TurboVNC / turbovnc

Main TurboVNC repository
https://TurboVNC.org
GNU General Public License v2.0

Repo package install fails on RHEL 8 w/FIPS #353

Closed djareval closed 1 year ago

djareval commented 1 year ago

RHEL 8 systems in FIPS mode cannot by default install packages that have been built with less secure digests (MD5/SHA1).

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)

$ fips-mode-setup --check
FIPS mode is enabled.

$ sudo yum install turbovnc
Updating Subscription Management repositories.
Last metadata expiration check: 0:36:59 ago on Thu 22 Dec 2022 03:15:38 PM PST.
Dependencies resolved.
...
<output truncated>
...
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package turbovnc-3.0.2-20221128.x86_64 does not verify: no digest

$ rpm --checksig -v turbovnc-3.0.2.x86_64.rpm
turbovnc-3.0.2.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    MD5 digest: NOTFOUND

Can future packages be built using more updated algorithms?

Here's a well-written summary of how one organization made that change.

In the meantime, (for anyone stumbling on this) the workaround is to tell rpm to ignore the digest, either by installing outside the package manager or overriding the default rpm macro.
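As an added example (not code from the TurboVNC project), a POSIX sh check that reads `rpm --checksig -v` output and reports whether the package carries the SHA-256 payload digest that a FIPS-mode host needs; the two sample outputs are constructed, the first copied from the report above and the second showing what a rebuilt package should report.

```shell
#!/bin/sh
# Added example, not part of the TurboVNC project: classify the output of
# `rpm --checksig -v <pkg>.rpm` so a FIPS-mode host can reject a package
# before `yum install` fails with "does not verify: no digest".
# The rpm flags are real; the sample outputs below are constructed.

# Constructed: the digest/signature lines from the original report
OLD_PKG='turbovnc-3.0.2.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    MD5 digest: NOTFOUND'

# Constructed: what a package rebuilt with a SHA-256 payload digest reports
NEW_PKG='turbovnc-3.0.2.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 6e7fe9a1: OK
    MD5 digest: NOTFOUND'

# fips_installable CHECKSIG_TEXT
# Returns 0 when the payload has a verified SHA-256 digest, 1 otherwise.
# With the payload SHA256 digest NOTFOUND, rpm has only MD5 to fall back
# on, and FIPS mode disables MD5, hence "no digest" at install time.
fips_installable() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Payload SHA256 digest: OK$'
}

# fips_digest_summary CHECKSIG_TEXT
# Prints a one-line verdict suitable for a pre-deployment check script.
fips_digest_summary() {
    if fips_installable "$1"; then
        echo "payload-sha256: present"
    else
        echo "payload-sha256: missing (will fail under FIPS)"
    fi
}

# Real-world use: pass a local .rpm path as the first argument.
if [ -n "$1" ] && [ -f "$1" ]; then
    fips_digest_summary "$(rpm --checksig -v "$1")"
fi
```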

dcommander commented 1 year ago

I am out of the lab this week, but I'll look into this next week and issue new packages for the current releases of TurboVNC and VirtualGL, as well as modify the build system so that any future releases have SHA256 digests.

JPGlaser commented 1 year ago

This may be related to what I am experiencing in https://github.com/TurboVNC/turbovnc/issues/354

~ Joe G.

dcommander commented 1 year ago

Sorry for the delay. I have been hip-deep in libjpeg-turbo hell for the past couple of months but am finally coming up for air.

The RPMs are supposed to use SHA256 digests because of TurboVNC/buildscripts@978c14987fbcf524c8c32ae10aed387ed84f0805, but I can confirm that they don't. It seems that SHA256 digests are poorly supported in older versions of RPM, including the one we use in our official builds. I am investigating how to add them.

dcommander commented 1 year ago

New TurboVNC 3.0.2 RPM packages with SHA-256 payload digests have been deployed to SourceForge (and, by extension, the YUM repository). Do sudo yum clean metadata and try the install again.

djareval commented 1 year ago

Works great, thanks so much for the update!