swtpm (0.10.1+ds-1ubuntu1) resolute; urgency=medium

  * Merge with Debian unstable (LP: #2126004).
    This is the first merge of swtpm histories between Debian and Ubuntu. As
    such, all superficial differences in the packaging have been removed in
    favor of matching Debian to reduce delta. Non-trivial changes from Debian
    include:
    - Addition of swtpm-libs binary package containing swtpm common libraries.
    - Addition of swtpm-dev binary package containing files for the CUSE
      interface.
    - d/copyright cleanup.
    - Additional patches:
      + increase-poll-timeout.patch: Double poll timeout to account for when
        swtpm creates a key.
      + automake-do-not-remove-checked-in-selinux-source-files.patch: Avoid
        cleaning up checked-in SELinux source files on distclean.
      + automake-remove-more-generated-files-on-distclean.patch: Remove
        additional unneeded files on distclean.
      + swtpm-install-sysusers.d-and-tmpfiles.d-configs.patch: Install
        sysusers.d and tmpfiles.d configs and remove swtpm-tools.postinst from
        configure.ac inclusions.
      + tests-Retry-NVWrite-command-after-0x922-return-code.patch: Retry
        NVWrite command in tests after 0x922 return code.
    - Add hardening=+all
    - Use --without-selinux in configuration.
    - Include binaries in self-tests.
    - Add command-line autopkgtest.
  * Remaining changes:
    - d/t/run-tests: Add autopkgtest to run upstream test suite.
    - d/swtpm-tools.postinst: Include upstream packaging fixes in postinst.
    - Use swtpm user for swtpm to avoid overloading tss user already used for
      physical tpm ACLs (LP: #1949060).
      + d/rules: Set tss user in configure.
      + d/swtpm-tools.postinst: Swap from tss user to swtpm user.
      + d/control: Add adduser dependency to swtpm-tools for creating swtpm
        user.
    - d/p/openssl-not-certtool.patch: Use openssl at runtime, not certtool.
    - d/control: Add openssl runtime dependency to swtpm-tools.
    - Add apparmor profile to swtpm (LP: #1950631).
      + d/usr.bin.swtpm: Create new apparmor profile.
      + d/swtpm.install: Copy apparmor profile to /etc/apparmor.d/.
      + d/rules: Deploy the swtpm apparmor profile.
      + d/control: Add dh-apparmor as a dependency.
    - d/clean: Clean man and gch files from source tree during build.
    - d/rules: Add dh_clean override from upstream.
    - d/p/fortify-source.patch: Add patch to force the buildsystem to build
      with -D_FORTIFY_SOURCE=3.
    - d/rules: Ignore make check tests when nocheck option set.
  * Dropped Changes:
    - d/p/no-autoconf-in-debian.patch
      [Included in swtpm-install-sysusers.d-and-tmpfiles.d-configs.patch]
    - d/swtpm-tools.install: swtpm_setup and swtpm-localca manpage inclusions.
      [Files removed upstream in 0.8]
  * d/NEWS: Add NEWS file to document changes from this initial Debian merge.

 -- Lena Voytek <lena.voytek@canonical.com>  Thu, 18 Dec 2025 09:15:50 -0500

swtpm (0.10.1+ds-1) unstable; urgency=medium

  * Implement package salvaging protocol (Closes: #1113719)
  * Mark swtpm-dev as MA: same
  * d/control: bump Standards-Version to 4.7.2, no changes
  * Add d/salsa-ci.yml
  * d/rules: drop manual nocheck workaround
  * Build with package-notes ELF stamping
  * Add lintian overrides for spare-manual-page
  * Drop upstream machinery to make swtpm_cert optional to install
  * d/rules: drop manual autogen.sh
  * Exclude upstream debian/ directory from imports
  * New upstream version 0.10.1 (Closes: #1025738)
  * Drop fix-typos.patch, merged upstream
  * Drop move-conf-and-options-files-to-man5.patch, merged upstream
  * Bump dependency on libtpms-dev
  * d/not-installed: list upstream installed-tests
  * Drop build dependency on fuse (Closes: #1084403)
  * d/rules: explicitly disable selinux support
  * d/rules: avoid cleaning up checked in source file
  * Backport patches to fix make maintainer-clean (Closes: #1049074)
  * Backport patch to install sysusers.d and tmpfiles.d configs and use
    them
  * increase-poll-timeout.patch: update header and set forwarded tag
  * Backport patch to fix failing test
  * Add support for nocheck profile

 -- Luca Boccassi <bluca@debian.org>  Mon, 22 Sep 2025 19:31:08 +0100

swtpm (0.7.3-0ubuntu9) resolute; urgency=medium

  * No-change mass rebuild for Ubuntu 26.04 (LP: #2132257)

 -- Sebastien Bacher <seb128@debian.org>  Sat, 06 Dec 2025 12:03:22 +0100

swtpm (0.7.3-0ubuntu8) plucky; urgency=medium

  * d/usr.bin.swtpm: Allow additional tmp directory access through user-tmp
    abstraction, and remove the original full /tmp permissions (LP: #2086736)

 -- Lena Voytek <lena.voytek@canonical.com>  Fri, 08 Nov 2024 15:25:24 -0700

swtpm (0.7.3-0ubuntu7) oracular; urgency=medium

  * d/usr.bin.swtpm:
    - Add sys_admin capability to apparmor profile to allow access to kernel
      modules such as tpm_vtpm_proxy (LP: #2071478)
    - Allow non-owned lockfile write access in /var/lib/libvirt/swtpm/ to fix
      apparmor denials when working with TPM2 locks (LP: #2072524)

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 09 Jul 2024 06:06:00 -0700

swtpm (0.7.3-0ubuntu6) oracular; urgency=medium

  * Fix autopkgtests following dpkg changes (LP: #2071468)

 -- Gianfranco Costamagna <locutusofborg@debian.org>  Tue, 09 Jul 2024 12:29:58 +0200

swtpm (0.7.3-0ubuntu5) noble; urgency=medium

  * Add patch to force the buildsystem to build with -D_FORTIFY_SOURCE=3

 -- Jeremy Bícha <jbicha@ubuntu.com>  Tue, 02 Apr 2024 15:18:02 -0400

swtpm (0.7.3-0ubuntu4) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- William Grant <wgrant@ubuntu.com>  Mon, 01 Apr 2024 19:21:09 +1100

swtpm (0.7.3-0ubuntu3) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 21:29:18 +0000

swtpm (0.7.3-0ubuntu2) mantic; urgency=medium

  * d/usr.bin.swtpm: Configure apparmor to grant access to relevant files in
    /run/user/<UID>/libvirt/qemu/run/swtpm/ when using the qemu:///session
    bus (LP: #2017874)

 -- Olivier Gayot <olivier.gayot@canonical.com>  Fri, 04 Aug 2023 11:10:37 +0200

swtpm (0.7.3-0ubuntu1) lunar; urgency=medium

  * New upstream release 0.7.3:
    - Bug fixes include:
      + Fix secure boot failure - TPM 2.0 not supported (LP: #2012028)
  * Add new debian/ files from upstream
    - d/clean: Clean man and gch files from source tree during build
    - d/not-installed: Do not install .la lib files with package
    - d/swtpm-libs.install: Install swtpm .so files with swtpm-libs package
  * d/rules: Add dh_clean and dh_makeshlibs overrides from upstream
  * d/swtpm-tools.install: Update installation of swtpm-tools files for 0.7
  * d/control: Remove unneeded dependencies for 0.7
  * Remove d/p/0001-Install-swtpm-localca-to-the-correct-path.patch as it is
    no longer needed to change swtpm-localca's path
  * d/p/no-autoconf-in-debian.patch: Refresh to clean fuzz
  * d/p/openssl-not-certtool.patch: Update and refresh to apply with 0.7

 -- Lena Voytek <lena.voytek@canonical.com>  Wed, 22 Mar 2023 14:03:19 -0700

swtpm (0.7.1-1.5) unstable; urgency=medium

  * Non-maintainer upload
  * Drop hard-coded Depends on libtpms0 from swtpm-libs.
    The correct, versioned dependency is automatically computed by
    dh_shlibdeps.
  * Remove any dependency on libglib2.0 from swtpm-libs.
    This basically reverts 62c6de07746efd63d9ab14893854a827dd3693e5 and
    simply drops any hard-coded reference on libglib2.0-0 from swtpm-libs.
    The library libswtpm_libtpms does not actually use anything from glib.
    (Closes: #1086348)

 -- Michael Biebl <biebl@debian.org>  Sat, 02 Nov 2024 21:43:55 +0100

swtpm (0.7.1-1.4) unstable; urgency=medium

  * Non-maintainer upload
  * Don't hard-code dependency on shared library package (Closes: #1068602)

 -- Bastian Germann <bage@debian.org>  Sat, 20 Apr 2024 10:43:03 +0000

swtpm (0.7.1-1.3) unstable; urgency=medium

  * Non-maintainer upload
  * Revert "Remove essential Depends: adduser"

 -- Bastian Germann <bage@debian.org>  Thu, 18 May 2023 19:52:09 +0200

swtpm (0.7.1-1.2) unstable; urgency=high

  * Non-maintainer upload
  * Patch: Increase poll timeout (Closes: #1036101)
  * Add autopkgtest
  * Remove essential Depends: adduser

 -- Bastian Germann <bage@debian.org>  Thu, 18 May 2023 19:16:12 +0200

swtpm (0.7.1-1.1) unstable; urgency=medium

  * Non-maintainer upload
  * swtpm-dev: Add missing Depends: swtpm-libs (#1035460)

 -- Bastian Germann <bage@debian.org>  Fri, 12 May 2023 19:06:09 +0200

swtpm (0.7.1-1) unstable; urgency=medium

  * New upstream version 0.7.1
  * Fix a security issue, CVE-2022-23645
  * debian/control: Change Standards-Version to 4.6.0

 -- Seunghun Han <kkamagui@gmail.com>  Tue, 22 Feb 2022 16:50:30 +0900

swtpm (0.7.0-1) unstable; urgency=medium

  * Initial release. (Closes: #941199)

 -- Seunghun Han <kkamagui@gmail.com>  Fri, 22 Oct 2021 13:53:57 +0900

swtpm (0.6.3-0ubuntu5) lunar; urgency=medium

  * d/usr.bin.swtpm: Allow swtpm to also access /run/libvirt/qemu/swtpm/*.pid
    files that it does not own (LP: #1989100)

 -- Lena Voytek <lena.voytek@canonical.com>  Mon, 24 Oct 2022 10:52:06 -0700

swtpm (0.6.3-0ubuntu4) kinetic; urgency=medium

  * d/usr.bin.swtpm: Update apparmor profile to match swtpm upstream
    In between adding the apparmor profile to Ubuntu and merging upstream,
    additional rules were used to cover more common use cases. (LP: #1992377)
    - The six capability lines fix the broken upstream unit test cases:
      test_ctrlchannel, test_vtpm_proxy, test_tpm2_file_permissions,
      test_tpm2_save_load_state_2_block, and test_tpm2_ctrlchannel2
    - owner @{HOME}/** rwk was added as using a folder in one's home directory
      is common for managing tpm states
    - Access in the tmp directory is further generalized as this is where swtpm
      interacts with qemu and libvirt
    - The ability to read from /etc/nsswitch.conf was added for vtpm proxy to
      work

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 11 Oct 2022 10:54:21 -0700

swtpm (0.6.3-0ubuntu3) jammy; urgency=medium

  * d/usr.bin.swtpm: Add additional apparmor rules
    - allow full interaction with libvirt (LP: #1968187)
    - add qemu socket rules (LP: #1968335)

 -- Lena Voytek <lena.voytek@canonical.com>  Tue, 12 Apr 2022 07:49:45 -0700

swtpm (0.6.3-0ubuntu2) jammy; urgency=medium

  * d/p/openssl-not-certtool.patch: do not use rnd file (LP: #1968131)
    RANDFILE isn't needed anymore in openssl and furthermore breaks many
    use cases here as HOME isn't resolved and therefore it accessed $CWD/.rnd
    which often ends up in places it isn't able to access the file.
    Thanks to Simon Deziel for the suggested fix!

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Thu, 07 Apr 2022 16:07:21 +0200

swtpm (0.6.3-0ubuntu1) jammy; urgency=medium

  * Update to the stable release v0.6.3 (LP: #1948748)
    - swtpm:
      + Do not chdir(/) when using --daemon
      + Check header size indicator against expected size (CVE-2022-23645)
    - swtpm-localca:
      + Re-implement variable resolution for swtpm-localca.conf
      + Test for available issuercert before creating CA
    - tests:
      + Use ${WORKDIR} in config files to test env. var replacement
    - man:
      + Add missing .config directory to path description when using ${HOME}
    - build-sys:
      + Add probing for -fstack-protector
      + configure: Fix typo TPM2 -> TMP2
    - swtpm_setup:
      + Report stderr as returned by external tool (swtpm-localca)
      + Fix exit code on error to be '1'.
  * d/usr.bin.swtpm: fix hang on unix sockets due to apparmor rules

 -- Christian Ehrhardt <christian.ehrhardt@canonical.com>  Tue, 22 Mar 2022 09:31:40 +0100

swtpm (0.6.1-0ubuntu6) jammy; urgency=medium

  * Add apparmor profile to swtpm (LP: #1950631)
    - d/usr.bin.swtpm: Create new apparmor profile
    - d/swtpm.install: Copy apparmor profile to /etc/apparmor.d/
    - d/rules: Deploy the swtpm apparmor profile
    - d/control: Add dh-apparmor as a dependency

 -- Lena Voytek <lena.voytek@canonical.com>  Fri, 18 Feb 2022 14:24:14 -0700

swtpm (0.6.1-0ubuntu5) jammy; urgency=medium

  * debian/patches/openssl-not-certtool.patch: Use traditional format
    output as expected by tests.
  * Set executable bit on debian/tests/run-tests.

 -- Dimitri John Ledkov <dimitri.ledkov@canonical.com>  Thu, 02 Dec 2021 17:54:13 +0000

swtpm (0.6.1-0ubuntu4) jammy; urgency=medium

  * debian/patches/openssl-not-certtool.patch: Use openssl at runtime,
    not certtool.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 05 Nov 2021 13:16:42 -0700

swtpm (0.6.1-0ubuntu3) jammy; urgency=medium

  * Don't use the tss user for swtpm, this overloads a user already used for
    physical tpm ACLs.  LP: #1949060.
  * Add missing adduser dependency to swtpm-tools.
  * Add missing debhelper token to swtpm-tools.postinst.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 28 Oct 2021 05:47:30 -0700

swtpm (0.6.1-0ubuntu2) jammy; urgency=medium

  * Include packaging fixes from upstream to the postinst.
  * Drop tpm-udev dependency, not needed because we create the tss user
    ourselves now as needed.
  * Add autopkgtests.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 25 Oct 2021 20:52:45 -0700

swtpm (0.6.1-0ubuntu1) jammy; urgency=medium

  * Initial release, using packaging from upstream.
  * debian/patches/0001-Install-swtpm-localca-to-the-correct-path.patch:
    Install swtpm-localca to the correct path.
  * debian/patches/no-autoconf-in-debian.patch: don't modify debian
    directory from upstream configure script.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 24 Oct 2021 01:04:51 +0000
