Dear Zbyszek,

Thanks, I updated the Wiki page correspondingly.

On Wed, Apr 3, 2024 at 5:56 PM Zbigniew Jędrzejewski-Szmek <zbys...@in.waw.pl> wrote:

> [Replying to two mails at once to conserve some electrons.]
>
> On Tue, Apr 02, 2024 at 04:03:31PM +0200, Dmitry Belyavskiy wrote:
> > Thanks. In the period between the proposal was written and published the
> > TPM2 provider has landed in Fedora.
> > PKCS#11 provider is already here for a while.
> >
> > Should I update the Wiki page to adjust this point?
>
> Please do.
>
> > > > == How To Test ==
> > > > OpenSSL libcrypto.so exports the same ENGINE_* symbols as for f40.
> > > > Applications relying on the ENGINE API can't be built but still work.
> > >
> > > That's incompatible with package rebuilds…
> > >
> > > An acceptable approach would be to split out the headers to a separate
> > > -devel file, e.g. openssl-engine-devel, mark it as Provides: deprecated().
> > > Existing packages which need the engine headers can adjust to use the
> > > new header and new packages are prevented by the Packaging Guidelines
> > > from adding a dependency on deprecated packages.
> >
> > Thanks! I like this idea and can update the Wiki page accordingly.
>
> Thanks!
>
> On Tue, Apr 02, 2024 at 05:12:20PM +0200, Dmitry Belyavskiy wrote:
> > On Tue, Apr 2, 2024 at 4:32 PM Luca Boccassi <bl...@debian.org> wrote:
> > [...]
> > The TPM2 package is suitable for all required operations, AFAIK.
> > I'm also sure about the PKCS11 provider which I follow close enough.
> >
> > Please raise detailed issues if you have something particular.
> > I remember that you mentioned a particular issue about PKCS#11, could you
> > please try the current version?
> > My colleagues working on PKCS#11 are not aware of any Yubikey issues, BTW.
> >
> > Third-party engines may be a problem but as we don't break ABI, it's not a
> > problem of the moment.
>
> On Wed, Apr 03, 2024 at 09:50:27AM +0200, Clemens Lang wrote:
> > I did try using the current pkcs11-provider with my Yubikey to
> > create a signature using openssl dgst -sign
> > 'pkcs11:serial=18c9662a9c930e9e;id=%02;type=private'. It worked just
> > fine for me, including prompting for the PIN, twice.
> >
> > I did have to enable the PKCS11 provider in my openssl.cnf, but that
> > could also be done programmatically at runtime by applications
> > should they choose to do so.
> >
> > I was not able to reproduce the problems you faced in the systemd
> > upstream ticket you referred to earlier. It is possible that they
> > have been fixed upstream in the meantime.
>
> Thank you both, it sounds like this should work. In systemd, we'll
> need to adjust the code to use providers, but that should be doable.
>
> OK, so with discussed changes, I'm +1.
>
> Zbyszek
> --
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue

--
Dmitry Belyavskiy
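
The openssl.cnf change Clemens Lang mentions in the quoted text, written out as an added example that is not part of the thread: a provider section that activates pkcs11-provider alongside the default provider. Both file paths are assumptions (a 64-bit Fedora layout with OpenSC as the PKCS#11 driver) and need to match the installed files.

```ini
# Added example, not from the thread. Both paths below are assumptions.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Once any provider is activated explicitly, the default provider is no
# longer loaded implicitly, so it has to be listed here as well. Leaving
# it out removes the ordinary software algorithms from the process.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Assumed install path of the pkcs11-provider module.
module = /usr/lib64/ossl-modules/pkcs11.so
# Assumed PKCS#11 driver library that talks to the token.
pkcs11-module-path = /usr/lib64/opensc-pkcs11.so
activate = 1
```

With this file in effect (for example through the `OPENSSL_CONF` environment variable), the `openssl dgst -sign` command quoted above resolves the `pkcs11:` URI through the provider, with no ENGINE code involved.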