Firefox 1548973 Hotfix (addons disabled due to expired intermediate certificate) #60916
Comments
The issue can be followed at https://bugzilla.mozilla.org/show_bug.cgi?id=1548973 (see also various other links hanging off this as "Depends On" and "Blocks", linked in the comments, etc.) |
Thank you so much! I've been looking for this! |
Thanks, it worked! |
It worked for me, Thanks! |
Edit: correction: https://bugzilla.mozilla.org/show_bug.cgi?id=1549061 is linked somewhere, and so is https://blog.mozilla.org/addons/2019/05/04/update-regarding-add-ons-in-firefox/ The latter says: "There are a number of work-arounds being discussed in the community. These are not recommended as they may conflict with fixes we are deploying. We’ll let you know when further updates are available that we recommend, and appreciate your patience. (May 4, 15:01 EST)" Therefore my suggestion is to periodically check the issues for additional information, caveat emptor, etc etc. |
THANK YOU. the way Mozilla has been handling this is stupid. this exists, why not give people the link instead of asking them to browse unprotected for SIX FUCKING HOURS |
Almost 18 hours unpatched, here. I couldn't enable studies - toggling the checkbox made NO change to prefs.js so studies are vaporware on my install for some reason. Just give me the stinkin' patch, Mozilla. |
Fixed typo. |
Added edit mentioning a second workaround method that may or may not work if the XPI doesn't work. |
How can I uninstall this once Mozilla fixed the issue? I don't see anything at |
Oh, that's a good question. I just assumed it would show up in |
For clarification, I have Studies and Telemetry disabled in my profile |
The addon seems to be listed in |
I deleted the .xpi from the profile directory and it seems to remove the add-on, but I'm not sure if it's removed completely or not... And it seems to not store data, as far as I can see. Edit 1: Also, I downloaded the .xpi and unzipped it. I see it injects a cert and then forces a re-verification of the add-ons' signature. The file
|
+1 I guess that when the official patch rolls out, we can uninstall Firefox completely and just reinstall it, right? |
Ok so I couldn't find the original source code for the XPI, would be nice if someone could post where to find it, but it's basically readable if you extract the xpi. I don't know what the content.js does, otherwise this is the code:

```js
/* eslint no-unused-vars: ["error", { "varsIgnorePattern": "skeleton" }]*/
ChromeUtils.defineModuleGetter(this, "XPIDatabase", "resource://gre/modules/addons/XPIDatabase.jsm");
var skeleton = class extends ExtensionAPI {
  getAPI(/* context */) {
    return {
      experiments: {
        skeleton: {
          async doTheThing() {
            // first inject the new cert
            try {
              let intermediate = *omitted*
              let certDB = Cc["@mozilla.org/security/x509certdb;1"].getService(Ci.nsIX509CertDB);
              certDB.addCertFromBase64(intermediate, ",,");
              console.log("new intermediate certificate added");
            } catch (e) {
              console.error("failed to add new intermediate certificate:", e);
            }
            // Second, force a re-verify of signatures
            try {
              XPIDatabase.verifySignatures();
              console.log("signatures re-verified");
            } catch (e) {
              console.error("failed to re-verify signatures:", e);
            }
          }
        }
      }
    };
  }
};
```

Some similar patches can be found linked from https://bugzilla.mozilla.org/show_bug.cgi?id=1549061 Basically, I guess it looks safe to just delete the addon as stated by @captainepoch but I'm not a firefox dev so YMMV. Edit: Oops, some duplicated work. :) |
Specifically, relevant discussion can be read at https://phabricator.services.mozilla.com/D29940 , I have not read through it. |
https://news.ycombinator.com/item?id=19828631 links https://news.ycombinator.com/item?id=19827428 links http://kb.mozillazine.org/Uninstalling_extensions#Uninstalling_manually suggests the manual deletion method is fine. Who knows how up to date that article is though. |
@captainepoch You can see both comments. They explain what is being done in less detail. |
The googleapi link to intermediate hotfix as in OP, pops window "normandy.cdn.mozilla.net Firefox prevented this site from asking you to install software on your computer" Then if I resend url I get another popup "The add-on could not be downloaded because of a connection failure" Any ideas? Edit: here is complete url with ++ h++ps://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi browser console shows 1557070136986 addons.xpi WARN Download of https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi failed: [Exception... "Certificate issuer is not built-in." nsresult: "0x80004004 (NS_ERROR_ABORT)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: checkCert :: line 163" data: no] Stack trace: checkCert()@resource://gre/modules/CertUtils.jsm:163 |
You must have something different with your configuration and/or have something causing the site to be untrusted. I don't know, sorry. There seem to be ways to get past the prevention of installation from untrusted sites but I don't feel comfortable recommending that. You need to figure out why your Firefox doesn't trust the path. Edit: there seem to be other people on the internet with your issue. I guess you could download the XPI manually with curl or wget or something (right click -> save link as?), I'm just looking at your browser very suspiciously. This is basically bypassing a check it's doing and is unhappy about for some reason. Edit 2: As long as you haven't disabled signature verification I guess it's fine. |
It looks like firefox doesn't like the certificate the addon is signed with for some reason? |
Thank you stefano-m!!! |
Just in case it helps future visitors, the fix (same solution as the hotfix) has already shipped now (about 3 hours ago in 66.0.4). See release notes for details and known outstanding issues: https://www.mozilla.org/en-US/firefox/66.0.4/releasenotes/ |
The master and 19.03 branches have Firefox 66.0.4 now, so I assume hotfixes aren't needed anymore. |
Just wanted to throw this fix out there since I am on an older version of Firefox 56.0.2 which does not currently have a fix. You can manually import the certificate found in the xpi. To do this you will want to download the xpi from the below link possibly with another browser like IE if you are having trouble.
Rename the file extension to .crt |
56 surprises me. I'd expect 52 ESR to be more likely (we even still have it in latest nixpkgs), but both are unmaintained upstream and thus unlikely to receive official fixes. |
@camy011 Quite curious here. |
@vcunat That's what I needed. Thanks. Makes sense. |
Originally I didn't upgrade because I didn't want my addons disabled. The goal being to allow enough time for addons to update and alternatives to become available. I actually went through and installed the latest FF side-by-side yesterday and got everything working to the point that I don't need my old copy. Some addons that don't have an alternative that I was using though: Most of what I wanted from these addons can be done using the userChrome.css so it doesn't matter too much. Tabs on bottom, moving "Select All" and "Copy" to the top of the right click menu, hiding context menu options (if I care enough to get around to it), hiding text for bookmarks to fit more on the bar. I also used classic theme restorer to move my file menu to my bookmarks bar to help compact the browser. While there isn't an easy way to do that it looks like I can move my bookmarks toolbar to my file menu bar which gives almost the same effect (top vs middle row). |
In pre-Quantum FF (versions 56, 55, etc.), I tried following some of the instructions in this thread, but didn't have success with extensions working again. Finally I found this thread on Reddit which basically goes through the same process mentioned by @camy011 about extracting and installing the certificate, but it also includes the last important step about running a command needed to re-verify the signatures of all add-ons. |
It appears even a fix for 52 ESR is planned, though I still can't see a new 52.x release on the download site.
|
Installing the hotfix:
I didn't want to turn on user studies and it didn't seem to be pulling the hotfix immediately anyway, so I did some digging and found the hotfix installer at https://normandy.cdn.mozilla.net/api/v1/recipe/.
Search for "name": "Hotfix: Update XPI signing intermediate [Bug 1548973]", and then install the xpi from the addonUrl field. I don't know how supported this method is but it worked for me. I cannot guarantee user support, so if you can't figure things out yourself/don't consider yourself a power user it's probably a bad idea to rely on this. That said, strictly on topic issues (this isn't really a mozilla issue tracker) will be handled on a best effort basis.

Example url:
https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/hotfix-update-xpi-intermediate@mozilla.com-1.0.2-signed.xpi

Edit: see later in thread for some vague clarification from Mozilla about community workarounds, which FWIW is more or less reasonable under the circumstances. Likely to attempt to reduce support load. TL;DR: caveat emptor. (nothing has changed)

Edit2: Fixed typo: addonIUrl -> addonUrl
Edit3: For those coming to this issue from other sources: Nixpkgs currently runs firefox 66. For those on an older version where the normandy xpi does not work (unsure if user error, or version incompatibility - have not tested it myself) a more involved workaround that is mentioned in the issue tracker is to extract the certificate from the XPI and manually import it into the certificate store. E.g. https://bugzilla.mozilla.org/show_bug.cgi?id=1549078#c71
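
The recipe lookup described in the post above, as an added example that is not part of the original post and not Mozilla's code: it finds the hotfix recipe by its name, reads `addonUrl`, and rejects anything that is not an HTTPS link to a host named in this thread. The nesting of the recipe JSON is an assumption (so the search is by key, not by fixed path), and `SAMPLE` is constructed.

```javascript
// Added example, not Mozilla's code. Only the "name" and "addonUrl" field
// names come from the thread; the nesting of the recipe JSON is assumed.
const HOTFIX_NAME = "Hotfix: Update XPI signing intermediate [Bug 1548973]";
// Hosts the thread shows for the recipe API and the XPI download.
const ALLOWED_HOSTS = new Set(["storage.googleapis.com", "normandy.cdn.mozilla.net"]);

// Depth-first search: first node (object or array) for which pred() is true.
function findNode(node, pred) {
  if (node === null || typeof node !== "object") return undefined;
  if (pred(node)) return node;
  for (const child of Object.values(node)) {
    const hit = findNode(child, pred);
    if (hit !== undefined) return hit;
  }
  return undefined;
}

// Return the hotfix download URL and file name, or throw if anything is off.
function hotfixUrl(recipesJson) {
  const recipe = findNode(JSON.parse(recipesJson), (n) => n.name === HOTFIX_NAME);
  if (!recipe) throw new Error("hotfix recipe not found");
  const holder = findNode(recipe, (n) => typeof n.addonUrl === "string");
  if (!holder) throw new Error("recipe has no addonUrl");
  const url = new URL(holder.addonUrl);
  // Refuse plain HTTP and any host other than the ones named in the thread.
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error("unexpected download location: " + url.origin);
  }
  // The browser console log in the thread shows "@" encoded as %40.
  const file = decodeURIComponent(url.pathname.split("/").pop());
  if (!file.endsWith("-signed.xpi")) throw new Error("not a signed XPI: " + file);
  return { url: url.href, file };
}

// Constructed sample response (layout assumed, URL taken from the thread).
const XPI = "https://storage.googleapis.com/moz-fx-normandy-prod-addons/extensions/" +
  "hotfix-update-xpi-intermediate%40mozilla.com-1.0.2-signed.xpi";
const SAMPLE = JSON.stringify([
  { recipe: { name: "Unrelated study", arguments: { addonUrl: "https://example.invalid/x.xpi" } } },
  { recipe: { name: HOTFIX_NAME, arguments: { name: "hotfix", addonUrl: XPI } } },
]);

console.log(hotfixUrl(SAMPLE).file);
```

The host and scheme check only narrows where the file comes from; Firefox's own add-on signature verification still has to pass when the XPI is installed.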