diff --git a/security/nss/.taskcluster.yml b/security/nss/.taskcluster.yml index 4d5117e5e6e0..05bade9656e8 100644 --- a/security/nss/.taskcluster.yml +++ b/security/nss/.taskcluster.yml @@ -55,7 +55,7 @@ tasks: image: djmitche/nss-decision:0.0.3 env: - TC_OWNER: "${push.owner}" + TC_OWNER: "${ownerEmail}" TC_SOURCE: "${repository.url}" TC_PROJECT: ${repository.project} TC_SCHEDULER_ID: "${schedulerId}" diff --git a/security/nss/TAG-INFO b/security/nss/TAG-INFO index a9fcb10e3838..9458e85c1979 100644 --- a/security/nss/TAG-INFO +++ b/security/nss/TAG-INFO @@ -1 +1 @@ -264f19e7ede7 +8c6fad5544a6 diff --git a/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc new file mode 100644 index 000000000000..513dcd410106 --- /dev/null +++ b/security/nss/automation/taskcluster/docker-hacl/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc 
@@ -0,0 +1,143 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFS+1SABEACnmkESkY7eZq0GhDjbkWpKmURGk9+ycsfAhA44NqUvf4tk1GPM +5SkJ/fYedYZJaDVhIp98fHgucD0O+vjOzghtgwtITusYjiPHPFBd/MN+MQqSEAP+ +LUa/kjHLjgyXxKhFUIDGVaDWL5tKOA7/AQKl1TyJ8lz89NHQoUHFsF/hu10+qhJe +V65d32MXFehIUSvegh8DrPuExrliSiORO4HOhuc6151dWA4YBWVg4rX5kfKrGMMT +pTWnSSZtgoRhkKW2Ey8cmZUqPuUJIfWyeNVu1e4SFtAivLvu/Ymz2WBJcNA1ZlTr +RCOR5SIRgZ453pQnI/Bzna2nnJ/TV1gGJIGRahj/ini0cs2x1CILfS/YJQ3rWGGo +OxwG0BVmPk0cmLVtyTq8gUPwxcPUd6WcBKhot3TDMlrffZACnQwQjlVjk5S1dEEz +atUfpEuNitU9WOM4jr/gjv36ZNCOWm95YwLhsuci/NddBN8HXhyvs+zYTVZEXa2W +l/FqOdQsQqZBcJjjWckGKhESdd7934+cesGD3O8KaeSGxww7slJrS0+6QJ8oBoAB +P/WCn/y2AiY2syEKp3wYIGJyAbsm542zMZ4nc7pYfSu49mcyhQQICmqN5QvOyYUx +OSqwbAOUNtlOyeRLZNIKoXtTqWDEu5aEiDROTw6Rkq+dIcxPNgOLdeQ3HwARAQAB +tCFIYW5zIFdlbm5ib3JnIDxoYW5zQGNocm9taXVtLm9yZz6JARwEEAECAAYFAlT2 +MQAACgkQVfXNcLtaBWnDKgf/fjusXk+kh1zuyn5eOCe16+2vV1lmXZrDIGdJtXDW +ZtHKele1Yv1BA3kUi5tKQi+VOOrvHL0+TMjFWFiCy1sYJS9qgkS08kReI2nAnhZ7 +INdqEVxtVk1TTOhtYjOPy6txwujoICuPv5F4rHVhn1LPKGTLtYD2LOwf/8eKYQox +51gaJ8dNxpcHE/iFOIDXdebJPufo3EhqDRihchxb8AVLhrNss7pGGG/tVfichmHK +djPT2KfSh14pq1ahFOz0zH4nmTu7CCLnLAdRBHuhL8HVDbi0vKBtCiSmQggdxvoj +u+hpXiiDFQoCjLh0zVCwtFqWDZbnKMTBNNF26aTmQ+2fiYkBMwQQAQgAHRYhBB/m +NI7eqCWiKXDlxI3TBA8SPMP0BQJbcLU1AAoJEI3TBA8SPMP021sH/jD1m7azNCN6 +DVL1iDJT6uIIYCTylygH5XI46CRoWaz/LwdFnUqWHHTcQxJ5pIkWV9KF+SIgMT42 +brdZZmNvvSdX0odjFKqj5UR6w+wDN+uZ6Q40zu4pNoNzbk7pRpbFf1XIfGB1liyu +m28EJ58IXu/0AV7FiDAHGGBqppK/cwQN8pGLwmz1n6YELtXeFmtOGnusO6iLYOE7 +3ByFCCqJB6twT5+7dDqFYqqQJgQ6jDTy19dDZ1vDhDttL+2Rn0OYXqPw7gy/1D2p +Y1cM9PgPBsR4EXhbtV0uKUNomk8tM/HnGMFT0KirI/tSwEP3v9g5YH992mrvNuIV +TkyQn0jGeMeJATMEEAEIAB0WIQRswFHTwdmkr54mDFjT45SsdE4uuwUCW3haCQAK +CRDT45SsdE4uu4JjCACppkreiMrpJSREKbUscdOvFxFRYzkTFeSCwX9Ih7r5ENpa +zjczfIqCCfWzioV6y4K0V04y8CXt/5S5a9vfW801pBUdF9nG4X8YbUn/xSe+8A9m +MsfDjMNcF7Cp5czVoSS4/4oHm9mQUMYQsn3AwwCPDKFORRRv5Eb0om9JawKtt++7 +ZW0fOgDkvOCm14SN0UtVc4mxTx6iyxdMDgrKinBZVjxEh5oeqUyXh5TYM+XyWFVh 
+/gDUvUWwLI0GUWNTyOyUQU1oPVp+sWqrEe1BXLVCKFVWaSTtgJtJ5FyP+z2uzRcv +aanPOj/ohHAo8VBq9QbefYVAkShNBEuJkATnXhcGiQEzBBABCAAdFiEEvlzFWRM6 +4JjNAb2a+j2ZL9Cqr7wFAlkBCcIACgkQ+j2ZL9Cqr7yB9AgArj+0+i0DCo1nm4MF +TLnW1Y9GF/Hq/mBva1MhkT0j3BzENK3xgqrqac8KqupsporNEmJ0ZbZzilJdZImb +o4X5BFdmmnjMiGaH6GAiPqRBBHGvLV2r2pG467J4tOMWO3XipFRf7FibbfhAU1lV +/GLWYTSwLqwWwBE8u5rriEvDngWUJw2Yd4Yqwduef7O6F+JfsGPRXFomR3387II0 +8AXo/C+P5cl64llaxV6BmkJhQ6ydL0/KwSkHVdlXugk1sPtV/qOyPQ5L1Ibqbsvh +lLq/jhHlUUNLFjlQ2lrS9bhHGw9OIHTMJvS8RDrk0yAmoHAyRWNgbFN7aA62vBhq +pcUVzokBMwQQAQgAHRYhBPZ+fW6ADyQOg+vIZ/9qyaZGTfCcBQJa+ZAwAAoJEP9q +yaZGTfCcKMgH/jRxGfYhhGnlMnDLAEpYC+TGSDLMgmg9cOZbonqyMv+7Kts+pV03 +KUr9SPV+VtGtOxRNiqwFt6V2MHcwPJfTXuH/bBW/HCCpr6UlOVWqIiCNK0Gnpcj5 +rRt5unjG9CwsgyaK9QPI8bGin/c6m8BjwmEdfJ01ATLiUb8WuDHQy9OCyrEAnzSq +FD5ZtFmAFxvzm2x1nwb5HPuqkOqbRatp8aRJzTxIeSJPpgLw0PawHKGN3Ckp7REc +g26P1spkPe7SIVRsobH3al4uw7mgs7wiDWN3t8CdmuHAzmB2UrsR84JMTb45GboO +Bc1CX8xZcHyNaDEpyWHav+P8nZqwfBm+cLiJAjMEEAEIAB0WIQSawVDb4dGOtiX0 ++gWyD0lU8+/LPwUCW/4O9QAKCRCyD0lU8+/LPyI7EACWtj0GEb1VT02gKwtKwgFn +RJ2pz8vYm188wgJwCJaL04d2D/VwE0jMvmfH80hSKgSLPAVMG06RIOb/tGhHsQKU +zBlHiAFmfjlJo1FC/Mp44RrERRsFAWBg0/URIs4vP8+5Vl+5m70sZrQpKeq+6TLM +1dQ0Ohz+QkQ04Z+DTroChWU8/7Uw0E3CqGGKYqPvDh54T1q4s8FoN0no8ZUlt/O+ +r/3c7awr85ZnxqtnHIcuMbVyIZ+gOqXdrLa85yZITsh4zQrjYuyTEg7dpziReyiZ ++rkpdIdFKl8YeD+d0JWzVm7kq9D4K3+x9C509z0IgJUT3bhsX/N0Yf/QUtUW5oxI +T7fod86B/Q2M7zBTttFhd1vAjiSjEalK48SjTzWqTDYVIkea1+f1kZK5A0QlthqG +P2zy5GUjZVzOiCSOhyEOvAorU3zKD2s84VFKlayZEqlHJh8u5U59TWBdkW3qZUJd +ewW31xt0s8IovYSgOwX3wbsClQs6eVwNuCZT2yQAgAyXA5iFztBvDRQ0qmetvzV2 +Ay9SrjvkQ3qr/eZmbMErEwEUxIO4b1rctCQ6jcbyVxMTAZAfaDoVKWEMXNiF2KSw +F9SSzGPIZDgiEXUlgaJBlUIYSFxrPuE+da0CM5RixyYIinU6AER6crl9C4C9XL6a +u3jf+5MTGxviRGn2oQzSCYkCMwQQAQgAHRYhBKeHFU4z7cw4HFbYuaxFYRTTj42I +BQJboq6kAAoJEKxFYRTTj42IWIAP/3rc9GjDTM4nI6Oi4OzLkwm/I2Vr7LUKG8oX +8E4Nj3amvNGupzGySjB+vrM6APrMSScXunvM0f19LV84EnNrUQ3KFZcSC6r5WC0B +2+TVRYGpY+6R9AQpqnuxicW0sa/AlV9WSEb4fDavCel2nW0arH4wkkCzTThUxoBB 
+X4I9nf4ZzGoUnnDAwTD9rN0gpI6Td/7faa3t99dRLb6AHJ1KhvyiiV3lr0xtTssD +xVHo0SpzQTnOcRJnYf/2rTny8bVfROPWieh6HuEiP7SxT1HyeTr4WSAjSCoG95O2 +b3OgSMl0Z82FRMoJYmxID/V5YqH7015SjCxKdYhEZVp9YwWruEJIH8r6MGbWYNAl +REnyDvfGzAF0L0+gAUymDRmtp1jeXLo+HmLgVEUWegafs1TPfCWS/H9n10Upjmuq +akituzacz6Kjleq9qbnl81Xmh4AKmOILRwE7Pmcbl8HATOrmi5EaKffjMdWFzOWh +3U4/VsNDujqSTXD88EjGcpLiIiYefGy0sURJbIMTkfXVt3ruHLyuvhsRE/2QEAi7 +gWB0zuBV8iGBaag+6RQkxGdpemPiogzuDijqZHoUXlp7Q6IYLanXeweyivdrSyTB +4HOECDbWEPZwk6tCxnuklW5iJndxBmxjSxefIMGU7G2JS9quppCVFCrKUjIWnf7b +gXnNji5JiQIzBBABCAAdFiEExZuSbLy7rtFhdiOuHt8NuZ2LeoQFAluirpUACgkQ +Ht8NuZ2LeoR/gQ/6A71JxUavzyBlCXlMy2Hx2+gOfy68b8UWl7DwKTOBSoZOzPC7 +dVCSTzoK8dRELqsp7CkFImWcEwLJWMptuH2I1nK+Ua8bvxJSMJnOlPxYE8Wz5EK3 +SQ2mQvifRezQTe8zjdpxEDSR6xocSiigvJow4X+Mivrxxj8sMgu1KA1ud2VGX/IR +wMbwuBTH9YydgvzmFzTxdlJHEYmsI8koHrVWPHm//QqqPBn+qz2z9uAzDmGAiDYg +qtQijo5IJC8ZjxgdcTfCkN6he+GhHtOhyP/KF/FcRHY83DoNCtqexQZWGuKtbd8o +nQYtmemRFob5kR7GxuNdAqF74oQfXcvXZNtHSuN3VtLqkB4fzW+21JBJCsP3XCzd +nKjR4erXNrQycmp3shSoJbnVvdbDwaVlWhDen1DvJb0Lj2sO3PQPcwVQbf5XHWR/ +ZCf2OQTfVgwFEB4/0Twv70XwYIui2Ry9hmTPbD4Nn+UXbMQ3SOp90tj/e2yY/MFt +FvcIYcJTk9LM5IsnKgh+fSWDmdS3HD5Kjv2EPUHTNalruwwfmhS+ScJwM4XqHTJY +JkB16j/Xv2FTF+6KlbA1zdOVycPzoFKjAENYccQBVo2B+WQac7dFDqGEVNal9z66 +DyU4ciAHl6PsbuN7DWeuScLoqq5jwx61bZgn71mUOYC1/47ypat2BKCOXZ2JAjME +EgEIAB0WIQSm5op4O95BdGcqQkHwXKpE5VGK/wUCWie53AAKCRDwXKpE5VGK/3rM +D/9jcYKOjYaPJh3Q7wNC1HjjUa73eo5GvJqyXbsXufIh/RAYgQkD08P5JgzfXvQ0 +zOQTtDlDTVG8VMFoBYeMJVDd0k9LBbaljxcttMPfOll+AlQGAL7iQIqTAndknkJL +CFdl0ypa5GVsl1tzqmNC5fuMJ3vBoRtYbMitlHQkO0vLjZ7yl9fz+7YkREpEo/d5 +Ya8t4+L6el6lrETYaiGCTxHcbYD7VdiJxpxFQlpgl+XKtobrj70RocGQ5JwUNilC +nRJKUb33lbmntwDwQ1y1AjCnhB++3GHjJDXBPgYFDCSZPCndKeOXhxmB2psFf41i +8foJPJXuh1vWOqArdwseFCRM6W2deF1utZmROMSkUo6IC8dYlucO/hjpjhG+C8Zv +QiM5uLylD3IPMX9wCz1tAhMNs3v4pEPo/4A//1cdLkor9cQVLFj3+TkS888EWZdj +Y8mUTIXU6yL1DXcj8CfDPS29fMpDorDpK1swl4pN5qgGfsL5BSAXUf1AZDWbxnEY +xf5rakfHDzrfbtbTSSfrBxS8gdW2vBKM+3nL21BeP8hQ0tkLA7bn2fNGz3aCOw46 
+XeVJdBk1gVTwazspylqrh1ljr0hQEN4gs/8kM645BRdD0IyAFFcI44VmuVwd8+2g +5miAGmVKSqN77w2cgMRnF7xpUsanv+3zKzaTnG+2liTeCokCPgQTAQIAKAUCVL7V +IAIbAwUJBaOagAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQD8MELjRa0F1m +RhAAj9X+/4iiQsN888dNW/H1wEFFTd/1vqb2j0sHP3t02LkEPN5Ii9u71TSD2gSD +WTu1Eb46nRDcapFNv5M0vXcWrEt7PK9b51Kuj4KpP5IjJHpTl2g7umaYQWC8fqcY +TJTH0guMSCzZlsP0xGLbAj3cG6X5OPzCO+IxEafXmE//SfS9w46n1OC57ca1Y0Fp +WXfjA0sJrcozgNchsptu3jg/oEteYJoxDAzNO45O4geNONq5D9PUQPb+H5Vv5zpy +MI7iUJhVnTOFvnoUgRS7v6pWiA3flh5FelK8tYPCzEfvxfe7EB5GO7MaJEO3ZLni +COaAZ3Nfn6Tt28tCOgd052W4FeGWow7iYCS1Wgd30bq/FNgnl+tKv2woxmWt4jJv +ioBHQ4PbUnap2RCmBFaG7llRkrKP8nhWSUdwSS3OmDwAfxTTXjPaESK9EX9OV9Xo +or07thq+7OMs+2cyiy2jSfIau0SELy/tVioZBhoB7hzAJUB8sGHOxMPlVDFdUr3x +F/cgCclWANhw2xvgPim1wQ0XpeZe6w9RpmjZR7ReMYwxn8APBDP/e9R5aLDUQAep +2hrJUPK38D0L69RnpWQsR9hZ2hEOrMV2M6ChlvhwHbGSdJ2CcqG5Jx4ZAP23DK3A +N26TB88H9F7IMrM0REZeu7KzvYwCWlpg0zMXXKQ/2vovoe2JAlUEEwECAD8CGwMG +CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAFiEEtsj5goK5ROOw1cJTD8MELjRa0F0F +Alpd+i0FCQ8FJo0ACgkQD8MELjRa0F3X3A//dBQLm6GmXlQFjxZbukTw0lZsevFR +M/6ljZTxp7bsC+HFzYoaCKv6rikaWzytxk//SOaLKrB4Z9HjAlpBMtyLl2Hk7tcZ +bPpFafNmQ+4KgWNjLXCvt9se8BGrQvGQUrbE6YowbXa2YIgxIVEncFzIECAsp/+N +xbMcZN5/X1PJxKi/N22gP4nn47muN6L3pKez3CXgWnhGYSc7BuD5ALWYH7yMYUem +d4jlXfu5xkBIqirj1arIYC9wmF4ldbLNDPuracc8LmXcSqa5Rpao0s4iVzAD+tkX +vE/73m3rhepwBXxrfk0McXuI9aucf5h4/KkIBzZsaJ6JM1tzlrJzzjaBKJF9OI5T +jA0qTxdGzdPztS8gPaPcMkRFfh9ti0ZDx4VeF3s8sOtmMRHeGEWfxqUAbBUbwFsa +JDu/+8/VO4KijfcuUi8tqJ/JHeosCuGE7TM93LwJu6ZcqMYOPDROE/hsnGm0ZU92 +xedu+07/X1ESHkSFPoaSHD5/DCNa/tXIyJZ8X7gF3eoDP5mSmrJqIqsOBR9WOVYv +dI8i0GHTXbrZj8WXdoS+N8wlyMLLbAS2jvTe7M5RoqbLz4ABOUUnLVoEE0CiccVZ +bW75BPxOfaD0szbinAeX6HDPI7St0MbKrRPjuDXjD0JVkLqFINtZfYLGMLss4tgn +suefr0Bo9ISwG3u5Ag0EVL7VIAEQAOxBxrQesChjrCqKjY5PnSsSYpeb4froucrC +898AFw2DgN/Zz+W7wtSTbtz/GRcCurjzZvN7o2rCuNk0j0+s1sgZZm2BdldlabLy ++UF/kSW1rb5qhfXcGGubu48OMdtSfok9lOc0Q1L4HNlGE4lUBkZzmI7Ykqfl+Bwr +m9rpi54g4ua9PIiiHIAmMoZIcbtOG1KaDr6CoXRk/3g2ZiGUwhq3jFGroiBsKEap 
+2FJ1bh5NJk2Eg8pV7fMOF7hUQKBZrNOtIPu8hA5WEgku3U3VYjRSI3SDi6QXnDL+ +xHxajiWpKtF3JjZh8y/CCTD8PyP34YjfZuFmkdske5cdx6H0V2UCiH453ncgFVdQ +DXkY4n+0MTzhy2xu0IVVnBxYDYNhi+3MjTHJd9C4xMi9t+5IuEvDAPhgfZjDpQak +EPz6hVmgj0mlKIgRilBRK9/kOxky9utBpGk3jEJGru/hKNloFNspoYtY6zATAr8E +cOgoCFQE0nIktcg3wF9+OCEnV28/a7XZwUZ7Gl/qfOHtdr374wo8kd8R3V8d2G9q +5w0/uCV9NNQ0fGWZDPDoYt6wnPL6gZv/nJM8oZY+u0rC24WwScZIniaryC4JHDas +Ahr2S2CtgCvBgslK6f3gD16KHxPZMBpX73TzOYIhMEP/vXgVJbUD6dYht+U9c4Oh +EDJown0dABEBAAGJAjwEGAECACYCGwwWIQS2yPmCgrlE47DVwlMPwwQuNFrQXQUC +Wl36SwUJDwUmqwAKCRAPwwQuNFrQXT1/D/9YpRDNgaJl3YVDtVZoeQwh7BQ6ULZT +eXFPogYkF2j3VWg8s9UmAs4sg/4a+9KLSantXjX+JFsRv0lQe5Gr/Vl8VQ4LKEXB +fiGmSivjIZ7eopdd3YP2w6G5T3SA4d2CQfsg4rnJPnXIjzKNiSOi368ybnt9fL0Y +2r2aqLTmP6Y7issDUO+J1TW1XHm349JPR0Hl4cTuNnWm4JuX2m2CJEc5XBlDAha9 +pUVs+J5C2D0UFFkyeOzeJPwy6x5ApWHm84n8AjhQSpu1qRKxKXdwei6tkQWWMHui ++TgSY/zCkmD9/oY15Ei5avJ4WgIbTLJUoZMi70riPmU8ThjpzA7S+Nk0g7rMPq+X +l1whjKU/u0udlsrIJjzkh6ftqKUmIkbxYTpjhnEujNrEr5m2S6Z6x3y9E5QagBMR +dxRhfk+HbyACcP/p9rXOzl4M291DoKeAAH70GHniGxyNs9rAoMr/hD5XW/Wrz3dc +KMc2s555E6MZILE2ZiolcRn+bYOMPZtWlbx98t8uqMf49gY4FGQBZAwPglMrx7mr +m7HTIiXahThQGOJg6izJDAD5RwSEGlAcL28T8KAuM6CLLkhlBfQwiKsUBNnh9r8w +V3lB+pV0GhL+3i077gTYfZBRwLzjFdhm9xUKEaZ6rN1BX9lzix4eSNK5nln0jUq1 +67H2IH//2sf8dw== +=fTDu +-----END PGP PUBLIC KEY BLOCK----- \ No newline at end of file diff --git a/security/nss/automation/taskcluster/docker-hacl/Dockerfile b/security/nss/automation/taskcluster/docker-hacl/Dockerfile index 50f2be239c87..168be1c41ceb 100644 --- a/security/nss/automation/taskcluster/docker-hacl/Dockerfile +++ b/security/nss/automation/taskcluster/docker-hacl/Dockerfile 
@@ -9,9 +9,10 @@ ENV haclrepo https://github.com/mitls/hacl-star.git # Define versions of dependencies ENV opamv 4.05.0 -ENV haclversion 1da331f9ef30e13269e45ae73bbe4a4bca679ae6 +ENV haclversion 1442c015dab97cdf203ae238b1f3aeccf511bd1e # Install required packages and set versions +ADD B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc ADD setup.sh /tmp/setup.sh RUN bash /tmp/setup.sh diff --git a/security/nss/automation/taskcluster/docker-hacl/setup.sh b/security/nss/automation/taskcluster/docker-hacl/setup.sh index f5f8bd7d5e0a..491342e14208 100644 --- a/security/nss/automation/taskcluster/docker-hacl/setup.sh +++ b/security/nss/automation/taskcluster/docker-hacl/setup.sh @@ -12,9 +12,13 @@ update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-5 200 # Get clang-format-3.9 curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz curl -LO https://releases.llvm.org/3.9.1/clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig -# Verify the signature. -gpg --keyserver pool.sks-keyservers.net --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D -gpg --verify *.tar.xz.sig + +# Verify the signature. The key used for verification was fetched via: +# gpg --keyserver pgp.key-server.io --recv-keys B6C8F98282B944E3B0D5C2530FC3042E345AD05D +# Use a local copy to workaround bug 1565013. +gpg --no-default-keyring --keyring tmp.keyring --import /tmp/B6C8F98282B944E3B0D5C2530FC3042E345AD05D.asc +gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig + # Install into /usr/local/. tar xJvf *.tar.xz -C /usr/local --strip-components=1 # Cleanup. diff --git a/security/nss/automation/taskcluster/graph/src/extend.js b/security/nss/automation/taskcluster/graph/src/extend.js index d7bd3f547ca8..890a00fd45e7 100644 --- a/security/nss/automation/taskcluster/graph/src/extend.js +++ b/security/nss/automation/taskcluster/graph/src/extend.js 
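Review bot: The new `--verify` line in setup.sh passes only the `.sig` file, so gpg infers which file was signed, while the `tar xJvf *.tar.xz` context line below still picks its input by glob. Naming the data file explicitly ties the check to the archive that is unpacked: `gpg --no-default-keyring --keyring tmp.keyring --verify clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz.sig clang+llvm-3.9.1-x86_64-linux-gnu-ubuntu-16.04.tar.xz`, and the tar line can use the same file name. The top of the script is outside the hunk, so confirm that a failed verify aborts the image build (for example through `set -e`). Because the checked-in `.asc` file is now the trust anchor, the comment could also say that changes to that file need the same scrutiny as the fingerprint did before.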
@@ -127,6 +127,10 @@ queue.map(task => { task.env = {}; } task.env.NSS_SSL_TESTS = "crl iopr policy"; + + if (task.platform == "mac") { + task.maxRunTime = 7200; + } } // Windows is slow. @@ -135,6 +139,9 @@ queue.map(task => { task.maxRunTime = 7200; } + if (task.platform == "mac" && task.tests == "tools") { + task.maxRunTime = 7200; + } return task; }); diff --git a/security/nss/build.sh b/security/nss/build.sh index 0b6fec83aa38..6ac6eba8ba31 100755 --- a/security/nss/build.sh +++ b/security/nss/build.sh @@ -13,14 +13,16 @@ set -e cwd=$(cd $(dirname $0); pwd -P) -source "$cwd"/coreconf/nspr.sh -source "$cwd"/coreconf/sanitizers.sh +dist_dir="$cwd/../dist" +argsfile="$dist_dir/build_args" +source "$cwd/coreconf/nspr.sh" +source "$cwd/coreconf/sanitizers.sh" GYP=${GYP:-gyp} # Usage info show_help() { - cat "$cwd"/help.txt + cat "$cwd/help.txt" } run_verbose() @@ -35,6 +37,14 @@ run_verbose() exec 3>&- } +# The prehistoric bash on Mac doesn't support @Q quoting. +# The consequences aren't that serious, unless there are odd arrangements of spaces. +if /usr/bin/env bash -c 'x=1;echo "${x@Q}"' >/dev/null 2>&1; then + Q() { echo "${@@Q}"; } +else + Q() { echo "$@"; } +fi + if [ -n "$CCC" ] && [ -z "$CXX" ]; then export CXX="$CCC" fi @@ -56,7 +66,7 @@ gyp_params=(--depth="$cwd" --generator-output=".") ninja_params=() # Assume that the target architecture is the same as the host by default. -host_arch=$(python "$cwd"/coreconf/detect_host_arch.py) +host_arch=$(python "$cwd/coreconf/detect_host_arch.py") target_arch=$host_arch # Assume that MSVC is wanted if this is running on windows. 
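Review bot: Both extend.js hunks raise `task.maxRunTime` to `7200` for mac tasks without saying why, whereas the neighbouring Windows case has the comment `// Windows is slow.`. A short comment above each new `if`, stating which mac suites need the longer limit and why, would keep the next reader from treating them as leftovers. The literal `7200` now appears in at least three places in the visible lines; a named constant would keep them in step. If the rest of the file uses strict comparison (it is outside the hunk), `task.platform === "mac" && task.tests === "tools"` would match it. The enclosing `queue.map` callback and the `if` block that the first addition sits in both start outside the hunks.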
@@ -66,8 +76,17 @@ if [ "${platform%-*}" = "MINGW32_NT" -o "${platform%-*}" = "MINGW64_NT" ]; then fi # Parse command line arguments. +all_args=("$@") while [ $# -gt 0 ]; do case "$1" in + --rebuild) + if [[ ! -e "$argsfile" ]]; then + echo "Unable to rebuild" 1>&2 + exit 2 + fi + IFS=$'\r\n' GLOBIGNORE='*' command eval 'previous_args=($(<"$argsfile"))' + exec /usr/bin/env bash -c "$(Q "$0")"' "$@"' "$0" "${previous_args[@]}" + ;; -c) clean=1 ;; -cc) clean_only=1 ;; -v) ninja_params+=(-v); verbose=1 ;; @@ -105,7 +124,7 @@ while [ $# -gt 0 ]; do --enable-libpkix) gyp_params+=(-Ddisable_libpkix=0) ;; --mozpkix-only) gyp_params+=(-Dmozpkix_only=1 -Ddisable_tests=1 -Dsign_libs=0) ;; --disable-keylog) sslkeylogfile=0 ;; - -D*) gyp_params+=("$1") ;; + -D*) gyp_params+=("$1") ;; *) show_help; exit 2 ;; esac shift @@ -123,7 +142,7 @@ gyp_params+=(-Denable_sslkeylogfile="$sslkeylogfile") # Do special setup. if [ "$fuzz" = 1 ]; then - source "$cwd"/coreconf/fuzz.sh + source "$cwd/coreconf/fuzz.sh" fi nspr_set_flags $sanitizer_flags if [ ! -z "$sanitizer_flags" ]; then @@ -131,20 +150,13 @@ if [ ! -z "$sanitizer_flags" ]; then fi if [ "$msvc" = 1 ]; then - source "$cwd"/coreconf/msvc.sh + source "$cwd/coreconf/msvc.sh" fi -# Setup build paths. -target_dir="$cwd"/out/$target -mkdir -p "$target_dir" -dist_dir="$cwd"/../dist -dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P) -gyp_params+=(-Dnss_dist_dir="$dist_dir") - # -c = clean first if [ "$clean" = 1 -o "$clean_only" = 1 ]; then nspr_clean - rm -rf "$cwd"/out + rm -rf "$cwd/out" rm -rf "$dist_dir" # -cc = only clean, don't build if [ "$clean_only" = 1 ]; then 
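Review bot: The `--rebuild` branch in build.sh re-executes the script through a `bash -c` command string built from `$(Q "$0")`, and on a bash without `@Q` the fallback `Q() { echo "$@"; }` from the earlier hunk returns the path unquoted. In that case a checkout path containing spaces or shell metacharacters is re-parsed by the shell. No command string is needed, since `exec "$0" "${previous_args[@]}"` passes the path and the saved arguments as separate words on every bash version. The args file stores one argument per line, so an argument containing a newline will not round-trip; a comment next to the `IFS=$'\r\n'` line should say so.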
@@ -153,6 +165,12 @@ if [ "$clean" = 1 -o "$clean_only" = 1 ]; then fi fi +# Setup build paths. +target_dir="$cwd/out/$target" +mkdir -p "$target_dir" +dist_dir=$(mkdir -p "$dist_dir"; cd "$dist_dir"; pwd -P) +gyp_params+=(-Dnss_dist_dir="$dist_dir") + # This saves a canonical representation of arguments that we are passing to gyp # or the NSPR build so that we can work out if a rebuild is needed. # Caveat: This can fail for arguments that are position-dependent. 
@@ -162,66 +180,67 @@ check_config() local newconf="$1".new oldconf="$1" shift mkdir -p $(dirname "$newconf") - echo CC="$CC" >"$newconf" - echo CCC="$CCC" >>"$newconf" - echo CXX="$CXX" >>"$newconf" - echo target_arch="$target_arch" >>"$newconf" - for i in "$@"; do echo $i; done | sort >>"$newconf" + echo CC="$(Q "$CC")" >"$newconf" + echo CCC="$(Q "$CCC")" >>"$newconf" + echo CXX="$(Q "$CXX")" >>"$newconf" + echo target_arch="$(Q "$target_arch")" >>"$newconf" + for i in "$@"; do echo "$i"; done | sort >>"$newconf" # Note: The following diff fails if $oldconf isn't there as well, which # happens if we don't have a previous successful build. ! diff -q "$newconf" "$oldconf" >/dev/null 2>&1 } -gyp_config="$cwd"/out/gyp_config -nspr_config="$cwd"/out/$target/nspr_config +gyp_config="$cwd/out/gyp_config" +nspr_config="$cwd/out/$target/nspr_config" # Now check what needs to be rebuilt. # If we don't have a build directory make sure that we rebuild. if [ ! -d "$target_dir" ]; then rebuild_nspr=1 rebuild_gyp=1 -elif [ ! -d "$dist_dir"/$target ]; then +elif [ ! -d "$dist_dir/$target" ]; then rebuild_nspr=1 fi if check_config "$nspr_config" \ - nspr_cflags="$nspr_cflags" \ - nspr_cxxflags="$nspr_cxxflags" \ - nspr_ldflags="$nspr_ldflags"; then + nspr_cflags="$(Q "$nspr_cflags")" \ + nspr_cxxflags="$(Q "$nspr_cxxflags")" \ + nspr_ldflags="$(Q "$nspr_ldflags")"; then rebuild_nspr=1 fi -if check_config "$gyp_config" "${gyp_params[@]}"; then +if check_config "$gyp_config" "$(Q "${gyp_params[@]}")"; then rebuild_gyp=1 fi # Save the chosen target. -mkdir -p "$dist_dir" -echo $target > "$dist_dir"/latest +echo "$target" > "$dist_dir/latest" +for i in "${all_args[@]}"; do echo "$i"; done > "$argsfile" # Build. # NSPR. if [[ "$rebuild_nspr" = 1 && "$no_local_nspr" = 0 ]]; then + nspr_clean nspr_build - mv -f "$nspr_config".new "$nspr_config" + mv -f "$nspr_config.new" "$nspr_config" fi # gyp. if [ "$rebuild_gyp" = 1 ]; then - if ! 
hash ${GYP} 2> /dev/null; then - echo "Please install gyp" 1>&2 - exit 1 + if ! hash "$GYP" 2> /dev/null; then + echo "Building NSS requires an installation of gyp: https://gyp.gsrc.io/" 1>&2 + exit 3 fi # These extra arguments aren't used in determining whether to rebuild. - obj_dir="$dist_dir"/$target - gyp_params+=(-Dnss_dist_obj_dir=$obj_dir) + obj_dir="$dist_dir/$target" + gyp_params+=(-Dnss_dist_obj_dir="$obj_dir") if [ "$no_local_nspr" = 0 ]; then set_nspr_path "$obj_dir/include/nspr:$obj_dir/lib" fi - run_verbose run_scanbuild ${GYP} -f ninja "${gyp_params[@]}" "$cwd"/nss.gyp + run_verbose run_scanbuild ${GYP} -f ninja "${gyp_params[@]}" "$cwd/nss.gyp" - mv -f "$gyp_config".new "$gyp_config" + mv -f "$gyp_config.new" "$gyp_config" fi # ninja. @@ -230,7 +249,7 @@ if hash ninja-build 2>/dev/null; then elif hash ninja 2>/dev/null; then ninja=ninja else - echo "Please install ninja" 1>&2 - exit 1 + echo "Building NSS requires an installation of ninja: https://ninja-build.org/" 1>&2 + exit 3 fi -run_scanbuild $ninja -C "$target_dir" "${ninja_params[@]}" +run_scanbuild "$ninja" -C "$target_dir" "${ninja_params[@]}" diff --git a/security/nss/cmd/httpserv/httpserv.c b/security/nss/cmd/httpserv/httpserv.c index 71e2ab88d989..c7277f3bd774 100644 --- a/security/nss/cmd/httpserv/httpserv.c +++ b/security/nss/cmd/httpserv/httpserv.c @@ -463,7 +463,7 @@ handle_connection( char *getData = NULL; /* inplace conversion */ SECItem postData; PRBool isOcspRequest = PR_FALSE; - PRBool isPost; + PRBool isPost = PR_FALSE; postData.data = NULL; postData.len = 0; diff --git a/security/nss/cmd/tstclnt/tstclnt.c b/security/nss/cmd/tstclnt/tstclnt.c index 12c6df045035..bb626d903694 100644 --- a/security/nss/cmd/tstclnt/tstclnt.c +++ b/security/nss/cmd/tstclnt/tstclnt.c @@ -924,7 +924,7 @@ restartHandshakeAfterServerCertIfNeeded(PRFileDesc *fd, PRBool override) { SECStatus rv; - PRErrorCode error; + PRErrorCode error = 0; if (!serverCertAuth->isPaused) return SECSuccess; 
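Review bot: `check_config "$gyp_config" "$(Q "${gyp_params[@]}")"` now hands check_config a single space-joined string, so its `for i in "$@"; do echo "$i"; done | sort` loop emits one line and the sort no longer normalises argument order. The same gyp options in a different order will therefore compare as a changed configuration and force gyp to be regenerated. If that is intended, the "canonical representation" comment above check_config should be updated; otherwise quote each element separately before sorting. In the same hunk `hash "$GYP"` is quoted but the invocation is not, so for consistency use `run_verbose run_scanbuild "$GYP" -f ninja "${gyp_params[@]}" "$cwd/nss.gyp"`.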
diff --git a/security/nss/coreconf/UNIX.mk b/security/nss/coreconf/UNIX.mk index b448e7553f7b..8f6042eeec13 100644 --- a/security/nss/coreconf/UNIX.mk +++ b/security/nss/coreconf/UNIX.mk @@ -14,9 +14,7 @@ ifdef BUILD_OPT DEFINES += -UDEBUG -DNDEBUG else OPTIMIZER += -g - USERNAME := $(shell whoami) - USERNAME := $(subst -,_,$(USERNAME)) - DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME) + DEFINES += -DDEBUG -UNDEBUG endif ifdef BUILD_TREE diff --git a/security/nss/coreconf/WIN32.mk b/security/nss/coreconf/WIN32.mk index be795f0ce6d3..634a7a4584d6 100644 --- a/security/nss/coreconf/WIN32.mk +++ b/security/nss/coreconf/WIN32.mk @@ -116,11 +116,7 @@ ifdef NS_USE_GCC DEFINES += -UDEBUG -DNDEBUG else OPTIMIZER += -g - NULLSTRING := - SPACE := $(NULLSTRING) # end of the line - USERNAME := $(subst $(SPACE),_,$(USERNAME)) - USERNAME := $(subst -,_,$(USERNAME)) - DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME) + DEFINES += -DDEBUG -UNDEBUG endif else # !NS_USE_GCC WARNING_CFLAGS = -W3 -nologo -D_CRT_SECURE_NO_WARNINGS \ @@ -179,10 +175,7 @@ else # !NS_USE_GCC else OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od NULLSTRING := - SPACE := $(NULLSTRING) # end of the line - USERNAME := $(subst $(SPACE),_,$(USERNAME)) - USERNAME := $(subst -,_,$(USERNAME)) - DEFINES += -DDEBUG -UNDEBUG -DDEBUG_$(USERNAME) + DEFINES += -DDEBUG -UNDEBUG DLLFLAGS += -DEBUG -OUT:$@ LDFLAGS += -DEBUG ifeq ($(_MSC_VER),$(_MSC_VER_6)) diff --git a/security/nss/coreconf/coreconf.dep b/security/nss/coreconf/coreconf.dep index 590d1bfaeee3..5182f75552c8 100644 --- a/security/nss/coreconf/coreconf.dep +++ b/security/nss/coreconf/coreconf.dep @@ -10,4 +10,3 @@ */ #error "Do not include this header file." - diff --git a/security/nss/help.txt b/security/nss/help.txt index 33e2c945d625..3e4bf43c8ab0 100644 --- a/security/nss/help.txt +++ b/security/nss/help.txt 
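Review bot: In the second WIN32.mk hunk (the `!NS_USE_GCC` debug branch) `NULLSTRING :=` survives as a context line although the `SPACE` and `USERNAME` lines that consumed it are removed. The first WIN32.mk hunk deletes `NULLSTRING :=` together with them. If nothing else in the file references the variable (the rest of WIN32.mk is outside the hunk), remove it here as well, so that `OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od` is followed directly by `DEFINES += -DDEBUG -UNDEBUG`.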
@@ -7,6 +7,7 @@ Usage: build.sh [-h] [-c|-cc] [-v] [-j ] [--gyp|-g] [--opt|-o] [--nspr|--with-nspr=:|--system-nspr] [--system-sqlite] [--enable-fips] [--enable-libpkix] [--mozpkix-only] [-D] + [--rebuild] This script builds NSS with gyp and ninja. @@ -54,3 +55,5 @@ NSS build tool options: --disable-keylog disable support for logging key data to a file specified by the SSLKEYLOGFILE environment variable -D pass an option directly to gyp + --rebuild build again using the last set of options provided + (all other arguments are ignored if --rebuild is used) diff --git a/security/nss/lib/freebl/Makefile b/security/nss/lib/freebl/Makefile index d5208719ff8a..d5dd4bb8377a 100644 --- a/security/nss/lib/freebl/Makefile +++ b/security/nss/lib/freebl/Makefile @@ -498,7 +498,7 @@ endif # target == SunO ifdef USE_64 # no __int128 at least up to lcc 1.23 (pretending to be gcc5) # NB: CC_NAME is not defined here -ifneq ($(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'),lcc) +ifneq ($(shell $(CC) -? 2>&1 >/dev/null (reinterpret_cast(RANDOM_NUMBER)), + sizeof(RANDOM_NUMBER)) != SECSuccess) { break; } } diff --git a/security/nss/lib/softoken/legacydb/lgattr.c b/security/nss/lib/softoken/legacydb/lgattr.c index 3d77bd05627c..c1865a38e019 100644 --- a/security/nss/lib/softoken/legacydb/lgattr.c +++ b/security/nss/lib/softoken/legacydb/lgattr.c @@ -1069,7 +1069,7 @@ lg_FindTrustAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type, NSSLOWCERTCertificate *cert; unsigned char hash[SHA1_LENGTH]; unsigned int trustFlags; - CK_RV crv; + CK_RV crv = CKR_CANCEL; switch (type) { case CKA_PRIVATE: diff --git a/security/nss/lib/ssl/tls13esni.c b/security/nss/lib/ssl/tls13esni.c index 9b635a9cfe0c..4d2e12d62f10 100644 --- a/security/nss/lib/ssl/tls13esni.c +++ b/security/nss/lib/ssl/tls13esni.c 
@@ -580,7 +580,7 @@ tls13_ClientSetupESNI(sslSocket *ss) size_t i; PRCList *cur; SECStatus rv; - TLS13KeyShareEntry *share; + TLS13KeyShareEntry *share = NULL; const sslNamedGroupDef *group = NULL; PRTime now = PR_Now() / PR_USEC_PER_SEC; diff --git a/security/nss/tests/common/certsetup.sh b/security/nss/tests/common/certsetup.sh index 32c6bc235aa0..7169dea8eb34 100644 --- a/security/nss/tests/common/certsetup.sh +++ b/security/nss/tests/common/certsetup.sh @@ -55,9 +55,11 @@ make_cert() { msg="create certificate: $@" shift 2 counter=$(($counter + 1)) - certscript $@ | ${BINDIR}/certutil -S \ + cmd=(${BINDIR}/certutil -S \ -z "$R_NOISE_FILE" -d "$PROFILEDIR" \ -n $name -s "CN=$name" -t "$trust" "${sign[@]}" -m "$counter" \ - -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2 + -w -2 -v 120 -k "$type" "${type_args[@]}" "${sighash[@]}" -1 -2) + echo "${cmd[@]}" + certscript $@ | "${cmd[@]}" html_msg $? 0 "$msg" } diff --git a/taskcluster/ci/geckodriver-repack/kind.yml b/taskcluster/ci/geckodriver-repack/kind.yml index 329d0bf1f6f2..403d451faa98 100644 --- a/taskcluster/ci/geckodriver-repack/kind.yml +++ b/taskcluster/ci/geckodriver-repack/kind.yml @@ -28,7 +28,6 @@ job-defaults: chain-of-trust: true run: using: run-task - checkout: false jobs: linux-nightly/opt:
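Review bot: In the certsetup.sh hunk the new `cmd` array is built with `${BINDIR}/certutil` and `-n $name` unquoted, so word splitting and globbing still apply to both values before they enter the array. Quote them as the neighbouring arguments already are: `cmd=("${BINDIR}/certutil" -S \` and `-n "$name" -s "CN=$name" -t "$trust" ...`. The added `echo "${cmd[@]}"` prints the arguments space-joined, so the logged line is ambiguous when an argument contains spaces; `printf '%q ' "${cmd[@]}"; echo` would log a line that can be pasted back into a shell. make_cert begins outside the hunk.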