Error "package [zulu package name] does not verify: no digest" when installing on RHEL 8 with FIPS mode enabled

If you're installing an Azul Zulu Build of OpenJDK rpm from a repo on a RHEL 8 system with FIPS mode enabled, you may get an error such as:

$ sudo yum install -y https://cdn.azul.com/zulu/bin/zulu-repo-1.0.0-1.noarch.rpm
[...]
package zulu-repo-1.0.0-1.noarch does not verify: no digest

$ sudo yum install zulu17-jre-headless
[...]
package zulu17-ca-jre-headless-17.0.3-1.x86_64 does not verify: no digest
package zulu17-jre-headless-17.0.3-1.x86_64 does not verify: no digest


This happens because the community builds of Azul Zulu Builds of OpenJDK are built with a version of rpm that doesn't provide the sha256 digest that FIPS mode required.

There are a couple of ways to work around this.

 

1. You can download the Zulu bundle(s) you need, then install them using "--nodigest":

$ sudo rpm -ivh --nodigest zulu17.34.19-ca-jre17.0.3-linux.x86_64.rpm

 

2. You can temporarily disable the digest check on package installations from repos by adding the line 

%_pkgverify_level none 

to the file /etc/rpm/macros.dist, then following the instructions to install from the repo, and then remove the line from /etc/rpm/macros.dist.


Note that in either case, you're working around the FIPS security so this may not be desired or acceptable in your environment, and in either case, you're no longer able to take advantage of the benefits of the repos as future updates will fail unless you use a method to temporarily work around the FIPS security for the package update.

 

Add Comment

Comments

0 comments

Please sign in to leave a comment.

Was this article helpful?
0 out of 0 found this helpful