Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Sha256 header in elasticsearch RPMs #75569

Merged
merged 1 commit into from
Jul 22, 2021
Merged

Add Sha256 header in elasticsearch RPMs #75569

merged 1 commit into from
Jul 22, 2021

Conversation

breskeby
Copy link
Contributor

This adds support for Sha256 header signature in our RPMs by
updating the dependency to the readline library to a version
we have patched until the provided PR (craigwblake/redline#157)
got merged and released by the redline folks.

This work is related to #58257

@breskeby breskeby self-assigned this Jul 21, 2021
@breskeby breskeby added :Delivery/Build Build or test infrastructure >enhancement Team:Delivery Meta label for Delivery team v7.15.0 v8.0.0 labels Jul 21, 2021
@breskeby
Copy link
Contributor Author

To verify the change this PR introduces you can run

./gradlew :distribution:packages:buildRpm and then verify the rpm: by running

rpm --checksig -v distribution/packages/rpm/build/distributions/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm distribution/packages/rpm/build/distributions/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm

which should result in:

    Header SHA256 digest: OK
    Header SHA1 digest: OK
    MD5 digest: OK

@breskeby breskeby marked this pull request as ready for review July 21, 2021 09:52
@elasticmachine
Copy link
Collaborator

Pinging @elastic/es-delivery (Team:Delivery)

@breskeby breskeby mentioned this pull request Jul 21, 2021
Closed
@breskeby
Add Sha256 header in elasticsearch RPMs
7677c5f 
This adds support for Sha256 header signature in our RPMs by
updating the dependency to the readline library to a version
we have patched until the provided PR (craigwblake/redline#157)
got merged and released by the redline folks.

This work is related to elastic#58257
pugnascotia
pugnascotia reviewed Jul 21, 2021
View reviewed changes
distribution/packages/build.gradle
// We rely on a patched version of the redline library used to build rpm packages
// to support sha256header in our elasticsearch RPMs
// TODO: Update / remove this dependency once https://github.com/craigwblake/redline/pull/157 got merged
// Be aware that it seems the redline project hasnt been active for a while
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we might end up forking it under an Elastic org?

pugnascotia
pugnascotia approved these changes Jul 21, 2021
View reviewed changes
Copy link
Contributor

@pugnascotia pugnascotia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I followed the steps and got the same results 👍

@bytebilly
Copy link
Contributor

@breskeby great!
Is there a way to verify that this change is enough to allow installation on a FIPS-enabled distro? I'm not sure if we have such environment, we may want to loop in Fed Field folks and ask some of our customers to check.

@breskeby
Copy link
Contributor Author

We don't have an RHEL 8 FIPS environment by hand to evaluate this I think Who would we ping at fed field folks to test this?

@bytebilly
Copy link
Contributor

I'm reaching out some folks and check if they can help. If this makes things easier, I'm ok merging this PR and iterate further if needed after the validation round.

@breskeby
Copy link
Contributor Author

@bytebilly @mark-vieira I got confirmation from @mgreau that our nightly rpms are signed in the build process similar to the release builds. So once merged we can wait for a nightly and then test the rpm installation on an centos tips enabled gcs image

mark-vieira
mark-vieira approved these changes Jul 21, 2021
View reviewed changes
distribution/packages/build.gradle
}
}
}

dependencies {
classpath "com.github.breskeby:gradle-ospackage-plugin:98455c1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't realize we're also using a patched version of the os-package plugin as well. Curiosity, what's that for?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because this hasn't been merged and released yet: nebula-plugins/gradle-ospackage-plugin#400

@breskeby breskeby merged commit 2c5e406 into elastic:master Jul 22, 2021
@breskeby breskeby mentioned this pull request Jul 27, 2021
Merged
breskeby added a commit to breskeby/elasticsearch that referenced this pull request Jul 27, 2021
@breskeby
Update rpm build to add sha256 payload and file digest
dd9acb2 
This is a follow up on elastic#75569

and should fix installation problems in FIPS enabled environments.
breskeby added a commit that referenced this pull request Jul 27, 2021
@breskeby
Update rpm build to add sha256 payload and file digest (#75731)
b5016d9 
This is a follow up on #75569

and should fix installation problems in FIPS enabled environments.
breskeby added a commit to breskeby/elasticsearch that referenced this pull request Jul 29, 2021
@breskeby
Update rpm build to add sha256 payload and file digest (elastic#75731)
62754ca 
This is a follow up on elastic#75569

and should fix installation problems in FIPS enabled environments.
@breskeby breskeby mentioned this pull request Jul 29, 2021
Merged
breskeby added a commit that referenced this pull request Jul 29, 2021
@breskeby
Update rpm build to add sha256 payload and file digest (#75731) (#75826)
0e27c62 
This is a follow up on #75569

and should fix installation problems in FIPS enabled environments.
@breskeby breskeby added the :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts label Jul 29, 2021
ywangd pushed a commit to ywangd/elasticsearch that referenced this pull request Jul 30, 2021
@breskeby @ywangd
Add Sha256 header in elasticsearch RPMs (elastic#75569)
f18bdb0 
This adds support for Sha256 header signature in our RPMs by
updating the dependency to the readline library to a version
we have patched until the provided PR (craigwblake/redline#157)
got merged and released by the redline folks.

This work is related to elastic#58257
ywangd pushed a commit to ywangd/elasticsearch that referenced this pull request Jul 30, 2021
@breskeby @ywangd
Update rpm build to add sha256 payload and file digest (elastic#75731)
b803b8f 
This is a follow up on elastic#75569

and should fix installation problems in FIPS enabled environments.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bytebilly bytebilly bytebilly approved these changes

@pugnascotia pugnascotia pugnascotia approved these changes

@mark-vieira mark-vieira mark-vieira approved these changes

Assignees

@breskeby breskeby

Labels
:Delivery/Build Build or test infrastructure :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts >enhancement Team:Delivery Meta label for Delivery team v7.15.0 v8.0.0-alpha1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@breskeby @elasticmachine @bytebilly @mark-vieira @pugnascotia @jakelandis