From ed358470787ee1081e1fc0bd4816aea00a8e8541 Mon Sep 17 00:00:00 2001 From: Jan Horak Date: Tue, 27 Apr 2021 16:35:14 +0200 Subject: [PATCH] Resolves: #1935623 Fixing failed addon install because of disabled sha1 algorithm --- firefox-nss-addon-hack.patch | 19 +++++++++++++++++++ firefox.spec | 8 +++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 firefox-nss-addon-hack.patch diff --git a/firefox-nss-addon-hack.patch b/firefox-nss-addon-hack.patch new file mode 100644 index 0000000..0322707 --- /dev/null +++ b/firefox-nss-addon-hack.patch @@ -0,0 +1,19 @@ +diff -up firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp +--- firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp.nss-hack 2021-01-11 12:12:02.585514543 +0100 ++++ firefox-84.0.2/security/certverifier/NSSCertDBTrustDomain.cpp 2021-01-11 12:47:50.345984582 +0100 +@@ -1619,6 +1619,15 @@ SECStatus InitializeNSS(const nsACString + return srv; + } + ++ /* Sets the NSS_USE_ALG_IN_ANY_SIGNATURE bit. ++ * does not change NSS_USE_ALG_IN_CERT_SIGNATURE, ++ * so policy will still disable use of sha1 in ++ * certificate related signature processing. */ ++ srv = NSS_SetAlgorithmPolicy(SEC_OID_SHA1, NSS_USE_ALG_IN_ANY_SIGNATURE, 0); ++ if (srv != SECSuccess) { ++ NS_WARNING("Unable to use SHA1 for Add-ons, expect broken/disabled Add-ons. See https://bugzilla.redhat.com/show_bug.cgi?id=1908018 for details."); ++ } ++ + if (nssDbConfig == NSSDBConfig::ReadWrite) { + UniquePK11SlotInfo slot(PK11_GetInternalKeySlot()); + if (!slot) { diff --git a/firefox.spec b/firefox.spec index 3b8e499..580043d 100644 --- a/firefox.spec +++ b/firefox.spec @@ -198,7 +198,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 78.8.0 -Release: 5%{?dist} +Release: 6%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ %if 0%{?rhel} == 7 @@ -267,6 +267,7 @@ Patch232: firefox-rhel6-hugepage.patch Patch233: firefox-rhel6-nss-tls1.3.patch Patch234: rhbz-1821418.patch Patch235: firefox-pipewire-0-3.patch +Patch236: firefox-nss-addon-hack.patch # Upstream patches Patch402: mozilla-1196777.patch @@ -601,10 +602,12 @@ sed -ie 's|/usr/include|/app/include|' %_sourcedir/firefox-pipewire-0-3.patch %if 0%{?rhel} >= 8 %if 0%{?rhel_minor_version} >= 3 %patch235 -p1 -b .pipewire-0-3 + %else %patch231 -p1 -b .pipewire %endif %endif +%patch236 -p1 -b .firefox-nss-addon-hack %patch234 -p1 -b .rhbz-1821418 @@ -1591,6 +1594,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Tue Apr 27 2021 Jan Horak - 78.8.0-6 +- Added patch for SHA-1 support for the addons + * Thu Apr 15 2021 Mohan Boddu - 78.8.0-5 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937