Re: Module signing broken after SYSTEM_DATA_VERIFICATION commit?

From: Valdis . Kletnieks
Date: Fri Aug 28 2015 - 17:09:36 EST


On Fri, 28 Aug 2015 11:23:54 +0100, David Howells said:
> Valdis Kletnieks <Valdis.Kletnieks@xxxxxx> wrote:
>
> > [ 31.829322] PKCS7: Unknown OID: [32] 2.16.840.1.101.3.4.2.3
> > [ 31.829328] PKCS7: Unknown OID: [180] 2.16.840.1.101.3.4.2.3
>
> OID_sha1, /* 1.3.14.3.2.26 */
> OID_sha256, /* 2.16.840.1.101.3.4.2.1 */
>
> I suspect I'm missing something here in oid_registry.h. Looking online, I
> see:
>
> id-sha256 OBJECT IDENTIFIER ::= { hashAlgs 1 }
> id-sha384 OBJECT IDENTIFIER ::= { hashAlgs 2 }
> id-sha512 OBJECT IDENTIFIER ::= { hashAlgs 3 }
> id-sha224 OBJECT IDENTIFIER ::= { hashAlgs 4 }
> id-sha512-224 OBJECT IDENTIFIER ::= { hashAlgs 5 }
> id-sha512-256 OBJECT IDENTIFIER ::= { hashAlgs 6 }
>
> Are you perchance using sha512 hashes in your signatures?

% grep MODULE_SIG /usr/src/linux-next/.config
CONFIG_MODULE_SIG=y
# CONFIG_MODULE_SIG_FORCE is not set
CONFIG_MODULE_SIG_ALL=y
# CONFIG_MODULE_SIG_SHA1 is not set
# CONFIG_MODULE_SIG_SHA224 is not set
# CONFIG_MODULE_SIG_SHA256 is not set
# CONFIG_MODULE_SIG_SHA384 is not set
CONFIG_MODULE_SIG_SHA512=y
CONFIG_MODULE_SIG_HASH="sha512"
CONFIG_MODULE_SIG_KEY="signing_key.pem"

Attachment: pgpGL_tGbTA8h.pgp
Description: PGP signature