Sign Beats RPMs w/ SHA256 header for FIPS-enabled Operating Systems #23670

Closed
n0othing opened this issue Jan 25, 2021 · 9 comments · Fixed by #27103

@n0othing (Member)
Describe the enhancement:

Beats RPMs will fail to install on RHEL 8 w/ FIPS mode enabled because the RPMs aren't signed with a SHA256 header (see BZ#1581990 [1]).

[robbie@rob-nix-06 ~]$ sudo rpm -ivh auditbeat-7.9.2-x86_64.rpm
warning: auditbeat-7.9.2-x86_64.rpm: Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
        package auditbeat-7.9.2-1.x86_64 does not verify: no digest

It's possible to get around this by installing with --nodigest --nofiledigest arguments [2], but such a workaround may not be acceptable for certain organizations.

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/8.0_release_notes/index
[2] https://access.redhat.com/solutions/4460971

@botelastic bot added the needs_team label Jan 25, 2021
@andresrc added the Team:Elastic-Agent label Jan 25, 2021
@elasticmachine (Collaborator)

Pinging @elastic/agent (Team:Agent)

@botelastic bot removed the needs_team label Jan 25, 2021
@andresrc andresrc self-assigned this Feb 2, 2021
@andresrc andresrc assigned ruflin and unassigned andresrc Jul 27, 2021
@ruflin (Member)

ruflin commented Jul 27, 2021

There is currently some work ongoing in Elasticsearch, see elastic/elasticsearch#75731 and the related issues / pull requests. We need to figure out how we make this best happen as part of the build process.

@breskeby

breskeby commented Jul 27, 2021

Just for clarification: I think apart from the SHA256 header digest, the SHA256 payload digest is also needed. Furthermore, the file digest needs to be switched from MD5 (rpm default) to SHA256. How are the Beats RPMs currently built? ES is using the nebula ospackage plugin, which relies on redline, a Java library for building RPMs. We needed to patch this redline library to get a SHA256 header and SHA256 payload + file digests in our ES RPMs.

@andrewkroh (Member)

The RPMs from Beats are built using fpm. FPM does have a --rpm-digest flag that appears to control the _binary_filedigest_algorithm.

https://github.com/jordansissel/fpm/blob/067f4ccfd07d228256ff313be4f9dc36e61055ee/templates/rpm.erb#L23-L27

args = append(args,
    "--rm",
    "-w", "/app",
    "-v", CWD()+":/app",
    beatsFPMImage+":"+fpmVersion,
    "fpm", "--force",
    "--input-type", "tar",
    "--output-type", fpmPackageType,
    "--name", spec.ServiceName,
    "--architecture", spec.Arch,
)
if packageType == RPM {
    args = append(args, "--rpm-rpmbuild-define", "_build_id_links none")
}
if spec.Version != "" {
    args = append(args, "--version", spec.Version)
}
if spec.Vendor != "" {
    args = append(args, "--vendor", spec.Vendor)
}
if spec.License != "" {
    args = append(args, "--license", strings.Replace(spec.License, " ", "-", -1))
}
if spec.Description != "" {
    args = append(args, "--description", spec.Description)
}
if spec.URL != "" {
    args = append(args, "--url", spec.URL)
}
if spec.localPreInstallScript != "" {
    args = append(args, "--before-install", spec.localPreInstallScript)
}
if spec.localPostInstallScript != "" {
    args = append(args, "--after-install", spec.localPostInstallScript)
}
for _, pf := range spec.Files {
    if pf.Config {
        args = append(args, "--config-files", pf.Target)
    }
    if pf.Owner != "" {
        args = append(args, "--rpm-attr", fmt.Sprintf("%04o,%s,%s:%s", pf.Mode, pf.Owner, pf.Owner, pf.Target))
    }
}
args = append(args,
    "-p", spec.OutputFile,
    inputTar,
)

@andrewkroh (Member)

Does this look like what we want?

# rpm --checksig -v filebeat-*rpm
filebeat-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK

I updated the FPM container image to include rpm 4.14.2 (it had 4.12). And then I added --rpm-digest sha256 to the args we use in Beats.
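A verification script, added here as an example and not code from Beats, FPM or Elasticsearch: it decides whether an RPM carries the digests a FIPS-mode RHEL 8 / CentOS 8 host needs, so the `--nodigest --nofiledigest` workaround from the issue description is never required. It reads the `rpm --checksig -v` text shown in this thread (an OK SHA256 digest is required for both header and payload) and the package's FILEDIGESTALGO tag, which is the file-digest algorithm breskeby says must move from MD5 to SHA256. The sample transcripts embedded in the script are constructed, modelled on the ones posted above; the function names are the example's own. The numeric ids are rpm's PGP hash-algorithm constants (1 = MD5, 2 = SHA1, 8 = SHA256).

```shell
#!/bin/sh
# Added example (not from the Beats or FPM projects): check that an RPM has the
# SHA256 header, payload and file digests a FIPS-enabled host requires.

# Return 0 when the `rpm --checksig -v` text reports OK SHA256 digests for
# both the header and the payload. A package built by an old rpmbuild shows
# only "Header SHA1 digest" and "MD5 digest" lines here and fails.
checksig_has_sha256() {
    printf '%s\n' "$1" | grep -q 'Header SHA256 digest: OK' || return 1
    printf '%s\n' "$1" | grep -q 'Payload SHA256 digest: OK' || return 1
    return 0
}

# Return 0 when the FILEDIGESTALGO tag value is 8 (PGP hash id for SHA256).
# 1 is MD5; "(none)" is what rpm prints when the tag is absent, which
# also means MD5 file digests, so anything but 8 is rejected.
filedigest_is_sha256() {
    [ "$1" = "8" ]
}

# Combine both checks. Prints a one-line verdict and returns 0 (ok) or 1.
fips_rpm_ok() {
    checksig_text=$1
    filedigestalgo=$2
    checksig_has_sha256 "$checksig_text" || {
        echo "missing SHA256 header and/or payload digest"
        return 1
    }
    filedigest_is_sha256 "$filedigestalgo" || {
        echo "file digests are not SHA256 (FILEDIGESTALGO=$filedigestalgo)"
        return 1
    }
    echo "ok: SHA256 header, payload and file digests present"
    return 0
}

# Run the checks against a package on disk; needs the rpm CLI installed.
check_rpm_file() {
    pkg=$1
    sig=$(rpm --checksig -v "$pkg" 2>&1)
    algo=$(rpm -qp --qf '%{FILEDIGESTALGO}\n' "$pkg" 2>/dev/null)
    fips_rpm_ok "$sig" "$algo"
}

# Constructed sample transcripts, modelled on the ones posted in the thread.
OLD_RPM_SIG='auditbeat-7.9.2-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: NOKEY
    Header SHA1 digest: OK
    MD5 digest: OK'
NEW_RPM_SIG='filebeat-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'

# Demo on the constructed samples; on a real host call: check_rpm_file <pkg>
fips_rpm_ok "$OLD_RPM_SIG" 1 || true   # 7.9.2-style package: rejected
fips_rpm_ok "$NEW_RPM_SIG" 8           # package rebuilt with sha256 digests: ok
```

Note that a package can pass the checksig half and still fail: `--rpm-digest sha256` in fpm sets the file-digest algorithm, and the `rpm -Kv` output above does not show that at all, which is why the script also queries the FILEDIGESTALGO tag.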

@andrewkroh (Member)

Here's the update for FPM: elastic/golang-crossbuild#118

andrewkroh added a commit to andrewkroh/beats that referenced this issue Jul 28, 2021
@breskeby

@andrewkroh that looks good IMO. For Elasticsearch we have this output for the RPM I've tested successfully on CentOS with FIPS enabled:

rpm --checksig -v elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm
elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID d88e42b4: OK

@breskeby

One thing I also needed to change is to set filedigestalgo to sha256 (defaults to md5) to get our RPM working. You should be able to test the RPM on one of our CentOS 8 FIPS-enabled CI images.

@andrewkroh (Member)

And this is the change to Beats to add the --rpm-digest flag to FPM. #27103

andrewkroh added a commit that referenced this issue Jul 30, 2021
mergify bot pushed a commit that referenced this issue Jul 30, 2021
andrewkroh added a commit that referenced this issue Aug 3, 2021
Fixes #23670

(cherry picked from commit be63e87)

Co-authored-by: Andrew Kroh <andrew.kroh@elastic.co>