From Fedora Project Wiki

Revision as of 13:29, 3 July 2017 by Kengert (talk | contribs) (clarify that compatibility is the difficulty and add context bugzilla links)

NSS signtool deprecation

Summary

Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool.

Owner

  • Name: Kai Engert
  • Email: kengert@redhat.com
  • Release notes owner:

Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-07-03
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

The NSS signtool is hardcoded to use SHA1 for signatures; however, SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to a more secure hash algorithm in a backward- and forward-compatible way, and because signtool might no longer be required for common uses, the suggestion is to deprecate it.

See also

  • https://bugzilla.redhat.com/show_bug.cgi?id=1309781
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1345106

Benefit to Fedora

Discourage users from using a tool with weaker security properties. Less maintenance burden.

Scope

  • Proposal owners:

The work required to implement this change is a simple packaging change.

  • Other developers: N/A (not a System Wide Change)

Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package.

  • Policies and guidelines: N/A, no changes should be necessary.
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

Workflows that previously depended on signtool will no longer work.

It is unknown if any such workflows exist.

How To Test

Executing the command "signtool" in a terminal should report an error message like "command not found".
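
The check above, together with the relocation described in the Summary, can be scripted. The following is an added example, not part of the original proposal or of the NSS packaging; the function name signtool_state and the three state labels it prints are hypothetical.

```shell
#!/bin/sh
# Added example: report whether signtool has been moved out of the default
# search path as this Change describes.
#   $1  search path to inspect (default: the current $PATH)
#   $2  root prefix prepended to /usr/lib*/nss/unsupported-tools (default: none),
#       so the function can be run against a constructed directory tree
signtool_state() {
    search_path=${1-$PATH}
    root=${2-}
    in_path=no
    relocated=no

    # Walk the search path one directory at a time, as the shell would.
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        [ -n "$dir" ] || dir=.      # an empty PATH element means the current directory
        if [ -f "$dir/signtool" ] && [ -x "$dir/signtool" ]; then
            in_path=yes
            break
        fi
    done
    IFS=$old_ifs

    # /usr/lib*/ matches both /usr/lib and /usr/lib64; an unmatched glob stays
    # literal and simply fails the -x test.
    for candidate in "$root"/usr/lib*/nss/unsupported-tools/signtool; do
        if [ -x "$candidate" ]; then
            relocated=yes
            break
        fi
    done

    case "$in_path/$relocated" in
        no/yes) echo deprecated ;;      # expected result once the Change is applied
        yes/*)  echo still-in-path ;;   # signtool is still reachable by bare name
        no/no)  echo not-installed ;;   # nss-tools absent, or signtool removed entirely
    esac
}

# Report the state of the running system.
signtool_state
```

On a system with the Change applied and nss-tools installed, the final call prints "deprecated".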

User Experience

Users who previously tried to execute signtool, and relied on it to be available in the default search path, will fail to execute it.

For backwards compatibility reasons, users who still need this tool may still execute it by referring to the /usr/lib64/nss/unsupported-tools/ path.

Dependencies

No new dependencies

Contingency Plan

  • Contingency mechanism: Should we unexpectedly learn that signtool is used for important workflows, any NSS packager can revert it to the previously shipped configuration.
  • Contingency deadline: beta freeze
  • Blocks release? No
  • Blocks product? No

Documentation

No documentation

Release Notes

It should be sufficient to add a simple sentence that the NSS signtool is now deprecated.