RPM Missing Digests
dcarlojr opened this issue · 7 comments
We are unable to install NCPA 3.1.0-1 on RHEL systems running in FIPS mode. I believe the file digests are missing from the published RPMs. The yum/rpm transaction throws a "package ncpa-3.1.0-1.x86_64 does not verify: no digest" error.
OS: RHEL 9.2 x86_64
[root@nagios9-test ~]# yum install ncpa-latest-1.x86_64.rpm
Updating Subscription Management repositories.
Unable to read consumer identity
Warning: failed loading '/etc/yum.repos.d/redhat.repo', skipping.
Last metadata expiration check: 0:34:26 ago on Fri 17 May 2024 09:26:01 PM EDT.
Dependencies resolved.
======================================================================================================================================================================================================
Package Architecture Version Repository Size
======================================================================================================================================================================================================
Installing:
ncpa x86_64 3.1.0-1 @commandline 26 M
Transaction Summary
======================================================================================================================================================================================================
Install 1 Package
Total size: 26 M
Installed size: 69 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
package ncpa-3.1.0-1.x86_64 does not verify: no digest
[root@nagios9-test ~]# fips-mode-setup --check
FIPS mode is enabled.
Hello, this is affecting us on RHEL 9 in FIPS mode as well. Is there any update on when this might be fixed?
I have opened a ticket with Nagios support about this but was just pointed back here. When will this be assigned and worked on?
Information related to the required change can be found here: https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256
The issue is related to MD5/SHA1 being used for signatures/digests, which are no longer allowed in modern FIPS restrictions. The solution is to move to using SHA-256 for these when building the RPM package.
It looks like updating the .rpmmacros file in the build environment before building might also be a way to handle this. Possibly both should be done. Using SHA256 should allow RHEL 7, 8, and 9 to work according to what I have read.
# ~/.rpmmacros
... cut ...
### RPM Digest (Checksum/Integrity) Configuration
# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 8
%_source_filedigest_algorithm 8
... cut ...
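To check which digests a built package carries before publishing it, this added example (not part of the thread or of the NCPA build) parses the RPM v4 signature header and reports whether a SHA-256 header digest is present alongside MD5/SHA1. The tag numbers come from rpm's rpmtag.h; the function names and `build_sample` input are constructed for illustration, and the payload digest stored in the main header is not inspected.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
LEAD_SIZE = 96  # fixed-size legacy lead that precedes the signature header
# Digest tags in the signature header (numbers from rpm's rpmtag.h).
DIGEST_TAGS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}
# Assumption, following the thread: MD5/SHA1 are not accepted under FIPS.
FIPS_USABLE = {"SHA256"}

def signature_digests(rpm_bytes):
    """Return the sorted names of digest tags found in the signature header."""
    if rpm_bytes[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    intro = rpm_bytes[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # intro = magic(4) + reserved(4) + index entry count(4) + data size(4)
    nindex, _hsize = struct.unpack(">II", intro[8:16])
    index = rpm_bytes[LEAD_SIZE + 16:LEAD_SIZE + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature index")
    found = []
    for i in range(nindex):
        # Each index entry is tag, type, offset, count (big-endian uint32).
        tag, _type, _off, _count = struct.unpack_from(">IIII", index, 16 * i)
        if tag in DIGEST_TAGS:
            found.append(DIGEST_TAGS[tag])
    return sorted(found)

def has_fips_usable_digest(rpm_bytes):
    """True if the signature header carries at least one non-MD5/SHA1 digest."""
    return bool(FIPS_USABLE & set(signature_digests(rpm_bytes)))

def build_sample(tags):
    """Constructed input: lead + signature index only, no data or payload."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    entries = b"".join(struct.pack(">IIII", t, 7, 0, 1) for t in tags)
    intro = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), 0)
    return lead + intro + entries

if __name__ == "__main__":
    legacy = build_sample([62, 1000, 1004, 269])        # MD5 + SHA1 only
    modern = build_sample([62, 1000, 1004, 269, 273])   # adds SHA256
    for name, blob in (("legacy", legacy), ("modern", modern)):
        print(name, signature_digests(blob), has_fips_usable_digest(blob))
```

For a real package, pass the file's bytes, for example `signature_digests(open(path, "rb").read())`.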
Sorry for the delay in response. I will try to get this worked out for NCPA 3.2.0.
Thanks! I appreciate the update. Let me know if you need someone to test.
In the meantime, you can either
- install NCPA via the tarball
or if you only want to install through the Nagios repo:
- disable FIPS
- install NCPA
- re-enable FIPS