fix(firefox): repack source tarball without obfuscated ff-inst.exe #17133

Draft
anphel31 wants to merge 5 commits into tomls/base/main from anphel/esrp-signfix-firefox

@anphel31
Member

Summary

The upstream Mozilla Firefox source tarball ships an obfuscated Windows
executable test fixture at
firefox-148.0/toolkit/components/mediasniffer/test/unit/data/ff-inst.exe.
Obfuscated binaries inside our source RPMs trip the distro's RPM signing
pipeline, which blocks the SRPM from being published.

This PR replaces Source0 with a deterministically-repacked tarball that is
byte-identical to upstream except that ff-inst.exe has been removed.
ff-inst.exe is only used by Firefox's unit tests, which are not run in our
build (run_firefox_tests = 0), so removing it has no effect on the shipped
package.

Changes

  • base/comps/firefox/repack-source-tarball.sh — New helper script that:

    • Downloads firefox-148.0.source.tar.xz from archive.mozilla.org.
    • Verifies its SHA-512 against the value in
      specs/f/firefox/sources.
    • Removes ff-inst.exe.
    • Deterministically repacks as firefox-148.0.azl.source.tar.xz:
      • tar --sort=name --owner=0 --group=0 --numeric-owner --mtime=@1577836800 --format=gnu — stable file order, fixed
        ownership and mtime, no PAX extended headers.
      • xz -T 4 -9 --block-size=256MiB — fixed thread count and block size
        so the SHA-256 is identical across re-runs and machines.
    • Emits SHA-256 and SHA-512 of the modified tarball and prints the
      az storage blob upload command for the AZL lookaside cache.
  • base/comps/firefox/firefox.comp.toml — Adds:

    • A spec-update-tag overlay rewriting Source0 to
      firefox-%{version}%{?pre_version}.azl.source.tar.xz (top-level
      directory inside the tarball is unchanged, so %setup -n firefox-...
      keeps working).
    • A [[components.firefox.source-files]] entry pinning the new filename,
      its SHA-256, and an origin URL pointing at the AZL lookaside cache.

Reproduction

Anyone can regenerate the modified tarball:

./base/comps/firefox/repack-source-tarball.sh
# Writes to base/build/work/scratch/firefox-repack/firefox-148.0.azl.source.tar.xz
# along with .sha256 / .sha512 sidecar files.
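
An independent check of the description's claim that the repacked tarball matches upstream except for the removed ff-inst.exe, as an added example that is not part of this PR or the project's script: it compares two tarballs member by member and reports anything missing, added or changed beyond the allowed path. The function names and the sample trees are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Path taken from the PR description; everything else here is constructed.
REMOVED = "firefox-148.0/toolkit/components/mediasniffer/test/unit/data/ff-inst.exe"

def member_digests(fileobj):
    """Map member path -> (type, mode, link target, SHA-512 of content).
    Owner and mtime are skipped: the repack normalises them on purpose."""
    out = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar:
            data = tar.extractfile(m).read() if m.isreg() else b""
            out[m.name] = (m.type, m.mode, m.linkname,
                           hashlib.sha512(data).hexdigest())
    return out

def diff_repack(upstream, repacked, allowed_removed=(REMOVED,)):
    """Return findings; an empty list means only the allowed paths were dropped."""
    up, rp = member_digests(upstream), member_digests(repacked)
    allowed = set(allowed_removed)
    findings = [("missing", n) for n in sorted(set(up) - set(rp) - allowed)]
    findings += [("added", n) for n in sorted(set(rp) - set(up))]
    findings += [("changed", n) for n in sorted((set(up) & set(rp)) - allowed)
                 if up[n] != rp[n]]
    findings += [("not_removed", n) for n in sorted(allowed & set(rp))]
    return findings

def make_tar(files):
    """Build a constructed in-memory tarball (uncompressed; 'r:*' also reads .tar.xz)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed sample trees standing in for the real tarballs.
UPSTREAM = {"firefox-148.0/moz.build": b"# sample\n", REMOVED: b"MZ placeholder"}
CLEAN = {"firefox-148.0/moz.build": b"# sample\n"}
TAMPERED = {"firefox-148.0/moz.build": b"# sample\nextra\n"}

if __name__ == "__main__":
    print(diff_repack(make_tar(UPSTREAM), make_tar(CLEAN)))     # clean repack
    print(diff_repack(make_tar(UPSTREAM), make_tar(TAMPERED)))  # modified member
```

For the real files, pass the two tarballs opened in binary mode to `diff_repack` after the upstream one has passed its SHA-512 check.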

@anphel31 force-pushed the anphel/esrp-signfix-firefox branch from 6a87246 to 3261e50, May 11, 2026 09:15
# 1. Update --version in modify_source.sh (and UPSTREAM_SHA512).
# 2. Re-run the script and copy the new SHA-256 into the source-files entry.
# 3. Upload the new tarball to the modified-source lookaside (see script output).
[[components.firefox.overlays]]
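
Review bot: step 1 of the update instructions above `[[components.firefox.overlays]]` points at modify_source.sh, but the PR description names the helper base/comps/firefox/repack-source-tarball.sh. The comment should name the script by the path it actually has in this PR, otherwise whoever does the next version bump cannot follow steps 1 and 2.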
Contributor


Let's wait for this azldev update to go in, so you can replace the original upstream source and make this TOML config simpler.

az storage blob upload \\
--account-name azltempstaginglookaside \\
--container-name repo \\
--name "pkgs_modified/firefox/${OUTPUT_NAME}/sha256/\$(awk '{print \$1}' ${OUTPUT_NAME}.sha256)/${OUTPUT_NAME}" \\
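
Review bot: in the `--name` argument, the digest is read at upload time with `awk '{print $1}' ${OUTPUT_NAME}.sha256`, a relative path, so the printed command only resolves when it is run from the directory that holds the sidecar file. Consider printing the digest the script has already computed directly into the blob name, or an absolute path to the sidecar, so the upload path cannot silently come out with an empty hash component.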
Contributor

@PawelWMS PawelWMS May 11, 2026


This looks wrong. The sources file uses SHA-512 and here we're using SHA-256. In general, I don't think we need any SHA-256 in this script.
