
Disable checksums when FIPS enabled [run-all-rspec]

Allison Browne requested to merge ab-disable-md5-fips into master

What does this MR do and why?

We currently use an md5 hash to verify integrity.

Disable md5 hash generation and storage.

https://gitlab.com/gitlab-org/gitlab/-/issues/361258

How to set up and validate locally

1. Set up FIPS VM and Enable FIPS mode: https://docs.gitlab.com/ee/development/fips_compliance.html#enable-fips-mode (not able to run fully)

  1. Have `Gitlab::FIPS.enabled?` return true locally
  2. Set up and run any CI/CD job which will generate artifacts for logs.
  3. Log into postgres shell: `psql -h /Users/allisonbrowne/gitlab/gdk/postgresql -d gitlabhq_development_ci -p 5432` (your location of gdk will vary)
  4. Ensure md5 hash was not stored: `gitlabhq_development_ci=# select checksum, remote_checksum from ci_build_trace_metadata ORDER BY archived_at limit 10;`

Validate in CI

Testing merge requests with a FIPS pipeline

Merge requests that can trigger Package and QA can trigger a FIPS package and a Reference Architecture test pipeline. The base image used for the trigger is Ubuntu 20.04 FIPS:

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Allison Browne
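
The behaviour described in this merge request, sketched as an added example that is not GitLab's code or part of the original description: the MD5 digest is generated and stored only when FIPS mode is off, and the verifying side has to treat a missing checksum as "not checked". `FipsMode`, `TraceMetadata`, `archive_trace`, `verify_trace` and `demo` are hypothetical names; `FipsMode.enabled?` stands in for `Gitlab::FIPS.enabled?`, and the struct fields mirror the `checksum` and `remote_checksum` columns queried above.

```ruby
require 'digest'
require 'stringio'

# Hypothetical stand-in for the Gitlab::FIPS.enabled? check named in the MR.
module FipsMode
  class << self
    attr_writer :enabled

    def enabled?
      @enabled == true
    end
  end
end

# Hypothetical record mirroring the checksum / remote_checksum columns.
TraceMetadata = Struct.new(:checksum, :remote_checksum)

# Streams the trace to the "remote" store chunk by chunk.
# The MD5 digest object is only created when FIPS mode is off.
def archive_trace(io, remote, chunk_size: 4)
  digest = FipsMode.enabled? ? nil : Digest::MD5.new
  while (chunk = io.read(chunk_size))
    digest&.update(chunk)
    remote << chunk
  end
  TraceMetadata.new(digest&.hexdigest, nil)
end

# Compares the stored checksum with one computed over the remote copy.
# Returns :skipped when there is nothing to compare (FIPS mode).
def verify_trace(metadata, remote)
  return :skipped if FipsMode.enabled? || metadata.checksum.nil?

  metadata.remote_checksum = Digest::MD5.hexdigest(remote)
  metadata.remote_checksum == metadata.checksum ? :valid : :invalid
end

# Runs one archive + verify round over a constructed job log.
def demo(fips:, tamper: false)
  FipsMode.enabled = fips
  remote = +''
  meta = archive_trace(StringIO.new("constructed job log\n"), remote)
  remote << 'x' if tamper # constructed corruption of the remote copy
  result = verify_trace(meta, remote)
  [meta.checksum, meta.remote_checksum, result]
end
```

In this sketch, with FIPS mode on both fields stay `nil` and verification reports `:skipped`, so a corrupted remote copy is not caught by this check.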
