Disable checksums when FIPS enabled [run-all-rspec]
What does this MR do and why?
We currently use an md5 hash to verify integrity.
Disable md5 hash generation and storage.
https://gitlab.com/gitlab-org/gitlab/-/issues/361258
How to set up and validate locally
1. Setup FIPS VM and Enable FIPS mode: https://docs.gitlab.com/ee/development/fips_compliance.html#enable-fips-mode (not able to run fully)
   - Have Gitlab::FIPS.enabled? return true locally
   - Set up and run any CI/CD job which will generate artifacts for logs.
   - Log into postgres shell
     psql -h /Users/allisonbrowne/gitlab/gdk/postgresql -d gitlabhq_development_ci -p 5432
     (your location of gdk will vary)
   - Ensure md5 hash was not stored
     gitlabhq_development_ci=# select checksum, remote_checksum from ci_build_trace_metadata ORDER BY archived_at limit 10;
Validate in CI
Testing merge requests with a FIPS pipeline
Merge requests that can trigger Package and QA, can trigger a FIPS package and a Reference Architecture test pipeline. The base image used for the trigger is Ubuntu 20.04 FIPS:
- Trigger package-and-qa, if not already triggered.
- On the gitlab-omnibus-mirror child pipeline, manually trigger Trigger:package:fips.
- When the package job is complete, manually trigger the RAT:FIPS job.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
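
The behaviour this MR describes, as an added Ruby sketch that is not GitLab's code: MD5 generation is skipped when FIPS mode is on, so the `checksum` and `remote_checksum` columns stay empty and any later integrity check has to tolerate that. The function names, the `fips_enabled:` parameter (standing in for `Gitlab::FIPS.enabled?`), the meaning given to `remote_checksum`, and the sample traces are assumptions made for the example.

```ruby
require 'digest'
require 'stringio'

# Hypothetical sketch, not GitLab's implementation. Only the column names
# `checksum` and `remote_checksum` come from the MR's validation query.
CHUNK_SIZE = 16 * 1024

# Stream a trace through MD5 and return the hex digest.
# MD5 is not a FIPS-approved algorithm, so in FIPS mode hashing is skipped
# entirely and nil is returned (nothing to store).
def trace_md5(io, fips_enabled:)
  return nil if fips_enabled

  digest = Digest::MD5.new
  while (chunk = io.read(CHUNK_SIZE))
    digest << chunk
  end
  digest.hexdigest
end

# Build the metadata row written when a trace is archived.
# Assumption: `checksum` covers the local trace and `remote_checksum`
# covers the copy that ended up in storage.
def archive_metadata(local_io, remote_io, fips_enabled:)
  {
    checksum: trace_md5(local_io, fips_enabled: fips_enabled),
    remote_checksum: trace_md5(remote_io, fips_enabled: fips_enabled)
  }
end

# Integrity verdict for a stored row:
#   :skipped  no checksums recorded (row archived in FIPS mode)
#   :valid    both checksums present and equal
#   :invalid  anything else, including only one checksum present
def integrity_status(row)
  return :skipped if row[:checksum].nil? && row[:remote_checksum].nil?

  row[:checksum] == row[:remote_checksum] ? :valid : :invalid
end
```

A row that reports `:skipped` matches what the psql query above should show for traces archived with FIPS mode enabled: both columns NULL.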