Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode


Trevor Vaughan (Jira)

Jan 23, 2021, 1:34:03 PM
to puppe...@googlegroups.com
Trevor Vaughan created an issue
 
Puppet / Bug PUP-10859
Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Issue Type: Bug
Affects Versions: PUP 6.19.1, PUP 7.1.0, PUP 6.18.0
Assignee: Morgan Rhodes
Created: 2021/01/23 10:33 AM
Priority: Major
Reporter: Trevor Vaughan

Puppet Version: All
Puppet Server Version: All
OS Name/Version: CentOS and RHEL 8.3+ in FIPS mode

CentOS and RHEL 8.3+, when running in FIPS mode, require SHA-256 signatures on both repository metadata and RPMs.

StarLab has a good summary of the issue and I can confirm that resigning the RPMs using a CentOS 8.3+ base container/image will allow for correct installation.

Desired Behavior: Ability to install puppet RPMs on an EL8 system in FIPS mode.

Actual Behavior: RPMs fail to install.

 

An example of the failure can be found in the pupmod-simp-pupmod beaker tests.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)

Josh Cooper (Jira)

Jan 25, 2021, 7:01:02 PM
to puppe...@googlegroups.com

Morgan Rhodes (Jira)

Jan 26, 2021, 11:17:03 AM
to puppe...@googlegroups.com
Morgan Rhodes assigned an issue to Unassigned
Change By: Morgan Rhodes
Assignee: Morgan Rhodes

Mihai Buzgau (Jira)

Mar 2, 2021, 7:58:56 PM
to puppe...@googlegroups.com

Mihai Buzgau (Jira)

Jun 16, 2021, 4:44:01 AM
to puppe...@googlegroups.com
Mihai Buzgau updated an issue
Change By: Mihai Buzgau
Epic Link: PA-3766

Jeanne Greulich (Jira)

Jul 20, 2021, 1:32:03 PM
to puppe...@googlegroups.com
Jeanne Greulich commented on Bug PUP-10859
 
Re: Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode

No, the problem does not happen when not in FIPS mode. The puppet-agent RPM is signed correctly, so it can be installed on EL8 in FIPS mode; you can use that as a model for signing your puppetserver RPM.

Maggie Dreyer (Jira)

Jul 20, 2021, 5:17:02 PM
to puppe...@googlegroups.com

No, I think this is Release Engineering. We don't do anything with signing packages.

Morgan Rhodes (Jira)

Jul 21, 2021, 3:55:04 PM
to puppe...@googlegroups.com

Ok, I've been able to isolate this to some difference in the build environments for packages built with vanagon (puppet-agent, pdk) and packages built with ezbake (puppetserver, puppetdb). We will investigate this.

Liz Nemsick (Jira)

Aug 19, 2021, 9:38:02 AM
to puppe...@googlegroups.com
Liz Nemsick commented on Bug PUP-10859

Is there a timeframe to address this issue?

Morgan Rhodes (Jira)

Aug 25, 2021, 1:44:03 PM
to puppe...@googlegroups.com

Morgan Rhodes (Jira)

Aug 25, 2021, 1:45:03 PM
to puppe...@googlegroups.com
Morgan Rhodes updated an issue
Change By: Morgan Rhodes
Team: Night's Watch Release Engineering

Morgan Rhodes (Jira)

Aug 27, 2021, 6:56:05 PM
to puppe...@googlegroups.com
Morgan Rhodes commented on Bug PUP-10859
 
Re: Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode

Liz Nemsick I believe I have a fix for this up now so hopefully the next puppet platform releases will include this change.

Morgan Rhodes (Jira)

Sep 22, 2021, 5:15:02 PM
to puppe...@googlegroups.com

Ok, there were some delays in getting this change rolled out, but I was able to confirm that a local development build has all the correct digests/signatures:

# rpm -Kv puppetserver-7.4.1-0.1SNAPSHOT.2021.09.21T2216.el8.noarch.rpm
puppetserver-7.4.1-0.1SNAPSHOT.2021.09.21T2216.el8.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
    MD5 digest: OK

Trevor Vaughan (Jira)

Jan 17, 2022, 3:49:01 PM
to puppe...@googlegroups.com

It looks like the solution was only a partial fix unfortunately:

Error unpacking rpm package puppetserver-7.5.0-1.el8.noarch
  Cleanup          : lua-libs-5.3.4-11.el8.x86_64                                   18/18
error: unpacking of archive failed on file /etc/puppetlabs/puppetserver/conf.d/auth.conf;61e5d5b8: cpio: Digest mismatch
error: puppetserver-7.5.0-1.el8.noarch: install failed

It is possible to work around this particular error by resigning things locally but that is not ideal since we lose the vendor signature. And, of course, you still can't install from the puppet repositories themselves.

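The `rpm -Kv` output quoted earlier in the thread, and the cpio "Digest mismatch" failure above, both come down to which digest algorithms an RPM carries. Below is an added example (it is not part of the Jira thread and not Puppet's own tooling) that classifies `rpm -Kv` output for EL8 FIPS readiness: it requires a SHA-256 header digest, a SHA-256 payload digest and an RSA/SHA256 signature, and flags any non-OK verdict. The two sample outputs are constructed (key IDs are placeholders) so the check runs without an RPM on hand.

```shell
#!/bin/sh
# Added example, not from the Jira thread: classify `rpm -Kv` output for
# EL8 FIPS readiness. The samples below are constructed for illustration.

# Constructed sample: full SHA-256 coverage, modelled on the puppetserver
# 7.4.1 output quoted in the thread (key ID is a placeholder).
SAMPLE_OK='example-1.0-1.el8.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'

# Constructed sample: an older-style package that only carries SHA1/MD5
# digests and a SHA1 signature, which FIPS mode rejects.
SAMPLE_LEGACY='example-0.9-1.el7.noarch.rpm:
    Header V4 RSA/SHA1 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK
    V4 RSA/SHA1 Signature, key ID 0123abcd: OK
    MD5 digest: OK'

# fips_rpm_status "<text printed by rpm -Kv pkg.rpm>"
# Prints "ok" and returns 0 when the header digest, payload digest and
# signature all use SHA-256 and nothing reports a failure; otherwise prints
# each missing piece on its own line and returns 1.
fips_rpm_status() {
    out=$1
    missing=""
    printf '%s\n' "$out" | grep -q 'Header SHA256 digest: OK' \
        || missing="${missing}header-sha256-digest "
    printf '%s\n' "$out" | grep -q 'Payload SHA256 digest: OK' \
        || missing="${missing}payload-sha256-digest "
    printf '%s\n' "$out" | grep -q 'RSA/SHA256 Signature, key ID [0-9a-f]*: OK' \
        || missing="${missing}sha256-signature "
    # A NOKEY, BAD or NOT OK verdict fails the package whatever the algorithm.
    if printf '%s\n' "$out" | grep -Eq '(NOKEY|BAD|NOT OK)'; then
        missing="${missing}verification-failure "
    fi
    if [ -z "$missing" ]; then
        echo ok
        return 0
    fi
    echo "$missing" | tr ' ' '\n' | sed '/^$/d'
    return 1
}

# Usage against a real file: fips_rpm_status "$(rpm -Kv pkg.rpm 2>&1)"
fips_rpm_status "$SAMPLE_OK"
fips_rpm_status "$SAMPLE_LEGACY"
```

Note that `rpm -Kv` only covers the header, payload and signature digests; the cpio "Digest mismatch" in the comment above is a per-file digest problem, which this check cannot see. The per-file algorithm is recorded in the header tag FILEDIGESTALGO (`rpm -qp --qf '%{FILEDIGESTALGO}\n' pkg.rpm`, where 1 is MD5 and 8 is SHA-256); that query is mentioned here as a pointer for readers, not as something the thread states.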

Trevor Vaughan (Jira)

Jan 17, 2022, 3:51:02 PM
to puppe...@googlegroups.com
Trevor Vaughan updated an issue
 
Change By: Trevor Vaughan
*Puppet Version:* All
*Puppet Server Version:* All
*OS Name/Version:* CentOS and RHEL 8.3+ in FIPS mode


CentOS and RHEL 8.3+, when running in FIPS mode, require SHA-256 signatures on both repository metadata and RPMs.

StarLab has a [good summary of the issue|https://www.starlab.io/blog/adding-sha256-digests-to-rpms] and I can confirm that resigning the RPMs using a CentOS 8.3+ base container/image will allow for correct installation.

*Desired Behavior:* Ability to install puppet RPMs on an EL8 system in FIPS mode.

*Actual Behavior:* RPMs fail to install.

 

*Docs:* An example of the failure can be found in the [pupmod-simp-pupmod beaker tests|https://gitlab.com/simp/pupmod-simp-pupmod/-/jobs/980280745#L4089].

*How To Test:*
{code:java}
fips-mode-setup --enable
reboot
fips-mode-setup --check (should say enabled)
dnf -y install https://yum.puppet.com/puppet-release-el-8.noarch.rpm
dnf -y install puppetserver{code}
 

Trevor Vaughan (Jira)

Feb 20, 2022, 4:03:02 PM
to puppe...@googlegroups.com
 
Re: Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode

Version 7.6.0-1 works properly in FIPS mode on EL8
