Bug 1929818
| Summary: | pulp3: Patch Satellite to continue supporting md5 content in FIPS mode | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | David Davis <daviddavis> |
| Component: | Pulp | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Lai <ltran> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | Nightly | CC: | bmbouter, egolov, ggainey, jjeffers, osousa, smallamp, swadeley, ttereshc, zhunting |
| Target Milestone: | 6.10.0 | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | python-pulpcore-3.11.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-16 14:10:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1982695, 1995175 | ||
| Bug Blocks: | |||
|
Description
David Davis
2021-02-17 17:34:47 UTC
Here's an rpm repo with md5 checksums that would be worth testing: https://fixtures.pulpproject.org/rpm-with-md5/ (In reply to David Davis from comment #5) > Here's an rpm repo with md5 checksums that would be worth testing: > https://fixtures.pulpproject.org/rpm-with-md5/ Hello David Can you please confirm, is it the Repo that is signed, i.e. its meta data, or the RPMs themselves? The name of the repo, rpm-with-md5, makes me think its the RPMs that are signed with MD5. I downloaded bear RPM /]$ rpm -Kv --nosignature bear-4.1-1.noarch.rpm bear-4.1-1.noarch.rpm: Header SHA1 digest: OK MD5 digest: OK looks like its the RPMs Thank you It's actually the checksums in the metadata itself (see repomd.xml and primary.xml). Pulp uses these checksums to verify the repomd files and rpms when syncing content into Pulp. (In reply to David Davis from comment #8) > It's actually the checksums in the metadata itself (see repomd.xml and > primary.xml). Pulp uses these checksums to verify the repomd files and rpms > when syncing content into Pulp. I see it now: <open-checksum type="md5"> https://fixtures.pulpproject.org/rpm-with-md5/repodata/repomd.xml Thank you The patches which should be included are specified here: https://hackmd.io/@pulp/Pulp3-FIPS-matrix#What-about-37 Correct link to the patches: https://hackmd.io/@pulp/Pulp3-FIPS-matrix#Patches As noted in a FIPS call we just had, Peter has uncovered a FIPS-compliance-problem in the new tasking system that is getting its own BZ, and will need to be addressed before any testing can happen on **this** bug. (Summary: blake2 is Not Allowed in FIPS mode) Steps to test: 1. Install Satellite on a box with FIPS mode enabled 2. Create a product repo that uses md5 checksums for content (e.g. https://fixtures.pulpproject.org/rpm-with-md5/) 3. Sync it 4. Confirm that sync worked. Bonus: install a package from the repo. Expected: syncing should be successful Actual: syncing is successful I also was able to successful install a package after syncing. Verified on 6.10_21 with python3-pulpcore-3.14.7-1.el7pc.noarch Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:4702 |