diff --git a/.clevis.metadata b/.clevis.metadata
new file mode 100644
index 0000000..ba8f886
--- /dev/null
+++ b/.clevis.metadata
@@ -0,0 +1 @@
+dc2e95d0c0ce9118bc01b3872869657b0d43f1bc SOURCES/clevis-18.tar.xz
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f29345d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/clevis-18.tar.xz
diff --git a/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch b/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
new file mode 100644
index 0000000..6c865e2
--- /dev/null
+++ b/SOURCES/0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
@@ -0,0 +1,47 @@
+From 95f25c355fc13727410ccacaa618caf6af5d5eba Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Mon, 3 May 2021 22:36:36 -0300
+Subject: [PATCH] sss: use BN_set_word(x, 0) instead of BN_zero()
+
+Different OpenSSL versions define BN_zero() differently -- sometimes
+returning an integer, sometimes as void --, so let's use instead
+BN_set_word() instead, not to have issues when building with these
+different versions.
+---
+ src/pins/sss/sss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/pins/sss/sss.c b/src/pins/sss/sss.c
+index a37215d..7486d6c 100644
+--- a/src/pins/sss/sss.c
++++ b/src/pins/sss/sss.c
+@@ -214,7 +214,7 @@ sss_point(const json_t *sss, size_t *len)
+     if (BN_rand_range(xx, pp) <= 0)
+         return NULL;
+ 
+-    if (BN_zero(yy) <= 0)
++    if (BN_set_word(yy, 0) <= 0)
+         return NULL;
+ 
+     for (size_t i = 0; i < json_array_size(e); i++) {
+@@ -272,7 +272,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
+     if (!ctx || !pp || !acc || !tmp || !k)
+         return NULL;
+ 
+-    if (BN_zero(k) <= 0)
++    if (BN_set_word(k, 0) <= 0)
+         return NULL;
+ 
+     len = jose_b64_dec(p, NULL, 0);
+@@ -303,7 +303,7 @@ sss_recover(const json_t *p, size_t npnts, const uint8_t *pnts[])
+ 
+             /* acc *= (0 - xi) / (xo - xi) */
+ 
+-            if (BN_zero(tmp) <= 0)
++            if (BN_set_word(tmp, 0) <= 0)
+                 return NULL;
+ 
+             if (BN_mod_sub(tmp, tmp, xi, pp, ctx) <= 0)
+-- 
+2.31.1
+
diff --git a/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
new file mode 100644
index 0000000..1fc7016
--- /dev/null
+++ b/SOURCES/0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
@@ -0,0 +1,41 @@
+From d3010c89a8f516a0c9695a939a8cccca0918da2b Mon Sep 17 00:00:00 2001
+From: Sergio Correia <scorreia@redhat.com>
+Date: Fri, 29 Oct 2021 12:04:46 -0300
+Subject: [PATCH 2/2] systemd: account for unlocking failures in
+ clevis-luks-askpass (#343)
+
+As unlock may fail for some reason, e.g. the network is not up yet,
+one way cause problems would be to add extra `rd.luks.uuid' params
+to the cmdline, which would then cause such devices to be unlocked
+in early boot. If the unlocking fail, those devices might not be
+accounted for in the clevis_devices_to_unlock() check, as it is
+based on crypttab.
+
+Let's make sure there are no pending ask.* sockets waiting to be
+answered, before exiting.
+
+Related: https://bugzilla.redhat.com/show_bug.cgi?id=1878892
+---
+ src/luks/systemd/clevis-luks-askpass.in | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/systemd/clevis-luks-askpass.in b/src/luks/systemd/clevis-luks-askpass.in
+index 8f54859..a6699c9 100755
+--- a/src/luks/systemd/clevis-luks-askpass.in
++++ b/src/luks/systemd/clevis-luks-askpass.in
+@@ -67,8 +67,11 @@ while true; do
+     done
+ 
+     [ "${loop}" != true ] && break
++
+     # Checking for pending devices to be unlocked.
+-    if remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]; then
++    remaining_crypttab=$(clevis_devices_to_unlock) ||:
++    remaining_askfiles=$(ls "${path}"/ask.* 2>/dev/null) ||:
++    if [ -z "${remaining_crypttab}" ] && [ -z "${remaining_askfiles}" ]; then
+         break;
+     fi
+ 
+-- 
+2.33.1
+
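Review bot: In the clevis-luks-askpass loop, `remaining_crypttab=$(clevis_devices_to_unlock) ||:` throws away the helper's exit status, whereas the replaced condition `remaining=$(clevis_devices_to_unlock) && [ -z "${remaining}" ]` only broke out of the loop when the helper had succeeded. The helper's body is not shown here, but if it can fail while printing nothing, the script now exits with devices still locked whenever no ask.* file happens to exist at that moment. Keeping the status would preserve the old guarantee, for example `remaining_crypttab=$(clevis_devices_to_unlock) || remaining_crypttab=unknown`, so that a failed lookup is never read as "nothing left to unlock". The `while true` loop starts above the hunk, so the retry and sleep behaviour around this check should be confirmed against the full script.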
diff --git a/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch b/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
new file mode 100644
index 0000000..be4608c
--- /dev/null
+++ b/SOURCES/0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
@@ -0,0 +1,49 @@
+From 76ad9b21b61627a728bc9499821cf8e09446725d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
+Date: Thu, 21 Oct 2021 13:58:52 +0200
+Subject: [PATCH 4/4] luks: explicitly specify pbkdf iterations to cryptsetup
+
+This fixes an Out of memory error when the system has not much memory,
+such as a VM configured with 2GB currently being installed through the
+network (hence having ~1GB free memory only).
+See RHBZ #1979256 (https://bugzilla.redhat.com/show_bug.cgi?id=1979256).
+---
+ src/luks/clevis-luks-common-functions.in | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/luks/clevis-luks-common-functions.in b/src/luks/clevis-luks-common-functions.in
+index d53d2ab..360eb7e 100644
+--- a/src/luks/clevis-luks-common-functions.in
++++ b/src/luks/clevis-luks-common-functions.in
+@@ -760,10 +760,12 @@ clevis_luks_add_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     printf '%s' "${input}" | cryptsetup luksAddKey --batch-mode \
+                                          --key-slot "${SLT}" \
+                                          "${DEV}" \
++                                         ${pbkdf_args} \
+                                          ${extra_args}
+ }
+ 
+@@ -792,11 +794,14 @@ clevis_luks_update_key() {
+         extra_args="$(printf -- '--key-file %s' "${KEYFILE}")"
+         input="$(printf '%s' "${NEWKEY}")"
+     fi
++    local pbkdf_args="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+ 
+     if [ -n "${in_place}" ]; then
+         printf '%s' "${input}" | cryptsetup luksChangeKey "${DEV}" \
+                                             --key-slot "${SLT}" \
+-                                            --batch-mode ${extra_args}
++                                            --batch-mode \
++                                            ${pbkdf_args} \
++                                            ${extra_args}
+         return
+     fi
+ 
+-- 
+2.33.1
+
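Review bot: `pbkdf_args` hard-codes `--pbkdf pbkdf2 --pbkdf-force-iterations 1000` in both clevis_luks_add_key and clevis_luks_update_key without any comment, and that is a very low key-stretching cost for a LUKS key slot. It is only acceptable if NEWKEY is always a machine-generated, high-entropy secret. The callers are outside this patch, so that should be confirmed and recorded next to the assignment, e.g. `# Minimal PBKDF cost is deliberate: NEWKEY is a generated high-entropy key, never a user passphrase; avoids OOM on low-memory hosts.` Both functions repeat the same literal, so one shared definition would keep them from drifting apart. The unquoted `${pbkdf_args}` relies on word splitting, which is fine for this fixed string but worth stating so it is not quoted later by mistake.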
diff --git a/SOURCES/0005-tang-dump-url-on-error-communication.patch b/SOURCES/0005-tang-dump-url-on-error-communication.patch
new file mode 100644
index 0000000..c8224bb
--- /dev/null
+++ b/SOURCES/0005-tang-dump-url-on-error-communication.patch
@@ -0,0 +1,16 @@
+--- clevis-18.ori/src/pins/tang/clevis-decrypt-tang	2021-04-15 13:00:19.969067600 +0200
++++ clevis-18/src/pins/tang/clevis-decrypt-tang	2022-01-20 17:29:21.859897964 +0100
+@@ -99,10 +99,10 @@
+ 
+ xfr="$(jose jwk exc -i '{"alg":"ECMR"}' -l- -r- <<< "$clt$eph")"
+ 
+-url="$url/rec/$kid"
++rec_url="$url/rec/$kid"
+ ct="Content-Type: application/jwk+json"
+-if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$url" <<< "$xfr")"; then
+-    echo "Error communicating with the server!" >&2
++if ! rep="$(curl -sfg -X POST -H "$ct" --data-binary @- "$rec_url" <<< "$xfr")"; then
++    echo "Error communicating with the server $url" >&2
+     exit 1
+ fi
+ 
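Review bot: This patch file carries no From/Date/Subject header and no upstream commit or bug reference, unlike the other patches added under SOURCES, so its origin and rationale cannot be checked from the file itself. A short header naming the tracked bug or upstream change would fix that. In the new error path curl still runs with `-s` and without `-S`, so the message names the server but not why the request failed; `curl -sSfg -X POST ...` keeps progress output off while letting curl's own error text reach stderr. `$url` is assigned above the hunk; if it can contain userinfo or tokens, echoing it puts them into boot logs, so confirm what it may hold.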
diff --git a/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch b/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch
new file mode 100644
index 0000000..811006f
--- /dev/null
+++ b/SOURCES/0006-feat-rename-the-test-pin-to-null-pin.patch
@@ -0,0 +1,213 @@
+From f668840e22e45ac8b16d770072b4395a155d089c Mon Sep 17 00:00:00 2001
+From: Antonio Murdaca <runcom@linux.com>
+Date: Wed, 1 Dec 2021 14:17:53 +0100
+Subject: [PATCH 6/6] feat: rename the test pin to null pin
+
+Signed-off-by: Antonio Murdaca <runcom@linux.com>
+---
+ src/initramfs-tools/hooks/clevis.in           |  1 +
+ .../dracut/clevis-pin-null/meson.build        | 14 ++++++++++
+ .../dracut/clevis-pin-null/module-setup.sh.in | 28 +++++++++++++++++++
+ src/luks/systemd/dracut/meson.build           |  1 +
+ ...levis-decrypt-test => clevis-decrypt-null} |  4 +--
+ ...levis-encrypt-test => clevis-encrypt-null} |  4 +--
+ src/pins/sss/meson.build                      |  5 +++-
+ src/pins/sss/{pin-test => pin-null}           |  4 +--
+ src/pins/sss/pin-sss                          | 12 ++++----
+ 9 files changed, 60 insertions(+), 13 deletions(-)
+ create mode 100644 src/luks/systemd/dracut/clevis-pin-null/meson.build
+ create mode 100755 src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+ rename src/pins/sss/{clevis-decrypt-test => clevis-decrypt-null} (88%)
+ rename src/pins/sss/{clevis-encrypt-test => clevis-encrypt-null} (90%)
+ rename src/pins/sss/{pin-test => pin-null} (53%)
+
+diff --git a/src/initramfs-tools/hooks/clevis.in b/src/initramfs-tools/hooks/clevis.in
+index 7e6d2b3..8d60d05 100755
+--- a/src/initramfs-tools/hooks/clevis.in
++++ b/src/initramfs-tools/hooks/clevis.in
+@@ -58,6 +58,7 @@ fi
+ 
+ copy_exec @bindir@/clevis-decrypt-tang || die 1 "@bindir@/clevis-decrypt-tang not found"
+ copy_exec @bindir@/clevis-decrypt-sss || die 1 "@bindir@/clevis-decrypt-sss not found"
++copy_exec @bindir@/clevis-decrypt-null || die 1 "@bindir@/clevis-decrypt-null not found"
+ copy_exec @bindir@/clevis-decrypt || die 1 "@bindir@/clevis-decrypt not found"
+ copy_exec @bindir@/clevis-luks-common-functions || die 1 "@bindir@/clevis-luks-common-functions not found"
+ copy_exec @bindir@/clevis-luks-list || die 1 "@bindir@/clevis-luks-list not found"
+diff --git a/src/luks/systemd/dracut/clevis-pin-null/meson.build b/src/luks/systemd/dracut/clevis-pin-null/meson.build
+new file mode 100644
+index 0000000..107e3ba
+--- /dev/null
++++ b/src/luks/systemd/dracut/clevis-pin-null/meson.build
+@@ -0,0 +1,14 @@
++dracut = dependency('dracut', required: false)
++
++if dracut.found()
++  dracutdir = dracut.get_pkgconfig_variable('dracutmodulesdir') + '/60' + meson.project_name() + '-pin-null'
++
++  configure_file(
++    input: 'module-setup.sh.in',
++    output: 'module-setup.sh',
++    install_dir: dracutdir,
++    configuration: data,
++  )
++else
++  warning('Will not install dracut module clevis-pin-null due to missing dependencies!')
++endif
+diff --git a/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+new file mode 100755
+index 0000000..6a16078
+--- /dev/null
++++ b/src/luks/systemd/dracut/clevis-pin-null/module-setup.sh.in
+@@ -0,0 +1,28 @@
++#!/bin/bash
++# vim: set tabstop=8 shiftwidth=4 softtabstop=4 expandtab smarttab colorcolumn=80:
++#
++# Copyright (c) 2016 Red Hat, Inc.
++# Author: Nathaniel McCallum <npmccallum@redhat.com>
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program.  If not, see <http://www.gnu.org/licenses/>.
++#
++
++depends() {
++    echo clevis
++    return 0
++}
++
++install() {
++    inst clevis-decrypt-null
++}
+diff --git a/src/luks/systemd/dracut/meson.build b/src/luks/systemd/dracut/meson.build
+index fdb264b..7ad5b14 100644
+--- a/src/luks/systemd/dracut/meson.build
++++ b/src/luks/systemd/dracut/meson.build
+@@ -2,3 +2,4 @@ subdir('clevis')
+ subdir('clevis-pin-tang')
+ subdir('clevis-pin-tpm2')
+ subdir('clevis-pin-sss')
++subdir('clevis-pin-null')
+diff --git a/src/pins/sss/clevis-decrypt-test b/src/pins/sss/clevis-decrypt-null
+similarity index 88%
+rename from src/pins/sss/clevis-decrypt-test
+rename to src/pins/sss/clevis-decrypt-null
+index f0e9249..a6217ed 100755
+--- a/src/pins/sss/clevis-decrypt-test
++++ b/src/pins/sss/clevis-decrypt-null
+@@ -22,11 +22,11 @@
+ 
+ read -r -d . hdr
+ 
+-if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "test" ]; then
++if [ "$(jose fmt -q "$hdr" -SyOg clevis -g pin -u-)" != "null" ]; then
+     echo "JWE pin mismatch!" >&2
+     exit 1
+ fi
+ 
+-jwk="$(jose fmt -q "$hdr" -SyOg clevis -g test -g jwk -Oo-)" || exit 1
++jwk="$(jose fmt -q "$hdr" -SyOg clevis -g null -g jwk -Oo-)" || exit 1
+ 
+ exec jose jwe dec -k- -i- < <(echo -n "$jwk$hdr."; /bin/cat)
+diff --git a/src/pins/sss/clevis-encrypt-test b/src/pins/sss/clevis-encrypt-null
+similarity index 90%
+rename from src/pins/sss/clevis-encrypt-test
+rename to src/pins/sss/clevis-encrypt-null
+index bd2d6ec..af182a5 100755
+--- a/src/pins/sss/clevis-encrypt-test
++++ b/src/pins/sss/clevis-encrypt-null
+@@ -26,10 +26,10 @@ if ! cfg="$(jose fmt -j "$1" -Oo- 2>/dev/null)"; then
+ fi
+ 
+ jwk="$(jose jwk gen -i '{"alg":"A256GCM"}')"
+-jwe='{"protected":{"clevis":{"pin":"test","test":{}}}}'
++jwe='{"protected":{"clevis":{"pin":"null","null":{}}}}'
+ 
+ if ! jose fmt -j "$cfg" -g fail -T; then
+-    jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g test -j "$jwk" -Os jwk -UUUUo-)"
++    jwe="$(jose fmt -j "$jwe" -Og protected -g clevis -g null -j "$jwk" -Os jwk -UUUUo-)"
+ fi
+ 
+ exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat)
+diff --git a/src/pins/sss/meson.build b/src/pins/sss/meson.build
+index 7f20eea..2a5295a 100644
+--- a/src/pins/sss/meson.build
++++ b/src/pins/sss/meson.build
+@@ -28,8 +28,11 @@ if jansson.found() and libcrypto.found()
+     separator: ':'
+   )
+ 
++  bins += join_paths(meson.current_source_dir(), 'clevis-encrypt-null')
++  bins += join_paths(meson.current_source_dir(), 'clevis-decrypt-null')
++
+   test('pin-sss', find_program(join_paths(src, 'pin-sss')), env: env)
+-  test('pin-test', find_program(join_paths(src, 'pin-test')), env: env)
++  test('pin-null', find_program(join_paths(src, 'pin-null')), env: env)
+ else
+   warning('Will not install sss pin due to missing dependencies!')
+ endif
+diff --git a/src/pins/sss/pin-test b/src/pins/sss/pin-null
+similarity index 53%
+rename from src/pins/sss/pin-test
+rename to src/pins/sss/pin-null
+index 50c8c67..b14ac63 100755
+--- a/src/pins/sss/pin-test
++++ b/src/pins/sss/pin-null
+@@ -2,9 +2,9 @@
+ 
+ trap 'exit' ERR
+ 
+-e="$(echo -n hi | clevis encrypt test '{}')"
++e="$(echo -n hi | clevis encrypt null '{}')"
+ d="$(echo -n "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo -n hi | clevis encrypt test '{"fail":true}')"
++e="$(echo -n hi | clevis encrypt null '{"fail":true}')"
+ ! echo "$e" | clevis decrypt
+diff --git a/src/pins/sss/pin-sss b/src/pins/sss/pin-sss
+index 5c0b8cf..24da052 100755
+--- a/src/pins/sss/pin-sss
++++ b/src/pins/sss/pin-sss
+@@ -1,24 +1,24 @@
+ #!/bin/bash -ex
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{},{"fail":true}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{}]}}')"
+ d="$(echo "$e" | clevis decrypt)"
+ test "$d" == "hi"
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+-e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"test":[{"fail":true},{"fail":true}]}}')"
++e="$(echo hi | clevis encrypt sss '{"t":2,"pins":{"null":[{"fail":true},{"fail":true}]}}')"
+ ! echo "$e" | clevis decrypt
+ 
+ ! e="$(echo hi | clevis encrypt sss '{"t":1,"pins":{"tang":[{"url":"foo bar"}]}}')"
+-- 
+2.33.1
+
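Review bot: clevis-encrypt-null stores the freshly generated JWK inside the JWE's protected header (`-g null -j "$jwk" -Os jwk`) and clevis-decrypt-null reads it back from there, so a `null` binding gives no confidentiality. This patch nevertheless promotes it from a test helper to an installed binary that is also copied into the initramfs and given its own dracut module. Nothing in the patch documents that property: neither script has a comment about it and no man page is added. I would add a header comment to both scripts, e.g. `# The null pin keeps the key in the JWE header: anyone who can read the JWE can decrypt it. Use only where that is intended.`, and repeat it in the user documentation. The pin-sss tests show a null pin satisfying an sss threshold on its own (`"t":1,"pins":{"null":[{},{}]}`), so the documentation should also say that null entries count toward `t`.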
diff --git a/SOURCES/clevis.sysusers b/SOURCES/clevis.sysusers
new file mode 100644
index 0000000..492bdeb
--- /dev/null
+++ b/SOURCES/clevis.sysusers
@@ -0,0 +1 @@
+u clevis - "Clevis Decryption Framework unprivileged user" /var/cache/clevis /usr/sbin/nologin
diff --git a/SPECS/clevis.spec b/SPECS/clevis.spec
new file mode 100644
index 0000000..02cdc20
--- /dev/null
+++ b/SPECS/clevis.spec
@@ -0,0 +1,396 @@
+Name:           clevis
+Version:        18
+Release:        102%{?dist}
+Summary:        Automated decryption framework
+
+License:        GPLv3+
+URL:            https://github.com/latchset/%{name}
+Source0:        https://github.com/latchset/%{name}/releases/download/v%{version}/%{name}-%{version}.tar.xz
+Source1:        clevis.sysusers
+
+Patch0001: 0001-sss-use-BN_set_word-x-0-instead-of-BN_zero.patch
+Patch0002: 0002-systemd-account-for-unlocking-failures-in-clevis-luk.patch
+Patch0004: 0004-luks-explicitly-specify-pbkdf-iterations-to-cryptset.patch
+Patch0005: 0005-tang-dump-url-on-error-communication.patch
+Patch0006: 0006-feat-rename-the-test-pin-to-null-pin.patch
+
+BuildRequires:  git-core
+BuildRequires:  gcc
+BuildRequires:  meson
+BuildRequires:  asciidoc
+BuildRequires:  ninja-build
+BuildRequires:  bash-completion
+
+BuildRequires:  libjose-devel >= 8
+BuildRequires:  libluksmeta-devel >= 8
+BuildRequires:  audit-libs-devel
+BuildRequires:  libudisks2-devel
+BuildRequires:  openssl-devel
+
+BuildRequires:  tpm2-tools >= 4.0.0
+BuildRequires:  desktop-file-utils
+BuildRequires:  pkgconfig
+BuildRequires:  systemd
+BuildRequires:  systemd-rpm-macros
+BuildRequires:  dracut
+BuildRequires:  tang >= 6
+BuildRequires:  curl
+BuildRequires:  cracklib-dicts
+BuildRequires:  luksmeta
+BuildRequires:  openssl
+BuildRequires:  diffutils
+BuildRequires:  cryptsetup
+BuildRequires:  jq
+
+Requires:       tpm2-tools >= 4.0.0
+Requires:       coreutils
+Requires:       jose >= 8
+Requires:       curl
+Requires:       jq
+Requires(pre):  shadow-utils
+Recommends:     cracklib-dicts
+
+%description
+Clevis is a framework for automated decryption. It allows you to encrypt
+data using sophisticated unlocking policies which enable decryption to
+occur automatically.
+
+The clevis package provides basic encryption/decryption policy support.
+Users can use this directly; but most commonly, it will be used as a
+building block for other packages. For example, see the clevis-luks
+and clevis-dracut packages for automatic root volume unlocking of LUKSv1
+volumes during early boot.
+
+%package luks
+Summary:        LUKS integration for clevis
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       cryptsetup
+Requires:       luksmeta >= 8
+
+%description luks
+LUKS integration for clevis. This package allows you to bind a LUKS
+volume to a clevis unlocking policy. For automated unlocking, an unlocker
+will also be required. See, for example, clevis-dracut and clevis-udisks2.
+
+%package systemd
+Summary:        systemd integration for clevis
+Requires:       %{name}-luks%{?_isa} = %{version}-%{release}
+%if 0%{?fedora} > 27
+Requires:       systemd%{?_isa} >= 235-3
+%else
+%if 0%{?fedora} == 27
+Requires:       systemd%{?_isa} >= 234-9
+%else
+%if 0%{?fedora} == 26
+Requires:       systemd%{?_isa} >= 233-7
+%else
+Requires:       systemd%{?_isa} >= 236
+%endif
+%endif
+%endif
+
+%description systemd
+Automatically unlocks LUKS _netdev block devices from /etc/crypttab.
+
+%package dracut
+Summary:        Dracut integration for clevis
+Requires:       %{name}-systemd%{?_isa} = %{version}-%{release}
+Requires:       dracut-network
+
+%description dracut
+Automatically unlocks LUKS block devices in early boot.
+
+%package udisks2
+Summary:        UDisks2/Storaged integration for clevis
+Requires:       %{name}-luks%{?_isa} = %{version}-%{release}
+
+%description udisks2
+Automatically unlocks LUKS block devices in desktop environments that
+use UDisks2 or storaged (like GNOME).
+
+%prep
+%autosetup -S git
+
+%build
+%meson -Duser=clevis -Dgroup=clevis
+%meson_build
+
+%install
+%meson_install
+install -p -D -m 0644 %{SOURCE1} %{buildroot}%{_sysusersdir}/clevis.conf
+
+%check
+desktop-file-validate \
+  %{buildroot}/%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%meson_test
+
+%pre
+%sysusers_create_compat %{SOURCE1}
+# Add clevis user to tss group.
+if getent group tss >/dev/null && ! groups %{name} | grep -q "\btss\b"; then
+    usermod -a -G tss %{name} &>/dev/null
+fi
+exit 0
+
+%posttrans
+# In case the clevis-luks-askpass is enabled, make sure it's using the
+# correct target, which changed in v14.
+[ "$(find /etc/systemd/system/ -name "clevis-luks-askpass*")" ] || exit 0
+find /etc/systemd/system/ -name "clevis-luks-askpass*" \
+     | grep -q cryptsetup.target.wants && exit 0
+
+find /etc/systemd/system/ -name "clevis-luks-askpass*" -exec rm {} +
+systemctl enable clevis-luks-askpass.path >/dev/null 2>&1 || :
+exit 0
+
+%files
+%license COPYING
+%{_datadir}/bash-completion/
+%{_bindir}/%{name}-decrypt-tang
+%{_bindir}/%{name}-decrypt-tpm2
+%{_bindir}/%{name}-decrypt-sss
+%{_bindir}/%{name}-decrypt-null
+%{_bindir}/%{name}-decrypt
+%{_bindir}/%{name}-encrypt-tang
+%{_bindir}/%{name}-encrypt-tpm2
+%{_bindir}/%{name}-encrypt-sss
+%{_bindir}/%{name}-encrypt-null
+%{_bindir}/%{name}
+%{_mandir}/man1/%{name}-encrypt-tang.1*
+%{_mandir}/man1/%{name}-encrypt-tpm2.1*
+%{_mandir}/man1/%{name}-encrypt-sss.1*
+%{_mandir}/man1/%{name}-decrypt.1*
+%{_mandir}/man1/%{name}.1*
+%{_sysusersdir}/clevis.conf
+
+%files luks
+%{_mandir}/man7/%{name}-luks-unlockers.7*
+%{_mandir}/man1/%{name}-luks-unlock.1*
+%{_mandir}/man1/%{name}-luks-unbind.1*
+%{_mandir}/man1/%{name}-luks-bind.1*
+%{_mandir}/man1/%{name}-luks-list.1.*
+%{_mandir}/man1/%{name}-luks-edit.1.*
+%{_mandir}/man1/%{name}-luks-regen.1.*
+%{_mandir}/man1/%{name}-luks-report.1.*
+%{_mandir}/man1/%{name}-luks-pass.1.*
+%{_bindir}/%{name}-luks-unlock
+%{_bindir}/%{name}-luks-unbind
+%{_bindir}/%{name}-luks-bind
+%{_bindir}/%{name}-luks-common-functions
+%{_bindir}/%{name}-luks-list
+%{_bindir}/%{name}-luks-edit
+%{_bindir}/%{name}-luks-regen
+%{_bindir}/%{name}-luks-report
+%{_bindir}/%{name}-luks-pass
+
+%files systemd
+%{_libexecdir}/%{name}-luks-askpass
+%{_unitdir}/%{name}-luks-askpass.path
+%{_unitdir}/%{name}-luks-askpass.service
+
+%files dracut
+%{_prefix}/lib/dracut/modules.d/60%{name}
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-null/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-sss/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tang/module-setup.sh
+%{_prefix}/lib/dracut/modules.d/60%{name}-pin-tpm2/module-setup.sh
+
+%files udisks2
+%{_sysconfdir}/xdg/autostart/%{name}-luks-udisks2.desktop
+%attr(4755, root, root) %{_libexecdir}/%{name}-luks-udisks2
+
+%changelog
+* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-102
+- Support a null pin
+  Resolves: rhbz#2028091
+
+* Wed Jan 26 2022 Sergio Correia <scorreia@redhat.com> - 18-101
+- Revert "Enable debugging in clevis scripts when rd.debug is set"
+  Related: rhbz#2022420
+
+* Thu Jan 20 2022 Sergio Arroutbi <sarroutb@redhat.com> - 18-100
+- Dump server information on server error communication
+  Resolves: rhbz#2022423
+
+* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-7
+- Explicitly specify pbkdf iterations to cryptsetup
+  Resolves: rhbz#2022416
+
+* Tue Jan 04 2022 Sergio Correia <scorreia@redhat.com> - 18-6
+- Enable debugging in clevis scripts when rd.debug is set
+  Resolves: rhbz#2022420
+
+* Wed Nov 17 2021 Sergio Correia <scorreia@redhat.com> - 18-5
+- Account for unlocking failures in clevis-luks-askpass
+  Resolves: rhbz#2022421
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 18-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 18-3
+- Rebuilt for RHEL 9 BETA for openssl 3.0
+  Related: rhbz#1971065
+
+* Fri May 07 2021 Sergio Correia <scorreia@redhat.com> - 18-2
+- Port to OpenSSL 3
+  Resolves: rhbz#1956760
+
+* Tue May 04 2021 Sergio Correia <scorreia@redhat.com> - 18-1
+- Update to new clevis upstream release, v18
+  Resolves: rhbz#1956760
+
+* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 16-3
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Tue Mar 16 2021 Sergio Correia <scorreia@redhat.com> - 16-2
+- Fix for -t option in clevis luks bind - backport upstream commit ea0d0c20
+
+* Tue Feb 09 2021 Sergio Correia <scorreia@redhat.com> - 16-1
+- Update to new clevis upstream release, v16.
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 15-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Nov 23 08:14:40 GMT 2020 Peter Robinson <pbrobinson@fedoraproject.org> - 15-3
+- Upstream patch for tpm-tools 5.0 support
+
+* Thu Oct 29 2020 Sergio Correia <scorreia@redhat.com> - 15-2
+- Add jq to dependencies
+
+* Wed Oct 28 2020 Sergio Correia <scorreia@redhat.com> - 15-1
+- Update to new clevis upstream release, v15.
+
+* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-5
+- Suppress output in pre scriptlet when adjusting users/groups
+  Resolves: rhbz#1876729
+
+* Tue Sep 08 2020 Sergio Correia <scorreia@redhat.com> - 14-4
+- Backport upstream PR#230 - clevis-luks-askpass now exits cleanly
+  when receives a SIGTERM
+  Resolves: rhbz#1876001
+
+* Sat Sep 05 2020 Sergio Correia <scorreia@redhat.com> - 14-3
+- If clevis-luks-askpass is enabled, it may be using a wrong target,
+  since that changed in v14. Check and update it, if required.
+
+* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-2
+- Update sources file with new v14 release.
+
+* Mon Aug 31 2020 Sergio Correia <scorreia@redhat.com> - 14-1
+- Update to new clevis upstream release, v14.
+
+* Sun Aug 02 2020 Benjamin Gilbert <bgilbert@redhat.com> - 13-3
+- Downgrade cracklib-dicts to Recommends
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 13-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sun May 10 2020 Sergio Correia <scorreia@redhat.com> - 13-1
+- Update to new clevis upstream release, v13.
+
+* Thu May 07 2020 Sergio Correia <scorreia@redhat.com> - 12-4
+- cracklib-dicts should be also listed as a build dependency, since
+  it's required for running some of the tests
+
+* Mon Apr 06 2020 Sergio Correia <scorreia@redhat.com> - 12-3
+- Make cracklib-dicts a regular dependency
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 12-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Mon Jan 20 2020 Sergio Correia <scorreia@redhat.com> - 12-1
+- Update to new clevis upstream release, v12.
+
+* Thu Dec 19 2019 Sergio Correia <scorreia@redhat.com> - 11-11
+- Backport upstream PR#70 - Handle case where we try to use a partially
+  used luksmeta slot
+  Resolves: rhbz#1672371
+
+* Thu Dec 05 2019 Sergio Correia <scorreia@redhat.com> - 11-10
+- Disable LUKS2 tests for now, since they fail randomly in Koji
+  builders, killing the build
+
+* Wed Dec 04 2019 Sergio Correia <scorreia@redhat.com> - 11-9
+- Backport of upstream patches and the following fixes:
+  - Rework the logic for reading the existing key
+  - fix for different output from 'luksAddKey' command w/cryptsetup v2.0.2 (
+  - pins/tang: check that key derivation key is available
+
+* Wed Oct 30 2019 Peter Robinson <pbrobinson@fedoraproject.org> 11-8
+- Drop need network patch
+
+* Fri Sep 06 2019 Javier Martinez Canillas <javierm@redhat.com> - 11-7
+- Add support for tpm2-tools 4.0
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 11-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Dec  6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-4
+- Update patch for work around
+
+* Thu Dec  6 2018 Peter Robinson <pbrobinson@fedoraproject.org> 11-3
+- Work around network requirement for early boot
+
+* Fri Nov 09 2018 Javier Martinez Canillas <javierm@redhat.com> - 11-2
+- Delete remaining references to the removed http pin
+- Install cryptsetup and tpm2_pcrlist in the initramfs
+- Add device TCTI library to the initramfs
+  Resolves: rhbz#1644876
+
+* Tue Aug 14 2018 Nathaniel McCallum <npmccallum@redhat.com> - 11-1
+- Update to v11
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 10-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Mar 21 2018 Nathaniel McCallum <npmccallum@redhat.com> - 10-1
+- Update to v10
+
+* Tue Feb 13 2018 Nathaniel McCallum <npmccallum@redhat.com> - 9-1
+- Update to v9
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Mon Nov 13 2017 Nathaniel McCallum <npmccallum@redhat.com> - 8-1
+- Update to v8
+
+* Wed Nov 08 2017 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 7-2
+- Rebuild for cryptsetup-2.0.0
+
+* Fri Oct 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 7-1
+- Update to v7
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Tue Jun 27 2017 Nathaniel McCallum <npmccallum@redhat.com> - 6-1
+- New upstream release
+- Specify unprivileged user/group during configuration
+- Move clevis user/group creation to base clevis package
+
+* Mon Jun 26 2017 Nathaniel McCallum <npmccallum@redhat.com> - 5-1
+- New upstream release
+- Run clevis decryption from udisks2 under an unprivileged user
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 4-1
+- New upstream release
+
+* Wed Jun 14 2017 Nathaniel McCallum <npmccallum@redhat.com> - 3-1
+- New upstream release
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Nov 18 2016 Nathaniel McCallum <npmccallum@redhat.com> - 2-1
+- New upstream release
+
+* Mon Nov 14 2016 Nathaniel McCallum <npmccallum@redhat.com> - 1-1
+- First release
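Review bot: The %posttrans scriptlet matches every `clevis-luks-askpass*` entry under /etc/systemd/system/, so it cannot tell a stale enablement symlink from an administrator's override unit or a mask symlink. If none of the matches sits under cryptsetup.target.wants, it removes them all and then runs `systemctl enable clevis-luks-askpass.path`, which can silently undo a deliberate decision to keep automatic unlocking off. Limiting both the check and the removal to enablement links, e.g. `find /etc/systemd/system/ -path "*.wants/clevis-luks-askpass*" -type l -exec rm {} +`, would leave masks and overrides alone. In %files udisks2, `%attr(4755, root, root)` installs clevis-luks-udisks2 setuid root with no comment on why that is required or how the helper drops privileges, which is worth a line for future packagers.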