Can we deprecate NSS signtool?

Can we deprecate NSS signtool?

Kai Engert-4
The NSS utility "signtool" is hardcoded to use SHA1 when creating a digital
signature.

As I've described in this bug:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
it might be complicated to change the default to a more secure hash algorithm in
a compatible way.

I wonder who still depends on signtool. If you know, could you please give
feedback?

I see that OpenJDK ships its own tool, jarsigner.

Mozilla appears to use different tools to sign the Firefox addons in XPI file
format, using Python. Franziskus pointed me to:
  https://github.com/mozilla-services/autograph/pull/46

Can we declare signtool as deprecated?

Thanks
Kai

--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Can we deprecate NSS signtool?

Kyle Hamilton-2
http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jarsigner.html

It is probably not as complicated to change the default in a compatible way
as you think.

However, I don't know if anyone still uses signtool.

-Kyle H



On Mon, Jul 3, 2017 at 4:49 AM, Kai Engert <[hidden email]> wrote:

> The NSS utility "signtool" is hardcoded to use SHA1 when creating a digital
> signature.
>
> As I've described in this bug:
>   https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
> it might be complicated to change the default to a more secure hash algorithm in
> a compatible way.
>
> I wonder who still depends on signtool. If you know, could you please give
> feedback?
>
> I see that OpenJDK ships its own tool, jarsigner.
>
> Mozilla appears to use different tools to sign the Firefox addons in XPI file
> format, using Python. Franziskus pointed me to:
>   https://github.com/mozilla-services/autograph/pull/46
>
> Can we declare signtool as deprecated?
>
> Thanks
> Kai
>