Skip to content

Current key unsupported in FIPS mode #174

New issue
New issue
Open
Open
Current key unsupported in FIPS mode#174
@dylan-at-nagios

Description

@dylan-at-nagios
dylan-at-nagios
opened on Feb 17, 2023

You can enable fips mode on centos 9 with

fips-mode-setup --enable

Running gpg --keyserver hkp://pgpkeys.eu --recv-key 2E66557AB97C19C791AF8E20328DA867450F89EC outputs

gpg: out of core handler ignored in FIPS mode
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: can't check signature with unsupported public-key algorithm (17): Invalid public key algorithm.
gpg: key 328DA867450F89EC: 10 duplicate signatures removed
gpg: key 328DA867450F89EC: new key but contains no user ID - skipped
gpg: Total number processed: 1
gpg:           w/o user IDs: 1

You can see here https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf that DSA is only acceptable with a FIPS approved hash function until February 2024, when it will no longer be supported. I see in the SIGNATURE file in https://cpan.org/authors/id/A/AN/ANDK/CPAN-2.34.tar.gz that it appears the hash algorithm used is RIPEMD160, which is not a FIPS support hash algorithm. However, I don't see anything about it being insecure, just that it's not approved by FIPS.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions