
1318 points xvector | 10 comments
rmbryan ◴[] No.19825581[source]
Update: We have rolled out a partial fix for this issue. We generated a new intermediate certificate with the same name/key but an updated validity window and pushed it out to users via Normandy (this should be most users). Users who have Normandy on should see their add-ons start working over the next few hours. We are continuing to work on packaging up the new certificate for users who have Normandy disabled.
replies(20): >>19825596 #>>19825603 #>>19825612 #>>19825623 #>>19825631 #>>19825665 #>>19825705 #>>19825721 #>>19825744 #>>19825813 #>>19825905 #>>19825998 #>>19826421 #>>19826769 #>>19826772 #>>19826878 #>>19827050 #>>19829585 #>>19831941 #>>19840386 #
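The failure rmbryan describes is a chain check against the current time: an intermediate whose validity window has passed fails verification even though the leaf and the root are fine, and a replacement intermediate with the same name and key but a fresh window makes the same chain verify again. The following is an added example, not Mozilla's code; all certificate names and validity windows are constructed, and the only value taken from the thread is the epoch timestamp `1556945257` quoted further down.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the validity fields of an X.509 certificate."""
    name: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, t: datetime) -> bool:
        return self.not_before <= t <= self.not_after


def expired_in_chain(chain, t):
    """Names of certificates in the chain that are NOT valid at time t."""
    return [c.name for c in chain if not c.valid_at(t)]


def expiring_within(chain, t, days):
    """Names of still-valid certificates whose notAfter is within `days` of t.

    This is the monitoring check that would have flagged the intermediate
    before it lapsed rather than after add-ons were disabled."""
    horizon = timedelta(days=days)
    return [c.name for c in chain if c.valid_at(t) and c.not_after - t <= horizon]


# Constructed sample chain; the windows are illustrative, not Mozilla's real values.
ROOT = Cert("root (constructed)", datetime(2015, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
OLD_INTERMEDIATE = Cert("signingca (constructed)",
                        datetime(2017, 5, 4, tzinfo=UTC), datetime(2019, 5, 4, tzinfo=UTC))
# Same name (and, in the real fix, same key) but an updated validity window.
NEW_INTERMEDIATE = Cert("signingca (constructed)",
                        datetime(2019, 5, 1, tzinfo=UTC), datetime(2021, 5, 1, tzinfo=UTC))
ADDON_LEAF = Cert("example-addon (constructed)",
                  datetime(2018, 6, 1, tzinfo=UTC), datetime(2023, 6, 1, tzinfo=UTC))

# Verification time: the pref value quoted in the thread, 2019-05-04 04:47:37 UTC.
VERIFY_TIME = datetime.fromtimestamp(1556945257, tz=UTC)

OLD_CHAIN = [ROOT, OLD_INTERMEDIATE, ADDON_LEAF]
NEW_CHAIN = [ROOT, NEW_INTERMEDIATE, ADDON_LEAF]

if __name__ == "__main__":
    print("old chain, expired:", expired_in_chain(OLD_CHAIN, VERIFY_TIME))
    print("new chain, expired:", expired_in_chain(NEW_CHAIN, VERIFY_TIME))
    print("expiring within 30 days of 2019-04-20:",
          expiring_within(OLD_CHAIN, datetime(2019, 4, 20, tzinfo=UTC), 30))
```

Only the intermediate is reported for the old chain, which matches the symptom in the thread: the add-ons' own certificates were fine, the link above them was not.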
DoctorOetker ◴[] No.19825705[source]
I read at https://discourse.mozilla.org/t/certificate-issue-causing-ad...

>12:50 p.m. UTC / 03:50 a.m. PDT: We rolled out a fix for release, beta and nightly users. The fix will be automatically applied in the background within the next few hours, you don’t need to take active steps.

>In order to be able to provide this fix on short notice, we are using the Studies system. You can check if you have studies enabled by going to Firefox Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

>You can disable studies again after your add-ons have been re-enabled.

>We are working on a general fix that doesn’t need to rely on this and will keep you updated.

I refuse to enable studies, even temporarily. This comes very close after the IE6 conspiracy revelation, where the ends justify the means.

Please provide a link to the certificate file, and step by step instructions for installing it, without enabling and conflating with Mozilla studies...

replies(3): >>19825894 #>>19825895 #>>19825921 #
XORcat ◴[] No.19825921[source]
JSON response from the `normandy` API here: https://xor.cat/assets/other/random/2019-05-04/normandy_sign...

hotfix-update-xpi-signing-intermediate-bug-1548973: https://storage.googleapis.com/moz-fx-normandy-prod-addons/e...

From the looks of it, it installs the above plugin and changes `app.update.lastUpdateTime.xpi-signature-verification` to `1556945257`.

I can't get it to work in ESR 60 though. Getting file not found on "resource://gre/modules/addons/XPIDatabase.jsm"

edit: The linked XPI definitely seems to add the new certificate; whatever mechanism is used to reverify the signatures just doesn't seem to work in 60.

edit2: Restarting Firefox appears to have forced the reverify... Possibly a flag that I twiddled with though, hard to be sure. Either way, the above should help people get everything running again without having to enable studies/normandy.

replies(5): >>19826115 #>>19826755 #>>19827210 #>>19827215 #>>19827221 #
1. gpm ◴[] No.19826755[source]
Hey, if you just click on that storage.googleapis.com link it installs the hotfix directly without having to enable normandy ;)
replies(6): >>19826795 #>>19826847 #>>19826887 #>>19827014 #>>19827736 #>>19828312 #
2. option_greek ◴[] No.19826795[source]
This should be a sticky comment somewhere at the top of the comments. It brought all the add-ons back for me.
3. jwalton ◴[] No.19826847[source]
It does, but it didn't fix anything for me. All my extensions are still gone. :(
replies(1): >>19826864 #
4. gpm ◴[] No.19826864[source]
You might have to reinstall them, unfortunately. On the system I figured that out on, Firefox had decided to uninstall them (I think because I had to update the browser from the ancient version the user was using first).
5. ◴[] No.19826887[source]
6. classichasclass ◴[] No.19827014[source]
Just tried on Android. Hooray!
replies(1): >>19827192 #
7. mateus1 ◴[] No.19827192[source]
Clicking the URL was the only way I was able to get the hotfix on Firefox mobile for Android.
8. reader_1000 ◴[] No.19827736[source]
Unrelated to the cert problem: Yes, clicking on the link installs the plugin, but it is surprising to see that Firefox claims that it is news.ycombinator.com, not storage.googleapis.com, that wants to install the plugin. Could it be a security issue, since if an attacker somehow manages to post/inject a link to a malicious plugin on a credible site, Firefox will claim that the plugin is from that site?
replies(1): >>19827781 #
9. DoctorOetker ◴[] No.19827781[source]
Oh wow! That's really bad.
10. devcpp ◴[] No.19828312[source]
I just installed some random googleapis link. This is so stupid, and very disappointing from Mozilla.