From 26487078451c52f45f118c9613c0a8fae8703b3b Mon Sep 17 00:00:00 2001 
From: Pawel Winogrodzki Date: Mon, 18 May 2026 21:38:29 +0000 Subject: [PATCH] fix(mozjs128): drop scanner-flagged aes_archive.zip from source0 The upstream `firefox-128.11.0esr.source.tar.xz` ships an AES-encrypted ZIP fixture at `firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zip` that comes from the cargo-vendored Rust `zip` crate's test suite. That file trips the automated package-signing pipeline's deep scanner with a benign encrypted-archive verdict, which fails the SRPM signing step for mozjs128 even though the fixture is never read at AZL build time -- the SpiderMonkey build only consumes `js/src/`, and the cargo `zip` crate's test corpus is not exercised by SpiderMonkey. Mitigation: serve a downstream-modified Source0 with that single file removed. The repack is deterministic so the resulting tarball SHA-512 is reproducible from a fresh clone. Files: - `base/comps/components.toml`: remove the inline `[components.mozjs128]` row (the dedicated component file is auto-included by the `**/*.comp.toml` glob). - `base/comps/mozjs128/mozjs128.comp.toml`: declare a `[[components.mozjs128.source-files]]` block with `replace-upstream = true` pointing at the locally-modified tarball in the `pkgs_modified/mozjs128/` lookaside path (SHA-512 = 39141838...370db2d). - `base/comps/mozjs128/modify_source.sh`: deterministic script that downloads the upstream `.tar.xz`, verifies its published SHA-512, extracts, deletes the single `aes_archive.zip` leaf, and repacks via `tar --sort=name --mtime --owner=0 --group=0 --numeric-owner | xz -T1 -9e`. Single-threaded xz keeps the block-boundary layout (and therefore the SHA-512) host-CPU independent. - `locks/mozjs128.lock`: refreshed `input-fingerprint` to reflect the new component definition. - `specs/m/mozjs128/{mozjs128.spec,sources}`: re-rendered: bumps `release_number` to 10, swaps the `sources` SHA-512 to the modified-tarball hash, adds a `%changelog` entry. 
---
 base/comps/components.toml | 1 -
 base/comps/mozjs128/modify_source.sh | 83 ++++++++++++++++++++++++++
 base/comps/mozjs128/mozjs128.comp.toml | 9 +++
 locks/mozjs128.lock | 2 +-
 specs/m/mozjs128/mozjs128.spec | 5 +-
 specs/m/mozjs128/sources | 2 +-
 6 files changed, 98 insertions(+), 4 deletions(-)
 create mode 100755 base/comps/mozjs128/modify_source.sh
 create mode 100644 base/comps/mozjs128/mozjs128.comp.toml
diff --git a/base/comps/components.toml b/base/comps/components.toml
index 28735f368a3..dd58a004cc1 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -2161,7 +2161,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.mosh]
 [components.motif]
 [components.mozilla-filesystem]
-[components.mozjs128]
 [components.mozjs140]
 [components.mpdecimal]
 [components.mpfr]
diff --git a/base/comps/mozjs128/modify_source.sh b/base/comps/mozjs128/modify_source.sh
new file mode 100755
index 00000000000..97464b5e14f
--- /dev/null
+++ b/base/comps/mozjs128/modify_source.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+#
+# mozjs128: download upstream Firefox ESR source, remove a single
+# scanner-tripping test fixture, and repack deterministically as a
+# .tar.xz. The single removed file is:
+#
+# firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zip
+#
+# (AES-encrypted ZIP test vector for the cargo-vendored `zip` crate;
+# never read at AZL build time -- mozjs128 only consumes `js/src/`.)
+#
+# Rationale lives in mozjs128.comp.toml (replace-reason). All output
+# lands under /base/build/work/scratch/mozjs128/.
+
+set -euo pipefail
+
+VERSION="128.11.0"
+ORIGINAL_NAME="firefox-${VERSION}esr.source.tar.xz"
+EXTRACTED_DIRNAME="firefox-${VERSION}"
+MODIFIED_NAME="firefox-${VERSION}esr-azl-aes-fixture-removed.tar.xz"
+UPSTREAM_URL="https://ftp.mozilla.org/pub/firefox/releases/${VERSION}esr/source/${ORIGINAL_NAME}"
+
+# From https://ftp.mozilla.org/pub/firefox/releases/128.11.0esr/SHA512SUMS
+ORIGINAL_SHA512="80af64c1dce6d7a25111480567a3251cc2d1edce00acc4d85bbaa44590f5bbf4c0716f9490c3ab8ef1e6fc2bbabb2379029c2dee51ce477933c7a5935092d279"
+
+# Single path (relative to the extracted top-level dir) to remove.
+REMOVE_PATH="third_party/rust/zip/tests/data/aes_archive.zip"
+
+SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." 
&& pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/mozjs128"
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Downloading ${ORIGINAL_NAME}"
+[[ -f "${ORIGINAL_NAME}" ]] || curl -fsSL --retry 3 -o "${ORIGINAL_NAME}" "${UPSTREAM_URL}"
+
+echo "[2/5] Verifying upstream SHA512"
+computed=$(sha512sum "${ORIGINAL_NAME}" | awk '{print $1}')
+if [[ "${computed}" != "${ORIGINAL_SHA512}" ]]; then
+ echo "ERROR: upstream SHA512 mismatch" >&2
+ echo " expected: ${ORIGINAL_SHA512}" >&2
+ echo " computed: ${computed}" >&2
+ exit 1
+fi
+
+echo "[3/5] Extracting"
+rm -rf "${EXTRACTED_DIRNAME}"
+tar -xf "${ORIGINAL_NAME}"
+
+echo "[4/5] Removing ${EXTRACTED_DIRNAME}/${REMOVE_PATH}"
+if [[ ! -f "${EXTRACTED_DIRNAME}/${REMOVE_PATH}" ]]; then
+ echo "ERROR: expected file not present in upstream tarball: ${REMOVE_PATH}" >&2
+ exit 1
+fi
+rm -f "${EXTRACTED_DIRNAME}/${REMOVE_PATH}"
+
+echo "[5/5] Repacking deterministically"
+# Stable byte output requires: sorted names, fixed mtime, zeroed
+# owner/group, and single-threaded xz (xz -T0 block boundaries vary
+# by host CPU count).
+rm -f "${MODIFIED_NAME}"
+tar --sort=name \
+ --mtime='2024-01-01 00:00:00 UTC' \
+ --owner=0 --group=0 --numeric-owner \
+ -cf - "${EXTRACTED_DIRNAME}" | xz -T1 -9e > "${MODIFIED_NAME}"
+
+MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
+echo "${MODIFIED_SHA512} ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
+
+cat < - 128.11.0-10 +- mozjs128: drop scanner-flagged aes_archive.zip from Source0 + * Thu Apr 30 2026 Daniel McIlvaney - 128.11.0-9 - feat: introduce deterministic commit resolution via Azure Linux lock file
diff --git a/specs/m/mozjs128/sources b/specs/m/mozjs128/sources
index c6c5c9d7051..fbf64bc20b9 100644
--- a/specs/m/mozjs128/sources
+++ b/specs/m/mozjs128/sources
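Review bot: The repack SHA-512 still depends on who runs the script, because `tar -xf "${ORIGINAL_NAME}"` in step [3/5] lets GNU tar apply the caller's umask to the extracted mode bits for non-root users (preserving them is only the superuser default), so the same upstream tarball can yield different permissions, and therefore a different archive hash, on two machines; `tar -xpf "${ORIGINAL_NAME}"` (or an explicit `umask 022` before extraction) pins that. Step [1/5] has a related gap: an interrupted `curl -o` can leave a truncated `${ORIGINAL_NAME}` behind, after which the `[[ -f ... ]]` guard skips the download on every rerun and the hash check in [2/5] keeps failing until the file is removed by hand, so downloading to a temporary name and renaming it only after `-f` succeeds, or deleting the file in the mismatch branch, would make reruns self-healing. The `cat <` heredoc that ends this hunk and the comp.toml, lock and spec hunks after it are not legible on this page, so the SHA-512 the script records cannot be cross-checked here.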
@@ -1 +1 @@
-SHA512 (firefox-128.11.0esr.source.tar.xz) = 80af64c1dce6d7a25111480567a3251cc2d1edce00acc4d85bbaa44590f5bbf4c0716f9490c3ab8ef1e6fc2bbabb2379029c2dee51ce477933c7a5935092d279
+SHA512 (firefox-128.11.0esr.source.tar.xz) = 39141838e0ead6918b267772486fbbfbacc0596b5baad279170d103d221550d58eb6a0cf5e811b59b7700eb492d743119412b4093dba09dab56a55ff4370db2d
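Review bot: The `sources` entry keeps the upstream file name `firefox-128.11.0esr.source.tar.xz` while recording the SHA-512 of the repacked tarball, which the script in this same commit writes out as `firefox-128.11.0esr-azl-aes-fixture-removed.tar.xz`; anyone checking Source0 against Mozilla's published SHA512SUMS will now see a mismatch indistinguishable from a tampered download. If the lookaside intentionally serves the repack under the upstream name (the `replace-upstream = true` block described in the commit message suggests so), the spec should say so next to Source0, e.g. `# Source0 is the AZL repack with third_party/rust/zip/tests/data/aes_archive.zip removed; see base/comps/mozjs128/modify_source.sh`; otherwise renaming Source0 to the modified file name keeps the upstream name tied to the upstream hash.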