BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
sha256 is not the standard option. It should be replaced by sha -sha256.
Otherwise, it doesn't work in MAC OS.
In V2, update the option to sha1 -sha256.
In late openssl version >= 1.1, there is no sha option, but has sha1,sha256.
In previous openssl version < 1.1, there is no sha256, but has sha,sha1.
To work with all openssl version, use sha1 -sha256 for it.
Contributed-under: TianoCore Contribution Agreement 1.1
Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com>
Signed-off-by: Liming Gao <liming.gao@intel.com>
Cc: Michael Kinney <michael.d.kinney@intel.com>
Cc: Yonghong Zhu <yonghong.zhu@intel.com>
---
BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
index 1ae6ebb..4188f8e 100644
--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py
@@ -176,7 +176,7 @@ if __name__ == '__main__':
#
# Sign the input file using the specified private key and capture signature from STDOUT
#
- Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+ Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
Signature = Process.communicate(input=FullInputFileBuffer)[0]
if Process.returncode <> 0:
sys.exit(Process.returncode)
@@ -225,7 +225,7 @@ if __name__ == '__main__':
#
# Verify signature
#
- Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
+ Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
Process.communicate(input=FullInputFileBuffer)
if Process.returncode <> 0:
print 'ERROR: Verification failed'
--
2.8.0.windows.1
_______________________________________________
edk2-devel mailing list
edk2-devel@lists.01.org
https://lists.01.org/mailman/listinfo/edk2-devel
Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com> Best Regards, Zhu Yonghong -----Original Message----- From: Gao, Liming Sent: Tuesday, March 27, 2018 1:48 PM To: edk2-devel@lists.01.org Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com> Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options sha256 is not the standard option. It should be replaced by sha -sha256. Otherwise, it doesn't work in MAC OS. In V2, update the option to sha1 -sha256. In late openssl version >= 1.1, there is no sha option, but has sha1,sha256. In previous openssl version < 1.1, there is no sha256, but has sha,sha1. To work with all openssl version, use sha1 -sha256 for it. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com> Signed-off-by: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Yonghong Zhu <yonghong.zhu@intel.com> --- BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py index 1ae6ebb..4188f8e 100644 --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py @@ -176,7 +176,7 @@ if __name__ == '__main__': # # Sign the input file using the specified private key and capture signature from STDOUT # - Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) Signature = Process.communicate(input=FullInputFileBuffer)[0] if Process.returncode <> 0: sys.exit(Process.returncode) @@ -225,7 +225,7 @@ if __name__ == '__main__': # # Verify signature # - Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) Process.communicate(input=FullInputFileBuffer) if Process.returncode <> 0: print 'ERROR: Verification failed' -- 2.8.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
This ("sha1 -sha256") looks a little odd. Could we try "openssl dgst -sha256 ...."? Best Regards & Thanks, LONG, Qin -----Original Message----- From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhu, Yonghong Sent: Tuesday, March 27, 2018 3:56 PM To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui-pengx.liao@intel.com> Subject: Re: [edk2] [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com> Best Regards, Zhu Yonghong -----Original Message----- From: Gao, Liming Sent: Tuesday, March 27, 2018 1:48 PM To: edk2-devel@lists.01.org Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D <michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com> Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options sha256 is not the standard option. It should be replaced by sha -sha256. Otherwise, it doesn't work in MAC OS. In V2, update the option to sha1 -sha256. In late openssl version >= 1.1, there is no sha option, but has sha1,sha256. In previous openssl version < 1.1, there is no sha256, but has sha,sha1. To work with all openssl version, use sha1 -sha256 for it. Contributed-under: TianoCore Contribution Agreement 1.1 Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com> Signed-off-by: Liming Gao <liming.gao@intel.com> Cc: Michael Kinney <michael.d.kinney@intel.com> Cc: Yonghong Zhu <yonghong.zhu@intel.com> --- BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py index 1ae6ebb..4188f8e 100644 --- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py +++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py @@ -176,7 +176,7 @@ if __name__ == '__main__': # # Sign the input file using the specified private key and capture signature from STDOUT # - Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' % (OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) Signature = Process.communicate(input=FullInputFileBuffer)[0] if Process.returncode <> 0: sys.exit(Process.returncode) @@ -225,7 +225,7 @@ if __name__ == '__main__': # # Verify signature # - Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) + Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" -signature %s' % (OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) Process.communicate(input=FullInputFileBuffer) if Process.returncode <> 0: print 'ERROR: Verification failed' -- 2.8.0.windows.1 _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Qin: Thanks for your suggestion. It also work. I agree this style is better. Thanks Liming >-----Original Message----- >From: Long, Qin >Sent: Tuesday, March 27, 2018 4:33 PM >To: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming ><liming.gao@intel.com>; edk2-devel@lists.01.org >Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui- >pengx.liao@intel.com> >Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl >standard options > >This ("sha1 -sha256") looks a little odd. >Could we try "openssl dgst -sha256 ...."? > > >Best Regards & Thanks, >LONG, Qin > >-----Original Message----- >From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of Zhu, >Yonghong >Sent: Tuesday, March 27, 2018 3:56 PM >To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org >Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui- >pengx.liao@intel.com> >Subject: Re: [edk2] [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use >openssl standard options > >Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com> > >Best Regards, >Zhu Yonghong > > >-----Original Message----- >From: Gao, Liming >Sent: Tuesday, March 27, 2018 1:48 PM >To: edk2-devel@lists.01.org >Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D ><michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com> >Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl >standard options > >sha256 is not the standard option. It should be replaced by sha -sha256. >Otherwise, it doesn't work in MAC OS. > >In V2, update the option to sha1 -sha256. >In late openssl version >= 1.1, there is no sha option, but has sha1,sha256. >In previous openssl version < 1.1, there is no sha256, but has sha,sha1. >To work with all openssl version, use sha1 -sha256 for it. > >Contributed-under: TianoCore Contribution Agreement 1.1 >Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com> >Signed-off-by: Liming Gao <liming.gao@intel.com> >Cc: Michael Kinney <michael.d.kinney@intel.com> >Cc: Yonghong Zhu <yonghong.zhu@intel.com> >--- > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git >a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >index 1ae6ebb..4188f8e 100644 >--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >@@ -176,7 +176,7 @@ if __name__ == '__main__': > # > # Sign the input file using the specified private key and capture signature >from STDOUT > # >- Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, >args.PrivateKeyFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, >stderr=subprocess.PIPE, shell=True) >+ Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' % >(OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, >stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) > Signature = Process.communicate(input=FullInputFileBuffer)[0] > if Process.returncode <> 0: > sys.exit(Process.returncode) >@@ -225,7 +225,7 @@ if __name__ == '__main__': > # > # Verify signature > # >- Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % >(OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), >stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, >shell=True) >+ Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" - >signature %s' % (OpenSslCommand, args.PrivateKeyFileName, >args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, >stderr=subprocess.PIPE, shell=True) > Process.communicate(input=FullInputFileBuffer) > if Process.returncode <> 0: > print 'ERROR: Verification failed' >-- >2.8.0.windows.1 > >_______________________________________________ >edk2-devel mailing list >edk2-devel@lists.01.org >https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
Hi all, The "openssl dgst -sha256" is working as well. [configuration] Xcode 9 Openssl 0.9.8zh 14 Jan 2016 Best regards George Liao -----Original Message----- From: Gao, Liming Sent: Tuesday, March 27, 2018 4:49 PM To: Long, Qin <qin.long@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com>; edk2-devel@lists.01.org Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX <jui-pengx.liao@intel.com> Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl standard options Qin: Thanks for your suggestion. It also work. I agree this style is better. Thanks Liming >-----Original Message----- >From: Long, Qin >Sent: Tuesday, March 27, 2018 4:33 PM >To: Zhu, Yonghong <yonghong.zhu@intel.com>; Gao, Liming ><liming.gao@intel.com>; edk2-devel@lists.01.org >Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX ><jui- pengx.liao@intel.com> >Subject: RE: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use >openssl standard options > >This ("sha1 -sha256") looks a little odd. >Could we try "openssl dgst -sha256 ...."? > > >Best Regards & Thanks, >LONG, Qin > >-----Original Message----- >From: edk2-devel [mailto:edk2-devel-bounces@lists.01.org] On Behalf Of >Zhu, Yonghong >Sent: Tuesday, March 27, 2018 3:56 PM >To: Gao, Liming <liming.gao@intel.com>; edk2-devel@lists.01.org >Cc: Kinney, Michael D <michael.d.kinney@intel.com>; Liao, Jui-pengX ><jui- pengx.liao@intel.com> >Subject: Re: [edk2] [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to >use openssl standard options > >Reviewed-by: Yonghong Zhu <yonghong.zhu@intel.com> > >Best Regards, >Zhu Yonghong > > >-----Original Message----- >From: Gao, Liming >Sent: Tuesday, March 27, 2018 1:48 PM >To: edk2-devel@lists.01.org >Cc: Liao, Jui-pengX <jui-pengx.liao@intel.com>; Kinney, Michael D ><michael.d.kinney@intel.com>; Zhu, Yonghong <yonghong.zhu@intel.com> >Subject: [PATCH v2] BaseTools: Update Rsa2048Sha256Sign to use openssl >standard options > >sha256 is not the standard option. It should be replaced by sha -sha256. >Otherwise, it doesn't work in MAC OS. > >In V2, update the option to sha1 -sha256. >In late openssl version >= 1.1, there is no sha option, but has sha1,sha256. >In previous openssl version < 1.1, there is no sha256, but has sha,sha1. >To work with all openssl version, use sha1 -sha256 for it. > >Contributed-under: TianoCore Contribution Agreement 1.1 >Signed-off-by: Liao Jui-peng <jui-pengx.liao@intel.com> >Signed-off-by: Liming Gao <liming.gao@intel.com> >Cc: Michael Kinney <michael.d.kinney@intel.com> >Cc: Yonghong Zhu <yonghong.zhu@intel.com> >--- > BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py | 4 >++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > >diff --git >a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >index 1ae6ebb..4188f8e 100644 >--- a/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >+++ b/BaseTools/Source/Python/Rsa2048Sha256Sign/Rsa2048Sha256Sign.py >@@ -176,7 +176,7 @@ if __name__ == '__main__': > # > # Sign the input file using the specified private key and capture >signature from STDOUT > # >- Process = subprocess.Popen('%s sha256 -sign "%s"' % (OpenSslCommand, >args.PrivateKeyFileName), stdin=subprocess.PIPE, >stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) >+ Process = subprocess.Popen('%s sha1 -sha256 -sign "%s"' % >(OpenSslCommand, args.PrivateKeyFileName), stdin=subprocess.PIPE, >stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True) > Signature = Process.communicate(input=FullInputFileBuffer)[0] > if Process.returncode <> 0: > sys.exit(Process.returncode) >@@ -225,7 +225,7 @@ if __name__ == '__main__': > # > # Verify signature > # >- Process = subprocess.Popen('%s sha256 -prverify "%s" -signature %s' % >(OpenSslCommand, args.PrivateKeyFileName, args.OutputFileName), >stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE, >shell=True) >+ Process = subprocess.Popen('%s sha1 -sha256 -prverify "%s" - >signature %s' % (OpenSslCommand, args.PrivateKeyFileName, >args.OutputFileName), stdin=subprocess.PIPE, stdout=subprocess.PIPE, >stderr=subprocess.PIPE, shell=True) > Process.communicate(input=FullInputFileBuffer) > if Process.returncode <> 0: > print 'ERROR: Verification failed' >-- >2.8.0.windows.1 > >_______________________________________________ >edk2-devel mailing list >edk2-devel@lists.01.org >https://lists.01.org/mailman/listinfo/edk2-devel _______________________________________________ edk2-devel mailing list edk2-devel@lists.01.org https://lists.01.org/mailman/listinfo/edk2-devel
© 2016 - 2024 Red Hat, Inc.