On Wed, 2025-11-12 at 15:36 +0000, David Howells wrote: > Petr Pavlu <[email protected]> wrote: > > > In practice, since distributions now typically sign modules with > > SHA-2, for which sign-file already required CMS API support, > > removing the USE_PKCS7 code shouldn't cause any issues. > > We're looking at moving to ML-DSA, and the CMS support there is > slightly dodgy at the moment, so we need to hold off a bit on this > change.
How will removing PKCS7_sign, which can only do sha1 signatures affect that? Is the dodginess that the PKCS7_... API is better than CMS_... for PQS at the moment? In which case we could pretty much do a rip and replace of the CMS_ API if necessary, but that would be a completely separate patch. Regards, James
