Re: [PATCH v2] scripts/sign-file.c: Add support for signing with a raw signature

From: Juerg Haefliger
Date: Thu Feb 18 2016 - 04:26:29 EST


On 02/10/2016 02:24 PM, Juerg Haefliger wrote:
> On 02/10/2016 11:12 AM, David Howells wrote:
>> Juerg Haefliger <juerg.haefliger@xxxxxxx> wrote:
>>
>>> This patch adds support for signing a kernel module with a raw
>>> detached PKCS#7 signature/message.
>>>
>>> The signature is not converted and is simply appended to the module so
>>> it needs to be in the right format. Using openssl, a valid signature can
>>> be generated like this:
>>> $ openssl smime -sign -nocerts -noattr -binary -in <module> -inkey \
>>> <key> -signer <x509> -outform der -out <raw sig>
>>>
>>> The resulting raw signature from the above command is (more or less)
>>> identical to the raw signature that sign-file itself can produce like
>>> this:
>>> $ scripts/sign-file -d <hash algo> <key> <x509> <module>
>>
>> What's the usage case for this? Can it be done instead with openssl PKCS#11?
>
> Our internal signing service doesn't support PKCS#11. I have to submit the blobs
> and get detached PKCS#7 messages back. I don't claim I fully understand all the
> different signing mechanisms but everything worked just fine until support for
> signing with a detached signature was removed. IMO that's a regression, which
> I'm trying to fix with this patch.

Any comments?

Thanks
...Juerg