Open aronatkins opened 1 year ago
A more minimal `debugging.R` that presents the same error:

```r
options(repos = c(CRAN = "https://cran.rstudio.com/"))
install.packages("openssl")

key <- openssl::rsa_keygen(2048L)
# signature_create() hashes with SHA1 unless told otherwise; this call raises the error.
rawsig <- openssl::signature_create(charToRaw("some data"), key = key)
signature <- openssl::base64_encode(rawsig)
```
Another variation on `debugging.R`:

```r
# ..
key <- openssl::rsa_keygen(2048L)

# Serialize both halves of the key pair to DER, then base64.
priv_der <- openssl::write_der(key)
pub_der <- openssl::write_der(key$pubkey)
token <- list(
  public_key = openssl::base64_encode(pub_der),
  private_key = openssl::base64_encode(priv_der)
)

# Read the private key back from its base64-encoded DER form.
private_key <- openssl::read_key(
  openssl::base64_decode(token$private_key),
  der = TRUE
)

rawsig <- openssl::signature_create(charToRaw("some data"), key = key)
signature <- openssl::base64_encode(rawsig)
```
Related to #363?
The error can be avoided if we tell OpenSSL to allow SHA1 signatures:

```dockerfile
ENV OPENSSL_ENABLE_SHA1_SIGNATURES=yes
RUN R -f /content/debugging.R
```
RHEL9 OpenSSL disables SHA1 signatures: https://gitlab.com/redhat/centos-stream/rpms/openssl/-/commit/78fb78d30755ae18fdaef28ef392f4e67c662ff6 (linked from https://github.com/VirusTotal/yara/issues/1864#issuecomment-1400252566)
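
An added diagnostic, not part of the original thread or of rsconnect: it probes whether the local OpenSSL policy permits SHA1 signatures and whether a SHA-256 signature succeeds on the same key. The helper name `probe_signature` and the sample payload are assumptions made for illustration.

```r
library(openssl)

# Hypothetical helper: attempt to sign and verify `data` with the named digest.
# Returns a record instead of raising, so both digests can be compared side by side.
probe_signature <- function(key, data, hash_name) {
  hash_fn <- switch(hash_name,
    sha1 = openssl::sha1,
    sha256 = openssl::sha256,
    stop("unsupported hash: ", hash_name)
  )
  tryCatch({
    sig <- openssl::signature_create(data, hash = hash_fn, key = key)
    # signature_verify() returns TRUE on success and raises on a bad signature.
    ok <- openssl::signature_verify(data, sig, hash = hash_fn, pubkey = key$pubkey)
    list(hash = hash_name, allowed = TRUE, verified = ok, error = NA_character_)
  }, error = function(e) {
    # On hosts whose OpenSSL policy rejects the digest, the failure lands here.
    list(hash = hash_name, allowed = FALSE, verified = FALSE,
         error = conditionMessage(e))
  })
}

key <- openssl::rsa_keygen(2048L)
data <- charToRaw("some data")  # constructed payload, same as in debugging.R

results <- lapply(c("sha1", "sha256"), function(h) probe_signature(key, data, h))
for (r in results) {
  cat(sprintf("%-7s allowed=%-5s verified=%-5s %s\n",
              r$hash, r$allowed, r$verified,
              if (is.na(r$error)) "" else r$error))
}
```

A host that reports `allowed=FALSE` for `sha1` but `allowed=TRUE` for `sha256` is enforcing the SHA1 restriction described above. A SHA-256 signature only helps if the receiving server verifies with the same digest.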
> Related to #363?
@hadley - Related, yes: That issue tracks an error when using MD5 to produce checksums; this one reports an error when using SHA1 to create signatures.
This particular SHA1 error was not previously seen - maybe because RHEL9 (with the added enforcement) is fairly recent.
Oh sorry, I meant #768
> Oh sorry, I meant #768
Oh! I totally didn't find that issue. Yes, it looks to be the same error.
Support ticket reference: 91795
Support ticket reference: 96540
According to https://github.com/dotnet/runtime/issues/65874#issuecomment-1058187135 another workaround would be to set `rh-allow-sha1-signatures` in `openssl.cnf`.
Is the problem being tracked on the connect side too? Obviously it will need a change before we can use a different client side strategy.
Connect issue #14353 tracks shifting away from MD5; I did not find anything tracking this piece.
@mmarchetti - are you tracking a change to API keys in all workflows?
When using FIPS in a Rocky Linux 9 container, calling `openssl::signature_create` can err like:

This can happen when people attempt to configure a Posit Account using the RStudio IDE or using `rsconnect::connectUser`.

Folks encountering this problem can use `rsconnect::connectApiUser` as a workaround.

Here is the `Dockerfile`:

Here is `debugging.R`:

With the `Dockerfile` and `debugging.R` files written into a directory, recreate the error with: