luks-edit
+%attr(755,root,root) %{_bindir}/%{name}-luks-regen
+%attr(755,root,root) %{_bindir}/%{name}-luks-report
+%attr(755,root,root) %{_bindir}/%{name}-luks-pass
+%{_mandir}/man7/%{name}-luks-unlockers.7*
+%{_mandir}/man1/%{name}-luks-unlock.1*
+%{_mandir}/man1/%{name}-luks-unbind.1*
+%{_mandir}/man1/%{name}-luks-bind.1*
+%{_mandir}/man1/%{name}-luks-list.1.*
+%{_mandir}/man1/%{name}-luks-edit.1.*
+%{_mandir}/man1/%{name}-luks-regen.1.*
+%{_mandir}/man1/%{name}-luks-report.1.*
+%{_mandir}/man1/%{name}-luks-pass.1.*
+
+%files systemd
+%defattr(644,root,root,755)
+%{_libexecdir}/%{name}-luks-askpass
+%{_libexecdir}/%{name}-luks-unlocker
+%{systemdunitdir}/%{name}-luks-askpass.path
+%{systemdunitdir}/%{name}-luks-askpass.service
+
+%files dracut
+%defattr(644,root,root,755)
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}
+%{_prefix}/lib/dracut/modules.d/50%{name}/clevis-hook.sh
+%{_prefix}/lib/dracut/modules.d/50%{name}/module-setup.sh
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-null
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-null/module-setup.sh
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-sss
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-sss/module-setup.sh
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-tang
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-tang/module-setup.sh
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-tpm2
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-tpm2/module-setup.sh
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-file
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-file/module-setup.sh
+
+%files udisks2
+%defattr(644,root,root,755)
+%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
+
+%files pin-pkcs11
+%defattr(644,root,root,755)
+%{_libexecdir}/%{name}-luks-pkcs11-askpass
+%{_libexecdir}/%{name}-luks-pkcs11-askpin
+%attr(755,root,root) %{_bindir}/%{name}-decrypt-pkcs11
+%attr(755,root,root) %{_bindir}/%{name}-encrypt-pkcs11
+%attr(755,root,root) %{_bindir}/%{name}-pkcs11-afunix-socket-unlock
+%attr(755,root,root) %{_bindir}/%{name}-pkcs11-common
+%{systemdunitdir}/%{name}-luks-pkcs11-askpass.service
+%{systemdunitdir}/%{name}-luks-pkcs11-askpass.socket
+%{_mandir}/man1/%{name}-encrypt-pkcs11.1*
+%dir %{_prefix}/lib/dracut/modules.d/50%{name}-pin-pkcs11
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-pkcs11/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-pkcs11/%{name}-pkcs11-hook.sh
+%{_prefix}/lib/dracut/modules.d/50%{name}-pin-pkcs11/%{name}-pkcs11-prehook.sh
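Review bot: `Requires: tang >= 6` in the main package makes the Tang server a hard runtime dependency of every clevis client, yet tang is missing from BuildRequires even though `%meson_test` runs in `%build`. The tang pin reaches a remote server through curl and jose, which are already required, so the server looks necessary only for the test suite. Consider `BuildRequires: tang >= 6` and dropping the runtime line, so client machines do not get an extra key-server package installed. Separately, the `%{_libexecdir}` entries in `%files systemd` and `%files pin-pkcs11` carry no `%attr(755,root,root)` and fall under `%defattr(644,root,root,755)`, which would likely leave the helpers that the units start non-executable. The setuid-root line `%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2` would also benefit from a comment such as `# setuid root on purpose; expected to drop to the clevis user configured via -Duser/-Dgroup (confirm against upstream)`.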
diff --git a/clevis.sysusers b/clevis.sysusers
new file mode 100644
index 0000000..58284b7
--- /dev/null
+++ b/clevis.sysusers
@@ -0,0 +1,3 @@
+u clevis 358:358 "Clevis Decryption Framework unprivileged user" /usr/share/empty -
+g clevis 358 - -
+m clevis tss
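Review bot: The UID/GID 358 and the `tss` membership declared here are repeated in the spec's `%pre` (`%groupadd -g 358`, `%useradd -u 358 ... -G tss`), and nothing ties the two definitions together. A header comment such as `# keep in sync with %pre in clevis.spec` would make the duplication visible to whoever changes one of them. It would also help to record why the account is in `tss`, presumably for access to the TPM device after privileges are dropped, once that is confirmed.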
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/clevis.git/commitdiff/75f120b35341885e81420c223bf4cbe5566f7360