Search for signing certificates in more places

Resolves: RHEL-145379
2026-03-05 13:27:48 +01:00 · 2026-03-05 13:27:48 +01:00 · 1b42e77309
commit 1b42e77309
parent 6b8f3c1fbf
2 changed files with 89 additions and 1 deletions
--- a/poppler-24.02.0-cert-db.patch
+++ b/poppler-24.02.0-cert-db.patch
@ -0,0 +1,82 @@
+--- poppler-24.02.0/poppler/NSSCryptoSignBackend.cc
+++ poppler-24.02.0/poppler/NSSCryptoSignBackend.cc
+@@ -15,7 +15,7 @@
+ // Copyright 2020 Thorsten Behrens <Thorsten.Behrens@CIB.de>
+ // Copyright 2020 Klarälvdalens Datakonsult AB, a KDAB Group company, <info@kdab.com>. Work sponsored by Technische Universität Dresden
+ // Copyright 2021 Theofilos Intzoglou <int.teo@gmail.com>
+-// Copyright 2021 Marek Kasik <mkasik@redhat.com>
+// Copyright 2021, 2025, 2026 Marek Kasik <mkasik@redhat.com>
+ // Copyright 2022 Erich E. Hoover <erich.e.hoover@gmail.com>
+ // Copyright 2023 Tobias Deiminger <tobias.deiminger@posteo.de>
+ // Copyright 2023 g10 Code GmbH, Author: Sune Stolborg Vuorela <sune@vuorela.dk>
+@@ -31,6 +31,7 @@
+ 
+ #include <optional>
+ #include <vector>
+#include <filesystem>
+ 
+ #include <Error.h>
+ 
+@@ -679,28 +680,54 @@ std::unique_ptr<X509CertificateInfo> NSS
+ 
+ static std::optional<std::string> getDefaultFirefoxCertDB()
+ {
+    std::vector<std::string> firefoxPaths;
+
+ #ifdef _WIN32
+     const char *env = getenv("APPDATA");
+     if (!env) {
+         return {};
+     }
+-    const std::string firefoxPath = std::string(env) + "/Mozilla/Firefox/Profiles/";
+    firefoxPaths.emplace_back(std::string(env) + "/Mozilla/Firefox/Profiles/");
+ #else
+     const char *env = getenv("HOME");
+    const char *xdg_config_home = getenv("XDG_CONFIG_HOME");
+    const char *legacy = getenv("MOZ_LEGACY_HOME");
+     if (!env) {
+         return {};
+     }
+-    const std::string firefoxPath = std::string(env) + "/.mozilla/firefox/";
+    const std::string firefoxLegacyPath = std::string(env) + "/.mozilla/firefox/";
+
+    if (legacy == nullptr || legacy[0] != '1') {
+        if (xdg_config_home != nullptr) {
+            firefoxPaths.emplace_back(std::string(xdg_config_home) + "/mozilla/firefox/");
+        } else {
+            firefoxPaths.emplace_back(std::string(env) + "/.config/mozilla/firefox/");
+        }
+    }
+    firefoxPaths.emplace_back(firefoxLegacyPath);
+ #endif
+ 
+-    GDir firefoxDir(firefoxPath.c_str());
+-    std::unique_ptr<GDirEntry> entry;
+-    while (entry = firefoxDir.getNextEntry(), entry != nullptr) {
+-        if (entry->isDir() && entry->getName()->toStr().find("default") != std::string::npos) {
+-            return entry->getFullPath()->toStr();
+    std::error_code ec; // ensures directory_iterator doesn't throw exceptions
+    std::optional<std::string> latestDir;
+    std::filesystem::file_time_type latestWriteTime;
+    for (const std::string &firefoxPath : firefoxPaths) {
+        for (const auto &entry : std::filesystem::directory_iterator { firefoxPath, ec }) {
+            if (entry.is_directory() && entry.path().string().find("default") != std::string::npos) {
+                const auto certPath = entry.path() / "cert9.db";
+                if (std::filesystem::exists(certPath, ec) && std::filesystem::is_regular_file(certPath, ec)) {
+                    const auto writeTime = std::filesystem::last_write_time(certPath, ec);
+                    if (!latestDir.has_value() || writeTime > latestWriteTime) {
+                        latestWriteTime = writeTime;
+                        latestDir = entry.path().string();
+                    }
+                }
+            }
+        }
+        if (latestDir.has_value()) {
+            break;
+         }
+     }
+-    return {};
+    return latestDir;
+ }
+ 
+ std::string NSSSignatureConfiguration::sNssDir;
--- a/poppler.spec
+++ b/poppler.spec
@ -17,7 +17,7 @@
 Summary: PDF rendering library
 Name:    poppler
 Version: 24.02.0
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: (GPL-2.0-only OR GPL-3.0-only) AND GPL-2.0-or-later AND LGPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
 URL:     http://poppler.freedesktop.org/
 Source0: http://poppler.freedesktop.org/poppler-%{version}.tar.xz
@ -35,6 +35,8 @@ Patch5:  poppler-24.02.0-covscan.patch

 Patch6:  poppler-24.02.0-check-bitmap-in-combine.patch

+Patch7:  poppler-24.02.0-cert-db.patch
+
 BuildRequires: make
 BuildRequires: cmake
 BuildRequires: gcc-c++
@ -287,6 +289,10 @@ test "$(pkg-config --modversion poppler-qt6)" = "%{version}"
 %{_mandir}/man1/*

 %changelog
+* Thu Mar  5 2026 Marek Kasik <mkasik@redhat.com> - 24.02.0-8
+- Search for signing certificates in more places
+- Resolves: RHEL-145379
+
 * Mon Dec 15 2025 Marek Kasik <mkasik@redhat.com> - 24.02.0-7
 - Check bitmap in combine()
 - Resolves: RHEL-131783, RHEL-131782