Bug 1022078 - spacewalk-repo-sync of MD-5 signed packages on a FIPS enabled Satellite produces errors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Server
Version: 560
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Milan Zázrivec
QA Contact: Jan Hutař
URL:
Whiteboard:
Depends On:
Blocks: 843620
Reported: 2013-10-22 15:35 UTC by Milan Zázrivec
Modified: 2015-01-13 10:44 UTC (History)

Fixed In Version: spacewalk-backend-2.2.13-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-13 10:44:51 UTC
Target Upstream Version:
Embargoed:


Description Milan Zázrivec 2013-10-22 15:35:15 UTC
Description of problem:
Import of MD-5 signed packages (i.e. RHEL-5 content) using spacewalk-repo-sync
on a FIPS enabled Satellite produces the following errors:

# spacewalk-repo-sync -c test-channel-vt-01
Repo URL: http://whatever.com/directory/
Packages in repo:                59
Packages already synced:          0
Packages to sync:                59
1/59 : python-virtinst-0.400.3-13.el5-0.noarch
error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
2/59 : kmod-kvm-83-262.el5_9.4-0.x86_64
error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips
3/59 : virt-who-0.7-9.el5-0.noarch
error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

The process completes successfully; nonetheless, the packages are not imported
into the associated channel.


Version-Release number of selected component (if applicable):
Satellite 5.6

How reproducible:
Always

Steps to Reproduce:
1. Install Satellite 5.6 on a FIPS enabled RHEL system
2. spacewalk-repo-sync of a yum repo containing MD-5 signed packages

Actual results:
Above results.

Expected results:
With FIPS enabled, either the import completes successfully, or the process
informs the user that the import is not possible.

Additional info:
SHA-256 signed packages (RHEL-6 content) import successfully.

Comment 1 Milan Zázrivec 2014-04-01 14:58:47 UTC
Fixed in spacewalk.git master: a478498e201f94cff1b4bacd187cf33c8f61c7a8

Comment 4 Pavel Studeník 2015-01-13 10:33:51 UTC
Reverified with phonon-backend-gstreamer-4.6.2-28.el6_5.x86_64

>>> import hashlib; hashlib.md5()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: error:060800A3:digital envelope routines:EVP_DigestInit_ex:disabled for fips

# /usr/bin/spacewalk-repo-sync --channel fedora-21-aarch64 --type yum
Repo URL: http://fr2.rpmfind.net/linux/fedora-secondary/development/21/aarch64/os/
Packages in repo:             34088
Packages passed filter rules:    22
Packages already synced:          0
Packages to sync:                22
1/22 : kernel-tools-3.17.4-302.fc21-0.aarch64
...
22/22 : redhat-rpm-config-26-1.fc21-0.noarch
Linking packages to channel.
Repo http://fr2.rpmfind.net/linux/fedora-secondary/development/21/aarch64/os/ has comps file a60f6bd88244e1b01551d2429d39380b28e7b771c8b60201689d78a88123df5b-comps-f21.xml.xz.
Repo http://fr2.rpmfind.net/linux/fedora-secondary/development/21/aarch64/os/ has 0 errata.
Sync completed.
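
Added example (not part of the bug report and not the spacewalk fix): a sketch of the behaviour asked for under "Expected results", where a digest refused by the crypto policy is reported per package and reflected in the exit status instead of being printed and ignored. The package names, the `b"abc"` payloads and `fips_like_factory` are constructed for illustration; `usedforsecurity=False` assumes Python 3.9 or later, with a fallback for older interpreters.

```python
import hashlib

FIPS_ERROR = ("error:060800A3:digital envelope routines:"
              "EVP_DigestInit_ex:disabled for fips")  # message quoted from the report

class DigestUnavailable(Exception):
    """The local crypto policy (e.g. FIPS mode) refuses this digest."""

def new_digest(algo, factory=hashlib.new):
    """Create a hash object for an integrity comparison, not a security decision."""
    try:
        try:
            # Python 3.9+: declares the non-security use to the crypto backend.
            return factory(algo, usedforsecurity=False)
        except TypeError:
            return factory(algo)  # older interpreter without the keyword
    except ValueError as exc:
        raise DigestUnavailable("%s unavailable: %s" % (algo, exc))

def fips_like_factory(algo, **_kwargs):
    """Constructed stand-in for a hashlib that blocks MD5 unconditionally."""
    if algo == "md5":
        raise ValueError(FIPS_ERROR)
    return hashlib.new(algo)

def sync(packages, factory=hashlib.new):
    """Return {name: status}; a refused digest is reported, never silently dropped."""
    report = {}
    for name, algo, expected, payload in packages:
        try:
            digest = new_digest(algo, factory)
        except DigestUnavailable as exc:
            report[name] = "skipped: %s" % exc
            continue
        digest.update(payload)
        ok = digest.hexdigest() == expected
        report[name] = "imported" if ok else "rejected: checksum mismatch"
    return report

def exit_code(report):
    """Non-zero when any package was not imported, so callers notice."""
    return 0 if all(s == "imported" for s in report.values()) else 1

# Constructed sample repo: names are hypothetical, payload is b"abc" throughout.
PACKAGES = [
    ("el5-style-pkg", "md5", "900150983cd24fb0d6963f7d28e17f72", b"abc"),
    ("el6-style-pkg", "sha256",
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", b"abc"),
    ("el6-corrupt-pkg", "sha256", "0" * 64, b"abc"),
]
```

Calling `sync(PACKAGES, fips_like_factory)` reproduces the situation in this report: the MD5 package is marked as skipped with the OpenSSL message attached, and `exit_code` returns 1.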

Comment 5 Clifford Perry 2015-01-13 10:44:51 UTC
With the release of Red Hat Satellite 5.7 on January 12th 2015 this bug is
being moved to a Closed Current Release state. 

The Satellite 5.7 GA Errata:
 - https://rhn.redhat.com/errata/RHSA-2015-0033.html 

Satellite 5.7 Release Notes:
 - https://access.redhat.com/documentation/en-US/Red_Hat_Satellite/5.7/html-single/Release_Notes/index.html

Satellite Customer Portal Blog announcement for release:
 - https://access.redhat.com/blogs/1169563/posts/1315743 

Cliff

