2023-01-26 01:45:09,918 DEBUG _fipsLibgcryptDivert
2023-01-26 01:45:09,919 DEBUG System is not fips enabled, no dpkg-divert needed
...
2023-01-26 02:01:49,401 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 02:01:49,402 DEBUG System is not fips enabled, no need for hmac tidy
The Bionic + fips VM upgraded successfully. Upgrade log:
2023-01-26 01:56:58,731 DEBUG _fipsLibgcryptDivert
2023-01-26 01:56:58,732 DEBUG Broken libgcrypt20-hmac will be installed, likely due to using certified fips pocket instead of fips-updates. Installing dpkg-divert for incorrect placement of /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac to the correct /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
...
2023-01-26 02:17:27,649 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 02:17:27,649 DEBUG Removing old hmac file from Bionic version
Looking at the hmac file locations:
$ ll /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
ls: cannot access '/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac': No such file or directory
$ ll /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
-rw-r--r-- 1 root root 126 May 26 2021 /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
$ dpkg-divert --list
...
local diversion of /lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac to /usr/lib/x86_64-linux-gnu/.libgcrypt.so.20.hmac
$ apt-cache policy libgcrypt20-hmac | grep Installed
Installed: 1.8.5-5ubuntu1.fips.1.4
The quirk worked as intended and the upgrade was successful.
The Bionic + fips-updates VM upgraded successfully. Upgrade log:
2023-01-26 01:57:51,662 DEBUG _fipsLibgcryptDivert
2023-01-26 01:57:51,663 DEBUG Fixed libgcrypt20-hmac will be installed as part of upgrade process, no need for dpkg-divert
...
2023-01-26 03:23:16,764 DEBUG _fipsLibgcryptHmacCleanup
2023-01-26 03:23:16,764 DEBUG Fixed libgcrypt20-hmac was installed as part of upgrade process, no need for hmac file cleanup
The quirk noticed the fixed libgcrypt20-hmac package was installed during the upgrade, and did not set up any unnecessary dpkg-diverts.
In all cases, the quirk functioned as intended, and the upgrades from Bionic to Focal were successful. The ubuntu-release-upgrader package 1:20.04.40 from --proposed fixes the issue, happy to mark verified for Focal.
Performing verification for Focal
I started three Bionic VMs and set up Ubuntu Pro like so:
- Bionic
- Bionic + fips
- Bionic + fips-updates
On each of these VMs I ran
$ sudo do-release-upgrade --proposed
This used ubuntu- release- upgrader 1:20.04.40 from --proposed, and started the
upgrade process.
The plain Bionic VM upgraded successfully. Upgrade log:
https:/ /paste. ubuntu. com/p/j7V33YHHV 8/
Looking at the fips related entries, we see:
2023-01-26 01:45:09,918 DEBUG _fipsLibgcryptD ivert macCleanup
2023-01-26 01:45:09,919 DEBUG System is not fips enabled, no dpkg-divert needed
...
2023-01-26 02:01:49,401 DEBUG _fipsLibgcryptH
2023-01-26 02:01:49,402 DEBUG System is not fips enabled, no need for hmac tidy
The Bionic + fips VM upgraded successfully. Upgrade log:
https:/ /paste. ubuntu. com/p/Y3tqXtN97 W/
Looking at the fips related entries, we see:
2023-01-26 01:56:58,731 DEBUG _fipsLibgcryptD ivert 64-linux- gnu/.libgcrypt. so.20.hmac to the correct /usr/lib/ x86_64- linux-gnu/ .libgcrypt. so.20.hmac macCleanup
2023-01-26 01:56:58,732 DEBUG Broken libgcrypt20-hmac will be installed, likely due to using certified fips pocket instead of fips-updates. Installing dpkg-divert for incorrect placement of /lib/x86_
...
2023-01-26 02:17:27,649 DEBUG _fipsLibgcryptH
2023-01-26 02:17:27,649 DEBUG Removing old hmac file from Bionic version
Looking at the hmac file locations:
$ ll /lib/x86_ 64-linux- gnu/.libgcrypt. so.20.hmac 64-linux- gnu/.libgcrypt. so.20.hmac' : No such file or directory x86_64- linux-gnu/ .libgcrypt. so.20.hmac x86_64- linux-gnu/ .libgcrypt. so.20.hmac 64-linux- gnu/.libgcrypt. so.20.hmac to /usr/lib/ x86_64- linux-gnu/ .libgcrypt. so.20.hmac fips.1. 4
ls: cannot access '/lib/x86_
$ ll /usr/lib/
-rw-r--r-- 1 root root 126 May 26 2021 /usr/lib/
$ dpkg-divert --list
...
local diversion of /lib/x86_
$ apt-cache policy libgcrypt20-hmac | grep Installed
Installed: 1.8.5-5ubuntu1.
The quirk worked as intended and the upgrade was successful.
The Bionic + fips-updates VM upgraded successfully. Upgrade log:
https:/ /paste. ubuntu. com/p/cDVyPsFRK B/
2023-01-26 01:57:51,662 DEBUG _fipsLibgcryptD ivert macCleanup
2023-01-26 01:57:51,663 DEBUG Fixed libgcrypt20-hmac will be installed as part of upgrade process, no need for dpkg-divert
...
2023-01-26 03:23:16,764 DEBUG _fipsLibgcryptH
2023-01-26 03:23:16,764 DEBUG Fixed libgcrypt20-hmac was installed as part of upgrade process, no need for hmac file cleanup
$ ll /lib/x86_ 64-linux- gnu/.libgcrypt. so.20.hmac 64-linux- gnu/.libgcrypt. so.20.hmac' : No such file or directory x86_64- linux-gnu/ .libgcrypt. so.20.hmac x86_64- linux-gnu/ .libgcrypt. so.20.hmac fips.1. 7
ls: cannot access '/lib/x86_
$ ll /usr/lib/
-rw-r--r-- 1 root root 126 Apr 15 2022 /usr/lib/
$ dpkg-divert --list
...
$ apt-cache policy libgcrypt20-hmac | grep Installed
Installed: 1.8.5-5ubuntu1.
The quirk noticed the fixed libgcrypt20-hmac package was installed during the upgrade, and did not set up any unnecessary dpkg-diverts.
In all cases, the quirk functioned as intended, and the upgrades from Bionic to Focal were successful. The ubuntu- release- upgrader package 1:20.04.40 from --proposed fixes the issue, happy to mark verified for Focal.