  • EL8 w/ FIPS Enabled and Poorly-Signed RPMs

    It seems like, once you enable FIPS mode on RHEL 8, RPM-validation becomes fairly hardcore. If a vendor supplies an RPM that is unsigned or weakly-signed or has digests that use weak algorithms, yum/dnf will refuse to install the package.

    While one can still specify --nogpgcheck at run-time (or set gpgcheck=0 in a given RPM's repo's configuration file) to get yum/dnf to ignore the RPM's signing-key, doing so does not get rid of the digest errors.

    As near as I can tell, it seems like the only workaround is to use the rpm command, instead. This is subideal for us as most of the automation we have in place for RHEL6 and RHEL7 expects to be able to use yum rather than rpm. I looked through the dnf man pages (and upstream documentation), but it doesn't seem like there's a method for disabling the digest-checking? Can someone tell me if I've missed something, and, if so, what that something might be?

    Thanks in advance!
