Sign the Firefox update hotfix (v20140527.01)

RESOLVED FIXED

Status

Release Engineering
Releases

People

(Reporter: gps, Assigned: rail)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

3 years ago
Created attachment 8443713 [details]
hotfix-v20140527.01.xpi

Please sign the attached XPI, a Firefox hotfix that upgrades clients stuck on old releases.

For your reference, a similar request is bug 985689.
(Assignee)

Comment 1

3 years ago
Created attachment 8443851 [details]
hotfix-v20130826.01-signed.xpi

attached
Assignee: nobody → rail
(Assignee)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Comment 2

3 years ago
Wil or Jorge:

Could one of you please upload the signed hotfix to the *dev* AMO server and publish it?

https://addons-dev.allizom.org/developers/addon/firefox-hotfix/edit
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
It's up on dev and published now.
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
I can't make the automatic install work, using the info on https://developer.mozilla.org/en-US/Add-ons/Hotfix#Testing_the_hotfix_on_the_staging_server. The signature is correct, also tried by running the ping snippet. Tested on FF 10, 28 Win 7.
So, what could be the problem?
Flags: needinfo?(jorge)
(Reporter)

Comment 5

3 years ago
Wait, why is the filename of the signed xpi different from what I submitted?

When I attempt to install it, I get the following:

Timestamp: 6/24/14, 11:43:30 AM
Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.
Source File: resource:///modules/CertUtils.jsm
Line: 103
Timestamp: 6/24/14, 11:43:30 AM
Error: Certificate checks failed. See previous errors for details.
Source File: resource:///modules/CertUtils.jsm
Line: 106
Timestamp: 6/24/14, 11:43:30 AM
Warning: WARN addons.manager: The hotfix add-on was not signed by the expected certificate and so will not be installed.
LOG addons.xpi: Cancelling download of https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi

Not sure if the two are related. I'm going to reopen this until we have staging working.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(Assignee)

Comment 6

3 years ago
$ wget https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi
$ wget https://bugzilla.mozilla.org/attachment.cgi\?id\=8443851 -O signed.xpi

$ md5sum *.xpi
1fa3c14f708d3502269357c41f4ee549  mozilla_firefox_hotfix-20130826.01-fx.xpi
a7722cc56ba17c672d80a4937839ce1d  signed.xpi

They are not identical. Also 20130826 doesn't sound right...
Are you sure you're getting the right file?  When I install from https://addons-dev.allizom.org/en-US/firefox/addon/firefox-hotfix/ it does a redirect dance and ends up at https://addons-dev-cdn.allizom.org/storage/public-staging/354399/mozilla_firefox_hotfix-20140527.01.xpi which md5sums to a7722cc56ba17c672d80a4937839ce1d.
(Assignee)

Comment 8

3 years ago
I'll be off Thu-Wed. Please ping people in #releng if there is something actionable from Releng side. I'll keep the bug assigned to me to make sure it's closed properly.
I uploaded the file in comment #1, which has an incorrect file name but appears to be the correct version. install.rdf and AMO have the correct number: 20140527.01

I don't know what could be wrong with the auto install. Maybe Unfocused can help with this.
Flags: needinfo?(jorge) → needinfo?(bmcbride)
To summarize what I think is happening here:
* rail made a typo when creating the signed file, using the command in the doc without updating the output file name. The correct input and signing cert were used.

* in comment #5, the build is expecting an old cert, it needs this treatment 
    https://developer.mozilla.org/en-US/Add-ons/Hotfix#Signatures
  before testing the hotfix. For reference, the baked in key signatures in Firefox are:
    From 10.0 - F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45
    From 17.0 - CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89
    From 25.0 - 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA

* the wrong file in comment #5, something wrong on the AMO side or testing method? It looks like the original v20130826.01, with a key sig which matches the active cert at that time (i.e. CA:C4...)

I suggest retesting, making sure extensions.hotfix.certs.1.sha1Fingerprint has been set to 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA.
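
Added example, not part of the original comments and not Firefox's CertUtils.jsm: a simplified model of the fingerprint pin that extensions.hotfix.certs.1.sha1Fingerprint controls, run over the error line from comment 5. The function names are hypothetical; the fingerprints and version labels are the ones listed above.

```javascript
// Added example: a simplified model of the pinned-certificate check, not CertUtils.jsm.
// Fingerprints and "since" versions are the ones listed in the comment above.
const BAKED_IN = [
  { since: "10.0", sha1: "F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45" },
  { since: "17.0", sha1: "CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89" },
  { since: "25.0", sha1: "91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA" },
];

// Error line copied from comment 5.
const COMMENT_5_ERROR =
  "Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, " +
  "expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', " +
  "got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.";

// Canonical form, so "ca:c4:..." and "CAC4..." compare equal to "CA:C4:...".
function normalize(fp) {
  const hex = fp.replace(/[^0-9a-fA-F]/g, "").toUpperCase();
  if (hex.length !== 40) throw new Error("not a SHA-1 fingerprint: " + fp);
  return hex.match(/../g).join(":");
}

// Which listed Firefox version introduced this fingerprint (null if unknown).
function generationOf(fp) {
  const hit = BAKED_IN.find((e) => e.sha1 === normalize(fp));
  return hit ? hit.since : null;
}

// Extract the expected and actual fingerprints from an error-console line.
function parseCertError(line) {
  const m = /expected: '([^']+)', got: '([^']+)'/.exec(line);
  return m ? { expected: normalize(m[1]), got: normalize(m[2]) } : null;
}

// The signer passes only if its fingerprint equals one of the pinned values.
function isPinned(pinned, signerFp) {
  return pinned.map(normalize).includes(normalize(signerFp));
}

// Explain a failure and test the suggested re-pin to the 25.0 fingerprint.
function diagnose(line) {
  const e = parseCertError(line);
  if (!e) return null;
  return {
    clientPinnedSince: generationOf(e.expected),
    fileSignerSince: generationOf(e.got),
    passesAfterRepin: isPinned([BAKED_IN[2].sha1], e.got),
  };
}
```

For the comment 5 line, `diagnose` reports a client pinned to the 10.0 fingerprint and a file signed with the 17.0 one, and `passesAfterRepin` is false: re-pinning alone would not have made that particular download install, which matches the third bullet above.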
I suspect because the update ping to addons-dev.allizom.org results in a 304 status code, redirecting to versioncheck.addons.mozilla.org.

Might want to fix that :)
Flags: needinfo?(bmcbride)
(In reply to Blair McBride [:Unfocused] from comment #11)
> I suspect because the update ping to addons-dev.allizom.org results in a 304
> status code, redirecting to versioncheck.addons.mozilla.org.
> 
> Might want to fix that :)

Wil, did something change recently about the update ping on -dev?
Flags: needinfo?(clouserw)
Nothing from me.  Jason would know if we moved boxes around - they were changing settings files recently which might have affected this, although I thought it was only marketplace.  

Are you expecting -dev to just point to -dev and not any VAMO (not even a -dev VAMO)?
Flags: needinfo?(clouserw)
I expect auto-updates to use -dev if you point your profile to -dev. I don't know what that entails.
Jason: This URL is redirecting to production VAMO:  https://addons-dev.allizom.org/update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%

Do you think that's a recent change?  Can you make it...not do that? :)
Flags: needinfo?(jthomas)
Should be fixed now:

λ master ~ → curl -I  https://addons-dev.allizom.org/update/VersionCheck.php\?reqVersion\=2\&id\=firefox-hotfix@mozilla.org\&version\=\&maxAppVersion\=%ITEM_MAXAPPVERSION%\&status\=userEnabled,incompatible\&appID\=\{ec8030f7-c20a-464f-9b0e-13a3a9e97384\}\&appVersion\=24.0\&appOS\=Darwin\&appABI\=x86_64-gcc3\&locale\=en-US\&currentAppVersion\=24.0\&updateType\=%UPDATE_TYPE%\&compatMode\=%COMPATIBILITY_MODE%
HTTP/1.1 301 Moved Permanently
Server: nginx
X-Backend-Server: dev2
Content-Type: text/html
Date: Mon, 30 Jun 2014 19:16:41 GMT
Location: https://versioncheck-dev.allizom.org//update/VersionCheck.php?reqVersion=2&id=firefox-hotfix@mozilla.org&version=&maxAppVersion=%ITEM_MAXAPPVERSION%&status=userEnabled,incompatible&appID=ec8030f7-c20a-464f-9b0e-13a3a9e97384&appVersion=24.0&appOS=Darwin&appABI=x86_64-gcc3&locale=en-US&currentAppVersion=24.0&updateType=%UPDATE_TYPE%&compatMode=%COMPATIBILITY_MODE%
Via: Moz-zlb10
Connection: keep-alive
Content-Length: 178
Flags: needinfo?(jthomas)
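
Added example, not part of the original comments and not AMO or Firefox code: a check that one hop of the update ping keeps a staging profile on staging hosts, applied to the response head above and to a constructed response that redirects to production. The host allowlist is an assumption built from the -dev hostnames that appear in this thread, and the function names are hypothetical.

```javascript
// Added example, not AMO or Firefox code.
// Assumption: the allowlist is just the -dev hostnames that appear in this thread.
const STAGING_HOSTS = new Set([
  "addons-dev.allizom.org",
  "versioncheck-dev.allizom.org",
  "addons-dev-cdn.allizom.org",
]);
const REQUEST_URL = "https://addons-dev.allizom.org/update/VersionCheck.php?reqVersion=2";

// Abridged from the curl -I output above (query string shortened).
const FIXED_HEAD = [
  "HTTP/1.1 301 Moved Permanently",
  "Server: nginx",
  "Location: https://versioncheck-dev.allizom.org//update/VersionCheck.php?reqVersion=2",
  "Content-Length: 178",
].join("\r\n");

// Constructed: the earlier behaviour, a redirect to the production host named in the thread.
const BROKEN_HEAD = [
  "HTTP/1.1 301 Moved Permanently",
  "Location: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=2",
].join("\r\n");

// Parse the status line and headers of a raw response head.
function parseHead(raw) {
  const lines = raw.split(/\r?\n/).filter((l) => l.trim() !== "");
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(lines[0] || "");
  if (!m) throw new Error("no HTTP status line");
  const headers = {};
  for (const l of lines.slice(1)) {
    const i = l.indexOf(":");
    if (i > 0) headers[l.slice(0, i).trim().toLowerCase()] = l.slice(i + 1).trim();
  }
  return { status: Number(m[1]), headers };
}

// Does this hop of the update ping keep a staging profile on staging hosts?
function checkHop(requestUrl, rawHead) {
  const { status, headers } = parseHead(rawHead);
  if (![301, 302, 303, 307, 308].includes(status)) {
    const host = new URL(requestUrl).hostname;
    return { status, redirect: false, host, ok: STAGING_HOSTS.has(host) };
  }
  if (!headers.location) return { status, redirect: true, host: null, ok: false };
  const target = new URL(headers.location, requestUrl); // resolves a relative Location
  const ok = target.protocol === "https:" && STAGING_HOSTS.has(target.hostname);
  return { status, redirect: true, host: target.hostname, ok };
}
```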
Great!

We will have a new hotfix shortly for signing and staging. I think we should call this bug FIXED and file a new bug for the fixed version.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Updated

3 years ago
Blocks: 1034216
(Reporter)

Updated

3 years ago
Blocks: 1038382