_cleanup_free_ void *sig = NULL;
size_t ss = 0;
if (privkey) {
- r = digest_and_sign(p->md, privkey, pcr_policy_digest.buffer, pcr_policy_digest.size, &sig, &ss);
+ /* We always use SHA256 for signing currently. Regardless of the bank. */
+ const EVP_MD *sha256 = ASSERT_PTR(EVP_get_digestbyname("sha256"));
+
+ r = digest_and_sign(sha256, privkey, pcr_policy_digest.buffer, pcr_policy_digest.size, &sig, &ss);
if (r == -EADDRNOTAVAIL)
return log_error_errno(r, "Hash algorithm '%s' not available while signing. (Maybe OS security policy disables this algorithm?)", EVP_MD_name(p->md));
if (r < 0)
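Review bot: The `-EADDRNOTAVAIL` message right after the new `digest_and_sign()` call still prints `EVP_MD_name(p->md)`, but signing now always uses SHA256, so for a non-SHA256 bank the log names a digest that was never used for signing. Report the digest actually passed in, `EVP_MD_name(sha256)`, so whoever investigates a crypto-policy failure looks at the right algorithm. Separately, `ASSERT_PTR(EVP_get_digestbyname("sha256"))` turns a missing digest into an assertion failure rather than a logged error. If that lookup can return NULL under a restricted OpenSSL configuration (this hunk does not show whether it can), check the pointer and return through `log_error_errno()` instead. The enclosing function starts and ends outside the hunk.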