On Thu, 8 Dec 2022 at 03:35, Eric Biggers ebiggers@kernel.org wrote:
From: Eric Biggers ebiggers@google.com
An issue that arises when migrating from builtin signatures to userspace signatures is that existing files that have builtin signatures cannot be opened unless either CONFIG_FS_VERITY_BUILTIN_SIGNATURES is disabled or the signing certificate is left in the .fs-verity keyring.
Since builtin signatures provide no security benefit when fs.verity.require_signatures=0 anyway, let's just skip the signature verification in this case.
Fixes: 432434c9f8e1 ("fs-verity: support builtin file signatures") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Eric Biggers ebiggers@google.com
fs/verity/signature.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-)
Acked-by: Luca Boccassi bluca@debian.org