Description
Describe the bug
After the cimg/base:current tag recently changed from Ubuntu 22 to Ubuntu 24, the checkout command stopped working. This affects self-hosted CircleCI enterprise customers who have NIST 171 environments requiring FIPS on their server. The checkout command fails with:
```
PRNG is not seeded
fatal: Could not read from remote repository.
```
A known workaround can be found below, so in many ways this is less of a bug report and more so a request for you to provide FIPS mode support. Relatedly, I've also found that when you try to add a deploy key to a project through the button in the CircleCI UI, it always generates it with ED25519, which also appears to fail with FIPS mode enabled. My workaround for that is also listed below.
To Reproduce
No special config.yml is needed to reproduce. Checkout is the very first command in the job, and it fails immediately.
Expected behavior
It properly checks out the source code.
Workarounds
- For now we can just replace `cimg/base:current` with `cimg/base:current-22.04` in most cases. Unfortunately some popular orbs have `cimg/base:current` baked into their source code for jobs though. Likewise, you can't update `cimg/go`, `cimg/node`, and others because they're based off of `cimg/base:current`.
- If the first workaround isn't possible, you can disable FIPS via an environment variable (not a great long-term solution):

  ```yaml
  docker:
    - image: cimg/base:current
      environment:
        OPENSSL_FORCE_FIPS_MODE: 0
  ```

- For the `checkout` command always using ED25519 keys, I created a custom checkout command that I've published in this orb: https://github.com/juburr/corecci
Additional context
This probably amounts to including FIPS provider binaries in the image that can be used with openssl. Ubuntu only seems to offer these through their Ubuntu Pro subscription though.
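A preflight step that surfaces the two problems described in this issue before `checkout` runs, as an added example that is not part of the issue, the cimg/base images or CircleCI's own tooling. It assumes the `OPENSSL_FORCE_FIPS_MODE` variable named above (empty or `0` means off), the OpenSSL 3 layout of `openssl list -providers` (an indented provider name followed by `status: active`), and OpenSSH public-key lines whose first field is the algorithm; the sample provider listings and key lines are constructed, not captured from a real host. The check flags a forced FIPS mode with no active `fips` provider (the reporter's hypothesis for the `PRNG is not seeded` failure) and an `ssh-ed25519` deploy key under FIPS.

```shell
#!/bin/sh
# Preflight check for a CircleCI job on a FIPS-enforcing host.
# Added example, not code from the cimg/base project or CircleCI. Assumes:
#   - OPENSSL_FORCE_FIPS_MODE is the knob the issue describes (empty or 0 = off);
#   - `openssl list -providers` prints OpenSSL 3's "  <name>" / "    status: active" layout;
#   - deploy keys are OpenSSH public-key lines whose first field is the algorithm.

# Return 0 when OPENSSL_FORCE_FIPS_MODE asks for FIPS (anything but empty or 0).
fips_forced() {
  case "${1:-}" in
    ""|0) return 1 ;;
    *)    return 0 ;;
  esac
}

# Return 0 when provider $2 is listed with "status: active" in the
# `openssl list -providers` output passed as $1 (text, so it runs offline).
provider_active() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NF == 1 && $1 !~ /:$/                            { cur = $1 }   # "default", "fips", ...
    $1 == "status:" && $2 == "active" && cur == want { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print the algorithm field of an OpenSSH public-key line ("ssh-ed25519", "ssh-rsa", ...).
key_algo() {
  printf '%s\n' "$1" | awk '{ print $1 }'
}

# Verdict for one host. Prints a single token and returns non-zero on a problem:
#   FIPS_NO_PROVIDER  FIPS forced but no active fips provider (the failure this issue reports)
#   ED25519_KEY       FIPS forced and the deploy key is ssh-ed25519
#   OK                neither condition applies
fips_preflight() {
  force="$1"; providers="$2"; pubkey="$3"
  if fips_forced "$force"; then
    if ! provider_active "$providers" fips; then
      echo FIPS_NO_PROVIDER; return 1
    fi
    if [ "$(key_algo "$pubkey")" = ssh-ed25519 ]; then
      echo ED25519_KEY; return 1
    fi
  fi
  echo OK
}

# Constructed samples (not captured from a real host).
PROVIDERS_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.13
    status: active'
PROVIDERS_WITH_FIPS="$PROVIDERS_DEFAULT_ONLY
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.13
    status: active"
KEY_ED25519='ssh-ed25519 AAAAC3placeholder deploy@example'
KEY_RSA='ssh-rsa AAAAB3placeholder deploy@example'

# Invoked as `sh preflight.sh --live [path/to/key.pub]`, check the real host:
# the live env var, the live provider list and the deploy key actually on disk.
if [ "${1:-}" = "--live" ]; then
  fips_preflight "${OPENSSL_FORCE_FIPS_MODE:-}" \
    "$(openssl list -providers 2>/dev/null)" \
    "$(cat "${2:-$HOME/.ssh/id_rsa.pub}" 2>/dev/null)"
fi
```

Run it as the first step of the job; a non-zero exit fails the build with a readable token instead of the bare `PRNG is not seeded` message, and the same functions can be pointed at captured output when debugging a host you cannot shell into.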