• David Howells's avatar
    MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old · 283e8ba2
    David Howells authored
    The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file
    since that allows the target X.509 certificate to be specified by
    subjectKeyId rather than by issuer + serialNumber.
    However, older versions of the OpenSSL crypto library (such as may be found
    in CentOS 5.11) don't support CMS.  Assume everything prior to
    OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case.
    Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so
    give an error from the sign-file script if the caller requests anything
    other than SHA1.
    The compiler gives the following error with an OpenSSL crypto library
    that's too old:
      HOSTCC  scripts/sign-file
    scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory
     #include <openssl/cms.h>
    Reported-by: default avatarVinson Lee <vlee@twopensource.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Acked-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>