From: Michael Olbrich
To: ptxdist@pengutronix.de
Cc: Sven Püschel
Date: Thu, 25 Jun 2026 21:23:45 +0200
Subject: Re: [ptxdist] [APPLIED] ptxd_lib_code_signing: only import public key in cs_import_pubkey_from_pem
Message-ID: <20260625192345.833105-1-m.olbrich@pengutronix.de>
In-Reply-To: <20260623141303.1126598-1-s.pueschel@pengutronix.de>
References: <20260623141303.1126598-1-s.pueschel@pengutronix.de>

Thanks, applied as ca81a4eb281623c0273fefcfdc8e23a8aab62a6c.

Michael

[sent from post-receive hook]

On Thu, 25 Jun 2026 21:23:45 +0200, Sven Püschel wrote:
> Only import the public key in cs_import_pubkey_from_pem, as without
> the -pubin flag the 'openssl pkey' command tries to import
> a private key. This is a problem when only the public key is available
> in the PEM file (e.g. production key instead of a development key).
> This results in the following error:
>
> Could not find private key of key from pubkey.pem
> 40238C2FB57F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:crypto/store/store_result.c:160:provider=default
>
> From the man page of `openssl pkey` the -pubin flag also works with a
> private key input. In this case openssl will only read the public part.
>
> Signed-off-by: Martin Domig
> Co-developed-by: Sven Püschel
> Signed-off-by: Sven Püschel
> Message-Id: <20260623141303.1126598-1-s.pueschel@pengutronix.de>
> Signed-off-by: Michael Olbrich
>
> diff --git a/scripts/lib/ptxd_lib_code_signing.sh b/scripts/lib/ptxd_lib_code_signing.sh > index c7bcfc2570f4..aa4ef99848c2 100644 > --- a/scripts/lib/ptxd_lib_code_signing.sh > +++ b/scripts/lib/ptxd_lib_code_signing.sh > @@ -237,7 +237,7 @@ cs_import_pubkey_from_pem() { > > openssl pkey \ > "${openssl_keyopt[@]}" \ > - -in "${pem}" -inform pem -pubout -outform der -out "/proc/self/fd/${tmpfd}" > + -pubin -in "${pem}" -inform pem -pubout -outform der -out "/proc/self/fd/${tmpfd}" > softhsm_pkcs11_tool --type pubkey --write-object "/proc/self/fd/${tmpfd}" --label "${role}" > check_pipe_status > }
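Review bot: the single `-pubin` addition in cs_import_pubkey_from_pem fixes the stated failure, but the dual behaviour it now relies on (a public-only PEM is read directly, and a private-key PEM contributes only its public part, as the commit message cites from the `openssl pkey` man page) is recorded only in the commit message; a one-line comment above the `openssl pkey \` call would keep that intent visible in the script, since a later reader may assume `-pubin` rejects private-key input and "fix" it back. It would also be worth a test with both a public-only and a private PEM, because the error path changes: the old "Could not find private key of key from pubkey.pem" no longer occurs, and for a file holding neither key type openssl's non-zero exit must still be caught by check_pipe_status. The practical gain is that a build host importing a production key never needs the private half on disk at all.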
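As an added example (not part of the ptxdist script or of this patch), the shell below reproduces with constructed keys in a temporary directory what the commit message describes: the pre-patch `openssl pkey` invocation fails on a public-only PEM, while the `-pubin` form accepts both a public-only and a private PEM and produces the same DER public key. It assumes an OpenSSL 3.x `openssl` binary on PATH; the function names and file names are my own, and nothing is written to a SoftHSM.

```shell
#!/bin/sh
# Added example, not ptxdist code: exercise the openssl pkey call from
# cs_import_pubkey_from_pem with and without -pubin on constructed keys.
set -u

# Patched form: -pubin reads a public key; for a private-key PEM openssl
# uses only its public part (openssl pkey man page, as the commit cites).
pem_to_pubkey_der() {
    openssl pkey -pubin -in "$1" -inform pem -pubout -outform der -out "$2" 2>/dev/null
}

# Pre-patch form: without -pubin openssl expects a private key, so a
# public-only PEM fails with "Could not find private key of key from ...".
pem_to_pubkey_der_old() {
    openssl pkey -in "$1" -inform pem -pubout -outform der -out "$2" 2>/dev/null
}

# Generate a throwaway RSA key pair, run both variants, and return 0 only if
# the patched call handles both inputs and both DER outputs are identical.
demo_pubin() {
    dir=$(mktemp -d) || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/priv.pem" 2>/dev/null || return 1
    openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem" 2>/dev/null || return 1

    rc=0
    if pem_to_pubkey_der_old "$dir/pub.pem" "$dir/old.der"; then
        echo "old call on public-only PEM: unexpectedly succeeded"; rc=1
    else
        echo "old call on public-only PEM: fails (the reported bug)"
    fi
    pem_to_pubkey_der "$dir/pub.pem" "$dir/from_pub.der" \
        && echo "patched call on public-only PEM: ok" || rc=1
    pem_to_pubkey_der "$dir/priv.pem" "$dir/from_priv.der" \
        && echo "patched call on private PEM: ok (public part only)" || rc=1
    cmp -s "$dir/from_pub.der" "$dir/from_priv.der" \
        && echo "DER output identical for both inputs" || rc=1
    rm -rf "$dir"
    return $rc
}
```

Run `demo_pubin` to see the three cases; only the public-key DER ever leaves the function, which is the point of importing with `-pubin`.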