path: root/Documentation
diff options
authorDavid Howells <>2015-09-25 16:31:46 +0100
committerDavid Howells <>2015-09-25 16:31:46 +0100
commit283e8ba2dfde54f8f27d7d0f459a07de79a39d55 (patch)
tree0e4057e7b3e082a9b93d04ba7b1e9ca2f23ef034 /Documentation
parente7c87bef7de2417b219d4dbfe8d33a0098a8df54 (diff)
MODSIGN: Change from CMS to PKCS#7 signing if the openssl is too old
The sign-file.c program actually uses CMS rather than PKCS#7 to sign a file since that allows the target X.509 certificate to be specified by subjectKeyId rather than by issuer + serialNumber. However, older versions of the OpenSSL crypto library (such as may be found in CentOS 5.11) don't support CMS. Assume everything prior to OpenSSL-1.0.0 doesn't support CMS and switch to using PKCS#7 in that case. Further, the pre-1.0.0 OpenSSL only supports PKCS#7 signing with SHA1, so give an error from the sign-file script if the caller requests anything other than SHA1. The compiler gives the following error with an OpenSSL crypto library that's too old: HOSTCC scripts/sign-file scripts/sign-file.c:23:25: fatal error: openssl/cms.h: No such file or directory #include <openssl/cms.h> Reported-by: Vinson Lee <> Signed-off-by: David Howells <> Acked-by: David Woodhouse <>
Diffstat (limited to 'Documentation')
1 files changed, 1 insertions, 1 deletions
diff --git a/Documentation/Changes b/Documentation/Changes
index 6d8863004858..f447f0516f07 100644
--- a/Documentation/Changes
+++ b/Documentation/Changes
@@ -43,7 +43,7 @@ o udev 081 # udevd --version
o grub 0.93 # grub --version || grub-install --version
o mcelog 0.6 # mcelog --version
o iptables 1.4.2 # iptables -V
-o openssl & libcrypto 1.0.1k # openssl version
+o openssl & libcrypto 1.0.0 # openssl version
Kernel compilation