From Fedora Project Wiki

Revision as of 13:37, 3 July 2017

NSS signtool deprecation

Summary

Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool.

Owner

  • Name: Kai Engert
  • Email: kengert@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-07-03
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The NSS signtool is hardcoded to use SHA1 for signatures, but SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to a more secure hash algorithm in a backwards and forwards compatible way, and because signtool might no longer be required for common uses, the suggestion is to deprecate it.

See also

* https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
* https://bugzilla.redhat.com/show_bug.cgi?id=1444136
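
To find existing signed archives that still carry SHA1 digests, the following added example (not part of the original proposal or of NSS) scans an archive's META-INF manifest and .SF files for digest attribute names. It assumes the JAR signature-file convention of `<algorithm>-Digest` attributes; the sample archive and digest values are constructed placeholders, and the PKCS#7 signature block itself is not parsed.

```python
import io
import re
import zipfile

# JAR-style attributes: "SHA1-Digest", "SHA-256-Digest-Manifest", ...
DIGEST_ATTR = re.compile(
    rb"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?:", re.M)
WEAK = {"SHA1", "MD5", "MD2"}  # assumption: algorithms treated as weak here


def digest_algorithms(archive):
    """Map each META-INF manifest/.SF member to the digest algorithms it names."""
    found = {}
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            if not (upper.endswith(".SF") or upper.endswith("/MANIFEST.MF")):
                continue
            # Continuation lines start with a space, so only real attribute
            # names match at the beginning of a line.
            algs = {m.group(1).decode().upper().replace("-", "")
                    for m in DIGEST_ATTR.finditer(zf.read(name))}
            found[name] = sorted(algs)
    return found


def weak_digests(archive):
    """Return only the members that name a weak digest algorithm."""
    return {name: [a for a in algs if a in WEAK]
            for name, algs in digest_algorithms(archive).items()
            if any(a in WEAK for a in algs)}


def build_sample(alg):
    """Constructed sample: in-memory archive with placeholder digest values."""
    buf = io.BytesIO()
    entry = f"Name: hello.txt\r\n{alg}-Digest: cGxhY2Vob2xkZXI=\r\n\r\n"
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hello.txt", "hello\n")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + entry)
        zf.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n"
                    f"{alg}-Digest-Manifest: cGxhY2Vob2xkZXI=\r\n\r\n" + entry)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for alg in ("SHA1", "SHA-256"):
        print(alg, "->", weak_digests(build_sample(alg)) or "no weak digests")
```

`digest_algorithms` and `weak_digests` also accept a file path, so they can be run over a directory of archives that need re-signing.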

Benefit to Fedora

Discourage users from using a tool with weaker security properties. Less maintenance burden.

Scope

  • Proposal owners:

The work required to implement this change is a simple packaging change.

  • Other developers:

Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package.

  • Policies and guidelines: N/A, no changes should be necessary.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Workflows that previously depended on signtool will no longer work.

It is unknown if any such workflows exist.

How To Test

Executing the command "signtool" in a terminal should report an error message like "command not found".

User Experience

Users who previously tried to execute signtool, and relied on it to be available in the default search path, will fail to execute it.

For backwards compatibility reasons, users who still need this tool may still execute it by referring to the /usr/lib64/nss/unsupported-tools/ path.

Dependencies

No new dependencies

Contingency Plan

  • Contingency mechanism: Should we unexpectedly learn that signtool is used for important workflows, any NSS packager can revert it to the previously shipped configuration.
  • Contingency deadline: beta freeze
  • Blocks release? No
  • Blocks product? No

Documentation

No documentation

Release Notes

It should be sufficient to add a simple sentence that the NSS signtool is now deprecated.