Closed Bug 1028388 Opened 6 years ago Closed 6 years ago

Sign the Firefox update hotfix (v20140527.01)

Categories

(Release Engineering :: Release Requests, defect)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: rail)

Attachments

(2 files)

Please sign the attached XPI, a Firefox hotfix that upgrades clients stuck on old releases.

For your reference, a similar request is bug 985689.
attached
Assignee: nobody → rail
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Wil or Jorge:

Could one of you please upload the signed hotfix to the *dev* AMO server and publish it?

https://addons-dev.allizom.org/developers/addon/firefox-hotfix/edit
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
It's up on dev and published now.
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
I can't make the automatic install work, using the info on https://developer.mozilla.org/en-US/Add-ons/Hotfix#Testing_the_hotfix_on_the_staging_server. The signature is correct, also tried by running the ping snippet. Tested on FF 10, 28 Win 7.
So, what could be the problem?
Flags: needinfo?(jorge)
Wait, why is the filename of the signed xpi different from what I submitted?

When I attempt to install it, I get the following:

Timestamp: 6/24/14, 11:43:30 AM
Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.
Source File: resource:///modules/CertUtils.jsm
Line: 103
Timestamp: 6/24/14, 11:43:30 AM
Error: Certificate checks failed. See previous errors for details.
Source File: resource:///modules/CertUtils.jsm
Line: 106
Timestamp: 6/24/14, 11:43:30 AM
Warning: WARN addons.manager: The hotfix add-on was not signed by the expected certificate and so will not be installed.
LOG addons.xpi: Cancelling download of https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi

Not sure if the two are related. I'm going to reopen this until we have staging working.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
$ wget https://addons.cdn.mozilla.net/storage/public-staging/354399/mozilla_firefox_hotfix-20130826.01-fx.xpi
$ wget https://bugzilla.mozilla.org/attachment.cgi\?id\=8443851 -O signed.xpi

$ md5sum *.xpi
1fa3c14f708d3502269357c41f4ee549  mozilla_firefox_hotfix-20130826.01-fx.xpi
a7722cc56ba17c672d80a4937839ce1d  signed.xpi

They are not identical. Also 20130826 doesn't sound right...
Are you sure you're getting the right file?  When I install from https://addons-dev.allizom.org/en-US/firefox/addon/firefox-hotfix/ it does a redirect dance and ends up at https://addons-dev-cdn.allizom.org/storage/public-staging/354399/mozilla_firefox_hotfix-20140527.01.xpi which md5sums to a7722cc56ba17c672d80a4937839ce1d.
I'll be off Thu-Wed. Please ping people in #releng if there is something actionable from Releng side. I'll keep the bug assigned to me to make sure it's closed properly.
I uploaded the file in comment #1, which has an incorrect file name but appears to be the correct version. install.rdf and AMO have the correct number: 20140527.01

I don't know what could be wrong with the auto install. Maybe Unfocused can help with this.
Flags: needinfo?(jorge) → needinfo?(bmcbride)
To summarize what I think is happening here:
* rail made a typo when creating the signed file, using the command in the doc without updating the output file name. The correct input and signing cert were used.

* in comment #5, the build is expecting an old cert, it needs this treatment 
    https://developer.mozilla.org/en-US/Add-ons/Hotfix#Signatures
  before testing the hotfix. For reference, the baked in key signatures in Firefox are:
    From 10.0 - F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45
    From 17.0 - CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89
    From 25.0 - 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA

* the wrong file in comment #5, something wrong on the AMO side or testing method? It looks like the original v20130826.01, with a key sig which matches the active cert at that time (i.e. CA:C4...)

I suggest retesting, making sure extensions.hotfix.certs.1.sha1Fingerprint has been set to 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA.
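
Added example (not part of the bug thread and not Mozilla's CertUtils.jsm): a small triage helper that parses the certificate error quoted in comment #5 and maps both fingerprints onto the pinned values listed in the summary above, showing which side of the mismatch is stale. The function names are hypothetical; the fingerprints and the error text are copied from this bug.

```javascript
// Added example, not Mozilla's CertUtils.jsm. Fingerprints and the error text
// are copied from this bug; all function names are hypothetical.
const PINNED = [ // hotfix cert fingerprints baked into Firefox, per the thread
  { since: "10.0", sha1: "F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45" },
  { since: "17.0", sha1: "CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89" },
  { since: "25.0", sha1: "91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA" },
];
const CURRENT_CERT = PINNED[2].sha1; // value the thread says to put in the pref
const SAMPLE_ERROR = "Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.";

// Normalise a SHA-1 fingerprint to upper-case colon-separated hex, or null.
function normalizeFingerprint(fp) {
  const hex = String(fp).replace(/[:\s]/g, "").toUpperCase();
  return /^[0-9A-F]{40}$/.test(hex) ? hex.match(/../g).join(":") : null;
}

// Extract the expected/got pair from a console line of the form seen in this bug.
function parseCertError(line) {
  const m = /attribute 'sha1Fingerprint' value incorrect, expected: '([^']+)', got: '([^']+)'/.exec(line);
  if (!m) return null;
  const expected = normalizeFingerprint(m[1]);
  const got = normalizeFingerprint(m[2]);
  return expected && got ? { expected, got } : null;
}

// Which pinned generation (if any) a fingerprint belongs to.
function pinnedSince(fp) {
  const hit = PINNED.find((p) => p.sha1 === normalizeFingerprint(fp));
  return hit ? hit.since : null;
}

// Compare both sides of the mismatch against the cert used for the new signing.
function triage(line, signedWith) {
  const err = parseCertError(line);
  if (!err) return { status: "unparsed" };
  const want = normalizeFingerprint(signedWith);
  return {
    status: "mismatch",
    buildPinsCertFrom: pinnedSince(err.expected),  // generation the profile expects
    xpiSignedWithCertFrom: pinnedSince(err.got),   // generation that signed the download
    buildExpectsCurrentCert: err.expected === want, // false: set the pref before testing
    xpiMatchesCurrentCert: err.got === want,        // false: a different XPI was served
  };
}

console.log(triage(SAMPLE_ERROR, CURRENT_CERT));
```

For the error in comment #5, both flags come back false: the test profile still pins the 10.0 certificate, and the downloaded XPI carries the 17.0 certificate rather than the one used for this signing.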
I suspect because the update ping to addons-dev.allizom.org results in a 304 status code, redirecting to versioncheck.addons.mozilla.org.

Might want to fix that :)
Flags: needinfo?(bmcbride)
(In reply to Blair McBride [:Unfocused] from comment #11)
> I suspect because the update ping to addons-dev.allizom.org results in a 304
> status code, redirecting to versioncheck.addons.mozilla.org.
> 
> Might want to fix that :)

Wil, did something change recently about the update ping on -dev?
Flags: needinfo?(clouserw)
Nothing from me.  Jason would know if we moved boxes around - they were changing settings files recently which might have affected this, although I thought it was only marketplace.  

Are you expecting -dev to just point to -dev and not any VAMO (not even a -dev VAMO)?
Flags: needinfo?(clouserw)
I expect auto-updates to use -dev if you point your profile to -dev. I don't know what that entails.
Great!

We will have a new hotfix shortly for signing and staging. I think we should call this bug FIXED and file a new bug for the fixed version.
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1034216
Blocks: 1038382