
aghassemlouei commented Dec 29, 2021

Description
This pull request allows for RPM packages to be signed with SHA256 digests given that #11325 reverted CentOS8 changes that would've negated this request. This should address #20719 and unblock installation on Red Hat Enterprise Linux (RHEL) 8 systems.

Testing Guide
On RHEL 8.4 systems, when the azure-cli is installed via Yum/RPM the current behavior without this change results in the following output:

# rpm --checksig --verbose azure-cli-2.31.0-1.el7.x86_64.rpm
azure-cli-2.31.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID be1229cf: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA256 Signature, key ID be1229cf: OK
    MD5 digest: NOTFOUND

External References

History Notes
[Packaging] Add SHA256 digest for RPM: Ensure that all RPMs include SHA256 digest to enable installation on operating systems that do not accept SHA1 checksums
on FIPS enabled systems where MD5 checksums are not permitted
ghost added the customer-reported label (Issues that are reported by GitHub users external to the Azure organization) Dec 29, 2021

ghost commented Dec 29, 2021

Thank you for your contribution aghassemlouei! We will review the pull request and get back to you soon.

yonzhan (Collaborator) commented Dec 29, 2021

Packaging

jiasli (Member) commented Dec 29, 2021

Thanks for the contribution, and the description is very helpful! However, this PR does not qualify as a Hotfix. The next release is pretty near anyway: https://github.com/Azure/azure-cli/milestone/113

jiasli changed the title from "[Packaging] Hotfix: add SHA256 digest for RPMs" to "[Packaging] Add SHA256 digest for RPM" Dec 29, 2021

jiasli (Member) commented Dec 29, 2021

By the way, @aghassemlouei, @archoversight, any idea how I can use an RPM that checks Payload SHA256 digest?

> docker run -it --rm centos:8

# rpm --version
RPM version 4.14.3

# curl 'https://artprodcus3.artifacts.visualstudio.com/A0fb41ef4-5012-48a9-bf39-4ee3de03ee35/29ec6040-b234-4e31-b139-33dc4287b756/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL2F6dXJlLXNkay9wcm9qZWN0SWQvMjllYzYwNDAtYjIzNC00ZTMxLWIxMzktMzNkYzQyODdiNzU2L2J1aWxkSWQvMTI2NzE1OS9hcnRpZmFjdE5hbWUveXVt0/content?format=file&subPath=%2Fazure-cli-2.31.0-1.el7.x86_64.rpm' -o azure-cli.rpm

# rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

# curl https://packages.microsoft.com/yumrepos/azure-cli/azure-cli-2.31.0-1.el7.x86_64.rpm -O

# rpm --checksig --verbose azure-cli-2.31.0-1.el7.x86_64.rpm
azure-cli-2.31.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
    MD5 digest: OK

archoversight commented Dec 29, 2021

[cloud-user@dev-bert-redhattest ~]$ rpm --version
RPM version 4.14.3
[cloud-user@dev-bert-redhattest ~]$ rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    MD5 digest: NOTFOUND

I have no idea how to get it to do that explicitly. The tests above were run on a Red Hat 8.4 system in FIPS mode.

jiasli (Member) commented Dec 30, 2021

@archoversight, are you pulling azure-cli.rpm from https://artprodcus3.artifacts.visualstudio.com/A0fb41ef4-5012-48a9-bf39-4ee3de03ee35/29ec6040-b234-4e31-b139-33dc4287b756/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL2F6dXJlLXNkay9wcm9qZWN0SWQvMjllYzYwNDAtYjIzNC00ZTMxLWIxMzktMzNkYzQyODdiNzU2L2J1aWxkSWQvMTI2NzE1OS9hcnRpZmFjdE5hbWUveXVt0/content?format=file&subPath=%2Fazure-cli-2.31.0-1.el7.x86_64.rpm ? If so, Payload SHA256 digest: NOTFOUND suggests the flag doesn't work...

Also, your result shows MD5 digest: NOTFOUND which differs from mine.

I checked https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#enabling-fips-mode-in-a-container_using-the-system-wide-cryptographic-policies, but can't find a way to enable "Red Hat 8.4 system in FIPS mode" on a Windows docker container using WSL 2. Any way I can do this easily without a "Red Hat 8.4 system in FIPS mode" physical machine?

jiasli (Member) commented Jan 5, 2022

I also tried to create an Azure VM with

"imageReference": {
    "publisher": "RedHat",
    "offer": "RHEL",
    "sku": "84-gen2",
    "version": "latest"
},

However, after following https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#switching-the-system-to-fips-mode_using-the-system-wide-cryptographic-policies and running

sudo fips-mode-setup --enable

the VM won't start anymore 🙁


jiasli (Member) commented Jan 5, 2022

Gen 1 VM works correctly:

"imageReference": {
    "publisher": "RedHat",
    "offer": "RHEL",
    "sku": "8_4",
    "version": "latest"
},

$ sudo fips-mode-setup --enable
$ sudo reboot
$ fips-mode-setup --check
FIPS mode is enabled.

$ rpm --version
RPM version 4.14.3

$ curl 'https://artprodcus3.artifacts.visualstudio.com/A0fb41ef4-5012-48a9-bf39-4ee3de03ee35/29ec6040-b234-4e31-b139-33dc4287b756/_apis/artifact/cGlwZWxpbmVhcnRpZmFjdDovL2F6dXJlLXNkay9wcm9qZWN0SWQvMjllYzYwNDAtYjIzNC00ZTMxLWIxMzktMzNkYzQyODdiNzU2L2J1aWxkSWQvMTI2NzE1OS9hcnRpZmFjdE5hbWUveXVt0/content?format=file&subPath=%2Fazure-cli-2.31.0-1.el7.x86_64.rpm' -o azure-cli.rpm

$ rpm --checksig --verbose azure-cli.rpm
azure-cli.rpm:
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    MD5 digest: NOTFOUND

Now rpm does check Payload SHA256 digest, but Payload SHA256 digest is missing from the package.

CentOS 7, which the build pipeline uses, only has RPM 4.11.3:

> docker run -it --rm centos:7
# rpm --version
RPM version 4.11.3

According to https://www.starlab.io/blog/adding-sha256-digests-to-rpms

As it turns out, the version of rpm (4.11.3) that ships with the latest RHEL / CentOS doesn’t support SHA256 digests in the rpm headers.

fabnord commented Jan 5, 2022

We did some additional testing today and, as @jiasli mentioned above, the CentOS 7 default rpm version 4.11.3 will simply ignore the global parameters to generate SHA256 digests. We need rpm version >= 4.14.3, which is the default on RedHat 8.4, to generate the correct SHA256 digest.

I think the most straightforward solution would be to generate a new rpm package based on a RedHat 8.x binary-compatible Linux distribution like Alma or Rocky, as CentOS 8 is already deprecated. This would make this PR obsolete.
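The following shell script is an added example, not code from this PR or from the azure-cli project. It turns the two findings of this thread into checks a build or release pipeline can run: a version gate for the build host (rpm 4.11.3 silently ignores the SHA256 digest macros; 4.14.3 is the version reported above as sufficient) and a parser for `rpm --checksig --verbose` output that distinguishes a verified payload SHA256 digest from the `NOTFOUND` case and from the case where rpm prints no payload digest line at all. The function names, the choice of 4.14.3 as the threshold, and the "correctly built package" sample output are assumptions; the other two samples are copied from the outputs posted in this thread.

```shell
#!/bin/sh
# Added example (not part of the azure-cli PR). Pipeline checks so that an
# RPM built without a payload SHA256 digest is caught before it reaches a
# FIPS-mode RHEL 8 host. Function names are assumed, not project APIs.

# rpm_version_ok HAVE NEED
# Returns 0 when dotted version HAVE (e.g. 4.14.3) is >= NEED.
# The thread shows rpm 4.11.3 (CentOS 7) ignoring the SHA256 digest macros,
# so the build host is gated at the version reported as sufficient.
rpm_version_ok() {
    have=$1
    need=$2
    oldifs=$IFS
    IFS=.
    set -- $have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}
    set -- $need; n1=${1:-0}; n2=${2:-0}; n3=${3:-0}
    IFS=$oldifs
    [ "$h1" -gt "$n1" ] && return 0
    [ "$h1" -lt "$n1" ] && return 1
    [ "$h2" -gt "$n2" ] && return 0
    [ "$h2" -lt "$n2" ] && return 1
    [ "$h3" -ge "$n3" ]
}

# checksig_payload_status TEXT   (TEXT = output of rpm --checksig --verbose)
# Prints: ok        - payload SHA256 digest present and verified
#         missing   - rpm looked for it and reported NOTFOUND (this PR's case)
#         unchecked - rpm printed no payload SHA256 line at all, as the same
#                     rpm 4.14.3 did outside FIPS mode; treat as a failure,
#                     because it proves nothing about the package
checksig_payload_status() {
    if printf '%s\n' "$1" | grep -q '^[[:space:]]*Payload SHA256 digest: OK$'; then
        echo ok
    elif printf '%s\n' "$1" | grep -q '^[[:space:]]*Payload SHA256 digest: NOTFOUND'; then
        echo missing
    else
        echo unchecked
    fi
}

# checksig_signature_status TEXT
# Prints ok when a signature line verified, nokey when rpm lacked the signing
# key (the NOKEY lines in the thread: import the vendor key first), else none.
checksig_signature_status() {
    if printf '%s\n' "$1" | grep -q 'Signature, key ID [0-9a-f]*: OK$'; then
        echo ok
    elif printf '%s\n' "$1" | grep -q 'Signature, key ID [0-9a-f]*: NOKEY$'; then
        echo nokey
    else
        echo none
    fi
}

# check_rpm_file PATH  (live check; needs rpm on PATH)
# Returns 0 only when the signature verified and the payload digest is OK.
check_rpm_file() {
    out=$(rpm --checksig --verbose "$1" 2>&1) || true
    sig=$(checksig_signature_status "$out")
    dig=$(checksig_payload_status "$out")
    echo "$1: signature=$sig payload-sha256=$dig"
    [ "$sig" = ok ] && [ "$dig" = ok ]
}

# Sample outputs copied from this thread (constructed inputs for offline use).
SAMPLE_MISSING='azure-cli-2.31.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID be1229cf: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA256 Signature, key ID be1229cf: OK
    MD5 digest: NOTFOUND'

SAMPLE_UNCHECKED='azure-cli-2.31.0-1.el7.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID be1229cf: NOKEY
    MD5 digest: OK'

# Constructed: what a correctly built package should report (the thread has
# no such output because the fix had not landed). Key ID is a placeholder.
SAMPLE_OK='example.rpm:
    Header V4 RSA/SHA256 Signature, key ID 00000000: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 00000000: OK'

for s in "$SAMPLE_MISSING" "$SAMPLE_UNCHECKED" "$SAMPLE_OK"; do
    echo "signature=$(checksig_signature_status "$s") payload-sha256=$(checksig_payload_status "$s")"
done

# Build-host gate, only when rpm is installed where this runs.
if command -v rpm >/dev/null 2>&1; then
    ver=$(rpm --version | awk '{print $3}')
    if rpm_version_ok "$ver" 4.14.3; then
        echo "rpm $ver meets the 4.14.3 minimum for payload SHA256 digests"
    else
        echo "rpm $ver is too old to emit payload SHA256 digests (need >= 4.14.3)"
    fi
fi
```

Run the script on the build host before producing packages to fail fast on an old rpm, and run `check_rpm_file` against each built RPM on a FIPS-mode RHEL 8 machine (where rpm actually reports the payload digest line) before publishing. An `unchecked` result is deliberately not accepted as a pass: it means the verifier did not look, not that the digest exists.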

jiasli (Member) commented Feb 9, 2022

As explained in #20852 (comment), this PR won't work. Closing and will continue the work in #20918.

@jiasli jiasli closed this Feb 9, 2022