Logic for checksums on a file with http(s) source can attempt to use MD5 on a FIPS system #9375
Comments
Migrated issue to PUP-12047

Puppet needs some mechanism to determine if the file content on disk matches the desired state on the http server. If the server only provides an MD5 checksum, then what should a FIPS agent do?

It already defaults to using Adding some logic to

Ah gotcha. I was confused by your earlier comment "if the only option is an MD5 header" But you're saying the problem is puppet prefers

Fixed in #9405
Describe the Bug
The behavior as described in lib/puppet/type/file/source.rb selects a checksum method based on available headers, and does not have any provisions to use an alternative checksum if the only option is an MD5 header. On a FIPS system, this results in the error from lib/puppet/type/file/checksum.rb that MD5 is not supported in FIPS mode and the catalog application fails. This is of course heavily dependent on the source, meaning that all http(s) source files must define checksum as mtime to ensure consistent behavior.

Expected Behavior
A file with an http(s) source on a FIPS-enabled system would successfully download without manual intervention, regardless of checksum headers provided by the source.

Steps to Reproduce
Steps to reproduce the behavior:
On a FIPS-enabled system, include a file resource with an http source defined that provides an MD5 checksum header (e.g. a github release link), without defining checksum. The example with which I encountered this was the voxpupuli/webhook-go release downloaded by the r10k::webhook class from module puppet/r10k:
Applying the above on a FIPS-enabled system should result in the following:
Swapping in my fork of the module which sets the checksum to mtime results in a successful apply.

Environment
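The selection behaviour the report asks for, as an added Ruby illustration that is not Puppet's own source.rb logic nor the fix merged in #9405: pick a checksum type from whatever checksum headers the http(s) source returns, skip MD5 when the agent runs in FIPS mode instead of failing inside the digest call, and fall back to mtime (compared against Last-Modified) when no acceptable digest header is present. The `X-Checksum-<alg>` header names, the `fips_mode:` flag, the preference order and the sample header hashes are all assumptions constructed for this example.

```ruby
# Added example, not code from Puppet or from the fix in #9405: choose a
# checksum type for an http(s) file source from the checksum headers the server
# sends, never selecting MD5 in FIPS mode, falling back to mtime otherwise.
require 'digest'
require 'digest/md5'
require 'digest/sha1'
require 'digest/sha2'

# Preference order when the server offers several digests (assumption).
PREFERRED = %w[sha512 sha384 sha256 sha1 md5].freeze

# Digests a FIPS agent must not use; the issue shows MD5 failing in FIPS mode.
FIPS_DISALLOWED = %w[md5].freeze

# Header naming assumed for this example: X-Checksum-<alg> (case-insensitive).
HEADER_PREFIX = 'x-checksum-'

# Returns [type, expected]: type is a digest name or 'mtime'; expected is the
# value to compare against (a hex digest, or the Last-Modified header value,
# which is nil when the server sent neither).
def select_checksum(headers, fips_mode:)
  present = headers.to_h { |k, v| [k.to_s.downcase, v] }
  PREFERRED.each do |alg|
    value = present[HEADER_PREFIX + alg]
    next if value.nil?
    # Skip the header here rather than raising later inside Digest::MD5.
    next if fips_mode && FIPS_DISALLOWED.include?(alg)
    return [alg, value.strip.downcase]
  end
  ['mtime', present['last-modified']]
end

# Compares a local file's bytes (or its mtime string) against the selection.
# A nil expectation means the agent has nothing to compare, so it reports a
# mismatch and the file is fetched again. Last-Modified and the local mtime are
# compared as strings here; a real implementation would parse both as times.
def content_matches?(local_bytes, local_mtime, selection)
  type, expected = selection
  return false if expected.nil?
  if type == 'mtime'
    local_mtime == expected
  else
    Digest.const_get(type.upcase).hexdigest(local_bytes) == expected
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a server that only advertises MD5 (the issue's case).
  md5_only = { 'X-Checksum-Md5' => Digest::MD5.hexdigest('payload'),
               'Last-Modified' => 'Tue, 02 Jan 2024 10:00:00 GMT' }
  p select_checksum(md5_only, fips_mode: false) # non-FIPS agent uses md5
  p select_checksum(md5_only, fips_mode: true)  # FIPS agent falls back to mtime
end
```

The point of the `next if fips_mode && ...` line is that the unsupported algorithm is rejected while choosing, when a fallback is still available, instead of during verification, where the only outcome is a failed catalog run.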