Closed Bug 1169574 Opened 10 years ago Closed 10 years ago

some signed extensions on AMO fail to install (signature not recognized)

Categories

(Toolkit :: Add-ons Manager, defect)

Product:
Toolkit
Component:
Add-ons Manager
Version:
38 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: magopian, Assigned: rtilder)

References

Details

(Keywords: regression)

This bug was created following comment 2 on https://bugzilla.mozilla.org/show_bug.cgi?id=1169537#c2 about signatures not recognized. Just a first impression about that, opening the "quoteurl" and the "map_this" addons, I see there's a META-INF/MANIFEST.mf file in there, which seem to have been there before we signed the file. This could cause the issue on the client, because of a confusion between the META-INF/MANIFEST.mf file and the META-INF/manifest.mf (ours).
See Also: → 1169537
Summary: some signed extensions on AMO fails to install → some signed extensions on AMO fails to install (signature not recognized)
Summary: some signed extensions on AMO fails to install (signature not recognized) → some signed extensions on AMO fail to install (signature not recognized)
The duplicate file definitely seems the most likely candidate. It got through testing because Python fnmatch module defaults to the OS's case sensitivity. In the case of OS X as used on my workstation, it seems to default to case insensitive. On Linux in production, not the case. PR filed: https://github.com/mozilla/signing-clients/pull/18
Assignee: nobody → rtilder
Status: NEW → ASSIGNED
a tentative PR on olympia to find all the addons that suffer from this issue: https://github.com/mozilla/olympia/pull/573 With the list of such addons, we could resign them with "sign_addons --force" or unsign them and sign them again after that.
Blocks: 1169537
To confirm the multiple manifest.mf files is the problem. For old Firefox version this makes the add-on corrupt entirely, newer versions accept multiple manifest.mf files but only checks the original for the file hashes and in the cases we've seen so far that manifest doesn't hash the files properly. Note that Firefox 40/41 users will have downloaded and installed updates for these affected add-ons. For them to get properly signed versions we will need to bump the version number higher again
(In reply to Mathieu Agopian [:magopian] from comment #2) > a tentative PR on olympia to find all the addons that suffer from this > issue: https://github.com/mozilla/olympia/pull/573 > > With the list of such addons, we could resign them with "sign_addons > --force" or unsign them and sign them again after that. > I don't have any real preference for which technique is used as long as the affected addons all get signed again with the updated signing clients. The end result should be the same. Might be a UX issue for addon developers. I'm not certain whom we should contact about that.
PR merged.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Blocks: 1070153
You need to log in before you can comment on or make changes to this bug.