Bug 2277398

Summary: implantisomd5 results in a custom ISO that does not pass verification upon booting
Product: [Fedora] Fedora Reporter: Jonathan Billings <jbilling>
Component: isomd5sumAssignee: anaconda-maint
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 40CC: anaconda-maint, rvykydal
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: isomd5sum-1.2.4-1 isomd5sum-1.2.4-2.fc41 isomd5sum-1.2.4-2.fc40 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-04-29 20:24:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Screenshot of checkisomd5 error on Fedora boot none

Description Jonathan Billings 2024-04-26 18:48:35 UTC 
When I create a custom ISO with 'mkksiso', part of the 'lorax' package, and then implant an MD5 on the ISO with the v1.2.4 version of implantisomd5, I get a failed verification during boot.  This didn't happen with the implantisomd5 in Fedora 39 (v1.2.3)

Reproducible: Always

Steps to Reproduce:
1. Download the latest fedora netinst ISO
2. Use mkksiso to modify the ISO somehow.  
3. Run implantisomd5 on the new ISO
4. Try to boot the ISO
Actual Results:  
$ sudo mkksiso -c nomodeset  Fedora-Everything-netinst-x86_64-40-1.14.iso testing.iso
xorriso 1.5.6 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE :     328 nodes read in 1 seconds
libisofs: NOTE : Found hidden El-Torito image for EFI.
libisofs: NOTE : EFI image start and size: 390055 * 2048 , 25552 * 512
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev '/home/jbilling/VirtualMachines/Fedora-Everything-netinst-x86_64-40-1.14.iso'
Drive access : shared:readonly
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR protective-msdos-label grub2-mbr cyl-align-off GPT
Media summary: 1 session, 396609 data blocks,  775m data,  303g free
Volume id    : 'Fedora-E-dvd-x86_64-40'
xorriso : UPDATE :       1 files restored (  1326b) in 1 seconds = 0.0xD
Extracted from ISO image: file '/EFI/BOOT/BOOT.conf'='/tmp/mkksiso-v44ojr26/EFI/BOOT/BOOT.conf'
xorriso : UPDATE :       1 files restored (  1326b) in 1 seconds = 0.0xD
Extracted from ISO image: file '/EFI/BOOT/grub.cfg'='/tmp/mkksiso-v44ojr26/EFI/BOOT/grub.cfg'
xorriso : UPDATE :       1 files restored (  1465b) in 1 seconds = 0.0xD
Extracted from ISO image: file '/boot/grub2/grub.cfg'='/tmp/mkksiso-v44ojr26/boot/grub2/grub.cfg'
xorriso : UPDATE :       1 files restored (    28b) in 1 seconds = 0.0xD
Extracted from ISO image: file '/.discinfo'='/tmp/mkksiso-v44ojr26/.discinfo'
INFO:iso arch = x86_64
INFO:Volume Id = Fedora-E-dvd-x86_64-40
WARNING:No isolinux/isolinux.cfg file found
WARNING:No s390 config files found
xorriso 1.5.6 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE :     328 nodes read in 1 seconds
libisofs: NOTE : Found hidden El-Torito image for EFI.
libisofs: NOTE : EFI image start and size: 390055 * 2048 , 25552 * 512
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev '/home/jbilling/VirtualMachines/Fedora-Everything-netinst-x86_64-40-1.14.iso'
Drive access : shared:readonly
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR protective-msdos-label grub2-mbr cyl-align-off GPT
Media summary: 1 session, 396609 data blocks,  775m data,  303g free
Volume id    : 'Fedora-E-dvd-x86_64-40'
xorriso : UPDATE :      11 files restored ( 12251k) in 1 seconds = 9.1xD
Extracted from ISO image: file '/EFI'='/tmp/mkksiso-_5vih6ul/EFI'
xorriso 1.5.6 : RockRidge filesystem manipulator, libburnia project.

xorriso : NOTE : Loading ISO image tree from LBA 0
xorriso : UPDATE :     328 nodes read in 1 seconds
libisofs: NOTE : Found hidden El-Torito image for EFI.
libisofs: NOTE : EFI image start and size: 390055 * 2048 , 25552 * 512
xorriso : NOTE : Detected El-Torito boot information which currently is set to be discarded
Drive current: -indev '/home/jbilling/VirtualMachines/Fedora-Everything-netinst-x86_64-40-1.14.iso'
Media current: stdio file, overwriteable
Media status : is written , is appendable
Boot record  : El Torito , MBR protective-msdos-label grub2-mbr cyl-align-off GPT
Media summary: 1 session, 396609 data blocks,  775m data,  303g free
Volume id    : 'Fedora-E-dvd-x86_64-40'
Drive current: -outdev '/home/jbilling/VirtualMachines/testing.iso'
Media current: stdio file, overwriteable
Media status : is blank
Media summary: 0 sessions, 0 data blocks, 0 data,  303g free
xorriso : WARNING : -volid text does not comply to ISO 9660 / ECMA 119 rules
xorriso : NOTE : Replayed 23 boot related commands
Updating '/tmp/mkksiso-v44ojr26/EFI/BOOT/grub.cfg' to '/EFI/BOOT/grub.cfg'
xorriso : UPDATE : Added/overwrote '/EFI/BOOT/grub.cfg'  (1366)
Differences detected and updated. (runtime 0.0 s)
Updating '/tmp/mkksiso-v44ojr26/EFI/BOOT/BOOT.conf' to '/EFI/BOOT/BOOT.conf'
xorriso : UPDATE : Added/overwrote '/EFI/BOOT/BOOT.conf'  (1366)
Differences detected and updated. (runtime 0.0 s)
Updating '/tmp/mkksiso-v44ojr26/boot/grub2/grub.cfg' to '/boot/grub2/grub.cfg'
xorriso : UPDATE : Added/overwrote '/boot/grub2/grub.cfg'  (1505)
Differences detected and updated. (runtime 0.0 s)
Updating '/tmp/mkksiso-v44ojr26/.discinfo' to '/.discinfo'
xorriso : UPDATE : Adjusted attributes of '/.discinfo'
Differences detected and updated. (runtime 0.0 s)
xorriso : NOTE : Copying to System Area: 32768 bytes from file '--interval:imported_iso:0s-15s:zero_mbrpt,zero_gpt:/home/jbilling/VirtualMachines/Fedora-Everything-netinst-x86_64-40-1.14.iso'
xorriso : UPDATE : Writing:      40960s   10.3%   fifo 100%  buf  50%
xorriso : UPDATE : Writing:     368544s   92.9%   fifo  99%  buf  50%  537.7xD 
ISO image produced: 396419 sectors
Written to medium : 396592 sectors at LBA 48
Writing to '/home/jbilling/VirtualMachines/testing.iso' completed successfully.

$ sudo implantisomd5 --force testing.iso 
Inserting md5sum into iso image...
md5 = dcfb96039ea69c60dfb06404f917c844
Inserting fragment md5sums into iso image...
fragmd5 = 3626853c994f39efaed2522444183e86c4312cbe818ca9554bbbb9dd2
frags = 20
Setting supported flag to 0
$ checkisomd5 testing.iso 
Press [Esc] to abort check.

The media check is complete, the result is: PASS.

It is OK to use this media.

When I boot the ISO, during boot it says:

/dev/sr0:   dcfb96039ea69c60dfb06404f917c844
Fragment sums: 3626853c994f39efaed2522444183e86c4312cbe818ca9554bbbb9dd2;FR
Fragment count: 20
Supported ISO: no
Press [Esc] to abort check.
Checking: 095.2%

The media check is complete, the result is: FAIL

It is not recommended to use this media.
[FAILED] Failed to start checkisomd5 - Media check on /dev/sr0

(I'll attach a screenshot)


Expected Results:  
I would expect the boot to succeed and pass verification.

I can run a Fedora 39 toolbox on my Fedora 40 system and run the same 'implantisomd5' command and the system boots fine with the ISO.
Comment 1 Jonathan Billings 2024-04-26 18:52:08 UTC 
Created attachment 2029460 [details]
Screenshot of checkisomd5 error on Fedora boot
Comment 2 Jonathan Billings 2024-04-26 18:59:43 UTC 
I had tested this on a VM (libvird/kvm on Fedora 40), and to be absolutely sure, I dd'd the ISO to a USB stick and booted it on a spare laptop, same failure.

I also tested checkisomd5 from Fedora 39 on an ISO that was created and passed a check with the package in Fedora 40:

[jbilling@thinkpad VirtualMachines]$ cat /etc/fedora-release 
Fedora release 40 (Forty)
[jbilling@thinkpad VirtualMachines]$ rpm -q isomd5sum
isomd5sum-1.2.4-1.fc40.x86_64 
[jbilling@thinkpad VirtualMachines]$ checkisomd5 --verbose testing.iso 
testing.iso:   dcfb96039ea69c60dfb06404f917c844
Fragment sums: 3626853c994f39efaed2522444183e86c4312cbe818ca9554bbbb9dd2;FR
Fragment count: 20
Supported ISO: no
Press [Esc] to abort check.
Checking: 100.0%

The media check is complete, the result is: PASS.

It is OK to use this media.
[jbilling@thinkpad VirtualMachines]$ toolbox enter fedora-toolbox-39
[jbilling@toolbox VirtualMachines]$ cat /etc/fedora-release 
Fedora release 39 (Thirty Nine)
[jbilling@toolbox VirtualMachines]$ rpm -q isomd5sum 
isomd5sum-1.2.3-21.fc39.x86_64
[jbilling@toolbox VirtualMachines]$ checkisomd5 --verbose testing.iso 
testing.iso:   dcfb96039ea69c60dfb06404f917c844
Fragment sums: 3626853c994f39efaed2522444183e86c4312cbe818ca9554bbbb9dd2;FR
Fragment count: 20
Supported ISO: no
Press [Esc] to abort check.
Checking: 095.2%

The media check is complete, the result is: FAIL.

It is not recommended to use this media.
Comment 3 Jonathan Billings 2024-04-26 19:34:46 UTC 
checked the version of 'checkisomd5' in the initrd on the install media, and I see it is v1.2.3-23.fc40, which explains the above behavior.  (boot into the media with rd.break, and run 'grep -a version /usr/bin/checkisomd5', which prints out a lot of garbage text along with:

{"type":"rpm","name":"isomd5sum","version":"1.2.3-23.fc40","architecture":"x86_64","osCpe":"cpe:/o:fedoraproject:fedora:39"}
Comment 4 Brian Lane 2024-04-29 17:45:49 UTC 
Thanks for the report. FWIW you shouldn't need to run implantisomd5 yourself, mkksiso does this unless you pass it '--no-md5sum'

But running it manually should result in the same checksums being written, so I'm curious to see what happens if you run checkisomd5sum after running mkksiso (and maybe I should add that as a sanity check).

The first problem though is that implantmd5sum is implanting an incorrect checksum, it's too short. It should be 60 characters, but is only 57, resulting in the trailing ';FR' that is shown when you try to boot it.
So I'll fire up an f40 vm today and see if I can reproduce this.
Comment 5 Brian Lane 2024-04-29 18:57:17 UTC 
Sorry about this. It was caused by my attempt to fix problems writing checksums to small isos. I've reverted that patch for now and a new release (1.2.4-2) is being built.

https://koji.fedoraproject.org/koji/taskinfo?taskID=117043901
Comment 6 Fedora Update System 2024-04-29 18:59:13 UTC 
FEDORA-2024-985bf09847 (isomd5sum-1.2.4-2.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-985bf09847
Comment 7 Fedora Update System 2024-04-29 20:24:25 UTC 
FEDORA-2024-985bf09847 (isomd5sum-1.2.4-2.fc41) has been pushed to the Fedora 41 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 8 Fedora Update System 2024-04-29 21:43:08 UTC 
FEDORA-2024-4eb5f90606 (isomd5sum-1.2.4-2.fc40) has been submitted as an update to Fedora 40.
https://bodhi.fedoraproject.org/updates/FEDORA-2024-4eb5f90606
Comment 9 Fedora Update System 2024-04-30 02:07:11 UTC 
FEDORA-2024-4eb5f90606 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-4eb5f90606`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-4eb5f90606

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 10 Fedora Update System 2024-05-07 05:14:27 UTC 
FEDORA-2024-4eb5f90606 (isomd5sum-1.2.4-2.fc40) has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.