From 418c1e3e94d319762bca81680eb1dc097d30118b Mon Sep 17 00:00:00 2001
From: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date: Wed, 13 Mar 2024 03:31:40 +0300
Subject: [PATCH] import dotnet6.0-6.0.128-2.el9_3

---
 .dotnet6.0.metadata                |  2 +-
 .gitignore                         |  2 +-
 SOURCES/runtime-openssl-sha1.patch | 34 ++++++++++++++++++++++++++++++
 SPECS/dotnet6.0.spec               | 28 ++++++++++++++++++++----
 4 files changed, 60 insertions(+), 6 deletions(-)
 create mode 100644 SOURCES/runtime-openssl-sha1.patch

diff --git a/.dotnet6.0.metadata b/.dotnet6.0.metadata
index 11bca36..7a20510 100644
--- a/.dotnet6.0.metadata
+++ b/.dotnet6.0.metadata
@@ -1 +1 @@
-722442f6afac60d4d6dce2c43752717a4d396d84 SOURCES/dotnet-v6.0.127.tar.gz
+c649ed6290120976258e02ab5bab39e37f565b86 SOURCES/dotnet-v6.0.128.tar.gz
diff --git a/.gitignore b/.gitignore
index 1dc40a5..546c695 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/dotnet-v6.0.127.tar.gz
+SOURCES/dotnet-v6.0.128.tar.gz
diff --git a/SOURCES/runtime-openssl-sha1.patch b/SOURCES/runtime-openssl-sha1.patch
new file mode 100644
index 0000000..98f48d7
--- /dev/null
+++ b/SOURCES/runtime-openssl-sha1.patch
@@ -0,0 +1,34 @@
+From d7805229ffe6906cd0832c0482b963caf4b4fd82 Mon Sep 17 00:00:00 2001
+From: Tom Deseyn <tom.deseyn@gmail.com>
+Date: Wed, 28 Feb 2024 14:08:15 +0100
+Subject: [PATCH] Allow certificate validation with SHA-1 signatures.
+
+RHEL OpenSSL builds disable SHA-1 signatures. This causes certificate
+validation to fail when using the X509_V_FLAG_CHECK_SS_SIGNATURE flag
+with a chain where the last certificate uses a SHA-1 signature.
+
+This removes X509_V_FLAG_CHECK_SS_SIGNATURE flag to have the default
+OpenSSL behavior for certificate validation.
+---
+ .../libs/System.Security.Cryptography.Native/pal_x509.c      | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
+index 04c6ba06cd..2cd3413dae 100644
+--- a/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
++++ b/src/libraries/Native/Unix/System.Security.Cryptography.Native/pal_x509.c
+@@ -272,11 +272,6 @@ int32_t CryptoNative_X509StoreCtxInit(X509_STORE_CTX* ctx, X509_STORE* store, X5
+ {
+     int32_t val = X509_STORE_CTX_init(ctx, store, x509, extraStore);
+ 
+-    if (val != 0)
+-    {
+-        X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CHECK_SS_SIGNATURE);
+-    }
+-
+     return val;
+ }
+ 
+-- 
+2.43.2
+
diff --git a/SPECS/dotnet6.0.spec b/SPECS/dotnet6.0.spec
index 4d1979a..3bdf12b 100644
--- a/SPECS/dotnet6.0.spec
+++ b/SPECS/dotnet6.0.spec
@@ -20,10 +20,10 @@
 # until that's done, disable LTO.  This has to happen before setting the flags below.
 %define _lto_cflags %{nil}
 
-%global host_version 6.0.27
-%global runtime_version 6.0.27
+%global host_version 6.0.28
+%global runtime_version 6.0.28
 %global aspnetcore_runtime_version %{runtime_version}
-%global sdk_version 6.0.127
+%global sdk_version 6.0.128
 %global sdk_feature_band_version %(echo %{sdk_version} | sed -e 's|[[:digit:]][[:digit:]]$|00|')
 %global templates_version %{runtime_version}
 #%%global templates_version %%(echo %%{runtime_version} | awk 'BEGIN { FS="."; OFS="." } {print $1, $2, $3+1 }')
@@ -60,7 +60,7 @@
 
 Name:           dotnet6.0
 Version:        %{sdk_rpm_version}
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        .NET Runtime and SDK
 License:        MIT and ASL 2.0 and BSD and LGPLv2+ and CC-BY and CC0 and MS-PL and EPL-1.0 and GPL+ and GPLv2 and ISC and OFL and zlib
 URL:            https://github.com/dotnet/
@@ -88,6 +88,13 @@ Patch100:       runtime-arm64-lld-fix.patch
 Patch101:       runtime-mono-remove-ilstrip.patch
 # https://github.com/dotnet/runtime/pull/95218#issuecomment-1842799422
 Patch102:       runtime-re-enable-implicit-rejection.patch
+# We disable checking the signature of the last certificate in a chain
+# if the certificate is supposedly self-signed. A side effect of not
+# checking the self-signature of such a certificate is that disabled
+# or unsupported message digests used for the signature are not
+# treated as fatal errors. https://issues.redhat.com/browse/RHEL-25254
+Patch103:       runtime-openssl-sha1.patch
+
 
 # Disable apphost, needed for s390x
 Patch500:       fsharp-no-apphost.patch
@@ -378,6 +385,7 @@ pushd src/runtime
 %patch100 -p1
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 popd
 
 pushd src/fsharp
@@ -612,6 +620,18 @@ rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0
 
 
 %changelog
+* Wed Mar 06 2024 Tom Deseyn <tom.deseyn@gmail.com> - 6.0.128-2
+- We disable checking the signature of the last certificate in a chain
+  if the certificate is supposedly self-signed. A side effect of not
+  checking the self-signature of such a certificate is that disabled
+  or unsupported message digests used for the signature are not
+  treated as fatal errors.
+- Resolves: RHEL-28359
+
+* Thu Feb 29 2024 Omair Majid <omajid@redhat.com> - 6.0.128-1
+- Update to .NET SDK 6.0.128 and Runtime 6.0.28
+- Resolves: RHEL-27540
+
 * Thu Feb 01 2024 Omair Majid <omajid@redhat.com> - 6.0.127-1
 - Update to .NET SDK 6.0.127 and Runtime 6.0.27
 - Resolves: RHEL-23787