On Tue, 2025-11-11 at 16:48 +0100, Petr Pavlu wrote:
> The PKCS#7 code in sign-file allows for signing only with SHA-1.
> Since SHA-1 support for module signing has been removed, drop PKCS#7
> support in favor of using only CMS.
The change log is a bit alarmist. CMS really *is* PKCS7 and most literature will refer to CMS as PKCS7. What you're really deprecating is the use of the PKCS7_sign() API, which can only produce SHA-1 signatures ... openssl is fully capable of producing any hash PKCS7 signatures using a different PKCS7_... API set, but the CMS_... API is newer.

The point being the module signature type is still set to PKEY_ID_PKCS7, so it doesn't square with the commit log saying "drop PKCS#7 support". What you really mean is only use the openssl CMS_... API for producing PKCS7 signatures.

Regards,

James
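An added illustration of the point above, not part of the thread or of the kernel's sign-file: signing with the openssl CMS path and dumping the result shows a PKCS#7 SignedData ContentInfo (OID 1.2.840.113549.1.7.2, which asn1parse labels pkcs7-signedData) carrying a SHA-256 digest. The key, certificate and "module" payload are constructed throw-aways, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: the CMS signing path emits a PKCS#7
# SignedData ContentInfo while using SHA-256 as the digest, i.e. CMS output
# is still PKCS#7, just not limited to SHA-1.
# Key, certificate and payload below are constructed throw-aways.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throw-away RSA key and self-signed certificate (assumes the openssl CLI).
make_test_key() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-module-signer" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Detached, DER-encoded, attribute-free signature with an explicit digest:
# the same shape sign-file requests (detached, no signed attributes, no
# embedded certs), here with sha256 instead of SHA-1.
sign_module() {
    # $1 = payload file, $2 = digest name, $3 = output signature file
    openssl cms -sign -binary -nocerts -noattr -md "$2" \
        -signer "$WORK/cert.pem" -inkey "$WORK/key.pem" \
        -in "$1" -outform DER -out "$3"
}

# Dump the ASN.1 structure so the content-type and digest OIDs are visible.
signature_info() {
    openssl asn1parse -inform DER -in "$1"
}

make_test_key
printf 'constructed fake module payload\n' > "$WORK/module.ko"
sign_module "$WORK/module.ko" sha256 "$WORK/module.ko.sig"
# Both the PKCS#7 content type and the SHA-256 digest OID appear in the dump.
signature_info "$WORK/module.ko.sig" | grep -E 'pkcs7-signedData|:sha256'
```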

