Re: [PATCH 2/2] sign-file: Remove support for signing with PKCS#7

From: David Howells

Date: Wed Nov 12 2025 - 10:52:51 EST


James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx> wrote:

> > We're looking at moving to ML-DSA, and the CMS support there is
> > slightly dodgy at the moment, so we need to hold off a bit on this
> > change.
>
> How will removing PKCS7_sign, which can only do sha1 signatures, affect
> that? Is the dodginess that the PKCS7_... API is better than CMS_...
> for PQS at the moment? In which case we could pretty much do a rip and
> replace of the CMS_ API if necessary, but that would be a completely
> separate patch.

OpenSSL-3.5.1's ML-DSA support isn't completely right - in particular
CMS_NOATTR is not currently supported. I believe there is a fix in the works
there, but I doubt it has made it to all the distributions yet. I'm only
asking that we hold off a cycle; that will probably suffice.

David