OpenSearch RPM distro SHA256 signatures

A problem I am battling with the Elastic repo’s are that they seem to not sign their RPM artifacts in their yum repos with SHA256 signatures. This causes problems on RHEL/Centos 8 machines that are in FIPS mode. The FIPS mode is required for compliance reasons. I realize this is a logstash bug, but I think there are similar issues with the other products in their yum repos (Sign Logstash RPM w/ SHA256 header for FIPS-enabled Operating Systems · Issue #12597 · elastic/logstash · GitHub). I am hoping that since OpenSearch is a more modern approach, that the packages will be signed with (kind of?) modern signature like SHA256. Does anyone associated with the RPM build planned for 1.0 GA have any insight on if that will be shipped with the RPM/yum repos at 1.0GA? Thanks in advance!

@justme Interesting! I’ll be honest, I’m not sure what the plans are for this particular aspect of distribution, but it sounds like something that should be covered. I would post an issue on GitHub - opensearch-project/opensearch-build to make sure this is covered.

1 Like