Message-ID: <0b18e4cd726c6d986e969a78bff0aaaf6affd3a0.camel@HansenPartnership.com>
Date: Wed, 12 Nov 2025 10:47:23 -0500
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: David Howells <dhowells@...hat.com>, Petr Pavlu <petr.pavlu@...e.com>
Cc: David Woodhouse <dwmw2@...radead.org>, Luis Chamberlain
<mcgrof@...nel.org>, Daniel Gomez <da.gomez@...nel.org>, Sami Tolvanen
<samitolvanen@...gle.com>, Aaron Tomlin <atomlin@...mlin.com>,
keyrings@...r.kernel.org, linux-modules@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] sign-file: Remove support for signing with PKCS#7

On Wed, 2025-11-12 at 15:36 +0000, David Howells wrote:
> Petr Pavlu <petr.pavlu@...e.com> wrote:
>
> > In practice, since distributions now typically sign modules with
> > SHA-2, for which sign-file already required CMS API support,
> > removing the USE_PKCS7 code shouldn't cause any issues.
>
> We're looking at moving to ML-DSA, and the CMS support there is
> slightly dodgy at the moment, so we need to hold off a bit on this
> change.

How will removing PKCS7_sign, which can only do sha1 signatures, affect
that? Is the dodginess that the PKCS7_... API is better than CMS_...
for PQS at the moment? In which case we could pretty much do a rip and
replace of the CMS_ API if necessary, but that would be a completely
separate patch.

Regards,

James