On Mon, Feb 2, 2026 at 4:25 AM Petr Pavlu <[email protected]> wrote: > > On 2/2/26 12:24 PM, David Howells wrote: > > Here's an alternative patch that will allow PKCS#7 with the hash specified > > on > > the command line, removing the SHA1 restriction. > > > > David > > --- > > sign-file, pkcs7: Honour the hash parameter to sign-file > > > > Currently, the sign-file program rejects anything other than "sha1" as the > > hash parameter if it is going to produce a PKCS#7 message-based signature > > rather than a CMS message-based signature (though it then ignores this > > argument and uses whatever is selected as the default which might not be > > SHA1 and may actually reflect whatever is used to sign the X.509 > > certificate). > > > > Fix sign-file to actually use the specified hash when producing a PKCS#7 > > message rather than just accepting the default. > > Is it worth keeping this sign-file code that uses the OpenSSL PKCS7 API > instead of having only one variant that uses the newer CMS API?
I agree that keeping only the CMS variant makes more sense. However, David, please let me know if you'd prefer that I drop the patch removing PKCS7 support from sign-file for now. I assumed you had no further objections since the discussion in the other sub-thread tapered off, but perhaps I misread that. Sami
