On Debian Bookworm with FIPS mode enabled, when following the official instructions for installing from the apt repository, the second invocation of apt-get update fails with
+ apt-get update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Hit:2 http://deb.debian.org/debian bookworm-updates InRelease
Hit:3 http://deb.debian.org/debian-security bookworm-security InRelease
Get:4 https://download.docker.com/linux/debian bookworm InRelease [43.3 kB]
Get:5 https://download.docker.com/linux/debian bookworm/stable amd64 Packages [31.3 kB]
Fetched 74.6 kB in 1s (87.5 kB/s)
Reading package lists...fatal error in libgcrypt, file ../../src/misc.c, line 92, function _gcry_fatal_error: requested algo not in md context
Fatal error: requested algo not in md context
bash: line 6: 274 Aborted apt-get update
This is tracked (and probably won't be fixed) as bug 1014517 in the Debian issue tracker. It only happens on Bookworm because the version of libgcrypt in that release removed an exception that allowed MD5 in FIPS mode.
FIPS mode is a Linux kernel mode that disallows certain cryptographic algorithms. Whether it is active in the kernel is controlled by, and exposed at, /proc/sys/crypto/fips_enabled.
I believe that one way to work around this would be to remove the MD5 hashes from the InRelease file for Bookworm. I noticed that none of the distribution's default InRelease files contain them anymore, despite the lingering recommendation to include them. I'd venture to say that the number of Bookworm users that actually rely on MD5 hashes for package installation is extremely small. On the other hand, I believe that those users who are forced to enable FIPS mode, because, say, a compliance framework requires them to, are also eager to upgrade to Bookworm (stable) simply because it has fewer reported vulnerabilities (CVEs), which many compliance frameworks require them to address promptly.
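The two conditions the report combines, the kernel FIPS flag and an MD5Sum section in an apt InRelease file, can be checked before running apt-get update. The script below is an added diagnostic, not code from the issue, from Debian or from Docker's documentation; the InRelease text is a constructed sample and the function names are my own.

```python
import re
from pathlib import Path
# Constructed sample InRelease (digests of "" and a test sentence; sizes, paths and signature are placeholders).
SAMPLE_INRELEASE = """\
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 stable/binary-amd64/Release
 9e107d9d372bb6826bd81d3542a419d6 31300 stable/binary-amd64/Packages
SHA256:
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 stable/binary-amd64/Release
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
"""

def fips_enabled(flag=Path("/proc/sys/crypto/fips_enabled")):
    """True if the kernel reports FIPS mode; False if the flag file is missing."""
    try:
        return flag.read_text().strip() == "1"
    except OSError:
        return False

def clearsigned_body(text):
    """Payload lines only: drop the PGP armor (its 'Hash:' line is not a digest section)."""
    lines = text.splitlines()
    if not lines or lines[0] != "-----BEGIN PGP SIGNED MESSAGE-----":
        return lines  # plain Release file, nothing to strip
    start = lines.index("", 1) + 1  # armor headers end at the first blank line
    return lines[start:lines.index("-----BEGIN PGP SIGNATURE-----")]

def digest_sections(text):
    """Map each digest section present (MD5Sum/SHA1/SHA256/SHA512) to its entry count."""
    counts, current = {}, None
    for line in clearsigned_body(text):
        match = re.fullmatch(r"(MD5Sum|SHA1|SHA256|SHA512):\s*", line)
        if match:
            current = match.group(1)
            counts[current] = 0
        elif current and line.startswith(" "):
            counts[current] += 1
        else:
            current = None  # any other line ends the section
    return counts

def will_abort_in_fips(text, fips_on=None):
    """True when FIPS mode is on and the file still carries an MD5Sum section."""
    fips_on = fips_enabled() if fips_on is None else fips_on
    return fips_on and digest_sections(text).get("MD5Sum", 0) > 0
```

Because InRelease is a clearsigned message, deleting the MD5Sum section from an already published file invalidates its signature, so the change the reporter proposes has to be made on the repository side when the file is generated and signed.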