On 06.01.25 15:05, Petr Pavlu wrote: > On 1/4/25 10:43, Thorsten Leemhuis wrote: >> On 20.10.24 00:57, Luis Chamberlain wrote: >>> On Wed, Oct 16, 2024 at 04:18:41PM +0200, Thorsten Leemhuis wrote: >>>> Switch away from using sha1 for module signing by default and use the >>>> more modern sha512 instead, which is what among others Arch, Fedora, >>>> RHEL, and Ubuntu are currently using for their kernels. >>>> >>>> Sha1 has not been considered secure against well-funded opponents since >>>> 2005[1]; since 2011 the NIST and other organizations furthermore >>>> recommended its replacement[2]. This is why OpenSSL on RHEL9, Fedora >>>> Linux 41+[3], and likely some other current and future distributions >>>> reject the creation of sha1 signatures, which leads to a build error of >>>> allmodconfig configurations: >>>> >>>> 80A20474797F0000:error:03000098:digital envelope routines:do_sigver_init:invalid digest:crypto/evp/m_sigver.c:342: >>>> make[4]: *** [.../certs/Makefile:53: certs/signing_key.pem] Error 1 >>>> make[4]: *** Deleting file 'certs/signing_key.pem' >>>> make[4]: *** Waiting for unfinished jobs.... >>>> make[3]: *** [.../scripts/Makefile.build:478: certs] Error 2 >>>> make[2]: *** [.../Makefile:1936: .] Error 2 >>>> make[1]: *** [.../Makefile:224: __sub-make] Error 2 >>>> make[1]: Leaving directory '...' >>>> make: *** [Makefile:224: __sub-make] Error 2 >>>> >>>> This change makes allmodconfig work again and sets a default that is >>>> more appropriate for current and future users, too. >>>> >>>> Link: https://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html [1] >>>> Link: https://csrc.nist.gov/projects/hash-functions [2] >>>> Link: https://fedoraproject.org/wiki/Changes/OpenSSLDistrustsha1SigVer [3] >>>> Signed-off-by: Thorsten Leemhuis <linux@xxxxxxxxxxxxx> >>> >>> Thanks! >>> >>> Tested-by: kdevops <kdevops@xxxxxxxxxxxxxxx> [0] >>> Links: https://github.com/linux-kdevops/linux-modules-kpd/actions/runs/11420092929/job/31775404330 # [0] >>> >>> Applied and pushed! >> >> Lo! Just wandering: ^ Seems it was "let's start the year with a stupid typo in a public message" time... :-D >> what happened to that patch? That reply made me >> assume that the patch was heading towards mainline, but it seems it's >> not even in -next. Were there problems and it was dropped or something? > > I can't recall that there was any problem with this patch, I assume it > felt through by some accident. I've now queued it on modules-next. Great, thx! Ciao, Thorsten
