CUDA Repo - RHEL8 - Select Package Signature Failures

System Information:

  • Dell Precision 5820
  • NVIDIA Corporation GP107GL [Quadro P1000] (rev a1)
  • RHEL 8.5 + latest errata
  • RHEL8 CUDA Repo, already set up for nvidia-driver:510-dkms

Happened afternoon-evening of Fri 2/25 and again today, Mon 2/28.
Was able to install the drivers from the RHEL8 Module for 510:
$ sudo dnf module install nvidia-driver:510-dkms

And I can verify the GPG key 7fa2af80 is good on all driver (from the 510 module) packages.

$ rpm -qi nvidia-kmod-common-510.47.03-1.el8.noarch
Name : nvidia-kmod-common
...
License : NVIDIA License
Signature : RSA/SHA512, Mon 24 Jan 2022 09:30:46 PM CST, Key ID f60f4b3d7fa2af80
Source RPM : nvidia-kmod-common-510.47.03-1.el8.src.rpm
Build Date : Mon 24 Jan 2022 09:29:17 PM CST
...

But when I try to install CUDA 11-4 and 11-6 packages, all but 2 fail.

$ sudo dnf install $(cat /tmp/rpms_cuda11-6_11-4.txt)
...
Error: Transaction test error:
package cuda-toolkit-config-common-11.6.55-1.noarch does not verify: no digest
...
package cuda-11-6-11.6.1-1.x86_64 does not verify: no digest

And I verified in the DNF cache directory … (these are the only 2 good ones)

$ rpm -K /var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/*.rpm | grep -iv not
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/datacenter-gpu-manager-2.3.4-1-x86_64.rpm: digests signatures OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/nsight-systems-2021.5.2-2021.5.2.53_28d0e6e-0.x86_64.rpm: digests signatures OK

And the rest are all bad signatures …

$ rpm -K /var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/*.rpm | grep -i not
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-4-11.4.4-1.x86_64.rpm: DIGESTS signatures NOT OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-6-11.6.1-1.x86_64.rpm: DIGESTS signatures NOT OK
...
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/nsight-compute-2022.1.1-2022.1.1.2-1.x86_64.rpm: DIGESTS signatures NOT OK

I’ve found other reports in the forum that this happens from time to time. But given the recent NVIDIA compromise, I don’t want to directly use rpm to install without signature validation.

Please advise and/or remediate.

For security purposes, can someone else verify there are signature failures? This would mean the packages have been tampered with … or at least not signed/signed correctly after being built.

Unless NVIDIA is using a newer GPG signing key than Key ID f60f4b3d7fa2af80.

Seems to have been resolved! Thank you!

nsight-systems currently prevents cuda from installing or updating for me because it finds no digest. This could very well be because NASA makes us use FIPS mode in RHEL8. Probably nsight-systems has an inferior digest.

I’m also having a problem with nsight-systems when FIPS mode is enabled. It seems to be signed with an inferior key.

It’s related to FIPS with all but the latest CUDA 12.2 packages, it seems.

I’m not sure how NVIDIA is packaging RHEL 8 and RHEL 9 RPMs, and the subsequent RPMs do not contain a digest! The inability to install NVIDIA CUDA software with FIPS enabled is unacceptable.

The workaround I use is ‘rpmrebuild -5-p ’. It rebuilds the rpm with the digests, but strips the NVIDIA signature. It isn’t the right method; however, disabling/enabling FIPS on over 1500 systems every six months is too time-consuming.
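
An added example, not part of any post in this thread: in the `rpm -K` summaries quoted in the first post, rpm upper-cases the check class that failed and omits a class the package does not carry, so `DIGESTS signatures NOT OK` flags the digest check while the signature class is not flagged, and an unsigned package would show only `digests OK`. The function names are hypothetical, and the last two sample lines are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify `rpm -K` summary lines.
# Function names are hypothetical. rpm upper-cases a check class that failed
# and leaves out a class the package does not carry.

classify_checksig() {
    # stdin: `rpm -K` summary lines; stdout: "<verdict><TAB><package file>"
    awk -F': ' 'NF >= 2 {
        summary = $NF
        pkg = substr($0, 1, length($0) - length(summary) - 2)
        sub(/.*\//, "", pkg)                       # drop the cache directory
        dig_bad  = (summary ~ /DIGESTS/)
        sig_bad  = (summary ~ /SIGNATURES/)
        sig_seen = (sig_bad || summary ~ /signatures/)
        if (summary ~ /NOT OK/) {
            if (sig_bad && dig_bad) v = "signature+digest-failed"
            else if (sig_bad)       v = "signature-failed"
            else if (dig_bad)       v = "digest-failed"
            else                    v = "failed-other"
        } else if (!sig_seen)       v = "unsigned"   # summary was "digests OK"
        else                        v = "ok"
        printf "%s\t%s\n", v, pkg
    }'
}

checksig_gate() {
    # Succeeds only if every package verified AND carried a signature.
    ! classify_checksig | grep -qv '^ok'
}

# First three lines are quoted from the thread; the last two are constructed.
SAMPLE_LINES='/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/datacenter-gpu-manager-2.3.4-1-x86_64.rpm: digests signatures OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-4-11.4.4-1.x86_64.rpm: DIGESTS signatures NOT OK
/var/cache/dnf/LIMITED-cuda-f1d7a46f058da57c/packages/cuda-11-6-11.6.1-1.x86_64.rpm: DIGESTS signatures NOT OK
/tmp/constructed/example-signed-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
/tmp/constructed/example-unsigned-1.0-1.x86_64.rpm: digests OK'

printf '%s\n' "$SAMPLE_LINES" | classify_checksig
```

On a real host the input would come from `rpm -K` over the cached packages, piped into `checksig_gate` before any install step.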