Bug 2291183

Summary: rpmsign broken: openssl: error:1C8000A6:Provider routines::invalid digest length
Product: [Fedora] Fedora
Reporter: Karel Srot <ksrot>
Component: rpm
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Docs Contact:
Priority: unspecified
Version: rawhide
CC: igor.raits, mdomonko, msrb, packaging-team-maint, pmatilai
Target Milestone: ---
Keywords: Regression
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2024-06-12 10:22:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Karel Srot 2024-06-10 16:03:52 UTC
After an update to newer rpm we have started observing test failures due to rpmsign failing.

:: [ 11:09:58 ] :: [  BEGIN   ] :: Running 'rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm'
/root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
hash(sha384): 562eb1111ef3e3c2ec9c60e53b27af259ff984f31a804d97bfd49df13e843128
sign_hash_v2: signing failed: (invalid digest length) in EVP_PKEY_sign
openssl: error:1C8000A6:Provider routines::invalid digest length
error: sign_hash failed
error: signFile failed

It started failing with the update to rpm-4.19.91-1.fc41 and redhat-rpm-config-291-1.fc41 from rpm-4.19.1.1-2.fc41.

If I omit "--signfiles --fskpath=/etc/keys/privkey_evm.pem" from the above command then it works.
Btw, I have no issues reading the key with
openssl rsa -in /etc/keys/privkey_evm.pem -text

The test case source is available at
https://github.com/RedHat-SP-Security/keylime-tests/blob/main/functional/install-rpm-with-ima-signature/test.sh
with IMA keys being generated here
https://github.com/RedHat-SP-Security/keylime-tests/blob/main/Library/test-helpers/lib.sh#L1494

Reproducible: Always

Steps to Reproduce:
1. attempt to sign RPM file using --signfiles
Actual Results:  
Failure

Expected Results:  
Signing succeeds.
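The error in the log above is OpenSSL's signing primitive rejecting a digest whose length does not match the declared hash algorithm. The script below is an added example (my own code, not rpm's signing code and not part of the reporter's test suite) of the consistency check a signer should perform before handing a digest to the key: it scans `hash(algo): hex` lines like the one in the report and compares the hex length against the algorithm's digest size. The report's line carries 64 hex characters, i.e. 32 bytes, which is the size of a sha256 digest and not the 48 bytes a sha384 digest has, so it fails the check; a second line computed here over constructed file content passes. Function names, the sample content and the log-line regex are my own assumptions.

```python
import hashlib
import re

# Digest sizes in bytes for the algorithms an IMA/rpmsign signing step may report.
DIGEST_SIZES = {name: hashlib.new(name).digest_size
                for name in ("sha1", "sha224", "sha256", "sha384", "sha512")}

# Assumed shape of the rpmsign diagnostic line: "hash(sha384): <hex digest>".
HASH_LINE = re.compile(r"hash\((?P<algo>[a-z0-9]+)\):\s*(?P<hex>[0-9a-fA-F]+)")


def check_digest(algo: str, digest_hex: str) -> tuple[bool, str]:
    """Return (ok, reason).

    This is the sanity check a signer must make before calling the signing
    primitive: the digest must be exactly as long as the declared algorithm
    produces, otherwise a library such as OpenSSL refuses with
    'invalid digest length'.
    """
    algo = algo.lower()
    if algo not in DIGEST_SIZES:
        return False, f"unknown digest algorithm {algo!r}"
    if len(digest_hex) % 2:
        return False, "odd number of hex characters"
    got = len(digest_hex) // 2
    want = DIGEST_SIZES[algo]
    if got != want:
        # Name the algorithm(s) whose size matches: a useful hint when a digest
        # was computed with one algorithm but labelled with another.
        matches = [n for n, s in DIGEST_SIZES.items() if s == got]
        hint = f"; {got} bytes matches {', '.join(matches)}" if matches else ""
        return False, f"invalid digest length: {algo} needs {want} bytes, got {got}{hint}"
    return True, "ok"


def check_rpmsign_output(text: str) -> list[tuple[str, bool, str]]:
    """Scan signing output for 'hash(algo): hex' lines and check each one."""
    results = []
    for m in HASH_LINE.finditer(text):
        ok, reason = check_digest(m.group("algo"), m.group("hex"))
        results.append((m.group("algo"), ok, reason))
    return results


def digest_file_bytes(data: bytes, algo: str) -> str:
    """Hash file content the way a file-signing step starts, returning hex."""
    return hashlib.new(algo, data).hexdigest()


# Constructed sample input: the hash line quoted from the report above, plus a
# consistent sha384 line computed here over constructed file content.
SAMPLE_CONTENT = b"constructed sample file content\n"
LOG_FROM_REPORT = (
    "hash(sha384): 562eb1111ef3e3c2ec9c60e53b27af259ff984f31a804d97bfd49df13e843128\n"
)
CONSISTENT_LINE = f"hash(sha384): {digest_file_bytes(SAMPLE_CONTENT, 'sha384')}\n"

if __name__ == "__main__":
    for algo, ok, reason in check_rpmsign_output(LOG_FROM_REPORT + CONSISTENT_LINE):
        print(f"{algo}: {'OK' if ok else 'FAIL'} ({reason})")
```

Running this over a signing log is a cheap regression check for a build pipeline: a mismatch between the algorithm a tool prints and the digest length it hands to the key shows up before the signature step fails, and the hint names which algorithm the length actually corresponds to.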

Comment 1 Panu Matilainen 2024-06-11 05:10:16 UTC
Seems kinda strange as there's almost zero changes to the signing code in rpm, but almost != none.
Thanks for the report, we'll look into it.

Comment 2 Panu Matilainen 2024-06-11 06:40:43 UTC
Should be fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2024-d5cd0a365c
I wasn't able to locally test just now but it seems fairly obvious.

Comment 3 Karel Srot 2024-06-12 07:25:17 UTC
Hi Panu,
thanks for a prompt action. I can confirm it fixes the issue.

Comment 4 Panu Matilainen 2024-06-12 10:22:18 UTC
Ok, we can close this then. Thanks for verifying!