Petr Pavlu <[email protected]> wrote: > In practice, since distributions now typically sign modules with SHA-2, for > which sign-file already required CMS API support, removing the USE_PKCS7 > code shouldn't cause any issues.
We're looking at moving to ML-DSA, and the CMS support there is slightly dodgy at the moment, so we need to hold off a bit on this change. Patch 1, removing the option to sign with SHA-1 from the kernel is fine, but doesn't stop things that are signed with SHA-1 from being verified. David
