Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2041710

Summary: UBI8 Python 3.9 packaging issue (twine TypeError digest_size)
Product: Red Hat Enterprise Linux 8 Reporter: Aditya Soni <adsoni>
Component: python39Assignee: Lumír Balhar <lbalhar>
Status: CLOSED UPSTREAM QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 8.7CC: cstratak, pviktori, torsava
Target Milestone: rcFlags: pm-rhel: mirror+
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-01 10:36:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Aditya Soni 2022-01-18 07:07:11 UTC 
What problem/issue/behavior are you having trouble with?  What do you expect to see?

We use the ubi8/python-39 [1] container image for packaging a Python application on GitLab. The "twine check dist/*" command errors out in a way that suggest that there is a problem with how the container image is packaged.

[1] https://catalog.redhat.com/software/containers/ubi8/python-39/6065b24eb92fbda3a4c65d8f?container-tabs=security

Please, see GitHub issue pypa/twine#857 [2] for details.
[2] https://github.com/pypa/twine/issues/857

Where are you experiencing the behavior? What environment?
GitLab CI runner, version  14.6.1, self-hosted (omnibus).

When does the behavior occur? Frequency? Repeatedly? At certain times?
Every time we run the command inside the container. It does not occur outside, e.g. on an Ubuntu 18.04 LTS Linux developer machine. Please, see the GitHub issue for details.
Comment 4 Lumír Balhar 2022-02-28 07:43:38 UTC 
Hello.

I'm gonna take a look at this and try to create a reproducer.
Comment 5 Lumír Balhar 2022-02-28 09:47:58 UTC 
I've responded to the mentioned upstream issue even it seems that the problem is not there.

The problem seems to be caused by FIPS mode. FIPS mode forces Python to use blake2 implementation from OpenSSL which has a different API than Python's implementation and Twine does not work with it.
Comment 6 Lumír Balhar 2022-02-28 10:32:00 UTC 
And this is not all. It seems that the BLAKE algorithms are not certified for FIPS (and are disabled on OpenSSL level) so the different API is only a part of the problem.

# python3.8
Python 3.8.0 (default, Mar  9 2020, 18:02:46) 
[GCC 8.3.1 20191121 (Red Hat 8.3.1-5)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import _hashlib
>>> _hashlib.get_fips_mode()
1
>>> import hashlib
>>> hashlib.blake2b(digest_size=256 //8)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
TypeError: 'digest_size' is an invalid keyword argument for openssl_blake2b()
>>> hashlib.blake2b()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS
Comment 7 Lumír Balhar 2022-02-28 12:32:40 UTC 
Upstream maintainer is willing to include a compatibility fix for our FIPS patch so I'm working on it in: https://github.com/pypa/twine/pull/879
Comment 8 Lumír Balhar 2022-02-28 17:28:30 UTC 
The fix is implemented upstream. However, there is room for improvement also in our own patch so I'm keeping the bug open.
Comment 9 Lumír Balhar 2022-03-01 10:36:26 UTC 
We have discussed this and realized that there is nothing we can do better on our side. Upstream code has been improved to handle this special case better and that's all we can do.