Update rpm build to add sha256 payload and file digest

[breskeby]

This is a follow up on #75569 and should fix installation problems in FIPS enabled environments.

I have updated the PR on redline to add sha256 payload and file digests
(see craigwblake/redline#157 for details). This should enable the installation of our RPM packages in FIPS enabled environments.

The patch provided to redline adds some overhead to the rpm packaging as we need to run through the payload twice to calculate the payload digest first. I haven't found a more elegant way to do this at the moment as this would required way more rework in redline IMO but it should unblock us from not being installable on FIPS environments.

[breskeby]

To verify the change this PR introduces you can run

./gradlew :distribution:packages:buildRpm and then verify the rpm: by running

rpm --checksig -v distribution/packages/rpm/build/distributions/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm distribution/packages/rpm/build/distributions/elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm

which should result in:

Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 ALT digest: OK
Payload SHA256 digest: OK
MD5 digest: OK

[breskeby]

I have tested this on a centos 8 fips enabled machine:

installing unsupported 7.13.3 elasticsearch package resulted in the following problems:

[rene@breskeby-ci-centos8-fips-test ~]$ sudo rpm -iv elasticsearch-7.13.4-x86_64.rpm
Verifying packages...
Preparing packages...
	package elasticsearch-0:7.13.4-1.x86_64 does not verify: no digest
[rene@breskeby-ci-centos8-fips-test ~]$

[rene@breskeby-ci-centos8-fips-test ~]$ rpm --checksig -v elasticsearch-7.13.4-x86_64.rpm
elasticsearch-7.13.4-x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d88e42b4: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID d88e42b4: OK
    MD5 digest: NOTFOUND

With the RPMs created using this PR we get:

[rene@breskeby-ci-centos8-fips-test ~]$ rpm --checksig -v elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm
elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK



[rene@breskeby-ci-centos8-fips-test ~]$ sudo rpm -iv elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm
Verifying packages...
Preparing packages...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
elasticsearch-0:8.0.0~SNAPSHOT-1.x86_64
### NOT starting on installation, please execute the following statements to configure elasticsearch service to start automatically using systemd
 sudo systemctl daemon-reload
 sudo systemctl enable elasticsearch.service
### You can start elasticsearch service by executing
 sudo systemctl start elasticsearch.service
Created elasticsearch keystore in /etc/elasticsearch/elasticsearch.keystore
[/usr/lib/tmpfiles.d/elasticsearch.conf:1] Line references path below legacy directory /var/run/, updating /var/run/elasticsearch → /run/elasticsearch; please update the tmpfiles.d/ drop-in file accordingly.
[/usr/lib/tmpfiles.d/pesign.conf:1] Line references path below legacy directory /var/run/, updating /var/run/pesign → /run/pesign; please update the tmpfiles.d/ drop-in file accordingly.

I tested this with a local created RPM which was not signed as done in our release process but seems that is not required.

In an initial fix where I just added the sha256 payload digest seem not to be enough and changing the file digest from md5 to sha256 seems also necessary as otherwise we see this error:

// using a package with only md5 based file digests
[rene@breskeby-ci-centos8-fips-test ~]$ sudo rpm -iv elasticsearch-8.0.0-SNAPSHOT-x86_64.rpm
Verifying packages...
Preparing packages...
Creating elasticsearch group... OK
Creating elasticsearch user... OK
elasticsearch-0:8.0.0~SNAPSHOT-1.x86_64
error: unpacking of archive failed on file /etc/elasticsearch/elasticsearch.yml;60ffea45: cpio: Digest mismatch
error: elasticsearch-0:8.0.0~SNAPSHOT-1.x86_64: install failed

[elasticmachine]

Pinging @elastic/es-delivery (Team:Delivery)

[pugnascotia]

LGTM. I also built and verified the RPM.