[Rpm-maint] [rpm-software-management/rpm] rpmsign: enable signing files with PKCS11 tokens (PR #4125)
Simo Sorce
notifications at github.com
Fri Feb 27 17:23:48 UTC 2026
simo5 left a comment (rpm-software-management/rpm#4125)
> For my use-case I'm fine having the keyid be provided in a config, but if someone really wants rpmsign to handle it, I'd say require users to provide the PEM- or DER-encoded certificate that matches whatever key you're using and then use `imaevm_read_keyid` from that file.
Maybe I was not clear: going from a certificate to find the corresponding private key in a PKCS#11 token is not straightforward, and may fail within OpenSSL + pkcs11-provider due to various limitations on the kind of information passed internally through OpenSSL.
Ideally rpmsign identifies the private key directly, and not indirectly by virtue of an associated certificate. However, if rpmsign can only deal with certificates as identifiers, we'll try to find a way to deal with that.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/4125#issuecomment-3974127066