add fips compliant packages

newrelic · Nov 21, 2024 · e55d122 · e55d122
1 parent 8c361f5
commit e55d122
Show file tree

Hide file tree

Showing 11 changed files with 218 additions and 46 deletions.
diff --git a/.github/workflows/on_prerelease.yaml b/.github/workflows/on_prerelease.yaml
@@ -9,8 +9,9 @@ on:
 
 jobs:
   pre-release:
-    uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@v3
+    uses: newrelic/coreint-automation/.github/workflows/reusable_pre_release.yaml@test-fips-s3-upload-schema
     with:
       tag: ${{ github.event.release.tag_name }}
       integration: "redis"
+      dest_prefix: "rohan-fips-test-redis/"
     secrets: inherit
diff --git a/Makefile b/Makefile
@@ -1,11 +1,13 @@
-INTEGRATION     := redis
-BINARY_NAME      = nri-$(INTEGRATION)
-SRC_DIR          = ./src/
-INTEGRATIONS_DIR = /var/db/newrelic-infra/newrelic-integrations/
-CONFIG_DIR       = /etc/newrelic-infra/integrations.d
-GO_FILES        := ./src/
-TARGET          := target
-GOFLAGS          = -mod=readonly
+INTEGRATION			:= redis
+BINARY_NAME      	= nri-$(INTEGRATION)
+SRC_DIR          	= ./src/
+INTEGRATIONS_DIR 	= /var/db/newrelic-infra/newrelic-integrations/
+CONFIG_DIR       	= /etc/newrelic-infra/integrations.d
+GO_FILES        	:= ./src/
+TARGET          	:= target
+GOFLAGS          	= -mod=readonly
+GO_VERSION 			?= $(shell grep '^go ' go.mod | awk '{print $$2}')
+BUILDER_IMAGE 		?= "ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04"
 
 all: build
 

diff --git a/build/.goreleaser.yml b/build/.goreleaser.yml
@@ -1,3 +1,6 @@
+---
+version: 2
+project_name: nri-redis
 builds:
   - id: nri-nix
     main: ./src
@@ -18,6 +21,26 @@ builds:
       - goos: darwin
         goarch: 386
 
+  - id: nri-nix-fips
+    main: ./src
+    binary: nri-redis
+    ldflags:
+      - -s -w -X main.integrationVersion={{.Version}} -X main.gitCommit={{.Commit}} -X main.buildDate={{.Date}}
+    env:
+      - CGO_ENABLED=1
+      - GOEXPERIMENT=boringcrypto
+      - >-
+        {{- if eq .Arch "arm64" -}}
+        CC=aarch64-linux-gnu-gcc
+        {{- end }}
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - arm64
+    tags:
+      - fips
+
   - id: nri-win
     main: ./src
     binary: nri-redis
@@ -67,9 +90,59 @@ nfpms:
 
     overrides:
       rpm:
-        file_name_template: "{{ .ProjectName }}-{{ .Version }}-1.{{ .Arch }}"
-        replacements:
-          amd64: x86_64
+        file_name_template: >-
+          {{- .ProjectName }}_
+          {{- .Version }}-1.
+          {{- if eq .Arch "amd64" -}}x86_64
+          {{- else -}}
+          {{ .Arch }}
+          {{- end }}
+
+    # Formats to be generated.
+    formats:
+      - deb
+      - rpm
+
+  - id: linux-fips
+    file_name_template: "{{ .ProjectName }}-fips_{{ .Version }}-1_{{ .Arch }}"
+    vendor: "New Relic, Inc."
+    homepage: "https://www.newrelic.com/infrastructure"
+    maintainer: "New Relic Infrastructure Team <[email protected]>"
+    description: "New Relic Infrastructure redis Integration extend the core New Relic\nInfrastructure agent's capabilities to allow you to collect metric and\nlive state data from redis components."
+    license: "https://newrelic.com/terms (also see LICENSE installed with this package)"
+
+    builds:
+      - nri-nix-fips
+
+    dependencies:
+      - newrelic-infra (>= 1.20.0)
+
+    bindir: "/var/db/newrelic-infra/newrelic-integrations/bin"
+
+    contents:
+      - src: "redis-config.yml.sample"
+        dst: "/etc/newrelic-infra/integrations.d/redis-config.yml.sample"
+      - src: "redis-log.yml.example"
+        dst: "/etc/newrelic-infra/logging.d/redis-log.yml.example"
+      - src: "CHANGELOG.md"
+        dst: "/usr/share/doc/nri-redis/CHANGELOG.md"
+      - src: "README.md"
+        dst: "/usr/share/doc/nri-redis/README.md"
+      - src: "LICENSE"
+        dst: "/usr/share/doc/nri-redis/LICENSE"
+      - src: "legacy/redis-definition.yml"
+        dst: "/var/db/newrelic-infra/newrelic-integrations/redis-definition.yml"
+        type: config
+
+    overrides:
+      rpm:
+        file_name_template: >-
+          {{- .ProjectName }}-fips_
+          {{- .Version }}-1.
+          {{- if eq .Arch "amd64" -}}x86_64
+          {{- else -}}
+          {{ .Arch }}
+          {{- end }}
 
     # Formats to be generated.
     formats:
@@ -88,6 +161,17 @@ archives:
         strip_parent: true
     format: tar.gz
 
+  - id: nri-nix-fips
+    builds:
+      - nri-nix-fips
+    name_template: "{{ .ProjectName }}-fips_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty"
+    files:
+      - redis-config.yml.sample
+      - src: 'legacy/redis-definition.yml'
+        dst: .
+        strip_parent: true
+    format: tar.gz
+
   - id: nri-win
     builds:
       - nri-win

diff --git a/build/Dockerfile b/build/Dockerfile
diff --git a/build/ci.mk b/build/ci.mk
@@ -1,8 +1,9 @@
-BUILDER_TAG ?= nri-$(INTEGRATION)-builder
+.PHONY : ci/pull-builder-image
+ci/pull-builder-image:
+	@docker pull $(BUILDER_IMAGE)
 
 .PHONY : ci/deps
-ci/deps:
-	@docker build -t $(BUILDER_TAG) -f $(CURDIR)/build/Dockerfile $(CURDIR)
+ci/deps: ci/pull-builder-image
 
 .PHONY : ci/debug-container
 ci/debug-container: ci/deps
@@ -17,15 +18,15 @@ ci/debug-container: ci/deps
 			-e GPG_MAIL \
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
-			$(BUILDER_TAG) bash
+			$(BUILDER_IMAGE) bash
 
 .PHONY : ci/test
 ci/test: ci/deps
 	@docker run --rm -t \
 			--name "nri-$(INTEGRATION)-test" \
 			-v $(CURDIR):/go/src/github.com/newrelic/nri-$(INTEGRATION) \
 			-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
-			$(BUILDER_TAG) make test
+			$(BUILDER_IMAGE) make test
 
 .PHONY : ci/snyk-test
 ci/snyk-test:
@@ -46,7 +47,7 @@ ifdef TAG
 			-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
 			-e INTEGRATION \
 			-e TAG \
-			$(BUILDER_TAG) make release/build
+			$(BUILDER_IMAGE) make release/build
 else
 	@echo "===> $(INTEGRATION) ===  [ci/build] TAG env variable expected to be set"
 	exit 1
@@ -67,8 +68,8 @@ ifdef TAG
 			-e GPG_MAIL \
 			-e GPG_PASSPHRASE \
 			-e GPG_PRIVATE_KEY_BASE64 \
-			$(BUILDER_TAG) make release
+			$(BUILDER_IMAGE) make release
 else
 	@echo "===> $(INTEGRATION) ===  [ci/prerelease] TAG env variable expected to be set"
 	exit 1
-endif
+endif
diff --git a/build/nix/sign.sh b/build/nix/sign.sh
@@ -7,14 +7,28 @@ set -e
 #
 #
 #
+# Function to start gpg-agent if not running
+start_gpg_agent() {
+    if ! pgrep -x "gpg-agent" > /dev/null
+    then
+        echo "Starting gpg-agent..."
+        eval $(gpg-agent --daemon)
+    else
+        echo "gpg-agent is already running."
+    fi
+}
+
+# Ensure gpg-agent is running
+start_gpg_agent
+
 
 # Sign RPM's
 echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
 echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
 echo "%_signature gpg" >> ~/.rpmmacros
 echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
 echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
-echo "%__gpg_sign_cmd   %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
+echo "%__gpg_sign_cmd   %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
 
 echo "===> Importing GPG private key from GHA secrets..."
 printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
@@ -25,9 +39,13 @@ rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}
 
 cd dist
 
+sles_regex="(.*sles12.*)"
+
 for rpm_file in $(find -regex ".*\.\(rpm\)");do
   echo "===> Signing $rpm_file"
-  rpm --addsign $rpm_file
+
+  ../build/nix/sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
+
   echo "===> Sign verification $rpm_file"
   rpm -v --checksig $rpm_file
 done
@@ -36,12 +54,31 @@ done
 GNUPGHOME="/root/.gnupg"
 echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
 echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
-echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
-echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
+# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
+# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
 echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
 echo RELOADAGENT | gpg-connect-agent
 
-for deb_file in $(find -regex ".*\.\(deb\)");do
+for deb_file in $(find -regex ".*\.\(deb\)"); do
   echo "===> Signing $deb_file"
-  debsigs --sign=origin --verify --check -v -k ${GPG_MAIL} $deb_file
+
+  # Run the sign_deb.exp script to sign the .deb file
+../build/nix/sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
+
+
+  echo "===> Sign verification $deb_file"
+  dpkg-sig --verify $deb_file
 done
+
+# Sign TARGZ files
+for targz_file in $(find . -type f -name "*.tar.gz"); do
+  echo "===> Signing $targz_file"
+  ../build/nix/sign_tar.exp $targz_file ${GPG_PASSPHRASE}
+  asc_file="${targz_file}.asc"
+  if [ -f "$asc_file" ]; then
+    echo "===> Sign verification $targz_file"
+    gpg --verify "$asc_file" "$targz_file"
+  else
+    echo "Error: Signature file $asc_file not found."
+  fi
+done
diff --git a/build/nix/sign_deb.exp b/build/nix/sign_deb.exp
@@ -0,0 +1,20 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2];  # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof
+
diff --git a/build/nix/sign_rpm.exp b/build/nix/sign_rpm.exp
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof
diff --git a/build/nix/sign_tar.exp b/build/nix/sign_tar.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+    "Enter passphrase:" {
+        send -- "$passphrase\r"
+        exp_continue
+    }
+    eof {
+        catch wait result
+        exit [lindex $result 3]
+    }
+}
diff --git a/build/release.mk b/build/release.mk
@@ -1,5 +1,5 @@
 BUILD_DIR    := ./bin/
-GORELEASER_VERSION := v0.174.1
+GORELEASER_VERSION := v2.4.4
 GORELEASER_BIN ?= bin/goreleaser
 
 bin:
@@ -27,10 +27,10 @@ release/deps: $(GORELEASER_BIN)
 release/build: release/deps release/clean
 ifeq ($(PRERELEASE), true)
 	@echo "===> $(INTEGRATION) === [release/build] PRE-RELEASE compiling all binaries, creating packages, archives"
-	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --rm-dist
+	@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --clean
 else
 	@echo "===> $(INTEGRATION) === [release/build] build compiling all binaries"
-	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --rm-dist
+	@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --clean
 endif
 
 .PHONY : release/fix-archive

diff --git a/src/fips.go b/src/fips.go
@@ -0,0 +1,11 @@
+// Copyright 2024 New Relic Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips
+// +build fips
+
+package main
+
+import (
+	_ "crypto/tls/fipsonly"
+)