NSS signtool deprecation
Summary
Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool.
Owner
- Name: Kai Engert
- Email: kaie@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 27
- Last updated: 2017-07-03
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
The NSS signtool is hardcoded to use SHA1 for signatures, however, SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to make use of a more secure hash algorithm in a backwards and forwards compatible way, and because signtool might no longer be required for common uses, the suggestion is to deprecate it.
See also
- https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
- https://bugzilla.redhat.com/show_bug.cgi?id=1444136
Benefit to Fedora
Discourage users from using a tool with weaker security properties. Less maintenance burden.
Scope
- Proposal owners:
The work required to implement this change is a simple packaging change.
- Other developers:
Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package.
- Release engineering: #Releng issue number (a check of an impact with Release Engineering is needed)
- List of deliverables: N/A, no deliverables
- Policies and guidelines: N/A, no changes should be necessary.
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
Workflows that were previously depending on signtool will no longer work.
It is unknown if any such workflows exist.
How To Test
Executing the command "signtool" in a terminal should report an error message like "command not found".
User Experience
Users who previously tried to execute signtool, and relied on it to be available in the default search path, will fail to execute it.
For backwards compatibility reasons, users who still need this tool may still execute it by referring to the /usr/lib64/nss/unsupported-tools/ path.
Dependencies
No new dependencies
Contingency Plan
- Contingency mechanism: Should we unexpectedly learn that signtool is used for important workflows, any NSS packager can revert it to the previously shipped configuration.
- Contingency deadline: beta freeze
- Blocks release? No
- Blocks product? No
Documentation
No documentation
Release Notes
I should be sufficient to add a simple sentence that the NSS signtool is now deprecated.