RPM Missing Digests #1168

Closed
dcarlojr opened this issue May 17, 2024 · 7 comments · Fixed by #1193

We are unable to install NCPA 3.1.0-1 on RHEL systems running in FIPS mode. I believe the file digests are missing from the published RPMs. The yum/rpm transaction throws a `package ncpa-3.1.0-1.x86_64 does not verify: no digest` error.

OS: RHEL 9.2 x86_64

```
[root@nagios9-test ~]# yum install ncpa-latest-1.x86_64.rpm
Updating Subscription Management repositories.
Unable to read consumer identity
Warning: failed loading '/etc/yum.repos.d/redhat.repo', skipping.
Last metadata expiration check: 0:34:26 ago on Fri 17 May 2024 09:26:01 PM EDT.
Dependencies resolved.
======================================================================================================================================================================================================
 Package                                     Architecture                                  Version                                          Repository                                           Size
======================================================================================================================================================================================================
Installing:
 ncpa                                        x86_64                                        3.1.0-1                                          @commandline                                         26 M

Transaction Summary
======================================================================================================================================================================================================
Install  1 Package

Total size: 26 M
Installed size: 69 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Error: Transaction test error:
  package ncpa-3.1.0-1.x86_64 does not verify: no digest
[root@nagios9-test ~]# fips-mode-setup --check
FIPS mode is enabled.
```

Petaris commented Jul 22, 2024

Hello, this is affecting us on RHEL 9 in FIPS mode as well. Is there any update on when this might be fixed?

Petaris commented Aug 1, 2024

I have opened a ticket with Nagios support about this but was just pointed back here. When will this be assigned and worked on?

Petaris commented Aug 1, 2024

Information related to the required change can be found here: https://fedoraproject.org/wiki/RPM_file_format_changes_to_support_SHA-256

The issue is related to MD5/SHA1 being used for signatures/digests, which are no longer allowed in modern FIPS restrictions. The solution is to move to using SHA-256 for these when building the RPM package.

Petaris commented Aug 1, 2024

It looks like updating the .rpmmacros file in the build environment before building might also be a way to handle this. Possibly both should be done. Using SHA256 should allow RHEL 7, 8, and 9 to work according to what I have read.

```
# ~/.rpmmacros

# ... cut ...

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 8
%_source_filedigest_algorithm 8

# ... cut ...
```
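
A build-side check for the cause discussed in the comments above, added here as an example and not taken from the thread or the NCPA project: it reads an RPM's signature and main headers and reports which digest algorithms the package carries, so a build can be inspected before it is published. The tag ids (1004, 269, 273, 5011, 5093) are assumed from rpm's tag definitions; `read_header`, `digest_report`, `build_header`, `sample`, `OLD` and `NEW` are hypothetical names, and both sample packages are constructed byte strings.

```python
import struct

MAGIC = b"\x8e\xad\xe8\x01"                                # header magic + version
SIG_DIGESTS = {1004: "MD5", 269: "SHA1", 273: "SHA256"}    # signature-header tags (assumed ids)
MAIN_ALGOS = {5011: "filedigestalgo", 5093: "payloaddigestalgo"}  # main-header tags (assumed ids)
ALGO = {1: "MD5", 2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
STRONG = {"SHA256", "SHA384", "SHA512"}

def read_header(buf, off):
    """Parse the header structure at off -> ({tag: (type, data_offset)}, data, end)."""
    if len(buf) < off + 16 or buf[off:off + 4] != MAGIC:
        raise ValueError(f"no header at offset {off}")
    nindex, hsize = struct.unpack_from(">II", buf, off + 8)
    idx_end = off + 16 + 16 * nindex
    if idx_end + hsize > len(buf):
        raise ValueError("truncated header")
    entries = {t: (ty, o) for t, ty, o, _ in struct.iter_unpack(">IIII", buf[off + 16:idx_end])}
    return entries, buf[idx_end:idx_end + hsize], idx_end + hsize

def digest_report(rpm_bytes):
    """Report which digests a package carries; nothing is verified or trusted."""
    sig, _, end = read_header(rpm_bytes, 96)                  # 96-byte lead comes first
    main, data, _ = read_header(rpm_bytes, end + (-end % 8))  # sig header padded to 8 bytes
    report = {"header_digests": sorted(SIG_DIGESTS[t] for t in sig if t in SIG_DIGESTS)}
    for tag, name in MAIN_ALGOS.items():
        report[name] = None                                   # None = tag absent
        if tag in main:
            typ, doff = main[tag]
            if typ != 4 or doff + 4 > len(data):              # must be an in-bounds INT32
                raise ValueError(f"malformed tag {tag}")
            algo = struct.unpack_from(">I", data, doff)[0]
            report[name] = ALGO.get(algo, f"unknown({algo})")
    found = set(report["header_digests"]) | {report["payloaddigestalgo"]}
    report["has_strong_digest"] = bool(found & STRONG)
    return report

def build_header(entries):  # constructed-sample helper: {tag: (type, raw_bytes)} -> header
    index = data = b""
    for tag, (typ, raw) in entries.items():
        index += struct.pack(">IIII", tag, typ, len(data), len(raw) if typ == 7 else 1)
        data += raw
    return MAGIC + bytes(4) + struct.pack(">II", len(entries), len(data)) + index + data
def sample(sig, main):      # constructed package: lead + padded sig header + main header
    raw = build_header(sig)
    return b"\xed\xab\xee\xdb" + bytes(92) + raw + bytes(-len(raw) % 8) + build_header(main)

# Constructed samples, not real NCPA builds: MD5/SHA1 only vs. SHA-256 throughout.
OLD = sample({1004: (7, bytes(16)), 269: (6, b"0" * 40 + b"\0")}, {})
NEW = sample({273: (6, b"0" * 64 + b"\0")}, {5011: (4, b"\0\0\0\x08"), 5093: (4, b"\0\0\0\x08")})
```

For a real package, pass the file's bytes, for example `digest_report(open(path, "rb").read())`.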

ne-bbahn (Contributor) commented Aug 7, 2024

Sorry for the delay in response. I will try to get this worked out for NCPA 3.2.0.

Petaris commented Aug 7, 2024

> Sorry for the delay in response. I will try to get this worked out for NCPA 3.2.0.

Thanks! I appreciate the update. Let me know if you need someone to test.

ne-bbahn (Contributor) commented Aug 7, 2024

In the meantime, you can either

  • install NCPA via the tarball

or if you only want to install through the Nagios repo:

  • disable FIPS
  • install NCPA
  • re-enable FIPS
