[Rpm-maint] [rpm-software-management/rpm] rpmsign: enable signing files with PKCS11 tokens (PR #4125)

Jeremy Cline notifications at github.com
Tue Feb 24 21:47:34 UTC 2026


Attempt to load the PKCS11 provider for OpenSSL and use it if it is available. This allows users of rpmsign to pass in a pkcs11 URI as the file signing key. For example:

rpmsign --addsign --rpmv6 --signfiles \
  --fskpath "pkcs11:token=test-codesigning-key;id=%01;type=private" \
  cloud-init-25.2-10.fc43.noarch.rpm

When this is provided, a non-zero keyid is required, so there's also a _file_signing_key_id macro to provide that. ima-evm-utils has a flag to extract the Subject Key ID from an x509 certificate to use as the keyid so that's a direction we could go as well, or we can leave that as an exercise to the reader.

Fixes: #4124

I've marked this as a draft because I'd like some early feedback before I go write tests to set up a software pkcs11 token and all that. Should there be a CLI argument for the keyid? Does this need to support OpenSSL 1? The INSTALL file indicates openssl-1.0.2+ is supported, but it feels a bit weird to add support for that since engines aren't even available in many current RPM-based distributions.

You can view, comment on, or merge this pull request online at:

  https://github.com/rpm-software-management/rpm/pull/4125

-- Commit Summary --

  * rpmsign: enable signing files with PKCS11 tokens

-- File Changes --

    M sign/rpmgensig.cc (3)
    M sign/rpmsignfiles.cc (15)
    M sign/rpmsignfiles.hh (4)

-- Patch Links --

https://github.com/rpm-software-management/rpm/pull/4125.patch
https://github.com/rpm-software-management/rpm/pull/4125.diff

Message ID: <rpm-software-management/rpm/pull/4125 at github.com>
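The PR description leaves the keyid derivation as an exercise: ima-evm-utils (evmctl --keyid-from-cert) takes the last four bytes of the certificate's Subject Key Identifier, read as a big-endian 32-bit value, as the keyid that goes into the IMA signature header. The following is an added example, not code from this PR, from rpm or from ima-evm-utils, that does the same derivation with a minimal DER walker so it needs no third-party library. The certificate bytes it runs on are a constructed stand-in (only the extensions block is structurally faithful to X.509), the SKID value in it is made up, and the "0x%08x" rendering of the result for the _file_signing_key_id macro is an assumption, since the page does not show the value format that macro expects.

```python
# Added example: derive an IMA keyid from a certificate's Subject Key
# Identifier (last 4 bytes of the SKID, big-endian), as evmctl
# --keyid-from-cert does. Not part of rpm, the PR, or ima-evm-utils.
import struct

SKID_OID = bytes([0x55, 0x1D, 0x0E])  # OID 2.5.29.14 subjectKeyIdentifier


def der_read(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, end, end


def der_children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = der_read(buf, pos)
        yield tag, vs, ve


def find_skid(cert_der):
    """Depth-first search of the DER for the subjectKeyIdentifier extension.
    Returns the KeyIdentifier bytes, or None if the extension is absent."""
    def walk(start, end):
        for tag, vs, ve in der_children(cert_der, start, end):
            if tag & 0x20 == 0:  # primitive: nothing to descend into
                continue
            kids = list(der_children(cert_der, vs, ve))
            if (tag == 0x30 and kids and kids[0][0] == 0x06
                    and cert_der[kids[0][1]:kids[0][2]] == SKID_OID):
                # Extension ::= SEQUENCE { extnID, critical BOOLEAN OPTIONAL,
                #                          extnValue OCTET STRING }
                etag, evs, eve = kids[-1]
                if etag != 0x04:
                    raise ValueError("extnValue is not an OCTET STRING")
                # extnValue wraps the DER of KeyIdentifier ::= OCTET STRING
                itag, ivs, ive, _ = der_read(cert_der, evs)
                if itag != 0x04 or ive != eve:
                    raise ValueError("malformed subjectKeyIdentifier")
                return cert_der[ivs:ive]
            found = walk(vs, ve)
            if found is not None:
                return found
        return None
    return walk(0, len(cert_der))


def keyid_from_skid(skid):
    """IMA keyid: the last 4 bytes of the SKID as a big-endian u32."""
    if len(skid) < 4:
        raise ValueError("SKID shorter than 4 bytes")
    return struct.unpack(">I", skid[-4:])[0]


def file_signing_key_id(cert_der):
    """Hex rendering assumed for _file_signing_key_id (format is an assumption)."""
    skid = find_skid(cert_der)
    if skid is None:
        raise ValueError("certificate has no subjectKeyIdentifier extension")
    return "0x%08x" % keyid_from_skid(skid)


# --- constructed sample input (not a real certificate) ----------------------
def der(tag, payload):
    """Tiny DER encoder used only to build the stand-in certificate below."""
    n = len(payload)
    if n < 0x80:
        lb = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + lb + payload


CONSTRUCTED_SKID = bytes.fromhex("0102030405060708090a0b0c0d0e0f1011121314")


def sample_cert():
    """Stand-in DER: a cut-down tbsCertificate whose [3] extensions block holds a
    critical basicConstraints (a decoy to skip) followed by the SKID extension."""
    basic = der(0x30, der(0x06, b"\x55\x1d\x13") + der(0x01, b"\xff")
                + der(0x04, der(0x30, der(0x01, b"\xff"))))
    skid = der(0x30, der(0x06, SKID_OID) + der(0x04, der(0x04, CONSTRUCTED_SKID)))
    tbs = der(0x30, der(0x02, b"\x01") + der(0xA3, der(0x30, basic + skid)))
    return der(0x30, tbs)


if __name__ == "__main__":
    print("keyid:", file_signing_key_id(sample_cert()))
```

Feed a real certificate's DER bytes (e.g. the output of openssl x509 -outform DER) to file_signing_key_id to get the value for the key actually held on the token; the walker skips the critical flag and any other extension, so ordering within the extensions block does not matter.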