fix(security): close #93 — FIPS-compatible RPM packaging spec (SEC-01)

packaging/README.md

@@ -0,0 +1,90 @@
+<!--
+Copyright (c) 2026 Innovar Healthcare
+Licensed under the MPL-2.0.
+-->
+
+# BridgeLink RPM Packaging
+
+This directory holds `bridgelink.spec`, the RPM spec for BridgeLink. It closes
+issue [#93](https://github.com/Innovar-Healthcare/BridgeLink/issues/93): on
+FIPS-mode RHEL 8/9 and AlmaLinux 9 hosts, RPMs built with the historical RPM
+default (MD5 cpio file digests) are rejected by the kernel with `cpio: Digest
+mismatch`. The spec declares `%global _binary_filedigest_algorithm 8` and
+`%global _source_filedigest_algorithm 8` in the spec body itself (so the
+build is reproducible regardless of `~/.rpmmacros` on the build host), which
+selects SHA-256 (algorithm `8`) for both binary and source payload digests.
+
+Maintainer: Innovar Healthcare.
+
+Wiring `rpmbuild` into `.github/workflows/build_bridgelink.yml` is out of
+scope for this milestone — see the "Out of scope" section below.
+
+## Build recipe (Docker, AlmaLinux 9)
+
+```bash
+# 1. Produce the source tarball expected by Source0. CI emits bridgelink.tar.gz
+#    without a version suffix; rename it so rpmbuild's %setup macro finds it.
+cp bridgelink.tar.gz bridgelink-26.3.1.tar.gz
+
+# 2. Build the RPM inside a clean AlmaLinux 9 container.
+docker run --rm -v "$PWD":/work -w /work almalinux:9 bash -c '
+  dnf install -y rpm-build rpmdevtools tar gzip && \
+  rpmdev-setuptree && \
+  cp bridgelink-26.3.1.tar.gz ~/rpmbuild/SOURCES/ && \
+  cp packaging/bridgelink.spec ~/rpmbuild/SPECS/ && \
+  rpmbuild -bb ~/rpmbuild/SPECS/bridgelink.spec && \
+  cp ~/rpmbuild/RPMS/noarch/bridgelink-*.rpm /work/
+'
+```
+
+The output artifact is `bridgelink-26.3.1-1.el9.noarch.rpm` (or similar
+distribution tag) in the repo root.
+
+## FIPS digest verification
+
+```bash
+rpm -qp --qf "FILEDIGESTALGO=%{FILEDIGESTALGO}\n" bridgelink-26.3.1-1.*.noarch.rpm
+```
+
+Expected output: `FILEDIGESTALGO=8` (SHA-256). Reject any other value
+(`1` = MD5). If you see `FILEDIGESTALGO=1` or no output, the `%global`
+directives did not apply — inspect the `rpmbuild` log for `warning:
+%global ignored` and confirm the spec at `packaging/bridgelink.spec` is
+the one rpmbuild consumed.
+
+## GPG signing key audit
+
+```bash
+gpg --list-packets /path/to/innovar-public-signing-key.asc | grep "hash algorithm"
+```
+
+Every line MUST show `hash algorithm: SHA-256` or stronger. Any `SHA-1`
+or `MD5` line means the key has a SHA-1 subkey binding and the key MUST
+be regenerated before signing FIPS-compatible RPMs — RHEL 9's GPG
+verifier rejects signatures whose subkey bindings use SHA-1. This audit
+is a hard pre-merge gate for issue #93. Coordinate with the Innovar
+Healthcare release/security team to obtain the public key for inspection.
+
+## FIPS-mode install test
+
+```bash
+docker run --rm --privileged -v "$PWD":/work almalinux:9 bash -c '
+  fips-mode-setup --enable && \
+  dnf install -y /work/bridgelink-26.3.1-1.noarch.rpm
+'
+```
+
+Expected: install completes with no `cpio: Digest mismatch` error.
+A `Requires: java-17-openjdk-headless` resolution warning in the default
+container repo configuration is acceptable for this digest-only smoke
+test; production installs should run against a repo that provides the
+Java runtime.
+
+The one-shot RHEL 8 hardware install verification is performed
+out-of-band per the milestone's accepted verification matrix.
+
+## Out of scope for this milestone
+
+- Wiring `rpmbuild` into `.github/workflows/` — follow-up.
+- Service definition (systemd unit) — separate issue.
+- WebDAV / commons-httpclient removal — tracked as SEC-V2-01.

packaging/bridgelink.spec

@@ -0,0 +1,41 @@
+# Copyright (c) 2026 Innovar Healthcare
+# Licensed under the MPL-2.0.
+# BridgeLink RPM spec — FIPS-compatible (SHA-256 file digests). Closes #93. See packaging/README.md.
+
+%global _binary_filedigest_algorithm 8
+%global _source_filedigest_algorithm 8
+%global _binary_payload_flags 0x1
+
+Name:           bridgelink
+Version:        26.3.1
+Release:        1%{?dist}
+Summary:        BridgeLink healthcare integration engine
+License:        MPL-2.0
+URL:            https://github.com/Innovar-Healthcare/BridgeLink
+Source0:        bridgelink-%{version}.tar.gz
+BuildArch:      noarch
+BuildRequires:  tar
+BuildRequires:  gzip
+Requires:       java-17-openjdk-headless
+
+%description
+BridgeLink is a fork of NextGen Connect (Mirth Connect) — a healthcare
+integration engine maintained by Innovar Healthcare. This RPM lays down
+the server installation tree under /opt/bridgelink. Service management
+(systemd unit, start scripts) is intentionally out of scope for this
+initial FIPS-digest packaging fix.
+
+%prep
+%setup -q -n bridgelink
+
+%install
+mkdir -p %{buildroot}/opt/bridgelink
+cp -r * %{buildroot}/opt/bridgelink/
+
+%files
+%defattr(-,root,root,-)
+/opt/bridgelink
+
+%changelog
+* Wed May 13 2026 Innovar Healthcare <ossteam@innovarhealthcare.com> - 26.3.1-1
+- Initial RPM packaging with SHA-256 file digests for FIPS compatibility (closes #93)