RHEL 7.3 gpg error

It seems like I stepped on myself hardening our image.
When I run the following command:
gpg --version

I get the following output dumped to the console:
error in libgcrypt, file drbg.c, line 1826, function _gcry_drbg_randomize: DRBG is not initialized

I would appreciate any clues as to where to look.

Thank you,
Scott M.

Responses

You didn't happen to FIPS-enable your system as part of your hardening, did you? That causes all kinds of havoc with GPG. There's an open bug about it. Red Hat indicated they might try to have the GPG-under-FIPS issues fixed in 7.4.

Thanks Tom, yes I did FIPS-enable the RHEL 7.3 image, will remove it and test.

Confirmed that FIPS was the problem, removed the FIPS setting on "bootloader" in the kickstart, re-built the RHEL 7.3 image and the "gpg" error went away, the signing of the localrepo also worked with FIPS removed. Thanks Tom :)

Cool. There's a technote around these problems that indicates that you should open a support case so that the priority for the fix can be upped. Dunno if you need to have a support account or not. If you need but don't have one, it's possible one of the Red Hat people monitoring this forum could help get the issue raised (again) on your behalf.

Thanks for the link, some other people are also quite concerned about this issue. I think I have a support account, just got it so will try.

No worries on the link-share: I need the problem addressed for my environment. If I can get other people opening cases, there's a better chance that the "fix for this issue is being considered for RHEL 7.4" note becomes "fix for this issue will be included in RHEL 7.4".

Constructive self-interest. ;)

Opened Case :)

Had one of my guys testing our RHEL 7.3; he accidentally pulled down the FIPS-enabled version and tried to do a "cifs" mount to a Windows share. They received "CIFS VFS: could not allocate crypto hmacmd5". It turned out that this was a problem with RHEL 6.3 and is documented here: "Why would enabling FIPS mode in the kernel break CIFS mounts?". Is there something going on with the X.3 versions?

Red Hat provided a patch to test, in case 01784863. It worked for the gpg --version and connecting to my signed yum iso repository (localrepo). However a cifs mount did not work.

Red Hat responded in their bug support to the "cifs" mount problem with the following:

The libgcrypt update fixes only gpg issues and not kernel crypto related ones. So yes, the CIFS mount issue is unrelated and not fixed by this update.

As of this point in time I know that without fips enabled cifs mount works, with fips it does not work. I am not sure if it is a bug in "kernel crypto" or a kernel option setting in my hardening effort.

I opened a discussion, "RHEL 7.3 FIPS and CIFS mount", to address the "cifs" mount / "kernel crypto" issue I had with fips, because Red Hat appears to have a handle on the gpg problem.
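
A check for the condition this thread traced the gpg error to, as an added example that is not part of any post above or of Red Hat's tooling: it reports whether FIPS mode is active in the kernel, requested on the kernel command line, or set on a kickstart "bootloader" line. The function names are hypothetical; the file paths are parameters so the checks can be run against constructed files.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether FIPS mode is active or requested.
# File paths are arguments so the checks can be run against constructed files.

# fips=1 as a whole token, allowing quotes or "=" (from --append=) around it.
FIPS_RE="(^|[[:space:]\"'=])fips=1([[:space:]\"']|\$)"

# 0 if the kernel reports FIPS mode on (the file holds "1").
fips_runtime_enabled() {
    _f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$_f" ] && [ "$(tr -d '[:space:]' < "$_f")" = "1" ]
}

# 0 if the kernel command line carries fips=1.
fips_in_cmdline() {
    _f="${1:-/proc/cmdline}"
    [ -r "$_f" ] && grep -Eq "$FIPS_RE" "$_f"
}

# 0 if a non-comment kickstart "bootloader" line carries fips=1.
fips_in_kickstart() {
    [ -r "$1" ] || return 1
    grep -E '^[[:space:]]*bootloader[[:space:]]' "$1" | grep -Eq "$FIPS_RE"
}

# 0 if stdin contains the libgcrypt error quoted in the thread.
has_drbg_error() {
    grep -q 'DRBG is not initialized'
}

# Prints active / requested / disabled for the given (or live) kernel files.
# "requested" means fips=1 is on the command line but the kernel does not report it on.
fips_report() {
    _state=disabled
    fips_in_cmdline "${2:-}" && _state=requested
    fips_runtime_enabled "${1:-}" && _state=active
    echo "$_state"
}
```

On a live host, `fips_report` with no arguments reads the files under /proc, and `gpg --version 2>&1 | has_drbg_error` tests for the symptom from the first post.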
