Investigating this further.... .ko signatures are CMS signatures, which are ASN.1 structures. They are nested, such that SignedData is a wrapper around DigestedData, which is a wrapper around ContentInfo, which is a wrapper around raw binary input.

The nice property of DigestedData is that it contains version, hash algo, and digest fields, and the raw binary data is actually optional. Meaning, one can create a CMS ASN.1 DER-encoded DigestedData object with the raw binary data discarded, and transfer that to the signing service, which should be able to produce detached signatures. The original desire to make large data optional is in case the data to be signed is a very large stream / tape, which is impossible or impractical to hold in memory, and yet one still wants to generate signatures for it.

None of the existing APIs to work with CMS appear to trivially support creating / serializing DigestedData, then deserializing it to sign it and produce detached signatures. Ideally this should be done in DER encoding such that it is platform/architecture independent. I am pondering adding more APIs to OpenSSL or extending some of the available CMS golang or rust libraries.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1930454

Title:
  support for .ko.hash signatures or .o -> ko -> detached signatures

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
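The workflow the comment describes (hash a stream too large to hold in memory, serialize a DER DigestedData with the eContent omitted, ship only that to a signer, and later verify against the detached data) can be illustrated with a minimal, standard-library-only Python script. This is an added example, not code from the bug report, from OpenSSL, or from any of the Go/Rust CMS libraries mentioned; it hand-rolls just enough DER (SEQUENCE, INTEGER, OID, NULL, OCTET STRING, [0] EXPLICIT) to build and parse the ContentInfo { id-digestedData, DigestedData } shape from RFC 5652 with SHA-256. The OIDs are the standard ones; `SAMPLE_MODULE` is constructed stand-in data, not a real .ko, and the function names are the example's own.

```python
import hashlib
import hmac
import io

# Standard OIDs (RFC 5652 content types, RFC 5754 SHA-256 digest algorithm).
OID_ID_DIGESTED_DATA = "1.2.840.113549.1.7.5"
OID_ID_DATA = "1.2.840.113549.1.7.1"
OID_SHA256 = "2.16.840.1.101.3.4.2.1"

def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def _oid_body(dotted):
    """Base-128 content octets of an OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            enc.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += enc
    return bytes(out)

_OID_NAMES = {_oid_body(o): o for o in (OID_ID_DIGESTED_DATA, OID_ID_DATA, OID_SHA256)}

def digest_stream(stream, chunk_size=1 << 20):
    """SHA-256 over a file-like object in chunks; the payload is never held whole."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.digest()

def encode_digested_data(digest):
    """ContentInfo { id-digestedData, [0] DigestedData } with eContent left out."""
    version = _tlv(0x02, b"\x00")  # version is 0 when eContentType is id-data
    digest_alg = _tlv(0x30, _tlv(0x06, _oid_body(OID_SHA256)) + _tlv(0x05, b""))
    encap = _tlv(0x30, _tlv(0x06, _oid_body(OID_ID_DATA)))  # no [0] eContent: detached
    digested = _tlv(0x30, version + digest_alg + encap + _tlv(0x04, digest))
    return _tlv(0x30, _tlv(0x06, _oid_body(OID_ID_DIGESTED_DATA)) + _tlv(0xA0, digested))

def _read_tlv(buf, pos, want):
    """Read one element at pos, insisting on the expected tag; return (body, end)."""
    if buf[pos] != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{buf[pos]:02x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def decode_digested_data(der):
    """Parse the DER back into its fields and report whether content was embedded."""
    ci, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after ContentInfo")
    ctype, pos = _read_tlv(ci, 0, 0x06)
    if _OID_NAMES.get(ctype) != OID_ID_DIGESTED_DATA:
        raise ValueError("not id-digestedData")
    explicit, _ = _read_tlv(ci, pos, 0xA0)
    dd, _ = _read_tlv(explicit, 0, 0x30)
    version, pos = _read_tlv(dd, 0, 0x02)
    alg, pos = _read_tlv(dd, pos, 0x30)
    encap, pos = _read_tlv(dd, pos, 0x30)
    digest, pos = _read_tlv(dd, pos, 0x04)
    alg_oid, _ = _read_tlv(alg, 0, 0x06)
    econtent_type, p = _read_tlv(encap, 0, 0x06)
    return {
        "version": int.from_bytes(version, "big"),
        "digest_algorithm": _OID_NAMES.get(alg_oid, "unknown"),
        "content_type": _OID_NAMES.get(econtent_type, "unknown"),
        "content_present": p < len(encap),  # a [0] eContent would follow the OID
        "digest": digest,
    }

def verify_detached(der, stream):
    """Recompute the digest over separately supplied data and compare in constant time."""
    info = decode_digested_data(der)
    if info["digest_algorithm"] != OID_SHA256:
        raise ValueError("unsupported digest algorithm")
    return hmac.compare_digest(info["digest"], digest_stream(stream))

# Constructed stand-in for a module image; not a real .ko.
SAMPLE_MODULE = b"\x7fELF constructed sample module bytes " * 4096

if __name__ == "__main__":
    der = encode_digested_data(digest_stream(io.BytesIO(SAMPLE_MODULE)))
    print(len(der), "bytes of DER:", decode_digested_data(der))
    print("detached verify:", verify_detached(der, io.BytesIO(SAMPLE_MODULE)))
```

The DER produced here is 82 bytes regardless of how large the input stream was, which is the point of leaving eContent out: the signer only ever needs the digest structure, and a verifier re-streams the data through `verify_detached` rather than loading it. The parser refuses unexpected tags and trailing bytes rather than skipping them, which is the behaviour you want from anything that consumes signature metadata from an untrusted transport.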