From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com [209.85.221.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D89B5366047 for ; Mon, 2 Feb 2026 12:25:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.221.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770035111; cv=none; b=UcqCCbp+QSj2Y2429Ll7Q/hvaQdATI3C9Mni8yppQOgvHaVOzJ38Tavf7GyvgMMr18qcUJJ+TQfjwIwDNnkUAeE1J0P4pqFJo4xL7lWHHpOL19yrN/t1FwLw/LBVLrNz3nRf9hiEK1YQN7b1ZzUzNEwBHr1h/nJPveAEv1m6pGQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1770035111; c=relaxed/simple; bh=P9HHPCfdzr3+7KcIG4nqWi/NFF0xphh1hN2q0+DqS+k=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=l1XcqCMs7DGQ3RyafZb7272I06ovT3YLfSlef4lkfq6RRRFcYGQzy3LfHjLEnfHkBRIEZSilj4TWaD/8RONKSnUkB/GpLA92Xf4DxA94uVmGUZJsTZPdCfvCz9h1K6ZsfaAJ2xU2IAUy9wqSZCUHz2gZtgodAUMU8id05qmAzdo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com; spf=pass smtp.mailfrom=suse.com; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b=cXUrTXQj; arc=none smtp.client-ip=209.85.221.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=suse.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=suse.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=suse.com header.i=@suse.com header.b="cXUrTXQj" Received: by mail-wr1-f48.google.com with SMTP id ffacd0b85a97d-432da746749so2509187f8f.0 for ; Mon, 02 Feb 2026 04:25:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.com; s=google; t=1770035108; x=1770639908; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :from:to:cc:subject:date:message-id:reply-to; bh=35SCFxgP97C5MCjGFWH+I8SFYnEJmlfx+QRFsAL723s=; b=cXUrTXQj+EywFnrxpcm5ZMZ0Dpj1SrEdRNgq/FIbG8qJiGdhE3xBVOK1TyNKVC5yHM /YU4Rp6jcWu4EgREG9LUsb70K6+NleBSiFi5Y532AJZYt94kyWiCH7duiPY7ADITTgMA IW9PEEB54V/S0ubsl6TsLW/4VVNbEudOpBUOff9sJreEaYHxQhAxNFQIqtECkfn+IaYe 1qZOIec7ST2haJWciKJjBvrg+Nm+Gn755hjsc4yMIh5F92SMFKWOt1mcWDEGu6VjHu8F 6C2+EPxqtgIQ0mv3KvCrVgsoRjQ1QpvjgCpIDNk4uUvfQ3XBkeEqQMpXvOU1I3nfzYkN /now== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1770035108; x=1770639908; h=content-transfer-encoding:in-reply-to:from:content-language :references:cc:to:subject:user-agent:mime-version:date:message-id :x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=35SCFxgP97C5MCjGFWH+I8SFYnEJmlfx+QRFsAL723s=; b=QWikcXLwMQhgerndRGcNNc7Qjoj7D5vWl+97kNauU8IBFotRJTciOn9JILdDfu1cda qsueDS8TWUVe9ZpmW/Uhl4eUJm1DBHJTEne/x4tR9uFijKM4l1FaU6MAF946PEpZwCPg 2pfb6GmeSPV39yR9+C0TSajfTj5HAvcDdRLuvGpQnNfOUdyJfOsbsbJGniaISR5GlOEl wD1vO4dNO83ozGIFKeawQk63ppWKY+lYGB/gOetrr78WR9rDh56t5i17NBUiaG3oqakl JSF7Ad0OJdmdvFxBvehoWn7hxV5cRYxu8lu4b5IE7zz6vOO3NCkfKsMIfeVRW2VpnuQV xx9A== X-Forwarded-Encrypted: i=1; AJvYcCUiubjCMGVnj9z/WSnQIOq83vIu8ub6X3GWrTZIpwkdrElpR8JRRGSiefw1ykBJcTgrQ0hKAZ9LYikp1/aP@vger.kernel.org X-Gm-Message-State: AOJu0YxWsD9z9xS4vxTfeHmZjg1jIxY8udBb5MMx52fl6HpgIm6P+0p7 dlzzutwmJa53sK/qpwe8WEzb9pqWYBf2B/dTDRbIZF7PUkVWgIduNiyxEFyAkohOCOw= X-Gm-Gg: AZuq6aKqqcILuwQ7nCx8TdMFTbtxvluEHxT0ctdi25ewlH5zEK5hqxcQRVb1Bm39geI s5+xIT2PZ/60n7e7IR2gN9ltLj6hAXSTyciyDWaQub7s6Wv6kCxtTbw+Q262GzyfzRmqDOtdN7j mRUTaAOp6xnMkEyFKAzIn07meWpAmgTTnbJTGvrLrNBUipX6Oydnmer9PB0y+gpItdsaHgvOko8 U2mvjuSJ/4+jzb5cEhlL/1INqj+m24wvDsU954CN1cAg3TNAc3ZRuiPe7G2+ccK/zOfFzNEfHVg 7yNC744dIlP0utxwL8okUA/pOFOuVfxTdXVJTukK1jie6dGNFz0M9r7H9S6lhbjqFcerLx+P5p1 apRIgK21ZJggBKS8V3B/QZ3150o2gQ1wLXFDmrEEHcmlX7Xo1L6d46JJ8Q3JhjrNb8Kw/d8GTUU xZCdGDZGBy7Ofve3hAKdMRrCB2cms7LA== X-Received: by 2002:a05:6000:2881:b0:435:94c1:3713 with SMTP id ffacd0b85a97d-435f3aaff90mr15459978f8f.37.1770035108092; Mon, 02 Feb 2026 04:25:08 -0800 (PST) Received: from [10.0.1.22] (109-81-1-107.rct.o2.cz. [109.81.1.107]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-435e1322eefsm44791754f8f.30.2026.02.02.04.25.07 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 02 Feb 2026 04:25:07 -0800 (PST) Message-ID: <640c124e-0f03-4869-80fe-20c8be7aa525@suse.com> Date: Mon, 2 Feb 2026 13:25:06 +0100 Precedence: bulk X-Mailing-List: linux-modules@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] sign-file, pkcs7: Honour the hash parameter to sign-file To: David Howells Cc: David Woodhouse , Luis Chamberlain , Daniel Gomez , Sami Tolvanen , Aaron Tomlin , keyrings@vger.kernel.org, linux-modules@vger.kernel.org, linux-kernel@vger.kernel.org References: <20251111154923.978181-3-petr.pavlu@suse.com> <20251111154923.978181-1-petr.pavlu@suse.com> <2403737.1770031462@warthog.procyon.org.uk> Content-Language: en-US From: Petr Pavlu In-Reply-To: <2403737.1770031462@warthog.procyon.org.uk> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit On 2/2/26 12:24 PM, David Howells wrote: > Here's an alternative patch that will allow PKCS#7 with the hash specified on > the command line, removing the SHA1 restriction. > > David > --- > sign-file, pkcs7: Honour the hash parameter to sign-file > > Currently, the sign-file program rejects anything other than "sha1" as the > hash parameter if it is going to produce a PKCS#7 message-based signature > rather than a CMS message-based signature (though it then ignores this > argument and uses whatever is selected as the default which might not be > SHA1 and may actually reflect whatever is used to sign the X.509 > certificate). > > Fix sign-file to actually use the specified hash when producing a PKCS#7 > message rather than just accepting the default. Is it worth keeping this sign-file code that uses the OpenSSL PKCS7 API instead of having only one variant that uses the newer CMS API? -- Thanks, Petr