[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <56BB3A09.3080501@hpe.com>
Date: Wed, 10 Feb 2016 14:24:25 +0100
From: Juerg Haefliger <juerg.haefliger@....com>
To: David Howells <dhowells@...hat.com>
Cc: linux-kernel@...r.kernel.org, keyrings@...r.kernel.org,
dwmw2@...radead.org
Subject: Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a
raw signature
On 02/10/2016 11:12 AM, David Howells wrote:
> Juerg Haefliger <juerg.haefliger@....com> wrote:
>
>> This patch adds support for signing a kernel module with a raw
>> detached PKCS#7 signature/message.
>>
>> The signature is not converted and is simply appended to the module so
>> it needs to be in the right format. Using openssl, a valid signature can
>> be generated like this:
>> $ openssl smime -sign -nocerts -noattr -binary -in <module> -inkey \
>> <key> -signer <x509> -outform der -out <raw sig>
>>
>> The resulting raw signature from the above command is (more or less)
>> identical to the raw signature that sign-file itself can produce like
>> this:
>> $ scripts/sign-file -d <hash algo> <key> <x509> <module>
>
> What's the usage case for this? Can it be done instead with openssl PKCS#11?
Our internal signing service doesn't support PKCS#11. I have to submit the blobs
and get detached PKCS#7 messages back. I don't claim I fully understand all the
different signing mechanisms but everything worked just fine until support for
signing with a detached signature was removed. IMO that's a regression, which
I'm trying to fix with this patch.
...Juerg
> David
>
Powered by blists - more mailing lists