FIPS mode self check error #780
Hmm, can you give me a minimal reproducer that uses GnuTLS from python? Are you building under RHEL 8.5 as well, or under some other distribution? Also, what PyInstaller version are you using - gnutls seems to be using .hmac files, and we added collection of those in 6.4.0. |
Great point, I kept seeing the error with everything I tried to compile, but I never tried to create a minimal example. I am using the latest pyinstaller version (6.9.0) and building and running on the same RHEL (8.5) system. Here were my findings in this process:

Issue 1

test.py:

    import IPython
    import comm
    import ipykernel
    import jupyter_client
    import matplotlib
    import matplotlib_inline

Compiling and running one of these returns the GnuTLS error originally stated.

    $ pyinstaller test.py
    ...
    $ ./dist/test/test
    Error in GnuTLS initialization: Error while performing self checks.

Issue 2

test.py:

    import hashlib
    import OpenSSL
    import parso

Compiling and running one of these returns:

    $ pyinstaller test.py
    ...
    $ ./dist/test/test
    crypto/fips/fips.c:154: OpenSSL internal error: FATAL FIPS SELFTEST FAILURE
    Aborted (core dumped)

What is strange is that it doesn't happen when third-party libraries import |
Can you check if |
For the
For the |
Hmm, last time I was looking into FIPS mode (pyinstaller/pyinstaller#8273) collecting these seemed to suffice. I'll try to set up a test RHEL8 system again. |
If it is easier for you to explain debugging steps, I would be happy to help you test. |
I think it is, because I have no idea what to look for at the moment. |
Can you tell me what python version you used, and how did you install it? (If I recall correctly, default is 3.6 which does not work with PyInstaller 6.9). And tested packages are installed from PyPI via pip? |
installed using the yum package manager
Packages are installed from PyPI using pip, yes. |
Can you give me That said,
|
Hmm, let's focus on
Could be that issue is that one lib is bundled and the other is not. |
Yep, that seems to be the case on my system; the |
I am in a giant catch-all environment (probably should have made a fresh one). Let me know if you want me to make a new one or send you a paste bin link of my current environment.
Not an expert, but enabling FIPS post-boot shouldn't be a problem. I doubt the Python version change makes a difference, but we have noticed big differences between libraries on different RHEL 8.x versions. Trying your suggestions for hashlib now... |
Adding |
This also worked |
Running |
Is there a If I try importing it in python REPL, I get the following, though:
So it could be that it is completely unavailable for you... (and that's why |
It is collected at
I get no errors when importing
|
In an interpreter, |
Aha, then it's different in your python version vs. mine. In my case, it is linked against ssl and crypto:
|
Wrong file, here's what I get:
|
Hmmm, that confuses the situation somewhat. Can you check the Or if you run
in interpreter? |
The lines from
|
Do you have two python 3.11 installations on that system? RPM-installed (python3.11, python3.11-libs) in |
So I take it if you try to import |
Yep XD I guess we need to uninstall all instances of Python 3.11.5 from our system? |
Nah, don't, because then we might lose the chance to debug the real issue at hand. |
So aside from this detour with different python versions, the OpenSSL case is clear: if we collect the ssl or crypto shared lib and there are accompanying hmac files, we need to ensure that the other lib is also collected (if that is not already the case). |
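The pairing rule from the comment above, written as a check over a frozen application directory. This is an added example, not part of the thread or of PyInstaller's code: the function name `audit_bundle`, the `.<library file name>.hmac` naming beside the library, and the sample file names are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the checksum sits beside the library as ".<library file name>.hmac".
HMAC_RE = re.compile(r"^\.(?P<lib>.+)\.hmac$")
OPENSSL_PAIR = ("libssl.so", "libcrypto.so")


def audit_bundle(bundle_dir):
    """Return sorted findings for a frozen application directory."""
    libs, hmacs = set(), set()  # entries are (directory, library file name)
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            match = HMAC_RE.match(name)
            if match:
                hmacs.add((root, match.group("lib")))
            elif ".so" in name:
                libs.add((root, name))

    # A checksum file with no library beside it cannot be verified against anything.
    findings = [f"orphan hmac for {lib}" for _dir, lib in hmacs - libs]

    # Pairing rule from the thread: if one OpenSSL library was collected together
    # with its hmac file, the other OpenSSL library must be collected as well.
    checked = [lib for _dir, lib in libs & hmacs]
    collected = [lib for _dir, lib in libs]
    for have, need in (OPENSSL_PAIR, OPENSSL_PAIR[::-1]):
        if any(l.startswith(have) for l in checked) and not any(
            l.startswith(need) for l in collected
        ):
            findings.append(f"{have}* has an hmac file but {need}* is not collected")
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample bundle: libssl and its checksum, but no libcrypto.
    with tempfile.TemporaryDirectory() as dist:
        internal = os.path.join(dist, "_internal")
        os.makedirs(internal)
        for name in ("libssl.so.1.1", ".libssl.so.1.1.hmac"):
            open(os.path.join(internal, name), "wb").close()
        for finding in audit_bundle(dist):
            print(finding)
```

Run against a real `dist/<name>` directory, an empty result means the collected OpenSSL libraries and their checksum files are at least consistent with each other; it does not recompute the checksums themselves.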
Moving on to GnuTLS, we'll first need to figure out what is pulling it in. It would probably help if we worked with same kind of virtual environment, starting from a minimal one (e.g., create, update pip and wheel to latest version, and "setuptools<71"; then install PyInstaller and matplotlib). Then You could also rebuild |
test.py
Commands
After creating a new virtual environment (using Python 3.11.6 -
Build log
Filtered for
|
When running
Build log
Filtered for
|
In both environments:
|
Aha, you have PyQt5 in the environment... fair enough. Looks like the hmac file An |
That worked in both the minimal and catch-all environments! |
So, what are the next steps from here? |
I'll extend the hmac handling code for the For OpenSSL, I need to think a bit on what the best approach would be. But that's less pressing, since typically, both ssl and crypto are collected together. Until then, if you want FIPS compliance, use the |
Great, I will use the Thank you for all of your help! |
We use a Red Hat Enterprise Linux 8.5 machine with FIPS mode enabled. After installing any program (folder or one-file mode) and running it, we get the following error:
Note, this is a non-critical bug as it does not seem to affect the usage of the program except the undesired terminal output. Googling the error will return a few posts, but they don't seem to have any solutions.
gnutls-cli version: 3.6.16