sublimehq / sublime_merge

Issue tracker for Sublime Merge
https://www.sublimemerge.com

Package does not install when FIPS mode is enabled (RHEL/CentOS) #1137

Open zsmi opened 3 years ago

zsmi commented 3 years ago

Version info

Description

If FIPS mode is enabled in Red Hat Enterprise Linux 8 or CentOS 7, Sublime Merge cannot be updated or installed using the Linux repository. When running an update, the user will see the following error: Error: Transaction test error: package sublime-merge-2054-1.x86_64 does not verify: no digest

sudo yum update
Updating Subscription Management repositories.
No read/execute access in current directory, moving to /
Red Hat CodeReady Linux Builder for RHEL 8 x86_ 4.9 kB/s | 2.8 kB     00:00    
Red Hat Ansible Engine 2 for RHEL 8 x86_64 (RPM 4.2 kB/s | 2.4 kB     00:00    
Red Hat Enterprise Linux 8 for x86_64 - AppStre 4.5 kB/s | 2.8 kB     00:00    
Red Hat Satellite Tools 6.6 for RHEL 8 x86_64 ( 3.5 kB/s | 2.1 kB     00:00    
Red Hat Enterprise Linux 8 for x86_64 - Supplem 3.5 kB/s | 2.1 kB     00:00    
Red Hat Enterprise Linux 8 for x86_64 - BaseOS  4.0 kB/s | 2.4 kB     00:00    
Red Hat Ansible Engine 2.8 for RHEL 8 x86_64 (R 4.2 kB/s | 2.4 kB     00:00    
Red Hat Satellite Tools 6.5 for RHEL 8 x86_64 ( 4.4 kB/s | 2.1 kB     00:00    
Dependencies resolved.
================================================================================
 Package               Architecture   Version        Repository            Size
================================================================================
Upgrading:
 sublime-merge         x86_64         2054-1         sublime-text         5.8 M

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 5.8 M
Is this ok [y/N]: y
Downloading Packages:
sublime-merge-2054-1.x86_64.rpm                  11 MB/s | 5.8 MB     00:00    
--------------------------------------------------------------------------------
Total                                            11 MB/s | 5.8 MB     00:00     
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'yum clean packages'.
Error: Transaction test error:
  package sublime-merge-2054-1.x86_64 does not verify: no digest

Steps to reproduce

Steps to reproduce the behavior:

  1. Enable FIPS mode on RHEL 8: sudo fips-mode-setup --enable (for CentOS 7 look here: https://www.thegeekdiary.com/how-to-make-centos-rhel-7-fips-140-2-compliant/)
  2. Reboot the system
  3. Verify FIPS mode is enabled: cat /proc/sys/crypto/fips_enabled (should return 1 if enabled)
  4. sudo rpm -v --import https://download.sublimetext.com/sublimehq-rpm-pub.gpg
  5. sudo yum-config-manager --add-repo https://download.sublimetext.com/rpm/stable/x86_64/sublime-text.repo
  6. sudo yum install sublime-merge

Expected behavior

Successfully install and update the Sublime Merge package when FIPS mode is enabled.

Documentation for a Fix

Note: Requires rpm v4.14 or newer

  - Detailed explanation of how to fix and why
  - How it was fixed in the wazuh package

dpjohnst commented 3 years ago

Hi @zsmi,

Thanks for reporting this!

As this issue is unlikely to be addressed in RHEL8 (see: https://bugzilla.redhat.com/show_bug.cgi?id=1728031), we suggest you install Sublime Merge via the tarball for the time being.

The tarball can be downloaded here via direct downloads: https://www.sublimemerge.com/download

Thanks,
- Dylan

zsmi commented 3 years ago

@dpjohnst This issue is addressed if the sublime_merge package is built using RHEL8 with rpm v4.14 or newer. I provided you links to documentation showing how to fix the issue (the problem isn't a bug in RHEL8). You don't even have to be on RHEL8 to build the proper package as long as you can install rpm v4.14 in your build environment (this link shows you how to do it in a CentOS 6 environment: https://github.com/wazuh/wazuh-packages/issues/367#issuecomment-573113336). I updated the broken link in the original post, but here it is again: https://www.starlab.io/blog/adding-sha256-digests-to-rpms
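
An added example, not part of the issue thread or of Sublime HQ's tooling: a pre-deployment check that parses an RPM's signature header and reports which digest tags it carries, so a package built without a SHA256 header digest can be spotted before it reaches FIPS-enabled hosts. The tag numbers come from rpm's tag table, the function names are hypothetical, the sample bytes are constructed, and the payload digest (stored in the main header) is not examined.

```python
import struct

LEAD_SIZE = 96                      # fixed-size RPM lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header structure magic + version byte
# Digest tags that can appear in the signature header (numbers from rpm's tag table).
DIGEST_TAGS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}

def signature_digests(blob):
    """Return the set of digest names present in an RPM's signature header."""
    if len(blob) < LEAD_SIZE + 16 or blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead")
    magic, _reserved, nindex, _hsize = struct.unpack_from(">4s4sII", blob, LEAD_SIZE)
    if magic != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    index_start = LEAD_SIZE + 16
    if index_start + 16 * nindex > len(blob):
        raise ValueError("truncated signature index")
    found = set()
    for i in range(nindex):
        # Each index entry is four big-endian uint32s: tag, type, offset, count.
        tag, _type, _offset, _count = struct.unpack_from(">IIII", blob, index_start + 16 * i)
        if tag in DIGEST_TAGS:
            found.add(DIGEST_TAGS[tag])
    return found

def has_sha256_header_digest(blob):
    """True when the signature header carries a SHA256 header digest."""
    return "SHA256" in signature_digests(blob)

def _sample_rpm(tags):
    """Constructed test input: lead plus signature index only, no real payload."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 6, 0, 1) for t in tags)
    return lead + HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 0) + index

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            digests = signature_digests(fh.read())
        status = "ok" if "SHA256" in digests else "NO SHA256 HEADER DIGEST"
        print(f"{path}: {sorted(digests)} -> {status}")
```

Run it against the downloaded `.rpm` files in a repository mirror or build output; a package that lists only MD5 and SHA1 was built without the SHA256 header digest the linked documentation describes adding.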