Closed
Bug 1028388
Opened 10 years ago
Closed 10 years ago
Sign the Firefox update hotfix (v20140527.01)
Categories
(Release Engineering :: Release Requests, defect)
Release Engineering
Release Requests
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: gps, Assigned: rail)
References
Details
Attachments
(2 files)
Please sign the attached XPI, a Firefox hotfix that upgrades clients stuck on old releases. For your reference, a similar request is bug 985689.
|
Assignee | |
Updated•10 years ago
|
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 2•10 years ago
|
||
Wil or Jorge: Could one of you please upload the signed hotfix to the *dev* AMO server and publish it? https://addons-dev.allizom.org/developers/addon/firefox-hotfix/edit
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
|
||
Comment 3•10 years ago
|
||
It's up on dev and published now.
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
|
||
Comment 4•10 years ago
|
||
I can't make the automatic install work, using the info on https://developer.mozilla.org/en-US/Add-ons/Hotfix#Testing_the_hotfix_on_the_staging_server. The signature is correct, also tried by running the ping snippet. Tested on FF 10, 28 Win 7. So, what could be the problem ?
Flags: needinfo?(jorge)
|
|
Reporter | |
Comment 5•10 years ago
|
||
Wait, why is the filename of the signed xpi different from what I submitted? When I attempt to install it, I get the following: Timestamp: 6/24/14, 11:43:30 AM Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'. Source File: resource:///modules/CertUtils.jsm Line: 103 Timestamp: 6/24/14, 11:43:30 AM Error: Certificate checks failed. See previous errors for details. Source File: resource:///modules/CertUtils.jsm Line: 106 Timestamp: 6/24/14, 11:43:30 AM Warning: WARN addons.manager: The hotfix add-on was not signed by the expected certificate and so will not be installed. LOG addons.xpi: Cancelling download of https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi Not sure if the two are related. I'm going to reopen this until we have staging working.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 6•10 years ago
|
||
$ wget https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi $ wget https://bugzilla.mozilla.org/attachment.cgi\?id\=8443851 -O signed.xpi $ md5sum *.xpi 1fa3c14f708d3502269357c41f4ee549 mozilla_firefox_hotfix-20130826.01-fx.xpi a7722cc56ba17c672d80a4937839ce1d signed.xpi They are not identical. Also 20130826 doesn't sound right...
|
||
Comment 7•10 years ago
|
||
Are you sure you're getting the right file? When I install from https://addons-dev.allizom.org/en-US/firefox/addon/firefox-hotfix/ it does a redirect dance and ends up at https://addons-dev-cdn.allizom.org/storage/public-staging/354399/mozilla_firefox_hotfix-20140527.01.xpi which md5sums to a7722cc56ba17c672d80a4937839ce1d.
|
|
Assignee | |
Comment 8•10 years ago
|
||
I'll be off Thu-Wed. Please ping people in #releng if there is something actionable from Releng side. I'll keep the bug assigned to me to make sure it's closed properly.
|
|
||
Comment 9•10 years ago
|
||
I uploaded the file in comment #1, which has and incorrect file name but appears to be the correct version. install.rdf and AMO have the correct number: 20140527.01 I don't know what could be wrong with the auto install. Maybe Unfocused can help with this.
Flags: needinfo?(jorge) → needinfo?(bmcbride)
|
||
Comment 10•10 years ago
|
||
To summarize what I think is happening here: * rail made a typo when creating the signed file, using the command in the doc without updating the output file name. The correct input and signing cert were used. * in comment #5, the build is expecting an old cert, it needs this treatment https://developer.mozilla.org/en-US/Add-ons/Hotfix#Signatures before testing the hotfix. For reference, the baked in key signatures in Firefox are: From 10.0 - F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45 From 17.0 - CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89 From 25.0 - 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA * the wrong file in comment #5, something wrong on the AMO side or testing method ? It looks like the original v20130826.01, with a key sig which matches the active cert at that time (ie CA:C4...) I suggest retesting, making sure extensions.hotfix.certs.1.sha1Fingerprint has been set to 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA.
|
||
Comment 11•10 years ago
|
||
I suspect because the update ping to addons-dev.allizom.org results in a 304 status code, redirecting to versioncheck.addons.mozilla.org. Might want to fix that :)
Flags: needinfo?(bmcbride)
|
|
||
Comment 12•10 years ago
|
||
(In reply to Blair McBride [:Unfocused] from comment #11) > I suspect because the update ping to addons-dev.allizom.org results in a 304 > status code, redirecting to versioncheck.addons.mozilla.org. > > Might want to fix that :) Wil, did something change recently about the update ping on -dev?
Flags: needinfo?(clouserw)
|
|
||
Comment 13•10 years ago
|
||
Nothing from me. Jason would know if we moved boxes around - they were changing settings files recently which might have affected this, although I thought it was only marketplace. Are you expecting -dev to just point to -dev and not any VAMO (not even a -dev VAMO)?
Flags: needinfo?(clouserw)
|
|
||
Comment 14•10 years ago
|
||
I expect auto-updates to use -dev if you point your profile to -dev. I don't know what that entails.
|
|
||
Comment 15•10 years ago
|
||
Jason: This URL is redirecting to production VAMO: https://addons-dev.allizom.org/update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US¤tAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE% Do you think that's a recent change? Can you make it...not do that? :)
Flags: needinfo?(jthomas)
|
||
Comment 16•10 years ago
|
||
Should be fixed now: λ master ~ → curl -I https://addons-dev.allizom.org/update/VersionCheck.php\?reqVersion\=2\&id\=firefox-hotfix@mozilla.org\&version\=\&maxAppVersion\=%ITEM_MAXAPPVERSION%\&status\=userEnabled,incompatible\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=24.0\&appOS\=Darwin\&appABI\=x86_64-gcc3\&locale\=en-US\¤tAppVersion\=24.0\&updateType\=%UPDATE_TYPE%\&compatMode\=%COMPATIBILITY_MODE% HTTP/1.1 301 Moved Permanently Server: nginx X-Backend-Server: dev2 Content-Type: text/html Date: Mon, 30 Jun 2014 19:16:41 GMT Location: https://versioncheck-dev.allizom.org//update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID=ec8030f7-c20a-464f-9b0e-13a3a9e97384&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US¤tAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE% Via: Moz-zlb10 Connection: keep-alive Content-Length: 178
Flags: needinfo?(jthomas)
|
||
Comment 17•10 years ago
|
||
Great! We will have a new hotfix shortly for signing and staging. I think we should call this bug FIXED and file a new bug for the fixed version.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•