Update to 140.5.0 esr build 2

- Remove unused pref(mail.folder.views.version) - Fixed appdata - Apply ML-DSA patches that were forgotten to be added in the SPEC file - Update upstream patch and rework the patch for ML-DSA adapting it to system NSS to avoid possible breakage in case of future NSS rebase. - Enable PQC for all RHELs 10. Resolves: RHEL-126394
2025-10-17 14:10:27 +02:00 · 2025-10-17 14:10:27 +02:00 · b4af5699e2
commit b4af5699e2
parent 255d36d8fb
8 changed files with 404 additions and 105 deletions
--- a/.gitignore
+++ b/.gitignore
@ -173,3 +173,5 @@
 /thunderbird-langpacks-140.3.0esr-20250912.tar.xz
 /thunderbird-140.4.0esr.processed-source.tar.xz
 /thunderbird-langpacks-140.4.0esr-20251013.tar.xz
+/thunderbird-140.5.0esr.processed-source.tar.xz
+/thunderbird-langpacks-140.5.0esr-20251111.tar.xz
--- a/4
+++ b/4
@ -2,5 +2,5 @@ SHA512 (nss-3.112.0-1.el9_4.src.rpm) = 6386239e79f8095b05270b3c8b76ac9203b0df196
 SHA512 (cbindgen-vendor.tar.xz) = 2b8db32c0bca2fa27304ee4fd3a5cc38bc43a11500b23842747813d221e55719c51cf4c0e027e41857f58ce1e283ce97b69c2c7d1eae93ecbb08c2f729e2bf55
 SHA512 (nss-3.112.0-4.el8_2.src.rpm) = 59cca3df7a0ec6a731f4a36f8f560d496d240da0c16650f047ae686e683b883dc2630aedbe46a8b2cb21662c15f03f1efbe99da42055cc3a5418da4839e28da2
 SHA512 (nspr-4.36.0-2.el8_2.src.rpm) = fcc720afd2453a5110975fac9dd06f636491234780b62cbfcc235a485b4935e97c4f438292c686d27d9dc86b56f43399c024bee4fffcdff5f27c62d105310645
-SHA512 (thunderbird-140.4.0esr.processed-source.tar.xz) = 7b0a530bcd52169b05fb584bbc5a26de1ffb33908ded1ca17ac789f1c1320f573cb800f7a2c6ad8b42fb9b2e44e9d2dce8ebc2850d8bf2674fe7dd89f11b556e
-SHA512 (thunderbird-langpacks-140.4.0esr-20251013.tar.xz) = aae8ca2e5d4c0740e22df069f748d02ec6a185ac973ebfef8c5dc966e2bf73aa9d228302f29eaf92ab4bdbacfc1380be43c2d20765f9193b2d96e43127ff86f9
+SHA512 (thunderbird-140.5.0esr.processed-source.tar.xz) = a05bdaa0738015af8adf3c7c8a9e51ddd6bbd18bc620b6571b65e5aba92786581cb29605be73724db331e713ed19064abf62049d175f854d9a5ade5334b98aaa
+SHA512 (thunderbird-langpacks-140.5.0esr-20251111.tar.xz) = 08c4d8fac7d2fff02cc32a6a50f176d25b8b92e17a76828634e0a3c3cfa07f436bb9d38ad54f10446b141bb1f515ccceeddc651e56141353f8b4cdf8d28bdaae
--- a/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch
+++ b/thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch
@ -1,8 +1,37 @@
 diff --git a/security/nss/lib/mozpkix/lib/pkixnss.cpp b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-index 31aa1ddd67..6eb367eae4 100644
+index 31aa1ddd67..93ab402bfd 100644
 --- a/security/nss/lib/mozpkix/lib/pkixnss.cpp
 +++ b/security/nss/lib/mozpkix/lib/pkixnss.cpp
-@@ -323,13 +323,21 @@ VerifyMLDSASignedDataNSS(Input data,
+@@ -303,6 +303,28 @@ DigestBufNSS(Input item,
+   return Success;
+ }
+ 
+static SECOidTag
+findOIDByName(const char *cipherString)
+{
+  SECOidTag tag;
+  SECOidData *oid;
+
+  for (int i = 1; ; i++) {
+    SECOidTag tag = static_cast<SECOidTag>(i);
+    oid = SECOID_FindOIDByTag(tag);
+
+    if (oid == NULL) {
+      break;
+    }
+
+    if (strcasecmp(oid->desc, cipherString) == 0) {
+      return tag;
+    }
+  }
+
+  return SEC_OID_UNKNOWN;
+}
+
+ Result
+ VerifyMLDSASignedDataNSS(Input data,
+                          Input signature,
+@@ -323,17 +345,14 @@ VerifyMLDSASignedDataNSS(Input data,
   SECItem dataItem(UnsafeMapInputToSECItem(data));
   CK_MECHANISM_TYPE mechanism;
 
@ -10,22 +39,21 @@ index 31aa1ddd67..6eb367eae4 100644
 -    case SEC_OID_ML_DSA_44:
 -    case SEC_OID_ML_DSA_65:
 -    case SEC_OID_ML_DSA_87:
-+  switch (SEC_GetSignatureAlgorithmOidTag(pubk->keyType, pubk->u.mldsa.params)) {
-+    case CKP_ML_DSA_44:
-+      hashPolicyTag = SEC_OID_UNKNOWN;
-+      mechanism = CKM_ML_DSA;
-+      signaturePolicyTag = SEC_OID_PRIVATE_3;
-+      break;
-+    case CKP_ML_DSA_65:
-+      hashPolicyTag = SEC_OID_UNKNOWN;
-       mechanism = CKM_ML_DSA;
+-      mechanism = CKM_ML_DSA;
 -      signaturePolicyTag = pubk->u.mldsa.paramSet;
-+      signaturePolicyTag = SEC_OID_PRIVATE_4;
-+      break;
-+    case CKP_ML_DSA_87:
-       hashPolicyTag = SEC_OID_UNKNOWN;
-+      mechanism = CKM_ML_DSA;
-+      signaturePolicyTag = SEC_OID_PRIVATE_5;
-       break;
-     default:
-       return Result::ERROR_UNSUPPORTED_KEYALG;
+-      hashPolicyTag = SEC_OID_UNKNOWN;
+-      break;
+-    default:
+-      return Result::ERROR_UNSUPPORTED_KEYALG;
+-      break;
+  if (pubk->u.mldsa.params == findOIDByName("ML-DSA-44") ||
+      pubk->u.mldsa.params == findOIDByName("ML-DSA-65") ||
+      pubk->u.mldsa.params == findOIDByName("ML-DSA-87")) {
+    hashPolicyTag = SEC_OID_UNKNOWN;
+    mechanism = CKM_ML_DSA;
+    signaturePolicyTag = pubk->u.mldsa.params;
+  } else {
+    return Result::ERROR_UNSUPPORTED_KEYALG;
+   }
+ 
+   SECOidTag policyTags[2] = {signaturePolicyTag, hashPolicyTag};
--- a/thunderbird-add-mlkem768-secp256r1-support.patch
+++ b/thunderbird-add-mlkem768-secp256r1-support.patch
--- a/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
+++ b/thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
@ -1,26 +1,24 @@
 diff --git a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
-index cc77864..1e978ef 100644
+index cc778640a1..298d6a61e8 100644
 --- a/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
 +++ b/netwerk/protocol/http/WebTransportCertificateVerifier.cpp
-@@ -53,6 +53,11 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
+@@ -53,6 +53,10 @@ class ServerCertHashesTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 
 +  virtual mozilla::pkix::Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data,
-+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
 +
   virtual mozilla::pkix::Result DigestBuf(
       mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
       /*out*/ uint8_t* digestBuf, size_t digestBufLen) override;
-@@ -151,6 +156,15 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
+@@ -151,6 +155,14 @@ mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyECDSASignedData(
   return mozilla::pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 }
 
 +mozilla::pkix::Result ServerCertHashesTrustDomain::VerifyMLDSASignedData(
-+    mozilla::pkix::Input data,
-+    mozilla::pkix::Input signature,
+    mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +    mozilla::pkix::Input subjectPublicKeyInfo) {
 +  MOZ_ASSERT_UNREACHABLE("not expecting this to be called");
 +
@ -31,27 +29,46 @@ index cc77864..1e978ef 100644
     mozilla::pkix::Input item, mozilla::pkix::DigestAlgorithm digestAlg,
     /*out*/ uint8_t* digestBuf, size_t digestBufLen) {
 diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
-index ca33077..cb96f58 100644
+index ca330770fb..1e8f1d4996 100644
 --- a/security/certverifier/CertVerifier.cpp
 +++ b/security/certverifier/CertVerifier.cpp
-@@ -1048,10 +1048,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
+@@ -7,6 +7,7 @@
+ #include "CertVerifier.h"
+ 
+ #include <stdint.h>
+#include <optional>
+ 
+ #include "AppTrustDomain.h"
+ #include "CTKnownLogs.h"
+@@ -1010,7 +1011,7 @@ Result CertVerifier::VerifySSLServerCert(
+ void HashSignatureParams(pkix::Input data, pkix::Input signature,
+                          pkix::Input subjectPublicKeyInfo,
+                          pkix::der::PublicKeyAlgorithm publicKeyAlgorithm,
+-                         pkix::DigestAlgorithm digestAlgorithm,
+                         std::optional<pkix::DigestAlgorithm> digestAlgorithm,
+                          /*out*/ Maybe<nsTArray<uint8_t>>& sha512Hash) {
+   sha512Hash.reset();
+   Digest digest;
+@@ -1048,10 +1049,14 @@ void HashSignatureParams(pkix::Input data, pkix::Input signature,
                         sizeof(publicKeyAlgorithm)))) {
     return;
   }
 -  if (NS_FAILED(
-+  // Digest algorithm is expected to be null since ML-DSA is not an hash and
-+  // sign algorithm. Skip digestAlgorithm for ML-DSA.
-+  if (publicKeyAlgorithm != der::PublicKeyAlgorithm::MLDSA) {
-+    if (NS_FAILED(
-           digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
-                         sizeof(digestAlgorithm)))) {
+-          digest.Update(reinterpret_cast<const uint8_t*>(&digestAlgorithm),
+-                        sizeof(digestAlgorithm)))) {
 -    return;
+  // There is no fallback digest algorithm when it's empty.
+  // Check that digestAlgorithm actually contains a value.
+  if (digestAlgorithm) {
+    pkix::DigestAlgorithm value = digestAlgorithm.value();
+    if (NS_FAILED(digest.Update(reinterpret_cast<const uint8_t*>(&value),
+                                sizeof(value)))) {
 +      return;
 +    }
   }
   nsTArray<uint8_t> result;
   if (NS_FAILED(digest.End(result))) {
-@@ -1064,12 +1068,19 @@ Result VerifySignedDataWithCache(
+@@ -1064,10 +1069,17 @@ Result VerifySignedDataWithCache(
     der::PublicKeyAlgorithm publicKeyAlg,
     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
     mozilla::glean::impl::NumeratorMetric telemetryNumerator, Input data,
@ -68,34 +85,31 @@ index ca33077..cb96f58 100644
 +  }
 +
   HashSignatureParams(data, signature, subjectPublicKeyInfo, publicKeyAlg,
-                      digestAlgorithm, sha512Hash);
-+                      digestAlgorithm.value_or(pkix::DigestAlgorithm::sha512), sha512Hash);
+                       digestAlgorithm, sha512Hash);
   // If hashing the signature parameters succeeded, see if this signature is in
-   // the signature cache.
-   if (sha512Hash.isSome() &&
-@@ -1080,16 +1091,23 @@ Result VerifySignedDataWithCache(
+@@ -1080,16 +1092,23 @@ Result VerifySignedDataWithCache(
   Result result;
   switch (publicKeyAlg) {
     case der::PublicKeyAlgorithm::ECDSA:
 -      result = VerifyECDSASignedDataNSS(data, digestAlgorithm, signature,
 -                                        subjectPublicKeyInfo, pinArg);
-+      result = VerifyECDSASignedDataNSS(data, digestAlgorithm.value(),
-+                                        signature, subjectPublicKeyInfo,
-+                                        pinArg);
+      result =
+          VerifyECDSASignedDataNSS(data, digestAlgorithm.value(), signature,
+                                   subjectPublicKeyInfo, pinArg);
       break;
     case der::PublicKeyAlgorithm::RSA_PKCS1:
 -      result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm, signature,
 -                                           subjectPublicKeyInfo, pinArg);
-+      result = VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(),
-+                                           signature, subjectPublicKeyInfo,
-+                                           pinArg);
+      result =
+          VerifyRSAPKCS1SignedDataNSS(data, digestAlgorithm.value(), signature,
+                                      subjectPublicKeyInfo, pinArg);
       break;
     case der::PublicKeyAlgorithm::RSA_PSS:
 -      result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm, signature,
 -                                         subjectPublicKeyInfo, pinArg);
-+      result = VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(),
-+                                         signature, subjectPublicKeyInfo,
-+                                         pinArg);
+      result =
+          VerifyRSAPSSSignedDataNSS(data, digestAlgorithm.value(), signature,
+                                    subjectPublicKeyInfo, pinArg);
 +      break;
 +    case der::PublicKeyAlgorithm::MLDSA:
 +      result = VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
@ -104,58 +118,56 @@ index ca33077..cb96f58 100644
     default:
       MOZ_ASSERT_UNREACHABLE("unhandled public key algorithm");
 diff --git a/security/certverifier/CertVerifier.h b/security/certverifier/CertVerifier.h
-index 6432547..f9a0365 100644
+index 6432547c8a..6e09e6fcdd 100644
 --- a/security/certverifier/CertVerifier.h
 +++ b/security/certverifier/CertVerifier.h
-@@ -331,7 +331,7 @@ mozilla::pkix::Result VerifySignedDataWithCache(
+@@ -331,7 +331,8 @@ mozilla::pkix::Result VerifySignedDataWithCache(
     mozilla::pkix::der::PublicKeyAlgorithm publicKeyAlg,
     mozilla::glean::impl::DenominatorMetric telemetryDenominator,
     mozilla::glean::impl::NumeratorMetric telemetryNumerator,
 -    mozilla::pkix::Input data, mozilla::pkix::DigestAlgorithm digestAlgorithm,
-+    mozilla::pkix::Input data, std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
+    mozilla::pkix::Input data,
+    std::optional<mozilla::pkix::DigestAlgorithm> digestAlgorithm,
     mozilla::pkix::Input signature, mozilla::pkix::Input subjectPublicKeyInfo,
     SignatureCache* signatureCache, void* pinArg);
 
 diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
-index 77c17c1..741892f 100644
+index 70ba17d70f..a3ace3cee7 100644
 --- a/security/certverifier/NSSCertDBTrustDomain.cpp
 +++ b/security/certverifier/NSSCertDBTrustDomain.cpp
-@@ -1541,6 +1541,17 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
+@@ -1541,6 +1541,15 @@ Result NSSCertDBTrustDomain::VerifyECDSASignedData(
       signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
 }
 
-+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data,
-+                                                   Input signature,
-+                                                   Input subjectPublicKeyInfo)
-+{
+Result NSSCertDBTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+                                                   Input subjectPublicKeyInfo) {
 +  return VerifySignedDataWithCache(
 +      der::PublicKeyAlgorithm::MLDSA,
 +      mozilla::glean::cert_signature_cache::total,
-+      mozilla::glean::cert_signature_cache::hits, data, std::nullopt,
-+      signature, subjectPublicKeyInfo, mSignatureCache, mPinArg);
+      mozilla::glean::cert_signature_cache::hits, data, std::nullopt, signature,
+      subjectPublicKeyInfo, mSignatureCache, mPinArg);
 +}
 +
 Result NSSCertDBTrustDomain::CheckValidityIsAcceptable(
     Time notBefore, Time notAfter, EndEntityOrCA endEntityOrCA,
     KeyPurposeId keyPurpose) {
 diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
-index fc210f3..8d17a4f 100644
+index fc210f3254..6178201758 100644
 --- a/security/certverifier/NSSCertDBTrustDomain.h
 +++ b/security/certverifier/NSSCertDBTrustDomain.h
-@@ -197,6 +197,11 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
+@@ -197,6 +197,10 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
       mozilla::pkix::Input signature,
       mozilla::pkix::Input subjectPublicKeyInfo) override;
 
 +  virtual Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data,
-+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
 +
   virtual Result DigestBuf(mozilla::pkix::Input item,
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
 diff --git a/security/ct/CTLogVerifier.cpp b/security/ct/CTLogVerifier.cpp
-index d5e665a..4712137 100644
+index d5e665aaca..471213745d 100644
 --- a/security/ct/CTLogVerifier.cpp
 +++ b/security/ct/CTLogVerifier.cpp
@@ -99,6 +99,10 @@ class SignatureParamsTrustDomain final : public TrustDomain {
@ -170,19 +182,16 @@ index d5e665a..4712137 100644
                                          KeyPurposeId) override {
     return pkix::Result::FATAL_ERROR_LIBRARY_FAILURE;
 diff --git a/security/ct/tests/gtest/CTTestUtils.cpp b/security/ct/tests/gtest/CTTestUtils.cpp
-index 6a25307..03d19f7 100644
+index 6a25307ec3..dbec7adc91 100644
 --- a/security/ct/tests/gtest/CTTestUtils.cpp
 +++ b/security/ct/tests/gtest/CTTestUtils.cpp
-@@ -807,6 +807,15 @@ class OCSPExtensionTrustDomain : public TrustDomain {
+@@ -807,6 +807,12 @@ class OCSPExtensionTrustDomain : public TrustDomain {
                                      subjectPublicKeyInfo, nullptr);
   }
 
-+  pkix::Result VerifyMLDSASignedData(Input data,
-+                                     Input signature,
+  pkix::Result VerifyMLDSASignedData(Input data, Input signature,
 +                                     Input subjectPublicKeyInfo) override {
-+    return VerifyMLDSASignedDataNSS(data,
-+                                    signature,
-+                                    subjectPublicKeyInfo,
+    return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
 +                                    nullptr);
 +  }
 +
@ -190,20 +199,16 @@ index 6a25307..03d19f7 100644
                                          KeyPurposeId) override {
     ADD_FAILURE();
 diff --git a/security/manager/ssl/AppTrustDomain.cpp b/security/manager/ssl/AppTrustDomain.cpp
-index ab49d7e..36e7e19 100644
+index ab49d7eb1f..3963f90eb1 100644
 --- a/security/manager/ssl/AppTrustDomain.cpp
 +++ b/security/manager/ssl/AppTrustDomain.cpp
-@@ -322,6 +322,16 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
+@@ -322,6 +322,12 @@ pkix::Result AppTrustDomain::VerifyECDSASignedData(
                                   subjectPublicKeyInfo, nullptr);
 }
 
-+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data,
-+                                                   Input signature,
-+                                                   Input subjectPublicKeyInfo)
-+{
-+  return VerifyMLDSASignedDataNSS(data,
-+                                  signature,
-+                                  subjectPublicKeyInfo,
+pkix::Result AppTrustDomain::VerifyMLDSASignedData(Input data, Input signature,
+                                                   Input subjectPublicKeyInfo) {
+  return VerifyMLDSASignedDataNSS(data, signature, subjectPublicKeyInfo,
 +                                  nullptr);
 +}
 +
@ -211,31 +216,29 @@ index ab49d7e..36e7e19 100644
     Time /*notBefore*/, Time /*notAfter*/, EndEntityOrCA /*endEntityOrCA*/,
     KeyPurposeId /*keyPurpose*/) {
 diff --git a/security/manager/ssl/AppTrustDomain.h b/security/manager/ssl/AppTrustDomain.h
-index 4b0212e..083d5fb 100644
+index 4b0212ede0..85fdff5f13 100644
 --- a/security/manager/ssl/AppTrustDomain.h
 +++ b/security/manager/ssl/AppTrustDomain.h
-@@ -80,6 +80,10 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
+@@ -80,6 +80,9 @@ class AppTrustDomain final : public mozilla::pkix::TrustDomain {
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) override;
 +  virtual Result VerifyMLDSASignedData(
-+      mozilla::pkix::Input data,
-+      mozilla::pkix::Input signature,
+      mozilla::pkix::Input data, mozilla::pkix::Input signature,
 +      mozilla::pkix::Input subjectPublicKeyInfo) override;
 
  private:
   nsTArray<Span<const uint8_t>> mTrustedRoots;
 diff --git a/security/manager/ssl/TLSClientAuthCertSelection.cpp b/security/manager/ssl/TLSClientAuthCertSelection.cpp
-index 3a84b15..8450076 100644
+index 3a84b15ee6..a3dc5a1af1 100644
 --- a/security/manager/ssl/TLSClientAuthCertSelection.cpp
 +++ b/security/manager/ssl/TLSClientAuthCertSelection.cpp
-@@ -217,6 +217,12 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
+@@ -217,6 +217,11 @@ class ClientAuthCertNonverifyingTrustDomain final : public TrustDomain {
       pkix::Input subjectPublicKeyInfo) override {
     return pkix::Success;
   }
 +  virtual mozilla::pkix::Result VerifyMLDSASignedData(
-+      pkix::Input data,
-+      pkix::Input signature,
+      pkix::Input data, pkix::Input signature,
 +      pkix::Input subjectPublicKeyInfo) override {
 +    return pkix::Success;
 +  }
--- a/thunderbird-redhat-default-prefs.js
+++ b/thunderbird-redhat-default-prefs.js
@ -12,8 +12,6 @@ pref("offline.autoDetect", true);
 /* Disable global indexing by default*/
 pref("mailnews.database.global.indexer.enabled", false);

-/* Do not switch to Smart Folders after upgrade to 3.0b4 */
-pref("mail.folder.views.version", "1");
 pref("extensions.shownSelectionUI", true);
 pref("extensions.autoDisableScopes", 0);

--- a/thunderbird.appdata.xml.in
+++ b/thunderbird.appdata.xml.in
@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<component type="desktop-application">
+  <id>thunderbird</id>
+  <metadata_license>CC0-1.0</metadata_license>
+  <name>Thunderbird</name>
+  <summary>Thunderbird is a free and open source email, newsfeed, chat, and calendaring client</summary>
+  <description>
+    <!-- From https://www.thunderbird.net/en-US/about/  -->
+    <p>
+      Thunderbird is a free and open source email, newsfeed, chat, and
+      calendaring client, that’s easy to set up and customize. One of the core
+      principles of Thunderbird is the use and promotion of open standards -
+      this focus is a rejection of our world of closed platforms and services
+      that can’t communicate with each other. We want our users to have freedom
+      and choice in how they communicate.
+    </p>
+    <p>
+      Thunderbird is an open source project, which means anyone can contribute
+      ideas, designs, code, and time helping fellow users.
+    </p>
+  </description>
+  <categories>
+    <category>Calendar</category>
+    <category>Email</category>
+    <category>Office</category>
+  </categories>
+
+  <url type="homepage">https://www.thunderbird.net/</url>
+  <url type="bugtracker">https://bugzilla.mozilla.org/</url>
+  <url type="faq">https://support.mozilla.org/kb/thunderbird-faq/</url>
+  <url type="help">https://support.mozilla.org/products/thunderbird/</url>
+  <url type="donation">https://www.thunderbird.net/donate/</url>
+  <url type="translate">https://www.thunderbird.net/participate/</url>
+
+  <project_group>Mozilla</project_group>
+  <project_license>MPL-2.0</project_license>
+  <developer_name>Thunderbird Project</developer_name>
+
+  <mimetypes>
+    <mimetype>message/rfc822</mimetype>
+    <mimetype>x-scheme-handler/mailto</mimetype>
+    <mimetype>text/calendar</mimetype>
+    <mimetype>text/vcard</mimetype>
+    <mimetype>text/x-vcard</mimetype>
+  </mimetypes>
+  <releases>
+    <release version="__VERSION__" date="__DATE__"/>
+  </releases>
+  <update_contact>jhorak@redhat.com</update_contact>
+</component>
--- a/thunderbird.spec
+++ b/thunderbird.spec
@ -137,7 +137,7 @@ end}

 Summary:        Mozilla Thunderbird mail/newsgroup client
 Name:           thunderbird
-Version:        140.4.0
+Version:        140.5.0
 Release:        2%{?dist}
 URL:            http://www.mozilla.org/projects/thunderbird/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
@ -165,7 +165,7 @@ ExcludeArch:    %{ix86}
 #Source0:        https://archive.mozilla.org/pub/thunderbird/releases/%%{version}%%{?pre_version}/source/thunderbird-%%{version}%%{?pre_version}.processed-source.tar.xz
 Source0:        thunderbird-%{version}%{?pre_version}%{?buildnum}.processed-source.tar.xz
 %if %{with langpacks}
-Source1:        thunderbird-langpacks-%{version}%{?pre_version}-20251013.tar.xz
+Source1:        thunderbird-langpacks-%{version}%{?pre_version}-20251111.tar.xz
 %endif
 Source2:        cbindgen-vendor.tar.xz
 Source3:        process-official-tarball
@ -177,6 +177,7 @@ Source24:       mozilla-api-key
 Source25:       thunderbird-symbolic.svg
 Source27:       google-api-key
 Source32:       node-stdout-nonblocking-wrapper
+Source33:       thunderbird.appdata.xml.in
 Source35:       google-loc-api-key
 Source401:      nss-setup-flags-env.inc
 Source402:      nspr-4.36.0-2.el8_2.src.rpm
@ -218,6 +219,20 @@ Patch109:       mozilla-bmo1789216-disable-av1.patch
 Patch110:       build-libaom.patch
 Patch111:	av1-else-condition-add.patch

+# ML-DSA support
+# https://phabricator.services.mozilla.com/D262395
+Patch120:       thunderbird-integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation.patch
+# https://phabricator.services.mozilla.com/D262397
+Patch121:       thunderbird-add-ml-dsa-certificate-support-to-certviewer.patch
+# https://phabricator.services.mozilla.com/D264144
+Patch122:       thunderbird-enable-ml-dsa-signature-verification-for-certificate-chain-validation.patch
+# RHEL downstream only - adapts to ML-DSA support in NSS from RHEL 10
+Patch123:       thunderbird-adapt-ml-dsa-support-to-rhel-nss.patch
+# RHEL downstream only - enable ML-DSA in manager/ssl
+Patch124:       thunderbird-enable-ml-dsa-in-manager-ssl.patch
+# RHEL downstream only - add mlkem768-secp256r1 support
+Patch125:       thunderbird-add-mlkem768-secp256r1-support.patch
+
 # ---- Fedora specific patches ----
 Patch151:       firefox-enable-addons.patch
 Patch152:       rhbz-1173156.patch
@ -1099,6 +1114,16 @@ echo "--------------------------------------------"
 %patch -P110 -p1 -b .libaom
 %patch -P111 -p1 -b .av1-else-condition-add

+%if 0%{?rhel} >= 10
+# ML-DSA support
+%patch -P120 -p1 -b .integrate-ml-dsa-signature-verification-for-pkix-certificate-chain-validation
+%patch -P121 -p1 -b .add-ml-dsa-certificate-support-to-certviewer
+%patch -P122 -p1 -b .enable-ml-dsa-signature-verification-for-certificate-chain-validation
+%patch -P123 -p1 -b .adapt-ml-dsa-support-to-rhel-nss
+%patch -P124 -p1 -b .enable-ml-dsa-in-manager-ssl
+%patch -P125 -p1 -b .add-mlkem768-secp256r1-support
+%endif
+
 # ---- Fedora specific patches ----
 %patch -P151 -p1 -b .addons
 %patch -P152 -p1 -b .rhbz-1173156
@ -1569,15 +1594,10 @@ touch $RPM_BUILD_ROOT%{mozappdir}/components/xpti.dat
 %endif

 # Register as an application to be visible in the software center
-mkdir -p $RPM_BUILD_ROOT%{_datadir}/metainfo
-%{__cp} -p comm/mail/branding/%{name}/net.thunderbird.Thunderbird.appdata.xml $RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml
-%if 0%{?flatpak}
-# don't specify icon for flatpak appdata, icons are correctly named and packaged already
-# as org.mozilla.Thunderbird.png
-sed -i -e 's|<icon .*||' "$RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml"
-%else
-sed -i -e 's|<icon .*|<icon type="stock">thunderbird</icon>|' "$RPM_BUILD_ROOT%{_datadir}/metainfo/thunderbird.appdata.xml"
-%endif
+mkdir -p %{buildroot}%{_datadir}/metainfo
+%{__sed} -e "s/__VERSION__/%{version}/" \
+         -e "s/__DATE__/$(date '+%Y-%m-%d')/" \
+         %{SOURCE33} > %{buildroot}%{_datadir}/metainfo/thunderbird.appdata.xml

 # Clean the created bundled rpms.
 rm -rf %{_srcrpmdir}/libffi*.src.rpm
@ -1591,6 +1611,11 @@ find %{_rpmdir} -name "nspr*.rpm" -delete

 #===============================================================================

+%check
+appstream-util validate-relax --nonet %{buildroot}%{_datadir}/metainfo/*.appdata.xml
+
+#===============================================================================
+
 %post
 update-desktop-database &> /dev/null || :
 touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -1675,6 +1700,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #===============================================================================

 %changelog
+* Tue Nov 11 2025 Jan Horak <jhorak@redhat.com> - 140.5.0-2
+- Update to 140.5.0 ESR
+
 * Mon Oct 13 2025 Jan Horak <jhorak@redhat.com> - 140.4.0-2
 - Update to 140.4.0 ESR