nss sigalgs bz1898641

Merged Alexander Sosedkin requested to merge nss-sigalgs-bz1898641 into master

Quoting https://bugzilla.redhat.com/show_bug.cgi?id=1898641

Upstream NSS just added policy support for rsa-pkcs, rsa-pss, and ecdsa as signature algorithms in NSS 3.59. crypto policies needs to add maps from the signature values to these new algorithm types. Without these new algorithms, rsa signatures will break when policies are installed.

The challenge is we can't add these to crypto policies before NSS updates because nss-check-policy will fail (we really need to have an option for nss-check-policy to allow NEW unknown policies (sigh)).

The check actually uses 3.60 as Fedora has the change reverted in its 3.59. This way we're wrong in a narrow case: we're skipping the check on non-Fedora 3.59 NSS, while it could technically work.

Merge request reports