Closed Bug 1028388 Opened 6 years ago Closed 6 years ago

Sign the Firefox update hotfix (v20140527.01)


(Release Engineering :: Release Requests, defect)




(Reporter: gps, Assigned: rail)




(2 files)

Please sign the attached XPI, a Firefox hotfix that upgrades clients stuck on old releases.

For your reference, a similar request is bug 985689.
Assignee: nobody → rail
Closed: 6 years ago
Resolution: --- → FIXED
Wil or Jorge:

Could one of you please upload the signed hotfix to the *dev* AMO server and publish it?
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
It's up on dev and published now.
Flags: needinfo?(jorge)
Flags: needinfo?(clouserw)
I can't make the automatic install work, using the info on The signature is correct, also tried by running the ping snippet. Tested on FF 10, 28 Win 7.
So, what could be the problem?
Flags: needinfo?(jorge)
Wait, why is the filename of the signed xpi different from what I submitted?

When I attempt to install it, I get the following:

Timestamp: 6/24/14, 11:43:30 AM
Error: Expected certificate attribute 'sha1Fingerprint' value incorrect, expected: 'F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45', got: 'CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89'.
Source File: resource:///modules/CertUtils.jsm
Line: 103
Timestamp: 6/24/14, 11:43:30 AM
Error: Certificate checks failed. See previous errors for details.
Source File: resource:///modules/CertUtils.jsm
Line: 106
Timestamp: 6/24/14, 11:43:30 AM
Warning: WARN addons.manager: The hotfix add-on was not signed by the expected certificate and so will not be installed.
LOG addons.xpi: Cancelling download of

Not sure if the two are related. I'm going to reopen this until we have staging working.
Resolution: FIXED → ---
$ wget
$ wget\?id\=8443851 -O signed.xpi

$ md5sum *.xpi
1fa3c14f708d3502269357c41f4ee549  mozilla_firefox_hotfix-20130826.01-fx.xpi
a7722cc56ba17c672d80a4937839ce1d  signed.xpi

They are not identical. Also 20130826 doesn't sound right...
Are you sure you're getting the right file?  When I install from it does a redirect dance and ends up at which md5sums to a7722cc56ba17c672d80a4937839ce1d.
I'll be off Thu-Wed. Please ping people in #releng if there is something actionable from Releng side. I'll keep the bug assigned to me to make sure it's closed properly.
I uploaded the file in comment #1, which has an incorrect file name but appears to be the correct version. install.rdf and AMO have the correct number: 20140527.01

I don't know what could be wrong with the auto install. Maybe Unfocused can help with this.
Flags: needinfo?(jorge) → needinfo?(bmcbride)
To summarize what I think is happening here:
* rail made a typo when creating the signed file, using the command in the doc without updating the output file name. The correct input and signing cert were used.

* in comment #5, the build is expecting an old cert, it needs this treatment
  before testing the hotfix. For reference, the baked in key signatures in Firefox are:
    From 10.0 - F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45
    From 17.0 - CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89
    From 25.0 - 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA

* the wrong file in comment #5, something wrong on the AMO side or testing method? It looks like the original v20130826.01, with a key sig which matches the active cert at that time (i.e. CA:C4...)

I suggest retesting, making sure extensions.hotfix.certs.1.sha1Fingerprint has been set to 91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA.
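
The fingerprint pinning behind the errors quoted above, as an added example that is not part of the original bug thread and is not Firefox's own code: a simplified model of matching a signing certificate against `extensions.hotfix.certs.N.*` prefs. The function names, the flat prefs object, and the assumption that the new hotfix is signed with the "From 25.0" certificate are illustrative.

```javascript
// Simplified model of a pinned signing-certificate check (added example).
// readPinnedCerts/checkCert and the flat prefs object are hypothetical names.

// Group prefs like "extensions.hotfix.certs.1.sha1Fingerprint" into numbered sets.
function readPinnedCerts(prefs, branch) {
  const sets = new Map();
  for (const [name, value] of Object.entries(prefs)) {
    if (!name.startsWith(branch)) continue;
    const [index, attr] = name.slice(branch.length).split(".");
    if (!/^\d+$/.test(index) || !attr) continue;
    if (!sets.has(index)) sets.set(index, {});
    sets.get(index)[attr] = value;
  }
  return [...sets.keys()].sort((a, b) => a - b).map((k) => sets.get(k));
}

// Fingerprints compare without regard to case or ':' separators; other attributes exactly.
const norm = (attr, v) =>
  attr === "sha1Fingerprint" ? String(v).replace(/:/g, "").toUpperCase() : String(v);

// Accept only if every attribute of at least one pinned set matches the certificate.
function checkCert(cert, pinned) {
  if (pinned.length === 0) return { ok: false, errors: ["no pinned certificates"] }; // fail closed
  const errors = [];
  for (const set of pinned) {
    const bad = Object.keys(set).find((a) => norm(a, cert[a] ?? "") !== norm(a, set[a]));
    if (bad === undefined) return { ok: true, errors: [] };
    errors.push(`'${bad}' expected: '${set[bad]}', got: '${cert[bad]}'`);
  }
  return { ok: false, errors };
}

// Constructed inputs built from the fingerprints quoted in the thread.
const BRANCH = "extensions.hotfix.certs.";
const FP_10 = "F1:DB:F9:6A:7B:B8:04:FA:48:3C:16:95:C7:2F:17:C6:5B:C2:9F:45";
const FP_17 = "CA:C4:7D:BF:63:4D:24:E9:DC:93:07:2F:E3:C8:EA:6D:C3:94:6E:89";
const FP_25 = "91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA";
const oldBuildPrefs = { [BRANCH + "1.sha1Fingerprint"]: FP_10 }; // pin baked into a 10.0 build
const retestPrefs = { [BRANCH + "1.sha1Fingerprint"]: FP_25 };   // pref value suggested for retest
const rejectedCert = { sha1Fingerprint: FP_17 };  // the "got" value in the logged error
const newHotfixCert = { sha1Fingerprint: FP_25 }; // assumption: signed with the 25.0 cert

console.log(checkCert(rejectedCert, readPinnedCerts(oldBuildPrefs, BRANCH)));
console.log(checkCert(newHotfixCert, readPinnedCerts(retestPrefs, BRANCH)));
```
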
I suspect because the update ping to results in a 304 status code, redirecting to

Might want to fix that :)
Flags: needinfo?(bmcbride)
(In reply to Blair McBride [:Unfocused] from comment #11)
> I suspect because the update ping to results in a 304
> status code, redirecting to
> Might want to fix that :)

Wil, did something change recently about the update ping on -dev?
Flags: needinfo?(clouserw)
Nothing from me. Jason would know if we moved boxes around - they were changing settings files recently which might have affected this, although I thought it was only marketplace.

Are you expecting -dev to just point to -dev and not any VAMO (not even a -dev VAMO)?
Flags: needinfo?(clouserw)
I expect auto-updates to use -dev if you point your profile to -dev. I don't know what that entails.

We will have a new hotfix shortly for signing and staging. I think we should call this bug FIXED and file a new bug for the fixed version.
Closed: 6 years ago
Resolution: --- → FIXED
Blocks: 1034216
Blocks: 1038382