The Wayback Machine - https://web.archive.org/web/20211109113508/https://github.com/angular/angular/pull/42582
Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(compiler-cli): change ngcc hash algorithm to be FIPS compliant #42582

Closed
wants to merge 3 commits into from
Closed

fix(compiler-cli): change ngcc hash algorithm to be FIPS compliant #42582

wants to merge 3 commits into from

Conversation

Reviewers

@JoostK JoostK

@gkalpak gkalpak

Assignees
No one assigned
Labels
action: merge cla: yes comp: ngcc target: patch
Projects
None yet
Milestone
Backlog
Linked issues

Successfully merging this pull request may close these issues.

Angular Compilation is not FIPS-Compliant
3 participants
@petebacondarwin @JoostK @gkalpak
@petebacondarwin
Copy link
Member

@petebacondarwin petebacondarwin commented Jun 16, 2021

Fixes #42577

NOTE: This is not a breaking change, since the hashes are only used locally and are recreated when installing a new version of ngcc.
@petebacondarwin
refactor(compiler-cli): make ngcc configuration hash algorithm config…
a3ba4ad 
…urable!

The ngcc configuration gets hashed to be used when caching
but it was hardcoded to use the `md5` algorithm, which is
not FIPS compliant.

Now the hash algorithm can be configured in the ngcc.config.js
file at the project level.
@petebacondarwin
refactor(compiler-cli): ngcc entry-point manifest hash is now configu…
d31ff76 
…rable

The hash algorithm for the entry-point manifest was hardcoded to `md5`.
This can now be configured by the `hashAlgorithm` property on the
ngcc.config.js project configuration.
@petebacondarwin
fix(compiler-cli): change default ngcc hash algorithm to be FIPS comp…
4cdcc3d 
…liant

The previous default algorithm was `md5`, which is not compliant with FIPS.
The default is now set to `sha256`, which is compliant.

Fixes angular#42577
@ngbot ngbot bot added this to the Backlog milestone Jun 16, 2021
@ngbot ngbot bot added this to the Backlog milestone Jun 16, 2021
@ngbot ngbot bot added this to the Backlog milestone Jun 16, 2021
@google-cla google-cla bot added the cla: yes label Jun 16, 2021
@petebacondarwin petebacondarwin requested review from JoostK and gkalpak Jun 18, 2021
JoostK
JoostK approved these changes Jun 19, 2021
View changes
Copy link
Member

@JoostK JoostK left a comment

Although this addresses the compatibility issue in ngcc, the CLI also uses md5 hashing and its dependencies might as well. Since we don't test FIPS compatibility I'm a bit hesitant to say we "officially" support operating within FIPS constraints.

Loading

@petebacondarwin
Copy link
Member Author

@petebacondarwin petebacondarwin commented Jun 20, 2021

Although this addresses the compatibility issue in ngcc, the CLI also uses md5 hashing and its dependencies might as well. Since we don't test FIPS compatibility I'm a bit hesitant to say we "officially" support operating within FIPS constraints.

The ability to configure should be enough to future proof ngcc.

Regarding testing, perhaps we could update our CI containers to run node in FIPS compliant mode?

Loading

jessicajaniuk added a commit that referenced this issue Jun 24, 2021
@petebacondarwin @jessicajaniuk
refactor(compiler-cli): ngcc entry-point manifest hash is now configu…
b8ef83b 
…rable (#42582)

The hash algorithm for the entry-point manifest was hardcoded to `md5`.
This can now be configured by the `hashAlgorithm` property on the
ngcc.config.js project configuration.

PR Close #42582
jessicajaniuk added a commit that referenced this issue Jun 24, 2021
@petebacondarwin @jessicajaniuk
fix(compiler-cli): change default ngcc hash algorithm to be FIPS comp…
874de59 
…liant (#42582)

The previous default algorithm was `md5`, which is not compliant with FIPS.
The default is now set to `sha256`, which is compliant.

Fixes #42577

PR Close #42582
jessicajaniuk added a commit that referenced this issue Jun 24, 2021
@petebacondarwin @jessicajaniuk
refactor(compiler-cli): make ngcc configuration hash algorithm config…
e1c9b8c 
…urable! (#42582)

The ngcc configuration gets hashed to be used when caching
but it was hardcoded to use the `md5` algorithm, which is
not FIPS compliant.

Now the hash algorithm can be configured in the ngcc.config.js
file at the project level.

PR Close #42582
jessicajaniuk added a commit that referenced this issue Jun 24, 2021
@petebacondarwin @jessicajaniuk
refactor(compiler-cli): ngcc entry-point manifest hash is now configu…
8419cb9 
…rable (#42582)

The hash algorithm for the entry-point manifest was hardcoded to `md5`.
This can now be configured by the `hashAlgorithm` property on the
ngcc.config.js project configuration.

PR Close #42582
jessicajaniuk added a commit that referenced this issue Jun 24, 2021
@petebacondarwin @jessicajaniuk
fix(compiler-cli): change default ngcc hash algorithm to be FIPS comp…
4459741 
…liant (#42582)

The previous default algorithm was `md5`, which is not compliant with FIPS.
The default is now set to `sha256`, which is compliant.

Fixes #42577

PR Close #42582
@angular-automatic-lock-bot
Copy link

@angular-automatic-lock-bot angular-automatic-lock-bot bot commented Jul 25, 2021

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

Loading

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 25, 2021
@petebacondarwin petebacondarwin deleted the ngcc-sha-issue-42577 branch Sep 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.