feat(fips): add fips compliant packages (#190)
feat(fips): add fips compliant packages
sairaj18 authored Dec 17, 2024
1 parent 7601cb8 commit 8ff8fb5
Showing 13 changed files with 206 additions and 38 deletions.
1 change: 1 addition & 0 deletions .github/workflows/on_prerelease.yaml
Expand Up @@ -13,4 +13,5 @@ jobs:
with:
tag: ${{ github.event.release.tag_name }}
integration: "mssql"
upload_fips_packages: true
secrets: inherit
1 change: 1 addition & 0 deletions .github/workflows/on_release.yaml
Expand Up @@ -13,4 +13,5 @@ jobs:
with:
integration: mssql
tag: ${{ github.event.release.tag_name }}
upload_fips_packages: true
secrets: inherit
6 changes: 6 additions & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,12 @@ Unreleased section should follow [Release Toolkit](https://github.com/newrelic/r

## v2.14.1 - 2024-12-17

### dependency
- Update goreleaser to v2.4.4

### enhancements
- Add FIPS compliant packages and archives

### dependency
- Updated golang.org/x/crypto to v0.31.0
- Updated golang.org/x/text to v0.21.0
2 changes: 2 additions & 0 deletions Makefile
Expand Up @@ -3,6 +3,8 @@ INTEGRATION := mssql
BINARY_NAME = nri-$(INTEGRATION)
GO_FILES := ./src/
GOFLAGS = -mod=readonly
GO_VERSION ?= $(shell grep '^go ' go.mod | awk '{print $$2}')
BUILDER_IMAGE ?= "ghcr.io/newrelic/coreint-automation:latest-go$(GO_VERSION)-ubuntu16.04"

all: build

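Review bot: `GO_VERSION ?= $(shell grep '^go ' go.mod | awk '{print $$2}')` is a recursively expanded assignment, so the grep/awk pipeline is re-run every time `GO_VERSION` or `BUILDER_IMAGE` is expanded, which includes every recipe that names the builder image. If the intent is only to allow a command-line override, keep the default simply expanded: `ifeq ($(origin GO_VERSION),undefined)` / `GO_VERSION := $(shell grep '^go ' go.mod | awk '{print $$2}')` / `endif`. The double quotes in the `BUILDER_IMAGE` value are part of the variable; that is harmless while the value is only ever handed to a shell, but any Make-level comparison or `$(info)` will see them, so drop them unless something needs them. The rest of the Makefile is outside this hunk, so I cannot tell whether `GO_VERSION` is referenced elsewhere.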
89 changes: 85 additions & 4 deletions build/.goreleaser.yml
@@ -1,3 +1,6 @@
---
version: 2
project_name: nri-mssql
builds:
- id: nri-nix
main: ./src
Expand All @@ -17,6 +20,25 @@ builds:
ignore:
- goos: darwin
goarch: 386
- id: nri-nix-fips
main: ./src
binary: nri-mssql
ldflags:
- -s -w -X main.integrationVersion={{.Version}} -X main.gitCommit={{.Commit}} -X main.buildDate={{.Date}}
env:
- CGO_ENABLED=1
- GOEXPERIMENT=boringcrypto
- >-
{{- if eq .Arch "arm64" -}}
CC=aarch64-linux-gnu-gcc
{{- end }}
goos:
- linux
goarch:
- amd64
- arm64
tags:
- fips

- id: nri-win
main: ./src
Expand All @@ -35,7 +57,8 @@ builds:

nfpms:
- id: linux
file_name_template: "{{ .ProjectName }}_{{ .Version }}-1_{{ .Arch }}"
package_name: nri-mssql
file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}"
vendor: "New Relic, Inc."
homepage: "https://www.newrelic.com/infrastructure"
maintainer: "New Relic Infrastructure Team <[email protected]>"
Expand Down Expand Up @@ -65,9 +88,57 @@ nfpms:

overrides:
rpm:
file_name_template: "{{ .ProjectName }}-{{ .Version }}-1.{{ .Arch }}"
replacements:
amd64: x86_64
file_name_template: >-
{{- .ProjectName }}-
{{- .Version }}-1.
{{- if eq .Arch "amd64" -}}x86_64
{{- else -}}
{{ .Arch }}
{{- end }}
# Formats to be generated.
formats:
- deb
- rpm
- id: linux-fips
package_name: nri-mssql-fips
file_name_template: "{{ .PackageName }}_{{ .Version }}-1_{{ .Arch }}"
vendor: "New Relic, Inc."
homepage: "https://www.newrelic.com/infrastructure"
maintainer: "New Relic Infrastructure Team <[email protected]>"
description: "New Relic Infrastructure mssql Integration extend the core New Relic\nInfrastructure agent's capabilities to allow you to collect metric and\nlive state data from mssql components."
license: "https://newrelic.com/terms (also see LICENSE installed with this package)"

builds:
- nri-nix-fips

dependencies:
- newrelic-infra (>= 1.20.0)

bindir: "/var/db/newrelic-infra/newrelic-integrations/bin"

contents:
- src: "mssql-config.yml.sample"
dst: "/etc/newrelic-infra/integrations.d/mssql-config.yml.sample"
- src: "CHANGELOG.md"
dst: "/usr/share/doc/nri-mssql/CHANGELOG.md"
- src: "README.md"
dst: "/usr/share/doc/nri-mssql/README.md"
- src: "LICENSE"
dst: "/usr/share/doc/nri-mssql/LICENSE"
- src: "legacy/mssql-definition.yml"
dst: "/var/db/newrelic-infra/newrelic-integrations/mssql-definition.yml"
type: config

overrides:
rpm:
file_name_template: >-
{{- .ProjectName }}-fips-
{{- .Version }}-1.
{{- if eq .Arch "amd64" -}}x86_64
{{- else -}}
{{ .Arch }}
{{- end }}
# Formats to be generated.
formats:
Expand All @@ -85,6 +156,16 @@ archives:
dst: .
strip_parent: true
format: tar.gz
- id: nri-nix-fips
builds:
- nri-nix-fips
name_template: "{{ .ProjectName }}-fips_{{ .Os }}_{{ .Version }}_{{ .Arch }}_dirty"
files:
- mssql-config.yml.sample
- src: 'legacy/mssql-definition.yml'
dst: .
strip_parent: true
format: tar.gz

- id: nri-win
builds:
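Review bot: The new `linux-fips` nfpm package installs the same `nri-mssql` binary name (from build `nri-nix-fips`) into the same `bindir` and the same config/doc paths that the `linux` package presumably uses, yet declares neither `conflicts` nor `replaces`, so dpkg/rpm will refuse or mis-handle a host that has the non-FIPS package installed when the FIPS one is applied; add `conflicts:` / `replaces:` entries naming `nri-mssql` under the `linux-fips` package (and the reverse on `linux` if both are meant to be mutually exclusive). The `nri-nix-fips` archive `name_template` ends in a literal `_dirty`, which looks like a leftover from a snapshot build rather than an intended suffix; the non-FIPS archive template is collapsed here, but unless it carries the same suffix this should be dropped. Since the only thing distinguishing the FIPS artifacts is `GOEXPERIMENT=boringcrypto` plus the `fips` tag, a post-build hook that checks the produced binary for BoringCrypto symbols would turn a silently non-FIPS build into a failed release rather than a shipped one. The `linux` package's own `contents` and the archive section's start are outside the shown hunks.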
18 changes: 0 additions & 18 deletions build/Dockerfile

This file was deleted.

17 changes: 9 additions & 8 deletions build/ci.mk
@@ -1,8 +1,9 @@
BUILDER_TAG ?= nri-$(INTEGRATION)-builder
.PHONY : ci/pull-builder-image
ci/pull-builder-image:
@docker pull $(BUILDER_IMAGE)

.PHONY : ci/deps
ci/deps:
@docker build -t $(BUILDER_TAG) -f $(CURDIR)/build/Dockerfile $(CURDIR)
ci/deps: ci/pull-builder-image

.PHONY : ci/debug-container
ci/debug-container: ci/deps
Expand All @@ -17,15 +18,15 @@ ci/debug-container: ci/deps
-e GPG_MAIL \
-e GPG_PASSPHRASE \
-e GPG_PRIVATE_KEY_BASE64 \
$(BUILDER_TAG) bash
$(BUILDER_IMAGE) bash

.PHONY : ci/test
ci/test: ci/deps
@docker run --rm -t \
--name "nri-$(INTEGRATION)-test" \
-v $(CURDIR):/go/src/github.com/newrelic/nri-$(INTEGRATION) \
-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
$(BUILDER_TAG) make test
$(BUILDER_IMAGE) make test

.PHONY : ci/snyk-test
ci/snyk-test:
Expand All @@ -46,7 +47,7 @@ ifdef TAG
-w /go/src/github.com/newrelic/nri-$(INTEGRATION) \
-e INTEGRATION \
-e TAG \
$(BUILDER_TAG) make release/build
$(BUILDER_IMAGE) make release/build
else
@echo "===> $(INTEGRATION) === [ci/build] TAG env variable expected to be set"
exit 1
Expand All @@ -67,7 +68,7 @@ ifdef TAG
-e GPG_MAIL \
-e GPG_PASSPHRASE \
-e GPG_PRIVATE_KEY_BASE64 \
$(BUILDER_TAG) make release
$(BUILDER_IMAGE) make release
else
@echo "===> $(INTEGRATION) === [ci/prerelease] TAG env variable expected to be set"
exit 1
Expand All @@ -90,7 +91,7 @@ ifdef TAG
-e GPG_MAIL \
-e GPG_PASSPHRASE \
-e GPG_PRIVATE_KEY_BASE64 \
$(BUILDER_TAG) make release
$(BUILDER_IMAGE) make release
else
@echo "===> $(INTEGRATION) === [ci/fake-prerelease] TAG env variable expected to be set"
exit 1
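Review bot: `BUILDER_TAG` on the first line of the file appears to be left without a use now that every `$(BUILDER_TAG)` reference in the shown hunks is replaced by `$(BUILDER_IMAGE)`; if no use survives in the collapsed parts, drop the definition so readers do not assume a local image is still built. `ci/pull-builder-image` pulls a mutable `latest-…` tag on every `ci/deps`-dependent run, and the release recipes later hand `GPG_PRIVATE_KEY_BASE64` and `GPG_PASSPHRASE` to whatever that tag currently resolves to; pinning `BUILDER_IMAGE` by digest (`ghcr.io/newrelic/coreint-automation@sha256:<DIGEST>`) and bumping it deliberately keeps the signing environment reproducible and reviewable. A comment on the new target, `# Pulled, not built: build/Dockerfile was removed in favour of the shared coreint-automation image`, would make the change of provenance visible in the file itself. The `ci/build`, `ci/prerelease` and `ci/fake-prerelease` rules start outside their hunks.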
41 changes: 36 additions & 5 deletions build/nix/sign.sh
Expand Up @@ -7,14 +7,27 @@ set -e
#
#
#
# Function to start gpg-agent if not running
start_gpg_agent() {
if ! pgrep -x "gpg-agent" > /dev/null
then
echo "Starting gpg-agent..."
eval $(gpg-agent --daemon)
else
echo "gpg-agent is already running."
fi
}

# Ensure gpg-agent is running
start_gpg_agent

# Sign RPM's
echo "===> Create .rpmmacros to sign rpm's from Goreleaser"
echo "%_gpg_name ${GPG_MAIL}" >> ~/.rpmmacros
echo "%_signature gpg" >> ~/.rpmmacros
echo "%_gpg_path /root/.gnupg" >> ~/.rpmmacros
echo "%_gpgbin /usr/bin/gpg" >> ~/.rpmmacros
echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --batch --pinentry-mode loopback --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros
echo "%__gpg_sign_cmd %{__gpg} gpg --no-verbose --no-armor --passphrase ${GPG_PASSPHRASE} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}" >> ~/.rpmmacros

echo "===> Importing GPG private key from GHA secrets..."
printf %s ${GPG_PRIVATE_KEY_BASE64} | base64 -d | gpg --batch --import -
Expand All @@ -25,9 +38,11 @@ rpm --import /tmp/RPM-GPG-KEY-${GPG_MAIL}

cd dist

sles_regex="(.*sles12.*)"

find . -regex ".*\.\(rpm\)" | while read rpm_file; do
echo "===> Signing $rpm_file"
rpm --addsign "$rpm_file"
../build/nix/sign_rpm.exp $rpm_file ${GPG_PASSPHRASE}
echo "===> Sign verification $rpm_file"
rpm -v --checksig $rpm_file
done
Expand All @@ -36,12 +51,28 @@ done
GNUPGHOME="/root/.gnupg"
echo "${GPG_PASSPHRASE}" > "${GNUPGHOME}/gpg-passphrase"
echo "passphrase-file ${GNUPGHOME}/gpg-passphrase" >> "$GNUPGHOME/gpg.conf"
echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
# echo 'allow-loopback-pinentry' >> "${GNUPGHOME}/gpg-agent.conf"
# echo 'pinentry-mode loopback' >> "${GNUPGHOME}/gpg.conf"
echo 'use-agent' >> "${GNUPGHOME}/gpg.conf"
echo RELOADAGENT | gpg-connect-agent

find . -regex ".*\.\(deb\)" | while read deb_file; do
echo "===> Signing $deb_file"
debsigs --sign=origin --verify --check -v -k ${GPG_MAIL} $deb_file
# Run the sign_deb.exp script to sign the .deb file
../build/nix/sign_deb.exp $deb_file ${GPG_PASSPHRASE} ${GPG_MAIL}
echo "===> Sign verification $deb_file"
dpkg-sig --verify $deb_file
done

# Sign TARGZ files
for targz_file in $(find . -type f -name "*.tar.gz"); do
echo "===> Signing $targz_file"
../build/nix/sign_tar.exp $targz_file ${GPG_PASSPHRASE}
asc_file="${targz_file}.asc"
if [ -f "$asc_file" ]; then
echo "===> Sign verification $targz_file"
gpg --verify "$asc_file" "$targz_file"
else
echo "Error: Signature file $asc_file not found."
fi
done
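Review bot: The `else` branch at the end of the new tar.gz loop only echoes when `$asc_file` is missing, so under the script's `set -e` an archive that was never signed still lets the script exit 0; make it `echo "Error: Signature file $asc_file not found." >&2` followed by `exit 1`. The three `../build/nix/sign_*.exp` calls pass `${GPG_PASSPHRASE}` as a positional argument, which exposes it in the process table and in any shell trace of this script; the value is already present in the environment (the CI recipes pass `-e GPG_PASSPHRASE`), so the expect scripts can read `$env(GPG_PASSPHRASE)` and the argument can be dropped. `for targz_file in $(find …)` and the unquoted `$rpm_file`/`$deb_file` arguments word-split on paths containing spaces; the `while read` form used for rpm/deb, with the variables quoted, avoids that. `sles_regex` is assigned but nothing in the shown hunks reads it; if it is unused after this change, remove it. The file's earlier `set -e` and the end of the rpm section are outside these hunks.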
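--- a/build/nix/sign_deb.exp
+++ b/build/nix/sign_deb.exp
@@ -0,0 +1,19 @@
+#!/usr/bin/expect -f
+
+# Retrieve the arguments
+set deb_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+set GPG_MAIL [lindex $argv 2]; # Capture GPG_MAIL
+
+# Set an infinite timeout to allow for longer operations
+set timeout -1
+
+# Start the signing process using dpkg-sig
+spawn dpkg-sig --sign builder -k $GPG_MAIL $deb_file
+
+# Handle the passphrase prompt
+expect "Enter passphrase:"
+send -- "$GPG_PASSPHRASE\r"
+
+# Wait until the process completes
+expect eof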
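Review bot: The script ends at `expect eof` and therefore exits 0 however `dpkg-sig` finished, so a failed signature is only caught by the separate verification step in sign.sh; `sign_tar.exp` in this same commit already propagates the child status, so end the same way: `expect eof` / `catch wait result` / `exit [lindex $result 3]`. `build/nix/sign_rpm.exp` has the same gap. With `set timeout -1` and a single literal `expect "Enter passphrase:"`, a prompt that never appears (passphrase already cached by gpg-agent, a different gpg version or locale) blocks the CI job indefinitely instead of failing; the `expect { "…" { … exp_continue } eof { … } }` form from `sign_tar.exp` handles both cases. Reading the passphrase from `$env(GPG_PASSPHRASE)` instead of `[lindex $argv 1]` would keep it out of the process argument list, and the trailing `# Capture GPG_MAIL` comment restates the code and can go.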
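--- a/build/nix/sign_rpm.exp
+++ b/build/nix/sign_rpm.exp
@@ -0,0 +1,10 @@
+#!/usr/bin/expect -f
+
+set rpm_file [lindex $argv 0];
+set GPG_PASSPHRASE [lindex $argv 1];
+
+set timeout -1
+spawn rpmsign -v --addsign $rpm_file
+expect "Enter pass phrase:"
+send -- "${GPG_PASSPHRASE}\r"
+expect eof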
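--- a/build/nix/sign_tar.exp
+++ b/build/nix/sign_tar.exp
@@ -0,0 +1,23 @@
+#!/usr/bin/expect -f
+
+set timeout -1
+set targz_file [lindex $argv 0]
+set passphrase [lindex $argv 1]
+
+# Ensure the GPG_TTY is set correctly
+set env(GPG_TTY) [exec /bin/sh -c "tty"]
+
+# Debug output to verify the correct file is being processed
+puts "Expect script signing file: $targz_file"
+
+spawn gpg --sign --armor --detach-sig $targz_file
+expect {
+"Enter passphrase:" {
+send -- "$passphrase\r"
+exp_continue
+}
+eof {
+catch wait result
+exit [lindex $result 3]
+}
+}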
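Review bot: `set env(GPG_TTY) [exec /bin/sh -c "tty"]` raises a Tcl error whenever the script runs without a controlling terminal, because `tty` then prints `not a tty` and exits non-zero and `exec` treats a non-zero exit as an error, so the script aborts before `spawn`; the `ci/test` recipe shown uses `docker run -t`, but any caller without a tty (a later non-interactive job, a local run under a pipe) will hit this. Guard it: `if {[catch {exec /bin/sh -c "tty"} t] == 0} { set env(GPG_TTY) $t }`. The script reads the passphrase from argv, so it appears in the process table; `$env(GPG_PASSPHRASE)` is already available from the CI environment and would avoid that. A header comment stating that the passphrase prompt is answered by expect and that gpg's exit status is propagated through `wait` would help whoever next touches the three signing scripts, since this is the only one of them that does so.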
6 changes: 3 additions & 3 deletions build/release.mk
@@ -1,5 +1,5 @@
BUILD_DIR := ./bin/
GORELEASER_VERSION := v0.174.1
GORELEASER_VERSION := v2.4.4
GORELEASER_BIN ?= bin/goreleaser

bin:
Expand Down Expand Up @@ -27,10 +27,10 @@ release/deps: $(GORELEASER_BIN)
release/build: release/deps release/clean
ifeq ($(PRERELEASE), true)
@echo "===> $(INTEGRATION) === [release/build] PRE-RELEASE compiling all binaries, creating packages, archives"
@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --rm-dist
@$(GORELEASER_BIN) release --config $(CURDIR)/build/.goreleaser.yml --clean
else
@echo "===> $(INTEGRATION) === [release/build] build compiling all binaries"
@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --rm-dist
@$(GORELEASER_BIN) build --config $(CURDIR)/build/.goreleaser.yml --snapshot --clean
endif

.PHONY : release/fix-archive
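--- a/src/fips.go
+++ b/src/fips.go
@@ -0,0 +1,11 @@
+// Copyright 2024 New Relic Corporation. All rights reserved.
+// SPDX-License-Identifier: Apache-2.0
+
+//go:build fips
+// +build fips
+
+package main
+
+import (
+_ "crypto/tls/fipsonly"
+)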
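Review bot: The file imports `crypto/tls/fipsonly` with no comment on why, and that package is only present in a toolchain built with `GOEXPERIMENT=boringcrypto`, so a plain `go build -tags fips` on a stock toolchain fails to compile; add a comment above the import such as `// Restricts TLS to FIPS-approved settings. The package exists only under GOEXPERIMENT=boringcrypto, which the nri-nix-fips goreleaser build sets; build with -tags fips only through that configuration.` It is also worth stating in the same comment that the import constrains TLS configuration only, so that the file name is not read as making every crypto call in the binary FIPS-validated. The `// +build fips` line is the pre-Go-1.17 spelling and can stay for older tooling, but it should remain in sync with the `//go:build` line above it.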
