FIPS packages: Use system libgcrypt

FIPS packages should use the system libgcrypt. The only Omnibus component using requiring libgcrypt is gnupg. Builder image revision is updated to have the required dev utilities to build with system libgcrypt. Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8794 Changelog: fixed

FIPS packages: Use system libgcrypt
e5c4fca0 · Clemens Beck · Balasankar C · d698daa2 · e5c4fca0 · e5c4fca0
Commit e5c4fca0 authored 2 months ago by Clemens Beck Committed by Balasankar C 2 months ago
--- a/config/projects/gitlab.rb
+++ b/config/projects/gitlab.rb
@@ -101,7 +101,7 @@ if OhaiHelper.arm?
  allowed_lib /libatomic.so.1/ if OhaiHelper.raspberry_pi?
 end
  
-# FIPs requires system OpenSSL packages to run
+# FIPS requires system OpenSSL packages to run
 if Build::Check.use_system_ssl?
  if rhel?
    runtime_dependency 'openssl-perl'
@@ -110,6 +110,17 @@ if Build::Check.use_system_ssl?
  end
 end
  
+# FIPS requires system libgcrypt packages to run.
+if Build::Check.use_system_libgcrypt?
+  allowed_lib /libgcrypt\.so/
+
+  if rhel?
+    runtime_dependency 'libgcrypt'
+  else
+    runtime_dependency 'libgcrypt20'
+  end
+end
+
 dependency 'cacerts'
 dependency 'omnibus-gitlab-gems'
 dependency 'gitlab-selinux' if SELinuxDistroHelper.selinux_supported?

--- a/config/software/gnupg.rb
+++ b/config/software/gnupg.rb
@@ -17,12 +17,13 @@
 name 'gnupg'
 default_version '2.2.41'
  
+dependency 'bzip2'
 dependency 'libassuan'
-dependency 'npth'
-dependency 'libgcrypt'
+dependency 'libgcrypt' unless Build::Check.use_system_libgcrypt?
+dependency 'libgpg-error'
 dependency 'libksba'
+dependency 'npth'
 dependency 'zlib'
-dependency 'bzip2'
  
 license 'LGPL-2.1'
 license_file 'COPYING.LGPL3'
@@ -39,14 +40,24 @@ build do
  # For gnupg to build fine in Debian Wheezy and Centos ^
  env['LDFLAGS'] << " -lrt"
  
-  config_flags = ""
+  prefix = "#{install_dir}/embedded"
+
+  configure_command = [
+    './configure',
+    "--prefix=#{prefix}",
+    '--disable-doc',
+    '--without-readline',
+    '--disable-sqlite',
+    '--disable-gnutls',
+    '--disable-dirmngr',
+    "--with-libgpg-error-prefix=#{prefix}",
+  ]
+
  # CentOS 6 doesn't have inotify, which will raise an error
  # IN_EXCL_UNLINK undeclared. Hence disabling it explicitly.
-  config_flags = "ac_cv_func_inotify_init=no" if ohai['platform'] =~ /centos/ && ohai['platform_version'] =~ /^6/
+  configure_command << "ac_cv_func_inotify_init=no" if ohai['platform'] =~ /centos/ && ohai['platform_version'] =~ /^6/
  
-  prefix = "#{install_dir}/embedded"
-  command './configure ' \
-    "--prefix=#{prefix} --with-libgpg-error-prefix=#{prefix} --disable-doc --without-readline --disable-sqlite --disable-gnutls --disable-dirmngr #{config_flags}", env: env
+  command configure_command.join(' '), env: env
  
  make "-j #{workers}", env: env
  make 'install', env: env

--- a/config/software/libassuan.rb
+++ b/config/software/libassuan.rb
@@ -32,8 +32,15 @@ relative_path "libassuan-#{version}"
 build do
  env = with_standard_compiler_flags(with_embedded_path)
  prefix = "#{install_dir}/embedded"
-  command './configure ' \
-    "--prefix=#{prefix} --with-libgpg-error-prefix=#{prefix} --disable-doc", env: env
+
+  configure_command = [
+    './configure',
+    "--prefix=#{prefix}",
+    '--disable-doc',
+    "--with-libgpg-error-prefix=#{prefix}",
+  ]
+
+  command configure_command.join(' '), env: env
  
  make "-j #{workers}", env: env
  make 'install', env: env

--- a/gitlab-ci-config/check-packages.yml
+++ b/gitlab-ci-config/check-packages.yml
@@ -123,6 +123,7 @@ Ubuntu-20.04-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  
 # yum based
 CentOS-7-check:
@@ -159,6 +160,7 @@ AlmaLinux-8-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
 AlmaLinux-9-fips-check:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_9_fips:latest"
  extends: .yum-install
@@ -166,6 +168,7 @@ AlmaLinux-9-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
 AmazonLinux-2-fips-check:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:latest"
  extends: .yum-install
@@ -173,6 +176,7 @@ AmazonLinux-2-fips-check:
    - if: '$PIPELINE_TYPE == "EE_CHECK_PACKAGE_AVAILABILITY_PIPELINE"'
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
  
 # zypper based
 OpenSUSE-15.5-check:

--- a/gitlab-ci-config/dev-gitlab-org.yml
+++ b/gitlab-ci-config/dev-gitlab-org.yml
@@ -73,6 +73,7 @@
  extends: .branch_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  rules:
    - !reference [.default_rules, rules]
    - if: '$PIPELINE_TYPE == "EE_NIGHTLY_BUILD_PIPELINE"'
@@ -141,6 +142,7 @@
  extends: .tag_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
  rules:
    - !reference [.default_rules, rules]
    - if: '$PIPELINE_TYPE =~ /^EE_(RC|TAG)_BUILD_PIPELINE$/'
@@ -182,6 +184,7 @@
  extends: .staging_upload_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
    INCLUDE_PACKAGECLOUD: "true"
  rules:
    - !reference [.default_rules, rules]
@@ -219,6 +222,7 @@
  extends: .production_release_template
  variables:
    USE_SYSTEM_SSL: "true"
+    USE_SYSTEM_LIBGCRYPT: "true"
    INCLUDE_PACKAGECLOUD: "true"
  rules:
    - !reference [.default_rules, rules]
@@ -383,6 +387,8 @@ SLES-15.2-branch:
 AmazonLinux-2-fips-branch:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_branch_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips-branch:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_branch_template
@@ -637,6 +643,8 @@ SLES-15.2:
 AmazonLinux-2-fips:
  image: "${BUILDER_IMAGE_REGISTRY}/amazonlinux_2_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_tag_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips:
  image: "${BUILDER_IMAGE_REGISTRY}/almalinux_8_fips:${BUILDER_IMAGE_REVISION}"
  extends: .fips_tag_template
@@ -829,6 +837,8 @@ SLES-15.2-staging:
    - if: '$PIPELINE_TYPE =~ /^EE_(RC|TAG)_BUILD_PIPELINE$/'
 AmazonLinux-2-fips-staging:
  extends: .fips_staging_upload_template
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
  needs:
    - job: AmazonLinux-2-fips
      optional: true
@@ -971,6 +981,8 @@ AmazonLinux-2-fips-release:
  extends: .fips_release_template
  needs:
    - AmazonLinux-2-fips
+  variables:
+    USE_SYSTEM_LIBGCRYPT: "false" # AL2 libgcrypt is not compatible with Omnibus gpgme/gnupg
 AlmaLinux-8-fips-release:
  extends: .fips_release_template
  needs:

--- a/gitlab-ci-config/variables.yml
+++ b/gitlab-ci-config/variables.yml
@@ -8,7 +8,7 @@ variables:
  # To be used for images that exist only on dev.gitlab.org
  DEV_BUILDER_IMAGE_REGISTRY: 'dev.gitlab.org:5005/cookbooks/gitlab-omnibus-builder'
  PUBLIC_BUILDER_IMAGE_REGISTRY: "registry.gitlab.com/gitlab-org/gitlab-omnibus-builder"
-  BUILDER_IMAGE_REVISION: "5.21.0"
+  BUILDER_IMAGE_REVISION: "5.22.0"
  # The registry to pull the assets image from
  ASSET_REGISTRY: "${CI_REGISTRY}"
  ASSET_SYNC_EXISTING_REMOTE_FILES: "keep"

--- a/lib/gitlab/build/check.rb
+++ b/lib/gitlab/build/check.rb
@@ -23,21 +23,27 @@ module Build
        is_ee? || is_jh?
      end
  
+      def boringcrypto_supported?
+        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
+      end
+
      def fips?
        # TODO: Add code to automatically set to true on FIPS supported OSs
        false
      end
  
-      def boringcrypto_supported?
-        system({ 'GOEXPERIMENT' => 'boringcrypto' }, *%w(go version))
-      end
-
      def use_system_ssl?
-        # Once we implement the above TODO, we can get rid of this variable and
+        # Once we implement the `fips?` TODO, we can get rid of this variable and
        # gate on `fips?` alone.
        Gitlab::Util.get_env('USE_SYSTEM_SSL') == 'true' || fips?
      end
  
+      def use_system_libgcrypt?
+        # Once we implement the `fips?` TODO, we can get rid of this variable and
+        # gate on `fips?` alone.
+        Gitlab::Util.get_env('USE_SYSTEM_LIBGCRYPT') == 'true' || fips?
+      end
+
      def match_tag?(tag)
        system(*%W[git describe --exact-match --match #{tag}])
      end