Unable to install cuda rpms and libraries in RHEL8 FIPS mode - no digest

When enabling FIPS mode in RHEL8, md5sums are disallowed due to FIPS restrictions, so CUDA rpms cannot be installed via yum/dnf

For example:
yum install libnpp-11-8

fails with:
Error: Transaction test error:
package libnpp-11-8-11.8.0.86-1.x86_64 does not verify: no digest

This is due to the file digests in md5 format. All official RHEL8 packages are built with SHA256 digests

rpm --checksig libnpp-11-8-11.8.0.86-1.x86_64.rpm
libnpp-11-8-11.8.0.86-1.x86_64.rpm:
Header V4 RSA/SHA512 Signature, key ID d42d0685: NOKEY
Header SHA1 digest: OK
V4 RSA/SHA512 Signature, key ID d42d0685: NOKEY
MD5 digest: OK

Grafana packages had the same issue, but seems they have solved it recently:
rpm --checksig -v grafana-9.1.7-1.x86_64.rpm
grafana-9.1.7-1.x86_64.rpm:
Header V4 RSA/SHA512 Signature, key ID 24098cb6: NOKEY
Header SHA256 digest: OK
Header SHA1 digest: OK
Payload SHA256 digest: OK
V4 RSA/SHA512 Signature, key ID 24098cb6: NOKEY
MD5 digest: OK

Here is some info about sha256 digests when building RPMs
Adding SHA256 Digests to RPMs — Star Lab Software (Can’t post more than one link)

It would be great if NVIDIA could build packages with proper SHA256 digests

1 Like

Agree with OP - it seems the packages available in the NVIDIA CUDA for EL8 repo are inconsistently built; some have more secure SHA256 digests, some without.

Good package that installs with no issue:

$ rpm -K -v cuda-drivers-470.161.03-1.x86_64.rpm
cuda-drivers-470.161.03-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d42d0685: OK
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA512 Signature, key ID d42d0685: OK

Bad package with install failure and “no digest” error:

$ rpm -K -v nsight-compute-2020.2.1-2020.2.1.8-1.x86_64.rpm
nsight-compute-2020.2.1-2020.2.1.8-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d42d0685: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID d42d0685: OK
    MD5 digest: NOTFOUND

I’ve tried to open a support case with NVIDIA, but so far they haven’t been willing to address this.

System details:

$ cat /etc/redhat-release
Red Hat Enterprise Linux release 8.7 (Ootpa)

$ uname -r
4.18.0-425.3.1.el8.x86_64

$ fips-mode-setup --check
FIPS mode is enabled.

Greetings, I just wanted to +1 this request. Our organization uses Nvidia hardware and also the CUDA Development Toolkit (including nsight-compute) for scientific computing. However, we have stringent security requirements which mandate the use of good-quality (SHA-256) RPM payload digest algorithms.