[Rpm-maint] [rpm-software-management/rpm] rpmsign: Adopting PKCS#11 opaque keys support in libfsverity for fsverity signatures (#1779)

wuyuoss notifications at github.com
Tue Nov 2 06:00:15 UTC 2021


@wuyuoss commented on this pull request.



> @@ -149,9 +170,9 @@ static int doSign(poptContext optCon, struct rpmSignArgs *sargs)
 
     if (flags_sign_files(sargs->signflags)) {
 	char *fileSigningKeyPassword = NULL;
-	char *key = rpmExpand("%{?_file_signing_key}", NULL);
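Review bot: the hunk shows only the removal of `char *key = rpmExpand("%{?_file_signing_key}", NULL);` with no replacement in view, so from this context alone it is not clear where the key path (or the PKCS#11 key) is now read or what happens when `%_file_signing_key` is unset; please point at the new lookup, confirm that an empty expansion is rejected before `libfsverity_sign_digest` is reached, and update the macro documentation for `%_file_signing_key` to describe the PKCS#11 alternative.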

Yeah it is. 

The signing actually calls "`libfsverity_sign_digest`" (from kernel fsverity-utils: https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/lib/sign_digest.c#n402) in "`sign/rpmsignverity.c`", which requires that
- the cert be present,
- the private key be present as well; it can come either from a direct private key path or from a PKCS#11 token.

So this feature is not removed; it's now
- the private key can be provided in two ways (following fsverity-utils),
- the cert-present check is performed earlier, to fail early if it is not present.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1779#discussion_r740740186
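The two requirements the comment describes (a certificate must always be present, and a private key must come from exactly one of a key file path or a PKCS#11 key) can be checked before any signing call is made. The following is an added example, not rpm's code and not the libfsverity API: `FsveritySigningConfig`, `key_source` and `is_signable` are hypothetical names, the field names are this example's own rather than rpm macro names or `libfsverity_signature_params` members, and rejecting a configuration that supplies the key both ways is a design choice of this example, not something the thread states.

```python
"""Fail-early validation of an fsverity signing configuration.

Added example (not rpm's code). It models the two requirements the comment
describes for libfsverity_sign_digest: a certificate must be present, and a
private key must be supplied either as a key file path or as a PKCS#11 key.
A configuration that cannot satisfy them is rejected before signing starts.
All names here are assumptions; they are not rpm macros or libfsverity fields.
"""
from dataclasses import dataclass
from typing import Optional


class SigningConfigError(ValueError):
    """Raised when the inputs cannot satisfy the signer's requirements."""


@dataclass(frozen=True)
class FsveritySigningConfig:
    certfile: Optional[str] = None       # PEM certificate, always required
    keyfile: Optional[str] = None        # private key path (way 1)
    pkcs11_keyid: Optional[str] = None   # PKCS#11 key identifier (way 2)
    pkcs11_module: Optional[str] = None  # PKCS#11 module needed for way 2


def _present(value: Optional[str]) -> bool:
    # An unset value and one that expands to "" (an unset macro) are treated alike.
    return value is not None and value.strip() != ""


def key_source(cfg: FsveritySigningConfig) -> str:
    """Return "file" or "pkcs11", the source of the private key.

    Raises SigningConfigError when the configuration could not be used to sign.
    """
    if not _present(cfg.certfile):
        raise SigningConfigError("file signing requested but no certificate configured")

    has_file = _present(cfg.keyfile)
    has_token = _present(cfg.pkcs11_keyid)

    # Assumed policy of this example: an ambiguous configuration is rejected
    # rather than silently preferring one key source over the other.
    if has_file and has_token:
        raise SigningConfigError("private key given both as a file and as a PKCS#11 key")
    if has_file:
        return "file"
    if has_token:
        if not _present(cfg.pkcs11_module):
            raise SigningConfigError("PKCS#11 key configured without a PKCS#11 module")
        return "pkcs11"
    raise SigningConfigError("file signing requested but no private key (file or PKCS#11) configured")


def is_signable(cfg: FsveritySigningConfig) -> bool:
    """True when key_source() accepts the configuration, False otherwise."""
    try:
        key_source(cfg)
    except SigningConfigError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample configurations; the paths are placeholders, not real files.
    samples = {
        "file key": FsveritySigningConfig(certfile="/etc/pki/cert.pem", keyfile="/etc/pki/key.pem"),
        "pkcs11 key": FsveritySigningConfig(certfile="/etc/pki/cert.pem",
                                            pkcs11_keyid="pkcs11:object=signing-key",
                                            pkcs11_module="/usr/lib/pkcs11/example.so"),
        "no cert": FsveritySigningConfig(keyfile="/etc/pki/key.pem"),
        "no key": FsveritySigningConfig(certfile="/etc/pki/cert.pem"),
        "empty macro": FsveritySigningConfig(certfile="/etc/pki/cert.pem", keyfile=""),
    }
    for name, cfg in samples.items():
        try:
            print(f"{name}: ok, key from {key_source(cfg)}")
        except SigningConfigError as err:
            print(f"{name}: rejected ({err})")
```

Running the block prints one line per constructed sample: the first two are accepted with their key source, the other three are rejected before any signing would be attempted, which is the fail-early behaviour the comment describes.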