by logn 4131 days ago
There's a directory with maybe 30+ exe's in this repo. So it's a black box to some extent but it looks like they're known browser utilities so presumably someone could verify them.

https://github.com/lenovo-inc/superfishremoval/tree/master/S...

1 comment

While the NSS suite is fairly standard, I downloaded both pre-built Windows binaries from here:

ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_4_RTM/msvc9/

However, the SHA256 hashes do not match those of the provided Lenovo binaries. The Lenovo binaries are also bigger than either build provided by Mozilla.

However, this does NOT mean there is something wrong; Lenovo may have just compiled them using a different compiler/compiler options/library versions. It is actually common for two people compiling the same source to get different binaries (see, for example, the TrueCrypt issue where TrueCrypt's pre-built binaries were hard to reproduce because the library versions were so specific).

Lenovo may also have supplied the wrong Readme file (that's where I get the version number from).

If you're paranoid, delete them from the Lenovo package, and download them from Mozilla.
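
The comparison described in the comment above, as an added example that is not part of the original thread: it pairs each file in a vendor directory with a same-named file from a reference download and reports SHA-256 matches, mismatches with the size difference, and files that have no reference counterpart. The function names, file names and sample bytes are assumptions constructed for the example, not real NSS or Lenovo files.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries are not loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_dirs(vendor_dir, reference_dir):
    """Classify each vendor file as 'match', 'mismatch' or 'no-reference'.

    Files are paired by lower-cased name because Windows file names are
    case-insensitive. Returns {name: (status, size_delta_in_bytes_or_None)}.
    """
    refs = {p.name.lower(): p for p in Path(reference_dir).iterdir() if p.is_file()}
    report = {}
    for v in sorted(Path(vendor_dir).iterdir()):
        if not v.is_file():
            continue
        r = refs.get(v.name.lower())
        if r is None:
            report[v.name] = ("no-reference", None)
        elif sha256_file(v) == sha256_file(r):
            report[v.name] = ("match", 0)
        else:
            # A mismatch alone does not prove tampering (a different compiler,
            # options or library versions also change the bytes); the size
            # delta is recorded as a starting point for further review.
            report[v.name] = ("mismatch", v.stat().st_size - r.stat().st_size)
    return report

def demo():
    """Run the comparison on constructed sample files (hypothetical names)."""
    with tempfile.TemporaryDirectory() as vd, tempfile.TemporaryDirectory() as rd:
        Path(vd, "tool.exe").write_bytes(b"MZ" + b"A" * 120)  # vendor copy, larger
        Path(rd, "Tool.exe").write_bytes(b"MZ" + b"A" * 100)  # reference copy
        Path(vd, "lib.dll").write_bytes(b"MZ same bytes")
        Path(rd, "lib.dll").write_bytes(b"MZ same bytes")
        Path(vd, "extra.exe").write_bytes(b"MZ unknown")      # no reference build
        return compare_dirs(vd, rd)

if __name__ == "__main__":
    for name, (status, delta) in demo().items():
        print(f"{name:12} {status:13} size delta: {delta}")
```

Files reported as `no-reference` are the ones a hash comparison cannot say anything about, so they need a separate source of trust.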