In Fedora 27 and later, NSS plans to deprecate the 'signtool' command:
https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation
After this change, the tool will be moved from /usr/bin to /usr/lib64/nss/unsupported-tools. However, freeipa apparently relies on the absolute path of this command:
$ fedpkg clone freeipa
$ cd freeipa
$ fedpkg prep
$ grep signtool **/*.py
freeipa-4.5.3/ipaplatform/base/paths.py: SIGNTOOL = "/usr/bin/signtool"
freeipa-4.5.3/ipaserver/install/certs.py: def run_signtool(self, args, stdin=None):
freeipa-4.5.3-python3/ipaplatform/base/paths.py: SIGNTOOL = "/usr/bin/signtool"
freeipa-4.5.3-python3/ipaserver/install/certs.py: def run_signtool(self, args, stdin=None):
This was spotted by openQA, when I mistakenly pushed this change to F26:
https://bodhi.fedoraproject.org/updates/nspr-4.16.0-1.fc26%20nss-3.32.0-1.1.fc26%20nss-softokn-3.32.0-1.2.fc26%20nss-util-3.32.0-1.0.fc26#comment-648102
Comment 1 Kai Engert (:kaie) (inactive account)
2017-08-29 16:13:40 UTC
It would be preferred if you stopped using signtool altogether, and switched to using a different tool. The reason is that signtool is hardcoded to use SHA1, and we recommend not using it. We don't have plans to enhance signtool to be more flexible.
Could you potentially use jarsigner from openjdk-devel?
This is probably not an issue in IPA because it is used only in the run_signtool method, which is not used anywhere.
But yes, the method and the constant should be removed.