Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Trevor Vaughan commented on PUP-10859:

Version 7.6.0-1 works properly in FIPS mode on EL8

This message was sent by Atlassian Jira (v8.20.2#820002-sha1:829506d)
--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-bugs/JIRA.384622.1611426826000.20610.1645390980046%40Atlassian.JIRA.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Trevor Vaughan updated an issue: Puppet / PUP-10859
Change By: Trevor Vaughan

*Puppet Version:* All
*Puppet Server Version:* All
*OS Name/Version:* CentOS and RHEL 8.3+ in FIPS mode

CentOS and RHEL 8.3+, when running in FIPS mode, require SHA-256 signatures on both repository metadata and RPMs.

StarLab has a [good summary of the issue|https://www.starlab.io/blog/adding-sha256-digests-to-rpms] and I can confirm that re-signing the RPMs using a CentOS 8.3+ base container/image will allow for correct installation.

*Desired Behavior:* Ability to install puppet RPMs on an EL8 system in FIPS mode.
*Actual Behavior:* RPMs fail to install.
*Docs:* An example of the failure can be found in the [pupmod-simp-pupmod beaker tests|https://gitlab.com/simp/pupmod-simp-pupmod/-/jobs/980280745#L4089].

*How To Test:*
{code:java}
fips-mode-setup --enable
reboot
fips-mode-setup --check   # should say enabled
dnf -y install https://yum.puppet.com/puppet-release-el-8.noarch.rpm
dnf -y install puppetserver
{code}
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Trevor Vaughan commented on PUP-10859:

It looks like the solution was only a partial fix, unfortunately:

    Error unpacking rpm package puppetserver-7.5.0-1.el8.noarch
      Cleanup : lua-libs-5.3.4-11.el8.x86_64 18/18
    error: unpacking of archive failed on file /etc/puppetlabs/puppetserver/conf.d/auth.conf;61e5d5b8: cpio: Digest mismatch
    error: puppetserver-7.5.0-1.el8.noarch: install failed

It is possible to work around this particular error by re-signing things locally, but that is not ideal since we lose the vendor signature. And, of course, you still can't install from the puppet repositories themselves.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes commented on PUP-10859:

Ok, there were some delays in getting this change rolled out, but I was able to confirm that a local development build has all the correct digests/signatures:

    # rpm -Kv puppetserver-7.4.1-0.1SNAPSHOT.2021.09.21T2216.el8.noarch.rpm
    puppetserver-7.4.1-0.1SNAPSHOT.2021.09.21T2216.el8.noarch.rpm:
        Header V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
        Header SHA256 digest: OK
        Header SHA1 digest: OK
        Payload SHA256 digest: OK
        V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
        MD5 digest: OK
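A scripted version of the `rpm -Kv` check from the comment above, as an added example that is not part of the original thread or Puppet's tooling: it reads `rpm -Kv` output on stdin and reports whether the SHA-256 header digest, payload digest and signature are present and OK. The function and sample names, the legacy sample and the choice of these three items as the pass criteria are assumptions made here.

```shell
# Added example (not from the thread). Reads `rpm -Kv <pkg>` output on stdin.
# Assumption: the three SHA-256 items in the thread's output are the pass criteria.
check_rpm_kv() {
  awk '
    function status(line) {            # text after the last ": " on the line
      sub(/[ \t\r]+$/, "", line); sub(/^.*: */, "", line); return line
    }
    function report(name, st) {
      if (st == "")   { print "MISSING " name; return 1 }
      if (st != "OK") { print "FAILED " name " (" st ")"; return 1 }
      print "ok " name; return 0
    }
    /Header SHA256 digest:/  { hdr = status($0) }
    /Payload SHA256 digest:/ { pay = status($0) }
    # Keep the first non-OK result if any SHA256 signature fails to verify.
    $0 ~ "/SHA256 Signature, key ID" { if (sig == "" || sig == "OK") sig = status($0) }
    END {
      bad  = report("header-sha256-digest", hdr)
      bad += report("payload-sha256-digest", pay)
      bad += report("sha256-signature", sig)
      exit (bad > 0)                   # non-zero when anything is missing or not OK
    }'
}
# Output quoted in the comment above (development build).
sample_fixed() {
  cat <<'EOF'
puppetserver-7.4.1-0.1SNAPSHOT.2021.09.21T2216.el8.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 9e61ef26: OK
    MD5 digest: OK
EOF
}
# Constructed sample: a package carrying only SHA-1/MD5 items (placeholder key ID).
sample_legacy() {
  cat <<'EOF'
example-1.0-1.el8.noarch.rpm:
    Header V4 RSA/SHA1 Signature, key ID 00000000: OK
    Header SHA1 digest: OK
    V4 RSA/SHA1 Signature, key ID 00000000: OK
    MD5 digest: OK
EOF
}

sample_fixed  | check_rpm_kv
sample_legacy | check_rpm_kv || echo "SHA-256 items missing or failing"
```

On a real package, run `rpm -Kv ./package.rpm | check_rpm_kv`. This covers only what `rpm -Kv` reports; the `cpio: Digest mismatch` failure quoted elsewhere in the thread was raised while unpacking a file during install.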
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes commented on PUP-10859:

Liz Nemsick I believe I have a fix for this up now so hopefully the next puppet platform releases will include this change.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes updated an issue: Puppet / PUP-10859
Change By: Morgan Rhodes
Team: Night's Watch Release Engineering
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes assigned an issue to Morgan Rhodes: Puppet / PUP-10859
Change By: Morgan Rhodes
Assignee: Morgan Rhodes
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Liz Nemsick commented on PUP-10859:

Is there a timeframe to address this issue?
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes commented on PUP-10859:

Ok, I've been able to isolate this to some difference in the build environments for packages built with vanagon (puppet-agent, pdk) and packages built with ezbake (puppetserver, puppetdb). We will investigate this.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Maggie Dreyer commented on PUP-10859:

No, I think this is Release Engineering. We don't do anything with signing packages.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Jeanne Greulich commented on PUP-10859:

No, the problem does not happen when not in FIPS mode. The puppet-agent RPM is signed correctly, so it can be installed on EL8 in FIPS mode; you can use that as a model for signing your puppetserver RPM.
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Mihai Buzgau updated an issue: Puppet / PUP-10859
Change By: Mihai Buzgau
Epic Link: PA-3766
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Mihai Buzgau updated an issue: Puppet / PUP-10859
Change By: Mihai Buzgau
Labels: community
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Morgan Rhodes assigned an issue to Unassigned: Puppet / PUP-10859
Change By: Morgan Rhodes
Assignee: Morgan Rhodes
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Josh Cooper updated an issue: Puppet / PUP-10859
Change By: Josh Cooper
Team: Night's Watch
Jira (PUP-10859) Red Hat and CentOS 8.3 cannot install RPMs in FIPS mode
Trevor Vaughan created an issue: Puppet / PUP-10859
Issue Type: Bug
Affects Versions: PUP 6.19.1, PUP 7.1.0, PUP 6.18.0
Assignee: Morgan Rhodes
Created: 2021/01/23 10:33 AM
Priority: Major
Reporter: Trevor Vaughan

Puppet Version: All
Puppet Server Version: All
OS Name/Version: CentOS and RHEL 8.3+ in FIPS mode

CentOS and RHEL 8.3+, when running in FIPS mode, require SHA-256 signatures on both repository metadata and RPMs.

StarLab has a good summary of the issue and I can confirm that re-signing the RPMs using a CentOS 8.3+ base container/image will allow for correct installation.

Desired Behavior: Ability to install puppet RPMs on an EL8 system in FIPS mode.
Actual Behavior: RPMs fail to install.

An example of the failure can be found in the pupmod-simp-pupmod beaker tests.