diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index c7a8b46c4d3e..1623aa903c58 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -619,6 +619,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - Ensure common proxy settings support in HTTP clients: proxy_disabled, proxy_url, proxy_headers and typical environment variables HTTP_PROXY, HTTPS_PROXY, NOPROXY. {pull}25219[25219]
 - `add_process_metadata` processor enrich process information with owner name and id. {issue}21068[21068] {pull}21111[21111]
 - Add proxy support for AWS functions. {pull}26832[26832]
+- Add sha256 digests to RPM packages. {issue}23670[23670]
 *Auditbeat*
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
index ece8b73bfabc..c2c454c873d1 100644
--- a/dev-tools/mage/pkgtypes.go
+++ b/dev-tools/mage/pkgtypes.go
@@ -721,7 +721,10 @@ func runFPM(spec PackageSpec, packageType PackageType) error {
 "--architecture", spec.Arch,
 )
 if packageType == RPM {
- args = append(args, "--rpm-rpmbuild-define", "_build_id_links none")
+ args = append(args,
+ "--rpm-rpmbuild-define", "_build_id_links none",
+ "--rpm-digest", "sha256",
+ )
 }
 if spec.Version != "" {
 args = append(args, "--version", spec.Version)
diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
index 5134a24e22d8..b721b730c6a3 100644
--- a/dev-tools/mage/settings.go
+++ b/dev-tools/mage/settings.go
@@ -38,7 +38,7 @@ import (
 )
 const (
- fpmVersion = "1.11.0"
+ fpmVersion = "1.13.1"
 // Docker images. See https://github.com/elastic/golang-crossbuild.
 beatsFPMImage = "docker.elastic.co/beats-dev/fpm"
diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
index 72538e616291..249bd0bb6dbb 100644
--- a/dev-tools/packaging/package_test.go
+++ b/dev-tools/packaging/package_test.go
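Review bot: The `"--rpm-digest", "sha256"` pair added to the RPM branch of runFPM in dev-tools/mage/pkgtypes.go carries no comment saying why the digest algorithm is pinned, although the matching test helper cites issue 23670. I would put `// Request sha256 digests explicitly rather than relying on fpm's default; see issue 23670.` above the append. The same comment could state that these digests are an integrity check stored inside the package and do not replace package signing, so nobody reads the flag as an authenticity control. runFPM starts and ends outside this hunk.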
@@ -109,7 +109,7 @@ func TestDocker(t *testing.T) {
 // Sub-tests
 func checkRPM(t *testing.T, file string) {
- p, err := readRPM(file)
+ p, rpmPkg, err := readRPM(file)
 if err != nil {
 t.Error(err)
 return
@@ -127,6 +127,7 @@ func checkRPM(t *testing.T, file string) {
 checkLicensesPresent(t, "/usr/share", p)
 checkSystemdUnitPermissions(t, p)
 ensureNoBuildIDLinks(t, p)
+ checkRPMDigestTypeSHA256(t, rpmPkg)
 }
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -478,6 +479,16 @@ func ensureNoBuildIDLinks(t *testing.T, p *packageFile) {
 })
 }
+// checkRPMDigestTypeSHA256 verifies that the RPM contains sha256 digests.
+// https://github.com/elastic/beats/issues/23670
+func checkRPMDigestTypeSHA256(t *testing.T, rpmPkg *rpm.PackageFile) {
+ t.Run("rpm_digest_type_is_sha256", func(t *testing.T) {
+ if rpmPkg.ChecksumType() != "sha256" {
+ t.Errorf("expected SHA256 digest type but got %v", rpmPkg.ChecksumType())
+ }
+ })
+}
+
 // Helpers
 type packageFile struct {
@@ -507,10 +518,10 @@ func getFiles(t *testing.T, pattern *regexp.Regexp) []string {
 return files
 }
-func readRPM(rpmFile string) (*packageFile, error) {
+func readRPM(rpmFile string) (*packageFile, *rpm.PackageFile, error) {
 p, err := rpm.OpenPackageFile(rpmFile)
 if err != nil {
- return nil, err
+ return nil, nil, err
 }
 contents := p.Files()
@@ -529,7 +540,7 @@ func readRPM(rpmFile string) (*packageFile, error) {
 pf.Contents[file.Name()] = pe
 }
- return pf, nil
+ return pf, p, nil
 }
 // readDeb reads the data.tar.gz file from the .deb.
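Review bot: In checkRPMDigestTypeSHA256 the assertion rests entirely on what `rpmPkg.ChecksumType()` reports, and nothing in the diff shows whether that value is read from the digest tags stored in the RPM or is simply the algorithm the rpm library uses when it checksums the file itself. If it is the latter, the sub-test passes whatever `--rpm-digest` value fpm was given and would not catch a regression to a weaker digest. Please confirm against the library, and if needed assert on the digest algorithm recorded in the package header instead. Minor: call the method once, `if got := rpmPkg.ChecksumType(); got != "sha256" {`, and report `got` with `%q`.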
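Review bot: readRPM now returns both the flattened packageFile and the underlying *rpm.PackageFile, but it still has no doc comment, unlike readDeb directly below it, so the reason for two package values is not stated. I would add `// readRPM opens rpmFile and returns its file listing as a packageFile, plus the parsed *rpm.PackageFile for header-level checks.` above the signature. The function body runs past this hunk and ends in the next one.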