Re: [xcat-user] Installing with FIPS Mode Enabled

Tue, 25 Jul 2023 14:22:17 -0700 

Try taking xcat-dep rpms from 
https://www.xcat.org/files/xcat/repos/yum/devel/xcat-dep/rh9/
Those were rebuild last December with SHA256 signatures.

From: Scott W Groel <sgr...@clemson.edu>
Sent: Tuesday, July 25, 2023 3:32 PM
To: xcat-user@lists.sourceforge.net
Subject: [EXTERNAL] [xcat-user] Installing with FIPS Mode Enabled

Running into a bit of an issue installing xcat on a machine with FIPS mode 
enabled. I am seeing some issues with signing on RPMs in the XCAT repos. These 
look to be the affected packages: Error: Transaction test error: package 
perl-Net-HTTPS-NB-0. 14-2. noarch
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
    Report Suspicious  
<https://us-phishalarm-ewt.proofpoint.com/EWT/v1/PjiDSg!1e-ublFzRvmadYv7uKFFzm2_TqytAmw3KWf-KOPz-P-s4pAS1aoqdT3-nxSRbmBnTFcWoddQaTvz9L7XDgHHpuP1Z8GCyN0AeQiFxSmtOdV3FJ1zp1Mpsw0p5wR_77uSxCgzU3TisCM$>
   ‌
ZjQcmQRYFpfptBannerEnd
Running into a bit of an issue installing xcat on a machine with FIPS mode 
enabled. I am seeing some issues with signing on RPMs in the XCAT repos.

These look to be the affected packages:
Error: Transaction test error:
  package perl-Net-HTTPS-NB-0.14-2.noarch does not verify: no digest
  package xCAT-genesis-base-x86_64-2:2.14.5-snap201811190037.noarch does not 
verify: no digest
  package syslinux-xcat-3.86-2.noarch does not verify: no digest
  package grub2-xcat-2.02-0.76.el7.1.snap201905160255.noarch does not verify: 
no digest
  package elilo-xcat-3.14-6.noarch does not verify: no digest
  package yaboot-xcat-1.3.17-rc1.noarch does not verify: no digest

Looks like some signatures are missing:

rpm --checksig -v perl-Net-HTTPS-NB-0.14-2.noarch.rpm
perl-Net-HTTPS-NB-0.14-2.noarch.rpm:
    Header V4 RSA/SHA1 Signature, key ID ca548a47: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA1 Signature, key ID ca548a47: OK
    MD5 digest: NOTFOUND

Here is what we expect to see:
rpm --checksig -v xCAT-openbmc-py-2.16.5-snap202303030907.noarch.rpm
xCAT-openbmc-py-2.16.5-snap202303030907.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID ca548a47: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID ca548a47: OK

I can use some DNF flags to get around this, but I don’t believe that is the 
ideal solution… Could these packages be rebuilt to include the proper digests?

Thanks,
Scott Groel
Clemson University
Executive Director – Research Computing and Data Infrastructure
Email: sgr...@clemson.edu<mailto:sgr...@clemson.edu>
Phone: (864) 656-9235


_______________________________________________
xCAT-user mailing list
xCAT-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xcat-user






















					Reply via email to