  • WORKAROUND - YUM/DNF installation of RPMs when FIPS is enabled

    Hi esteemed colleagues.

    By accident, I uncovered a method to install RPMs on a FIPS-enabled RHEL 8.4 server with YUM/DNF.

    Action

    RHEL 8.4 VM (VMware) with SELinux in enforcing mode and FIPS enabled.

    Kernel is 4.18.0-305.el8.x86_64.

    Impact

    Oracle JDK needs to be installed. Oracle does not provide RPMs that support FIPS:

    rpm --checksig --verbose /var/tmp/jdk-11.0.12_linux-x64_bin.rpm
    /var/tmp/jdk-11.0.12_linux-x64_bin.rpm:
    Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY

    • Standard process to install package fails:

    dnf -y install jdk

    Error: Transaction test error:
    package jdk-11.0.10-2000:11.0.10-ga.x86_64 does not verify: no digest

    • Trick to bypass FIPS security:

    echo "%_pkgverify_level none" >/etc/rpm/macros.verify

    Oracle JDK now gets installed:

    dnf -y install jdk


    Preparing : 1/1
    Installing : jdk-11.0.10-2000:11.0.10-ga.x86_64 1/1
    Running scriptlet: jdk-11.0.10-2000:11.0.10-ga.x86_64 1/1
    Verifying : jdk-11.0.10-2000:11.0.10-ga.x86_64 1/1
    Installed products updated.

    Installed:
    jdk-11.0.10-2000:11.0.10-ga.x86_64

    java --version
    java 11.0.10 2021-01-19 LTS
    Java(TM) SE Runtime Environment 18.9 (build 11.0.10+8-LTS-162)
    Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.10+8-LTS-162, mixed mode)

    I asked Red Hat if this is something that could be considered a bug or undocumented feature with /etc/rpm/macros.verify. Red Hat was kind to reply that they did not consider this to be a security issue.

    Regards,

    Dusan Baljevic (amateur radio VK2COT)
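
An added example, not part of the original post or any Red Hat tooling: a POSIX shell audit that looks for `%_pkgverify_level` overrides such as the `/etc/rpm/macros.verify` file shown above, so a relaxed verification level left behind after a one-off install is noticed. The function name `audit_pkgverify` and the choice to scan only `macros` and `macros.*` in the directories given are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: report RPM macro files that override %_pkgverify_level.
# rpm accepts four levels: all, signature, digest, none. With "none",
# no digest or signature is required before a package is installed.

# audit_pkgverify DIR...
# Prints one line per macro file that defines %_pkgverify_level and
# returns 1 if any of them sets "none" or an unrecognised value.
audit_pkgverify() {
    status=0
    for dir in "$@"; do
        for f in "$dir"/macros "$dir"/macros.*; do
            [ -f "$f" ] || continue
            # Commented-out lines do not match because their first field
            # is "#". If a file defines the macro twice, the last wins.
            level=$(awk '$1 == "%_pkgverify_level" { v = $2 } END { print v }' "$f")
            [ -n "$level" ] || continue
            case "$level" in
                all|signature|digest)
                    echo "OK   $f: $level" ;;
                none)
                    echo "FAIL $f: $level (package verification disabled)"
                    status=1 ;;
                *)
                    echo "WARN $f: unrecognised level '$level'"
                    status=1 ;;
            esac
        done
    done
    return "$status"
}

# Stand-alone use: sh audit.sh /etc/rpm
# The exit status is non-zero when a weakened level is found.
if [ "$#" -gt 0 ]; then
    audit_pkgverify "$@"
fi
```

On a live host, `rpm --eval '%{_pkgverify_level}'` prints the level rpm will actually enforce after all macro files have been read.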
