On 2/2/26 12:24 PM, David Howells wrote:
> Here's an alternative patch that will allow PKCS#7 with the hash specified on
> the command line, removing the SHA1 restriction.
>
> David
> ---
> sign-file, pkcs7: Honour the hash parameter to sign-file
>
> Currently, the sign-file program rejects anything other than "sha1" as the
> hash parameter if it is going to produce a PKCS#7 message-based signature
> rather than a CMS message-based signature (though it then ignores this
> argument and uses whatever is selected as the default which might not be
> SHA1 and may actually reflect whatever is used to sign the X.509
> certificate).
>
> Fix sign-file to actually use the specified hash when producing a PKCS#7
> message rather than just accepting the default.

Is it worth keeping this sign-file code that uses the OpenSSL PKCS7 API
instead of having only one variant that uses the newer CMS API?

--
Thanks,
Petr

