In Fedora 27 and later, NSS plans to deprecate the 'signtool' command: https://fedoraproject.org/wiki/Changes/NSSSigntoolDeprecation After this change, the tool will be moved from /usr/bin to /usr/lib64/nss/unsupported-tools. However, freeipa apparently relies on the absolute path of this command: $ fedpkg clone freeipa $ cd freeipa $ fedpkg prep $ grep signtool **/*.py freeipa-4.5.3/ipaplatform/base/paths.py: SIGNTOOL = "/usr/bin/signtool" freeipa-4.5.3/ipaserver/install/certs.py: def run_signtool(self, args, stdin=None): freeipa-4.5.3-python3/ipaplatform/base/paths.py: SIGNTOOL = "/usr/bin/signtool" freeipa-4.5.3-python3/ipaserver/install/certs.py: def run_signtool(self, args, stdin=None): This was spotted by openQA, when I mistakenly pushed this change to F26: https://bodhi.fedoraproject.org/updates/nspr-4.16.0-1.fc26%20nss-3.32.0-1.1.fc26%20nss-softokn-3.32.0-1.2.fc26%20nss-util-3.32.0-1.0.fc26#comment-648102
It would be preferred if you stopped using signtool altogether, and switched to use a different tool. The reason is that signtool is hardcoded to use SHA1, and we recommend not to use it. We don't have plans to enhance signtool to be more flexible. Could you potentially use jarsigner from openjdk-devel ?
This is probably not an issue in IPA because it is used only in run_signtool method which is not used anywhere. But yes, the method and the constant should be removed.
*** This bug has been marked as a duplicate of bug 1483159 ***