On Thu, 8 Dec 2022 at 03:35, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> An issue that arises when migrating from builtin signatures to userspace
> signatures is that existing files that have builtin signatures cannot be
> opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or
> the signing certificate is left in the .fs-verity keyring.
>
> Since builtin signatures provide no security benefit when
> fs.verity.require_signatures=0 anyway, let's just skip the signature
> verification in this case.
>
> Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.4+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
> fs/verity/signature.c | 18 ++++++++++++++++--
> 1 file changed, 16 insertions(+), 2 deletions(-)
Acked-by: Luca Boccassi <bluca@xxxxxxxxxx>
