Bug 2297927
| Summary: | rpmsign broken: error: sign_hash failed | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Karel Srot <ksrot> |
| Component: | ima-evm-utils | Assignee: | Bruno Meneguele <brdeoliv> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 41 | CC: | brdeoliv, ffesti, fzatlouk, igor.raits, laura, mdomonko, packaging-team-maint, pbrobinson, pmatilai, stefanb, vgoyal, zohar |
| Target Milestone: | --- | Keywords: | Regression, Reopened |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | AcceptedFreezeException | | |
| Fixed In Version: | ima-evm-utils-1.6.1-2.fc42 ima-evm-utils-1.6.2-1.fc41 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2024-09-04 18:29:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2247866 | | |
Description
Karel Srot
2024-07-15 10:27:57 UTC
Opened upstream as https://github.com/rpm-software-management/rpm/issues/3214

The related rpm code hasn't changed at all since the fix to bug 2291183, so I'm more inclined to think this is a regression in ima-evm-utils 1.0.6, to which rawhide was updated in the meanwhile. Especially since this has appeared in the rpm build log as a result, so clearly there have been significant changes on the ima-evm-utils side:

```
/builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c: In function ‘signFile’:
/builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c:56:5: warning: ‘sign_hash’ is deprecated [-Wdeprecated-declarations]
   56 |     siglen = sign_hash(algo, fdigest, diglen, key, keypass, signature+1);
      |     ^~~~~~
In file included from /builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.h:12,
                 from /builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c:17:
/usr/include/imaevm.h:240:23: note: declared here
  240 | IMAEVM_DEPRECATED int sign_hash(const char *algo, const unsigned char *hash,
      |                       ^~~~~~~~~
```

I'm not saying it's the case here, but it wouldn't be the first piece of software to deprecate a function and break it in the process when the tests no longer cover it.

This is definitely possible since in order to downgrade rpm I had to also downgrade to ima-evm-utils-1.5-5.fc41.

Can you retest with 1.6.1 please?

Hi Peter,
I have tested with ima-evm-utils-1.6-2.fc41.x86_64, the issue is still present.

```
rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm
out: error: sign_hash failed
out: error: signFile failed
out: /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
```

And the same happens with ima-evm-utils-1.6.1-1.fc41.
I have modified evmctl 1.6 to use the old API sign_hash to create IMA signatures but I cannot recreate the issue with it. So at least in this case the old API seems to still be working fine. I suppose we can rule out a failure to sign due to usage of SHA-1? Any chance to hook gdb onto rpmsign?

I will try to recreate this with rawhide.

One of the recent changes in RH is building ima-evm-utils with just provider support, not with engine support. sign_hash() is now limited to engine support. Could this be the cause of the problem?

It's an issue occurring during runtime when engines are missing. PR: https://github.com/linux-integrity/ima-evm-utils/pull/9

(In reply to zohar from comment #7)
> One of the recent changes in RH is building ima-evm-utils with just provider
> support, not with engine support. sign_hash() is now limited to engine
> support. Could this be the cause of the problem?

RHEL-10 drops engine support altogether, and it's deprecated upstream in openssl.

Scratch build here with the PR patch, Karel can you test pls: https://koji.fedoraproject.org/koji/taskinfo?taskID=122682616

(In reply to Peter Robinson from comment #10)
> Scratch build here with the PR patch, Karel can you test pls:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=122682616

Hello, I can confirm this build fixes the issue. Thank you.

FEDORA-2024-42aa96c1d5 (ima-evm-utils-1.6.1-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-42aa96c1d5

FEDORA-2024-69fa1ec0bf (ima-evm-utils-1.6.1-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-69fa1ec0bf

Proposed as a Freeze Exception for 41-beta by Fedora user pbrobinson using the blocker tracking app because:

sign_hash is broken when used with ima. This is used by IoT Edition.

> sign_hash is broken when used with ima. This is used by IoT Edition.
That's meant to read "rpm sign_hash"
FEDORA-2024-42aa96c1d5 (ima-evm-utils-1.6.1-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.

FEDORA-2024-69fa1ec0bf has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-69fa1ec0bf` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-69fa1ec0bf See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2024-360cc548cb has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-360cc548cb` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-360cc548cb See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Discussed during the 2024-09-03 blocker review meeting: [1] The decision to classify this bug as a AcceptedFreezeException (Beta) was made: "This is accepted as it potentially has consequences during compose of IoT and upgrade of IoT systems to Beta, per Peter."

[1] https://meetbot.fedoraproject.org/blocker-review_matrix_fedoraproject-org/2024-09-03/f41-blocker-review.2024-09-03-16.00.log.html

FEDORA-2024-360cc548cb (ima-evm-utils-1.6.2-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.