keylime-tpm_cert_store-6.3.2-150400.4.17.1 >  A dpp9| /0ݺE-lWZ`& _%P<ؑɀ\kS7 L"R`(bBHx:Ziu)[=W?LpKwȭu(38c8C0 i<%[a*=;r4H!ۯD8Rx s DK"HFk#P*e4@/"iQ)`ƹk3D쬸 0k>Bʰ%Q Sa+J:6f878bad2003fe1dec16624a948b5be6274e052ded769b5b3e26812f0bc1d5ecc1e795e96c6554b4c87a754f5bbd8183de7a5029dpp9| ~ap*/ACXt@}~ g w^5Y;Qj(^㴞M_ỏ6ߊCj OYM6ʶ0e<ĺlQ r9ӆ[ t~tplaQE8W< w):*VXZ^g!nJh`Nnqe ЬZWѭf7& !fLeST- (_(Vf)x9WǕ \htB H>pE?d - G "(/L44 4 4 4 04 d444>4@d44h'TXe(f8p9:=>"F*G<4H 4I4XY\44]4^bScd~eflu4vlw4xT4y$z,<@FCkeylime-tpm_cert_store6.3.2150400.4.17.1Certify store for the TPMSubpackage of keylime for storing the TPM certificates.dpkgoat31@SUSE Linux Enterprise 15SUSE LLC Apache-2.0 AND MIThttps://www.suse.com/Unspecifiedhttps://github.com/keylime/keylimelinuxnoarch/usr/sbin/sysusers2shadow keylime-user.conf <<"EOF" || [ -f /.buildenv ] u keylime - "Keylime agent" /var/lib/keylime EOF [ -z "${TRANSACTIONAL_UPDATE}" -a -x /usr/bin/systemd-tmpfiles ] && /usr/bin/systemd-tmpfiles --create keylime.conf || : # Help the upgrade process when moving to a non-root services # # The '-h' parameter alone will not change the ownership of the linked # file, only of the link itself. This is secure because the user # still cannot read or write the file if the linked file does is from # a different user with restricted permissions. # # The '-h' parameter with '-R' will also do the right thing. In this # case, if the directory is a symlink it will change only the # ownership of the link and will stop changes, i.e. it will not change # ownership of the linked directory files. chown -h -R keylime:tss /var/lib/keylime/ca 2> /dev/null || : chown -h -R keylime:tss /var/lib/keylime/secure 2> /dev/null || : chown -h -R keylime:tss /var/lib/keylime/cv_ca 2> /dev/null || : chown -h -R keylime:tss /var/log/keylime 2> /dev/null || : chown -h -R keylime:tss /run/keylime 2> /dev/null || : chown -h keylime:tss /var/lib/keylime/*.sqlite 2> /dev/null || : chown -h keylime:tss /var/lib/keylime/*.yml 2> /dev/null || : chown -h keylime:tss /etc/keylime.conf 2> /dev/null || :I n~~~~~~~~~~~~~~~nNzbbbbbccAAA큤dpkbbb]dpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpidpif3e3d340592dcded58eb49eacd821fb9c2eeabf330fc863542587501c7c3453e2216947540f0f43ffb0ea2dfec0d35476ee4f339d5d3821feda76fa17fb588c34102884842601f314dad09122e48be0e4195abb884bad94630fa5a27dce63e74b5f76cb9736d1151ab0ac4afd3e516a784ec4b3c3489d54d4eecc263149db24ae2ffa9198a5bbca435dffb1f70db7ccee0bc64c0a8e65feefe4f677cf18f2899fe3e43ad068add661002f5347c6e4693e6ab6a9022161712cc9ec3e5014ef3a07a7439ff573df5bd5497baafb1e6409b367a480aebd2cb8743ee02fe0e0c9e2eca90d2b52aa97a6cb1dc307e95fe05cb756b09bb4fd96c4b920cb142023a7aa5c39b89e52ba681db55dc180002ca8b49d88ec89017a685114f14ebb1fa6df530df2244f9b3c201760d96af60d717402efbc2a33e32fd286f07bec71ace7862032da47a1670ce8f7c2157ab96d94a51f3874612f04c2670fad76531ada045e914b5f76cb9736d1151ab0ac4afd3e516a784ec4b3c3489d54d4eecc263149db24afe3e43ad068add661002f5347c6e4693e6ab6a9022161712cc9ec3e5014ef3a09ad0f9190a35c0fb1b8e5626d310897227c2c2d6bca1d204ee4074218e13bce77a7439ff573df5bd5497baafb1e6409b367a480aebd2cb8743ee02fe0e0c9e2eca90d2b52aa97a6cb1dc307e95fe05cb756b09bb4fd96c4b920cb142023a7aa5c39b89e52ba681db55dc180002ca8b49d88ec89017a685114f14ebb1fa6df530df2244f9b3c201760d96af60d717402efbc2a33e32fd286f07bec71ace78620300eb8bd4b8305df7d91e87acc46dff5f3a2de75fc4a962b16a99de41cb721fbd6c8457a79da5b12a2dc46967e9c964bb9ad0ee27d2cb837efe41396f350a85a02ebfaa96fc6ef369b9e4d82fd44fc32bab279d62f3ef0f39b91a90d304106aba29e56c5530e74f7937fe396ae6dadb73da929fd4cfcca29ea88b102c7070a05cdf2c5e5afd753725d08e0d4de854e2c7e99577854a7e7e9d27f76bbfec4e5df84bb440894a4c35e4a1878a9d6cc519b2ee5743342657d43747f06e620c926a99343b27910c0d69aa54a94e2d1819d0a43f290b42e6334148154e0f5097a0b8af2c5d7bd9f4ac46fab56542eeaa0f92180bb05bd91a9120f36a5c9a999358304f09bbae7bf3158b4dfbd68fb27aef6b4c17b5169167e9045260ad8fe9b217cd0facb50f23fe4a71f7d1d4368d4e4c97f935abb545835bba21cb56e22af11a6c50261af2389b65f0f971df30e0759389e81bcb720e65ad58645d716d46dd3cb2caaa2fa5681e0b91fe65e3d83ea46c681c9f7c44395122a279afb2f18c0a57765a2026305005b147d0c77f23935faede0600973ce4bf2be2c15a66cae15394f28123b9d4a11383c782c4e013f1be9e5e836b892a3d32db56ed54569c1be43c33cd20eae9bcef20c54e3d3555cc458e516c615b7184c1d50f1009f1dcfa4463aa163741c7b7144c212e597ae6d7844d34f0e905e80e9f0594bab6f721f9733bd1efd302db65467a8bc5c3d50d5ae1d271df0d4ae5c69c44c4a52a362a58325b1ab39ffe9b84cd05a83ac73f5d93a6c544e09b305ccfcd12d5a3fd2273e877a17946c1b42c0a03d93b29d45ca7ebc49afdc3b7e15176f7b819e254e404685a9dd194f292d76038ec1ecf00d9fc097c717dc1bc5212d55a34d08b34081c3b238ec57ee295a1004f76d5f90c7594fd2af92b4226a5d905d3ba3fef82ebd41c320658f707d9033e8a2bbd18e311bc1c63e39a1f483020c94ed088000c960571cf51a94ed009af3a0c8d6557812fc39166f4c4263177a3479e2e69daadbeee888a6c82a8ec31c5d0a5baf0b25cd12435a4022d817c85385bbfe34419255e84514958f187ceed5c890c4f80311ff1b21c374e5617b3767ab5bb2f56ff6145398eaa7fa5bc307c034fa070c2fd70fa2d85d3fad445ed2b364923bea4f7ffb13f3596e51847469b5c6673f5f004221b019b784291cf5dc6cd7fe15877980350aca0237c6a24e33162b84c4996da7dc95c7da34eac76eee195c59d4a682a6388a976259644eb8060713ee5c0b1c91ceb6b52acded1086c8a3022da86f623f458512cdf7dda2c8718c1ca766626af61ac1cddf1a713000f0277b1cf4eed71d32813b7f44ad7038144022600b9c04cd6e0338fcb4b77708c10e72a820b7a7c9e24aa6dcf41c59b@keylimerootrootkeylimerootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroottssrootroottssrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootkeylime-6.3.2-150400.4.17.1.src.rpmgroup(keylime)keylime-tpm_cert_storeuser(keylime)     /bin/sh/bin/shpython3-keylimerpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PartialHardlinkSets)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)6.3.23.0.4-14.6.0-14.0.4-14.0-15.2-1rust-keylime4.14.3dE@cY!@b@b@bUbbV@bs@bs@b a@a@aaq@aq@aaa@a@acaC1`` @`i@````aplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.comaplanas@suse.com- Backport patches to avoid DoS via SSL (CVE-2023-38200, boo#1213310) + CVE-2023-38200-01.patch + CVE-2023-38200-02.patch + CVE-2023-38200-03.patch- Backport CVE-2022-3500.patch (CVE-2022-3500) (bsc#1204782) + Moderate vulnerability where a node can seems as attested when in reality it is not properly attested- Drop cfssl default in keylime.conf patch (bsc#1201866)- Use chown -h to adjust persmissions for downgrade migration. This skip following symlinks and make the migration possible (bsc#1201466) - Add logrotate configuration for the services - Create run directory as non-root user - Conflict with rust-keylime - Consolidate in _distconfdir when possible - Add fix_exit.diff patch, to exit properly in SLE- Remove user downgrade mechanism from the package (CVE-2022-31250, bsc#1200885)- Fix "run_as" configuration parameter and set it to keylime:tss - Improve downgrade user migration during package update - Add patches (CVE-2022-1053, boo#1199253): + CVE-2022-1053-01.patch + CVE-2022-1053-02.patch + CVE-2022-1053-03.patch + CVE-2022-1053-04.patch- Update to version v6.3.2: * general: bump Keylime version to 6.3.2 * tpm_main: flush transient objects * pypi: add notice that the Python API is unstable * installer: use OpenSSL by default * Avoid mounting secdir while unmounting it * remove TPM, VTPM and IMA stubbing support * archive: remove all archive files * Change GH reviewers to be from developer group * added suse / opensuse support with zypper * Fix tpm import in test_tpm.py * Fix cfssl configuration in run_tests.sh * tpm_emulator: improve TPM emulator installation * config: Add option to enable DB debugging via DEBUG_DB env var * Enable SQL query cache for JSONPickleType * tpm_emulator: move everything into systemd services * Implement broader key support for Keylime's signing mechanisms * tenant: Use exponential backoff on key verification retries * tenant: Move JSON parsing to capture possible exceptions * tenant: Move verifier stop from do_quote to do_verify * pylint: Fix issues related to W0602 global-variable-not-assigned * tenant: Handle 404 error from registrar gracefully * pylint: Fix remaining code with issue R1732 consider-using-with * pylint: Fix R1732 consider-using-with * pylint: Fix issue detected by pylint-2.13.0 * pylint: Fix issue detected by pylint-2.13.0 * tenant: verify agent quote before adding to verifier * README: remove tpm2-abrmd and OSX sections * pylint: Fix issues related to W0102 dangerous-default-value * pylint: Fix R0201 no-self-use * pylint: remove W1203 logging-format-interpolation from ignore list * pylint: remove R1729 use-a-generator from ignore list * pylint: remove E1120 no-value-for-parameter from ignore list * pylint: remove W1201 logging-not-lazy from ignore list * pylint: fix C0209 consider-using-f-string * pylint: fix C0201 consider-iterating-dictionary * pylint: fix W1509 subprocess-popen-preexec-fn * keylime_tenant non-zero exit code on error * Fix prepare step adjustments in packit-ci.fmf plan * failure: fix Pattern type hint * mypy: add initial Mypy configuration * ima_ast: add type hints * failure: add type hints * logging, config: add type hints for logging module * algorithms: add type hints * json: add type hints and add JSONType as custom type * Full allowlist processing when not adding host * provider, vTPM: remove vTPM manager and provider code * tpm: fix that the set of missing PCRs is not serializable in failure * Restores the option to use keylime agents without mTLS * services: make the services run as keylime user instead of root * State in --help that SHA-256 is used for --allowlist-checksum * config: change cacert.pem to cacert.crt * registrar_client: validate connections against registrar ca certificate * tenant: validate connections against verifier ca certificate * request_client: only add custom adapter if TLS is enabled * setup: add static assets for webapp * Add TESTING.md describing testing details * Fix some remaining log format strings * Fix for database_url parameter with sqlite * Enable test basic-attestation-with-unpriviledged-agent in Packit CI * Use lazy string formatting when logging (#535) * Make Packit CI plan more resource-saving * keylime.conf: Document setting ownership in WORK_DIR (/var/lib/keylime) * agent: Make sure tmpfs is empty even if not mounted or cannot unmount * agent: Drop privileges by switching to normal user and group * agent: Move mounting of tmpfs towards beginning of main() * agent: Read measured boot log near process start * agent: Open file for IMA log file near process start * ima: Refactor read_measurement_list() to take file as argument * Add the policy name to failure event * tpm_main: Check if tpm_cert_store exists (#553) * Remove tag input from container build workflow * Push container images to quay.io/keylime org * Enable code coverage measurement for e2e tests in Packit CI * config: fix config search order * Add defaults for ephemeral keys for agent records * Update outdated greetings Github messages * services: add keylime_agent_secure.mount service * installer.sh: updated tpm2-{tools, tss}, use system packages if possible * revocation_notifier: convert the data to str in the notifiers * revocation_notifier: mark webhook threads as daemon and add timeout * Fix Packit CI test plan Summary * Enable Packit CI testing on CentOS Stream 8 * Enable Packit CI testing on Fedora Rawhide * Remove last trace of TPM 1.2 (hopefully) * verifier: remove start_tornado() function * verifier: wait for connections to be closed before stopping ioloop * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s * Add more e2e tests to Packit CI * Enable EPEL repo on CentOS Stream in packit.yaml - Drop already merged patches * drop_privileges_of_agent_process_after_startup.patch * config_fix_config_search_order.patch * services_add_keylime_agent_secure_mount_service.patch- Add upstream patches: * drop_privileges_of_agent_process_after_startup.patch * config_fix_config_search_order.patch * services_add_keylime_agent_secure_mount_service.patch - Configure the agent to run as non-root (via keylime.conf) - Add keylime sysuser conf file and deploy as part of the tpm certificate subpackage - Prepare the systemd mount unit for /var/lib/keylime/secure- Drop patches beacuse merged upstream: * version.diff * cloud_verifier_tornado-use-fork_processes.patch - Drop binaries not used anymore: * keylime_provider_platform_init * keylime_provider_registrar * keylime_provider_vtpm_add - Update to version v6.3.1: * revocation_notifier: mark webhook threads as daemon and add timeout * Fix Packit CI test plan Summary * Enable Packit CI testing on CentOS Stream 8 * Enable Packit CI testing on Fedora Rawhide * Remove last trace of TPM 1.2 (hopefully) * verifier: remove start_tornado() function * verifier: wait for connections to be closed before stopping ioloop * revocation_notifier: kill ZeroMQ broker if it blocks more than 5s * Add more e2e tests to Packit CI * Enable EPEL repo on CentOS Stream in packit.yaml * agent, crypto: add localhost, server and contact ip to agent certificate * Add better default repo path for run_local.sh * Fix incorrect variable name in test_restful * Run existing agent tests against the rust-keylime agent * Fix small wording mistakes caught while reading the code * agent: move key and certificate logging levels from debug to info * agent: allow absolute paths for rsa_keyname and mtls_cert * Add missing backend parameter * cloud_verifier_tornado: use fork_processes * ci: automatically push release to PyPI * setup.{py,cfg}: Move setup configuration to setup.cfg * Add iproute tool to Dockerfile * Pylint does not like single-line functions. * A small beauty fix * This is a small fix to proactively fix Issue #840 by identifying non-escaped double quotes in the tpm2-tools output * setup.py: add version number and new Python versions, drop unsed binaries * setup.py, config: install default configuration into package path * ci: move old keylime.conf to keylime.conf.orig before running tests * retry: fix pylint issue * Adding Infineon Optiga 034 RSA and ECC certificates for Infineon SLB9675 devices. * Ensure columns "mb_refstate" and "allowlist" are of type LONGTEXT in table "verifiermain" * tenant: add exponential backoff option to retry timings * cloud verifier: add exponential backoff option to retry timings * tpm: add exponential backoff option to retry timings * test, retry: add unit test for retry algorithm * common: add algorithm for retry time calculation * registrar, tpm_main: ensure that correct types are commited to DB. * Fix typo for config param listen_notifications * Lint is _really_ unhappy today. * Linty fixes * Adding a unit test file for tpm_main * tpm_main: check if PCRs for the hash algorithm are available * tpm_main: handle if tpm2_checkquote returns no PCRs for a hash algorithm * agent: output supported_version as result not as a status * Add missing subcommands to -c help message * tests: fix mtls_cert generation in test_restful.py * revocation_notifier: fix socket path permission check * Remove unused database_query config param * Move umask calls only on entry points * config: move directory utilities to fs_util- Change back agent_uuid to hostname - Set tpm_hash_alg to sha256 by default - Update version.diff patch to point to the correct version number - Fix issue with Tornado, when multiple workers are started * Add cloud_verifier_tornado-use-fork_processes.patch (bsc#1195605)- Drop patches beacuse merged upstream: * 0001-Drop-dataclasses-module-usage.patch * 0001-config-support-merge-multiple-config-files.patch * 0001-ca-support-back-old-cyptography-API.patch - Update to version v6.3.0: * Coordinated update to fix: + bsc#1193997 (CVE-2022-23948) + bsc#1193998 (CVE-2021-43310) + bsc#1194000 (CVE-2022-23949) + bsc#1194002 (CVE-2022-23950) + bsc#1194004 (CVE-2022-23951) + bsc#1194005 (CVE-2022-23952) * secure_mount: add umount function * secure_mount: use /proc/self/mountinfo * Validate user ID in all public interfaces * validators: add uuid and agent_id validators * validators: create validators module * revocation_notifier: move zmq socket to /var/run/keylime * Update API version from 1.0 to 2.0 * tpm: do not compress quote with zlib by default * verifier: persist AK and mTLS certificate to DB * verifier: use "supported_version" for agent connections * tenant: add support for "supported_version" option for the verifier * api_version: add the option for basic validation * verifier: add supported_version field to DB and API * agent: add /version to REST API * verifier, tenant: allow agents to not use mTLS * tenant, verifier: allow manual configuration of agent mTLS * tests: migrate to mTLS * tenant: connect to the agent via mTLS * verifier: connect to the agent via mTLS * tornado_requests: handle SSLError * web_util: add mTLS context generation for agent * agent: Enable mTLS for agent REST API * crypto: add helper function for creating self signed certs * registrar: Allow the agent to registrar with a mTLS certificate * request_client: add workaround for handling certificates * request_client: add the option to ignore hostname validation * Better docs and errors about IMA hash mismatches * tests: use JSON instead Python string for IMA tests * verifier: use json.loads(..) instead of ast.literal_eval(..) * Adding Nuvoton certificate for a post 2020 TPM device. The EK cert of the device directs to the following download site: 'https://www.nuvoton.com/security/NTC-TPM-EK-Cert/Nuvoton TPM Root CA 1111.cer' (yes, including the spaces) * Improve revocation notifier IP description in keylime.conf * tornado_requests: set Content-Type header correctly for JSON * tenant: post U key to agent with correct Content-Type header * Explicitly set permissions on new keylime.conf files installed * tpm_main: close file descriptor for aik handle * verifier: do not call finish() twice * agent: fix payload execution * tests: add initial tests for web_util module * config, web_util: move get_restful_params(..) to web_util * verifier: Also retry on HTTP 500 status code * agent: improve startup and shutdown * registrar: cleanup start function * web_util: move echo_json_response(..) out of config.py * verifier: fix failure generation for V key * tornado_requests: cleanup TornadoResponse class * web_util, verifier: move mTLS SSLContext generation into separate module * ca: support back old cyptography API * Fix test branch reference in packit.yaml * ci: disable DeprecationWarning from pylint in tox * Enable new test in Packit CI * tenant: fix reactivate command * config: support merge multiple config files * ci: use only fedora-stable for packit * elchecking: harden example policy against event type manipulation * elchecking: add new tests * tests: fix stdout formatting for agent and verifier * Drop dataclasses module usage * revocation notifier: handle shutdown of process gracefully * verifier: handle SIGINT and SIGTERM correctly * ima_emulator: fix IMA hash validation and add more options * ima_ast: fix handling ToMToU errors * Remove leftovers of TPM 1.2 support * agent: improved validation for post function * agent: better validation for mask and nonce * config: add function to validate hex strings * agent: keys/verify check if challenge was provided * tpm_main: do not append /usr/local/{bin,lib} to default env * db: only set length on Text type if supported * json: do not make sqlalchemy a hard requirement * Enable functional testing with Packit CI * ima_emulator: specify sys.argv as the named parameter argv in main() * elchecking example policy: make it work with Fedora 34 * elchecking example policy: initrd* might be also called initramfs* * scripts: add mb_refstate generator for example policy * config: change tpm_hash_alg to SHA1 by default * parse_mb_bootlog: specify the used hash algorithm used for PCRs * agent: add warning that on kernels <5.10 IMA only works with SHA1 * tpm: explicitly pass hash alg to sim_extend(..) * ima emulator: use IMA AST and support multiple hash algorithms * tests: update IMA allowlist version number * ima: add option 'log_hash_alg' to IMA allowlist * ima: remove hard requirement for SHA1 PCR 10 * algorithms: extend Hash class to simplify computing hash values * config, tpm_main: explicitly handle YAML load errors * config: private_key must be set to -private.pem not -public.pem * agent: add UUID option environment * agent: drop openstack uuid option- Set /var/lib/keylime under the same permissions expected by the code- Add 0001-config-support-merge-multiple-config-files.patch This will allow the merge of config files in /usr/etc and /etc. - Move the configuration file to /usr/etc in new distributions - Add 0001-ca-support-back-old-cyptography-API.patch This is only required for SLE, but the API is compatible with new versions- Add 0001-Drop-dataclasses-module-usage.patch, to support Python 3.6- Fix cfssl bcond logic in Tumbleweed / SLE- Update to version v6.2.1: * Another addition to gitignore * Update .gitignore with more Keylime-specific files * json: add support for sqlalchemy.engine.row.Row in newer sqlalchemy * ima_ast: check if the PCR is the same as in the config * Fix permissions issue on volume mount in run_local.sh * Make run_local.sh use a local copy of the repo * Small updates to GOVERNANCE.md * Move cargo-tarpaulin install to separate command * config: drop registrar_* TLS options in [registrar] section * Fix missing && in Dockerfile * Remove simplejson from scripts and docs * Replace simplejson with built-in json module * Add rust-keylime container dependencies * config: fix getboolean with fallback * Clean up CI scripts and rewrite run_local.sh * ima: for ToMToU errors skip template content validation * ima: Use a set of entry numbers and file offsets to remember multiple positions * Rename CONTRIBUTORS.md to CONTRIBUTING.md * Update GOVERNANCE.md to match MAINTAINERS.md rename * Update MAINTAINERS * Update README: remove Gitter, Travis CI * ca: Use UTC when setting certificate validity * Tenant commands return json * scripts: Allow passing a base policy to create_policy tool * ima: Handle the case of ima-sig with a path with spaces in them * add length to string object * scripts: Implement create_policy to create the JSON allowlist from files * ima: Also add a sha256 default boot_aggregate hash with 64 '0's * ima: Use seek() to get to the last known last entry * ima: Extend allowlist to be able to handle generic ima-buf entries * ima: Extend JSON allowlist with 'ima' entry and 'ignored_keyrings' * ima: Populate verifier keyrings with keys taken from ima-buf log line * ima: Remove methods from ImaKeyring that are now in ImaKeyrings * ima: Start passing ima_keyrings through APIs replacing ima_keyring * Extend AgentAttestState with ima_keyrings field and use it * ima: Implement ImaKeyrings class to support multiple keyrings * verifier: Extend verifier DB to persist learned keyrings * Fix a couple of pylint errors * ima: Fix spurious attestation failures * ima: make ToMToU errors not a failure by default * Simple fix for tenant error message printout. * pylint: Fix errors related to R1714 * pylint: Suppress C0201, C0209 and W0602 newly reported errors * installer: do not install tpm2-abrmd * tpm: by default use /dev/tpmrm0 instead of tpm2-abrmd * verifier: add option to send revocation messages via webhook- Fix keylime configuration file attributes- Requires python-psutil - Disable automatic execution of the payload by default - Use ramdom UUID by default- Introduce a bcond for cfssl detection- Drop cfssl if we are not in openSUSE- Update to version 6.2.0: * Fix bug #757 where revoc cert was treated as text * Code improvement: removal of extra dependencies in measured boot attestation (#755) * Sanitize the exclude list while it is ingested at `tenant` by removing comments (^#) and empty lines. * tenant: show severity level and last event id in status * verifier: move to new failure architecture * pcr validation: move to new failure architecture * measured boot: move to new failure architecture * ima: move to new failure architecture * failure: add infrastructure to tag and collect revocation events in Keylime * Simulating use of SSLContext.minimum_version on ssl v3.6 * verifier: fix minor typos * Add tests for ca_impl_cfssl and ca_util * Replace M2Crypto with python-cryptography * tenant: status now shows if a agent was added to the registrar * tenant: open file to send utf-8 encoded * Correct some comments about and remove vestige in MB policy * fixing a small bug that resulted in malformed refstates not failing MBA * agent: ensure that EK is in PEM format when used as uuid * Solves #703 by adding a "non-trivial" example of a "measured boot policy" (#734) * ci: build and publish container images * codestyle: fix W0612 and R1735 pylint errors * codestyle: fix W1514 pylint error * systemd: Add KillSignal=SIGINT to keylime_agent.service * One-liner to set the minimum version of TLS to v1.2 * pylint fix * Typo fix: return list order confusion between measured_boot.py and tpm_abstract.py * Refactor keylime_logging module * ima: Implement ima-buf validator and validate keys on keyrings (#725) * Remove Python 2 leftovers * Additional fix for the processing of "tpm_policy" * ima: Return an empty allowlist rather than a plain empty list * verifier: convert (v)tpm_policy in DB from string to JSONPickleType * verifier: Create AgentAttestState objects from entries in the db * verifier: Persist the IMA attestation state after running the log verification * db: Add DB migration file for boottime, ima_pcrs, pcr10, and next_ima_ml_entries * verifier: Skip attestation one time if agent's boottime changed * test: Add test case simulating iterative attestation * verifier: Delete an AgentAttestState when deleting an agent * ima: Remember the number of lines successfully processed and last IMA PCR value(s) * ima: Reset the attestation if processing the measurement list fails * debug: Show line number when PCR match occurs * verifier: Extend AgentAttestState with state of the IMA PCR * Consult the AgentAttestState for the next measurement list entry * Introduce an AgentAttestState class for passing state through the APIs * verifier: Request IMA log at entry 0 for now * agent: Get boottime and transfer to verifier * agent: Add support for optional IMA log offset parameter * tests: Add a unit test for the IMA function and run it * agent: Move IMA measurement list reading function to ima.py * Add default verifier-check value * Use tox for pylint * Use Fedora 34 as base image for CI container * Run ci jobs only when needed * config: merge convert and list_convert into the same function * Versioned APIs * Refacator of check_pcrs to parse then validate (#716) * Automatically calculates the boot_aggregate from the measured boot log. (#713) * Set default UUID as lowercase (#699) * tenant: do_cvdelete wait until 404 * Ensures the output of `bulkinfo` command in `keylime_tenant` is JSON * ima: Convert pcrval to bytes to increase efficiency * tests: extend ima tests for signature validation and exclude lists * Allow agents to specify a contact ip address and port for the tenant and CV (#690) * verifer: Fix signature and allowlist evaluation bahavior change * ima: Fix runtime error due to wrong datatype * tenant: add the option to specify the registrar ip and port * measured_boot: drop process_refstate * check_pcrs: match PCR if no mb_refstate is provided * ci: make run_local.sh work with newer docker versions * Fixing pylint errors (#698) * tests: add IMA test where validation should be ignored * ima: Use ima_ast for parsing and validation * tests: Add test for ima AST parser * ima: Introducing a AST for parsing and validation * Make stalebot a bit nicer * enable tenant to fetch all (or verifier specific) agents info in a single call from the verifier * Flush all sessions from TPM device (#682) * multiple named verifiers sharing a single database * webapp: fix tls certs paths (#659) * Corrects markdown to have proper rendering (#673) * ima_file_signatures: Extract keyidv2 from x509 certs * installer: Add '-r' option to cp to copy directory (issue #671) * config: Add optional fallback parameter to get() * agent: Fix the usage of dmidecode during the agent startup (issue #664) * agent: Rename allowlist to ima_allowlist in keylime.conf * Fix decoding error in user_data_encrypt * agent: Fix issue #667 by testing for an empty ima_sign_verification_keys list * Addresses issue #660 (database path while running local tests) (#665) * ima: Return 'None' when ImaKeyring.from_string() called with emtpy string * tests: Move unittests into files with suffix _test.py * Fixes and improvements for database configuration (#654) * Add signature verification support for local and remote IMA signature verification keys (#597) * install: Remove TPM 1.2 support from installer and bundeling scripts * CI/CD: Remove tpm1.2 testing support * Remove duplicated calls to verifier * Remove adding entropy to system rng * Cleanup and fix error case in encryptAIK (#648) * Move measured boot related code into functions to make check_pcrs readable (#642) * Move code related to tpm2_checkquote into its own function (#639) * scripts: Cleanup shell script formatting * installer.sh: Do not delete the local copy of the certificates. * Fix user_data_encrypt to UTF8 decode before print * tpm_abstract: Fix adding of entropy * codestyle: Ignore R1732 implemented by pylint >=2.8.0 * a fix for letting JSON encoding bytes correctly * Adding back reglist to the list of commands that don't need a -t argument * Invoke tpm2_evictcontrol for 4.0 and 4.2 tools if aik_handle exists (#624) * Addresses #436 (#611) * Fixes #620 * Include PCR16 in the quote only when needed * Close leaking file descriptors (#622) * installer.sh: Add missing spaces when efivar is added * More ima_emulator_adapter cleanups (#616) * installer: Add json-c-devel/json-c-dev to BUILD_TOOLS for tpm2-tss build * Remove more commented code in ca_util.py * installer: Only install efi library on x86_64 systems * Create allowlist table and basic API support * installer: Add libuuid-devel/uuid-dev to BUILD_TOOLS for tpm2_tools build * WIP: Some cleanups (#612) * Remove _cLime.c * config: Document the measured boot PCRs and what is using them * Very simple fix for the agent (re: measured boot) The agent code does not need to import "measured boot policies" * ima_emulator_adapater: Remove unnecessary global statement * webapp: Fix private key and certificate path (issue #604) * Add support for keylime_webapp service to read intervals from keylime.conf- Update to Keylime 6.1.1 + keylime_tenant add crash with TypeError: Object of type 'bytes' is not JSON serializable + Whenever Keylime agent starts and cannot contact the registrar, it fails and quits without flushing create EK handles + keylime_tenant -c reglist now requires a "-t" parameter for no reason + Duplicated API calls to verifier in webapp backend + Installer deletes tpm_cert_store files + agent_uuid set to dmidecode crashes Keylime + Copying of tpm_cert_store fails during installation + If the PCR belong to a measured boot list, it is not validated + keylime_tenant --c update fails with a race condition - Drop patches already present in the new version + webapp-fix-tls-certs-paths.patch + check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch + tenant-do_cvdelete-wait-until-404.patch- Add tenant-do_cvdelete-wait-until-404.patch to fix the update command- Adjust the default revocation notifier binding IP - Default to CFSSL in keylime.conf- Add config-libefivars.diff to adjust the path of the library- Add check_pcrs-match-PCR-if-no-mb_refstate-is-provided.patch (gh#keylime/keylime!695) - Recommends CFSSL in the registrar (actually should be the CA) - Change default value for require_ek_cert to False - Reorder the patches to separate upstream fixes from openSUSE ones- Add webapp-fix-tls-certs-paths.patch (gh#keylime/keylime!659) - Recommend dmidecode for the agent - Require libtss2-tcti-{device0,tabrmd0} to use abrmd service - Add keylime.conf.diff patch to change the default config file - Add keylime.xml for firewalld service definition- Update to version 6.1.0: * Update python cryptography lib to v3.3.2 * installer.sh improvments * run_local.sh: Run unit tests in keylime/tpm/tpm2_objects.py * Fourth and final PR to address #491 (#580) * scripts: Also use pylint-3 if pylint is not installed * agent: Fix the checking for a specific error returned by tpm2_quote * Allowlist verification - Enhancement #16 * Forgot to remove the original, more crude solution (which caused pylint errors) * New and improved code to fix issue #582 * Consistent formatting for logging strings/bin/sh/bin/shgoat31 1690988651    !"#$%&'()*+,-./012346.3.2-150400.4.17.1keylimekeylime-user.confkeylime.confkeylimetpm_cert_storeGS_TPM_RT.pemIFX1.pemIFX15.pemIFX2.pemIFX3.pemIFX4.pemIFX5.pemIFX8.pemIFX_ECC_034.pemIFX_RSA_01I.pemIFX_RSA_02I.pemIFX_RSA_034.pemIFX_RSA_03I.pemIFX_RSA_04I.pemIFX_RSA_05I.pemIFX_RSA_08I.pemIFX_RSA_17I.pemIFX_RSA_18I.pemIFX_RSA_20I.pemIFX_RSA_21I.pemIFX_RSA_RT.pemINF_ECC_010I.pemINF_ECC_010RT.pemINF_ECC_011.pemINF_RSA_010I.pemINF_RSA_010RT.pemINF_RSA_011.pemINF_RSA_022.pemINTEL_I.pemINTEL_RT.pemNTC1.pemNTC2.pemNUVO_0100.pemNUVO_1110.pemNUVO_1111.pemNUVO_2110.pemNUVO_2111.pemSTM_ECC_01I.pemSTM_ECC_01RT.pemSTM_RSA_01I.pemSTM_RSA_02I.pemSTM_RSA_03I.pemSTM_RSA_04I.pemSTM_RSA_05I.pemSTM_RSA_06I.pemSTM_RSA_07I.pemSTM_RSA_RT.pem/run//usr/lib/sysusers.d//usr/lib/tmpfiles.d//var/lib//var/lib/keylime//var/lib/keylime/tpm_cert_store/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:30092/SUSE_SLE-15-SP4_Update/93d76e55d4458018afbcf8253655ab57-keylime.SUSE_SLE-15-SP4_Updatecpioxz5noarch-suse-linuxdirectoryASCII textPPp C*utf-8d3c4ff51b39ce34dbb3c835ee6dc899f446e746de928bc2a5cbd3c7ea0ab7c0a?7zXZ !t/GcC] cNſ^J0ht/%KuS!sh0{"#Ήe57){9q`j*NFl:NIngoٚ7t4GϿr 䖌@|+LmY5awLvnyI- SKhl ؽdg7@ ;Q fzع( u69Nyp9.Yc/!̗u9+_ᑟP^ Q 9VBAJ8H-H\a,3gvI額w#qA2>:I^(cHmNc.ǟ) R1X>\F3f,=8zz#td(Riurg0KYiG 5w}8srPbN0ҶVrvקzzb] p #" ᣧkm+My\]6pb@+J+.qEegf*}hQ4P#V,HۻDvv" 4߰kD 7,7lQqw_J9?at  螉K;ƞVz'B|乮v u𕆕~ti(P\m?p.!IǏ96ƈ!cQgkxz/4~ bav p))6gKc!1H(mN43QYYߢ׍5=;zbߚ%+';iF \0cBj理6[4Ҵwgb af.u3:@iٗ O=kfКG3%JZ1KLJEv~US̪̬DK_.{@ؚ2l pb7RO誫 7@4|&ԱTz35$W>SCOmglWFráϩVXz+LOy2T%p maRgJ*+y%gF{[~ژ3{s[vs}6d]k›SLq+щfao*mf2TR%)~S<tk3n]tСgc }Xa<^pC& KA![ p҃S9x,qT`KCx)jcwlO^uOR5*zv\069F uxD}SgD IPTUB.ْcQ\^?J4H3ّZYKLH>tIRoK_c!8+`  k#iԌPgZ[4eCUuO"eW]җe? ŅEg8[8k6Li:"i(};<ʮl3v/"XG|˗p?ۈ7oOBcyQ{wٱ楉'L VҌy,\dc9 tIAIب(κ4uC%vbt+q Re4&{4ݙEݧ ȥI#t:uD-rW<ěX7C~' ? ChKf=/>|*xU&v[ƖETH uUSH\N3џrE;I)/dΦ[8(ޢI"!&a S@]lWFH߮Kt&5ɂ#4 (&3cI4%uw}=%$15QWW6sqڋՕkCF8I% _ޏw-',DbU=J4 [81A(}sO;:-dv. lJ0@:u[bfThkw0saOYezZ *wkCP. LrȀܗ6uT^="+ԫqۆc%W%r+ ds/<(THSeoMRwǼf=N n )u Ft%>̺Nodu}?)'9o.PSm|iT6|G]Q?ܪ^oEyN x+`i\R>?yiB/L S) dn͠!e,Ɵۃ(v߫dfjt 2_u &J8zY4<7܀ +B<,[u%##G mTS#R5)U׫vr T_L V;c6\hp俽m(+iav#m%\&I62 !U5ҋZ g fAW- DhqձdqUqIS} 9\QswxzUeF*!huqHq$JRmQj?NQp(ےSC P(sG};GPnP'ӑwrᄄ\ G GcW,4uꒋ h=<.x,Fj"e$ {Y4WLk$ZtvMFzd {+5_0s@(عz 6N}[=}Cn /5_ |*le"uok:Z ZwZhvm9yn@,ؙZ>'}9qM7/jӸnh!&U"<_\Ҡ0,Mw,gݑ}(Z/nvsz,Wf>6?\&եoggN"s_EٓG"`5G23&,*03?r|;z}]I8'vߐOmfe:MD|ad4=rΡb'  b YԖl{Q\g}O'J 1XACdkixα)YfL%bY󰃧;A  xN\WEObznGN ̢k6\?r-yǍ;o<忟:->lb.թ]T"fE ? aXtk c"!fȰO/0J犴(!qD M bi])tE/VwV@J9N{t+)_'/dw=(?D1)(i/wgrq_= u̕P;dn53'Be{ބ?"bL,mص8P|+,Ns! f}!6WᓋVrk"*&ko>?$*V?d1nkm73UNqXXgep%R ֿE5{9ξ EځB/v frf&;3V${J'[V21;q 6\}곊j%:)7u+7U NGj$^ߓuMɪhHK 4Uص53NՑ86'WXfSc(-Pjc;G,||<[9anQ'8dY ]7B-^94*>DKYdZyƜ0j,Vn\ٸTQѕ{M繇w-<FxJ+HY[_#r{(siV,?nOB˅"pbCyMu+JD\+Ձ섹((-FmVZ)OJYGpfeH`qd) h?S*z] P~I9]NS{ ZA4Ciѻ>_.FxGup3rai(uR2N1ߩ0ZqD+=w]55.P%(vֹi0OA<84PM^I CDډ^X9! v fnIBC&e͎jHgyC/*uC?HR3>RG[&#ar׆堃J֐C+P!jk;`f?x;P6XY.%.g2=-,G1Y}?ZTٴt$T};:]V,RRZ@QXi%]~ "~c] &Kh6錥EQ}u5x~#Mp$A-h) `5[~ '$})+):+EXPG#|:nݥA쉞K\.$٬S&gnAT.cDQ\ۿ-X3X1!ހx6}#ZwaBt"q_LÐG+8Czf P_̕&aD.*okJuԐkO!.it;ӯJ{<7nc)3TjO:\_Ќk$,cr d[ ]*ck[ja~-8Ɣa-{rgiG9'Vl,\||*9xBŠV\>Z 0ZͦVyEmo{7i=dz\p\ST+NϾ;}Z$ H@zB]=6( 9dp3sas Y.};;UXEbkT?\mwB2|P>FԢDwblS&?POmY+YuEߑDR9s瓻/&525gM-E3xNHZ$TXXSQ.;ebhPzixP=IlmMi ˟e!ˆQSl]V,ee:g[*%v[L|C}G>\՗!ϿBS+&2H\j@\vrG8$N{ebU_XP.=$;("P ɳ)%X3fzN/DX~;P+4j^3!UyfW#$@leđ8;yAkkv+_ilsUyظwW͍Oa#|*/S"[Dt|+堎ylQvd]esLtvpߴ9T+4CBYAdPӣMYV&vWvB蔨{؟yu 57^SR!ZdzU-wFif*vĪJ5P#α)=OGhhiͅQ 22Ȍl*q͒k753xK/$kU:m.q}㧕͓xW$VyRZ3'z iS&5t9P >S<;^߂ZcwkM;֮~+nUgG8KmKP!TZui[(Bbfb{29G'M1ڡ Ǐ+ 6%IբɃot/QԹSW59뙔ePJ۶yjAɢKA9һ^e>Se>a7g?D1JWzZ QI"zg7AU_6SlepntKK; J>Ȁ5_<:].|8!Y?hz¡Gs¡ɜbᤠKd##l *@YhAȱT&;.#!^Jr^Nzn52IT!<8ҕuP.PBЗ(LM3%_qsᰘ9e15: pA8 ?b&馈C<}Xzeivh0Q4=p!4yhЃeX^˼7.BċI&P* ʝ27E]a!0? }+;kzE `ő-̵|w {>ܤLL>m؂ _^b)V^@Hm<g"[ƺ6pF,(69TqZk!)WF{K=tfn^p<~1 @](d<rod,4o?%WO!>ׇ伛7m'dP`lK %$+Kv*OC`oRߍW-s 7QB,S1a753B( sΩ!F -qCT,KLb\/< +v޹[&LʜYP1 ܔNs dֵؿv 3Y gIڹ 25' qk t?5gꓳY{e)pCig:`w0섴u?Aۋ箾2|TC~gN,5!VƎ%͏'kˁ&4ViCa 3JQe:q"|[cV;jКVu.m0LXJVcI[YiYʃ ?B7ʧr3h8_ 0t@>"xϱCgt!&*N,rV+׺RLO?2 L=Y=&!~\uI~~ox4qQJӼ!Xd1.vc8EA.n "X] *1ǻ>bN|^(KN[Cc  hdz!<}CC%He1[⭡eg֭pBu^fRdMΈ i[Jth Bb(=ɴ,^$; ( Ĥ[%=Gc,bI.,{INȼ6꿨2,. xלDF6p#{h,vCe{2DvtΗ] 1KWp*|}nrܗݏ&<ް fmmu}KO[n69/\H;^["TqwEcL=^?JE迅b 5ȇpkVmw焜:YUJ>3I۔" tj{I`6EDWX6W @0SxXX6ekH8" Ŋ$3un`[pa'^ϮMՔl>UX@q``dc$bzG'>` := ۶t>D~U;~Ց`nM*@UJ\l 4sPN^~[!Jc43]q|-MT?BbMȔ%M4k˚aBǻaT{c8 G=q|.b@9Gp% 6{ JUٸ3ΫA$]lT)pΙ N*eQ 2Wrh긆ZԉiٛDg{U^2&4Qaeeʱڟ@0Qgam+u'ޚ l(6#p &]m#-!n V. ؋_7xA)y=V2;n3ܜ8P0}G˂LƓF)}GwCA>Yg S؎<4@0_G杄#Ks^P㱙2;'0*sqFv`ta ;oB63ỦVݹV6t{edzK]ݠ\M̰+p 0=:];7:?Bb.BL&K0ܦ8_qReOe/a]\kk|HN^/Td4×~>w^esںG0˕'3Z:ҎxY 9x"GT1tWIIiM@exm)a3/LZP/''-Dg;Mi 1ϔ.,쏱2:Eb|8\^sBn*1 lkn0; Ϣ2蹽?fV9Y3F(?HSm%KyAq! bUn+hSJ}}Hy{{x 3jtRˤV<8Bs}C@冮4>{WP?CsYĝh :aB.;y׺ϘY cb2uQG&\)yA}QiHk1Y=KI~V۹as$Clƹw3ptf%D+ʉ Wc\ R`XlJ *:YB~,֥\twÍe/VJ1b,,X("San"3_'E{ Ű}lP|G\f"o>5`/u}y L} ͂Úu :ӹG؞sVmvm v052}9xw֩fi}DjcLXRVy}d6/\#}\znik 2.lBn~Y؞T_$ o%K8˦e,}i_MIii{2/ -I2++ÕbdS[G-Gdi-f6XyjYltȱ KmMoqKRT^qm˜EhY J@[p&@ j@ٓkH] "r %wT~3;ZYj_EHIjg=dc+GFnn]Dec;?NCs|+$a13Yd6Tm"[YCSXS-(P`Z -6 ?CiUýp;J:Sj G7\2bݎ n@0 ,1FpՒ0!>}nXx锦7`hsمK 'hGcCJ$׎2Gʻ#*`Xk߄cr\ llZ.M@#*,B"Q*b́fUF|ϔ5dN\>S@$ķ_@܍p;GW:d6w+7b~?Z? @B^0e9hN q=,u1BÈېK!J~e)q6c21X^{!] y9*Fl+уvS7= Zh&5* dohrc "Ru]vY~{ʥ;IQc({Jܞq$cBXpB~g['Ri!80K6(wwn'=N<) >qP#/40pHOkTI ن-9 S[uqWN>q3:i}k͆5}u$5짞9<8GP3/m.F6m(ZS=!*lezP9f_#r'kʹ.&g -4 $9딚WNHlA dN"ecgJ"M"-ŧ/ےC9d)ķҿrӥQb_'B'@94i=f8/'ďPHbJ՗\JL E|D ա֍H-= )|Lm=aQzx\$ax/KjppPjln+$~XGgR\#7HXanKͷJ6-0A,;2 "D>RdxzEakE@ *&/\_SM/iܴuǾP2Sv 邺-1y Ƣ9AT2em$ϖ,/֙HYXǚϳv&x=,X VsnvԨWxW2E!>#p9N y&#Hs\ot}./~0%5֩rk+@H/Uj}py=- ~.u-.s ҩ*ic,#d| %Ȗ$]/FtEwWalz97_̣W%j$L}J?,Q&7*/ɾ h&ꢗz2_Nq1i8,ռ(-pQ *vmy^UeasVK[Tu-Dn㬗{Ya!)`6 3AIt㒨e01=u| 96-wྡD|65J0 28rς0o;}upr6 Q|mj#JM0Pv{wgFDh":76lex:rC<=(>&W d=.Ӷ95 u.$3͘/W[| V:աzh.gzB6ʫ$,=^i(l*+Ixc8?ѷ&K-frsyڍKtB?f-S>h{DI 06&kFvƝ{d ͬmpC__zl.=EG)-MFN3gS II߰S)8О/_ /YVa%hUv+REHކPcy\$^UfxN # $B(&Xk9DMNQ " }f2Mm{BjMPϰpk^YkANE04rMR5w&B䌰ۗ{WflvsJ'&TEln6d֏A{gǮ2wUԶsbN X{aڭjU}i,.zj *D?P;RKyM;uKVUZ]j0Lg2/0.UA{+Ů1.bY" ԉ}Zoc`c +tQj Sj2%_$*E-Z3Yے P}/=, uG/PJy0ٖJu-B@ay};MTW(1 M8<9X;$kr.8ﯞOQŠ(>~2$(MxU't79V׾Hq=7ۉ jQw%Jp%]4$@!_A :E%۔_u~o4ὣ883,`n[\0/eݷ ix(B(NSԾD3ʧ+t8PJ[&w4%Vh!nzY7cso5d*iLj2gn]\d\s7ZHB"7QcӵْtM5c (_VȘzӐ{>wBEز+]l~,7zu_!^~Ǎh1#ҍNxUՏ7x,ju v,qF#RAry:qfOZ"BkZ ɣqyVPK{ڭ~҇wM+cXYa鱘2ʶ-;jOIpq Rl 2*cz 2Q7M{·zGs}ָ| V?6,i jlWk>k ^! я㙮?MJCxonݵiRv0:ȷY;22 t?0"w֦Xckԃ&oQߒ 'yrw+^~~NH!o_Iџ˷C|/*I(r |b,cc25m{ =-:œH FcUsQLMsuFr~M56"ʔ[%5Ӧo"ZSzxwsE2?էI;аvMV2h{G|RfךDQ €n41 ѥ)q|騉k}aRQ;X/X7\-=&81 p`$8q.F~9t iE_#Ĉ]=-H  ١cr[@{}O<QĤU n 5kJzP cN:WXQTR†Pђ8bmMaga@ftLPgiYYFh 'G] Cy^yW,սT%R=0vA${IeC@K<6)+ACK+drו]$7:#v9jk`y^MZEzr DdiѺޕDvBR?Bb yDZrWqD# *,-DOW@(߈,*UQ93U%*c i杘LP N^Q%WV>p&0'2ri%1(s ąnEKs~TtdJ`d's}#O)v#QozE$ꄆ}9O?Pk-r)3#R`Y^sv9Of!(ǫW&䙘)`(RQ@t' h*s.z环_}}L"i5&o9Cv^J^]kfk/ OPgt>ɨՈ;+wkEXu%߿nv͉xya\u tN#>3.Wn$ݐ TAe7lG2 3z>q^H3N{ڕ7ygX?)~h_D MqFu?c[ {L+K?6E:Dݺdn5Smw8u/@68N˭́fœ?3,NAPgʹR73=x8WlMί]%yH=o[C' hޒ'dJ(~ Wژ@ͺGضq>]EqXH իn)rUlPz6n|hnA ul-߬VF RT?(Re#M\]d~KRjf|K Ac\ϼ8qR);_$ L-Dq~z}(kU!|ň 0~5 'sPōy]Lq3Fx֩"v)c(B}RYfa '4qbdnU32Z9jaWtŚ=u.BL-M(=j&odz$TosسN"b<,3rWmNv4cI(Q&sҳd>H_C wH8f|F[JRLZJ $0Ek)7O='J2>x~׈eJúrNժjp|7EAכR!Ei uqec!Җ5!*^drD#mHS?v$}w݆J1v덹džI4D+@X@Ot KX28T&&,K]]sQ=ˆPҰ,5I[`_L1Gމn$ŭZtly@M%/F*ȴ!)=!t}"` 2guRQvTs3B@ᖭ~UѢ".)8ȿ9V| H UV.er]n> g<"̢b՚91^s%^ahh?ۚG|.\lo%Td2?/gұ n=f۷{.Ȅ/p{[L!} U%pS|N(ֆAq$t fӄ}^@})^FF&k&Oնk@A`Lr UEMES<OK]EAi8Q\g8:=]qzDJh3k-W4N+ ׺|7wNCMv9TӴhDyҲʲNbY &7 tRS.o5%1vQ@2EueW?Xϔѹq' &+W;L bǘf32  G=ԺѕƷ5MMB=rf:Q,~ȒwPe>7:cѕ*#uU}0%Ч\QKm2~Y ! !k .љ[) kCGu_%}s eHtxK:~1Kǃ8L;rn,ABiپ6L=v G87Q[kt(|bmaJk!@?5X`61|y}u5 M~_h_`hy;;2=ḍ AE~eO]|d(FIg:^0[.mTCq< +/TQj f(JHH8c}jT~]=Bw/_vsTukop[gBۃnD1R[4NzQ-p!ީQݔ)FQy0f^X8 +$LrŸmOM?-sL:_?{ݚ B1!5(w{RPgqK  W90|{Vy~`_JPlV7;R$H8NV-efxtte-}S]g ,nZ2ǭcJ(\YFoYs-\C !a3eS¬/ޛ ʮCh!@qLCMk/)U_V_6 CK͜{c1_(SmC`O$F$rfNzIagr'Ӊ` p2%@0FbᠬRXsdHo1JH+ YW:qZuAC0f_a@mWIl`(NZ'$-<2kGx?8[G`W$W*8ɴO Rg*C4gY;ut Acq  4{\oE֟<8 I&Co0 OWoY:x8e%r| ]IԯR(GnPzPr"CWs\!UKdZ eX; ϾԦ ՑoDŁUS,1)6kY8R<Ϻi2oSǑNU)X% \忋HZ~éǴ%N:LFXJXOazN_,ȋo@s!"!n_nAy}GUY eX:6͟# ecUiGxh%19AK~,Z8 q0nnCp8E\*+}.y4cG|{Kߜ$)ܿGz2JF*r^m1Y:Qa@}&4,>?oŃ\3%knT%')"s!&m&%vOXɩ6nӃ"€ho̩gM˼PcN}8ǺI|3gߗw)-.&"fx;쐤pbcYh$';{E&.LLҎ5_3zkkãKmaj=!r*t2Ո-7b-e`Lj IƜo+ ظ?R[a@]]?SMʸWbS'"rZiv#Rtj0;D)%we ޗ3PrD Naj_6jq0 "G V̂Qq(bM-Y@g]j|H -R< ?Q1ȻfoY4((ZؽBe@X3X Ş70P!ҼB):TEXË̈́kqaP2 ; 㪋ZU-#M,xK\6Ңl $~i y:oXOwT :r,]KM=|CU<W6CXR<,`䤓g,ECmu#EghlY 5k?'8$,O+/c;J:~xݲU VPI Wo+o,q5ϞpJ9hi!"ip.9@S 2Y]2`a:C.٘Wq9A(9 H,}eQԞ;Q`& ֭Ϸp]H+#9?dy Q?}r-gH$][''|!}tjF OۭFM WlxC\a2{$V~)9OABQ1_ul!8fP^ڱVY' ߨwTڕUvYC ?$l&}b!+ SB~s!ǨV%;'ST Hy wI'k=VL(\+@>9xjoI ?4+c(xƈِ̲!+3#NzU<\~iEWoݶZ.oq30. 1Z 콤Hs?y.y4D,(zF ݤ1&)^420pѦxo D!&e١[bì7 mI=deDq\BfSZ-TΗu)o~[~pF6DwG4WUI^ª|>p T;[ZPVɡ2ꂻSW1\Z1'ViNe}. R(g޸ (觕߾1, ABU9^FNYnM4B6(:bPCP'9nx 7%%Jyc~C 1΄ l 4R: 23m R $z@A}3񭵰Ԣŏ ov9yB\Y=7HQ ^NtlkR4(t0_=Wʒ֡-. # J)W;xB08 ʙh fюQ"nר#Uw~*) eܒ\EI5ڈ͆9{+ChqO0;7| vp0GR;9i?]D.;ݣ~j yw BsRZ,y?^g,~/Y?>nYhe-(W0( >LY#VU2wxnrsù6t@-Ii+~畍Ip(}xDwi,Cٶ=UG߻dO ; {ɫaC ĶhA:o d)f1ub놑ȹ3,ц)\8?N݋79ϐz/IXV(ϷE#ŷ iBȂE8Ik2)X5jT4ji~?@r &xTI2́ɫj-1rԄAw" ԨԾx.ē7wM%WX7SpacH0U`Ն@#MMB-rtܺ C~űX}P_k$BT6-N+90utWmh6` (D "Sڷ1v1M`b? dt%L:hVLm(ߎZ"#֚d`%`=q XWހzX9Uʋic&u_dz*h)cAU }v