Re: [PATCH 2/2] sign-file: Remove support for signing with PKCS#7

Next message: Ben Horgan: "Re: [PATCH 10/33] arm_mpam: Add probe/remove for mpam msc driver and kbuild boiler plate"
Previous message: Frank Li: "Re: [PATCH v2 2/2] arm64: dts: freescale: add Toradex SMARC iMX95"
In reply to: James Bottomley: "Re: [PATCH 2/2] sign-file: Remove support for signing with PKCS#7"
Next in thread: James Bottomley: "Re: [PATCH 2/2] sign-file: Remove support for signing with PKCS#7"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: David Howells

Date: Wed Nov 12 2025 - 10:37:09 EST

Petr Pavlu <petr.pavlu@xxxxxxxx> wrote:

> In practice, since distributions now typically sign modules with SHA-2, for
> which sign-file already required CMS API support, removing the USE_PKCS7
> code shouldn't cause any issues.

We're looking at moving to ML-DSA, and the CMS support there is slightly dodgy
at the moment, so we need to hold off a bit on this change.

Patch 1, removing the option to sign with SHA-1 from the kernel is fine, but
doesn't stop things that are signed with SHA-1 from being verified.

David