| Message ID | 20260408075540.53309-4-hpa@redhat.com |
|---|---|
| State | Superseded |
Hi

On 2026. 04. 08. 9:55, Kate Hsuan wrote:

> Sign IPA according to the signature algorithm of the key. > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > --- > src/ipa/ipa-sign.sh | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/src/ipa/ipa-sign.sh b/src/ipa/ipa-sign.sh > index 69024213..aa9c7d31 100755 > --- a/src/ipa/ipa-sign.sh > +++ b/src/ipa/ipa-sign.sh > @@ -10,4 +10,9 @@ key="$1" > input="$2" > output="$3" > > -openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" > +if openssl pkey -text -noout -in "${key}" 2>/dev/null | grep -q "ML-DSA"; then

I'm not familiar with the openssl cli, but is there really no way to use a single command for signing?

Regards,
Barnabás Pőcze

> + openssl pkeyutl -sign -inkey "${key}" -rawin \ > + -in "${input}" -out "${output}" > +else > + openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" > +fi
Hi Barnabás,

On Mon, Apr 13, 2026 at 4:49 PM Barnabás Pőcze <barnabas.pocze@ideasonboard.com> wrote:

> > Hi > > On 2026. 04. 08. 9:55, Kate Hsuan wrote: > > Sign IPA according to the signature algorithm of the key. > > > > Signed-off-by: Kate Hsuan <hpa@redhat.com> > > --- > > src/ipa/ipa-sign.sh | 7 ++++++- > > 1 file changed, 6 insertions(+), 1 deletion(-) > > > > diff --git a/src/ipa/ipa-sign.sh b/src/ipa/ipa-sign.sh > > index 69024213..aa9c7d31 100755 > > --- a/src/ipa/ipa-sign.sh > > +++ b/src/ipa/ipa-sign.sh > > @@ -10,4 +10,9 @@ key="$1" > > input="$2" > > output="$3" > > > > -openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" > > +if openssl pkey -text -noout -in "${key}" 2>/dev/null | grep -q "ML-DSA"; then > > I'm not familiar with the openssl cli, but is there really no way to use a single command for signing? >

After a survey and testing, the command can be replaced with a one-line command

    # openssl pkeyutl -sign -inkey "${key}" -rawin -in "${input}" -out "${output}"

However, this command didn't explicitly indicate the digest algorithm for RSA. The default digest algorithm for RSA is SHA256, and it is the same as the libcamera IPA signature algorithm. If it is good for you, I can simplify the script with a one-line command.

> > Regards, > Barnabás Pőcze > > > > + openssl pkeyutl -sign -inkey "${key}" -rawin \ > > + -in "${input}" -out "${output}" > > +else > > + openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" > > +fi >
diff --git a/src/ipa/ipa-sign.sh b/src/ipa/ipa-sign.sh index 69024213..aa9c7d31 100755 --- a/src/ipa/ipa-sign.sh +++ b/src/ipa/ipa-sign.sh @@ -10,4 +10,9 @@ key="$1" input="$2" output="$3" -openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" +if openssl pkey -text -noout -in "${key}" 2>/dev/null | grep -q "ML-DSA"; then + openssl pkeyutl -sign -inkey "${key}" -rawin \ + -in "${input}" -out "${output}" +else + openssl dgst -sha256 -sign "${key}" -out "${output}" "${input}" +fi
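Review bot: The key-type check on the first added line (`openssl pkey -text -noout -in "${key}" 2>/dev/null | grep -q "ML-DSA"`) treats a failure to read or parse the key the same as "not ML-DSA", because stderr is discarded and only grep's exit status is tested. A missing or unparsable key therefore falls through to the `openssl dgst -sha256 -sign` branch, and whatever error the user sees comes from that command instead of from the check that actually failed. Consider running `openssl pkey -noout -in "${key}"` on its own first and exiting on failure, then matching the key type. A short comment above the `if` should say why ML-DSA keys are signed with `pkeyutl -rawin` instead of `dgst -sha256`, and note that the match depends on a substring of openssl's human-readable `-text` output.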
Sign IPA according to the signature algorithm of the key. Signed-off-by: Kate Hsuan <hpa@redhat.com> --- src/ipa/ipa-sign.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)