Add Sha256 header in elasticsearch RPMs #75569

Merged
merged 1 commit into from
Jul 22, 2021


breskeby
Contributor

This adds support for Sha256 header signature in our RPMs by
updating the dependency to the redline library to a version
we have patched until the provided PR (craigwblake/redline#157)
got merged and released by the redline folks.

This work is related to #58257

@breskeby breskeby self-assigned this Jul 21, 2021
@breskeby breskeby added :Delivery/Build Build or test infrastructure >enhancement Team:Delivery Meta label for Delivery team v7.15.0 v8.0.0 labels Jul 21, 2021
@breskeby
Contributor Author

To verify the change this PR introduces, you can run

    ./gradlew :distribution:packages:buildRpm

and then verify the RPM by running

    rpm --checksig -v distribution/packages/rpm/build/distributions/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm

which should result in:

    Header SHA256 digest: OK
    Header SHA1 digest: OK
    MD5 digest: OK
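
Added example (not part of the PR or the Elasticsearch build): a shell check that gates on the `rpm --checksig -v` output shown above, failing when the `Header SHA256 digest` line is absent or when any digest or signature line is not `OK`. The function name `check_rpm_digests` and the sample reports are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: function name and sample reports are constructed.

# Succeeds only if the report (text of `rpm --checksig -v`) contains
# "Header SHA256 digest: OK" and no digest or signature line that is not OK.
check_rpm_digests() {
    report=$1

    # The SHA256 header line must be present, not merely "nothing failed":
    # a package built without the SHA256 header simply lacks the line.
    if ! printf '%s\n' "$report" |
        grep -Eq '^[[:space:]]*Header SHA256 digest: OK[[:space:]]*$'; then
        echo "Header SHA256 digest missing or not OK" >&2
        return 1
    fi

    # Every other digest or signature line must also end in ": OK".
    bad=$(printf '%s\n' "$report" | grep -E 'digest:|Signature' |
        grep -Ev ': OK[[:space:]]*$' || true)
    if [ -n "$bad" ]; then
        printf 'failed checks:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample reports (not captured from a real build).
SAMPLE_WITH_SHA256='elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    MD5 digest: OK'

SAMPLE_WITHOUT_SHA256='elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

SAMPLE_BAD_MD5='elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    MD5 digest: BAD'

# Real use, for example in CI after buildRpm:
#   check_rpm_digests "$(rpm --checksig -v path/to/package.rpm)"
```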

@breskeby breskeby marked this pull request as ready for review July 21, 2021 09:52
@elasticmachine
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@breskeby breskeby force-pushed the fix-fips-rpm-checksums branch from 37549b2 to 7677c5f Compare July 21, 2021 09:57
// We rely on a patched version of the redline library used to build rpm packages
// to support sha256header in our elasticsearch RPMs
// TODO: Update / remove this dependency once https://github.com/craigwblake/redline/pull/157 got merged
// Be aware that it seems the redline project hasnt been active for a while
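Review bot: The TODO on the third comment line has no tracking issue on the Elasticsearch side, and the line after it says the redline project may be inactive, so the "once ... got merged" condition may never trigger. Link an issue that owns the decision (wait for upstream, fork, or replace the library) and name the patched artifact and revision the build consumes, so the temporary dependency stays reviewable. Also, "hasnt" in the last comment line should be "hasn't".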
Contributor

Do you think we might end up forking it under an Elastic org?

Contributor

@pugnascotia pugnascotia left a comment

I followed the steps and got the same results 👍

@bytebilly
Contributor

@breskeby great!
Is there a way to verify that this change is enough to allow installation on a FIPS-enabled distro? I'm not sure if we have such an environment; we may want to loop in Fed Field folks and ask some of our customers to check.

@breskeby
Contributor Author

We don't have an RHEL 8 FIPS environment at hand to evaluate this, I think. Who would we ping at fed field folks to test this?

@bytebilly
Contributor

I'm reaching out to some folks to check if they can help. If this makes things easier, I'm ok merging this PR and iterating further if needed after the validation round.

@breskeby
Contributor Author

@bytebilly @mark-vieira I got confirmation from @mgreau that our nightly rpms are signed in the build process similar to the release builds. So once merged, we can wait for a nightly and then test the rpm installation on a CentOS FIPS-enabled GCS image.

}
}
}

dependencies {
classpath "com.github.breskeby:gradle-ospackage-plugin:98455c1"
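Review bot: The `classpath` line pulls a build-script plugin from a personal `com.github.breskeby` coordinate pinned to the short revision `98455c1`, with no comment saying why the fork is needed or which upstream change it carries. Buildscript classpath entries execute during the build, so add a comment naming the upstream PR the fork is waiting on plus a TODO to return to the upstream release, and consider covering the artifact with Gradle dependency verification checksums.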
Contributor

I didn't realize we're also using a patched version of the os-package plugin as well. Out of curiosity, what's that for?

Contributor Author

because this hasn't been merged and released yet: nebula-plugins/gradle-ospackage-plugin#400

breskeby added a commit to breskeby/elasticsearch that referenced this pull request Jul 27, 2021
This is a follow up on elastic#75569

and should fix installation problems in FIPS enabled environments.
@breskeby breskeby added the :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts label Jul 29, 2021