Bug 1486383 - freeipa should no longer use signtool
Summary: freeipa should no longer use signtool
Keywords:
Status: CLOSED DUPLICATE of bug 1483159
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 27
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-08-29 15:45 UTC by Daiki Ueno
Modified: 2017-08-29 17:16 UTC
CC: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-29 17:16:29 UTC
Type: Bug
Embargoed:



Description Daiki Ueno 2017-08-29 15:45:04 UTC
In Fedora 27 and later, NSS plans to deprecate the 'signtool' command:
https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation

After this change, the tool will be moved from /usr/bin to /usr/lib64/nss/unsupported-tools.  However, freeipa apparently relies on the absolute path of this command:

$ fedpkg clone freeipa
$ cd freeipa
$ fedpkg prep
$ grep signtool **/*.py
freeipa-4.5.3/ipaplatform/base/paths.py:    SIGNTOOL = "/usr/bin/signtool"
freeipa-4.5.3/ipaserver/install/certs.py:    def run_signtool(self, args, stdin=None):
freeipa-4.5.3-python3/ipaplatform/base/paths.py:    SIGNTOOL = "/usr/bin/signtool"
freeipa-4.5.3-python3/ipaserver/install/certs.py:    def run_signtool(self, args, stdin=None):

This was spotted by openQA, when I mistakenly pushed this change to F26:
https://bodhi.fedoraproject.org/updates/nspr-4.16.0-1.fc26%20nss-3.32.0-1.1.fc26%20nss-softokn-3.32.0-1.2.fc26%20nss-util-3.32.0-1.0.fc26#comment-648102
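The grep above finds the hard-coded path by string match. As an added example (not freeipa code, and not part of this bug report), the script below does the same check with the `ast` module so it can be run as a pre-install sanity test: it collects every module-level or class-level constant whose value looks like an executable path and reports the ones that no longer exist, naming the relocated binary when the distribution has moved it (here the NSS move from /usr/bin to /usr/lib64/nss/unsupported-tools). The sample `paths.py` class, the `F27_LAYOUT` filesystem view and the helper names are constructed for this example; on a real host you would pass `os.path.exists` as the `exists` predicate.

```python
"""Find hard-coded absolute tool paths in Python sources and check them.

Added example, not freeipa code.  It does with the ast module what the
reporter did with grep: find constants such as
SIGNTOOL = "/usr/bin/signtool" and report which of them do not exist
(according to an `exists` predicate), so a package move like
/usr/bin -> /usr/lib64/nss/unsupported-tools is caught before install time.
"""
import ast
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed pattern for "looks like an executable path": /bin, /sbin,
# /usr/bin, /usr/sbin, /usr/lib64/..., /usr/libexec/...
TOOL_PATH_RE = re.compile(r"^/(usr/)?(s?bin|lib64|libexec)/\S+$")

# Constructed sample: the constant the reporter's grep found in
# ipaplatform/base/paths.py, reduced to a minimal class plus two decoys.
SAMPLE_PATHS_PY = '''
class BasePathNamespace:
    SIGNTOOL = "/usr/bin/signtool"
    CERTUTIL = "/usr/bin/certutil"
    IPA_CONF = "/etc/ipa/default.conf"   # a config file, not a tool: ignored
'''


def find_tool_constants(source: str) -> Dict[str, str]:
    """Return {CONSTANT_NAME: absolute_path} for every NAME = "..." whose
    value matches TOOL_PATH_RE, anywhere in the module (class bodies too)."""
    found: Dict[str, str] = {}
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        value = node.value
        if not (isinstance(value, ast.Constant) and isinstance(value.value, str)):
            continue
        if not TOOL_PATH_RE.match(value.value):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name):
                found[target.id] = value.value
    return found


def check_tool_paths(
    constants: Dict[str, str],
    exists: Callable[[str], bool] = os.path.exists,
    relocations: Tuple[str, ...] = ("/usr/lib64/nss/unsupported-tools",),
) -> List[Tuple[str, str, str]]:
    """For each constant whose path fails `exists`, return
    (name, old_path, new_path_or_empty).  `relocations` lists directories a
    distribution may have moved the binary to; the first directory in which
    the same basename exists is reported as the replacement."""
    problems: List[Tuple[str, str, str]] = []
    for name, path in constants.items():
        if exists(path):
            continue
        basename = os.path.basename(path)
        moved_to = ""
        for directory in relocations:
            candidate = os.path.join(directory, basename)
            if exists(candidate):
                moved_to = candidate
                break
        problems.append((name, path, moved_to))
    return problems


# Constructed view of the post-change filesystem: signtool has been moved
# out of /usr/bin, certutil has not.  Used instead of the real
# os.path.exists so the example gives the same answer on any machine.
F27_LAYOUT = {
    "/usr/bin/certutil",
    "/usr/lib64/nss/unsupported-tools/signtool",
}


def demo() -> List[Tuple[str, str, str]]:
    """Scan the sample source against the constructed F27 layout."""
    constants = find_tool_constants(SAMPLE_PATHS_PY)
    return check_tool_paths(constants, exists=F27_LAYOUT.__contains__)


if __name__ == "__main__":
    for name, old, new in demo():
        note = f", found at {new}" if new else ""
        print(f"{name}: {old} is missing{note}")
```

Run against a real checkout you would read each `paths.py` from disk and leave `exists` at its default; a non-empty result means the package would break on the new layout even if no code path currently calls the tool, which is the situation Comment 2 below describes.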

Comment 1 Kai Engert (:kaie) (inactive account) 2017-08-29 16:13:40 UTC
It would be preferred if you stopped using signtool altogether, and switched to use a different tool. The reason is that signtool is hardcoded to use SHA1, and we recommend not to use it. We don't have plans to enhance signtool to be more flexible.

Could you potentially use jarsigner from openjdk-devel?

Comment 2 Petr Vobornik 2017-08-29 16:53:59 UTC
This is probably not an issue in IPA because it is used only in the run_signtool method, which is not used anywhere.

But yes, the method and the constant should be removed.

Comment 3 Rob Crittenden 2017-08-29 17:16:29 UTC

*** This bug has been marked as a duplicate of bug 1483159 ***

