Quoting https://bugzilla.redhat.com/show_bug.cgi?id=1898641:
Upstream NSS just added policy support for rsa-pkcs, rsa-pss, and ecdsa as signature algorithms in NSS 3.59. Crypto policies needs to add maps from the signature values to these new algorithm types. Without these new algorithms, RSA signatures will break when policies are installed.
The challenge is we can't add these to crypto policies before NSS updates because nss-check-policy will fail (we really need to have an option for nss-check-policy to allow NEW unknown policies (sigh)).
The check actually uses 3.60 as Fedora has the change reverted in its 3.59. This way we're wrong in a narrow case: we're skipping the check on non-Fedora 3.59 NSS, while it could technically work.