On 02/10/2016 02:24 PM, Juerg Haefliger wrote:
> On 02/10/2016 11:12 AM, David Howells wrote:
>> Juerg Haefliger <[email protected]> wrote:
>>
>>> This patch adds support for signing a kernel module with a raw
>>> detached PKCS#7 signature/message.
>>>
>>> The signature is not converted and is simply appended to the module so
>>> it needs to be in the right format. Using openssl, a valid signature can
>>> be generated like this:
>>> $ openssl smime -sign -nocerts -noattr -binary -in <module> -inkey \
>>> <key> -signer <x509> -outform der -out <raw sig>
>>>
>>> The resulting raw signature from the above command is (more or less)
>>> identical to the raw signature that sign-file itself can produce like
>>> this:
>>> $ scripts/sign-file -d <hash algo> <key> <x509> <module>
>>
>> What's the usage case for this? Can it be done instead with openssl PKCS#11?
>
> Our internal signing service doesn't support PKCS#11. I have to submit the blobs
> and get detached PKCS#7 messages back. I don't claim I fully understand all the
> different signing mechanisms but everything worked just fine until support for
> signing with a detached signature was removed. IMO that's a regression, which
> I'm trying to fix with this patch.

Any comments?

Thanks
...Juerg
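Because the patch description says the raw signature is appended without conversion, a detached PKCS#7 blob returned by a signing service can be checked against the module before it is attached. The following is an added example, not part of the thread or the patch; the function names, the throwaway key and certificate, and the dummy module file are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a detached PKCS#7 signature against the module blob
# before it is appended. Key, certificate and "module" are constructed here.

# make_fixture DIR: throwaway key/cert plus a dummy blob standing in for a .ko
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed test signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    printf 'constructed module bytes\n' > "$1/module.ko"
}

# sign_detached MODULE KEY X509 SIG: the openssl command quoted in the thread
sign_detached() {
    openssl smime -sign -nocerts -noattr -binary -in "$1" -inkey "$2" \
        -signer "$3" -outform der -out "$4"
}

# verify_detached MODULE X509 SIG: returns 0 only if SIG is a valid DER
# PKCS#7 signature over MODULE made with the key belonging to X509.
# -nocerts left the signer certificate out of the message, so it is supplied
# with -certfile; -nointern restricts the lookup to that file.
# -noverify skips certificate chain validation (the test cert is self-signed);
# the signature over the content is still checked.
verify_detached() {
    openssl smime -verify -binary -inform der -in "$3" -content "$1" \
        -certfile "$2" -nointern -noverify -out /dev/null 2>/dev/null
}
```

A non-zero return from `verify_detached` means the blob is not a valid signature over those exact module bytes for that certificate, for example because the module was rebuilt or stripped after it was submitted for signing.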

