Thanks, applied as ca81a4eb281623c0273fefcfdc8e23a8aab62a6c.

Michael
[sent from post-receive hook] On Thu, 25 Jun 2026 21:23:45 +0200, Sven Püschel <[email protected]> wrote: > Only import the public key in cs_import_pubkey_from_pem, as without > the -pubin flag the 'openssl pkey' command tries to import > a private key. This is a problem, when only the public key is available > in the PEM file (e.g. production key instead of a development key). > This results in the following error: > > Could not find private key of key from pubkey.pem > 40238C2FB57F0000:error:1608010C:STORE > routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:160:provider=default > > >From the man page of `openssl pkey` the -pubin flag also works with a > private key input. In this case openssl will only read the public part. > > Signed-off-by: Martin Domig <[email protected]> > Co-developed-by: Sven Püschel <[email protected]> > Signed-off-by: Sven Püschel <[email protected]> > Message-Id: <[email protected]> > Signed-off-by: Michael Olbrich <[email protected]> > > diff --git a/scripts/lib/ptxd_lib_code_signing.sh > b/scripts/lib/ptxd_lib_code_signing.sh > index c7bcfc2570f4..aa4ef99848c2 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh > @@ -237,7 +237,7 @@ cs_import_pubkey_from_pem() { > > openssl pkey \ > "${openssl_keyopt[@]}" \ > - -in "${pem}" -inform pem -pubout -outform der -out > "/proc/self/fd/${tmpfd}" > + -pubin -in "${pem}" -inform pem -pubout -outform der -out > "/proc/self/fd/${tmpfd}" > softhsm_pkcs11_tool --type pubkey --write-object > "/proc/self/fd/${tmpfd}" --label "${role}" > check_pipe_status > }
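Review bot: The added `-pubin` on the `openssl pkey` line in cs_import_pubkey_from_pem() now also governs the development-key case, where `${pem}` holds a private key, and the only justification for that (openssl reading just the public part) is in the commit message. A short comment above the call stating that `-pubin` is intentional for both public-only and private-key PEM input would keep a later cleanup from dropping it. Since that fallback is man-page behaviour rather than something the script checks, it is worth confirming it holds on the oldest openssl the build host is expected to provide. `"${openssl_keyopt[@]}"` is still passed ahead of `-pubin`; if it can carry private-key options, check that they are harmless when only a public key is read.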
