PUP-4963 (Puppet): "puppet module build" fails on FIPS-enabled system



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • PUP 3.7.4
    • PUP 5.4.0
    • Modules
    • Bug Fix
    • Puppet will now gracefully exit when running the puppet module tool on a FIPS-enabled system as MD5 checksums are not allowed.


      When I try to run `puppet module build .` to package up my module, the following messages happen:

      md5_dgst.c(78): OpenSSL internal error, assertion failed: Digest MD5 forbidden in FIPS mode!
      Aborted (core dumped)

      And it doesn't make the tar.gz I wanted it to.

      The Ruby code that causes the crash is the checksum method of the Puppet::ModuleTool::Checksums module, in lib/puppet/module_tool/checksums.rb. I looked in the source of 3.7.4, in my oldest copy of Puppet (2.7.something), and in the trunk on GitHub, and found in all places that the module_tool/checksums.rb solely uses MD5, which does not work in FIPS mode.

      In the case of Puppet itself (PUP-1840), the fix for the failure of MD5 under FIPS mode was to let FIPS users dictate the digest algorithm to be used at their own site. This issue, in contrast, appears to be a matter of the definition of a Puppet module, and therefore necessarily global. Does the definition of checksums.json allow solely for MD5 checksums?

      Aside: My Ruby interpreter (, like all Ruby interpreters, has the bug reported at https://bugs.ruby-lang.org/issues/9659, which makes the Ruby interpreter crash when Digest::MD5 is used in FIPS mode, instead of raising an exception. You may note that the issue has languished, even though a patch has been provided. If anyone else, who worked for a company that uses Ruby a lot, were to want this rough edge of Ruby filed off, they may want to tell the Ruby folks.

      To get the Ruby backtrace, I ran `puppet module build` inside gdb, and used the trick from http://weblog.jamisbuck.org/2006/9/22/inspecting-a-live-ruby-process to get the Ruby backtrace. On a 64-bit system, I had to use "long" instead of "int", 16 instead of 8, and 24 instead of 12.


              jayant.sane Jayant Sane
              jared.jennings.ctr Jared Jennings
              Eric Thompson Eric Thompson
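
An added example, not Puppet's code and not part of the original report: one way a module checksum routine can check for FIPS mode before it touches MD5, so the caller gets an ordinary Ruby error instead of the OpenSSL abort shown above. The names `Md5ForbiddenError`, `fips_enabled?` and `module_checksums`, and the relative-path-to-hex-digest layout of the result, are assumptions made for illustration.

```ruby
require 'digest/md5'
require 'find'
require 'openssl'
require 'tmpdir'

# Hypothetical error class (not a Puppet class): raised in place of the
# process abort that OpenSSL triggers when MD5 is requested in FIPS mode.
class Md5ForbiddenError < StandardError; end

# True when either the Ruby OpenSSL binding or the Linux kernel flag
# reports that FIPS mode is active.
def fips_enabled?
  return true if OpenSSL.respond_to?(:fips_mode) && OpenSSL.fips_mode
  flag = '/proc/sys/crypto/fips_enabled'
  File.readable?(flag) && File.read(flag).strip == '1'
end

# Map every file under module_dir (path relative to module_dir) to its MD5
# hex digest. The FIPS check runs first, so Digest::MD5 is never reached on
# a FIPS host. The result layout is an assumption, not Puppet's format.
def module_checksums(module_dir, fips: fips_enabled?)
  if fips
    raise Md5ForbiddenError,
          'MD5 checksums are not allowed in FIPS mode; refusing to build'
  end
  sums = {}
  Find.find(module_dir) do |path|
    next unless File.file?(path)
    rel = path.delete_prefix(File.join(module_dir, ''))
    sums[rel] = Digest::MD5.file(path).hexdigest
  end
  sums.sort.to_h
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir| # constructed sample module tree
    File.write(File.join(dir, 'metadata.json'), '{}')
    begin
      puts module_checksums(dir)
    rescue Md5ForbiddenError => e
      warn "Error: #{e.message}" # reported cleanly, no core dump
    end
  end
end
```

Passing `fips: true` exercises the refusal path on a host that is not in FIPS mode.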