Sorry, my fault. The file to be signed couldn't be hashed correctly due to an error while applying a patch to the original sources. Please ignore the issue.

--
Christian Weber

On 09.03.2016 at 15:13, weber at infotech.de wrote:
> Dear openssl users,
>
> we're using openssl since quite a longer time. For code signing we're
> still using separate p2s files.
> Hence, in our development environment, we integrated code signing by
> commandline (batch):
>
> openssl smime -sign -in %1 -out %1.p7s -outform der -signer integritycert.cert.pem -inkey integritycert.key.pem -binary -noattr
>
> We found newer (detached) signatures being not successfully verifiable
> within our (and by other)
> applications since migration from version 1.0.1h to 1.0.2d. It seems
> like the signatures were broken.
>
> We noticed that the default digest algorithm has changed from sha1 to
> sha256, which is currently
> documented differently. The commandline tool's usage output says
> nothing about the implemented
> -md option.
>
> Within our application we call:
> int p7flags = PKCS7_BINARY | PKCS7_NOSMIMECAP | PKCS7_NOVERIFY | PKCS7_NOCHAIN | PKCS7_NOSIGS;
> int rc = PKCS7_verify(p7, 0, 0, indata, out, p7flags);
>
> and get back 0 instead of 1 while the error stack stays empty.
>
> Surely current (and probably future) applications should use the
> (newer) cms variant, but the
> older smime should still work.
>
> Neither we found a report concerning this issue within the users
> mailing list nor we traced down
> the issue itself.
>
> Heard about this issue before? Any idea?
>
> Thanks in advance
> --
> Christian Weber
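One way to tell apart the two causes raised in this thread, a different digest algorithm in the signature versus content that no longer matches what was signed, is to sign with an explicit `-md`, read the digest back out of the DER signature, and verify against both the original and an altered file. This is an added example, not part of the original messages; the key, certificate, file names and helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway key, certificate and input file are constructed here.

make_signer() {  # $1 = directory that receives the constructed key and cert
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-signer" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

sign_detached() {  # $1 = dir with key/cert, $2 = file to sign, $3 = digest name
    # Same options as the command in the thread, plus an explicit -md so the
    # result does not depend on the default digest of the installed version.
    openssl smime -sign -in "$2" -out "$2.p7s" -outform der \
        -signer "$1/cert.pem" -inkey "$1/key.pem" -binary -noattr -md "$3"
}

verify_detached() {  # $1 = DER signature, $2 = content; exit status 0 = valid
    # -noverify skips certificate chain validation only; the signature over
    # the content is still checked.
    openssl smime -verify -in "$1" -inform der -content "$2" \
        -binary -noverify -out /dev/null 2>/dev/null
}

sig_digest() {  # $1 = DER signature; prints the first digest algorithm in it
    openssl asn1parse -inform der -in "$1" |
        sed -n 's/.*OBJECT *:\(sha[0-9-]*\)$/\1/p' | head -n 1
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed payload\n' > "$d/file.bin"
    make_signer "$d" && sign_detached "$d" "$d/file.bin" sha256 || return 1
    echo "digest in signature: $(sig_digest "$d/file.bin.p7s")"
    verify_detached "$d/file.bin.p7s" "$d/file.bin" && echo "original: OK"
    printf 'x' >> "$d/file.bin"   # content changes after signing
    verify_detached "$d/file.bin.p7s" "$d/file.bin" || echo "modified: FAIL"
    rm -rf "$d"
}
demo
```

If the digest read back is the expected one and verification still fails, compare the bytes being verified with the bytes that were signed before suspecting the library.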