Closed Bug 1407685 Opened 3 years ago Closed 3 years ago

"ERROR: Unknown signature algorithm ID" in 56 updates

Categories

(Toolkit :: Application Update, defect, P5)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox58 --- affected

People

(Reporter: keeler, Unassigned)

(In reply to Ben from bug 1105689 comment 72)
> When updating Fx 56.0 to 56.0.1 using the partial.mar or complete.mar files,
> updates fail.
> D/L files from
> https://ftp.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en-US/
> 
> The error in Linux terminal is: "ERROR: Unknown signature algorithm ID." 
> That error is shown in code from comment 5, above.
> Same error when installing firefox-56.0-56.0.1.partial.mar, and
> firefox-56.0.1.complete.mar
> 
> I didn't see an error or have problem installing
> firefox-55.0.3-56.0.partial.mar.
> The Mozilla Firefox version is installed in /opt.
> 
> Only SHA256, 512 are listed on the v56.0.1 D/L page (above)  - and those
> check out on the downloaded files.
> I also verified signatures on the two 56.0.1 update files.
> 
> No idea what the problem is, except a change for checksums used in Fx landed
> in v56 & that's the 1st one I saw this error or had a problem installing
> updates.
> 
> After updating 55.0.3 to 56.0, rechecking for updates should show another is
> available (56.0.1), but shows "up to date."
> 
> In about:preferences, it lists Version 56.0 (64-bit), but Update History
> shows last update was 55.0.3.
Ben, can you please elaborate on how you are performing this update, specific steps, terminal or UX.

For reference, the update from 56.0 --> 56.0.1 is meant only for a certain class of Windows users, but new downloads can indeed get 56.0.1 for all platforms.

There is absolutely no substantive difference for Linux users between 56.0 and 56.0.1 to require the update, and is why we don't show an update available in the UX for 56.0 users on Linux, (we don't need them to download an update for no reason).

Thank You,
Flags: needinfo?(bendov)
Priority: -- → P5
Sure.  The update files are D/L from https://ftp.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en.
Or (Linux) http://archive.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en-US/ (listed in the how to article).
There's the Linux (US) updates for 56.0 to 56.0.1.
The previous update was firefox-55.0.3-56.0.partial.mar. 
 
The method used is from https://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file#Steps_for_Linux.  Also Mac, Windows instructions.
Since you asked, I looked at the article & noticed they updated it October 11, 2017, at 11:37.
It now says:
> Important:
>
> "Changes made to all applications in version 56.0 require updating or installing version 56.0 of the application before updating to a newer version."

I read that as updating from 55.0.3 to 56.0 is OK.  It does say "require updating OR installing version 56.0," which I did.  Except, the wiki steps require copying the updater executable file to a folder OUTSIDE of Fx installation, to install partial.mar updates.

If Mozilla made changes in the updater / updater.exe file, regarding signature or checksum algorithms, it could be the cause.  The updater file in v56.0 has changed (size).  I'll go & try the v56 updater file, since the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1407685 discussed using SHA384 & use 4096 bit signature.  Though SHA384 checksums aren't on the v56 updates D/L pages, yet.  I'll report back.
Flags: needinfo?(bendov)
(In reply to Ben from comment #2)
> Sure.  The update files are D/L from
> https://ftp.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en.
> Or (Linux)
> http://archive.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en-US/
> (listed in the how to article).
> There's the Linux (US) updates for 56.0 to 56.0.1.
> The previous update was firefox-55.0.3-56.0.partial.mar. 
>  
> The method used is from
> https://wiki.mozilla.org/Software_Update:Manually_Installing_a_MAR_file#Steps_for_Linux.
> Also Mac, Windows instructions.
> Since you asked, I looked at the article & noticed they updated it October
> 11, 2017, at 11:37.
> It now says:
> > Important:
> >
> > "Changes made to all applications in version 56.0 require updating or installing version 56.0 of the application before updating to a newer version."
Yes, I added that today. :)

We'll provide best effort support for manually applying mar files but it isn't officially supported.

> 
> I read that as updating from 55.0.3 to 56.0 is OK.  It does say "require
> updating OR installing version 56.0," which I did.  Except, the wiki steps
> require copying the updater executable file to a folder OUTSIDE of Fx
> installation, to install partial.mar updates.
> 
> If Mozilla made changes in the updater / updater.exe file, regarding
> signature or checksum algorithms, it could be the cause.  The updater file
> in v56.0 has changed (size).  I'll go & try the v56 updater file, since the
> bug https://bugzilla.mozilla.org/show_bug.cgi?id=1407685 discussed using
> SHA384 & use 4096 bit signature.
You will need to use the v56 updater to update but as stated by Callek the 56.0.1 update is Windows specific and is not advertised to Mac or Linux.

The mar file you should use is the one without bz in the name.

We've tested updating on Linux on the Nightly, Aurora, and Beta channels for over 6 weeks so I don't expect that there will be any issues beyond using the correct updater and the correct mar files.

> Though SHA384 checksums aren't on the v56
> updates D/L pages, yet.  I'll report back.
Those checksums are not what are used for the mar signature verification.
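
The "Unknown signature algorithm ID" failure discussed above concerns the signature block embedded in the MAR file itself, not the SHA256/SHA512 checksum files on the download page. As an added example (not code from this bug or from Mozilla's updater), the following Python reads that block and reports which algorithm ID a MAR carries; the helper names, the constructed sample and the `known_ids` sets are assumptions for illustration, and the ID meanings (1 = SHA1 with a 2048-bit key, 2 = SHA384 with a 4096-bit key) follow the MAR format documentation.

```python
import struct
import sys

# Signature algorithm IDs in the MAR signature block (labels are descriptive).
MAR_SIG_ALGORITHMS = {
    1: "RSA-PKCS1-SHA1, 2048-bit key",
    2: "RSA-PKCS1-SHA384, 4096-bit key",
}
MAX_SIGNATURES = 8  # sanity limit chosen for this example

class MarFormatError(ValueError):
    """Raised when the input is not a well-formed signed MAR."""

def read_signature_entries(data):
    """Return [(algorithm_id, signature_length), ...]; verifies nothing."""
    if len(data) < 20 or data[:4] != b"MAR1":
        raise MarFormatError("bad magic or truncated header")
    # Big-endian: index offset (4), total file size (8), signature count (4).
    _index_offset, file_size, count = struct.unpack_from(">IQI", data, 4)
    if file_size != len(data):
        raise MarFormatError("declared file size does not match actual length")
    if count > MAX_SIGNATURES:
        raise MarFormatError("implausible signature count")
    pos, entries = 20, []
    for _ in range(count):
        if pos + 8 > len(data):
            raise MarFormatError("signature entry header runs past end of file")
        alg_id, sig_len = struct.unpack_from(">II", data, pos)
        pos += 8
        if pos + sig_len > len(data):
            raise MarFormatError("signature runs past end of file")
        entries.append((alg_id, sig_len))
        pos += sig_len
    return entries

def unknown_algorithm_ids(data, known_ids):
    """IDs that an updater recognising only `known_ids` would reject."""
    found = {alg for alg, _ in read_signature_entries(data)}
    return sorted(found - set(known_ids))

def build_sample_mar(alg_id, sig_len):
    """Constructed sample: header and one zero-filled signature, no payload."""
    body = struct.pack(">III", 1, alg_id, sig_len) + bytes(sig_len)
    total = 16 + len(body)
    return b"MAR1" + struct.pack(">IQ", total, total) + body

if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mar(2, 512)
    for alg, size in read_signature_entries(raw):
        print(alg, MAR_SIG_ALGORITHMS.get(alg, "unknown"), f"{size}-byte signature")
```

Run with a `.mar` path as the only argument to inspect a downloaded file; reading the ID this way does not verify the signature.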
Robert, you sneaked that change in the wiki article just to embarrass me, huh? :)
You were making changes at the same time.  I tried to get it to "remove my latest comments," but it just duplicated earlier comments - not what I was typing last??  I'm not sure I can delete my comments - even if dups.

Result:  Yep, that was it - needed to use the updater file from v56.  The Mozilla wiki article should probably mention using the latest Fx / Tb / SM updater file, especially if updates won't install.

You said,
>no substantive difference for Linux users between 56.0 and 56.0.1 

But, after updating Linux *56.0 to 56.0.1* (using partial.mar file), the update.log shows a lot of patches.  They weren't in it after updating 55.0.3 -> 56.0 (unless that update failed to log any changes):
    EXECUTE PATCH updater
    EXECUTE ADD removed-files
    EXECUTE ADD precomplete
    EXECUTE PATCH plugin-container.sig
    EXECUTE PATCH plugin-container
    EXECUTE PATCH platform.ini
    EXECUTE PATCH pingsender
    EXECUTE PATCH omni.ja
    EXECUTE PATCH libxul.so.sig
    EXECUTE PATCH libxul.so
    EXECUTE ADD libsoftokn3.chk
    EXECUTE ADD libnssdbm3.chk
    EXECUTE PATCH libnspr4.so
    EXECUTE PATCH libmozsqlite3.so
    EXECUTE ADD libfreeblpriv3.chk
    EXECUTE PATCH gmp-clearkey/0.1/libclearkey.so.sig
    EXECUTE PATCH firefox.sig
    EXECUTE PATCH firefox-bin.sig
    EXECUTE PATCH firefox-bin
    EXECUTE PATCH firefox
    EXECUTE ADD chrome.manifest
    EXECUTE PATCH browser/omni.ja
    EXECUTE PATCH browser/features/webcompat@mozilla.org.xpi
    EXECUTE PATCH browser/features/shield-recipe-client@mozilla.org.xpi
    EXECUTE PATCH browser/features/onboarding@mozilla.org.xpi
    EXECUTE PATCH browser/features/formautofill@mozilla.org.xpi
    EXECUTE PATCH browser/features/firefox@getpocket.com.xpi
    EXECUTE PATCH browser/features/e10srollout@mozilla.org.xpi
    EXECUTE PATCH browser/features/clicktoplay-rollout@mozilla.org.xpi
    EXECUTE PATCH browser/features/aushelper@mozilla.org.xpi
    EXECUTE PATCH browser/features/activity-stream@mozilla.org.xpi
    EXECUTE PATCH browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
    EXECUTE PATCH application.ini
You said,
>We'll provide best effort support for manually applying mar files but it isn't officially supported.
In Linux (unless it's *just* changed), if users want the Mozilla Fx full version (& assume Tb), they won't update automatically, if installed to /opt, etc.  It's just "not allowed."  So there's no choice, except manual updates.    The distros' versions - usually in /usr/bin, will automatically update.

The only way I know around that (which isn't best, IMO) is install them in user's Home directory.

>the 56.0.1 update is Windows specific and is not advertised to Mac or Linux.
Well, the 56.0.1 partial.mar files are available on https://ftp.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en
and http://archive.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/

The Linux 56.0.1 update sure seems to log substantive changes?
(In reply to Ben from comment #4)
> Robert, you sneaked that change in the wiki article just to embarrass me,
> huh? :)
Not many people use this method and updating the page was on my list of things to do.

> You were making changes at the same time.  I tried to get it to "remove my
> latest comments," but it just duplicated earlier comments - not what I was
> typing last??  I'm not sure I can delete my comments - even if dups.
> 
> Result:  Yep, that was it - needed to use the updater file from v56.  The
> Mozilla wiki article should probably mention using the latest Fx / Tb / SM
> updater file, especially if updates won't install.
Always using the updater from the current install and updating to 56.0 first is sufficient.

> 
> You said,
> >no substantive difference for Linux users between 56.0 and 56.0.1 
> 
> But, after updating Linux *56.0 to 56.0.1* (using partial.mar file), the
> update.log shows a lot of patches.  They weren't in it after updating 55.0.3
> -> 56.0 (unless that update failed to log any changes):
>     EXECUTE PATCH updater
>     EXECUTE ADD removed-files
>     EXECUTE ADD precomplete
>     EXECUTE PATCH plugin-container.sig
>     EXECUTE PATCH plugin-container
>     EXECUTE PATCH platform.ini
>     EXECUTE PATCH pingsender
>     EXECUTE PATCH omni.ja
>     EXECUTE PATCH libxul.so.sig
>     EXECUTE PATCH libxul.so
>     EXECUTE ADD libsoftokn3.chk
>     EXECUTE ADD libnssdbm3.chk
>     EXECUTE PATCH libnspr4.so
>     EXECUTE PATCH libmozsqlite3.so
>     EXECUTE ADD libfreeblpriv3.chk
>     EXECUTE PATCH gmp-clearkey/0.1/libclearkey.so.sig
>     EXECUTE PATCH firefox.sig
>     EXECUTE PATCH firefox-bin.sig
>     EXECUTE PATCH firefox-bin
>     EXECUTE PATCH firefox
>     EXECUTE ADD chrome.manifest
>     EXECUTE PATCH browser/omni.ja
>     EXECUTE PATCH browser/features/webcompat@mozilla.org.xpi
>     EXECUTE PATCH browser/features/shield-recipe-client@mozilla.org.xpi
>     EXECUTE PATCH browser/features/onboarding@mozilla.org.xpi
>     EXECUTE PATCH browser/features/formautofill@mozilla.org.xpi
>     EXECUTE PATCH browser/features/firefox@getpocket.com.xpi
>     EXECUTE PATCH browser/features/e10srollout@mozilla.org.xpi
>     EXECUTE PATCH browser/features/clicktoplay-rollout@mozilla.org.xpi
>     EXECUTE PATCH browser/features/aushelper@mozilla.org.xpi
>     EXECUTE PATCH browser/features/activity-stream@mozilla.org.xpi
>     EXECUTE PATCH browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
>     EXECUTE PATCH application.ini
Pretty sure all of those files were in 56.0 and I can check if you provide that list
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
(In reply to Ben from comment #5)
> You said,
> >We'll provide best effort support for manually applying mar files but it isn't officially supported.
> In Linux (unless it's *just* changed), if users want the Mozilla Fx full
> version (& assume Tb), they won't update automatically, if installed to
> /opt, etc.  It's just "not allowed."  So there's no choice, except manual
> updates.    The distros' versions - usually in /usr/bin, will automatically
> update.
By default we notify when there is a new version available and provide a link to the tar file. I suspect there are more people that install into a writable location and for those that don't I suspect most of them just install the newer version which is supported as well as much simpler instead of performing all of the steps to manually apply a mar file.

> The only way I know around that (which isn't best, IMO) is install them in
> user's Home directory.
> 
> >the 56.0.1 update is Windows specific and is not advertised to Mac or Linux.
> Well, the 56.0.1 partial.mar files are available on
> https://ftp.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/en
> and
> http://archive.mozilla.org/pub/firefox/releases/56.0.1/update/linux-x86_64/
> 
> The Linux 56.0.1 update sure seems to log substantive changes?
Several of those files are always added and I suspect the other changes to files are due to the version number being baked into the code.
(In reply to Robert Strong [:rstrong] (use needinfo to contact me) from comment #7)
> (In reply to Ben from comment #5)
> > You said,
> > >We'll provide best effort support for manually applying mar files but it isn't officially supported.
> > In Linux (unless it's *just* changed), if users want the Mozilla Fx full
> > version (& assume Tb), they won't update automatically, if installed to
> > /opt, etc.  It's just "not allowed."  So there's no choice, except manual
> > updates.    The distros' versions - usually in /usr/bin, will automatically
> > update.
> By default we notify when there is a new version available and provide a
> link to the tar file.
Actually, provide a link to a web page where the tar file can be downloaded from.
Thanks for the help.
It's not a big deal whether the changes in the update.log came from v56.0 or 56.0.1.
Maybe something missing in the older updater copy I used for 55.0.3 to 56.0, that caused failure of logging the 56.0 changes.

As for the Firefox updates (not complete installer), the pages I've seen have firefox*.partial.mar files.
They're also the *only* ones with .asc signature files to verify file authenticity.
AFAIK, pages with tar.bz2 files don't have signature files and the tar.bz2 files are full installers.  

I doubt extracting a firefox.tar.bz2 file to /home or /opt verifies authenticity.
As for installing all browser files where a user has full write permissions, there's a reason distros install all included or repo software to root owned locations.

Also, the wiki article "Manually installing a mar file", under "(see Where to get a mar file)" shows all http connections.  The D/L pages probably should be encrypted. This D/L page is encrypted: https://ftp.mozilla.org/pub/firefox.
There is a good chance that the log was overwritten since we only keep 2 but I'm fairly certain those files were updated.
The .asc file generation is done by releng and you can file a releng bug for generating them. I believe there are checksums in the parent dir for the release for the tar files.
Just extracting won't verify authenticity but checking the checksums will.
Agreed regarding not installing into a user writable location. Just as the first time installing, the checksum should be checked; that is the supported process.
Will change the wiki to https as time permits unless someone beats me to it.