From bbfb0ca53efbff39cae4d93cae12881c7ff8a33a Mon Sep 17 00:00:00 2001
From: Louis Johnson
Date: Tue, 30 Jun 2026 01:35:31 +0700
Subject: [PATCH 1/4] clevis: update to 23
---
 ...uiring-systemd-reply-password-at-bui.patch | 29 +++++++++++++++++++
 ...-include-chmod-for-password-unlocker.patch | 26 +++++++++++++++++
 srcpkgs/clevis/template | 11 ++++---
 3 files changed, 62 insertions(+), 4 deletions(-)
 create mode 100644 srcpkgs/clevis/patches/0001-dracut-avoid-requiring-systemd-reply-password-at-bui.patch
 create mode 100644 srcpkgs/clevis/patches/0002-dracut-include-chmod-for-password-unlocker.patch
diff --git a/srcpkgs/clevis/patches/0001-dracut-avoid-requiring-systemd-reply-password-at-bui.patch b/srcpkgs/clevis/patches/0001-dracut-avoid-requiring-systemd-reply-password-at-bui.patch
new file mode 100644
index 00000000000000..e61fac32330e2f
--- /dev/null
+++ b/srcpkgs/clevis/patches/0001-dracut-avoid-requiring-systemd-reply-password-at-bui.patch
@@ -0,0 +1,29 @@
+From 55dd24711be711763b5eca2dcaa23d0c17bbe6cc Mon Sep 17 00:00:00 2001
+From: Owen Xie <15828145+nfusionz@users.noreply.github.com>
+Date: Sun, 31 May 2026 04:20:11 -0400
+Subject: [PATCH 1/2] dracut: avoid requiring systemd-reply-password at build
+ time
+
+Fixes dracut module issue in non-systemd environments where
+systemd-reply-password.path() is called when it doesn't exist,
+causing an error. The path isn't used for the non-systemd flow.
+---
+ src/luks/dracut/clevis/meson.build | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/luks/dracut/clevis/meson.build b/src/luks/dracut/clevis/meson.build
+index f37cc3c..e6230f3 100644
+--- a/src/luks/dracut/clevis/meson.build
++++ b/src/luks/dracut/clevis/meson.build
+@@ -5,7 +5,7 @@ if dracut.found()
+ 
+ dracut_data = configuration_data()
+ dracut_data.merge_from(data)
+- dracut_data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.path())
++ dracut_data.set('SYSTEMD_REPLY_PASS', sd_reply_pass.found() ? sd_reply_pass.path() : '')
+ 
+ configure_file(
+ input: 'module-setup.sh.in',
+--
+2.54.0
+
diff --git a/srcpkgs/clevis/patches/0002-dracut-include-chmod-for-password-unlocker.patch b/srcpkgs/clevis/patches/0002-dracut-include-chmod-for-password-unlocker.patch
new file mode 100644
index 00000000000000..bbc9c94c57b892
--- /dev/null
+++ b/srcpkgs/clevis/patches/0002-dracut-include-chmod-for-password-unlocker.patch
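Review bot: With this fallback `SYSTEMD_REPLY_PASS` can be configured as an empty string, and nothing in the inner hunk shows that `module-setup.sh.in` copes with an empty substitution; the patch description says the path is unused in the non-systemd flow, but the consuming lines are outside the hunk. The fallback also only takes effect if `sd_reply_pass` is looked up as optional, which is not visible here either. I would add a comment above the changed line, `# empty when systemd-reply-password is absent; only the systemd branch of module-setup.sh.in may read it`, and confirm that branch is guarded. Since this module ends up in the initramfs that unlocks LUKS volumes, a reference to the upstream commit or pull request in the patch header would let reviewers check the carried change against upstream.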
@@ -0,0 +1,26 @@
+From a575ea0337878708766cd074a14ea5d8be32d360 Mon Sep 17 00:00:00 2001
+From: Owen Xie <15828145+nfusionz@users.noreply.github.com>
+Date: Sun, 31 May 2026 18:43:31 -0400
+Subject: [PATCH 2/2] dracut: include chmod for password unlocker
+
+Fixes issue in non-systemd environments that may not
+have chmod included in the init environment already.
+---
+ src/luks/dracut/clevis/module-setup.sh.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/luks/dracut/clevis/module-setup.sh.in b/src/luks/dracut/clevis/module-setup.sh.in
+index 32fac41..cb0bd22 100755
+--- a/src/luks/dracut/clevis/module-setup.sh.in
++++ b/src/luks/dracut/clevis/module-setup.sh.in
+@@ -52,6 +52,7 @@ install() {
+ inst_script "$moddir"/clevis-password-unlocker-prepare /bin/clevis-password-unlocker-prepare
+ inst_multiple \
+ clevis-luks-unlock \
++ chmod \
+ blkid
+ fi
+ 
+--
+2.54.0
+
diff --git a/srcpkgs/clevis/template b/srcpkgs/clevis/template
index 4755af65a9a6c4..9e1a1425f48677 100644
--- a/srcpkgs/clevis/template
+++ b/srcpkgs/clevis/template
@@ -1,7 +1,9 @@
 # Template file for 'clevis'
 pkgname=clevis
-version=20
-revision=2
+version=23
+revision=1
+# Holds non-standard upstream version suffixes when needed.
+_subversion=tpm1u1
 build_style=meson
 hostmakedepends="asciidoc bash-completion cryptsetup curl jq keyutils pkg-config tpm2-tools"
 makedepends="bash-completion cryptsetup-devel dracut jansson-devel
@@ -11,9 +13,10 @@ short_desc="Pluggable framework for automated decryption"
 maintainer="Johannes Heimansberg "
 license="GPL-3.0-or-later WITH custom:OpenSSL-Exception"
 homepage="https://github.com/latchset/clevis"
-distfiles="https://github.com/latchset/clevis/archive/v$version/clevis-$version.tar.gz"
-checksum=67eb9cbbb9c90f9802cae76503f74f23d0046ee6570553407035e9fae3b4b4dd
+distfiles="https://github.com/latchset/clevis/archive/v${version}${subversion}/clevis-${version}${subversion}.tar.gz"
+checksum=a8a09f148d54d91aa0d21c5fa508dd1446c2a200be7679fbf6e7d19196aec164
 make_check="ci-skip" # LUKS tests fail in CI pipeline
+configure_args="-Db_ndebug=false"
 
 post_install() {
 vlicense COPYING.openssl
From f2f8b127dc39b588cff548e607d3eeb8ba6d5b1a Mon Sep 17 00:00:00 2001
From: Louis Johnson
Date: Tue, 30 Jun 2026 11:11:43 +0700
Subject: [PATCH 2/4] clevis: fix broken distfile URL
---
 srcpkgs/clevis/template | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/srcpkgs/clevis/template b/srcpkgs/clevis/template
index 9e1a1425f48677..ed3ce6ae8fb269 100644
--- a/srcpkgs/clevis/template
+++ b/srcpkgs/clevis/template
@@ -2,8 +2,6 @@
 pkgname=clevis
 version=23
 revision=1
-# Holds non-standard upstream version suffixes when needed.
-_subversion=tpm1u1
 build_style=meson
 hostmakedepends="asciidoc bash-completion cryptsetup curl jq keyutils pkg-config tpm2-tools"
 makedepends="bash-completion cryptsetup-devel dracut jansson-devel
@@ -13,7 +11,7 @@ short_desc="Pluggable framework for automated decryption"
 maintainer="Johannes Heimansberg "
 license="GPL-3.0-or-later WITH custom:OpenSSL-Exception"
 homepage="https://github.com/latchset/clevis"
-distfiles="https://github.com/latchset/clevis/archive/v${version}${subversion}/clevis-${version}${subversion}.tar.gz"
+distfiles="https://github.com/latchset/clevis/archive/v${version}/clevis-${version}.tar.gz"
 checksum=a8a09f148d54d91aa0d21c5fa508dd1446c2a200be7679fbf6e7d19196aec164
 make_check="ci-skip" # LUKS tests fail in CI pipeline
 configure_args="-Db_ndebug=false"
From 6a8a425d6785cab3340d477eaa3e4d88f87a579a Mon Sep 17 00:00:00 2001
From: Louis Johnson
Date: Tue, 30 Jun 2026 12:37:00 +0700
Subject: [PATCH 3/4] clevis: fix test build with NDEBUG
---
 ...ts-avoid-assert-in-token-to-jwe-test.patch | 90 +++++++++++++++++++
 srcpkgs/clevis/template | 1 -
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
diff --git a/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch b/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
new file mode 100644
index 00000000000000..a98fb614579504
--- /dev/null
+++ b/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
@@ -0,0 +1,90 @@
+--- a/src/luks/udisks2/test-token-to-jwe.c 2026-05-13 21:45:35.000000000 +0700
++++ b/src/luks/udisks2/test-token-to-jwe.c 2026-06-30 12:26:23.264129600 +0700
+@@ -19,11 +19,17 @@
+ 
+ #include "token-to-jwe.h"
+ 
+-#include
+ #include
+ #include
+ #include
+ 
++#define CHECK(expr) do { \
++ if (!(expr)) { \
++ fprintf(stderr, "%s:%d: check failed: %s\n", __FILE__, __LINE__, #expr); \
++ abort(); \
++ } \
++} while (0)
++
+ static const char valid_token[] =
+ "{"
+ " \"type\": \"clevis\","
+@@ -51,8 +57,8 @@
+ "."
+ "6L9KBrn6-R1---wTikJTrA";
+ 
+- assert(token_to_jwe(valid_token, &pkt));
+- assert(strcmp(pkt.data, expected) == 0);
++ CHECK(token_to_jwe(valid_token, &pkt));
++ CHECK(strcmp(pkt.data, expected) == 0);
+ fprintf(stderr, "test_basic_conversion: PASS\n");
+ }
+ 
+@@ -61,8 +67,8 @@
+ {
+ pkt_t pkt = {};
+ 
+- assert(token_to_jwe(valid_token, &pkt));
+- assert(pkt.used == (ssize_t) strlen(pkt.data));
++ CHECK(token_to_jwe(valid_token, &pkt));
++ CHECK(pkt.used == (ssize_t) strlen(pkt.data));
+ fprintf(stderr, "test_used_equals_strlen: PASS\n");
+ }
+ 
+@@ -71,11 +77,11 @@
+ {
+ pkt_t pkt = {};
+ 
+- assert(!token_to_jwe(NULL, &pkt));
+- assert(!token_to_jwe("not json", &pkt));
+- assert(!token_to_jwe("{}", &pkt));
+- assert(!token_to_jwe("{\"jwe\":{}}", &pkt));
+- assert(!token_to_jwe("{\"jwe\":{\"protected\":\"a\"}}", &pkt));
++ CHECK(!token_to_jwe(NULL, &pkt));
++ CHECK(!token_to_jwe("not json", &pkt));
++ CHECK(!token_to_jwe("{}", &pkt));
++ CHECK(!token_to_jwe("{\"jwe\":{}}", &pkt));
++ CHECK(!token_to_jwe("{\"jwe\":{\"protected\":\"a\"}}", &pkt));
+ fprintf(stderr, "test_invalid_json: PASS\n");
+ }
+ 
+@@ -92,10 +98,10 @@
+ "}}";
+ pkt_t pkt = {};
+ 
+- assert(token_to_jwe(json, &pkt));
+- assert(strcmp(pkt.data, "....") == 0);
+- assert(pkt.used == 4);
+- assert(pkt.used == (ssize_t) strlen(pkt.data));
++ CHECK(token_to_jwe(json, &pkt));
++ CHECK(strcmp(pkt.data, "....") == 0);
++ CHECK(pkt.used == 4);
++ CHECK(pkt.used == (ssize_t) strlen(pkt.data));
+ fprintf(stderr, "test_empty_components: PASS\n");
+ }
+ 
+@@ -112,10 +118,10 @@
+ "}}";
+ pkt_t pkt = {};
+ 
+- assert(token_to_jwe(json, &pkt));
+- assert(strcmp(pkt.data, "a.b.c.d.e") == 0);
+- assert(pkt.used == 9);
+- assert(pkt.used == (ssize_t) strlen(pkt.data));
++ CHECK(token_to_jwe(json, &pkt));
++ CHECK(strcmp(pkt.data, "a.b.c.d.e") == 0);
++ CHECK(pkt.used == 9);
++ CHECK(pkt.used == (ssize_t) strlen(pkt.data));
+ fprintf(stderr, "test_single_char_components: PASS\n");
+ }
+ 
diff --git a/srcpkgs/clevis/template b/srcpkgs/clevis/template
index ed3ce6ae8fb269..060597b2cf6034 100644
--- a/srcpkgs/clevis/template
+++ b/srcpkgs/clevis/template
@@ -14,7 +14,6 @@ homepage="https://github.com/latchset/clevis"
 distfiles="https://github.com/latchset/clevis/archive/v${version}/clevis-${version}.tar.gz"
 checksum=a8a09f148d54d91aa0d21c5fa508dd1446c2a200be7679fbf6e7d19196aec164
 make_check="ci-skip" # LUKS tests fail in CI pipeline
-configure_args="-Db_ndebug=false"
 
 post_install() {
 vlicense COPYING.openssl
From 567998afe424679333451762c32447448ec5be8b Mon Sep 17 00:00:00 2001
From: Louis Johnson
Date: Tue, 30 Jun 2026 12:52:14 +0700
Subject: [PATCH 4/4] clevis: document test-token-to-jwe patch
---
 .../0003-tests-avoid-assert-in-token-to-jwe-test.patch | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch b/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
index a98fb614579504..a741b015fbb550 100644
--- a/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
+++ b/srcpkgs/clevis/patches/0003-tests-avoid-assert-in-token-to-jwe-test.patch
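Review bot: Only test-token-to-jwe.c is moved to `CHECK()`, while the template hunk of the same commit removes `configure_args="-Db_ndebug=false"`, so any other clevis test or runtime check that still relies on `assert()` compiles to nothing under NDEBUG and can no longer fail. Whether such uses exist is not visible on this page; worth searching the source tree before treating a green test run as meaningful for a package that unlocks LUKS volumes. In the macro itself, `abort()` needs `<stdlib.h>` and the three retained `#include` lines in the first inner hunk have lost their header names in this rendering, so confirm one of them provides it, otherwise add `#include <stdlib.h>` next to the `#define`.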
@@ -1,3 +1,13 @@
+tests: avoid assert in token-to-jwe test
+
+Void builds with b_ndebug=true by default, which defines NDEBUG. This causes
+assert() expressions to be compiled out, leaving variables used only by those
+checks unused. Since clevis builds with -Werror, test-token-to-jwe then fails
+to compile.
+
+Replace assert() with an explicit CHECK() helper so the test remains active
+with NDEBUG defined.
+
 --- a/src/luks/udisks2/test-token-to-jwe.c 2026-05-13 21:45:35.000000000 +0700
 +++ b/src/luks/udisks2/test-token-to-jwe.c 2026-06-30 12:26:23.264129600 +0700
 @@ -19,11 +19,17 @@