Bug 2100400

Summary:	Regression: The nettle MAC key doesn't match
Product:	[Fedora] Fedora	Reporter:	Andreas Schneider <asn>
Component:	nettle	Assignee:	Daiki Ueno <dueno>
Status:	CLOSED DUPLICATE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	36	CC:	asn, crypto-team, dueno, dwmw2, paul.wouters
Target Milestone:	---	Keywords:	Regression
Target Release:	---	Flags:	fedora-admin-xmlrpc: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-06-23 10:31:38 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Andreas Schneider 2022-06-23 09:30:14 UTC

Description of problem:

$ GNUTLS_FORCE_FIPS_MODE=1 certtool
[..]
gnutls[2]: Calculated MAC for /lib64/libnettle.so.8 does not match
gnutls[3]: ASSERT: fips.c[check_lib_hmac]:383
gnutls[3]: ASSERT: fips.c[_gnutls_fips_perform_self_checks2]:607
gnutls[1]: FIPS140-2 self testing part 2 failed

This happens again and again ...

Please add a Fedora gating test!

Comment 1 Andreas Schneider 2022-06-23 09:41:06 UTC

nettle-3.8-1.fc36.x86_64

Comment 2 Daiki Ueno 2022-06-23 10:31:38 UTC

Yeah, it was a recent change that gnutls' library integrity check covers other dependent packages (nettle and gmp) and we should have amended our packaging workflow to reflect that.

I agree that it would make sense to have a gating test.

*** This bug has been marked as a duplicate of bug 2099651 ***