FIPS packages: Use system libgcrypt

Clemens Beckrequested to merge
8794-libgcrypt-gnupg-fips into master

What does this MR do?

FIPS packages should use the system libgcrypt. The only Omnibus component using requiring libgcrypt is gnupg.

System library comparability

libgrcypt

All FIPS Omnibus packages now use the system libgcrypt to build gnupg. The minimum libgcrypt version to build gnupg is defined at https://github.com/gpg/gnupg/blob/gnupg-2.2.41/configure.ac#L60.

libgpg-error

The libgcrypt package depends on libgpg-error.

Omnibus does continue to not use the system libgpg-error library and keeps using a bundled libgpg-error in all package variants. This is done because system package of some OSes is to old to compile current versions of gnupg.

AmazonLinux 2 FIPS

AmazonLinux2 FIPS packages will keep using the bundled libgcrypt instead of the system libgcrypt because of compatibility reasons.

This will be documented in gitlab!174666 (merged).

Change in runtime dependencies

  • rpm FIPS package now declare libgcrypt as a dependency.
  • apt FIPS packages now declare libgcrypt20 as a dependency.

Related issues

Closes https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8794

Checklist

See Definition of done.

For anything in this list which will not be completed, please provide a reason in the MR discussion.

Required

  • MR title and description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch.
  • Latest Merge Result pipeline is green.
  • When ready for review, MR is labeled workflowready for review per the Distribution MR workflow.

For GitLab team members

If you don't have access to this, the reviewer should trigger these jobs for you during the review process.

  • The manual Trigger:ee-package jobs have a green pipeline running against latest commit.
  • If config/software or config/patches directories are changed, make sure the build-package-on-all-os job within the Trigger:ee-package downstream pipeline succeeded.
  • If you are changing anything SSL related, then the Trigger:package:fips manual job within the Trigger:ee-package downstream pipeline must succeed.
  • If CI configuration is changed, the branch must be pushed to dev.gitlab.org to confirm regular branch builds aren't broken.

Expected (please provide an explanation if not completing)

  • Test plan indicating conditions for success has been posted and passes.
  • Documentation created/updated. gitlab!174666 (merged)
  • Tests added.
  • Integration tests added to GitLab QA.
  • Equivalent MR/issue for the GitLab Chart opened.
  • Validate potential values for new configuration settings. Formats such as integer 10, duration 10s, URI scheme://user:passwd@host:port may require quotation or other special handling when rendered in a template and written to a configuration file.

Test Plan

Install an FIPS package and confirm gnupg is linked against the system libgrcypt:

$ ldd /opt/gitlab/embedded/bin/gpg | grep libgcrypt
TBD
$ /opt/gitlab/embedded/bin/gpg --version | head -n1
gpg (GnuPG) 2.2.41

Compared to a non-FIPS package:

$ ldd /opt/gitlab/embedded/bin/gpg | grep libg
	libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x00007f3fed6c7000)
	libgpg-error.so.0 => /opt/gitlab/embedded/lib/libgpg-error.so.0 (0x00007f3fed686000)
$ /opt/gitlab/embedded/bin/gpg --version | head -n1
gpg (GnuPG) 2.2.41
Edited by Clemens Beck

Merge request reports