Add sha256 digests to RPM packages (#27103)

Fixes #23670 (cherry picked from commit be63e87)
elastic · Jul 30, 2021 · 5be4d0f · 5be4d0f
1 parent d89b35d
commit 5be4d0f
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 6 deletions.
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
@@ -468,6 +468,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Libbeat: report beat version to monitoring. {pull}26214[26214]
 - Ensure common proxy settings support in HTTP clients: proxy_disabled, proxy_url, proxy_headers and typical environment variables HTTP_PROXY, HTTPS_PROXY, NOPROXY. {pull}25219[25219]
 - Add proxy support for AWS functions. {pull}26832[26832]
+- Add sha256 digests to RPM packages. {issue}23670[23670]
 
 *Auditbeat*
 

diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
@@ -721,7 +721,10 @@ func runFPM(spec PackageSpec, packageType PackageType) error {
 		"--architecture", spec.Arch,
 	)
 	if packageType == RPM {
-		args = append(args, "--rpm-rpmbuild-define", "_build_id_links none")
+		args = append(args,
+			"--rpm-rpmbuild-define", "_build_id_links none",
+			"--rpm-digest", "sha256",
+		)
 	}
 	if spec.Version != "" {
 		args = append(args, "--version", spec.Version)

diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
@@ -38,7 +38,7 @@ import (
 )
 
 const (
-	fpmVersion = "1.11.0"
+	fpmVersion = "1.13.1"
 
 	// Docker images. See https://github.com/elastic/golang-crossbuild.
 	beatsFPMImage = "docker.elastic.co/beats-dev/fpm"

diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
@@ -109,7 +109,7 @@ func TestDocker(t *testing.T) {
 // Sub-tests
 
 func checkRPM(t *testing.T, file string) {
-	p, err := readRPM(file)
+	p, rpmPkg, err := readRPM(file)
 	if err != nil {
 		t.Error(err)
 		return
@@ -127,6 +127,7 @@ func checkRPM(t *testing.T, file string) {
 	checkLicensesPresent(t, "/usr/share", p)
 	checkSystemdUnitPermissions(t, p)
 	ensureNoBuildIDLinks(t, p)
+	checkRPMDigestTypeSHA256(t, rpmPkg)
 }
 
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -478,6 +479,16 @@ func ensureNoBuildIDLinks(t *testing.T, p *packageFile) {
 	})
 }
 
+// checkRPMDigestTypeSHA256 verifies that the RPM contains sha256 digests.
+// https://github.com/elastic/beats/issues/23670
+func checkRPMDigestTypeSHA256(t *testing.T, rpmPkg *rpm.PackageFile) {
+	t.Run("rpm_digest_type_is_sha256", func(t *testing.T) {
+		if rpmPkg.ChecksumType() != "sha256" {
+			t.Errorf("expected SHA256 digest type but got %v", rpmPkg.ChecksumType())
+		}
+	})
+}
+
 // Helpers
 
 type packageFile struct {
@@ -507,10 +518,10 @@ func getFiles(t *testing.T, pattern *regexp.Regexp) []string {
 	return files
 }
 
-func readRPM(rpmFile string) (*packageFile, error) {
+func readRPM(rpmFile string) (*packageFile, *rpm.PackageFile, error) {
 	p, err := rpm.OpenPackageFile(rpmFile)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	contents := p.Files()
@@ -529,7 +540,7 @@ func readRPM(rpmFile string) (*packageFile, error) {
 		pf.Contents[file.Name()] = pe
 	}
 
-	return pf, nil
+	return pf, p, nil
 }
 
 // readDeb reads the data.tar.gz file from the .deb.