Generate SHA256 digests when packaging RPM files. #1482
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
For Enterprise Linux users with FIPS mode enabled, the reaper packages will not install without sidestepping digest checking or disabling FIPS mode. This is primarily related to `MD5` hashing not being supported when FIPS is enabled.
Generated packages can be verified as having the SHA256 digests with `rpm --checksig -v reaper-3.5.0-1.noarch.rpm` and should appear as follows:
```
rpm --checksig -v reaper-3.5.0-1.noarch.rpm
reaper-3.5.0-1.noarch.rpm:
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
MD5 digest: OK
```
Prior to this change, packages would appear as follows:
```
rpm --checksig --verbose reaper-3.5.0-1.noarch.rpm
reaper-3.5.0-1.noarch.rpm:
Header RSA signature: NOTFOUND
Header DSA signature: NOTFOUND
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
RSA signature: NOTFOUND
DSA signature: NOTFOUND
```
```
cp resource/cassandra-reaper.yaml build/etc/cassandra-reaper/
cp resource/cassandra-reaper*.yaml build/etc/cassandra-reaper/configs
cp resource/cassandra-reaper-ssl.properties build/etc/cassandra-reaper/configs
cp ../server/target/cassandra-reaper-3.5.0.jar build/usr/share/cassandra-reaper/
cp bin/* build/usr/local/bin/
cp etc/bash_completion.d/spreaper build/etc/bash_completion.d/
cp debian/reaper.init build/etc/init.d/cassandra-reaper
cp debian/cassandra-reaper.service build/lib/systemd/system/cassandra-reaper.service
chmod 755 build/etc/init.d/cassandra-reaper
fpm -s dir -t deb -a all -n reaper -v 3.5.0 --pre-install debian/preinstall.sh --post-install debian/postinstall.sh -C build .
Debian packaging tools generally labels all files in /etc as config files, as mandated by policy, so fpm defaults to this behavior for deb packages. You can disable this default behavior with --deb-no-default-config-files flag {:level=>:warn}
Created package {:path=>"reaper_3.5.0_all.deb"}
fpm --rpm-digest sha256 -s dir -t rpm -a all -n reaper -v 3.5.0 --pre-install redhat/preinstall.sh --post-install redhat/postinstall.sh --config-files /etc/cassandra-reaper/cassandra-reaper.yaml -C build .
Created package {:path=>"reaper-3.5.0-1.noarch.rpm"}
+ mv reaper_3.5.0_all.deb reaper-3.5.0-1.noarch.rpm /usr/src/app/packages
+ cp ../server/target/cassandra-reaper-3.5.0-javadoc.jar ../server/target/cassandra-reaper-3.5.0-sources.jar ../server/target/cassandra-reaper-3.5.0.jar /usr/src/app/packages
+ rm -f /usr/src/app/packages/cassandra-reaper-3.5.0-sources.jar
```
|
No linked issues found. Please add the corresponding issues in the pull request description. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For Enterprise Linux users with FIPS mode enabled, the reaper packages will not install without sidestepping digest checking or disabling FIPS mode. This is primarily related to
MD5hashing not being supported when FIPS is enabled.Generated packages can be verified as having the SHA256 digests with
rpm --checksig -v reaper-3.5.0-1.noarch.rpmand should appear as follows:Prior to this change, packages would appear as follows: