Merge branch '8794-libgcrypt-gnupg-fips' into 'master'

FIPS packages: Use system libgcrypt Closes #8794 See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/8048 Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com> Approved-by: Andrew Patterson <apatterson@gitlab.com> Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com> Reviewed-by: Clemens Beck <cbeck@gitlab.com> Co-authored-by: Clemens Beck <cbeck@gitlab.com>

Merge branch '8794-libgcrypt-gnupg-fips' into 'master'
4c821e5c · Balasankar C · 20a81bb7 · e5c4fca0 · 4c821e5c · 4c821e5c
Commit 4c821e5c authored 2 months ago by Balasankar C
--- a/config/projects/gitlab.rb
+++ b/config/projects/gitlab.rb
@@ -101,7 +101,7 @@ if OhaiHelper.arm?
  allowed_lib /libatomic.so.1/ if OhaiHelper.raspberry_pi?
 end
  
-# FIPs requires system OpenSSL packages to run
+# FIPS requires system OpenSSL packages to run
 if Build::Check.use_system_ssl?
  if rhel?
    runtime_dependency 'openssl-perl'
@@ -110,6 +110,17 @@ if Build::Check.use_system_ssl?
  end
 end
  
+# FIPS requires system libgcrypt packages to run.
+if Build::Check.use_system_libgcrypt?
+  allowed_lib /libgcrypt\.so/
+
+  if rhel?
+    runtime_dependency 'libgcrypt'
+  else
+    runtime_dependency 'libgcrypt20'
+  end
+end
+
 dependency 'cacerts'
 dependency 'omnibus-gitlab-gems'
 dependency 'gitlab-selinux' if SELinuxDistroHelper.selinux_supported?

--- a/config/software/gnupg.rb
+++ b/config/software/gnupg.rb
@@ -17,12 +17,13 @@
 name 'gnupg'
 default_version '2.2.41'
  
+dependency 'bzip2'
 dependency 'libassuan'
-dependency 'npth'
-dependency 'libgcrypt'
+dependency 'libgcrypt' unless Build::Check.use_system_libgcrypt?
+dependency 'libgpg-error'
 dependency 'libksba'
+dependency 'npth'
 dependency 'zlib'
-dependency 'bzip2'
  
 license 'LGPL-2.1'
 license_file 'COPYING.LGPL3'
@@ -39,14 +40,24 @@ build do
  # For gnupg to build fine in Debian Wheezy and Centos ^
  env['LDFLAGS'] << " -lrt"
  
-  config_flags = ""
+  prefix = "#{install_dir}/embedded"
+
+  configure_command = [
+    './configure',
+    "--prefix=#{prefix}",
+    '--disable-doc',
+    '--without-readline',
+    '--disable-sqlite',
+    '--disable-gnutls',
+    '--disable-dirmngr',
+    "--with-libgpg-error-prefix=#{prefix}",
+  ]
+
  # CentOS 6 doesn't have inotify, which will raise an error
  # IN_EXCL_UNLINK undeclared. Hence disabling it explicitly.
-  config_flags = "ac_cv_func_inotify_init=no" if ohai['platform'] =~ /centos/ && ohai['platform_version'] =~ /^6/
+  configure_command << "ac_cv_func_inotify_init=no" if ohai['platform'] =~ /centos/ && ohai['platform_version'] =~ /^6/
  
-  prefix = "#{install_dir}/embedded"
-  command './configure ' \
-    "--prefix=#{prefix} --with-libgpg-error-prefix=#{prefix} --disable-doc --without-readline --disable-sqlite --disable-gnutls --disable-dirmngr #{config_flags}", env: env
+  command configure_command.join(' '), env: env
  
  make "-j #{workers}", env: env
  make 'install', env: env

--- a/config/software/libassuan.rb
+++ b/config/software/libassuan.rb
@@ -32,8 +32,15 @@ relative_path "libassuan-#{version}"
 build do
  env = with_standard_compiler_flags(with_embedded_path)
  prefix = "#{install_dir}/embedded"
-  command './configure ' \
-    "--prefix=#{prefix} --with-libgpg-error-prefix=#{prefix} --disable-doc", env: env
+
+  configure_command = [
+    './configure',
+    "--prefix=#{prefix}",
+    '--disable-doc',
+    "--with-libgpg-error-prefix=#{prefix}",
+  ]
+
+  command configure_command.join(' '), env: env
  
  make "-j #{workers}", env: env
  make 'install', env: env

--- a/gitlab-ci-config/check-packages.yml
+++ b/gitlab-ci-config/check-packages.yml
@@ -123,6 +123,7 @@ Ubuntu-20.04-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  
 # yum based
 CentOS-7-check:
@@ -159,6 +160,7 @@ AlmaLinux-8-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
 AlmaLinux-9-fips-check:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_9_fips:latest"
  extends: .yum-install
@@ -166,6 +168,7 @@ AlmaLinux-9-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
 AmazonLinux-2-fips-check:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:latest"
  extends: .yum-install
@@ -173,6 +176,7 @@ AmazonLinux-2-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
  
 # zypper based
 OpenSUSE-15.5-check:

--- a/gitlab-ci-config/dev-gitlab-org.yml
+++ b/gitlab-ci-config/dev-gitlab-org.yml
@@ -73,6 +73,7 @@
  extends: .branch_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  rules:
    - !reference [.default_rules, rules]
    - if: '$PIPELINE_TYPE == "EE_NIGHTLY_BUILD_PIPELINE"'
@@ -141,6 +142,7 @@
  extends: .tag_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  rules:
    - !reference [.default_rules, rules]
    - if: '$PIPELINE_TYPE =~ /^EE_(RC|TAG)_BUILD_PIPELINE$/'
@@ -182,6 +184,7 @@
  extends: .staging_upload_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
    INCLUDE_PACKAGECLOUD: "true"
  rules:
    - !reference [.default_rules, rules]
@@ -219,6 +222,7 @@
  extends: .production_release_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
    INCLUDE_PACKAGECLOUD: "true"
  rules:
    - !reference [.default_rules, rules]
@@ -383,6 +387,8 @@ SLES-15.2-branch:
 AmazonLinux-2-fips-branch:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_branch_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips-branch:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_branch_template
@@ -637,6 +643,8 @@ SLES-15.2:
 AmazonLinux-2-fips:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_tag_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_tag_template
@@ -829,6 +837,8 @@ SLES-15.2-staging:
    - if: '$PIPELINE_TYPE =~ /^EE_(RC|TAG)_BUILD_PIPELINE$/'
 AmazonLinux-2-fips-staging:
  extends: .fips_staging_upload_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
  needs:
    - job: AmazonLinux-2-fips
      optional: true
@@ -971,6 +981,8 @@ AmazonLinux-2-fips-release:
  extends: .fips_release_template
  needs:
    - AmazonLinux-2-fips
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips-release:
  extends: .fips_release_template
  needs:

--- a/gitlab-ci-config/variables.yml
+++ b/gitlab-ci-config/variables.yml
@@ -8,7 +8,7 @@ variables:
  # To be used for images that exist only on dev.gitlab.org
  DEV_BUILDER_IMAGE_REGISTRY: 'dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder'
  PUBLIC_BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
-  BUILDER_IMAGE_REVISION: "5.21.0"
+  BUILDER_IMAGE_REVISION: "5.22.0"
  # The registry to pull the assets image from
  ASSET_REGISTRY: "${CI_REGISTRY}"
  ASSET_SYNC_EXISTING_REMOTE_FILES: "keep"

--- a/lib/gitlab/build/check.rb
+++ b/lib/gitlab/build/check.rb
@@ -23,21 +23,27 @@ module Build
        is_ee? || is_jh?
      end
  
+      def boringcrypto_supported?
+        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
+      end
+
      def fips?
        # TODO: Add code to automatically set to true on FIPS supported OSs
        false
      end
  
-      def boringcrypto_supported?
-        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
-      end
-
      def use_system_ssl?
-        # Once we implement the above TODO, we can get rid of this variable and
+        # Once we implement the `fips?` TODO, we can get rid of this variable and
        # gate on `fips?` alone.
        Gitlab::Util.get_env('USE_SYSTEM_SSL') == 'true' || fips?
      end
  
+      def use_system_libgcrypt?
+        # Once we implement the `fips?` TODO, we can get rid of this variable and
+        # gate on `fips?` alone.
+        Gitlab::Util.get_env('USE_SYSTEM_LIBGCRYPT') == 'true' || fips?
+      end
+
      def match_tag?(tag)
        system(*%W[git describe --exact-match --match #{tag}])
      end