Unable to install grafana-agent rpm on FIPS-enabled OS #4267

Closed
kfriedrich123 opened this issue Jun 27, 2023 · 1 comment · Fixed by #4268
Labels
bug Something isn't working frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed.

Comments

@kfriedrich123
Contributor

What's wrong?

RPM complains about a Digest mismatch while installing grafana-agent on a FIPS-installed OS:

# fips-mode-setup --check
FIPS mode is enabled.

# rpm -i grafana-agent-0.34.1-1.amd64.rpm
error: unpacking of archive failed on file /etc/grafana-agent.yaml;649b0319: cpio: Digest mismatch
error: grafana-agent-0.34.1-1.x86_64: install failed

This happens because MD5 is set as the digest signing algorithm, and FIPS prohibits usage of MD5 anywhere:

# rpm -qp --qf "%{filedigestalgo}\n"  grafana-agent-0.34.1-1.amd64.rpm
(none)

(none) here means MD5, as per https://bugzilla.redhat.com/show_bug.cgi?id=1659053

This is different from the grafana (not the agent) rpm, which as of grafana/grafana#59510 is now signed with sha256:

# rpm -qp --qf "%{filedigestalgo}\n"  grafana-7.5.15-4.el8.x86_64.rpm
8

Steps to reproduce

  1. Download grafana-agent rpm from the upstream repo to a FIPS-enabled OS
  2. Attempt to install it with rpm -i grafana-agent-0.34.1-1.amd64.rpm

System information

RHEL 8.8

Software version

grafana-agent-0.34.1-1

Configuration

FIPS enabled

Logs

No response

@kfriedrich123
Contributor Author

As per @rfratto's comment in #4268 (comment), packages distributed via rpm.grafana.com are re-signed. I've just tested grafana-agent-0.34.3-1 downloaded from that repo and it still contains the MD5 signature, blocking rollout to our FIPS-enabled machines.

andrewimeson added a commit to andrewimeson/agent that referenced this issue Jul 26, 2023
andrewimeson added a commit to andrewimeson/agent that referenced this issue Jul 27, 2023
@github-actions github-actions bot added the frozen-due-to-age Locked due to a period of inactivity. Please open new issues or PRs if more discussion is needed. label Feb 21, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 21, 2024
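
The check the issue runs by hand with `rpm -qp --qf "%{filedigestalgo}\n"`, wrapped as a pre-flight script for a set of package files before rollout to FIPS-enabled hosts. This is an added example, not part of the original thread or the grafana-agent project; the function names and the policy of accepting only SHA-256/384/512 file digests are assumptions of the example.

```shell
#!/bin/sh
# Added example: pre-flight check of RPM file digest algorithms before
# installing packages on FIPS-enabled hosts.

# Map a %{filedigestalgo} value to a digest name. rpm prints "(none)" when
# the tag is absent, which means MD5 (per the Bugzilla entry cited above).
digest_name() {
    case "$1" in
        ''|'(none)'|1) echo MD5 ;;
        2)  echo SHA1 ;;
        8)  echo SHA256 ;;
        9)  echo SHA384 ;;
        10) echo SHA512 ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Return 0 only for SHA-2 file digests. Assumption of this example:
# everything else is treated as not installable on a FIPS host.
fips_ok() {
    case "$(digest_name "$1")" in
        SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Query each package file and print one verdict line per package.
# Returns 0 if all pass, 1 if any digest is rejected, 2 on query errors.
check_rpms() {
    rc=0
    for pkg in "$@"; do
        algo=$(rpm -qp --qf '%{filedigestalgo}\n' "$pkg" 2>/dev/null) || {
            echo "ERROR $pkg: rpm query failed"; rc=2; continue
        }
        if fips_ok "$algo"; then
            echo "OK    $pkg: $(digest_name "$algo")"
        else
            echo "FAIL  $pkg: $(digest_name "$algo")"
            [ "$rc" -eq 0 ] && rc=1
        fi
    done
    return "$rc"
}

# Run the check only when package paths are given on the command line.
if [ "$#" -gt 0 ]; then
    check_rpms "$@"
fi
```

Run it against downloaded package files in a mirror or CI step, so a package with MD5 file digests is caught before `rpm -i` fails on the target host.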