Fix #1469 Use a different checksum calculation method to run in FIPS env #1473
Just making sure, this change is backwards compatible, right?
8dd91da to 2578499
@jschneier the change depends on a specific version of the google storage lib, that I'm locking with the change. All the test python versions were already using the latest one 2.18.2, e.g. see 3.7 logs:
I guess it should be compatible.
2578499 to 3c7a065
@jschneier the failing test
@markesha any idea what's going on here? There are no failures now but the tests were never "fixed".
Looks good although I don't understand the test reality.
3c7a065 to 5736ede
@jschneier I'm not sure what's happening - it still fails locally for me
Well, in #1476 I just change it to use CSS which should fix whatever weird mimetype problem we are having.
… in FIPS env
Python 3.10 and later versions rely on OpenSSL 1.1.1 or newer, which includes FIPS-compliance checks. MD5 is not an approved algorithm in FIPS mode, so attempting to instantiate self.blob.download_to_file(self._file) will fail when the system is running in FIPS mode.
The change configures the `download_to_file` function to use an alternative algorithm provided by gcloud storage SDK - 'crc32c' - for checksum calculation.
Configurable checksumming is available in the google-storage lib since v1.31.0, but pinning to >=1.32 for the retry import.
5736ede to ab961ba
@jschneier Do you mind making a release for this change?
Python 3.10 and later versions rely on OpenSSL 1.1.1 or newer, which includes FIPS-compliance checks.
MD5 is not an approved algorithm in FIPS mode, so attempting to instantiate self.blob.download_to_file(self._file) will fail when the system is running in FIPS mode.
The change configures the `download_to_file` function to use an alternative algorithm provided by gcloud storage SDK - 'crc32c' - for checksum calculation.
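The failure mode and the replacement checksum described above, as an added example that is not code from this pull request: it probes whether MD5 can be constructed at all, picks the value for the `checksum` argument of `download_to_file` accordingly, and computes CRC32C in pure Python, base64-encoded big-endian as Cloud Storage reports it. The helper names and the `fips_md5` stand-in are assumptions made for illustration; the PR itself simply sets 'crc32c'.

```python
import base64
import hashlib


def md5_usable(md5_factory=hashlib.md5):
    """Probe whether the crypto backend allows a plain MD5 constructor."""
    try:
        md5_factory(b"probe")
        return True
    except ValueError:
        # With OpenSSL in FIPS mode, hashlib surfaces the refusal as ValueError.
        return False


def pick_checksum(md5_factory=hashlib.md5):
    """Value to pass as download_to_file(..., checksum=...)."""
    return "md5" if md5_usable(md5_factory) else "crc32c"


def _make_table():
    # Reflected Castagnoli polynomial, the one CRC32C is defined over.
    table = []
    for n in range(256):
        crc = n
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
        table.append(crc)
    return table


_TABLE = _make_table()


def crc32c(data):
    """CRC32C of a bytes object, no hashlib involved."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = _TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)
    return crc ^ 0xFFFFFFFF


def crc32c_b64(data):
    """CRC32C as base64 of the 4 big-endian bytes."""
    return base64.b64encode(crc32c(data).to_bytes(4, "big")).decode("ascii")


def fips_md5(_data=b""):
    """Constructed stand-in for hashlib.md5 on a FIPS-mode host."""
    raise ValueError("md5 disabled (constructed message)")
```

CRC32C detects accidental corruption in transit; it is not a cryptographic digest and gives no protection against deliberate modification.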