It appears there is no SHA256 payload digest. I am uncertain which keys you are using, so I am unsure if 9310d3fc is correct for the other signatures. Do you know where the PGP signatures are published to be verified against?
Thanks for that link - I tried googling for the signature, but couldn't find it. Your link did list the location of that key. I was able to install that key and it did verify that the parts of the signatures that were present were valid, but that it still lacked the Payload SHA256 signatures. See output below after the key import:
$ rpm --checksig -v opensearch-1.3.2-linux-x64.rpm
opensearch-1.3.2-linux-x64.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA1 digest: OK
Payload SHA256 digest: NOTFOUND
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
MD5 digest: NOTFOUND
$ rpm --checksig -v opensearch-dashboards-1.3.2-linux-x64.rpm
opensearch-dashboards-1.3.2-linux-x64.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA1 digest: OK
Payload SHA256 digest: NOTFOUND
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
MD5 digest: NOTFOUND
In short, FIPS mode dramatically increases the RPM validation before installation. Going back to my earlier command which you should be able to replicate:
$ rpm --checksig -v opensearch-1.3.2-linux-x64.rpm
opensearch-1.3.2-linux-x64.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA1 digest: OK
Payload SHA256 digest: NOTFOUND
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
MD5 digest: NOTFOUND
FIPS mode will not install an RPM that has a Payload SHA256 digest of NOTFOUND.
Hi @justme, no, I am not running with FIPS mode up.
And my output on RockyLinux8 is different from yours, assuming due to FIPS mode here:
[root@84c245a01715 /]# rpm --import https://artifacts.opensearch.org/publickeys/opensearch.pgp
[root@84c245a01715 /]# rpm --checksig -v opensearch-1.3.2-linux-x64.rpm
opensearch-1.3.2-linux-x64.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA1 digest: OK
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
MD5 digest: OK
And here is the rpmmacro we are using to sign the package, let me know if there is anything missed for payload sha256 to be empty, but in my prior experience I have never used FIPS so not familiar with this behavior:
I am quite familiar with needing the packages being signed, but not so much with how the signing works. That being said, I worked with a different maintainer on a package and he noted that he needed to add %_gpg_digest_algo sha256 to sign it as such. See this semi-similar issue td-agent-bit won't install on RHEL 8 / FIPS · Issue #3617 · fluent/fluent-bit · GitHub where the package also was lacking a Payload SHA256 digest preventing installation, but where it was ultimately resolved.
I also found out that using echo "%_pkgverify_level none" >/etc/rpm/macros.verify will allow you to bypass FIPS, probably a workaround you can consider before we permanently fix it on our pkg.
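As an added example (not code from the thread or from the OpenSearch project), a small Python checker that parses `rpm --checksig -v` listings like the ones above and reports why a FIPS-mode rpm would refuse the package, so the problem is caught at the signing stage rather than at install time. The two sample outputs are constructed from the listings quoted in the thread; `check_package` assumes `rpm` is on PATH.

```python
import re
import subprocess

# Constructed sample (from the thread): valid signature but no Payload SHA256 digest.
SAMPLE_MISSING_PAYLOAD = """\
opensearch-1.3.2-linux-x64.rpm:
    Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
    MD5 digest: NOTFOUND
"""

# Constructed sample (from the thread): the re-signed fips-enabled package.
SAMPLE_FIPS_OK = """\
opensearch-1.3.2-linux-x64-fips-enabled.rpm:
    Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
"""

# One "<check>: <status>" line per check; the filename line has no status and is skipped.
LINE_RE = re.compile(r"^\s*(?P<check>.+?):\s*(?P<status>OK|NOTFOUND|BAD|NOKEY|NOTTRUSTED)\s*$")

def parse_checksig(output: str) -> dict:
    """Map each check name (e.g. 'Payload SHA256 digest') to its reported status."""
    results = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            results[m.group("check")] = m.group("status")
    return results

def fips_install_problems(results: dict) -> list:
    """Reasons a FIPS-mode rpm would refuse the package; an empty list means it is acceptable."""
    problems = []
    # The thread's finding: FIPS mode rejects a package whose payload SHA256 digest is NOTFOUND.
    if results.get("Payload SHA256 digest") != "OK":
        problems.append("Payload SHA256 digest missing or bad; re-sign with %_gpg_digest_algo sha256")
    sigs = [status for check, status in results.items() if "Signature" in check]
    if not sigs or any(status != "OK" for status in sigs):
        problems.append("no valid PGP signature on header and payload (BAD/NOKEY/NOTTRUSTED/absent)")
    return problems

def check_package(path: str) -> list:
    """Run rpm --checksig -v on a real package file (assumes rpm on PATH) and return its problems."""
    proc = subprocess.run(["rpm", "--checksig", "-v", path], capture_output=True, text=True)
    return fips_install_problems(parse_checksig(proc.stdout))
```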
The artifacts you linked to verify with --checksig now:
[USERNAME@localhost ~]$ rpm --checksig -v opensearch-1.3.2-linux-x64-fips-enabled.rpm
opensearch-1.3.2-linux-x64-fips-enabled.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
[USERNAME@localhost ~]$ rpm --checksig -v opensearch-dashboards-1.3.2-linux-x64-fips-enabled.rpm
opensearch-dashboards-1.3.2-linux-x64-fips-enabled.rpm:
Header V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA512 Signature, key ID 9310d3fc: OK
rpm -ivh succeeds as well. Thanks for the updates!