After an update to newer rpm we have started observing test failures due to rpmsign failing.

    :: [ 11:09:58 ] :: [ BEGIN ] :: Running 'rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm'
    /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
    hash(sha384): 562eb1111ef3e3c2ec9c60e53b27af259ff984f31a804d97bfd49df13e843128
    sign_hash_v2: signing failed: (invalid digest length) in EVP_PKEY_sign
    openssl: error:1C8000A6:Provider routines::invalid digest length
    error: sign_hash failed
    error: signFile failed

It started failing with the update to rpm-4.19.91-1.fc41 and redhat-rpm-config-291-1.fc41 from rpm-4.19.1.1-2.fc41.

If I omit "--signfiles --fskpath=/etc/keys/privkey_evm.pem" from the above command then it works.

Btw, I have no issues reading the key with

    openssl rsa -in /etc/keys/privkey_evm.pem -text

The test case source is available at https://github.com/RedHat-SP-Security/keylime-tests/blob/main/functional/install-rpm-with-ima-signature/test.sh with IMA keys being generated here https://github.com/RedHat-SP-Security/keylime-tests/blob/main/Library/test-helpers/lib.sh#L1494

Reproducible: Always

Steps to Reproduce:
1. attempt to sign RPM file using --signfiles

Actual Results: Failure

Expected Results: Signing succeeds.
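The digest line in the output above is labelled sha384 but carries 64 hex characters, while a SHA-384 digest is 96 hex characters long. The following is an added example, not part of the report or of rpm: it parses `hash(<algo>): <hex>` lines and flags a label/length mismatch. The function name and the second sample line are constructed for illustration.

```python
import hashlib
import re

# Matches digest lines such as "hash(sha384): 562e..." in the signing output.
HASH_LINE = re.compile(r"\bhash\((?P<algo>[\w-]+)\):\s*(?P<hex>[0-9a-fA-F]+)\b")

# Algorithms used to suggest what an unexpected length would correspond to.
CANDIDATES = ("sha1", "sha224", "sha256", "sha384", "sha512")

# First line is the digest line from the report; the second is constructed.
SAMPLE_LOG = "\n".join([
    "hash(sha384): 562eb1111ef3e3c2ec9c60e53b27af259ff984f31a804d97bfd49df13e843128",
    "hash(sha256): " + hashlib.sha256(b"constructed sample").hexdigest(),
])


def check_digest_lines(text):
    """Return one finding per hash(...) line, comparing label and length."""
    findings = []
    for m in HASH_LINE.finditer(text):
        algo = m.group("algo").lower()
        actual_hex = len(m.group("hex"))
        try:
            expected_hex = hashlib.new(algo).digest_size * 2
        except ValueError:  # label is not an algorithm hashlib knows
            expected_hex = None
        findings.append({
            "algo": algo,
            "expected_hex": expected_hex,
            "actual_hex": actual_hex,
            "ok": expected_hex == actual_hex,
            # Which common algorithms produce a digest of the observed length.
            "length_matches": [c for c in CANDIDATES
                               if hashlib.new(c).digest_size * 2 == actual_hex],
        })
    return findings


if __name__ == "__main__":
    for f in check_digest_lines(SAMPLE_LOG):
        status = "ok" if f["ok"] else "MISMATCH"
        print(f'{status}: {f["algo"]} expects {f["expected_hex"]} hex chars, '
              f'got {f["actual_hex"]} (length fits: {f["length_matches"]})')
```
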
Seems kinda strange as there's almost zero changes to the signing code in rpm, but almost != none. Thanks for the report, we'll look into it.
Should be fixed in https://bodhi.fedoraproject.org/updates/FEDORA-2024-d5cd0a365c I wasn't able to locally test just now but it seems fairly obvious.
Hi Panu, thanks for the prompt action. I can confirm it fixes the issue.
Ok, we can close this then. Thanks for verifying!