On Wed, Aug 13, 2025 at 6:37 AM Alexander Egorenkov <egorenar@xxxxxxxxxxxxx> wrote: > > > Okay, i identified the code which is at fault, and it is indeed > Fedora's kernel fault. And it explains why PKCS1's sign callback returns -ENOSYS. > > https://src.fedoraproject.org/rpms/kernel/blob/f42/f/patch-6.15-redhat.patch#_510 > > But why was this change made ? > All signing callbacks seem to be overrided with sig_prepare_alg() for some reason. > We would like to use PKCS1 signing algorithm provided by kernel. Thanks for the catch, and sorry for the noise there. We do carry that patch in rawhide, along with several other that change Crypto for RHEL FIPS which upstream isn't interested in. I typically drop those (and many other RHEL specific patches) when I rebase stable Fedora. But those are poorly labelled and I suppose I missed it with the 6.15 rebase. In normal rawhide, that is part of a larger patch series and makes more sense. Anyway, the patch should be dropped from the next stable Fedora releases. Justin > Regards > Alex >
