fix: use sha256 for RPM digest

[powersj]

The md5 algorithm is known to be unsafe and FIPS enabled systems do not
allow its use for file manifests. The fpm tool used to produce rpm
and deb packages uses md5 by default. This updates the algorithm to
sha256.

Resolves: #10270

[telegraf-tiger]

☺️ This pull request doesn't significantly change the Telegraf binary size (less than 1%)

📦 Looks like new artifacts were built from this PR.

Expand this list to get them here ! 🐯

Artifact URLs

DEB	RPM	TAR GZ	ZIP
amd64.deb	aarch64.rpm	darwin_amd64.tar.gz	windows_amd64.zip
arm64.deb	armel.rpm	freebsd_amd64.tar.gz	windows_i386.zip
armel.deb	armv6hl.rpm	freebsd_armv7.tar.gz
armhf.deb	i386.rpm	freebsd_i386.tar.gz
i386.deb	ppc64le.rpm	linux_amd64.tar.gz
mips.deb	s390x.rpm	linux_arm64.tar.gz
mipsel.deb	x86_64.rpm	linux_armel.tar.gz
ppc64el.deb		linux_armhf.tar.gz
s390x.deb		linux_i386.tar.gz
		linux_mips.tar.gz
		linux_mipsel.tar.gz
		linux_ppc64le.tar.gz
		linux_s390x.tar.gz
		static_linux_amd64.tar.gz

[reimda]

I'm concerned about compatibility with this change. We have people using old versions of RHEL for example, like 6 and 7. Are they compatible with --rpm-digest sha256?

[powersj]

I'm concerned about compatibility with this change. We have people using old versions of RHEL for example, like 6 and 7. Are they compatible with --rpm-digest sha256?

I went with sha256 instead of sha512 due to a similar concern. As far as RHEL/CentOS support:

• CentOS 6 is dead. The last maintenance update was last year.
• CentOS 7 and 8 are the targets to support and this works in both cases:

CentOS 8

[root@c8 ~]# wget https://137903-33258973-gh.circle-artifacts.com/0/build/dist/telegraf-1.21.0%7E6b28967c-0.x86_64.rpm
--2021-12-14 19:35:16--  https://137903-33258973-gh.circle-artifacts.com/0/build/dist/telegraf-1.21.0%7E6b28967c-0.x86_64.rpm
Resolving 137903-33258973-gh.circle-artifacts.com (137903-33258973-gh.circle-artifacts.com)... 3.221.73.142, 34.200.66.71, 54.86.190.169
Connecting to 137903-33258973-gh.circle-artifacts.com (137903-33258973-gh.circle-artifacts.com)|3.221.73.142|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://circle-production-customer-artifacts.s3.amazonaws.com/picard/forks/551c46bdf7d070509d9a8e21/382166127/61b8e8c4bfc44d17532b20c9-0-build/artifacts/build/dist/telegraf-1.21.0~6b28967c-0.x86_64.rpm?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20211214T193517Z&X-Amz-SignedHeaders=host&X-Amz-Expires=60&X-Amz-Credential=AKIAJR3Q6CR467H7Z55A%2F20211214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=85a98b75a304295ae367469a8324ad9fa2c895f6397ff91e19676110e4cf05c9 [following]
--2021-12-14 19:35:17--  https://circle-production-customer-artifacts.s3.amazonaws.com/picard/forks/551c46bdf7d070509d9a8e21/382166127/61b8e8c4bfc44d17532b20c9-0-build/artifacts/build/dist/telegraf-1.21.0~6b28967c-0.x86_64.rpm?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20211214T193517Z&X-Amz-SignedHeaders=host&X-Amz-Expires=60&X-Amz-Credential=AKIAJR3Q6CR467H7Z55A%2F20211214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=85a98b75a304295ae367469a8324ad9fa2c895f6397ff91e19676110e4cf05c9
Resolving circle-production-customer-artifacts.s3.amazonaws.com (circle-production-customer-artifacts.s3.amazonaws.com)... 52.216.101.251
Connecting to circle-production-customer-artifacts.s3.amazonaws.com (circle-production-customer-artifacts.s3.amazonaws.com)|52.216.101.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35433216 (34M) [application/x-redhat-package-manager]
Saving to: ‘telegraf-1.21.0~6b28967c-0.x86_64.rpm’

telegraf-1.21.0~6b28967c-0.x86_64.rp 100%[=====================================================================>]  33.79M  4.71MB/s    in 15s     

2021-12-14 19:35:32 (2.30 MB/s) - ‘telegraf-1.21.0~6b28967c-0.x86_64.rpm’ saved [35433216/35433216]

[root@c8 ~]# cat /etc/os-release  | grep PRETTY
PRETTY_NAME="CentOS Linux 8"
[root@c8 ~]# rpm -ivh telegraf-1.21.0~6b28967c-0.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:telegraf-1.21.0-0                ################################# [100%]
Created symlink /etc/systemd/system/multi-user.target.wants/telegraf.service → /usr/lib/systemd/system/telegraf.service.

CentOS 7

[root@c7 ~]# wget https://137903-33258973-gh.circle-artifacts.com/0/build/dist/telegraf-1.21.0%7E6b28967c-0.x86_64.rpm
--2021-12-14 19:32:05--  https://137903-33258973-gh.circle-artifacts.com/0/build/dist/telegraf-1.21.0%7E6b28967c-0.x86_64.rpm
Resolving 137903-33258973-gh.circle-artifacts.com (137903-33258973-gh.circle-artifacts.com)... 34.200.66.71, 3.221.73.142, 54.86.190.169
Connecting to 137903-33258973-gh.circle-artifacts.com (137903-33258973-gh.circle-artifacts.com)|34.200.66.71|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://circle-production-customer-artifacts.s3.amazonaws.com/picard/forks/551c46bdf7d070509d9a8e21/382166127/61b8e8c4bfc44d17532b20c9-0-build/artifacts/build/dist/telegraf-1.21.0~6b28967c-0.x86_64.rpm?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20211214T193205Z&X-Amz-SignedHeaders=host&X-Amz-Expires=60&X-Amz-Credential=AKIAJR3Q6CR467H7Z55A%2F20211214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4b95e64b1337be0125ad218151377c21c3a070acfae76c5a4fd63d2f35d83b94 [following]
--2021-12-14 19:32:05--  https://circle-production-customer-artifacts.s3.amazonaws.com/picard/forks/551c46bdf7d070509d9a8e21/382166127/61b8e8c4bfc44d17532b20c9-0-build/artifacts/build/dist/telegraf-1.21.0~6b28967c-0.x86_64.rpm?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20211214T193205Z&X-Amz-SignedHeaders=host&X-Amz-Expires=60&X-Amz-Credential=AKIAJR3Q6CR467H7Z55A%2F20211214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=4b95e64b1337be0125ad218151377c21c3a070acfae76c5a4fd63d2f35d83b94
Resolving circle-production-customer-artifacts.s3.amazonaws.com (circle-production-customer-artifacts.s3.amazonaws.com)... 52.217.90.116
Connecting to circle-production-customer-artifacts.s3.amazonaws.com (circle-production-customer-artifacts.s3.amazonaws.com)|52.217.90.116|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 35433216 (34M) [application/x-redhat-package-manager]
Saving to: 'telegraf-1.21.0~6b28967c-0.x86_64.rpm'

100%[=========================================================================================================>] 35,433,216  3.43MB/s   in 11s    

2021-12-14 19:32:16 (3.12 MB/s) - 'telegraf-1.21.0~6b28967c-0.x86_64.rpm' saved [35433216/35433216]

[root@c7 ~]# cat /etc/os-release  | grep PRETTY
PRETTY_NAME="CentOS Linux 7 (Core)"
[root@c7 ~]# rpm -ivh telegraf-1.21.0~6b28967c-0.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:telegraf-1.21.0-0                ################################# [100%]
Failed to get D-Bus connection: No such file or directory
Failed to get D-Bus connection: No such file or directory
Failed to get D-Bus connection: No such file or directory
Failed to get D-Bus connection: No such file or directory

The D-BUS messages happen with our released RPM as well and I believe because I'm running this in a LXD.

[reimda]

Sounds good, thanks for the info. The supported platforms doc does show that RHEL 7 is currently the oldest supported version. https://github.com/influxdata/telegraf/blob/master/docs/SUPPORTED_PLATFORMS.md#rhel