From Fedora Project Wiki

Revision comparison: previous edit summary "m (formatting change of an enumerated list)", this edit summary "(add releng issue)". The edit at line 52 (Scope section) replaces the template placeholder bullet "Release engineering: [https://pagure.io/releng/issues #Releng issue number] (a check of an impact with Release Engineering is needed)" with:

  • Release engineering: https://pagure.io/releng/issue/6882

Revision as of 15:34, 4 July 2017

NSS signtool deprecation

Summary

Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool.

Owner

  • Name: Kai Engert
  • Email: kaie@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-07-04
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The NSS signtool is hardcoded to use SHA1 for signatures, but SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to a more secure hash algorithm in a backwards- and forwards-compatible way, and because signtool may no longer be required for common uses, the suggestion is to deprecate it.

See also

Benefit to Fedora

Discourages users from using a tool with weaker security properties, and reduces the maintenance burden.

Scope

  • Proposal owners:

The work required to implement this change is a simple packaging change.

  • Other developers:

Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package.

  • Policies and guidelines: N/A, no changes should be necessary.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Workflows that were previously depending on signtool will no longer work.

It is unknown if any such workflows exist.

How To Test

Executing the command "signtool" in a terminal should report an error message like "command not found".

User Experience

Users who previously executed signtool and relied on it being available in the default search path will no longer be able to run it by name.

For backwards compatibility reasons, users who still need this tool may still execute it by referring to the /usr/lib64/nss/unsupported-tools/ path.
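As an added example (not part of this change page or of the NSS project), a small POSIX shell check that verifies the state described under How To Test and User Experience: signtool must not resolve through the default search path, may still exist under /usr/lib64/nss/unsupported-tools/ for compatibility, and jarsigner should be installed as the replacement. The function names and the optional directory and search-path parameters are this example's own, so the check can also run against a constructed directory tree.

```shell
#!/bin/sh
# Verifies the signtool deprecation state. Exit status 0 means signtool is
# not on the default search path (the expected post-change state).

UNSUPPORTED_DIR_DEFAULT=/usr/lib64/nss/unsupported-tools

# 0 when "signtool" resolves through the search path ($1, default: $PATH).
# The subshell keeps the PATH override local to this lookup.
signtool_in_path() {
    ( PATH="${1:-$PATH}"; command -v signtool >/dev/null 2>&1 )
}

# 0 when an executable signtool exists under the unsupported-tools dir ($1).
signtool_in_unsupported_dir() {
    dir="${1:-$UNSUPPORTED_DIR_DEFAULT}"
    [ -x "$dir/signtool" ]
}

# 0 when jarsigner (from java-*-openjdk-devel) is usable as a replacement.
jarsigner_available() {
    command -v jarsigner >/dev/null 2>&1
}

# Prints a verdict for each check; returns 1 only if signtool still
# resolves via the search path, i.e. the deprecation is not in effect.
check_signtool_deprecation() {
    dir="${1:-$UNSUPPORTED_DIR_DEFAULT}"
    if signtool_in_path; then
        echo "signtool still resolves via PATH: $(command -v signtool); deprecation not applied"
        return 1
    fi
    echo "signtool is not in the default search path (expected)"
    if signtool_in_unsupported_dir "$dir"; then
        echo "still available for compatibility at $dir/signtool (SHA1-only, unsupported)"
    fi
    if jarsigner_available; then
        echo "jarsigner is available; use it for Jar/Zip signing"
    else
        echo "jarsigner not found; install java-*-openjdk-devel to replace signtool"
    fi
    return 0
}

check_signtool_deprecation "$@"
```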

Dependencies

No new dependencies

Contingency Plan

  • Contingency mechanism: Should we unexpectedly learn that signtool is used for important workflows, any NSS packager can revert it to the previously shipped configuration.
  • Contingency deadline: beta freeze
  • Blocks release? No
  • Blocks product? No

Documentation

No documentation

Release Notes

It should be sufficient to add a simple sentence stating that the NSS signtool is now deprecated.