Open nokute78 opened 3 years ago
v1.7.9 seems to be used by SHA512.
# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' td-agent-bit-1.7.9-1.x86_64.rpm
td-agent-bit-1.7.9-1 RSA/SHA512, Fri Jun 18 21:47:58 2021, Key ID 4ff8368b6ea0722a (none)
I also tested curl package as a reference.
# rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n' curl-7.61.1-18.el8.x86_64.rpm
curl-7.61.1-18.el8 RSA/SHA256, Wed Feb 3 21:10:51 2021, Key ID 05b555b38483c65d (none)
RHEL8 article: https://access.redhat.com/articles/3642912#disabled-in-the-fips-policy-in-addition-to-the-default-policy-5
Similar issue: https://github.com/aws/amazon-ssm-agent/issues/235
@justchris1 I just had this same issue today on a new install of RHEL 8. The fix per Red Hat was:
echo '%_pkgverify_level signature' > /etc/rpm/macros.verify
then
yum install td-agent-bit
Hopefully that fixes your issues.
My next problem is that it doesn't look like TD keeps the previous releases in their yum repo and I need to install td-agent-bit-1.7.9-1.x86_64.rpm because there was a breaking change for us going to the 1.8 release.
Thanks for the note. That workaround did work and I appreciate you noting it. However, there is no way I will be able to get that through cybersecurity as a deviation. TD needs to properly package and sign their code. Security and integrity of their distributions is really important! Also - thanks for the note on the lack of keeping even recent old versions around in their repos. I will have to come up with an approach for that too.
See the update on the Fluent Bit issue for a workaround to get older versions. Also linking this to the associated packaging one: https://github.com/fluent/fluent-bit/issues/3753
It is reported by https://github.com/fluent/fluent-bit/issues/3617
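Added example, not part of the thread or of any project's code: a small POSIX shell parser for the output lines of the `rpm -q --qf` query shown in the first post, which inventories the signature algorithm and key ID across a set of packages. The function names `parse_sig_line` and `summarize_sigs` and the unsigned sample package are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): parse the signature summary lines
# printed by the rpm query format used in the first post.

# parse_sig_line LINE
# Prints "package|pubkey_algo|hash_algo|key_id", or "package|unsigned||"
# when neither signature tag is present (rpm prints "(none)" for both).
parse_sig_line() {
    printf '%s\n' "$1" | awk '{
        algo = ""; keyid = ""
        for (i = 2; i <= NF; i++) {
            # First field shaped like "RSA/SHA512," is the algorithm pair.
            if (algo == "" && $i ~ /^[A-Za-z0-9]+\/[A-Za-z0-9]+,$/) algo = $i
            # The key ID is the field that follows the words "Key ID".
            if (keyid == "" && $i == "ID" && $(i - 1) == "Key" && i < NF)
                keyid = $(i + 1)
        }
        if (algo == "") { print $1 "|unsigned||"; next }
        sub(/,$/, "", algo); split(algo, a, "/")
        print $1 "|" a[1] "|" a[2] "|" keyid
    }'
}

# summarize_sigs: read query output on stdin, print "count algo/hash key id"
# per distinct signature profile, so odd-one-out packages are easy to spot.
summarize_sigs() {
    while IFS= read -r line; do
        if [ -n "$line" ]; then parse_sig_line "$line"; fi
    done | awk -F'|' '
        { k = ($2 == "unsigned") ? "unsigned" : $2 "/" $3 " key " $4; n[k]++ }
        END { for (k in n) print n[k], k }' | LC_ALL=C sort
}

# Constructed sample: the two output lines quoted in the thread plus one
# made-up unsigned package.
summarize_sigs <<'EOF'
td-agent-bit-1.7.9-1 RSA/SHA512, Fri Jun 18 21:47:58 2021, Key ID 4ff8368b6ea0722a (none)
curl-7.61.1-18.el8 RSA/SHA256, Wed Feb 3 21:10:51 2021, Key ID 05b555b38483c65d (none)
example-unsigned-1.0-1 (none) (none)
EOF
```

On a real host, pipe the output of the query from the first post into `summarize_sigs` instead of the here-document.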