
FIPS Compliant Hash for RHEL6 / EL6 RPMs

cruciblecrucible EntrantInactive User Role Beginner
Would someone be able to rebuild your RHEL/EL6 RPMs with an algorithm that is supported for systems running in FIPS mode?

This would be changed in your .rpmmacros file:

The following two values need to be set to at least SHA256:

%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8

For reference, the default value for each of those settings is "1", which is MD5.

This is the default configuration, for reference, along with the other possible variables:
# If not specified or 0, MD5 is used.
# 1 MD5 (default)
# 2 SHA1
# 8 SHA256
# 9 SHA384
# 10 SHA512
#
#%_source_filedigest_algorithm 1
#%_binary_filedigest_algorithm 1

Would someone be able to rebuild RHEL6 / EL6 RPMs with that value changed in the .rpmmacros file?

Comments

  • cruciblecrucible Entrant Inactive User Role Beginner
    Here is some additional info: When building RPMs for a RHEL 6 environment (that will also be FIPS compliant by default), you must build the RPM with the appropriate digest algorithm and if desired, sign it with a FIPS compliant key. Example:

    $ rpmbuild -ba --define "_source_filedigest_algorithm 8" --define "_binary_filedigest_algorithm 8" /home/rpmbuild/rpmbuild/SPECS/package.spec
    $ gpg --gen-key --personal-digest-preference SHA256
    $ gpg --export -a 'rpmbuild' > RPM-GPG-KEY-rpmbuild
    $ sudo rpm --import RPM-GPG-KEY-rpmbuild
    $ rpm --addsign package.el6.x86_64.rpm


    The values associated with the _source_filedigest_algorithm and _binary_filedigest_algorithm options come from the following list, which by default is set to 1 (MD5):

    # If not specified or 0, MD5 is used.
    # 1 MD5 (default)
    # 2 SHA1
    # 8 SHA256
    # 9 SHA384
    # 10 SHA512
    #
    #%_source_filedigest_algorithm 1
    #%_binary_filedigest_algorithm 1


    If desired, to make the rpmbuild process a bit more seamless, add the following to the user's /home/rpmbuild/.rpmmacros file:

    %_source_filedigest_algorithm 8
    %_binary_filedigest_algorithm 8
    %_gpg_name rpmbuild@example.com
  • cruciblecrucible Entrant Inactive User Role Beginner
    Any thoughts on this?
  • xmikewxmikew Entrant Inactive User Role Supporter
    Sorry, I'm missing the point I think. Are you asking someone on Percona to update and distribute new RPMs with the listed settings changed, or are you asking someone to build these RPMs on an ad-hoc basis and provide them to you?
  • xmikewxmikew Entrant Inactive User Role Supporter
    Ah, never mind, I see what you mean.
  • cruciblecrucible Entrant Inactive User Role Beginner
    Yup, asking Percona if they could change how they are building the RPMs. I could rebuild myself but would much rather have them rebuilt by the vendor and provided. Thanks!
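
Added example, not part of the original thread or of Percona's build tooling: a shell check for the digest settings discussed in the comments above. It reads each package's FILEDIGESTALGO header tag with rpm and fails when a package still uses MD5 or SHA1. The function names are hypothetical; the algorithm numbers are the ones from the macro listing in the thread.

```shell
#!/bin/sh
# Added example: audit built RPMs for a FIPS-acceptable file digest algorithm.
# Function names are illustrative; algorithm numbers come from the rpm macro
# comments quoted in the thread (1 MD5, 2 SHA1, 8 SHA256, 9 SHA384, 10 SHA512).

# Map the FILEDIGESTALGO header value to a name. rpm prints "(none)" when
# the tag is absent, which means the MD5 default was used at build time.
digest_name() {
    case "$1" in
        ""|0|1|"(none)") echo MD5 ;;
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Succeeds only for the algorithms the thread asks for (SHA256 or stronger).
digest_ok() {
    case "$1" in
        8|9|10) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print one line per package; return 1 if any package fails the check
# or cannot be read.
audit_rpms() {
    rc=0
    for pkg in "$@"; do
        if ! algo=$(rpm -qp --qf '%{FILEDIGESTALGO}' "$pkg" 2>/dev/null); then
            echo "ERROR  unreadable  $pkg"; rc=1; continue
        fi
        if digest_ok "$algo"; then
            echo "OK     $(digest_name "$algo")  $pkg"
        else
            echo "FAIL   $(digest_name "$algo")  $pkg"; rc=1
        fi
    done
    return $rc
}

# Usage: audit_rpms /home/rpmbuild/rpmbuild/RPMS/x86_64/*.rpm
```

Because `audit_rpms` returns non-zero on any failing package, it can gate a build or mirror-sync job before packages reach FIPS-mode hosts.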
Copyright ©2005 - 2020 Percona LLC. All rights reserved.