FIPS Compliant Hash for RHEL6 / EL6 RPMs

Would someone be able to rebuild your RHEL/EL6 RPMs with an algorithm that is supported for systems running in FIPS mode?

This would be changed in your .rpmmacros file:

The following two values need to be set to at least SHA256:

%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8

For reference, the default value for each of those settings is “1”, which is MD5.

This is the default configuration, for reference, along with the other possible variables:

If not specified or 0, MD5 is used.
1 MD5 (default)
2 SHA1
8 SHA256
9 SHA384
10 SHA512

#%_source_filedigest_algorithm 1
#%_binary_filedigest_algorithm 1

Would someone be able to rebuild RHEL6 / EL6 RPMs with that value changed in the rpmmacros file?

Here is some additional info: When building RPMs for a RHEL 6 environment (that will also be FIPS compliant by default), you must build the RPM with the appropriate digest algorithm and if desired, sign it with a FIPS compliant key. Example:

$ rpmbuild -ba --define "_source_filedigest_algorithm 8" --define "_binary_filedigest_algorithm 8" /home/rpmbuild/rpmbuild/SPECS/package.spec
$ gpg --gen-key --personal-digest-preferences SHA256
$ gpg --export -a 'rpmbuild' > RPM-GPG-KEY-rpmbuild
$ sudo rpm --import RPM-GPG-KEY-rpmbuild
$ rpm --addsign package.el6.x86_64.rpm

The values associated with the _source_filedigest_algorithm and _binary_filedigest_algorithm options come from the following list, which by default is set to 1 (MD5):

# If not specified or 0, MD5 is used.
1 MD5 (default)
2 SHA1
8 SHA256
9 SHA384
10 SHA512

#%_source_filedigest_algorithm 1
#%_binary_filedigest_algorithm 1

If desired, to make the rpmbuild process a bit more seamless, add the following to the user’s /home/rpmbuild/.rpmmacros file:

%_source_filedigest_algorithm 8
%_binary_filedigest_algorithm 8
%_gpg_name rpmbuild@example.com

Any thoughts on this?
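To check which file-digest algorithm a finished package actually carries before it is pushed to FIPS-mode hosts, here is an added example (not from the thread, and not Percona's or rpm's own code) that parses the RPM header directly for the FILEDIGESTALGO tag (5011) and maps the value with the table quoted above; the sample package bytes are constructed inline, and the SIGTAG_SIZE value in them is made up.

```python
import struct

HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"
LEAD_SIZE = 96                 # fixed-size lead at the start of every .rpm
TAG_FILEDIGESTALGO = 5011      # RPMTAG_FILEDIGESTALGO, stored as INT32 (type 4)
DIGEST_NAMES = {0: "MD5", 1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}  # ids from the rpmmacros comment
FIPS_OK = {8, 9, 10}           # "at least SHA256"

def parse_header(blob, pos):
    """Parse one header structure at blob[pos]; return ({tag: (type, count, data)}, end)."""
    if blob[pos:pos + 8] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % pos)
    nindex, hsize = struct.unpack(">II", blob[pos + 8:pos + 16])
    store = pos + 16 + 16 * nindex          # data store follows the 16-byte index entries
    entries = {}
    for off in range(pos + 16, store, 16):
        tag, typ, data_off, cnt = struct.unpack(">IIII", blob[off:off + 16])
        entries[tag] = (typ, cnt, blob[store + data_off:store + hsize])
    return entries, store + hsize

def file_digest_algo(rpm_bytes):
    """FILEDIGESTALGO of a complete .rpm image; 0 when the tag is absent (rpm then uses MD5)."""
    if rpm_bytes[:4] != b"\xed\xab\xee\xdb":
        raise ValueError("not an RPM: lead magic missing")
    _, end = parse_header(rpm_bytes, LEAD_SIZE)   # signature header follows the lead
    end += -end % 8                                # main header starts 8-byte aligned
    entries, _ = parse_header(rpm_bytes, end)
    typ, cnt, data = entries.get(TAG_FILEDIGESTALGO, (4, 1, b"\0\0\0\0"))  # absent => 0
    if typ != 4 or cnt < 1:
        raise ValueError("unexpected FILEDIGESTALGO entry")
    return struct.unpack(">I", data[:4])[0]

def fips_verdict(algo):
    # (name, acceptable-in-FIPS-mode) for the numeric algorithm id
    return DIGEST_NAMES.get(algo, "unknown(%d)" % algo), algo in FIPS_OK

def _header(int32_entries):
    # Serialize {tag: int32 value} into a header structure; used only for the constructed sample
    index = store = b""
    for tag, value in int32_entries.items():
        index += struct.pack(">IIII", tag, 4, len(store), 1)
        store += struct.pack(">I", value)
    return HEADER_MAGIC + struct.pack(">II", len(int32_entries), len(store)) + index + store

def sample_rpm(algo=None):
    """Constructed minimal .rpm image (lead + signature header + main header), not a real package."""
    sig = _header({1000: 4096})             # SIGTAG_SIZE with a made-up value
    sig += b"\x00" * (-len(sig) % 8)        # signature header is padded to 8 bytes
    main = _header({} if algo is None else {TAG_FILEDIGESTALGO: algo})
    return b"\xed\xab\xee\xdb" + b"\x00" * (LEAD_SIZE - 4) + sig + main
```

On a host with rpm installed, `rpm -qp --qf '%{FILEDIGESTALGO}\n' package.rpm` reads the same tag; a package built with the default macros shows no value, which is the MD5 case this check flags.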

Sorry, I think I'm missing the point. Are you asking someone at Percona to update and distribute new RPMs with the listed settings changed, or are you asking someone to build these RPMs on an ad-hoc basis and provide them to you?

Ah, never mind, I see what you mean.

Yup, asking Percona if they could change how they are building the RPMs. I could rebuild myself but would much rather have them rebuilt by the vendor and provided. Thanks!