Add sha256 digests to RPM packages (#27103) (#27152)

Fixes #23670 (cherry picked from commit be63e87) Co-authored-by: Andrew Kroh <[email protected]>
elastic · Aug 3, 2021 · 0bf2fe7 · 0bf2fe7
1 parent 4a22981
commit 0bf2fe7
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 6 deletions.
diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go
@@ -721,7 +721,10 @@ func runFPM(spec PackageSpec, packageType PackageType) error {
 		"--architecture", spec.Arch,
 	)
 	if packageType == RPM {
-		args = append(args, "--rpm-rpmbuild-define", "_build_id_links none")
+		args = append(args,
+			"--rpm-rpmbuild-define", "_build_id_links none",
+			"--rpm-digest", "sha256",
+		)
 	}
 	if spec.Version != "" {
 		args = append(args, "--version", spec.Version)

diff --git a/dev-tools/mage/settings.go b/dev-tools/mage/settings.go
@@ -38,7 +38,7 @@ import (
 )
 
 const (
-	fpmVersion = "1.11.0"
+	fpmVersion = "1.13.1"
 
 	// Docker images. See https://github.com/elastic/golang-crossbuild.
 	beatsFPMImage = "docker.elastic.co/beats-dev/fpm"

diff --git a/dev-tools/packaging/package_test.go b/dev-tools/packaging/package_test.go
@@ -109,7 +109,7 @@ func TestDocker(t *testing.T) {
 // Sub-tests
 
 func checkRPM(t *testing.T, file string) {
-	p, err := readRPM(file)
+	p, rpmPkg, err := readRPM(file)
 	if err != nil {
 		t.Error(err)
 		return
@@ -127,6 +127,7 @@ func checkRPM(t *testing.T, file string) {
 	checkLicensesPresent(t, "/usr/share", p)
 	checkSystemdUnitPermissions(t, p)
 	ensureNoBuildIDLinks(t, p)
+	checkRPMDigestTypeSHA256(t, rpmPkg)
 }
 
 func checkDeb(t *testing.T, file string, buf *bytes.Buffer) {
@@ -478,6 +479,16 @@ func ensureNoBuildIDLinks(t *testing.T, p *packageFile) {
 	})
 }
 
+// checkRPMDigestTypeSHA256 verifies that the RPM contains sha256 digests.
+// https://github.com/elastic/beats/issues/23670
+func checkRPMDigestTypeSHA256(t *testing.T, rpmPkg *rpm.PackageFile) {
+	t.Run("rpm_digest_type_is_sha256", func(t *testing.T) {
+		if rpmPkg.ChecksumType() != "sha256" {
+			t.Errorf("expected SHA256 digest type but got %v", rpmPkg.ChecksumType())
+		}
+	})
+}
+
 // Helpers
 
 type packageFile struct {
@@ -507,10 +518,10 @@ func getFiles(t *testing.T, pattern *regexp.Regexp) []string {
 	return files
 }
 
-func readRPM(rpmFile string) (*packageFile, error) {
+func readRPM(rpmFile string) (*packageFile, *rpm.PackageFile, error) {
 	p, err := rpm.OpenPackageFile(rpmFile)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 
 	contents := p.Files()
@@ -529,7 +540,7 @@ func readRPM(rpmFile string) (*packageFile, error) {
 		pf.Contents[file.Name()] = pe
 	}
 
-	return pf, nil
+	return pf, p, nil
 }
 
 // readDeb reads the data.tar.gz file from the .deb.