Re: [PATCH] sign-file, pkcs7: Honour the hash parameter to sign-file
From: Petr Pavlu
Date: Mon Feb 02 2026 - 07:25:49 EST
On 2/2/26 12:24 PM, David Howells wrote:
> Here's an alternative patch that will allow PKCS#7 with the hash specified on
> the command line, removing the SHA1 restriction.
>
> David
> ---
> sign-file, pkcs7: Honour the hash parameter to sign-file
>
> Currently, the sign-file program rejects anything other than "sha1" as the
> hash parameter if it is going to produce a PKCS#7 message-based signature
> rather than a CMS message-based signature (though it then ignores this
> argument and uses whatever is selected as the default which might not be
> SHA1 and may actually reflect whatever is used to sign the X.509
> certificate).
>
> Fix sign-file to actually use the specified hash when producing a PKCS#7
> message rather than just accepting the default.
Is it worth keeping this sign-file code that uses the OpenSSL PKCS7 API
instead of having only one variant that uses the newer CMS API?
--
Thanks,
Petr
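The commit message above describes sign-file accepting a hash name for PKCS#7 output but silently using the default digest instead. A practical check for that kind of bug is to inspect the produced signature and read the digest algorithm it actually records. The following is an added example, not code from the thread or from the kernel's sign-file: a minimal DER walker that reads the digestAlgorithms set of a PKCS#7/CMS SignedData and compares it with the hash that was requested. The sample SignedData it builds is constructed inline (no real signer info, placeholder content) purely so the walker has something to parse; the OID table covers the standard SHA OIDs.

```python
# Added example: inspect which digest a PKCS#7/CMS SignedData really declares.
# Not the kernel's sign-file code; assumptions are marked in comments.

# Standard digest algorithm OIDs (from RFC 3370 / RFC 5754).
DIGEST_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
    "2.16.840.1.101.3.4.2.2": "sha384",
    "2.16.840.1.101.3.4.2.3": "sha512",
}
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"   # pkcs7-signedData
ID_DATA = "1.2.840.113549.1.7.1"          # pkcs7-data


def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                      # base-128 with continuation bits
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end, next_pos) for the TLV at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length, pos + length


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signed_data_digests(der):
    """Return the digest names listed in SignedData.digestAlgorithms."""
    tag, start, _, _ = _read_tlv(der, 0)              # ContentInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, s, e, nxt = _read_tlv(der, start)           # contentType OID
    if tag != 0x06 or _decode_oid(der[s:e]) != ID_SIGNED_DATA:
        raise ValueError("contentType is not signedData")
    tag, s, _, _ = _read_tlv(der, nxt)               # [0] EXPLICIT content
    if tag != 0xA0:
        raise ValueError("missing explicit content tag")
    tag, s, _, _ = _read_tlv(der, s)                 # SignedData SEQUENCE
    tag, _, _, nxt = _read_tlv(der, s)               # version INTEGER
    if tag != 0x02:
        raise ValueError("missing version")
    tag, s, e, _ = _read_tlv(der, nxt)               # digestAlgorithms SET
    if tag != 0x31:
        raise ValueError("missing digestAlgorithms")
    names, pos = [], s
    while pos < e:
        _, a_s, _, pos = _read_tlv(der, pos)         # AlgorithmIdentifier
        _, o_s, o_e, _ = _read_tlv(der, a_s)         # its algorithm OID
        oid = _decode_oid(der[o_s:o_e])
        names.append(DIGEST_OIDS.get(oid, oid))
    return names


def honours_requested_hash(der, requested):
    """True only if the signature declares exactly the hash that was asked for."""
    return signed_data_digests(der) == [requested]


def build_sample_signed_data(digest_oid):
    """Constructed, signer-less SignedData used only to exercise the parser."""
    alg = _tlv(0x30, _encode_oid(digest_oid) + b"\x05\x00")   # OID + NULL params
    signed = _tlv(0x30, _tlv(0x02, b"\x01")                  # version 1
                  + _tlv(0x31, alg)                          # digestAlgorithms
                  + _tlv(0x30, _encode_oid(ID_DATA))         # detached content
                  + _tlv(0x31, b""))                         # empty signerInfos
    return _tlv(0x30, _encode_oid(ID_SIGNED_DATA) + _tlv(0xA0, signed))


if __name__ == "__main__":
    sig = build_sample_signed_data("2.16.840.1.101.3.4.2.1")
    print(signed_data_digests(sig), honours_requested_hash(sig, "sha1"))
```

On a real signature, feed the DER bytes of the detached PKCS#7 or CMS message (for instance the signature blob sign-file appends to a module, or the output of `openssl cms -sign -outform DER`) to `honours_requested_hash` with the hash name that was passed on the command line; a `False` result is exactly the symptom the commit message describes, where the requested name was accepted but not used.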