Description of problem:
libgcrypt was recently updated from 1.10.0-1.fc36 to 1.10.1-1.fc36. This introduced a regression (or at least scary errors) in FIPS mode.

Version-Release number of selected component (if applicable):
libgcrypt 1.10.1-1.fc36

How reproducible:
Always

Steps to Reproduce:
1. fips-mode-setup --enable
2. reboot
3. journalctl -b -t sshd

Actual results:
The journalctl command *itself* prints

libgcrypt selftest: binary (0): Invalid object

and otherwise the logs show:

Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: libgcrypt selftest: binary (0): Invalid object
Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Libgcrypt error: integrity check failed: Invalid object
Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Libgcrypt notice: state transition Self-Test => Error
Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Server listening on 0.0.0.0 port 22.
Apr 07 13:15:59 fedora-36-127-0-0-2-2201 sshd[981]: Server listening on :: port 22.
Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: libgcrypt selftest: binary (0): Invalid object
Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: Libgcrypt error: integrity check failed: Invalid object
Apr 07 13:16:11 fedora-36-127-0-0-2-2201 sshd[2127]: Libgcrypt notice: state transition Self-Test => Error

This is true for a lot of services:

# journalctl -b | grep gcrypt | wc -l
libgcrypt selftest: binary (0): Invalid object
465

Expected results:
gcrypt self-tests succeed

Additional info:
This was spotted in https://github.com/cockpit-project/bots/pull/3198, cockpit CI's fedora-36 image refresh.
Sounds like package notes stuff is relinking the binary after the checksum is added, therefore invalidating *and* removing it from the binary ...

From koji build log:

ECHO_N=-n READELF=readelf AWK=gawk \
	./gen-note-integrity.sh > libgcrypt.so.hmac
make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src'
make[2]: Entering directory '/builddir/build/BUILD/libgcrypt-1.10.1/src'
objcopy --add-section .note.fdo.integrity=libgcrypt.so.hmac \
	--set-section-flags .note.fdo.integrity=noload,readonly \
	.libs/libgcrypt.so .libs/libgcrypt.so.new
mv -f .libs/libgcrypt.so.new .libs/libgcrypt.so.*.*
make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src'
make[2]: Entering directory '/builddir/build/BUILD/libgcrypt-1.10.1/src'
/bin/sh ../libtool --tag=CC --mode=link gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT,/builddir/build/BUILD/libgcrypt-1.10.1/.package_note-libgcrypt-1.10.1-1.fc36.x86_64.ld -o mpicalc mpicalc-mpicalc.o libgcrypt.la -lgpg-error
libtool: link: gcc -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fvisibility=hidden -fno-delete-null-pointer-checks -Wall -Wl,-z -Wl,relro -Wl,--as-needed -Wl,-z -Wl,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dT -Wl,/builddir/build/BUILD/libgcrypt-1.10.1/.package_note-libgcrypt-1.10.1-1.fc36.x86_64.ld -o .libs/mpicalc mpicalc-mpicalc.o ./.libs/libgcrypt.so -lgpg-error
make[2]: Leaving directory '/builddir/build/BUILD/libgcrypt-1.10.1/src'
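The diagnosis above comes down to one observable fact: the shipped libgcrypt.so either carries the `.note.fdo.integrity` section that objcopy added, or it does not. The following is an added example (not libgcrypt's or Fedora's code) that checks exactly that on any ELF64 little-endian shared object using only the Python standard library, and decodes whatever ELF note entries the section holds. It also constructs two sample ELF images inline, one with the note and one without, standing in for the "before objcopy" and "after relink" states; the note name and type it writes into the sample are assumed placeholder values, not necessarily what gen-note-integrity.sh produces, and the descriptor is zero-filled rather than a real HMAC.

```python
"""Check whether an ELF64 shared object still carries a .note.fdo.integrity section.

Added example, not libgcrypt code. Pure stdlib; parses only the section table and
the ELF note format, which is all that is needed to see whether the integrity note
survived the build (the failure mode discussed in this bug).
"""
import struct

SECTION_NAME = b".note.fdo.integrity"
SHT_NOTE, SHT_STRTAB = 7, 3


def elf_sections(data: bytes):
    """Yield (name, sh_type, sh_offset, sh_size) for each section header."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    # e_shoff at 0x28; e_shentsize, e_shnum, e_shstrndx at 0x3a..0x3f
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum, e_shstrndx = struct.unpack_from("<HHH", data, 0x3A)
    headers = []
    for i in range(e_shnum):
        off = e_shoff + i * e_shentsize
        sh_name, sh_type, _flags, _addr, sh_offset, sh_size = struct.unpack_from("<IIQQQQ", data, off)
        headers.append((sh_name, sh_type, sh_offset, sh_size))
    _, _, str_off, str_size = headers[e_shstrndx]          # section-name string table
    strtab = data[str_off:str_off + str_size]
    for sh_name, sh_type, sh_offset, sh_size in headers:
        yield strtab[sh_name:strtab.index(b"\0", sh_name)], sh_type, sh_offset, sh_size


def parse_notes(blob: bytes):
    """Decode ELF note entries (namesz, descsz, type, name, desc); fields are 4-byte aligned."""
    notes, pos = [], 0
    while pos + 12 <= len(blob):
        namesz, descsz, ntype = struct.unpack_from("<III", blob, pos)
        pos += 12
        name = blob[pos:pos + namesz].rstrip(b"\0")
        pos += (namesz + 3) & ~3
        desc = blob[pos:pos + descsz]
        pos += (descsz + 3) & ~3
        notes.append((name, ntype, desc))
    return notes


def integrity_note(data: bytes):
    """Return the decoded notes of .note.fdo.integrity, or None if the section is absent."""
    for name, _stype, off, size in elf_sections(data):
        if name == SECTION_NAME:
            return parse_notes(data[off:off + size])
    return None


def describe(data: bytes) -> str:
    """One-line verdict suitable for a packaging sanity check or a post-install audit."""
    notes = integrity_note(data)
    if notes is None:
        return "MISSING: no .note.fdo.integrity section (FIPS integrity check cannot pass)"
    return "; ".join(f"note name={n.decode(errors='replace')} type=0x{t:x} desc={d.hex()}"
                     for n, t, d in notes)


def build_sample_elf(with_note: bool) -> bytes:
    """Construct a minimal ELF64 LE image (no code, no segments) as sample input.
    Note name/type are placeholders (assumption), descriptor is 32 zero bytes."""
    layout = []                                            # (name, sh_type, body)
    if with_note:
        nname, desc = b"FDO\0", bytes(32)
        layout.append((SECTION_NAME, SHT_NOTE,
                       struct.pack("<III", len(nname), len(desc), 0xCAFE1A7E) + nname + desc))
    layout.append((b".shstrtab", SHT_STRTAB, b""))
    shstrtab = b"\0" + b"\0".join(n for n, _, _ in layout) + b"\0"
    layout[-1] = (b".shstrtab", SHT_STRTAB, shstrtab)
    bodies, offsets, pos = b"", [], 64                     # section bodies follow the header
    for _, _, body in layout:
        offsets.append(pos)
        bodies += body
        pos += len(body)
    shdrs = struct.pack("<IIQQQQIIQQ", *([0] * 10))        # SHT_NULL entry 0
    for (name, stype, body), off in zip(layout, offsets):
        shdrs += struct.pack("<IIQQQQIIQQ", shstrtab.index(name + b"\0"), stype, 0, 0,
                             off, len(body), 0, 0, 1, 0)
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    header = e_ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, pos, 0, 64, 0, 0,
                                   64, len(layout) + 1, len(layout))
    return header + bodies + shdrs


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                              # e.g. /usr/lib64/libgcrypt.so.20
        with open(path, "rb") as f:
            print(path, "->", describe(f.read()))
    if len(sys.argv) == 1:
        print("sample with note    ->", describe(build_sample_elf(True)))
        print("sample after relink ->", describe(build_sample_elf(False)))
```

Run it with the path of the installed library to confirm the note is present after the update lands; run it with no arguments to see the two sample verdicts. Presence of the section is a necessary condition only: whether the embedded HMAC actually matches is decided by libgcrypt's own self-test at load time, which is what the journal lines in the report show failing.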
Thank you for the report. I am looking into that as I obviously messed up the checksum re-creation after the debuginfo is stripped, because I did not notice how much different. Fortunately, it affects only FIPS mode on Fedora, which is hopefully not much used.
FEDORA-2022-ec883a424c has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-ec883a424c
FEDORA-2022-ec883a424c has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-ec883a424c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-ec883a424c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-ec883a424c has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.