some signed extensions on AMO fail to install (addon corrupted)

RESOLVED FIXED

Status

()

Toolkit
Add-ons Manager
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: Alice0775 White, Assigned: magopian)

Tracking

(Blocks: 1 bug, {regression})

38 Branch
regression
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox38+ fixed)

Details

(Reporter)

Description

3 years ago
Build Identifier:
https://hg.mozilla.org/releases/mozilla-release/rev/62bee8cdd19f
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0 ID:20150513174244

Signed extensions on AMO fails to install.

Steps to reproduce:
Try to install from
https://addons.mozilla.org/en-US/firefox/addon/quoteurltext/
https://addons.mozilla.org/en-US/firefox/addon/aguse/

Actual Results:
It fails to install.
Door hanger said "The add-on downloaded from addons.mozilla.org could not be installed because it appears to be corrupt."

Expected Results:
Successfully installed

Updated

3 years ago
Duplicate of this bug: 1169519

Comment 2

3 years ago
Another example:
Map This 0.3.1.1-signed
https://addons.mozilla.org/firefox/addon/map-this/

The add-ons successfully install in Nightly, but the signature is not recognized: the warning “could not be verified for use in Nightly” is displayed.
Potentially an important regression, tracking.
tracking-firefox38: --- → +
(Assignee)

Comment 4

3 years ago
This comment is about the "addon is corrupt" issue. I think it's different than the "signature is not recognized" one.


Here are the logs when trying to install the "quoteurl" addon from https://addons.mozilla.org/en-US/firefox/addon/quoteurltext/

1432893291948	addons.xpi	DEBUG	Download started for https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary to file /Users/mathieu/Library/Caches/TemporaryItems/tmp-g1c.xpi
1432893291949	addons.xpi	DEBUG	Download of https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary completed.
1432893291950	addons.xpi	WARN	Download of https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary failed: [Exception... "Component returned failure code: 0x8052000b (NS_ERROR_FILE_CORRUPTED) [nsIZipReader.getSigningCert]"  nsresult: "0x8052000b (NS_ERROR_FILE_CORRUPTED)"  location: "JS frame :: resource://gre/modules/addons/XPIProvider.jsm :: AI_loadManifest :: line 5295"  data: no] Stack trace: AI_loadManifest()@resource://gre/modules/addons/XPIProvider.jsm:5295 < AI_onStopRequest()@resource://gre/modules/addons/XPIProvider.jsm:5580 < <file:unknown>
1432893291954	addons.xpi	DEBUG	downloadFailed: removing temp file for https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary
1432893291954	addons.xpi	DEBUG	removeTemporaryFile: https://addons.mozilla.org/firefox/downloads/latest/4292/addon-4292-latest.xpi?src=dp-btn-primary removing temp file /Users/mathieu/Library/Caches/TemporaryItems/tmp-g1c.xpi


I tried the two others also on my FF 39, with the same result. I could manage installing them on my Firefox Dev edition "40.0a2 (2015-05-28)" though. The very first time I tried on the dev edition (before it got updated/restarted?) it failed with the exact same issue.

I also tried using a new profile on my FF 39, but it failed the same way.
(Assignee)

Comment 5

3 years ago
I've opened a new bug for the "this signature is not recognized" issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1169574
See Also: → bug 1169574
I think the patch in bug 1038068 needs to be uplifted to beta.

:Mossop, can you confirm?
Flags: needinfo?(dtownsend)
(Assignee)

Updated

3 years ago
Summary: some signed extensions on AMO fails to install → some signed extensions on AMO fails to install (addon corrupted)
mozregression narrowed it down to https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5fa88d413c4f&tochange=ad388474898c

From reading the description that page, bug 1038068 is the only bug I spotted who could be "responsible".
(Assignee)

Updated

3 years ago
Summary: some signed extensions on AMO fails to install (addon corrupted) → some signed extensions on AMO fail to install (addon corrupted)
(In reply to Andreas Wagner [:TheOne] from comment #6)
> I think the patch in bug 1038068 needs to be uplifted to beta.
> 
> :Mossop, can you confirm?

No that shouldn't be necessary. If beta doesn't work without that patch then I'd expect no version of Firefox before 40 to work, is that the case?
Flags: needinfo?(dtownsend)
So the bug is that these add-ons have multiple manifest.mf files. One of them is the one we add during signing, the other is one that was already present in the add-on and in the cases here they don't contain hashes for the files in the add-on.

The old Firefox signature checks call an add-on corrupt if it appears signed and has multiple manifest.mf files so these add-ons probably don't install in any version of Firefox before 40.

The new signature checks don't do that, but they will use the original manifest.mf (it is listed first in the zip) for the signature checks which in at least these cases will fail because they don't hash the add-on's files.

The original manifest looks like it comes from some build tools, gcc is mentioned in one, Apache Ant in another.

This is something we'll have to fix by signing these add-ons correctly I think.
I guess bug 1169574 is the bug to do that
Depends on: 1169574
Blocks: 1070153
(Assignee)

Comment 11

3 years ago
Fixed in https://github.com/mozilla/olympia/commit/8b4966ff33f22f35ba1cf286fb3f822c8bec0258 (at the same time as bug 1169574)
Assignee: nobody → mathieu
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
status-firefox38: affected → fixed
You need to log in before you can comment on or make changes to this bug.