Kibana version:
7.7.1, 7.8.0
Elasticsearch version:
7.6.2, 7.7.0, 7.7.1, 7.8.0
Server OS version:
RHEL 8, RHEL 8.1, RHEL 8.2
Browser version:
n/a
Browser OS version:
n/a
Original install method (e.g. download page, yum, from source, etc.):
Attempt to install from Elasticsearch RPM repository
Describe the bug:
When attempting to install or upgrade Kibana from the official Elastic repository, it fails due to the RPM package not being signed in the appropriate way.
Steps to reproduce:
Attempt to install or upgrade Kibana (using re-install here, however it is the same behavior for install / upgrade):
[root@XXXXXX kibana]# yum reinstall kibana
Updating Subscription Management repositories.
...
Downloading Packages:
kibana-7.8.0-x86_64.rpm 273 MB/s | 329 MB 00:01
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total 272 MB/s | 329 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
package kibana-7.8.0-1.x86_64 does not verify: no digest
Expected behavior:
Kibana installs or upgrades normally.
Screenshots (if relevant):
n/a
Errors in browser console (if relevant):
n/a
Provide logs and/or server output (if relevant):
Any additional context:
This is due to a change in RHEL 8+ with regards to package management / verification. From the RHEL 8 Release notes:
(BZ#1581990)
RPM now validates the entire package contents before starting an installation
On Red Hat Enterprise Linux 7, the RPM utility verified payload contents of individual files while unpacking. However, this is insufficient for multiple reasons:
If the payload is damaged, it is only noticed after executing script actions, which are irreversible.
If the payload is damaged, upgrade of a package aborts after replacing some files of the previous version, which breaks a working installation.
The hashes on individual files are performed on uncompressed data, which makes RPM vulnerable to decompressor vulnerabilities.
On Red Hat Enterprise Linux 8, the entire package is validated prior to the installation in a separate step, using the best available hash.
Packages built on Red Hat Enterprise Linux 8 use a new SHA-256 hash on the compressed payload. On signed packages, the payload hash is additionally protected by the signature, and thus cannot be altered without breaking a signature and other hashes on the package header. Older packages use the MD5 hash of the header and payload unless it is disabled by configuration.
The %_pkgverify_level macro can be used to additionally enable enforcing signature verification before installation or disable the payload verification completely. In addition, the %_pkgverify_flags macro can be used to limit which hashes and signatures are allowed. For example, it is possible to disable the use of the weak MD5 hash at the cost of compatibility with older packages.
Additional info at link
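An added example, not part of the original issue and not Elastic's or Red Hat's code: a small Python reader that lists which digest and signature tags an RPM file carries, the distinction the quoted release note draws between the new payload digest and the legacy MD5 of header and payload. The tag numbers are the ones defined in rpm's rpmtag.h; `OLD_STYLE` and `NEW_STYLE` are constructed byte strings with all-zero digests, not real packages.

```python
import struct

LEAD_SIZE = 96                      # fixed-size legacy "lead" at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # starts both the signature section and the main header
# Tag numbers as defined in rpm's rpmtag.h
SIG_TAGS = {267: "DSA signature (header)", 268: "RSA signature (header)",
            269: "SHA1 digest (header)", 273: "SHA256 digest (header)",
            1002: "RSA signature (header+payload)", 1004: "MD5 digest (header+payload)",
            1005: "DSA signature (header+payload)"}
HDR_TAGS = {5092: "payload digest", 5093: "payload digest algorithm"}

def read_tags(buf, off):
    """Return (tag numbers in the section at off, offset just past the section)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, store_size = struct.unpack(">II", buf[off + 8:off + 16])
    first = off + 16                # index entries: tag, type, offset, count (16 bytes each)
    tags = {struct.unpack(">I", buf[first + 16 * i:first + 16 * i + 4])[0]
            for i in range(nindex)}
    return tags, first + 16 * nindex + store_size

def package_digests(buf):
    """List the digests and signatures an RPM carries, by human-readable name."""
    if buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig_tags, end = read_tags(buf, LEAD_SIZE)
    end += -end % 8                 # the signature section is padded to an 8-byte boundary
    hdr_tags, _ = read_tags(buf, end)
    return ([SIG_TAGS[t] for t in sorted(sig_tags) if t in SIG_TAGS] +
            [HDR_TAGS[t] for t in sorted(hdr_tags) if t in HDR_TAGS])

def build_section(entries):
    """Constructed-sample helper: pack (tag, type, data) entries into one section."""
    index = store = b""
    for tag, typ, data in entries:
        count = len(data) if typ == 7 else 1      # type 7 = binary blob, count is its length
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return HEADER_MAGIC + bytes(4) + struct.pack(">II", len(entries), len(store)) + index + store

def build_rpm(sig_entries, hdr_entries):
    sig = build_section(sig_entries)
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + sig + bytes(-len(sig) % 8) + build_section(hdr_entries)

# Constructed samples (all-zero digests, not installable packages)
OLD_STYLE = build_rpm([(1004, 7, bytes(16))], [(1000, 6, b"demo\0")])
NEW_STYLE = build_rpm([(273, 6, b"0" * 64 + b"\0"), (1004, 7, bytes(16))],
                      [(5093, 4, struct.pack(">I", 8)), (5092, 8, b"0" * 64 + b"\0")])
```

To inspect a downloaded package, pass the file's bytes to `package_digests`; a result containing only the MD5 entry is the "older package" case the release note describes.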