RPM packages fail to install when FIPS Enabled

Description

During a customer installation we observed the following behavior when starting the initial installation of the Meridian 2022.1.5 packages: 

[root@localhost ~]# yum install meridian
Last metadata expiration check: 2:15:15 ago on Mon 08 Aug 2022 01:42:05 PM EDT.
Dependencies resolved.
================================================================================
 Package                   Arch       Version                Repository    Size
================================================================================
Installing:
 meridian                  noarch     2022.1.5-1             meridian     6.7 k
Installing dependencies:
 jicmp                     x86_64     2.0.5-1.el7.centos     meridian      32 k
 jicmp6                    x86_64     2.0.4-1.el7.centos     meridian      16 k
 jrrd2                     x86_64     1:2.0.5-1.el8          meridian      20 k
 meridian-core             noarch     2022.1.5-1             meridian     555 M
 meridian-webapp-jetty     noarch     2022.1.5-1             meridian      58 M
 rrdtool                   x86_64     1.7.2-5.el8            meridian     534 k

Transaction Summary
================================================================================
Install  7 Packages

Total download size: 614 M
Installed size: 818 M
Is this ok [y/N]: y
Downloading Packages:
(1/7): jicmp6-2.0.4-1.el7.centos.x86_64.rpm      29 kB/s |  16 kB     00:00
(2/7): jrrd2-2.0.5-1.el8.x86_64.rpm              35 kB/s |  20 kB     00:00
(3/7): meridian-2022.1.5-1.noarch.rpm           149 kB/s | 6.7 kB     00:00
(4/7): jicmp-2.0.5-1.el7.centos.x86_64.rpm       45 kB/s |  32 kB     00:00
(5/7): rrdtool-1.7.2-5.el8.x86_64.rpm           1.7 MB/s | 534 kB     00:00
(6/7): meridian-webapp-jetty-2022.1.5-1.noarch.  14 MB/s |  58 MB     00:04
(7/7): meridian-core-2022.1.5-1.noarch.rpm       10 MB/s | 555 MB     00:52
--------------------------------------------------------------------------------
Total                                            11 MB/s | 614 MB     00:53
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package jicmp6-2.0.4-1.el7.centos.x86_64 does not verify: no digest
  package jicmp-2.0.5-1.el7.centos.x86_64 does not verify: no digest

We found that this error came up because FIPS was enabled in the customer environment. We were able to use the following command to see if FIPS was enabled:

fips-mode-setup --check

We were able to use the following command to disable FIPS: 

fips-mode-setup --disable

After disabling FIPS, we were able to download and install the JICMP/JICMP6 packages without any issues. We were also able to bypass the issue by downloading the JICMP/JICMP6 packages locally and installing them with the following command:

rpm -ivh --noverify --nofiledigest --path /tmp/meridian/*

Environment

RHEL 8 VM

Acceptance / Success Criteria

None

Activity

Benjamin Reed December 13, 2022 at 5:43 PM

pushed fixed packages to meridian 2020/2021/2022 repos as well; re-marking as resolved

Jeff Gehlbach December 13, 2022 at 4:30 PM

Reopening so that can resolve once the updated RPMs have been synced out to all the live Meridians.

Benjamin Reed December 5, 2022 at 8:19 PM

Fixed by building new RPM packages with the proper signatures attached for JICMP and JICMP6. I paired with to show him how manual (re)builds happen for these types of one-off packages. The updated packages are live and in repos.

Jeff Gehlbach August 10, 2022 at 2:13 PM

Let's spawn a research issue from this one to investigate normalizing the digest algorithms used in our RPM headers.

Dino Yancey August 9, 2022 at 2:15 AM

This appears to be because the jicmp packages do not offer header and payload digests using sha256: (which would make sense as these are el7 packages)

# rpm --checksig -v /tmp/jicmp-2.0.5-1.el7.centos.x86_64.rpm
/tmp/jicmp-2.0.5-1.el7.centos.x86_64.rpm:
    Header V4 DSA/SHA1 Signature, key ID 5b9efd43: OK
    Header SHA1 digest: OK
    V4 DSA/SHA1 Signature, key ID 5b9efd43: OK
    MD5 digest: OK

Versus the Meridian core package:

# rpm --checksig -v /tmp/opennms-core-30.0.1-1.noarch.rpm
/tmp/opennms-core-30.0.1-1.noarch.rpm:
    Header V4 DSA/SHA1 Signature, key ID 5b9efd43: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 DSA/SHA1 Signature, key ID 5b9efd43: OK
    MD5 digest: OK
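A way to spot packages like jicmp before they reach a FIPS host, as an added example that is not part of this ticket or of OpenNMS: the script below reads the RPM signature and main headers directly and reports which of the digests shown in the two `--checksig` listings above are present. It assumes the tag numbers from rpm's rpmtag.h (MD5 = 1004, SHA1 header = 269, SHA256 header = 273, payload digest = 5092) and, following the passing core package above, treats a package as FIPS-verifiable only when both SHA-256 digests are present; the two package images are constructed fixtures, not real files.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
# Signature-header tags from rpm's rpmtag.h; each maps to one `rpm --checksig -v` line.
SIG_DIGESTS = {1004: "MD5 digest", 269: "Header SHA1 digest", 273: "Header SHA256 digest"}
RPMTAG_PAYLOADDIGEST = 5092        # lives in the main header, not the signature header

def header_tags(buf, off):
    """Return (set of tag numbers, end offset) for the header structure at buf[off:]."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])   # 4-byte reserved skipped
    idx = buf[off + 16:off + 16 + 16 * nindex]                     # 16-byte index entries
    tags = {struct.unpack(">I", idx[i:i + 4])[0] for i in range(0, len(idx), 16)}
    return tags, off + 16 + 16 * nindex + hsize

def digest_report(rpm):
    """Map each digest name to whether the package carries it, plus a FIPS-readiness verdict.
    Heuristic taken from the ticket: a passing el8 package shows both SHA-256 digests."""
    if rpm[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file")
    sig, end = header_tags(rpm, 96)              # 96-byte lead, then the signature header
    main, _ = header_tags(rpm, (end + 7) & ~7)   # signature header is padded to 8 bytes
    report = {name: tag in sig for tag, name in SIG_DIGESTS.items()}
    report["Payload SHA256 digest"] = RPMTAG_PAYLOADDIGEST in main
    fips_ready = report["Header SHA256 digest"] and report["Payload SHA256 digest"]
    return report, fips_ready

def build_header(entries):
    """Assemble a minimal header structure with BIN (type 7) entries; fixture use only."""
    index = data = b""
    for tag, blob in entries.items():
        index += struct.pack(">IIII", tag, 7, len(data), len(blob))
        data += blob
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data

def build_rpm(sig_entries, main_entries):
    """Constructed package image: lead + padded signature header + main header + dummy payload."""
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)
    return RPM_LEAD_MAGIC + b"\0" * 92 + sig + build_header(main_entries) + b"<payload>"

# Constructed fixtures mirroring the two --checksig listings (digest bytes are dummies).
EL7_STYLE = build_rpm({1004: b"\x11" * 16, 269: b"a" * 40}, {1000: b"jicmp"})
EL8_STYLE = build_rpm({1004: b"\x11" * 16, 269: b"a" * 40, 273: b"b" * 64},
                      {1000: b"meridian-core", RPMTAG_PAYLOADDIGEST: b"c" * 64})

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                      # real .rpm files given on the command line
        with open(path, "rb") as f:
            print(path, digest_report(f.read()))
    for name, img in (("el7-style", EL7_STYLE), ("el8-style", EL8_STYLE)):
        print(name, digest_report(img))
```

Run it over a repository directory before a FIPS rollout; any package reported without both SHA-256 digests is a candidate for the same "does not verify: no digest" failure.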
Fixed
Created August 8, 2022 at 8:13 PM
Updated December 13, 2022 at 5:43 PM
Resolved December 13, 2022 at 5:43 PM