grafana · mattdurham · Aug 14, 2023 · Aug 11, 2023 · Aug 14, 2023 · Aug 14, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -74,6 +74,8 @@ Main (unreleased)
 
 - Fix issue where corrupt WAL segments lead to crash looping. (@tpaschalis)
 
+- Sign RPMs with SHA256 for FIPs compatbility. (@mattdurham)
+
 v0.35.3 (2023-08-09)
 --------------------
 

diff --git a/packaging/grafana-agent-flow/rpm/gpg-sign.sh b/packaging/grafana-agent-flow/rpm/gpg-sign.sh
@@ -18,7 +18,8 @@ echo "%_gpg_name Grafana Labs <[email protected]>
 %_gpg_path /root/.gnupg
 %_gpgbin /usr/bin/gpg
 %_gpg_digest_algo sha256
-%_binary_filedigest_algorithm 8
+%_binary_filedigest_algorithm sha256
+%_source_filedigest_algorithm sha256
 %__gpg /usr/bin/gpg
 %__gpg_sign_cmd     %{__gpg} \
          gpg --no-tty --batch --yes --no-verbose --no-armor \
@@ -30,6 +31,6 @@ echo "%_gpg_name Grafana Labs <[email protected]>
 " > ~/.rpmmacros
 
 for f in dist/*.rpm; do
-  rpm --addsign "${f}"
+  rpm --addsign --fips --rpm-digest sha256 "${f}"
   rpm --checksig "${f}"
 done
diff --git a/packaging/grafana-agent/rpm/gpg-sign.sh b/packaging/grafana-agent/rpm/gpg-sign.sh
@@ -18,7 +18,8 @@ echo "%_gpg_name Grafana Labs <[email protected]>
 %_gpg_path /root/.gnupg
 %_gpgbin /usr/bin/gpg
 %_gpg_digest_algo sha256
-%_binary_filedigest_algorithm 8
+%_binary_filedigest_algorithm sha256
+%_source_filedigest_algorithm sha256
 %__gpg /usr/bin/gpg
 %__gpg_sign_cmd     %{__gpg} \
          gpg --no-tty --batch --yes --no-verbose --no-armor \
@@ -30,6 +31,6 @@ echo "%_gpg_name Grafana Labs <[email protected]>
 " > ~/.rpmmacros
 
 for f in dist/*.rpm; do
-  rpm --addsign "${f}"
+  rpm --addsign --fips --rpm-digest sha256 "${f}"
   rpm --checksig "${f}"
 done
diff --git a/tools/make/packaging.mk b/tools/make/packaging.mk
@@ -239,6 +239,7 @@ define generate_agent_fpm =
 		--license "Apache 2.0" \
 		--vendor "Grafana Labs" \
 		--url "https://github.com/grafana/agent" \
+		--rpm-digest sha256 \
 		-t $(1) \
 		--after-install packaging/grafana-agent/$(1)/control/postinst \
 		--before-remove packaging/grafana-agent/$(1)/control/prerm \
@@ -314,6 +315,7 @@ define generate_flow_fpm =
 		--license "Apache 2.0" \
 		--vendor "Grafana Labs" \
 		--url "https://github.com/grafana/agent" \
+		--rpm-digest sha256 \
 		-t $(1) \
 		--after-install packaging/grafana-agent-flow/$(1)/control/postinst \
 		--before-remove packaging/grafana-agent-flow/$(1)/control/prerm \