Thanks, applied as c6bbbfce1e98328dad30113153e86a3b8ce792f2.

Michael

[sent from post-receive hook]

On Fri, 05 Jun 2026 10:51:34 +0200, Sascha Hauer <[email protected]> wrote:
> openssl engines have long been deprecated. Add support for provider to
> the ptxdist code signing infrastructure.
> 
> We add a custom openssl-pkcs11.cnf to specify
> pkcs11-module-block-operations = digest. The reason is that softhsm2
> itself uses openssl for digesting. Without this option softhsm would end
> up calling itself via openssl resulting in a deadlock. Now that we have
> a custom config already we also use it to specify the path to the pkcs11
> module.
> 
> Signed-off-by: Sascha Hauer <[email protected]>
> Message-Id: <[email protected]>
> Signed-off-by: Michael Olbrich <[email protected]>
> 
> diff --git a/platforms/code-signing.in b/platforms/code-signing.in
> index 81f9ef6f3c9e..a20982f202ca 100644
> --- a/platforms/code-signing.in
> +++ b/platforms/code-signing.in
> @@ -4,6 +4,7 @@ menuconfig CODE_SIGNING
>       bool
>       select VIRTUAL
>       select HOST_LIBP11
> +     select HOST_PKCS11_PROVIDER
>       prompt "Code signing                  "
>       help
>         This option enables the ptxdist signing infrastructure.
> diff --git a/rules/host-softhsm.in b/rules/host-softhsm.in
> index 160f4b598d57..dfa1e3c8e0e6 100644
> --- a/rules/host-softhsm.in
> +++ b/rules/host-softhsm.in
> @@ -4,6 +4,7 @@ config HOST_SOFTHSM
>       tristate
>       select HOST_P11_KIT
>       select HOST_OPENSSL
> +     select HOST_PKCS11_PROVIDER
>       select HOST_SQLITE
>       default y if ALLYES
>       help
> diff --git a/rules/host-softhsm.make b/rules/host-softhsm.make
> index 67d9c5ab8f96..613a42b42478 100644
> --- a/rules/host-softhsm.make
> +++ b/rules/host-softhsm.make
> @@ -30,4 +30,31 @@ HOST_SOFTHSM_CONF_OPT      := \
>  HOST_SOFTHSM_CPPFLAGS := \
>       -DDEBUG_LOG_STDERR=1
>  
> +# 
> ----------------------------------------------------------------------------
> +# Install
> +# 
> ----------------------------------------------------------------------------
> +
> +$(STATEDIR)/host-softhsm.install:
> +     @$(call targetinfo)
> +     @$(call world/install, HOST_SOFTHSM)
> +     @{ \
> +     echo 'openssl_conf = openssl_init'; \
> +     echo ''; \
> +     echo '[openssl_init]'; \
> +     echo 'providers = provider_sect'; \
> +     echo ''; \
> +     echo '[provider_sect]'; \
> +     echo 'default = default_sect'; \
> +     echo 'pkcs11 = pkcs11_sect'; \
> +     echo ''; \
> +     echo '[default_sect]'; \
> +     echo 'activate = 1'; \
> +     echo ''; \
> +     echo '[pkcs11_sect]'; \
> +     echo "module = $(PTXDIST_SYSROOT_HOST)/usr/lib/ossl-modules/pkcs11.so"; 
> \
> +     echo 'activate = 1'; \
> +     echo 'pkcs11-module-block-operations = digest'; \
> +     } > $(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf
> +     @$(call touch)
> +
>  # vim: syntax=make
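Review bot: The reason for `pkcs11-module-block-operations = digest` in the generated `[pkcs11_sect]` is recorded only in the commit message, so a later cleanup of this recipe could drop the line and bring back the deadlock it prevents. A comment directly above the `@{ \` block would keep the rationale with the code, for example `# softhsm2 digests via openssl; block digest in the pkcs11 provider so it does not call back into softhsm2 (deadlock)`. It would also help to note there that `module` is the OpenSSL provider itself, while the PKCS#11 library is chosen separately through `PKCS11_PROVIDER_MODULE`.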
> diff --git a/rules/pre/010-code-signing.make b/rules/pre/010-code-signing.make
> index 6141a7b19b50..238f37934062 100644
> --- a/rules/pre/010-code-signing.make
> +++ b/rules/pre/010-code-signing.make
> @@ -8,7 +8,7 @@
>  
>  CODE_SIGNING_ENV = \
>       SO_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3/pkcs11.so \
> -     OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl.cnf" \
> +     OPENSSL_CONF="$(PTXDIST_SYSROOT_HOST)/usr/ssl/openssl-pkcs11.cnf" \
>       OPENSSL_ENGINES="$(PTXDIST_SYSROOT_HOST)/usr/lib/engines-3"
>  
>  #
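Review bot: `OPENSSL_CONF` in `CODE_SIGNING_ENV` now points at `openssl-pkcs11.cnf`, but in this commit that file is written only by the `host-softhsm.install` rule. The visible `select` lines for CODE_SIGNING pull in HOST_LIBP11 and HOST_PKCS11_PROVIDER, not HOST_SOFTHSM, so a configuration that signs with a hardware token and no softhsm would presumably reference a config file that was never generated. Depending on the OpenSSL version, that either fails or silently runs without the intended provider setup. Consider generating the file from a package that CODE_SIGNING always selects (host-pkcs11-provider looks like the natural owner), or making this assignment conditional. The rest of this file is outside the hunk, so an existing guard cannot be ruled out.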
> diff --git a/rules/pre/020-code-signing-softhsm.make 
> b/rules/pre/020-code-signing-softhsm.make
> index 62e3ab3311a1..3f1307ca9601 100644
> --- a/rules/pre/020-code-signing-softhsm.make
> +++ b/rules/pre/020-code-signing-softhsm.make
> @@ -9,7 +9,8 @@
>  ifdef PTXCONF_HOST_SOFTHSM
>  SOFTHSM_CODE_SIGNING_ENV = \
>       SOFTHSM2_CONF="$(PTXDIST_SYSROOT_HOST)/etc/softhsm2.conf" \
> -     
> PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
> +     
> PKCS11_MODULE_PATH=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so \
> +     
> PKCS11_PROVIDER_MODULE=$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so
>  
>  CODE_SIGNING_ENV += \
>       $(SOFTHSM_CODE_SIGNING_ENV)
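Review bot: The new `PKCS11_PROVIDER_MODULE` value is unquoted, like `PKCS11_MODULE_PATH` before it, while `SOFTHSM2_CONF` in the same assignment quotes the same sysroot prefix. These strings appear to be expanded into a shell environment prefix (the use site is outside the hunk), where a sysroot path containing whitespace would split the assignment and could leave the signing tools loading a different module than intended. Writing `PKCS11_PROVIDER_MODULE="$(PTXDIST_SYSROOT_HOST)/usr/lib/softhsm/libsofthsm2.so"` and quoting `PKCS11_MODULE_PATH` the same way keeps the three entries consistent. The library path is now spelled out twice, so a single make variable would keep the engine and provider settings from drifting apart.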
