#21451 closed defect (fixed)
Upcoming problem for Fedora 38 rpms
Reported by: | Yoda | Owned by: | |
---|---|---|---|
Component: | installer | Version: | VirtualBox-7.0.6 |
Keywords: | Fedora 38 | Cc: | |
Guest type: | all | Host type: | Linux |
Description
Fedora 38 (currently Rawhide - but due to be released in April) has tightened the security on the crypto on the rpm packages. While until only a few days ago we could use your released Fedora36 packages even on rawhide, that is no longer possible, because your signing mechanism is now outdated.
This is just a heads up for the Fedora 38 release in April - it should not affect the current Fedora 35/36/37 releases.
Please read this blogpost from nirik about the changes: https://www.scrye.com/wordpress/nirik/2023/01/31/error-rpmdbnextiterator-skipping-in-fedora-38/
Change History (13)
comment:1 by , 21 months ago
comment:2 by , 21 months ago
Hi again.
I just installed and tested that package with F36+F37+F38+F39(Rawhide). It works perfectly with all releases - even kernel 6.3.0-rc0 on rawhide works :-)
comment:3 by , 20 months ago
I just upgraded Fedora 37 -> Fedora 38, and see the same issue on an attempt to repo-update.
It's the key:
    wget -q https://www.virtualbox.org/download/oracle_vbox.asc
    rpm --import ./oracle_vbox.asc
    warning: Certificate 54422A4B98AB5139:
    Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm
apparently due to the tightened policy described in the ref'd link.
The TMP policy change works.
Is there a fix in the works?
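A small checker, added here and not part of the ticket, VirtualBox or Fedora, that reads an armoured OpenPGP public key such as oracle_vbox.asc and lists each key and subkey with its algorithm, size and key ID, so a subkey named in a warning like "Policy rejects subkey B6748A65281DDC4B: Policy rejected asymmetric algorithm" can be matched to its algorithm before deciding whether to keep importing that key. The key it parses is constructed inline with dummy MPIs (it is not the real VirtualBox key); only its creation time is borrowed from the hex release field of gpg-pubkey-98ab5139-4bf2d0b0 shown later in this ticket.

```python
# Added example (not VirtualBox's or Fedora's code): list each key/subkey in an armoured OpenPGP key.
import base64, hashlib, struct

ALGOS = {1: "RSA", 2: "RSA-enc", 3: "RSA-sign", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}

def dearmor(text):
    """Raw packet bytes from ASCII armor: drop BEGIN/END, armor headers and the =CRC24 line."""
    lines = text.strip().splitlines()[1:-1]
    start = next((k + 1 for k, l in enumerate(lines) if l.strip() == ""), 0)   # headers end at first blank
    return base64.b64decode("".join(l.strip() for l in lines[start:] if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) per RFC 4880 packet; old- and new-format headers, no partial lengths."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                            # new-format header
            tag, n = ctb & 0x3F, data[i]; i += 1
            if n < 192: length = n
            elif n < 224: length = ((n - 192) << 8) + data[i] + 192; i += 1
            elif n == 255: length = struct.unpack(">I", data[i:i + 4])[0]; i += 4
            else: raise ValueError("partial body lengths not supported")
        else:                                                     # old-format header (what gpg exports)
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if size is None: raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[i:i + size], "big"); i += size
        yield tag, data[i:i + length]
        i += length

def describe_keys(armored):
    """[(kind, key_id, algorithm, bits, created)] for v4 public-key (tag 6) and subkey (tag 14) packets."""
    out = []
    for tag, body in packets(dearmor(armored)):
        if tag in (6, 14) and body[0] == 4:
            created, algo = struct.unpack(">I", body[1:5])[0], body[5]
            bits = struct.unpack(">H", body[6:8])[0] if algo in (1, 2, 3, 16, 17) else None  # first MPI size
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()  # v4 fingerprint
            out.append(("key" if tag == 6 else "subkey", fpr[-16:], ALGOS.get(algo, f"algo{algo}"), bits, created))
    return out

def build_sample_key():
    """Constructed sample, not a real key: DSA-1024 primary plus ElGamal-2048 subkey with dummy MPIs."""
    def pkt(tag, algo, mpis):
        body = b"\x04" + struct.pack(">I", 0x4BF2D0B0) + bytes([algo])   # creation time: hex release of gpg-pubkey-98ab5139-4bf2d0b0
        for m in mpis:
            body += struct.pack(">H", m.bit_length()) + m.to_bytes((m.bit_length() + 7) // 8, "big")
        return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body   # old-format header, 2-byte length
    raw = pkt(6, 17, [1 << 1023 | 1, 1 << 159 | 1, 3, 5]) + pkt(14, 16, [1 << 2047 | 1, 2, 7])
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.encodebytes(raw).decode() + "-----END PGP PUBLIC KEY BLOCK-----\n"
```

Run `describe_keys(open("oracle_vbox.asc").read())` on a downloaded key to see which subkey ID carries which algorithm; the last 16 hex digits of the fingerprint are what rpm prints in the warning.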
comment:4 by , 20 months ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Hi guys,
VirtualBox 7.0.8 was just released and is available at https://www.virtualbox.org/wiki/Downloads. This issue should be fixed there. Could you please give it a try?
comment:5 by , 20 months ago
I'm afraid you goofed up something - it fails on all Fedora versions:
    Fedora 36 - x86_64 - VirtualBox 5.2 kB/s | 819 B 00:00
    Error: Failed to download metadata for repo 'virtualbox': repomd.xml GPG signature verification error: Bad GPG signature
    Ignorerer softwarearkiver: virtualbox
F37:
    Opgraderer:
    VirtualBox-7.0 x86_64 7.0.8_156879_fedora36-1 virtualbox 92 M
    Transaktionsopsummering
    ================================================================================
    Opgrader 1 Pakke
    Samlet downloadstørrelse: 92 M
    Er det OK? [j/N]: y
    Downloader pakker:
    VirtualBox-7.0-7.0.8_156879_fedora36-1.x86_64.rpm 28 MB/s | 92 MB 00:03
    Samlet 28 MB/s | 92 MB 00:03
    indhenter softwarearkivnøgle for virtualbox ukrypterede fra http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
    Fedora 37 - x86_64 - VirtualBox 516 kB/s | 1.7 kB 00:00
    GPG-nøgle på http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc (0x98AB5139) er allerede installeret
    De GPG-nøgler som vises for "Fedora 37 - x86_64 - VirtualBox"-softwarearkivet er allerede installeret, men de er ikke korrekte for denne pakke. Kontrollér at konfigurationen af nøgle-URL'er er korrekt for dette softwarearkiv..
    Mislykkede pakke er: VirtualBox-7.0-7.0.8_156879_fedora36-1.x86_64
    GPG-nøgler er konfigureret som: http://download.virtualbox.org/virtualbox/debian/oracle_vbox.asc
I'll check F38 shortly
comment:6 by , 20 months ago
On F38 it shows the same GPG error as F37. However, if I override that GPG check then it installs. That tells me that the new rpm does have the correct SHA256 checksums, as --nogpgcheck does not override the crypto policy.
I assume you just happen to have used a wrong gpg key for the signing.
btw we _really_ miss "repos" for F37 and F38 - it should be a simple thing, as the F36 build works perfectly on both.
comment:7 by , 20 months ago
ok, just got info from klaus about the fixes to the .repo file we use for Fedora - and after updating that it just works again. For everybody reading this ticket: update your .repo file according to https://download.virtualbox.org/virtualbox/rpm/fedora/virtualbox.repo
comment:8 by , 19 months ago
On F38, with the new repo, dnf update/install still fails @ gpgkey.
Issue with curl?
    lsb_release -rd
    Description: Fedora release 38 (Thirty Eight)
    Release: 38

    cat /etc/yum.repos.d/virtualbox.repo
    [virtualbox]
    name=Fedora $releasever - $basearch - VirtualBox
    baseurl=http://download.virtualbox.org/virtualbox/rpm/fedora/$releasever/$basearch
    enabled=1
    gpgcheck=1
    repo_gpgcheck=1
    gpgkey=https://www.virtualbox.org/download/oracle_vbox_2016.asc

    dnf clean all
    rm -rf /var/cache/dnf
    rpm -qa | grep VirtualBox-7.0
    dnf install VirtualBox-7.0
    ...
    Fedora 38 - x86_64 - VirtualBox 4.7 kB/s | 819 B 00:00
    Fedora 38 - x86_64 - VirtualBox 0.0 B/s | 0 B 00:01
    Errors during downloading metadata for repository 'virtualbox':
    - Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    Error: Failed to retrieve GPG key for repo 'virtualbox': Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    ...

    cd ~
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep -i virtual
    gpg-pubkey-98ab5139-4bf2d0b0    Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org> public key
    gpg-pubkey-2980aecf-5719f4e1    Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org> public key
    rpm -e --allmatches gpg-pubkey-98ab5139-4bf2d0b0
    rpm -e --allmatches gpg-pubkey-2980aecf-5719f4e1
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep -i virtual
    (empty)
    rm -f oracle_vbox*
    wget https://www.virtualbox.org/download/oracle_vbox_2016.asc
    sha256sum oracle_vbox_2016.asc
    49e6801d45f6536232c11be6cdb43fa8e0198538d29d1075a7e10165e1fbafe2  oracle_vbox_2016.asc
    rpm -v --import oracle_vbox_2016.asc
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' | grep -i virtual
    gpg-pubkey-2980aecf-5719f4e1    Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org> public key
    dnf install VirtualBox-7.0
    Fedora 38 - x86_64 - VirtualBox 3.3 kB/s | 819 B 00:00
    Fedora 38 - x86_64 - VirtualBox 0.0 B/s | 0 B 00:01
    Errors during downloading metadata for repository 'virtualbox':
    - Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    Error: Failed to retrieve GPG key for repo 'virtualbox': Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    Ignoring repositories: virtualbox
    No match for argument: VirtualBox-7.0
    Error: Unable to find a match: VirtualBox-7.0
    rm -f oracle_vbox_2016.asc
    curl https://www.virtualbox.org/download/oracle_vbox_2016.asc
    curl: (35) OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure
    which curl
    /usr/bin/curl
    curl -V
    curl 7.87.0 (x86_64-redhat-linux-gnu) libcurl/7.87.0 OpenSSL/3.0.8 zlib/1.2.13 brotli/1.0.9 libidn2/2.3.4 libpsl/0.21.2 (+libidn2/2.3.4) libssh/0.10.4/openssl/zlib nghttp2/1.52.0
    Release-Date: 2022-12-21
    Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM NTLM_WB PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets
    dnf install VirtualBox-7.0 --nogpgcheck
    Fedora 38 - x86_64 - VirtualBox 164 kB/s | 69 kB 00:00
    Dependencies resolved.
    ================================================================================
    Package Architecture Version Repository Size
    ================================================================================
    Installing:
    VirtualBox-7.0 x86_64 7.0.8_156879_fedora36-1 virtualbox 92 M
    Installing dependencies:
    libvpx7 x86_64 1.12.0-1.fc38 fedora 1.1 M
    Transaction Summary
    ================================================================================
    Install 2 Packages
    Total download size: 93 M
    Installed size: 209 M
    Is this ok [y/N]:
    ...
    Verifying : libvpx7-1.12.0-1.fc38.x86_64 1/2
    Verifying : VirtualBox-7.0-7.0.8_156879_fedora36-1.x86_64 2/2
    You should restart:
    * These applications manually:
    firefox
    Additionally, there are:
    - 1 processes requiring reboot
    For more information run:
    sudo tracer -iat 1682501005.1225846
    Installed:
    VirtualBox-7.0-7.0.8_156879_fedora36-1.x86_64 libvpx7-1.12.0-1.fc38.x86_64
    Complete!
curl issue?
checking @ https://www.ssllabs.com/ssltest/analyze.html?d=www.virtualbox.org
NOTE: "This server supports TLS 1.0 and TLS 1.1. Grade capped to B."
checking
    curl https://www.virtualbox.org/download/oracle_vbox_2016.asc --tls-max 1.1
    curl: (35) OpenSSL/3.0.8: error:0A0000BF:SSL routines::no protocols available
    curl https://www.virtualbox.org/download/oracle_vbox_2016.asc --tls-max 1.2
    curl: (35) OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure
and
    curl -v https://www.virtualbox.org/download/oracle_vbox_2016.asc
    *   Trying 137.254.60.32:443...
    * Connected to www.virtualbox.org (137.254.60.32) port 443 (#0)
    * ALPN: offers h2
    * ALPN: offers http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Unknown (21):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS alert, handshake failure (552):
    * OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure
    * Closing connection 0
    curl: (35) OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure

    curl -v https://yum.oracle.com/RPM-GPG-KEY-oracle-ol9
    *   Trying [2600:141b:9000:6a7::2a7d]:443...
    * Connected to yum.oracle.com (2600:141b:9000:6a7::2a7d) port 443 (#0)
    * ALPN: offers h2
    * ALPN: offers http/1.1
    *  CAfile: /etc/pki/tls/certs/ca-bundle.crt
    *  CApath: /etc/ssl/certs
    * [CONN-0-0][CF-SSL] TLSv1.0 (OUT), TLS header, Certificate Status (22):
    * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Certificate Status (22):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Server hello (2):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Finished (20):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Certificate (11):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Finished (20):
    * [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Finished (20):
    * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
    * ALPN: server accepted http/1.1
    * Server certificate:
    *  subject: C=US; ST=Texas; L=Austin; O=Oracle Corporation; CN=yum.oracle.com
    *  start date: Nov 14 00:00:00 2022 GMT
    *  expire date: Nov 14 23:59:59 2023 GMT
    *  subjectAltName: host "yum.oracle.com" matched cert's "yum.oracle.com"
    *  issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
    *  SSL certificate verify ok.
    * [CONN-0-0][CF-SSL] TLSv1.2 (OUT), TLS header, Supplemental data (23):
    > GET /RPM-GPG-KEY-oracle-ol9 HTTP/1.1
    > Host: yum.oracle.com
    > User-Agent: curl/7.87.0
    > Accept: */*
    >
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * [CONN-0-0][CF-SSL] TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * [CONN-0-0][CF-SSL] TLSv1.2 (IN), TLS header, Supplemental data (23):
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    < Accept-Ranges: bytes
    < Content-Type: text/plain
    < ETag: "57d39f1538ab7dcd46f2c8662f55a96f:1657036179.196558"
    < Last-Modified: Wed, 29 Jun 2022 20:50:51 GMT
    < Server: AkamaiNetStorage
    < Content-Length: 6350
    < Date: Wed, 26 Apr 2023 10:00:20 GMT
    < Connection: keep-alive
    < X-Frame-Options: SAMEORIGIN
    <
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQINBGHncu8BEAC2dhocMZkdapnP9o/MvAnKOczaSpF4Cj9yqt49bxLPJCY57jz9
    ...
    4QrtLe//99hXPcFVanIxgkdslnyYf4fjdbdlmNY=
    =xpaH
    -----END PGP PUBLIC KEY BLOCK-----
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    mQINBGHndDkBEACieeO8U0kcUTDMLGXGKrJ3nScZ4LN5hHSzWC1zuLPpkB0YQdik
    ...
    RgwnCPfIai7lLNx95bdwB8U2NpY11OXsoTLZAA==
    =UWTf
    -----END PGP PUBLIC KEY BLOCK-----
    * Connection #0 to host yum.oracle.com left intact
comment:9 by , 19 months ago
Hi guys,
Everything works here if I do "dnf up" / "yum up" after .repo file changes.
comment:10 by , 19 months ago
The problem's 'in' the dnf exec. As above, there's something up with curl/cert/protocol.
    dnf clean all
    rm -rf /var/cache/dnf
    dnf up
    ...
    Fedora 38 - x86_64 - VirtualBox 5.1 kB/s | 819 B 00:00
    Fedora 38 - x86_64 - VirtualBox 0.0 B/s | 0 B 00:01
    Errors during downloading metadata for repository 'virtualbox':
    - Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    Error: Failed to retrieve GPG key for repo 'virtualbox': Curl error (35): SSL connect error for https://www.virtualbox.org/download/oracle_vbox_2016.asc [OpenSSL/3.0.8: error:0A000410:SSL routines::sslv3 alert handshake failure]
    ...
comment:11 by , 19 months ago
Hi pgnd,
There were no recent changes in www.virtualbox.org certificate. Is there a chance that your Fedora 38 installation has stricter policies enabled which forbid TLS 1.0 and TLS 1.1?
F38 is not my primary distribution, so I cannot say much about the issue you are experiencing. What is the output of "update-crypto-policies --show"?
comment:12 by , 19 months ago
pebkac. sort of.
Our server side TLS policy here is https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility, which includes
    Cipher suites (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    Cipher suites (TLS 1.2): (none)
Clients, for a fair while now, match. We typically don't allow non-TLS 1.3 anymore.
Checking, virtualbox.org's ssl report https://www.ssllabs.com/ssltest/analyze.html?d=virtualbox.org shows no tls 1.3 support; only 1.2. And of those, only 1 strong: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
Adding that suite to CipherSuites in /etc/ssl/openssl.conf does the trick. curl & dnf curl with the new repo gpgkey url work fine, now.
wget wasn't sensitive to openssl config, as
    ldd `which wget` |grep -Ei "ssl|tls"
        libgnutls.so.30 => /lib64/libgnutls.so.30 (0x00007efd79200000)
    ldd `which curl` |grep -Ei "ssl|tls"
        libssl.so.3 => /lib64/libssl.so.3 (0x00007fad4132c000)
It would be helpful for the virtualbox.org server to get bumped to include tls1.3 support.
comment:13 by , 19 months ago
The project to modernize (on the technical side, plus updating the applications to new versions) the virtualbox.org stuff is actually ongoing for quite a while. There is still some uncertainty when the switchover will happen.
In the meantime: the public key has been available for a long time at the following URL: https://download.virtualbox.org/virtualbox/debian/oracle_vbox_2016.asc
This server can handle TLS 1.3 (but for some odd reason isn't using HSTS even though someone at Oracle told me they'd unconditionally enable it several years ago for everything on this server - we were actively supporting the plan).
Hi Yoda,
Thank you for pointing this out. We will use SHA-256 signatures for feature releases. The following RPM is the official 7.0.6 release build, but signed with SHA-256 instead of SHA-1. Could you please give it a try?
https://www.virtualbox.org/download/testcase/VirtualBox-7.0-7.0.6_155176_fedora36-1.x86_64.rpm