Bug 2007850

Summary: FIPS jobs are failing a test trying to use a 1024-bit DSA key
Product: OpenShift Container Platform
Reporter: Stephen Benjamin <stbenjam>
Component: Test Framework
Assignee: Stephen Benjamin <stbenjam>
Status: CLOSED DUPLICATE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: 4.10
CC: sippy, walters
Target Milestone: ---
Target Release: 4.10.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-azure-fips-serial=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-aws-fips-serial=all
job=periodic-ci-openshift-release-master-nightly-4.10-e2e-gcp-fips-serial=all
Last Closed: 2021-11-10 14:22:30 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Stephen Benjamin 2021-09-25 13:39:57 UTC
periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips is failing frequently in CI, see:
https://testgrid.k8s.io/redhat-openshift-ocp-release-4.10-informing#periodic-ci-openshift-release-master-nightly-4.10-e2e-openstack-fips

The test failing is:
[sig-imageregistry][Serial][Suite:openshift/registry/serial] Image signature workflow can push a signed image to openshift registry and verify it [Suite:openshift/conformance/serial]

It appears to be from this test's generation of a dummy GPG key:

STEP: creating dummy GPG key
Sep 22 21:21:19.847: INFO: Running 'oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe'
Sep 22 21:21:20.573: INFO: Error running /usr/bin/oc --namespace=e2e-test-registry-signing-2rrsz --kubeconfig=/tmp/configfile304355208 exec sign-and-push -- /bin/bash -c rm -f /dev/random; ln -sf /dev/urandom /dev/random && GNUPGHOME=/var/lib/origin/gnupg gpg2 --batch --gen-key --pinentry-mode=loopback --passphrase '' dummy_key.conf && GNUPGHOME=/var/lib/origin/gnupg gpg2 --output=gnupg/pubring.gpg --export joe:
StdOut>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2
StdErr>
gpg: out of core handler ignored in FIPS mode
gpg: WARNING: unsafe permissions on homedir '/var/lib/origin/gnupg'
gpg: keybox '/var/lib/origin/gnupg/pubring.kbx' created
gpg: Generating openpgp key ...
gpg: agent_genkey failed: Invalid value
gpg: key generation failed: Invalid value
gpg: done
command terminated with exit code 2

Comment 1 Stephen Benjamin 2021-09-25 13:54:25 UTC
Not just OpenStack; all FIPS jobs are also failing. This seems to be because the config specifies creating a 1024-bit DSA key.

FIPS requires 2048-bit, per https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf (p9, Approval Status of Algorithms Used for Digital Signature Generation and Verification)
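
The comment above names the root cause (a gpg batch file asking for a 1024-bit DSA key, below the 2048-bit minimum in SP 800-131A r2). The script below is an added example, not code from openshift/origin or from the PR that fixed this bug: it shows a constructed parameter file with the weak setting beside one that meets the cited minimum, and a small pre-flight check that a CI step could run over such a file before invoking gpg2 --gen-key. The helper names, both sample configs, and the choice of 2048-bit RSA for the corrected file are assumptions made here; the real dummy_key.conf is not on this page.

```shell
#!/bin/sh
# Added example (not from openshift/origin or the fixing PR): validate a
# gpg --batch --gen-key parameter file against the SP 800-131A r2 minimum
# cited in Comment 1 (at least 2048-bit keys for signature generation).
# Helper names and both sample configurations are constructed here.

# Constructed sample: the kind of parameter file the bug describes
# (1024-bit DSA primary key), which the FIPS-mode gpg in the log rejects.
WEAK_CONF='%echo Generating a dummy key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: 1024
Name-Real: Joe Tester
Name-Email: joe@example.org
Expire-Date: 0
%commit
%echo done'

# Constructed sample: the same file with a 2048-bit RSA primary key and a
# 2048-bit RSA subkey, which meets the cited minimum (assumed fix, not
# necessarily what the upstream PR chose).
OK_CONF='%echo Generating a dummy key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Joe Tester
Name-Email: joe@example.org
Expire-Date: 0
%commit
%echo done'

# Print the smallest Key-Length/Subkey-Length value in the parameter file
# passed as $1 (prints an empty line if the file sets no length).
min_key_bits() {
    printf '%s\n' "$1" | awk '
        /^(Key|Subkey)-Length:/ {
            bits = $2 + 0
            if (min == "" || bits < min) min = bits
        }
        END { print min }'
}

# Return 0 when every Key-Length/Subkey-Length in $1 is at least $2 bits
# (default 2048); otherwise print each offending line and return 1.
check_gpg_batch_conf() {
    min_bits="${2:-2048}"
    printf '%s\n' "$1" | awk -v min="$min_bits" '
        /^(Key|Subkey)-Length:/ {
            bits = $2 + 0
            if (bits < min) {
                printf "weak: %s (minimum %d bits)\n", $0, min
                bad = 1
            }
        }
        END { if (bad) exit 1 }'
}

# Run the check over both constructed samples. A CI pre-flight step could do
# the same over the real parameter file before calling gpg2 --gen-key, so the
# job fails with a clear message instead of "agent_genkey failed: Invalid value".
for name in WEAK_CONF OK_CONF; do
    eval "conf=\$$name"
    if check_gpg_batch_conf "$conf"; then
        echo "$name: ok (smallest key $(min_key_bits "$conf") bits)"
    else
        echo "$name: rejected (smallest key $(min_key_bits "$conf") bits)"
    fi
done
```

The check only covers the key-length floor that the comment cites; it does not model the full set of algorithms libgcrypt permits in FIPS mode, so a file passing this check can still be refused by gpg for other reasons. Running it before the gpg2 call turns a confusing "Invalid value" into an explicit report of which line asked for too small a key.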

Comment 2 Colin Walters 2021-09-27 12:46:11 UTC
Nice find, this looks like a useful find from the periodic variants *and* a demonstration of why some organizations want to use FIPS - to be sure there isn't legacy code generating very weak keys or with long broken ciphers, etc.

Comment 4 Stephen Benjamin 2021-11-10 14:22:30 UTC
This was corrected in https://github.com/openshift/origin/pull/26510

*** This bug has been marked as a duplicate of bug 1960674 ***