Comment 4 for bug 655462

Reliably patching in zeros (dummy signatures) is probably 1–3 hours work, but once scripted in the build system needs no further work.

Developing a replacement Linux-based signing DSIG font signing tool is probably 1–3 days including the combined QA confirmation work to ensure it works. The blocker here is having a number of MS Windows machines (with various versions) available to confirm that validation works in all cases.

At that point, either a pair of keys need generating and including in the source, or they should be signed with eg. the same keys previously used for signing Java stuff.