[PATCH] sign-file, pkcs7: Honour the hash parameter to sign-file

Mon, 02 Feb 2026 03:24:58 -0800 

Here's an alternative patch that will allow PKCS#7 with the hash specified on
the command line, removing the SHA1 restriction.

David
---
sign-file, pkcs7: Honour the hash parameter to sign-file

Currently, the sign-file program rejects anything other than "sha1" as the
hash parameter if it is going to produce a PKCS#7 message-based signature
rather than a CMS message-based signature (though it then ignores this
argument and uses whatever is selected as the default which might not be
SHA1 and may actually reflect whatever is used to sign the X.509
certificate).

Fix sign-file to actually use the specified hash when producing a PKCS#7
message rather than just accepting the default.

Fixes: 283e8ba2dfde ("MODSIGN: Change from CMS to PKCS#7 signing if the openssl 
is too old")
Signed-off-by: David Howells <[email protected]>
cc: Lukas Wunner <[email protected]>
cc: Ignat Korchagin <[email protected]>
cc: Jarkko Sakkinen <[email protected]>
cc: Stephan Mueller <[email protected]>
cc: Herbert Xu <[email protected]>
cc: Eric Biggers <[email protected]>
cc: [email protected]
cc: [email protected]

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index 547b97097230..f0b7e5616b9a 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -56,6 +56,7 @@
        defined(OPENSSL_NO_CMS)
 #define USE_PKCS7
 #endif
+#define USE_PKCS7
 #ifndef USE_PKCS7
 #include <openssl/cms.h>
 #else
@@ -289,14 +290,6 @@ int main(int argc, char **argv)
                replace_orig = true;
        }
 
-#ifdef USE_PKCS7
-       if (strcmp(hash_algo, "sha1") != 0) {
-               fprintf(stderr, "sign-file: %s only supports SHA1 signing\n",
-                       OPENSSL_VERSION_TEXT);
-               exit(3);
-       }
-#endif
-
        /* Open the module file */
        bm = BIO_new_file(module_name, "rb");
        ERR(!bm, "%s", module_name);
@@ -348,10 +341,17 @@ int main(int argc, char **argv)
                    "CMS_final");
 
 #else
-               pkcs7 = PKCS7_sign(x509, private_key, NULL, bm,
-                                  PKCS7_NOCERTS | PKCS7_BINARY |
-                                  PKCS7_DETACHED | use_signed_attrs);
+               unsigned int flags =
+                       PKCS7_NOCERTS |
+                       PKCS7_BINARY |
+                       PKCS7_DETACHED |
+                       use_signed_attrs;
+               pkcs7 = PKCS7_sign(NULL, NULL, NULL, bm, flags);
                ERR(!pkcs7, "PKCS7_sign");
+
+               ERR(!PKCS7_sign_add_signer(pkcs7, x509, private_key, 
digest_algo, flags),
+                   "PKS7_sign_add_signer");
+               ERR(PKCS7_final(pkcs7, bm, flags) != 1, "PKCS7_final");
 #endif
 
                if (save_sig) {

Reply via email to