From: Lennart Poettering
Date: Wed, 11 Mar 2026 16:27:12 +0000 (+0100)
Subject: measure-tool: always sign with SHA256
X-Git-Tag: v260-rc3~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4b551035b4e7d96abd04595f05575d6fc18103ae;p=thirdparty%2Fsystemd.git

measure-tool: always sign with SHA256

We should not use the bank algorithm for the signing, as we only support validating via SHA256. Fix that.

Fixes: #40245
---

diff --git a/src/measure/measure-tool.c b/src/measure/measure-tool.c
index 515e7588b07..6392460cf40 100644
--- a/src/measure/measure-tool.c
+++ b/src/measure/measure-tool.c
@@ -935,7 +935,10 @@ static int build_policy_digest(bool sign) {
 _cleanup_free_ void *sig = NULL;
 size_t ss = 0;
 if (privkey) {
- r = digest_and_sign(p->md, privkey, pcr_policy_digest.buffer, pcr_policy_digest.size, &sig, &ss);
+ /* We always use SHA256 for signing currently. Regardless of the bank. */
+ const EVP_MD *sha256 = ASSERT_PTR(EVP_get_digestbyname("sha256"));
+
+ r = digest_and_sign(sha256, privkey, pcr_policy_digest.buffer, pcr_policy_digest.size, &sig, &ss);
 if (r == -EADDRNOTAVAIL)
 return log_error_errno(r, "Hash algorithm '%s' not available while signing. (Maybe OS security policy disables this algorithm?)", EVP_MD_name(p->md));
 if (r < 0)
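Review bot: The -EADDRNOTAVAIL error path in the context lines right after the added digest_and_sign() call still reports `EVP_MD_name(p->md)`, i.e. the PCR bank's algorithm, although signing now always uses the SHA256 digest, so a failure would be logged under the wrong algorithm name; it should read `EVP_MD_name(sha256)` (or simply the literal "sha256"). Relatedly, wrapping EVP_get_digestbyname("sha256") in ASSERT_PTR means that if the OpenSSL provider/security policy ever does not expose SHA256, the tool would assert before reaching that graceful "not available" message, which seems at odds with the hint in the message; if that situation is considered impossible in practice, a short comment saying so next to the ASSERT_PTR would help. build_policy_digest() starts and ends outside this hunk.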