
RHEL-73170: Ensure correct fips.so checksum calculation

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • rhel-10.0
    • CentOS Stream 10
    • openssl
    • openssl-3.2.2-15.el10
    • No
    • Important
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 26
    • 0.2
    • QE ack, Dev ack
    • False
    • None
    • No
    • Crypto25Q1
    • AC1) The command "OPENSSL_FORCE_FIPS_MODE=1 openssl dgst -sha256 <some file>" is not throwing any errors on fedora and centos (integrity verified).
    • Pass
    • Not Needed
    • Manual
    • Unspecified Release Note Type - Unknown
    • None

      We came across an rpmbuild behavior change.

      Preamble. We embed a checksum in our FIPS-certified binaries in a specially created section of the .so files. Before calculation, the block is initialized with zeros at compilation time, and then the correct checksum is embedded, replacing the zeros with the calculated value.

      The embedding procedure is done twice: for the locally built fips.so and for the fips.so copied to the buildroot after strip/extracting the debuginfo. The package's native tests are run from %check with the locally built ones and must succeed for the package to build.

      Recently (between the end of September 2024 and Jan 2025) the behavior of rpmbuild has changed. The old behavior was to copy the built files to the buildroot before embedding the checksum (before %check?). Now the files are copied after embedding the checksum. So the checksum block is not zeroized anymore and checksum verification is failing.

      We need to zeroize the checksum section in the buildroot before calculating the checksum, so the state becomes predictable.
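      The failure mode described above, modelled as an added example (not Red Hat's build scripts or the OpenSSL FIPS provider's own integrity code). The module image is a constructed byte string with a hypothetical marker in place of the real ELF section, and HMAC-SHA256 under a constructed placeholder key stands in for the module's integrity check. Embedding a second time over a block that already holds a digest produces a value the verifier can never reproduce; zeroizing the block first makes the procedure idempotent, which is the fix the issue asks for.

```python
import hashlib
import hmac

CHECKSUM_LEN = 32                       # SHA-256 digest size
MARKER = b".rh.fips.checksum:"          # hypothetical marker standing in for the ELF section
HMAC_KEY = b"constructed-placeholder"   # constructed key; not the real FIPS integrity key


def build_module(code: bytes) -> bytes:
    """Constructed module image: code followed by a checksum block that is all zeros,
    which is the state the compiler leaves it in."""
    return code + MARKER + bytes(CHECKSUM_LEN)


def _block_offset(image: bytes) -> int:
    idx = image.find(MARKER)
    if idx < 0:
        raise ValueError("checksum block not found")
    return idx + len(MARKER)


def zeroize(image: bytes) -> bytes:
    """Return the image with the checksum block reset to zeros."""
    off = _block_offset(image)
    return image[:off] + bytes(CHECKSUM_LEN) + image[off + CHECKSUM_LEN:]


def expected_checksum(image: bytes) -> bytes:
    """What a verifier computes: the MAC over the image with the block zeroized."""
    return hmac.new(HMAC_KEY, zeroize(image), hashlib.sha256).digest()


def embed(image: bytes, zeroize_first: bool) -> bytes:
    """Embed a checksum into the block.

    zeroize_first=False models the build step that assumed the block was still
    zero (true for the old rpmbuild ordering, false once the file is copied to
    the buildroot after the first embedding).  zeroize_first=True is the fix.
    """
    source = zeroize(image) if zeroize_first else image
    digest = hmac.new(HMAC_KEY, source, hashlib.sha256).digest()
    off = _block_offset(image)
    return image[:off] + digest + image[off + CHECKSUM_LEN:]


def verify(image: bytes) -> bool:
    """Integrity check: stored block must equal the MAC over the zeroized image."""
    off = _block_offset(image)
    stored = image[off:off + CHECKSUM_LEN]
    return hmac.compare_digest(stored, expected_checksum(image))


def simulate_build():
    """Walk through both rpmbuild orderings; returns (old_ok, new_buggy_ok, new_fixed_ok)."""
    fresh = build_module(b"\x7fELF constructed module bytes")

    # Old ordering: buildroot copy was taken before embedding, so both embeddings
    # saw a zero block and the naive embed was correct.
    local = embed(fresh, zeroize_first=False)
    old_ok = verify(local)

    # New ordering: the buildroot copy already carries the first digest.
    buildroot_buggy = embed(local, zeroize_first=False)   # block not zeroized: wrong
    buildroot_fixed = embed(local, zeroize_first=True)    # zeroize first: correct
    return old_ok, verify(buildroot_buggy), verify(buildroot_fixed)


if __name__ == "__main__":
    print(simulate_build())   # (True, False, True)
```

      The simulation shows the second embedding is only correct when it is computed over a zeroized block, independent of what the copy in the buildroot currently contains; the `zeroize_first=True` path is what the spec change needs to do before running the checksum tool on the buildroot copy.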

              Dmitry Belyavskiy (dbelyavs@redhat.com)
              George Pantelakis
              Votes: 0
              Watchers: 6
