Hi Vitaly,
On Thu, 2021-07-01 at 04:13 +0300, Vitaly Chikunov wrote:
> Allow user to set signature's keyid using `--keyid' option. Keyid should
> correspond to SKID in certificate. When keyid is calculated using SHA-1
> in libimaevm it may mismatch keyid extracted by the kernel from SKID of
> certificate (the way public key is presented to the kernel), thus making
> signatures not verifiable. This may happen when certificate is using non
> SHA-1 SKID (see rfc7093) or just 'unique number' (see rfc5280 4.2.1.2).
> As a last resort user may specify arbitrary keyid using the new option.
> Certificate filename could be used instead of the hex number with
> `--keyid-from-cert' option. And, third option is to read keyid from the
> cert appended to the key file.
>
> These commits create backward incompatible ABI change for libimaevm,
> thus soname should be incremented on release.
I haven't started using Github actions. Here are some new Travis
complaints:
Alpine:
libimaevm.c: In function 'sign_hash_v2':
libimaevm.c:996:47: warning: taking address of packed member of 'struct
signature_v2_hdr' may result in an unaligned pointer value [-Waddress-
of-packed-member]
996 | int keyid_read_failed = read_keyid_from_key(&hdr->keyid,
keyfile);
| ^~~~~~~~~~~
libimaevm.c:999:18: warning: taking address of packed member of 'struct
signature_v2_hdr' may result in an unaligned pointer value [-Waddress-
of-packed-member]
999 | calc_keyid_v2(&hdr->keyid, name, pkey);
| ^~~~~~~~~~~
centos:
./.libs/libimaevm.so: undefined reference to `X509_get0_subject_key_id'
./.libs/libimaevm.so: undefined reference to `ASN1_STRING_get0_data'
xenial:
libimaevm.c: In function 'extract_keyid':
libimaevm.c:695:2: warning: implicit declaration of function
'X509_get0_subject_key_id' [-Wimplicit-function-declaration]
if (!(skid = X509_get0_subject_key_id(x))) {
^
libimaevm.c:695:13: warning: assignment makes pointer from integer
without a cast [enabled by default]
if (!(skid = X509_get0_subject_key_id(x))) {
thanks,
Mimi
