Avoid checksum generation when not desired to circumvent FIPS problems

[tommycbird]

Description

Resolves Issue: #223 (comment)

When running under a FIPS-enabled OpenSSL build, Checksums.generate raises the following:

ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

You would think that by marking deploy with checksum_enabled=False it would circumvent this, but even though it does not use the checksum in this scenario, it still makes a call to Checksums.generate which is redundant and makes it impossible to avoid this specific problem.

Type of change

• Bug fix (non-breaking change which fixes an issue)

How has it been tested ?

• Ran full pytest suite locally (via poetry environment) → no new failures, no decrease in coverage
• Ran deploy with checksum_enabled=True (verified expected behavior)
• Ran deploy with checksum_enabled=False (FIPS error gone)

Checklist:

• My PR is ready for prime time!
• All commits have a correct title
• Readme has been updated
• Quality tests are green (see Codacy)
• Automated tests are green (see pipeline)

[anancarv]

Hey @tommycbird ,
Thanks for raising. I believe merging your changes will bring back this old issue #199 . Is it possible that the issue comes from your artifact (corrupted ...)?

[tommycbird]

Hey @anancarv sorry for the late reply. Yes not adding checksums at all will cause a warning on Artifactory, which is annoying.

I would suggest then to make this update be a modification to the hashlib calls. If called with usedforsecurity=False then the FIPS issue won't come up. I've tested this change on my end. Do you foresee that change causing any issues? If not then I can update my PR.

[anancarv]

Hey @anancarv sorry for the late reply. Yes not adding checksums at all will cause a warning on Artifactory, which is annoying.

I would suggest then to make this update be a modification to the hashlib calls. If called with usedforsecurity=False then the FIPS issue won't come up. I've tested this change on my end. Do you foresee that change causing any issues? If not then I can update my PR.

Hey @tommycbird ,
This is a good solution. It is safe to call haslib with usedforsecurity=False in this context since checksums are used here to detect accidental errors or data corruption, not cryptographic security. You can update the MR

[anancarv]

Also, the lint job is failing on the bandit step. Can you please rebase with master so that the fix can be applied to your branch?

[tommycbird]

Rebased with upstream/master, removed the old changes, and added in usedforsecurity=False into the function mapping.

[tommycbird]

Tests added and passing. Put it in a try catch, and made it call the get_hash from where hasher = is declared.

[anancarv]

lgtm! Good work 😃