fix(security): close #93 — FIPS-compatible RPM packaging spec (SEC-01)#158

Open
NSchatz wants to merge 4 commits into Innovar-Healthcare:bridgelink_development from NSchatz:fix/issue-93-rpm-fips

Conversation

@NSchatz NSchatz commented May 14, 2026

Summary

Closes #93.

Commits a new top-level packaging/bridgelink.spec setting %global _binary_filedigest_algorithm 8 and %global _source_filedigest_algorithm 8 so the cpio payload uses SHA-256 file digests. This is required for installation on FIPS-mode RHEL 8/9 and AlmaLinux 9 — the historical MD5 default is rejected by the FIPS kernel with cpio: Digest mismatch.

Changes

  • packaging/bridgelink.spec (new) — RPM spec with SHA-256 file digest macros, Java 17 runtime dependency, /opt/bridgelink layout, no %post hooks.
  • packaging/README.md (new) — Docker-based build recipe, FIPS digest verification command, GPG signing-key audit command, FIPS-mode install verification recipe.

Test plan

  • Build executed in almalinux:9 Docker container against packaging/bridgelink.spec (using a smoke bridgelink-26.3.1.tar.gz containing server/setup/ contents as a stand-in for the future CI-produced tarball). FILEDIGESTALGO captured from the produced bridgelink-26.3.1-1.el9.noarch.rpm:

    FILEDIGESTALGO=8
    

    Per-file digest cross-check (rpm -qp --dump) confirms the entries are 64-hex-character SHA-256 hashes, not 32-hex MD5 hashes, e.g. /opt/bridgelink/conf/mirth.properties 5186 ... 9e62abeee2a93f5178feacadb77786136a69529a20563f23273389690dc316e3 ....

  • GPG signing-key audit (pre-merge gate — Assumption A4). The Innovar Healthcare public signing key is held outside this repo and was not accessible during the work-cycle that produced this PR. Reviewer must run:

    # gpg --list-packets reports each signature's hash as "digest algo N" (8 = SHA-256, 9 = SHA-384, 10 = SHA-512; 1 = MD5, 2 = SHA-1)
    gpg --list-packets /path/to/innovar-public-signing-key.asc | grep "digest algo"

    Every line MUST show hash algorithm: SHA-256 or stronger. Any SHA-1 or MD5 line means the key must be regenerated before this PR can merge (RHEL 9 GPG verifier rejects SHA-1 subkey bindings). Recipe is documented in packaging/README.md.

  • FIPS-mode RPM install verification on AlmaLinux 9 (pre-merge gate — Docker container). Recipe in packaging/README.md:

    docker run --rm --privileged -v "$PWD":/work almalinux:9 bash -c '
      fips-mode-setup --enable && \
      dnf install -y /work/bridgelink-26.3.1-1.noarch.rpm
    '

    Expected: no cpio: Digest mismatch error. A Requires: java-17-openjdk-headless repo-resolution warning in the bare container is acceptable for the digest smoke test.

  • FIPS-mode RPM install verification on RHEL 8 hardware (pre-merge gate — out-of-band). Milestone explicitly accepts this as a one-shot hardware test outside CI.

  • Second-set-of-eyes review (milestone constraint — all PRs).

Pre-merge gates

| Gate | Owner | Status |
| --- | --- | --- |
| GPG signing key SHA-1 subkey audit (Assumption A4) | Coordinate with Innovar Healthcare key owner | ⏳ open |
| FIPS-mode RPM install smoke test on AlmaLinux 9 (Docker) | CI / reviewer (recipe in packaging/README.md) | ⏳ open |
| FIPS-mode RPM install smoke test on RHEL 8 hardware | Out-of-band one-shot | ⏳ open |

Out of scope (tracked)

  • Wiring rpmbuild into .github/workflows/build_bridgelink.yml — follow-up.
  • Service definition / systemd unit — separate issue.
  • WebDAV / commons-httpclient-3.0.1.jar runtime removal — SEC-V2-01.

Local test verification (2026-05-13)

Ant 1.10.14 + OpenJDK 17.0.18 + Docker.

  • ant -f server/build.xml compile: BUILD SUCCESSFUL (48s)
  • RPM build inside almalinux:9 Docker container — successful:
    RPM built: RPMS/noarch/bridgelink-26.3.1-1.el9.noarch.rpm
    FILEDIGESTALGO=8
    
    Per-file digest spot-check via rpm -qp --dump:
    /opt/bridgelink/conf/mirth.properties 22 ... 28835c9901c7a765912e604139cbf10ae60ac456311b655c0459377fc97da466 0100644 root root ...
    
    64-hex-character SHA-256 digest confirmed (not MD5). File ownership root root confirmed (%defattr(-,root,root,-) fix from WR-07).
  • rpmspec --query --srpm --qf '%{NAME} %{VERSION} %{RELEASE} %{LICENSE}\n' packaging/bridgelink.spec returns:
    bridgelink 26.3.1 1.el9 MPL-2.0
    
    Confirms CR-02 fix (License: MPL-2.0 matches root LICENSE file content "Mozilla Public License Version 2.0").

The three open pre-merge gates (GPG SHA-1 subkey audit, AlmaLinux 9 FIPS install, RHEL 8 hardware FIPS install) remain open as documented above — the digest-macro itself is now validated end-to-end against a real rpmbuild toolchain in a containerised FIPS-target distro.
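Added example, not code from this PR or from the packaging/README.md it describes: POSIX sh helpers for the two digest gates above (FILEDIGESTALGO of the built RPM, and the signing key's signature-packet hash algorithms), exercised against a constructed gpg --list-packets sample so they run offline. The key ID, key path and RPM path are placeholders.

```shell
#!/bin/sh
# Added example, not code from this PR: helpers for the two FIPS digest gates.
# OpenPGP hash-algorithm IDs (RFC 4880 section 9.4); rpm's FILEDIGESTALGO tag
# reuses the same numbering: 1=MD5 2=SHA1 8=SHA256 9=SHA384 10=SHA512 11=SHA224.
digest_name() {
  case "$1" in
    1) echo MD5 ;;     2) echo SHA1 ;;     8) echo SHA256 ;;  9) echo SHA384 ;;
    10) echo SHA512 ;; 11) echo SHA224 ;;  *) echo "unknown($1)" ;;
  esac
}

# Gate 1: the cpio payload digests. The PR requires FILEDIGESTALGO to be exactly
# 8 (SHA-256); an absent tag ("(none)") or 1 means the legacy MD5 payload that a
# FIPS kernel rejects with "cpio: Digest mismatch".
check_filedigestalgo() { [ "$1" = "8" ]; }

# Gate 2: audit the signing key. Reads `gpg --list-packets key.asc` output on
# stdin; every signature packet (self-sig, subkey binding) carries "digest algo
# N". Any MD5 (1) or SHA-1 (2) binding fails the audit, as the RHEL 9 verifier would.
audit_key_packets() {
  bad=0
  while IFS= read -r line; do
    case "$line" in *"digest algo "*) ;; *) continue ;; esac
    id=${line##*digest algo }   # strip everything up to the algorithm ID
    id=${id%%,*}                 # keep only the number before the next comma
    case "$id" in
      8|9|10|11) echo "ok   digest algo $id ($(digest_name "$id"))" ;;
      *)         echo "FAIL digest algo $id ($(digest_name "$id"))"; bad=1 ;;
    esac
  done
  return $bad
}

# Constructed sample (placeholder key ID): a SHA-256 self-signature (sigclass
# 0x13) followed by a SHA-1 subkey binding (sigclass 0x18), the case the audit
# must catch.
SAMPLE_PACKETS=':signature packet: algo 1, keyid 0123456789ABCDEF, version 4, created 1700000000, md5len 0, sigclass 0x13, digest algo 8, begin of digest 12 34
:signature packet: algo 1, keyid 0123456789ABCDEF, version 4, created 1700000000, md5len 0, sigclass 0x18, digest algo 2, begin of digest ab cd'

# Against real artifacts (paths are placeholders):
#   check_filedigestalgo "$(rpm -qp --qf '%{FILEDIGESTALGO}' /path/to/pkg.rpm)"
#   gpg --list-packets /path/to/innovar-public-signing-key.asc | audit_key_packets
demo() {
  check_filedigestalgo 8 && echo "FILEDIGESTALGO=8: SHA-256 payload digests"
  printf '%s\n' "$SAMPLE_PACKETS" | audit_key_packets \
    || echo "key has a non-SHA-2 binding: regenerate before merge"
}
demo
```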

NSchatz added 4 commits May 13, 2026 22:27
…acros (Innovar-Healthcare#93)

- New top-level packaging/ directory for RPM spec.
- %global _binary_filedigest_algorithm 8 and _source_filedigest_algorithm 8
  declared inline so cpio payload uses SHA-256 digests (FIPS-compatible).
- Name=bridgelink, Version=26.3.1, BuildArch=noarch, Requires java-17-openjdk-headless.
- /opt/bridgelink layout preserves server/setup/ contents under bridgelink/ archive root.
- %changelog records initial FIPS packaging.

Refs: SEC-01, Phase 1 Wave 3 (GH Innovar-Healthcare#93).
…tion recipe (Innovar-Healthcare#93)

- Docker-based AlmaLinux 9 build recipe (rpmbuild in a clean container).
- FIPS digest verification command: rpm -qp --qf "FILEDIGESTALGO=%{FILEDIGESTALGO}\n"
  must return 8 (SHA-256).
- GPG signing-key audit command and pre-merge gate description (no SHA-1 subkey
  bindings allowed — Assumption A4).
- FIPS-mode docker install smoke recipe (fips-mode-setup --enable + dnf install).
- Out-of-scope section references SEC-V2-01 (commons-httpclient / WebDAV).

Refs: SEC-01, Phase 1 Wave 3 (GH Innovar-Healthcare#93).

The repository root LICENSE file declares Mozilla Public License
Version 2.0 (SPDX: MPL-2.0), but the RPM spec's License: field and the
copyright header comments in both bridgelink.spec and packaging/README.md
incorrectly stated MPL-1.1. Built RPMs would have advertised the wrong
license to downstream consumers (rpm -qi bridgelink). For FIPS /
regulated-deployment customers this is a publishable-license metadata
defect.

Correct to MPL-2.0 in all three locations.

Without an explicit %defattr(-,root,root,-) the file ownership and
permissions in the resulting RPM depend on the build environment's
umask and the staged files' attributes — not deterministic across
build hosts. RHEL packaging guidelines recommend always declaring
%defattr even though modern rpmbuild defaults to root-owned.

%doc / %license entries are deferred until a real production tarball
that includes README.md and LICENSE in its payload is available
(currently the %install just copies %{buildroot}/opt/bridgelink).

Successfully merging this pull request may close these issues.

[SECURITY] Some archives in RPM files still using MD5. Causing cpio: Digest mismatch error on FIPS secure systems.