- Bug
- Resolution: Unresolved
- Critical
- None
- 4.17
- Critical
- Yes
- False
Description of problem:
OpenShift release signature is armored which is a GnuPG extension to OpenPGP and doesn't work on FIPS enabled RHEL 9 systems
Version-Release number of selected component (if applicable):
How reproducible:
100%
Steps to Reproduce:
1. Deploy RHEL 9.4 System
2. Enable FIPS
3. Run the following command:
oc adm release mirror --apply-release-image-signature=false --from=quay.io/openshift-release-dev/ocp-release:4.16.3-x86_64 --to file://openshift/release --to-dir=/home/ec2-user/mirror
Actual results:
error: Unable to load configmap verifier: the config map openshift-config-managed/release-verification has an invalid key "verifier-public-key-redhat" that must be a GPG public key: unable to read keyring with armor (openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: RSA verification failure) or without armor (openpgp: invalid data: tag byte does not have MSB set): unable to read keyring with armor (openpgp: invalid data: user ID self-signature invalid: openpgp: invalid signature: RSA verification failure) or without armor (openpgp: invalid data: tag byte does not have MSB set)
Expected results:
OpenShift release images are mirrored to disk
Additional info:
This has started happening within the last few weeks. It seems that when the oc binary started using the underlying OS libraries for FIPS compliance instead of the Golang embedded libraries, this error started happening.

We can see that the release key is armored here on a 4.17 cluster.

oc get -o yaml cm release-verification
apiVersion: v1
data:
  store-openshift-official-release: https://storage.googleapis.com/openshift-release/official/signatures/openshift/release
  store-openshift-official-release-mirror: https://mirror.openshift.com/pub/openshift-v4/signatures/openshift/release
  verifier-public-key-redhat: |
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Comment: Use "gpg --dearmor" for unpacking

Also note, the release being mirrored does not change the behavior. Same error message if we mirror 4.12.20 or 4.17.6. The error goes away if I use an older 4.12.20 oc binary.

The armored GPG key has been there a long time. Only when oc started using the system libraries for FIPS support correctly did the armored key become an issue. This is a huge problem for a ton of customers who have FIPS requirements.
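The two-step failure oc reports above (the armored read fails, then the same text is retried as binary and fails because the first byte has no MSB) can be checked on any key outside oc. The following Go program is an added example, not code from oc or OpenShift: it dearmors a PGP block the way the configmap comment's `gpg --dearmor` does (RFC 4880 armor with its CRC-24 trailer) and reports whether the result starts with a valid packet tag byte; the key bytes in the test are constructed, not Red Hat's key.

```go
package main

import (
	"encoding/base64"
	"errors"
	"strings"
)

// crc24 is the OpenPGP armor checksum of RFC 4880 section 6.1 (init 0xB704CE, poly 0x864CFB).
func crc24(data []byte) uint32 {
	crc := uint32(0xB704CE)
	for _, b := range data {
		crc ^= uint32(b) << 16
		for i := 0; i < 8; i++ {
			if crc <<= 1; crc&0x1000000 != 0 {
				crc ^= 0x1864CFB
			}
		}
	}
	return crc & 0xFFFFFF
}

// Dearmor does what `gpg --dearmor` does: drop the BEGIN/END lines and the armor headers
// (Comment:, Version:, ... up to the first blank line), base64-decode the body, check the CRC.
func Dearmor(armored string) ([]byte, error) {
	start := strings.Index(armored, "-----BEGIN PGP ")
	end := strings.Index(armored, "-----END PGP ")
	if start < 0 || end < start {
		return nil, errors.New("not a complete armored block")
	}
	_, body, _ := strings.Cut(armored[start:end], "\n\n")
	parts := strings.Fields(body) // one token per line; the last must be the "=XXXX" CRC-24 line
	if len(parts) < 2 || !strings.HasPrefix(parts[len(parts)-1], "=") {
		return nil, errors.New("missing CRC-24 line")
	}
	data, err1 := base64.StdEncoding.DecodeString(strings.Join(parts[:len(parts)-1], ""))
	want, err2 := base64.StdEncoding.DecodeString(parts[len(parts)-1][1:])
	if err1 != nil || err2 != nil || len(want) != 3 {
		return nil, errors.New("malformed base64 body or CRC-24 line")
	}
	if crc24(data) != uint32(want[0])<<16|uint32(want[1])<<8|uint32(want[2]) {
		return nil, errors.New("armor CRC-24 mismatch")
	}
	return data, nil
}

// IsBinaryPacket checks the MSB that RFC 4880 section 4.2 requires in a packet's first octet; armored text fails it ("tag byte does not have MSB set").
func IsBinaryPacket(data []byte) bool {
	return len(data) > 0 && data[0]&0x80 != 0
}
```

Running the armored configmap value through Dearmor first gives the binary keyring that the "without armor" code path expects; a CRC mismatch means the copied block is corrupt rather than merely armored.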
- is triggering: OCPBUGS-47453 oc-mirror V2 fails on FIPS enabled and STIG compliant RHEL 9 system (ASSIGNED)
- relates to: OCPBUGS-35528 Load Red Hat keys in FIPS mode with Go 1.22 (Closed)