
ClamAV LTS RPMs compatibility issues with both RHEL9/Stream9 (all profiles) and RHEL8/Stream8 (FIPS modes) #1223

Open
BJSmithIEEE opened this issue Apr 5, 2024 · 1 comment

BJSmithIEEE commented Apr 5, 2024

PREFACE: I want to thank the Cisco-Talos group for building RPMs of ClamAV LTS starting with 1.0.4, which saves us the issue of building a complete Rust environment on RHEL8/Stream8, which is something not even the Fedora EPEL8 team is doing.

RPM Package Digest is insecure MD5/SHA1

Putting digital signatures to the side (we can always sign packages with our own), neither any RHEL9/Stream9 installation, nor any RHEL8/Stream8 with a FIPS profile (user-space) or FIPS kernel mode (hard enforcement, blocks everything non-FIPS), will install the prebuilt ClamAV LTS RPMs, as they are built -- the 'digests' just for integrity checking -- with old MD5/SHA1 hashes.

Again, this is not allowed at all in EL9, as well as EL8 when EL8 is in FIPS (or other secure) profiles/modes.

$ sudo rpm -Uhv --test ./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
        package clamav-1.0.5-1.x86_64 does not verify: no digest

On an EL8 system not in FIPS mode ...

$ rpm -Kv ./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm
./yum/.staging/TPS8/x86_64/clamav_clamav-lts/clamav-1.0.5.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

Considering these are the two (2) supported RHEL/Stream releases after June of this year (RHEL7/CentOS7 goes EoL '24 June), I would recommend you consider the following changes to your RPM Macros for building.

$ cat ~/.rpmmacros
#
# ~/.rpmmacros

 ... cut ...

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 10
%_source_filedigest_algorithm 10

### [Optional] RPM Signature (Digital Signature) Configuration

# Use GnuPG
%_signature gpg
%__gpg /usr/bin/gpg
# Currently GPG key XXXXXX (expires YYYY-bbb-dd)
%_gpg_name you@domain

# Maximum RPM v3 compatibility (RHEL7/CentOS7) and force SHA512 (still supported)
%__gpg_sign_cmd %{__gpg} --force-v3-sigs --digest-algo=sha512 --batch \
 --no-verbose --no-armor --no-secmem-warning -u "%{_gpg_name}" \
 -sbo %{__signature_filename} %{__plaintext_filename}

 ... cut ... 

It uses SHA512, which should be compatible with the last RHEL7.9 / CentOS7.9 Updates, and similar, decade-old distributions.

I've also included the optional digital signature stanza (should you wish to add one) to even generate the older RPMv3 format (rather than RPMv4) for them too. This is all while still being EL8/9 FIPS compliant, and possibly the forthcoming EL10 (Stream 10) due in 2025 (I do need to test if RPMv3 is still supported in EL10).

This should be read/supported by CPack in CMake, which I see you are using.

P.S. I will reserve further comment on CPack, but would be very interested in assisting with these, and other RPM SPEC meta-data (e.g., obsoleting EPEL ClamAV), you could use in the package, even with CPack. I would be very interested in understanding how you are building these LTS 1.0.4+ release RPM packages, especially your Rust environment, if you are using RHEL8/Stream8, as I cannot reproduce a working environment. I.e., installing the Rust module from RHEL8 Application Streams, I cannot get the RPM Macros/Build support to work, not even after pulling various, older support from EPEL8 or other sources.


BJSmithIEEE commented Apr 29, 2024

Just to confirm, in addition to RHEL9 compatibility issues, there will be continued US Gov't non-compliance with FIPS, NIST, DISA and just about every standard out there for RHEL8, which will affect both federal and regulated commercial users (e.g., financial), with the latest LTS 1.0.6 RPM release too ...

$ rpm -Kv clamav-1.0.6.linux.x86_64.rpm
clamav-1.0.6.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK

As documented earlier, the 'fix' for this is literally this simple!

$ cat ~/.rpmmacros
#
# ~/.rpmmacros

 ... cut ...

### RPM Digest (Checksum/Integrity) Configuration

# Use SHA256 (8)
# Use SHA384 (9)
# Use SHA512 (10)
%_binary_filedigest_algorithm 10
%_source_filedigest_algorithm 10

 ... cut ...
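Both comments above come down to the same check: does the package carry anything stronger than the MD5 and SHA1 digests that `rpm -Kv` reports? The script below is an added example, not part of the issue or of the ClamAV project's build tooling. It parses `rpm -Kv` output and classifies a package as `legacy` (MD5/SHA1 only, the state shown in the issue), `fips-ok` (at least one SHA-256/384/512 header or payload digest present), `failed` (a digest did not verify) or `none`. The function names, the `MODERN_SAMPLE`/`BROKEN_SAMPLE` texts and the key ID in them are constructed for illustration; the `LEGACY_SAMPLE` text is the output posted in the issue. The assumption that a SHA-2 header or payload digest is what a FIPS-mode rpm needs in order to verify the package is the author's reading of the error quoted above ("does not verify: no digest"), not something the issue confirms.

```shell
#!/bin/sh
# Added example (not from the issue or the ClamAV project): classify the
# digest lines that `rpm -Kv` prints, so a repository maintainer can reject
# MD5/SHA1-only packages before they reach an EL9 or FIPS-mode EL8 host.
# Function names and the constructed samples below are hypothetical.

# classify_rpm_digests TEXT
#   TEXT is the output of `rpm -Kv <pkg>` for a single package.
#   Prints one word:
#     failed   - a digest line reported something other than OK
#     fips-ok  - at least one SHA-256/384/512 header or payload digest (assumed
#                to be what a FIPS-mode rpm needs; see the lead-in)
#     legacy   - only MD5 / SHA1 digests (the state reported in this issue)
#     none     - no digest lines at all
#   Signature lines ("... Signature, key ID ...") are skipped on purpose:
#   the issue is about integrity digests, not GPG signatures.
classify_rpm_digests() {
    printf '%s\n' "$1" | awk '
        /digest:/ {
            n = split($0, f, " ")
            algo = ""
            for (i = 1; i <= n; i++)
                if (f[i] ~ /^(MD5|SHA1|SHA224|SHA256|SHA384|SHA512)$/) algo = f[i]
            if (f[n] != "OK")                     bad = 1
            else if (algo ~ /^SHA(256|384|512)$/) strong = 1
            else if (algo ~ /^(MD5|SHA1)$/)       weak = 1
        }
        END {
            if (bad)         print "failed"
            else if (strong) print "fips-ok"
            else if (weak)   print "legacy"
            else             print "none"
        }'
}

# check_rpm_file PKG
#   Runs rpm -Kv on a real package file (needs rpm on PATH) and classifies it.
check_rpm_file() {
    classify_rpm_digests "$(rpm -Kv "$1" 2>&1)"
}

# --- Samples ---------------------------------------------------------------
# As posted in the issue: the 1.0.5 LTS package as shipped (MD5/SHA1 only).
LEGACY_SAMPLE='./clamav-1.0.5.linux.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Constructed: the shape rpm 4.14+ prints for a package that also carries
# SHA-256 header and payload digests (legacy digests are still listed for
# older rpm versions; the key ID is made up).
MODERN_SAMPLE='./example-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'

# Constructed: a tampered or truncated download.
BROKEN_SAMPLE='./example-1.0-1.x86_64.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: NOTOK
    MD5 digest: NOTOK'

# With no arguments, demonstrate on the samples; otherwise classify every
# .rpm path given on the command line.
if [ $# -eq 0 ]; then
    printf 'clamav-1.0.5 (as shipped): %s\n' "$(classify_rpm_digests "$LEGACY_SAMPLE")"
    printf 'sha256-digested package:   %s\n' "$(classify_rpm_digests "$MODERN_SAMPLE")"
    printf 'corrupted download:        %s\n' "$(classify_rpm_digests "$BROKEN_SAMPLE")"
else
    for pkg in "$@"; do
        printf '%s: %s\n' "$pkg" "$(check_rpm_file "$pkg")"
    done
fi
```

Run it with one or more `.rpm` paths to classify real files, e.g. `sh check-digests.sh clamav-1.0.6.linux.x86_64.rpm`. On the build host, `rpm --eval '%{_binary_filedigest_algorithm}'` shows which per-file digest algorithm the `~/.rpmmacros` stanza above selects (10 = SHA512), which is a quick way to confirm the macro is actually being picked up by the packaging environment before rebuilding.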
