[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-devel-list
Subject:    F27 System Wide Change: NSS signtool deprecation
From:       Jaroslav Reznik <jreznik () redhat ! com>
Date:       2017-07-06 16:38:36
Message-ID: CAMDqk54oEhNEGOx5N0qtUCrceas8E3Oiv8g3Q6ZNedsrR+Fnpg () mail ! gmail ! com
[Download RAW message or body]

= System Wide Change: NSS signtool deprecation =
https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation

Change owner(s):
* Kai Engert <kaie@redhat.com>

Deprecate the NSS tool named signtool, currently shipped as part of
the nss-tools package, and available in the default search path at
/usr/bin/signtool. Move it to
/usr/lib*/nss/unsupported-tools/signtool.

== Detailed Description ==
The NSS signtool is hardcoded to use SHA1 for signatures, however,
SHA1 is no longer considered secure. Because it seems difficult to
change the signtool default to make use of a more secure hash
algorithm in a backwards and forwards compatible way, and because
signtool might no longer be required for common uses, the suggestion
is to deprecate it.

See also [1] and [2]

== Scope ==
* Proposal owners:

The work required to implement this change is a simple packaging change.

* Other developers:

Users who used signtool for signing Jar/Zip/etc. files must use a
different tool. A possible alternative is the jarsigner tool, which is
shipped as part of the java-*-openjdk-devel package.

* Release engineering: [1]

* List of deliverables:
N/A

* Policies and guidelines:
N/A, no changes should be necessary.

* Trademark approval:
N/A (not needed for this Change)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1444136
[3] https://pagure.io/releng/issue/6882

Thanks,
Jaroslav
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org

[prev in list] [next in list] [prev in thread] [next in thread]