The NSS utility "signtool" is hardcoded to use SHA1 when creating a digital signature.
As I've described in this bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1345528
it might be complicated to change the default to a more secure hash algorithm in a compatible way.

I wonder who still depends on signtool. If you know, could you please give feedback?

I see that OpenJDK ships its own tool, jarsigner.

Mozilla appears to use different tools to sign the Firefox addons in XPI file format, using python. (Franziskus pointed me to: https://github.com/mozilla-services/autograph/pull/46)

Can we declare signtool as deprecated?

Thanks
Kai

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto