From Fedora Project Wiki

Latest revision as of 08:05, 8 August 2017

NSS signtool deprecation

Summary

Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool.

Owner

  • Name: Kai Engert
  • Email: kaie@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-08-08
  • Tracker bug:

Detailed Description

The NSS signtool is hardcoded to use SHA1 for signatures; however, SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to a more secure hash algorithm in a backwards and forwards compatible way, and because signtool might no longer be required for common uses, the suggestion is to deprecate it.
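To find archives that still depend on SHA1 signatures before re-signing them with another tool, the following added example (not part of the original proposal or of NSS) lists the digest algorithms named in a JAR's signature files. It assumes the standard JAR signing layout, where META-INF/*.SF files carry `<algorithm>-Digest` attributes; the `WEAK` set, the function names and the sample archive are constructed for illustration.

```python
import base64
import hashlib
import io
import re
import zipfile

DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(-Manifest(-Main-Attributes)?)?$")
WEAK = {"SHA1", "SHA-1", "MD5"}  # assumption: digest names treated as weak here


def digest_algorithms(text):
    """Collect algorithm names from attributes such as "SHA1-Digest"."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    algs = set()
    for line in text.splitlines():
        name, sep, _ = line.partition(":")
        match = DIGEST_ATTR.match(name.strip()) if sep else None
        if match:
            algs.add(match.group(1).upper())
    return algs


def audit_jar(data):
    """Map each META-INF/*.SF signature file to the digests it uses."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for member in jar.namelist():
            if re.fullmatch(r"META-INF/[^/]+\.SF", member, re.IGNORECASE):
                text = jar.read(member).decode("utf-8", "replace")
                report[member] = digest_algorithms(text)
    return report


def needs_resigning(report):
    """True if any signature file relies only on weak digests."""
    return any(algs and algs <= WEAK for algs in report.values())


def sample_jar(attr, hash_name):
    """Constructed sample: one entry plus a signature file (no PKCS#7 block)."""
    payload = b"constructed sample\n"
    b64 = base64.b64encode(hashlib.new(hash_name, payload).digest()).decode()
    section = f"Name: hello.txt\r\n{attr}-Digest: {b64}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("hello.txt", payload)
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n" + section)
        jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n\r\n" + section)
    return buf.getvalue()
```

The check reads only the signature file; the digest algorithm inside the PKCS#7 signature block (.RSA/.DSA/.EC) is not inspected and needs an ASN.1 parser.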

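See also

  • https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
  • https://bugzilla.redhat.com/show_bug.cgi?id=1444136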

Benefit to Fedora

Discourage users from using a tool with weaker security properties. Less maintenance burden.

Scope

  • Proposal owners:

The work required to implement this change is a simple packaging change.

  • Other developers:

Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package.

  • Release engineering: https://pagure.io/releng/issue/6882
  • Policies and guidelines: N/A, no changes should be necessary.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Workflows that previously depended on signtool will no longer work.

It is unknown if any such workflows exist.

How To Test

Executing the command "signtool" in a terminal should report an error message like "command not found".

User Experience

Users who relied on signtool being available in the default search path will no longer be able to execute it by name.

For backwards compatibility reasons, users who still need this tool may still execute it by referring to the /usr/lib64/nss/unsupported-tools/ path.

Dependencies

No new dependencies

Contingency Plan

  • Contingency mechanism: Should we unexpectedly learn that signtool is used for important workflows, any NSS packager can revert it to the previously shipped configuration.
  • Contingency deadline: beta freeze
  • Blocks release? No
  • Blocks product? No

Documentation

No documentation

Release Notes

It should be sufficient to add a simple sentence that the NSS signtool is now deprecated.