```
# rpm -q rpm
rpm-4.19.92-2.fc41.x86_64
# rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm
/root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
error: sign_hash failed
error: signFile failed
```

This is a regression compared to

```
# rpm -q rpm
rpm-4.19.91-13.fc41.x86_64
[root@vm-10-0-186-98 tmp.UFeskSJtgO]# rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm
/root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
hash(sha256): 562eb1111ef3e3c2ec9c60e53b27af259ff984f31a804d97bfd49df13e843128
evm/ima signature: 264 bytes
```

FYI, this is the identical scenario as in the previously reported bug https://bugzilla.redhat.com/show_bug.cgi?id=2291183, although the error message is not entirely identical.

The test case source is available at https://github.com/RedHat-SP-Security/keylime-tests/blob/main/functional/install-rpm-with-ima-signature/test.sh with IMA keys being generated here: https://github.com/RedHat-SP-Security/keylime-tests/blob/main/Library/test-helpers/lib.sh#L1494

Reproducible: Always

Steps to Reproduce:
1. attempt to sign RPM file using --signfiles
2.
3.

Actual Results: Failure

Expected Results: Signing succeeds.
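A self-contained smoke test for the failure reported above, added here as an example (it is not the keylime-tests script or rpm's own code): it builds a throwaway one-file noarch package, signs it the same way as in the report, and checks that every file actually received an IMA signature. It assumes rpmbuild and rpmsign are installed, that `%_gpg_name` is configured for `--addsign`, and that the signing key path in `IMA_KEY` (the report's placeholder `/etc/keys/privkey_evm.pem` by default) exists.

```shell
#!/bin/sh
# Smoke test for "rpmsign --signfiles" (constructed example, not from the page).
# Assumes: rpmbuild, rpmsign, %_gpg_name configured, IMA key at $IMA_KEY.
set -eu

IMA_KEY="${IMA_KEY:-/etc/keys/privkey_evm.pem}"   # placeholder path from the report

# Reads "path signature" lines (output of the rpm query below) on stdin.
# Returns 0 when every file carries a non-empty IMA signature, 1 otherwise.
# rpm prints "(none)" for the signature when the FILESIGNATURES tag is absent.
check_file_sigs() {
    awk 'NF < 2 || $2 == "(none)" { bad++ }
         END { if (bad > 0) exit 1; exit 0 }'
}

# Builds a minimal package, signs it like the report does, then verifies
# the per-file signatures. Exit status 1 reproduces the reported regression.
sign_and_verify() {
    top=$(mktemp -d)
    mkdir -p "$top/SPECS"
    cat > "$top/SPECS/smoke.spec" <<'EOF'
Name: ima-sign-smoke
Version: 1
Release: 1
Summary: Constructed package for an rpmsign --signfiles smoke test
License: MIT
BuildArch: noarch
%description
Constructed package used only to check that rpmsign --signfiles works.
%install
mkdir -p %{buildroot}/usr/share/ima-sign-smoke
echo hello > %{buildroot}/usr/share/ima-sign-smoke/hello.txt
%files
/usr/share/ima-sign-smoke/hello.txt
EOF
    rpmbuild --define "_topdir $top" -bb "$top/SPECS/smoke.spec" >/dev/null
    pkg=$(find "$top/RPMS" -name '*.rpm' | head -n 1)
    # Same invocation as the bug report; a broken sign_hash fails here.
    rpmsign --addsign --signfiles --fskpath="$IMA_KEY" "$pkg"
    # FILESIGNATURES holds the hex-encoded IMA signature of each file.
    rpm -qp --qf '[%{FILENAMES} %{FILESIGNATURES}\n]' "$pkg" | check_file_sigs
}
```

Run `sign_and_verify` after sourcing the script; a non-zero exit means the package was built but its files were not signed.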
Opened upstream as https://github.com/rpm-software-management/rpm/issues/3214
The related rpm code hasn't changed at all since the fix to bug 2291183, so I'm more inclined to think this is a regression in ima-evm-utils 1.0.6, to which rawhide was updated in the meanwhile. Especially since this has appeared in rpm build log as a result, so clearly there have been significant changes on the ima-evm-utils side:

```
/builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c: In function ‘signFile’:
/builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c:56:5: warning: ‘sign_hash’ is deprecated [-Wdeprecated-declarations]
   56 |     siglen = sign_hash(algo, fdigest, diglen, key, keypass, signature+1);
      |     ^~~~~~
In file included from /builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.h:12,
                 from /builddir/build/BUILD/rpm-4.19.92-build/rpm-4.19.92/sign/rpmsignfiles.c:17:
/usr/include/imaevm.h:240:23: note: declared here
  240 | IMAEVM_DEPRECATED int sign_hash(const char *algo, const unsigned char *hash,
      |                       ^~~~~~~~~
```

I'm not saying it's the case here, but it wouldn't be the first piece of software to deprecate a function and break it in the process when the tests no longer cover it.
This is definitely possible since in order to downgrade rpm I had to also downgrade to ima-evm-utils-1.5-5.fc41.
Can you retest with 1.6.1 please?
Hi Peter, I have tested with ima-evm-utils-1.6-2.fc41.x86_64, the issue is still present.

```
rpmsign --addsign --signfiles --fskpath=/etc/keys/privkey_evm.pem /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm
out: error: sign_hash failed
out: error: signFile failed
out: /root/rpmbuild/RPMS/noarch/rpm-ima-sign-test-1-1.noarch.rpm:
```

And the same situation is with ima-evm-utils-1.6.1-1.fc41
I have modified evmctl 1.6 to use the old API sign_hash to create IMA signatures but I cannot recreate the issue with it. So at least in this case the old API seems to still be working fine. I suppose we can rule out a failure to sign due to usage of SHA-1? Any chance to hook gdb onto rpmsign? I will try to recreate this with rawhide.
One of the recent changes in RH is building ima-evm-utils with just provider support, not with engine support. sign_hash() is now limited to engine support. Could this be the cause of the problem?
It's an issue occurring during runtime when engines are missing. PR: https://github.com/linux-integrity/ima-evm-utils/pull/9
(In reply to zohar from comment #7)
> One of the recent changes in RH is building ima-evm-utils with just provider
> support, not with engine support. sign_hash() is now limited to engine
> support. Could this be the cause of the problem?

RHEL-10 drops engine support altogether, and it's deprecated upstream in openssl.
Scratch build here with the PR patch, Karel can you test pls: https://koji.fedoraproject.org/koji/taskinfo?taskID=122682616
(In reply to Peter Robinson from comment #10)
> Scratch build here with the PR patch, Karel can you test pls:
> https://koji.fedoraproject.org/koji/taskinfo?taskID=122682616

Hello, I can confirm this build fixes the issue. Thank you.
FEDORA-2024-42aa96c1d5 (ima-evm-utils-1.6.1-2.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2024-42aa96c1d5
FEDORA-2024-69fa1ec0bf (ima-evm-utils-1.6.1-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-69fa1ec0bf
Proposed as a Freeze Exception for 41-beta by Fedora user pbrobinson using the blocker tracking app because: sign_hash is broken when used with ima. This is used by IoT Edition.
> sign_hash is broken when used with ima. This is used by IoT Edition.

That's meant to read "rpm sign_hash"
FEDORA-2024-42aa96c1d5 (ima-evm-utils-1.6.1-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-69fa1ec0bf has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-69fa1ec0bf`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-69fa1ec0bf

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-360cc548cb has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command:

`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-360cc548cb`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-360cc548cb

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Discussed during the 2024-09-03 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException (Beta) was made: "This is accepted as it potentially has consequences during compose of IoT and upgrade of IoT systems to Beta, per Peter."

[1] https://meetbot.fedoraproject.org/blocker-review_matrix_fedoraproject-org/2024-09-03/f41-blocker-review.2024-09-03-16.00.log.html
FEDORA-2024-360cc548cb (ima-evm-utils-1.6.2-1.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.