Elasticsearch Curator RPM package does not contain a SHA256 Digest signature #1648

Closed
SeanathanVT opened this issue Aug 2, 2022 · 2 comments


SeanathanVT commented Aug 2, 2022

Expected Behavior

The Elasticsearch Curator RPM package (elasticsearch-curator-5.8.4-1.x86_64.rpm) should contain a SHA256-based Digest signature.

Actual Behavior

Without a SHA256 Digest signature, installation will fail on a FIPS 140-2 compliant EL8 host.

Steps to Reproduce the Problem

  1. Attempt to install elasticsearch-curator-5.8.4-1.x86_64.rpm on a FIPS-enabled RHEL 8 host.
  2. Installation fails with a "Transaction Test Error" message (does not verify: no digest).
  3. To verify that there is no SHA256 Digest value, execute rpm --checksig --verbose elasticsearch-curator-5.8.4-1.x86_64.rpm -- note no SHA256 Digest value, only SHA1 and MD5 (the same issue exists with Logstash RPMs, but Elasticsearch and Kibana RPMs have the SHA256 Digest value).

Specifications

  • Version: 5.8.4-1
  • Platform: x86_64
  • Subsystem:

Context (Environment)

Outside of manual installation via the rpm command with the --nodigest flag, we can't utilize our existing pipelines and automation logic to simply pull packages from a YUM repository on RHEL 8 hosts with FIPS 140-2 compliance mode enabled. I'd like to do it cleanly as opposed to with a workaround. Given that this has been implemented with Elasticsearch and apparently Kibana, hopefully the internal packaging teams can figure this out for Curator and Logstash.

For reference

Detailed Description

Please implement SHA256 Digest signature support in Elasticsearch Curator packaging pipelines (and pass the above-referenced Issue along to the Logstash team, if there is internal communication on these types of things).

@SeanathanVT
Author

For reference:

[root@sat01 Elastic_Stack]# rpm --checksig --verbose elastic-7_x/Packages/e/elasticsearch-7.17.5-x86_64.rpm
elastic-7_x/Packages/e/elasticsearch-7.17.5-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    MD5 digest: OK
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]# rpm --checksig --verbose elastic-7_x/Packages/l/logstash-7.17.5-x86_64.rpm
elastic-7_x/Packages/l/logstash-7.17.5-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    MD5 digest: OK
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]# rpm --checksig --verbose elastic-7_x/Packages/k/kibana-7.17.5-x86_64.rpm
elastic-7_x/Packages/k/kibana-7.17.5-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    MD5 digest: OK
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]#
[root@sat01 Elastic_Stack]# rpm --checksig --verbose curator-5/Packages/e/elasticsearch-curator-5.8.4-1.x86_64.rpm
curator-5/Packages/e/elasticsearch-curator-5.8.4-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID d88e42b4: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID d88e42b4: NOKEY
    MD5 digest: OK
[root@sat01 Elastic_Stack]#
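
An added example, not part of the original issue or of Elastic's tooling: a POSIX shell filter that reads `rpm --checksig --verbose` output like the above and lists the packages missing a verified SHA256 header or payload digest, so a repository can be screened before it is synced to FIPS-enabled hosts. The function names and the rule of requiring both digests are assumptions; the sample input is constructed from the output quoted in this thread.

```shell
#!/bin/sh
# Added example. Real use:
#   rpm --checksig --verbose /path/to/repo/*.rpm | list_missing_sha256

# Read `rpm --checksig --verbose` output on stdin and print the path of every
# package that does not show both "Header SHA256 digest: OK" and
# "Payload SHA256 digest: OK" (assumed requirement, see lead-in).
list_missing_sha256() {
  pkg="" hdr=0 pay=0
  while IFS= read -r line; do
    case "$line" in
      *"Header SHA256 digest: OK"*)  hdr=1 ;;
      *"Payload SHA256 digest: OK"*) pay=1 ;;
      *.rpm:)
        # A new package section starts: report the previous one if it fell short.
        if [ -n "$pkg" ] && [ "$hdr$pay" != "11" ]; then printf '%s\n' "$pkg"; fi
        pkg=${line%:} hdr=0 pay=0 ;;
    esac
  done
  # Report the last package in the stream.
  if [ -n "$pkg" ] && [ "$hdr$pay" != "11" ]; then printf '%s\n' "$pkg"; fi
  return 0
}

# Constructed sample input, trimmed from the rpm output shown in this thread.
sample_checksig_output() {
  cat <<'EOF'
elastic-7_x/Packages/e/elasticsearch-7.17.5-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
elastic-7_x/Packages/l/logstash-7.17.5-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK
curator-5/Packages/e/elasticsearch-curator-5.8.4-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID d88e42b4: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK
EOF
}

# Demo on the sample: prints the Logstash and Curator package paths.
sample_checksig_output | list_missing_sha256
```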

@untergeek
Member

Sorry you've had a hard time. Subsequent releases of Curator will not use RPM or DEB packaging at all (Docker or pip only), so this is unlikely to be addressed.
