On Tue, Jan 20, 2026 at 02:50:48PM +0000, David Howells wrote:
> replace sig->digest with a copy of the contents of the
> authenticatedAttributes section and adjust the digest length to match.

As I mentioned on v11, it's misleading to start using the term digest for something that isn't a digest.

Naturally, this confusing introduction of non-digest digests seems to have already caused a bug: IMA calls pkcs7_get_digest() to calculate the digest of the module. But now that's no longer necessarily a digest. It could be the entire signed attributes.

For security-critical code like this we need to have a clear design, not just patch in hacks that overload existing code like this.

I'll also note that this commit doesn't fully implement "Allow the signing algo to calculate the digest itself" as claimed, since only the signed attributes case is handled. It looks like the next patch is intended to handle the other case. But it's not made clear at all that it's a two-part thing; this patch implies that it's complete.

- Eric
