periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips is failing frequently in CI, see: https://testgrid.k8s.io/redhat-openshift-ocp-release-4.10-informing#periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips

The test failing is:

[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]

It appears to be from this test's generation of a dummy GPG key:

STEP: creating dummy GPG key
Sep 22 21:21:19.847: INFO: Running 'oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe'
Sep 22 21:21:20.573: INFO: Error running /usr/bin/oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe:
StdOut>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2
StdErr>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2
Not just openstack, all FIPS jobs are also failing. This seems to be because the config specifies creating a 1024-bit DSA key. FIPS requires 2048-bit, per https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf (p9, Approval Status of Algorithms Used for Digital Signature Generation and Verification)
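For reference, the weak and the corrected gpg batch parameters side by side, plus a small pre-flight check that rejects the weak file before gpg2 is ever invoked (in FIPS mode gpg only tells you "Invalid value", as the log above shows). This is an added example, not the test's dummy_key.conf from openshift/origin, whose contents are not reproduced in this bug: the two batch files are constructed stand-ins, the field values (other than the name "joe", which the `--export joe` in the log implies) are illustrative, and the helper names `batch_field`, `min_len_for` and `fips_key_conf_ok` are my own. The 2048-bit floor is the SP 800-131A minimum for DSA/RSA cited above and is applied here to Elgamal subkeys as well; whether a given algorithm is itself approved is a separate question this check does not answer.

```shell
#!/usr/bin/env bash
# Added example, not code from openshift/origin. Demonstrates why a 1024-bit
# DSA batch config fails under FIPS and how to catch it before calling gpg2.
set -u

# Write two constructed batch files: the weak parameters described in this bug
# and the same file with the key sizes raised to the SP 800-131A minimum.
write_configs() {
  cat > weak_key.conf <<'EOF'
%echo Generating a dummy key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: joe
Name-Email: joe@example.com
Expire-Date: 0
%no-protection
%commit
%echo done
EOF
  cat > fips_key.conf <<'EOF'
%echo Generating a dummy key
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: joe
Name-Email: joe@example.com
Expire-Date: 0
%no-protection
%commit
%echo done
EOF
}

# Print the value of a "Header: value" line from a gpg batch file (first match).
batch_field() { # file header
  sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n1
}

# Minimum acceptable length, in bits, for a Key-Type / Subkey-Type value.
# DSA and RSA: 2048 per SP 800-131A. Elgamal (ELG, ELG-E) is a finite-field
# size like DSA and gets the same floor here (assumption, see lead-in).
min_len_for() { # algorithm
  case "$1" in
    DSA|RSA|ELG|ELG-E) echo 2048 ;;
    *) echo unknown ;;
  esac
}

# Return 0 if every key described in the batch file meets the minimum for its
# algorithm, else 1. An unset *-Length is treated as a failure: the default
# gpg would pick is version-dependent, so it must be stated explicitly.
fips_key_conf_ok() { # file
  local f=$1 ok=0 field type len min
  for field in Key Subkey; do
    type=$(batch_field "$f" "$field-Type")
    len=$(batch_field "$f" "$field-Length")
    [ -n "$type" ] || continue   # batch file has no key of this kind
    min=$(min_len_for "$type")
    if [ "$min" = unknown ]; then
      echo "$f: $field-Type $type is not in the table, review manually" >&2
      ok=1
    elif [ -z "$len" ] || [ "$len" -lt "$min" ]; then
      echo "$f: $field-Type $type with $field-Length ${len:-<unset>} is below the ${min}-bit minimum" >&2
      ok=1
    fi
  done
  return "$ok"
}

write_configs
for conf in weak_key.conf fips_key.conf; do
  if fips_key_conf_ok "$conf"; then
    echo "$conf: OK for FIPS key generation"
  else
    echo "$conf: rejected"
  fi
done

# To actually generate with the accepted file, mirroring the command in the
# failing test but with a scratch GNUPGHOME (not run here):
#   GNUPGHOME=$(mktemp -d) gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' fips_key.conf
```

Run on a FIPS-enabled host, the weak file is the one gpg2 refuses with "agent_genkey failed: Invalid value"; the check above gives the same verdict with a reason, without needing a FIPS machine.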
Nice find. This looks like a useful find from the periodic variants *and* a demonstration of why some organizations want to use FIPS: to be sure there isn't legacy code generating very weak keys or using long-broken ciphers, etc.
This was corrected in https://github.com/openshift/origin/pull/26510 *** This bug has been marked as a duplicate of bug 1960674 ***