Description of problem:
Package ruby fails to build from source in Fedora Rawhide.
https://koschei.fedoraproject.org/package/ruby

build.log
```
184) Error:
OpenSSL::TestPKeyRSA#test_sign_verify_options:
OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1)
    /builddir/build/BUILD/ruby-3.4.2-build/ruby-3.4.2/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each'
    /builddir/build/BUILD/ruby-3.4.2-build/ruby-3.4.2/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign'
    /builddir/build/BUILD/ruby-3.4.2-build/ruby-3.4.2/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options'

185) Error:
OpenSSL::TestPKeyRSA#test_sign_verify_pss:
OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1)
    /builddir/build/BUILD/ruby-3.4.2-build/ruby-3.4.2/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss'
    /builddir/build/BUILD/ruby-3.4.2-build/ruby-3.4.2/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss'

Finished tests in 1152.595208s, 27.9812 tests/s, 5697.0278 assertions/s.
32251 tests, 6566367 assertions, 0 failures, 2 errors, 183 skips
```

The koschei started to fail from the following build.
https://koschei.fedoraproject.org/build/19932543

That is the timing that openssl RPM upgraded as follows.
openssl-libs 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43
openssl-devel 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43

But I am not sure if this is the timing that this SHA-1 issue started to happen. Because the above build's build.log is not available any more.

This issue doesn't happen

Version-Release number of selected component (if applicable):
$ ruby-3.4.2-23.fc43.x86_64

Steps to Reproduce:
$ koji build --scratch f43 ruby-3.4.2-23.fc43.src.rpm

Additional info:
This package is tracked by Koschei.
See: https://koschei.fedoraproject.org/package/ruby

Reproducible: Always

Steps to Reproduce:
This issue can happen with the upstream ruby/openssl and latest openssl-devel-3.5.0-2.fc43.x86_64 on rawhide.

```
$ rpm -q openssl-libs openssl-devel
openssl-libs-3.5.0-2.fc43.x86_64
openssl-devel-3.5.0-2.fc43.x86_64

$ rpm -q ruby ruby-devel rubygem-bundler
ruby-3.4.2-23.fc43.x86_64
ruby-devel-3.4.2-23.fc43.x86_64
rubygem-bundler-2.6.2-23.fc43.noarch

$ git remote -v | grep origin
origin https://github.com/ruby/openssl.git (fetch)
origin https://github.com/ruby/openssl.git (push)

$ git log --pretty=oneline | head -1
09495dcd20c531f234ae4d5f11767ffa5304b6d3 Merge pull request #877 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.1

$ bundle install --standalone
$ bundle exec rake compile
$ bundle exec rake test
```

Actual Results:
```
$ bundle exec rake test
...
E
===============================================================================================
Error: test_sign_verify_options(OpenSSL::TestPKeyRSA):
  OpenSSL::PKey::PKeyError: EVP_PKEY_CTX_ctrl_str(ctx, "rsa_mgf1_md", "SHA1"): digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'Hash#each'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::PKey::PKey#sign'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:113:in 'OpenSSL::TestPKeyRSA#test_sign_verify_options'
     110:       "rsa_pss_saltlen" => 20,
     111:       "rsa_mgf1_md" => "SHA1"
     112:     }
  => 113:     sig_pss = key.sign("SHA256", data, pssopts)
     114:     assert_equal 256, sig_pss.bytesize
     115:     assert_equal true, key.verify("SHA256", sig_pss, data, pssopts)
     116:     assert_equal true, key.verify_pss("SHA256", sig_pss, data,
===============================================================================================
E
===============================================================================================
Error: test_sign_verify_pss(OpenSSL::TestPKeyRSA): OpenSSL::PKey::RSAError: digest not allowed (digest=SHA1)
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::PKey::RSA#sign_pss'
/mnt/git/ruby/openssl/test/openssl/test_pkey_rsa.rb:191:in 'OpenSSL::TestPKeyRSA#test_sign_verify_pss'
     188:     data = "Sign me!"
     189:     invalid_data = "Sign me?"
     190:
  => 191:     signature = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: "SHA1")
     192:     assert_equal 256, signature.bytesize
     193:     assert_equal true,
     194:       key.verify_pss("SHA256", signature, data, salt_length: 20, mgf1_hash: "SHA1")
===============================================================================================
...
577 tests, 4186 assertions, 0 failures, 2 errors, 0 pendings, 3 omissions, 0 notifications
```

Expected Results:
The test passes.

This issue doesn't happen with the upstream OpenSSL 3.5 (3.5.0-beta1).[1] So, the issue is the downstream Fedora OpenSSL specific.

[1] https://github.com/ruby/openssl/pull/878
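Added example, not part of the original report and not the change made in the Fedora or ruby/openssl pull requests: a Ruby probe that reports whether the local OpenSSL build accepts SHA1 as the RSA-PSS MGF1 digest (the call that fails at test_pkey_rsa.rb:191 above) and picks a digest the library permits. The helper names `probe_mgf1`, `pick_mgf1` and `pss_roundtrip` are hypothetical, and the key and message are constructed for the example.

```ruby
require "openssl"

# Constructed sample input; the key is generated locally for this example.
DATA = "Sign me!"
KEY  = OpenSSL::PKey::RSA.new(2048)

# Try an RSA-PSS sign/verify with the given MGF1 digest.
# Returns :allowed when the library accepts it and :rejected when the
# provider or system policy refuses it (e.g. "digest not allowed").
def probe_mgf1(key, mgf1_hash, data = DATA)
  sig = key.sign_pss("SHA256", data, salt_length: 20, mgf1_hash: mgf1_hash)
  ok  = key.verify_pss("SHA256", sig, data, salt_length: 20, mgf1_hash: mgf1_hash)
  ok ? :allowed : :rejected
rescue OpenSSL::PKey::PKeyError # RSAError is covered by PKeyError
  :rejected
end

# First MGF1 digest from the candidate list that the local build accepts.
def pick_mgf1(key, candidates = %w[SHA1 SHA256])
  candidates.find { |md| probe_mgf1(key, md) == :allowed }
end

# Mirrors the assertions of the failing test with a caller-chosen MGF1 digest:
# [signature size, verify(original data), verify(modified data)].
def pss_roundtrip(key, mgf1_hash)
  opts = { salt_length: 20, mgf1_hash: mgf1_hash }
  sig  = key.sign_pss("SHA256", DATA, **opts)
  [sig.bytesize,
   key.verify_pss("SHA256", sig, DATA, **opts),
   key.verify_pss("SHA256", sig, "Sign me?", **opts)]
end

if __FILE__ == $0
  puts "library:      #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "MGF1 SHA1:    #{probe_mgf1(KEY, 'SHA1')}"
  puts "MGF1 SHA256:  #{probe_mgf1(KEY, 'SHA256')}"
  puts "using MGF1:   #{pick_mgf1(KEY)}"
end
```

A `:rejected` result for SHA1 next to `:allowed` for SHA256 indicates the refusal is specific to the digest rather than to RSA-PSS itself.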
> That is the timing that openssl RPM upgraded as follows.
> openssl-libs 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43
> openssl-devel 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43

> But I am not sure if this is the timing that this SHA-1 issue started to happen. Because the above build's build.log is not available any more.

At this timing cmake is upgraded to (problematic?) 4.0.0~rc2-1.fc43
and in my memory the build failure was not for openssl issue but with
testsuite with cmake related.

Later, openssl is upgraded from 1:3.2.4-2.fc43 to 1:3.2.4-3.fc43.

And at the exact timing cmake is again downgraded to 3.31.6-2.fc43,
openssl is upgraded to 1:3.5.0-1.fc43 .

So I guess that ruby test failure began with openssl change from
1:3.2.4-3.fc43 to 1:3.5.0-1.fc43
(In reply to Mamoru TASAKA from comment #1)
> > That is the timing that openssl RPM upgraded as follows.
> > openssl-libs 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43
> > openssl-devel 1:3.2.4-1.fc43 => 1:3.2.4-2.fc43
>
> > But I am not sure if this is the timing that this SHA-1 issue started to happen. Because the above build's build.log is not available any more.
>
> At this timing cmake is upgraded to (problematic?) 4.0.0~rc2-1.fc43
> and in my memory the build failure was not for openssl issue but with
> testsuite with cmake related.
>
> Later, openssl is upgraded from 1:3.2.4-2.fc43 to 1:3.2.4-3.fc43.
>
> And at the exact timing cmake is again downgraded to 3.31.6-2.fc43,
> openssl is upgraded to 1:3.5.0-1.fc43 .
>
> So I guess that ruby test failure began with openssl change from
> 1:3.2.4-3.fc43 to 1:3.5.0-1.fc43

Oh! Thanks for the info! By the way, I was able to fix this issue by fixing the tests locally. I will send the PR later.
I sent the PR below. https://src.fedoraproject.org/rpms/ruby/pull-request/207
(In reply to Mamoru TASAKA from comment #1)

And there was also a crypto-policies change at the same time, wasn't there?
FEDORA-2025-67acc9ab79 (ruby-3.4.2-24.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-67acc9ab79
FEDORA-2025-67acc9ab79 (ruby-3.4.2-24.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.