[Rpm-maint] [rpm-software-management/rpm] rpmsign: Adopting PKCS#11 opaque keys support in libfsverity for fsverity signatures (#1779)
wuyuoss
notifications at github.com
Tue Nov 2 06:00:15 UTC 2021
@wuyuoss commented on this pull request.
> @@ -149,9 +170,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
if (flags_sign_files(sargs->signflags)) {
char *fileSigningKeyPassword = NULL;
- char *key = rpmExpand("%{?_file_signing_key}", NULL);
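Review bot: the removed `rpmExpand("%{?_file_signing_key}", NULL)` line in doSign() is the only read of the file signing key visible in this hunk, and the lines quoted here do not show what replaces it. A short comment at this spot saying where the key source is now resolved and checked would help. The rpmsign documentation should also state whether `%_file_signing_key` is still honoured.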
Yeah it is.
The signing actually calls `libfsverity_sign_digest` (from kernel fsverity-utils: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/lib/sign_digest.c#n402) in `sign/rpmsignverity.c`, which has requirements on:
- the cert being present,
- the private key, which can come either from a direct private key path or from a PKCS#11 token, but must be present as well.
So this feature is not removed; it's now:
- the private key can be provided in two ways (following fsverity-utils),
- the cert-presence check is performed earlier, to fail early if it is not present.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1779#discussion_r740740186