Update to 140.5.0 build 2

- Add mlkem768-secp256r1 support
- Fix ML-DSA support
- Update the upstream patch and rework the ML-DSA patch, adapting it to the
system NSS to avoid possible breakage in case of a future NSS rebase.
- Fix for massive file size of x86_64 rpm in rhel-7.9

Resolves: RHEL-126383
Jan Grulich 2025-10-17 13:57:33 +02:00 committed by Jan Horak
parent 73440b1bde
commit 24b95b00a4
7 changed files with 291 additions and 96 deletions

3
.gitignore vendored

@ -398,3 +398,6 @@
/firefox-140.4.0esr.processed-source.tar.xz
/firefox-langpacks-140.4.0esr-20251008.tar.xz
/firefox-langpacks-140.4.0esr-20251010.tar.xz
/firefox-140.5.0esr.processed-source.tar.xz
/firefox-langpacks-140.5.0esr-20251106.tar.xz
/firefox-langpacks-140.5.0esr-20251107.tar.xz


@ -1,8 +1,37 @@
diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
index 31aa1ddd67..6eb367eae4 100644
index 31aa1ddd67..93ab402bfd 100644
--- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
+++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
@@ -323,13 +323,21 @@ VerifyMLDSASignedDataNSS(Input data,
@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
return Success;
}
+static SECOidTag
+findOIDByName(const char *cipherString)
+{
+ SECOidTag tag;
+ SECOidData *oid;
+
+ for (int i = 1; ; i++) {
+ SECOidTag tag = static_cast<SECOidTag>(i);
+ oid = SECOID_FindOIDByTag(tag);
+
+ if (oid == NULL) {
+ break;
+ }
+
+ if (strcasecmp(oid->desc, cipherString) == 0) {
+ return tag;
+ }
+ }
+
+ return SEC_OID_UNKNOWN;
+}
+
Result
VerifyMLDSASignedDataNSS(Input data,
Input signature,
@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
SECItem dataItem(UnsafeMapInputToSECItem(data));
CK_MECHANISM_TYPE mechanism;
@ -10,22 +39,21 @@ index 31aa1ddd67..6eb367eae4 100644
- case SEC_OID_ML_DSA_44:
- case SEC_OID_ML_DSA_65:
- case SEC_OID_ML_DSA_87:
+ switch (SEC_GetSignatureAlgorithmOidTag(pubk->keyType, pubk->u.mldsa.params)) {
+ case CKP_ML_DSA_44:
+ hashPolicyTag = SEC_OID_UNKNOWN;
+ mechanism = CKM_ML_DSA;
+ signaturePolicyTag = SEC_OID_PRIVATE_3;
+ break;
+ case CKP_ML_DSA_65:
+ hashPolicyTag = SEC_OID_UNKNOWN;
mechanism = CKM_ML_DSA;
- mechanism = CKM_ML_DSA;
- signaturePolicyTag = pubk->u.mldsa.paramSet;
+ signaturePolicyTag = SEC_OID_PRIVATE_4;
+ break;
+ case CKP_ML_DSA_87:
hashPolicyTag = SEC_OID_UNKNOWN;
+ mechanism = CKM_ML_DSA;
+ signaturePolicyTag = SEC_OID_PRIVATE_5;
break;
default:
return Result::ERROR_UNSUPPORTED_KEYALG;
- hashPolicyTag = SEC_OID_UNKNOWN;
- break;
- default:
- return Result::ERROR_UNSUPPORTED_KEYALG;
- break;
+ if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
+ pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
+ pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
+ hashPolicyTag = SEC_OID_UNKNOWN;
+ mechanism = CKM_ML_DSA;
+ signaturePolicyTag = pubk->u.mldsa.params;
+ } else {
+ return Result::ERROR_UNSUPPORTED_KEYALG;
}
SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
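Review bot: The check `pubk->u.mldsa.params == findOIDByName("ML-DSA-44") || …` also succeeds when both sides are `SEC_OID_UNKNOWN`, which is what `findOIDByName` returns when the system NSS has no entry with that description; `signaturePolicyTag` then becomes `SEC_OID_UNKNOWN` and the key is treated as supported instead of yielding `ERROR_UNSUPPORTED_KEYALG`. Whether `params` can be unknown at this point depends on code outside the hunk, but rejecting it first is cheap: `if (pubk->u.mldsa.params == SEC_OID_UNKNOWN) return Result::ERROR_UNSUPPORTED_KEYALG;`. Inside `findOIDByName` the outer `SECOidTag tag;` is never used because the loop declares its own, and `oid->desc` is passed to `strcasecmp` without a null check. The helper also walks the OID table up to three times on every verification, so resolving the three tags once (for example into function-local statics) would be preferable. This assumes the `findOIDByName` variant is the new side of the patch, which the rendered page does not mark explicitly; `VerifyMLDSASignedDataNSS` continues outside the hunk.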

File diff suppressed because one or more lines are too long


@ -1,26 +1,24 @@
diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
index cc77864..1e978ef 100644
index cc778640a1..298d6a61e8 100644
--- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
+++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
@@ -53,6 +53,11 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual mozilla::pkix::Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+
virtual mozilla::pkix::Result DigestBuf(
mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
@@ -151,6 +156,15 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
}
+mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) {
+ MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
+
@ -31,27 +29,46 @@ index cc77864..1e978ef 100644
mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf, size_t digestBufLen) {
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
index ca33077..cb96f58 100644
index ca330770fb..1e8f1d4996 100644
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -1048,10 +1048,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
@@ -7,6 +7,7 @@
#include "CertVerifier.h"
#include <stdint.h>
+#include <optional>
#include "AppTrustDomain.h"
#include "CTKnownLogs.h"
@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
void HashSignatureParams(pkix::Input data, pkix::Input signature,
pkix::Input subjectPublicKeyInfo,
pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
- pkix::DigestAlgorithm digestAlgorithm,
+ std::optional<pkix::DigestAlgorithm> digestAlgorithm,
/*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
sha512Hash.reset();
Digest digest;
@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
sizeof(publicKeyAlgorithm)))) {
return;
}
- if (NS_FAILED(
+ // Digest algorithm is expected to be null since ML-DSA is not an hash and
+ // sign algorithm. Skip digestAlgorithm for ML-DSA.
+ if (publicKeyAlgorithm != der::PublicKeyAlgorithm::MLDSA) {
+ if (NS_FAILED(
digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
sizeof(digestAlgorithm)))) {
- digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
- sizeof(digestAlgorithm)))) {
- return;
+ // There is no fallback digest algorithm when it's empty.
+ // Check that digestAlgorithm actually contains a value.
+ if (digestAlgorithm) {
+ pkix::DigestAlgorithm value = digestAlgorithm.value();
+ if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
+ sizeof(value)))) {
+ return;
+ }
}
nsTArray<uint8_t> result;
if (NS_FAILED(digest.End(result))) {
@@ -1064,12 +1068,19 @@ Result VerifySignedDataWithCache(
@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
der::PublicKeyAlgorithm publicKeyAlg,
mozilla::glean::impl::DenominatorMetric telemetryDenominator,
mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
@ -68,34 +85,31 @@ index ca33077..cb96f58 100644
+ }
+
HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
- digestAlgorithm, sha512Hash);
+ digestAlgorithm.value_or(pkix::DigestAlgorithm::sha512), sha512Hash);
digestAlgorithm, sha512Hash);
// If hashing the signature parameters succeeded, see if this signature is in
// the signature cache.
if (sha512Hash.isSome() &&
@@ -1080,16 +1091,23 @@ Result VerifySignedDataWithCache(
@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
Result result;
switch (publicKeyAlg) {
case der::PublicKeyAlgorithm::ECDSA:
- result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyECDSASignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
break;
case der::PublicKeyAlgorithm::RSA_PKCS1:
- result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
break;
case der::PublicKeyAlgorithm::RSA_PSS:
- result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
- subjectPublicKeyInfo, pinArg);
+ result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(),
+ signature, subjectPublicKeyInfo,
+ pinArg);
+ result =
+ VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
+ subjectPublicKeyInfo, pinArg);
+ break;
+ case der::PublicKeyAlgorithm::MLDSA:
+ result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
@ -104,58 +118,56 @@ index ca33077..cb96f58 100644
default:
MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
index 6432547..f9a0365 100644
index 6432547c8a..6e09e6fcdd 100644
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -331,7 +331,7 @@ mozilla::pkix::Result VerifySignedDataWithCache(
@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
mozilla::glean::impl::DenominatorMetric telemetryDenominator,
mozilla::glean::impl::NumeratorMetric telemetryNumerator,
- mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
+ mozilla::pkix::Input data, std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
+ mozilla::pkix::Input data,
+ std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
SignatureCache* signatureCache, void* pinArg);
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index 77c17c1..741892f 100644
index 70ba17d70f..a3ace3cee7 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -1541,6 +1541,17 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
}
+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data,
+ Input signature,
+ Input subjectPublicKeyInfo)
+{
+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifySignedDataWithCache(
+ der::PublicKeyAlgorithm::MLDSA,
+ mozilla::glean::cert_signature_cache::total,
+ mozilla::glean::cert_signature_cache::hits, data, std::nullopt,
+ signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
+ mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
+ subjectPublicKeyInfo, mSignatureCache, mPinArg);
+}
+
Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
KeyPurposeId keyPurpose) {
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index fc210f3..8d17a4f 100644
index fc210f3254..6178201758 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -197,6 +197,11 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
mozilla::pkix::Input signature,
mozilla::pkix::Input subjectPublicKeyInfo) override;
+ virtual Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
+
virtual Result DigestBuf(mozilla::pkix::Input item,
mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
index d5e665a..4712137 100644
index d5e665aaca..471213745d 100644
--- a/security/ct/CTLogVerifier.cpp
+++ b/security/ct/CTLogVerifier.cpp
@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
@ -170,19 +182,16 @@ index d5e665a..4712137 100644
KeyPurposeId) override {
return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
index 6a25307..03d19f7 100644
index 6a25307ec3..dbec7adc91 100644
--- a/security/ct/tests/gtest/CTTestUtils.cpp
+++ b/security/ct/tests/gtest/CTTestUtils.cpp
@@ -807,6 +807,15 @@ class OCSPExtensionTrustDomain : public TrustDomain {
@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
subjectPublicKeyInfo, nullptr);
}
+ pkix::Result VerifyMLDSASignedData(Input data,
+ Input signature,
+ pkix::Result VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) override {
+ return VerifyMLDSASignedDataNSS(data,
+ signature,
+ subjectPublicKeyInfo,
+ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
+ nullptr);
+ }
+
@ -190,20 +199,16 @@ index 6a25307..03d19f7 100644
KeyPurposeId) override {
ADD_FAILURE();
diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
index ab49d7e..36e7e19 100644
index ab49d7eb1f..3963f90eb1 100644
--- a/security/manager/ssl/AppTrustDomain.cpp
+++ b/security/manager/ssl/AppTrustDomain.cpp
@@ -322,6 +322,16 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
subjectPublicKeyInfo, nullptr);
}
+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data,
+ Input signature,
+ Input subjectPublicKeyInfo)
+{
+ return VerifyMLDSASignedDataNSS(data,
+ signature,
+ subjectPublicKeyInfo,
+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+ Input subjectPublicKeyInfo) {
+ return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
+ nullptr);
+}
+
@ -211,31 +216,29 @@ index ab49d7e..36e7e19 100644
Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
KeyPurposeId /*keyPurpose*/) {
diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
index 4b0212e..083d5fb 100644
index 4b0212ede0..85fdff5f13 100644
--- a/security/manager/ssl/AppTrustDomain.h
+++ b/security/manager/ssl/AppTrustDomain.h
@@ -80,6 +80,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
mozilla::pkix::DigestAlgorithm digestAlg,
/*out*/ uint8_t* digestBuf,
size_t digestBufLen) override;
+ virtual Result VerifyMLDSASignedData(
+ mozilla::pkix::Input data,
+ mozilla::pkix::Input signature,
+ mozilla::pkix::Input data, mozilla::pkix::Input signature,
+ mozilla::pkix::Input subjectPublicKeyInfo) override;
private:
nsTArray<Span<const uint8_t>> mTrustedRoots;
diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
index 3a84b15..8450076 100644
index 3a84b15ee6..a3dc5a1af1 100644
--- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
+++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
@@ -217,6 +217,12 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
pkix::Input subjectPublicKeyInfo) override {
return pkix::Success;
}
+ virtual mozilla::pkix::Result VerifyMLDSASignedData(
+ pkix::Input data,
+ pkix::Input signature,
+ pkix::Input data, pkix::Input signature,
+ pkix::Input subjectPublicKeyInfo) override {
+ return pkix::Success;
+ }
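Review bot: `HashSignatureParams` now feeds no bytes at all for the digest algorithm when `digestAlgorithm` is empty, so the signature-cache key for ML-DSA is kept apart from the other algorithms only by the `publicKeyAlgorithm` value hashed just before it. That invariant should be stated at the `if (digestAlgorithm)` branch, for example `// Empty only for ML-DSA; cache-key separation relies on publicKeyAlgorithm hashed above.` In `VerifySignedDataWithCache` the ECDSA, RSA_PKCS1 and RSA_PSS cases call `digestAlgorithm.value()` unconditionally. The lines added at the top of that hunk are not shown on this page, so if they do not already reject an empty optional for those algorithms, a guard returning an error belongs there. Both functions extend beyond the visible hunks.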


@ -12,6 +12,22 @@
%global run_firefox_tests 0
%endif
%ifarch x86_64
%if 0%{?rhel} == 7
# Disable debuginfo package and strip all binaries to avoid 4GB cpio limit
%define _binary_payload w19T16.xzdio
%global debug_package %{nil}
%define _enable_debug_packages 0
%define __spec_install_post \
%{__arch_install_post} \
%{__os_install_post} \
find %{buildroot}%{mozappdir} -type f -name "*.so" -exec eu-strip --strip-debug {} \\; 2>/dev/null || find %{buildroot}%{mozappdir} -type f -name "*.so" -exec strip --strip-debug {} \\; \
eu-strip --strip-all %{buildroot}%{mozappdir}/firefox-bin 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox-bin || : \
eu-strip --strip-all %{buildroot}%{mozappdir}/firefox 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/firefox || : \
eu-strip --strip-all %{buildroot}%{mozappdir}/plugin-container 2>/dev/null || strip --strip-all %{buildroot}%{mozappdir}/plugin-container || :
%endif
%endif
# wasi_sdk is for sandboxing third party c/c++ libs by using rlbox, exclude s390x on the f39.
%global with_wasi_sdk 0
@ -175,8 +191,8 @@ end}
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 140.4.0
Release: 3%{?dist}
Version: 140.5.0
Release: 1%{?dist}
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
@ -206,7 +222,7 @@ ExcludeArch: aarch64 s390 ppc
# Link to original tarball: https://archive.mozilla.org/pub/firefox/releases/%%{version}%%{?pre_version}/source/firefox-%%{version}%%{?pre_version}.source.tar.xz
Source0: firefox-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
%if %{with langpacks}
Source1: firefox-langpacks-%{version}%{?pre_version}-20251010.tar.xz
Source1: firefox-langpacks-%{version}%{?pre_version}-20251107.tar.xz
%endif
Source2: cbindgen-vendor.tar.xz
Source3: process-official-tarball
@ -291,6 +307,8 @@ Patch122: firefox-enable-ml-dsa-signature-verification-for-certificate-cha
Patch123: firefox-adapt-ml-dsa-support-to-rhel-nss.patch
# RHEL downstream only - enable ML-DSA in manager/ssl
Patch124: firefox-enable-ml-dsa-in-manager-ssl.patch
# RHEL downstream only - add mlkem768-secp256r1 support
Patch125: firefox-add-mlkem768-secp256r1-support.patch
# ---- Fedora specific patches ----
Patch151: firefox-enable-addons.patch
@ -1346,6 +1364,7 @@ export LIBCLANG_RT=`pwd`/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.buil
%patch -P122 -p1 -b .enable-ml-dsa-signature-verification-for-certificate-chain-validation
%patch -P123 -p1 -b .adapt-ml-dsa-support-to-rhel-nss
%patch -P124 -p1 -b .enable-ml-dsa-in-manager-ssl
%patch -P125 -p1 -b .add-mlkem768-secp256r1-support
%endif
# ---- Fedora specific patches ----
@ -2109,6 +2128,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#---------------------------------------------------------------------
%changelog
* Fri Nov 7 2025 Jan Horak <jhorak@redhat.com> - 140.5.0-1
- Update to 140.5.0 ESR
* Fri Oct 10 2025 Jan Horak <jhorak@redhat.com> - 140.4.0-3
- Update to 140.4.0 ESR
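Review bot: In the RHEL 7 x86_64 `__spec_install_post` override, the `strip` fallback for the `*.so` files most likely never runs, because `find … -exec eu-strip --strip-debug {} \\;` exits 0 even when individual `eu-strip` invocations fail, and `2>/dev/null` hides their errors. A failed strip would then surface only later as the oversized payload this block is meant to prevent. Terminating the `-exec` with `+` instead of `\\;` makes `find` return non-zero when the command fails, so the `||` branch is actually taken. The three `--strip-all` lines end in `|| :`, which likewise accepts an unstripped binary silently; dropping that suffix would let the build fail visibly. Since `debug_package` is set to `%{nil}`, no debuginfo is produced for this target, and the changelog entry should say so because it affects later crash analysis.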


@ -4,5 +4,5 @@ SHA512 (nss-3.112.0-1.el9_4.src.rpm) = 6386239e79f8095b05270b3c8b76ac9203b0df196
SHA512 (nss-3.112.0-4.el8_2.src.rpm) = 59cca3df7a0ec6a731f4a36f8f560d496d240da0c16650f047ae686e683b883dc2630aedbe46a8b2cb21662c15f03f1efbe99da42055cc3a5418da4839e28da2
SHA512 (nspr-4.36.0-2.el8_2.src.rpm) = fcc720afd2453a5110975fac9dd06f636491234780b62cbfcc235a485b4935e97c4f438292c686d27d9dc86b56f43399c024bee4fffcdff5f27c62d105310645
SHA512 (cbindgen-vendor.tar.xz) = 79becf7e70bddbbebfd8c3eaf8c0003e29e267bfbcd64b9801ed2cfd35f5de9d04bb55afcf379f784b5a1e2b9b83c6b14eb6af6219ed5ccea1df29fc24e5614c
SHA512 (firefox-140.4.0esr.processed-source.tar.xz) = 1e779bfe44de51f34b02a8d3df440dad60bae5e8760df9591d0d8d7186e823d960ec4ec5d2d2b9aa0608fc0bf6e4ae2b9a121e9513e1b3716cf0b51fb2db4389
SHA512 (firefox-langpacks-140.4.0esr-20251010.tar.xz) = 3119dbd361eabf918e58948fc5c54caa24da204037b5087f8298bac051307c073fb3fd2f44032f03949f237cbcff95063aa827237746f264d77aa80d0cdb34c5
SHA512 (firefox-140.5.0esr.processed-source.tar.xz) = a2f0020e095dc4fcb9439aa2504644965b4a4655debb939b1346417ebf1d22a7efcc7956050d55245ade5f15a62a50f1c54c3fb87b9009d59e6e2a59fe25d35b
SHA512 (firefox-langpacks-140.5.0esr-20251107.tar.xz) = 1c6cd9a55d964a04820eb11d0da933f92bf3a9feb8c2b079cba07e6426b893e36870df4b031c03be934ec0f44852259e5fcad51e95e98f85f66f9403d1d06de7


@ -6,7 +6,7 @@ diff -up firefox-121.0.1/toolkit/moz.configure.wasi firefox-121.0.1/toolkit/moz.
if wasi_sysroot:
log.info("Using wasi sysroot in %s", wasi_sysroot)
- return ["--sysroot=%s" % wasi_sysroot]
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.4.0-build/firefox-140.4.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"]
+ return ["--sysroot=%s" % wasi_sysroot, "-nodefaultlibs", "-lc", "-lwasi-emulated-process-clocks", "-lc++", "-lc++abi", "/home/jhorak/r/firefox/firefox-140.5.0-build/firefox-140.5.0/wasi-sdk-20/build/compiler-rt/lib/wasi/libclang_rt.builtins-wasm32.a"]
return []
set_config("WASI_SYSROOT", wasi_sysroot)