From: David Howells <dhowells@redhat.com>
To: Petr Pavlu <petr.pavlu@suse.com>
Cc: dhowells@redhat.com, David Woodhouse <dwmw2@infradead.org>,
	Luis Chamberlain <mcgrof@kernel.org>,
	Daniel Gomez <da.gomez@kernel.org>,
	Sami Tolvanen <samitolvanen@google.com>,
	Aaron Tomlin <atomlin@atomlin.com>,
	keyrings@vger.kernel.org, linux-modules@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: [PATCH] sign-file, pkcs7: Honour the hash parameter to sign-file
Date: Mon, 02 Feb 2026 11:24:22 +0000
Message-ID: <2403737.1770031462@warthog.procyon.org.uk>
In-Reply-To: <20251111154923.978181-3-petr.pavlu@suse.com>

Here's an alternative patch that will allow PKCS#7 with the hash specified on
the command line, removing the SHA1 restriction.

David
---
sign-file, pkcs7: Honour the hash parameter to sign-file

Currently, the sign-file program rejects anything other than "sha1" as the
hash parameter if it is going to produce a PKCS#7 message-based signature
rather than a CMS message-based signature (though it then ignores this
argument and uses whatever is selected as the default which might not be
SHA1 and may actually reflect whatever is used to sign the X.509
certificate).

Fix sign-file to actually use the specified hash when producing a PKCS#7
message rather than just accepting the default.

Fixes: 283e8ba2dfde ("MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Lukas Wunner <lukas@wunner.de>
cc: Ignat Korchagin <ignat@cloudflare.com>
cc: Jarkko Sakkinen <jarkko@kernel.org>
cc: Stephan Mueller <smueller@chronox.de>
cc: Herbert Xu <herbert@gondor.apana.org.au>
cc: Eric Biggers <ebiggers@kernel.org>
cc: keyrings@vger.kernel.org
cc: linux-crypto@vger.kernel.org

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 547b97097230..f0b7e5616b9a 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -56,6 +56,7 @@
 	defined(OPENSSL_NO_CMS)
 #define USE_PKCS7
 #endif
+#define USE_PKCS7
 #ifndef USE_PKCS7
 #include <openssl/cms.h>
 #else
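Review bot: the unconditional `#define USE_PKCS7` added right after the `#endif` defeats the conditional just above it and forces the PKCS#7 path on every OpenSSL build, including ones where CMS is available. It reads like a leftover from exercising the PKCS#7 branch and should be dropped before merging; if forcing PKCS#7 is actually intended, the commit message needs to say so, because it silently changes which signature format every build emits.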
@@ -289,14 +290,6 @@ int main(int argc, char **argv)
 		replace_orig = true;
 	}
 
-#ifdef USE_PKCS7
-	if (strcmp(hash_algo, "sha1") != 0) {
-		fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
-			OPENSSL_VERSION_TEXT);
-		exit(3);
-	}
-#endif
-
 	/* Open the module file */
 	bm = BIO_new_file(module_name, "rb");
 	ERR(!bm, "%s", module_name);
@@ -348,10 +341,17 @@ int main(int argc, char **argv)
 		    "CMS_final");
 
 #else
-		pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
-				   PKCS7_NOCERTS | PKCS7_BINARY |
-				   PKCS7_DETACHED | use_signed_attrs);
+		unsigned int flags =
+			PKCS7_NOCERTS |
+			PKCS7_BINARY |
+			PKCS7_DETACHED |
+			use_signed_attrs;
+		pkcs7 = PKCS7_sign(NULL, NULL, NULL, bm, flags);
 		ERR(!pkcs7, "PKCS7_sign");
+
+		ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, digest_algo, flags),
+		    "PKS7_sign_add_signer");
+		ERR(PKCS7_final(pkcs7, bm, flags) != 1, "PKCS7_final");
 #endif
 
 		if (save_sig) {
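Review bot: `flags` does not include PKCS7_PARTIAL, so `PKCS7_sign(NULL, NULL, NULL, bm, flags)` is not the partial-structure call that `PKCS7_sign_add_signer()` and `PKCS7_final()` are meant to follow; without PKCS7_PARTIAL, PKCS7_sign() finalises the structure itself before any signer has been added, and the explicit `PKCS7_final(pkcs7, bm, flags)` then runs a second time over `bm`. Suggest OR-ing PKCS7_PARTIAL into the PKCS7_sign() call so the sequence matches the build-partial-then-finalise shape the CMS branch above ends with in `CMS_final`. Minor: the error string `"PKS7_sign_add_signer"` is missing the C and should read `"PKCS7_sign_add_signer"`.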

