Bug 2222117

Summary: gpg commands in FIPS mode show message "gpg: out of core handler ignored in FIPS mode"
Product: Red Hat Enterprise Linux 8
Component: gnupg2
Version: 8.8
Status: NEW
Severity: medium
Priority: low
Reporter: ckrell
Assignee: Jakub Jelen <jjelen>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Keywords: Triaged
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Type: Bug

Description ckrell 2023-07-11 21:00:06 UTC
Description of problem:
In RHEL 8/RHEL 9, when you have FIPS enabled and attempt to run any gpg commands, you see a message:

RHEL 8
~~~
[root@rhel8 ~]# gpg --help
gpg: out of core handler ignored in FIPS mode
gpg (GnuPG) 2.2.20
libgcrypt 1.8.5
<snip>
[root@rhel8 ~]# echo $?
0
~~~
RHEL 9
~~~
$ gpg --help | head
gpg: out of core handler ignored in FIPS mode
gpg (GnuPG) 2.3.3
libgcrypt 1.10.0-unknown
$ echo $?
0
~~~


Based on BZ 2094013 https://bugzilla.redhat.com/show_bug.cgi?id=2094013 I think this is just an informational message, but would like some clarity if this message is needed or if it's not useful - can it be hidden?


Version-Release number of selected component (if applicable):
gnupg2-2.2.20-3.el8_6.x86_64
libgcrypt-1.8.5-7.el8_6.x86_64

gnupg2-2.3.3-2.el9_0.x86_64
libgcrypt-1.10.0-10.el9_2.x86_64

How reproducible:

Steps to Reproduce:
1.  Enable FIPS mode (preferably install the system and press `tab` to add the kernel command option fips=1; alternatively, you can use `fips-mode-setup --enable` and then reboot).
2.  Run any gpg command including `gpg --help`


Actual results:
The first line after running a gpg command shows `gpg: out of core handler ignored in FIPS mode`

Expected results:
gpg command runs without this message

Comment 1 Jakub Jelen 2023-07-12 07:46:44 UTC
This was discussed upstream a couple of weeks back, and the solution was to remove the message:

https://dev.gnupg.org/T6515
https://dev.gnupg.org/rC6c79dcddd151b6b01a760f7aab54e6882ea5a475

So if we will be updating RHEL, we can backport this change.