Sure, but this will need adaption in FIPS mode as it fails with:

Patch using SHA1 instead of MD5.

Thanks, Werner. This was originally reported by Alejandro Masino.

Hi, @gniibe and @Jakuje. That fulfills the requirement and all the regression tests pass in FIPS mode. Thanks!

I'm not completely sure but it might be convenient to mark HMAC keys with lengths less that 112 as non-approved in FIPS mode for both generation and verification. It could be easily implemented by adding a check using cipher/mac-hmac.c:hmac_get_keylen() or at the algo level. What do you think?

Just FYI, see also how GnuTLS has proposed to implement the service indicator:
https://gitlab.com/gnutls/gnutls/-/merge_requests/1465

Great! That fixes it. Many thanks!

Yes, I forgot to include the full build log, I'm attaching it here. I've seen this in OpenSUSE Tumbleweed; the compiler is gcc10; and I can see this on any architecture. The test fails when building against gpg-2.2.21 but not with previous versions.

I can confirm that the patch from the referenced commit fixes the issue. Thanks for the quick action!

Adding the patch here.

Builds fine now with GCC 9. Thanks for looking into this so quickly.

Adding the patch here.