* [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto
@ 2026-02-16 20:01 Ben Hutchings
2026-02-16 20:03 ` [PATCH] wireless-regdb: Replace M2Crypto with cryptography package Ben Hutchings
2026-02-25 7:40 ` [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Chen-Yu Tsai
0 siblings, 2 replies; 4+ messages in thread
From: Ben Hutchings @ 2026-02-16 20:01 UTC (permalink / raw)
To: linux-wireless; +Cc: wireless-regdb
[-- Attachment #1: Type: text/plain, Size: 1131 bytes --]
In M2Crypto version 0.45.1, the default hash algorithm for
M2Crypto.RSA.sign() changed from SHA-1 to SHA-256. Since the
signature on regulatory.bin uses a SHA-1 hash, db2bin.py generates
invalid signatures for regulatory.bin if a recent version of M2Crypto
is installed.
I reported this incompatible change as
<https://todo.sr.ht/~mcepl/m2crypto/389>.
There is an obvious workaround, which is to add an explicit
algo='sha1' parameter. This works with old and new versions of
M2Crypto.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
Re-sending this with the [PATCH] prefix.
Ben.
--- a/db2bin.py
+++ b/db2bin.py
@@ -131,13 +131,13 @@ if len(sys.argv) > 3:
key = RSA.load_key(sys.argv[3])
hash = hashlib.sha1()
hash.update(output.getvalue())
- sig = key.sign(hash.digest())
+ sig = key.sign(hash.digest(), algo='sha1')
# write it to file
siglen.set(len(sig))
# sign again
hash = hashlib.sha1()
hash.update(output.getvalue())
- sig = key.sign(hash.digest())
+ sig = key.sign(hash.digest(), algo='sha1')
output.write(sig)
else:
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH] wireless-regdb: Replace M2Crypto with cryptography package
2026-02-16 20:01 [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Ben Hutchings
@ 2026-02-16 20:03 ` Ben Hutchings
2026-02-25 7:38 ` Chen-Yu Tsai
2026-02-25 7:40 ` [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Chen-Yu Tsai
1 sibling, 1 reply; 4+ messages in thread
From: Ben Hutchings @ 2026-02-16 20:03 UTC (permalink / raw)
To: linux-wireless; +Cc: wireless-regdb
[-- Attachment #1: Type: text/plain, Size: 1620 bytes --]
M2Crypto is deprecated by its maintainers in favour of the
cryptography package. Update db2bin.py to use that for signing
regulatory.bin.
Signed-off-by: Ben Hutchings <benh@debian.org>
---
This applies on top of the preceding fix for M2Crypto usage, but I can
squash them together if it's preferable to switch directly to
cryptography.
Ben.
--- a/db2bin.py
+++ b/db2bin.py
@@ -2,7 +2,6 @@
from io import BytesIO, open
import struct
-import hashlib
from dbparse import DBParser
import sys
@@ -125,19 +124,18 @@ if len(sys.argv) > 3:
# Load RSA only now so people can use this script
# without having those libraries installed to verify
# their SQL changes
- from M2Crypto import RSA
+ from cryptography.hazmat.primitives import hashes, serialization
+ from cryptography.hazmat.primitives.asymmetric import padding
# determine signature length
- key = RSA.load_key(sys.argv[3])
- hash = hashlib.sha1()
- hash.update(output.getvalue())
- sig = key.sign(hash.digest(), algo='sha1')
+ with open(sys.argv[3], 'rb') as key_file:
+ key = serialization.load_pem_private_key(key_file.read(),
+ password=None)
+ sig = key.sign(output.getvalue(), padding.PKCS1v15(), hashes.SHA1())
# write it to file
siglen.set(len(sig))
# sign again
- hash = hashlib.sha1()
- hash.update(output.getvalue())
- sig = key.sign(hash.digest(), algo='sha1')
+ sig = key.sign(output.getvalue(), padding.PKCS1v15(), hashes.SHA1())
output.write(sig)
else:
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wireless-regdb: Replace M2Crypto with cryptography package
2026-02-16 20:03 ` [PATCH] wireless-regdb: Replace M2Crypto with cryptography package Ben Hutchings
@ 2026-02-25 7:38 ` Chen-Yu Tsai
0 siblings, 0 replies; 4+ messages in thread
From: Chen-Yu Tsai @ 2026-02-25 7:38 UTC (permalink / raw)
To: Ben Hutchings; +Cc: linux-wireless, wireless-regdb
On Tue, Feb 17, 2026 at 4:03 AM Ben Hutchings <benh@debian.org> wrote:
>
> M2Crypto is deprecated by its maintainers in favour of the
> cryptography package. Update db2bin.py to use that for signing
> regulatory.bin.
Cool. This actually forced me to remove Python 2 from my system
to switch over to python3-cryptography. I was using some ancient
version of M2Crypto otherwise.
> Signed-off-by: Ben Hutchings <benh@debian.org>
> ---
> This applies on top of the preceding fix for M2Crypto usage, but I can
> squash them together if it's preferable to switch directly to
> cryptography.
It's fine. Having some history is good.
Thanks
ChenYu
> Ben.
>
> --- a/db2bin.py
> +++ b/db2bin.py
> @@ -2,7 +2,6 @@
>
> from io import BytesIO, open
> import struct
> -import hashlib
> from dbparse import DBParser
> import sys
>
> @@ -125,19 +124,18 @@ if len(sys.argv) > 3:
> # Load RSA only now so people can use this script
> # without having those libraries installed to verify
> # their SQL changes
> - from M2Crypto import RSA
> + from cryptography.hazmat.primitives import hashes, serialization
> + from cryptography.hazmat.primitives.asymmetric import padding
>
> # determine signature length
> - key = RSA.load_key(sys.argv[3])
> - hash = hashlib.sha1()
> - hash.update(output.getvalue())
> - sig = key.sign(hash.digest(), algo='sha1')
> + with open(sys.argv[3], 'rb') as key_file:
> + key = serialization.load_pem_private_key(key_file.read(),
> + password=None)
> + sig = key.sign(output.getvalue(), padding.PKCS1v15(), hashes.SHA1())
> # write it to file
> siglen.set(len(sig))
> # sign again
> - hash = hashlib.sha1()
> - hash.update(output.getvalue())
> - sig = key.sign(hash.digest(), algo='sha1')
> + sig = key.sign(output.getvalue(), padding.PKCS1v15(), hashes.SHA1())
>
> output.write(sig)
> else:
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto
2026-02-16 20:01 [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Ben Hutchings
2026-02-16 20:03 ` [PATCH] wireless-regdb: Replace M2Crypto with cryptography package Ben Hutchings
@ 2026-02-25 7:40 ` Chen-Yu Tsai
1 sibling, 0 replies; 4+ messages in thread
From: Chen-Yu Tsai @ 2026-02-25 7:40 UTC (permalink / raw)
To: linux-wireless, Ben Hutchings; +Cc: wireless-regdb
On Mon, 16 Feb 2026 21:01:58 +0100, Ben Hutchings wrote:
> In M2Crypto version 0.45.1, the default hash algorithm for
> M2Crypto.RSA.sign() changed from SHA-1 to SHA-256. Since the
> signature on regulatory.bin uses a SHA-1 hash, db2bin.py generates
> invalid signatures for regulatory.bin if a recent version of M2Crypto
> is installed.
>
> I reported this incompatible change as
> <https://todo.sr.ht/~mcepl/m2crypto/389>.
>
> [...]
Applied to master in wens/wireless-regdb.git, thanks!
[1/1] wireless-regdb: Fix regulatory.bin signing with new M2Crypto
https://git.kernel.org/wens/wireless-regdb/c/dcfad17e607c
[1/1] wireless-regdb: Replace M2Crypto with cryptography package
https://git.kernel.org/wens/wireless-regdb/c/88951a4a9b07
Best regards,
--
Chen-Yu Tsai <wens@kernel.org>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-02-25 7:40 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-02-16 20:01 [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Ben Hutchings
2026-02-16 20:03 ` [PATCH] wireless-regdb: Replace M2Crypto with cryptography package Ben Hutchings
2026-02-25 7:38 ` Chen-Yu Tsai
2026-02-25 7:40 ` [PATCH] wireless-regdb: Fix regulatory.bin signing with new M2Crypto Chen-Yu Tsai
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox