= System Wide Change: NSS signtool deprecation = https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation Change owner(s): * Kai Engert <kaie@xxxxxxxxxx> Deprecate the NSS tool named signtool, currently shipped as part of the nss-tools package, and available in the default search path at /usr/bin/signtool. Move it to /usr/lib*/nss/unsupported-tools/signtool. == Detailed Description == The NSS signtool is hardcoded to use SHA1 for signatures, however, SHA1 is no longer considered secure. Because it seems difficult to change the signtool default to make use of a more secure hash algorithm in a backwards and forwards compatible way, and because signtool might no longer be required for common uses, the suggestion is to deprecate it. See also [1] and [2] == Scope == * Proposal owners: The work required to implement this change is a simple packaging change. * Other developers: Users who used signtool for signing Jar/Zip/etc. files must use a different tool. A possible alternative is the jarsigner tool, which is shipped as part of the java-*-openjdk-devel package. * Release engineering: [1] * List of deliverables: N/A * Policies and guidelines: N/A, no changes should be necessary. * Trademark approval: N/A (not needed for this Change) [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1345528 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1444136 [3] https://pagure.io/releng/issue/6882 Thanks, Jaroslav _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
