Nvidia-container-toolkit RPMs won’t install on FIPS-enabled RHEL/Rocky systems #321

@easpeagle

We’re running into an issue getting nvidia-container-toolkit RPMs to install on RHEL/Rocky hosts that are set up in FIPS mode. We see this:

Upgrading:
 libnvidia-container-tools        x86_64    1.17.8-1     cuda-rhel8-x86_64     40 k
 libnvidia-container1             x86_64    1.17.8-1     cuda-rhel8-x86_64    1.0 M
 nvidia-container-toolkit         x86_64    1.17.8-1     cuda-rhel8-x86_64    1.2 M
 nvidia-container-toolkit-base    x86_64    1.17.8-1     cuda-rhel8-x86_64    5.8 M

Transaction Summary
====================================================================================
Upgrade  4 Packages

Total download size: 8.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): libnvidia-container-tools-1.17.8-1.x86_64.rp  40 kB/s |  40 kB     00:01
(2/4): libnvidia-container1-1.17.8-1.x86_64.rpm     904 kB/s | 1.0 MB     00:01
(3/4): nvidia-container-toolkit-1.17.8-1.x86_64.rpm 764 kB/s | 1.2 MB     00:01
(4/4): nvidia-container-toolkit-base-1.17.8-1.x86_6 4.3 MB/s | 5.8 MB     00:01
------------------------------------------------------------------------------------
Total                                               3.4 MB/s | 8.0 MB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Transaction test error:
  package nvidia-container-toolkit-base-1.17.8-1.x86_64 does not verify: no digest
  package libnvidia-container1-1.17.8-1.x86_64 does not verify: no digest
  package libnvidia-container-tools-1.17.8-1.x86_64 does not verify: no digest
  package nvidia-container-toolkit-1.17.8-1.x86_64 does not verify: no digest

Digging into this, I see that the RPMs only contain SHA1 digests… which aren’t going to work on a FIPS-enabled system:

# rpm -Kvv libnvidia-container1-1.17.8-1.x86_64.rpm
ufdio:       1 reads,    17154 total bytes in 0.000004 secs
ufdio:       1 reads,     5442 total bytes in 0.000001 secs
ufdio:       1 reads,    17154 total bytes in 0.000005 secs
D: loading keyring from pubkeys in /var/lib/rpm/pubkeys/*.key
D: couldn't find any keys in /var/lib/rpm/pubkeys/*.key
D: loading keyring from rpmdb
D: opening  db environment /var/lib/rpm cdb:0x401
D: opening  db index       /var/lib/rpm/Packages 0x400 mode=0x0
D: locked   db index       /var/lib/rpm/Packages
D: opening  db index       /var/lib/rpm/Name 0x400 mode=0x0
D:  read h#    1513 
Header SHA1 digest: OK
D: added key gpg-pubkey-6d745a60-60287f36 to keyring
D:  read h#    1521 
Header SHA1 digest: OK
D: added key gpg-pubkey-d42d0685-62589a51 to keyring
D:  read h#    1522 
Header SHA1 digest: OK
D: added key gpg-pubkey-2f86d6a1-5cf7cefb to keyring
D:  read h#    1709 
Header SHA1 digest: OK
D: added key gpg-pubkey-158b3811-5c33874c to keyring
D:  read h#    2444 
Header SHA1 digest: OK
D: added key gpg-pubkey-621e9f35-58adea78 to keyring
D:  read h#    2612 
Header SHA1 digest: OK
D: added key gpg-pubkey-51312f3f-621fa7a9 to keyring
D: added subkey 0 of main key gpg-pubkey-51312f3f-621fa7a9 to keyring
D:  read h#    2613 
Header SHA1 digest: OK
D: added key gpg-pubkey-35dfa027-60ba0235 to keyring
D: added subkey 0 of main key gpg-pubkey-35dfa027-60ba0235 to keyring
D:  read h#    3460 
Header SHA1 digest: OK
D: added key gpg-pubkey-be1229cf-5631588c to keyring
D:  read h#    4564 
Header SHA1 digest: OK
D: added key gpg-pubkey-6ba75a4e-64486ab3 to keyring
D: added subkey 0 of main key gpg-pubkey-6ba75a4e-64486ab3 to keyring
D:  read h#    6382 
Header SHA1 digest: OK
D: added key gpg-pubkey-264a7796-62589a51 to keyring
D:  read h#    8867 
Header SHA1 digest: OK
D: added key gpg-pubkey-16055553-5b11e9d8 to keyring
D:  read h#    8879 
Header SHA1 digest: OK
D: added key gpg-pubkey-ff696172-62979e51 to keyring
D: added subkey 0 of main key gpg-pubkey-ff696172-62979e51 to keyring
D: Using legacy gpg-pubkey(s) from rpmdb
libnvidia-container1-1.17.8-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d42d0685: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID d42d0685: OK
    MD5 digest: NOTFOUND
ufdio:      38 reads,  1024228 total bytes in 0.000175 secs
D: closed   db index       /var/lib/rpm/Packages
D: closed   db index       /var/lib/rpm/Name
D: closed   db environment /var/lib/rpm

Can whoever is responsible for building these packages add the proper sha256 digests, please?
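
A pre-install check for the failure reported above, as an added example that is not part of the original issue or of the NVIDIA project's tooling: it reads `rpm -Kv` output on stdin and flags every package with no verified SHA256 digest. The function name `check_rpm_digests`, the pass/fail policy, and the second sample package are assumptions made for illustration; the first sample package is the output quoted in the issue.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): triage `rpm -Kv` output for packages
# that carry no verified SHA256 digest.
# Assumed policy: a package passes only if some SHA256 digest line reads OK.
# Typical use: rpm -Kv ./*.rpm | check_rpm_digests

# Prints "<package> <verdict> verified=<digests that read OK>" per package.
# Returns 1 if any package has no SHA256 digest that verified.
check_rpm_digests() {
  awk '
    function report() {
      if (pkg == "") return
      if (!sha256) bad = 1
      printf "%s %s verified=%s\n", pkg, (sha256 ? "ok" : "no-sha256-digest"), (okl == "" ? "none" : okl)
    }
    # Package header line, e.g. "foo-1.0-1.x86_64.rpm:"
    /^[^ \t].*\.rpm:[ \t]*$/ {
      report(); pkg = $0; sub(/:[ \t]*$/, "", pkg); sha256 = 0; okl = ""; next
    }
    # Indented digest lines only; unindented -vv debug lines are ignored.
    pkg != "" && /^[ \t]+.* digest: / {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
      name = line; sub(/ digest: .*$/, "", name); gsub(/ /, "-", name)
      status = line; sub(/^.* digest: /, "", status)
      if (status == "OK") {
        okl = okl (okl == "" ? "" : ",") name
        if (name ~ /SHA256/) sha256 = 1
      }
    }
    END { report(); exit (bad ? 1 : 0) }
  '
}

# Sample input: first package copied from the issue, second one constructed.
SAMPLE='libnvidia-container1-1.17.8-1.x86_64.rpm:
    Header V4 RSA/SHA512 Signature, key ID d42d0685: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: NOTFOUND
    V4 RSA/SHA512 Signature, key ID d42d0685: OK
    MD5 digest: NOTFOUND
example-good-1.0-1.x86_64.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

if ! printf '%s\n' "$SAMPLE" | check_rpm_digests; then
  echo "at least one package has no verified SHA256 digest" >&2
fi
```

Running this against a local mirror before promoting packages to FIPS-mode hosts surfaces the problem at sync time instead of at the `dnf` transaction test.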
