Description of problem:
gyp fails to run in FIPS mode. It fails due to a call to hashlib.md5.

Version-Release number of selected component (if applicable):

How reproducible:
Very

Steps to Reproduce:
0. Acquire a RHEL 8 or CentOS 8 VM in FIPS mode
1. mkdir sandbox && cd sandbox && hg clone https://hg.mozilla.org/projects/nspr && hg clone https://hg.mozilla.org/projects/nss
2. cd nss
3. ./build.sh -v --enable-fips

Actual results:
[root@localhost nss]# ./build.sh -v
run_scanbuild gyp -f ninja --depth=/root/sandbox/nss --generator-output=. -Dtarget_arch=x64 -Denable_sslkeylogfile=1 -Dnss_dist_dir=/root/sandbox/dist -Dnss_dist_obj_dir=/root/sandbox/dist/Debug -Dnspr_include_dir=/root/sandbox/dist/Debug/include/nspr -Dnspr_lib_dir=/root/sandbox/dist/Debug/lib /root/sandbox/nss/nss.gyp
gyp
multiprocessing.pool.RemoteTraceback:
"""
Traceback (most recent call last):
  File "/usr/lib64/python3.6/multiprocessing/pool.py", line 119, in worker
    result = (True, func(*args, **kwds))
  File "/usr/lib64/python3.6/multiprocessing/pool.py", line 44, in mapstar
    return list(map(*args))
  File "/usr/lib/python3.6/site-packages/gyp/generator/ninja.py", line 2467, in CallGenerateOutputForConfig
    GenerateOutputForConfig(target_list, target_dicts, data, params, config_name)
  File "/usr/lib/python3.6/site-packages/gyp/generator/ninja.py", line 2391, in GenerateOutputForConfig
    hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
"""

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/bin/gyp", line 11, in <module>
    load_entry_point('gyp==0.1', 'console_scripts', 'gyp')()
  File "/usr/lib/python3.6/site-packages/gyp/__init__.py", line 551, in script_main
    return main(sys.argv[1:])
  File "/usr/lib/python3.6/site-packages/gyp/__init__.py", line 544, in main
    return gyp_main(args)
  File "/usr/lib/python3.6/site-packages/gyp/__init__.py", line 529, in gyp_main
    generator.GenerateOutput(flat_list, targets, data, params)
  File "/usr/lib/python3.6/site-packages/gyp/generator/ninja.py", line 2493, in GenerateOutput
    pool.map(CallGenerateOutputForConfig, arglists)
  File "/usr/lib64/python3.6/multiprocessing/pool.py", line 266, in map
    return self._map_async(func, iterable, mapstar, chunksize).get()
  File "/usr/lib64/python3.6/multiprocessing/pool.py", line 644, in get
    raise self._value
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

Expected results:
gyp should build successfully in FIPS mode.

Additional info:
You should be able to pass the usedforsecurity=False flag to hashlib.md5(...) and hashlib.sha1(...) calls in generator/make.py and generator/ninja.py.
I'm not sure what was wrong, but adding usedforsecurity=False to hashlib.md5 and hashlib.sha1 seems to be causing a build issue, getting stuck on %check. I need to investigate it...
I just pulled master and re-added the patch. The issue I see is that Fedora doesn't ship the usedforsecurity kwargs; only RHEL does. So I think the patch should be applied on the epel8 branch only? Might warrant asking the Python team if they're planning on adding these kwargs.
Ah: Just talked with Christian. The feature was upstreamed in Python 3.8, but backported in RHEL. So I think building on Fedora Rawhide -- https://fedoraproject.org/wiki/Changes/Python3.8 -- would suffice.
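Added example, not part of the original report and not the gyp patch itself: a portable way to take a non-security MD5 fingerprint that works whether or not the interpreter accepts the usedforsecurity keyword, and whether or not MD5 is blocked. The names rule_hash and DIGEST_PATH are hypothetical, and the SHA-256 last resort assumes the caller only needs a stable unique name rather than an MD5-compatible value.

```python
import hashlib


def _pick_constructor():
    """Return (callable, label) for the first digest variant this interpreter allows."""
    probes = (
        # Interpreters that know the flag permit MD5 for non-security use
        # even when the crypto library runs in FIPS mode.
        ("md5(usedforsecurity=False)",
         lambda d: hashlib.md5(d, usedforsecurity=False)),
        # Interpreters without the flag: plain MD5, fine outside FIPS mode.
        ("md5()", lambda d: hashlib.md5(d)),
        # Assumption: a FIPS-approved digest is an acceptable substitute
        # because the value is only used as a unique identifier.
        ("sha256()", lambda d: hashlib.sha256(d)),
    )
    for label, ctor in probes:
        try:
            ctor(b"")
        except TypeError:
            # Keyword argument unknown to this interpreter.
            continue
        except ValueError:
            # Digest disabled, e.g. "... disabled for FIPS".
            continue
        return ctor, label
    raise RuntimeError("no usable digest available")


# Probe once at import time; DIGEST_PATH records which variant was chosen.
_CTOR, DIGEST_PATH = _pick_constructor()


def rule_hash(qualified_target):
    """Hex fingerprint of a target name for naming purposes only (not security)."""
    if isinstance(qualified_target, str):
        qualified_target = qualified_target.encode("utf-8")
    return _CTOR(qualified_target).hexdigest()


if __name__ == "__main__":
    # Constructed sample target name, not taken from the nss build.
    print(DIGEST_PATH, rule_hash("lib/example.gyp:example#target"))
```

Logging DIGEST_PATH during a build shows which branch a given host took, which helps when the same package is built on both Fedora and RHEL/EPEL.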
Re-visiting here. The patch is enabled again in gyp-0.1-0.39.fcd686f1git.el8 and built in koji.
FEDORA-EPEL-2020-2106038be8 has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2106038be8
FEDORA-EPEL-2020-2106038be8 has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2020-2106038be8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2020-2106038be8 has been pushed to the Fedora EPEL 8 stable repository. If the problem still persists, please make note of it in this bug report.