Hi,

> On 2. Apr 2024, at 16:31, Luca Boccassi <bluca@xxxxxxxxxx> wrote:
>
> The fact that such packages are physically present is not enough - they
> need to implement all the needed features, and they need to be mature
> enough to just work out of the box. Neither of these are true today, and
> providers just do not work for very simple use cases like signing a UKI
> with a yubikey. At the very least a couple more years of development and
> testing is needed before they are anywhere near ready to drop support for
> engines, that actually do work out of the box. Not to mention third party
> engines that are specific to internal/private build systems - if any such
> system runs Fedora as the build host, they'd have to migrate to
> Debian/Ubuntu to keep working.

I did try using the current pkcs11-provider with my Yubikey to create a
signature using

  openssl dgst -sign 'pkcs11:serial=18c9662a9c930e9e;id=%02;type=private'

It worked just fine for me, including prompting for the PIN, twice. I did
have to enable the PKCS11 provider in my openssl.cnf, but that could also
be done programmatically at runtime by applications should they choose to
do so.

I was not able to reproduce the problems you faced in the systemd upstream
ticket you referred to earlier. It is possible that they have been fixed
upstream in the meantime.

There will always be some effort related to such a transition, but that
effort will have to happen one way or the other eventually. I suspect if
Fedora decides to keep ENGINE support, we'll have the exact same
discussion in a few years when OpenSSL 4.0 is released, and people will
demand that the rebase to 4.0 that removes engine support should be a
system-wide change proposal because it breaks engines.
-- 
Clemens Lang
RHEL Crypto Team
Red Hat

--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
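The message above says the PKCS11 provider had to be enabled in openssl.cnf but does not show how. The fragment below is an added illustration, not part of Clemens's mail nor taken from the pkcs11-provider project; it is the minimal provider configuration under which a `pkcs11:` key URI such as the one in the `openssl dgst -sign` command resolves. The two shared-object paths are assumptions for a Fedora x86_64 host (the provider from the pkcs11-provider package, and YubiKey's PIV module from yubico-piv-tool) and will differ on other distributions or with other tokens.

```ini
# Added example, not from the original message: a minimal openssl.cnf that
# activates pkcs11-provider next to the default provider. The paths are
# assumptions for a Fedora x86_64 host; adjust them for your system.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Keep the default provider active. Once a providers section is declared,
# OpenSSL only loads what is listed here, so omitting "default" silently
# removes the software algorithms (hashing, PEM parsing) that dgst needs.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# The OpenSSL provider shared object (assumed path, pkcs11-provider package).
module = /usr/lib64/ossl-modules/pkcs11.so
# The PKCS#11 module that talks to the token. libykcs11.so is the YubiKey
# PIV module (assumed path); opensc-pkcs11.so covers many other tokens.
pkcs11-module-path = /usr/lib64/libykcs11.so
activate = 1
```

A quick check that the configuration took effect is `openssl list -providers`, which should list `pkcs11` next to `default` before any key is touched. To confirm a signature produced with the `pkcs11:...;type=private` URI without involving the token again, export the matching public half with `openssl pkey -in 'pkcs11:...;type=public' -pubout` and run `openssl dgst -verify` against it. The double PIN prompt noted above is the cost of the provider opening a fresh session per operation; pkcs11-provider can read the PIN from a file via `pkcs11-module-token-pin`, but that trades an interactive prompt for trust in that file's permissions, so it belongs in an unattended build pipeline, not on a developer workstation.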