wkhtmltopdf / packaging

Packaging of wkhtmltopdf releases
https://wkhtmltopdf.org/downloads.html#stable

Digest mismatch when installing latest RPM on a FIPS enabled system #95

Closed pkbarbiedoll closed 1 year ago

pkbarbiedoll commented 3 years ago

wkhtmltopdf version(s) affected: wkhtmltox-0.12.6-1.centos8.x86_64.rpm

OS information

RHEL 8.3

Description

Our system is required to run with FIPS mode enabled. This is set prior to installation via boot options (fips=1), and can be checked after installation with:

# cat /proc/sys/crypto/fips_enabled
1

Installation of the package is the same.

Download latest rpm:

wget https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6-1/wkhtmltox-0.12.6-1.centos8.x86_64.rpm

Attempt to install:

sudo dnf localinstall wkhtmltox-0.12.6-1.centos8.x86_64.rpm

Result:

Error unpacking rpm package wkhtmltox-1:0.12.6-1.centos8.x86_64
  Running scriptlet: wkhtmltox-1:0.12.6-1.centos8.x86_64                                                                                                         4/4 
error: unpacking of archive failed on file /usr/local/bin/wkhtmltoimage;606e16fc: cpio: Digest mismatch
error: wkhtmltox-1:0.12.6-1.centos8.x86_64: install failed

The same package installs fine on the same RHEL 8 installation with FIPS mode turned off during installation.

How to reproduce

Install RHEL/CentOS with FIPS enabled (fips=1 on boot options)

Expected behavior

Package installs normally (as with the same RHEL/CentOS 8 system without FIPS being enabled)

Possible Solution
Alternative file digest such as sha256 would allow this to be installed on systems where FIPS is enabled

ashkulz commented 3 years ago

I don't really use the fips mode -- what does it do? Maybe this is a bug which should be reported and fixed upstream -- can you reproduce it with a package other than wkhtmltopdf?

pkbarbiedoll commented 3 years ago

FIPS is intended for systems that require greater levels of security.

Maintainers of other packages have encountered the fips related digest errors, and fixed by enabling sha256 digests.

I'm able to install other RPMs without the digest error. For example:

# wget https://download-ib01.fedoraproject.org/pub/epel/8/Everything/x86_64/Packages/a/advancecomp-2.1-11.el8.x86_64.rpm

# rpm -ivh advancecomp-2.1-11.el8.x86_64.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:advancecomp-2.1-11.el8           ################################# [100%]
pkbarbiedoll commented 3 years ago

Using the successfully installed advancecomp package to compare:

[user@box packages]# rpm --checksig -v advancecomp-2.1-11.el8.x86_64.rpm 
advancecomp-2.1-11.el8.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 2f86d6a1: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 2f86d6a1: OK

[user@box packages]# rpm --checksig -v wkhtmltox-0.12.6-1.centos8.x86_64.rpm 
wkhtmltox-0.12.6-1.centos8.x86_64.rpm:
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
[user@box packages]# 
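The two `--checksig -v` listings above show that both packages carry SHA256 header and payload digests and that only the EPEL package carries an RSA signature; what `--checksig -v` does not print is the per-file digest algorithm, which is what the cpio "Digest mismatch" during unpacking is about (an MD5 per-file digest cannot be verified on a FIPS host). The following is an added example, not code from the wkhtmltopdf/packaging project or from anyone in this thread: a small Python parser that reads the RPM lead, signature header and main header directly and reports the file-digest algorithm (RPMTAG_FILEDIGESTALGO, which rpm omits when the algorithm is MD5), the payload digest algorithm and whether a header signature is present, so the check can run in CI on a host that has no rpm tool. The sample packages it builds are constructed inline (lead and headers only, no cpio payload) purely to exercise the parser; the tag numbers and algorithm ids come from rpm's public headers, and the package names, digest strings and signature placeholder are made up.

```python
"""FIPS-readiness check for an RPM by parsing the lead and header structures directly, so it
runs without the rpm tool (e.g. in CI). Added example, not wkhtmltopdf/packaging code; the
sample packages are constructed here (lead and headers only, no payload) to exercise the parser."""
import struct

LEAD_MAGIC, HEADER_MAGIC = b"\xed\xab\xee\xdb", b"\x8e\xad\xe8\x01"
# Main-header tags (rpmtag.h) that decide an install under FIPS.
RPMTAG_NAME, RPMTAG_FILEDIGESTS, RPMTAG_FILEDIGESTALGO = 1000, 1035, 5011
RPMTAG_PAYLOADDIGEST, RPMTAG_PAYLOADDIGESTALGO = 5092, 5093
# Signature-header tags; RSA/PGP entries exist only in signed packages.
RPMSIGTAG_RSA, RPMSIGTAG_SHA1, RPMSIGTAG_SHA256, RPMSIGTAG_PGP = 268, 269, 273, 1002
PGPHASHALGO = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}
FIPS_APPROVED = {"sha256", "sha384", "sha512"}
INT32, STRING, BIN, STRING_ARRAY = 4, 6, 7, 8   # RPM header data types


def _encode_header(entries):
    """Encode {tag: (type, value)} as one RPM header structure (magic, index, data)."""
    index, data = b"", b""
    for tag, (typ, value) in entries.items():
        if typ == INT32:                       # INT32 data is 4-byte aligned
            data += b"\0" * ((-len(data)) % 4)
            blob, count = struct.pack(">I", value), 1
        elif typ == STRING:
            blob, count = value.encode() + b"\0", 1
        elif typ == STRING_ARRAY:
            blob, count = b"".join(s.encode() + b"\0" for s in value), len(value)
        else:                                  # BIN
            blob, count = value, len(value)
        index += struct.pack(">iIiI", tag, typ, len(data), count)
        data += blob
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def build_sample_rpm(name, file_digests, file_algo=None, signed=False):
    """Constructed sample: 96-byte lead + signature header + main header, no payload."""
    lead = LEAD_MAGIC + b"\x03\x00" + struct.pack(">HH", 0, 1) + name.encode().ljust(66, b"\0")
    lead += struct.pack(">HH", 1, 5) + b"\0" * 16     # os=Linux, signature type 5 (header sig)
    sig = {RPMSIGTAG_SHA256: (STRING, "0" * 64), RPMSIGTAG_SHA1: (STRING, "0" * 40)}
    if signed:
        sig[RPMSIGTAG_RSA] = (BIN, b"rsa-signature-placeholder")
    sig_hdr = _encode_header(sig)
    sig_hdr += b"\0" * ((-len(sig_hdr)) % 8)         # signature header is padded to 8 bytes
    main = {RPMTAG_NAME: (STRING, name), RPMTAG_FILEDIGESTS: (STRING_ARRAY, file_digests),
            RPMTAG_PAYLOADDIGEST: (STRING_ARRAY, ["0" * 64]), RPMTAG_PAYLOADDIGESTALGO: (INT32, 8)}
    if file_algo is not None:   # rpmbuild writes FILEDIGESTALGO only for non-MD5 algorithms
        main[RPMTAG_FILEDIGESTALGO] = (INT32, file_algo)
    return lead + sig_hdr + _encode_header(main)


def _parse_header(buf, off):
    """Decode the header structure at buf[off:]; return ({tag: value}, end offset)."""
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    idx, data_start = off + 16, off + 16 + 16 * nindex
    data, tags = buf[data_start:data_start + hsize], {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">iIiI", buf[idx + 16 * i:idx + 16 * i + 16])
        if typ == INT32:
            tags[tag] = struct.unpack(">I", data[doff:doff + 4])[0]
        elif typ in (STRING, STRING_ARRAY):
            strs = [s.decode() for s in data[doff:].split(b"\0")[:count]]
            tags[tag] = strs[0] if typ == STRING else strs
        else:
            tags[tag] = data[doff:doff + count]
    return tags, data_start + hsize


def inspect_rpm(blob):
    """Report the facts that decide whether rpm can install this package under FIPS."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig, end = _parse_header(blob, 96)            # signature header follows the lead
    main, _ = _parse_header(blob, end + (-end) % 8)
    # Absent FILEDIGESTALGO means MD5, rpm's historic default; cross-check it against
    # the hex width of the first non-empty digest (directories/symlinks have empty ones).
    file_algo = PGPHASHALGO.get(main.get(RPMTAG_FILEDIGESTALGO, 1), "unknown")
    width = next((len(d) for d in main.get(RPMTAG_FILEDIGESTS, []) if d), None)
    by_width = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}
    if width is not None and by_width.get(width, file_algo) != file_algo:
        raise ValueError("FILEDIGESTALGO says %s but digests are %d hex chars" % (file_algo, width))
    payload_algo = (PGPHASHALGO.get(main[RPMTAG_PAYLOADDIGESTALGO], "unknown")
                    if RPMTAG_PAYLOADDIGESTALGO in main else None)
    return {
        "name": main.get(RPMTAG_NAME),
        "file_digest": file_algo,
        "payload_digest": payload_algo,
        "signed": RPMSIGTAG_RSA in sig or RPMSIGTAG_PGP in sig,
        # An MD5 per-file digest cannot be verified on a FIPS host: that is the
        # "cpio: Digest mismatch" at install time, whatever the header digests say.
        "fips_ready": file_algo in FIPS_APPROVED and payload_algo in FIPS_APPROVED | {None},
    }


if __name__ == "__main__":
    print(inspect_rpm(build_sample_rpm("wkhtmltox", ["0" * 32, ""])))
    print(inspect_rpm(build_sample_rpm("advancecomp", ["0" * 64, ""], file_algo=8, signed=True)))
```

Where rpm is available, `rpm -qp --qf '%{FILEDIGESTALGO}\n' pkg.rpm` gives the same answer ((none) meaning MD5) and `rpm -qlp --dump pkg.rpm` shows the digests themselves. If you do fall back to `--nodigest --nofiledigest`, keep in mind that those flags switch off rpm's own integrity checks on a package that, per the `--checksig` output above, is also unsigned, so verify the downloaded file's SHA-256 against a value obtained out of band before installing it that way.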
pkbarbiedoll commented 3 years ago

I'm able to install the package using the --nodigest and --nofiledigest options

[user@box packages]# rpm -ivh --nodigest --nofiledigest wkhtmltox-0.12.6-1.centos8.x86_64.rpm 
Preparing...                          ################################# [100%]
Updating / installing...
   1:wkhtmltox-1:0.12.6-1.centos8     ################################# [100%]
[root@nbs2 packages]# 
ashkulz commented 3 years ago

Can you check if building the RPM with this patch applied results in something that works? You can refer to the contents of README.md; you can do it on your local machine.

diff --git a/build b/build
index a1724c4..8d010f3 100755
--- a/build
+++ b/build
@@ -160,7 +160,7 @@ def package_docker(config, target, src_dir, iteration, clean=False):
         fdeb = '-t deb --deb-compression xz --provides wkhtmltopdf --conflicts wkhtmltopdf --replaces wkhtmltopdf --deb-shlibs "libwkhtmltox 0 wkhtmltox (>= 0.12.0)"'
         shell('docker run --rm -v%s:/tgt -w/tgt %s %s' % (os.path.abspath('targets'), fpm_args, fdeb))
     elif output in ('rpm', 'rpm:bzip2'):
-        frpm = '-t rpm --rpm-compression %s' % ('xz' if output == 'rpm' else 'bzip2')
+        frpm = '-t rpm --rpm-compression %s --rpm-digest sha256' % ('xz' if output == 'rpm' else 'bzip2')
         shell('docker run --rm -v%s:/tgt -w/tgt %s %s' % (os.path.abspath('targets'), fpm_args, frpm))
     elif output in ('pacman'):
         fpacman = '-t pacman'
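Review bot: `--rpm-digest sha256` is hardcoded into `frpm` while the compression next to it is still selected per output; that is fine for the fix, but it changes only the per-file digests that the cpio unpack step verifies, since the `--checksig -v` output earlier in the thread already shows SHA256 header and payload digests for this package and no RSA signature, so hosts with gpgcheck enabled will still need --nogpgcheck after this change. Worth adding a line to README.md (referenced above) stating that the RPM file digests are now SHA256 so FIPS users can tell which builds carry it.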
dylan-at-nagios commented 1 year ago

I made this change and the build was able to install on a FIPS-mode-enabled CentOS 9.

ashkulz commented 1 year ago

I think I'll leave the CentOS builds as-is (6 is EOL, 7 will be EOL in a year) but rebuild the AlmaLinux 8/9 images over the weekend.

bgiaccio commented 1 year ago

There isn't a released rpm for this change, are you planning to make a new build soon?

ashkulz commented 1 year ago

@bgiaccio it slipped off my radar, will attempt to do that this weekend.

srepetsk commented 1 year ago

I would also love to get a new RPM build with this fix in place!

bgiaccio commented 1 year ago

@ashkulz just a reminder you were going to try a build and release

ashkulz commented 1 year ago

@bgiaccio published a new release 0.12.6.1-3; some builds are still ongoing due to hitting the 6-hour cutoff.

bgiaccio commented 1 year ago

Was able to confirm that wkhtmltox-0.12.6.1-3.almalinux8.x86_64.rpm installs cleanly on RHEL 8 and with --nogpgcheck on CentOS 7. Thank you very much.

JonMcL commented 1 year ago

Very happy to have found this issue. I was able to install into RHEL 8 with dnf install --nogpgcheck https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-3/wkhtmltox-0.12.6.1-3.almalinux8.x86_64.rpm