FIPS Compliant Hash for RHEL6 / EL6 RPMs

  • FIPS Compliant Hash for RHEL6 / EL6 RPMs

    Would someone be able to rebuild your RHEL/EL6 RPMs with an algorithm that is supported for systems running in FIPS mode?

    This would be changed in your .rpmmacros file:

    The following two values need to be set to at least SHA256:

    %_source_filedigest_algorithm 8
    %_binary_filedigest_algorithm 8

    For reference, the default value for each of those settings is "1", which is MD5.

    This is the default configuration, for reference, along with the other possible variables:
    # If not specified or 0, MD5 is used.
    # 1 MD5 (default)
    # 2 SHA1
    # 8 SHA256
    # 9 SHA384
    # 10 SHA512
    #
    #%_source_filedigest_algorithm 1
    #%_binary_filedigest_algorithm 1


    Would someone be able to rebuild RHEL6 / EL6 RPMs with that value changed in the rpmmacros file?

  • #2
    Here is some additional info: When building RPMs for a RHEL 6 environment (that will also be FIPS compliant by default), you must build the RPM with the appropriate digest algorithm and if desired, sign it with a FIPS compliant key. Example:

    $ rpmbuild -ba --define "_source_filedigest_algorithm 8" --define "_binary_filedigest_algorithm 8" /home/rpmbuild/rpmbuild/SPECS/package.spec
    $ gpg --gen-key --personal-digest-preference SHA256
    $ gpg --export -a 'rpmbuild' > RPM-GPG-KEY-rpmbuild
    $ sudo rpm --import RPM-GPG-KEY-rpmbuild
    $ rpm --addsign package.el6.x86_64.rpm


    The values associated with the _source_filedigest_algorithm and _binary_filedigest_algorithm options come from the following list, which by default is set to 1 (MD5):

    # If not specified or 0, MD5 is used.
    # 1 MD5 (default)
    # 2 SHA1
    # 8 SHA256
    # 9 SHA384
    # 10 SHA512
    #
    #%_source_filedigest_algorithm 1
    #%_binary_filedigest_algorithm 1


    If desired, to make the rpmbuild process a bit more seamless, add the following to the user's /home/rpmbuild/.rpmmacros file:

    %_source_filedigest_algorithm 8
    %_binary_filedigest_algorithm 8
    %_gpg_name rpmbuild@example.com
    Last edited by crucible; 02-18-2014, 03:22 PM. Reason: Formatting
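
As a check on the result this thread asks for, the following added example (not code from the thread or from Percona) reads the file-digest algorithm id from each package header and flags anything below SHA256. It assumes rpm's `FILEDIGESTALGO` query tag; the function names and sample package names are hypothetical.

```shell
# Added example: report the file-digest algorithm recorded in RPM headers.
# Ids follow the list quoted in the thread (1 MD5, 2 SHA1, 8 SHA256, ...).
digest_name() {
    case "$1" in
        ""|"(none)"|0|1) echo MD5 ;;   # tag absent: rpm prints "(none)"
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# The thread asks for "at least SHA256", so only 8, 9 and 10 pass.
digest_ok() {
    case "$1" in 8|9|10) return 0 ;; *) return 1 ;; esac
}

# Read "<package> <algo-id>" lines on stdin; non-zero status if any fail.
audit_lines() {
    rc=0
    while read -r name algo; do
        [ -n "$name" ] || continue
        if digest_ok "$algo"; then verdict=OK; else verdict=FAIL; rc=1; fi
        printf '%-4s %s (%s)\n' "$verdict" "$name" "$(digest_name "$algo")"
    done
    return "$rc"
}

# Query package files with rpm and feed the result to audit_lines.
audit_rpms() {
    for f in "$@"; do
        rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{FILEDIGESTALGO}\n' "$f"
    done | audit_lines
}

# Constructed sample input (hypothetical package names), used when no
# .rpm paths are given so the script also runs where rpm is not installed.
sample_lines() {
    printf '%s\n' 'examplepkg-1.0-1.el6 (none)' \
                  'examplepkg-1.0-2.el6 8' \
                  'otherpkg-2.3-1.el6 2'
}

if [ "$#" -gt 0 ]; then
    audit_rpms "$@"
else
    sample_lines | audit_lines || echo "sample: not every package passes"
fi
```

Run it with one or more `.rpm` paths as arguments to audit real packages; the exit status is non-zero if any of them uses MD5 or SHA1 file digests.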



    • #3
      Any thoughts on this?



      • #4
        Sorry, I'm missing the point, I think. Are you asking someone at Percona to update and distribute new RPMs with the listed settings changed, or are you asking someone to build these RPMs on an ad-hoc basis and provide them to you?



        • #5
          Ah, never mind, I see what you mean.



          • #6
            Yup, asking Percona if they could change how they are building the RPMs. I could rebuild myself but would much rather have them rebuilt by the vendor and provided. Thanks!
