Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

RPM Install Fails on FIPS Mode Systems #1016

Open
5 tasks done
ChrisLeinbach opened this issue May 31, 2024 · 2 comments
Open
5 tasks done

RPM Install Fails on FIPS Mode Systems #1016

ChrisLeinbach opened this issue May 31, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@ChrisLeinbach
Copy link

Thanks in advance for your bug report!

  • Have you reproduced issue in safe mode?
  • Have you used the debugging guide to try to resolve the issue?
  • Have you checked our FAQs to make sure your question isn't answered there?
  • Have you checked to make sure your issue does not already exist?
  • Have you checked you are on the latest release of Pulsar?

What happened?

The Pulsar RPM packages fail to install on systems that have FIPS mode enabled when installing via both the RPM and DNF/Yum commands.

This happens due to MD5 digests being the default digest method for RPM but MD5, being non-FIPS compliant, is blocked on FIPS enabled systems.

Pulsar version

1.117.0

Which OS does this happen on?

🐧 Red Hat based (Fedora, Alma, RockyLinux, CentOS Stream, etc.)

OS details

AlmaLinux 9.4

Which CPU architecture are you running this on?

x86_64/AMD64

What steps are needed to reproduce this?

  1. Enable FIPS mode on your system using the fips=1 kernel command line argument.
  2. Attempt to install the Pulsar RPM with either DNF/Yum or RPM directly.
  3. DNF/Yum will give a very generic error. RPM will error stating that the digest for the Electron license file digest failed.

Additional Information:

See Elastic Beats #23670 for a similar issue and how it was fixed for that project.
@ChrisLeinbach ChrisLeinbach added the bug Something isn't working label May 31, 2024
@ChrisLeinbach
Copy link
Author

Building a virtual machine to test out the build and install now. Will create pull request if successful.

@ChrisLeinbach
Copy link
Author

This appears to be more nuanced that I originally thought. I was able to build an RPM with my change but both my build and the one i pulled from the releases page have SHA256 digests.

The result of signature/digest checking both RPMs:

# rpm --checksig -v ./*pulsar*.rpm 
./Linux.pulsar-1.117.0.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
./pulsar-1.117.0-dev.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK

The result of trying to install the 1.117.0 release RPM:

# rpm -i Linux.pulsar-1.117.0.x86_64.rpm 
error: unpacking of archive failed on file /opt/Pulsar/LICENSE.electron.txt;6659d276: cpio: Digest mismatch
error: pulsar-1.117.0-1.x86_64: install failed

Its almost like something in the release binary pipeline is mangling that license file or its digest.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ChrisLeinbach