Bug 7809 - Server RPMs cannot be installed on FIPS enforcing system
Summary: Server RPMs cannot be installed on FIPS enforcing system
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server Installer
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: LowPrio
Assignee: Bugzilla mail exporter
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-16 16:39 CET by Pierre Ossman
Modified: 2023-12-04 11:22 CET
CC: 2 users

See Also:
Acceptance Criteria:



Description Pierre Ossman cendio 2021-12-16 16:39:02 CET
If you enable "FIPS mode" on Red Hat systems it activates some extra checks in rpm that causes our installation to fail:

> 2021-12-16 16:25:46,370: Installation of packages failed:
> 2021-12-16 16:25:46,371:     ########################################
> 2021-12-16 16:25:46,371:     ########################################
> 2021-12-16 16:25:46,371:        package thinlinc-tlmisc-libs-4.13.0post-2376.x86_64 does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-tlprinter-4.13.0post-2376.noarch does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-tlmisc-4.13.0post-2376.x86_64 does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-vsm-4.13.0post-2376.x86_64 does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-webaccess-4.13.0post-2376.noarch does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-vnc-server-4.13.0post-2376.x86_64 does not verify: no digest
> 2021-12-16 16:25:46,371:        package thinlinc-tladm-4.13.0post-2376.x86_64 does not verify: no digest
> 2021-12-16 16:25:46,372:        package thinlinc-tlmisc-libs32-4.13.0post-2376.i686 does not verify: no digest

Unfortunately bypassing the signature check is insufficient:

> $ sudo rpm -Uvh --nodigest --noverify *.rpm
> Preparing...                          ################################# [100%]
> Updating / installing...
>    1:thinlinc-tlmisc-libs-4.13.0post-2################################# [ 13%]
> error: unpacking of archive failed on file /etc/passwdaliases;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-tlmisc-libs-4.13.0post-2376.x86_64: install failed
>    2:thinlinc-tlprinter-4.13.0post-237################################# [ 25%]
> error: unpacking of archive failed on file /opt/thinlinc/libexec/add_nearest_printer.sh;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-tlprinter-4.13.0post-2376.noarch: install failed
>    3:thinlinc-tlmisc-4.13.0post-2376  ################################# [ 38%]
> error: unpacking of archive failed on file /etc/cron.d/tl-statistics-cron;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-tlmisc-4.13.0post-2376.x86_64: install failed
>    4:thinlinc-vsm-4.13.0post-2376     ################################# [ 50%]
> error: unpacking of archive failed on file /etc/logrotate.d/thinlinc-vsm-agent;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-vsm-4.13.0post-2376.x86_64: install failed
>    5:thinlinc-webaccess-4.13.0post-237################################# [ 63%]
> error: unpacking of archive failed on file /etc/logrotate.d/thinlinc-webaccess;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-webaccess-4.13.0post-2376.noarch: install failed
>    6:thinlinc-tladm-4.13.0post-2376   ################################# [ 75%]
> error: unpacking of archive failed on file /etc/logrotate.d/thinlinc-tlwebadm;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-tladm-4.13.0post-2376.x86_64: install failed
>    7:thinlinc-vnc-server-4.13.0post-23################################# [ 88%]
> error: unpacking of archive failed on file /opt/thinlinc/bin/setxkbmap;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-vnc-server-4.13.0post-2376.x86_64: install failed
>    8:thinlinc-tlmisc-libs32-4.13.0post################################# [100%]
> error: unpacking of archive failed on file /lib/libnss_passwdaliases.so.2;61bb5bb6: cpio: Digest mismatch
> error: thinlinc-tlmisc-libs32-4.13.0post-2376.i686: install failed

There is some extra check for the files as well, which you fortunately can also bypass:

> $ sudo rpm -Uvh --nodigest --nofiledigest *.rpm
> Preparing...                          ################################# [100%]
> Updating / installing...
>    1:thinlinc-tlmisc-libs-4.13.0post-2################################# [ 13%]
>    2:thinlinc-tlprinter-4.13.0post-237################################# [ 25%]
>    3:thinlinc-tlmisc-4.13.0post-2376  ################################# [ 38%]
>    4:thinlinc-vsm-4.13.0post-2376     ################################# [ 50%]
>    5:thinlinc-webaccess-4.13.0post-237################################# [ 63%]
>    6:thinlinc-tladm-4.13.0post-2376   ################################# [ 75%]
>    7:thinlinc-vnc-server-4.13.0post-23################################# [ 88%]
>    8:thinlinc-tlmisc-libs32-4.13.0post################################# [100%]

So it seems like it's not just package signatures that are missing, but something more. This thread also confirms that signing the packages is not enough:

https://access.redhat.com/discussions/5043121

Also worth noting is that us signing our packages is not sufficient to get past the signature check. The key must also be trusted, and it is unclear how that should be accomplished in a secure way. Also discussed on bug 7637.
Comment 2 Patrik Pira 2021-12-16 20:10:05 CET
You will also need to build the packages with SHA256 file digests. This is taken from /usr/lib/rpm/macros on RHEL 8. 

#	Algorithm to use for generating file checksum digests on build.
#	If not specified or 0, MD5 is used.
#	WARNING: non-MD5 is backwards incompatible with rpm < 4.6!
#	The supported algorithms may depend on the underlying crypto
#	implementation but generally at least the following are supported:
#	1	MD5
#	2	SHA1
#	8	SHA256 (default)
#	9	SHA384
#	10	SHA512
#
%_source_filedigest_algorithm	8
%_binary_filedigest_algorithm	8
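The "no digest" and "cpio: Digest mismatch" errors in the description, and the macro values in comment 2, can be checked for before a package ever reaches a FIPS-enforcing host. The script below is an added example, not ThinLinc's or cendio's code: it queries each RPM's FILEDIGESTALGO header tag (the numeric values are the same ones listed in /usr/lib/rpm/macros above) and reports which packages were built with MD5 file digests and would therefore need `--nofiledigest` to install. It assumes `rpm` is on PATH; the `--nodigest --nosignature` query options are passed so the query itself does not fail on an MD5-digest package when run on a FIPS host.

```shell
#!/bin/sh
# Added example (not ThinLinc code): report RPMs whose file digests will be
# rejected by rpm in FIPS mode, before deployment rather than at install time.

# Map rpm's FILEDIGESTALGO tag value to an algorithm name. The values match the
# table in /usr/lib/rpm/macros. Packages built with rpm < 4.6 do not carry the
# tag at all; rpm prints "(none)" for it and falls back to MD5, so treat an
# absent tag as MD5.
digest_algo_name() {
    case "$1" in
        ''|'(none)'|1) echo "MD5" ;;
        2)  echo "SHA1" ;;
        8)  echo "SHA256" ;;
        9)  echo "SHA384" ;;
        10) echo "SHA512" ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Return 0 when the file-digest algorithm is one FIPS mode accepts (SHA-2
# family), 1 otherwise. MD5 and SHA1 are the ones rejected.
fips_ok_algo() {
    case "$(digest_algo_name "$1")" in
        SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Query one package file. Returns 0 if it is usable in FIPS mode, 1 if it
# would need --nofiledigest, 2 if rpm could not read the package at all.
# FILEDIGESTALGO is a standard rpm query tag (see `rpm --querytags`).
check_rpm_file() {
    pkg=$1
    algo=$(rpm -qp --nodigest --nosignature --qf '%{FILEDIGESTALGO}' "$pkg") \
        || return 2
    name=$(digest_algo_name "$algo")
    if fips_ok_algo "$algo"; then
        printf '%s: file digests %s (FIPS ok)\n' "$pkg" "$name"
        return 0
    fi
    printf '%s: file digests %s (fails in FIPS mode; rebuild with %%_binary_filedigest_algorithm 8)\n' \
        "$pkg" "$name"
    return 1
}

# Usage: sh check_rpm_digests.sh *.rpm
# Exit status is non-zero if any package would fail under FIPS enforcement.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_rpm_file "$f" || rc=1
    done
    exit "$rc"
fi
```

On the build side, the same macro values can be set without editing the system macros file: `rpmbuild --define '_binary_filedigest_algorithm 8'` produces SHA256 file digests with any rpm that supports them, which is what comment 2 asks for. Note that this only addresses the file-digest part of the failure; the package signature and key-trust question from the description is separate.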
Comment 3 Ken Bass 2022-06-23 21:13:53 CEST
Is there any possibility your build process can create the RPM packages using RPM version 4.14 or newer? My understanding is that will fix this issue and will also be backwards compatible with older RHEL/CentOS versions.
Comment 4 Pierre Ossman cendio 2022-06-27 08:38:27 CEST
Not at the moment, no. We'd need to check exactly what an upgrade means for the various distributions we try to support.

For now, I'm afraid you'll have to use the appropriate flags to rpm when installing on a FIPS enforcing system.
Comment 5 Ken Bass 2022-06-27 18:30:36 CEST
I did spend some effort researching this before posting here, so I think using RPM 4.14 will fix the issue and will also work on other older RPM platforms. 

https://fedoraproject.org/wiki/Changes/RPM-4.14 indicates they changed RPM to use SHA256 by default and they declare it is backwards compatible. 

From other research I did, there is an indication that building your package with RPM 4.14 or newer will work on RHEL6, RHEL7, and RHEL8 (and their CentOS equivalents) due to the backwards compatibility.

Maybe give it a try when you have a chance? Not sure what other RPM based systems you need to support, but many older ones are past or nearing EOL.
