Dear Zbyszek,
Thanks, I updated the Wiki page correspondingly.
On Wed, Apr 3, 2024 at 5:56 PM Zbigniew Jędrzejewski-Szmek <zbyszek@xxxxxxxxx> wrote:
[Replying to two mails at once to conserve some electrons.]
On Tue, Apr 02, 2024 at 04:03:31PM +0200, Dmitry Belyavskiy wrote:
> Thanks. In the period between when the proposal was written and when it
> was published, the TPM2 provider landed in Fedora.
> The PKCS#11 provider has been here for a while already.
>
> Should I update the Wiki page to adjust this point?
Please do.
> > == How To Test ==
> > > OpenSSL libcrypto.so exports the same ENGINE_* symbols as for f40.
> > > Applications relying on the ENGINE API can't be built but still work.
> >
> > That's incompatible with package rebuilds…
> >
> > An acceptable approach would be to split out the headers to a separate
> > -devel file, e.g. openssl-engine-devel, mark it as Provides: deprecated().
> > Existing packages which need the engine headers can adjust to use the
> > new header and new packages are prevented by the Packaging Guidelines
> > from adding a dependency on deprecated packages.
>
> Thanks! I like this idea and can update the Wiki page accordingly.
Thanks!
On Tue, Apr 02, 2024 at 05:12:20PM +0200, Dmitry Belyavskiy wrote:
> On Tue, Apr 2, 2024 at 4:32 PM Luca Boccassi <bluca@xxxxxxxxxx> wrote:
> [...]
> The TPM2 package is suitable for all required operations, AFAIK.
> I'm also sure about the PKCS11 provider, which I follow closely enough.
>
> Please raise detailed issues if you have something particular.
> I remember that you mentioned a particular issue about PKCS#11, could you
> please try the current version?
> My colleagues working on PKCS#11 are not aware of any Yubikey issues, BTW.
>
> Third-party engines may be a problem, but as we don't break ABI, it's not a
> problem at the moment.
On Wed, Apr 03, 2024 at 09:50:27AM +0200, Clemens Lang wrote:
> I did try using the current pkcs11-provider with my Yubikey to
> create a signature using openssl dgst -sign
> 'pkcs11:serial=18c9662a9c930e9e;id=%02;type=private'. It worked just
> fine for me, including prompting for the PIN, twice.
>
> I did have to enable the PKCS11 provider in my openssl.cnf, but that
> could also be done programmatically at runtime by applications
> should they choose to do so.
>
> I was not able to reproduce the problems you faced in the systemd
> upstream ticket you referred to earlier. It is possible that they
> have been fixed upstream in the meantime.
Thank you both, it sounds like this should work. In systemd, we'll
need to adjust the code to use providers, but that should be doable.
OK, so with the discussed changes, I'm +1.
Zbyszek
--
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Dmitry Belyavskiy
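To make the openssl.cnf change Clemens describes concrete, here is an example configuration excerpt added by the editor; it is not from the thread, from Fedora's shipped openssl.cnf, or from the pkcs11-provider project. The two module paths are assumptions for a Fedora x86_64 system with pkcs11-provider and OpenSC's PKCS#11 module installed for the Yubikey; check them against what `rpm -ql pkcs11-provider` and `rpm -ql opensc` actually install. The one point that trips people up is shown explicitly: once any provider section is activated in the config, OpenSSL 3 no longer auto-loads the default provider, so it has to be activated too or ordinary RSA/ECDSA/hash operations stop working.

```ini
# Excerpt for /etc/pki/tls/openssl.cnf (Fedora's OpenSSL config path),
# or for a private file selected with OPENSSL_CONF=... while testing.
# Added example; paths below are assumptions, not from the thread.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# Both entries are needed: activating pkcs11 alone disables the
# implicit loading of the default provider in OpenSSL 3.
default = default_sect
pkcs11 = pkcs11_sect

[default_sect]
activate = 1

[pkcs11_sect]
# Provider module shipped by the pkcs11-provider package (assumed path).
module = /usr/lib64/ossl-modules/pkcs11.so
# PKCS#11 module that talks to the token; OpenSC's for a Yubikey PIV
# applet (assumed path). Leave it unset to go through p11-kit instead.
pkcs11-module-path = /usr/lib64/pkcs11/opensc-pkcs11.so
activate = 1
```

With that in place, `openssl list -providers` should show both `default` and `pkcs11` as active; if only `pkcs11` appears, the default section is missing and the signing command will fail on the digest rather than on the token. Signing then looks like Clemens' test, `openssl dgst -sha256 -sign 'pkcs11:serial=...;id=%02;type=private' -out file.sig file`, with the PIN prompted by the provider. An application that does not want to depend on the system config can instead call `OSSL_PROVIDER_load(NULL, "pkcs11")` and `OSSL_PROVIDER_load(NULL, "default")` itself, which is the programmatic route mentioned above.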